IBM Support

Installing Centrify Client on the appliance to use Active Directory users

Troubleshooting


Problem

This technote discusses the steps to install Centrify with the PureData System for Hadoop appliance. Customers want a way to manage their user accounts using Microsoft Active Directory in their network. Centrify is a product that allows a Linux box to authenticate with a Microsoft Active Directory server.  It is an agent which is installed on each node of the PureData System for Hadoop appliance.

Environment

> PureData System for Hadoop 1.0.0.1 Linux 64-bit Red Hat Enterprise Linux
> Windows Server running Active Directory (2008 was used)
> Centrify Agent for Red Hat Enterprise Linux 64-bit

Resolving The Problem

WARNING! The following operations modify user logins.  It is recommended that you keep a root terminal open during the entire process in case any corrections need to be made.

Here are the steps that need to be done in order to set up Centrify properly on the appliance.  This will also allow Active Directory users to ssh into the appliance on any node.  Note that in order for this to work, ihadmin, ihasupport, and biadmin remain local users and continue to be managed by the ihash passwd and user commands.  If there is a biadmin user in Active Directory, it is ignored, because otherwise the tasktracker on the data nodes would complain that biadmin's group id does not match the group on the executable.  The only requirements on the Active Directory side are that the following groups exist and that each user belongs to one or more of them: bi_supergroup, bi_users, bi_app_admins, bi_data_admins, and bi_sys_admins.



Download Centrify DirectControl Express
    filename: centrify-suite-2013.3-rhel3-x86_64.tgz


Installation Steps:
  1. Log in to the appliance as biadmin and stop all services.
    Leave this session open, as it might need to be used later.

    stop.sh all

  2. Log in to the appliance as root

  3. Modify sshd_config

    Save a copy of the file
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org

    Edit file /etc/ssh/sshd_config

    PermitEmptyPasswords must be set to no, so uncomment the "no" line.
    This is extremely important. Note there is another "yes" line near the bottom of the file. To be safe, this "yes" line should also be commented out. The file should then have the entries looking like this:
    PermitEmptyPasswords no
    #PermitEmptyPasswords yes


    ChallengeResponseAuthentication should be set to yes, so uncomment the yes line and comment the no line. The entries should look like this:

    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no


    Comment out the AllowUsers line so that Centrify users can ssh into the appliance:

    #AllowUsers ihadmin ihasupport biadmin sysadmin@10.77.* root

  4. Restart sshd using this command:

    service sshd restart
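    Before restarting sshd it is worth confirming that the file really carries the settings above, because a wrong sshd_config can lock you out of every node. The following script is an added example and is not part of the technote or of Centrify: it reads an sshd_config and checks the three settings from step 3. sshd honours the FIRST uncommented occurrence of each keyword, so that is the line inspected; a later "PermitEmptyPasswords yes" would be ignored by sshd anyway, but commenting it out as the technote does avoids surprises if lines are ever reordered. The two sample files it writes are constructed here to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the technote): verify an sshd_config carries the
# settings steps 3-4 require before sshd is restarted.

# effective_setting FILE KEYWORD
# Prints the value of the first active (non-comment) line for KEYWORD, or
# nothing if the keyword is unset. This mirrors how sshd resolves keywords.
effective_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE
# Returns 0 when all required settings are in place, 1 otherwise; each
# failure is explained on stderr.
check_sshd_config() {
    f="$1"
    rc=0
    pep=$(effective_setting "$f" PermitEmptyPasswords)
    if [ "$pep" != "no" ]; then
        echo "PermitEmptyPasswords is '${pep:-unset}', must be 'no'" >&2
        rc=1
    fi
    cra=$(effective_setting "$f" ChallengeResponseAuthentication)
    if [ "$cra" != "yes" ]; then
        echo "ChallengeResponseAuthentication is '${cra:-unset}', must be 'yes'" >&2
        rc=1
    fi
    # AllowUsers is a whitelist: any active line refuses every AD user.
    if awk 'tolower($1) == "allowusers" { found = 1 } END { exit !found }' "$f"; then
        echo "AllowUsers is still active; AD users would be refused" >&2
        rc=1
    fi
    return $rc
}

# make_sample_configs DIR
# Writes two CONSTRUCTED sample files: DIR/before (the appliance defaults as
# the technote describes them) and DIR/after (the state step 3 produces).
make_sample_configs() {
    cat > "$1/before" <<'EOF'
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
AllowUsers ihadmin ihasupport biadmin sysadmin@10.77.* root
PermitEmptyPasswords yes
EOF
    cat > "$1/after" <<'EOF'
PermitEmptyPasswords no
#PermitEmptyPasswords yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
#AllowUsers ihadmin ihasupport biadmin sysadmin@10.77.* root
EOF
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
# Exit status 0 means the file is safe to activate with "service sshd restart".
if [ "$#" -eq 1 ]; then
    check_sshd_config "$1"
fi
```

    Run it on each node after editing and before restarting sshd; keep the root terminal from the warning above open regardless, since a failed restart still has to be corrected from an existing session.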

  5. Download Centrify file to the appliance and untar it.
    The next steps should be done with the help of an Active Directory (AD) administrator, since a username, password, domain, IP address and similar information will need to be entered. For this example, I used the following:
    AD Server Name: testdc1.lenexa.ibm.com
    AD Server IP  : 9.25.162.15
    AD      Domain: sdstest.lenexa.com
    AD Username   : Administrator
    AD Password   : new.password

    1. Add the IP address of the AD server to the end of the /etc/hosts file so that the AD server can be located by the installation:

      echo "9.25.162.15 testdc1" >> /etc/hosts
    2. Add the AD server to the /etc/resolv.conf file so that the install can locate it. It is important that you comment out the nameserver that is currently listed. Also note that the AD domain and the AD server IP address were added to the search and nameserver lines. If these are incorrect, the install will fail with an unusable DNS.

      domain localdomain
      search localdomain sdstest.lenexa.com lenexa.ibm.com ibm.com nzlab.ibm.com
      #nameserver 10.168.0.250
      nameserver 9.25.162.15

    3. Set the time to match the time on the AD server.
      The appliance and the AD server must have the same time for the installation to complete. Once the two masters are done, the correct time should then be pushed to the data nodes.

      date
      Mon Nov 11 18:20:25 EST 2013

      date --set "Mon Nov 11 18:25:25 EST 2013"
      Mon Nov 11 18:25:25 EST 2013

    4. Run the install

      ./install-express.sh


      Do a custom install and skip Centrify's openssh.
      When the installer prompts whether you want to reboot, answer No.
      This is important! A sample run follows:

    5. With this script, you can perform the following tasks:
      - Install (update) Centrify Suite Enterprise Edition (License required) [E]
      - Install (update) Centrify Suite Standard Edition (License required) [S]
      - Install (update) Centrify Suite Express Edition [X]
      - Custom install (update) of individual packages [C]

      You can type Q at any prompt to quit the installation and exit
      the script without making any changes to your environment.

      How do you want to proceed? (E|S|X|C|Q) [X]: C

      Install the Centrify DirectControl 5.1.2 package? (Q|Y|N) [Y]: Y
      Install the CentrifyDC-nis 5.1.2 package? (Q|Y|N) [N]: N
      Install the CentrifyDC-openssh 5.1.2 package? (Q|Y|N) [Y]: N
      Install the CentrifyDC-ldapproxy 5.1.2 package? (Q|Y|N) [N]: N
      Install the Centrify DirectAudit 3.1.1 package? (Q|Y|N) [N]: N

      Express authentication mode does not allow use of
      separately licensed features such as Group Policy,
      DirectAuthorize or DirectAudit.

      Do you want to install in Express authentication mode? (Q|Y|N) [Y]: Y

      Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]: Y

      Please enter the Active Directory domain to check []: sdstest.lenexa.com
      Join an Active Directory domain? (Q|Y|N) [Y]: Y
      Enter the Active Directory domain to join [sdstest.lenexa.com]: sdstest.lenexa.com
      Enter the Active Directory authorized user [administrator]: Administrator
      Enter the password for the Active Directory user: new.pass
      Enter the computer name [lx-h1001-01-ha1]: <press enter>
      Enter the container DN [Computers]: <press enter>
      Enter the name of the domain controller [auto detect]: testdc1
      Reboot the computer after installation? (Q|Y|N) [Y]: N

    6. Next it will show you what you selected, and then ask if you want to continue.
      1. If this information is correct and you want to proceed, type "Y".
        To change any information, type "N" and enter new information.
        Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]: Y

    7. The install will then commence. Warnings may be ignored. However, if errors are returned, you must investigate and correct them. Once the issue has been corrected, start again from step 5d above.

      Installation should complete successfully with the following message:

      Install.sh completed successfully.

    8. Edit /etc/resolv.conf and remove the comment from the internal nameserver.
      The contents for master nodes should look like this:

      domain localdomain
      search localdomain sdstest.lenexa.com lenexa.ibm.com ibm.com nzlab.ibm.com
      nameserver 10.168.0.250
      nameserver 9.25.162.15

      NOTE: for data nodes the contents might look like this:

      search localdomain sdstest.lenexa.com
      nameserver 10.168.0.250
      nameserver 9.25.162.15
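    Steps 5.1 to 5.3 and 5.8 each leave a file or clock in a state the join depends on, and a mistake in any of them surfaces only as a failed install. The script below is an added example, not part of the technote or of Centrify, that checks those states from the files themselves: the /etc/hosts mapping, the nameserver and search entries of resolv.conf during the join (internal nameserver commented out, AD nameserver active) and after step 5.8 (internal nameserver restored and listed first), and the clock skew. The 300-second skew limit is the default Kerberos tolerance, which is why the technote sets the appliance clock to the DC's time. The sample files are constructed here with the values used in this example; the epoch values in the usage are also constructed.

```shell
#!/bin/sh
# Added example (not from the technote): file-based checks for the name
# resolution and clock requirements of steps 5.1-5.3 and 5.8.

# hosts_has_entry HOSTS_FILE IP NAME -> 0 if an active line maps IP to NAME
hosts_has_entry() {
    awk -v ip="$2" -v name="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }' "$1"
}

# nameservers RESOLV_FILE -> prints the active nameserver addresses in file order
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# search_has_domain RESOLV_FILE DOMAIN -> 0 if DOMAIN appears on the search line
search_has_domain() {
    awk -v dom="$2" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) found = 1 }
        END { exit !found }' "$1"
}

# clock_skew_ok LOCAL_EPOCH DC_EPOCH -> 0 if the clocks are within 300 s
# (the default Kerberos clock-skew tolerance, which the AD join relies on)
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( -skew )); fi
    [ "$skew" -le 300 ]
}

# preflight HOSTS RESOLV DC_IP DC_NAME DOMAIN LOCAL_EPOCH DC_EPOCH
# State expected just before ./install-express.sh (steps 5.1-5.3).
preflight() {
    rc=0
    hosts_has_entry "$1" "$3" "$4" || { echo "hosts: no entry '$3 $4'" >&2; rc=1; }
    ns=$(nameservers "$2")
    echo "$ns" | grep -qx "$3" || { echo "resolv.conf: AD nameserver $3 missing" >&2; rc=1; }
    search_has_domain "$2" "$5" || { echo "resolv.conf: $5 not in search list" >&2; rc=1; }
    clock_skew_ok "$6" "$7" || { echo "clock: skew exceeds 300 s; set the date to match the DC" >&2; rc=1; }
    return $rc
}

# resolv_restored RESOLV INTERNAL_NS DC_IP
# State expected after step 5.8: internal nameserver first, AD nameserver kept.
resolv_restored() {
    ns=$(nameservers "$1")
    first=$(echo "$ns" | head -n 1)
    [ "$first" = "$2" ] || { echo "resolv.conf: first nameserver is '$first', expected internal $2" >&2; return 1; }
    echo "$ns" | grep -qx "$3" || { echo "resolv.conf: AD nameserver $3 missing" >&2; return 1; }
}

# make_samples DIR -> CONSTRUCTED sample files using this technote's values
make_samples() {
    cat > "$1/hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain
9.25.162.15 testdc1
EOF
    cat > "$1/resolv_join" <<'EOF'
domain localdomain
search localdomain sdstest.lenexa.com lenexa.ibm.com ibm.com nzlab.ibm.com
#nameserver 10.168.0.250
nameserver 9.25.162.15
EOF
    cat > "$1/resolv_after" <<'EOF'
domain localdomain
search localdomain sdstest.lenexa.com lenexa.ibm.com ibm.com nzlab.ibm.com
nameserver 10.168.0.250
nameserver 9.25.162.15
EOF
}

# Usage on a node (epoch values constructed; obtain the DC's from its clock):
#   preflight /etc/hosts /etc/resolv.conf 9.25.162.15 testdc1 sdstest.lenexa.com "$(date +%s)" 1384215925
#   resolv_restored /etc/resolv.conf 10.168.0.250 9.25.162.15
```

    Run preflight before step 5.4 on every node and resolv_restored after step 5.8; both return a non-zero status and print the failing item, so a wrong entry is caught before the installer reports an unusable DNS.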

  6. Configure Centrify to ignore biadmin and set up users' home directories:

    cd /etc/centrifydc

    Edit centrifydc.conf

    In the pam.ignore.users section, add this line:

    pam.ignore.users: biadmin

    In the auto.schema.homedir section, add this line:

    auto.schema.homedir: /opt/ibm/home/%{user}


  7. Reload the Centrify config file by running the following commands:

    adreload
    adflush


  8. This is for the BI console.
    Unlock net-sf-jpam using these commands:

    cd /etc/pam.d

    chattr -i net-sf-jpam

    chmod u+w net-sf-jpam


    Edit net-sf-jpam and make it look like this:

    auth       sufficient   /lib64/security/pam_centrifydc.so
    auth       sufficient   /lib64/security/pam_ldap.so
    auth       required     /lib64/security/pam_deny.so

    account    sufficient   /lib64/security/pam_centrifydc.so
    account    sufficient   /lib64/security/pam_ldap.so
    account    required     /lib64/security/pam_permit.so

    password   sufficient   /lib64/security/pam_centrifydc.so
    password   sufficient   /lib64/security/pam_ldap.so
    password   required     /lib64/security/pam_deny.so

    session    sufficient   /lib64/security/pam_centrifydc.so
    session    sufficient   /lib64/security/pam_ldap.so



    Then lock up the file again:

    chmod u-w net-sf-jpam

    chattr +i net-sf-jpam



  9. Edit global bashrc to add BI environment variables.
    Edit /etc/bashrc and add these lines at the end:

    if [ -f /opt/ibm/biginsights/conf/biginsights-env.sh ]; then
       source /opt/ibm/biginsights/conf/biginsights-env.sh
    fi


  10. Repeat steps 2-9 for master2.

  11. Repeat steps 2-7 for each data node.

  12. After all data nodes are done, then start all services again.
    Use the session from step 1 or log in to the appliance as biadmin.

    start.sh all

  13. Once BI is completely restarted, you should be able to log in to the BI console and ssh into the appliance as an Active Directory user and as biadmin.


NOTES:
A. The ihadmin user should not be defined in or added to the Active Directory server. Doing so creates two users on the appliance and prevents users from using the ihash commands. If an ihadmin user already exists on the Active Directory server, simply rename it.

B. Do not define these users on the Active Directory server: root, ihadmin, ihasupport, biadmin

C. Run healthcheck.sh after the services are restarted to verify that the system is functioning.

D. Stopping and restarting Centrify is done with these commands, run as root on the active master and all data nodes:
Stop:
/usr/share/centrifydc/bin/centrifydc stop
Start:
/usr/share/centrifydc/bin/centrifydc restart


Document Information

Modified date:
16 June 2018

UID

swg21656016