Training Guide
Delinea PCS Linux Agent & AD Bridging
A complete technical reference for deploying, configuring, and managing the Delinea Privileged Access Service agent on Linux systems — including Active Directory bridge integration for seamless identity federation.
10
Modules
~45
Minutes
Lvl 2
Intermediate
01
Foundation
Overview & Architecture
Understand how PCS components work together on Linux.
Delinea Privileged Access Service (PCS) is a cloud-delivered Privileged Access Management (PAM) platform. The Linux Agent (also called the Client) extends PCS policy enforcement to Linux endpoints by intercepting PAM calls, sudo executions, and login events, then evaluating them against cloud-hosted policies.
Architecture Flow
Linux
Endpoint
Endpoint
RHEL / Ubuntu
→
PCS
Agent
Agent
daas-agent
→
PCS
Tenant
Tenant
*.delinea.app
↔
AD
Bridge
Bridge
adjoin
→
Active
Directory
Directory
LDAP / Kerberos
Key Components
daas-agent
Core agent daemon. Handles policy fetch, caching, and enforcement. Communicates with PCS cloud over HTTPS.
PAM Module (pam_centrify)
Pluggable Authentication Module that intercepts login, su, and sudo calls for MFA and policy evaluation.
NSS Module
Name Service Switch extension that resolves AD user and group identities on the local system.
adjoin / adleave
CLI utilities for joining and leaving an Active Directory domain. Forms the AD Bridge backbone.
The PCS Linux agent was formerly branded as Centrify. You will encounter
centrifydc, adjoin, and adinfo commands throughout — these
are part of the same product suite under the Delinea umbrella.02
Foundation
Prerequisites
System requirements and network access before deployment.
Supported Operating Systems
| Distribution | Versions | Architecture | Status |
|---|---|---|---|
| RHEL / CentOS / Rocky | 7, 8, 9 | x86_64, ARM64 | Supported |
| Ubuntu | 18.04, 20.04, 22.04, 24.04 | x86_64, ARM64 | Supported |
| SUSE / SLES | 12, 15 | x86_64 | Supported |
| Debian | 10, 11, 12 | x86_64 | Supported |
| Amazon Linux | 2, 2023 | x86_64, ARM64 | Cloud Only |
| Oracle Linux | 7, 8, 9 | x86_64 | Supported |
System Requirements
CPU
2+ cores recommended for policy evaluation under load
RAM
Minimum 512 MB free; 1 GB recommended
Disk
300 MB for agent + cache; 1 GB+ if audit logging enabled
Network
Outbound HTTPS (443) to
*.delinea.app requiredRequired Network Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| *.delinea.app | 443 | HTTPS | Agent–cloud communication |
| *.centrify.com | 443 | HTTPS | Legacy endpoints (still active) |
| AD Domain Controllers | 389 / 636 | LDAP / LDAPS | AD Bridge identity queries |
| AD Domain Controllers | 88 | Kerberos | Kerberos ticket issuance |
| AD Domain Controllers | 445 | SMB | Group Policy (optional) |
| NTP Servers | 123 | UDP | Time sync (required for Kerberos) |
Kerberos authentication will fail if the Linux host clock skew exceeds 5 minutes
from the Domain Controller. Always ensure NTP is configured and running before joining the domain.
Pre-flight Checklist
- DNS resolves AD domain name and Domain Controllers
- NTP configured and synchronized (<5 min skew)
- Outbound HTTPS (443) allowed to *.delinea.app
- AD service account created with Domain Join permissions
- Root or sudo access available on target Linux host
- PCS Tenant URL and enrollment token obtained from admin console
- SELinux / AppArmor status reviewed (permissive mode recommended during install)
03
Installation
Agent Installation
Download, install, and verify the PCS Linux agent.
