{"id":1497,"date":"2016-04-16T12:13:27","date_gmt":"2016-04-16T10:13:27","guid":{"rendered":"http:\/\/www.identitycosmos.com\/?p=1497"},"modified":"2016-04-16T12:13:27","modified_gmt":"2016-04-16T10:13:27","slug":"unix_nis_maps_active-directory","status":"publish","type":"post","link":"https:\/\/identitycosmos.com\/index.php\/2016\/04\/16\/unix_nis_maps_active-directory\/","title":{"rendered":"Tutorial: how to store or migrate UNIX NIS maps in Active Directory using the Centrify NIS Gateway"},"content":{"rendered":"

I received a lot, I mean a lot, of requests after I had published my 3 last posts about the storage of NIS maps in Active Directory [http:\/\/bit.ly\/1S4gKUG<\/a> – http:\/\/bit.ly\/1qvvyzr<\/a> – http:\/\/bit.ly\/1q8iAHi<\/a> ] \u2013 The main problem was my posts are in French \ud83d\ude09 and a lot of people tried to use Google Translate to get it, but it wasn’t perfect. So, from the popular demand, I decided to translate it in English. English is not my native language, so sorry in advance if you will find some ‘bugs’ in the text.<\/p>\n

As I explained in one of my last post<\/a> (sorry again in French !), Microsoft announced<\/a> it will not implement some Unix Services in Windows 2016 and Active Directory 2016 anymore, including NIS Services.<\/p>\n

Through my different projects, I had meet a lot of organizations which are using mixt environment with Windows and Unix boxes and I can say the NIS usage is even nowadays very widespread. For sure, it is very bad to use NIS authentication and NIS authorizations, it is really better to use Kerberos ad LDAP instead. I will not go in the details now, but it is true that NIS is not something secured, however, the fact to totally eliminate the NIS Services is impossible for a lot of organizations. These organizations have a “IT history”, from years, and a lot of very important information still remain in the NIS maps (automount, etc.)<\/p>\n

So, the goal is to use Kerberos\/LDAP for authentication\/authorization services and a NIS Gateway service which expose to NIS client the maps NIS which are stored in Active Directory. Using this way, we get the best of the two worlds, we can secure the authentication with Kerberos and the organization is able to continue to use the NIS maps for the legacy needs.<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

In this tutorial, we will use the NIS Gateway provided by Centrify and get a magic trick to improve security without abandon the NIS history.<\/p>\n

Inn this tutorial, we will use a Fedora 23 workstation as a NIS Gateway and Fedora 23 as a NIS client, in my example the Active Directory is a Windows 2012R2 one, but it will work with various flavors of Linux\/Unix and with different versions of Active Directory.<\/p>\n

A\/ First step: Centrify packages installation on the future NIS Server (=NIS Gateway)
\n<\/strong><\/span><\/p>\n

First, we need to set our NIS Gateway with a hostname and with a IP which permit to the NIS Gateway to communicate with the Active Directory world. Here, we consider that the basic settings regarding the Centrify Zones are already done (just refer to the Centrify Quick Start Guide to do it).<\/p>\n

1\/ Hostname settings<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

In our example, the hostname of the NIS Gateway will be: nisserver01.demo.local<\/p>\n

2\/ SSH checking<\/p>\n

We will check that the SSH server service is present on the Linux box, we will need it to transfer the packages for the Centrify agent and the packages for the Centrify NIS Gateway on the NIS Server.<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

If the SSH server is not installed, type the following command to install the SSH server packages:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

When the SSH packages are installed, you need to start the SSH service<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

3\/ Centrify packages transfer to the machine<\/p>\n

We will use WinSCP to transfer the Centrify agent (Centrify Server Suite 2016) on the NIS server (\/tmp directory for example) \u2013 for a Fedora23 OS, the name of the package is centrify-suite-2016-rhel4-i386.tgz<\/em><\/strong><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

4\/ Centrify agent installation<\/p>\n

Go the the \/tmp directory and check you have the agent package.<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Unzip the package:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Instal the agent, using the install.sh script:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

The install.sh script will check everything to be sure your system is able to get it \u2013 if you don’t have any ‘failed” result, you will be able to install the agent \u2013 if you get some ‘warning’ result, it is not really important (we are doing a POC !)<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Choose the Enterprise or the Standard version, it doesn’t matter for the NIS Gateway itself, so let’ choose Enterprise [E] in our example:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Choose the run adcheck<\/strong> again (just to be sure\u2026) et provide the needed information linked to Active Directory during the installation process \u2013 In our example, we will join a zone named arizona<\/strong>, so our NIS server will provide “NIS service” for this zone \u2013 and choose to not reboot at the end of the installation:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

As soon the information will be provided, the install process will start, but just before the installation process will ask you to verify your different values.<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

The installation process is starting \u2013 after the adcheck<\/strong> final check, just validate the agent installation process:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

At the end of the process, the Centrify agent installation proceeds:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Now, we will install the package which will update the SSH Server packages with the Centrify packages \u2013 this is not 100% mandatory, but it will provide a better integration with Kerberos authentication, so let’s do it:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Now, we will install the Centrify NIS Gateway package:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

At the end, just reboot the system, again this is not 100% mandatory, but let’s do it easier and reboot the system.<\/p>\n

At this stage the first big step is over. Let’s see now how to set Centrify NIS Gateway.<\/p>\n

