Configure PBIS to Join Ubuntu to Windows Domain


In this article, we will install and configure PowerBroker Identity Services (PBIS) on Ubuntu 14.04 and join the host to a Windows Active Directory domain. We will also look at how to find and remove stale computer accounts from AD with the dsquery command.

Download and Install

To start with, download the latest version of PowerBroker Identity Services from GitHub.

You can also download it by running the following command on Ubuntu:


Now set the execution bit on the installer and run it with root privileges:

chmod +x
sudo ./

It will ask a couple of questions during installation; answer them as appropriate for your environment. Once the installation has finished, it is time to join the machine to the domain.

PBIS Configuration

We are ready to proceed with the configuration. Change to the /opt/pbis/bin/ directory and run domainjoin-cli to join the host to an Active Directory domain:

cd /opt/pbis/bin/
sudo domainjoin-cli join [DomainName] [DomainAccount]


DomainName - the name of your domain
DomainAccount - your domain account (user@domainname)

Example: sudo domainjoin-cli join administrator

When prompted, provide the password of the Active Directory account. The account does not have to be a domain administrator: any account allowed to create computer objects in the target container will do (by default a plain domain user may join up to ten machines, governed by ms-DS-MachineAccountQuota), and a delegated join account is preferable to typing the Domain Admin password on every Linux host. On successful authentication the command adds your Ubuntu computer as a member of the domain; it also adds entries to the /etc/hosts file.
To check the domain settings of the Ubuntu host, run the following command from your terminal:

sudo domainjoin-cli query

The command displays the domain the Ubuntu computer has joined and the distinguished name of its computer object:


Name = hostname
Domain =
Distinguished Name = CN=hostname,CN=Computers,DC=example,DC=com

Note: to remove your Ubuntu computer from the domain, run

sudo domainjoin-cli leave

Once the host is joined, an important step is to decide which domain users get sudo. To grant root privileges only to members of the Domain Admins group, add %domain^admins ALL=(ALL) ALL to the group section of /etc/sudoers (PBIS replaces the space in the AD group name "Domain Admins" with ^). Edit the file with visudo rather than a plain editor, so that a syntax error cannot lock you out of sudo. The group section then looks as follows:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL

A good thing about PBIS is that it allows the login to be customised in several ways: the domain prefix, the login shell, the home directory layout, and so on. To set the defaults for every domain user that will log on to the system, use the PBIS config tool.
Open a terminal and run the following commands:

sudo /opt/pbis/bin/config UserDomainPrefix [Domain]

Set the domain prefix

sudo /opt/pbis/bin/config AssumeDefaultDomain True

Set this to True so users do not have to type the domain name every time they log in

sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Set the default login shell for domain users

sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U

Put domain users' home directories under a per-domain directory (%H is the home root, %D the domain, %U the user name), so they cannot collide with the home directories of local users on the machine

sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\\[SecurityGroup]"

Allow logins only for members of the listed Active Directory security groups; without this setting every user in the domain can log on to the host
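The two places above where Active Directory names cross into Linux conventions, the sudoers group line and the HomeDirTemplate, are easy to get subtly wrong. The helpers below are an added example, not code from the article or from PBIS: they derive the PBIS-side group name from an AD group name, emit the matching sudoers line, expand a HomeDirTemplate so you can see where a domain user will land, and install the sudoers fragment only after visudo has accepted it. They assume the PBIS defaults (names lower-cased, a space in a name replaced by ^, and AssumeDefaultDomain True so group names carry no DOMAIN\ prefix); the function names and the fragment name /etc/sudoers.d/pbis-domain-admins are my choices.

```shell
#!/bin/sh
# Added example, not part of the original article or of PBIS.
# Assumes PBIS defaults: names are lower-cased, spaces become "^"
# (SpaceReplacement), and AssumeDefaultDomain is True so group names
# carry no DOMAIN\ prefix.

# AD group name -> the name PBIS presents to Linux
# e.g. "Domain Admins" -> "domain^admins"
pbis_group_name() {
    printf '%s\n' "$1" | tr 'A-Z ' 'a-z^'
}

# sudoers line granting full sudo to an AD group ("%" marks a group).
sudoers_line_for_group() {
    printf '%%%s ALL=(ALL) ALL\n' "$(pbis_group_name "$1")"
}

# Expand a PBIS HomeDirTemplate: %H = home root, %D = domain, %U = user.
# (sed replacement text: avoid "&" or "|" in the arguments.)
expand_home_template() {
    local tmpl="$1" root="$2" domain="$3" user="$4"
    printf '%s\n' "$tmpl" | sed -e "s|%H|$root|g" -e "s|%D|$domain|g" -e "s|%U|$user|g"
}

# Return 0 if the directory a domain user would get is the same path as an
# existing local user's home, which is what %H/%D/%U is meant to avoid.
home_collides() {
    local tmpl="$1" root="$2" domain="$3" user="$4" local_home="$5"
    [ "$(expand_home_template "$tmpl" "$root" "$domain" "$user")" = "$local_home" ]
}

# Write the group line into a sudoers.d fragment, but only if visudo accepts
# it; a bad line in /etc/sudoers.d breaks sudo for everyone. Needs root.
install_sudo_group() {
    local fragment
    fragment="$(mktemp)" || return 1
    sudoers_line_for_group "$1" > "$fragment"
    if visudo -c -f "$fragment" >/dev/null 2>&1; then
        install -m 0440 "$fragment" /etc/sudoers.d/pbis-domain-admins
    else
        echo "sudoers line rejected by visudo" >&2
        rm -f "$fragment"
        return 1
    fi
    rm -f "$fragment"
}
```

Run `sudoers_line_for_group 'Domain Admins'` to print the line the article adds to /etc/sudoers, and `expand_home_template '%H/%D/%U' /home example jdoe` to see the directory a domain user jdoe would be given; `install_sudo_group 'Domain Admins'` needs root and only writes the fragment when visudo -c passes.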

Next, edit the PAM common-session file. Type in a terminal:

sudo vi /etc/pam.d/common-session

Find the line that reads session sufficient and change it to session [success=ok default=ignore]. With sufficient, a successful PBIS session ends the stack immediately and the modules listed after it are skipped; with [success=ok default=ignore] the rest of the session stack (for example the module that creates the home directory on first login) still runs.

Then edit the lightdm greeter configuration file and append the following lines:

sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

Note that on Lubuntu 14.04 the lightdm configuration file is 60-lightdm-gtk-greeter.conf instead.

Test it!

Once you are satisfied with all the options, reboot the machine:


and log in:

ssh [username]@[servername]

How to restart PBIS service

The PBIS agent consists of the service manager daemon lwsmd, located at /opt/pbis/sbin/lwsmd. This daemon hosts the lsass service, which handles authentication, authorization, caching and idmap lookups. Because the authentication service enumerates trusts only at startup, restart lsass with the PBIS service manager after you modify a trust relationship. To restart the service, run:

/opt/pbis/bin/lwsm restart lsass

How to uninstall PBIS using a command line

To uninstall PBIS from the command line, run:

/opt/pbis/bin/ uninstall

To remove all PBIS-related files from your system completely, run the purge process instead:

/opt/pbis/bin/ purge

How to find and remove stale computers in Active Directory

Many organisations define a maximum period of inactivity for AD accounts, after which the account should be deleted. It is strongly recommended to list the inactive accounts first and review them before deleting anything. Here we use the Command Prompt: finding inactive accounts and disabling or deleting them can be done with the dsquery command.
Basically, dsquery searches AD for objects matching the given criteria (for instance, computers that have not logged on for a given number of weeks, judged by their lastLogonTimestamp attribute), and its results can be piped into dsmod and dsrm to disable or delete those objects. Note that dsquery returns at most 100 objects unless you add -limit 0. To start, open a Command Prompt on a domain controller (or a host with the AD DS tools installed). Then, to find the computers that have been inactive for at least [NumWeeks] weeks, run:

dsquery computer -inactive [NumWeeks]

Now, to disable the inactive computers, run:

dsquery computer -inactive [NumWeeks] | dsmod computer -disabled yes

After disabling them, you can delete them. Be aware that the query below matches every disabled computer object in the domain, not only the ones you disabled in the previous step, so review its output before adding dsrm:

dsquery computer -disabled | dsrm -noprompt

Note that instead of disabling the inactive computers first, you can delete them directly:

dsquery computer -inactive [NumWeeks] | dsrm -noprompt
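Because the pipelines above delete whatever dsquery returns, it helps to understand and reproduce the inactivity test before running them. The script below is an added example, not part of the article and not a dsquery feature: it applies the same "older than N weeks" comparison to lastLogonTimestamp values, which AD stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), over a constructed set of computer records, so a candidate list can be reviewed in a shell before anything is fed to dsmod or dsrm. The sample records, the reference time and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original article and not a dsquery feature.
# Reproduces the "inactive for N weeks" test on lastLogonTimestamp values so
# a candidate list can be reviewed before being piped into dsmod or dsrm.
# lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.

EPOCH_DIFF=11644473600   # seconds from 1601-01-01 to 1970-01-01

# FILETIME -> Unix time (seconds, truncated)
filetime_to_unix() {
    echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# Unix time -> FILETIME (useful for building a threshold for an LDAP filter
# such as (lastLogonTimestamp<=<value>))
unix_to_filetime() {
    echo $(( ($1 + EPOCH_DIFF) * 10000000 ))
}

# Read "<cn> <lastLogonTimestamp>" lines on stdin and print the cn of every
# computer whose last logon is older than $1 weeks relative to Unix time $2.
# A value of 0 (attribute never set) counts as inactive.
list_inactive() {
    local weeks="$1" now="$2" cutoff cn ts
    cutoff=$(( now - weeks * 7 * 86400 ))
    while read -r cn ts; do
        case "$cn" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ "$(filetime_to_unix "$ts")" -lt "$cutoff" ]; then
            printf '%s\n' "$cn"
        fi
    done
}

# Constructed sample data, not from a real directory. Reference time is
# 2023-01-01T00:00:00Z (1672531200): ws01 logged on 3 days earlier,
# ws02 60 days earlier, ws03 never.
SAMPLE_RECORDS='# cn lastLogonTimestamp
ws01 133167456000000000
ws02 133118208000000000
ws03 0'
SAMPLE_NOW=1672531200

# Print the computers the sample would flag as inactive for $1 weeks (default 4).
demo() {
    printf '%s\n' "$SAMPLE_RECORDS" | list_inactive "${1:-4}" "$SAMPLE_NOW"
}

demo "$@"
```

Running the script with no argument prints ws02 and ws03 (inactive for 4 weeks); with an argument of 10 only ws03 remains. Keep in mind that lastLogonTimestamp is rewritten only when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so neither this test nor dsquery -inactive can distinguish anything finer than about two weeks, and a freshly joined machine that has never logged on shows 0 and will be flagged at any threshold.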


This article is a continuation of the earlier article on integrating LDAP with Active Directory. There are several ways to authenticate Linux servers against Microsoft Active Directory, such as Samba/Winbind, Centrify and others, and PBIS installers are available in both deb and rpm package formats for RHEL, Ubuntu, CentOS, Debian and more. Nevertheless, the instructions provided here have only been tested on Ubuntu 14.04 LTS; with minimal tweaking they should also work on other distributions. The older, now deprecated Likewise-Open behaves much like PBIS-Open and may be required on older distributions.

Comments

  1. Hi, we have installed PowerBroker in our environment on all Linux servers, RHEL6 and RHEL7.

    Whenever we join the AD it affects all the virtual IPs. Could someone help me understand why the AD join impacts the virtual IPs on interfaces with VLANs configured?

  2. Thanks for the comprehensive article, but is there any way I could restrict only one domain user to log in via ssh to that machine? I tried AllowUsers in /etc/ssh/sshd_config on Ubuntu 16.04, but it seems to recognize only local users!

  3. Works perfectly, but would you mind elaborating on what exactly the changes inside /etc/pam.d/common-session are meant to do? On Ubuntu 18.04 there is no such line anyway.

  4. Are you sure the solution with domain^admins in the sudoers works? AFAIK the open edition of PBIS does not support groups, only their enterprise version.

  5. Thanks a lot, it's done. Can you please do me a favour?
    After logging in to Kubuntu 18.04 with an Active Directory login, the session lock screen does not show the logged-in user's name.
    If there are multiple logins on the system, it is difficult to identify which user is mine.

  6. If I have 2 forests roots that have a bidirectional trust, how can I configure pbis to let users from domain B login into a linux machine that is joined to domain A?

  7. Hi,
    What about AD policies?
    I authenticate successfully, but how would GPOs be applied to a Linux environment?
    Any suggestion?


  8. I was trying to configure it with Azure AD. After I provide the username, it goes to the Microsoft page for device authentication, and once it is authorized it again asks for a password from the local server.

    login as:
    Using keyboard-interactive authentication.
    To sign in, use a web browser to open the page and enter the code BT4XXXXT7L to authenticate. Press ENTER when ready.
    Access denied's password:

    Can somebody please help.

  9. Hi, it's working, but when the system goes offline or to another network the domain user cannot log in; it shows access denied. On the same network it logs in with no issue.
    Please provide a solution for that. I need domain users, after logging in once, to be able to log in offline as well.

  10. Hi, I've joined my Ubuntu 18.04 machine to a domain using the instructions here and created a folder to be shared using Samba, adding the corresponding configuration to the smb.conf file. I want Windows machines to be able to access that folder using their AD accounts, but it doesn't seem to recognize them and keeps asking for a user and password. Nor can I log into the Ubuntu machine using an AD account; it says the logon is incorrect.

