Power Broker (formerly Likewise)

Goal / Scope

Successful Active Directory authentication using Power Broker Open (formerly Likewise), and configuration of its settings.

Background

Likewise has been around for quite a while now and can be used to join a Linux or Mac computer to an Active Directory domain.  It makes quick and easy work of configuration that used to take a long time and varied between flavors of Linux.  It still can be confusing.

Methodology / Process Steps

Initial installation and joining the computer to the domain

Download the package or source specific to the flavor of Linux from the following location:

http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True&elq=3216b1fedc644fefb146cf3eb5111d74&elqCampaignId=

Change the attributes of the file to allow it to be run:

$ sudo chmod +x [filename].sh

Run the file with the following command:

$ sudo sh [filename].sh

This will initiate the installation.  Once the installation is complete, the next step is joining the computer to the domain:

$ sudo domainjoin-cli join [domain.internal] [username] (enter the credentials when prompted)

If everything is configured correctly and the command completes successfully, the computer will be joined to the domain and a request to restart will be displayed.  Restarting the computer is recommended, just to be complete.

All of the commands and settings for Power Broker will be found in the following location:

/opt/pbis/bin

./config --list (lists the various options available)

./config --show [option name] (displays the current configuration of the option)

./config --details [option name] (displays the full details of the option)

UserDomainPrefix

The domain prefix for users can be set with this option.

sudo ./config UserDomainPrefix DOMAIN

(where DOMAIN is the NetBIOS name of the Active Directory domain)

HomeDirTemplate

The location of newly created accounts can be set with this option.

sudo ./config HomeDirTemplate %H/%U

(where %H/%U translates into the system home directory and the system username)  Other template variables exist as well.

LoginShellTemplate

The login shell associated with the new user accounts by default is set with the LoginShellTemplate option.

sudo ./config LoginShellTemplate /bin/bash

By default, the login shell is /bin/sh.

AssumeDefaultDomain

The AssumeDefaultDomain option allows only the username to be entered; the domain name is not required.  A domain name can still be specified, but if one has not been entered, the value assigned in UserDomainPrefix is assumed.  The accepted input for this option is either “true” or “false”.

sudo ./config AssumeDefaultDomain true

(where “true” will add the value in UserDomainPrefix if a domain is not specified with the login)

RequireMembershipOf

Access to Linux servers can be restricted to specific Active Directory security groups.  This can be achieved by the following configuration setting:  RequireMembershipOf

NOTE:  To review all configuration settings, the following command will list all available settings

$ ./config --list

By default the setting specifies no group, so any account authenticated by Active Directory can connect.  To view the current configuration, the following command displays the basic configuration of the setting:

$ ./config --show RequireMembershipOf

To add users and / or groups, the following command is used:

$ ./config RequireMembershipOf "DOMAIN\\examplegroup" "DOMAIN\\username"

To review all the details of this configuration setting, the following command will provide all information regarding this setting:

$ ./config --details RequireMembershipOf

Known Issues / Troubleshooting

This section is for the issues that have well defined and tested solutions.

Problem:  Authentication fails when a security group is specified for RequireMembershipOf, but when the security group is removed, authentication succeeds.

Solution:  The group may not be found.  The syntax is extremely important when specifying a group name.  Verify the following:

  • a double backslash (\\) is used when specifying the domain
  • the caret (^) is used in place of spaces
  • quotes have been used (this has solved issues on certain flavors of Linux)
  • the group exists, by issuing the following command:
    $ ./enum-groups
  • the user is a member of the group

If all of these things have been verified, the next step will be to verify successful domain membership.
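The RequireMembershipOf command above and the syntax checklist in this solution can be wrapped in a small helper so that the group name is normalised (double backslash, caret for spaces) and checked before the setting is applied.  The following script is an added example for this page; it is not part of the original page or of the Power Broker tools.  The path /opt/pbis/bin/config and the argument syntax are taken from the page; the fallback behaviour (printing the command instead of running it when that binary is not present) and the sample names DOMAIN\Linux Admins and DOMAIN\jdoe are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page or from the PBIS/Likewise tools.
# Turns an Active Directory group or user name into the form the page says
# RequireMembershipOf expects and checks it against the troubleshooting list.

# pbis_group_arg 'DOMAIN\Linux Admins'  ->  DOMAIN\\Linux^Admins
# An existing double backslash is collapsed first so the function can be run
# on an already-normalised name; then every backslash is doubled and spaces
# become carets.
pbis_group_arg() {
    printf '%s\n' "$1" | sed -e 's/\\\\/\\/g' -e 's/\\/\\\\/g' -e 's/ /^/g'
}

# pbis_check_entry ENTRY: returns 0 when ENTRY follows the checklist,
# otherwise reports the first problem on stderr and returns 1.
pbis_check_entry() {
    entry=$1
    case $entry in
        *' '*)
            printf '%s\n' "contains a space; use ^ instead (got: $entry)" >&2
            return 1 ;;
    esac
    case $entry in
        *'\\'*) ;;   # double backslash present, as the checklist requires
        *'\'*)
            printf '%s\n' "single backslash; expected DOMAIN\\\\name (got: $entry)" >&2
            return 1 ;;
        *)
            printf '%s\n' "no domain prefix; expected DOMAIN\\\\name (got: $entry)" >&2
            return 1 ;;
    esac
    return 0
}

# pbis_require_membership NAME...: normalises every name, stops if one still
# fails the checklist, and otherwise applies the setting with the page's
# config command.  When PBIS is not installed on this host (assumption for
# the example) the exact command line is printed instead of being run.
pbis_require_membership() {
    cmd='sudo /opt/pbis/bin/config RequireMembershipOf'
    for raw in "$@"; do
        e=$(pbis_group_arg "$raw")
        pbis_check_entry "$e" || return 1
        cmd="$cmd \"$e\""
    done
    if [ -x /opt/pbis/bin/config ]; then
        eval "$cmd"
    else
        printf '%s\n' "$cmd"
    fi
}

# Demonstration on constructed names (sample values, not from any real domain)
pbis_require_membership 'DOMAIN\Linux Admins' 'DOMAIN\jdoe'
# A bare username with no domain prefix is rejected before anything is applied
pbis_check_entry 'jdoe' || printf '%s\n' "rejected as expected"
```

Because the shell collapses a double backslash inside double quotes, the printed command is exactly what the page tells you to type; the config binary itself receives DOMAIN\Linux^Admins, one backslash, which is why a single backslash typed at the prompt is the usual cause of the "group not found" symptom.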


References

More information is provided in the Power Broker documentation.

Installation Guide

http://www.beyondtrust.com/Content/pdfs/PBIS_Installation_Guide_8.2.pdf

Administration Guide

http://www.beyondtrust.com/Content/pdfs/PBIS_Administration_Guide_8.2.pdf

Enterprise Linux Administration Guide

http://www.beyondtrust.com/Content/pdfs/PBIS_Linux_Administration_Guide_8.2.pdf

Enterprise Group Policy Administration Guide

http://www.beyondtrust.com/Content/pdfs/PBIS_Group_Policy_Guide_8.2.pdf