Integrating Ubuntu Server with AD using Centrify

Introduction:An active directory is a directory service developed by Microsoft for Windows domain network, it is a database and a set of services that a user can connect to anytime when these services are required. The AD database consists of all the critical info about the organization.As an example if a user wants to access the Exchange account and also wants to access the network printer, they need to manually log in to each of these services. But if they are logged in to a domain-joined computer, they will have access to these resources automatically along with some other resources without the need of manually logging in to each service.This was all about why joining the computer to an AD is beneficial. Now let’s take a look into how to join an Ubuntu server to an AD using Centrify Access Manager.Requirements:

1. A domain joined Windows computer (for installing Centrify access manager).
2. A Linux/Unix computer (Ubuntu agent need to be installed in this)
3. Centrify License key for downloading access manager setup
4. Admin right to add new OU in the AD.

The first step in the Integration process is to create an Organizational Unit (OU) in the Active Directory.What is an OU?An organizational unit (OU) is a container or a sub-division within an Active Directory into which we can place users, groups, computers, and other organizational units also. It is a simple unit within a domain on which an administrator can use it to link Group Policy objects and assign permissions to other users/groups.We can create new OU for the Ubuntu server integration simply by opening Active Directory Users and Computers MMC (Microsoft management console) snap-in in domain-joined computer and right-click on domain and select New>Organizational Unit.The next step in the integration process is to install Centrify access manager in a domain-joined Windows computer.What is Centrify Access manager?A Centrify Access Manager is a primary tool for managing all the Centrify-related information stored in Active Directory. With Access Manager, we can:

• Control access to all of our Linux, Unix, and macOS X-based computers.
• Also set and modify user and group properties for all of our UNIX, Linux, and Mac OS X users and groups.
• Create new zones and also direct already created zones and zone properties to simplify the process of access management and migrating UNIX user accounts to Active Directory.
• Add Active Directory users and groups to zones.
• From local password and groups files or NIS and NIS+ servers and domains, we can import user and group data.
• Import and maintain information related to the network from NIS maps such as netgroup, auto. master, and automount or create custom NIS maps.
• Authorize or restrict access to specific computers and operations on managed computers by defining certain rights and rules.

To download all the components of Centrify Server Suite Access manager we need first need to buy the license from by Centrify website or create a free trial account.If we have the required credentials, we just need to log in, go to Supports>Downloads. Select Zero Trust privilege>Enterprise to download the latest version of the software. After downloading we can run the setup wizard and install the access manager.The next step in the integration process after the installation of the Centrify access manager is to create the zone and configure the zone using the access manager.What are Centrify Zones?A Centrify Zone is a set or collection of attributes and security policies that define the identities, access rights, and privileges shared by a group of users in a domain. In Layman’s terms, a Centrify Zone contains a set of users that need to be managed as a group for efficiency or security reasons.Why we need Zones?Centrify Zones provides an easy and flexible means of managing a set of users and computers that all share a common set of policies and access controls.For example, we can create a zone for a certain branch in an organization that has its own set of administrators tasked with managing all the Windows, Linux, and UNIX systems in their location. Also, a user can be listed in multiple zones that enable us to create identity management, access control, privilege management, and delegation solutions.We can create zones by opening up the Centrify Access Manager and selecting create new zone button. We can configure the new zone according to our needs.The next step in the integration process after the installation of the Centrify zones creation is to install the Ubuntu agent in the Ubuntu Server.What is an Ubuntu Agent?The Ubuntu agents are software packages that we need to install on our Ubuntu machine that we need to be joined to the AD. The Centrify agent is used to facilitate and synchronize the role-based permission and privilege that we grant to AD users, to give them the ability to authenticate and perform an elevated task.To download the Ubuntu agent, we need to go to the Centrify website and log in using the correct credentials. Then browse to the Supports>download and select Zero trust privilege-Enterprise and download the latest Agents for UNIX/Linux.After the download process we can manually install the packages, we required by using the commandsudo dpkg -install [.deb file]Or can use the install.sh script for the installation purpose.The next step in the integration process is configuring the config file of the Ubuntu machine.

1. Open the /etc/resolv.conf file.
2. Set the IP address of the nameserver entry to the IP address of the DNS server on the Active Directory domain controller that we need to connect. As shown below:

nameserver ip_address_of_DNS_serverWe also need to manually specify a domain controller inside the Centrify configuration file, /etc/centrifydc/centrifydc.conf:The format for it is- dns.dc.domain_name: server_name[server_name]The next step in the integration process is joining the Ubuntu machine to AD.We can use the adjoin command to join the Ubuntu machine to the AD. The syntax for the adjoin command is:adjoin --user username --zone zonename domainThe username in command is the domain join computer username, and it must be specified in the user_name@domain_name format.We also need to provide the password for the AD joined account.For more info about the adjoin command we can view the man page of adjoin: man adjoinThe final step in the integration process is to verify the AD join.We can verify that the AD is joined successfully to the Ubuntu Server by simply running the adinfo command in the Ubuntu machine. It will show all the information related to the AD we have joined.That’s how we successfully integrate the Ubuntu machine with the active directory using Centrify Access Manager. After the domain is joined, the password for managed computer in AD is reset at a regular interval of time to ensure security, and we can change this interval using the password change interval group policy.We can also use the managed Ubuntu machine to authenticate NIS users. 

Have questions about finding an Identity and  Access Management consultant?

Call +1 (925) 918-6618 the consultation is free.

About Sennovate

Sennovate delivers custom identity and access management solutions to businesses around the world. With global partners and a library of 1000+ integrations, we implement world-class cybersecurity solutions that save your company time and money. We offer a seamless experience with integration across all cloud applications, and a single price for product, implementation, and support. Have questions? The consultation is always free. Email [email protected] or call us at: +1 (925) 918-6618