Step 1 — Download the package from the PCS Admin Portal
bash
# Download from Delinea portal or use direct URL wget https://downloads.delinea.com/pcs/linux/centrifydc-latest.x86_64.rpm # Verify checksum (SHA-256 hash provided in portal) sha256sum centrifydc-latest.x86_64.rpm
Step 2 — Install the agent
bash
# Install base agent and AD Bridge packages sudo rpm -ivh centrifydc-latest.x86_64.rpm sudo rpm -ivh centrifydc-openssh-latest.x86_64.rpm # SSH integration sudo rpm -ivh centrify-agent-latest.x86_64.rpm # Cloud agent component # Verify installation rpm -qa | grep -i centrify
Step 1 — Add the Delinea APT repository
bash
# Add Delinea signing key curl -fsSL https://downloads.delinea.com/pcs/linux/delinea.gpg | \ sudo gpg --dearmor -o /usr/share/keyrings/delinea.gpg # Add repository echo "deb [signed-by=/usr/share/keyrings/delinea.gpg] \ https://downloads.delinea.com/pcs/linux/apt stable main" | \ sudo tee /etc/apt/sources.list.d/delinea.list sudo apt update
Step 2 — Install packages
bash
sudo apt install -y centrifydc centrify-agent centrifydc-openssh
Auto-Enrollment via PCS Portal Script
The PCS Admin Portal can generate a one-line enrollment script that installs the agent and enrolls the machine in a single step.
bash — generated from PCS portal
# Retrieve script from: Admin Portal → Resources → Add System → Linux # The portal generates a unique enrollment token per deployment curl -fsSL https://<your-tenant>.delinea.app/enroll/linux | \ sudo bash -s -- --enrollment-code <TOKEN> --url https://<tenant>.delinea.app # This script automatically: # 1. Detects OS and installs appropriate package # 2. Runs cenroll to register with PCS cloud # 3. Optionally joins AD domain if configured in policy
The auto-enrollment script is the recommended method for large-scale deployments.
Combine with Ansible, Puppet, or Chef for fleet-wide rollout.
Post-Installation Verification
bash
# Check agent daemon status sudo systemctl status centrifydc sudo systemctl status centrify-agent # Verify agent version adinfo --version # Check overall system status adinfo # Expected output includes: # Local host name : hostname.domain.com # Joined to domain : (Not Joined) <-- until adjoin is run # CentrifyDC mode : disconnected
04
Installation
AD Bridging Setup
Join Linux systems to Active Directory for unified identity management.
AD Bridging (also called DirectControl) enables Linux hosts to authenticate users via Active Directory using Kerberos and LDAP. AD users can log in to Linux systems using their AD credentials without requiring local accounts.
Joining the AD Domain
1
Verify DNS resolution of the domain
bash
nslookup yourdomain.com nslookup -type=SRV _ldap._tcp.yourdomain.com host -t SRV _kerberos._tcp.yourdomain.com
2
Run
adjoin to join the domainbash
# Basic domain join sudo adjoin yourdomain.com -u DomainJoinUser # Join to specific OU (recommended for production) sudo adjoin yourdomain.com \ -u DomainJoinUser \ -c "OU=Linux Servers,OU=Computers,DC=yourdomain,DC=com" \ -n linux-host-01 # custom computer name # Join using existing keytab (service account) sudo adjoin yourdomain.com -k /etc/krb5.keytab
3
Verify domain join status
bash
adinfo # Expected output: # Local host name : linux-host-01.yourdomain.com # Joined to domain : yourdomain.com # Joined as : linux-host-01$ # Pre-win2k name : LINUX-HOST-01 # Current DC : dc01.yourdomain.com # Preferred site : Default-First-Site-Name # CentrifyDC mode : connected # Licensed Features : DirectControl DirectAudit
4
Test AD user resolution
bash
# Resolve AD user id aduser@yourdomain.com # List AD groups for user adquery user aduser --attributes memberOf # Test Kerberos authentication kinit aduser@YOURDOMAIN.COM klist # list acquired tickets
AD Bridge Configuration File
Key parameters in /etc/centrifydc/centrifydc.conf:
| Parameter | Default | Description |
|---|---|---|
| adclient.use.fqdn.login | false | Require DOMAIN\user or user@domain format for login |
| adclient.local.account.override | false | Allow local accounts to override AD accounts by same name |
| krb5.forwardable.tickets | true | Issue forwardable Kerberos tickets for SSO |
| pam.allow.groups | (empty) | Restrict login to specific AD groups (space-separated) |
| adclient.cache.flush.interval | 300 | Cache refresh interval in seconds |
| adclient.schema.ldap.use.ssl | false | Force LDAPS (port 636) for all AD queries |
| adclient.preferred.domain.controllers | (auto) | Comma-separated list of preferred DC hostnames |
Leaving the Domain
bash
# Graceful domain leave (removes computer object from AD) sudo adleave -u DomainAdminUser # Force leave (if DC unreachable, does NOT remove computer object) sudo adleave --force
After leaving the domain, AD users will no longer be able to authenticate.
