How to Configure PBIS to Join Ubuntu with Windows AD

In this article, we will install and configure PowerBroker Identity Services (PBIS) on Ubuntu 14.04 and join the machine to a Windows Active Directory domain. We will also cover how to find and remove stale computer accounts from AD with the dsquery command.

Download and Install

To start with, download the latest version of PowerBroker Identity Services from GitHub.

Alternatively, download it directly on the Ubuntu host with wget. This is the 64-bit package, so pick the release file that matches your architecture, and since you are about to run the downloaded script as root, make sure it comes from the official release page over HTTPS:

wget https://github.com/BeyondTrust/pbis-open/releases/download/8.5.3/pbis-open-8.5.3.293.linux.x86_64.deb.sh

Now set the execute bit and run the self-extracting installer with root privileges:

chmod +x pbis-open-8.5.3.293.linux.x86_64.deb.sh
sudo ./pbis-open-8.5.3.293.linux.x86_64.deb.sh

The installer asks a couple of questions; answer them as appropriate for your environment. Once the installation is done, it is time to join the machine to the domain.

PBIS Configuration

We are ready to proceed with the configuration. The PBIS tools live in /opt/pbis/bin/; run domainjoin-cli from there to join the host to an Active Directory domain:

sudo /opt/pbis/bin/domainjoin-cli join [DomainName] [DomainAccount]

where

DomainName - the DNS name of your domain
DomainAccount - a domain account allowed to create computer objects in the domain (for example administrator)

Example: sudo /opt/pbis/bin/domainjoin-cli join example.com administrator

When prompted, provide the password for that domain account. Domain Admins has the required rights, but a dedicated join account that has only been delegated the right to create and manage computer objects in the target OU is the safer choice. On successful authentication the command creates a computer account for your Ubuntu host in the domain and updates the local configuration (it also adds entries to /etc/hosts).
To check the domain settings of the Ubuntu host, run:

sudo /opt/pbis/bin/domainjoin-cli query

The command displays the name of the domain the computer has joined and the distinguished name of its computer object.

Example:

Name = hostname
Domain = example.com
Distinguished Name = CN=hostname,CN=Computers,DC=example,DC=com

Note: if you want to remove your Ubuntu computer from the domain, run

sudo /opt/pbis/bin/domainjoin-cli leave

Once joined, an important next step is to decide who may use sudo. To grant root privileges through sudo only to members of the AD group Domain Admins, add the line %domain^admins ALL=(ALL) ALL to the group section of /etc/sudoers (always edit it with visudo so a syntax error cannot lock you out). PBIS presents AD group names lowercased with spaces replaced by ^, which is why Domain Admins appears as domain^admins; if AssumeDefaultDomain (set below) is left at False, the group must be written with its domain prefix instead. The section then looks as follows:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL

Before relying on the rule, confirm that the group actually resolves on the host: sudo silently ignores a group name it cannot resolve, which is easy to mistake for a working lockdown.

The good thing about PBIS is that it offers many ways to customize logins: the domain prefix, the login shell, the home directory layout, who is allowed to log in, and so on. To set the defaults that apply to all domain users of this system, use the PBIS config tool.
Open a terminal and run the following commands:

Set the short domain name that is prepended to user names:

sudo /opt/pbis/bin/config UserDomainPrefix [Domain]

Assume the default domain, so users do not have to type the domain prefix every time:

sudo /opt/pbis/bin/config AssumeDefaultDomain True

Set the default login shell for domain users:

sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Put domain users' home directories under a per-domain subdirectory so they cannot collide with local users (%H is the home directory prefix, %D the domain, %U the user name):

sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U

Allow logins only for members of specific Active Directory security groups. Without this setting every user in the domain can log in to the host, so set it before the machine goes into service:

sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\\[SecurityGroup]"
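
The sudoers rule above and the AssumeDefaultDomain setting interact: the group name sudo has to match is exactly the one PBIS hands to NSS. The following script is an added example, not part of the original article and not PBIS's own tooling: it builds the sudo rule for an AD group in that form, checks that the group resolves on the host, and installs it as a syntax-checked drop-in under /etc/sudoers.d instead of editing /etc/sudoers by hand. It assumes PBIS defaults (names lowercased, spaces replaced with ^); EXAMPLE and "Domain Admins" are placeholders.

```sh
#!/bin/sh
# Added example, not from the original article: generate the sudo rule for an AD
# group in the form PBIS exposes it, install it as a drop-in, and check the
# group really resolves before relying on it.
# Assumptions: PBIS defaults (names lowercased, spaces replaced by "^"); the
# domain and group names below are placeholders.

# Map "Domain Admins" to "domain^admins", the name getent/id show for it.
pbis_group_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '^'
}

# sudoers_rule NETBIOS_DOMAIN "AD Group" [assume_default_domain]
# With AssumeDefaultDomain=True the bare group name is what NSS returns, so the
# rule uses it directly. Otherwise the group is "DOMAIN\group", and sudoers
# needs the backslash doubled because "\" is its escape character.
sudoers_rule() {
    dom=$1
    grp=$(pbis_group_name "$2")
    assume=${3:-true}
    if [ "$assume" = true ]; then
        printf '%%%s ALL=(ALL) ALL\n' "$grp"
    else
        printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$dom" "$grp"
    fi
}

# group_resolves NAME: succeeds if NSS (and therefore PBIS) knows the group.
# A rule for a group that does not resolve grants nobody anything.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# install_sudoers_dropin FILE RULE: write the rule, set the 0440 mode sudo
# insists on, and syntax-check it with visudo so a typo cannot break sudo.
install_sudoers_dropin() {
    file=$1
    rule=$2
    printf '%s\n' "$rule" > "$file" || return 1
    chmod 0440 "$file" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file"
    else
        echo "visudo not available, syntax check skipped" >&2
    fi
}

# Demonstration: show both forms of the rule, then dry-run the install into a
# temporary file (never straight into /etc/sudoers.d without the check).
rule=$(sudoers_rule EXAMPLE "Domain Admins")
echo "AssumeDefaultDomain=True : $rule"
echo "AssumeDefaultDomain=False: $(sudoers_rule EXAMPLE "Domain Admins" false)"
if group_resolves "$(pbis_group_name "Domain Admins")"; then
    echo "group resolves via NSS"
else
    echo "group does not resolve yet; check lsass/RequireMembershipOf before installing" >&2
fi
tmp=$(mktemp)
install_sudoers_dropin "$tmp" "$rule" || echo "rule rejected by visudo" >&2
rm -f "$tmp"
```

On a real host, point install_sudoers_dropin at a file such as /etc/sudoers.d/ad-admins and only do so once group_resolves succeeds; that check is the quickest way to settle whether group lookups work on your PBIS build.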

Next, edit the PAM common-session file:

sudo vi /etc/pam.d/common-session

Find the line that reads session sufficient pam_lsass.so and replace it with session [success=ok default=ignore] pam_lsass.so. With "sufficient", a success from pam_lsass ends the session stack immediately and the modules listed after it (for example pam_mkhomedir or pam_systemd) are skipped; the explicit control value records the success and lets the stack continue.

Then edit the lightdm greeter configuration and append the following lines under its [SeatDefaults] section:

sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

allow-guest=false
greeter-show-manual-login=true

allow-guest=false disables the passwordless guest session; greeter-show-manual-login=true lets you type a domain user name that does not appear in the local user list. Note that files under /usr/share are overwritten on package upgrades; a drop-in with the same content under /etc/lightdm/lightdm.conf.d/ survives them. If you are using Lubuntu 14.04, the lightdm configuration file is 60-lightdm-gtk-greeter.conf.

Test it!

Once satisfied with all the options, reboot the machine:

sudo reboot

and log in over SSH as a domain user (with AssumeDefaultDomain set to True the bare user name is enough; otherwise prefix it with the domain):

ssh [username]@[servername]

How to restart PBIS service

The PBIS agent is managed by the service manager daemon lwsmd, located at /opt/pbis/sbin/lwsmd. It controls the lsass service, which handles authentication, authorization, caching and idmap lookups. Because the authentication service enumerates trusts only on startup, restart lsass with the PBIS service manager after you modify a trust relationship:

sudo /opt/pbis/bin/lwsm restart lsass

How to uninstall PBIS using a command line

To uninstall PBIS from the command line, first leave the domain with the domainjoin-cli leave command shown earlier, so the computer account is removed from AD rather than left behind as a stale object, then run as root:

sudo /opt/pbis/bin/uninstall.sh uninstall

If you want to completely remove all PBIS-related files from your system, including its configuration and caches, run the purge action instead:

sudo /opt/pbis/bin/uninstall.sh purge

How to find and remove stale computers in Active Directory

Many organizations define a maximum inactivity period for AD accounts; accounts that have been inactive for longer than that should be disabled or deleted. It is strongly recommended to find and review the inactive accounts before deleting anything. Here we use the Windows command prompt on a domain controller: the dsquery command searches AD for objects matching the given criteria (for instance, computers inactive for a given number of weeks), and its results can be piped into the dsmod and dsrm commands to disable or delete those objects.

To list the computers that have not logged on for at least four weeks, run the following (the -inactive switch takes the number of weeks; -limit 0 removes the default cap of 100 results):

dsquery computer -inactive 4 -limit 0

Review that list first. Inactivity is judged from the lastLogonTimestamp attribute, which is replicated lazily and can lag the real last logon by up to 14 days, so keep the threshold comfortably above that. To disable the inactive computers, run:

dsquery computer -inactive 4 -limit 0 | dsmod computer -disabled yes

After they have stayed disabled for an agreed grace period, you can delete them. Note that the following removes every disabled computer object, not only the ones disabled in the previous step, so make sure that is what you want:

dsquery computer -disabled -limit 0 | dsrm -noprompt

Instead of disabling the inactive computers first, you can delete them directly. Since -noprompt suppresses the confirmation, do this only after reviewing the list:

dsquery computer -inactive 4 -limit 0 | dsrm -noprompt
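
Because dsquery -inactive judges staleness from lastLogonTimestamp but hides the actual date, it helps to compute the age yourself and review the result before anything reaches dsmod or dsrm. The following POSIX shell script is an added example, not part of the original article: it converts Windows FILETIME values to Unix time and reports the computers older than a threshold, flagging accounts with no recorded logon separately. It assumes the input was exported on a domain controller with dsquery * -attr distinguishedName lastLogonTimestamp and reduced to two tab-separated columns; the three records embedded in it are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original article: decide which computer accounts
# are stale from lastLogonTimestamp yourself, so the list can be reviewed
# before anything is piped into dsmod or dsrm.
#
# Assumed input (constructed for this example): one record per line, in the form
#   DN<TAB>lastLogonTimestamp
# as obtained by exporting
#   dsquery * -filter "(objectCategory=computer)" -attr distinguishedName lastLogonTimestamp -limit 0
# from a domain controller and tab-separating the two columns (DNs may contain
# spaces, so never split on plain whitespace). A missing or zero timestamp means
# the account has no recorded logon.

# Windows FILETIME is 100-nanosecond ticks since 1601-01-01 UTC; the Unix epoch
# begins 11644473600 seconds later.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# stale_computers DAYS NOW_EPOCH
# Reads records on stdin and prints "DN<TAB>last-logon-epoch" (or "never") for
# every account older than DAYS. NOW_EPOCH is a parameter rather than date(1)
# so a run is reproducible and testable.
stale_computers() {
    days=$1
    now=$2
    cutoff=$(( now - days * 86400 ))
    tab=$(printf '\t')
    while IFS="$tab" read -r dn ft; do
        [ -n "$dn" ] || continue
        case "$ft" in
            ''|0)
                printf '%s\t%s\n' "$dn" never ;;
            *)
                last=$(filetime_to_epoch "$ft")
                if [ "$last" -lt "$cutoff" ]; then
                    printf '%s\t%s\n' "$dn" "$last"
                fi ;;
        esac
    done
}

# Constructed sample: WS01 last seen in 2020, WS02 a few days before "now",
# WS03 has never logged on.
SAMPLE=$(printf 'CN=WS01,CN=Computers,DC=example,DC=com\t132500000000000000\nCN=WS02,CN=Computers,DC=example,DC=com\t133434736000000000\nCN=WS03,CN=Computers,DC=example,DC=com\t0\n')

# "now" pinned to 1700000000 (2023-11-14) with a 90-day threshold: WS01 and WS03
# are reported, WS02 is not. lastLogonTimestamp replicates lazily (it can lag the
# real last logon by up to 14 days), so keep the threshold well above that.
printf '%s\n' "$SAMPLE" | stale_computers 90 1700000000
```

Against a real export, call stale_computers 90 "$(date +%s)" instead; the pinned timestamp in the demonstration exists only so the output is reproducible. Feed the reviewed DNs to dsrm yourself rather than piping the raw dsquery output into it.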

Conclusion

This article is a continuation of the earlier article on integrating LDAP with Active Directory. There are several ways to authenticate Linux servers against Microsoft Active Directory, such as Samba/Winbind, Centrify, etc., and PBIS installers are available in both deb and rpm format, supporting RHEL, Ubuntu, CentOS, Debian, etc. Nevertheless, the instructions above have only been tested on Ubuntu 14.04 LTS. With minimal tweaking these steps should also work on other distributions. Older, now deprecated, versions of Likewise-Open work in a similar fashion to PBIS-Open and may be required on older distributions.

Sergej Kalenichenko 2:15 am

About Sergej Kalenichenko

Sergej Kalenichenko is working with Linux/Hadoop and Big Data technologies since 2015. His life credo - "Well done is better than well said". Apart from permanent work and freelancing, he writes articles for the community. He is passionate about newest and latest IT technologies.


Comments


7 Comments

  1. Hi, we have installed PowerBroker in our environment on all Linux servers, RHEL6 and RHEL7.

    Whenever we join the AD it affects all the virtual IPs. Could someone help me understand why the AD join impacts the virtual IPs on interfaces with VLANs configured?

  2. Thanks for the comprehensive article, but is there any way I could restrict only one domain user to log in via SSH to that machine? I tried AllowUsers in /etc/ssh/sshd_config on Ubuntu 16.04, but it seems to recognize only local users!

  3. Works perfectly, but would you mind elaborating on what exactly the changes inside /etc/pam.d/common-session are meant to do? On Ubuntu 18.04 there is no such line anyway.

  4. Are you sure the solution with domain^admins in the sudoers works? AFAIK the open edition of PBIS does not support groups, only their enterprise version.

  5. Thanks a lot, it's done. Can you please do a favor for me?
    After logging in to Kubuntu 18.04 with an Active Directory login, the session lock screen does not show the logged-in user's name.
    If there are multiple logins on the system, it's difficult to identify which user is mine.