My l3g3nd

Authenticating Linux Machines Against Active Directory


There are several ways to authenticate Linux servers against Microsoft Active Directory, such as Samba/Winbind, Centrify, etc. During my research I came across another tool called PowerBroker Identity Services (PBIS) by BeyondTrust. BeyondTrust acquired Likewise Software and rebranded its Likewise Open product as PBIS Open. PBIS is released in an Enterprise edition and a free Open edition; I am using the Open edition for Active Directory bridging.

Installers are available in both Debian and RPM package formats, supporting RHEL, Ubuntu, CentOS, Debian, etc. Download the latest version matching the OS and architecture you are dealing with, set the execute bit and run the installer with root privileges:

chmod a+x
sudo ./

It will ask a couple of questions during installation, so choose options accordingly. Once installation is done it is time to join the machine to the domain. The second argument is the AD account used for the join (you will be prompted for its password), so make sure that account has domain-join privileges:

sudo domainjoin-cli join L3G3NDARY.ORG l3g3ndary

Once joined to the domain, the important thing to do is to restrict sudo (root) access to members of the Domain Admins group only. Note that every Domain Admin then gets root on every joined box, so a dedicated AD group created for Linux administration is the tighter choice if your environment allows it. PBIS presents AD names with spaces replaced by a caret, so "Domain Admins" becomes domain^admins. Edit /etc/sudoers with visudo (it checks the syntax before saving) and add %domain^admins ALL=(ALL) ALL in the group section so that section looks as follows. The group name must match exactly what getent group reports on the joined machine; if it does not, sudo never matches the rule and nobody notices until an admin is locked out:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL
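As an added example (this script is not part of the original post), the sudoers rule above generated and checked rather than typed by hand: an AD group name is converted into the form PBIS exposes to the OS, written to a drop-in under /etc/sudoers.d, and checked with visudo and getent before anyone relies on it. Assumptions, labelled in the code: PBIS lowercases group names and replaces spaces with ^ (its default space replacement), and when AssumeDefaultDomain is left at False the group must carry the NetBIOS prefix written as %DOMAIN\\group in sudoers. The group "Linux Admins" used in the demo is hypothetical.

```bash
#!/bin/bash
# Added example, not from the original post or the PBIS project.
# Generates and validates a sudoers drop-in for an AD group bridged via PBIS.
# Assumptions: PBIS exposes AD group names in lowercase with spaces replaced
# by '^' (default SpaceReplacement); with AssumeDefaultDomain=False the group
# needs a "DOMAIN\" prefix, which sudoers requires to be written as "\\".
# Always confirm the final name against `getent group` on the joined host.
set -eu

# "Domain Admins" -> "domain^admins" (PBIS naming convention, assumed above).
pbis_group_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '^'
}

# Render one sudoers rule. Optional second argument: NetBIOS domain prefix,
# only needed when AssumeDefaultDomain is False.
sudoers_line() {
    local group prefix=""
    group=$(pbis_group_name "$1")
    if [ $# -ge 2 ] && [ -n "$2" ]; then
        prefix="$2\\\\"            # expands to DOMAIN\\ as sudoers expects
    fi
    printf '%%%s%s ALL=(ALL) ALL\n' "$prefix" "$group"
}

# Write the rule to a drop-in file with the mode sudo insists on (0440).
render_sudoers_dropin() {
    local file="$1" group="$2" domain="${3:-}"
    sudoers_line "$group" "$domain" > "$file"
    chmod 0440 "$file"
}

# Validate a drop-in: visudo -c -f parses it without installing it; getent
# confirms the group actually resolves through PBIS. Each check is skipped
# with a note if the tool is absent, so the script can be dry-run anywhere.
validate_sudoers_dropin() {
    local file="$1" group="$2" rc=0
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null || { echo "syntax error in $file" >&2; rc=1; }
    else
        echo "note: visudo not found, syntax not checked" >&2
    fi
    if command -v getent >/dev/null 2>&1; then
        getent group "$(pbis_group_name "$group")" >/dev/null \
            || { echo "warning: group does not resolve; is the host domain-joined?" >&2; rc=1; }
    else
        echo "note: getent not found, group resolution not checked" >&2
    fi
    return "$rc"
}

# Demo: the rule from the post, and the prefixed form for AssumeDefaultDomain=False.
sudoers_line "Domain Admins"
sudoers_line "Domain Admins" L3G3NDARY
```

On a real host you would call render_sudoers_dropin /etc/sudoers.d/pbis-admins "Linux Admins" as root and then validate_sudoers_dropin with the same arguments; a non-zero exit means the rule should not be trusted yet. Keeping the rule in a drop-in rather than editing /etc/sudoers itself also means a typo cannot take down the main file.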

A good thing about PBIS is that it allows multiple ways to customize login: the domain prefix, login shell, home directory layout, etc. For example, I made the following changes to the default configuration to make it look the way I want:

sudo /opt/pbis/bin/config Local_LoginShellTemplate /bin/bash       # Set default shell for local PBIS accounts
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash             # Set default shell for AD accounts
sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U                 # Keep AD home dirs separate from local users' (e.g. /home/l3g3ndary/user)
sudo /opt/pbis/bin/config UserDomainPrefix l3g3ndary               # Set the domain prefix
sudo /opt/pbis/bin/config AssumeDefaultDomain True                 # Set to True to avoid typing the domain name at every login

/opt/pbis/bin/config is the tool that reads and writes PBIS settings (they are stored in the PBIS registry rather than in a text file); dumping it shows all current options, including the ones set in the previous step:

sudo /opt/pbis/bin/config --dump

Once satisfied with all the options, reboot the machine (or restart the PBIS authentication service with sudo /opt/pbis/bin/lwsm restart lsass) and log in over SSH with a domain account; with AssumeDefaultDomain set to True the bare username works without the domain prefix:

ssh username@servername

Feel free to let me know if there is any question(s) and I will be happy to assist.