Ensure local fallback accounts exist before running
adleave in production.05
Installation
Tenant Enrollment
Register the Linux host with the PCS cloud tenant.
Enrolling a Linux system into PCS ties it to your cloud tenant, allowing administrators to manage access, apply policies, and see the system in the PCS Admin Portal.
Manual Enrollment with cenroll
bash
# Enroll using an enrollment code (obtain from portal) sudo cenroll \ --tenant https://<yourtenant>.delinea.app \ --code ABCD-1234-EFGH-5678 \ --agentauth true # Enroll with specific resource profile (recommended) sudo cenroll \ --tenant https://<yourtenant>.delinea.app \ --code ABCD-1234-EFGH-5678 \ --features aapm,dmc,audit \ --environment production # Verify enrollment status sudo cinfo
Enrollment Token Types
One-Time Code Expires
Single-use token valid for 24–72 hours. Generated per system in the portal. Safest for production.
Persistent Code Reusable
Reusable enrollment token. Useful for Ansible/Terraform provisioning. Revoke after bulk deployment.
Verify Enrollment in Admin Portal
After running cenroll, the system should appear within 2–3 minutes under:
Admin Portal → Resources → Systems → (Your Linux Host)
bash — check enrollment
# Show enrollment and agent status sudo cinfo # Expected output snippet: # Enrolled : Yes # Tenant URL : https://yourtenant.delinea.app # Agent ID : a1b2c3d4-e5f6-... # Last check-in : 2025-03-07 14:22:11 UTC
06
Configuration
Policy Configuration
Define access policies for Linux systems through the PCS portal.
PCS policies are created in the cloud portal and pushed to enrolled Linux agents. Policies control who can log in, what commands they can run, and which authentication methods are required.
Policy Hierarchy
Global
Policy
Policy
Tenant-wide
→
Policy
Set
Set
Group scoped
→
System
Policy
Policy
Per machine
→
User
Policy
Policy
Per user/role
Common Policy Settings (Portal Navigation)
| Policy Area | Portal Path | Key Settings |
|---|---|---|
| Login Access | Policies → Login | Allowed users/groups, require MFA on login, session timeout |
| Privilege Elevation | Policies → Privilege | sudo commands, run-as-root rules, command allow/deny lists |
| Session Monitoring | Policies → Audit | Keystroke logging, session recording, replay storage location |
| Network Access | Policies → Network | SSH jump hosts, allowed IP ranges, VPN enforcement |
| Password Policy | Policies → Password | Complexity, rotation schedule, LAPS-style local admin mgmt |
Applying Policies via Group Policy (AD Bridge)
When AD Bridge is active, PCS can deliver Group Policy Objects (GPOs) to Linux systems. Policies are stored in AD and fetched by the agent using the standard GPO mechanism.
bash
# Force Group Policy refresh on Linux sudo adgpupdate # Show applied GPOs adgpresult # Test policy enforcement (shows effective sudo rights) dzinfo aduser@yourdomain.com
GPO-delivered PCS policies take precedence over local
sudoers rules when the
Delinea PAM module is active. Use dzinfo to validate effective privilege grants
for any AD user without requiring them to log in.07
Configuration
Role Assignment
Assign PCS roles to users and groups for access control.
