Deploying Centrify via Casper.

Seide
New Contributor

Hi,

Does anyone have recent experience deploying Centrify via Casper? I dug up an old thread on here from 2011 that didn't seem to be much help.

Installing Centrify requires a lot of setup and I don't think it can be done through scripts, unless I am wrong. Currently, we bind our Macs through a shell script and we're going to have to set up Centrify on these Macs in the near future.

Any help is appreciated and/or if you can point me in the right direction, that would be great.

Thanks in advance.

6 REPLIES

pblake
Contributor III

If you are a Centrify customer, you should reach out to them. I am pretty sure almost all of the setup can be scripted and they can help you script it.

Seide
New Contributor

Ok, I'll try and find out our support channels there. Thanks.

BLau
New Contributor

Hi Seide,

A couple of commands that may help you out:
- If the Mac is currently joined via the native Apple AD plugin, use this to unjoin it:

/usr/sbin/dsconfigad -r -u "*domain_admin_username*" -p "*domain_admin_password*"

- Once the Centrify installer package has been pushed out to the target machine, you can use this to install it:

sudo /usr/sbin/installer -pkg *CentrifyDC-5.1.x.pkg* -target /

- To join the Mac via Centrify, use this command (with the most commonly used options):

sudo /usr/sbin/adjoin --user "*domain_admin_username*" -p "*domain_admin_password*" --container "*domain.com/Path/To/OU*" --name "*computer_name*" --workstation *domain.com*

- (Look up the adjoin help file for additional join options)

- If you are a licensed customer of Centrify and are using group policies, then you can use this to activate GPs:

sudo adlicense -l

- If you have had AD users logging into the Mac while joined with the Apple AD plugin, then I would recommend you also edit/push the following parameters in the /etc/centrifydc/centrifydc.conf file:

auto.schema.apple_scheme: true
auto.schema.primary.gid: -1

- After the settings are pushed, run:

sudo adreload
sudo adflush

- This will tell the Centrify agent to use the same UID generation algorithm as the Apple plugin (rather than use the traditional Centrify method of calculating it off of the user's SID).
- This way your existing AD users can continue logging into their Mac systems without any further configuration needed. It is the most seamless way to migrate from the Apple AD plugin to Centrify.

Hope that helps!
Brian
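
Added example (not part of the post above and not Centrify's own tooling): one way to push the two centrifydc.conf parameters idempotently from a policy script, so repeated runs change nothing and the agent is reloaded only when the file was edited. The function names, the `.bak` backup and the `CONF` override are assumptions of this sketch, as is running as root.

```shell
#!/bin/bash
# Added example, not from the thread: idempotent edits to centrifydc.conf.
# CONF defaults to the path named in the post; point it at a copy to try it out.
CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"

# set_param FILE KEY VALUE
# Rewrites the active "KEY: ..." line, or appends one if the key is absent.
# Commented-out sample lines are left alone.
# Returns 0 = file changed, 1 = already correct, 2 = error.
set_param() {
    sp_file=$1; sp_key=$2; sp_val=$3
    [ -f "$sp_file" ] || return 2
    sp_tmp=$(mktemp "${sp_file}.XXXXXX") || return 2
    awk -v k="$sp_key" -v v="$sp_val" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            # index() keeps the dots in the key literal (no regex wildcards)
            if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*:/) {
                if (!seen) { print k ": " v; seen = 1 }
                next    # drop duplicate definitions of the same key
            }
            print
        }
        END { if (!seen) print k ": " v }
    ' "$sp_file" > "$sp_tmp" || { rm -f "$sp_tmp"; return 2; }
    if cmp -s "$sp_file" "$sp_tmp"; then rm -f "$sp_tmp"; return 1; fi
    # Keep the first backup, then overwrite in place to preserve owner and mode
    sp_rc=0
    { { [ -e "${sp_file}.bak" ] || cp -p "$sp_file" "${sp_file}.bak"; } &&
        cat "$sp_tmp" > "$sp_file"; } || sp_rc=2
    rm -f "$sp_tmp"
    return "$sp_rc"
}

# Apply both parameters from the post. Returns 0 only if the file changed.
apply_apple_uid_scheme() {
    au_changed=1
    for au_pair in "auto.schema.apple_scheme=true" "auto.schema.primary.gid=-1"; do
        au_rc=0
        set_param "$1" "${au_pair%%=*}" "${au_pair#*=}" || au_rc=$?
        [ "$au_rc" -eq 2 ] && return 2
        [ "$au_rc" -eq 0 ] && au_changed=0
    done
    return "$au_changed"
}

# Assumes root (no sudo here). Reload only if the file was modified.
if [ -f "$CONF" ] && apply_apple_uid_scheme "$CONF"; then
    adreload && adflush
fi
```

On a machine without the Centrify agent the final block does nothing, so the functions can be exercised against a copy of the file by setting `CONF`.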

JPDyson
Valued Contributor

^^Brian works for Centrify; great resource. However, some of the steps are unnecessary because of functionality in the Casper Suite.

- The package can simply be deployed/installed via Casper Policy, Imaging, or Remote - the conventional methods. No need to modify it; it installs correctly via policy and imaging. This has been our experience for several versions running now.

- No need to use a script for binding; Casper supports saved AD bindings. In your JSS, go to Settings - Casper Admin - New Directory Binding. All of your settings can be put into a saved binding, which can be used via all the same conventional methods (it'll show up under the Accounts section in Policies and Remote, or under the Directory Bindings type in Admin).

So, we have our images install Centrify and use the saved AD binding; all Macs come out of imaging bound just fine. We can also create a Self-Service policy that does the same thing - installs the package, runs the binding. Naturally, you can do this with Remote (basically just a means of creating an ad-hoc policy).

- Leaves are trickier. Not the process, mind you: the GUI or scripted methods are simple enough. However, invariably, we lose our in-house CA trust when this happens, so our JSS becomes untrusted by extension. We have to re-install our CA and re-trust it before we can run further policies and all that.

corbinmharris
Contributor

Never been able to get Centrify binding to work during imaging or otherwise. Need to make a point of opening a support ticket with Centrify soon since we're trying to get as close to zero-touch imaging as possible with the Macs.

kenergy
Contributor

Does this help you, @corbinmharris?

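#!/bin/bash

# Variables
#########################################################################################
SCUTIL='/usr/sbin/scutil'
TOUCH='/usr/bin/touch'
lhost=$("${SCUTIL}" --get LocalHostName)
centrify_log="/private/var/log/Centrify_fresh_deploy.log"
sTime=$(date "+%Y-%m-%d %H:%M:%S")

# Create Centrify Install Script Log-File
#########################################################################################
${TOUCH} "${centrify_log}"
echo "Start Script on: ${sTime}" >> "${centrify_log}"

# Configure Centrify
#########################################################################################
# Enable licensed mode
sudo adlicense -l
echo "License Mode Enabled" >> "${centrify_log}"

# Join the domain. Replace every [bracketed] placeholder before use.
# Note: -p passes the password as a command-line argument, so it is visible in the
# process list while adjoin runs and is stored in clear text in this script.
sudo /usr/sbin/adjoin -u [service account] -p [password] -c OU=[someOU],OU=[someOU],OU=[someOU],DC=[someDC],DC=[someDC],DC=com -n "$lhost" -z OSX [FQDN]
join_status=$?

# Log the result of the join instead of assuming it succeeded
if [ "${join_status}" -eq 0 ]; then
    echo "Computer is now Centrified" >> "${centrify_log}"
else
    echo "adjoin failed with exit status ${join_status}" >> "${centrify_log}"
fi

# Script Finalization
#########################################################################################
# Capture the end time only now, after the join has run
eTime=$(date "+%Y-%m-%d %H:%M:%S")
echo "End Script on: ${eTime}" >> "${centrify_log}"

# Return the adjoin status so a failed join shows up as a failed policy run
exit "${join_status}"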