Rolling out new Ubuntu servers in a heavily MS infrastructure is always a pain. PowerBroker Identity Services from BeyondTrust makes life a bit easier by allowing Active Directory-based authentication in a straightforward package.
I’ve personally been using PBIS for a few years now, but only today discovered they offer several repos to make installation and patching even easier! Since I’m rolling up a new base server, I thought I would write up a quick how-to for everyone.
Of course, you first need to set up Ubuntu 16.04. For this server, I’ve used the base server build right off the ISO.
Next, head on over to https://repo.pbis.beyondtrust.com/apt.html to get the APT instructions. It’s pretty simple, but remember to install the “Open Edition” and not the “Enterprise Edition.”
wget -O - http://repo.pbis.beyondtrust.com/yum/RPM-GPG-KEY-pbis | sudo apt-key add -
sudo wget -O /etc/apt/sources.list.d/pbiso.list http://repo.pbis.beyondtrust.com/apt/pbiso.list
sudo apt-get update
sudo apt-get install pbis-open
Now for the fun part - setting up the domain authentication.
sudo domainjoin-cli join [DOMAIN-DNSZONE] [DOMAIN-ADMIN-USERNAME]
Follow the prompt to log in, then wait for the “SUCCESS” prompt. Once this is done, take the opportunity to move the new computer account into whatever OU you keep your servers in.
Next, it’s time to set up the local machine settings for domain user authentication and home directory format. If you are like me, you only want to require the username for login and keep the domain login shell looking the same as all other shells.
At a minimum, you need to run these commands:
sudo /opt/pbis/bin/config UserDomainPrefix "[DOMAIN NETBIOS NAME]"
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate "/bin/bash"
sudo /opt/pbis/bin/config Local_HomeDirTemplate "%H/local/%D/%U"
sudo /opt/pbis/bin/config RequireMembershipOf "[DOMAIN NETBIOS NAME]\\[NETBIOS GROUP NAME]"
I prefer to restrict shell login to a small group of Linux admins.
OPTIONAL: If you have another server already configured to your liking, run this command on it to dump all settings to a file:
sudo /opt/pbis/bin/config --dump > pbis-config
Then copy the file over to your new server and import it:
sudo /opt/pbis/bin/config --file pbis-config
Disclaimer - I didn’t test this command, so your mileage may vary. If you do try it and it works, please let me know!
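Before importing a dump from another server, it is worth confirming that it really carries the login restrictions set above. The script below is an added example, not part of the original post or of PBIS; it assumes the dump prints one `Name value` pair per line with string values in double quotes, and the EXAMPLE domain in the sample is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: compare a `config --dump` file with the values set in this post.
# Assumption: each dump line is `Name value`, string values in double quotes.

# Constructed sample dump (not from a real host): shell left at /bin/sh and
# no group restriction, so any domain account could log in.
sample_dump() {
    cat <<'EOF'
AssumeDefaultDomain true
LoginShellTemplate "/bin/sh"
Local_HomeDirTemplate "%H/local/%D/%U"
UserDomainPrefix "EXAMPLE"
RequireMembershipOf ""
EOF
}

# usage: pbis_audit DUMP_FILE NETBIOS_DOMAIN GROUP
# GROUP must be written exactly as the dump prints it.
# Prints one line per finding; exit status is the number of findings.
pbis_audit() {
    WANT_DOMAIN=$2 WANT_GROUP=$3 awk '
        function check(name, want) {
            if (!(name in seen)) {
                printf "MISSING %s\n", name; bad++
            } else if (seen[name] != want) {
                printf "DRIFT %s is \"%s\", want \"%s\"\n", name, seen[name], want; bad++
            }
        }
        NF {   # split off the setting name, strip quotes around the value
            value = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", value)
            gsub(/^"|"$/, "", value)
            seen[$1] = value
        }
        END {
            check("UserDomainPrefix", ENVIRON["WANT_DOMAIN"])
            check("AssumeDefaultDomain", "true")
            check("LoginShellTemplate", "/bin/bash")
            check("Local_HomeDirTemplate", "%H/local/%D/%U")
            check("RequireMembershipOf", ENVIRON["WANT_GROUP"])
            exit bad + 0
        }' "$1"
}

# Run against a real dump when arguments are given.
if [ "$#" -ge 3 ]; then pbis_audit "$@"; fi
```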
Finally, add the domain group to the /etc/sudoers file to ensure they can actually administer the server.
sudo nano /etc/sudoers
Then paste this after the last line of the file:
#post install additions
%[NETBIOS GROUP NAME] ALL=(ALL:ALL) ALL
At this point, fire up another SSH session and attempt to log in as your domain account. It should work right away.