
PBIS Open Edition Setup

The PBIS Open Edition is an agent-based tool that connects Unix-like computers to Microsoft Active Directory for a consistent security policy across the infrastructure. First install the PBIS agent and join the domain; you will then be able to log on with Active Directory credentials. You can give an AD account local admin rights to execute commands with superuser privileges and perform tasks as root, such as setting common options (e.g. the login shell and the default domain). The current version can also mount a remote file share specific to the user.

PBIS Agent

Once the PowerBroker Identity Services (PBIS) agent is installed on Linux, you can authenticate users with their domain credentials. The agent integrates with the core operating system to implement the mapping for any application, e.g. the logon process (/bin/login), which uses the name service switch (NSS) or pluggable authentication modules (PAM); the agent therefore acts as a Kerberos client for authentication and an LDAP client for authorisation. At boot time the operating system is configured to start the service manager daemon, which is then instructed (with the command /opt/pbis/bin/lwsm autostart) to start all desired services. The service manager daemon keeps track of which services have already been started and ensures that all services are started and stopped in the appropriate order. PBIS Enterprise also retrieves Group Policy Objects (GPOs) to securely update local configurations such as the sudo file, but this has licensing costs associated with it; its gpagent pulls the GPOs from Active Directory and applies them to the computer.

Time Synchronisation

For the PBIS agent to communicate with the DC over Kerberos, the clock skew must be within the default maximum of 300 seconds (5 minutes). This is a server-side setting, so altering the skew in the client's /etc/pbis/krb5.conf file has no effect on the tolerance of the DC.

Cached Credentials

PBIS Open caches credentials so users can log on when the computer is disconnected from the network or Active Directory is unavailable.

Trusts

The PBIS agent supports all the major Active Directory trust relationships.

Samba

PBIS Open includes a tool, samba-interop-install, located in /opt/pbis/bin, which installs the files needed to use Samba with PBIS.

PBIS Agent Installation


Preparation

Before installation, configure client computers as described below.

Configure nsswitch.conf

Before you attempt to join an AD domain, make sure the /etc/nsswitch.conf file contains the following line:

hosts: files dns

The hosts line can contain additional sources but must include the dns entry. Important: for PBIS to process changes to nsswitch.conf you must restart the PBIS input-output service (lwio) and the authentication service (lsass). Running the following command as root restarts both services:

/opt/pbis/bin/lwsm restart lwio

For PBIS to work correctly, nsswitch.conf must be readable by user, group and world.

Configure resolv.conf

Make sure /etc/resolv.conf includes a DNS server entry that can resolve SRV records for your domain.

Firewall Ports

The iptables firewall settings on the computer running the PBIS agent must allow outbound traffic on the following ports. Note: the PBIS agent does not listen on any ports.

Port   Protocol   Use
53     UDP/TCP    DNS
88     UDP/TCP    Kerberos 5
123    UDP        NTP
389    UDP/TCP    LDAP
445    TCP        SMB over TCP
464    UDP/TCP    Password changes
1433   TCP        SQL Server (default)
3268   TCP        Global Catalog

To view the current rules, use iptables -nL.
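The preparation steps above (the dns source on the hosts line, a world-readable nsswitch.conf, a nameserver in resolv.conf, the outbound port list and the 300-second Kerberos skew limit) can be checked before running the domain join. The script below is an added example written for this page, not part of PBIS; it checks the files named above, turns the port table into iptables OUTPUT rules, and exposes a skew check that can be fed the local and DC clock values. The file names and function names are this example's own choices.

```shell
#!/bin/sh
# pbis_preflight.sh: pre-join checks for a PBIS Open client.
# Added example, not part of PBIS; file paths are the ones named on the page.

KRB_MAX_SKEW=300   # default Kerberos clock-skew tolerance, in seconds

# hosts_line_has_dns FILE: succeed when the "hosts:" line of an nsswitch.conf
# lists the dns source (other sources such as files may also be present)
hosts_line_has_dns() {
    grep -E '^[[:space:]]*hosts:' "$1" | grep -qw dns
}

# world_readable FILE: succeed when the "other" class has read permission
# (reads the mode from ls -l, which is portable where stat's flags are not)
world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# resolv_has_nameserver FILE: succeed when at least one nameserver line exists
resolv_has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$1"
}

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed when the two clocks differ by at most
# KRB_MAX_SKEW seconds (the DC's tolerance; the client's krb5.conf cannot raise it)
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$KRB_MAX_SKEW" ]
}

# The outbound port table from the page: port, protocol(s), use
PBIS_PORTS='
53 udp,tcp DNS
88 udp,tcp Kerberos 5
123 udp NTP
389 udp,tcp LDAP
445 tcp SMB over TCP
464 udp,tcp Password changes
1433 tcp SQL Server (default)
3268 tcp Global Catalog
'

# outbound_rules: print one iptables OUTPUT rule per port/protocol pair,
# with the use as a trailing shell comment so the output can be reviewed or piped to sh
outbound_rules() {
    printf '%s\n' "$PBIS_PORTS" | while read -r port protos use; do
        [ -n "$port" ] || continue
        for proto in $(printf '%s' "$protos" | tr ',' ' '); do
            printf 'iptables -A OUTPUT -p %s --dport %s -j ACCEPT   # %s\n' \
                "$proto" "$port" "$use"
        done
    done
}

# run_checks: apply the file checks to the live system and print a summary
run_checks() {
    rc=0
    hosts_line_has_dns /etc/nsswitch.conf \
        || { echo "FAIL: hosts line in /etc/nsswitch.conf does not include dns"; rc=1; }
    world_readable /etc/nsswitch.conf \
        || { echo "FAIL: /etc/nsswitch.conf is not world-readable"; rc=1; }
    resolv_has_nameserver /etc/resolv.conf \
        || { echo "FAIL: /etc/resolv.conf has no nameserver entry"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: nsswitch.conf and resolv.conf look ready for domainjoin-cli"
    fi
    return "$rc"
}

# Usage: sh pbis_preflight.sh --run     (checks the live files)
#        sh pbis_preflight.sh --rules   (prints the outbound iptables rules)
case "${1:-}" in
    --run)   run_checks ;;
    --rules) outbound_rules ;;
esac
```

Run it with --run before the join and again after editing nsswitch.conf (remembering the lwsm restart the page calls for). The skew check takes two epoch values because the page gives no command for reading the DC's clock; feed it the local `date +%s` and whatever your NTP or Kerberos tooling reports for the DC.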

Account Attributes
1. In Active Directory Users and Computers, create a group named Unix Computers (Global, Security group).
2. Add each PBIS client computer to the group.
3. In the console tree, right-click the domain, choose Delegate Control, click Next, click Add, and then enter the group named Unix Computers.
4. Click Next, select Delegate the following common tasks, and then in the list select Read all user information.
5. Click Next, and then click Finish.
6. On the target computer, restart the PBIS agent to reinitialise the computer account's logon to Active Directory and pick up the new group membership.
7. Run /opt/pbis/bin/enum-users to verify that you can read user information.

Install Agent

You can install the agent in unattended mode with the install argument, or interactively from the CLI.

With the install command:

./pbis-open-X.X.X.XXX.linux.i386.rpm.sh install

From the CLI, as root, make the installer executable:

chmod a+x pbis-enterprise-7.0.0.70.solaris.sparc.pkg.sh

Then, as root, run the installer and follow its instructions:

./pbis-enterprise-7.0.0.70.solaris.sparc.pkg.sh

Privileges and Permissions

To join a computer to a domain, you need the user name and password of an Active Directory account that has privileges to join computers to the domain, and the full name of the domain you want to join. After joining a domain, PBIS creates two local user accounts: ComputerName\Administrator and ComputerName\Guest. The administrator account is disabled until you enable it by running the mod-user command as root; you will be prompted to reset the password the first time you use the account. You can view information about these accounts with the following command:

/opt/pbis/bin/enum-users

Removing a Computer from the Domain

You can remove a computer from the domain either by deleting the computer's account in Active Directory Users and Computers or by running the domain join tool again on the computer you want to remove.

Join AD from the CLI

The domain join command-line utility is located at:

/opt/pbis/bin/domainjoin-cli

When joining a domain, the computer's name server must be able to find the domain and reach the DC. Therefore run:

nslookup domainName

and verify that you can reach the domain controller by pinging it:

ping domainName

Execute the following command as root, replacing domainName with the FQDN of the domain you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/pbis/bin/domainjoin-cli join domainName joinAccount

To join a nested Organisational Unit (OU), run:

/opt/pbis/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount
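The join procedure above (resolve the domain, reach a DC, then run domainjoin-cli as root, with --ou only when an OU is wanted) is wrapped in the script below. It is an added example written for this page, not part of PBIS: it adds an FQDN sanity check and a root check to the page's nslookup and ping steps, shows the exact command before running it, and builds the argument list without eval so an OU name containing spaces survives. The script name and function names are assumptions of this example; the domainjoin-cli path is the one named on the page.

```shell
#!/bin/sh
# pbis_join.sh DOMAIN JOINACCOUNT [OU]: preflight checks, then domainjoin-cli.
# Added example, not part of PBIS.

DOMAINJOIN=/opt/pbis/bin/domainjoin-cli

# is_fqdn NAME: succeed when NAME is at least two dot-separated DNS labels
# (a short name cannot be used to locate the domain's SRV records)
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# build_join_cmd DOMAIN ACCOUNT [OU]: print the command line that will be run,
# inserting --ou only when an OU was supplied
build_join_cmd() {
    if [ -n "${3:-}" ]; then
        printf '%s join --ou %s %s %s\n' "$DOMAINJOIN" "$3" "$1" "$2"
    else
        printf '%s join %s %s\n' "$DOMAINJOIN" "$1" "$2"
    fi
}

# preflight DOMAIN: the name server must find the domain and a DC must answer,
# i.e. the page's nslookup and ping steps
preflight() {
    is_fqdn "$1" \
        || { echo "preflight: '$1' is not a fully qualified domain name" >&2; return 1; }
    nslookup "$1" >/dev/null 2>&1 \
        || { echo "preflight: nslookup cannot resolve $1 (check /etc/resolv.conf)" >&2; return 1; }
    ping -c 1 "$1" >/dev/null 2>&1 \
        || { echo "preflight: no domain controller for $1 answers ping" >&2; return 1; }
}

main() {
    if [ $# -lt 2 ]; then
        echo "usage: $0 DOMAIN JOINACCOUNT [OU]" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "domainjoin-cli must be run as root" >&2
        return 1
    fi
    domain=$1; account=$2; ou=${3:-}
    preflight "$domain" || return 1
    echo "Running: $(build_join_cmd "$domain" "$account" "$ou")"
    # Assemble the argument list positionally; no eval, so quoting is preserved
    set -- join
    if [ -n "$ou" ]; then set -- "$@" --ou "$ou"; fi
    set -- "$@" "$domain" "$account"
    exec "$DOMAINJOIN" "$@"
}

# Run only when arguments are given, so the file can also be sourced for its functions
if [ $# -gt 0 ]; then
    main "$@"
fi
```

domainjoin-cli prompts for the join account's password itself, so the script never takes or stores it. After a successful join, the page's /opt/pbis/bin/enum-users check confirms that user information is readable.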

Monitoring Events
The PBIS Event Log records and categorizes information about authentication transactions, authorisation requests, network events, and other security events on Linux. Monitoring events such as failed logon attempts and failed sudo attempts can help prevent unauthorised access to commands, applications, and sensitive resources. PBIS also includes methods to specify which users and groups have read or write access permissions to the event log. You can filter the event log and decide which event categories to log.
