Centrify DirectControl Express for Smart Card is a free offering based on the same technology as Centrify DirectControl for Mac OS X Smart Card Edition, which is deployed across federal, defense and first responder communities. Centrify Express is free software for integrating UNIX, Linux and macOS systems and users with Microsoft Active Directory; it provides the ability to join a domain and authenticate users. Express is based on the vendor's enterprise product, Centrify Suite. Note: support for Centrify Express for Mac ended on May 1, 2019. Centrify Express is a comprehensive suite of free Active Directory-based integration solutions for authentication, single sign-on, remote access, file sharing, monitoring and cloud security for cross-platform systems. It is the quickest and most proven solution for integrating UNIX, Linux and Mac systems with Windows, and delivers more functionality, and more to upgrade to, than other free offerings.
With IT organizations looking to connect their non-Windows® resources to Microsoft® Active Directory®, one question comes up quite often: what is Centrify®? In web searches targeted at discovering a way to extend AD, Centrify comes up quite a bit, so it’s important to understand what their product does.
What Was Centrify?
In short, Centrify was an identity bridge. We use the past tense to say that Centrify was an identity bridge because the product recently faced EOL, and Centrify split into two companies—Idaptive® and Centrify. Previously, the Centrify Express product extended legacy, on-prem Microsoft Active Directory identities to non-Windows resources such as Mac® and Linux® systems as well as web applications. Centrify was essentially an add-on to on-prem Active Directory infrastructure.
What is Centrify Now?
It seems as though the current incarnation of Centrify will keep the privileged access management components (Linux and network infrastructure authentication). Idaptive, on the other hand, looks to follow the traditional first generation IDaaS path that has been paved by companies such as Okta® and OneLogin™.
What Can’t Centrify Manage?
What we should really be asking when we attempt to define Centrify’s now defunct role is more of a question about the right approach to identity management in the cloud era. Do we want to continue to leverage on-prem hardware and its expenses when the industry is shifting to the cloud? No longer are IT networks based on just Microsoft Windows®. They’re an amalgamation of different types of solutions including G Suite™, Office 365™, AWS® and GCP™, Mac® and Linux® machines, web applications such as Slack, GitHub, Salesforce®, cloud and physical file servers (NAS devices, Samba file servers, and Box™) and many other types of IT resources. So, with all of these IT changes, why must the directory remain on-prem and require add-ons like Centrify to work with all these resources?
Resulting from the shift of IT resources in most environments (Windows-based workstations, wired networks, on-prem file servers) to what we have today in our cloud-forward environment (MacBooks®, WiFi, and cloud storage), IT organizations are struggling to extend their legacy directory service to these modern IT resources. Historically, on-prem identity bridges such as Centrify extended AD to some of these new digital tools, but not all. While it may seem like a good approach, Centrify’s scope was limited in that it still required Active Directory on-prem to fulfill its purpose.
The shift to the cloud is underway; so IT admins really have two options. One is to extend AD identities to these modern, cloud IT resources and the second is to eliminate AD altogether and find a cloud directory service.
Both options have benefits and drawbacks, and each organization’s requirements will be different. In the case of cloud-forward organizations, continuing to purchase CALs, maintaining AD implementations, and spending time deploying add-ons to AD are all activities they would like to avoid. For those that are tied to their on-prem identity provider, a Centrify implementation made sense to extend AD to non-Windows resources.
How Can I Move on Without Centrify?
What should IT admins do for identity and access management (IAM) in a modern IT network? The short answer is to look at replacing your identity provider (IdP), in this case AD, with something based in the cloud. For many organizations, the most effective cloud IdP is JumpCloud® Directory-as-a-Service®. JumpCloud thinks about the problem of securely connecting users to the IT resources differently. As a cloud-based source of truth for identities from the cloud, JumpCloud can connect you to more resources, more easily than you can using add-ons such as Centrify along with AD.
AD To Non-Windows Resources
But if the thought of having to get rid of all your existing on-prem Active Directory infrastructure is too much, JumpCloud has a solution there too. You can now leverage AD Integration from JumpCloud to fill the gap in your IAM solution left by Centrify’s EOL and extend AD to non-Windows IT resources.
With AD Sync (an add-on component of the AD Integration platform), you can tightly integrate your macOS® devices into Active Directory. End users can leverage their AD credentials to access their Mac systems while also accessing other on-prem Windows resources such as file servers, applications, and other IT resources. Further, with AD Sync end users can change passwords directly on their Mac systems which will automatically update to your Active Directory implementation and vice versa. For users, it means a streamlined and easy-to-use self-service password tool. For IT admins, that means a significant reduction in help desk tickets, and as a result, saved time. For both IT and end users it means that macOS systems (and non-Windows IT resources) can be leveraged for the good of the organization.
In addition to macOS systems, when you integrate JumpCloud with AD, our cloud-based directory service can securely connect users to web applications, WiFi via RADIUS, authorize and authenticate to LDAP applications, enforce system security standards with Policies, provision identities via Office 365 and G Suite, and much more.
Learn More About JumpCloud
When asking yourself, “What is Centrify,” consider asking instead, “how do I want to manage my IT resources going forward?” Do you want to do it from the cloud, with minimal upkeep, or do you want to maintain your AD implementation and modernize it with a cloud-based directory tool? If you’re ready to learn more about how JumpCloud can support your IT environment, drop us a line. Or, sign up today and start managing up to 10 users free — forever.
Background
Automation and orchestration are key capabilities of modern IT infrastructure. Whether organizations use private or public clouds, tools like BladeLogic, System Center, Satellite, Chef, Casper, Puppet or homegrown scripts, software should be orchestration friendly.
Centrify Server Suite for UNIX, Linux, and Mac offers a facility that should be leveraged by any savvy IT infrastructure team. The tool is a script called install.sh.
This script is shipped in the gzipped tarball with the Centrify software; for example, here is the listing for a RHEL-based system (excluding the release notes):
- adcheck-rhel4-x86_64
- centrifyda-3.2.3-rhel4-x86_64.rpm
- centrifydc-5.2.3-rhel4-x86_64.rpm
- centrifydc-install.cfg
- centrifydc-ldapproxy-5.2.3-rhel4-x86_64.rpm
- centrifydc-nis-5.2.3-rhel4-x86_64.rpm
- centrifydc-openssh-6.7p1-5.2.3-rhel4-x86_64.rpm
- centrify-suite.cfg
- install-express.sh -> install.sh
- install.sh
Note that all the installation bits are shipped in the native package format of the platform, which gives the administrator the option to bypass install.sh and use the native installer. E.g. to install only the base agent, you can run
rpm -ivh centrifydc-5.2.3-rhel4-x86_64.rpm
Many admins simply add the RPMs to their repositories and use facilities like yum to install and maintain the packages.
Capabilities of install.sh
- Interactive install/join operations: walks the user through a series of menus and options
- Automatic with command options: can be run manually or by an orchestration facility for installations and joins.
- Automatic with an answer file: any of the .CFG answer files can be used with install.sh
- Kerberized: install.sh calls adjoin and other utilities that can benefit from Kerberos keytab preauthentication.
install.sh is a script that acts as an abstraction layer between the native OS package manager and any other tool or manual script. This is very powerful because it eliminates the nuances of each operating system, architecture and distribution.
For example, some AIX systems use the installp facility, RHEL and its derivatives use RPM, Debian derivatives like Ubuntu use dpkg, OS X systems use Install.app, and so on; install.sh gives the administrator a QA-tested way to install Centrify software and perform additional tasks.
Basic Automation Playbook
What you need:
a) The keytab for an AD user that can join systems to (or remove them from) the target OUs
b) A krb5.conf file for a working system
d) install.sh (or the native package manager utility)
e) If not using install.sh, you'll need adjoin (or adleave)
Sample Command Sequences
Sample 1: In this sequence, we use the /temp/ad-joiner.keytab keytab with /temp/krb5.conf, and we use install.sh to install Standard Edition and join a zone called myzone in the acme.test domain, placing the computer in the 'My Servers' OU.
env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /temp/ad-joiner.keytab ad-joiner
./install.sh --std-suite --adjoin_opt='acme.test -z myzone -c acme.test/My Servers'
Sample 2: In this sequence, we use the /temp/ad-joiner.keytab keytab with /temp/krb5.conf, and we use rpm to install the standard package and adjoin to join the Global zone in the corp.contoso.com domain, putting the computer under the CentrifyServers OU.
env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /temp/ad-joiner.keytab ad-joiner
rpm -ivh centrifydc-5.2.3-rhel4-x86_64.rpm
adjoin -z Global -c 'ou=servers,ou=centrify' corp.contoso.com
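A runnable form of the playbook and samples above (keytab preauthentication, non-interactive install.sh join, meaningful exit code via --custom_rc), added here as an example and not taken from Centrify's documentation. The keytab, krb5.conf and kinit paths come from the samples; the RUN_JOIN switch, GNU stat, the kdestroy path and verifying the join with `adinfo -d` are assumptions.

```shell
#!/bin/sh
# Added example (not Centrify's code): drive the page's keytab + install.sh
# playbook non-interactively. Assumed, not from the page: RUN_JOIN switch,
# GNU stat (RHEL), kdestroy location, and that `adinfo -d` prints the domain.
set -u
KEYTAB="${KEYTAB:-/temp/ad-joiner.keytab}"     # sample path from the page
KRB5CONF="${KRB5CONF:-/temp/krb5.conf}"        # sample path from the page
JOIN_USER="${JOIN_USER:-ad-joiner}"            # AD account allowed to join
KRB_BIN=/usr/share/centrifydc/kerberos/bin     # Centrify-bundled Kerberos tools

# The keytab is a long-lived AD credential: refuse to use it unless only the
# owner can read it (mode 0600/0400). Returns 0 if acceptable, 1 otherwise.
check_keytab() {
  kt="$1"
  [ -f "$kt" ] || { echo "keytab $kt not found" >&2; return 1; }
  mode=$(stat -c '%a' "$kt")                   # octal mode, e.g. 600
  case "$mode" in
    [0-7]00) return 0 ;;
    *) echo "keytab $kt has mode $mode; expected owner-only" >&2; return 1 ;;
  esac
}

# Build the --adjoin_opt value in the page's form:
# '<domain> -z <zone> -c <domain>/<OU path>'. It is passed as one argument
# later, so an OU name containing spaces ("My Servers") survives intact.
build_adjoin_opt() {
  printf '%s -z %s -c %s/%s' "$1" "$2" "$1" "$3"
}
# Get a TGT from the keytab (no password on the command line or in an answer
# file), install Standard Suite and join, then verify and drop the ticket.
join_host() {
  domain="$1"; zone="$2"; ou_path="$3"
  [ "$(id -u)" -eq 0 ] || { echo "install.sh must run as root" >&2; return 1; }
  check_keytab "$KEYTAB" || return 1
  KRB5_CONFIG="$KRB5CONF" "$KRB_BIN/kinit" -kt "$KEYTAB" "$JOIN_USER" || return 1
  # --custom_rc makes install.sh return a meaningful exit code for orchestration
  KRB5_CONFIG="$KRB5CONF" ./install.sh --std-suite --custom_rc \
    --adjoin_opt="$(build_adjoin_opt "$domain" "$zone" "$ou_path")" \
    || { echo "install.sh failed with rc=$?" >&2; return 1; }
  joined=$(adinfo -d 2>/dev/null || true)      # assumption: prints joined domain
  [ "$joined" = "$domain" ] || { echo "join check failed: '$joined'" >&2; return 1; }
  "$KRB_BIN/kdestroy" 2>/dev/null || true      # do not leave the joiner TGT behind
  echo "joined $domain, zone $zone, container $ou_path"
}
# Only touch the host when explicitly asked, so the file can be sourced safely.
if [ "${RUN_JOIN:-0}" = "1" ]; then
  join_host corp.contoso.com myzone 'My Servers'
fi
```

Run it as root with RUN_JOIN=1 from the unpacked tarball directory; any failure (unreadable or over-permissive keytab, kinit error, non-zero install.sh exit, join mismatch) stops the run with a non-zero status the orchestrator can act on.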
install.sh Help file
This script installs (upgrades/uninstalls) Centrify Suite.
Only the superuser can run this script.
Usage:
install.sh [-n|--ent-suite|--std-suite|--express] [-e] [-h] [-V] [-v ver] [-l log_file]
where:
-n Custom install/upgrade/uninstall in non-interactive mode.
--ent-suite Install Enterprise Suite in non-interactive mode.
--std-suite Install Standard Suite in non-interactive mode.
--express Install Centrify Express in non-interactive mode.
--bundle Install Centrify Suite using bundle.
--suite-config <config_file>
Override default suite config file with <config_file>.
-e Uninstall (erase) CentrifyDC.
-h, --help Print out this usage and then exit.
-V Print out installer version and then exit.
-v <ver> Install CentrifyDC <ver> version.
Format: x.x.x or x.x.x-xxx. x is number.
-l <log_file> Override default log-file PATH with <log_file>.
--rev <rev> Package OS revision to install.
--custom_rc Return meaningful exit code.
--override='<options>'
In non-interactive mode, override default options with <options> list.
Format: --override='CentrifyDC_openssh=n,CentrifyDA=R'
--adjoin_opt='<adjoin_options>'
Override default adjoin command line options with <adjoin_options>.
--enable-da In non-interactive mode, once joined to a domain,
enable DA for all shells.
--disable-da In non-interactive mode, disable DA NSS mode after install.
Examples:
./install.sh -n --override='INSTALL=R,CentrifyDC_nis=Y,CentrifyDC_openssh=N,CentrifyDA=N'
./install.sh --std-suite --adjoin_opt='acme.test -p pass$ -z t_zone -c acme.test/My Servers'
./install-bundle.sh --std-suite '--adjoin_opt=acme.test -p pass$ -z t_zone -c acme.test/My Servers'