PCS uses a Role-Based Access Control (RBAC) model. Roles bundle permissions and are assigned to AD users, AD groups, or PCS-native users. Roles can be system-specific or tenant-wide.
Built-in Roles
| Role | Type | Capabilities |
|---|---|---|
| System Administrator | Admin | Full control over enrolled systems, policy management |
| Privileged Access User | Access | Log in via PCS, request privilege elevation |
| Vault Account Manager | Vault | Manage shared account credentials in the vault |
| Auditor | Read-Only | View audit logs and session recordings; no login access |
| Help Desk | Limited | Unlock accounts, view system status, no policy changes |
Assigning Roles (Portal)
1
Navigate to Roles
Admin Portal → Access → Roles → Select or Create Role
2
Add Members
Click Members tab → Add AD groups or individual users. Using AD groups is strongly recommended for scalability.
3
Set Administrative Rights
Under Administrative Rights tab, assign system-level rights: Login, Sudo, Privilege Elevation.
4
Assign Role to Systems
Navigate to the target Linux system → Permissions tab → Add Role. Optionally scope to System Sets.
Verify Role Assignments on Agent
bash
# View effective rights for an AD user on this machine dzinfo user@yourdomain.com # List all users/groups with login rights adquery user --all # Force policy refresh from cloud sudo centrifyda --force-sync
08
Configuration
MFA & Authentication
Enforce multi-factor authentication for Linux logins and privilege escalation.
PCS enforces MFA through its PAM module. When a user logs in via SSH or runs sudo,
the PAM module contacts the PCS cloud to validate the second factor before granting access.
Supported MFA Methods
Delinea Mobile App
Push notification or TOTP via Delinea Authenticator app. Recommended default.
TOTP (Any App)
Google Authenticator, Authy, Microsoft Authenticator — standard TOTP protocol.
SMS / Email OTP
One-time passcode delivered via SMS or email as a fallback mechanism.
FIDO2 / Security Key
YubiKey and FIDO2 hardware tokens. Highest assurance level. Requires v21.x+.
PAM Configuration
The PCS PAM module is inserted into the PAM stack automatically at install time. Review at:
config — /etc/pam.d/sshd (example)
# PCS PAM module — inserted by install
auth required pam_centrifydc.so try_first_pass
auth required pam_centrifydc.so mfa
account required pam_centrifydc.so
session required pam_centrifydc.so
password required pam_centrifydc.so
MFA Policy Settings
| Setting | Portal Path | Notes |
|---|---|---|
| Require MFA at Login | Policies → Authentication → Login | Triggers MFA challenge on SSH/console login |
| Require MFA for sudo | Policies → Authentication → Privilege | MFA required each time sudo is invoked |
| MFA Grace Period | Policies → Authentication → Session | Seconds before MFA is required again (0 = always) |
| Offline MFA | Policies → Authentication → Offline | Cached credentials for network-disconnected login |
| Exempt IP Ranges | Policies → Network | Skip MFA when connecting from trusted networks |
Testing MFA Enforcement
bash
# Test PAM stack interactively sudo pamtester sshd aduser@domain.com authenticate # View PAM-related agent log sudo tail -f /var/log/centrifydc.log | grep -i pam # Check MFA configuration applied to agent sudo cinfo --mfa
If MFA policy is set to Required and the PCS cloud is unreachable,
authentication will fail by default. Configure Offline MFA or maintain
a local emergency account outside PCS control for break-glass scenarios.
09
Operations
Monitoring & Logs
Key log files, audit trails, and health checks.
