How to join Linux desktop to NethServer AD (problem only with login): user refused after password

Download and Install

To start with, we need to download the latest version of PowerBroker Identity Services from GitHub.

Also, you can download it by simply running the following command on Ubuntu OS:

wget https://github.com/BeyondTrust/pbis-open/releases/download/8.5.3/pbis-open-8.5.3.293.linux.x86.deb.sh

https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh

Now, you need to set the execution bit and execute the package with root privileges:

chmod +x pbis-open-8.5.3.293.linux.x86_64.deb.sh

sudo ./pbis-open-8.5.3.293.linux.x86_64.deb.sh

It will ask a couple of questions during installation, so choose options accordingly. Once the installation is done, it's time to join the machine to the domain.

PBIS Configuration

We are ready to proceed with configuration. Please navigate to the /opt/pbis/bin/ directory and run the domainjoin-cli command to join a host to an Active Directory domain.

cd /opt/pbis/bin/

sudo domainjoin-cli join [DomainName] [DomainAccount]

sudo domainjoin-cli join ad.tpt.local administrator

where,

DomainName - the name of your domain
DomainAccount - your domain account (user@domainname)

Example: sudo domainjoin-cli join example.com administrator

When prompted, please provide Active Directory administrator’s password.

On error joining AD, do:

sudo apt-get remove avahi-daemon

sudo domainjoin-cli join example.com administrator

sudo apt-get install avahi-daemon

and reboot

sudo pam-auth-update

reboot


On successful authentication, the command adds your Ubuntu computer as a member of the domain. The command also adds entries in the /etc/hosts file.
To check Ubuntu domain setting you need to run the following command from your terminal:

sudo domainjoin-cli query

The command will display the name of the domain to which your Ubuntu computer has joined.

Example:

Name = username
Domain = example.com
Distinguished Name = CN=username,CN=Computers,DC=example,DC=com

Note: If you want to remove your Ubuntu computer from the domain, you need to run

sudo domainjoin-cli leave

Once joined to the domain, an important thing to do is to restrict access to the sudoers group to members of the Domain Admins group only. This can be accomplished by updating the /etc/sudoers file, adding %domain^admins ALL=(ALL) ALL in the group section so the sudoers file section looks as follows:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL

The good thing about using PBIS is that it allows multiple ways to customize the login, domain prefix, login shell, folder name, etc. In order to set up the default configuration for domain users, you need to use PBIS to set the environment for all required domain users that will log in to the system.
Please open the terminal and run the following commands:

sudo /opt/pbis/bin/config UserDomainPrefix [Domain]

Set domain prefix

sudo /opt/pbis/bin/config AssumeDefaultDomain True

Set this to 'true' to avoid entering domain names all the time

sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Set default shell

sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U

Set a different home dir than the local users on the machine

sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\[SecurityGroup]"

Set specific Active Directory security groups

Next step, you need to edit the pam.d common-session file. Please type in the terminal:

sudo vi /etc/pam.d/common-session

Navigate to the line that reads "session sufficient pam_lsass.so" and replace it with "session [success=ok default=ignore] pam_lsass.so".

Then, we need to edit the lightdm configuration file and append the following lines:

sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

allow-guest=false
greeter-show-manual-login=true

Please note that if you are using Lubuntu 14.04, your lightdm configuration file will be 60-lightdm-gtk-greeter.conf.

Issue: login not permitted, but it sees the users.
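The two file edits from the post above (the pam.d common-session line and the lightdm greeter settings), as an added example that is not part of the original post: idempotent shell functions that apply each edit to a file given as argument and verify the result, plus a demo on constructed sample files. Function names and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): applies the two file edits from
# the howto idempotently, so re-running them never duplicates lines.
# File paths are arguments, so the functions can be tried on copies first.

# PAM: "session sufficient pam_lsass.so" ends the session stack as soon as
# lsass succeeds, so modules listed after it (pam_mkhomedir, pam_systemd, ...)
# are skipped; "[success=ok default=ignore]" lets the stack continue.
fix_pam_session() {
    f="$1"
    [ -f "$f" ] || { echo "fix_pam_session: missing $f" >&2; return 1; }
    if grep -Eq '^session[[:space:]]+sufficient[[:space:]]+pam_lsass\.so' "$f"; then
        sed -E 's/^session[[:space:]]+sufficient[[:space:]]+pam_lsass\.so/session [success=ok default=ignore] pam_lsass.so/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    # Success only if the rewritten line is now present exactly once.
    [ "$(grep -Ec '^session[[:space:]]+\[success=ok default=ignore\][[:space:]]+pam_lsass\.so' "$f")" = 1 ]
}

# LightDM greeter: set each key in place if present, append it otherwise,
# so guest login stays disabled and the manual-login box is shown.
fix_lightdm_greeter() {
    f="$1"
    [ -f "$f" ] || { echo "fix_lightdm_greeter: missing $f" >&2; return 1; }
    for kv in 'allow-guest=false' 'greeter-show-manual-login=true'; do
        key="${kv%%=*}"
        if grep -Eq "^${key}=" "$f"; then
            sed -E "s/^${key}=.*/${kv}/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        else
            printf '%s\n' "$kv" >> "$f"
        fi
    done
    grep -q '^allow-guest=false$' "$f" && grep -q '^greeter-show-manual-login=true$' "$f"
}

# Demo on constructed copies (sample content, not real system files).
demo() {
    demo_dir=$(mktemp -d)
    printf 'session required pam_unix.so\nsession sufficient pam_lsass.so\nsession optional pam_systemd.so\n' > "$demo_dir/common-session"
    printf '[Seat:*]\ngreeter-session=unity-greeter\nallow-guest=true\n' > "$demo_dir/50-unity-greeter.conf"
    fix_pam_session "$demo_dir/common-session" && fix_lightdm_greeter "$demo_dir/50-unity-greeter.conf" || return 1
    cat "$demo_dir/common-session" "$demo_dir/50-unity-greeter.conf"
    rm -rf "$demo_dir"
}
```

Run the functions against copies of the real files first; each returns non-zero if the expected line is not present afterwards.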


Hi @Vitor_Hugo_Barbosa
Thank you for this howto. I am curious why you chose PBIS-Open to join your Linux client to Samba4 AD? IMO it is introducing extra (unnecessary?) packages, because PBIS-Open uses a mandatory agent on every client.
Why not use a more traditional option and install the realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools packages, so you don't need a 3rd-party agent?
I remember I used PBIS-Open in the past on an LTSP environment with a Zentyal host.

Also a concern is the ‘other services’ provided by BeyondTrust. Those don’t seem to be opensource? So when you start with PBIS-Open, you will run into non free software sooner or later…

Looking through the documentation, I must say that decent docs on joining a NethServer Samba4AD is lacking. In the documentation I only find creation of users and homedirs and groups etc… but device accounts are completely neglected.

@support_team @docs_team @dev_team Can we start an extra chapter on adding device accounts to the Samba4 AD account provider, with an explanation of the different approaches (SSSD vs Winbind vs PBIS-Open) and how to manage them?

If we want to be a viable alternative for Windows Server, IMO this should be added.


Hi Rob, thanks for the explanation. I just want to include the easy steps, without many extra terminal steps, but this one has caveats… Trying the traditional way with Samba and getting out of pbis-open by cleaning it up.

Hi Rob, I've solved the issue with a tutorial to join by the conventional means, and even the user files in Ubuntu desktop or other are stored on /var/lib/nethserver/home/username.
I was able to log in etc. :). I will test on another machine, on the first-place Linux desktop, trying to see if the document that I've created can be accessed on another PC, like roaming profiles but in Ubuntu or another distro.


Hi Vitor,

Are all the users of the linux stations imported automatically to AD or did you have to import them manually?

If they were automatically imported, did you have to do something with their passwords?

If you also have a Windows station joined to AD, can you use RSAT and see all the users of all the stations (Linux and Windows)?

I am asking those questions because when I install AD as Account Provider on a NethServer, I have to import the users and groups into AD. Doing so, it seems that the importation is creating new passwords for the imported users: the old passwords don't work.

If AD doesn't create new passwords, it might be that it cannot compare with the original encrypted passwords because it uses a different algorithm for encryption…

If your users with their passwords are automatically imported, it means that there is something missing with the installation of AD as Account provider because of the above problem.

Also, the installation of AD changes the user:group of the home directory to uid:uid. With a script, I had to change it recursively to user:domain users@FQDN i.e for the user toto it then became toto@FQDN:domain users@FQDN.

I had to do nothing to the mail directories because AD used the same FQDN for the NetBIOS domain name but without the final TLD.

For the password, after a suggestion from Markus: [SOLVED- almost] AD as the Account provider - changing user password, I used the "bad methods like storing the passwords in clear text", because with encrypted passwords, AD was not able to compare the new password it encrypts to the original stored encrypted one. That is why I think that AD uses a different algorithm to encrypt the password…

Michel-André

hello

1st - The users created in AD with RSAT will be shown automatically on your Linux machines, and the machine (Linux) will be added to RSAT; the procedure is global. Only the join procedure in Linux is a global procedure, regardless of the users or groups.

In fact the rights are applied, for example, to a simple NethServer AD user… if you want to go to Settings on your Ubuntu desktop while logged into an AD account successfully, it demands the local machine administrator password, but you can choose, I think, in user preferences on the local Linux PC… to investigate…

2nd - No, the passwords are applied normally in this configuration with sssd and realm, which makes NethServer manage the rest of the stuff…

3rd - It's weird, because if you create the users on both sides it will synchronize (RSAT and NethServer), and with RSAT the password policies are better managed.

PS: I chose to make the AD on NethServer with the Windows AD provider (with an AD network IP container on it, a free IP address from the green interface DHCP), not the OpenLDAP service (the first one).

"I have to import the users and groups into AD. Doing so, it seems that the importation is creating new passwords for the imported users: the old passwords don't work." It seems you have a weird problem, because for me it always works on both sides (user passwords) out of the box;

it even renews it, because I chose that in the NethServer GUI, but you can also put "password expires" in RSAT, and it's working for me without issues…

Hi again Vitor,

Can you explain a little bit more because I think your way will resolve my password problem…

Michel-André

The thing is, have you tried to recreate your password from a Windows machine with RSAT? Try to operate from there: users, passwords, etc. I think it was the thing that worked better for me, with more options.
On your Windows machine open cmd as administrator and write the following: gpupdate /force. An important issue that I had faced: for the NTP server that you have in the NethServer config, for the synchronisation of AD, choose one from this site https://www.pool.ntp.org/fr/ (in your near local area) and paste it into NethServer.


In the Account tab for password changes (I think).

Try also to see if the accounts are locked (maybe nothing to do with that, but why not :)).

Hi,

I wrote a few HowTos about joining Linux Desktops to NS…

# HowTo join Fedora 27 Desktop to NethServer-7 Active Directory
https://community.nethserver.org/t/howto-join-fedora-27-desktop-to-nethserver-7-active-directory/8607/4

# HowTo join xUbuntu 16.04 Desktop to NethServer-7 AD and automount ServerHomeDir
https://community.nethserver.org/t/howto-join-xubuntu-16-04-desktop-to-nethserver-7-ad-and-automount-serverhomedir/8624/4

# HowTo join Debian 9 Desktop to NethServer-7 Active Directory
https://community.nethserver.org/t/howto-join-debian-9-desktop-to-nethserver-7-active-directory/8608

# HowTo join openSUSE Tumbleweed Desktop to NethServer-7 Active Directory
https://community.nethserver.org/t/howto-join-opensuse-tumbleweed-desktop-to-nethserver-7-active-directory/8619

Maybe this can help you?


Hi there fausp, I have successfully joined the Active Directory and logged in with users.

I will check your tutorials for sure!!

Thanks a lot fausp.

You are welcome!