Overcoming Centrify Express for Linux restrictions

In their latest release, Centrify added some restrictions to what has been, up until now, a great product. The changes are listed at http://www.centrify.com/express/changes-centrify-express-unix-linux.asp, where they state:

Centrify Express for UNIX/Linux and Centrify Express for Mac no longer support access controls. We made this change to clearly delineate between the intended premium versus free features.

While I do understand why they have done that, I have had to find a way to limit login rights for Active Directory users. First, edit the /etc/security/access.conf file and add the following at the bottom:

+ : linux_admins : ALL
+ : linux_users : ALL
+ : josip: ALL
- : ALL : ALL

As you can see, we are adding a list of users and groups that will have login permissions on the Linux box. linux_admins and linux_users are Active Directory groups, while josip is my local user. You can add local groups here as well. The final line denies login permissions to everyone else.
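The order of these lines matters because pam_access stops at the first rule that matches. The following Python model of that evaluation is an added example, not code from the original post; it handles only user names, group names and ALL, and the accounts alice and bob are constructed for illustration.

```python
# Added example: simplified model of pam_access rule evaluation (first match wins).
# Models only what the article's rules use: user names, group names and ALL.
# EXCEPT, netgroups and origins other than ALL are not modelled.

# The rules from the article, as appended to /etc/security/access.conf.
ACCESS_CONF = """\
+ : linux_admins : ALL
+ : linux_users : ALL
+ : josip: ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return a list of (permit, names) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        perm, names, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        if origins != "ALL":
            raise ValueError(f"origin not modelled here: {raw!r}")
        rules.append((perm == "+", names.split()))
    return rules

def may_login(user, groups, rules):
    """First matching rule decides; if nothing matches, access is granted."""
    for permit, names in rules:
        for name in names:
            group = name.strip("()")             # "(grp)" is the explicit group form
            if name == "ALL" or name == user or group in groups:
                return permit
    return True

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    # Constructed sample accounts (only josip appears in the article).
    for user, groups in [("alice", {"linux_admins"}), ("josip", set()),
                         ("bob", {"domain users"}), ("root", {"root"})]:
        print(user, "allowed" if may_login(user, groups, rules) else "denied")
```

Running it shows that root, which is not listed, is also caught by the final deny rule, and that moving the deny line above the allow lines would lock out every account.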

Now open /etc/pam.d/common-auth and add this line at the top:

auth required pam_access.so

It is important that this line is at the top, or at least above the lines that are added by the Centrify installer. You should end up with something like this:

[Screenshot: centrify_pam_access]

I assume you will want some AD users to have sudo privileges. Run visudo and add this line:

%linux_admins ALL=(ALL:ALL) ALL

This will grant the DOMAIN\linux_admins group sudo privileges.

[Screenshot: ad_visudo]

I have tested this on Ubuntu 14.04 LTS; one would assume that a similar setup should work on other distros. Enjoy your Centrify Express enabled machine.

Josip Lazić


Comments

  • tomislav

    Great article,

    thanks for posting it.