Important Log Files
| Log File | Purpose |
|---|---|
| /var/log/centrifydc.log | Main agent log — authentication, policy fetch, errors |
| /var/log/centrify-agent/agent.log | Cloud agent communication and enrollment events |
| /var/log/secure (RHEL) / /var/log/auth.log (Debian) | PAM and SSH authentication events (system-level) |
| /var/centrify/audit/ | Local session audit data before upload to cloud |
| /var/log/centrifydc-install.log | Installation and upgrade log |
Health Check Commands
bash
# Full system health summary adinfo --test # Check agent connectivity to PCS cloud sudo cinfo --connectivity # AD connectivity test adinfo --dc # show connected DC adinfo --sitename # AD site information # Check daemon statuses sudo systemctl status centrifydc centrify-agent # View live authentication events sudo journalctl -u centrifydc -f
Session Audit & Recording
When DirectAudit is licensed, PCS records terminal sessions to the cloud. Recordings are searchable and replayable in the Admin Portal under Audit → Sessions.
bash
# Check audit daemon status sudo systemctl status centrifyda # View current session audit queue dastatus # Force upload of cached audit data sudo daflush
SIEM Integration
PCS can forward audit events via syslog (RFC 5424) to your SIEM.
Configure in /etc/centrifydc/centrifydc.conf:
config — centrifydc.conf (syslog forwarding)
# Enable syslog forwarding adclient.syslog.events: login logout sudo privilege # Forward to external SIEM (rsyslog/syslog-ng handles transport) # Add to /etc/rsyslog.conf: # *.* @@siem.yourdomain.com:514
10
Operations
Troubleshooting
Diagnose and resolve common issues with PCS Linux agents.
User Cannot Log In
diagnosis
# 1. Check if user has login permission dzinfo user@domain.com # 2. Check group membership via AD adquery user username # 3. Check PAM log for deny reason sudo grep username /var/log/centrifydc.log | tail -20 # 4. Test PAM authentication chain sudo pamtester sshd user@domain.com authenticate
Common cause: User's AD group not assigned a PCS role with Login permission on the target system. Add group to role and wait for policy sync (~30 seconds).
AD Bridge / Domain Join Failures
diagnosis
# Check current domain status adinfo # Test DC connectivity adinfo --test # Check Kerberos clock skew ntpdate -q dc01.yourdomain.com # Re-join if computer account is stale sudo adleave --force sudo adjoin yourdomain.com -u AdminUser --force # Flush Kerberos tickets and retry sudo kdestroy -A kinit user@DOMAIN.COM
Agent Cannot Reach PCS Cloud
diagnosis
# Test HTTPS connectivity to PCS endpoints curl -v https://<tenant>.delinea.app/health 2>&1 | head -20 # Check if proxy is required env | grep -i proxy # Set proxy for agent if needed sudo cagent config --proxy http://proxy.company.com:8080 # View agent communication log sudo tail -100 /var/log/centrify-agent/agent.log # Restart agent to force reconnect sudo systemctl restart centrify-agent
Reset Agent Enrollment
bash
# Unenroll from PCS cloud (soft reset) sudo cunenroll --remove-all # Re-enroll with new token sudo cenroll --tenant https://<tenant>.delinea.app --code NEW-TOKEN # Full wipe and reinstall (nuclear option) sudo adleave --force sudo cunenroll --remove-all # Remove packages (rpm -e / apt purge centrifydc centrify-agent) # Reinstall from scratch
A full reinstall will remove all locally cached policies and credentials.
Ensure break-glass local accounts are in place before proceeding.
Debug Logging
bash — enable verbose logging
# Enable debug logging temporarily sudo adinfo --loglevel DEBUG # Or in centrifydc.conf — set temporarily: adclient.log.level: DEBUG # WARNING: verbose, disable after troubleshooting # Restart agent to apply sudo systemctl restart centrifydc # Monitor logs sudo tail -f /var/log/centrifydc.log
★
Assessment
Knowledge Check
Test your understanding of Delinea PCS Linux agent deployment.
1. Which command is used to join a Linux host to an Active Directory domain?
2. What is the maximum allowed clock skew between a Linux host and a Domain Controller for Kerberos authentication to succeed?
3. Which command registers a Linux system with the PCS cloud tenant?
4. Which port is required for Kerberos communication with Active Directory Domain Controllers?
5. What command shows effective sudo and login rights for an AD user on the current system?
Delinea PCS Linux Agent
•
Training Guide v1.0
•
Covers Agent v24.x
•
Always verify against official Delinea documentation for production deployments