B\/ Second step: Centrify NIS Gateway settings
\n<\/strong><\/span><\/p>\n

1\/ Active Directory integration of the NIS Gateway Linux box<\/p>\n

We will integrate the NIS Server in the zone named arizona<\/strong>. We consider here that you already performed the basic step of the Centrify installation procedure (refer to the Centrify Quick Start guide for details) and we consider you already created some Centrify zones in Active Directory.<\/p>\n

First, let’s connect to the NIS Server and execute the following command to perform the Active Directory join to the arizona<\/strong> zone:<\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

In our example, the domain is named demo.local<\/strong>, the Centrify zone is named arizona<\/strong> and the Active Directory service account used to perform the Active Directory join is named centrify<\/strong>. And the password for the service account is \u2026no, for sure, just kidding ;-)) \u2013 but the join process will ask you the password for the Active Directory service account.
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

After few seconds, the following window will appear, saying everything is ok:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

It is not mandatory to reboot the server itself, but to make it easier, let’s reboot the server:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

2\/ Let’s check some important things
\n<\/span><\/p>\n

Now let’s set some accurate parameters of the Centrify NIS Gateway. We will start to start the management tool Centrify Access Manager, we will find a new machine account in the zone names arizona, it is nisserver01:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

This is another view with the list of the machines in the Centrify zone. We will use a other machine from this zone to be NIS client (ypbind) of our NIS Gateway. For sure, the NIS Gateway as a NIS server only for the machines which are in the same zone.
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

As we didn’t specify a specific container during the Active Directory join of the NIS Gateway, the computer object which represents the NIS server is stored by the containers Computers<\/strong> in Active Directory or any default container if you changed your Active Directory configuration:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Because we will apply some specific GPOs on the computer object which represents the NIS Gateway, we will create a new organization unit (OU) and we will move the computer object in it- in our example, the OU is named NIS_Gateway<\/strong>:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Now, we will start our NIS Gateway computer. When the computer will be started, it would be possible the use any AD account with a UNIX profile in the Centrify zone to log on it, but we will log as root to make it more convenient for the future manipulations.
\n<\/span><\/p>\n

As soon you are logged on the system, just type the adinfo<\/strong> command, you will obtain information about the state of the adclient daemon which represents more or less a Active Directory client for UNIX\/Linux:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

The most important thing is to have the value ‘connected’ for the attribute ‘CentrifyDC mode’, this means the system is truly connected to Active Directory and communicate with it. At this stage, our Linux server is integrated in Active Directory and it is totally secured, thanks to Centrify technology.
\n<\/span><\/p>\n

3\/ Apply specific settings on the Centrify NIS Gateway
\n<\/span><\/p>\n

Let’s set some settings to set the correct behavior of Centrify NIS Gateway (adnisd).
\n<\/span><\/p>\n

First, we will use the Centrify extension for the GPMC to create some specific GPOs to set the NIS Gateway, nisserver01<\/strong>. Centrify provides some ADMX files if you just want to use the classic GPMC provided by Microsoft, so you can import the administration model in the GPMC. Or you can install some Centrify GPMC snap-in to create the UNIX\/Linux GPOS. It is up to you, but you need to do one or the other.
\n<\/span><\/p>\n

Here we will use the ADMX files method, and e consider we already import the different ADMX files in the GPMC. Open the GPMC and go the node “computer configuration \/ Strategy \/ Administration model \/ Centrify Settings \/ DirectControl Settings \/ NIS Daemon Settings:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

Edit the ‘Specify allowed client machines for NIS daemon<\/strong>‘ property and set the value to 0\/0<\/strong>:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

We need to do so, because by default, the NIS Gateway only accept NIS request from itself (I will not go in the details, but in some specific secured configurations where you need to deploy the NIS Gateway packages on all the UNIX systems, this “by default” behavior is useful). So we need to define the is of the IP addresses which are authorized to request the NIS service, if you set the value to 0\/0<\/strong>, the NIS server will accept all the request from all the client.
\n<\/span><\/p>\n

Let’s edit also the ‘Specify NIS daemon update interval<\/strong>‘ property and set the value to 60<\/strong>.
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

This property will allow us to set the synchronization time between Active Directory and the NIS Gateway. Because of performance reasons, the NIS Gateway maintains a local cache of the values from Active Directory, so in our example, the values will be replicate every minute. In a production environment, a value between 16 and 30 minutes seems a good choice.
\n<\/span><\/p>\n

Just validate the GPO and close the GPMC. If you want to update the NIS Server with these new settings, it is just matter to execute the adgpupdate command on the NIS Server, this command will refresh the GPOs settings from Active Directory. You can also wait for the next GPO application process (the time period will depend of your Active Directory settings):<\/strong>
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

It is possible to check which GPO is applied or not by executing the adgpresult<\/strong> command on the system, here, we will see the settings we just created in the new GPO we created:
\n<\/span><\/p>\n

\"\"<\/a>
\n<\/span><\/p>\n

C\/ Third step: Verify some elements on the Centrify NIS Gateway settings
\n<\/strong><\/span><\/p>\n

As you may know, to have a consistent NIS Server on a system, we need to have RPC services up and running. If you don’t know so much about NIS, I recommend to read this book which is for me a sort of “NIS bible” [ special thanks to Randip M<\/a> to let me know about this book. \ud83d\ude09<\/em> ]<\/span><\/p>\n