There are several ways to authenticate Linux servers against Microsoft Active Directory, such as Samba/Winbind, Centrify, etc. During my research I came across another tool called PowerBroker Identity Services (PBIS) by BeyondTrust. BeyondTrust took over a company previously known as Likewise Open and rebranded it as PBIS Open. They have released Enterprise and Community editions of PBIS. I am using the open-source edition for Active Directory bridging.
Installers are available in both Debian and RPM package formats, supporting RHEL, Ubuntu, CentOS, Debian, etc. Download the latest version for the OS architecture you are dealing with, set the execute bit, and run the package with root privileges:
It will ask a couple of questions during installation, so choose the options accordingly. Once installation is done, it's time to join the machine to the domain. Make sure the AD credentials you use have domain-join privileges:
Once joined to the domain, the important thing to do is to restrict access to the sudoers group to members of the Domain Admins group only. This can be accomplished by updating the /etc/sudoers file, adding %domain^admins ALL=(ALL) ALL in the group section so that the sudoers file section looks as follows (make sure the syntax of the line matches the already existing line):
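A check that can be run after the edit, as an added example that is not part of the original post: it lists every group with a rule in a sudoers file and flags any group outside an allowlist. The function names, the `ALLOWED_GROUPS` list and the sample file contents are assumptions made for illustration, and the group is assumed to be written without a domain prefix, as above.

```shell
#!/bin/sh
# Added example: list which groups a sudoers file grants rules to.
# ALLOWED_GROUPS is an assumption: typical local admin groups plus the
# AD group from the post. Adjust it to the host being checked.
ALLOWED_GROUPS='admin sudo wheel domain^admins'

# Print every %group with a rule in file $1, one per line.
# Files pulled in by include directives are not followed; audit them separately.
sudoers_groups() {
    awk '/^[ \t]*%/ { g = $1; sub(/^%/, "", g); print g }' "$1" |
        LC_ALL=C sort -u
}

# Succeed only if file $1 has a rule for group $2 (exact match).
has_group_rule() {
    sudoers_groups "$1" | grep -Fxq -- "$2"
}

# Print groups in file $1 that have rules but are not in ALLOWED_GROUPS.
# Returns 0 when there are none, 1 otherwise.
unexpected_sudo_groups() {
    rc=0
    for g in $(sudoers_groups "$1"); do
        case " $ALLOWED_GROUPS " in
            *" $g "*) ;;
            *) echo "$g"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample sudoers content, not taken from a real host.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
%domain^admins ALL=(ALL) ALL
%domain^users ALL=(ALL) NOPASSWD: ALL
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
has_group_rule "$sample" 'domain^admins' && echo "OK: domain^admins rule present"
if ! extra=$(unexpected_sudo_groups "$sample"); then
    echo "REVIEW: unexpected groups with sudo rights: $extra"
fi
rm -f "$sample"
```

On a real host, point the functions at /etc/sudoers as root, and run `visudo -c` first so that a syntax error is caught before anyone needs sudo.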
A good thing about PBIS is that it offers multiple ways to customize the login, domain prefix, login shell, folder name, etc. For example, I make the following changes to the original configuration to make it look the way I want:
The main config file of PBIS is /opt/pbis/bin/config, and running a dump of that file will show all the options that have been set in the previous step:
Once satisfied with all the options, just reboot the machine and log in:
Feel free to let me know if you have any questions and I will be happy to assist.