PowerBroker Identity Service

From Leo's Notes
Last edited on 14 June 2020, at 22:18.

PowerBroker Identity Service (pbis for short) is a utility that simplifies integrating Unix/Linux systems with Microsoft Active Directory.

Installation

The source code can be found on their GitHub page at https://github.com/BeyondTrust/pbis-open

Compiled binaries can also be installed from the BeyondTrust yum repository. More information at https://repo.pbis.beyondtrust.com/yum.html

# cd /etc/yum.repos.d
# wget http://repo.pbis.beyondtrust.com/yum/pbiso.repo
# yum clean all
# yum install pbis-open

Quick Usage

The pbis binaries are located in /opt/pbis by default.

To join a computer to the domain:

## Assuming /opt/pbis/bin/ is in your PATH.
# domainjoin-cli join CS.UCALGARY.CA admin-user

## The samba interop
# samba-interop-install --install

## Once joined, you can set some settings using the config tool
# config UserDomainPrefix CS.UCALGARY.CA
# config AssumeDefaultDomain true
# config LoginShellTemplate /bin/bash

Either reboot or make sure the lsass daemon is running. Your nsswitch.conf file should also use lsass as a source for the passwd and group databases.

Note: I had to manually join the domain via net ads as well before things started working... Not sure if this is an issue with the project or what.

Once everything is working, you should be able to see accounts on the domain.

# id leo
uid=897057976(CS\leo) gid=897057281(CS\domain^users) groups=897057281(CS\domain^users),897058359(CS\wheel),897058194(CS\ilab_admin),897058139(CS\gradcom),897058732(CS\aselab),897093370(CS\pc449),897093371(CS\vpn^access),897058698(CS\cstech),897065970(CS\sccm^amt^admins),897057887(CS\staff),897058146(CS\ebe),897065718(CS\sccm_users_unix_ws),897058333(CS\pjtr239),897058334(CS\pjtr176),897058170(CS\grouplab),897058335(CS\pjtr160),897057895(CS\offstaff),897058337(CS\visagg),897064874(CS\scvmmadmins),897065473(CS\sccm_users),897065474(CS\sccm_users_windows_ws),897058254(CS\colour2),897094974(CS\sccm_users_mac_ws),897090114(CS\jungle_admin),897077971(CS\surfnet)

Troubleshooting

If things don't work, check the domain status by running domainjoin-cli query. net ads info should also work.

After joining the domain, there should be a keytab file at /etc/krb5.keytab, which can be viewed using the bundled klist utility (or the one from krb5-workstation).
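The two post-join checks mentioned above (nsswitch.conf using lsass for passwd and group, and the keytab being present under /etc/krb5.keytab) are easy to script. The following is an added example, not part of pbis or of the original note; it assumes the default paths from this page (/etc/nsswitch.conf, /etc/krb5.keytab, /opt/pbis/bin) and, for the daemon check, that `lwsm list` prints one line per service with the service name followed by its state, which is an assumption about pbis output rather than something the page documents. The keytab check also flags a world-readable keytab, since that file holds the host's long-term Kerberos key.

```shell
#!/bin/sh
# Added example: post-join sanity checks for a pbis host (not pbis's own tooling).

# check_nsswitch [FILE]: return 0 if both the passwd and group lines in FILE
# list lsass as a source, 1 otherwise. Comments are stripped before matching.
check_nsswitch() {
    file="${1:-/etc/nsswitch.conf}"
    for db in passwd group; do
        if ! sed 's/#.*//' "$file" | grep -E "^[[:space:]]*${db}:" | grep -qw lsass; then
            echo "nsswitch: '${db}' database does not use lsass" >&2
            return 1
        fi
    done
    return 0
}

# check_keytab [FILE]: return 0 if FILE exists, is non-empty and is not
# readable by "other"; 1 otherwise. A readable keytab leaks the host key.
check_keytab() {
    kt="${1:-/etc/krb5.keytab}"
    [ -s "$kt" ] || { echo "keytab $kt is missing or empty" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback; both yield an octal mode like 600
    perm=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$perm" in
        *[4567]) echo "keytab $kt is world-readable (mode $perm)" >&2; return 1 ;;
    esac
    # entries can be listed with: /opt/pbis/bin/klist -k "$kt" (MIT-style klist)
    return 0
}

# check_lsass: return 0 if lwsm reports the lsass service as running.
# Assumption: "lwsm list" prints "<service> <state> ..." one service per line.
check_lsass() {
    /opt/pbis/bin/lwsm list 2>/dev/null | grep -qE '^lsass[[:space:]]+running'
}

# run_checks: run everything and report; exits non-zero if any check fails.
run_checks() {
    rc=0
    check_nsswitch || rc=1
    check_keytab   || rc=1
    check_lsass    || { echo "lsass service is not running" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "pbis post-join checks passed"
    return "$rc"
}

# Only run the live checks when invoked with --run, so the functions can be
# sourced and tested against sample files without touching the real system.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh pbis-check.sh --run` on the joined host; each failing check prints the reason on stderr, so it slots into a config-management compliance step or a cron job without further wrapping.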

Cannot Join Domain

When running the domainjoin-cli command, the join fails with an error:

pbis undocumented exception 0x00009efc

This was fixed only after a reinstall of pbis via yum. An strace seems to suggest that pbis can't talk to its registry service for some reason and starting the lwsmd service didn't help either.