BeyondTrust: Difference between revisions
Jump to navigation
Jump to search
| (12 intermediate revisions by the same user not shown) | |||
| Line 21: | Line 21: | ||
https://www.beyondtrust.com/privilege-management/active-directory-bridge | https://www.beyondtrust.com/privilege-management/active-directory-bridge | ||
https://www.beyondtrust.com/products/active-directory-bridge | https://www.beyondtrust.com/products/active-directory-bridge | ||
== Install BeyondTrust AD Bridge == | |||
BeyondTrust AD Bridge: APT Repository | |||
https://repo.pbis.beyondtrust.com/apt.html | |||
To add the BeyondTrust AD Bridge GPG key to your system: | |||
sudo wget -O /usr/share/keyrings/DEB-GPG-KEY-adb.gpg https://repo.pbis.beyondtrust.com/apt/DEB-GPG-KEY-adb.gpg | |||
To add the BeyondTrust AD Bridge repository to your system: | |||
sudo wget -O /etc/apt/sources.list.d/adbridge.sources https://repo.pbis.beyondtrust.com/apt/adbridge.sources | |||
sudo apt update | |||
Once your Repository has been added, install BeyondTrust AD Bridge: | |||
sudo apt install pbis-enterprise | |||
== What is PBIS == | == What is PBIS == | ||
| Line 71: | Line 85: | ||
== Authenticate User == | == Authenticate User == | ||
pbis authenticate-user --user [USER] | |||
pbis authenticate-user --user [USER] --domain [DOMAIN] | pbis authenticate-user --user [USER] --domain [DOMAIN] | ||
| Line 81: | Line 97: | ||
--password User's password (prompted if not passed on commandline) | --password User's password (prompted if not passed on commandline) | ||
</pre> | </pre> | ||
== Clear Cache == | |||
/opt/pbis/bin/ad-cache --delete-all | |||
/opt/pbis/bin/lwsm restart lsass | |||
rm -f /tmp/krb5cc_* | |||
/opt/pbis/bin/ad-cache --delete-all | |||
== Allow Local Users == | |||
If you still want to allow local users on the system, allow "Local" user providers, or "passwd" is not going to work for local accounts. | |||
/opt/pbis/bin/domainjoin-cli configure --enable nsswitch | |||
/opt/pbis/bin/domainjoin-cli configure --enable pam | |||
/opt/pbis/bin/config Providers "ActiveDirectory" "Local" | |||
Add local users to pbis ignore list (one user per line). Default entries include 'root' and 'tty'. | |||
/etc/pbis/user-ignore | |||
/etc/pbis/group-ignore | |||
ref: | |||
* https://docs.beyondtrust.com/adb/docs/configure-user-group-ignore | |||
-- | |||
Also suggested to change Domain Prefix to "" | |||
/opt/pbis/bin/config UserDomainPrefix "" | |||
== logs == | |||
/var/log/auth.log | |||
/var/log/syslog or /var/log/messages | |||
== Services Status == | |||
/opt/pbis/bin/lwsm list | |||
<pre> | |||
lwreg running (container: 960) | |||
dcerpc stopped | |||
eventlog running (container: 1040) | |||
lsass running (container: 2701213) | |||
lwio running (container: 1183) | |||
netlogon running (container: 1126) | |||
rdr running (io: 1183) | |||
reapsysl running (container: 1324) | |||
usermonitor stopped | |||
</pre> | |||
=== lwsm === | |||
/opt/pbis/bin/lwsm settings | |||
watchdog: on | |||
/opt/pbis/bin/lwsm shutdown | |||
== Latest Release == | == Latest Release == | ||
| Line 120: | Line 193: | ||
https://docs.beyondtrust.com/adb/docs/install-adb | https://docs.beyondtrust.com/adb/docs/install-adb | ||
== Issues == | |||
=== LW_ERROR_LDAP_INSUFFICIENT_ACCESS === | |||
Error: | |||
<pre> | |||
# /opt/pbis/bin/domainjoin-cli --loglevel verbose join corp.example.com MYUSER | |||
Joining to AD Domain: corp.example.com | |||
With Computer DNS Name: fixit01.corp.example.com | |||
MYUSER@CORP.EXAMPLE.COM's password: | |||
Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b] | |||
Insufficient access to perform LDAP operation | |||
</pre> | |||
Logs: | |||
<pre> | |||
Apr 15 15:27:09 fixit01 lsass: [lsass] Failed to set computer account attribute msDS-SupportedEncryptionTypes. LW_ERROR_LDAP_INSUFFICIENT_ACCESS(40331) | |||
Apr 15 15:27:09 fixit01 lsass: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40331, symbol = LW_ERROR_LDAP_INSUFFICIENT_ACCESS, client pid = 5462 | |||
</pre> | |||
Solution: | |||
* Have your IT give you write permission to attribute msDS-SupportedEncryptionTypes. PBIS does not give you a way to not actively try to set this. | |||
== keywords == | == keywords == | ||
[[Category:Linux AD]] | [[Category:Linux AD]] | ||
Latest revision as of 22:39, 15 April 2026
BeyondTrust AD Bridge Open-Source Community Project
BeyondTrust AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is currently archived and will no longer receive updates. If you are interested in an Enterprise version of this project, please see our AD Bridge product.
