BeyondTrust: Difference between revisions

Latest revision as of 22:39, 15 April 2026

BeyondTrust AD Bridge Open-Source Community Project

BeyondTrust AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is currently archived and will no longer receive updates. If you are interested in an Enterprise version of this project, please see our AD Bridge product.

See SSSD instead

SSSD

See SSSD

Github

BeyondTrust AD Bridge Open
https://github.com/BeyondTrust/pbis-open

PROJECT HAS BEEN ARCHIVED
This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

"We have decided to fork BeyondTrust AD Bridge Enterprise from BeyondTrust AD Bridge Open solution.
Please consider BeyondTrust Active Directory Bridge for continued support."
https://www.beyondtrust.com/privilege-management/active-directory-bridge
https://www.beyondtrust.com/products/active-directory-bridge

Install BeyondTrust AD Bridge

BeyondTrust AD Bridge: APT Repository
https://repo.pbis.beyondtrust.com/apt.html

To add the BeyondTrust AD Bridge GPG key to your system:

sudo wget -O /usr/share/keyrings/DEB-GPG-KEY-adb.gpg https://repo.pbis.beyondtrust.com/apt/DEB-GPG-KEY-adb.gpg

To add the BeyondTrust AD Bridge repository to your system:

sudo wget -O /etc/apt/sources.list.d/adbridge.sources https://repo.pbis.beyondtrust.com/apt/adbridge.sources
sudo apt update

Once your Repository has been added, install BeyondTrust AD Bridge:

sudo apt install pbis-enterprise

What is PBIS

"PowerBroker Identity Services" ^[1]

Ref:

It was renamed / rebranded to "BeyondTrust AD Bridge" in the 9.0 release. ^[2] ^[3]

Join Domain

/opt/pbis/bin/domainjoin-cli join AD-DOMAIN USER@AD-DOMAIN

/opt/pbis/bin/config UserDomainPrefix AD-DOMAIN
/opt/pbis/bin/config AssumeDefaultDomain True
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/config HomeDirTemplate %H/%U

Grand AD users or security groups as 'root':

/opt/pbis/bin/config RequireMembershipOf “AD-DOMAIN\<AD-DOMAIN-GROUP>” “AD-DOMAIN\<user>”

Sudo: /etc/sudoers

%DOMAIN\\<AD-DOMAIN-GROUP> ALL=(ALL) NOPASSWD:ALL

Set Machine Name

Set machine name before joining:

pbis set-machine-name [name]

Show All Config Settings

/opt/pbis/bin/config --dump

Show System Joined Details

$ /opt/pbis/bin/domainjoin-cli query

Name = MYSYSTEMNAME
Domain = CORP.EXAMPLE.COM
Distinguished Name = CN=MYSYSTEMNAME,OU=SOMESITE,OU=UnitedStates,OU=Eng,OU=Workstations,DC=corp,DC=example,DC=com

PBIS Full Details

pbis status

Dump all users

/opt/pbis/bin/enum-users

Authenticate User

pbis authenticate-user --user [USER]

pbis authenticate-user --user [USER] --domain [DOMAIN]

Usage: authenticate-user --user <name> --domain <name> [ --password <pass> ] [ --provider name ]

    --user                  User name to authenticate with
    --domain                User's domain
    --password              User's password (prompted if not passed on commandline)

Clear Cache

/opt/pbis/bin/ad-cache --delete-all
/opt/pbis/bin/lwsm restart lsass

rm -f /tmp/krb5cc_*

/opt/pbis/bin/ad-cache --delete-all

Allow Local Users

If you still want to allow local users on the system, allow "Local" user providers, or "passwd" is not going to work for local accounts.

/opt/pbis/bin/domainjoin-cli configure --enable nsswitch
/opt/pbis/bin/domainjoin-cli configure --enable pam
/opt/pbis/bin/config Providers "ActiveDirectory" "Local"

Add local users to pbis ignore list (one user per line). Default entries include 'root' and 'tty'.

