Installing the IBM Security Samba Integration Components
This section explains how to install the Verify Privilege Server Suite adbindproxy package. You install the adbindproxy package on your Linux and UNIX computers so that the DirectControl agent works with Samba.
Installation Process Overview
Your Linux or UNIX computer can be in one of three main states regarding Samba and Verify Privilege Server Suite:
-
New to both Verify Privilege Server Suite and Samba:
Samba is not in use and the computer does not have the DirectControl agent installed. The Samba packages might already be installed but you haven’t configured Samba yet. For details, see Installation Overview for Computers New to both Verify Privilege Server Suite and Samba.
-
Using Samba, new to Verify Privilege Server Suite:
Samba is in use but the computer doesn’t have the DirectControl agent installed. For details, see Installation Overview for Computers New to Verify Privilege Server Suite.
-
Using the previous Centrify-enabled version of Samba:
Samba is in use and the DirectControl agent is installed, and you’re using the previous release of Centrify-enabled Samba. For details, see Upgrade overview for Computers with Verify Privilege Server Suite Enabled Samba.
The installation process varies slightly depending on what kind of environment you’re currently using.
Installation Overview for Computers New to both Verify Privilege Server Suite and Samba
If you’re configuring a computer that does not yet have either Samba working nor the DirectControl agent, here’s an overview of what you need to do.
Software | Tasks |
---|---|
Make sure that you have the software you need. | Make sure that you have the latest version of the DirectControl agent, the Centrify adbindproxy package, and the open source Samba files. |
Install the DirectControl agent. | Refer to the Verify Privilege Server Suite documentation for instructions. |
Install open source Samba. | All major UNIX and Linux distributions have Samba as a native package. See your distributor’s package or port system for a native install of Samba on your system. You can also visit https://samba.plus/ which offers Samba packages for Red Hat Linux, SUSE Linux Enterprise Server, and Debian. |
Install the Verify Privilege Server Suite adbindproxy package. |
See Installing the adbindproxy Components. You can run the following command, |
Run the adbindproxy.pl script. | See Configuring the Samba Integration |
Modify the Samba configuration file, as needed. | See Modifying the Samba smb.conf Configuration File. |
Test and verify the configuration. | See Verifying the Samba Integration |
Installation Overview for Computers New to Verify Privilege Server Suite
If you’re configuring a computer that has Samba configured but that does not yet have the DirectControl agent installed, here’s an overview of what you need to do.
Software | Tasks |
---|---|
Make sure that you have the software you need. | Make sure that you have the latest version of the DirectControl agent, the Centrify adbindproxy package, and the open source Samba files. |
Install the DirectControl agent. | Refer to the Verify Privilege Server Suite documentation for instructions. |
Make a backup copy of your smb.conf file. | |
Install the Centrify adbindproxy package. | See Installing the adbindproxy Components |
Migrate Samba users to Active Directory. | See Migrating Existing Samba Users to Verify Privilege Server Suite Note: If you’re using Auto Zone or Verify Privilege Server Suite Express, user migration is not supported. |
Run the adbindproxy.pl script. | See Configuring the Samba Integration |
Modify the Samba configuration file, as needed. | See Modifying the Samba smb.conf Configuration File. |
Test and verify the configuration. | See Verifying the Samba Integration |
Upgrade Overview for Computers with Verify Privilege Server Suite-Enabled Samba
Beginning in calendar year 2016, we neither provide nor support the Verify Privilege Server Suite-enabled version of Samba that was available earlier. Instead, we now provide a standalone adbindproxy package containing the components that are necessary for Verify Privilege Server Suite to integrate with open-source Samba.
If you are currently using Verify Privilege Server Suite-enabled Samba with Verify Privilege Server Suite 2013.3 or later (Verify Privilege Server Suite), not only do you need to upgrade to the latest DirectControl agent but there are some additional steps to migrate your users and settings. Below is an overview of what you need to do on each agent-controlled Linux and UNIX computer that was integrated with Samba.
Software | Tasks |
---|---|
Make sure that you have the software you need. | Make sure that you have the latest version of the DirectControl agent, the Centrify adbindproxy package, and the open source Samba files. |
Make a backup copy of your smb.conf file. | |
Uninstall Verify Privilege Server Suite-enabled Samba. | For example, on most Linux variants you would issue the following command: rpm -e CentrifyDC-samba |
Upgrade the DirectControl agent so that it’s either the latest version or a version later than 2013.3. | Refer to the Verify Privilege Server Suite documentation for instructions. |
Install open source Samba. | All major UNIX and Linux distributions have Samba as a native package. See your distributor’s package or port system for a native install of Samba on your system. You can also visit https://samba.plus/ which offers Samba packages for Red Hat Linux, SUSE Linux Enterprise Server, and Debian. |
Install the Verify Privilege Server Suite adbindproxy package. | See Installing the adbindproxy Components |
Migrate Samba users to Active Directory. | See Migrating Existing Samba Users to Verify Privilege Server Suite Note: If you’re using Auto Zone or Verify Privilege Server Suite Express, user migration is not supported. |
Run the adbindproxy.pl script. | See Configuring the Samba Integration |
Modify the Samba configuration file, as needed. | See Modifying the Samba smb.conf Configuration File. |
Test and verify the configuration. | See Verifying the Samba Integration. |
What’s in the adbindproxy Package
After you download and extract the Centrify adbindproxy package, you’ll see the following files:
./Centrify-Adbindproxy-Release-Notes.html
./CentrifyDC-adbindproxy-*release*-rhel5-x86_64.rpm
The software bundle has a name in this format: centrify-adbindproxy-release-rhel5-x86_64.rpm and it contains these components:
- adbindproxy (adbindd) module: The adbindproxy module uses the
adbindd
daemon. Unless otherwise noted,adbindproxy
andadbindd
are used interchangeably in the documentation. The adbindproxy (adbindd
) module intercepts Samba UNIX ID mapping requests and reroutes them to the DirectControl agent for processing. This module ensures that Samba and the DirectControl agent agree on the UNIX attribute values. - adbindproxy.pl PERL configuration script: This script automates most of the setup process and designates the DirectControl agent as the manager of the shared computer object.
