PBIS Installation 8.7.0

PowerBroker Identity Services

Installation Guide
Revision/Update Information: August 2018

Corporate Headquarters
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright © 2018 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when
applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc.
(“BeyondTrust”) or BeyondTrust’s authorized remarketer, if and when applicable.

TRADE SECRET NOTICE


This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or
author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or
documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against
and/or restrictions on copying, modification and use.

DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties
expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR
PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable)


If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights.
This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the
express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following
purposes: manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)


If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is
subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at
DFARS 252.227-7013.

TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops,
PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker
Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.
ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The
SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain
jurisdictions.
This application contains software powered by PKAIP®, the leading solution for enabling efficient and secure data storage and
transmission. PKAIP® is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with
permission.

OTHER NOTICES
If and when applicable the following additional provisions are so noted:
The PowerBroker Identity Services Open software is free to download and use according to the terms of the Limited GPL 2.1
for client libraries and the GPL 2 for daemons. The licenses for PowerBroker Identity Services Enterprise and for PowerBroker
Identity Services UID-GID Module are different. For complete information on the software licenses and terms of use for
BeyondTrust products, see www.beyondtrust.com.
Contents

Introduction 6
Conventions Used in This Guide 6
Font Conventions 6
Documentation Set for PBIS Enterprise 7
Contact Technical Support 8
Before Contacting Technical Support 8
Generating a Support Pack 9
Contacting Support 10

PBIS Enterprise Overview 11


PBIS Enterprise Overview 11
PBIS - Open Edition 11
Components 11
PowerBroker Identity Services Enterprise Agent 13
Services 13
Caches and Databases 17
Name Service Caching Daemon (NSCD) 19
Time Synchronization 19
Using a Network Time Protocol Server 19
Automatic Detection of Offline Domain Controller and Global Catalog 19
Cached Credentials 20
Trust Support 20
Supported Platforms 21
SELinux Support 21
Unsupported Operating Systems 22
Storage Modes 22
Directory Integrated Mode 22
Schemaless Mode 23

Planning Your Installation and Deployment 24


Planning Your Deployment 24

Installing the Management Console 25


Requirements 25
Microsoft Management Tools 25
Administrator Privileges 26
Active Directory Requirements 26
Windows Requirements for the Console 26
Requirements to Run PBIS Enterprise in Directory Integrated Mode 27
Networking 27
Replication 27
Supported Platforms and Applications 27
Installing the Console 27
Silent Install 28
Installing Active Directory and GPMC Extensions 28

Installation Guide 3 © 2018. BeyondTrust Software, Inc.

Upgrading the Console 29


Upgrading PBIS 7.5 to PBIS 8.1 29
Upgrading from 8.1 - Directory Integrated Mode 30
Changing to Directory Integrated Mode 30
Changes Made by the Directory Integrated Mode Configuration 30

Configuring Clients Before PBIS Enterprise Agent Installation 32


Configure nsswitch.conf 32
Configure netsvc.conf on AIX 32
Restart Services 32
Configure resolv.conf 33
Configure Firewall Ports 33
Extend Partition Size (IBM AIX) 33
Increase Max User Name Length (IBM AIX) 34

Installing the PBIS Enterprise Agent 35


Install the Correct Version for the Operating System 35
Checking the Linux Kernel Release Number 35
Package Management Commands 35
Requirements for the Agent 35
Environment Variables 35
Patch Requirements 36
Other Requirements for the Agent 36
Additional Requirements for Specific Operating Systems 37
Install the Agent on Linux or Unix with the Shell Script 37
Install the Agent on Linux in Unattended Mode 38
Install the Agent in Solaris Zones 38
Install Options for Embedded Scripts 38
Post Install 39
Installing Solaris 11 39
What's New with the Solaris 11 Installer 40
Uploading the Packages with the P5P file 40
Installing the Agent in Solaris 11 Zones 40
Upgrading An Operating System 41

Configuring SELinux 42
Installing SELinux on Unsupported Platforms 42
Configuring SELinux After Installing 42

Joining an Active Directory Domain 43


Overview 43
Privileges and Permissions 44
Creation of Local Accounts 44
Join Active Directory from the Command Line 46
Before Joining a Domain 46
Joining a Computer to Active Directory 46
Join a Linux or Unix Computer to an Organizational Unit 47
Join a Linux or Unix Computer to a Nested Organizational Unit 47

Join Active Directory Without Changing /etc/hosts 47


Turn Off OS X Directory Service Authentication 49
Automatically Join an Agent to a Domain 49
Create a Computer Account in Active Directory 49
Run a Domain Join Script on the Agent 50
Files Modified When You Join a Domain 50

Logging on with Domain Credentials 53


Log on with AD Credentials 53
Log on with SSH 54

Leaving a Domain and Uninstalling the PBIS Enterprise Agent 55


Leave a Domain 55
Remove a Linux or Unix Computer from a Domain 55
Disable the Computer Account in Active Directory 55
Remove the Computer Account in Active Directory 56
Remove a Mac from a Domain 56
Uninstall the Agent on a Linux or Unix Computer 56
Using a Shell Script to Uninstall 56
Using a Command to Uninstall 56
Uninstall the Agent on a Mac 57

Introduction
This guide shows system administrators and security administrators how to use BeyondTrust PowerBroker Identity
Services Enterprise Edition (PBIS Enterprise).
PBIS Enterprise ships with a number of documents that help you to use the various features of the product. See the
following section for a list of the guides.

Conventions Used in This Guide


Specific font and line spacing conventions are used in this book to ensure readability and to highlight important
information such as commands, syntax, and examples.

Font Conventions
The font conventions used for this document are:
• Courier New Font is used for program names, commands, command arguments, directory paths,
variable names, text input, text output, configuration file listings, and source code. For example:
C:\Documents and Settings\All Users
• Courier New Bold Font is used for information that should be entered into the system exactly as
shown. For example:
pbdeploy.exe
• Courier New Italics Font is used for input variables that need to be replaced by actual values. In the
following example, the variable MyServer must be replaced by an actual environment server name and the
variable MyFolder must be replaced by an actual folder name:
\\MyServer\MyFolder\pbdcl32.msi
• Bold is used for Windows buttons. For example:
Click OK.

Documentation Set for PBIS Enterprise


The complete PowerBroker Identity Services Enterprise Edition documentation set includes the following:
• PBIS Enterprise Installation Guide
• PBIS Enterprise Windows Administration Guide
• PBIS Enterprise Linux Administration Guide
• PBIS Enterprise Mac OS X Administration Guide
• PBIS Enterprise Integration Guide
• PBIS Enterprise Config Tool Reference Guide
• PBIS Enterprise Group Policy Reference Guide
• PBIS Enterprise Troubleshooting Guide
• PBIS Enterprise Report Book
• PBIS Enterprise Release Notes

Contact Technical Support


BeyondTrust Software, Inc. provides an online knowledge base, as well as telephone and web-based support.

Before Contacting Technical Support


To expedite support, collect the following information to provide to Technical Support:
• PBIS Enterprise version (Available in the PBIS Enterprise Console by clicking Help, About on the menu bar.)
• PBIS Enterprise Agent version and build number
• Linux or Unix version
• Windows or Windows Server version
If you are contacting Technical Support about one of the following problems, also provide the diagnostic
information specified.

Segmentation Faults
Provide the following information when contacting Technical Support:
• Core dump of the PowerBroker Identity Services application (enable core dumps beforehand with
ulimit -c unlimited)
• Exact patch level or exact versions of all installed packages.

Program Freezes
Provide the following information when contacting Technical Support:
• Debug logs
• tcpdump
• An strace of the program

Domain-Join Errors
Provide the following information when contacting Technical Support:
• Debug logs (Copy the log file from /var/log/pbis-join.log.)
• tcpdump

All Active Directory Users Are Missing


Provide the following information when contacting Technical Support:
• Run /opt/pbis/bin/get-status
• Contents of nsswitch.conf

All Active Directory Users Cannot Log On


Provide the following information when contacting Technical Support:
• Output of id <user>
• Output of su -c 'su <user>' <user>

• Lsass debug logs (See Generate an Authentication Agent Debug Log, in the PBIS Troubleshooting webhelp.)
• Contents of pam.d/pam.conf
• The sshd and ssh debug logs and syslog

AD Users or Groups are Missing


Provide the following information when contacting Technical Support:
• The debug logs for lsass
• Output of getent passwd or getent group for the missing object
• Output of id <user> if the missing object is a user
• tcpdump
• Copy of lsass cache file.

Poor Performance When Logging On or Looking Up Users


Provide the following information when contacting Technical Support:
• Output of id <user>
• The lsass debug log
• Copy of lsass cache file. (For more about the file name and location of the cache files, refer to the Linux
Administration Guide.)
• tcpdump

Generating a Support Pack


The PBIS support script copies the system files that PBIS needs to function into an archive, which can then be
sent to Support to assist in the investigation.
Installed location: /opt/pbis/libexec/pbis-support.pl
Download location: http://download.beyondtrust.com/pbis/support-pbis/pbis-support.pl

Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along
with product downloads, product installers, license management, account, latest product releases, product
documentation, webcasts and product demos.

Telephone
Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support


North/South America: 866.529.2201 | 949.333.1997
+ enter access code

All other Regions


Standard Support: 949.333.1995
+ enter access code
Platinum Support: 949.333.1996
+ enter access code

Online
http://www.beyondtrust.com/Resources/Support/

PBIS Enterprise Overview


PowerBroker Identity Services Enterprise Edition connects Linux, Unix, and Mac OS X computers to Microsoft
Active Directory so you can centrally manage all your computers and users from a single identity management
system.
This guide describes how to install and manage PowerBroker Identity Services Enterprise Edition. The target
audience is system administrators who manage access to workstations, servers, and applications with Active
Directory.
The guide assumes that you know how to administer computers, users, and Group Policy settings in Active
Directory and that you know how to manage computers running Unix, Linux, and Mac OS X.

PBIS Enterprise Overview


PBIS Enterprise is installed on a Windows administrative workstation connected to a domain controller so you can
set user identifiers and group identifiers in Active Directory Users and Computers. Once the UIDs and GIDs are set,
the PBIS Enterprise agent uses the identifiers to authenticate users and groups and to control access to computers
and applications.
PBIS Enterprise includes additional features:
• Apply policy settings to Unix computers from the Microsoft Group Policy Management Console (GPMC),
including policy settings based on the Gnome GConf project to define desktop and application preferences for
Linux computers.
• Integrate Apple's Workgroup Manager with the Group Policy Management Editor to apply managed client
settings to Mac OS X computers with Group Policy Objects (GPOs).
• Generate a range of reports to help improve regulatory compliance. The result: lower operating costs, better
security, enhanced compliance.
• Manage Linux and Unix information in Active Directory programmatically. PBIS Enterprise provides graphical
tools to manage this information, but it can also be useful to access and modify it from code. For this purpose,
PBIS Enterprise provides scripting objects that can be used by any programming language that supports the
Microsoft Component Object Model (COM). The scripting objects provide dual interfaces that can be used by
languages that use COM early binding, such as C++ and C#, and by languages that use IDispatch, such as
VBScript and JScript.

PBIS - Open Edition


PBIS Open Edition is available as a free and open source version of PowerBroker Identity Services. PBIS Open
authenticates domain users with the highly secure Kerberos 5 protocol by hashing their security identifiers from
Active Directory.
PBIS Open does not, however, process user identifiers or group identifiers even if they are set in Active Directory.
For more information, visit the BeyondTrust website.

Components
Two installation packages are needed to install PBIS Enterprise:
• Management tools for Active Directory – Install on a Windows computer that connects to an Active Directory
domain controller.

• Agent – Install on a Linux, Unix, or Mac computer to connect it to Active Directory.

Component – Function

Agent
• Runs on a Linux, Unix, or Mac OS X computer to connect it to Active Directory with the PBIS Enterprise
command-line interface or GUI. See Join Active Directory from the Command Line.
• Communicates with an Active Directory domain controller to authenticate and authorize users and groups with
the PBIS Enterprise Identity Service. See Log On with AD Credentials.
• Pulls and refreshes policy settings by using the Group Policy service, which is included only with the PBIS
Enterprise agent.

Enterprise Console
• Runs on a Windows administrative workstation that connects to an Active Directory domain controller to help
manage Linux, Unix, and Mac OS X computers in Active Directory.
• Migrates users, checks status, and generates reports.

MMC Snap-Ins for ADUC and GPMC
• Extends Active Directory Users and Computers to include Unix and Linux users.
• With PBIS Enterprise, it also extends the Group Policy Management Console (GPMC) to include Linux, Unix, and
Mac OS X Group Policy settings as well as a way to target them at specific platforms.

Cell Manager
• A snap-in for the Microsoft Management Console to manage cells associated with Active Directory
Organizational Units.

Reporting Database
• Stores security events and access logs for compliance reports.

Operations Dashboard
• A management application, or plug-in, for the BeyondTrust Management Console. The dashboard retrieves
information from the PBIS Enterprise reporting database to display authentication transactions, authorization
requests, network events, and other security events that take place on PBIS Enterprise clients.

PowerBroker Identity Services Enterprise Agent


The PowerBroker Identity Services Enterprise (PBIS Enterprise) agent is installed on a Linux, Unix, or Mac OS X
computer to connect it to Microsoft Active Directory and to authenticate users with their domain credentials.
The agent integrates with the core operating system to implement the mapping for any application, such as the
logon process (/bin/login), that uses the name service (NSS) or pluggable authentication module (PAM). As
such, the agent acts as a Kerberos 5 client for authentication and as an LDAP client for authorization. In PBIS
Enterprise, the agent also retrieves Group Policy Objects (GPOs) to securely update local configurations, such as
the sudo file.

Services
Prior to PowerBroker Identity Services 6.5, the agent was composed of separate daemon processes, each started
in sequence by the operating system at startup.
In PowerBroker Identity Services 6.5, the daemons are replaced by libraries loaded by the service manager
daemon (/opt/pbis/sbin/lwsmd). The service lsass replaces the daemon lsassd.
At start up, the operating system is configured to start the service manager daemon. It is then instructed by the
operating system (with the command /opt/pbis/bin/lwsm autostart) to start all desired services.
The service manager daemon keeps track of the services already started and ensures the services are started and
stopped in the appropriate order.

PBIS Open and PBIS Enterprise


The PBIS Open agent and the PBIS Enterprise agent are composed of the service manager daemon
(/opt/pbis/sbin/lwsmd) and include the following services:

Service – Description – Dependencies

lsass – Handles authentication, authorization, caching, and idmap lookups. You can check its status or restart it.
To view the Lsass architecture, see the diagram following the tables.
Dependencies: netlogon, lwio, rdr, lwreg; usually eventlog (can be disabled after installation); sometimes dcerpc
(can be enabled after installation for registering TCP/IP endpoints of various services).

netlogon – Detects the optimal domain controller and global catalog and caches them.
Dependencies: lwreg

lwio – An input-output service that is used to communicate through DCE-RPC calls to remote computers, such as
during domain join and user authentication.
Dependencies: lwreg

rdr – A redirector that multiplexes connections to remote systems.
Dependencies: lwio, lwreg

dcerpc – Handles communication between Linux, Unix, and Mac computers and Microsoft Active Directory by
mapping data to end points. By default, it is disabled.
Dependencies: (none listed)

eventlog – Collects and processes data for the local event log. Can be disabled.
Dependencies: (none listed)

lwreg – The registry service that holds configuration information both about the services and information
provided by the services.
Dependencies: (none listed)

reapsysl – The syslog reaper that scans the syslog for events of interest and records them in the eventlog.
Dependencies: eventlog

usermonitor – Scans the system for changes to users, groups, and authorization rights and records the changes
in the eventlog.
Dependencies: lsass, eventlog

PBIS Enterprise Only


Additionally, PBIS Enterprise also includes the following services to apply Group Policy settings, handle smart cards,
and monitor security events:

Service – Description – Dependencies

gpagent – Pulls Group Policy Objects (GPOs) from Active Directory and applies them to the computer.
Dependencies: lsass, netlogon, lwio, rdr, lwreg, eventlog

eventfwd – Forwards events from the local event log to a remote computer.
Dependencies: eventlog

lwsc – Smart card service.
Dependencies: lwpkcs11

lwpkcs11 – Aids lwsc by supporting the PKCS#11 API.
Dependencies: (none listed)

lwpkcs11r – Smart card redirector service for Windows clients.
Dependencies: lwsc

Figure 1. LSASS Architecture

PBIS Enterprise Input-Output Service


The lwio service multiplexes input and output by using SMB1 or SMB2. The service's plugin-based architecture
includes several drivers, the most significant of which is coded as rdr—the redirector.

The redirector multiplexes CIFS/SMB connections to remote systems. For instance, when two different processes
on a local Linux computer need to perform input-output operations on a remote system by using CIFS/SMB, with
either the same identity or different identities, the preferred method is to use the APIs in the lwio client library,
which routes the calls through the redirector. In this example, the redirector maintains a single connection to the
remote system and multiplexes the traffic from each client by using multiplex IDs.
The input-output service plays a key role in the PBIS Enterprise architecture because PBIS Enterprise uses DCE/RPC
(Distributed Computing Environment/Remote Procedure Calls). DCE/RPC uses SMB; thus, the DCE-RPC client
libraries use the PBIS Enterprise input-output client library, which in turn makes calls to lwio with Unix domain
sockets.
When you join a domain, for example, PBIS Enterprise uses DCE-RPC calls to establish the machine password. The
PBIS Enterprise authentication service periodically refreshes the machine password by using DCE-RPC calls.
Authentication of users and groups in Active Directory takes place with Kerberos, not RPC.
The following data-flow diagram shows how systems interact when you join a domain.

In addition, when a joined computer starts up, the PBIS Enterprise authentication service enumerates Active
Directory trusts by using DCE-RPC calls that go through the redirector. With one-way trusts, the authentication
service uses RPC to look up domain users, groups, and security identifiers. With two-way trusts, lookup takes place
through LDAP, not RPC.
Because the authentication service registers trusts only when it starts up, you should restart lsass with the PBIS
Enterprise Service Manager after you modify a trust relationship.
The PBIS Enterprise Group Policy agent also uses the input-output client library and the redirector when it copies
files from the sysvol share of a domain controller.
To troubleshoot remote procedure calls that go through the input-output service and its redirector, use a
Wireshark trace or a TCP dump to capture the network traffic. Wireshark, a free open-source packet analyzer, is
recommended.

PAM Options
PowerBroker Identity Services Enterprise Edition uses the following standard PAM options:
• try_first_pass
• use_first_pass
• use_authtok
• debug
Additionally, there are non-standard options to the PAM configuration on some systems:
• unknown_ok – Allows local users to continue down the stack (first line succeeds but second line fails) while
blocking domain users who do not meet group membership requirements.
• remember_chpass – On AIX systems, which have both PAM and LAM modules, the remember_chpass option
prevents the AIX computer from trying to change the password twice and prompting the user twice.
• set_default_repository – On Solaris systems, the set_default_repository option is used to
make sure password changes work as expected.
• smartcard_prompt – Enables smartcard prompts.
• no_require_membership – Allows the require membership check to be skipped.

Managing the PBIS Enterprise Services


Using the PBIS Enterprise Service Manager, you can:
• Track and troubleshoot all the PBIS Enterprise services with a single command-line utility.
For example, check the status of the services, view their dependencies, and start or stop them. The service
manager is the preferred method for restarting a service because it automatically identifies a service's
dependencies and restarts them in the correct order.
• Use the service manager to set the logging destination and the log level.
For more information, see "Manage PBIS Services (lwsm)" in the PBIS Enterprise Windows Administration Guide.
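
The dependency columns of the service tables above define the order in which the service manager must start and stop services. The following is an added illustration, not code from PBIS or from this guide: it transcribes those columns into a graph and derives a start order, the reverse stop order, and the set of services a restart of one service drags along. The optional lsass dependencies (eventlog, dcerpc) are treated as required here so the result is well defined.

```python
"""Start/stop ordering derived from the PBIS service tables above.

Added illustration, not the lwsmd implementation. The dependency map is
transcribed from the two service tables; eventlog and dcerpc, which the
guide marks as optional for lsass, are treated as required here.
"""
from collections import deque

# Service -> the services it depends on (transcribed from the tables above).
PBIS_SERVICES = {
    "lwreg": [],
    "eventlog": [],
    "dcerpc": [],
    "netlogon": ["lwreg"],
    "lwio": ["lwreg"],
    "rdr": ["lwio", "lwreg"],
    "lsass": ["netlogon", "lwio", "rdr", "lwreg", "eventlog", "dcerpc"],
    "reapsysl": ["eventlog"],
    "usermonitor": ["lsass", "eventlog"],
    # PBIS Enterprise only
    "gpagent": ["lsass", "netlogon", "lwio", "rdr", "lwreg", "eventlog"],
    "eventfwd": ["eventlog"],
    "lwpkcs11": [],
    "lwsc": ["lwpkcs11"],
    "lwpkcs11r": ["lwsc"],
}


def required_set(services, wanted):
    """Return `wanted` plus everything they transitively depend on."""
    needed, stack = set(), list(wanted)
    while stack:
        svc = stack.pop()
        if svc not in services:
            raise ValueError(f"unknown service: {svc}")
        if svc not in needed:
            needed.add(svc)
            stack.extend(services[svc])
    return needed


def start_order(services, wanted):
    """Start order for `wanted` and their dependencies (Kahn's algorithm).

    A service is emitted only after all of its dependencies; ties are
    broken alphabetically so the result is deterministic. A dependency
    cycle raises ValueError instead of silently dropping services.
    """
    needed = required_set(services, wanted)
    pending = {svc: len(services[svc]) for svc in needed}   # unmet deps
    dependents = {svc: [] for svc in needed}                # reverse edges
    for svc in needed:
        for dep in services[svc]:
            dependents[dep].append(svc)

    ready = deque(sorted(s for s, n in pending.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for child in sorted(dependents[svc]):
            pending[child] -= 1
            if pending[child] == 0:
                ready.append(child)
    if len(order) != len(needed):
        stuck = sorted(needed - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def stop_order(services, wanted):
    """Reverse of the start order, so no running service loses a dependency."""
    return list(reversed(start_order(services, wanted)))


def restart_order(services, svc):
    """Services to restart when `svc` restarts: svc plus everything that
    transitively depends on it, listed in a valid start order."""
    affected, frontier = {svc}, [svc]
    while frontier:
        cur = frontier.pop()
        for other, deps in services.items():
            if cur in deps and other not in affected:
                affected.add(other)
                frontier.append(other)
    return [s for s in start_order(services, list(services)) if s in affected]


if __name__ == "__main__":
    print("start lsass: ", " -> ".join(start_order(PBIS_SERVICES, ["lsass"])))
    print("stop lsass:  ", " -> ".join(stop_order(PBIS_SERVICES, ["lsass"])))
    print("restart lwio:", " -> ".join(restart_order(PBIS_SERVICES, "lwio")))
```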

Caches and Databases


To maintain the current state and to improve performance, the PBIS Enterprise authentication service (lsass)
caches information about users and groups in memory.

You can change the cache to store the information in a SQLite database. For more information, refer to the PBIS
Enterprise Administration Guide, "lsass Cache Settings".
The PBIS Enterprise site affinity service, netlogon, caches information about the optimal domain controller and
global catalog in the PBIS Enterprise registry.
The following files are in /var/lib/pbis/db:

File – Description

registry.db – The SQLite 3.0 database in which the PBIS Enterprise registry service, lwreg, stores data.

sam.db – Repository managed by the local authentication provider to store information about local users and
groups.

lwi_events.db – The database in which the event logging service, eventlog, records events.

lsass-adcache.filedb.FQDN – Cache managed by the Active Directory authentication provider to store user and
group information. The file is in /var/lib/pbis/db. In the name of the file, FQDN is replaced by your fully
qualified domain name.

Since the default UIDs that PBIS Enterprise generates are large, the entries made by the operating system in the
lastlog file when AD users log in make the file appear to increase to a large size. This is normal and should not
cause concern. The lastlog file (typically /var/log/lastlog) is a sparse file that uses the UID and GID of the
users as disk addresses to store the last login information. Because it is a sparse file, the actual amount of storage
used by it is minimal.
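
The sparse-file behaviour described above can be verified directly. The following is an added illustration, not code from PBIS or from this guide: it writes one lastlog record at the offset a large PBIS-style UID selects and compares the file's apparent size with the blocks actually allocated. The record layout assumed is glibc's struct lastlog on x86_64 Linux (int32 ll_time, char ll_line[32], char ll_host[256]); other libcs differ, and st_blocks is not available on Windows. The UID, terminal and host name are constructed values.

```python
"""Why lastlog looks huge after AD users log on: a sparse-file demonstration.

Added illustration, not PBIS code. Record layout is glibc's struct lastlog
on x86_64 Linux; the UID and names below are constructed sample values.
"""
import os
import struct
import tempfile

# glibc struct lastlog on x86_64 Linux: 4 + 32 + 256 = 292 bytes per UID.
LASTLOG_RECORD = struct.Struct("<i32s256s")


def record_login(path, uid, line, host, when):
    """Write the last-login record for `uid` at offset uid * record size,
    creating the file if needed. Gaps before the record stay unallocated."""
    rec = LASTLOG_RECORD.pack(when, line.encode()[:32], host.encode()[:256])
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    with os.fdopen(fd, "r+b") as f:
        f.seek(uid * LASTLOG_RECORD.size)
        f.write(rec)


def read_last_login(path, uid):
    """Return (time, line, host) for `uid`, or None if the UID has never
    logged on (record beyond EOF, or an all-zero hole)."""
    with open(path, "rb") as f:
        f.seek(uid * LASTLOG_RECORD.size)
        data = f.read(LASTLOG_RECORD.size)
    if len(data) < LASTLOG_RECORD.size or not any(data):
        return None
    when, line, host = LASTLOG_RECORD.unpack(data)
    return (when,
            line.split(b"\0", 1)[0].decode(),
            host.split(b"\0", 1)[0].decode())


def footprint(path):
    """(apparent_bytes, allocated_bytes): the size ls reports versus the
    space the file really occupies (st_blocks counts 512-byte units)."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def demo(uid, tmpdir=None):
    """Build a lastlog with one record for `uid` in a scratch directory and
    return (footprint, record for uid, record for the untouched uid - 1)."""
    with tempfile.TemporaryDirectory(dir=tmpdir) as d:
        path = os.path.join(d, "lastlog")
        # Constructed sample: 2018-08-11 UTC, on pts/0 from a workstation.
        record_login(path, uid, "pts/0", "wks01.example.com", 1_534_000_000)
        return footprint(path), read_last_login(path, uid), read_last_login(path, uid - 1)


if __name__ == "__main__":
    # Constructed UID in the range PBIS-generated identifiers typically fall in.
    (apparent, allocated), rec, hole = demo(1_107_307_033)
    print(f"apparent size {apparent / 2**30:.1f} GiB, allocated {allocated} bytes")
    print(f"record: {rec}, neighbouring UID: {hole}")
```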
Additional information about a computer's Active Directory domain name, machine account, site affinity, domain
controllers, forest, the computer's join state, and so forth is stored in the PBIS Enterprise registry. Here is an
example of the kind of information that is stored under the netlogon key:

[HKEY_THIS_MACHINE\Services\netlogon\cachedb\example.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="example.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.example.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="example.com"
"DcInfo-LMToken"=dword:0000ffff
"DcInfo-NetBIOSDomainName"="EXAMPLE"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-NTToken"=dword:0000ffff
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DcInfo-Version"=dword:00000005
"DnsDomainName"="example.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""

Name Service Caching Daemon (NSCD)


Disable nscd for optimal efficiency.
PowerBroker Identity Services best practice is to disable the nscd cache from the configuration file
/etc/nscd.conf.
If nscd is not disabled, clear the cache after a domain join by restarting the service:
service nscd restart/reload

Time Synchronization
For the PBIS Enterprise agent to communicate over Kerberos with the domain controller, the clock of the client
must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. (For
more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Clock-Skew.html.)
The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the
domain controller's Kerberos key distribution center that determines the maximum clock skew. Since changing the
maximum clock skew in a client's krb5.conf file does not affect the clock skew tolerance of the domain
controller, the change will not allow a client outside the domain controller's tolerance to communicate with it.
The clock skew value that is set in the /etc/pbis/krb5.conf file of Linux, Unix, and Mac OS X computers is
useful only when the computer is functioning as a server for other clients. In such cases, you can use a PBIS
Enterprise Group Policy setting to change the maximum tolerance; for more information, see Set the Maximum
Tolerance for Kerberos Clock Skew in the PowerBroker Identity Services Group Policy Administration Guide.
The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every
authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew
are discarded. When the server receives an authentication request within the clock skew, it checks the replay
cache to make sure the request is not a replay attack.
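
The two server-side checks described above can be modelled to make the point concrete. The following is an added illustration, not code from PBIS or from this guide: a minimal model of a KDC comparing a request's client timestamp against its own clock with the 300-second default tolerance, then consulting a replay cache. The client's configured skew is accepted as a parameter only to show that it plays no part in the decision. Error names follow RFC 4120; the request fields and principal names are a constructed simplification.

```python
"""Server-side Kerberos clock-skew and replay-cache checks (added model).

Not PBIS or MIT Kerberos code: a simplified KDC-side decision showing
that only the server's tolerance matters and how the replay cache works
within that window. Principal names below are constructed examples.
"""
from dataclasses import dataclass, field

DEFAULT_MAX_SKEW = 300  # seconds (5 minutes), the default cited in the text


@dataclass(frozen=True)
class Authenticator:
    """The replay-relevant fields of a Kerberos AP-REQ authenticator."""
    client: str   # client principal, e.g. host/linux01.example.com@EXAMPLE.COM
    ctime: int    # client's clock when the request was built (Unix seconds)
    cusec: int    # microseconds, distinguishing requests in the same second


@dataclass
class KdcReplayCache:
    max_skew: int = DEFAULT_MAX_SKEW
    _seen: dict = field(default_factory=dict)  # authenticator -> server time

    def check(self, auth, server_now, client_configured_skew=None):
        """Return (accepted, reason) as the server decides it.

        `client_configured_skew` (the clockskew a client might set in its
        own krb5.conf) is accepted only to show it is ignored: the limit
        that applies is this server's max_skew against this server's clock.
        """
        del client_configured_skew  # deliberately unused
        self._expire(server_now)
        skew = abs(auth.ctime - server_now)
        if skew > self.max_skew:
            return False, f"KRB_AP_ERR_SKEW: {skew}s off, limit {self.max_skew}s"
        if auth in self._seen:
            return False, "KRB_AP_ERR_REPEAT: authenticator already seen"
        self._seen[auth] = server_now
        return True, "accepted"

    def _expire(self, server_now):
        """Forget authenticators that have aged past the skew window; any
        replay of them would now fail the skew check anyway."""
        stale = [a for a in self._seen if abs(a.ctime - server_now) > self.max_skew]
        for auth in stale:
            del self._seen[auth]

    def cached(self):
        """Number of authenticators currently held in the replay cache."""
        return len(self._seen)


if __name__ == "__main__":
    kdc = KdcReplayCache()
    now = 1_534_000_000                      # constructed server clock
    req = Authenticator("host/linux01.example.com@EXAMPLE.COM", now - 120, 4242)
    print(kdc.check(req, now))               # within 300 s: accepted
    print(kdc.check(req, now + 1))           # same authenticator again: REPEAT
    slow = Authenticator("host/linux02.example.com@EXAMPLE.COM", now - 600, 1)
    print(kdc.check(slow, now, client_configured_skew=3600))  # client setting cannot help
```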

Using a Network Time Protocol Server


If you set the system time on your computer with a Network Time Protocol (NTP) server, the time value of the NTP
server and the time value of the domain controller could exceed the maximum skew. As a result, you will be
unable to log on your computer.
If you use an NTP server with a cron job, there will be two processes trying to synchronize the computer's time—
causing a conflict that will change the computer's clock back and forth between the time of the two sources.
It is recommended that you configure your domain controller to get its time from the NTP server and configure the
domain controller's clients to get their time from the domain controller.

Automatic Detection of Offline Domain Controller and Global Catalog


The PBIS Enterprise authentication service—lsass—manages site affinity for domain controllers and global
catalogs and caches the information with netlogon. When a computer is joined to Active Directory, netlogon
determines the optimum domain controller and caches the information.
If the primary domain controller goes down, lsass automatically detects the failure and switches to another
domain controller and another global catalog within a minute.

Installation Guide 19 © 2018. BeyondTrust Software, Inc.


PBIS Enterprise Overview

However, if another global catalog is unavailable within the forest, the PBIS Enterprise agent will be unable to find
the Unix and Linux information of users and groups. The PBIS Enterprise agent must have access to the global
catalog to function. Therefore, it is recommended that each forest have redundant domain controllers and
redundant global catalogs.

Cached Credentials
Both PBIS Open and PBIS Enterprise cache credentials so users can log on when the computer is disconnected
from the network or Active Directory is unavailable.

Trust Support
The PBIS Enterprise agent supports the following Active Directory trusts:

Trust Type        Transitivity   Direction   PBIS Enterprise Default Cell Support            Named Cells
Parent and child  Transitive     Two-way     Yes                                             Yes
External          Nontransitive  One-way     No                                              Yes
External          Nontransitive  Two-way     No                                              Yes
Forest            Transitive     One-way     No                                              Yes
Forest            Transitive     Two-way     Yes: Must enable default cell in both forests.  Yes

There is information on the types of trusts at http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx.

Notes on Trusts
The following is general information about working with trusts.
• You must place the user or group that you want to give access to the trust in a cell other than the default cell.
• In a two-way forest or parent-child trust, PBIS Enterprise merges the default cells. When merged, users in one
domain can log on computers in another domain, and vice-versa.
• To put a user in a child domain but not the parent domain, you must put the user in a named cell, which is a
cell associated with an organizational unit.
• If there is a UID conflict across two domains, one domain will be dropped.
• In a cross-forest transitive one- or two-way trust, the root of the trusted forest must have a default cell.
• In a one-way trust in which Forest A trusts Forest B, a computer in Forest A cannot get group information from
Forest B, because Forest B does not trust Forest A. The computer in Forest A can obtain group information if
the user logs on with a password for a domain user, but not if the user logs on with Kerberos single sign-on
credentials. Only the primary group information, not the secondary group information, is obtained.


• To support a 1-way trust without duplicating user accounts, you must use a cell associated with an OU, not a
default cell. If Domain A trusts Domain B (but not the reverse) and if Domain B contains all the account
information in cells associated with OUs, then when a user from Domain B logs on a machine joined to Domain
A, Domain B will authenticate the user and authorize access to the machine in Domain A.
In such a scenario, you should also add a domain user from the trusted domain to an administrative group in
the trusting domain so you can manage the trusting domain with the appropriate level of read access to
trusted user and group information. However, before you add the domain user from the trusted domain to the
trusting domain, you must first add to the trusting domain a group that includes the user because Unix and
Linux computers require membership in at least one group and Active Directory does not enumerate a user's
membership in foreign groups.
• If you have a network topology in which the "front" domain trusts the "back" domain, and you join a machine
to the front domain using a back domain administrator, as in the following example, the attempt to join the
domain will fail:
domainjoin-cli join front.example.com back\\administrator password
However, the attempt to join the domain will succeed if you use the following nomenclature:
domainjoin-cli join front.example.com administrator@BACK.example.COM password
• With PBIS Enterprise, aliased user names are supported in the default cell and in named cells.

Trusts and Cells in PBIS


In PBIS Enterprise, a cell contains Unix settings, such as a UID and a GID, for an Active Directory user. When an AD
user logs on a PBIS Enterprise client, PBIS Enterprise searches Active Directory for the user's cell information—and
must find it to operate properly. Thus, your AD topology and your trust relationships may dictate where to locate a
cell in Active Directory so that your PBIS Enterprise clients can access their Unix settings.
With a default cell, PBIS Enterprise searches for a user or group's attributes in the default cell of the domain where
the user or group resides. In a multi-domain topology, a default cell must exist in the domain where user and group
objects reside in addition to the default cell that exists in the domain to which Unix, Linux, and Mac computers are
joined. In a multi-domain topology, then, be sure to create a default cell in each domain.
Ideally, Unix information is stored on the user object in default cell Directory Integrated mode. If the client
computer does not have the access rights to read and write the information to the user object, as in an external
one-way trust, the Unix information cannot be stored on the user object. It can, however, be stored locally in a
named cell, that is, a cell associated with an organizational unit.
Since a named cell can be linked to the default cell, you can store Unix information on the user object in default
cell Directory Integrated mode when possible, and otherwise in a named cell that represents the external user. For
information about cells, see the chapter on planning your PBIS Enterprise installation and deployment.

Supported Platforms
PBIS Open and PBIS Enterprise run on a broad range of Unix, Mac OS X, and Linux platforms. BeyondTrust
frequently adds new vendors and distributions. See the BeyondTrust website for the list of supported platforms.

SELinux Support
The PBIS Enterprise SELinux implementation supports the following operating systems:
• Fedora 13 to Fedora 17
• RedHat Enterprise Linux (and CentOS) 6.x to 7.x


When you install on RedHat Enterprise Linux, PBIS runs under the unconfined_t domain (as of 8.3.4).
The PBIS post-install script checks whether /usr/sbin/semodule and /etc/selinux/targeted/policy are
present. If both checks pass, the targeted policy file, pbis.pp, is installed if it is found at
/opt/pbis/share/<os>/<version>/pbis.pp.

Unsupported Operating Systems


If SELinux is enabled and you are installing to an unsupported operating system (for example, Fedora 12 or Fedora
25), the installation is stopped. You must place SELinux in permissive mode to continue.
• SELinux enabled is only detected with the RPM package.
• SELinux enabled is not detected with the self-extracting installer or domainjoin.
For more information, see Installing SELinux on Unsupported Platforms.

Storage Modes
PBIS Enterprise has two operating modes: Directory Integrated mode and Schemaless mode.
Note: Directory Integrated mode is the preferred mode.
The modes provide a method for storing Unix and Linux information in Active Directory—including UIDs and GIDs—
so that PBIS Enterprise can map SIDs to UIDs and GIDs and vice versa.
The mapping lets PBIS Enterprise use an Active Directory user account to grant a user access to a Unix or Linux
resource that is governed by a UID-GID scheme. When an AD user logs on a Unix or Linux computer, the PBIS
Enterprise agent communicates with the Active Directory Domain Controller through standard LDAP protocols to
obtain the following authorization data:
• UID
• Primary GID
• Secondary GIDs
• Home directory
• Login shell
PBIS Enterprise uses this information to control the user's access to Unix and Linux resources.

Directory Integrated Mode


Directory Integrated mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to
store Linux and Unix user and group information, namely the posixAccount and posixGroup object classes.
For example, the posixAccount and posixGroup object classes include attributes—uidNumber and
gidNumber—that PBIS Enterprise uses for UID and GID mapping. In addition, PBIS Enterprise uses
serviceConnectionPoint objects to store the same information as in Schemaless by using the keywords
attribute.
For example, when you create a cell in Directory Integrated mode, PBIS Enterprise creates a container object—
CN=$LikewiseIdentityCell—in the domain root, or in the OU where you created the cell. If the container
is created in an OU, the cell is called a named cell, and the Unix-specific data is stored in CN=Users and
CN=Groups in the $LikewiseIdentityCell container object. The objects point to the Active Directory user
or group information with a backlinked security identifier.


If the container is created at the level of the root domain, it is known as a default cell. In this case, the Unix-specific
data is stored directly in the AD user or group account.

Upgrading Your Schema


You must upgrade your schema if your schema does not comply with RFC 2307 (Windows Server 2003 R2 or later
complies with RFC 2307).
Use the Active Directory Domains and Trusts tool to raise the forest functional level.
PBIS Enterprise does not change the schema, but you still must run the Directory Integrated Mode Wizard to
include the RFC 2307 attributes in the global catalog and to index them for faster searches.

Schemaless Mode
In contrast, Schemaless mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes
and without modifying the schema. Instead, Schemaless mode uses existing object classes and attributes to store its
data.
• To store information about a cell, PBIS Enterprise creates a container object and stores data in its
description attribute.
• To store information about a group or user, PBIS Enterprise creates a serviceConnectionPoint object
and stores data in its keywords attribute. Both keywords and description are multi-valued attributes
that can have multiple values while still allowing AD searches for specific values.
In Schemaless mode, PBIS Enterprise uses RFC 2307 attribute names to store values in the keywords and
description attributes in the form name=value, where name is the attribute name and value is its value.
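To show how the name=value storage is read back, here is an added shell/awk example (not from the guide) that takes the keywords values of serviceConnectionPoint entries from LDIF, as ldapsearch prints it, and emits a passwd-style line per user. The entries are constructed, and the attribute names assumed are the RFC 2307 names uid, uidNumber, gidNumber, gecos, unixHomeDirectory and loginShell.

```shell
#!/bin/sh
# Added example, not part of the PBIS guide: read the name=value pairs that
# Schemaless mode keeps in a serviceConnectionPoint's multi-valued keywords
# attribute and print each user as a passwd(5)-style line. Input is LDIF as
# ldapsearch prints it; the entries below are constructed, and the attribute
# names are the RFC 2307 names the guide says Schemaless mode reuses.
scp_to_passwd() {
    awk '
        function flush() {
            if (("uid" in attr) && ("uidNumber" in attr)) {
                # A stray keywords value must not become a bogus UID or GID:
                # both numeric fields have to be all digits.
                if (attr["uidNumber"] ~ /^[0-9]+$/ && attr["gidNumber"] ~ /^[0-9]+$/)
                    printf "%s:x:%s:%s:%s:%s:%s\n", attr["uid"], attr["uidNumber"],
                           attr["gidNumber"], attr["gecos"],
                           attr["unixHomeDirectory"], attr["loginShell"]
                else
                    printf "skipped %s: uidNumber/gidNumber not numeric\n", attr["uid"] > "/dev/stderr"
            }
            for (k in attr) delete attr[k]
        }
        /^keywords: / {                       # e.g. keywords: uidNumber=10001
            kv = substr($0, 11)               # drop the "keywords: " prefix
            eq = index(kv, "=")
            if (eq > 0) attr[substr(kv, 1, eq - 1)] = substr(kv, eq + 1)
        }
        /^$/ { flush() }                      # a blank line ends an LDIF entry
        END  { flush() }
    ' "$@"
}

# Constructed LDIF: one well-formed user and one whose uidNumber is corrupt.
sample_ldif() {
    cat <<'EOF'
dn: CN=jdoe,CN=Users,CN=$LikewiseIdentityCell,OU=Linux,DC=example,DC=com
objectClass: serviceConnectionPoint
keywords: uid=jdoe
keywords: uidNumber=10001
keywords: gidNumber=10000
keywords: gecos=Jane Doe
keywords: unixHomeDirectory=/home/jdoe
keywords: loginShell=/bin/bash

dn: CN=svc,CN=Users,CN=$LikewiseIdentityCell,OU=Linux,DC=example,DC=com
objectClass: serviceConnectionPoint
keywords: uid=svc
keywords: uidNumber=10x02
keywords: gidNumber=10000
keywords: loginShell=/bin/sh
EOF
}

# Prints jdoe:x:10001:10000:Jane Doe:/home/jdoe:/bin/bash and reports svc on stderr.
sample_ldif | scp_to_passwd
```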

Planning Your Installation and Deployment


Planning Your Deployment
The key to a successful deployment is planning. Before you begin deploying PBIS Enterprise in an enterprise,
develop a plan that addresses at least the following aspects of installation and deployment:
• Review the PBIS Enterprise Release Notes to ensure your environment meets the deployment requirements.
• Set up a test environment. It is recommended that you first deploy PBIS Enterprise in a test environment so
that you can identify and resolve any issues specific to your mixed network before you put the system into
production.
• Determine whether to use PBIS Enterprise in Directory Integration or Schemaless mode. When you configure
your domain with the PBIS Enterprise domain configuration wizard, you must choose the mode to use.
Important: Back up Active Directory before you run the PBIS Enterprise domain configuration wizard.
• Decide whether to configure PBIS Enterprise to manage a single forest or multiple forests. If you manage
multiple forests, the UID-GID range assigned to a forest should not overlap with the range of another forest.
• Determine how you will migrate Linux, Unix, and Mac OS X users to Active Directory.
For example, if you are using NIS, decide whether you will migrate those accounts to Active Directory and
whether you will migrate local accounts and then delete them or leave them. It is usually recommended that
you delete interactive local accounts other than the root account.
• Identify the structure of the organizational units—or cell topology—that you will need, including the UID-GID
ranges. If you have multiple NIS servers in place, your users may have different UID-GID maps in each NIS
domain. You may want to eliminate the NIS servers but retain the NIS mapping information in Active Directory.
To do so, you can use PowerBroker cells.
• Determine whether you will use aliasing. If you plan to use aliasing, you must associate users with a specific
PowerBroker cell; you cannot use the default cell.

Installing the Management Console


This section provides information on management console requirements and installing the console.

Requirements
This section lists the requirements to use PBIS Enterprise with Active Directory.
You must have at least the following components:
• An Active Directory domain controller.
• A Windows administrative workstation that is running ADUC and is connected to your Active Directory domain
controller.
• One or more Unix or Linux computers running an operating system that PBIS Enterprise supports, such as
versions of Mac OS X, Red Hat, SUSE Linux, Fedora, CentOS, Debian, Sun Solaris, IBM AIX, HP-UX, and Ubuntu.
For a complete list of supported platforms, see www.beyondtrust.com.
Requirements for the agent—the software that runs on the Linux, Unix, and Mac OS X computers that you want to
connect to AD—are listed in Installing the Agent.

Microsoft Management Tools


PBIS Enterprise works with ADUC, GPME, and GPMC. Ensure that the Microsoft management tools are installed
before you install PBIS Enterprise.
The Microsoft management tools vary by Windows version, but include the Remote Server Administration Tools
(RSAT) for Windows.
• Turn on the following RSAT features. Go to Control Panel, select Programs, and then select Turn Windows
features on or off:
– Group Policy Management Tools
– Active Directory Module for Windows PowerShell
– Active Directory Administrative Center
– AD DS Snap-ins and Command-Line Tools
For more information, see Remote Server Administration Tools for Windows and your Microsoft Windows
documentation.


Administrator Privileges
• Root access or sudo permission on the Unix, Linux, and Mac OS X computers that you want to join to the
domain.
• Active Directory credentials that allow you to add computers to an Active Directory domain—for example,
membership in the Domain Administrators security group or the Enterprise Administrators security group.

Active Directory Requirements


• Windows Server 2008R2+

Windows Requirements for the Console


• One of the following operating systems:
– Windows Professional 7+ with RSAT
– Windows Server 2008R2+
– 64-bit versions only
• Microsoft .NET Framework 4.5
• 50 MB of free space


Requirements to Run PBIS Enterprise in Directory Integrated Mode


• Active Directory installations that comply with RFC 2307
• Domain and forest functional levels have been raised to Windows Server 2003 or later.
For more information, see Storage Modes.

Networking
The subnets with your Linux, Unix, and Mac computers must be added to Active Directory sites before joining the
computers to Active Directory so that the PBIS Enterprise agent can detect the optimal domain controller and
global catalog.

Replication
Make sure your AD replication system is up to date and functioning properly by using the following diagnostic tools
from http://www.microsoft.com/download to test replication. For instructions, see the Microsoft documentation
for each tool.
• DCDiag. Part of Microsoft's support tools for Windows Server 2003, dcdiag.exe should be run with the /v /c
/e switches to test all the domain controllers in all your sites.
• FRSDiag. Use the frsdiag.exe tool, available from the Microsoft Resource Kit tools, to check the File Replication
Service (FRS).
In addition, the following tools can help you review and troubleshoot FRS problems.
• Sonar. Optionally use it to perform a quick review of FRS status.
• Ultrasound. Optionally use it to monitor and troubleshoot FRS.
• ReplMon. Included in the Microsoft Resource Kit Tools. Use it to investigate replication problems across links
where DCDiag showed failures.

Supported Platforms and Applications

Platforms
PBIS Enterprise supports many Unix, Linux, Mac, and virtualization platforms. For a list, visit www.beyondtrust.com.

Applications
Advanced Group Policy Management (AGPM) Tool
You can use the AGPM tool to manage your GPOs. Any PBIS Enterprise settings applied to your GPOs will be
maintained.

Installing the Console


Install the BeyondTrust Management Console on a Windows administrative workstation that can connect to your
Active Directory domain controller.
It is recommended that you do not install the console on a domain controller.

Checkpoint

– Review the requirements before proceeding with the installation. See Requirements.
– Ensure the account you are using to run the install is a member of the Domain Admins group or Enterprise
Admins group. The account needs privileges to change objects and child objects in Active Directory.
– Ensure the Microsoft management tools for Active Directory are installed before you install the console.
See Microsoft Management Tools.
During the installation, checks are in place to ensure that your environment meets the installation
requirements. For more information, see the log file that is created during the install:
%UserProfile%\AppData\Local\Temp\PBIS.Logs.
1. Locate and copy the install file to your Windows workstation:
SetupPBIS64-*.exe
The installer file includes the version and build number.
2. Run SetupPBIS64-*.exe.
3. On the License Agreement page, click Accept to go through the installation.
4. Click Install.
5. On the Directory Integrated Mode Configuration page, click Configure to set up Directory Integrated mode.
Otherwise, click Skip.
6. On the Default Cell Creation page, click Create Cell to build the default cell. Otherwise, click Skip.
7. On the Reporting Options page, configure the following:
– Report Viewer - Click Install to install the Report viewer.
– SQL Server database instance - Click Search Server to create the PBIS database.
– Event Collector services - Click Install to go through the wizard to configure the PBIS Database utilities.
8. Click Finish.

Silent Install
Run a silent install or uninstall of the console using msiexec.exe.
To see a complete list of options, run msiexec.exe.
Example:
msiexec.exe /i PBISEnterprise64-x.x.x.xxx.msi /quiet /qn
msiexec.exe /x PBISEnterprise64-x.x.x.xxx.msi /quiet /qn

Installing Active Directory and GPMC Extensions


You can run an installer that only installs the Active Directory Users and Computers and GPMC extensions.
The BeyondTrust Management Console and reporting components will not be installed.
Run the installer:
SetupExtensions64-x.x.x.xxx.exe

Upgrading the Console


To upgrade to the latest version of PBIS Enterprise, first uninstall the existing version. Then, before installing the
latest version of PBIS Enterprise, install the latest version of GPMC and run Windows update to make sure your
workstation has the latest XML patches.

Upgrading PBIS 7.5 to PBIS 8.1


If you were using Directory Integrated mode in PBIS Enterprise 7.5, updates to the schema need to be applied
when you upgrade to PBIS Enterprise 8.1. Ensure that the user installing PBIS is a member of the Schema Admins
group. The install must be run on the forest root, since the Schema Admins group exists only on the domain
controller for the forest. For more information on the Schema Admins group, refer to the Microsoft documentation.
When Schema Admins permissions are in place, you can upgrade PBIS without removing your existing
PowerBroker Cells.
Note: The Schema Admins permissions apply only to an upgrade.
To upgrade PBIS Enterprise:
1. Locate and copy the install file to your Windows workstation:
SetupPBIS64-*.exe
The installer file includes the version and build number.
2. Run SetupPBIS64-*.exe.
3. Accept the license agreement, and then click Next.
4. To change settings for the PBIS Enterprise install, click Modify.
The installation wizard starts. This is where you select the components to install.
a. Set the user name and organization.
b. Set the installation directory.
c. Select the PBIS components to install: BT management console, Reporting, Operations Dashboard,
Database Update and Management tools, Migration tools, GPMC support.
d. Click Finish.
5. If you are using DI mode, there is no configuration required here. Click Skip.

6. Click Skip on the Default Cell Create Page.
7. On the Advanced Options page, you can:
– Remove the report viewer.
– Create or remove database instances.
– Run the PBIS Enterprise Database Utilities wizard.
8. Click Finish.

Upgrading from 8.1 - Directory Integrated Mode


This section applies to upgrades from PowerBroker Identity Services version 8.1 and later.
If you were:
• Using Directory Integrated mode in PowerBroker Identity Services version 7.5 or earlier,
and/or
• In your forest schema, uidNumber, gidNumber and uid are all indexed and promoted to the Global Catalog,
the installer detects the old Directory Integrated mode, and updates to the schema need to be applied to prevent
potential issues. Ensure that the user installing PowerBroker Identity Services is a member of the Schema Admins
group.
Run the installer on the forest root. For more information on the Schema Admins group refer to Microsoft
documentation.
When Schema Admins permissions are in place, you can upgrade PowerBroker Identity Services Directory
Integration mode without removing your existing PowerBroker Cells.
For changes to the schema, see Changes Made by the Directory Integrated Mode Configuration.

Changing to Directory Integrated Mode


If you are already using Windows Server 2003 R2, running the wizard indexes frequently searched attributes in the
Active Directory global catalog.
To change the storage mode to Directory Integrated mode:
1. Run the PBIS installer, and skip to the Directory Integrated Mode Configuration page.
2. Click the Configure button.
The necessary attributes are updated.

Changes Made by the Directory Integrated Mode Configuration


The Active Directory schema changes are applied from a set of LDAP Data Interchange Format (LDIF) files. The
standard installation places these files in the following directory:
\Program Files\BeyondTrust\PBIS\Enterprise\Resources\LDF
After you raise the domain and forest to 2003 functional levels, the PBIS Enterprise domain configuration wizard
changes the following attributes, which are required for PBIS Enterprise to run in Directory Integrated mode.
Promotes and indexes the following attributes to the global catalog:
• displayName
• gidNumber
• uid
• uidNumber
Promotes (but does not index) the following attributes to the global catalog:
• gecos
• loginShell
• unixHomeDirectory

Configuring Clients Before PBIS Enterprise Agent Installation


Before you install the PBIS Enterprise agent, configure client computers as indicated in the following topics.

Configure nsswitch.conf
Before you attempt to join an Active Directory domain, make sure the /etc/nsswitch.conf file contains the
following line:
hosts: files dns
The hosts line can contain additional information, but it must include the dns entry, and it is recommended that
the dns entry appear after the files entry.
Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.
When you use PowerBroker Identity Services with Multicast DNS 4 (mDNS4) and have a domain in your
environment that ends in .local, you must place the dns entry before the mdns4_minimal entry and before
the mdns4 entry:
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
The default setting for many Linux systems is to list the mdns4 entries before the dns entry—a configuration that
leaves PBIS Enterprise unable to find the domain.
For PBIS Enterprise to work correctly, the nsswitch.conf file must be readable by user, group, and world.
For more information on configuring nsswitch, see the man page for nsswitch.conf.
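An added example (not from the guide) that checks a file's hosts line against these rules before a join is attempted; it assumes GNU or BSD stat for the permission check and takes a yes/no flag for the .local case.

```shell
#!/bin/sh
# Added example, not part of the PBIS guide: check the hosts line of an
# nsswitch.conf against the rules in the section above before a domain join.
#   check_nsswitch_hosts FILE [LOCAL]
# LOCAL=yes means a domain in the environment ends in .local, so dns must
# precede the mdns4 entries. Problems are printed one per line; the return
# value is 0 only when every requirement is met.
check_nsswitch_hosts() {
    file=$1
    local_domain=${2:-no}
    rc=0

    # The file must be readable by user, group and world: every octal
    # permission digit needs the read bit (4, 5, 6 or 7).
    perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    for digit in $(printf '%s\n' "$perms" | sed -e 's/.*\(...\)$/\1/' -e 's/./& /g'); do
        case $digit in
            4|5|6|7) ;;
            *) echo "$file: mode $perms is not readable by user, group and world"; rc=1; break ;;
        esac
    done

    # Take the first uncommented hosts: line and walk its sources in order.
    hosts=$(grep -v '^[[:space:]]*#' "$file" | sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' | head -n 1)
    if [ -z "$hosts" ]; then
        echo "$file: no hosts: line"
        return 1
    fi
    i=0; pos_files=""; pos_dns=""; pos_mdns=""
    set -f                      # [NOTFOUND=return] must not be glob-expanded
    for source in $hosts; do
        i=$((i + 1))
        case $source in
            \[*\]) ;;                                 # action such as [NOTFOUND=return]
            files) pos_files=${pos_files:-$i} ;;
            dns) pos_dns=${pos_dns:-$i} ;;
            mdns4|mdns4_minimal) pos_mdns=${pos_mdns:-$i} ;;
        esac
    done
    set +f

    if [ -z "$pos_dns" ]; then
        echo "$file: hosts line '$hosts' has no dns entry"
        rc=1
    else
        if [ -n "$pos_files" ] && [ "$pos_files" -gt "$pos_dns" ]; then
            echo "$file: note: dns is listed before files (files first is recommended)"
        fi
        if [ -n "$pos_mdns" ] && [ "$pos_mdns" -lt "$pos_dns" ]; then
            if [ "$local_domain" = yes ]; then
                echo "$file: mdns4 entries precede dns; the agent will not find a .local domain"
                rc=1
            else
                echo "$file: note: mdns4 entries precede dns (a problem if a domain ends in .local)"
            fi
        fi
    fi
    return $rc
}

# Demonstration on a constructed file with the ordering many Linux systems
# ship by default, which the guide says breaks lookups of a .local domain.
demo=$(mktemp)
printf 'passwd: files\nhosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n' > "$demo"
chmod 644 "$demo"
check_nsswitch_hosts "$demo" yes && echo "$demo: OK"
rm -f "$demo"
```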

Configure netsvc.conf on AIX


On AIX computers, ensure the netsvc.conf file contains the following line:
hosts = local,bind

Restart Services
After you update nsswitch.conf (or netsvc.conf), you must restart the PBIS Enterprise input-output service (lwio)
and the authentication service (lsass).
Run the following command as root to restart both services:
/opt/pbis/bin/lwsm restart lwio


Configure resolv.conf
Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix,
or Mac client includes a DNS server that can resolve SRV records for your domain.
Example:
[root@rhel5d Desktop]# cat /etc/resolv.conf
search example.com
nameserver 192.168.100.132
For more information on resolv.conf, see your operating system's man page.

Configure Firewall Ports


If you are using local firewall settings, such as iptables, on a computer running the PBIS Enterprise agent,
ensure the following ports are open for outbound traffic.
Note: The PBIS Enterprise agent is a client; it does not listen on any ports.

Port   Protocol   Use
53     UDP/TCP    DNS
88     UDP/TCP    Kerberos 5
123    UDP        NTP
389    UDP/TCP    LDAP
443    TCP        PBIS Reporting to BI
445    TCP        SMB over TCP
464    UDP/TCP    Computer password changes (typically after 30 days)
1433   TCP        Connection to SQL Server. Open the port you are using; the default port for SQL is 1433.
3268   TCP        Global Catalog search

Tip: To view the firewall rules on a Linux computer using iptables, execute the following command:
iptables -nL

Extend Partition Size (IBM AIX)


On AIX 5.2 and 5.3, you may need to extend the size of certain partitions to complete the installation.
To change the partition size using IBM's chfs command:
# chfs -a size=+200M /opt
The example command increases the size of the opt partition by 200 MB, which should be sufficient for a
successful installation.


Increase Max User Name Length (IBM AIX)


By default, IBM AIX is not configured to support long user and group names, which might present a conflict when
you try to log on with a long Active Directory username.
On AIX 5.3 and AIX 6.1, group names are truncated when enumerated through the groups command.
To increase the max user name length on AIX 5.3, use the following syntax:
# chdev -l sys0 -a max_logname=MaxUserNameLength+1
Example:
# chdev -l sys0 -a max_logname=255
This command allocates 254 characters for the user and 1 for the terminating null.
The safest value that you can set max_logname to is 255.
You must reboot for the changes to take effect:
# shutdown -Fr
Note: AIX 5.2 does not support increasing the maximum user name length.

Installing the PBIS Enterprise Agent


The following sections provide details on installing the PBIS Enterprise agent to your computers.

Install the Correct Version for the Operating System


Install the PBIS Enterprise agent—the identity service that authenticates users—on each Linux, Unix, or Mac OS X
computer that you want to connect to Active Directory.
To download the installer or to view a list of supported platforms, go to www.beyondtrust.com.
Important: Before installing the agent, it is recommended that you upgrade your system with the latest security
patches. See Patch Requirements.
The procedure for installing the agent depends on the operating system of the target computer or virtual machine.

Checking the Linux Kernel Release Number


To run the PBIS Enterprise agent on a Linux machine, the kernel release number must be 2.6 or later.
To determine the release number of the kernel, run the following command:
uname -r

Package Management Commands


For an overview of commands such as rpm and dpkg that can help you manage PBIS Enterprise on Linux and Unix
platforms, see PowerBroker Identity Services Package Management Commands.

Requirements for the Agent


This section lists requirements for installing and running the PBIS Enterprise agent.

Environment Variables
Before installing the PBIS Enterprise agent, make sure that the following environment variables are not set:
LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH, LD_PRELOAD
Setting any of these environment variables violates best practices for managing Unix and Linux computers because
it causes PBIS Enterprise to use non-PBIS Enterprise libraries for its services. For more information on best
practices, see http://linuxmafia.com/faq/Admin/ld-lib-path.html.
If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the PBIS Enterprise
library path (/opt/pbis/lib or /opt/pbis/lib64) before any other path—but keep in mind that doing so
may result in side effects for other programs, as they will now use PBIS Enterprise libraries for their services.
If joining the domain fails with an error message that one of these environment variables is set, stop all the PBIS
Enterprise services, clear the environment variable, make sure it is not automatically set when the computer
restarts, and then try to join the domain again.
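An added example (not from the guide): a pre-install check for these four variables that also recognises the tolerated case where /opt/pbis/lib or /opt/pbis/lib64 is the first entry of a path variable. The variable names and library paths are those given above; the status codes are a convention of this example.

```shell
#!/bin/sh
# Added example, not part of the PBIS guide: check the library search-path
# variables that the guide says must be unset before installing the agent or
# joining the domain. The PBIS library directories are the two named in the
# guide; the status codes (0 clean, 1 tolerated, 2 must fix) are this example's.
PBIS_LIB_DIRS="/opt/pbis/lib /opt/pbis/lib64"

# check_one NAME VALUE
#   0: NAME is unset or empty
#   1: NAME is set but a PBIS library directory is its first entry (tolerated,
#      with the side effect on other programs that the guide warns about)
#   2: NAME is set and would make PBIS services load non-PBIS libraries
check_one() {
    name=$1
    value=$2
    if [ -z "$value" ]; then
        return 0
    fi
    # LD_PRELOAD has no "PBIS first" exception: preloaded objects override the
    # agent's own libraries whatever else is on the path.
    if [ "$name" = LD_PRELOAD ]; then
        echo "$name=$value: preloaded libraries would override PBIS libraries; unset it"
        return 2
    fi
    first=${value%%:*}                 # first colon-separated entry
    for dir in $PBIS_LIB_DIRS; do
        if [ "$first" = "$dir" ]; then
            echo "warning: $name=$value: $dir is first, so other programs will now use PBIS libraries"
            return 1
        fi
    done
    echo "$name=$value: PBIS services would use non-PBIS libraries; unset it or put /opt/pbis/lib first"
    return 2
}

# check_environment: run check_one over the live environment and return the
# worst status seen.
check_environment() {
    worst=0
    for name in LD_LIBRARY_PATH LIBPATH SHLIB_PATH LD_PRELOAD; do
        eval "value=\${$name:-}"
        status=0
        check_one "$name" "$value" || status=$?
        if [ "$status" -gt "$worst" ]; then
            worst=$status
        fi
    done
    return $worst
}

# Report on the current shell's environment; a non-zero status means the join
# may fail with the "environment variable is set" error described above.
check_environment
status=$?
case $status in
    0) echo "no library path variables set: environment is clean" ;;
    1) echo "PBIS directory is first: tolerated, but other programs are affected" ;;
    *) echo "clear the variables above, including wherever a profile or init script sets them, then retry" ;;
esac
```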


Patch Requirements
It is recommended that the latest patches for an operating system be applied before installing PBIS Enterprise.

Sun Solaris
All Solaris versions require the md5sum utility, which can be found on the companion CD.
Visit the Oracle Technology Network Patching Center to ensure the latest patches are deployed to Solaris targets.

HP-UX
Visit the HP Software Depot to download patches.
Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed.
Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable
Authentication Module, or PAM, which PBIS Enterprise requires to allow domain users to execute sudo commands
with super-user credentials. It is recommended that you download sudo from the HP-UX Porting Center and make
sure that you use the --with-pam configuration option when you build it.
HP-UX 11iv1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903,
and PHKL_29243.
The patches listed here represent the minimum patch level for proper operation. The patches might be
superseded by later patches.
Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, install the latest KRB5-Client libraries from
the HP Software Depot. By default, HP-UX 11.31 includes the libraries.

Other Requirements for the Agent

Locale
Configure the locale with UTF-8 encoding for every target computer.

Secure Shell
To properly process logon events with PBIS Enterprise, the SSH server or client must support the UsePAM yes
option.
For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software
Telnet, rsh, rcp, rlogin, and other programs that use PAM for processing authentication requests are compatible
with PBIS Enterprise.

Networking Requirements
Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that
service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for
the Active Directory domain, including at least the following:
• A domain.tld
• SRV _kerberos._tcp.domain.tld
• SRV _ldap._tcp.domain.tld
• SRV _kerberos._udp.sitename.Sites._msdcs.domain.tld
• A domaincontroller.domain.tld

Disk Space Requirements


The PBIS Enterprise agent requires 100 MB of disk space in the /opt mount point.
The agent also creates configuration files in /etc/pbis and offline logon information in /var/lib/pbis.
The PBIS Enterprise agent caches Group Policy Objects (GPOs) in /var/lib/pbis.

Memory and CPU Requirements


• RAM – The agent services and daemons together use between 9 MB and 14 MB:
– The authentication service on a 300-user mail server typically uses 7 MB
– The other services and daemons require between 500 KB and 2 MB each
• CPU – On a 2.0 GHz single-core processor, CPU usage under a heavy load of authentication requests is about
2 percent.
For a description of the PBIS Enterprise services and daemons, see PBIS Enterprise Agent.

Clock Skew Requirements


For the PBIS Enterprise agent to communicate over Kerberos with the domain controller's Kerberos key
distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is
300 seconds, or 5 minutes, by default.
For more information, see Time Synchronization.

Additional Requirements for Specific Operating Systems

AIX
On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.

Install the Agent on Linux or Unix with the Shell Script


Install the agent using a shell script that contains a self-extracting executable.
To view information about the installer, including a list of command-line options, run the installer package with the
--help option. For example (the examples here are for an RPM-based Linux platform):
./pbis-enterprise-x.x.x.xxxx.linux.i386.rpm.sh --help
Run the install as root or as a user that has sudo rights.


1. Download or copy the shell script to the computer desktop.


Important: If you FTP the file, select binary (or BIN) for the transfer, because the installer includes binary code
that becomes corrupted in AUTO or ASCII mode.
2. As root, change the mode of the installer to executable.
chmod a+x pbis-enterprise-x.x.x.xxxx.linux.i386.rpm.sh
3. As root, run the installer:
./pbis-enterprise-x.x.x.xxxx.linux.i386.rpm.sh
4. Follow the instructions in the installer.

Install the Agent on Linux in Unattended Mode


Install the agent in unattended mode using the install command.
For example, on a 32-bit RPM-based Linux system, the installation command would look like the following:
./pbis-enterprise-x.x.x.xxxx.linux.i386.rpm.sh install

Install the Agent in Solaris Zones


Solaris zones are a virtualization technology created to consolidate servers. Primarily used to isolate an application,
Solaris zones act as isolated virtual servers running on a single operating system, making each application in a
collection of applications seem as though it is running on its own server. A Solaris Container combines system
resource controls with the virtual isolation provided by zones.
Every zone server contains a global zone that retains visibility and control in any installed non-global zones. By
default, the non-global zones share certain directories, including /usr, which are mounted read-only. The shared
directories are writable only for the global zone.
By default, installing PBIS Enterprise in the global zone results in it being installed in all the non-global zones. You
can, however, use the following commands to control the zones that you install to.

Install Options for Embedded Scripts


Use the following commands to pass the option to the embedded script.
Help

./pbis-enterprise-x.x.x.xxxx.solaris.i386.pkg.sh -- --help

Install to all zones (default)

./pbis-enterprise-x.x.x.xxxx.solaris.i386.pkg.sh -- --all-zones

Install to only current zone

./pbis-enterprise-x.x.x.xxxx.solaris.i386.pkg.sh -- --current-zone


Post Install
After a new child zone is installed, booted, and configured, you must run the following command as root to
complete the installation:
/opt/pbis/bin/postinstall.sh
You cannot join zones to Active Directory as a group. Each zone, including the global zone, must be joined to the
domain independently of the other zones.

Caveats
There are some caveats when using PBIS Enterprise with Solaris zones:
• When you join a non-global zone to AD, an error occurs when PBIS Enterprise tries to synchronize the Solaris
clock with AD.
The error occurs because the root user of the non-global zone does not have root access to the underlying
global system and thus cannot set the system clock. If the clocks are within the 5-minute clock skew permitted
by Kerberos, the error will not be an issue.
Otherwise, you can resolve the issue by manually setting the clock in the global zone to match AD or by joining
the global zone to AD before joining the non-global zone.
• Some Group Policy settings may log PAM errors in the non-global zones even though they function as
expected. The cron Group Policy setting is one example:

Wed Nov 7 16:26:02 PST 2009 Running Cronjob 1 (sh)


Nov 7 16:26:01 zone01 last message repeated 1 time
Nov 7 16:27:00 zone01 cron[19781]: pam_lsass(cron): request failed

Depending on the Group Policy setting, these errors may result from file access permissions, attempts to write
to read-only directories, or both.
• By default, Solaris displays auth.notice syslog messages on the system console. Some versions of PBIS
Enterprise generate significant authentication traffic on this facility-priority level, which may lead to an
undesirable amount of chatter on the console or clutter on the screen.
To redirect the traffic to a file instead of displaying it on the console, edit your /etc/syslog.conf file as
follows:
Change this:
*.err;kern.notice;auth.notice /dev/sysmsg
To this:
*.err;kern.notice /dev/sysmsg
auth.notice /var/adm/authlog
Important: Make sure that you use tabs, not spaces, to separate the facility.priority information (on the left) from
the action field (on the right). Using spaces will cue syslog to ignore the entire line.
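The tab requirement above is easy to get wrong and fails silently, so here is an added check (not part of the guide): a shell function that reports every selector/action line in a syslog.conf-style file that is separated by spaces rather than a TAB. The sample file is constructed from the before and after entries shown above.

```sh
#!/bin/sh
# Added example, not from the PBIS guide: flag syslog.conf lines that separate the
# facility.priority selector from the action with spaces instead of a TAB.

tab=$(printf '\t')

# syslog_conf_check FILE
# Print "line N: ..." for each selector line lacking a TAB separator.
# Returns 0 when the file is clean, 1 when at least one line was flagged.
syslog_conf_check() {
    conf="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Skip blank lines and comments (leading whitespace tolerated).
        stripped=$(printf '%s' "$line" | tr -d ' \t')
        if [ -z "$stripped" ]; then continue; fi
        case "$stripped" in \#*) continue ;; esac
        case "$line" in
            *"$tab"*) ;;                      # TAB present: syslogd will parse the line
            *) printf 'line %d: no TAB separator: %s\n' "$n" "$line"; bad=1 ;;
        esac
    done < "$conf"
    return "$bad"
}

# Constructed sample: the first entry uses a space (syslogd ignores it); the next two
# are the corrected entries from the guide, written with a real TAB.
sample=$(mktemp)
{
    printf '# constructed /etc/syslog.conf fragment\n'
    printf '*.err;kern.notice;auth.notice /dev/sysmsg\n'
    printf '*.err;kern.notice\t/dev/sysmsg\n'
    printf 'auth.notice\t/var/adm/authlog\n'
} > "$sample"

if syslog_conf_check "$sample"; then
    echo "syslog.conf: all selector lines use TAB separators"
else
    echo "syslog.conf: fix the lines above before expecting auth.notice to reach /var/adm/authlog"
fi
```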

Installing on Solaris 11
This section is intended for administrators installing PBIS Enterprise on Solaris targets.


What's New with the Solaris 11 Installer


There are two ways to install PBIS Enterprise on Solaris 11:
• Traditional shell script using the legacy SVR4 packaging mechanism.
• IPS repository install using Oracle's preferred IPS packaging mechanism.
A p5p file that can be uploaded to your local IPS repository is located on the ISO in the following directory:
agents/solaris11-<ARCH>/p5p

Uploading the Packages with the P5P file


You can use the --ips option of the install script to upload the PBIS p5p archive file to the local repository.

Example:
pbis/install.sh --ips <repository>

If you only have the p5p file, you can use the pkgrecv command.

Example:
pkgrecv -s ./PBISEnterprise-X.X.X.XXXX-solaris11-<ARCH>.p5p -d <repository> PBISEnterprise.<ARCH>

Confirm the Package Added to Repository


Verify that the PBIS Enterprise package with publisher BeyondTrust has been added to the repository:
pkgrepo list -s <repository>

Installing the Agent in Solaris 11 Zones


After the files are uploaded to the local IPS repository and the global zone can access the repository, the non-global
zones can access it as well.
In the zone, run the following IPS package command:
pkg install PBISEnterprise.<ARCH>


Upgrading An Operating System


Follow the steps to upgrade an operating system:
– Leave the domain
– Uninstall the agent
For more information about uninstalling agents, refer to the PBISE Administration Guide.
– Upgrade the operating system
– Install the correct agent for the new version of the operating system
– Join an Active Directory Domain


Configuring SELinux
Be sure to review the latest SELinux documentation. You can start with the SELinux wiki,
http://www.selinuxproject.org/page/Main_Page

Installing SELinux on Unsupported Platforms


If you are installing PBIS Enterprise on a platform on which its SELinux policy is not supported, and SELinux is
enforcing, a message similar to the following is displayed:
SELinux found to be present, enabled, and enforcing. You may either provide a policy at
/opt/pbis/share/pbis.pp --OR-- SELinux must be disabled or set to permissive mode by editing the file
/etc/selinux/config and rebooting. For instructions on how to edit the file to disable SELinux, see the SELinux
man page.
To install with SELinux on an unsupported platform:
1. Create a compiled policy.
To get started creating an SELinux policy for PBIS Enterprise, use existing policy sources located under version
directories: /opt/pbis/share/rhel or in /opt/pbis/share/fedora.
2. Rename the policy pbis.pp and place it in the following directory:
/opt/pbis/share
3. Run the installation again. The pbis.pp file will be installed.

Configuring SELinux After Installing


After installing PBIS Enterprise with SELinux, security denials might occur.
Security denials caused by the current policy are reported in the following log file:
/var/log/audit/audit.log
You can fix security denial issues automatically or manually.

Automatically Fix Security Denials


To create a policy to fix existing denials involving applications and resources with 'pbis' in the name:
grep pbis /var/log/audit/audit.log | audit2allow -M pbislocal

The file pbislocal.pp will be a compiled policy module and can be loaded with semodule -i pbislocal.pp.

Manually Fix Security Denials


The procedure is similar to automatically fixing security denials, except that you generate the policy source file
pbislocal.te, which you can review and edit before compiling it:
grep pbis /var/log/audit/audit.log | audit2allow -m pbislocal > pbislocal.te

To build a compiled policy, execute the following command in the directory where pbislocal.te is located:
make -f /usr/share/selinux/devel/Makefile

Load the module with semodule -i pbislocal.pp
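Before loading whatever audit2allow generates, it helps to see what the denials actually are. The following added shell function (not part of the guide) summarizes the pbis-related AVC records in an audit.log by process, source and target type, object class and permission; the log lines and the SELinux type names in the sample are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the PBIS guide: summarize SELinux AVC denials that involve
# pbis before turning them into a policy module with audit2allow -M.

# avc_summary AUDITLOG
# Print one line per distinct denial, most frequent first:
#   "<count> <comm> <source type> -> <target type> <class> { perms }"
avc_summary() {
    grep 'type=AVC' "$1" | grep 'pbis' | awk '
    {
        perm = ""; comm = ""; tclass = ""; stype = ""; ttype = ""
        # Permission set, e.g. "{ read }" or "{ read write }".
        if (match($0, /denied +[{][^}]*[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/denied +[{] */, "", perm); sub(/ *[}]/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)          { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
        }
        key = comm " " stype " -> " ttype " " tclass " { " perm " }"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Constructed audit.log: two identical pbis denials, one more pbis denial, one SYSCALL
# record (not an AVC) and one unrelated httpd denial that must not be counted.
log=$(mktemp)
cat > "$log" <<'EOF'
type=AVC msg=audit(1535000000.101:201): avc:  denied  { read } for  pid=2201 comm="lsassd" name="shadow" dev="dm-0" ino=4401 scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1535000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="lsassd" exe="/opt/pbis/sbin/lsassd"
type=AVC msg=audit(1535000000.102:202): avc:  denied  { read } for  pid=2201 comm="lsassd" name="shadow" dev="dm-0" ino=4401 scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1535000000.103:203): avc:  denied  { write } for  pid=2210 comm="netlogond" name="db" dev="dm-0" ino=4410 scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1535000000.104:204): avc:  denied  { name_connect } for  pid=3100 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF

avc_summary "$log"
```

Each summary line corresponds to an allow rule that `audit2allow -M pbislocal` would emit for the same grep; reviewing them first lets you decide whether each grant is appropriate before loading the module.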


Joining an Active Directory Domain


You can join computers to Active Directory using one of the following ways:
• Command line utility. See Join Active Directory from the Command Line.
• A GUI-based domain join tool. See Join Active Directory Using the Domain Join GUI Tool.
For more information about the Domain Join tool CLI commands, refer to the Linux Administration Guide.

Overview
When PBIS Enterprise joins a computer to an Active Directory domain, it uses the hostname of the computer to
create the name of the computer object in Active Directory. From the hostname, the PBIS Enterprise domain join
tool attempts to derive a fully qualified domain name. By default, the PBIS Enterprise domain join tool creates the
Linux and Unix computer accounts in the default Computers container in Active Directory.
After you join a domain for the first time, you must restart the computer before you can log on. If you cannot
restart the computer, you must restart each service or daemon that looks up users or groups through the standard
nsswitch interface, which includes most services that authenticate users, groups, or computers. You must, for
instance, restart the services that use Kerberos, such as sshd.

Pre-Create Accounts in Active Directory


You can create computer accounts in Active Directory before you join your computers to the domain. When you
join a computer to a domain, PBIS Enterprise associates the computer with the pre-existing computer account
when PBIS Enterprise can find it.
To locate the computer account, PBIS Enterprise first looks for a computer account with a DNS hostname that
matches the hostname of the computer. If the DNS hostname is not set, PBIS Enterprise then looks for the name of
a computer account that matches the computer's hostname, but only when the computer's hostname is 15
characters or less.
Therefore, when the hostname of your computer is more than 15 characters, set the DNS hostname for the
computer account to ensure that the correct computer account is found. If no match is found, PBIS Enterprise
creates a computer account.


Privileges and Permissions


To join a computer to a domain, use credentials for an Active Directory account that has privileges to join
computers to the domain and the full name of the domain that you want to join.
For instructions on how to delegate rights to join a computer to a domain, see
http://support.microsoft.com/kb/932455. The level of privileges that you need is set by Microsoft Active Directory
and is typically the same as performing the corresponding action on a Windows computer.
For more information about Active Directory privileges, permissions, and security groups, see the following
references on the Microsoft TechNet website:
• Active Directory Privileges
• Active Directory Object Permissions
• Active Directory Users, Computers, and Groups
• Securing Active Directory Administrative Groups and Accounts

Creation of Local Accounts


After you join a domain, PBIS Enterprise creates two local user accounts:
– ComputerName\Administrator – The account is disabled until you run mod-user with the root
account. You are prompted to reset the password the first time you use the account.
– ComputerName\Guest
You can view information about these accounts by executing the following command:
/opt/pbis/bin/enum-users
Example output:

User info (Level-2):


====================
Name: EXAMPLE-01\Administrator
UPN: Administrator@EXAMPLE-01
Generated UPN: YES
Uid: 1500
Gid: 1544
Gecos: <null>
Shell: /bin/sh
Home dir: /
LMHash length: 0
NTHash length: 0
Local User: YES
Account disabled: TRUE
Account Expired: FALSE
Account Locked: FALSE
Password never expires: FALSE
Password Expired: TRUE
Prompt for password change: YES
User can change password: NO
Days till password expires: -149314


User info (Level-2):


====================
Name: EXAMPLE-01\Guest
UPN: Guest@EXAMPLE-01
Generated UPN: YES
Uid: 1501
Gid: 1546
Gecos: <null>
Shell: /bin/sh
Home dir: /tmp
LMHash length: 0
NTHash length: 0
Local User: YES
Account disabled: TRUE
Account Expired: FALSE
Account Locked: TRUE
Password never expires: FALSE
Password Expired: FALSE
Prompt for password change: YES
User can change password: NO
Days till password expires: -149314


Join Active Directory from the Command Line


On Linux, Unix, and Mac OS X computers, the location of the domain join command-line utility is as follows:
/opt/pbis/bin/domainjoin-cli
When you join a domain by using the command-line utility, PBIS Enterprise uses the hostname of the computer to
derive a fully qualified domain name (FQDN) and then automatically sets the FQDN in the /etc/hosts file.
You can also join a domain without changing the /etc/hosts file. See Join Active Directory Without Changing
/etc/hosts.

Before Joining a Domain


To join a domain ensure the following are in place:
• The computer's name server can find the domain.
Run the command:
nslookup domainName
• The computer can reach the domain controller.
Run the command:
ping domainName

If either of these tests fails, see Check System Health Before Installing the Agent and Troubleshooting Domain-Join
Problems.

Joining a Computer to Active Directory


Run the following command as root.
Replace domainName with the FQDN of the domain that you want to join and joinAccount with the user
name of an account that has privileges to join computers to the domain:

/opt/pbis/bin/domainjoin-cli join domainName joinAccount

Example: /opt/pbis/bin/domainjoin-cli join example.com Administrator


Tip: On Ubuntu, execute the sudo su command before you run the domainjoin-cli command.

Joining a Mac Computer


Using sudo, execute the following command in Terminal:

sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount

Terminal prompts you for two passwords:


• A Mac user account with administrative privileges.
• The Active Directory account that you are using in the join command.


Join a Linux or Unix Computer to an Organizational Unit


Run the following command as root.
Replace organizationalUnitName with the path and name of the organizational unit that you want to join,
domainName with the FQDN of the domain, and joinAccount with the user name of an account that has
privileges to join computers to the target OU:

/opt/pbis/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount

Example: /opt/pbis/bin/domainjoin-cli join --ou Engineering example.com Administrator

Join a Linux or Unix Computer to a Nested Organizational Unit


Run the following command as root, replacing these values:
• path with the AD path to the OU from the top down, with each node separated by a forward slash (/).
• organizationalUnitName with the name of the organizational unit that you want to join.
• domainName with the FQDN of the domain.
• joinAccount with the user name of an AD account that has privileges to join computers to the target OU:

/opt/pbis/bin/domainjoin-cli join --ou path/organizationalUnitName domainName joinAccount

Here is an example of how to join a deeply nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU example.com Administrator

Join Active Directory Without Changing /etc/hosts


When you use the PBIS Enterprise domain join tool, PBIS Enterprise uses the host name of the computer to derive
a fully qualified domain name (FQDN) and automatically sets the computer’s FQDN in the /etc/hosts file.
To join a Linux computer to the domain without changing the /etc/hosts file, run the following command as
root. Replace:
– domainName – the FQDN of the domain to join
– joinAccount – the user account with privileges to join computers to the domain
/opt/pbis/bin/domainjoin-cli join --disable hostname domainName joinAccount
Example: /opt/pbis/bin/domainjoin-cli join --disable hostname example.com Administrator
After you join a domain for the first time, you must restart the computer before you can log on.


If the Computer Fails to Join the Domain


Make sure the computer's FQDN is correct in /etc/hosts. For the computer to process tickets in compliance
with the Kerberos protocol and to function properly when it uses cached credentials in offline mode or when its
DNS server is offline, there must be a correct FQDN in /etc/hosts. For more information on GSS-API
requirements, see RFC 2743.
You can determine the FQDN of a computer running Linux, Unix, or Mac OS X by executing the following
command:
ping -c 1 `hostname`
When you execute this command, the computer looks up the primary host entry for its hostname. In most cases,
this means that it looks for its hostname in /etc/hosts, returning the first FQDN name on the same line. For
example, the correct entry for the hostname qaserver, in /etc/hosts:
10.100.10.10 qaserver.corpqa.example.com qaserver
If the entry in /etc/hosts incorrectly lists the hostname (or anything else) before the FQDN, the computer's
FQDN becomes, using the malformed example below, qaserver:
10.100.10.10 qaserver qaserver.corpqa.example.com
If the host entry cannot be found in /etc/hosts, the computer looks for the results in DNS instead. This means
that the computer must have a correct A record in DNS. If the DNS information is wrong and you cannot correct it,
add an entry to /etc/hosts.
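The /etc/hosts lookup described above can be checked without pinging anything. The following added shell functions (not from the guide) read an /etc/hosts-style file, return the name the computer would derive as its FQDN, and verify that it is the expected name in the expected domain; the two host files are constructed from the well-formed and malformed entries above.

```sh
#!/bin/sh
# Added example, not from the PBIS guide: derive the FQDN the way the guide says the
# system does (first name on the /etc/hosts line that lists the hostname) and check it.

# hosts_fqdn HOSTNAME HOSTSFILE
# Print the first name on the first non-comment line that lists HOSTNAME in any name
# column. Prints nothing when HOSTNAME is absent (the system would then fall back to DNS).
hosts_fqdn() {
    awk -v h="$1" '
        { sub(/#.*/, "") }                    # drop comments, including trailing ones
        NF < 2 { next }                        # need an address plus at least one name
        { for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }
    ' "$2"
}

# hosts_fqdn_ok HOSTNAME DOMAIN HOSTSFILE
# Return 0 when the derived name is HOSTNAME.DOMAIN, 1 otherwise (with a diagnostic).
hosts_fqdn_ok() {
    got=$(hosts_fqdn "$1" "$3")
    if [ "$got" = "$1.$2" ]; then
        return 0
    fi
    if [ -z "$got" ]; then
        printf '%s: no /etc/hosts entry; the DNS A record must be correct\n' "$1" >&2
    else
        printf '%s: derived FQDN is %s, expected %s.%s (put the FQDN first on the line)\n' \
            "$1" "$got" "$1" "$2" >&2
    fi
    return 1
}

# Constructed host files: the well-formed and the malformed entry from the guide.
good=$(mktemp); bad=$(mktemp)
printf '127.0.0.1 localhost\n10.100.10.10 qaserver.corpqa.example.com qaserver # lab box\n' > "$good"
printf '127.0.0.1 localhost\n10.100.10.10 qaserver qaserver.corpqa.example.com\n' > "$bad"

hosts_fqdn qaserver "$good"     # qaserver.corpqa.example.com
hosts_fqdn qaserver "$bad"      # qaserver
hosts_fqdn_ok qaserver corpqa.example.com "$good" && echo "good file: OK"
hosts_fqdn_ok qaserver corpqa.example.com "$bad" || echo "bad file: needs fixing"
```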


Turn Off OS X Directory Service Authentication


If you are migrating from Open Directory or Active Directory and you had set authentication from the command
line with dsconfigad or dsconfigldap, you must run the following commands to stop the computer from
trying to use the built-in directory service even if the Mac is not bound to it:

dscl . -delete /Computers
dscl /Search -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController
dscl /Search -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController

Automatically Join an Agent to a Domain


The following sections show you how to prepare a computer account and automate the domain join process.

Create a Computer Account in Active Directory


1. Using Active Directory Users and Computers, create a Computer Account in your preferred OU.
2. The Computer Name must be configured to correctly match the PBIS agent hostname.
3. Select the Assign this computer account as a pre-Windows 2000 computer check box to assign this computer
a password which is based on the new computer name.

4. Select the permissions: Write access and Reset Password access.


Run a Domain Join Script on the Agent


On the PBIS agent host, create a script that runs after a reboot (for example, a cron job) and executes the
following command:
/opt/pbis/bin/domainjoin-cli join <YOUR_DOMAIN> `hostname -s`$ `hostname -s`

Files Modified When You Join a Domain


Some system files are changed when a computer is joined to a domain. The files that change depend on the
platform, the distribution, and the system's configuration.
Run the following command to see a list of the changes:
domainjoin-cli join --advanced --preview domainName
Note: Not all the following files are present on all computers.
The following files might be modified.
• /etc/nsswitch.conf (On AIX, the file is /etc/netsvc.conf.)
• /etc/pam.conf on AIX, HP-UX, and Solaris
• /etc/pam.d/* on Linux
• /etc/ssh/{ssh_config,sshd_config} (or wherever sshd configuration is located)
• /etc/hosts (To join a domain without modifying /etc/hosts, see Join Active Directory Without Changing
/etc/hosts.)
• /etc/apparmor.d/abstractions/nameservice
• /etc/X11/gdm/PreSession/Default
• /etc/vmware/firewall/services.xml
• /usr/lib/security/methods.cfg
• /etc/security/user
• /etc/security/login.cfg
• /etc/netsvc.conf
• /etc/krb5.conf
• /etc/krb5/krb5.conf
• /etc/rc.config.d/netconf
• /etc/nodename
• /etc/{hostname,HOSTNAME,hostname.*}
• /etc/sysconfig/network/config
• /etc/sysconfig/network/dhcp
• /etc/sysconfig/network/ifcfg-*
• /etc/sysconfig/network-scripts/ifcfg-*
• /etc/init.d or /sbin/init.d
• /etc/rcX.d/ (new files and links created)
• /etc/inet/ipnodes
As an example, the following table lists the files that are modified for the default configuration of the operating
system of a few selected platforms.

Modified Files                                                                   Solaris 9  Solaris 10  AIX 5.3  AIX 6.1  Red Hat Enterprise Linux 5
/etc/nsswitch.conf (On AIX, the file is /etc/netsvc.conf.)                       ✓ ✓ ✓
/etc/pam.conf on AIX, HP-UX, and Solaris                                         ✓ ✓ ✓ ✓
/etc/pam.d/* on Linux                                                            ✓
/etc/ssh/{ssh_config,sshd_config} (or wherever sshd configuration is located)    ✓ ✓ ✓
/etc/hosts                                                                       ✓ ✓ ✓ ✓ ✓
/etc/apparmor.d/abstractions/nameservice
/etc/X11/gdm/PreSession/Default
/etc/vmware/firewall/services.xml
/usr/lib/security/methods.cfg                                                    ✓ ✓
/etc/security/user                                                               ✓ ✓
/etc/security/login.cfg                                                          ✓
/etc/netsvc.conf                                                                 ✓ ✓
/etc/krb5.conf                                                                   ✓ ✓ ✓
/etc/krb5/krb5.conf                                                              ✓ ✓
/etc/rc.config.d/netconf
/etc/nodename                                                                    ✓ ✓
/etc/{hostname,HOSTNAME,hostname.*}                                              ✓
/etc/sysconfig/network/config
/etc/sysconfig/network/dhcp
/etc/sysconfig/network/ifcfg-*
/etc/sysconfig/network-scripts/ifcfg-*
/etc/init.d or /sbin/init.d
/etc/rcX.d/ (new files and links created)                                        ✓
/etc/inet/ipnodes                                                                ✓ ✓



Logging on with Domain Credentials
PBIS Enterprise includes the following logon options:
• Full domain credentials—example: example.com\\hoenstiv
• Single domain user name—example: example\\hoenstiv
• Alias—example: stiv
• Cached credentials
Important: When you log on from the command line, you must use a backslash to escape the backslash character,
making the logon form DOMAIN\\username.
When you log on a Linux, Unix, or Mac OS X computer using your domain credentials, PBIS Enterprise uses the
Kerberos protocol to connect to Active Directory's key distribution center, or KDC, to establish a key and to request
a Kerberos ticket granting ticket (TGT). The TGT lets you log on to other computers joined to Active Directory or
applications provisioned with a service principal name and be automatically authenticated with Kerberos and
authorized for access through Active Directory.
After logon, PBIS Enterprise stores the password in memory and securely backs it up on disk. You can, however,
configure PBIS Enterprise to store logon information in a SQLite database, but it is not the default method. The
password is used to refresh the user's Kerberos TGT and to provide NTLM-based single sign-on through the PBIS
Enterprise GSSAPI library. In addition, the NTLM verifier hash—a hash of the NTLM hash—is stored to disk to handle
offline logons by comparing the password with the cached credentials.
PBIS Enterprise stores an NTLM hash and LM hash only for accounts in PBIS Enterprise's local provider. The hashes
are used to authenticate users over CIFS. Since PBIS Enterprise does not support offline logons for domain users
over CIFS, it does not store the LM hash for domain users.

UPN Names
To use UPN names, you must raise your Active Directory forest functional level to Windows Server 2003, but
raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from
the domain. For more information, see Storage Modes.

Log on with AD Credentials


After the PBIS Enterprise agent is installed and the Linux or Unix computer is joined to a domain, you can log on
with your Active Directory credentials.
• Log on from the command line. Use a backslash character to escape the backslash (DOMAIN\\username).
Example with ssh: ssh example.com\\hoenstiv@localhost
• Log on the system console or the text login prompt using an Active Directory user account in the form of
DOMAIN\username, where DOMAIN is the Active Directory short name.
Note: After you join a domain for the first time, you must restart the computer before you can log on
interactively through the console.
Log on with SSH
You can log on with SSH by executing the ssh command at the shell prompt in the following format:
ssh DOMAIN\\username@localhost
Example: ssh example.com\\hoenstiv@localhost

Leaving a Domain and Uninstalling the PBIS Enterprise Agent
You can remove a computer from a domain without necessarily disabling or deleting the computer's account in
Active Directory. If needed, you can uninstall the PBIS Enterprise agent from a client computer.

Leave a Domain
When a computer is removed from a domain, PBIS Enterprise retains the settings that were made to the
computer's configuration when it was joined to the domain. Changes to the nsswitch module are also preserved
until you uninstall PBIS Enterprise, at which time they are reverted.
Before leaving a domain, run the following command to view the changes that will take place:
domainjoin-cli leave --advanced --preview domainName

Example:
[root@rhel4d example]# domainjoin-cli leave --advanced --preview example.com
Leaving AD Domain:
EXAMPLE.COM
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[X] [N] nsswitch - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[X] [N] krb5 - configure krb5.conf
[F] keytab - initialize kerberos keytab

Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary - this step must be run or manually performed
[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes

For information on advanced commands for leaving a domain, see Join Active Directory from the Command Line.
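The preview output above is easy to check mechanically before the real leave or join. The following added shell functions (not part of the guide) parse the flag columns of domainjoin-cli --advanced --preview output, list the steps that will change the system, and fail when a step outside an expected allowlist would change; the input is the guide's sample output, embedded here as constructed test data.

```sh
#!/bin/sh
# Added example, not from the PBIS guide: parse "domainjoin-cli ... --advanced --preview"
# output so a change review can confirm which steps will actually touch the system.

# preview_steps FILE LETTER
# Print the step names whose flag columns include [LETTER] (X, N, S or F).
# Parsing stops at the "Key to flags" legend, whose lines also begin with "[".
preview_steps() {
    awk -v want="[$2]" '
        /^Key to flags/ { exit }
        /^\[/ {
            head = $0; sub(/ - .*/, "", head)        # e.g. "[X] [S] ssh"
            n = split(head, tok, " ")                # tokens: flags..., step name
            for (i = 1; i < n; i++) if (tok[i] == want) { print tok[n]; break }
        }' "$1"
}

# preview_only_allowed FILE "step step ..."
# Return 1 and name the offenders if any step flagged [X] is outside the allowlist,
# e.g. to confirm that a join run with --disable hostname will not rewrite the hostname.
preview_only_allowed() {
    allowed=" $2 "
    rc=0
    for step in $(preview_steps "$1" X); do
        case "$allowed" in
            *" $step "*) ;;
            *) printf 'unexpected step will change the system: %s\n' "$step"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed input: the preview output shown in the guide.
preview=$(mktemp)
cat > "$preview" <<'EOF'
Leaving AD Domain:
EXAMPLE.COM
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[X] [N] nsswitch - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[X] [N] krb5 - configure krb5.conf
[F] keytab - initialize kerberos keytab

Key to flags
[F]ully configured - the system is already configured for this step
[X] - this step is enabled and will make changes
EOF

echo "steps that will change the system:"; preview_steps "$preview" X
echo "steps that must be run:"; preview_steps "$preview" N
preview_only_allowed "$preview" "ssh pam nsswitch stop leave krb5" && echo "allowlist: OK"
preview_only_allowed "$preview" "ssh pam" || echo "allowlist: review required"
```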

Remove a Linux or Unix Computer from a Domain


To remove the computer, use a root account to run the following command:
/opt/pbis/bin/domainjoin-cli leave

Disable the Computer Account in Active Directory


By default, a computer account in Active Directory is not disabled or deleted when the computer is removed from
the domain.
To disable but not delete the computer account, include the user name as part of the leave command. Note that
you will be prompted for the user account password:
/opt/pbis/bin/domainjoin-cli leave userName


Remove the Computer Account in Active Directory


To delete the computer account, use the option --deleteAccount and include the user name as part of the
leave command. Note that you will be prompted for the password of the user account:
/opt/pbis/bin/domainjoin-cli leave --deleteAccount userName

Remove a Mac from a Domain


Note: For Mac OS 10.8 and later, the GUI is no longer supported.
For PBIS Enterprise 7.0 and later, GUI on any Mac is not supported.
Use the CLI commands. See Remove a Mac from a Domain from the Command Line.
To leave a domain on a Mac OS X computer, administrative privileges are required on the Mac.
1. In Finder, click Applications.
2. In the list of applications, double-click Utilities, and then double-click Directory Access.
3. On the Services tab, click the lock and enter an administrator name and password to unlock it.
4. In the list, click Likewise, and then click Configure.
5. Enter a name and password of a local machine account with administrative privileges.
6. On the menu bar at the top of the screen, click the Domain Join Tool menu, and then click Join or Leave
Domain.
7. Click Leave.

Uninstall the Agent on a Linux or Unix Computer


You can uninstall PBIS Enterprise by using a shell script or by using a command.

Using a Shell Script to Uninstall


Important: Before uninstalling the agent, you must leave the domain. Then execute the uninstall command
from a directory other than pbis so that the uninstall program can delete the pbis directory and all its
subdirectories—for example, execute the command from the root directory.
If you installed the agent on a Linux or Unix computer by using the shell script, you can uninstall the PBIS Enterprise
agent from the command line by using the same shell script with the uninstall option. (To uninstall the agent,
you must use the shell script with the same version and build number that you used to install it.) For example, on a
Linux computer running glibc, change directories to the location of PBIS Enterprise and then run the following
command as root, replacing the name of the script with the version you installed:
./pbis-open-x.x.x.xxxx.linux.oldlibc.i386.rpm.sh uninstall
For information about the script's options and commands, execute the following command:
./pbis-open-x.x.x.xxxx.linux.i386.rpm.sh help

Using a Command to Uninstall


To uninstall PBIS Enterprise by using a command, run the following command:
/opt/pbis/bin/uninstall.sh uninstall
To completely remove all files related to PBIS Enterprise from your computer, run the command as follows
instead. If using this command and option, you do not need to leave the domain before uninstalling.


/opt/pbis/bin/uninstall.sh purge

Uninstall the Agent on a Mac


On a Mac OS X computer, you must uninstall the PBIS Enterprise agent by using Terminal.
Note: Choose the appropriate action depending on whether you plan to re-install the product.
– If you are not planning to re-install the product, leave the domain before uninstalling the agent.
– If you are planning to re-install the product, remain in the domain while uninstalling the agent.
1. Log on to the Mac using a local account with privileges that allow you to use sudo.
2. Open a Terminal window: In Finder, on the Go menu, click Utilities, and then double-click Terminal.
3. At the Terminal shell prompt, execute the following command:
sudo /opt/pbis/bin/macuninstall.sh