See SSSD instead
SSSD
See SSSD
Github
BeyondTrust AD Bridge Open https://github.com/BeyondTrust/pbis-open
PROJECT HAS BEEN ARCHIVED This repository has been archived by the owner on Nov 8, 2021. It is now read-only.
"We have decided to fork BeyondTrust AD Bridge Enterprise from BeyondTrust AD Bridge Open solution. Please consider BeyondTrust Active Directory Bridge for continued support." https://www.beyondtrust.com/privilege-management/active-directory-bridge https://www.beyondtrust.com/products/active-directory-bridge
Install BeyondTrust AD Bridge
BeyondTrust AD Bridge: APT Repository https://repo.pbis.beyondtrust.com/apt.html
To add the BeyondTrust AD Bridge GPG key to your system:
sudo wget -O /usr/share/keyrings/DEB-GPG-KEY-adb.gpg https://repo.pbis.beyondtrust.com/apt/DEB-GPG-KEY-adb.gpg
To add the BeyondTrust AD Bridge repository to your system:
sudo wget -O /etc/apt/sources.list.d/adbridge.sources https://repo.pbis.beyondtrust.com/apt/adbridge.sources sudo apt update
Once your Repository has been added, install BeyondTrust AD Bridge:
sudo apt install pbis-enterprise
What is PBIS
"PowerBroker Identity Services" [1]
Ref:
It was renamed / rebranded to "BeyondTrust AD Bridge" in the 9.0 release. [2] [3]
Join Domain
/opt/pbis/bin/domainjoin-cli join AD-DOMAIN USER@AD-DOMAIN
/opt/pbis/bin/config UserDomainPrefix AD-DOMAIN /opt/pbis/bin/config AssumeDefaultDomain True /opt/pbis/bin/config LoginShellTemplate /bin/bash /opt/pbis/bin/config HomeDirTemplate %H/%U
Grand AD users or security groups as 'root':
/opt/pbis/bin/config RequireMembershipOf “AD-DOMAIN\<AD-DOMAIN-GROUP>” “AD-DOMAIN\<user>”
Sudo: /etc/sudoers
%DOMAIN\\<AD-DOMAIN-GROUP> ALL=(ALL) NOPASSWD:ALL
Set Machine Name
Set machine name before joining:
pbis set-machine-name [name]
Show All Config Settings
/opt/pbis/bin/config --dump
Show System Joined Details
$ /opt/pbis/bin/domainjoin-cli query
Name = MYSYSTEMNAME Domain = CORP.EXAMPLE.COM Distinguished Name = CN=MYSYSTEMNAME,OU=SOMESITE,OU=UnitedStates,OU=Eng,OU=Workstations,DC=corp,DC=example,DC=com
PBIS Full Details
pbis status
Dump all users
/opt/pbis/bin/enum-users
Authenticate User
pbis authenticate-user --user [USER]
pbis authenticate-user --user [USER] --domain [DOMAIN]
Usage: authenticate-user --user <name> --domain <name> [ --password <pass> ] [ --provider name ]
--user User name to authenticate with
--domain User's domain
--password User's password (prompted if not passed on commandline)
Clear Cache
/opt/pbis/bin/ad-cache --delete-all /opt/pbis/bin/lwsm restart lsass
rm -f /tmp/krb5cc_*
/opt/pbis/bin/ad-cache --delete-all
Allow Local Users
If you still want to allow local users on the system, allow "Local" user providers, or "passwd" is not going to work for local accounts.