Installing the adbindproxy Components
Perform the following steps to install the integration components from the adbindproxy package. In these steps, the file name CentrifyDC-adbindproxy-*.rpm
is used in place of the full file name. You can use the wildcard symbol (*) to substitute for a portion of the file name if there are no conflicting files in the directory.
If you are upgrading from a previous version of Verify Privilege Server Suite-enabled Samba, see Upgrade overview for computers with Centrify-enabled Samba before proceeding.
Be sure to enter the full path name in the command line if multiple versions of the same file exist in the same directory.
To install the IBM Security Samba integration components
-
Run the appropriate command for your platform to install the centrifydc-adbindproxy package.
The following table shows sample commands using the common package installers for each platforms.
For This Platform You Can Run Linux-based computers Red Hat Enterprise Linux For 64-bit systems: rpm -Uvh CentrifyDC-adbindproxy-*release*-rhel5.x86_64.rpm
For PowerPC systems:rpm -Uvh CentrifyDC-adbindproxy-*release*-rhel5.ppc64.rpm
For Little-endian PowerPC systems (PPCLE):rpm -Uvh CentrifyDC-adbindproxy-*release*-rhel7.ppc64le.rpm
Oracle Solaris using SVR4 package manager On SPARC systems, for example: gunzip delinea-adbindproxy-*release*-sol10-sparc-local.tgz
tar -xf delinea-adbindproxy-*release*-sol10-sparc-local.tar
pkgadd -d delinea-adbindproxy
For other Solaris versions and platforms, the commands are the same but the filenames are different. For example, on a 64-bit system:delinea-adbindproxy-*release*-sol10-x86-local.tgz
Oracle Solaris using IPS package manager For SPARC systems, for example:
gunzip delinea-adbindproxy-*release*-sol11-sparc.tgz
tar -xf delinea-adbindproxy-*release*-sol11-sparc.tar
pkg install -g centrifydc-adbindproxy-*release*-sol11-sparc.p5p security/centrifydc-adbindproxy
For other Solaris versions and platforms, the commands are the same, but the filenames are different. For example, on a 64-bit system:delinea-adbindproxy- *release*-sol11-i386.tgz
.
You can also reference KB-010444 here: https://support.delinea.com/s/article/KB-010444-How-to-install-the-IPS-adbindproxy-package-on-SolarisHP-UX For HP-UX 11.31 on PA-RISC: gunzip centrifydc-adbindproxy-*release*-hp11.31-pa.depot.gz
swinstall -s /path/centrifydc-adbindproxy-*release*-hp11.31-pa.depot CentrifyDC-adbindproxy
For other HP-UX versions and platforms the commands are the same but the file names are different. For example on HP-UX 11.31 Itanium 64-bit systems:centrifydc-adbindproxy-*release*-hp11.31-ia64.depot.gz
IBM AIX For AIX 7.1 or later: gunzip centrifydc-adbindproxy-*release*-aix7.1-ppc-bff.gz
inutoc
installp -aY -d centrifydc-adbindproxy-*release*-aix7.1-ppc-bff CentrifyDC.adbindproxy
Debian Linux Ubuntu Linux Check that you have libcupsys2-gnutls10
(1.1.23-1 or later) installed If you have the required libraries, run the following command to install:dpkg –i centrifydc-adbindproxy-*release*-deb8-x86_64.deb
SuSE Linux OpenSuSE Linux For 64-bit systems: rpm -ivh CentrifyDC-adbindproxy-*release*-suse11.x86_64.rpm
-
(Optional) Join the computer to a zone using the adjoin command.
This concludes the installation of the adbindproxy package.
If you have existing Samba users to migrate, go to Migrating Existing Samba Users to Verify Privilege Server Suite. Otherwise, go to Configuring the Samba Integration to continue.
Updating the Samba Files
After you've installed the Verify Privilege Server Suite adbindproxy package, you might need to update your version of Samba. When you update the Samba files, the update will replace smb.conf
and also restart Samba with its own startup script instead of the adbindd
script.
Before you update your version of Samba, it's a good practice to make a backup copy of your smb.conf
file.
After you update your version of Samba, perform the following tasks so that you can keep the Verify Privilege Server Suite adbindproxy package working.
To keep the Verify Privilege Server Suite adbindproxy package working after updating Samba:
-
Do one of the following:
-
Run
adbindproxy.pl
to reconfigure thecentrifydc-samba
service (Recommended)After
adbindproxy.pl
finishes the setup, you may want to add back the customized settings from thesmb.conf
backup to the new smb.conf file. Restart thecentrifydc-samba
service after the change. Note that the commands to restart the service are different on different platforms. -
Manually replace the
smb.conf
with the backup.After replacing the
smb.conf
file, restart thecentrifydc-samba
service. Note that the commands to restart the service are different on different platforms.This method may not work because the Samba upgrade may affect the configurations of the
centrifydc-samba
service and the Samba service itself.
-