Linux and Windows authentication is a topic that comes up often, and there are various ways of achieving it. We have been testing PowerBroker Identity Services Open Source Edition (PBIS) and have found it very easy to install and use.
PBIS comes with a GUI and a CLI installation interface. To test it, we decided that the CLI would be the better approach and would give us better insight into the tool. For the test we used CentOS 6.0 and Fedora 16 as the Linux hosts.
The installation is simple and straightforward. Just type the following command and answer yes to the questions:
BASH# sh pbis-open-6.5.561.linux.x86_64.rpm.sh
The installation may require a reboot, but we found it was not always necessary. The default installation creates the directory /opt/pbis for the installation.
Once installed, it is time to add the Linux host to the Active Directory domain; using the CLI, this is easily done. For this example we were joining the Linux host to the domain example.com. We used the account administrator, but this can be any account with sufficient privileges on the Active Directory domain.
BASH# /opt/pbis/bin/domainjoin-cli join EXAMPLE.COM administrator
That completed the installation, and the Linux host was then part of the domain. A straightforward and easy installation. To test, we then logged in via SSH with the following:
BASH# ssh "example\gtlg"@192.168.1.2
By default, however, PBIS does not use the BASH shell, and it creates the home directory as follows:
/home/local/EXAMPLE/gtlg
This was not in line with our normal standards and led us to dig a bit further into PBIS to see how we could make it match our policies. Again PBIS turned out to be very easy to use and very straightforward to configure. Changing the default settings requires only simple PBIS commands that edit the PBIS "registry".
Changing the default shell to BASH was done as follows:
in /opt/pbis/bin: ./config LoginShellTemplate /bin/bash
To change the default home directory to match our standard (/home/EXAMPLE/gtlg):
in /opt/pbis/bin: ./config HomeDirTemplate %H/%D/%U
%H = /home
%D = Domain Name
%U = Username
At this point we had working logins via console or SSH, the BASH shell by default, and the directory structure that we wanted. Our last test was to see how to add users to groups and to visudo. Again we are pleased to say that it was very simple.
In /opt/pbis/bin, use the command enum-groups to find a group in Active Directory that you want to use. In our case we used the group Domain Admins, which PBIS displayed as EXAMPLE\domain^admins. Adding this to our Linux host was as simple as editing /etc/group and adding EXAMPLE\domain^admins to a group.
Adding a group to sudo is just as easy and is as follows (the leading % marks a group entry in sudoers, and the backslash is doubled because sudoers treats a single backslash as an escape character):
%EXAMPLE\\domain^admins ALL=(ALL) ALL
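The shell script below is an added example written for this post, not PBIS code or the authors' own: it checks that accounts PBIS hands out follow the LoginShellTemplate and HomeDirTemplate values set above, and builds the sudoers entry for a group as PBIS displays it. The passwd lines it checks are constructed samples; on a real host you would feed it the output of getent passwd for the domain user.

```shell
#!/bin/sh
# Added example, not part of the original post: check that PBIS-provided
# accounts follow the LoginShellTemplate / HomeDirTemplate policy set above,
# and build the sudoers entry for an AD group as PBIS displays it.
# The passwd lines fed to the checks below are constructed samples; on a real
# host, use the output of:  getent passwd 'EXAMPLE\gtlg'

HOME_TEMPLATE='%H/%D/%U'    # /opt/pbis/bin/config HomeDirTemplate %H/%D/%U
HOME_PREFIX='/home'         # what %H expands to
SHELL_TEMPLATE='/bin/bash'  # /opt/pbis/bin/config LoginShellTemplate /bin/bash

# expand_home DOMAIN USER: home directory the template yields for that account
expand_home() {
    printf '%s\n' "$HOME_TEMPLATE" |
        sed -e "s|%H|$HOME_PREFIX|" -e "s|%D|$1|" -e "s|%U|$2|"
}

# check_passwd_line 'DOMAIN\user' 'passwd line': returns 0 if home and shell
# match the policy, 1 (with a MISMATCH line) otherwise
check_passwd_line() {
    principal=$1
    domain=${principal%%\\*}                       # text before the backslash
    domain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    user=${principal##*\\}                         # text after the backslash
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$2
EOF
    expected=$(expand_home "$domain" "$user")
    if [ "$home" = "$expected" ] && [ "$shell" = "$SHELL_TEMPLATE" ]; then
        echo "OK       $principal  $home  $shell"
        return 0
    fi
    echo "MISMATCH $principal  home=$home (want $expected)  shell=$shell (want $SHELL_TEMPLATE)"
    return 1
}

# sudoers_group_line 'DOMAIN\group^name': entry granting that group full sudo.
# The leading % marks a group, and the single backslash PBIS displays must be
# doubled because sudoers treats backslash as an escape character.
sudoers_group_line() {
    printf '%%%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's|\\|\\\\|g')"
}

# Constructed samples: one account on policy, one still on the PBIS defaults.
check_passwd_line 'EXAMPLE\gtlg' 'EXAMPLE\gtlg:x:1000:1000:gtlg:/home/EXAMPLE/gtlg:/bin/bash' || true
check_passwd_line 'EXAMPLE\jdoe' 'EXAMPLE\jdoe:x:1001:1000:jdoe:/home/local/EXAMPLE/jdoe:/bin/sh' || true
sudoers_group_line 'EXAMPLE\domain^admins'
```

Run it after changing the templates and the MISMATCH lines show which accounts still carry the /home/local layout or the default shell.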
PowerBroker Identity Services is great and works exactly as described. We have tested the file permissions and sudo rights successfully.
By default it joins the AD domain using port 389, but how can I make it join using port 636 with PBIS Open?
Did you ever figure out how to join using 636 and authenticate? I'm trying to figure it out now because netops is making us shut off 389.