/opt/pbis/bin/domainjoin-cli configure --enable nsswitch /opt/pbis/bin/domainjoin-cli configure --enable pam /opt/pbis/bin/config Providers "ActiveDirectory" "Local"
Add local users to pbis ignore list (one user per line). Default entries include 'root' and 'tty'.
/etc/pbis/user-ignore /etc/pbis/group-ignore
ref:
--
Also suggested to change Domain Prefix to ""
/opt/pbis/bin/config UserDomainPrefix ""
logs
/var/log/auth.log
/var/log/syslog or /var/log/messages
Services Status
/opt/pbis/bin/lwsm list
lwreg running (container: 960) dcerpc stopped eventlog running (container: 1040) lsass running (container: 2701213) lwio running (container: 1183) netlogon running (container: 1126) rdr running (io: 1183) reapsysl running (container: 1324) usermonitor stopped
lwsm
/opt/pbis/bin/lwsm settings watchdog: on
/opt/pbis/bin/lwsm shutdown
Latest Release
AD Bridge Open 9.1.0.551
pbis-open-9.1.0.551.linux.x86.deb.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.deb.sh pbis-open-9.1.0.551.linux.x86.rpm.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.rpm.sh pbis-open-9.1.0.551.linux.x86_64.deb.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh pbis-open-9.1.0.551.linux.x86_64.rpm.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.rpm.sh
Source:
https://github.com/BeyondTrust/pbis-open/archive/refs/tags/9.1.0.zip https://github.com/BeyondTrust/pbis-open/archive/refs/tags/9.1.0.tar.gz
Tag: AD Bridge Open 9.1.0.551
https://github.com/BeyondTrust/pbis-open/releases/tag/9.1.0
Sudo
[root@license-01 sudoers.d]# cat admin # Ansible managed | any changes in this file will be overwritten %AD\\it-infra ALL=(ALL:ALL) NOPASSWD: ALL
[root@license-01 sudoers.d]# cat pbissudouser # Ansible managed | any changes in this file will be overwritten 1234 ALL=(root) NOPASSWD: ALL %ENG-INFRA ALL=(root) NOPASSWD: ALL %eng-infra ALL=(root) NOPASSWD: ALL
BeyondTrust Enterprise AD Bridge
https://repo.pbis.beyondtrust.com/
https://www.beyondtrust.com/docs/archive/ad-bridge/9-1/adb-windows-administration-guide-9-1.pdf
https://docs.beyondtrust.com/adb/docs/adb-overview
https://docs.beyondtrust.com/adb/docs/install-adb
Issues
LW_ERROR_LDAP_INSUFFICIENT_ACCESS
Error:
# /opt/pbis/bin/domainjoin-cli --loglevel verbose join corp.example.com MYUSER Joining to AD Domain: corp.example.com With Computer DNS Name: fixit01.corp.example.com MYUSER@CORP.EXAMPLE.COM's password: Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b] Insufficient access to perform LDAP operation
Logs:
Apr 15 15:27:09 fixit01 lsass: [lsass] Failed to set computer account attribute msDS-SupportedEncryptionTypes. LW_ERROR_LDAP_INSUFFICIENT_ACCESS(40331) Apr 15 15:27:09 fixit01 lsass: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40331, symbol = LW_ERROR_LDAP_INSUFFICIENT_ACCESS, client pid = 5462
Solution:
- Have your IT give you write permission to attribute msDS-SupportedEncryptionTypes. PBIS does not give you a way to not actively try to set this.