PBIS Open Edition Setup

PBIS Open Edition is an agent-based tool that lets *nix computers connect to Microsoft Active Directory, so that one security policy can be applied consistently across the infrastructure. First install the PBIS agent and join the domain; users can then log on with their Active Directory credentials. An AD account can be given local admin rights so that it can run commands with superuser privileges and carry out root (su) tasks. Common options such as the login shell and the default domain can be set, and the current version can also mount a remote file share specific to the logged-on user.

PBIS Agent

Once the PowerBroker Identity Services (PBIS) agent is installed on Linux, users can be authenticated with their domain credentials. The agent integrates with the core operating system to provide the identity mapping for any application that uses it, e.g. the logon process (/bin/login), through the name service switch (NSS) and pluggable authentication modules (PAM). It acts as a Kerberos client for authentication and as an LDAP client for authorisation.

At boot time the operating system starts the PBIS service manager daemon, which is then instructed (with the command /opt/pbis/bin/lwsm autostart) to start all required services. The service manager keeps track of which services have already been started and ensures that all services are started and stopped in the correct order.

PBIS Enterprise (which has licensing costs) additionally retrieves Group Policy Objects (GPOs) from Active Directory to update local configuration securely, such as the sudoers file: its gpagent pulls the GPOs and applies them to the computer. PBIS Open does not include this, so sudoers and similar files must be managed by other means.

Time Synchronisation

For the PBIS agent to communicate with the DC over Kerberos, the clock skew between the two must be within the maximum the DC allows, which by default is 300 seconds (5 minutes). This is a server-side setting, so altering the skew in the client's /etc/pbis/krb5.conf has no effect on what the DC tolerates; keep the client synchronised with NTP (port 123, see the firewall table below) instead.

Cached Credentials

PBIS Open caches credentials so that users can log on when the computer is disconnected from the network or Active Directory is unavailable.

Trusts

The PBIS agent supports all the major Active Directory trust relationships.

Samba

PBIS Open includes a tool, samba-interop-install, located in /opt/pbis/bin, which installs the files needed to use Samba with PBIS.

PBIS Agent Installation

Preparation

Before installation, configure client computers as described below.

Configure nsswitch.conf

Before attempting to join an AD domain, make sure the /etc/nsswitch.conf file contains the following:

hosts: files dns

The hosts line can contain additional sources but must include the dns entry. The nsswitch.conf file must be readable by user, group and world.

Important: for PBIS to process changes to nsswitch.conf you must restart the PBIS input-output service (lwio) and the authentication service (lsass). Running the following command as root restarts both services:

/opt/pbis/bin/lwsm restart lwio

Configure resolv.conf

For PBIS to work correctly, make sure /etc/resolv.conf includes a DNS server entry that can resolve the SRV records for your domain (the agent locates domain controllers through them).

Firewall Ports

The iptables firewall on the computer running the PBIS agent must allow the following ports for outbound traffic. Note: the PBIS agent does not listen on any ports, so no inbound rules are needed for it.

Port   Protocol   Use
53     UDP/TCP    DNS
88     UDP/TCP    Kerberos 5
123    UDP        NTP
389    UDP/TCP    LDAP
445    TCP        SMB over TCP
464    UDP/TCP    Password changes
1433   TCP        SQL Server (default)
3268   TCP        Global Catalog

To view the current rules use iptables -nL.

Install Agent

You can install the agent in unattended mode with the install command, or interactively from the CLI. In both cases run the installer as root, and verify the installer package against the vendor's published checksum before doing so.

Install command: change the mode of the installer to executable and run it with the install argument, e.g.

chmod a+x pbis-open-X.X.X.XXX.linux.i386.rpm.sh
./pbis-open-X.X.X.XXX.linux.i386.rpm.sh install

From the CLI: run the installer, e.g.

./pbis-open-X.X.X.XXX.linux.i386.rpm.sh

and follow the instructions in the installer.

Privileges and Permissions

To join a computer to a domain you need the user name and password of an Active Directory account that has privileges to join computers to the domain, and the full name (FQDN) of the domain you want to join.

Account Attributes

For the agent to read user information from AD, delegate that right to the computer accounts:

1. In Active Directory Users and Computers create a group named Unix Computers (Global, Security group).
2. Add each PBIS client computer to the group.
3. In the console tree, right-click the domain, choose Delegate Control, and then click Next.
4. Click Add, enter the group named Unix Computers, and then click Next.
5. Select Delegate the following common tasks, in the list select Read all user information, click Next, and then click Finish.
6. On the target computer, restart the PBIS agent to reinitialise the computer account's logon to Active Directory and pick up its new group membership.
7. Run /opt/pbis/bin/enum-users to verify that you can read user information.

After joining a domain, PBIS creates two local user accounts: ComputerName\Administrator and ComputerName\Guest. The Administrator account is disabled until you enable it by running the mod-user command as root, and you will be prompted to reset its password the first time you use the account. You can view information about these accounts with:

/opt/pbis/bin/enum-users

Removing a Computer from the Domain

You can remove a computer from the domain either by deleting the computer's account in Active Directory Users and Computers or by running the domain join tool again on the computer you want to remove (domainjoin-cli leave).
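The firewall port table above expressed as iptables rules, as an added example (not from the page or from PBIS). It assumes a Linux host with iptables and an optional PBIS_DC variable (an assumption) that restricts the rules to the DC's address or subnet; port 1433 is included only because the table lists it.

```shell
#!/bin/sh
# Generate iptables rules for the outbound ports in the table above.
# Added example, not a PBIS tool. PBIS_DC (an assumption) optionally
# restricts the rules to the DC address or subnet; leave it empty to
# allow the ports to any destination.
PBIS_DC="${PBIS_DC:-}"

# port:proto list from the table; "udp,tcp" expands to one rule each.
# 1433 (SQL Server) is listed on the page; remove it if the host does
# not need to reach SQL Server.
PBIS_PORTS="53:udp,tcp 88:udp,tcp 123:udp 389:udp,tcp 445:tcp 464:udp,tcp 1433:tcp 3268:tcp"

# pbis_outbound_rules: print one iptables command per port/protocol pair,
# plus the INPUT rule that lets replies back in when the default policy
# is DROP (the agent itself listens on no port, so nothing else is opened).
pbis_outbound_rules() {
    dest=""
    if [ -n "$PBIS_DC" ]; then dest="-d $PBIS_DC "; fi
    for entry in $PBIS_PORTS; do
        port=${entry%%:*}
        for proto in $(printf '%s' "${entry#*:}" | tr ',' ' '); do
            printf 'iptables -A OUTPUT %s-p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
                "$dest" "$proto" "$port"
        done
    done
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# pbis_rule_count: number of rules generated (12 port rules + 1 INPUT rule).
pbis_rule_count() { pbis_outbound_rules | wc -l | tr -d ' '; }

# Review with:  pbis_outbound_rules
# Apply with:   pbis_outbound_rules | sh      (as root)
# Verify with:  iptables -nL OUTPUT
```

Review the printed rules first, apply them with `pbis_outbound_rules | sh` as root, and confirm with `iptables -nL OUTPUT`; set `PBIS_DC` to the DC subnet so the Kerberos and LDAP ports are not opened to the whole internet.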
Join AD from the CLI

The domain join command-line utility is /opt/pbis/bin/domainjoin-cli. When joining a domain, the computer's name server must be able to find the domain and reach the DC, so first run

nslookup domainName

and verify that you can reach the domain controller by pinging it:

ping domainName

(ICMP may be filtered, so a failed ping is not conclusive on its own, but the DNS lookup must succeed.)

Then execute the following command as root, replacing domainName with the FQDN of the domain you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/pbis/bin/domainjoin-cli join domainName joinAccount

To join a nested Organisational Unit (OU), run:

/opt/pbis/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount

Monitoring Events

The PBIS Event Log records and categorises information about authentication transactions, authorisation requests, network events and other security events on Linux. You can filter the event log and choose which event categories to log, and PBIS includes methods to specify which users and groups have read or write access to it. Monitoring events such as failed logon attempts and failed sudo attempts helps to detect and prevent unauthorised access to commands, applications and sensitive resources.
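A preflight script covering the nsswitch.conf and resolv.conf preparation steps, the clock-skew limit from the Time Synchronisation section and the DNS/ping checks before the join, as an added example that is not part of PBIS or of the original page. The file paths are overridable so the checks can be run against constructed copies; skew_ok takes the local and DC times as epoch seconds (how you obtain the DC's time, e.g. with ntpdate -q, is up to you); build_join_cmd only prints the domainjoin-cli line for review and does not run it.

```shell
#!/bin/sh
# Pre-join checks for a PBIS client, then the join command itself.
# Example code added to this page; not part of PBIS. Paths default to
# the real files but can be overridden to test against copies.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
RESOLV="${RESOLV:-/etc/resolv.conf}"
MAX_SKEW=300   # Kerberos default on the DC; the client's krb5.conf cannot raise it

# The hosts: line must list dns (e.g. "files dns" or "files dns myhostname").
nsswitch_hosts_ok() {
    grep -E '^[[:space:]]*hosts:' "$NSSWITCH" | grep -qw dns
}

# nsswitch.conf must be readable by user, group and world (others+read bit set).
nsswitch_mode_ok() {
    [ -r "$NSSWITCH" ] && [ -n "$(find "$NSSWITCH" -perm -o+r 2>/dev/null)" ]
}

# resolv.conf needs at least one nameserver line (it must serve the domain's SRV records).
resolv_nameserver_ok() {
    grep -qE '^[[:space:]]*nameserver[[:space:]]+[0-9a-fA-F.:]+' "$RESOLV"
}

# skew_ok localEpoch dcEpoch: true when |local - dc| is within MAX_SKEW seconds.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# dc_reachable domainName: DNS must resolve the domain; a ping failure is
# only a warning because ICMP is often filtered (GNU/Linux ping options).
dc_reachable() {
    nslookup "$1" >/dev/null 2>&1 || { echo "DNS cannot resolve $1" >&2; return 1; }
    ping -c 1 -W 2 "$1" >/dev/null 2>&1 || echo "warning: $1 did not answer ping" >&2
}

# build_join_cmd domainName joinAccount [ouName]: print the join command
# (with --ou for a nested OU) so it can be reviewed, then run as root.
build_join_cmd() {
    cmd="/opt/pbis/bin/domainjoin-cli join"
    if [ -n "$3" ]; then cmd="$cmd --ou $3"; fi
    printf '%s %s %s\n' "$cmd" "$1" "$2"
}

# preflight domainName: run every local check and report what is wrong.
preflight() {
    rc=0
    nsswitch_hosts_ok    || { echo "hosts: line in $NSSWITCH lacks dns" >&2; rc=1; }
    nsswitch_mode_ok     || { echo "$NSSWITCH is not world-readable" >&2; rc=1; }
    resolv_nameserver_ok || { echo "$RESOLV has no nameserver entry" >&2; rc=1; }
    dc_reachable "$1"    || rc=1
    return $rc
}

# Usage: preflight corp.example.com && build_join_cmd corp.example.com joiner Servers/Linux
```

After `preflight` passes, remember that changing nsswitch.conf requires `lwsm restart lwio` before the join, and that the printed command will prompt for the join account's password.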
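Detection logic for the failed logon and failed sudo events the Monitoring Events section mentions, as an added example that is not the PBIS event log or its tooling: it runs over ordinary syslog auth lines as written by sshd and sudo on a Linux host. The sample lines are constructed for the example and THRESHOLD is an assumed policy.

```shell
#!/bin/sh
# Flag repeated failed logons and every failed sudo attempt per user in
# syslog-style auth log lines. Example code added to this page; not a PBIS
# tool. SAMPLE_LOG is constructed; THRESHOLD is an assumed policy.
THRESHOLD="${THRESHOLD:-3}"

SAMPLE_LOG='Mar  3 09:01:12 lx01 sshd[2201]: Failed password for alice from 10.0.0.20 port 51234 ssh2
Mar  3 09:01:15 lx01 sshd[2201]: Failed password for alice from 10.0.0.20 port 51234 ssh2
Mar  3 09:01:19 lx01 sshd[2201]: Failed password for alice from 10.0.0.20 port 51234 ssh2
Mar  3 09:01:40 lx01 sshd[2205]: Accepted password for alice from 10.0.0.20 port 51240 ssh2
Mar  3 09:02:03 lx01 sudo:    bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:02:30 lx01 sudo:    bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:03:10 lx01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2'

# failed_logons: reads log lines on stdin, prints "<count> <user>" for each
# user whose failed logons reach THRESHOLD ("invalid user X" counts for X).
failed_logons() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            u = $0
            sub(/.*Failed password for (invalid user )?/, "", u)
            sub(/ from .*/, "", u)
            n[u]++
        }
        END { for (u in n) if (n[u] >= t) print n[u], u }'
}

# failed_sudo: prints "<user> <command>" for each sudo failure (wrong
# password or not in sudoers); each one is worth an alert on its own.
failed_sudo() {
    awk '
        / sudo: / && /(incorrect password attempts|NOT in sudoers)/ {
            u = $0; sub(/.* sudo: +/, "", u); sub(/ :.*/, "", u)
            c = $0; sub(/.*COMMAND=/, "", c)
            print u, c
        }'
}

# scan [logfile]: run both detectors over a log file, or over the
# constructed sample when no file is given.
scan() {
    if [ $# -gt 0 ]; then f=$1; else f=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$f"; fi
    echo "== users with >= $THRESHOLD failed logons =="
    failed_logons < "$f"
    echo "== failed sudo attempts (user command) =="
    failed_sudo < "$f"
}
```

Run `scan /var/log/auth.log` (or `/var/log/secure` on Red Hat-style systems) from cron or a log shipper; on the sample it reports alice with 3 failed logons, leaves admin below the threshold, and lists both of bob's sudo failures with the command attempted.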