Centrify Express for Linux

Frequently Asked Questions

Centrify Express

Centrify Express for Linux started with the simple idea that Centrify would provide organizations with the best solution to centrally manage identities for small quantities of Linux servers within their existing Active Directory infrastructure. Like all freemium models, the intent is that as Express deployments grow, users will upgrade to Centrify Infrastructure Services for premium features and enterprise-class support.

Centrify Express for Linux quickly and easily integrates Linux systems with Active Directory for authentication and single sign-on. Centrify Express for Linux consists of the following components:
  • DirectControl Express secures your non-Windows systems using the same authentication services deployed in your Windows environment.
  • DirectManage Express centrally discovers your systems, checks their ability to integrate with Active Directory, downloads the required software packages and automatically deploys to your systems. DirectManage Express also provides you with a single pane of glass to quickly and remotely access any of your systems securely using your Active Directory credentials.
  • Centrify-enabled open source tools including OpenSSH, PuTTY and Samba that have been enhanced and tested to work seamlessly with Active Directory and support Kerberos, delivered as easy-to-install pre-compiled packages.

Centrify Express for Linux is free to use, non-intrusive, easy to deploy, robust in operation, and delivers more functionality and more to upgrade to than any other free Active Directory integration solution.

Anyone who is looking for a solution to leverage their Active Directory credentials on a small quantity of Linux systems. Express for Linux installs in minutes and enables login via domain name or display name — or even silently using our Kerberized OpenSSH. If you want to make your heterogeneous environment more homogeneous — and easier to manage — then Centrify Express for Linux is for you.

Express for Linux can be deployed on up to 200 systems for commercial and government organizations and up to 400 systems for educational institutions and non-profit organizations. Please refer to the “Express Use” section of the Centrify EULA.

Starting with the release of Centrify Server Suite 2014.1 (now Centrify Infrastructure Services), access control features are available as premium features within Centrify Infrastructure Services. Centrify Express for Linux does not support access control capabilities.

The following features of Centrify Express for Linux and Centrify Express for Mac have changed in this release.

  1. Specifying lists of users and groups who are allowed or denied authentication is supported only by the premium version of the product. Support for the following settings has been restricted in the free version.
    • pam.allow.users
    • pam.deny.users
    • pam.allow.groups
    • pam.deny.groups
  2. Override of users or groups and associated settings in local files is no longer allowed. Support for the following settings has been removed.
    • nss.passwd.override
    • nss.group.override
  3. Active Directory users and groups can no longer be specified for inclusion in the Auto Zone. Support for the following settings has been removed.
    • auto.schema.allow.user
    • auto.schema.allow.groups
    • auto.schema.group
  4. The adcert command is no longer supported.
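
An administrator moving an existing configuration onto Express needs to know which of the settings listed above are still present in the file, since allow/deny lists and overrides there no longer take effect. The following check is an added example, not Centrify's own code; it assumes the configuration file syntax `key: value` and, for real use, the path /etc/centrifydc/centrifydc.conf (a constructed sample file is used here).

```shell
#!/bin/sh
# Added example, not Centrify's own code: report access-control settings that the
# Express FAQ lists as restricted or removed but that may still sit in a centrifydc.conf.
# The real file is assumed to be /etc/centrifydc/centrifydc.conf; a constructed sample is used here.

# Allow/deny lists (restricted in Express) plus local-override and Auto Zone
# settings (removed in Express), exactly as listed in the FAQ.
EXPRESS_UNSUPPORTED='pam.allow.users pam.deny.users pam.allow.groups pam.deny.groups
nss.passwd.override nss.group.override
auto.schema.allow.user auto.schema.allow.groups auto.schema.group'

# Print every active (uncommented) unsupported setting found in the file.
# Returns 1 when at least one was found, so a deployment script can flag it.
audit_centrify_conf() {
    conf="$1"
    found=0
    for key in $EXPRESS_UNSUPPORTED; do
        # Escape the dots so the key is matched literally; the file uses "key: value" lines.
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        line=$(grep -E "^[[:space:]]*$key_re[[:space:]]*:" "$conf" | head -n 1)
        if [ -n "$line" ]; then
            echo "not enforced by Express: $line"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: one restricted allow-list, one commented-out deny-list (ignored),
# one removed override setting, and an unrelated placeholder setting.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# centrifydc.conf (constructed sample)
some.supported.setting: value
pam.allow.groups: linux-admins, sysops
# pam.deny.users: guest
nss.passwd.override: /etc/passwd.override
EOF

audit_centrify_conf "$SAMPLE_CONF" || echo "Access control here relies on settings the free version does not honour."
rm -f "$SAMPLE_CONF"
```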

No. You can run Centrify Express for Mac on an unlimited number of systems.

One of the great benefits of Centrify Express for Linux is the fact that users log in as themselves using their Active Directory identity. Express for Linux is a great way to break the habit of sharing accounts and to reduce forgotten passwords.

Centrify Express for Linux and the Centrify Infrastructure Services share the same robust technology for integration and single sign-on to Active Directory. Here are the key differences:
  • Centrify Express for Linux is primarily useful when you need proven Active Directory authentication for a limited number of systems running on Linux. You have access to peer support through our Centrify Express Community.
  • Centrify Infrastructure Services is required in larger environments that include Linux, UNIX and Windows platforms, and need automated, centralized management of user identities, access controls, and privilege levels. You will also benefit from Centrify Infrastructure Services’ advanced features such as granular Zone-based access controls, cross-platform policy enforcement through Group Policy, privilege management, shared account password management, secure remote access, multi-factor authentication, session recording/monitoring and detailed auditing and reporting on user activity — to name just a few. In addition to peer support, Centrify Infrastructure Services customers have guaranteed service-level agreements, plus 24x7 access to technical support representatives and an extensive online knowledge base.

See Reasons to Upgrade to the Full Centrify Infrastructure Services for a list of key features that will help you manage your cross-platform environment more efficiently and securely.

If you can't decide, you can always request a free 30-day trial to experience the full Centrify Infrastructure Services set of capabilities.

Some vendors provide Active Directory plugins for their operating systems, and free open source toolkits are also available. Centrify Express for Linux offers more functionality and more to upgrade to when compared to other free offerings.

There are many ways to get help using Centrify Express for Linux. They can all be found in the Centrify Express Community for Linux and the Centrify Express Community for Mac. We have created some great training videos, quick start guides, technical articles, and troubleshooting tips and tricks. There is also a discussion forum where you can post questions and get answers from other users and even Centrify experts.

If you need additional support and/or additional product functionality, consider upgrading to the full Centrify Infrastructure Services.

For a number of reasons.

First, we want to make end users' lives easier by giving them a single sign-on account, rather than having to remember different usernames and passwords for different operating systems. We also think we can make IT staff's lives easier by allowing them to use a tool that they already have — Active Directory — to centrally control authentication. This will cut down on the time they spend provisioning accounts and helping reset forgotten passwords.

Second, we were getting requests from many people who had tried other free Active Directory integration tools and found them difficult to deploy and unreliable. Could we do better? they asked. And our answer was an emphatic Yes! Instead of providing a one-off toolset for Active Directory integration, we decided to give away a subset of the same enterprise-hardened technology that our 5,000 customers have in production on hundreds of thousands of servers today. With Centrify Express for Linux we knew we could offer customers more functionality and more to upgrade to than anyone else. See What makes Centrify Express for Linux unique? for more details on why we think Express is by far the best choice.

Third and finally, we naturally want to give a wide range of potential customers a taste of what Centrify can offer — not just software, but the experience of working with a company that goes the extra mile in providing customers with the expert support and resources needed to be successful. Naturally, we hope that based on this experience they will be interested in exploring our advanced solutions. The good news: because we are giving away a version of our current product, all that is required is a simple license-key upgrade to unlock advanced features.

DirectControl Express

You will need to provide the username and password of an Active Directory account that has permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don't specify a user with the --user option, the Administrator account is used by default.

No schema extensions are required, no software needs to be installed on the domain controllers, and in fact no information is stored in Active Directory except for the computer account that is created when you join a system to Active Directory.

When installing the Express agent, you'll need either root access or sudo permissions.

DirectManage Express

Using the DirectManage Express wizard, you can supply an IP address range to search for systems, import a list of computers, or simply add systems by their name. For more information, check out the documentation on the Centrify Express Community for Linux.

The DirectManage Express wizard gives you two options:
  • You can point to the software archives you downloaded from the Centrify Express for Linux Download page.
  • DirectManage Express can download the right packages for you from the Centrify website. All you need to provide is the username and password of your Centrify community account.

One powerful feature of the DirectManage Express component is its ability to remotely log in and run operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The domain should be a fully qualified domain name; for example, sales.example.com.

The output from the pre-install check includes notes, warnings, and error messages, including suggestions on how to fix them. By default, the DirectManage Express component checks:
  • The operating system to verify that it is at a supported version and patch level, and that there is sufficient disk space.
  • The network to verify DNS and SSH.
  • The Active Directory configuration, including the domain name, time and domain synchronization, and the availability of multiple domain controllers.

For more information, see the documentation on the Centrify Express Community for Linux site.
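The following readiness check is an added example, not DirectManage Express code, covering three of the tests described above (domain is a FQDN, more than one domain controller is advertised, clocks are in sync). It assumes the DC list comes from the Active Directory SRV record `_ldap._tcp.dc._msdcs.<domain>` and that the 5-minute Kerberos clock-skew limit applies; the SRV answer and timestamps in the sample run are constructed.

```shell
#!/bin/sh
# Added example, not DirectManage Express code: a minimal pre-join readiness check
# covering three of the tests the FAQ describes (domain is a FQDN, more than one
# domain controller is advertised, clocks are in sync). The SRV answer and
# timestamps below are constructed; in real use feed it the output of
# "dig +short SRV _ldap._tcp.dc._msdcs.<domain>" and "date +%s" on both hosts.

KRB_MAX_SKEW=300   # Kerberos rejects requests when clocks differ by more than 5 minutes

# The join target must be fully qualified, e.g. sales.example.com (two or more labels).
fqdn_ok() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# Count domain controllers in "dig +short SRV" output; each answer line looks
# like "0 100 389 dc1.sales.example.com." (priority weight port target).
dc_count() {
    printf '%s\n' "$1" | grep -Ec '^[0-9]+ [0-9]+ [0-9]+ [^ ]+$' || true
}

# Absolute clock difference (epoch seconds) between this host and a DC must be within the limit.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$KRB_MAX_SKEW" ]
}

# Print one "ok:", "warning:" or "error:" line per check, like the wizard's report.
readiness_report() {
    domain="$1"; srv="$2"; local_now="$3"; dc_now="$4"
    fqdn_ok "$domain" && echo "ok: $domain is fully qualified" \
        || echo "error: '$domain' is not a FQDN; use e.g. sales.example.com"
    n=$(dc_count "$srv")
    [ "$n" -ge 2 ] && echo "ok: $n domain controllers advertised" \
        || echo "warning: only $n domain controller found, no failover during join"
    skew_ok "$local_now" "$dc_now" && echo "ok: clock skew within ${KRB_MAX_SKEW}s" \
        || echo "error: clock skew exceeds ${KRB_MAX_SKEW}s; Kerberos will fail, fix NTP first"
}

# Constructed sample: two DCs advertised and a 90 second skew.
SAMPLE_SRV='0 100 389 dc1.sales.example.com.
0 100 389 dc2.sales.example.com.'
readiness_report sales.example.com "$SAMPLE_SRV" 1700000090 1700000000
```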

The DirectManage Express component makes installation of the DirectControl Express agent easy by ensuring that the right package for the target system is transferred over to the system, correctly installed and joined to Active Directory. For this step to work, you will need to provide the Active Directory username and password that will be used to join the system to Active Directory.

Don't worry, we won't send this password over the network. Under the covers we pre-create the computer object in Active Directory and instruct the DirectControl Express agent to automatically join as the pre-created computer. This allows both a silent installation and join as well as a secure process for centrally deploying the DirectControl Express agents.

This is another cool feature of the DirectManage Express component. From a single list of computers, you can remote into any system via VNC, SSH or SCP with a single click. This can be done with either the stored username and password, a different username/password (a local user or an Active Directory user), or via Kerberos.

Centrify-Enabled Open Source Tools

Centrify has found that most IT organizations prefer consistency across all their platforms, hence the value of getting an OpenSSH or Samba distribution from a single vendor who supports multiple platforms. In the case of OpenSSH from Centrify, this guarantees support for GSS Key Exchange on all platforms in order to establish trust between hosts, a feature which is not part of the standard OpenSSH distribution. Centrify-enabled OpenSSH also provides you a consistent and more up-to-date version of OpenSSH across your heterogeneous systems, which are invariably running different versions of OpenSSH, including versions that may not have the latest security enhancements. For example, say you are running a mixed environment of Ubuntu 10.04, SUSE 11.2 and Fedora 13. That means you are running OpenSSH versions 5.3p1, 5.2p1 and 5.4p1 respectively. Centrify allows you to have a consistent and more up-to-date version across your heterogeneous environment that is also continuously updated and fully supported by Centrify. But as noted in the question and answer below, Centrify Express for Linux also fully supports usage of the native SSH provided on a given operating system or commercial SSH solutions. We simply provide Centrify-enabled OpenSSH and Samba as a convenience, not as a requirement.

No, Centrify-enabled OpenSSH is NOT a requirement to run Centrify Express for Linux or the Centrify Infrastructure Services. Centrify provides Centrify-enabled OpenSSH as a convenience to you, but if you want to use the SSH provided by the OS vendor, or use a commercial SSH vendor, Centrify supports that too (and has fully tested our solution in all of these scenarios). Using our supplied OpenSSH is simply an installation choice, and not a requirement. The bottom line is Centrify gives you choice — use the Centrify-enabled OpenSSH with the advantages noted above, the "stock" OpenSSH, or a commercial SSH solution — and Centrify works well with the choice you want. For example, here's how to use Centrify Express for Linux with stock SSH. But in the end it is your choice, and choice is good.

Centrify has compiled the standard OpenSSH distribution unmodified, but in the compile process we linked OpenSSH with the Express for Linux Kerberos libraries to ensure that single sign-on works seamlessly as expected in an Active Directory environment. This provides several advantages, including:
  • The OpenSSH client and server are preconfigured to automatically support PAM and Kerberos.
  • There is no need for DNS-to-realm mapping because Express for Linux knows the relationship between hosts and their SPNs.
  • The DirectControl Express agent will accept connections to any of the computer's valid hostnames, either fully qualified or not, because all combinations are registered with Active Directory. This further reduces the dependency on accurate DNS entries to enable Kerberos to operate properly.
  • The installation process automatically updates the $PATH environment variable by adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and super users, making direct access to OpenSSH possible.
If you want to take advantage of these features, and have a consistent version of OpenSSH across your heterogeneous environment, that's great. But if you want to use the SSH provided by the OS vendor, or use a commercial SSH vendor, Centrify supports that too (and has fully tested our solution in all of these scenarios). Centrify works well with the choice you want. Choice is good.