In this article, we will install and configure PowerBroker Identity Services (PBIS) on the Ubuntu 14.04 in order to join together with Windows Active Directory. We also will consider how to remove stale computer account from AD using dsquery command.
Download and Install
To start with, we need to download the latest version of PowerBroker Identity Services from GitHub
Also, you can download it by simply running following command on Ubuntu OS:
wget https://github.com/BeyondTrust/pbis-open/releases/download/8.5.3/pbis- open-22.214.171.1243.linux.x86.deb.sh
Now, you need to set execution bit and execute the package with root privileges:
chmod +x pbis-open-126.96.36.1993.linux.x86_64.deb.sh
It will ask a couple of question during installation so choose options accordingly. Once the installation is done its time to join the machine to the domain.
We are ready to proceed with configuration. Please navigate to /opt/pbis/bin/ directory and run domainjoin-cli command to join a host to an Active directory domain.
cd /opt/pbis/bin/ sudo domainjoin-cli join [DomainName [DomainAccount]
DomainName - the name of your domain
DomainAccount - your domain account (user@domainname)
Example: sudo domainjoin-cli join example.com administrator
When prompted, please provide Active Directory administrator's password. On successful authentication, the command adds your Ubuntu computer as a member of the domain. The command also adds entries in the /etc/hosts file.
To check Ubuntu domain setting you need to run the following command from your terminal:
sudo domainjoin-cli query
The command will display the name of the domain to which your Ubuntu computer has joined.
Name = username
Domain = example.com
Distinguished Name = CN=username,CN=Computers,DC=example,DC=com
Note: If you want to remove your Ubuntu computer from the domain, you need to run
sudo domainjoin-cli leave
Once joined to the domain important thing to do is to restrict access to sudoers group to members of Domain Admin group only. This can be accomplished by updating /etc/sudoers file by adding %domain^admins ALL=(ALL) ALL in group section so sudoers file section looks as follows:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL
The good thing about using PBIS is that it allows multiple ways to customize the login, domain prefix, login shell, folder name, etc. In order to set up default configuration for domain users, you need to use PBIS to set the environment for all required domain users that will be logged to the system.
Please open the terminal and run following commands:
sudo /opt/pbis/bin/config UserDomainPrefix [Domain]
Set domain prefix
sudo /opt/pbis/bin/config AssumeDefaultDomain True
Set this to 'true' avoid entering domain names all the time
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
Set default shell
sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U
Set different home dir then the local users on the machine
sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\\[SecurityGroup]"
Set specific Active Directory security groups
Next step, you need to edit the pamd.d common-session file. Please type in terminal:
sudo vi /etc/pam.d/common-session
Navigate to the line that states session sufficient pam_lsass.so and replace it with session [success=ok default=ignore] pam_lsass.so
Then, we need to edit the lightdm configuration file and append the following lines:
sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
Please note, that if you are using Lubuntu 14.04 your lightdm configuration file will be 60-lightdm-gtk-greeter.conf
Once satisfied with all the options just reboot the machine:
How to restart PBIS service
The PBIS agents are composed of the service manager lwsmd daemon, that is located in /opt/pbis/sbin/lwsmd. This daemon includes lsass service, that handles authentication, authorization, caching and ldmap lookups. Because the authentication service registers trusts only on startups, you should restart lsass with the PBIS Service Manager after you modify a trust relationship. To restart the service simply run:
/opt/pbis/bin/lwsm restart lsass
How to uninstall PBIS using a command line
To uninstall PBIS by using a command, run the following command:
If you want to completely remove all PBIS related files from you system, please run purge process:
How to find and remove stale computers in Active Directory
Some organizations have their maximum inactivity period that can be allowed for the AD accounts. So, accounts that were being inactive for such period of time should be deleted. But it is highly recommended that you first find out all the inactive accounts before deleting them. In our article, we will use Command Prompt. Finding inactive accounts, and disabling or deleting them can be performed using the command prompt, by using dsquery command.
Basically, the dsquery command searches for AD objects according to the specified criteria (for instance, inactive account for specific period of time). Later on, the search results can be given as input to dsmod and dsrm commands in order to disable and delete accounts. To start with, you need to open Command Prompt on AD host. Then, to find the computers that are inactive, please run:
dsquery computer -inactive
Now, to disable inactive computers, please run:
dsquery computer -inactive | dsmod computer -disabled yes
After disabling then, you are allowed to delete them by running:
dsquery computer -disabled | dsrm -noprompt
Please note, that instead of disabling the inactive computers firs, you can directly delete them by running:
dsquery computer -inactive | dsrm -noprompt
This article is a continuation of the earleir article on integrating LDAP with Active Directory. There are several ways to authenticate Linux servers against Microsoft Active Directory such as Samba/Winbind, Centrify, etc. and installers are available for both debian and rpm package format supporting RHEL, Ubuntu, CentOS, Debian, etc. Nevertheless, provided instructions have only been tested on Ubuntu 14.04 LTS Distribution. With minimal tweaking these steps should also work for other distributions. Older and now deprecated versions of Likewise-Open should work in a similar fashion as PBIS-Open, and may be required on older distributions.