{"id":380,"date":"2014-11-17T16:43:27","date_gmt":"2014-11-17T15:43:27","guid":{"rendered":"http:\/\/lazic.info\/josip\/?p=380"},"modified":"2014-11-17T20:20:47","modified_gmt":"2014-11-17T19:20:47","slug":"overcoming-centrify-express-for-linux-restrictions","status":"publish","type":"post","link":"https:\/\/lazic.info\/josip\/post\/overcoming-centrify-express-for-linux-restrictions\/","title":{"rendered":"Overcoming Centrify Express for Linux restrictions"},"content":{"rendered":"<p>In their latest release Centrify has added some restrictions to their, up until now, great product. Changes are listed here <a href=\"http:\/\/www.centrify.com\/express\/changes-centrify-express-unix-linux.asp\" title=\"FAQ \u2014 Changes to Centrify Express for UNIX\/Linux\" target=\"\">http:\/\/www.centrify.com\/express\/changes-centrify-express-unix-linux.asp<\/a> where they state this.<\/p>\n<blockquote><p>Centrify Express for UNIX\/Linux and Centrify Express for Mac no longer support access controls. We made this change to clearly delineate between the intended premium versus free features.<\/p><\/blockquote>\n<p>While I do understand why they have done that, I have had to find a way to limit login rights for Active Directory users. First you will have to edit the <code>\/etc\/security\/access.conf<\/code> file and add the following at the bottom:<\/p>\n<p><code>+ : linux_admins : ALL<br \/>\n+ : linux_users : ALL<br \/>\n+ : josip : ALL<br \/>\n- : ALL : ALL<\/code><\/p>\n<p>As you can see, we are adding a list of users and groups that will have login permissions on the Linux box. <code>linux_admins<\/code> and <code>linux_users<\/code> are Active Directory groups, while <code>josip<\/code> is my local user. You can add local groups here as well. 
At the end we deny everyone else login permissions.<\/p>\n<p>Now open <code>\/etc\/pam.d\/common-auth<\/code> and add this line at the top:<\/p>\n<p><code>auth       required       pam_access.so<\/code><\/p>\n<p>It is important that this line is at the top, or at least above the lines that are added by the Centrify installer. You should end up with something like this.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/lazic.info\/josip\/wp-content\/uploads\/2014\/11\/centrify_pam_access.png\" alt=\"centrify_pam_access\" width=\"648\" height=\"134\" class=\"aligncenter size-full wp-image-386\" srcset=\"https:\/\/lazic.info\/josip\/wp-content\/uploads\/2014\/11\/centrify_pam_access.png 648w, https:\/\/lazic.info\/josip\/wp-content\/uploads\/2014\/11\/centrify_pam_access-300x62.png 300w\" sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/p>\n<p>I assume you will want to give some AD users <em>sudo<\/em> privileges. Open <code>visudo<\/code> and add this line:<\/p>\n<p><code>%linux_admins   ALL=(ALL:ALL) ALL<\/code><\/p>\n<p>This will grant the <code>DOMAIN\\linux_admins<\/code> group <em>sudo<\/em> privileges.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/lazic.info\/josip\/wp-content\/uploads\/2014\/11\/ad_visudo.png\" alt=\"ad_visudo\" width=\"320\" height=\"73\" class=\"aligncenter size-full wp-image-388\" srcset=\"https:\/\/lazic.info\/josip\/wp-content\/uploads\/2014\/11\/ad_visudo.png 320w, https:\/\/lazic.info\/josip\/wp-content\/uploads\/2014\/11\/ad_visudo-300x68.png 300w\" sizes=\"auto, (max-width: 320px) 100vw, 320px\" \/><\/p>\n<p>I have tested this on Ubuntu 14.04 LTS; one would assume that a similar setup should work on other distros. Enjoy your Centrify Express enabled machine.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In their latest release Centrify has added some restrictions to their, up until now, great product. 
Changes are listed here http:\/\/www.centrify.com\/express\/changes-centrify-express-unix-linux.asp where they state this. Centrify Express for UNIX\/Linux and Centrify Express for Mac no longer support access controls. We made this change to clearly delineate between the intended premium versus free features. While I [&hellip;]<\/p>\n<div class=\"clearfix text-center more-button\"><a href=\"https:\/\/lazic.info\/josip\/post\/overcoming-centrify-express-for-linux-restrictions\/\" class=\"btn btn-success\">Continue reading<\/a><\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-380","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/posts\/380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/comments?post=380"}],"version-history":[{"count":0,"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/posts\/380\/revisions"}],"wp:attachment":[{"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/categories?post=380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lazic.info\/josip\/wp-json\/wp\/v2\/tags?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}