How to Configure PBIS to Join Ubuntu with Windows AD

In this article, we will install and configure PowerBroker Identity Services (PBIS) on Ubuntu 14.04 in order to join the machine to a Windows Active Directory domain. We will also look at how to remove stale computer accounts from AD using the dsquery command.

Download and Install

To start with, we need to download the latest version of PowerBroker Identity Services from GitHub.

Alternatively, you can download it by running the following command on Ubuntu:

wget https://github.com/BeyondTrust/pbis-open/releases/download/8.5.3/pbis-open-8.5.3.293.linux.x86_64.deb.sh

Now set the execution bit and run the installer with root privileges:

chmod +x pbis-open-8.5.3.293.linux.x86_64.deb.sh
sudo ./pbis-open-8.5.3.293.linux.x86_64.deb.sh

It will ask a couple of questions during installation, so choose the options accordingly. Once the installation is done, it's time to join the machine to the domain.

PBIS Configuration

We are ready to proceed with the configuration. Navigate to the /opt/pbis/bin/ directory and run the domainjoin-cli command to join the host to an Active Directory domain:

cd /opt/pbis/bin/
sudo domainjoin-cli join [DomainName] [DomainAccount]

where,

DomainName - the name of your domain
DomainAccount - your domain account (user@domainname)

Example: sudo domainjoin-cli join example.com administrator

When prompted, please provide Active Directory administrator's password. On successful authentication, the command adds your Ubuntu computer as a member of the domain. The command also adds entries in the /etc/hosts file.
To check the Ubuntu domain settings, run the following command from your terminal:

sudo domainjoin-cli query

The command displays the name of the domain to which your Ubuntu computer is joined.

Example:

Name = username
Domain = example.com
Distinguished Name = CN=username,CN=Computers,DC=example,DC=com

Note: If you want to remove your Ubuntu computer from the domain, run:

sudo domainjoin-cli leave

Once joined to the domain, an important step is to restrict sudo access to members of the Domain Admins group only. This is done by adding %domain^admins ALL=(ALL) ALL to the group section of /etc/sudoers, so that the section looks as follows:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL

The good thing about PBIS is that it offers multiple ways to customize the login name, domain prefix, login shell, home directory name, etc. To set up the default configuration for domain users, use the PBIS config tool to define the environment for all domain users that will log in to the system.
Open a terminal and run the following commands:

sudo /opt/pbis/bin/config UserDomainPrefix [Domain]

Set domain prefix

sudo /opt/pbis/bin/config AssumeDefaultDomain True

Set this to 'true' to avoid entering the domain name every time

sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Set default shell

sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U

Set a different home directory layout than the one used by local users on the machine

sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\\[SecurityGroup]"

Restrict login to members of specific Active Directory security groups

Next, you need to edit the pam.d common-session file. Type in the terminal:

sudo vi /etc/pam.d/common-session

Navigate to the line that states session sufficient pam_lsass.so and replace it with session [success=ok default=ignore] pam_lsass.so, so that a successful pam_lsass.so no longer ends the session stack early and the remaining session modules still run for domain users.
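As an added example (not from the original article), the following POSIX shell functions apply the two file edits described above, the Domain Admins sudoers entry and the pam_lsass.so replacement, idempotently to a path passed as an argument, so they can be tried on copies before touching /etc. The sudo function writes a drop-in under /etc/sudoers.d (included by Ubuntu's default /etc/sudoers) instead of editing /etc/sudoers in place; the function names and the fragment name domain-admins are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original article. Both functions take the
# file or directory to edit as an argument so they can be run against copies.

# Replace "session sufficient pam_lsass.so" with the form recommended above.
# "sufficient" ends the session stack as soon as pam_lsass.so succeeds, so
# later session modules (pam_mkhomedir, pam_systemd, ...) are skipped for
# domain users; "[success=ok default=ignore]" lets the stack continue.
fix_pam_lsass_session() {
    file="$1"
    want='^[[:space:]]*session[[:space:]]+\[success=ok default=ignore\][[:space:]]+pam_lsass\.so'
    have='^[[:space:]]*session[[:space:]]+sufficient[[:space:]]+pam_lsass\.so'
    grep -Eq "$want" "$file" && return 0            # already done: idempotent
    if ! grep -Eq "$have" "$file"; then
        echo "no 'session sufficient pam_lsass.so' line in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"                          # keep a rollback copy
    tmp="$file.tmp.$$"
    sed -E 's/^([[:space:]]*session[[:space:]]+)sufficient([[:space:]]+pam_lsass\.so)/\1[success=ok default=ignore]\2/' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Grant sudo to the AD "Domain Admins" group through a drop-in fragment
# (hypothetical name: domain-admins) rather than editing /etc/sudoers in place.
# PBIS replaces the space in the group name with '^', hence %domain^admins.
ensure_domain_admins_sudo() {
    dir="${1:-/etc/sudoers.d}"
    frag="$dir/domain-admins"
    line='%domain^admins ALL=(ALL) ALL'
    [ -f "$frag" ] && grep -Fxq "$line" "$frag" && return 0
    printf '%s\n' "$line" > "$frag"
    chmod 0440 "$frag"      # sudo expects sudoers files to be root-owned, mode 0440
    return 0
}
```

Before relying on the fragment on a real host, run visudo -cf /etc/sudoers.d/domain-admins as root to syntax-check it.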

Then edit the lightdm configuration file and append the following lines:

sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

allow-guest=false
greeter-show-manual-login=true

Please note that if you are using Lubuntu 14.04, your lightdm configuration file will be 60-lightdm-gtk-greeter.conf.

Test it!

Once satisfied with all the options, reboot the machine:

reboot

and login:

ssh [username]@[servername]

How to restart PBIS service

The PBIS agent consists of the service manager daemon lwsmd, located at /opt/pbis/sbin/lwsmd. It hosts the lsass service, which handles authentication, authorization, caching and idmap lookups. Because the authentication service registers trusts only at startup, you should restart lsass with the PBIS Service Manager after you modify a trust relationship. To restart the service, run:

/opt/pbis/bin/lwsm restart lsass

How to uninstall PBIS using a command line

To uninstall PBIS from the command line, run:

/opt/pbis/bin/uninstall.sh uninstall

If you want to completely remove all PBIS-related files from your system, run the purge process instead:

/opt/pbis/bin/uninstall.sh purge

How to find and remove stale computers in Active Directory

Some organizations define a maximum inactivity period for AD accounts, after which inactive accounts should be deleted. It is highly recommended to first list all inactive accounts before deleting any of them. In this article we will use the Command Prompt: finding inactive accounts and disabling or deleting them can be done with the dsquery command.
The dsquery command searches for AD objects that match the specified criteria (for instance, computer accounts inactive for a given number of weeks). Its results can then be piped into the dsmod and dsrm commands to disable or delete those accounts. To start, open a Command Prompt on an AD host. Then, to find computers that have been inactive for [NumWeeks] weeks, run:

dsquery computer -inactive [NumWeeks]

Now, to disable the inactive computers, run:

dsquery computer -inactive [NumWeeks] | dsmod computer -disabled yes

After disabling them, you can delete them by running:

dsquery computer -disabled | dsrm -noprompt

Please note that instead of disabling the inactive computers first, you can delete them directly by running:

dsquery computer -inactive [NumWeeks] | dsrm -noprompt

Conclusion

This article is a continuation of the earlier article on integrating LDAP with Active Directory. There are several ways to authenticate Linux servers against Microsoft Active Directory, such as Samba/Winbind, Centrify, etc., and installers are available in both Debian and RPM package formats supporting RHEL, Ubuntu, CentOS, Debian, etc. Nevertheless, the instructions provided here have only been tested on Ubuntu 14.04 LTS. With minimal tweaking these steps should also work on other distributions. Older, now deprecated versions of Likewise-Open should work in a similar fashion to PBIS-Open and may be required on older distributions.

About Sergej Kalenichenko

Sergej Kalenichenko has been working with Linux/Hadoop and Big Data technologies since 2015. His life credo: "Well done is better than well said". Apart from his permanent work and freelancing, he writes articles for the community. He is passionate about the newest IT technologies.

