PowerBroker Identity Service
PowerBroker Identity Service (pbis for short) is a utility that simplifies integrating Unix/Linux systems with Microsoft Active Directory.
The source code can be found on their GitHub page at https://github.com/BeyondTrust/pbis-open
Compiled binaries can be installed from their repo as well. More information at https://repo.pbis.beyondtrust.com/yum.html
# cd /etc/yum.repos.d
# wget http://repo.pbis.beyondtrust.com/yum/pbiso.repo
# yum clean all
# yum install pbis-open
The pbis binaries are located in /opt/pbis by default.
To join a computer to the domain:
## Assuming /opt/pbis/bin/ is in your PATH.
# domainjoin-cli join CS.UCALGARY.CA admin-user
## The samba interop
# samba-interop-install --install
## Once joined, you can set some settings using the config tool
# config UserDomainPrefix CS.UCALGARY.CA
# config AssumeDefaultDomain true
# config LoginShellTemplate /bin/bash
You can either restart or ensure that the lsass daemon is running. Your nsswitch.conf file should also be using lsass for passwd and group.
Note: I had to manually join the domain via net ads as well before things started working... Not sure if this is an issue with the project or what.
Once everything is working, you should be able to see accounts on the domain.
# id leo
uid=897057976(CS\leo) gid=897057281(CS\domain^users) groups=897057281(CS\domain^users),897058359(CS\wheel),897058194(CS\ilab_admin),897058139(CS\gradcom),897058732(CS\aselab),897093370(CS\pc449),897093371(CS\vpn^access),897058698(CS\cstech),897065970(CS\sccm^amt^admins),897057887(CS\staff),897058146(CS\ebe),897065718(CS\sccm_users_unix_ws),897058333(CS\pjtr239),897058334(CS\pjtr176),897058170(CS\grouplab),897058335(CS\pjtr160),897057895(CS\offstaff),897058337(CS\visagg),897064874(CS\scvmmadmins),897065473(CS\sccm_users),897065474(CS\sccm_users_windows_ws),897058254(CS\colour2),897094974(CS\sccm_users_mac_ws),897090114(CS\jungle_admin),897077971(CS\surfnet)
If things don't work, check the domain status by running
net ads info should also be working.
After joining the domain, there should be a keytab file in /etc/krb5.keytab which can be viewed using the bundled klist utility (or from krb5-workstation).
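The nsswitch.conf and keytab expectations above can be checked with a short script. This is an added example, not part of pbis or of the original page; the function names are hypothetical, and the rule that the keytab must carry no group or other permission bits is an assumption added here, since the file holds the machine account's keys.

```shell
#!/bin/sh
# Added example: post-join checks for a host joined with pbis.

# nss_uses_lsass FILE DB: succeed if DB (passwd, group) lists the lsass source.
nss_uses_lsass() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                       # strip comments
        {
            n = index($0, ":"); if (!n) next
            name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            cnt = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= cnt; i++) if (src[i] == "lsass") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# keytab_is_private FILE: succeed if FILE exists with no group/other permission
# bits. Assumption added here: the keytab holds the machine account keys, so
# only its owner should be able to read it.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_join NSSWITCH KEYTAB: print one line per finding, return the count.
check_join() {
    fails=0
    for db in passwd group; do
        nss_uses_lsass "$1" "$db" || { echo "FAIL: $db does not use lsass"; fails=$((fails + 1)); }
    done
    keytab_is_private "$2" || { echo "FAIL: $2 missing or group/world accessible"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: nsswitch and keytab look sane"
    return "$fails"
}

# Constructed sample files so the example runs without a joined host.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'passwd:  files lsass' \
    'group:   files   # lsass missing' > "$demo/nsswitch.conf"
: > "$demo/krb5.keytab"; chmod 644 "$demo/krb5.keytab"
check_join "$demo/nsswitch.conf" "$demo/krb5.keytab" || echo "findings: $?"
```

On a joined host, run check_join /etc/nsswitch.conf /etc/krb5.keytab as root; a non-zero exit status is the number of failed checks.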
Cannot Join Domain
When running the domainjoin-cli command, the join fails with an error:
pbis undocumented exception 0x00009efc
This was fixed only after a reinstall of pbis via yum. An strace seems to suggest that pbis can't talk to its registry service for some reason and starting the lwsmd service didn't help either.