/etc/pbis/user-ignore
/etc/pbis/group-ignore

ref:

https://docs.beyondtrust.com/adb/docs/configure-user-group-ignore

--

Also suggested to change Domain Prefix to ""

/opt/pbis/bin/config UserDomainPrefix ""

logs

/var/log/auth.log

/var/log/syslog or /var/log/messages

Services Status

/opt/pbis/bin/lwsm list

lwreg          running (container: 960)
dcerpc         stopped
eventlog       running (container: 1040)
lsass          running (container: 2701213)
lwio           running (container: 1183)
netlogon       running (container: 1126)
rdr            running (io: 1183)
reapsysl       running (container: 1324)
usermonitor    stopped

lwsm

/opt/pbis/bin/lwsm settings
  watchdog: on

/opt/pbis/bin/lwsm shutdown

Latest Release

AD Bridge Open 9.1.0.551

pbis-open-9.1.0.551.linux.x86.deb.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.deb.sh
pbis-open-9.1.0.551.linux.x86.rpm.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.rpm.sh
pbis-open-9.1.0.551.linux.x86_64.deb.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh
pbis-open-9.1.0.551.linux.x86_64.rpm.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.rpm.sh

Source:

https://github.com/BeyondTrust/pbis-open/archive/refs/tags/9.1.0.zip
https://github.com/BeyondTrust/pbis-open/archive/refs/tags/9.1.0.tar.gz

Tag: AD Bridge Open 9.1.0.551

https://github.com/BeyondTrust/pbis-open/releases/tag/9.1.0

Sudo

[root@license-01 sudoers.d]# cat admin
# Ansible managed | any changes in this file will be overwritten
%AD\\it-infra ALL=(ALL:ALL) NOPASSWD: ALL

[root@license-01 sudoers.d]# cat pbissudouser
# Ansible managed | any changes in this file will be overwritten
1234   ALL=(root) NOPASSWD: ALL
%ENG-INFRA   ALL=(root) NOPASSWD: ALL
%eng-infra   ALL=(root) NOPASSWD: ALL

BeyondTrust Enterprise AD Bridge

https://repo.pbis.beyondtrust.com/

https://www.beyondtrust.com/docs/archive/ad-bridge/9-1/adb-windows-administration-guide-9-1.pdf

https://docs.beyondtrust.com/adb/docs/adb-overview

https://docs.beyondtrust.com/adb/docs/install-adb

Issues

LW_ERROR_LDAP_INSUFFICIENT_ACCESS

Error:

# /opt/pbis/bin/domainjoin-cli --loglevel verbose join corp.example.com MYUSER
Joining to AD Domain:   corp.example.com
With Computer DNS Name: fixit01.corp.example.com

MYUSER@CORP.EXAMPLE.COM's password:

Error: LW_ERROR_LDAP_INSUFFICIENT_ACCESS [code 0x00009d8b]

Insufficient access to perform LDAP operation

Logs:

Apr 15 15:27:09 fixit01 lsass: [lsass] Failed to set computer account attribute msDS-SupportedEncryptionTypes. LW_ERROR_LDAP_INSUFFICIENT_ACCESS(40331)
Apr 15 15:27:09 fixit01 lsass: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40331, symbol = LW_ERROR_LDAP_INSUFFICIENT_ACCESS, client pid = 5462

Solution:

Have your IT give you write permission to attribute msDS-SupportedEncryptionTypes. PBIS does not give you a way to not actively try to set this.

keywords

[1] ttps://github.com/BeyondTrust/pbis-open/releases/tag/8.8.0

[2] ttps://github.com/BeyondTrust/pbis-open/releases/tag/9.0.0

[3] ttps://github.com/BeyondTrust/pbis-open/commit/54e888873e455aa876f5623b01aa36fedf6506a9

[1]

[2]

[3]

BeyondTrust: Difference between revisions

Latest revision as of 22:39, 15 April 2026

Contents

BeyondTrust AD Bridge Open-Source Community Project

SSSD

Github

Install BeyondTrust AD Bridge

What is PBIS

Join Domain

Set Machine Name

Show All Config Settings

Show System Joined Details

PBIS Full Details

Dump all users

Authenticate User

Clear Cache

Allow Local Users

logs

Services Status

lwsm

Latest Release

Sudo

BeyondTrust Enterprise AD Bridge

Issues

LW_ERROR_LDAP_INSUFFICIENT_ACCESS

keywords

Navigation menu

BeyondTrust: Difference between revisions

Latest revision as of 22:39, 15 April 2026

BeyondTrust AD Bridge Open-Source Community Project

SSSD

Github

Install BeyondTrust AD Bridge

What is PBIS

Join Domain

Set Machine Name

Show All Config Settings

Show System Joined Details

PBIS Full Details

Dump all users

Authenticate User

Clear Cache

Allow Local Users

logs

Services Status

lwsm

Latest Release

Sudo

BeyondTrust Enterprise AD Bridge

Issues

LW_ERROR_LDAP_INSUFFICIENT_ACCESS

keywords

Navigation menu

Search