BeyondTrust: Difference between revisions
| Line 88: | Line 88: | ||
/opt/pbis/bin/ad-cache --delete-all | /opt/pbis/bin/ad-cache --delete-all | ||
/opt/pbis/bin/lwsm restart lsass | /opt/pbis/bin/lwsm restart lsass | ||
rm -f /tmp/krb5cc_* | |||
/opt/pbis/bin/ad-cache --delete-all | |||
== Allow Local Users == | == Allow Local Users == | ||
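Review bot: the `/opt/pbis/bin/ad-cache --delete-all` that follows `rm -f /tmp/krb5cc_*` repeats the command already run two lines earlier, and no second `lwsm restart lsass` follows it. Either drop the repeat or say why the cache must be cleared again after the ticket caches are removed. The `/tmp/krb5cc_*` glob also deletes the Kerberos credential cache of every user on the host, so the section should state that logged-in users will have to obtain new tickets.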
Revision as of 21:55, 25 March 2026
BeyondTrust AD Bridge Open-Source Community Project
BeyondTrust AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is currently archived and will no longer receive updates. If you are interested in an Enterprise version of this project, please see our AD Bridge product.
See SSSD instead
SSSD
See SSSD
Github
BeyondTrust AD Bridge Open https://github.com/BeyondTrust/pbis-open
PROJECT HAS BEEN ARCHIVED This repository has been archived by the owner on Nov 8, 2021. It is now read-only.
"We have decided to fork BeyondTrust AD Bridge Enterprise from BeyondTrust AD Bridge Open solution. Please consider BeyondTrust Active Directory Bridge for continued support." https://www.beyondtrust.com/privilege-management/active-directory-bridge https://www.beyondtrust.com/products/active-directory-bridge
What is PBIS
"PowerBroker Identity Services" [1]
Ref:
It was renamed / rebranded to "BeyondTrust AD Bridge" in the 9.0 release. [2] [3]
Join Domain
/opt/pbis/bin/domainjoin-cli join AD-DOMAIN USER@AD-DOMAIN
/opt/pbis/bin/config UserDomainPrefix AD-DOMAIN
/opt/pbis/bin/config AssumeDefaultDomain True
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/config HomeDirTemplate %H/%U
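Grant AD users or security groups as 'root'. RequireMembershipOf restricts logon to the listed groups and users; root privileges come from the sudoers entry below:
/opt/pbis/bin/config RequireMembershipOf "AD-DOMAIN\<AD-DOMAIN-GROUP>" "AD-DOMAIN\<user>"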
Sudo: /etc/sudoers
%DOMAIN\\<AD-DOMAIN-GROUP> ALL=(ALL) NOPASSWD:ALL
Set Machine Name
Set machine name before joining:
pbis set-machine-name [name]
Show All Config Settings
/opt/pbis/bin/config --dump
Show System Joined Details
$ /opt/pbis/bin/domainjoin-cli query
Name = MYSYSTEMNAME
Domain = CORP.EXAMPLE.COM
Distinguished Name = CN=MYSYSTEMNAME,OU=SOMESITE,OU=UnitedStates,OU=Eng,OU=Workstations,DC=corp,DC=example,DC=com
PBIS Full Details
pbis status
Dump all users
/opt/pbis/bin/enum-users
Authenticate User
pbis authenticate-user --user [USER]
pbis authenticate-user --user [USER] --domain [DOMAIN]
Usage: authenticate-user --user <name> --domain <name> [ --password <pass> ] [ --provider name ]
--user User name to authenticate with
--domain User's domain
--password User's password (prompted if not passed on commandline)
Clear Cache
/opt/pbis/bin/ad-cache --delete-all
/opt/pbis/bin/lwsm restart lsass
rm -f /tmp/krb5cc_*
/opt/pbis/bin/ad-cache --delete-all
Allow Local Users
To keep local users working on the system, enable the "Local" provider alongside "ActiveDirectory"; otherwise "passwd" will not work for local accounts.
/opt/pbis/bin/domainjoin-cli configure --enable nsswitch
/opt/pbis/bin/domainjoin-cli configure --enable pam
/opt/pbis/bin/config Providers "ActiveDirectory" "Local"
Add local users to pbis ignore list (one user per line). Default entries include 'root' and 'tty'.
/etc/pbis/user-ignore
/etc/pbis/group-ignore
ref:
Logs
/var/log/auth.log
/var/log/syslog or /var/log/messages
Services Status
/opt/pbis/bin/lwsm list
lwreg running (container: 960)
dcerpc stopped
eventlog running (container: 1040)
lsass running (container: 2701213)
lwio running (container: 1183)
netlogon running (container: 1126)
rdr running (io: 1183)
reapsysl running (container: 1324)
usermonitor stopped
lwsm
/opt/pbis/bin/lwsm settings watchdog: on
/opt/pbis/bin/lwsm shutdown
Latest Release
AD Bridge Open 9.1.0.551
pbis-open-9.1.0.551.linux.x86.deb.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.deb.sh
pbis-open-9.1.0.551.linux.x86.rpm.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.rpm.sh
pbis-open-9.1.0.551.linux.x86_64.deb.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh
pbis-open-9.1.0.551.linux.x86_64.rpm.sh - https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.rpm.sh
Source:
https://github.com/BeyondTrust/pbis-open/archive/refs/tags/9.1.0.zip
https://github.com/BeyondTrust/pbis-open/archive/refs/tags/9.1.0.tar.gz
Tag: AD Bridge Open 9.1.0.551
https://github.com/BeyondTrust/pbis-open/releases/tag/9.1.0
Sudo
[root@license-01 sudoers.d]# cat admin
# Ansible managed | any changes in this file will be overwritten
%AD\\it-infra ALL=(ALL:ALL) NOPASSWD: ALL

[root@license-01 sudoers.d]# cat pbissudouser
# Ansible managed | any changes in this file will be overwritten
1234 ALL=(root) NOPASSWD: ALL
%ENG-INFRA ALL=(root) NOPASSWD: ALL
%eng-infra ALL=(root) NOPASSWD: ALL
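An added example (not part of the original wiki page or of the PBIS project): a shell audit that lists sudoers rules granting passwordless `ALL`, the pattern used in the `admin` and `pbissudouser` fragments above. The function names, the `AD\\helpdesk` rule and the sample files are constructed for illustration; line continuations and `#uid` principals are not handled.

```shell
#!/bin/sh
# Added example: report sudoers rules whose command list under NOPASSWD
# is ALL. Output format: file:line: kind principal runas=(...)
# Simplifications (assumptions): one rule per line, the principal is the
# first whitespace-delimited field, "#uid" principals are skipped.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blanks
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }  # not user rules
        /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/ {
            kind = ($1 ~ /^%/) ? "group" : "user"
            runas = "default"
            if (match($0, /=[ \t]*[(][^)]*[)]/)) {
                runas = substr($0, RSTART, RLENGTH)
                sub(/^=[ \t]*/, "", runas)
            }
            printf "%s:%d: %s %s runas=%s\n", FILENAME, FNR, kind, $1, runas
        }
    ' "$@"
}

# Constructed sample input modelled on the two fragments shown above, plus
# one command-scoped rule (hypothetical group) that must not be reported.
write_samples() {
    dir=$1
    cat > "$dir/admin" <<'EOF'
# Ansible managed | any changes in this file will be overwritten
%AD\\it-infra ALL=(ALL:ALL) NOPASSWD: ALL
EOF
    cat > "$dir/pbissudouser" <<'EOF'
# Ansible managed | any changes in this file will be overwritten
1234 ALL=(root) NOPASSWD: ALL
%ENG-INFRA ALL=(root) NOPASSWD: ALL
%eng-infra ALL=(root) NOPASSWD: ALL
%AD\\helpdesk ALL=(root) NOPASSWD: /opt/pbis/bin/lwsm restart lsass
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    (cd "$tmp" && audit_sudoers admin pbissudouser)
    rm -rf "$tmp"
}
demo
```

On a joined host, run `audit_sudoers /etc/sudoers /etc/sudoers.d/*` as root and check each reported AD group's membership in the directory.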
BeyondTrust Enterprise AD Bridge
https://repo.pbis.beyondtrust.com/
https://www.beyondtrust.com/docs/archive/ad-bridge/9-1/adb-windows-administration-guide-9-1.pdf
https://docs.beyondtrust.com/adb/docs/adb-overview
https://docs.beyondtrust.com/adb/docs/install-adb