Rolling out new Ubuntu servers in a heavily Microsoft-based infrastructure is always a pain. PowerBroker Identity Services (PBIS) from BeyondTrust makes life a bit easier by providing Active Directory-based authentication in a straightforward package.
I’ve personally been using PBIS for a few years now, but only today discovered they offer several repos to make installation and patching even easier! Since I’m rolling up a new base server, I thought I would write up a quick how-to for everyone.
Of course, you first need to set up Ubuntu 16.04. For this server, I’ve used the base server build right off the ISO.
Next, head on over to https://repo.pbis.beyondtrust.com/apt.html to get the APT instructions. It’s pretty simple, but remember to install the “Open Edition” and not the “Enterprise Edition.” Note that the wget below pulls the repo list over plain HTTP; fetch it over HTTPS if the host serves it that way (the instructions page itself is HTTPS) and look at the contents of the .list file before running apt-get update, since it decides where your packages come from.
sudo wget -O /etc/apt/sources.list.d/pbiso.list http://repo.pbis.beyondtrust.com/apt/pbiso.list
sudo apt-get update
sudo apt-get install pbis-open
Now for the fun part – joining the domain.
Run the PBIS domain-join tool; it prompts for the credentials of an account that is allowed to join computers to the domain. Wait for the “SUCCESS” message. Once this is done, take the opportunity to move the new computer object into whatever OU you keep your servers in.
Next, it’s time to set up the local machine settings for domain user authentication and the home directory format. If you are like me, you only want to require the username (not DOMAIN\username) for login and keep the domain login shell looking the same as all other shells.
At a minimum, you need to run these commands (note the RequireMembershipOf value is DOMAIN\group; the backslash is required):
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate "/bin/bash"
sudo /opt/pbis/bin/config Local_HomeDirTemplate "%H/local/%D/%U"
sudo /opt/pbis/bin/config RequireMembershipOf "[DOMAIN NETBIOS NAME]\\[NETBIOS GROUP NAME]"
I prefer to restrict shell login to a small group of Linux admins. Without RequireMembershipOf, every enabled account in the domain can log in to the box, so don’t skip this one.
OPTIONAL: If you have another server already configured to your liking, run this command on it to dump all of its settings to a file:
Then copy the file over to your new server and import it:
Disclaimer – I didn’t test this command, so your mileage may vary. If you do try it and it works, please let me know!
Finally, grant the domain group sudo rights so its members can actually administer the server. Edit /etc/sudoers with visudo rather than a plain editor (visudo checks the syntax before saving; a typo in /etc/sudoers locks everyone out of sudo), or put the rule in its own file under /etc/sudoers.d/.
Then paste this after the last line of the file (use the group name exactly as id prints it for a domain user, and escape any spaces in it with a backslash):
%[NETBIOS GROUP NAME] ALL=(ALL:ALL) ALL
At this point, keep your current session open and fire up another SSH session, then attempt to log in as your domain account and run sudo -l. It should work right away; if it doesn’t, you still have the first session to fix things from.
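The steps above, collected into one script as an added example (this is not from the original post or from BeyondTrust). It applies the same four PBIS config values, builds the RequireMembershipOf value in the DOMAIN\group form, and installs the sudo rule the safe way: written to a temp file, checked with visudo -cf, and only then moved into /etc/sudoers.d/ with mode 0440, so a malformed rule is never installed. The domain name CORP, the group name "Linux Admins" and the PBIS_APPLY switch are assumptions for illustration; the helper functions can be sourced and tested without touching the system.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Applies the PBIS settings
# from the post and installs a sudoers drop-in safely. CORP and "Linux Admins"
# below are placeholders (assumptions); override them via the environment.
set -eu

PBIS_CONFIG=/opt/pbis/bin/config
AD_DOMAIN="${AD_DOMAIN:-CORP}"               # assumed NetBIOS domain name
ADMIN_GROUP="${ADMIN_GROUP:-Linux Admins}"   # assumed AD group allowed to log in

# sudoers treats spaces and backslashes in names specially: escape both.
escape_sudoers_name() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# Build the sudoers rule for a group, e.g.
#   sudoers_rule 'Linux Admins'  ->  %Linux\ Admins ALL=(ALL:ALL) ALL
sudoers_rule() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(escape_sudoers_name "$1")"
}

# PBIS wants RequireMembershipOf as DOMAIN\group (a single backslash).
require_membership_value() {
    printf '%s\\%s' "$1" "$2"
}

# The four settings from the post, with the group restriction built above.
apply_pbis_settings() {
    "$PBIS_CONFIG" AssumeDefaultDomain true
    "$PBIS_CONFIG" LoginShellTemplate "/bin/bash"
    "$PBIS_CONFIG" Local_HomeDirTemplate "%H/local/%D/%U"
    "$PBIS_CONFIG" RequireMembershipOf "$(require_membership_value "$AD_DOMAIN" "$ADMIN_GROUP")"
}

# Install the rule as a drop-in: write to a temp file, validate with
# visudo -cf, then move into place. A bad rule never reaches sudoers.d,
# and /etc/sudoers itself is never edited. The file name must not contain
# '.' or end in '~', or sudo silently ignores it.
install_sudoers_rule() {
    group="$1"
    target="/etc/sudoers.d/${2:-pbis-linux-admins}"
    tmp="$(mktemp)"
    sudoers_rule "$group" > "$tmp"
    chmod 0440 "$tmp"
    visudo -cf "$tmp"
    mv "$tmp" "$target"
}

# Post-join check for one domain user: name resolution through PBIS, then
# the sudo rules that user would get (run as root).
verify_access() {
    id "$1"
    sudo -l -U "$1"
}

# Only touch the system when explicitly asked (PBIS_APPLY=1, as root).
if [ "${PBIS_APPLY:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_pbis_settings
    install_sudoers_rule "$ADMIN_GROUP" pbis-linux-admins
    echo "installed: $(sudoers_rule "$ADMIN_GROUP")"
fi
```

Run it as root with PBIS_APPLY=1 AD_DOMAIN=YOURDOMAIN ADMIN_GROUP="Your Group" after the domain join has reported SUCCESS; then call verify_access with a member of that group from a second session before closing the one you are in. Using a sudoers.d drop-in also means removing the grant later is a matter of deleting one file rather than editing /etc/sudoers again.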