Setting up Active Directory Authentication using PowerBroker Identity Services APT install on Ubuntu 16.04

Rolling out new Ubuntu servers in a heavily MS infrastructure is always a pain.  PowerBroker Identity Services from BeyondTrust makes life a bit easier by allowing Active Directory-based authentication in a straightforward package.

I’ve personally been using PBIS for a few years now, but only today discovered they offer several repos to make installation and patching even easier!  Since I’m rolling up a new base server, I thought I would write up a quick how-to for everyone.

Of course, you first need to set up Ubuntu 16.04.  For this server, I’ve used the base server build right off the ISO.

Next, head on over to https://repo.pbis.beyondtrust.com/apt.html to get the APT instructions.  It’s pretty simple, but remember to install the “Open Edition” and not the “Enterprise Edition.”

wget -O - http://repo.pbis.beyondtrust.com/yum/RPM-GPG-KEY-pbis|sudo apt-key add -
sudo wget -O /etc/apt/sources.list.d/pbiso.list http://repo.pbis.beyondtrust.com/apt/pbiso.list
sudo apt-get update
sudo apt-get install pbis-open

Now for the fun part - setting up the domain authentication.

sudo domainjoin-cli join [DOMAIN-DNSZONE] [DOMAIN-ADMIN-USERNAME]

Follow the prompt to log in, then wait for the “SUCCESS” prompt.  Once this is done, take the opportunity to move the new computer object into whatever OU you keep your servers in.

Next, it’s time to set up the local machine settings for domain user authentication and home directory format.  If you are like me, you only want to require the username for login and keep the domain login shell looking the same as all other shells.

At a minimum, you need to run these commands:

sudo /opt/pbis/bin/config UserDomainPrefix "[DOMAIN NETBIOS NAME]"
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate "/bin/bash"
sudo /opt/pbis/bin/config Local_HomeDirTemplate "%H/local/%D/%U"
sudo /opt/pbis/bin/config RequireMembershipOf "[DOMAIN NETBIOS NAME]\\[NETBIOS GROUP NAME]"

I prefer to restrict shell login to a small group of Linux admins.

OPTIONAL:  If you have another server already configured to your liking, run this command on it to dump all settings to a file:

sudo /opt/pbis/bin/config --dump > pbis-config

Then copy the file over to your new server and import it:

sudo /opt/pbis/bin/config --file pbis-config

Disclaimer - I didn’t test this command so your mileage may vary.  If you do try it and it works, please let me know!
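Before importing a dumped settings file on a new server, it is worth confirming that it still carries the login restriction and the other values set above. The script below is an added example, not part of the original post or of PBIS. It assumes each dump line has the form `SettingName value` with strings in double quotes. The function names, the EXAMPLE domain and the linux-admins group are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PBIS settings dump before importing it.
# Assumption: dump lines look like  <SettingName> <value...>  with quoted strings.

# Print the value of one setting with its quotes stripped (empty if unset).
pbis_setting() {  # $1 = dump file, $2 = setting name
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1" |
        tr -d '"'
}

# Print one finding per line; return 0 when clean, 1 when anything is flagged.
audit_pbis_dump() {  # $1 = dump file
    findings=0
    # An empty RequireMembershipOf list places no group restriction on logins.
    if [ -z "$(pbis_setting "$1" RequireMembershipOf)" ]; then
        echo "RequireMembershipOf is empty: logins are not limited to a group"
        findings=1
    fi
    # Without the default domain, a bare username will not resolve.
    if [ "$(pbis_setting "$1" AssumeDefaultDomain)" != "true" ]; then
        echo "AssumeDefaultDomain is not true: logins need the domain prefix"
        findings=1
    fi
    if [ "$(pbis_setting "$1" LoginShellTemplate)" != "/bin/bash" ]; then
        echo "LoginShellTemplate is not /bin/bash"
        findings=1
    fi
    return "$findings"
}

# Constructed sample dumps for trying the audit offline; $1 = target directory.
make_samples() {
    cat > "$1/good.dump" <<'EOF'
AssumeDefaultDomain true
LoginShellTemplate "/bin/bash"
RequireMembershipOf "EXAMPLE\\linux-admins"
EOF
    cat > "$1/weak.dump" <<'EOF'
AssumeDefaultDomain true
LoginShellTemplate "/bin/bash"
RequireMembershipOf ""
EOF
}
```

Source the script and run `audit_pbis_dump pbis-config` on the copied file; a non-zero return means at least one setting differs from the values configured above.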

Finally, add the domain group to the /etc/sudoers file to ensure they can actually administer the server.

sudo nano /etc/sudoers

Then paste this after the last line of the file:

#post install additions
%[NETBIOS GROUP NAME] ALL=(ALL:ALL) ALL


At this point, fire up another SSH session and attempt to log in with your domain account.  It should work right away.