PowerBroker Identity Services Open

Download link: https://github.com/BeyondTrust/pbis-open/releases

PBIS AD membership, basic setup for Linux (RPM)

# Unattended mode
./pbis-open-8.5.4.334.linux.x86_64.rpm.sh install

/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes your.domain.com yourname

# Write the configuration file (quoted heredoc so nothing inside is expanded)
cat <<'EOT' > /etc/pbis.conf
rem AD domain: YOUR
AssumeDefaultDomain true
HomeDirTemplate "%H/%D/%U"
LoginShellTemplate "/bin/bash"
RemoteHomeDirTemplate ""
CacheEntryExpiry "00000060"
EOT

/opt/pbis/bin/config --file /etc/pbis.conf

/opt/pbis/bin/update-dns

Login/Server Access Rights

In the /etc/pbis.conf file, before HomeDirTemplate, add or modify a line beginning with 'RequireMembershipOf'. RequireMembershipOf specifies a comma-separated list of AD groups; to log in to the system the user must belong to at least one of the listed groups, e.g.:
RequireMembershipOf "your\\group1" "your\\group2"

To apply a new configuration, you need to run /opt/pbis/bin/config --file /etc/pbis.conf manually.
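Added audit helper (example code, not PBIS's own tooling): it parses a pbis.conf in the format shown above and warns when RequireMembershipOf is absent, which is the state in which every AD user can log in to the host. The group names are the placeholder ones from this page.

```shell
# Print one allowed login group per line; empty output when the setting is absent.
# Handles both the space-separated quoted form shown above and a comma-separated list.
pbis_conf_login_groups() {
    grep '^RequireMembershipOf' "$1" \
        | sed 's/^RequireMembershipOf[[:space:]]*//' \
        | tr -d '"' \
        | tr ' ,' '\n\n' \
        | sed '/^$/d'
}

# Return 0 and list the groups when logins are restricted; return 1 with a
# warning when the file leaves every AD user able to log in.
pbis_conf_check() {
    allowed=$(pbis_conf_login_groups "$1")
    if [ -z "$allowed" ]; then
        echo "WARNING: $1 has no RequireMembershipOf; every AD user can log in" >&2
        return 1
    fi
    echo "Login to this host restricted to:"
    echo "$allowed" | sed 's/^/  /'
}

# Demo on a constructed file (hypothetical content mirroring the config above).
pbis_conf_demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'AssumeDefaultDomain true' \
        'RequireMembershipOf "your\\group1" "your\\group2"' \
        'HomeDirTemplate "%H/%D/%U"' > "$tmp"
    pbis_conf_check "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run pbis_conf_check against /etc/pbis.conf after every config change; a non-zero exit means the host accepts logins from the whole domain.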

SUDO Rights

Use the visudo command and add the name of the AD group, prefixed with %, using standard sudoers syntax, e.g.:
%group1 ALL=(ALL) ALL

PBIS Utilities

A number of useful scripts are available in the /opt/pbis/bin directory. Most of these scripts are self-documenting and support, e.g., the --help argument.
/opt/pbis/bin/get-status                        # show AD connection/status information
/opt/pbis/bin/find-user-by-name                 # look up an AD user by name
/opt/pbis/bin/find-group-by-name                # look up an AD group by name
/opt/pbis/bin/list-groups-for-user [--level=2]  # show group membership for a user

There are many more useful scripts in this directory; it's worth exploring.

Delegate rights using Active Directory Users and Computers for PBIS computer join user

This process allows a specific user or group to manage a container (or a section of the AD tree) so that the account used for domainjoin-cli does not need broader rights.
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the container under which you want the computers added, and press Delegate Control.
3. Press Next.
4. Press Add.
5. After adding all the users and/or groups, press Next.
6. Select Create custom task to delegate and press Next.
7. Select Only the following objects in the folder, check Computer objects, check the "Create selected objects in this folder" and "Delete selected objects in this folder" boxes, and press Next.
8. Check the "Create all child objects" and "Delete all child objects" boxes and press Next.
9. Press Finish.

ISSUES

If PBIS just stopped working and you get "Error: ERROR_FILE_NOT_FOUND code 0x00000002" after "service lwsmd restart", remove it completely:
/opt/pbis/bin/domainjoin-cli leave
/opt/pbis/bin/uninstall.sh uninstall

and reinstall/reconfigure:

./pbis-open-8.5.4.334.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes your.domain.com yourname
