PBISE : Installation and Administration Guide v7.5

heykumaran 4,651 views 190 slides Apr 07, 2015


June 21, 2013
Installation and Administration Guide
Release 7.5

Revision/Update Information: June 21, 2013
Software Version: PowerBroker Identity Services Enterprise Edition 7.5
Revision Number: 2
COPYRIGHT NOTICE
Copyright © 2013 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. ("BeyondTrust") or BeyondTrust's authorized remarketer, if and when applicable.
TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than, any limited warranties expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2) (Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at DFARS 252.227-7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage, PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops, PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.
ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions.
This application contains software powered by PKAIP®, the leading solution for enabling efficient and secure data storage and transmission. PKAIP® is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with permission.
FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead is entirely coincidental.
OTHER NOTICES
If and when applicable the following additional provisions are so noted:
The PowerBroker Identity Services Open software is free to download and use according to the terms of the Limited GPL 2.1 for client libraries and the GPL 2 for daemons. The licenses for PowerBroker Identity Services Enterprise and for PowerBroker Identity Services UID-GID Module are different. For complete information on the software licenses and terms of use for BeyondTrust products, see www.beyondtrust.com.

Contents
I. Preparing for PBIS Deployment 1
Introduction to PBIS Enterprise 2
PBIS Overview 2
PBIS Components 3
Task Road Map 4
PBIS Feature Review 6
PBIS Agent 6
Services 6
PBIS Registry 12
Ports and Libraries 12
Caches and Databases 12
Time Synchronization 14
Using a Network Time Protocol Server 15
Automatic Detection of Offline Domain Controller and Global Catalog 15
UID-GID Generation in PowerBroker Cells 16
Cached Credentials 16
Trust Support 16
Integrating with Samba 19
Supported Platforms 19
SELinux Support 19
Storage Modes 20
Directory Integrated Mode 20
Schemaless Mode 21
Key Differences 23
Pros and Cons of the Modes 24
PowerBroker Cells 25
Types of Cells 26
How Cells Are Processed 27
Cell Design 28
Using Multiple Cells 30
Linking Cells 30
Managing Cells with Cell Manager 31
Migrating Users to Active Directory 31
Migrating NIS Domains 31
Finding Orphaned Objects 32
Planning Your Installation and Deployment 33
Installation and Provisioning Overview 33
Planning Your Deployment 34
Best Practices for Modes, Cells, and User Rights 35
Number of Cells 35
PBIS Enterprise Installation and Administration: Contents
BeyondTrust®
June 21, 2013 3

Storage Mode 35
Migrating Cells 35
User Rights 35
Pre-stage Unix Computer Accounts 36
Best Practices for Windows 36
PBIS Enterprise Tools Best Practices 36
Active Directory Best Practices 37
Reporting Tools Best Practices 37
Group Policy Best Practices 38
Best Practices for Unix, Linux, and Mac OS X 40
AIX Best Practices 40
Linux Best Practices 40
Mac OS X Best Practices 41
Solaris Best Practices 41
Unix Applications Best Practices 42
Account Management Best Practices 42
Best Practices for Operations 43
SSH Logons 43
Lookups and Configuration 43
Operating System Patching and Upgrades 43
II. Installing and Provisioning PBIS 44
Installing the Management Console 45
Requirements 45
Microsoft Management Tools 45
Administrator Privileges 46
Active Directory Requirements 46
Windows Requirements for the Console 46
Requirements to Run PBIS in Directory Integrated Mode 47
Networking 47
Replication 47
Supported Platforms and Applications 48
Install the BeyondTrust Management Console 48
Run the Initialization Wizard 50
Configuring Clients Before PBIS Agent Installation 51
Configure nsswitch.conf 51
Configure resolv.conf 52
Configure Firewall Ports 52
Extend Partition Size (IBM AIX) 52
Increase Max User Name Length (IBM AIX) 53
Installing the PBIS Agent 54
Install the Correct Version for Your Operating System 54
Checking Your Linux Kernel Release Number 55
Package Management Commands 55
Requirements for the Agent 55
Environmental Variables 55
Patch Requirements 56
Other Requirements for the Agent 57
Additional Requirements for Specific Operating Systems 58
Install the Agent on Linux or Unix with the Shell Script 58
Install the Agent on Linux in Unattended Mode 59
Install the Agent on Unix from the Command Line 59
Install the Agent on a Mac OS X Computer 60
Install the Agent on a Mac in Unattended Mode 61
Install the Agent in Solaris Zones 62
Upgrading Your Operating System 64
Configuring SELinux 64
Installing SELinux on Unsupported Platforms 64
Configuring SELinux After Installing 65
Configuring Clients After PBIS Agent Installation 66
Modify Settings with the Config Tool 66
Add Domain Accounts to Local Groups 67
Configure Entries in Your sudoers Files 68
Check a User's Canonical Name on Linux 69
Set a sudoers Search Path 69
AIX: Create Audit Classes to Monitor Events 70
Joining an Active Directory Domain 72
Privileges and Permissions 73
Creation of Local Accounts 73
Join Active Directory from the Command Line 75
Before Joining a Domain 75
Join a Linux or Unix Computer to Active Directory 75
Join a Mac Computer to Active Directory 76
Join a Linux or Unix Computer to an Organizational Unit 76
Join a Linux or Unix Computer to a Nested Organizational Unit 76
domainjoin-cli Options, Commands, and Arguments 77
Basic Commands 77
Advanced Commands 78
Configuration and Debugging Commands 83
Join Active Directory Without Changing /etc/hosts 84
Join a Linux Computer to Active Directory 85
Join a Mac Computer to Active Directory 87
Turn Off OS X Directory Service Authentication 89
Files Modified When You Join a Domain 89
Logging on with Domain Credentials 92
Log on with AD Credentials 93
Log on with SSH 93
III. Administration 94
Using the Management Console 95
Start the BeyondTrust Management Console 95
Connect to a Domain 97
Run the Directory Integrated Mode Wizard 97
Running the Directory Integrated Mode Wizard 97
Changes Made by the Directory Integrated Mode Wizard 98
Replication in a Large Forest or in Multiple Domains 99
Add a Plug-In 99
Working with Cells 100
Create a Cell and Associate it with an OU or a Domain 100
Moving a Computer to Another Cell 102
Create a Default Cell 102
Associate a User with Cells 103
Add a Group to a Cell 103
Add a User to a Cell 104
Modify PowerBroker Cell Settings in ADUC 106
Link Cells 106
Delegate Control to Create Container Objects 108
Administering Cells with Cell Manager 109
Start Cell Manager 109
Delegate Management 110
Change Permissions of a Cell, Group, or User 111
Add a Cell 111
Give a User Access to a Cell 112
Give a Group Access to a Cell 113
Filter Cells 113
Connect to a Different Domain 113
Managing Users, Groups, and Computers 114
Create a User 114
Finding Users and Groups in ADUC 116
Provision a User with Linux or Unix Access 117
Provision a Group with Linux or Unix Access 119
Specify a User ID and Unix or Linux Settings 120
Apply Unix or Linux Settings to Multiple Users 122
Set a User Alias 123
Set a Group Alias 124
Set the Default Home Directory 124
Set the Home Directory for a Cell 125
Set the Home Directory for Multiple Users 125
Set the Home Directory for a Single User 126
Set the Default Login Shell 126
Set the Login Shell for a Cell 126
Set the Login Shell for Multiple Users 127
Set the Login Shell for a Single User 127
Assign a Group ID 128
Disable a User 129
Improve MMC Performance When Accessing Settings in ADUC 129
Extend File Mode Permissions with POSIX ACLs 130
Prerequisites 130
Example 131
Using POSIX ACLs to Grant AD Accounts Access to Subversion 133
Using the Domain-Join Tool 134
Use PBIS with a Single Organizational Unit 134
Rename a Joined Computer 135
Rename a Computer Using the Command-Line Tool 136
Rename a Computer by Using the Domain Join Tool GUI 136
Removing a Computer from a Domain 138
NetworkManager: Use a Wired Connection to Join a Domain 138
Migrating Users to Active Directory 139
Migrate Users to Active Directory 140
Before Running the Migration Tool 140
Run the Migration Tool 140
Find Orphaned Objects 143
Migrate a User Profile on a Mac 143
Migrate a User Profile from the GUI 144
Migrate a User Profile from the Command Line 145
Customize the Migration Script 145
Leaving a Domain and Uninstalling the PBIS Agent 146
Leave a Domain 146
Remove the Computer Account in Active Directory 147
Remove a Linux or Unix Computer from a Domain 147
Remove a Mac from a Domain 147
Remove a Mac from a Domain from the Command Line 148
Uninstall the Agent on a Linux or Unix Computer 148
Using a Shell Script to Uninstall 148
Using a Command to Uninstall 148
Uninstall the Agent on a Mac 148
Using Smart Cards with PBIS 150
Smart Card Setup 150
Supported Linux Platforms 150
Prepare Active Directory for Smart Card Logon 150
Prepare a Linux Computer for Smart Card Logon 151
Log on with a Smart Card 152
Smart Card Group Policy Settings 155
Managing PBIS Licenses 157
Create a License Container 160
Turn on Automatic Licensing 161
Import a License File 162
Assign a License to a Computer in AD 162
Manage a License Key from the Command Line 163
Check the License Key 163
Set a License Key 164
Release a License Key 164
Change the Type of License 165
Delete a License 165
Revoke a License 165
PBIS Reporting 166
Overview of the PBIS Reporting System 166
PBIS Data Collectors 166
Reporting Setup Preview 167
Requirements for the PBIS Reporting System 167
Configuring SQL Server 168
Install and Configure SQL Server 169
Create the Likewise Enterprise Database 172
Install the PBIS Database Utilities 173
Planning SQL Server Database Security 174
Configuring MySQL 176
Create the Likewise Enterprise Database 177
Install the PBIS Database Utilities 178
Customize Your MySQL Security Settings 179
Connecting the PBIS Console to the Database 180
Connect the PBIS Console to the Database 180
Verify That the Collector Processes Are Running 181
Run the Database Update Script 182
Run the Database Update Script from the Command Line 184
Configuring Computers to Forward Events to BTCollector 185
Configure Event Forwarding with Group Policy 186
Configure Event Forwarding with Local Settings 187
Cull Events from Syslog 187
Generate a Sample Report 188
Entitlement Reporting 189
Access Privileges by User 190
Access Privileges by Computer 190
Access Privilege Changes 190
Access Privilege Daily Changes 191
Account Attribute Inconsistencies 191
Monitoring Events with the Operations Dashboard 191
Start the Operations Dashboard 192
Connect to a Database 193
Change the Refresh Rate 193
Configuring the PBIS Data Collectors 193
Configuring BTCollector Using the Shell Prompt 194
Configuring BTEventDBReaper Using the Shell Prompt 196
Using the Enterprise Database Management Plug-in 198
Connect to a Database 199
Change the Parameters of the Collectors 199
Configure the ACL for RPC Access 200
Archiving Events 200
Archive Events with the Console 200
Archive Events with the Command Line 201
Monitoring Events with the Event Log 202
View the Local Event Log 203
Event Types 205
Event Sources 207
Event Source IDs 207
Single Sign-On Using PBIS 211
How PBIS Makes SSO Happen 211
How to Implement SSO with PBIS 212
Enable PAM for SSH 213
Configure PuTTY for Windows-Based SSO 215
Configure PuTTY 216
Configure the Base Linux Computer in Active Directory 216
Configure Apache for SSO 218
Prerequisites 219
Configure Apache HTTP Server 2.2 for SSO on RHEL 5 221
Control Group Access with mod_authz_unixgroup 225
Configure Firefox for SSO 225
Configure Internet Explorer for SSO 227
Examples 229
Command-Line Reference 230
Manage PBIS Services (lwsm) 230
Modify Settings (config) 231
Start the Registry Shell (regshell) 231
Export the Registry to an Editor (edit-reg) 232
Change the Host Name in the Local Provider (set-machine-name) 232
Find a User or a Group 232
Find a User by Name 232
Find a User by UID 233
Find a User by SID 234
Find a Group by Name 234
Find a Group by ID 234
List Groups for a User (list-groups-for-user) 235
List Groups (enum-groups) 235
List Users (enum-users) 235
List the Status of Authentication Providers (get-status) 236
List the Domain 237
List Domain Controllers (get-dc-list) 237
List Domain Controller Information (get-dc-name) 238
List Domain Controller Time (get-dc-time) 238
List Computer Account Information (lsaad-get-machine) 238
Dynamically Update DNS (update-dns) 238
Manage the AD Cache (ad-cache) 239
On Mac OS X 240
Join or Leave a Domain (domainjoin-cli) 240
Display NIS Map (ypcat) 240
Display the Value of a Key in an NIS Map (ypmatch) 240
Modify Objects in AD (adtool) 241
Using the Tool 243
Options 245
Examples 246
Copy Files Across Disparate Operating Systems (lwio-copy) 249
Modify Local Accounts 249
Add a Local User (add-user) 250
Add a Local Group Member (add-group) 250
Remove a Local User (del-user) 250
Remove a Local Group (del-group) 250
Modify a Local User (mod-user) 250
Modify the Membership of a Local Group (mod-group) 251
Kerberos Commands 251
Destroy the Kerberos Ticket Cache (kdestroy) 251
View Kerberos Tickets (klist) 252
Obtain and Cache a TGT (kinit) 252
Change a Password (kpasswd) 253
The Keytab File Maintenance Utility (ktutil) 253
Acquire a Service Ticket and Print Key Version Number (kvno) 254
Manage PBIS Enterprise from the Windows Command Line (btopt.exe) 254
Configuring PBIS with the Registry 256
The Structure of the Registry 256
Data Types 257
Modify Settings with the config Tool 258
Example 1 258
Example 2 259
Example 3 260
Access the Registry 261
Change a Registry Value Using the Shell 262
Set Common Options with the Registry Shell 264
Change a Registry Value from the Command Line 265
Find a Registry Setting 266
lsass Settings 266
Log Level Value Entries 266
Turn on Event Logging 266
Turn off Network Event Logging 267
Restrict Logon Rights 267
Display an Error to Users Without Access Rights 268
Display a Message of the Day 268
Change the Domain Separator Character 269
Change Replacement Character for Spaces 269
Turn Off System Time Synchronization 270
Set the Default Domain 271
Set the Home Directory and Shell for Domain Users 271
Set the Umask for Home Directories 273
Set the Skeleton Directory 274
Force PBIS Enterprise to Work Without Cell Information 275
Refresh User Credentials 276
Turn Off K5Logon File Creation 277
Change the Duration of the Computer Password 277
Sign and Seal LDAP Traffic 278
NTLM Settings 279
Additional Subkeys 280
Add Domain Groups to Local Groups 281
Control Trust Enumeration 281
Modify Smart Card Settings 283
Set the Interval for Checking the Status of a Domain 283
Set the Interval for Caching an Unknown Domain 283
lsass Cache Settings 283
Set the Cache Type 284
Cap the Size of the Memory Cache 284
Change the Duration of Cached Credentials 285
Change NSS Membership and NSS Cache Settings 285
eventlog Settings 287
Allow Users and Groups to Delete Events 287
Allow Users and Groups to Read Events 288
Allow Users and Groups to Write Events 288
Set the Maximum Disk Size 288
Set the Maximum Number of Events 289
Set the Maximum Event Timespan 289
Change the Purge Interval 289
netlogon Settings 290
Set the Negative Cache Timeout 290
Set the Ping Again Timeout 291
Set the Writable Rediscovery Timeout 291
Set the Writable Timestamp Minimum Change 291
Set CLdap Options 292
lwio Settings 292
Sign Messages If Supported 292
Enable Security Signatures 293
Require Security Signatures 293
Set Support for SMB2 293
Lwedsplugin Settings for Mac Computers 294
IV. Troubleshooting 296
Troubleshooting Domain-Join Problems 297
Top 10 Reasons Domain-Join Fails 297
Generate a Domain-Join Log 298
Solve Domain-Join Problems 298
Verify that the Name Server Can Find the Domain 298
Make Sure the Client Can Reach the Domain Controller 298
Check DNS Connectivity 299
Make Sure nsswitch.conf Is Configured to Check DNS for Host Names 299
Ensure that DNS Queries Use the Correct Network Interface Card 299
Determine If DNS Server Is Configured to Return SRV Records 299
Make Sure that the Global Catalog Is Accessible 299
Verify that the Client Can Connect to the Domain on Port 123 300
FreeBSD: Run ldconfig If You Cannot Restart Computer 300
Ignore Inaccessible Trusts 300
Resolving Common Error Messages 302
Configuration of Krb5 302
Chkconfig Failed 302
Replication Issues 303
Diagnose NTP on Port 123 303
Output When There Is No NTP Service 304
Turn off Apache to Join a Domain 305
Troubleshooting the PBIS Agent 306
PBIS Services 306
Check the Status of the Authentication Service 307
Check the Status of the DCE/RPC Service 307
Check the Status of the Network Logon Service 308
Check the Status of the Input-Output Service 308
Restart the Authentication Service 308
Restart the DCE/RPC Service 309
Restart the Network Logon Service 309
Restart the Input-Output Service 309
Logging 310
Temporarily Change the Log Level and Target for a Service 312
Generate a Directory Service Log on a Mac 313
Generate a Network Trace 314
Basic Troubleshooting 314
Check the Version and Build Number 314
Determine a Computer's FQDN 315
Make Sure Outbound Ports Are Open 316
Check the File Permissions of nsswitch.conf 316
Configure SSH After Upgrading It 317
Upgrading an Operating System 317
Accounts 317
Allow Access to Account Attributes 317
User Settings Are Not Displayed in ADUC 318
Resolve an AD Alias Conflict with a Local Account 319
Fix the Shell and Home Directory Paths 320
Troubleshoot with the Get Status Command 321
Troubleshoot User Rights with Ldp.exe and Group Policy Modeling 322
Fix Selective Authentication in a Trusted Domain 326
Cache 327
Clear the Authentication Cache 327
Clear a Corrupted SQLite Cache 328
PAM 329
Dismiss the Network Credentials Required Message 329
Generate a PAM Debug Log 329
OS-Specific Troubleshooting 330
Red Hat and CentOS 330
Ubuntu 332
SUSE Linux Enterprise Desktop (SLED) 333
AIX 334
FreeBSD 334
Solaris 335
Mac OS X 336
Troubleshooting Logon Issues 338
Solve Logon Problems from Windows 338
Solve Logon Problems on Linux or Unix 339
Make Sure You Are Joined to the Domain 339
Check Whether You Are Using a Valid Logon Form 339
Clear the Cache 339
Destroy the Kerberos Cache 339
Check the Status of the PBIS Authentication Service 340
Check Communication between the PBIS Service and AD 340
Verify that PBIS Can Find a User in AD 340
Make Sure the AD Authentication Provider Is Running 341
Run the id Command to Check the User 342
Switch User to Check PAM 342
Test SSH 343
Run the Authentication Service in Debug Mode 343
Check nsswitch.conf 343
On HP-UX, Escape Special Characters at the Console 343
Additional Diagnostic Tools 343
Troubleshooting SSH SSO Problems 344
Use NT4-style Credentials and Escape the Slash Character 344
Perform General Logon Troubleshooting 344
Get an SSH Log 344
After an Upgrade, Reconfigure SSH for PBIS 345
Verify that Port 22 Is Open 345
Make Sure PAM Is Enabled for SSH 345
Make Sure GSSAPI Is Configured for SSH 347
Check the Configuration of SSH for SSO 347
Platform-Specific Issues 349
Troubleshooting Kerberos 356
Fix a Key Table Entry-Ticket Mismatch 356
Fix a KRB Error During SSO in a Disjoint Namespace 357
Eliminate Logon Delays When DNS Connectivity Is Poor 358
Eliminate Kerberos Ticket Renewal Dialog Box 359
Troubleshooting Single Sign-on and Kerberos Authentication 359
Troubleshooting the PBIS Database 364
Check the Endpoints 364
Check the Collector 366
Check the Database 368
Troubleshooting Checklists 369
Switching Between Databases 370
Contact Technical Support 373
Before Contacting Technical Support 373
Contacting Support 375

I. Preparing for PBIS Deployment
This section of the Installation and Administration Guide provides detailed information on PBIS features, including:
• Introduction to PBIS
• PBIS Feature Review
• Planning Your Installation and Deployment

Introduction to PBIS Enterprise
PowerBroker Identity Services Enterprise Edition connects Linux, Unix, and Mac OS X computers to Microsoft Active Directory so you can centrally manage all your computers and users from a single identity management system.
This guide describes how to install and manage PowerBroker Identity Services Enterprise Edition. The target audience is system administrators who manage access to workstations, servers, and applications with Active Directory.
The guide assumes that you know how to administer computers, users, and Group Policy settings in Active Directory and that you know how to manage computers running Unix, Linux, and Mac OS X.
PBIS Overview
PBIS Enterprise is installed on a Windows administrative workstation connected to a domain controller so you can set user identifiers and group identifiers in Active Directory Users and Computers. Once the UIDs and GIDs are set, the PBIS agent uses the identifiers to authenticate users and groups and to control access to computers and applications.
PBIS Enterprise includes additional features:
• Apply policy settings to Unix computers from the Microsoft Group Policy Management Console (GPMC), including policy settings based on the Gnome GConf project to define desktop and application preferences for Linux computers.
• Integrates Apple's Workgroup Manager with the Group Policy Management Editor (or Group Policy Object Editor) to apply managed client settings to Mac OS X computers with Group Policy Objects (GPOs).
• Generate a range of reports to help improve regulatory compliance. The result: lower operating costs, better security, enhanced compliance.
• PBIS provides graphical tools to manage Linux and Unix information in Active Directory. However, it can be useful to access and modify the information programmatically. For this purpose, PBIS provides scripting objects that can be used by any programming language that supports the Microsoft Component Object Model, or COM. The scripting objects provide dual interfaces that can be used by languages that use COM early binding, such as C++ and C#, and by languages that use IDispatch, such as VBScript and JScript.
PBIS Open Edition
PBIS Open Edition is available as a free and open source version of PowerBroker Identity Services. PBIS Open authenticates domain users with the highly secure Kerberos 5 protocol by hashing their security identifiers from Active Directory.
PBIS Open does not, however, process user identifiers or group identifiers even if they are set in Active Directory. For more information, visit the BeyondTrust website.
PBIS Components
There are two installation packages that you need to install PBIS:
• PBIS management tools for Active Directory, which you install on a Windows computer that connects to an Active Directory domain controller.
• PBIS agent, which you install on a Linux, Unix, or Mac computer to connect it to Active Directory.
Component | Function
Agent
• Runs on a Linux, Unix, or Mac OS X computer to connect it to Active Directory with the PBIS command-line interface or GUI. See Join Active Directory from the Command Line. PBIS Open is an open-source version of the agent that is available for free at www.beyondtrust.com.
• Communicates with an Active Directory domain controller to authenticate and authorize users and groups with the PBIS Identity Service. See Log On with AD Credentials.
• Pulls and refreshes policy settings by using the Group Policy service, which is included only with the PBIS Enterprise agent.
Enterprise Console
• Runs on a Windows administrative workstation that connects to an Active Directory domain controller to help manage Linux, Unix, and Mac OS X computers in Active Directory.
• Migrates users, checks status, and generates reports.
MMC Snap-Ins for ADUC and GPME
• Extends Active Directory Users and Computers to include Unix and Linux users.
• With PBIS Enterprise, it also extends the Group Policy Management Editor (or Group Policy Object Editor) and the Group Policy Management Console (GPMC) to include Linux, Unix, and Mac OS X Group Policy settings as well as a way to target them at specific platforms.
Cell Manager
• A snap-in for the Microsoft Management Console to manage cells associated with Active Directory Organizational Units.
Reporting Database
• Stores security events and access logs for compliance reports.
Operations Dashboard
• The PBIS Operations Dashboard is a management application, or plug-in, for the BeyondTrust Management Console. The dashboard retrieves information from the PBIS reporting database to display authentication transactions, authorization requests, network events, and other security events that take place on PBIS clients.
Task Road Map
To | See
Set up and test a trial version of PBIS Enterprise in a networked test environment. | PowerBroker Identity Services Evaluation Guide
Install the BeyondTrust Management Console and the PBIS management tools on a Windows workstation in a production environment. | Install the Enterprise Console
Determine the storage mode. | Storage Modes
Find out how to use a container, known as a PowerBroker cell, to manage PBIS clients and Unix settings in AD. | PowerBroker Cells
Create a cell in AD for Unix settings, such as a UID, so an AD user can log on a PBIS client. | Create a Cell in AD
Provide AD users and groups with access to Linux, Unix, and Mac computers. | Managing Users, Groups, and Computers
Install the PBIS agent on a Linux, Unix, or Mac OS X computer. | Install the Agent
Connect a computer running PBIS to Active Directory. | Join Active Directory from the Command Line
Troubleshoot problems joining a domain. | Troubleshooting Domain-Join Problems
Log on a PBIS client with an Active Directory user account. | Log On with AD Credentials
Troubleshoot logon problems. | Troubleshooting Logon Problems
Use Cell Manager to administer PowerBroker cells in AD. | Administering Cells with Cell Manager
Apply Group Policy settings to Linux, Unix, and Mac computers. | PowerBroker Identity Services Group Policy Administration Guide
Use Workgroup Manager to apply managed client settings (MCX) to Mac computers as Group Policy Objects (GPOs). | PowerBroker Identity Services Group Policy Administration Guide
Install the PBIS reporting and auditing components, including the PBIS database. | Configuring the PBIS Reporting System
Find information about PBIS commands and command-line utilities for Linux, Unix, and Mac. | Command-Line Reference
Change the local settings on a PBIS client. | Configuring the PBIS Agent
Monitor security events with the event log. | Monitoring Events with the Event Log
Configure PBIS clients for single sign-on. | Using PBIS for Single Sign-On
Migrate Unix or NIS users to Active Directory. | Migrating Users to Active Directory
Migrate a user profile on a Mac from a local user account to the home directory specified for the user in Active Directory. | Migrate a User Profile on a Mac
Set up Samba to authenticate users with PBIS Enterprise. | PowerBroker Identity Services Samba Integration Guide
Install and use PBIS Open. | PBIS Open Installation and Administration Guide
View a list of documents for all PBIS products. | Documentation Library
PBIS Feature Review
The following sections provide details on PBIS features.
PBIS Agent
The PowerBroker Identity Services (PBIS) agent is installed on a Linux, Unix, or Mac OS X computer to connect it to Microsoft Active Directory and to authenticate users with their domain credentials.
The agent integrates with the core operating system to implement the mapping for any application, such as the logon process (/bin/login), that uses the name service (NSS) or pluggable authentication module (PAM). As such, the agent acts as a Kerberos 5 client for authentication and as an LDAP client for authorization. In PBIS Enterprise, the agent also retrieves Group Policy Objects (GPOs) to securely update local configurations, such as the sudo file.
The following topics provide more information about the PBIS agent, also known as the PBIS client software.
Services
Prior to PowerBroker Identity Services 6.5, the agent was composed of separate daemon processes (with various dependencies between them), and each was started in sequence by the operating system at boot up. In PowerBroker Identity Services 6.5, the daemons have been replaced by libraries loaded by the service manager daemon (/opt/pbis/sbin/lwsmd). Beginning in version 6.5, the service lsass replaces the daemon lsassd.
At boot time, the operating system is configured to start the service manager daemon. It is then instructed by the operating system (with the command /opt/pbis/bin/lwsm autostart) to start all desired services. The service manager daemon keeps track of which services have already been started and sees to it that all services are started and stopped in the appropriate order.
PBIS Open and PBIS Enterprise
Both the PBIS Open agent and the PBIS Enterprise agent are composed of the service manager daemon (/opt/pbis/sbin/lwsmd) and include the following services:

lsass
  Description: Handles authentication, authorization, caching, and idmap lookups. You can check its status or restart it. To view the lsass architecture, see the diagram following the tables.
  Dependencies: netlogon, lwio, rdr, lwreg. Usually eventlog (can be disabled after installation). Sometimes dcerpc (can be enabled after installation for registering TCP/IP endpoints of various services).

netlogon
  Description: Detects the optimal domain controller and global catalog and caches them.
  Dependencies: lwreg

lwio
  Description: An input-output service that is used to communicate through DCE-RPC calls to remote computers, such as during domain join and user authentication.
  Dependencies: lwreg

rdr
  Description: A redirector that multiplexes connections to remote systems.
  Dependencies: lwio, lwreg

dcerpc
  Description: Handles communication between Linux, Unix, and Mac computers and Microsoft Active Directory by mapping data to endpoints. By default, it is disabled.
  Dependencies: none listed

eventlog
  Description: Collects and processes data for the local event log. Can be disabled.
  Dependencies: none listed

lwreg
  Description: The registry service that holds configuration information both about the services and information provided by the services.
  Dependencies: none listed

reapsysl
  Description: The syslog reaper that scans the syslog for events of interest and records them in the event log.
  Dependencies: eventlog

usermonitor
  Description: The user monitor service scans the system for changes to users, groups, and authorization rights and records the changes in the event log.
  Dependencies: lsass, eventlog
PBIS Enterprise Only
Additionally, PBIS Enterprise also includes the following services to apply Group Policy settings, handle smart cards, and monitor security events:

gpagent
  Description: Pulls Group Policy Objects (GPOs) from Active Directory and applies them to the computer.
  Dependencies: lsass, netlogon, lwio, rdr, lwreg, eventlog

eventfwd
  Description: Forwards events from the local event log to a remote computer.
  Dependencies: eventlog

lwsc
  Description: Smart card service.
  Dependencies: lwpkcs11

lwpkcs11
  Description: Aids lwsc by supporting the PKCS#11 API.
  Dependencies: none listed

Figure 1. LSASS Architecture
PBIS Input-Output Service
The lwio service multiplexes input and output by using SMB1 or SMB2. The service's plugin-based architecture includes several drivers, the most significant of which is coded as rdr, the redirector.
The redirector multiplexes CIFS/SMB connections to remote systems. For instance, when two different processes on a local Linux computer need to perform input-output operations on a remote system by using CIFS/SMB, with either the same identity or different identities, the preferred method is to use the APIs in the lwio client library, which routes the calls through the redirector. In this example, the redirector maintains a single connection to the remote system and multiplexes the traffic from each client by using multiplex IDs.
The input-output service plays a key role in the PBIS architecture because PBIS uses DCE/RPC (Distributed Computing Environment/Remote Procedure Calls). DCE/RPC uses SMB: thus, the DCE-RPC client libraries use the PBIS input-output client library, which in turn makes calls to lwio with Unix domain sockets.
When you join a domain, for example, PBIS uses DCE-RPC calls to establish the machine password. The PBIS authentication service periodically refreshes the machine password by using DCE-RPC calls. Authentication of users and groups in Active Directory takes place with Kerberos, not RPC.
The following data-flow diagram shows how systems interact when you join a domain.
In addition, when a joined computer starts up, the PBIS authentication service enumerates Active Directory trusts by using DCE-RPC calls that go through the redirector. With one-way trusts, the authentication service uses RPC to look up domain users, groups, and security identifiers. With two-way trusts, lookup takes place through LDAP, not RPC.
Because the authentication service registers trusts only when it starts up, you should restart lsass with the PBIS Service Manager after you modify a trust relationship.
The PBIS Group Policy agent also uses the input-output client library and the redirector when it copies files from the sysvol share of a domain controller.
To troubleshoot remote procedure calls that go through the input-output service and its redirector, use a Wireshark trace or a TCP dump to capture the network traffic. Wireshark, a free open-source packet analyzer, is recommended.
PAM Options
PowerBroker Identity Services uses three standard PAM options:
• try_first_pass
• use_first_pass
• use_authtok
Additionally, there are three non-standard options to the PAM configuration on some systems:
• unknown_ok: Allows local users to continue down the stack (first line succeeds but second line fails) while blocking domain users who do not meet group membership requirements.
• remember_chpass: On AIX systems, which have both PAM and LAM modules, remember_chpass prevents the AIX computer from trying to change the password twice and prompting the user twice.
• set_default_repository: On Solaris systems, the set_default_repository option is used to make sure password changes work as expected.
Managing the PBIS Services
Using the PBIS Service Manager, you can:
• Track and troubleshoot all the PBIS services with a single command-line utility. For example, check the status of the services, view their dependencies, and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the correct order.
• Use the service manager to set the logging destination and the log level.
To list the status of the services, run the following command with superuser privileges at the command line:
/opt/pbis/bin/lwsm list
Example:
[root@bvt-rhe55-32s ~]# /opt/pbis/bin/lwsm list
lwreg        running (container: 4916)
dcerpc       stopped
eventfwd     stopped
eventlog     running (container: 4929)
gpagent      stopped
lsass        running (container: 4963)
lwio         running (container: 4951)
lwpkcs11     stopped
lwsc         stopped
netlogon     running (container: 4941)
rdr          running (io: 4951)
reapsysl     running (container: 4978)
usermonitor  stopped
[root@bvt-rhe55-32s ~]#
After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with superuser privileges. This example refreshes the lsass service:
/opt/pbis/bin/lwsm refresh lsass
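A health check an administrator can run over the output of `lwsm list`, using the dependency tables above. This is an added example, not a PBIS tool; the REQUIRED set (the services a joined client needs for AD logon) is an assumption, and the sample output is constructed to mirror the page's example with netlogon deliberately stopped.

```python
"""Health check over the output of /opt/pbis/bin/lwsm list.

Added example (not a PBIS tool): parses the service listing, then flags
a required service that is not running and a running service whose
declared dependency is not running. DEPENDENCIES is taken from the
service tables on this page; REQUIRED is an assumption.
"""
import re

# Dependencies as listed in the service tables on this page. The optional
# eventlog and dcerpc dependencies of lsass are left out on purpose.
DEPENDENCIES = {
    "lsass": {"netlogon", "lwio", "rdr", "lwreg"},
    "netlogon": {"lwreg"},
    "lwio": {"lwreg"},
    "rdr": {"lwio", "lwreg"},
    "dcerpc": set(),
    "eventlog": set(),
    "lwreg": set(),
    "reapsysl": {"eventlog"},
    "usermonitor": {"lsass", "eventlog"},
    "gpagent": {"lsass", "netlogon", "lwio", "rdr", "lwreg", "eventlog"},
    "eventfwd": {"eventlog"},
    "lwsc": {"lwpkcs11"},
    "lwpkcs11": set(),
}

# Assumption: the core services a joined client needs for AD logon.
# Sites that depend on Group Policy would add gpagent here.
REQUIRED = {"lwreg", "netlogon", "lwio", "rdr", "lsass"}

# Matches "lsass  running (container: 4963)" as well as "dcerpc stopped";
# the page's example prints the parenthesis without spaces, so both forms match.
LINE_RE = re.compile(r"^(\w+)\s+(running|stopped)(?:\s*\((\w+):\s*(\d+)\))?\s*$")


def parse_lwsm_list(text):
    """Return {service: (state, container_kind, pid)} from lwsm list output.

    Shell prompt lines such as "[root@host ~]# ..." and blank lines are ignored.
    """
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, state, kind, pid = m.groups()
        services[name] = (state, kind, int(pid) if pid else None)
    return services


def find_problems(services, required=REQUIRED, deps=DEPENDENCIES):
    """Return a list of findings; an empty list means the agent looks healthy."""
    problems = []
    for name in sorted(required):
        state = services.get(name, ("missing", None, None))[0]
        if state != "running":
            problems.append(f"{name}: required service is {state}")
    for name, (state, _kind, _pid) in sorted(services.items()):
        if state != "running":
            continue
        for dep in sorted(deps.get(name, ())):
            dep_state = services.get(dep, ("missing", None, None))[0]
            if dep_state != "running":
                problems.append(f"{name}: running but dependency {dep} is {dep_state}")
    return problems


# Constructed sample output; on a real client replace it with the text from
# `/opt/pbis/bin/lwsm list` (needs root).
SAMPLE = """\
[root@client ~]# /opt/pbis/bin/lwsm list
lwreg        running (container: 4916)
dcerpc       stopped
eventfwd     stopped
eventlog     running (container: 4929)
gpagent      stopped
lsass        running (container: 4963)
lwio         running (container: 4951)
lwpkcs11     stopped
lwsc         stopped
netlogon     stopped
rdr          running (io: 4951)
reapsysl     running (container: 4978)
usermonitor  stopped
"""

if __name__ == "__main__":
    for problem in find_problems(parse_lwsm_list(SAMPLE)):
        print(problem)
```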
PBIS Registry
Configuration information for the services is stored in the PBIS registry. You can access and modify the registry using the registry shell or executing registry commands at the command line.
The registry shell is at /opt/pbis/bin/regshell.
For more information, see Configuring the PBIS Services with the Registry.
Ports and Libraries
The agent includes a number of libraries in /opt/pbis/lib and uses certain ports for outbound traffic. For details about the ports, see Make Sure Outbound Ports Are Open.
To view a data-flow diagram that shows how systems interact when you join a domain, see PBIS Input-Output Service.
Caches and Databases
To maintain the current state and to improve performance, the PBIS authentication service (lsass) caches information about users and groups in memory.
You can change the cache to store the information in a SQLite database. For more information, see lsass Cache Settings.
The PBIS site affinity service, netlogon, caches information about the optimal domain controller and global catalog in the PBIS registry.
The following files are in /var/lib/pbis/db:

registry.db: The SQLite 3.0 database in which the PBIS registry service, lwreg, stores data.
sam.db: Repository managed by the local authentication provider to store information about local users and groups.
lwi_events.db: The database in which the event logging service, eventlog, records events.
lsass-adcache.filedb.FQDN: Cache managed by the Active Directory authentication provider to store user and group information. The file is in /var/lib/pbis/db. In the name of the file, FQDN is replaced by your fully qualified domain name.

Since the default UIDs that PBIS generates are large, the entries made by the operating system in the lastlog file when AD users log in make the file appear to increase to a large size. This is normal and should not cause concern. The lastlog file (typically /var/log/lastlog) is a sparse file that uses the UID and GID of the users as disk addresses to store the last login information. Because it is a sparse file, the actual amount of storage used by it is minimal.
With PBIS Open, you can manage the following settings for your cache by editing the PBIS registry. See Cache Settings in the lsass Branch.
• The Cache Type
• The Size of the Memory Cache
• The Duration of Cached Credentials
• The NSS Membership and NSS Cache Settings
• The Interval for Caching an Unknown Domain
With PBIS Enterprise, you can manage the settings with Group Policy settings; see the PowerBroker Identity Services Group Policy Administration Guide.
Additional information about a computer's Active Directory domain name, machine account, site affinity, domain controllers, forest, the computer's join state, and so forth is stored in the PBIS registry. Here is an example of the kind of information that is stored under the Pstore key and the netlogon key:
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\EXAMPLE.COM\Pstore]
"ClientModifyTimestamp"=dword:4b86d9c6
"CreationTimestamp"=dword:4b86d9c6
"DomainDnsName"="EXAMPLE.COM"
"DomainName"="EXAMPLE"
"DomainSID"="S-1-5-21-3190566242-1409930201-3490955248"
"HostDnsDomain"="example.com"
"HostName"="RHEL5D"
"MachineAccount"="RHEL5D$"
"SchannelType"=dword:00000002
[HKEY_THIS_MACHINE\Services\netlogon\cachedb\example.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="example.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.example.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="example.com"
"DcInfo-LMToken"=dword:0000ffff
"DcInfo-NetBIOSDomainName"="EXAMPLE"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-NTToken"=dword:0000ffff
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DcInfo-Version"=dword:00000005
"DnsDomainName"="example.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""
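When reviewing a joined client (for example during an incident), the Pstore and netlogon keys above tell you which machine account was used, which domain controller the client trusted, and when. The following added example (not PBIS code) parses the registry export format shown above and decodes the timestamps and the domain GUID. Assumption, not stated by the page: the *Timestamp, LastDiscovered and LastPinged values are Unix epoch seconds, with hex: byte lists stored little-endian; the export text is constructed from the values on this page.

```python
"""Decode the Pstore and netlogon cache entries from a PBIS registry export.

Added example, not PBIS code. Assumption: timestamps are Unix epoch seconds,
dword values are printed as big-endian hex and hex: byte lists are
little-endian (the 2010 dates this yields are consistent with the document).
"""
import re
import uuid
from datetime import datetime, timezone

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_value(raw):
    """Decode one value: "text" -> str, dword:hex -> int, hex:a,b,.. -> bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        parts = [p.strip() for p in raw[len("hex:"):].split(",") if p.strip()]
        return bytes(int(p, 16) for p in parts)
    raise ValueError(f"unrecognised value syntax: {raw}")


def parse_export(text):
    """Return {key_path: {value_name: decoded_value}}.

    A hex: byte list that wraps onto the next line is joined back onto
    the value it belongs to before decoding.
    """
    result, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current, pending = m.group(1), None
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m:
            pending, raw = m.groups()
            result[current][pending] = raw
        elif pending:
            result[current][pending] += line  # continuation of a wrapped hex: list
    for values in result.values():
        for name in values:
            values[name] = parse_value(values[name])
    return result


def epoch_to_iso(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def le_bytes_to_iso(b):
    """Little-endian 64-bit epoch seconds (the LastDiscovered/LastPinged layout)."""
    return epoch_to_iso(int.from_bytes(b, "little"))


def guid_from_bytes(b):
    """AD stores GUIDs in mixed-endian (bytes_le) order."""
    return str(uuid.UUID(bytes_le=b))


def summarize(export):
    """Pull the facts an incident responder wants from the two keys."""
    pstore = next(v for k, v in export.items() if k.endswith("\\Pstore"))
    cache = next(v for k, v in export.items() if "\\netlogon\\cachedb\\" in k)
    return {
        "machine_account": pstore["MachineAccount"],
        "domain_sid": pstore["DomainSID"],
        "join_record_modified": epoch_to_iso(pstore["ClientModifyTimestamp"]),
        "dc": cache["DcInfo-DomainControllerName"],
        "dc_address": cache["DcInfo-DomainControllerAddress"],
        "domain_guid": guid_from_bytes(cache["DcInfo-DomainGUID"]),
        "last_discovered": le_bytes_to_iso(cache["LastDiscovered"]),
        "last_pinged": le_bytes_to_iso(cache["LastPinged"]),
    }


# Constructed from the export shown on this page (subset of the values).
SAMPLE_EXPORT = r'''
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\EXAMPLE.COM\Pstore]
"ClientModifyTimestamp"=dword:4b86d9c6
"CreationTimestamp"=dword:4b86d9c6
"DomainSID"="S-1-5-21-3190566242-1409930201-3490955248"
"HostName"="RHEL5D"
"MachineAccount"="RHEL5D$"
"SchannelType"=dword:00000002
[HKEY_THIS_MACHINE\Services\netlogon\cachedb\example.com-0]
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerName"="w2k3-r2.example.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,
95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
'''

if __name__ == "__main__":
    for name, value in summarize(parse_export(SAMPLE_EXPORT)).items():
        print(f"{name:22} {value}")
```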
Time Synchronization
For the PBIS agent to communicate over Kerberos with the domain controller, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. (For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Clock-Skew.html.)
The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the domain controller's Kerberos key distribution center that determines the maximum clock skew. Since changing the maximum clock skew in a client's krb5.conf file does not affect the clock skew tolerance of the domain controller, the change will not allow a client outside the domain controller's tolerance to communicate with it.
The clock skew value that is set in the /etc/pbis/krb5.conf file of Linux, Unix, and Mac OS X computers is useful only when the computer is functioning as a server for other clients. In such cases, you can use a PBIS Group Policy setting to change the maximum tolerance; for more information, see Set the Maximum Tolerance for Kerberos Clock Skew in the PowerBroker Identity Services Group Policy Administration Guide.
The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew are discarded. When the server receives an authentication request within the clock skew, it checks the replay cache to make sure the request is not a replay attack.
Using a Network Time Protocol Server
If you set the system time on your computer with a Network Time Protocol (NTP) server, the time value of the NTP server and the time value of the domain controller could exceed the maximum skew. As a result, you will be unable to log on your computer.
If you use an NTP server with a cron job, there will be two processes trying to synchronize the computer's time, causing a conflict that will change the computer's clock back and forth between the time of the two sources.
It is recommended that you configure your domain controller to get its time from the NTP server and configure the domain controller's clients to get their time from the domain controller.
Automatic Detection of Offline Domain Controller and Global Catalog
The PBIS authentication service, lsass, manages site affinity for domain controllers and global catalogs and caches the information with netlogon. When a computer is joined to Active Directory, netlogon determines the optimum domain controller and caches the information.
If the primary domain controller goes down, lsass automatically detects the failure and switches to another domain controller and another global catalog within a minute.
However, if another global catalog is unavailable within the forest, the PBIS agent will be unable to find the Unix and Linux information of users and groups. The PBIS agent must have access to the global catalog to function. Therefore, it is recommended that each forest has redundant domain controllers and redundant global catalogs.
UID-GID Generation in PowerBroker Cells
In PBIS Enterprise, you can set the UIDs and GIDs that you want.
• Using PowerBroker cells, set multiple UID and GID values for a given user based on OU membership. (PowerBroker cells, available only in PBIS Enterprise, provide a method for mapping Active Directory users and groups to UIDs and GIDs.)
• You can also set PBIS Enterprise to automatically generate UID and GID values sequentially.
In PBIS Open, a UID and GID are generated by hashing the user or group's security identifier (SID) from Active Directory. With PBIS Open, you do not need to change Active Directory. A UID and GID stay the same across host machines. With PBIS Open, you cannot set UIDs and GIDs for Linux and Unix in Active Directory.
If your Active Directory relative identifiers (RIDs) are a number greater than 524,287, the PBIS Open algorithm that generates UIDs and GIDs can result in UID-GID collisions among users and groups. In such cases, it is recommended that you use PBIS Enterprise or the PBIS UID-GID management tool.
The PBIS Open algorithm is the same in all versions of PBIS. If you are running PBIS v5.x on one computer and v6.0 or later on another computer, each user and group should have the same UID and GID on both computers.
Note: If you have UIDs and GIDs defined in Active Directory, PBIS Open will not use those UIDs and GIDs.
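The RID limit of 524,287 is 2^19 - 1, which is why RIDs above it can collide: only 19 bits of the RID survive in the generated id. The following added example is an illustrative model of that property, not the PBIS Open algorithm itself (the page does not publish the hash); the 12-bit domain hash and 19-bit RID field are assumptions chosen to reproduce the stated limit, and the SIDs are constructed from the domain SID shown in the registry example above.

```python
"""Illustrative model of SID-hashed UID generation and the 524,287 RID limit.

Added example, not the PBIS Open algorithm. Model: id = (12-bit hash of
the domain SID) << 19 | (RID & 0x7FFFF), giving a stable 31-bit id that is
identical on every host but loses RID bits above 2^19 - 1. The bit widths
are an assumption made to reproduce the limit stated on this page.
"""
import hashlib

RID_BITS = 19
RID_MASK = (1 << RID_BITS) - 1          # 524,287: the limit the page states
DOMAIN_BITS = 12
DOMAIN_MASK = (1 << DOMAIN_BITS) - 1


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def domain_hash(domain_sid):
    """Deterministic 12-bit value for a domain SID (constructed: SHA-256 prefix)."""
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:2], "big") & DOMAIN_MASK


def sid_to_id(sid):
    """Model id: same on every host, because it depends only on the SID."""
    domain_sid, rid = split_sid(sid)
    return (domain_hash(domain_sid) << RID_BITS) | (rid & RID_MASK)


def rid_is_safe(rid):
    """True when the RID fits in the RID field without truncation."""
    return rid <= RID_MASK


def find_collisions(sids):
    """Group SIDs that map to the same id; only colliding groups are returned."""
    by_id = {}
    for sid in sids:
        by_id.setdefault(sid_to_id(sid), []).append(sid)
    return {uid: group for uid, group in by_id.items() if len(group) > 1}


# Constructed sample using the domain SID from the registry example on this page.
DOMAIN = "S-1-5-21-3190566242-1409930201-3490955248"
SAMPLE_SIDS = [
    f"{DOMAIN}-1106",                      # ordinary user
    f"{DOMAIN}-{1106 + (1 << RID_BITS)}",  # RID 525,394: above the limit, collides with 1106
    f"{DOMAIN}-1107",
]

if __name__ == "__main__":
    for sid in SAMPLE_SIDS:
        rid = split_sid(sid)[1]
        status = "ok" if rid_is_safe(rid) else "above limit"
        print(f"{sid} -> {sid_to_id(sid)} (RID {rid}: {status})")
    print("collisions:", find_collisions(SAMPLE_SIDS))
```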
Cached Credentials
Both PBIS Open and PBIS Enterprise cache credentials so users can log on when the computer is disconnected from the network or Active Directory is unavailable.
Trust Support
The PBIS agent supports the following Active Directory trusts:

Trust Type | Transitivity | Direction | PBIS Default Cell Support | PBIS Non-Default Cell Support (Named Cells)
Parent and child | Transitive | Two-way | Yes | Yes
External | Nontransitive | One-way | No | Yes
External | Nontransitive | Two-way | No | Yes
Forest | Transitive | One-way | No | Yes
Forest | Transitive | Two-way | Yes: must enable default cell in both forests. | Yes
There is information on the types of trusts at http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx.
Notes on Trusts
The following is general information about working with trusts.
• You must place the user or group that you want to give access to the trust in a cell other than the default cell.
• In a two-way forest or parent-child trust, PBIS merges the default cells. When merged, users in one domain can log on computers in another domain, and vice-versa.
• To put a user in a child domain but not the parent domain, you must put the user in a non-default cell, which is a cell associated with an organizational unit.
• If there is a UID conflict across two domains, one domain will be dropped.
• In a cross-forest transitive one- or two-way trust, the root of the trusted forest must have a default cell.
• In a one-way trust in which Forest A trusts Forest B, a computer in Forest A cannot get group information from Forest B, because Forest B does not trust Forest A. The computer in Forest A can obtain group information if the user logs on with a password for a domain user, but not if the user logs on with Kerberos single sign-on credentials. Only the primary group information, not the secondary group information, is obtained.
• To support a 1-way trust without duplicating user accounts, you must use a cell associated with an OU, not a default cell. If Domain A trusts Domain B (but not the reverse) and if Domain B contains all the account information in cells associated with OUs, then when a user from Domain B logs on a machine joined to Domain A, Domain B will authenticate the user and authorize access to the machine in Domain A.
In such a scenario, you should also add a domain user from the trusted domain to an administrative group in the trusting domain so you can manage the trusting domain with the appropriate level of read access to trusted user and group information. However, before you add the domain user from the trusted domain to the trusting domain, you must first add to the trusting domain a group that includes the user because Unix and Linux computers require membership in at least one group and Active Directory does not enumerate a user's membership in foreign groups.
• If you have a network topology in which the "front" domain trusts the "back" domain, and you join a machine to the front domain using a back domain administrator, as in the following example, the attempt to join the domain will fail: domainjoin-cli join front.example.com back\\administrator password. However, the attempt to join the domain will succeed if you use the following nomenclature:
domainjoin-cli join front.example.com [email protected] password
• With PBIS Enterprise, aliased user names are supported in the default cell and in named cells.
Trusts and Cells in PBIS Enterprise
In PBIS Enterprise, a cell contains Unix settings, such as a UID and a GID, for an Active Directory user. When an AD user logs on a PBIS client, PBIS Enterprise searches Active Directory for the user's cell information, and must find it to operate properly. Thus, your AD topology and your trust relationships may dictate where to locate a cell in Active Directory so that your PBIS clients can access their Unix settings.
With a default cell, PBIS searches for a user or group's attributes in the default cell of the domain where the user or group resides. In a multi-domain topology, a default cell must exist in the domain where user and group objects reside in addition to the default cell that exists in the domain to which Unix, Linux, and Mac computers are joined. In a multi-domain topology, then, be sure to create a default cell in each domain.
Ideally, Unix information is stored on the user object in default cell Directory Integrated mode. If the client computer does not have the access rights to read and write the information to the user object, as in an external one-way trust, the Unix information cannot be stored on the user object. It can, however, be stored locally in a named cell, that is, a cell associated with an organizational unit.
Since a named cell can be linked to the default cell, you can store Unix information on the user object in default cell Directory Integrated mode when possible, and otherwise in a named cell that represents the external user. For information about cells, see the chapter on planning your PBIS Enterprise installation and deployment.
Integrating with Samba
PowerBroker Identity Services includes a tool to install the files necessary to use Samba with PBIS. Located in /opt/pbis/bin, the tool is named samba-interop-install. The PowerBroker Identity Services Samba Guide describes how to use the tool to integrate Samba 3.0.25, 3.2.X, or 3.5.X with PBIS Enterprise or PBIS Open.
Supported Platforms
PBIS Open and PBIS Enterprise run on a broad range of Unix, Mac OS X, and Linux platforms. BeyondTrust frequently adds new vendors and distributions. See the BeyondTrust website for the list of supported platforms.
SELinux Support
The PBIS SELinux implementation supports the following operating systems:
• Fedora 13 through Fedora 17
• Red Hat Enterprise Linux version 6
When you install any of these versions, PBIS policies are installed (regardless of whether SELinux is enabled).
All versions of the policy and the source for the policy are available on the workstation after the PBIS RPM is installed.
Appropriate versions of the policy are determined by the logic in the RPM package.
Unsupported Operating Systems
If SELinux is enabled and you are installing to an unsupported operating system (for example, Fedora 12 or Fedora 25), the installation is stopped. You must place SELinux in permissive mode to continue.
• SELinux enabled is only detected with the RPM package.
• SELinux enabled is not detected with the self-extracting installer or domainjoin.
Storage Modes
PBIS has two operating modes: Directory Integrated mode and Schemaless mode.
The modes provide a method for storing Unix and Linux information in Active Directory, including UIDs and GIDs, so that PBIS can map SIDs to UIDs and GIDs and vice versa.
The mapping lets PBIS use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme.
When an AD user logs on a Unix or Linux computer, the PBIS agent communicates with the Active Directory Domain Controller through standard LDAP protocols to obtain the following authorization data:
• UID
• Primary GID
• Secondary GIDs
• Home directory
• Login shell
PBIS uses this information to control the user's access to Unix and Linux resources.
Directory Integrated Mode
Directory Integrated mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information, namely the posixAccount and posixGroup object classes.
For example, the posixAccount and posixGroup object classes include attributes, uidNumber and gidNumber, that PBIS uses for UID and GID mapping. In addition, PBIS uses serviceConnectionPoint objects to store the same information as in Schemaless by using the keywords attribute.
For example, when you create a cell in Directory Integrated mode, PBIS creates a container object, CN=$LikewiseIdentityCell, in the domain root, or in the OU where you created the cell. If the container is created in an OU, which is called a named or non-default cell, the Unix-specific data is stored in CN=Users and CN=Groups in the $LikewiseIdentityCell container object. The objects point to the Active Directory user or group information with a backlinked security identifier.
If the container is created at the level of the root domain, it is known as a default cell. In this case, the Unix-specific data is stored directly in the AD user or group account.
Upgrading Your Schema
You must upgrade your schema if your schema does not comply with RFC 2307. The PBIS Directory Integrated Mode Wizard, which is a tool in the console, can automatically upgrade your schema to comply with RFC 2307. (Windows Server 2003 R2 or later complies with RFC 2307.)
When you use Directory Integrated mode with a schema that already complies with RFC 2307, PBIS does not change the schema, but you still must run the Directory Integrated Mode Wizard to include the RFC 2307 attributes in the global catalog and to index them for faster searches.
For more information, see Run the Directory Integrated Mode Wizard.
Schemaless Mode
In contrast, Schemaless mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the schema. Instead, Schemaless mode uses existing object classes and attributes to store its data.
• To store information about a cell, PBIS creates a container object and stores data in its description attribute.
• To store information about a group or user, PBIS creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.
In Schemaless mode, PBIS uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value. Here is an example of how the keywords attribute name-value pairs can contain Unix and Linux information for an AD user:
uid=
uidNumber=1016
gidNumber=100000
loginShell=/bin/bash
unixHomeDirectory=/home/joe
gecos=
backlink=[securityIdentifierOfUser]
objectClass=CenterisLikewiseUser
In the example, the uid attribute is empty. It is needed only when you want to specify a name alias so that the AD user can log on a computer with something other than his or her AD account name.
In ADSI Edit, the properties for a user look like this:
The keywords attribute is also used to store Linux and Unix group information. Here is an example of how the attribute name-value pairs can contain Unix and Linux information for a group:
backLink=[securityIdentifierOfGroup]
description=
displayName=
gidNumber=100000
objectClass=centerisPBISGroup
When you set an alias for a group, it is stored in the displayName attribute (for the group in the example above, no alias has been set, and thus displayName is empty).
In ADSI Edit, the values of the keywords attribute look like this:
Key Differences
The following table summarizes the differences between modes:

Schemaless mode
  Use case: AD installations that have not migrated to the latest AD schema; administrators are reluctant or unwilling to change the schema. AD installations that use Windows 2000 domain controllers.
  Storage method: PBIS uses the description and the keywords attributes of container and serviceConnectionPoint objects to store Unix and Linux information for users, groups, and cells.

Directory Integrated mode
  Use case: AD installations that comply with RFC 2307, such as Windows Server 2003 R2 or later. Or, administrators who are willing to change the schema to RFC 2307 and to raise the forest functional level to Windows Server 2003. AD installations that do not use Windows 2000 domain controllers.
  Storage method: PBIS uses the Unix- and Linux-specific attributes that are built into the RFC 2307 schema as well as the container object and the keywords attribute.
Pros and Cons of the Modes
Review the following sections on advantages and disadvantages of the modes.
Schemaless Mode: Advantages and Disadvantages
The benefit of using schemaless mode is that it does not require you to upgrade the Active Directory schema. This may be preferable in an environment that places special controls around how Active Directory is managed. This mode is sufficient for use in small deployments, such as a single server or workstation that will be added to a single domain controller.
Advantages of schemaless mode include the following:
• Supports Windows 2000 domain controllers.
• Does not change the current schema. PBIS objects are contained in their own serviceConnectionPoints.
• Does not affect settings in a global manner.
• Does not affect other Unix schema extensions that may be in place.
A disadvantage of schemaless mode is that if you're using third-party software to manipulate AD objects, it will not recognize how PBIS stores data in Active Directory.
Directory Integrated Mode: Advantages and Disadvantages
Directory Integrated mode raises the version of the schema to match that of Windows Server 2003 R2; the schema extensions are added to comply with the standard defined in RFC 2307. These changes are prescribed by Microsoft and are built into Windows Server 2003 R2.
Advantages of Directory Integrated mode include the following:
• Uses indexed searching, which makes lookups faster when there are a large number of UID-GID mappings to process.
• Improves compatibility with other tools.
• Enhances ADSI scripting capabilities.
Drawbacks of Directory Integrated mode include the following:
• Significantly modifies the Active Directory schema in cases where it must be upgraded to RFC 2307. If you are already using the RFC 2307-compliant schema, the schema adds the uid, uidNumber, and gidNumber attributes to the global catalog, which could marginally increase the size of the catalog and might marginally affect performance in a large Active Directory implementation.
• Requires you to raise the forest functional level to at least Windows Server 2003.
Important: If you upgrade your schema to RFC 2307, you cannot roll back the changes.
• Cannot use Directory Integrated mode if you have Windows 2000 domain controllers; you must first upgrade them to at least Windows Server 2003. See http://support.microsoft.com/kb/322692.
There is background information about functional levels at http://technet.microsoft.com/en-us/library/cc738038.aspx and reference information about functional level features at http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx.
PowerBroker Cells
A PowerBroker cell is a container of Unix settings for Active Directory users and groups so they can log on to Linux, Unix, and Mac OS X computers.
Review the details in this section to learn more about how cells work. For more information about creating and managing cells, see Working with Cells.
You can use cells to map a user to different UIDs and GIDs for different computers. In the following screenshot, the example user, Bala, is allowed to access the computers that are in the selected cells:
Types of Cells
There are two types of PowerBroker cells:
• Default cell: A cell associated with a domain or an entire enterprise. In a multi-domain topology, you create a default cell in each domain, and these domain-specific default cells merge into an enterprise-wide default cell.
• Named cell: A cell associated with an organizational unit (OU). Associating cells with OUs is a natural way to organize computers and users.
PBIS lets you define a default cell that handles mapping for computers that are not in an OU with an associated named cell. The default cell for the domain can contain the mapping information for all your Linux and Unix computers. If you are using Directory Integrated mode, various attributes are indexed in the global catalog by using the default cell.
In a multi-domain or multi-forest enterprise, the default cells of the domains merge into a single enterprise-wide default cell where users from each domain can authenticate with their credentials. Users' UID, GID, and other settings are defined separately in each domain, but nothing additional is needed at the domain level to enable the user to authenticate.
Each forest that has a two-way transitive forest trust with the computer's forest is listed in the default cell. Each domain in each forest can opt in to this enterprise-wide default cell by creating a default cell in that domain. Any user who is listed in the default cell in a domain can be seen by the PBIS-enabled operating system of any computer joined to the default cell.
How Cells Are Processed
• PBIS searches Active Directory for cell information
When an Active Directory user logs on to a PBIS client computer, the PBIS agent searches Active Directory for the user's PowerBroker cell information.
The search typically begins at the node where the computer is joined to Active Directory and can extend to all forests that have a two-way transitive trust with the client computer's forest.
• PBIS agent checks the cell type
The PBIS agent determines the OU where the computer is a member and checks whether a named cell is associated with it.
• PBIS agent continues search if no cell found for the OU
If a cell is not associated with the OU, the PBIS agent on the Unix or Linux computer moves up the directory structure, searching the parent and grandparent OUs until it finds an OU that has a PowerBroker cell associated with it.
• Named cell found
If a named cell is found, PBIS searches for a user or group's attributes in the cell associated with the computer.
If an OU with an associated cell is not found, the PBIS agent uses the default cell for the domain to map the user name to UID and GID information.
Default Cell Processing
A default cell is processed differently than a named cell. When processing a default cell, PBIS searches for a user or group's attributes in the default cell of the domain where the user or group resides. For example, a two-domain topology configured with one domain for users and another domain for computers would require two default cells: one default cell in the domain where user and group objects reside, and another default cell in the domain where computer objects are joined.
A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the Group Policy Objects (GPOs) associated with the OU apply to the Linux or Unix computer, but user UID and GID mappings follow the policy of the nearest parent cell or the default cell.
PBIS does not require you to have a default cell, but for PBIS to operate properly you must ensure that the PBIS agent can always find a cell. For more information, see Best Practices for Modes, Cells, and User Rights.
Cell Design
PowerBroker cell technology allows managing overlapping Unix identities in a single Active Directory organization for PBIS Enterprise. Cells work in Directory Integrated or Schemaless mode.
Storing Unix Identities
Cells store Unix identity information separate from other cells. This allows a single user or group to have different names or different numerical ID values (UID or GID) in different environments, all associated with the same AD identity.
This also allows multiple users or groups to have overlapping names or numerical ID values (UID or GID) in separate environments. Each cell requires additional overhead for the standard procedure for account management and for troubleshooting end-user logon issues, because both cases require the additional step of determining which cell the operation must be performed against.
To minimize complexity while allowing the flexibility of cells, it is recommended that you use no more than four cells.
Named Cells
Named Cells store Unix identity information (uid, uidNumber, gidNumber, gecos, unixHomeDirectory, logonShell) in a subcontainer of the organizational unit (OU) which is associated with the cell.
Whether a user exists in the local domain or a trusted domain, the Unix identity information exists in an object in the cell. In other words, a Named Cell can reference users or groups from outside the current AD domain.
Default Cells
Default Cell mode refers to how an AD domain is set up. There is one Default Cell, and it is enterprise-wide. All trusted Microsoft Active Directory Global Catalogs are part of the Default Cell. However, individual AD domains participate in the Default Cell by creating the Default Cell object in the root of those domains.
In Default Cell mode, the Unix identity information is stored in the same OU as the user object that the Unix identity information is related to. This enforces a single Unix identity for a single AD user across the entire enterprise. Therefore, the Default Cell should be viewed as the ultimate authority for Unix information within an enterprise.
Directory Integrated Mode - Default Cell Configurations
In Directory Integrated mode, the Default Cell stores the Unix identity information directly to the user or group object in the same manner as "First Name" (givenName), "Address" (address, city, state), and "Email" (emailAddress) attributes.
Because the Directory Integrated Mode - Default Cell stores the information to the user or group object, existing Identity Management (IDM) products do not need to be modified to provision users for the Default Cell in Directory Integrated Mode. This also allows non-PBIS computers that use the RFC 2307 attributes (such as Network Appliances ONTAPP Filers and EMC Celerra storage devices) to use the same identity information as PBIS Enterprise.
Directory Integrated Mode - Default Cell is the preferred method for all PBIS Enterprise installations. In all cases where Unix identity information can be made to be non-overlapping, the Directory Integrated Mode - Default Cell should be used.
Directory Integrated Mode - Named Cell Configurations
In Directory Integrated mode, Named Cells create objects of class PosixAccount and serviceConnectionPoint, which are linked back to the user or group object associated with the PBIS object.
Directory Integrated Mode - Named Cells are recommended wherever multiple cells beyond the Default Cell are required.
Schemaless Mode Cells
Schemaless mode is deprecated but fully supported.
The PBIS clients determine cell and Schema configuration at startup and re-check this configuration periodically. Because of how the data is stored, migration from a Schemaless Default Cell to a Directory Integrated Mode - Default Cell configuration requires more work, more steps, and more potential risks than any other cell migration.
For migration and long-term support purposes, Schemaless Mode Cells should only be created as Named Cells.
Note: Directory Integrated mode is preferred for the performance benefits and because Microsoft Active Directory is moving towards Directory Integrated Mode by default.
Using Multiple Cells
If you have multiple Unix and Linux computers but are not using a centralized scheme to manage UIDs and GIDs, it is likely that each computer has unique UID-GID mappings. You may also have more than one centralized IMS, such as multiple NIS domains. You can use multiple cells to represent the UID-GID associations that the NIS domain provided, allowing those Unix and Linux users to continue to use their existing UID-GID information while using Active Directory credentials.
When using multiple cells, it can be helpful to identify what Unix and Linux objects each cell represents. For example:
• Individual Unix, Linux, or Mac OS X computers
• A single NIS domain
• Multiple NIS domains (which require multiple cells)
Linking Cells
To provide a mechanism for inheritance and to ease system management, PowerBroker Identity Services can link cells. Users and groups in a linked cell can access resources in the target cell.
For example, if your default cell contains 100 system administrators and you want those administrators to have access to another cell, called Engineering, you do not need to provision those users in the Engineering cell. Instead, link the Engineering cell to the default cell. The Engineering cell will inherit the settings of the default cell.
To ease management, in the Engineering cell you can set any mapping information that should differ from the default cell.
Although you can use linking to create a hierarchy of cells, linking is not transitive.
For example, consider the following linked cells:
- Civil cell linked to Engineering cell
- Engineering cell linked to Default cell
In this scenario, the Civil cell will not inherit the settings of the default cell.
Linking to Multiple Cells
The order of the linked cells controls the search order for UIDs.
Consider the following scenario:
Kathy, a system administrator, has UIDs set in the default cell (100,000) and in the Engineering cell (150,000). In the Civil cell, however, the UID from the Engineering cell must be used to log on to Civil computers.
If the Civil cell is linked to the default cell and the Engineering cell, the order is important. If Engineering does not precede the default cell in the search order, Kathy will be assigned the wrong UID and will be unable to log on to computers in the Civil cell.
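The cell search described under How Cells Are Processed and the linked-cell ordering in the Kathy scenario, modelled as an added example (not BeyondTrust code): the OU chain is walked up to the nearest named cell with the default cell as fallback, then the cell and its linked cells are searched in link order, without following links transitively. The OU names, cell names and UIDs are constructed.

```python
"""Model of how the PBIS agent locates a cell and resolves a user's UID.

Added example, not BeyondTrust code. It reproduces the behaviour the guide
describes: walk up the computer's OU chain to the nearest named cell, fall
back to the default cell, then search the cell and its linked cells in link
order (links are not transitive). DNs, cell names and UIDs are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed topology: OU distinguished name -> named cell associated with it.
NAMED_CELLS: Dict[str, str] = {
    "OU=Civil,OU=Engineering,DC=example,DC=com": "Civil",
    "OU=Engineering,DC=example,DC=com": "Engineering",
}

# Constructed per-cell identity data: cell -> user -> uidNumber.
CELL_UIDS: Dict[str, Dict[str, int]] = {
    "Default":     {"kathy": 100000, "bala": 100001},
    "Engineering": {"kathy": 150000},
    "Civil":       {},  # Civil provisions nobody directly; it relies on links.
}

# Constructed link lists in search order (first cell holding the user wins).
CELL_LINKS: Dict[str, List[str]] = {
    "Civil":       ["Engineering", "Default"],  # Engineering first, as the guide requires
    "Engineering": ["Default"],
    "Default":     [],
}


def find_cell(computer_ou: str, named_cells: Dict[str, str] = NAMED_CELLS) -> str:
    """Return the nearest named cell on the OU chain, or 'Default' if none.

    Walks from the computer's own OU to its parent and grandparent OUs, stopping
    at the domain root (a DN that no longer starts with OU=). Matching is an exact
    string comparison here; real AD DN comparison is case-insensitive.
    """
    dn = computer_ou
    while dn.startswith("OU="):
        if dn in named_cells:
            return named_cells[dn]
        dn = dn.split(",", 1)[1] if "," in dn else ""
    return "Default"


def resolve_uid(
    user: str,
    cell: str,
    cell_uids: Dict[str, Dict[str, int]] = CELL_UIDS,
    cell_links: Dict[str, List[str]] = CELL_LINKS,
) -> Optional[Tuple[str, int]]:
    """Search the cell itself, then its linked cells in the configured order.

    Returns (cell that supplied the UID, uidNumber) or None. Links are not
    transitive: the links of a linked cell are deliberately not followed.
    """
    for candidate in [cell] + cell_links.get(cell, []):
        uid = cell_uids.get(candidate, {}).get(user)
        if uid is not None:
            return candidate, uid
    return None


def main() -> None:
    civil_box = "OU=Lab,OU=Civil,OU=Engineering,DC=example,DC=com"
    cell = find_cell(civil_box)
    print(f"{civil_box} -> cell {cell}")
    for user in ("kathy", "bala"):
        print(f"  {user}: {resolve_uid(user, cell)}")
    # Reversed link order hands Kathy the default-cell UID, the failure the guide warns about.
    wrong_order = {"Civil": ["Default", "Engineering"]}
    print("  kathy with Default linked first:", resolve_uid("kathy", cell, cell_links=wrong_order))


if __name__ == "__main__":
    main()
```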
For information about how to link cells, see Link Cells.
Managing Cells with Cell Manager
PBIS Enterprise includes Cell Manager, a Microsoft Management Console (MMC) snap-in for managing PowerBroker cells associated with Active Directory organizational units.
Using Cell Manager, you can view all of your cells in one place. Cell Manager complements Active Directory Users and Computers by letting you delegate management of a cell.
Cell Manager is automatically installed when you install the BeyondTrust Management Console. For more information, see Manage Cells.
Migrating Users to Active Directory
The BeyondTrust Management Console includes a migration tool to import Linux, Unix, and Mac OS X passwd and group files (typically /etc/passwd and /etc/group) and automatically map their UIDs and GIDs to users and groups defined in Active Directory. The migration tool can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. For more information, see Migrate Users to Active Directory.
Migrating NIS Domains
If you use PBIS to migrate all your Unix and Linux users to Active Directory, in most cases you will assign these users a UID and GID that is consistent across all the Unix and Linux computers that are joined to Active Directory, a simple approach that reduces administrative overhead.
In cases when multiple NIS domains are in use and you want to eliminate these domains over time and migrate all users and computers to Active Directory, mapping an Active Directory user to a single UID and GID might be too difficult. When multiple NIS domains are in place, a user typically has different UID-GID maps in each NIS domain. With PBIS, you can eliminate these NIS domains but retain the different NIS mapping information in Active Directory, because PBIS lets you use a cell to map a user to different UIDs and GIDs depending on the Unix or Linux computer that they are accessing.
To move to Active Directory when you have multiple NIS servers, you can create an OU (or choose an existing OU) and join to the OU all the Unix computers that are connected to the NIS server. You can then use cells to represent users' UID-GID mapping from the previous identity management system.
Finding Orphaned Objects
The BeyondTrust Management Console includes a tool for finding and removing orphaned objects. An orphaned object is a linked object, such as a Unix or Linux UID or GID, that remains in a cell after you delete a group or user's security identifier (SID) from an Active Directory domain. Removing orphaned objects from Active Directory can clean up manually assigned UIDs and improve search speed. For more information, see Find Orphaned Objects.
Planning Your Installation and Deployment
Installation and Provisioning Overview
The installation and deployment process typically proceeds as follows:
1. Make sure your computers meet the installation requirements and then obtain the PowerBroker Identity Services software package from www.beyondtrust.com.
2. Plan your installation, test environment, and production deployment. Make decisions about whether to use PBIS in directory integrated mode or schemaless mode; whether to manage a single forest or multiple forests and to assign UID-GID ranges accordingly; how to configure a PowerBroker cell topology for your unique needs; whether to migrate NIS users and what to do with local user accounts after migration; and whether to use specific cells for aliasing.
3. Before you install the BeyondTrust Management Console, check Active Directory to make sure it is ready for PBIS by meeting our remediation requirements.
4. Install the BeyondTrust Management Console, which includes management tools, on a Windows administrative workstation that you use to manage Active Directory.
5. Optionally, install a reporting database on a Windows administrative workstation connected to a domain controller. The reporting database, which can be either MySQL or SQL Server, stores access information and security events for compliance reports.
6. Use a PBIS wizard to configure your Active Directory domain in either Directory Integrated or Schemaless mode.
7. Configure a cell topology in Active Directory Users and Computers.
8. Optionally use the console's migration tool to migrate Unix and Linux users and groups to Active Directory.
9. Check the system health, or readiness, of your Linux, Unix, and Mac computers before installing the PBIS agent. For example, you must make sure resolv.conf is configured for PBIS.
10. Install the PBIS agent on each Unix, Linux, or Mac OS X computer that you want to join to the Active Directory domain.
11. Join your Unix and Linux computers to an Active Directory domain.
12. Optional. Plan and deploy Group Policy settings to manage your Unix, Linux, and Mac OS X computers in Active Directory.
13. Troubleshoot any deployment issues and optimize the deployment for your unique mixed network.
Planning Your Deployment
The key to a successful deployment is planning. Before you begin deploying PBIS in an enterprise, develop a plan that addresses at least the following aspects of installation and deployment:
• Set up a test environment. It is recommended that you first deploy PBIS in a test environment so that you can identify and resolve any issues specific to your mixed network before you put the system into production.
• Determine whether to use PBIS in Directory Integration or Schemaless mode. When you configure your domain with the PBIS domain configuration wizard, you must choose the mode to use.
Important: Back up Active Directory before you run the PBIS domain configuration wizard.
• Decide whether to configure PBIS to manage a single forest or multiple forests. If you manage multiple forests, the UID-GID range assigned to a forest should not overlap with the range of another forest.
• Determine how you will migrate Linux, Unix, and Mac OS X users to Active Directory. For example, if you are using NIS, decide whether you will migrate those accounts to Active Directory and whether you will migrate local accounts and then delete them or leave them. It is usually recommended that you delete interactive local accounts other than the root account.
• Identify the structure of the organizational units (or cell topology) that you will need, including the UID-GID ranges. If you have multiple NIS servers in place, your users may have different UID-GID maps in each NIS domain. You may want to eliminate the NIS servers but retain the NIS mapping information in Active Directory. To do so, you can use PowerBroker cells.
• Determine whether you will use aliasing. If you plan to use aliasing, you must associate users with a specific PowerBroker cell; you cannot use the default cell.
Best Practices for Modes, Cells, and User Rights
In general, the optimal setup is a Directory Integrated Mode - Default Cell configuration.
Keep the following in mind when considering mode type:
• When Unix identity information does not overlap, use a Directory Integrated Mode - Default Cell configuration.
• If you require multiple cells to keep Unix identities from conflicting, use a Directory Integrated Mode - Named Cells configuration.
Number of Cells
• Try to minimize the number of Named Cells you use, preferably no more than four.
Storage Mode
• Directory Integrated Mode is strongly preferred because lookups use attributes indexed in Active Directory, reducing network traffic and the processing load on domain controllers.
• Because of the performance benefits of Directory Integrated Mode, avoid Schemaless Mode whenever you can. Schemaless mode, however, remains fully supported by PBIS.
Migrating Cells
Migrating from a Schemaless - Default Cell configuration to a Directory Integrated Mode - Default Cell configuration requires more work and is riskier than any other kind of cell migration.
To ease migration in the future and to improve support, create Schemaless mode cells as Named Cells only, that is, cells associated with OUs.
User Rights
Cells are designed only as a method to manage conflicting Unix identities in an environment.
Use the PBIS settings to manage access:
• "Require Membership Of" registry setting
• "Allow Logon Rights" GPO setting
It is strongly recommended that cells not be used for access control (authorization). While technically a cell can be used to limit end-user access to a computer, this is against the design of Active Directory, which allows all users to be "seen" by any joined client, but limits authorization based on other methods.
Pre-stage Unix Computer Accounts
Because PBIS joins the Unix computers to AD with the same API calls as Microsoft Windows uses, the same rights as Windows administrators are required in AD for Unix administrators to join a domain.
Consider pre-staging Unix computer accounts or delegating to Unix system administrators control of the OU where the Unix computers will be joined.
For information on how to delegate control, see Best Practices for Delegating Active Directory Administration.
For information on how to pre-create computer accounts, see Domain Users Cannot Join Workstation or Server to a Domain.
In addition to the recommendations in that article, it is recommended that you delegate read and write access to the following attributes: Operating System, Operating System Version, operatingSystemServicePack, operatingSystemHotFix.
Best Practices for Windows
PowerBroker Identity Services Enterprise Edition supports Windows and Windows Server.
The following topics recommend best practices for using PBIS Enterprise in Windows and Windows Server environments.
PBIS Enterprise Tools Best Practices
The PBIS Enterprise Tools can be installed on either 32-bit or 64-bit Windows or Windows Server operating systems.
• Install PBIS on a management workstation. Domain controllers are not recommended.
• Installing PBIS on a management workstation or on several management workstations is recommended. PBIS authentication architecture installs no services that need to run on a Windows Server. Because of this, administrators can keep Domain Controllers free of non-Microsoft software, and they can maintain these servers with no special considerations for PBIS client computers.
Follow Microsoft Best Practices for Group Policy administration when working with GPOs and PBIS Enterprise (available at http://www.microsoft.com/downloads/details.aspx?FamilyID=237b03af-fa8c-4362-8b03-90c47b9b8be2&DisplayLang=en). For more information about Group Policy, see http://www.microsoft.com/gp.
Installation on 64-bit Windows Management Workstations is supported, but requires special considerations for running tools such as Group Policy Management Console (GPMC) or Active Directory Users and Computers (ADUC).
Active Directory Best Practices
PowerBroker cells provide a means of directly managing Unix identities in Active Directory. PBIS Open does not use cells, but cell support can be purchased. The recommended best practice is to use cells rather than Unprovisioned mode wherever possible.
Reporting Tools Best Practices
PBIS Reporting requires a SQL database and services to collect and forward data.
Database
PBIS Reporting requires a SQL database called the PBIS Enterprise Database (EDB), which can be either MySQL or Microsoft SQL (MSSQL). MSSQL is the preferred database platform for PBIS reporting for the following reasons:
• Fully integrates with AD. Database ownership and rights can be set directly for AD users.
• Supports Integrated Security (which does not require username/password combinations in connection strings).
• MySQL does not support PBIS entitlement reporting.
Database Growth
PBIS Reporting uses approximately 1 MB of space in the EDB for every 1000 records logged.
Best practice for environments with a lot of audit data being captured is to size the database to grow 2 MB per PBIS Enterprise agent per day. Most environments will only grow 1 MB per PBIS agent per day.
Collector Services
PBIS Reporting requires Windows platforms to run the Collector server and Enterprise Database Forwarder. These are the only Windows services that PBIS requires.
Best practice for network design and WAN traffic management is to place the Collector servers closer to the PBIS agents.
To support auditing in case of a Collector failure, the PBIS agents only need to be pointed to a different collector. To support this situation, it is recommended that you build a number of Collector servers equal to or greater than the following formula:
Total Collectors = ((number of PBIS agents) / 400) + 1
Each Collector server will need local storage for the Collector database equal to 10 MB per PBIS agent.
User Monitor for Entitlement Reports
PBIS Enterprise includes a User Monitor service for entitlement reports. This feature is designed to support computers that are critical to regulatory compliance and for which restricted access by only essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of unnecessary audit activity in such a situation and would significantly increase resource requirements, such as for Auditing Database sizing.
PBIS Enterprise includes Group Policy settings for fine-tuning the User Monitor. As a best practice, it is recommended that you do not enable the User Monitor on computers to which more than 100 users can log on or for users who are members of more than 100 PBIS-related groups.
Group Policy Best Practices
The following best practices are recommended for Group Policy.
General Best Practices
• Follow the same best practices for applying Group Policy Objects (GPOs) that Microsoft recommends on TechNet.
• PBIS provides a "Target Platform Filter" that you can use to limit the application of Group Policy to selected operating systems. To simplify troubleshooting across multiple operating systems, avoid heavy use of the PBIS target platform filter for Group Policy settings.
Reporting Best Practices
To use the full functionality of PBIS reporting, follow these best practices:
• Configure all of the "Enable PBIS Auditing" settings in Group Policy.
• Configure the Syslog Auditing policy so that you can obtain a complete picture of audit events across all PBIS agents.
Settings
The New Cell Wizard in the PBIS Console provides the initial best practices for your PBIS Enterprise settings. Those settings not enforced in this initial Group Policy Object have been optimized on the client for each version of PBIS.
PBIS Settings
• Authorization
– Enable use of the Event Log
– Enable user credential refreshing on Workstations
– Disable user credential refreshing on Servers
• Logon
– Disable creation of home directory on NFS mounted home directories
– Disable creation of .k5login on NFS mounted home directories
• Group Policy
– Enable use of the Event Log
• Event Log
– Keep a 90-plus day history in the Event Log
– Set a maximum disk size at 75 MB
– Remove events as needed
• Logging and Audit Settings
– Enable PBIS Auditing in the Syslog settings
Group Policy Object Creation
Many PBIS Enterprise policy settings control specific Unix files, for example the sudoers and Automount policy settings.
When these policy settings are used, it is strongly recommended that the files be created and tested on a Unix computer, then transferred directly to Group Policy using one of the following:
• the gp-admin tool from a Linux computer
• binary transfer to a Windows computer to upload with Group Policy Management Console (GPMC).
As a best practice, never modify these settings on a Windows computer.
Best Practices for Unix, Linux, and Mac OS X
The following are recommended best practices for using PowerBroker Identity Services in Unix, Linux, and Mac OS X environments.
• Any time SSH is upgraded, run the following command to verify the sshd_config file is set up properly to work with PBIS:
domainjoin-cli configure --enable ssh
• After any major upgrade (kernel patch, operating system upgrade, or similar upgrade), rejoin the domain. This will ensure that all OS-specific files are configured properly, and will also update the "operatingSystemVersion" and "operatingSystemServicePack" values in Active Directory so that the PBIS Reporting (or other reporting) system can accurately reflect the environment.
• Apply all vendor patches according to the vendor's schedule.
AIX Best Practices
It is recommended that PAM support be enabled and tested with all client applications prior to installing PBIS. While LAM is supported, PAM authentication provides standardized authentication across all environments, including AIX.
It is recommended that you deprecate the practice of using the su root group in favor of PAM-enabled sudo (available from IBM at http://www.ibm.com/developerworks/aix/library/au-sudo/) for all end users and application owners on the AIX environment, due to difficulties managing the su root group for AD users after PBIS is installed.
Linux Best Practices
The following are best practices for using PBIS with specific Linux variants.
Debian Linux variants (Ubuntu)
Likewise Open 5.4 from Ubuntu repositories should be replaced with the current version of PBIS Open to implement important fixes to the registry.
Red Hat Enterprise Linux variants (CentOS and Fedora)
In RPM-based systems, each package owns its own PAM file, which is written, then updated by the authconfig process. Therefore, whenever authconfig, yum upgrade, or a similar command is run, you should run domainjoin-cli configure --enable pam to ensure that the pam_lsass.so entries are added back into the proper places in the PAM configuration. Of particular note is that in some environments customers schedule a background update from RHN on computers. After this background update is complete, domainjoin-cli configure --enable pam should also be run.
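A post-upgrade check for the condition described above, written as an added example (not part of the guide or of PBIS): it parses a pam.d file and reports which management groups no longer carry a pam_lsass.so entry, which is the signal to re-run domainjoin-cli configure --enable pam. The two PAM configurations are constructed samples, and where PBIS actually places its lines in each stack is not asserted, only their presence.

```python
"""Report PAM stacks that lost their pam_lsass.so entries after an upgrade.

Added example, not part of the guide or of PBIS. On RPM-based systems a package
upgrade or authconfig run can rewrite a PAM service file; this parser shows which
of the four management groups (auth, account, password, session) no longer
reference pam_lsass.so so the administrator knows to re-run
domainjoin-cli configure --enable pam. Both sample files below are constructed.
"""
import re
from typing import Dict, List

PAM_TYPES = ("auth", "account", "password", "session")
PBIS_MODULE = "pam_lsass.so"

# Matches: [-]type  control-or-[bracketed control]  module  [args]
_PAM_LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> List[Dict[str, str]]:
    """Parse pam.d lines into type/control/module/args; comments and blanks skipped."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m:  # e.g. Debian-style "@include common-auth" lines are not stacks
            continue
        entries.append({
            "type": m.group(2).lower(),
            "control": m.group(3),
            "module": m.group(4),
            "args": m.group(5),
        })
    return entries


def stacks_missing_lsass(text: str) -> List[str]:
    """Return the PAM types (in standard order) with no pam_lsass.so entry."""
    present = {e["type"] for e in parse_pam(text) if e["module"].endswith(PBIS_MODULE)}
    return [t for t in PAM_TYPES if t not in present]


# Constructed: what an authconfig/yum rewrite of system-auth can look like.
OVERWRITTEN = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

# Constructed: the same file with pam_lsass.so present in every stack again.
REPAIRED = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_lsass.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     sufficient    pam_lsass.so unknown_ok
account     required      pam_unix.so
password    sufficient    pam_lsass.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_lsass.so
session     required      pam_unix.so
"""

if __name__ == "__main__":
    for name, text in (("overwritten", OVERWRITTEN), ("repaired", REPAIRED)):
        missing = stacks_missing_lsass(text)
        verdict = "re-run domainjoin-cli configure --enable pam" if missing else "ok"
        print(f"{name}: missing {missing or 'none'} -> {verdict}")
```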
Mac OS X Best Practices
All PPC systems should be upgraded to OS X 10.5 or later for several updates to the Apple Directory Service process.
OS X 10.6 systems must be running 10.6.4 or later for several important updates to the Apple Directory Service process.
OS X 10.5 systems must be running 10.5.6 or later for important updates to the Apple Directory Service process.
OS X systems should be rejoined to AD using the PBIS Domain Join plug-in in Directory Utility after any OS X kernel update.
Because OS X Directory Service caches information including negative lookups, it is recommended that you clear the agent cache (ad-cache --delete-all) and reboot a user's Mac after any change to that user's Unix attributes in the PBIS Settings tab.
Solaris Best Practices
Using Solaris 10 U5 or later is recommended. There are many fixes in U2, U4 and U5 for pthreads support, which PBIS uses extensively.
Large Solaris environments should enable only the AD groups required for Unix file/sudo access, because Solaris 10 still has a maximum of 32 groups per user.
Solaris Full Root Zones
It is recommended that you install PBIS on Solaris Zones individually. This gives the Unix administrator the flexibility to upgrade zones individually, separate from the upgrade state of the global zone. Additionally, because the join state is managed on a per-zone basis, the entire PBIS installation can be managed together on each individual zone.
Solaris Sparse Root Zones
Solaris Sparse Root zones should be managed with a "whole system" philosophy. Because certain files are only created in the global zone, when they are upgraded, all child zones should be upgraded at the same time as well. This is handled by the PBIS installer automatically. The join state is still managed individually on each child zone. In cases where all the zones cannot be upgraded simultaneously, the non-upgradable systems must be migrated to a new host.
Unix Applications Best Practices
To achieve best performance for Kerberos SSO, SSH platforms based on OpenSSH 4.3 or later are recommended. Sun Solaris SunSSH 1.2 and HP-UX SSH 2.0 also perform optimally.
For best performance, the PBIS NssEnumerationEnabled setting (config --detail NssEnumerationEnabled) should be set to false, which is the default. However, many applications use the getent() family of functions for PAM-based authentication, particularly getpwent() and getgrent(). For applications that claim PAM support but do not work initially, you may need to set NssEnumerationEnabled to true.
Account Management Best Practices
The following are recommended best practices for managing service accounts, application accounts, and user accounts when using PowerBroker Identity Services in a Unix, Linux, or Mac OS X environment.
Note: Some Unix operating systems may limit how many groups can be nested or of how many groups a user can be a member.
Service Accounts
Any application that runs as a process on a host as a user ID should be run as a local service account. Users should not authenticate as these accounts, but instead should use sudo or a similar process to authenticate as themselves with the authorization to run commands on behalf of the service account.
Application Accounts
Applications that authenticate to another host as a user ID should use an application account based in Active Directory (AD), and managed by your SOP for application and service accounts in AD.
User Accounts
All accounts that can be mapped back to a single person should be based in AD and not exist locally. If there is no account for a person in AD, then the account should be moved to AD.
Best Practices for Operations
The following are recommended best practices for using PowerBroker Identity Services for operations.
SSH Logons
Because PBIS canonicalizes NT4-style and UPN-style logon names to the chosen display method (alias, short, or long name), users should be encouraged to use the same user name on Windows and Unix computers. This provides logon name simplicity for the end user and gives any support personnel a clear knowledge of the specific Active Directory (AD) user in question, as well as the knowledge that the end user is an AD user. End users will still be presented with their alias name once logged in to the server.
Lookups and Configuration
Many Unix applications, such as sudo and chown, look up AD users through the PBIS-provided interfaces. Where possible, the best practice is to configure these applications to use the canonical (displayed or alias) name for all lookups rather than the NT4-style or UPN-style names that PBIS uses.
Operating System Patching and Upgrades
When any Unix operating system is upgraded or patched, it is highly likely that PBIS-related files will be changed. RPM-based Linux systems, for example, overwrite PAM configuration for any package which uses PAM when that package is upgraded. Mac OS X computers often reconfigure the Directory Services subsystem when new OS X kernel patches are applied.
It is recommended that the computer be fully rejoined to the domain after each OS upgrade.
Minor patches that only affect PAM or NSSwitch configuration can be followed with the domainjoin-cli configure command.
In all cases, all OS upgrades and patches should be tested for compatibility with the PBIS configuration changes prior to wide company adoption.
II. Installing and Provisioning PBIS
This section of the Installation and Administration Guide includes the key steps needed to get you up and running using PBIS, including:
• Installing the Management Console
• Running the Initialization Wizard
• Configuring Clients Before PBIS Agent Installation
• Installing the PBIS Agent
• Configuring Clients After PBIS Agent Installation
• Joining an Active Directory Domain
After you initially configure PBIS components, you can manage the properties that you configured. For more information, see Administration.
Installing the Management Console
This section provides information on management console requirements and installing the console.
Requirements
This section lists the requirements to use PBIS Enterprise with Active Directory.
You must have at least the following components:
• An Active Directory domain controller.
• A Windows administrative workstation that is running ADUC and is connected to your Active Directory domain controller.
• One or more Unix or Linux computers running an operating system that PBIS supports, such as versions of Mac OS X, Red Hat, SUSE Linux, Fedora, CentOS, Debian, Sun Solaris, IBM AIX, HP-UX, and Ubuntu. For a complete list of supported platforms, see www.beyondtrust.com.
Requirements for the PBIS agent (the software that runs on the Linux, Unix, and Mac OS X computers that you want to connect to AD) are listed in Installing the Agent.
Microsoft Management Tools
PBIS works with ADUC, GPOE, and GPMC. Ensure that the Microsoft management tools are installed before you install PBIS.
The Microsoft management tools vary by Windows version, but include:
• The Admin Pack for Windows XP and Windows Vista
• The Remote Server Administration Tools (RSAT) for Windows 7 and Windows Server 2008 R2
For Windows 7 and Windows 2008 R2, turn on the following RSAT features. Go to Control Panel, select Programs, and then select Turn Windows features on or off:
• Group Policy Administration Tools
• Active Directory Module for Windows PowerShell
• Active Directory Administrative Center
• AD DS Snap-ins and Command-Line Tools
For more information, see Remote Server Administration Tools for Windows 7 and your Microsoft Windows documentation.
Administrator Privileges
• Root access or sudo permission on the Unix, Linux, and Mac OS X computers that you want to join to the domain.
• Active Directory credentials that allow you to add computers to an Active Directory domain, for example, membership in the Domain Administrators security group or the Enterprise Administrators security group.
Active Directory Requirements
• Windows 2003 SP1 or R2 Standard and Enterprise
• Windows Server 2008
• Windows 2000 SP4 Server
Windows Requirements for the Console
• One of the following operating systems:
– Windows Server 2008 SP1 or R2
– Windows Server 2003 SP1 or R2 (or later), 32-bit version
– Windows 7 Professional
– Windows Vista SP1
– Windows XP Professional, SP3 (requires the Windows Admin Pack)
Note: The 64-bit version of Windows Server 2003 and the 64-bit version of Windows XP are not supported.
• Microsoft .NET 1.1 Framework
• Microsoft .NET 2.0 Framework
• MSXML 6.0 Parser (for displaying reports in the GPMC)
• MMC 3.0 Update
Note: You cannot install MMC 3.0 on a Windows 2000 computer, and thus you cannot install the BeyondTrust Management Console on a Windows 2000 computer.
• 50 MB of free space
Requirements to Run PBIS in Directory Integrated Mode
• Active Directory installations that comply with RFC 2307, such as Windows Server 2003 R2.
• Domain and forest functional levels have been raised to Windows Server 2003 or later.
• No Windows 2000 domain controllers (raising the forest functional level to Windows Server 2003 excludes Windows 2000 domain controllers from the domain).
For more information, see Storage Modes and Pros and Cons of the Modes.
Networking
The subnets with your Linux, Unix, and Mac computers must be added to Active Directory sites before joining the computers to Active Directory so that the PBIS agent can detect the optimal domain controller and global catalog.
Replication
Make sure your AD replication system is up to date and functioning properly by using the following diagnostic tools from http://www.microsoft.com/download to test replication. For instructions, see the Microsoft documentation for each tool.
• DCDiag. Part of Microsoft's support tools for Windows Server 2003, dcdiag.exe should be run with the /v /c /e switches to test all the domain controllers in all your sites.
• FRSDiag. Use the frsdiag.exe tool, available from the Microsoft Resource Kit tools, to check the File Replication Service (FRS).
In addition, the following tools can help you review and troubleshoot FRS problems.
• Sonar. Optionally use it to perform a quick review of FRS status.
• Ultrasound. Optionally use it to monitor and troubleshoot FRS.
• ReplMon. Included in the Microsoft Resource Kit Tools. Use it to investigate replication problems across links where DCDiag showed failures.

Supported Platforms and Applications

Platforms
PBIS supports many Unix, Linux, Mac, and virtualization platforms. For a list, visit www.beyondtrust.com.

Applications
Advanced Group Policy Management (AGPM) Tool
You can use the AGPM tool to manage your GPOs. Any PBIS settings applied to your GPOs will be maintained.

Install the BeyondTrust Management Console
Install the BeyondTrust Management Console on a Windows administrative workstation that can connect to your Active Directory domain controller. It is recommended that you do not install the console on a domain controller.
For instructions on how to use the PBIS metainstaller to install the console and other components, see the PowerBroker Identity Services Evaluation Guide.
Important Note About Upgrading: To upgrade to the latest version of PBIS Enterprise, first uninstall the existing version. Then, before installing the latest version of PBIS Enterprise, install the latest version of GPMC and run Windows Update to make sure your workstation has the latest XML patches.
Checkpoint
– Review the requirements before proceeding with the installation. See Requirements.
– Ensure the account you are using to run the install is a member of the Domain Admins group or the Enterprise Admins group. The account needs privileges to change objects and child objects in Active Directory.
1. Ensure the Microsoft management tools for Active Directory are installed before you install the console. See Microsoft Management Tools.
2. Locate and copy the install file to your Windows workstation: SetupPBIS-*.exe or SetupPBIS64-*.exe. The file name might also contain a version and build number. It is a standard MSI installer.
3. Run SetupPBIS-*.exe or SetupPBIS64-*.exe.
4. Follow the instructions in the installation wizard.
5. Select the PBIS features you want to install.
6. If you do not have MMC 3.0 installed, you are prompted to install it.
7. If you do not have .NET 2.0 installed, you are prompted to install it.
Run the Initialization Wizard
After you run through the management console installation, the initialization wizard starts.
The initialization wizard creates a cell in an Active Directory domain or OU. The cell contains UNIX settings for Active Directory so that a user or group can log on to a Linux, UNIX, or Mac OS X computer.
Checkpoint
– Be sure you are familiar with the following PBIS features so that you choose the correct options for your environment: PowerBroker Cells, Storage Modes.
1. Click Next on the first page.
2. Select the domain where you want to join the Linux, UNIX, or Mac computers.
3. On the Verify Storage Mode page, click Next to use the default storage mode: Directory Integrated mode.
4. On the Select cell location page, select a node in Active Directory or click New OU to create a new Active Directory OU. Click Next.
   If you create an OU here, the cell is a Named cell since it is associated with an OU. If you create a cell at the domain level, then the cell is a default cell.
5. Enter the home directory and login shell information, or use the default values. Click Next.
6. Create a Group Policy Object for the Linux, UNIX, and Mac computers (optional).
7. Enter details in the comment box, and then click Start to create the cell.
Configuring Clients Before PBIS Agent Installation
Before you install the PBIS agent, configure client computers as indicated in the following topics.

Configure nsswitch.conf
Before you attempt to join an Active Directory domain, make sure the /etc/nsswitch.conf file contains the following line:
    hosts: files dns
The hosts line can contain additional information, but it must include the dns entry, and it is recommended that the dns entry appear after the files entry.
Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.
When you use PowerBroker Identity Services with Multicast DNS 4 (mDNS4) and have a domain in your environment that ends in .local, you must place the dns entry before the mdns4_minimal entry and before the mdns4 entry:
    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
The default setting for many Linux systems is to list the mdns4 entries before the dns entry. With that order, mdns4_minimal answers NOTFOUND for any name under .local and the [NOTFOUND=return] action stops the lookup before the dns source is consulted, so PBIS is unable to find the domain.
Important: For PBIS to process changes to your nsswitch.conf file, you must restart the PBIS input-output service (lwio) and the authentication service (lsass). Because lsass depends on lwio, running the following command as root restarts both services:
    /opt/pbis/bin/lwsm restart lwio
For PBIS to work correctly, the nsswitch.conf file must be readable by user, group, and world.
For more information on configuring nsswitch, see the man page for nsswitch.conf.
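The following shell functions are an added example, not part of the PBIS guide: they check an nsswitch.conf file against the rules above (dns present, dns after files, dns before any mdns source, and the file world-readable) so the check can be run before a domain join is attempted. The file path is a parameter; the sample contents used for testing are constructed.

```shell
#!/bin/sh
# Added example: validate the hosts line of an nsswitch.conf file.
# Usage: check_nsswitch_hosts /etc/nsswitch.conf
# Returns 0 when the line is acceptable; prints a reason and returns 1 otherwise.
check_nsswitch_hosts() {
    file="${1:-/etc/nsswitch.conf}"
    # Take the last uncommented "hosts:" line and strip the label.
    line=$(grep '^[[:space:]]*hosts[[:space:]]*:' "$file" | tail -n 1 \
           | sed 's/^[[:space:]]*hosts[[:space:]]*://')
    if [ -z "$line" ]; then
        echo "no hosts: line in $file"; return 1
    fi
    pos=0; files_pos=0; dns_pos=0; mdns_pos=0
    set -f   # "[NOTFOUND=return]" must not be treated as a glob
    for word in $line; do
        pos=$((pos + 1))
        case "$word" in
            files) files_pos=$pos ;;
            dns)   dns_pos=$pos ;;
            mdns4_minimal|mdns4|mdns6_minimal|mdns6|mdns_minimal|mdns)
                if [ "$mdns_pos" -eq 0 ]; then mdns_pos=$pos; fi ;;
        esac
    done
    set +f
    if [ "$dns_pos" -eq 0 ]; then
        echo "hosts line lacks the dns source"; return 1
    fi
    if [ "$files_pos" -gt "$dns_pos" ]; then
        echo "dns should come after files"; return 1
    fi
    if [ "$mdns_pos" -ne 0 ] && [ "$mdns_pos" -lt "$dns_pos" ]; then
        echo "an mdns source is listed before dns; .local domains will never reach AD DNS"
        return 1
    fi
    return 0
}

# nsswitch.conf must be readable by user, group and world for the PBIS
# services to use it. Works with GNU stat (-c) and BSD/macOS stat (-f).
check_nsswitch_readable() {
    file="${1:-/etc/nsswitch.conf}"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    other=$(printf '%s' "$mode" | tail -c 1)   # "other" octal digit
    [ $((other & 4)) -ne 0 ]                    # read bit set?
}
```

Run both checks and, if either fails, fix the file and restart the services with `/opt/pbis/bin/lwsm restart lwio` before retrying the join.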
Configure resolv.conf
Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve SRV records for your domain.
Example:
    [root@rhel5d Desktop]# cat /etc/resolv.conf
    search example.com
    nameserver 192.168.100.132
For more information on resolv.conf, see your operating system's man page.

Configure Firewall Ports
The PBIS agent requires several firewall ports to be open for outbound traffic. For a list of the required ports, see Make Sure Outbound Ports Are Open.

Extend Partition Size (IBM AIX)
On AIX 5.2 and 5.3, you may need to extend the size of certain file systems to be able to complete the installation.
To do so, use IBM's chfs command to change the file system sizes, for example:
    # chfs -a size=+200M /opt
This command increases the size of the /opt file system by 200 megabytes, which should be sufficient for a successful installation.
Increase Max User Name Length (IBM AIX)
By default, IBM AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory user name. On AIX 5.3 and AIX 6.1, the symptom is that group names, when enumerated through the groups command, are truncated.
To increase the max user name length on AIX 5.3, use the following syntax:
    # chdev -l sys0 -a max_logname=MaxUserNameLength+1
Example:
    # chdev -l sys0 -a max_logname=255
This command allocates 254 characters for the user name and 1 for the terminating null.
The safest value that you can set max_logname to is 255.
You must reboot for the change to take effect:
    # shutdown -Fr
Note: AIX 5.2 does not support increasing the maximum user name length.
Installing the PBIS Agent
The following sections provide details on installing the PBIS agent on your computers.

Install the Correct Version for Your Operating System
You must install the PBIS agent (the identity service that authenticates users) on each Linux, Unix, or Mac OS X computer that you want to connect to Active Directory.
To obtain the installer or to view a list of supported platforms, see www.beyondtrust.com. You can download the PBIS Open installation package for free from the BeyondTrust website. If you are using PBIS Enterprise, make sure you install the PBIS Enterprise version of the agent.
Important: Before you install the agent, it is recommended that you upgrade your system with the latest security patches. Patch requirements for Unix systems are listed below.
The procedure for installing the PBIS Open agent or the PBIS Enterprise agent depends on the operating system of your target computer or virtual machine. Each procedure is documented in a separate section of this chapter.

Operating system: Linux platforms running kernel release 2.6 or later (supported by PBIS 6.1 or later); Linux platforms running kernel release 2.4 or later (supported by PBIS 6.0 or earlier)
Procedure: Install the Agent on Linux or Unix with the Shell Script

Operating system: Unix (Sun Solaris, HP-UX, IBM AIX)
Procedure: Install the Agent on Unix with the Command Line

Operating system: VMware ESX 3.0 and 3.5 (hypervisor)
Procedure: Install the Agent on Linux or Unix with the Shell Script

Operating system: Mac OS X 10.4, 10.5 and 10.6 (supported by PBIS 6.1 and earlier); Mac OS X 10.5, 10.6 and 10.7 (supported by PBIS 6.1 and later)
Procedure: Install the Agent on a Mac Computer

You also have the option of installing the agent in unattended mode; see Install the Agent on Linux in Unattended or Text Mode and Install the Agent on a Mac in Unattended Mode.
Checking Your Linux Kernel Release Number
To determine the release number of the kernel on your Linux machine, run the following command:
    uname -r
For the Linux machine to be supported by PBIS, the kernel release number must be 2.6 or later.

Package Management Commands
For an overview of commands such as rpm and dpkg that can help you manage PBIS on Linux and Unix platforms, see PowerBroker Identity Services Package Management Commands.

Requirements for the Agent
This section lists requirements for installing and running the PBIS agent.

Environment Variables
PBIS does not support installations that use these environment variables. Before you install the PBIS agent, make sure that the following environment variables are not set:
    LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH, LD_PRELOAD
Setting any of these environment variables violates best practices for managing Unix and Linux computers because it causes PBIS to use non-PBIS libraries for its services: the dynamic loader resolves the agent's libraries from whatever directory the variable names, so the authentication services can end up running substituted code. For more information on best practices, see http://linuxmafia.com/faq/Admin/ld-lib-path.html.
If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the PBIS library path (/opt/pbis/lib or /opt/pbis/lib64) before any other path, but keep in mind that doing so may result in side effects for your other programs, as they will now use PBIS libraries for their services.
If joining the domain fails with an error message that one of these environment variables is set, stop all the PBIS services, clear the environment variable, make sure it is not automatically set when the computer restarts (check /etc/profile, /etc/environment, and the shell startup files of the account you use), and then try to join the domain again.
Patch Requirements
It is recommended that you apply the latest patches for your operating system before you install PBIS. Known patch requirements are listed below.

Sun Solaris
All Solaris versions require the md5sum utility, which can be found on the companion CD.
Sun Solaris 10 requires update 5 or later. The Solaris 10 05/08 (or later) patch bundle is available at http://sunsolve.sun.com/. This important patch set fixes several open threading and libc issues in the base operating system. Such patches include 120037-19 and/or 120473-09, which are now made obsolete by 120012-14 (x86) and 120011-14 (sparc). You also need the nscd patch 142910-17 (x86) or 142909-17 (sparc). Threading issues are also addressed in patches 127128-11 (x86) or 127127-11 (sparc).
Solaris 8 Sparc should be fully patched according to Sun's recommendations. PBIS depends on the latest patch for libuuid. On Sparc systems, the patch for libuuid is 115831. Sun patch 110934-28 for Solaris 5.8 is also required for Solaris 8.
Solaris 8 Intel systems also require the latest patch for libuuid: 115832-01. Sun patches 110403-06 and 110935-26 are also required. Patch 110403-06 must be installed before you install patch 110935-26.
Solaris 9 requires Sun patch 113713-28 for Solaris 5.9.
OpenSolaris is compatible with PBIS without any patches.

HP-UX
Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed. It is recommended that you use HP-UX Secure Shell A.05.00.014 or later.
Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable Authentication Module, or PAM, support which PBIS requires to allow domain users to execute sudo commands with superuser credentials. It is recommended that you download sudo from the HP-UX Porting Center and make sure that you use the --with-pam configure option when you build it.
HP-UX 11i v1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903, and PHKL_29243. Although these patches may be superseded by subsequent patches, these patches represent the minimum patch level for proper operation.
Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, you must download and install the latest KRB5-Client libraries from the HP Software Depot. (By default, HP-UX 11.31 includes the libraries.)

Other Requirements for the Agent

Locale
The operating system on each computer on which the agent will be installed must be configured to use a locale with UTF-8 encoding. Merely having UTF-8 encoding support on the computer is not sufficient.

Secure Shell
To properly process logon events with PBIS, your SSH server or client must support the UsePAM yes option. For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software
Telnet, rsh, rcp, rlogin, and other programs that use PAM for processing authentication requests are compatible with PBIS.

Networking Requirements
Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:
• A    domain.tld
• SRV  _kerberos._tcp.domain.tld
• SRV  _ldap._tcp.domain.tld
• SRV  _kerberos._udp.sitename._sites._msdcs.domain.tld
• A    domaincontroller.domain.tld
In addition, several ports must be open; see Make Sure Outbound Ports Are Open.

Disk Space Requirements
The PBIS agent requires 100 MB of disk space in the /opt mount point. The agent also creates configuration files in /etc/pbis and offline logon information in /var/lib/pbis. In addition, the PBIS Enterprise agent caches Group Policy Objects (GPOs) in /var/lib/pbis.
Memory and CPU Requirements
The agent consists of several services and daemons that typically use between 9 MB and 14 MB of RAM. Memory utilization of the authentication service on a 300-user mail server is typically 7 MB; the other services and daemons require between 500 KB and 2 MB each. CPU utilization on a 2.0 gigahertz single-core processor under heavy load with authentication requests is about 2 percent. For a description of the PBIS services and daemons, see PBIS Agent.

Clock Skew Requirements
For the PBIS agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. For more information on time synchronization, see PBIS Agent.

Additional Requirements for Specific Operating Systems

AIX
On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.
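The script below is an added example, not part of the PBIS guide, that turns the agent requirements of this section (no dynamic-loader variables, kernel 2.6 or later, a UTF-8 locale, 100 MB free in /opt, clock skew under 300 seconds, and the AD DNS records the agent needs) into a preflight check you can run on a host before installing the agent. The domain name, site name, and the file name pbis-preflight.sh are placeholders; the SRV record list covers the standard domain-wide and site-specific records and is broader than the minimum list above.

```shell
#!/bin/sh
# Added example: preflight checks for the PBIS agent requirements.
# Each check is a function returning 0 (pass) or 1 (fail) so it can be
# reused individually. Placeholders: example.com, Default-First-Site-Name.

# 1. None of the dynamic-loader variables may be set; LD_PRELOAD in
#    particular would let a foreign library be loaded into the services.
loader_env_clean() {
    for v in LD_LIBRARY_PATH LIBPATH SHLIB_PATH LD_PRELOAD; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "$v is set to '$val'; unset it before installing"
            return 1
        fi
    done
    return 0
}

# 2. Kernel release must be 2.6 or later (argument defaults to uname -r).
kernel_supported() {
    rel="${1:-$(uname -r)}"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 6 ]; }
}

# 3. The active locale must use UTF-8 encoding, not merely have it available.
locale_is_utf8() {
    loc="${1:-${LC_ALL:-${LC_CTYPE:-${LANG:-}}}}"
    case "$loc" in
        *.UTF-8|*.utf8|*.UTF8|*.utf-8) return 0 ;;
        *) echo "locale '$loc' is not UTF-8"; return 1 ;;
    esac
}

# 4. The /opt mount point needs 100 MB free.
opt_has_space() {
    need_kb=$((100 * 1024))
    avail_kb=$(df -Pk "${1:-/opt}" | awk 'NR==2 {print $4}')
    [ "${avail_kb:-0}" -ge "$need_kb" ]
}

# 5. Kerberos tolerates 300 seconds of skew by default. Arguments are the
#    local clock and a KDC clock reading, both as epoch seconds.
skew_ok() {
    local_epoch=$1; kdc_epoch=$2; max=${3:-300}
    diff=$((local_epoch - kdc_epoch))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$max" ]
}

# 6. Records the agent must resolve for a domain and the computer's AD site.
required_ad_records() {
    domain=$1; site=$2
    printf '%s\n' \
        "A   $domain" \
        "SRV _kerberos._tcp.$domain" \
        "SRV _kerberos._udp.$domain" \
        "SRV _ldap._tcp.$domain" \
        "SRV _ldap._tcp.dc._msdcs.$domain" \
        "SRV _kerberos._tcp.$site._sites.$domain" \
        "SRV _ldap._tcp.$site._sites.$domain"
}

# Resolve each required record with dig; fails on the first missing one.
check_ad_dns() {
    required_ad_records "$1" "$2" | while read -r type name; do
        if [ -z "$(dig +short "$name" "$type")" ]; then
            echo "missing $type record: $name"; exit 1
        fi
    done
}

# Run every check when executed as pbis-preflight.sh (placeholder name).
if [ "${0##*/}" = "pbis-preflight.sh" ]; then
    loader_env_clean && kernel_supported && locale_is_utf8 && opt_has_space \
        && check_ad_dns example.com Default-First-Site-Name \
        && echo "preflight passed"
fi
```

For the skew check, take the KDC time from a source you trust for that domain controller (for example, the NTP server the DC itself uses) rather than from the host whose clock you are testing.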
Install the Agent on Linux or Unix with the Shell Script
You install the PBIS Enterprise agent by using a shell script that contains a self-extracting executable. The file name of the SFX installer ends in sh. Example: pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh
The examples shown are for Linux RPM-based platforms. For other Linux and Unix platforms, such as Debian, HP-UX, AIX, and Solaris, simply substitute the right installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.
Perform the following procedure with the root account. Because the installer is a script that you execute as root, confirm its integrity (for example, compare its checksum with the value you recorded from the download source) before running it. To view information about the installer or to view a list of command-line options, run the following command, replacing 7.5.0.3499 with the version and build number indicated in the file name of the SFX installer that you have:
    ./pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh --help
After the wizard finishes, the user interface for joining a domain appears. To suppress it, you can run the installer with its --dont-join argument. In the following procedure, replace 7.5.0.3499 with the version and build number indicated in the file name of the SFX installer that you have available.
1. Download or copy the shell script to your Linux or Unix computer's desktop.
   Important: If you FTP the file to the desktop of the target Linux or Unix computer, you must select binary, or BIN, for the transfer. Most FTP clients default to AUTO or ASCII, but the installer includes some binary code that becomes corrupted in AUTO or ASCII mode.
2. Change directories to the desktop.
3. As root, change the mode of the installer to executable:
       chmod a+x pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh
   On Ubuntu, execute the sudo command before you execute the chmod command:
       sudo chmod a+x pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh
4. As root, run the installer:
       ./pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh
5. Follow the instructions in the installer.
Note: On SLES and other systems on which the pager is set to less, you must exit the end user license agreement, or EULA, by typing the following command: q

Install the Agent on Linux in Unattended Mode
You can install the agent in unattended mode by using the install command. Replace 7.5.0.3499 with the version and build number indicated in the file name of the SFX installer that you have available for your platform.
For example, on a 32-bit RPM-based Linux system, the installation command would look like the following:
    ./pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh install
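The functions below are an added example, not part of the PBIS guide, for the unattended procedure above: they verify the SFX installer before it is executed with root privileges. A checksum recorded from the download source catches both a tampered copy and a copy corrupted by an ASCII-mode FTP transfer, and the shebang check catches the second case even without a checksum. The installer name and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify the SFX installer, then run it unattended.

# SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Checks: the file exists, starts with a shell shebang (a binary-corrupted
# or HTML error page does not), and its digest matches the recorded value.
verify_installer() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "$file: not found"; return 1; }
    case "$(head -c 2 "$file")" in
        '#!') ;;
        *) echo "$file: not a shell script (ASCII-mode transfer or wrong file?)"
           return 1 ;;
    esac
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$file: checksum mismatch"
        echo "  expected $expected"
        echo "  actual   $actual"
        return 1
    fi
    return 0
}

# Verify, then run the installer in unattended mode (its "install" argument).
# Running it through sh is equivalent to ./installer install and also works
# if the copy lost its execute bit in transit.
install_pbis_agent() {
    verify_installer "$1" "$2" || return 1
    chmod a+x "$1"
    sh "$1" install
}

# Usage (placeholders):
# install_pbis_agent pbis-enterprise-7.5.0.3499.linux.i386.rpm.sh \
#     0000000000000000000000000000000000000000000000000000000000000000
```

Record the digest on the workstation where you downloaded the installer, not on the target host, so that a corrupted or replaced copy on the target is detected rather than trusted.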
Install the Agent on Unix from the Command Line
You install the PBIS Open agent or the PBIS Enterprise agent on Sun Solaris, HP-UX, and IBM AIX by using a shell script that contains a self-extracting executable: an SFX installer with a file name that ends in sh. Example: pbis-enterprise-7.5.0.70.solaris.sparc.pkg.sh
The examples shown below are for Solaris Sparc systems. For other Unix platforms, simply substitute the right installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.
Note: The name of a Unix installer for PBIS Enterprise on installation media might be truncated to an eight-character file name with an extension. For example, l3499sus.sh is the truncated version of pbis-enterprise-7.5.0.3499.solaris.sparc.pkg.sh.
Perform the following procedure with the root account. Replace 7.5.0.70 with the version and build number indicated in the file name of the SFX installer that you have available.
1. Download or copy the installer to the Unix computer's desktop.
2. Change directories to the desktop.
3. As root, change the mode of the installer to executable:
       chmod a+x pbis-enterprise-7.5.0.70.solaris.sparc.pkg.sh
   Tip: To view a list of command-line options, run the following command:
       ./pbis-enterprise-7.5.0.70.solaris.sparc.pkg.sh --help
4. As root, run the installer:
       ./pbis-enterprise-7.5.0.70.solaris.sparc.pkg.sh
5. Follow the instructions in the installer.

Install the Agent on a Mac OS X Computer
To install the PBIS agent on a computer running Mac OS X, you must have administrative privileges on the Mac. PBIS supports Mac OS X 10.5 or later.
1. Obtain the PBIS agent installation package for your Mac from BeyondTrust Software, Inc., and save it to your desktop.
2. Log on to the Mac with a local account that has administrative privileges.
3. On the Apple menu, click System Preferences.
4. Under Internet & Network, click Sharing, and then select the Remote Login check box. Turning on Remote Login lets you access the Mac with SSH after you install PBIS.
5. On the Mac computer, go to the Desktop and double-click the PBIS .dmg file.
6. In the Finder window, double-click the PBIS .mpkg file.
7. Follow the instructions in the installation wizard.
When the wizard finishes installing the package, you are ready to join the Mac computer to an Active Directory domain.
Install the Agent on a Mac in Unattended Mode
The PBIS command-line tools can remotely deploy the shell version of the PBIS agent to multiple Mac OS X computers, and you can automate the installation of the agent by using the installation command in unattended mode.
The commands in this procedure require administrative privileges. Replace 7.5.0.1038 with the version and build number indicated in the file name of the installer that you have available.
1. Use SSH to connect to the target Mac OS X computer and then use SCP to copy the .dmg installation file to the desktop of the Mac or to a location that can be accessed remotely. The rest of this procedure assumes that you copied the installation file to the desktop.
2. On the target Mac, open Terminal and then use the hdiutil mount command to mount the .dmg file under /Volumes:
       /usr/bin/hdiutil mount Desktop/pbis-enterprise-7.5.0.1038.dmg
3. Execute the following command to open the .pkg volume:
       /usr/bin/open /Volumes/pbis-enterprise
4. Execute the following command to install the agent:
       sudo installer -pkg /Volumes/pbis-enterprise/pbis-enterprise-7.5.0.1038.pkg -target LocalSystem
   Note: For more information about the installer command, in Terminal execute the man installer command.
5. To join the domain, execute the following command in the Terminal, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:
       sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount
   Example:
       sudo /opt/pbis/bin/domainjoin-cli join example.com Administrator
   Terminal prompts you for two passwords: the first is for a user account on the Mac that has admin privileges; the second is for the user account in Active Directory that you specified in the join command.
   Note: You can also add the password for joining the domain to the command, but it is recommended that you do not use this approach, because another user could view the full command that you are running, including the password, in the process list, and the password would also be recorded in your shell history:
       sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount joinPassword
   Example:
       sudo /opt/pbis/bin/domainjoin-cli join example.com Administrator YourPasswordHere

Install the Agent in Solaris Zones
Solaris Zones are a virtualization technology created by Sun Microsystems to consolidate servers. Primarily used to isolate an application, Solaris Zones act as isolated virtual servers running on a single operating system, making each application in a collection of applications seem as though it is running on its own server. A Solaris Container combines system resource controls with the virtual isolation provided by zones.
Every zone server contains a global zone that retains visibility and control in any installed non-global zones. By default, the non-global zones share certain directories, including /usr, which are mounted read-only. The shared directories are writable only for the global zone.
By default, installing PBIS in the global zone results in it being installed in all the non-global zones. You can, however, control the target of the installation by using the following options of the SFX installer. Replace 7.5.0.97 with the version and build number indicated in the file name of the SFX installer that you have available.
    ./pbis-enterprise-7.5.0.97.solaris.i386.pkg.sh --help
    ...
    --all-zones       (Solaris) Install to all zones (default)
    --current-zone    (Solaris) Install only to current zone
After a new child zone is installed, booted, and configured, you must run the following command as root to complete the installation:
    /opt/pbis/bin/postinstall.sh
You cannot join zones to Active Directory as a group. Each zone, including the global zone, must be joined to the domain independently of the other zones.
Caveats
There are some caveats when using PBIS with Solaris Zones:
• When you join a non-global zone to AD, you will receive an error as PBIS attempts to synchronize the Solaris clock with AD. The error occurs because the root user of the non-global zone does not have root access to the underlying global system and thus cannot set the system clock. If the clocks are within the 5-minute clock skew permitted by Kerberos, the error will not be an issue. Otherwise, you can resolve the issue by manually setting the clock in the global zone to match AD or by joining the global zone to AD before joining the non-global zone.
• Some Group Policy settings may log PAM errors in the non-global zones even though they function as expected. The cron Group Policy setting is one example:
      Wed Nov 7 16:26:02 PST 2009 Running Cron job 1 (sh)
      Nov 7 16:26:01 zone01 last message repeated 1 time
      Nov 7 16:27:00 zone01 cron[19781]: pam_lsass(cron): request failed
  Depending on the Group Policy setting, these errors may result from file access permissions, attempts to write to read-only directories, or both.
• By default, Solaris displays auth.notice syslog messages on the system console. Some versions of PBIS generate significant authentication traffic on this facility-priority level, which may lead to an undesirable amount of chatter on the console or clutter on the screen.
  To redirect the traffic to a file instead of displaying it on the console, edit your /etc/syslog.conf file as follows:
  Change this:
      *.err;kern.notice;auth.notice	/dev/sysmsg
  To this:
      *.err;kern.notice	/dev/sysmsg
      auth.notice	/var/adm/authlog
  Redirect the messages rather than dropping the selector altogether: the auth.notice records are your logon audit trail. Create /var/adm/authlog (owned by root, mode 600, since it will contain user names) before restarting syslogd, because syslogd does not create the file itself.
Important: Make sure that you use tabs, not spaces, to separate the facility.priority information (on the left) from the action field (on the right). Using spaces will cue syslog to ignore the entire line.
Upgrading Your Operating System
Follow this series of steps to upgrade your operating system:
– Leave the domain
– Uninstall the agent
  For more information about uninstalling agents, see Uninstall the Agent on a Linux or Unix Computer and Uninstall the Agent on a Mac.
– Upgrade your operating system
– Install the correct agent for the new version of the operating system
– Join an Active Directory Domain

Configuring SELinux
PBIS currently supports SELinux policy for the following platforms:
• Fedora 13 through Fedora 17
• Red Hat Enterprise Linux version 6
Be sure to review the latest SELinux documentation. You can start with the SELinux wiki, http://www.selinuxproject.org/page/Main_Page

Installing SELinux on Unsupported Platforms
If you are installing PBIS on an SELinux-enabled platform that PBIS does not ship a policy for, a message similar to the following is displayed:
    SELinux found to be present, enabled, and enforcing. You may either provide a policy at /opt/pbis/share/pbis.pp --OR-- SELinux must be disabled or set to permissive mode by editing the file /etc/selinux/config and rebooting. For instructions on how to edit the file to disable SELinux, see the SELinux man page.
Prefer providing a policy: switching SELinux to permissive or disabled removes enforcement for every process on the host, not only for PBIS.
To install on an unsupported platform:
1. Create a compiled policy.
   To get started creating an SELinux policy for PBIS, you can start with the existing policy sources located under the version directories /opt/pbis/share/rhel or /opt/pbis/share/fedora.
2. Rename the policy pbis.pp and place it in the following directory: /opt/pbis/share
3. Run the installation again. The pbis.pp file will be installed.

Configuring SELinux After Installing
After installing PBIS with SELinux, security denials might occur. Security denials caused by the current policy are reported in the following log file: /var/log/audit/audit.log
You can fix security denial issues automatically or manually. In either case, read the generated rules before loading them: audit2allow turns every matching denial into an allow rule, including denials that were caused by a misconfiguration or by unwanted activity, so a module built blindly from the log can grant more than the agent needs.

Automatically Fix Security Denials
To create a policy to fix existing denials involving applications and resources with 'pbis' in the name:
    grep pbis /var/log/audit/audit.log | audit2allow -M pbislocal
The file pbislocal.pp will be a compiled policy module and can be loaded with:
    semodule -i pbislocal.pp

Manually Fix Security Denials
The procedure is similar to automatically fixing security denials. However, you can edit the policy file pbislocal.te before compiling it:
    grep pbis /var/log/audit/audit.log | audit2allow -m pbislocal > pbislocal.te
To build a compiled policy, execute the following command in the directory where pbislocal.te is located:
    make -f /usr/share/selinux/devel/Makefile
Load the module with:
    semodule -i pbislocal.pp
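The script below is an added example, not part of the PBIS guide, for reviewing the denials before running audit2allow: it reduces the AVC records that mention pbis to the distinct (source type, target type, class, permission) combinations that would become allow rules, so each one can be judged on its own. The audit lines, the pbis_t type and the lsassd process name are constructed for the example; the types in a real log come from the policy you loaded.

```shell
#!/bin/sh
# Added example: summarise the AVC denials that "grep pbis audit.log |
# audit2allow" would turn into allow rules.

# Constructed sample of /var/log/audit/audit.log for demonstration.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1370000000.101:200): avc:  denied  { read } for  pid=2201 comm="lsassd" name="passwd" dev=dm-0 ino=131 scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1370000000.101:200): arch=c000003e syscall=2 success=no exit=-13 comm="lsassd" exe="/opt/pbis/sbin/lsassd" subj=system_u:system_r:pbis_t:s0
type=AVC msg=audit(1370000000.102:201): avc:  denied  { read open } for  pid=2201 comm="lsassd" path="/etc/krb5.conf" scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1370000000.103:202): avc:  denied  { name_connect } for  pid=2201 comm="lsassd" dest=389 scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1370000000.104:203): avc:  denied  { write } for  pid=3100 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1370000000.105:204): avc:  denied  { read } for  pid=2201 comm="lsassd" name="passwd" dev=dm-0 ino=131 scontext=system_u:system_r:pbis_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# One line per distinct "source_type target_type class permission" found in
# AVC denial records that mention pbis (same selection as the grep above).
summarize_pbis_denials() {
    grep 'avc: *denied' "$1" | grep pbis | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions are listed between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        gsub(/^ +| +$/, "", perm)
        n = split(perm, ps, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, ps[j]
    }' | sort -u
}

# Usage: write_sample_audit_log /tmp/audit.sample
#        summarize_pbis_denials /tmp/audit.sample
```

A read of /etc/passwd or /etc/krb5.conf and a connect to the LDAP port are what an authentication agent is expected to do; a write to a system directory or an execute permission on a file type you did not expect deserves investigation before it is allowed.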
Configuring Clients After PBIS Agent Installation
After you install the PBIS agent on client computers, you can:
• Configure end-user settings for the agent
• Add domain accounts to local groups
• Add Active Directory entries to your sudoers file
If PBIS cannot find your sudoers file automatically, you can specify a search path for the file.
On AIX computers, after you install the PBIS agent, you can configure the computer to monitor users who log on with Active Directory credentials.

Modify Settings with the Config Tool
To quickly change an end-user setting for the PBIS agent, you can run the config command-line tool as root:
    /opt/pbis/bin/config
The syntax to change the value of a setting is as follows, where setting is replaced by the registry entry that you want to change and value by the new value that you want to set:
    /opt/pbis/bin/config setting value
Here is an example of how to use config to change the AssumeDefaultDomain setting:
    [root@rhel5d bin]# ./config --detail AssumeDefaultDomain
    Name: AssumeDefaultDomain
    Description: Apply domain name prefix to account name at logon
    Type: boolean
    Current Value: false
    Accepted Values: true, false
    Current Value is determined by local policy.
    [root@rhel5d bin]# ./config AssumeDefaultDomain true
    [root@rhel5d bin]# ./config --show AssumeDefaultDomain
    boolean
    true
    local policy
Use the --detail option to view the setting's current value and to determine the values that it accepts. Set the value to true. Use the --show option to confirm that the value was set to true.
To view the settings that you can change with config, execute the following command:
    /opt/pbis/bin/config --list
You can also import and apply a number of settings with one command using the --file option combined with a text file that contains the settings that you want to change followed by the values that you want to set. Each setting-value pair must be on one line.
For example, the contents of the flat file, named newRegistryValuesFile and saved to the desktop of a Red Hat computer, looks like this:
    AssumeDefaultDomain true
    RequireMembershipOf "example\\support" "example\\domain^admins"
    HomeDirPrefix /home/ludwig
    LoginShellTemplate /bin/bash
RequireMembershipOf restricts logon to members of the listed groups; without it, any account in the domain that the cell maps can log on to the computer, so set it on hosts that only a specific team should reach.
To import the file and automatically change the settings listed in the file to the new values, execute the following command as root:
    /opt/pbis/bin/config --file /root/Desktop/newRegistryValuesFile
For more information and examples, see Modify Settings with the config Tool.
Add Domain Accounts to Local Groups
You can add domain users to your local groups on a Linux, Unix, or Mac OS X computer by placing an entry for the user or group in the /etc/group file. Adding an entry for an Active Directory user to your local groups can give the user local administrative rights. The entries must adhere to the following rules:
• Use the correct case; entries are case sensitive.
• Use a user or group's alias if the user or group has one in Active Directory.
• If the user or group does not have an alias, you must set the user or group in the PBIS canonical name format of NetBIOSdomainName\SAMaccountName.
Note: For users or groups with an alias, the PBIS canonical name format is the alias, which you must use; you cannot use the format of NetBIOS domain name\SAM account name.
For users and groups without an alias, the form of an entry is as follows:
    root:x:0:EXAMPLE\kristeva
For users and groups with an alias, the form of an entry is as follows:
    root:x:0:kris
Membership in the root group (GID 0) grants every permission that files on the system give to group 0; where you only need to delegate specific commands, a sudoers entry or a dedicated administrative group such as wheel is the narrower choice.
In /etc/group, the backslash character separating the domain name from the account name does not typically need to be escaped.
Tip: On Ubuntu, you can give a domain user administrative privileges by adding the user to the admin group as follows:
    admin:x:119: EXAMPLE\bakhtin
On a Mac OS X computer, you can add users to a local group with Apple's directory service command-line utility: dscl. In dscl, go to the /Local/Default/Groups directory and then add users to a group by using the append command.

Configure Entries in Your sudoers Files
When you add Active Directory entries to your sudoers file (typically /etc/sudoers), you must adhere to at least the following rules:
• ALL must be in uppercase letters.
• Use a backslash character to escape the backslash that separates the Active Directory domain from the user or group name.
• Use the correct case; entries are case sensitive.
• Use a user or group's alias if the user or group has one in Active Directory.
• If the user or group does not have an alias, you must set the user or group in the PBIS canonical name format of NetBIOSdomainName\SAMaccountName (and escape the backslash character).
Note: For users or groups with an alias, the PBIS canonical name format is the alias, which you must use; you cannot use the format of NetBIOS domain name\SAM account name.
Edit the file with visudo rather than a plain editor, so that a syntax error is caught before it disables sudo for everyone.
For users and groups without an alias, the form of an entry in the sudoers file is as follows:
DOMAIN\\username
DOMAIN\\groupname
Exampleentryofagroup:
%EXAMPLE\\LinuxFullAdmins ALL=(ALL)ALL
Exampleentryofauserwithanalias:
kyleALL=(ALL)ALL
Formoreinformationabouthowtoformatyoursudoersfile,seeyour
computer'smanpageforsudo.
CheckaUser'sCanonicalNameonLinux
TodeterminethecanonicalnameofaPBISuseronLinux,executethe
followingcommand,replacingthedomainanduserintheexamplewithyour
domainanduser:
getentpasswdexample.com\\hab
EXAMPLE\hab:x:593495196:593494529: Jurgen
Habermas:/home/local/ EXAMPLE/hab:/bin/sh
Intheresults,theuser'sPBIScanonicalnameisthefirstfield.
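The sudoers rules above (uppercase ALL, escaped backslash, exact case, alias when one exists) can be checked mechanically against the canonical names that getent returns. The following checker is an added example, not PBIS code; the getent lines and the sudoers fragment it checks are constructed, and the alias "kris" and the group EXAMPLE\LinuxFullAdmins are assumed for illustration.

```python
"""Check sudoers entries against the PBIS naming rules given above.

Added example (not PBIS code). It assumes the canonical names are the first
field of `getent passwd` / `getent group` output, as the section on checking a
user's canonical name shows; the sample lines below are constructed.
"""
import re
from typing import Dict, Iterable, List

# Constructed getent output: a domain user without an alias (EXAMPLE\hab),
# a domain user whose cell alias is "kris", and one domain group.
GETENT_PASSWD = "\n".join([
    r"EXAMPLE\hab:x:593495196:593494529:Jurgen Habermas:/home/local/EXAMPLE/hab:/bin/sh",
    r"kris:x:593495197:593494529:Julia Kristeva:/home/local/EXAMPLE/kris:/bin/sh",
])
GETENT_GROUP = r"EXAMPLE\LinuxFullAdmins:x:593494530:EXAMPLE\hab"

# Constructed sudoers fragment mixing valid and invalid entries.
SUDOERS_FRAGMENT = r"""
# group without an alias: escaped backslash, uppercase ALL
%EXAMPLE\\LinuxFullAdmins ALL=(ALL) ALL
# user with an alias: the alias alone, no domain prefix
kris ALL=(ALL) ALL
# wrong: unescaped backslash and lowercase "all"
EXAMPLE\hab all=(ALL) ALL
# wrong: case differs from the canonical name
EXAMPLE\\Hab ALL=(ALL) ALL
"""

_ENTRY = re.compile(r"^(?P<spec>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?P<rest>.+)$")
_ALL_WORD = re.compile(r"\b[Aa][Ll][Ll]\b")


def canonical_names_from_getent(output: str) -> List[str]:
    """The PBIS canonical name is the first colon-separated field of each line."""
    return [ln.split(":", 1)[0] for ln in output.splitlines() if ln.strip()]


def sudoers_spec_to_canonical(spec: str) -> str:
    """Strip a leading % and undo the sudoers escaping of the domain separator."""
    name = spec[1:] if spec.startswith("%") else spec
    return name.replace("\\\\", "\\")


def check_sudoers_entry(line: str, canonical: Iterable[str]) -> List[str]:
    """Return the rule violations in one sudoers line (empty list when it is fine)."""
    known = set(canonical)
    text = line.strip()
    if not text or text.startswith("#"):
        return []
    m = _ENTRY.match(text)
    if not m:
        return ["line is not of the form: user_or_%group host=(runas) commands"]
    issues: List[str] = []
    spec = m.group("spec")
    # Rule: ALL must be in uppercase letters wherever the keyword appears.
    for word in _ALL_WORD.findall(text[len(spec):]):
        if word != "ALL":
            issues.append(f"keyword {word!r} must be written as uppercase ALL")
    # Rule: the backslash between domain and account name must be escaped.
    name = spec[1:] if spec.startswith("%") else spec
    if "\\" in name and "\\\\" not in name:
        issues.append("backslash between domain and account name is not escaped")
    # Rules: exact case, and the alias when the account has one in the cell.
    resolved = sudoers_spec_to_canonical(spec)
    if resolved not in known:
        by_lower = {n.lower(): n for n in known}
        hint = by_lower.get(resolved.lower())
        if hint is not None:
            issues.append(f"case mismatch: {resolved!r} should be {hint!r}")
        else:
            issues.append(f"{resolved!r} is not a PBIS canonical name (use the alias, "
                          "or NetBIOSdomainName\\\\SAMaccountName)")
    return issues


def check_sudoers_text(text: str, canonical: Iterable[str]) -> Dict[int, List[str]]:
    """Check a whole sudoers fragment; keys are 1-based numbers of offending lines."""
    known = list(canonical)
    report: Dict[int, List[str]] = {}
    for number, line in enumerate(text.splitlines(), start=1):
        issues = check_sudoers_entry(line, known)
        if issues:
            report[number] = issues
    return report


if __name__ == "__main__":
    names = canonical_names_from_getent(GETENT_PASSWD) + canonical_names_from_getent(GETENT_GROUP)
    for number, issues in check_sudoers_text(SUDOERS_FRAGMENT, names).items():
        print(f"line {number}: {'; '.join(issues)}")
```

On a real host, feed it the output of getent passwd and getent group for the accounts named in sudoers, and the file itself read as root.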
Set a sudoers Search Path
Although PowerBroker Identity Services searches a number of common locations for your sudoers file, on some platforms PBIS might not find it. In such cases, you can specify the location of your sudoers file by adding the following line to the Sudo GP Extension section of /etc/pbis/grouppolicy.conf:
SudoersSearchPath = /your/search/path
Example: SudoersSearchPath = "/opt/sfw/etc";
Here is an example in the context of the /etc/pbis/grouppolicy.conf file:
[{20D139DE-D892-419f-96E5-0C3A997CB9C4}]
Name = "PBIS Enterprise Sudo GP Extension";
DllName = "liblwisudo.so";
EnableAsynchronousProcessing = 0;
NoBackgroundPolicy = 0;
NoGPOListChanges = 1;
NoMachinePolicy = 0;
NoSlowLink = 1;
NoUserPolicy = 1;
PerUserLocalSettings = 0;
ProcessGroupPolicy = "ProcessSudoGroupPolicy";
ResetGroupPolicy = "ResetSudoGroupPolicy";
RequireSuccessfulRegistry = 1;
SudoersSearchPath = "/opt/sfw/etc";
AIX: Create Audit Classes to Monitor Events
On AIX, you can create audit classes to monitor the activities of users who log on with their Active Directory credentials. The file named /etc/pbis/auditclasses.sample is a template that you can use to create audit classes for AD users.
To create and configure an audit class, make a copy of the file, name it /etc/pbis/auditclasses, and then edit the file to specify the audit classes that you want.
After you configure audit classes for a user, the auditing will take place the next time the user logs in.
The sample PBIS audit classes file looks like this:
#
# Sample audit classes file.
#
# A line with no label specifies the default audit classes for
# users that are not explicitly listed:
#
general,files
#
# A line starting with a user name specifies the audit classes for
# that AD user. The user name must be specified as the "canonical"
# name for the user: either "DOMAIN\username" or just "username"
# if "--assumeDefaultDomain yes" was passed to domainjoin-cli
# with "--userDomainPrefix DOMAIN". In PBIS Enterprise, if
# the user has an alias specified in the cell the alias name must
# be used here.
#
DOMAIN\user1:general,files,tcpip
user2:general,cron
#
# A line starting with an @ specifies the audit classes for members
# of an AD group. These classes are added to the audit classes
# for the user (or the default, if the user is not listed here).
# Whether to specify "DOMAIN\groupname" or just "groupname" follows
# the same rules as for users.
#
@DOMAIN\mail_users:mail
group2:cron
For information on AIX audit classes, see the IBM documentation for your version of AIX.
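To see how the three kinds of entries combine (the unlabeled default line, per-user lines, and @group lines whose classes are added on top), here is an added example parser that is not part of PBIS; the file content it parses is constructed in the sample's format, and the group and user names in it are illustrative.

```python
"""Parse /etc/pbis/auditclasses and compute the audit classes for a user.

Added example (not PBIS code). The file content below is constructed in the
format of the sample above; the names and classes are illustrative.
"""
from typing import Dict, List, Sequence


SAMPLE_AUDITCLASSES = r"""
# Default classes for AD users that are not listed explicitly.
general,files
# Per-user lines use the PBIS canonical name: DOMAIN\user, the alias,
# or the bare name when the default domain is assumed.
DOMAIN\user1:general,files,tcpip
user2:general,cron
# Group lines (@) add classes to the user's own or default classes.
@DOMAIN\mail_users:mail
@group2:cron
"""


class AuditClassConfig:
    """The three kinds of entries the file can hold."""

    def __init__(self) -> None:
        self.default: List[str] = []
        self.users: Dict[str, List[str]] = {}
        self.groups: Dict[str, List[str]] = {}


def _split_classes(text: str) -> List[str]:
    return [c.strip() for c in text.split(",") if c.strip()]


def parse_auditclasses(text: str) -> AuditClassConfig:
    """Read the file format: comments, one unlabeled default line, user and @group lines."""
    cfg = AuditClassConfig()
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # group entry
            name, sep, classes = line[1:].partition(":")
            if not sep or not name:
                raise ValueError(f"line {number}: group entry needs @name:classes")
            cfg.groups[name.strip()] = _split_classes(classes)
        elif ":" in line:                             # user entry
            name, _, classes = line.partition(":")
            cfg.users[name.strip()] = _split_classes(classes)
        else:                                         # unlabeled default line
            cfg.default = _split_classes(line)
    return cfg


def effective_classes(cfg: AuditClassConfig, user: str,
                      member_of: Sequence[str] = ()) -> List[str]:
    """User's own classes (or the default), plus the classes of each listed group."""
    classes = list(cfg.users.get(user, cfg.default))
    for group in member_of:
        for cls in cfg.groups.get(group, []):
            if cls not in classes:
                classes.append(cls)
    return classes


if __name__ == "__main__":
    config = parse_auditclasses(SAMPLE_AUDITCLASSES)
    print(effective_classes(config, "DOMAIN\\user1", ["DOMAIN\\mail_users"]))
    print(effective_classes(config, "unlisted_user", ["group2"]))
```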
Joining an Active Directory Domain
When PBIS joins a computer to an Active Directory domain, it uses the hostname of the computer to create the name of the computer object in Active Directory. From the hostname, the PBIS domain join tool attempts to derive a fully qualified domain name. By default, the PBIS domain join tool creates the Linux and Unix computer accounts in the default Computers container in Active Directory.
For more information about the domain-join tool, see Using the Domain-Join Tool.
After you join a domain for the first time, you must restart the computer before you can log on. If you cannot restart the computer, you must restart each service or daemon that looks up users or groups through the standard nsswitch interface, which includes most services that authenticate users, groups, or computers. You must, for instance, restart the services that use Kerberos, such as sshd.
Pre-Create Accounts in Active Directory
You can choose to pre-create computer accounts in Active Directory before you join your computers to the domain. When you join a computer to a domain, PBIS associates the computer with the pre-existing computer account when PBIS can find it.
To locate the computer account, PBIS first looks for a computer account with a DNS hostname that matches the hostname of the computer. If the DNS hostname is not set, PBIS then looks for the name of a computer account that matches the computer's hostname, but only when the computer's hostname is 15 characters or less.
Therefore, when the hostname of your computer is more than 15 characters, set the DNS hostname for the computer account to ensure that the correct computer account is found. If no match is found, PBIS creates a computer account.
Privileges and Permissions
To join a computer to a domain, use credentials for an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join.
For instructions on how to delegate rights to join a computer to a domain, see http://support.microsoft.com/kb/932455. The level of privileges that you need is set by Microsoft Active Directory and is typically the same as performing the corresponding action on a Windows computer.
For more information about Active Directory privileges, permissions, and security groups, see the following references on the Microsoft TechNet website:
• Active Directory Privileges
• Active Directory Object Permissions
• Active Directory Users, Computers, and Groups
• Securing Active Directory Administrative Groups and Accounts
Creation of Local Accounts
After you join a domain, PBIS creates two local user accounts:
– ComputerName\Administrator: The account is disabled until you run mod-user with the root account. You are prompted to reset the password the first time you use the account.
– ComputerName\Guest
You can view information about these accounts by executing the following command:
/opt/pbis/bin/enum-users
Example output:
User info (Level-2):
====================
Name:                       EXAMPLE-01\Administrator
UPN:                        Administrator@EXAMPLE-01
Generated UPN:              YES
Uid:                        1500
Gid:                        1544
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /
LM Hash length:             0
NT Hash length:             0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           TRUE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314
User info (Level-2):
====================
Name:                       EXAMPLE-01\Guest
UPN:                        Guest@EXAMPLE-01
Generated UPN:              YES
Uid:                        1501
Gid:                        1546
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /tmp
LM Hash length:             0
NT Hash length:             0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             TRUE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314
Join Active Directory from the Command Line
On Linux, Unix, and Mac OS X computers, the location of the domain join command-line utility is as follows:
/opt/pbis/bin/domainjoin-cli
Important: To run the command-line utility, you must use a root account. For more information about the account you must use, see Privileges and Permissions.
When you join a domain by using the command-line utility, PBIS uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the FQDN in the /etc/hosts file. You can also join a domain without changing the /etc/hosts file; see Join Active Directory Without Changing /etc/hosts.
Before Joining a Domain
To join a domain, the computer's name server must be able to find the domain and the computer must be able to reach the domain controller.
You can make sure the name server can find the domain by running this command:
nslookup domainName
You can verify that your computer can reach the domain controller by pinging it:
ping domainName
If either of these tests fails, see Check System Health Before Installing the Agent and Troubleshooting Domain-Join Problems.
Join a Linux or Unix Computer to Active Directory
For Linux computers, there is an optional graphical version of the PBIS domain join tool. It is installed on Linux platforms that are running GTK+ version 2.6 or later. For more information, see Join a Linux Computer to Active Directory with the GUI.
Execute the following command as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:
/opt/pbis/bin/domainjoin-cli join domainName joinAccount
Example: /opt/pbis/bin/domainjoin-cli join example.com Administrator
Tip: On Ubuntu, execute the sudo su command before you run the domainjoin-cli command.
Join a Mac Computer to Active Directory
Using sudo, execute the following command in Terminal, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:
sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount
Example: sudo /opt/pbis/bin/domainjoin-cli join example.com Administrator
The terminal prompts you for two passwords:
• For a user account on the Mac that has administrative privileges
• For the account in Active Directory that you specified in the join command.
Join a Linux or Unix Computer to an Organizational Unit
Execute the following command as root, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the target OU:
/opt/pbis/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount
Example: /opt/pbis/bin/domainjoin-cli join --ou Engineering example.com Administrator
Join a Linux or Unix Computer to a Nested Organizational Unit
Execute the following command as root, replacing these values:
• path with the AD path to the OU from the top down, with each node separated by a forward slash (/).
• organizationalUnitName with the name of the organizational unit that you want to join.
• domainName with the FQDN of the domain.
• joinAccount with the user name of an AD account that has privileges to join computers to the target OU:
/opt/pbis/bin/domainjoin-cli join --ou path/organizationalUnitName domainName joinAccount
Here is an example of how to join a deeply nested OU:
domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU example.com Administrator
domainjoin-cli Options, Commands, and Arguments
The domainjoin-cli command-line interface includes the following options:

Option               Description                                        Example
--help               Displays the command-line options and commands.    domainjoin-cli --help
--help-internal      Displays a list of the internal debugging and      domainjoin-cli --help-internal
                     configuration commands.
--logfile {.|path}   Generates a log file or prints the log to the      domainjoin-cli --logfile /var/log/domainjoin.log join example.com Administrator
                     console.                                           domainjoin-cli --logfile . join example.com Administrator

Basic Commands
The domain join command-line interface includes the following basic commands:

query
    Displays the hostname, current domain, and distinguished name, which includes the OU to which the computer belongs. If the computer is not joined to a domain, it displays only the hostname.
    Example: domainjoin-cli query

setname computerName
    Renames the computer and modifies the /etc/hosts file with the name that you specify.
    Example: domainjoin-cli setname RHEL44ID

fixfqdn
    Fixes a computer's fully qualified domain name.
    Example: domainjoin-cli fixfqdn

join [--ou organizationalUnit] domainName userName
    Joins the computer to the domain that you specify by using the account that you specify.
    You can use the --ou option to join the computer to an OU within the domain by specifying the path to the OU and the OU's name. When you use this option, you must use an account that has membership in the Domain Administrators security group. The path to the OU is top down.
    Example: domainjoin-cli join --ou Engineering example.com Administrator

join --notimesync
    Joins the computer to the domain without synchronizing the computer's time with the domain controller's. When you use this option, the sync-system-time value for lsass is set to no.
    Example: domainjoin-cli join --notimesync example.com Administrator

leave [userName]
    Removes the computer from the Active Directory domain. If the userName is provided, the computer account is disabled in Active Directory.
    Examples:
    domainjoin-cli leave
    domainjoin-cli leave [email protected]
Advanced Commands
The command-line interface includes advanced commands that you can use to:
• Preview the stages of joining or leaving a domain
• Check configurations required for your system
• View information about a module that will be changed
• Configure a module such as nsswitch
• Enable or disable a module.
The advanced commands can be used for troubleshooting issues while configuring a Linux or Unix computer to work with Active Directory.
The following diagram shows how systems interact when you join a domain.
Figure 2. Domain Join Dataflow
Preview the Stages of the Domain Join for Your Computer
To preview the domain, DNS name, and configuration stages that will be used to join a computer to a domain, execute the following command at the command line:
domainjoin-cli join --preview domainName
Example: domainjoin-cli join --preview example.com
Here is an example of the results, which can vary by computer:
[root@rhel4d bin]# domainjoin-cli join --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
The following stages are currently configured to be run during the domain join:
    join     - join computer to AD
    krb5     - configure krb5.conf
    nsswitch - enable/disable PowerBroker Identity Services nsswitch module
    start    - start daemons
    pam      - configure pam.d/pam.conf
    ssh      - configure ssh and sshd
Check Required Configurations
To list the modules that apply to your operating system, including those modules that will not be run, execute either the following join or leave command:
domainjoin-cli join --advanced --preview domainName
domainjoin-cli leave --advanced --preview domainName
Example: domainjoin-cli join --advanced --preview example.com
The result varies by computer:
[root@rhel4d bin]# domainjoin-cli join --advanced --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop     - stop daemons
    [F] hostname - set computer hostname
    [F] keytab   - initialize kerberos keytab
[X] [N] join     - join computer to AD
[X] [N] nsswitch - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] cache    - manage caches for this host
[X] [N] start    - start daemons
[X] [N] krb5     - configure krb5.conf
    [F] bash     - fix bash prompt for backslashes in usernames
[X] [N] pam      - configure pam.d/pam.conf
[X] [S] ssh      - configure ssh and sshd
    [F] DDNS     - Configure Dynamic DNS Entry for this host
Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes
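Before a join touches system files, the preview output above is worth parsing rather than eyeballing: the [X] steps are the ones that will change the host, and a step flagged [N] but shown as [ ] is a necessary step that has been disabled. The parser below is an added example, not part of PBIS; its first sample is the output shown above re-typed, and the second sample is constructed to show the disabled-necessary case.

```python
"""Parse 'domainjoin-cli join --advanced --preview' output and classify its steps.

Added example, not PBIS code. PREVIEW_OUTPUT is the output shown above;
PREVIEW_PAM_DISABLED is constructed to show a necessary step that is disabled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PREVIEW_OUTPUT = """\
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop     - stop daemons
    [F] hostname - set computer hostname
    [F] keytab   - initialize kerberos keytab
[X] [N] join     - join computer to AD
[X] [N] nsswitch - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] cache    - manage caches for this host
[X] [N] start    - start daemons
[X] [N] krb5     - configure krb5.conf
    [F] bash     - fix bash prompt for backslashes in usernames
[X] [N] pam      - configure pam.d/pam.conf
[X] [S] ssh      - configure ssh and sshd
    [F] DDNS     - Configure Dynamic DNS Entry for this host
"""

# Constructed: the same host after "join --disable pam ...", so pam is
# still necessary ([N]) but will not be run ([ ]).
PREVIEW_PAM_DISABLED = PREVIEW_OUTPUT.replace("[X] [N] pam ", "[ ] [N] pam ")

# Optional enable box ([X] or [ ]), then the state box, module name, dash, text.
_STEP = re.compile(
    r"^\s*(?:\[(?P<enabled>[X ])\]\s*)?\[(?P<state>[FSN])\]\s*"
    r"(?P<module>\S+)\s+-\s+(?P<desc>.*\S)\s*$"
)


@dataclass
class Step:
    module: str
    state: str               # F, S or N, as in the key to flags
    enabled: Optional[bool]  # True for [X], False for [ ], None when no box is printed
    description: str


def parse_preview(text: str) -> List[Step]:
    """Return one Step per module line; header lines are skipped."""
    steps: List[Step] = []
    for line in text.splitlines():
        m = _STEP.match(line)
        if not m:
            continue
        box = m.group("enabled")
        steps.append(Step(m.group("module"), m.group("state"),
                          None if box is None else box == "X", m.group("desc")))
    return steps


def steps_that_change(steps: List[Step]) -> List[str]:
    """Modules marked [X]: these will modify the system during the join."""
    return [s.module for s in steps if s.enabled]


def blocking_steps(steps: List[Step]) -> List[str]:
    """Modules marked [N] but [ ]: necessary, yet disabled, so the join will not
    proceed unless the module has been configured by hand."""
    return [s.module for s in steps if s.state == "N" and s.enabled is False]


if __name__ == "__main__":
    parsed = parse_preview(PREVIEW_OUTPUT)
    print("will change:", steps_that_change(parsed))
    print("blocking:", blocking_steps(parse_preview(PREVIEW_PAM_DISABLED)))
```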
View Details about a Module
The PBIS domain join tool includes the following modules, the components and services that the tool must configure before it can join a computer to a domain:

Module     Description
join       Joins the computer to Active Directory
leave      Deletes the machine account in Active Directory
dsplugin   Enables the PBIS directory services plugin on a Mac computer
stop       Stops services so that the system can be configured
start      Starts services after configuration
firewall   Opens ports to the domain controller
hostname   Sets the computer hostname
krb5       Configures krb5.conf
pam-mode   Switches authentication from LAM to PAM
nsswitch   Enables or disables the PBIS nsswitch module
pam        Configures pam.d and pam.conf
lam-auth   Configures LAM for Active Directory authentication
ssh        Configures ssh and sshd
bash       Fixes the bash prompt for backslashes in usernames
gdm        Fixes the gdm presession script for spaces in usernames

As the previous section illustrated, you can see the modules that must be configured on your computer by executing the following command:
domainjoin-cli join --advanced --preview domainName
You can drill down into the details of the changes that a module will make by using either the following join or leave command:
domainjoin-cli join --details module domainName joinAccount
domainjoin-cli leave --details module domainName joinAccount
Example: domainjoin-cli join --details nsswitch example.com Administrator
The result varies depending on your system's configuration:
domainjoin-cli join --details nsswitch example.com Administrator
[X] [N] nsswitch - enable/disable PowerBroker Identity Services nsswitch module
Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes
Details for 'enable/disable PowerBroker Identity Services nsswitch module':
The following steps are required and can be performed automatically:
    * Edit nsswitch apparmor profile to allow libraries in the /opt/pbis/lib and /opt/pbis/lib64 directories
    * List lwidentity module in /usr/lib/security/methods.cfg (AIX only)
    * Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or /etc/netsvc.conf
If any changes are performed, then the following services must be restarted:
    * GDM
    * XDM
    * Cron
    * Dbus
    * Nscd
Turn On or Turn Off Domain-Join Modules
You can explicitly enable or disable a module when you join or leave a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.
Note: If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.
The following command, with either join or leave, can be used to disable a module:
domainjoin-cli join --disable module domainName accountName
domainjoin-cli leave --disable module domainName accountName
Example: domainjoin-cli join --disable pam example.com Administrator
To enable a module, execute the following command at the command line:
domainjoin-cli join --enable module domainName accountName
Example: domainjoin-cli join --enable pam example.com Administrator
Configuration and Debugging Commands
The domainjoin-cli tool includes commands for debugging the domain-join process and for configuring or preconfiguring a module. You can, for example, run the configure command to preconfigure a system before you join a domain, a useful strategy when you are deploying PBIS in a virtual environment and you need to preconfigure the nsswitch, ssh, or PAM module of the target computers to avoid restarting them after they are added to the domain. Here is an example with nsswitch:
domainjoin-cli configure --enable nsswitch
Run the following to view the additional commands available:
domainjoin-cli --help-internal
fixfqdn
configure { --enable | --disable } pam [--testprefix <dir>]
configure { --enable | --disable } nsswitch [--testprefix <dir>]
configure { --enable | --disable } ssh [--testprefix <dir>]
configure { --enable | --disable } [--testprefix <dir>] [--long <longdomain>] [--short <shortdomain>] krb5
configure { --enable | --disable } firewall [--testprefix <dir>]
configure { --enable | --disable } eventfwd
configure { --enable | --disable } reapsysl
get_os_type
get_arch
get_distro
get_distro_version
raise_error <errorcode|errorname|0xhexerrorcode>
Join Active Directory Without Changing /etc/hosts
When you join a computer to a domain by using the PBIS domain join tool, PBIS uses the hostname of the computer to derive a fully qualified domain name (FQDN) and automatically sets the computer's FQDN in the /etc/hosts file.
To join a Linux computer to the domain without changing the /etc/hosts file, execute the following command as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:
/opt/pbis/bin/domainjoin-cli join --disable hostname domainName joinAccount
Example: /opt/pbis/bin/domainjoin-cli join --disable hostname example.com Administrator
After you join a domain for the first time, you must restart the computer before you can log on.
If the Computer Fails to Join the Domain
Make sure the computer's FQDN is correct in /etc/hosts. For the computer to process tickets in compliance with the Kerberos protocol and to function properly when it uses cached credentials in offline mode or when its DNS server is offline, there must be a correct FQDN in /etc/hosts. For more information on GSS-API requirements, see RFC 2743.
You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command:
ping -c 1 `hostname`
When you execute this command, the computer looks up the primary host entry for its hostname. In most cases, this means that it looks for its hostname in /etc/hosts, returning the first FQDN name on the same line.
For example, the correct entry for the hostname qaserver, in /etc/hosts:
10.100.10.10 qaserver.corpqa.example.com qaserver
If the entry in /etc/hosts incorrectly lists the hostname (or anything else) before the FQDN, the computer's FQDN becomes, using the malformed example below, qaserver:
10.100.10.10 qaserver qaserver.corpqa.example.com
If the host entry cannot be found in /etc/hosts, the computer looks for the results in DNS instead. This means that the computer must have a correct A record in DNS. If the DNS information is wrong and you cannot correct it, add an entry to /etc/hosts.
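The ordering rule described above (the first name after the address on the line that names the host becomes the FQDN) is easy to get wrong when editing /etc/hosts by hand, so it helps to check it before a join. The following is an added example, not PBIS code; it models that lookup over constructed /etc/hosts contents built from the correct and malformed entries shown above and reports why an entry is unusable.

```python
"""Work out the FQDN a host derives from /etc/hosts, as described above.

Added example (not PBIS code). It models the lookup the text describes: find
the line that names the host and take the first name after the address.
The /etc/hosts contents below are constructed.
"""
from typing import Optional, Tuple

HOSTS_CORRECT = """\
127.0.0.1      localhost
10.100.10.10   qaserver.corpqa.example.com qaserver
"""

# The malformed form from the text: short name listed before the FQDN.
HOSTS_MALFORMED = """\
127.0.0.1      localhost
10.100.10.10   qaserver qaserver.corpqa.example.com
"""


def derived_fqdn(hosts_text: str, hostname: str) -> Optional[str]:
    """Return the first name on the line that lists `hostname`, or None if absent."""
    wanted = hostname.lower()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        names = fields[1:]
        if wanted in (n.lower() for n in names):
            return names[0]
    return None


def check_hosts_fqdn(hosts_text: str, hostname: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (fqdn, problem); problem is None when the entry is well formed."""
    fqdn = derived_fqdn(hosts_text, hostname)
    if fqdn is None:
        return None, "no /etc/hosts entry: the FQDN will come from the DNS A record"
    if "." not in fqdn:
        return fqdn, (f"first name on the line is {fqdn!r}, not an FQDN; "
                      "list the FQDN before the short name")
    if fqdn.split(".", 1)[0].lower() != hostname.lower():
        return fqdn, f"{fqdn!r} is not the FQDN of {hostname!r}"
    return fqdn, None


if __name__ == "__main__":
    for label, text in (("correct", HOSTS_CORRECT), ("malformed", HOSTS_MALFORMED)):
        print(label, check_hosts_fqdn(text, "qaserver"))
```

On a real host, read /etc/hosts and pass the output of hostname as the second argument; a returned problem string means ping -c 1 `hostname` will not report the FQDN you expect.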
Join a Linux Computer to Active Directory
A graphical user interface for joining a domain is included when you install the PBIS agent.
Important: To join a computer to a domain, you must have the user name and password of a user who has privileges to join computers to a domain and the full name of the domain that you want to join.
1. With root privileges, run the following command at the shell prompt of a Linux computer:
/opt/pbis/bin/domainjoin-gui
2. Continuing as root, in the Domain box, enter the Fully Qualified Domain Name (FQDN) of your Active Directory domain. Example: CORP.EXAMPLE.COM
Note: The domain join tool automatically sets the computer's FQDN by modifying the /etc/hosts file. For example, if your computer's name is qaserver and the domain is corpqa.example.com, the domain join tool adds the following entry to the /etc/hosts file: qaserver.corpqa.example.com. To manually set the computer's FQDN, see Join Active Directory Without Changing /etc/hosts.
3. To avoid typing the domain prefix before your user or group name each time you log on, that is, to force the computer to assume the default domain, select Enable default user name prefix and enter your domain prefix in the box. Example: CORP
4. Under Organizational Unit, you can optionally join the computer to an OU by selecting Specific OU path and then typing a path in the box. The OU path is from the top of the Active Directory domain down to the OU that you want.
Or, to join the computer to the Computers container, select Default.
5. Click Join Domain.
6. Enter the user name and password of an Active Directory account that has privileges to join computers to the domain and then click OK.
Note: If you do not use an Active Directory Domain Administrator account, you might not have sufficient privileges to change a machine object in Active Directory.
After you join a domain for the first time, you must restart the computer before you can log on.
Join a Mac Computer to Active Directory
Note: For Mac OS 10.8 and later, the GUI is no longer supported. For PBIS 7.0 and later, GUI on any Mac is not supported. Use the CLI commands. See Join Active Directory from the Command Line.
To join a computer running Mac OS X 10.6 or later to an Active Directory domain, you must have administrative privileges on the Mac and privileges on the Active Directory domain that allow you to join a computer.
Important: Apple's built-in service for interoperating with Active Directory must not be bound to any previous domains for PBIS to work properly. If you are migrating from Open Directory or Active Directory, see Turn Off OS X Directory Service Authentication.
1. In Finder, click Applications. In the list of applications, double-click PBIS Utilities, and then click Domain Join.
2. Enter a name and password of a local machine account with administrative privileges.
3. In the Computer name box, type the local hostname of the Mac without the .local extension. Because of a limitation with Active Directory, the local hostname cannot be more than 15 characters. Also: localhost is not a valid name.
Tip: To find the local hostname of a Mac, on the Apple menu, click System Preferences, and then click Sharing. Under the Computer Name box, click Edit. Your Mac's local hostname is displayed.
4. In the Domain to join box, type the fully qualified domain name of the Active Directory domain that you want to join.
5. Under Organizational Unit, you can join the computer to an OU in the domain by selecting OU Path and then typing a path in the OU Path box.
Note: To join the computer to an OU, you must be a member of the Domain Administrator security group.
Or, to join the computer to the Computers container, select Default to "Computers" container.
6. Click Join.
7. After you are joined to the domain, you can set the display login window preference on the Mac: On the Apple menu, click System Preferences, and then under System, click Accounts.
8. Click the lock and enter an administrator's name and password to unlock it.
9. Click Login Options, and then under Display login window as, select Name and password.
With PBIS Enterprise, the domain join utility includes a tool to migrate a Mac user's profile from a local user account to the home directory specified for the user in Active Directory; see Migrate a User Profile on a Mac.
Turn Off OS X Directory Service Authentication
If you are migrating from Open Directory or Active Directory and you had set authentication from the command line with dsconfigad or dsconfigldap, you must run the following commands to stop the computer from trying to use the built-in directory service even if the Mac is not bound to it:
dscl . -delete /Computers
dscl /Search -delete /CSPSearchPath /LDAPv3/FQDNforYourDomainController
dscl /Search -delete /CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete /CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete /CSPSearchPath /LDAPv3/FQDNforYourDomainController
Files Modified When You Join a Domain
When PBIS adds a computer to a domain, it modifies some system files. The files that are modified depend on the platform, the distribution, and the system's configuration. The following files might be modified.
To see a list of the changes that joining a domain will make to your operating system, execute the following join command:
domainjoin-cli join --advanced --preview domainName
Note: Not all the following files are present on all computers.
• /etc/nsswitch.conf (On AIX, the file is /etc/netsvcs.conf.)
• /etc/pam.conf on AIX, HP-UX, and Solaris
• /etc/pam.d/* on Linux
• /etc/ssh/{ssh_config,sshd_config} (or wherever sshd configuration is located)
• /etc/hosts (To join a domain without modifying /etc/hosts, see Join Active Directory Without Changing /etc/hosts.)
• /etc/apparmor.d/abstractions/nameservice
• /etc/X11/gdm/PreSession/Default
• /etc/vmware/firewall/services.xml
• /usr/lib/security/methods.cfg
• /etc/security/user
• /etc/security/login.cfg
• /etc/netsvc.conf
• /etc/krb5.conf
• /etc/krb5/krb5.conf
• /etc/rc.config.d/netconf
• /etc/nodename
• /etc/{hostname,HOSTNAME,hostname.*}
• /etc/sysconfig/network/config
• /etc/sysconfig/network/dhcp
• /etc/sysconfig/network/ifcfg-*
• /etc/sysconfig/network-scripts/ifcfg-*
• /etc/init.d or /sbin/init.d
• /etc/rcX.d/ (new files and links created)
• /etc/inet/ipnodes
As an example, the following table lists the files that are modified for the default configuration of the operating system of a few selected platforms (Solaris 9, Solaris 10, AIX 5.3, AIX 6.1, and Red Hat Enterprise Linux 5). Where the original table's check marks cannot be assigned to a specific column, only the number of platforms is given.
Modified Files
• /etc/nsswitch.conf (On AIX, the file is /etc/netsvcs.conf.): Solaris 9, Solaris 10, Red Hat Enterprise Linux 5
• /etc/pam.conf on AIX, HP-UX, and Solaris: Solaris 9, Solaris 10, AIX 5.3, AIX 6.1
• /etc/pam.d/* on Linux: Red Hat Enterprise Linux 5
• /etc/ssh/{ssh_config,sshd_config} (or wherever sshd configuration is located): three of the five platforms
• /etc/hosts: all five platforms
• /etc/apparmor.d/abstractions/nameservice: none of the five platforms
• /etc/X11/gdm/PreSession/Default: none of the five platforms
• /etc/vmware/firewall/services.xml: none of the five platforms
• /usr/lib/security/methods.cfg: AIX 5.3, AIX 6.1
• /etc/security/user: AIX 5.3, AIX 6.1
• /etc/security/login.cfg: one of the two AIX versions
• /etc/netsvc.conf: AIX 5.3, AIX 6.1
• /etc/krb5.conf: three of the five platforms
• /etc/krb5/krb5.conf: Solaris 9, Solaris 10
• /etc/rc.config.d/netconf: none of the five platforms
• /etc/nodename: Solaris 9, Solaris 10
• /etc/{hostname,HOSTNAME,hostname.*}: one of the five platforms
• /etc/sysconfig/network/config: none of the five platforms
• /etc/sysconfig/network/dhcp: none of the five platforms
• /etc/sysconfig/network/ifcfg-*: none of the five platforms
• /etc/sysconfig/network-scripts/ifcfg-*: none of the five platforms
• /etc/init.d or /sbin/init.d: none of the five platforms
• /etc/rcX.d/ (new files and links created): one of the five platforms
• /etc/inet/ipnodes: Solaris 9, Solaris 10
Logging on with Domain Credentials
PBIS includes the following logon options:
• Full domain credentials. Example: example.com\\hoenstiv
• Single domain user name. Example: example\\hoenstiv
• Alias. Example: stiv (For PBIS Enterprise, see Set a User Alias and Set a Group Alias.)
• Cached credentials
Important: When you log on from the command line, you must use a backslash to escape the backslash character, making the logon form DOMAIN\\username.
When you log on a Linux, Unix, or Mac OS X computer using your domain credentials, PBIS uses the Kerberos protocol to connect to Active Directory's key distribution center, or KDC, to establish a key and to request a Kerberos ticket granting ticket (TGT). The TGT lets you log on to other computers joined to Active Directory or applications provisioned with a service principal name and be automatically authenticated with Kerberos and authorized for access through Active Directory.
After logon, PBIS stores the password in memory and securely backs it up on disk. You can, however, configure PBIS to store logon information in a SQLite database, but it is not the default method. The password is used to refresh the user's Kerberos TGT and to provide NTLM-based single sign-on through the PBIS GSSAPI library. In addition, the NTLM verifier hash, a hash of the NTLM hash, is stored to disk to handle offline logons by comparing the password with the cached credentials.
PBIS stores an NTLM hash and LM hash only for accounts in PBIS's local provider. The hashes are used to authenticate users over CIFS. Since PBIS does not support offline logons for domain users over CIFS, it does not store the LM hash for domain users.
UPN Names
To use UPN names, you must raise your Active Directory forest functional level to Windows Server 2003, but raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from the domain. For more information, see Storage Modes.
See Also
Using PBIS for Single Sign-On
Configure PuTTY for Windows-Based SSO
Log on with AD Credentials
After the PBIS agent is installed and the Linux or Unix computer is joined to a domain, you can log on with your Active Directory credentials.
• Log on from the command line. Use a backslash to escape the backslash, making the logon form DOMAIN\\username.
Example with ssh: ssh example.com\\hoenstiv@localhost
• Log on the system console or the text login prompt using an Active Directory user account in the form of DOMAIN\username, where DOMAIN is the Active Directory short name.
Note: After you join a domain for the first time, you must reboot your computer before you can log on interactively through the console.
Example on Ubuntu:
Log on with SSH
You can log on with SSH by executing the ssh command at the shell prompt in the following format:
ssh DOMAIN\\username@localhost
Example: ssh example.com\\hoenstiv@localhost
III.Administration
Inthissection,reviewdetailedinformationaboutusingPBIS:
•UsingtheManagementConsole
•WorkingwithCells
•ManagingUsers,Groups,andComputers
•UsingtheDomain-JoinTool
•MigratingUserstoActiveDirectory
•LeavingaDomainandUninstallingthePBISAgent
•UsingSmartCardswithPBIS
•ManagingPBISLicenses
•PBISReporting
•MonitoringEventswiththeEventLog
•SingleSign-onUsingPBIS
•Command-LineReference
•ConfiguringPBISwiththeRegistry
PBISEnterpriseInstallationandAdministration III.Administration
BeyondTrust
®
June21,2013 94

Using the Management Console
You can use the console to do the following tasks:
• Run multiple instances of the console and point them at different domains.
• Run the console with a different user account.
• Upgrade your Active Directory schema.
• Obtain status information about your Active Directory forests and domains.
• Migrate Unix and Linux users and groups by importing passwd and group files and mapping the information to users and groups in Active Directory.
• Remove orphaned objects.
• Generate reports about users, groups, and computers.
• Start Active Directory Users and Computers (ADUC), Cell Manager, and the Migration tool.
Start the BeyondTrust Management Console
Depending on the options chosen during installation, the console can be started in the following ways:
• On the desktop of a Windows administrative workstation, double-click the BeyondTrust Management Console icon.
• Click Start, point to All Programs, click BeyondTrust PBIS, and then click BeyondTrust Enterprise Console.
• At the command prompt, execute the following commands:
cd %ProgramFiles%\BeyondTrust\PBIS\Enterprise\
iConsole.bmc
After you start the console, you can navigate to all other pages in the console, including the PBIS Status page.

The PBIS Status page displays the following information for the selected Active Directory forest. After you start the console, it may take a few moments to retrieve information about your domains.
PBIS Version: The PBIS version and build number. Technical support personnel may ask you for this information when you contact them for assistance.
Consistency check: Indicates whether Active Directory has been properly prepared for the current operating mode. Typically this status indicator reads as Good.
Cell count: Displays the number of cells that are associated with organizational units in the selected domain, including the default cell.
Mode: Either Directory Integrated or Schemaless. Directory Integrated indicates that the selected forest is using the RFC 2307-compliant schema. Schemaless indicates that it is not.
Licenses Installed: Indicates if valid product licenses are deployed.

Connect to a Domain
If PBIS detects more than one Active Directory forest, it displays them on the PBIS Status page. You can connect to a forest by double-clicking the forest name.
You can connect to another domain as follows:
1. In the BeyondTrust Management Console tree, right-click the Enterprise Console node, and then click Connect to Domain.
2. Enter the FQDN of the domain that you want to connect to.
3. Enter the credentials of an Active Directory administrator.
It is recommended that you use the AD Enterprise Administrators security group account.
Run the Directory Integrated Mode Wizard
After you install the BeyondTrust Management Console for the first time, you can run the Directory Integrated Mode Wizard to upgrade your Active Directory schema to Microsoft Windows Server 2003 R2, which provides support for RFC 2307.
Before you raise the forest functional level to Windows 2003, you must raise the domain functional level for each domain in your forest to Windows 2003. For more information, see Active Directory Domains and Trusts Help.
Note: Raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from the domain.
Forests that are in Windows 2008 Forest Mode are already in PBIS Directory Integrated mode. Forests in Windows 2003 Forest Mode with Windows 2003 R2 domain controllers can be moved to Directory Integrated mode without extending the AD schema.
You cannot roll back the changes that the Directory Integrated mode wizard makes to the Active Directory schema. Back up Active Directory before you run the wizard.
Running the Directory Integrated Mode Wizard
You only need to run the Directory Integrated Mode Wizard if you decided to use Directory Integrated Mode as your storage mode.
Ensure that you are familiar with the storage modes before upgrading your schema. See Storage Modes.

The wizard upgrades your schema to RFC 2307. If you are already using Windows Server 2003 R2, running the wizard indexes frequently searched attributes in the Active Directory global catalog.
1. On your Windows administrative workstation, use Active Directory Domains and Trusts to raise the forest functional level of your Active Directory forest to Windows 2003.
2. In the BeyondTrust Management Console tree, click Status.
3. In the left pane, click the forest for which you want to upgrade the schema.
4. Click Run Directory Integrated Mode Wizard.
Note: The Run Directory Integrated Mode Wizard button appears only if the forest has not been configured for PBIS and if you have not created any PowerBroker cells. In Schemaless mode, the button will reappear after you remove all your PowerBroker cells.
5. Follow the instructions in the wizard.
Changes Made by the Directory Integrated Mode Wizard
The Active Directory schema changes are applied from a set of LDAP Data Interchange Format (LDIF) files. The standard installation places these files in the following directory:
\Program Files\BeyondTrust\PBIS\Enterprise\Resources\LDF
After you have raised the domain and forest to 2003 functional levels, the PBIS domain configuration wizard makes the following changes, which are required for PBIS to run in Directory Integrated mode:

• Adds the Windows Server 2003 R2 schema extensions for Unix if they are not already part of the schema. Specifically, the wizard adds uid, uidNumber, gidNumber, gecos, unixHomeDirectory, and loginShell.
• Promotes the uid, uidNumber, and gidNumber attributes to the global catalog.
• Indexes the uid attribute.
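The three changes listed above can be verified against the schema partition after the wizard (and replication) has finished. The following is an added example, not PBIS code: it checks a dictionary of attributeSchema entries (constructed samples here, keyed by lDAPDisplayName) for the attributes, the global-catalog flag isMemberOfPartialAttributeSet, and the index bit of searchFlags.

```python
"""Post-wizard schema check: an added example, not PBIS code.

The guide lists what the Directory Integrated Mode Wizard must leave behind:
the six RFC 2307 attributes, three of them replicated to the global catalog,
and uid indexed.  In Active Directory each attributeSchema object records
global-catalog membership in isMemberOfPartialAttributeSet and indexing in
bit 0 (value 1) of searchFlags, so an administrator can confirm the wizard's
changes, or spot a forest where replication has not finished, without relying
on the console's Consistency check alone.  The schema dicts below are
constructed samples, not read from a live directory.
"""
from typing import Dict, List

RFC2307_ATTRIBUTES = ["uid", "uidNumber", "gidNumber", "gecos",
                      "unixHomeDirectory", "loginShell"]
GLOBAL_CATALOG_ATTRIBUTES = ["uid", "uidNumber", "gidNumber"]
INDEXED_ATTRIBUTES = ["uid"]
SEARCHFLAGS_INDEXED = 0x1  # fATTINDEX bit of searchFlags


def check_schema(schema: Dict[str, dict]) -> List[str]:
    """Return the wizard changes missing from `schema` (empty list = all present).

    `schema` maps an attribute's lDAPDisplayName to a dict with its
    "searchFlags" (int) and "isMemberOfPartialAttributeSet" (bool).
    """
    problems: List[str] = []
    for name in RFC2307_ATTRIBUTES:
        if name not in schema:
            problems.append(f"{name}: attribute missing from the schema")
    for name in GLOBAL_CATALOG_ATTRIBUTES:
        entry = schema.get(name)
        if entry is not None and not entry.get("isMemberOfPartialAttributeSet", False):
            problems.append(f"{name}: not replicated to the global catalog")
    for name in INDEXED_ATTRIBUTES:
        entry = schema.get(name)
        if entry is not None and not (entry.get("searchFlags", 0) & SEARCHFLAGS_INDEXED):
            problems.append(f"{name}: not indexed")
    return problems


# Constructed sample 1: Windows Server 2003 R2 extensions present, wizard not yet run.
SCHEMA_BEFORE = {name: {"searchFlags": 0, "isMemberOfPartialAttributeSet": False}
                 for name in RFC2307_ATTRIBUTES}

# Constructed sample 2: the same forest after the wizard's promotion and indexing.
SCHEMA_AFTER = {
    name: {"searchFlags": SEARCHFLAGS_INDEXED if name in INDEXED_ATTRIBUTES else 0,
           "isMemberOfPartialAttributeSet": name in GLOBAL_CATALOG_ATTRIBUTES}
    for name in RFC2307_ATTRIBUTES
}

if __name__ == "__main__":
    for label, schema in (("before", SCHEMA_BEFORE), ("after", SCHEMA_AFTER)):
        print(label, check_schema(schema) or ["all wizard changes present"])
```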
Replication in a Large Forest or in Multiple Domains
When you set up PBIS in an environment with a large forest or multiple domains, it may take some time for the PBIS objects and the schema update to replicate to the rest of the domain.
Replication must complete before the domain and its child domains are fully enabled for PBIS. You will be unable to connect to a child domain until replication finishes.
Add a Plug-In
The console includes several plug-ins: Access and Audit Reporting, Enterprise Database Management, and the Operations Dashboard.
1. In the console, on the File menu, click Add/Remove Plug-in.
2. Click Add.
3. Click the plug-in that you want, and then click Add.
4. Click Close, and then click OK.

Working with Cells
A PowerBroker cell contains Unix settings for Active Directory users and groups so they can log on to Linux, Unix, and Mac OS X computers.
For each user, the settings include a Unix user identifier (UID), the group identifier (GID) of the primary group, a home directory, and a shell.
For more about what a PowerBroker cell is, see PowerBroker Cells.
Checkpoint – Ensure the account you are using to manage PowerBroker cell properties is a member of the Domain Admins group or Enterprise Admins group. The account needs privileges to create and change objects and child objects in Active Directory.
The following topics explain how to create and use PowerBroker cells.
Create a Cell and Associate it with an OU or a Domain
To associate a cell with an OU, for example, you must be a member of the Domain Administrators security group, or you must have been delegated control to create container objects within the OU.
Important: Before you associate a cell with an OU, make sure you chose the schema mode that you want. You cannot easily change the schema mode after you create a cell, including a default cell.
1. Start Active Directory Users and Computers.
2. In the console tree, right-click the OU or the domain for which you want to create a cell, click Properties, and then click the PowerBroker Cell Settings tab.
Important: Do not create a cell in the built-in OU named Domain Controllers.

3. Under PowerBroker Cell Information, select the Create Associated PowerBroker Cell check box, and then click OK.
You can now associate users with the cell.

Moving a Computer to Another Cell
When you move a computer from one cell to another, you must do the following if you want the cell information to be updated immediately on the client:
• Clear the authentication cache for user and group membership: lsass-adcache.db. For instructions, see Clear the Authentication Cache.
• Restart the PBIS authentication service by running this command as root: /opt/pbis/bin/lwsm restart lsass
• Force the computer to refresh its Group Policy settings by running this command as root: /opt/pbis/bin/gporefresh
Create a Default Cell
You can create a default cell that maps computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers. PBIS Enterprise does not require a default cell.
A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such cases, the group policies associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell.
To create a default cell:
1. Start Active Directory Users and Computers.
2. Right-click the name of your domain, and then select Properties.
3. Select the PowerBroker Cell Settings tab, and then select the Create Associated PowerBroker Cell check box.

Use Pre-Existing RFC 2307 Data
To recognize and use pre-existing Unix data that is stored in Active Directory with RFC 2307 attributes, make sure PowerBroker Identity Services is in schema mode and then create a default cell.
Associate a User with Cells
In Active Directory Users and Computers, you can associate a user with one or more PowerBroker cells to give the user access to the Linux, Unix, and Mac OS X computers that are members of each cell.
Note: To associate a user with a cell, you must log on with sufficient administrative privileges—for example, as a member of the Domain Administrators group.
1. Start Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the details pane, right-click the user that you want, and then click Properties.
4. Select the PowerBroker Cell Settings tab.
5. Under PowerBroker Cells, select the check box for the cell that you want to associate the user with.
You can select more than one cell.
Under User info for cell, a default GID value, typically 100000, is automatically populated in the GID box.
Note: The user's settings can vary by cell.
6. To set the UID, click Suggest, or type a value in the UID box.
See Also
Assign a Group ID
Add a Group to a Cell
You can add an Active Directory group to a cell after you have associated a cell with an organizational unit (OU).
1. On your Windows administrative workstation, start Active Directory Users and Computers.

2. In the console tree, right-click the OU with an associated cell to which you want to add a group, click Properties, and then click the PowerBroker Cell Settings tab.
3. Click Add, select the group that you want to add, and then click OK.
Add a User to a Cell
You can add an Active Directory user to a cell after you have associated a cell with an organizational unit (OU).

1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, right-click the OU with an associated cell to which you want to add a user, click Properties, and then click the PowerBroker Cell Settings tab.
3. Click Add, locate and select the user that you want to add, and then click OK.

Modify PowerBroker Cell Settings in ADUC
In Microsoft Active Directory Users and Computers, you can modify your PowerBroker cell settings for a domain, an organizational unit, a group, or a user.
PBIS adds a tab to the dialog of the following objects in the Active Directory Users and Computers MMC snap-in:
• Domain: PowerBroker Cell Settings
• Users: PowerBroker Cell Settings
• Groups: PowerBroker Cell Settings
• Organizational Units:
– PowerBroker Cell Settings (for the associated cell)
– Group Policy (with PBIS Enterprise)
Important: To change the settings, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or another group that gives you sufficient privileges to modify objects in Active Directory. Or you must have been delegated privileges to modify the settings of the objects that you want to change; for more information, see Delegate Management.
1. Start Active Directory Users and Computers.
2. In the console tree, right-click the object that you want to change, click Properties, and then click the PowerBroker Cell Settings tab.
3. Change the properties as required, and then click OK.
Link Cells
When you link cells, computers in one cell can be accessed by the users in the cell that you link to (the linked cell).
For more information about linking cells, see PowerBroker Cells.
In the following scenario, a link is created to the Engineering cell. With this link, users in the Engineering cell can access the computers in the Accounting cell:

1. On your administrative workstation, start Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit that is associated with the cell you want to link to another cell, and then click Properties.
3. Click the PowerBroker Cell Settings tab.
4. Click Linked Cells, click Add, click the cell that you want, and then click OK.
5. When you link to multiple cells, the order that you set is important because it controls the search order. The cells are searched in the order listed. Use Move Up or Move Down to set the order of the cells. See Linking to Multiple Cells.
6. Click OK.
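Two rules from this chapter decide which settings a user actually gets on a given computer: the computer takes its mappings from the nearest parent cell or the default cell (see Create a Default Cell), and a cell's linked cells are searched in the order listed (step 5 above). The following is an added illustrative model of those two rules, not PBIS code; the DNs, cell names and users are constructed, and the Accounting-to-Engineering link is the scenario described above.

```python
"""Model of PBIS cell resolution: an added illustrative example, not PBIS code.

It follows two rules stated in this guide:
  * a computer whose OU has no cell takes its UID/GID mappings from the nearest
    parent cell, or from the default cell (the cell associated with the domain);
  * when a cell links to other cells, users are looked up in the cell itself and
    then in its linked cells, in the order listed.
Cells are keyed by the DN of the OU (or domain) they are associated with, so the
default cell is simply the last ancestor reached when walking up a DN.  All DNs,
cell names and users below are constructed sample data.  DN parsing assumes no
escaped commas inside RDN values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UnixSettings:
    uid: int
    gid: int = 100000                 # default GID that ADUC pre-populates
    login_name: Optional[str] = None  # per-cell alias; None = AD logon name


@dataclass
class Cell:
    name: str
    dn: str                                 # DN of the associated OU or domain
    users: Dict[str, UnixSettings]          # AD logon name -> settings in this cell
    linked: List[str] = field(default_factory=list)  # linked cells, search order


def parent_dn(dn: str) -> Optional[str]:
    """Drop the leftmost RDN: 'OU=a,OU=b,DC=x' -> 'OU=b,DC=x'; None above the root."""
    _head, sep, rest = dn.partition(",")
    return rest if sep else None


def cell_for_computer(computer_dn: str, cells: Dict[str, Cell]) -> Optional[Cell]:
    """Nearest cell on the path from the computer's container up to the domain."""
    by_dn = {c.dn: c for c in cells.values()}
    dn = parent_dn(computer_dn)  # the container the computer object sits in
    while dn is not None:
        if dn in by_dn:
            return by_dn[dn]
        dn = parent_dn(dn)
    return None  # no cell anywhere above, not even a default cell


def resolve_user(logon: str, cell: Cell,
                 cells: Dict[str, Cell]) -> Optional[Tuple[str, UnixSettings]]:
    """Look the user up in `cell`, then in its linked cells in the listed order."""
    for name in [cell.name] + cell.linked:
        if logon in cells[name].users:
            return name, cells[name].users[logon]
    return None


def effective_settings(computer_dn: str, logon: str,
                       cells: Dict[str, Cell]) -> Optional[Tuple[str, UnixSettings]]:
    """Which cell's settings a user gets when logging on to a given computer."""
    cell = cell_for_computer(computer_dn, cells)
    return resolve_user(logon, cell, cells) if cell else None


# Constructed sample forest: a default cell on the domain, an Engineering cell,
# and an Accounting cell linked to Engineering (the scenario in the guide).
CELLS: Dict[str, Cell] = {
    "Default": Cell("Default", "DC=example,DC=com",
                    {"hoenstiv": UnixSettings(uid=30001)}),
    "Engineering": Cell("Engineering", "OU=Engineering,DC=example,DC=com",
                        {"hoenstiv": UnixSettings(uid=20001, login_name="stiv")}),
    "Accounting": Cell("Accounting", "OU=Accounting,DC=example,DC=com",
                       {"acct01": UnixSettings(uid=10001)},
                       linked=["Engineering"]),
}

if __name__ == "__main__":
    # Server in a sub-OU of Accounting with no cell of its own -> Accounting cell;
    # hoenstiv is then found through the link to Engineering (UID 20001).
    print(effective_settings(
        "CN=acct-srv01,OU=Servers,OU=Accounting,DC=example,DC=com", "hoenstiv", CELLS))
    # Lab machine in an OU with no cell -> default cell (UID 30001 for the same user).
    print(effective_settings("CN=lab01,OU=Lab,DC=example,DC=com", "hoenstiv", CELLS))
```

The same logon name resolving to two different UIDs on the two machines is exactly the "settings can vary by cell" behaviour the chapter describes.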

Delegate Control to Create Container Objects
To associate a PowerBroker cell with an Active Directory organizational unit, an administrator must have permission to create container objects within the OU. A member of the Domain Administrators or Enterprise Administrators security group can delegate control of the OU to another administrator.
1. In Active Directory Users and Computers, in the console tree, right-click the OU for which you want to delegate permissions, and then click Delegate Control.
2. Click Next.
3. Click Add, find the user that you want, click OK, and then click Next.
4. Select Create a custom task to delegate, and then click Next.
5. Select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
6. Under Permissions, select the following, and then click Next:
Read
Write
Create All Child Objects
Delete All Child Objects
Read All Properties
Write All Properties

7. Click Finish.
For more information about delegating control, see Delegating Administration in Active Directory Users and Computers Help.
Administering Cells with Cell Manager
Cell Manager is a PBIS MMC snap-in for managing cells associated with Active Directory organizational units.
With Cell Manager, you can delegate management, change permissions for a cell, add cells, view cells, and associate cells with OUs to provide users and groups with Linux and Unix access. Cell Manager also lets you connect to another domain and filter cells to reduce clutter.
Cell Manager is automatically installed when you install the BeyondTrust Management Console.
The following topics cover using Cell Manager to perform specific tasks.
Start Cell Manager
To start Cell Manager:
1. In the BeyondTrust Management Console, expand Enterprise Console and click Diagnostics & Migration.
2. Under Tasks, click Launch Cell Manager.
Tip: To start Cell Manager from the Start menu, click Start, point to All Programs, click BeyondTrust PBIS, and then click PowerBroker Cell Manager.

Delegate Management
You can use Cell Manager to create an access control list (ACL) that allows users or groups without administrative privileges to manage PowerBroker cells.
For example, you can assign permissions to particular users to add users or remove users from a cell.
1. In the Cell Manager console tree, right-click the folder of the cell, and then click Delegate Control.
2. Click Start.
3. Click Add, and then choose the users or groups that you are delegating permissions to.
4. Click Next, and then select the permissions that you want to assign.

5. Review the information that you entered, and then click Finish.
Change Permissions of a Cell, Group, or User
To change the permissions of a cell, a group, or a user:
1. In the Cell Manager console tree or in the details pane, right-click the object that you want to change permissions for, and then click Properties.
Tip: To select multiple users or groups, in the details pane, hold down CTRL and click the users or groups that you want to change.
2. Click Permissions.
3. Change the permissions, and then click OK.
Add a Cell
When you add a cell, you must attach it to an organizational unit (OU) in Active Directory. To add a cell:
1. In the Cell Manager console tree, right-click the top-level Cell Manager domain node, point to New, and then click Cell.

2. In the list of OUs, expand the tree and then click the OU to which you want to attach the cell.
Note: You cannot attach a cell to the top-level node (the domain).
3. On the Cell Defaults page, select the following:
– Default Home directory – type the path for the home directory that you want to set for users in the cell—for example, /home/%D/%U.
Important: When you set the home directory, you must use the default user name variable (%U). You can set the default domain name using the domain name variable (%D) but it is not required.
– Default login shell – type the path to the default shell that you want to use—for example, /bin/sh.
– Enable your user account in the cell – select to add your account to the cell.
4. Select the Create Group Policy Object check box to create a GPO for the OU.
– Forward audit event to
– Prepend default domain name to AD users and groups
– Set group policy refresh interval
5. Click Start.
Give a User Access to a Cell
When you give a user access to a cell using Cell Manager, you can add the new user to the cell only with default attributes.
You can change the attributes later using Active Directory Users and Computers; see Specify a User ID and Unix or Linux Settings.
1. In the Cell Manager console tree, right-click the cell that you want to give a user access to, point to New, and then click User.
2. Click OK.
3. On the Select Users dialog box, enter the name of the user, and then click OK.

Give a Group Access to a Cell
When you give a group access to a cell using Cell Manager, you can add the new group to the cell only with default attributes. You can change the attributes later using Active Directory Users and Computers.
1. In the Cell Manager console tree, right-click the cell that you want to give a group access to, point to New, and then click Group.
2. Click OK.
3. On the Select Groups dialog box, enter the name of the group, and then click OK.
Filter Cells
You can use filtering to set the maximum number of cells to display and show only the cells that match a pattern.
1. In the Cell Manager console tree, right-click the top-level Cell Manager domain node, and then click Filter.
2. Set the filtering values that you want to use:
– Maximum number of cells to display – Enter the number of cells to display. The default is 300.
– Only show cells that match pattern –
– Interpret pattern as regular expression
3. Click OK.
Connect to a Different Domain
Even though users and groups imported from a different domain appear in Cell Manager, you cannot modify their settings from outside their original domain.
To modify the settings of a user or group imported from another domain, use Cell Manager to connect to that domain and then make the changes that you want.
1. In the Cell Manager console tree, right-click the top-level Cell Manager domain node, and then click Connect To Domain.
2. In the Domain box, type the domain, or click Browse, and then locate the domain that you want.

Managing Users, Groups, and Computers
Using PBIS Enterprise, you can manage users, groups, and computers—including Unix, Linux, and Mac computers—in Active Directory Users and Computers.
Create a User
To create a Unix or Linux user account in Active Directory, you must have sufficient administrative privileges—for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.
On your Windows administrative workstation, start Active Directory Users and Computers.
1. In the console tree, right-click Users, point to New, and then click User.
2. Enter the name and logon name information for the user, and then click Next.
Tip: For more information, see "Create a New User Account" in Active Directory Users and Computers Help.
3. Type a password for the user, select the password options that you want, and then click Next.
4. Click Finish.
5. In the console tree, right-click the user that you just created, and then click Properties.

6. Click the PowerBroker Cell Settings tab.
7. Select the check box for the cell that you want to associate the user with. The user's settings can vary by cell.
8. In the User info for cell section, set the following:
– UID – Click Suggest, or type a value in the box.
– GID – Select Domain Users from the list. A value is automatically populated in the box.
– Login Name – Enter a logon name (optional). You can enter a logon name that is different than the user's Active Directory logon name. The user must log on to Linux and Unix computers using the Active Directory logon account if you do not enter a logon name.

– Home Directory – To override the default home directory, type the directory that you want to set for the user.
– Login Shell – Enter a login shell if you want to override the default.
– Comment (GECOS) – Enter a comment (optional).
See Also
Create a Cell
Finding Users and Groups in ADUC
Because of a limitation with the Active Directory Users and Computers snap-in, when you try to find a PBIS user or group by right-clicking an OU and then clicking Find, the user or group will not appear in the results even when the user or group is in the OU. The Find command does, however, work at the domain level.
As an alternative, you can find PBIS users and groups in an OU using the following procedure:
1. In the console tree, right-click the OU with an associated cell in which you want to find a user or a group, click Properties, and then click the PowerBroker Cell Settings tab.

2. Click Add and use the dialog box that appears to find the object that you want.
Provision a User with Linux or Unix Access
To provide an Active Directory user with Unix, Linux, or Mac access, you must have sufficient administrative privileges—for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.
Tip: For a Mac OS X user, limit group membership to less than 45 groups that are enabled for Unix access. Because of a limitation with Mac OS X, membership in groups other than the primary group is not enumerated for a user who belongs to more than 45 groups.

1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, right-click the user that you want, and then click Properties.
3. Click the PBIS Settings tab.
4. Under PowerBroker Cell Settings, select the check box for the cell that you want to give the user Linux or Unix access.
Note: If no cells appear under PowerBroker Cells, see Create a Cell or Create a Default Cell.
5. In the User info for cell section, set the following:
– UID – Click Suggest, or type a value in the UID box.
Note: The user's settings can vary by cell.

– GID – The default value, typically the GID for the Domain Users group, is automatically populated in the GID box. To change the GID, select the group that you want from the drop-down list.
Note: If the group that you want is unavailable, you must first add the group to the cell; see Add a Group to a Cell.
– Login Name – Enter a logon name (optional). You can enter a logon name that is different than the user's Active Directory logon name. The user must log on to Linux and Unix computers using the Active Directory logon account if you do not enter a logon name.
– Home Directory – To override the default home directory, type the directory that you want to set for the user.
– Login Shell – Enter a login shell if you want to override the default.
– Comment (GECOS) – Enter a comment (optional).
Provision a Group with Linux or Unix Access
To provide an Active Directory group with Unix, Linux, or Mac access, you must have sufficient administrative privileges—for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.
1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, right-click the group that you want, and then click Properties.
3. Click the PBIS Settings tab.
4. Under Cells, select the check box for the cell that you want to provide the group access to.
Note: If no cells appear under PowerBroker Cells, see Create a Cell or Create a Default Cell.

5. In the Group info for cell section, set the following:
– GID – Click Suggest, or type a value in the GID box.
– Group Alias – Set an alias for the group (optional). The alias applies only within the cell.
Specify a User ID and Unix or Linux Settings
You can set a user's identifier (UID) and specify the user's Unix, Linux, or Mac OS X settings.
Note: To provide a user with a UID and Unix or Linux settings, you must have sufficient administrative privileges—for example, as a domain administrator or as a delegate. To delegate administrative privileges to another user, see Delegate Management.
1. On your administrative workstation, start Active Directory Users and Computers.
2. In the console tree, click Users.

3. In the details pane, right-click the user that you want, and then click Properties.
4. Click the PBIS Settings tab.
5. In the PowerBroker Cells section, select the check box for the cell that you want to associate the user with.
6. In the User info for cell section, set the following:
– UID – Click Suggest, or type a value in the UID box.
– GID – The GID is automatically populated. Select a group from the list to change the primary group for the user account.
Tip: Generate a report showing duplicate UIDs. You can generate a report that shows duplicate UIDs. For more information, see Configuring the PBIS Reporting Database and Generate a Sample Report.

– Login Name – Enter a logon name (optional). You can enter a logon name that is different than the user's Active Directory logon name. The user must log on to Linux and Unix computers using the Active Directory logon account if you do not enter a logon name.
– Home Directory – To override the default home directory, type the directory that you want to set for the user.
– Login Shell – Enter a login shell if you want to override the default.
– Comment (GECOS) – Enter a comment (optional).
See Also
Resolve an AD Alias Conflict with a Local Account
Apply Unix or Linux Settings to Multiple Users
PowerBroker Identity Services lets you apply Unix, Linux, and Mac OS X settings to multiple users at the same time. For example, you can assign multiple users to a cell and then set their home directory.
The users must be members of a group that is associated with a cell and each user must have a UID-GID mapping.
Note: To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify the settings of the user objects that you want to change; for more information, see Delegate Management.
1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, click Users, or expand the container that holds the users that you want.
3. In the details pane, hold down CTRL and click the users that you want.
4. Right-click the selected range of users, click Properties, and then click the PowerBroker Cell Settings tab.
5. Under UNIX/Linux User Information, select the check box for the cell to which you want to assign the users.
By assigning the users to a cell, you are enabling them for access to the Unix, Linux, and Mac OS computers that are in the cell.
6. Under User Info, make the changes that you want.
You can specify a GID for the users, and you can set their login shell and home directory.

Set a User Alias
You can set an alias for an Active Directory user so that the user can use the alias to log on a Linux, Unix, or Mac OS X computer joined to Active Directory. The alias is set only for the cell that you select when you set it.
1. On your Windows administrative workstation, in Active Directory Users and Computers, expand the folder for your domain, and then expand Users.
2. Right-click the user that you want, click Properties, and then click the PowerBroker Cell Settings tab.
3. In the PowerBroker Cells section, click the cell that you want the user's alias to apply in.
4. In the Login Name box, type an alias for the user.

Set a Group Alias
You can create an alias for a group that is part of a PowerBroker cell, including the default cell. The group can use the alias within the cell.
1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the list of users, right-click the group that you want, and then click Properties.
4. Click the PowerBroker Cell Settings tab.
5. In the PowerBroker Cells section, select the check box for the cell that you want to set a group alias for.
6. Type an alias in the Group Alias box.
Tip: Generate a report showing duplicate group aliases. You can generate a report that shows duplicate group aliases. For more information, see Configuring the PBIS Reporting Database and Generate a Sample Report.
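The two tips about duplicate UIDs (under Specify a User ID and Unix or Linux Settings) and duplicate group aliases (above) describe the same check: an identifier claimed by more than one object in the same cell. The following is an added example, not the PBIS reporting database or its sample reports; it runs that check over constructed cell records, comparing only within a cell because the guide says settings vary by cell.

```python
"""Duplicate UID and group alias report: an added example, not the PBIS reporting
database or its sample reports.

This guide points twice at a report for duplicate UIDs and duplicate group
aliases.  Within one cell, two AD users with the same UID are one Unix identity
on every computer in that cell (file ownership, sudo rules and audit trails
cannot tell them apart), and two groups with the same alias collide the same
way.  The functions below take constructed cell records and list each UID or
alias claimed by more than one object in the same cell.
"""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, NamedTuple, Tuple


class CellUser(NamedTuple):
    cell: str
    logon: str  # Active Directory logon name
    uid: int    # UID assigned to the user in this cell


class CellGroup(NamedTuple):
    cell: str
    name: str   # Active Directory group name
    alias: str  # alias within this cell, "" if none is set


def _collisions(entries: Iterable[Tuple[str, Any, str]]) -> Dict[str, Dict[Any, List[str]]]:
    """Group (cell, key, owner) triples; keep the keys with more than one owner per cell.

    Keys are compared only within a cell: the guide says a user's settings can
    vary by cell, so the same UID in two different cells is not a collision.
    """
    seen: Dict[str, Dict[Any, List[str]]] = defaultdict(lambda: defaultdict(list))
    for cell, key, owner in entries:
        seen[cell][key].append(owner)
    report: Dict[str, Dict[Any, List[str]]] = {}
    for cell, keys in seen.items():
        dupes = {key: owners for key, owners in keys.items() if len(owners) > 1}
        if dupes:
            report[cell] = dupes
    return report


def duplicate_uids(users: Iterable[CellUser]) -> Dict[str, Dict[Any, List[str]]]:
    """cell -> {uid: [logon names]} for every UID shared by two or more users in a cell."""
    return _collisions((u.cell, u.uid, u.logon) for u in users)


def duplicate_aliases(groups: Iterable[CellGroup]) -> Dict[str, Dict[Any, List[str]]]:
    """cell -> {alias: [group names]} for every alias shared by two or more groups in a cell."""
    return _collisions((g.cell, g.alias, g.name) for g in groups if g.alias)


# Constructed sample records, as an export of two cells might look.
SAMPLE_USERS = [
    CellUser("Engineering", "hoenstiv", 20001),
    CellUser("Engineering", "jsmith", 20001),    # collides with hoenstiv
    CellUser("Engineering", "rlee", 20002),
    CellUser("Accounting", "acct01", 20001),     # same UID, different cell: fine
]
SAMPLE_GROUPS = [
    CellGroup("Engineering", "Dev Team", "dev"),
    CellGroup("Engineering", "DevOps", "dev"),   # collides with Dev Team
    CellGroup("Engineering", "QA", ""),          # no alias set
    CellGroup("Accounting", "Finance", "dev"),   # same alias, different cell: fine
]

if __name__ == "__main__":
    print("duplicate UIDs:", duplicate_uids(SAMPLE_USERS))
    print("duplicate group aliases:", duplicate_aliases(SAMPLE_GROUPS))
```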
Set the Default Home Directory
There are three ways that you can set the default home directory for Linux, Unix, and Mac OS X users:
• On the PowerBroker Cell Settings tab for an organizational unit's properties in Active Directory Users and Computers.
• Select multiple users in Active Directory Users and Computers and then set their default home directory.
• On the PowerBroker Cell Settings tab for the user's properties in Active Directory Users and Computers.
When you set the default home directory, you must use the default user name variable (%U). You can use the default domain name using the domain name variable (%D) but it is not required.
Important: On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.
See also:
• Set the Home Directory for a Cell
• Set the Home Directory for Multiple Users
• Set the Home Directory for a Single User
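The rules just stated (the %U variable is required, %D is optional, and on Solaris local home directories belong under /export/home rather than /home) can be checked before a template is typed into a cell or user property. The following is an added example, not PBIS code: it validates a template against those rules and expands it for one user, assuming %U and %D are substituted by plain textual replacement as the guide's /home/%D/%U example suggests.

```python
"""Home directory template checks: an added example, not PBIS code.

The guide requires the user name variable %U in a home directory template,
allows the domain variable %D, and warns that on Solaris local home
directories belong under /export/home because /home is managed by autofs.
validate_home_template() applies those rules; expand_home() substitutes the two
variables for one user (assumed here to be plain textual replacement, as the
guide's /home/%D/%U example suggests) and refuses values that would place the
home directory outside the tree the template was meant to confine users to.
"""
import posixpath
from typing import List


def validate_home_template(template: str, solaris: bool = False) -> List[str]:
    """Return the rule violations for a cell or user home directory template."""
    problems: List[str] = []
    if not template.startswith("/"):
        problems.append("template must be an absolute path")
    if "%U" not in template:
        problems.append("template must contain the user name variable %U")
    if solaris and (template == "/home" or template.startswith("/home/")):
        problems.append("on Solaris /home is managed by autofs; use a path under /export/home")
    return problems


def expand_home(template: str, user: str, domain: str) -> str:
    """Expand %D and %U for one user, e.g. /home/%D/%U -> /home/example.com/hoenstiv."""
    for value in (user, domain):
        # A logon alias or domain containing a path separator or a dot-segment
        # would escape the directory the template was meant to confine users to.
        if "/" in value or value in ("", ".", ".."):
            raise ValueError(f"unsafe value for a home directory variable: {value!r}")
    return posixpath.normpath(template.replace("%D", domain).replace("%U", user))


if __name__ == "__main__":
    for tmpl, solaris in (("/home/%D/%U", False), ("/home/%D", False),
                          ("/home/%U", True), ("/export/home/%U", True)):
        platform = "solaris" if solaris else "linux"
        print(tmpl, platform, validate_home_template(tmpl, solaris) or "OK")
    print(expand_home("/home/%D/%U", "hoenstiv", "example.com"))
```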

Set the Home Directory for a Cell
To set a default home directory for a cell, you must have Active Directory administrative privileges to modify OU objects.
1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, right-click the OU, and then click Properties.
3. Click the PowerBroker Cell Settings tab.
4. Under PowerBroker Cell Information, in the Default Home Directory box, type the home directory that you want to set for the groups and users in the cell.
Set the Home Directory for Multiple Users
To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.
1. On your administrative workstation, start Active Directory Users and Computers.
2. In the console tree, expand Users, or expand the container that holds the users that you want.
3. In the details pane, hold down CTRL and click the users that you want.
4. Right-click on the selected range of users, click Properties, and then click the PowerBroker Cell Settings tab.
5. In the UNIX/Linux User Information section, select the check box for the cell that contains the users whose home directory you want to set.
Note: Selecting a check box for a cell assigns the selected users to the cell and gives them access to the Unix, Linux, and Mac OS computers that are in the cell. If the check box for the cell that you want is already selected, click the name of the cell.
6. In the Home Directory box, type the path for the home directory that you want to set—for example, /home/%D/%U.

Set the Home Directory for a Single User
To change a user's settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.
1. On your administrative workstation, start Active Directory Users and Computers.
2. In the console tree, expand Users.
3. Right-click the user that you want, and then click Properties.
4. Click the PowerBroker Cell Settings tab.
5. In the PowerBroker Cells section, select the cell where the user is a member.
6. In the Home Directory box, type the path for the home directory that you want to set—for example, /home/%D/%U.
Set the Default Login Shell
By using PowerBroker Identity Services, there are three ways to set the default login shell for Linux, Unix, and Mac OS X users:
• Using the PowerBroker Cell Settings tab for an organizational unit's properties in Active Directory Users and Computers.
• Select multiple users in Active Directory Users and Computers and then set their default login shell.
• Set a user's default login shell using the PowerBroker Cell Settings tab in Active Directory Users and Computers.
See also:
• Set the Login Shell for a Cell
• Set the Login Shell for Multiple Users
• Set the Login Shell for a Single User
Set the Login Shell for a Cell
To set a default login shell for a cell, you must have Active Directory administrative privileges to modify OU objects.
1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, right-click the OU where you want to set a login shell, and then click Properties.

3. Click the PowerBroker Cell Settings tab.
4. In the PowerBroker Cell Information section, in the Default Login Shell box, type the login shell that you want to set for the users and groups in the cell.
Set the Login Shell for Multiple Users
To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.
1. On your administrator workstation, start Active Directory Users and Computers.
2. In the console tree, expand Users, or expand the container that holds the users that you want.
3. In the details pane, hold down CTRL and click the users that you want.
4. Right-click on the selected range of users, click Properties, and then click the PowerBroker Cell Settings tab.
5. In the UNIX/Linux User Information section, select the check box for the cell that contains the users whose login shell you want to set.
Note: Selecting a check box for a cell assigns the selected users to the cell and gives them access to the Unix, Linux, and Mac OS computers that are in the cell. If the check box for the cell that you want is already selected, click the name of the cell.
6. In the Login Shell box, type the login shell that you want to set—for example, /bin/sh.
Set the Login Shell for a Single User
To change a user's settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.
1. On your administrator workstation, start Active Directory Users and Computers.
2. In the console tree, expand Users.
3. Right-click the user that you want, click Properties, and then click the PowerBroker Cell Settings tab.
4. In the PowerBroker Cells section, click the cell for which you want to set the user's login shell.
5. In the Login Shell box, type the login shell that you want to set, for example, /bin/bash.

Assign a Group ID

You can assign a group identifier (GID) to an Active Directory group by associating the group object with a cell and specifying a GID value for the group object.

The GID information that you enter is applied to all objects in the group. However, subgroups nested within the settings do not carry down; you must apply the GID information to subgroups individually.

Note: To assign a group ID, you must log on with privileges sufficient to modify the object.

1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the details pane, right-click a group object or any container object, and then click Properties.
4. Click the PowerBroker Cell Settings tab.
5. In the Cells section, select the check box for the cell that you want to associate with the group object.
6. In the Group info for cell section, set the following:
– GID: Click Suggest, or in the GID box type the group identifier that you want to assign to the group.
Tip: You can generate a report that shows duplicate GIDs. For more information, see Configuring the PBIS Reporting Database and Generate a Sample Report.
– Group Alias: Type an alias for the group (optional).
– Description: Enter a description (optional).

Disable a User

To disable a user, you must log on as a domain administrator or as a member of another group that gives you privileges sufficient to modify Active Directory user objects.

Note: When a computer cannot communicate with a domain controller, a user whose account was disabled on the domain controller, but who logged on to the computer prior to their account being disabled, can continue to log on until you clear the cache or until the computer regains communication with the domain controller. By default, the cache expires after 4 hours. You can configure the interval using a PBIS Group Policy setting or, if the policy setting has not been configured, by modifying the registry using the PBIS config tool.

1. On your Windows administrative workstation, start Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the details pane, right-click the user that you want to disable, and then click Properties.
4. Click the PowerBroker Cell Settings tab.
5. In the PowerBroker Cells section, clear the check boxes for the cells where you want to disable the user.
To disable the user's access to all Linux, Unix, and Mac OS X computers, clear all the check boxes. Clearing cell check boxes removes only the user's access through PBIS; the Active Directory account itself stays enabled unless you disable it separately.

Improve MMC Performance When Accessing Settings in ADUC

When the Microsoft Management Console (MMC) loads a snap-in such as Active Directory Users and Computers (ADUC), it checks for certificate revocations. To improve MMC performance after PBIS is installed on your Windows administrative workstation, you can reconfigure Internet Explorer's security options to not check for certificate revocation and reconfigure Windows to not update root certificates.

Important: Although these changes can improve performance, they can also affect your administrative workstation's security policy. With revocation checking turned off, the workstation accepts a publisher or server certificate even after its issuer has revoked it. Before making these changes, determine whether they are permitted by your IT security policy.

1. Close all instances of the Microsoft Management Console. Windows Task Manager should show no instances of mmc.exe.
2. Start Internet Explorer. The following steps assume you are using IE 7; for additional information or instructions for other versions of Windows, see Microsoft.com.
3. On the Tools menu, click Internet Options.
4. Click the Advanced tab, and then in the list under Security clear the check boxes for the following options:
• Check for publisher's certificate revocation
• Check for server certificate revocation
• Check for signatures on downloaded programs
• Allow software to run or install even if the signature is invalid
5. Click OK.
6. In Control Panel, go to Add or Remove Programs. The following steps assume you are using Windows Server 2003.
For additional information and instructions for other versions of Windows, see Microsoft.com. For computers running Windows 2008, for instance, you can turn off automatic root certificates updates by using a Microsoft Group Policy setting; see Certificate Support and the Update Root Certificates Component.
7. Click Add/Remove Windows Components, and then in the list under Components clear the Update Root Certificates check box.
8. Apply the changes and then restart the Microsoft Management Console.

Extend File Mode Permissions with POSIX ACLs

When you have to grant multiple users or groups access to a file, directory, or Samba share on a Linux server, you can use POSIX access control lists to extend the standard file mode permissions.

Because Linux and Unix file mode permissions control access only for a single user, a single group, and then everyone else, the only means of granting access to more than one group with the standard file modes is to either nest the groups together or to give everyone access, approaches that are often unacceptable. Nested groups can be a maintenance burden, and granting access to everyone can undermine security. As for Samba shares, it is insufficient to add multiple users and groups to the valid users parameter in smb.conf if the underlying file system does not allow them access.

Prerequisites

You must have the acl package installed. You can determine this as follows:
# rpm -qa | grep acl
libacl-2.2.23-5
acl-2.2.23-5

The file system must be mounted with acl in the option list. You can determine this using the mount command:

# mount
/dev/sda1 on / type ext3 (rw,acl)

As shown above, the root file system has been mounted with read-write (rw) and acl options. If you don't see acl in the options for the file system you are working with, modify /etc/fstab to include this option, and then remount the file system. In the case of the root file system, you may need to reboot the system. On newer distributions the acl option is frequently a file-system default (ext4 and XFS, for example) and does not appear in the mount output; running setfacl on a scratch file is then the reliable test.

All users and groups must be created before adding them to the ACL. In the case of Active Directory users, they must be preceded by the domain unless user aliases have been configured (for example, DOMAIN\username).

Example

This example uses a directory called testdir. The process is the same for files.

Here are the standard file mode permissions of the testdir directory.

[aciarochi@rhel4-devel tmp]$ ls -ld testdir
drwxrwx--- 2 root root 4096 Dec 14 13:28 testdir

You can view the extended ACL using the getfacl utility. In this case, it shows the same information, in a different format:

[aciarochi@rhel4-devel tmp]$ getfacl testdir
# file: testdir
# owner: root
# group: root
user::rwx
group::rwx
other::---

With these permissions, only the root user and members of the root group are allowed to open the directory. Since the aciarochi user is not in the root group, he is denied access:

[aciarochi@rhel4-devel tmp]$ cd testdir
-bash: cd: testdir: Permission denied

However, we can grant access to aciarochi by using the setfacl utility to add him to the ACL. We must switch to the root user, of course, since that is the directory owner. Once the ACL is set, aciarochi can open the directory:

[root@rhel4-devel ~]# setfacl -m u:aciarochi:rwx /tmp/testdir/
[root@rhel4-devel ~]# exit
logout
[aciarochi@rhel4-devel tmp]$ cd testdir
[aciarochi@rhel4-devel testdir]$ pwd
/tmp/testdir

Notice that the standard file mode permissions have not changed, except for the addition of a + at the end, indicating that extended file permissions are in effect:

[aciarochi@rhel4-devel tmp]$ ls -ld /tmp/testdir/
drwxrwx---+ 2 root root 4096 Dec 14 13:28 /tmp/testdir/

Additional groups can be added in the same manner, using a g: instead of a u: to indicate a group. In the following example, we grant read and execute (open) access to the ftp group:

[root@rhel4-devel ~]# setfacl -m g:ftp:r-x /tmp/testdir
[root@rhel4-devel ~]# getfacl testdir
# file: testdir
# owner: root
# group: root
user::rwx
user:aciarochi:rwx
group::rwx
group:ftp:r-x
mask::rwx
other::---

The mask entry that setfacl added caps the effective rights of every named user and named group entry, and of the owning group. A later chmod on the directory rewrites the mask rather than the group entries, so if an entry that is listed with rwx does not seem to work, look for #effective: lines in the getfacl output.

Using POSIX ACLs to Grant AD Accounts Access to Subversion

With PowerBroker Identity Services, you can use AD accounts with Subversion. The trick is to use POSIX ACLs to give a domain group write access to the SVN repository.

Here is an example:

$ svnadmin create /data/foo
## Add domain admins to the default directory ACE
$ find /data/foo -type d | xargs setfacl -d -m "g:AD\domain^admins:rwx"
## Add domain admins to the directory ACE
$ find /data/foo -type d | xargs setfacl -m "g:AD\domain^admins:rwx"
## Add domain admins to the ACE for files
$ find /data/foo -type f | xargs setfacl -m "g:AD\domain^admins:rw"
$ getfacl /data/foo
# file: foo
# owner: AD\134gjones
# group: AD\134unixusers
user::rwx
group::r-x
group:AD\134domain^admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:AD\134domain^admins:rwx
default:mask::rwx
default:other::r-x

Use a single backslash (\) between the domain and the group name, as the name appears in /etc/group; the double quotes around the setfacl argument keep the shell from stripping it. getfacl prints that backslash as the octal escape \134. Note too that the entry is case sensitive: you must specify the domain name in uppercase and the user or group name in lowercase.
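The access decision that the testdir and /data/foo walkthroughs above rely on, worked through in code. This is an added example and is not part of the guide or of PBIS: it parses getfacl output (including the \134 escape seen above) and applies the acl(5) evaluation order, which shows why aciarochi is denied before the setfacl, why ftp members can open but not write, and how a chmod on the repository can silently cut the AD group's rwx entry down through the mask. The account names AD\jsmith and AD\bwong and the post-chmod ACL are assumptions made for the example.

```python
"""POSIX ACL evaluation from getfacl(1) output.

Added example for the ACL sections of this guide; it is not PBIS code. It
parses what getfacl prints and applies the check order given in acl(5):
owner, then a named user entry, then the owning group and any named group
entries (all capped by the mask), then other. The sample ACLs are the
guide's testdir and /data/foo examples, re-typed as constructed input.
"""
import re

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

# Raw strings keep getfacl's \134 escape (octal for backslash) as printed.
TESTDIR_AFTER = r"""# file: testdir
# owner: root
# group: root
user::rwx
user:aciarochi:rwx
group::rwx
group:ftp:r-x
mask::rwx
other::---
"""

SVN_REPO = r"""# file: foo
# owner: AD\134gjones
# group: AD\134unixusers
user::rwx
group::r-x
group:AD\134domain^admins:rwx
mask::rwx
other::r-x
"""

# Constructed failure mode: after "chmod g-w /data/foo" the mask is r-x while
# the group:AD\domain^admins entry still reads rwx.
SVN_REPO_AFTER_CHMOD = SVN_REPO.replace("mask::rwx", "mask::r-x")


def perms_to_bits(perms):
    """'r-x' -> 5; anything but three characters of r/w/x/- is an error."""
    if not re.fullmatch(r"[r-][w-][x-]", perms):
        raise ValueError("bad permission string: %r" % perms)
    return sum(bit for ch, bit in PERM_BITS if ch in perms)


def bits_to_perms(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)


def unescape(name):
    """Undo getfacl's octal escapes, e.g. AD\\134gjones -> AD\\gjones."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    # default: entries are skipped; they only shape ACLs of files created later.
    acl = {"owner": None, "group": None, "user_perm": 0, "group_perm": 0,
           "named_user": {}, "named_group": {}, "mask": None, "other": 0}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, perms = line.split(":")
            bits, qualifier = perms_to_bits(perms), unescape(qualifier)
            if tag == "user" and not qualifier:
                acl["user_perm"] = bits
            elif tag == "user":
                acl["named_user"][qualifier] = bits
            elif tag == "group" and not qualifier:
                acl["group_perm"] = bits
            elif tag == "group":
                acl["named_group"][qualifier] = bits
            elif tag == "mask":
                acl["mask"] = bits
            elif tag == "other":
                acl["other"] = bits
            else:
                raise ValueError("unknown ACL tag: " + tag)
    return acl


def check_access(acl, user, groups, wanted):
    """True if `user` (group set `groups`) holds every permission in `wanted`,
    e.g. 'rx'. The first matching class decides, except that every matching
    group entry is tried, as acl(5) specifies."""
    want = sum(bit for ch, bit in PERM_BITS if ch in wanted)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return (acl["user_perm"] & want) == want
    if user in acl["named_user"]:
        return (acl["named_user"][user] & mask & want) == want
    matches = [acl["group_perm"]] if acl["group"] in groups else []
    matches += [b for g, b in acl["named_group"].items() if g in groups]
    if matches:
        return any((b & mask & want) == want for b in matches)
    return (acl["other"] & want) == want


def reduced_entries(acl):
    """Entries whose effective rights the mask cuts down (what getfacl flags
    as '#effective:'). Look here first when an AD group is listed with rwx
    yet its members cannot write."""
    if acl["mask"] is None:
        return {}
    entries = [("group::", acl["group_perm"])]
    entries += [("user:" + n, b) for n, b in acl["named_user"].items()]
    entries += [("group:" + n, b) for n, b in acl["named_group"].items()]
    return {name: bits_to_perms(bits & acl["mask"])
            for name, bits in entries if (bits & acl["mask"]) != bits}
```

Feed check_access the output of getfacl on your own repository together with the groups that id reports for the AD user; anything that reduced_entries returns is an entry the mask is overriding, which is what getfacl's #effective: comment reports and what a stray chmod on the repository typically causes.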

Using the Domain-Join Tool

Joining a domain is a part of the initial provisioning of PBIS. For more information, see Joining an Active Directory Domain.

Use PBIS with a Single Organizational Unit

If you have write privileges only for an organizational unit (OU) in Active Directory (AD), you can still use PBIS. Your AD rights to create objects in an OU allow you to join Linux and Unix computers to the OU even though you do not have Active Directory Domain Administrator or Enterprise Administrator privileges. (See Delegate Control to Create Container Objects.)

There are additional limitations to this approach:
• You must join the computer to a specific OU, and you must know the path to that OU.
• You cannot use PBIS Enterprise in schema mode unless you have Enterprise Administrator privileges, which are required to upgrade the schema.

Join a Linux Computer to an Organizational Unit

To join a computer to a domain, you must have the user name and password of an account that has privileges to join computers to the OU and the full name of the domain that you want to join. The OU path is from the top OU down to the OU that you want.

As root, execute the following command, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/pbis/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount

Example: /opt/pbis/bin/domainjoin-cli join --ou Engineering example.com Administrator

Example of how to join a nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU example.com Administrator
After you join a domain for the first time, you must restart the computer before you can log on.

Rename a Joined Computer

To rename a computer that has been joined to Active Directory, you must first leave the domain. You can then rename the computer by using the domainjoin command-line interface.

After you rename the computer, you must rejoin it to the domain. Renaming a joined computer requires the user name and password of a user with privileges to join a computer to a domain.

Important: Do not change the name of a Linux, Unix, or Mac computer using the hostname command because some distributions do not permanently apply the changes.

Rename a Computer Using the Command-Line Tool

The following procedure removes a Unix or Linux computer from the domain, renames the computer, and then rejoins it to the domain.

1. With root privileges, at the shell prompt of a Unix computer, execute the following command:
/opt/pbis/bin/domainjoin-cli leave
2. To rename the computer in /etc/hosts, execute the following command, replacing computerName with the new name of the computer:
/opt/pbis/bin/domainjoin-cli setname computerName
Example: /opt/pbis/bin/domainjoin-cli setname RHEL44ID
3. To rejoin the renamed computer to the domain, execute the following command at the shell prompt, replacing DomainName with the name of the domain that you want to join and UserName with the user name of a user who has privileges to join a domain:
/opt/pbis/bin/domainjoin-cli join DomainName UserName
Example: /opt/pbis/bin/domainjoin-cli join example.com Administrator
It may take a few moments before the computer is joined to the domain.
4. After you change the hostname of a computer, you must also change the name in the PBIS local provider database so that the local PBIS accounts use the correct prefix. To do so, execute the following command as root, replacing hostName with the name that you want:
/opt/pbis/bin/set-machine-name hostName

Rename a Computer by Using the Domain Join Tool GUI

1. From the desktop with root privileges, double-click the PBIS Domain Join Tool, or at the shell prompt of a Linux computer, type the following command:
/opt/pbis/bin/domainjoin-gui
2. Click Leave, and then click OK.
3. Start the domain join tool again by double-clicking the PBIS Domain Join Tool on the desktop, or by typing the following command at the shell prompt of a Linux computer:
/opt/pbis/bin/domainjoin-gui
4. Click Next.
5. In the Computer name box, rename the computer by typing a new name.
6. In the Domain box, enter the Fully Qualified Domain Name (FQDN) of the Active Directory domain.
7. Under Organizational Unit, you can join the computer to an OU in the domain by selecting OU Path and then typing a path in the Specific OU path box.
Or, to join the computer to the Computers container, select Default.
8. Click Next.
9. Enter the user name and password of an Active Directory user with authority to join a machine to the Active Directory domain, and then click OK.
The computer's name in /etc/hosts has been changed to the name that you specified and the computer has been joined to the Active Directory domain with the new name.
10. After you change the hostname of a computer, you must also change the name in the PBIS local provider database so that the local PBIS accounts use the correct prefix. To do so, execute the following command as root, replacing hostName with the name that you want:
/opt/pbis/bin/set-machine-name hostName

Removing a Computer from a Domain

You can remove a computer from the domain either by removing the computer's account from Active Directory Users and Computers or by running the domain join tool on the Unix, Linux, or Mac OS X computer that you want to remove; see Leave a Domain.

NetworkManager: Use a Wired Connection to Join a Domain

On Linux computers running NetworkManager, which is often used for wireless connections, you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on with your Active Directory domain credentials.

After you join the domain and log on for the first time with your AD domain credentials using a non-wireless connection, you can then revert to using your wireless connection because your AD logon credentials are cached. (You will not, however, be notified when your AD password is set to expire until you either run a sudo command or log on using a non-wireless connection.)

If, instead, you attempt to use a wireless connection when you join the domain, you cannot log on to your computer with AD domain credentials after your computer restarts.

Here is why: NetworkManager is composed of a daemon that runs at startup and a user-mode application that runs only after you log on. NetworkManager is typically configured to auto-start wired network connections when they are plugged in and wireless connections when they are detected. The problem is that the wireless network is not detected until the user-mode application starts, which occurs only after you log on.

Information about NetworkManager is available at http://projects.gnome.org/NetworkManager/.

Migrating Users to Active Directory

The PBIS Diagnostics and Migration page in the BeyondTrust Management Console includes two tools to help manage a mixed network:
• Find Orphaned Objects: An orphaned object is a linked object, such as a Unix user ID or group ID, that remains in a cell after you delete a group or user's security identifier, or SID, from an Active Directory domain. The Find Orphaned Objects tool cleans up manually assigned user IDs and improves search speed.
• Run Migration Tool: The NIS migration tool imports Linux, Unix, and Mac OS X passwd files and group files and maps them to users and groups in Active Directory. The tool lets you resolve conflicts and ambiguous user names before you commit the changes.

The migration tool includes options to ease your NIS migration to Active Directory and to handle various requirements:
• Migrate account information to the organizational units that you want.
• Create groups in Active Directory to match your Linux and Unix groups.
• Generate scripts to repair file ownership and group settings.
• Change the GID of imported users to that of the AD Domain Users group.
• Automatically set an alias for each migrated user.
• Generate Visual Basic scripts to migrate users and groups in an automated and custom way.
• Modify GIDs during migration.
• Select only the groups and users that you want to migrate from your full list of groups and users.
• Set the home directory and shell for migrated users.
• Filter out standard Unix and Linux accounts, such as mail and news.
• Modify UID information during migration.
• Use NIS map files to migrate netgroups, automounts, and other services to Active Directory.

On a Mac OS X computer, the PBIS domain join utility includes a tool to migrate a user profile from a local user account to the home directory specified for the user in Active Directory. For more information, see Migrate a User Profile on a Mac.

Migrate Users to Active Directory

The PBIS NIS migration tool can import Linux, Unix, and Mac OS X password and group files, typically /etc/passwd and /etc/group, and automatically map their UIDs and GIDs to users and groups defined in Active Directory.

You can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. Before you commit the changes, you can resolve ambiguous user names and other conflicts.

Important: Before you migrate users to a domain that operates in non-schema mode, it is recommended that you find and remove orphaned objects. The IDs associated with orphaned objects are reserved until you remove the orphaned objects. See Find Orphaned Objects.

Before Running the Migration Tool

Before running the migration tool, obtain the following information:
• The name of the domain where you want to migrate the account information.
• Credentials that allow you to modify the domain.
• The Unix or Linux passwd file and corresponding group file that you want to add to Active Directory and manage with PBIS. The password and group files can be from a computer or an NIS server.

Run the Migration Tool

To import Linux, Unix, and Mac OS X password and group files and automatically map UIDs and GIDs to users and groups in Active Directory:

1. In the BeyondTrust Management Console tree, expand Enterprise Console, and then click Diagnostics & Migration.
2. From the Tasks list, click Run Migration Tool.
3. Click Next.
4. In the Domain box, type the domain name that you want to migrate the account information to.
5. Select credentials:
– Use logon credentials: Select if your logon credentials allow you to modify the domain.
– Use alternate credentials: Select if your logon credentials are not allowed to modify the domain, and then enter credentials that have the appropriate privileges.
6. Click Next.
7. Select your mapping files:
– Click Import to import a Linux/Unix password and group file, and then provide the following information.
– Map name: The migration tool imports the passwd file and group file into the map file, which is then matched to existing Active Directory user and group names.
– Passwd file: Type the path and name of the file that you want to import, or click Browse to find the file.
– Group file: Type the path and name of the passwd file's corresponding group file, or click Browse and then find the file.
– To import default Unix or Linux user accounts such as root and public, clear the Omit standard Linux/UNIX user accounts check box.
– In the list under Users, clear the Import check box for any user that you do not want to import, and then click Next.
– Click Import NIS Map to import an NIS Map File:
You can run the ypcat command on the NIS server to create the map file.
– NIS Map file: Click Browse to find the map file.
– Map type: Select the map file type: Netgroups, Automounts, or Services.
8. Select the OU where you want to migrate the Linux or Unix account information.
If you select the top of your domain, the information is migrated to the default PowerBroker cell of your Active Directory forest and UID numbers are automatically assigned within the domain's range.
If you select an OU, PBIS creates a cell for the OU and migrates the account information to it. UIDs and GIDs are maintained if the passwd and group files agree, and if the UIDs and GIDs do not conflict with existing users or groups.
The migrated account information applies only to computers that are members of the OU.
9. Click Next.
10. Select from the following list of migration options:
– Create groups in Active Directory to match Linux/Unix groups: Create groups in Active Directory that match your Linux or Unix groups.
– Create all groups in AD: Create all groups in Active Directory, not just the referenced ones. To select this option, you must first select the Create groups in Active Directory to match Linux/UNIX groups check box.
– Generate scripts to repair file ownership and group settings: Run scripts that can repair ownership issues and group settings issues.
– Change GID of imported users to Domain Users
– Always set Login Name (alias), even when same as sAMAccountName
– Generate VBScript to perform migration: Enter the name of the script in the Script name box. Enter the directory where the script is located.
11. Click Next.
12. Click the Users tab and verify that the information is correct.
13. Click the Groups tab and verify that the information is correct.
14. To import the passwd and group files after you verify that the information is correct, click Next.
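A pre-flight pass over the passwd and group files before you run the wizard, as an added example; it is not the PBIS migration tool and not code from the guide. It applies the same choices the wizard offers in steps 7 and 10 (omit standard accounts, create only referenced groups or all groups) and lists the conflicts that otherwise surface only when you verify the Users and Groups tabs: duplicate UIDs or GIDs, a user name that already exists in the domain under different case, and a primary GID with no group behind it, which is the case in which the tool cannot keep the GID. The sample passwd, group and AD account lists, the STANDARD_NAMES set and the MIN_ID threshold of 500 are assumptions for the example.

```python
"""Migration pre-flight for Unix passwd/group files.

Added example for this section of the guide, not the PBIS migration tool.
It performs offline the checks that the wizard lets you make interactively:
omit standard accounts, keep UIDs and GIDs where the passwd and group files
agree, and list the conflicts (duplicate IDs, ambiguous names, primary GIDs
with no group) that must be resolved before anything is committed to AD.
The passwd, group and AD account data below are constructed sample input.
"""
import collections

# Assumptions: names treated as standard system accounts, and the ID below
# which an account is considered a system account. Adjust per platform.
STANDARD_NAMES = {"root", "bin", "daemon", "mail", "news", "nobody", "ftp",
                  "sync", "halt", "shutdown"}
MIN_ID = 500

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
gjones:x:1001:1001:Gina Jones:/home/gjones:/bin/bash
jsmith:x:1002:1003:John Smith:/home/jsmith:/bin/bash
jsmith2:x:1002:1001:Duplicate UID:/home/jsmith2:/bin/sh
bwong:x:1003:2000:Bea Wong:/home/bwong:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
mail:x:12:
news:x:13:
gjones:x:1001:
unixusers:x:1003:gjones,jsmith,bwong
engineering:x:1004:gjones
qa:x:1004:bwong
archive:x:1005:
"""

# sAMAccountNames that already exist in the target domain (constructed).
SAMPLE_AD_NAMES = {"Administrator", "JSmith"}


def parse_passwd(text):
    """passwd(5) lines -> list of dicts; malformed lines raise."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: " + line)
        users.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3]),
                      "gecos": f[4], "home": f[5], "shell": f[6]})
    return users


def parse_group(text):
    """group(5) lines -> list of dicts with a member list."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError("malformed group line: " + line)
        groups.append({"name": f[0], "gid": int(f[2]),
                       "members": [m for m in f[3].split(",") if m]})
    return groups


def is_standard(name, ident):
    return name in STANDARD_NAMES or ident < MIN_ID


def preflight(passwd_text, group_text, ad_names, omit_standard=True,
              all_groups=False):
    """Return the users and groups that would be imported plus a list of
    (kind, subject, detail) conflicts. all_groups mirrors the wizard's
    "Create all groups in AD" option; otherwise only groups referenced by an
    imported user (primary GID or membership) are included."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    if omit_standard:
        users = [u for u in users if not is_standard(u["name"], u["uid"])]
        groups = [g for g in groups if not is_standard(g["name"], g["gid"])]
    conflicts = []
    by_uid, by_gid = collections.defaultdict(list), collections.defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["name"])
    for g in groups:
        by_gid[g["gid"]].append(g["name"])
    conflicts += [("duplicate-uid", uid, names)
                  for uid, names in sorted(by_uid.items()) if len(names) > 1]
    conflicts += [("duplicate-gid", gid, names)
                  for gid, names in sorted(by_gid.items()) if len(names) > 1]
    # AD account names are matched case-insensitively, so "jsmith" collides
    # with an existing "JSmith" and must be mapped or aliased, not created.
    ad_lower = {n.lower(): n for n in ad_names}
    for u in users:
        if u["name"].lower() in ad_lower:
            conflicts.append(("ambiguous-name", u["name"], ad_lower[u["name"].lower()]))
        if u["gid"] not in by_gid:
            conflicts.append(("primary-gid-missing", u["name"], u["gid"]))
    imported = {u["name"] for u in users}
    primary_gids = {u["gid"] for u in users}
    referenced = {g["name"] for g in groups
                  if g["gid"] in primary_gids or imported & set(g["members"])}
    chosen = {g["name"] for g in groups} if all_groups else referenced
    return {"users": sorted(imported), "groups": sorted(chosen),
            "conflicts": conflicts}
```

Run preflight against the files you intend to hand to the wizard (and the sAMAccountNames exported from the target domain) and clear every conflict it reports first; a duplicate UID or a primary GID that no group defines is exactly the situation in which the tool has to reassign IDs, and a case-only name match is what the Users tab later shows as an ambiguous name.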

Find Orphaned Objects

You can use the BeyondTrust Management Console to find and remove orphaned objects. An orphaned object is a linked object, such as a Unix or Linux user ID or group ID, that remains in a cell after you delete a group or user's security identifier, or SID, from an Active Directory domain.

Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve search speed. It is recommended that you remove orphaned objects before you use the migration tool with a domain that operates in Schemaless mode.

1. In the BeyondTrust Management Console tree, expand Enterprise Console, and then click Diagnostics & Migration.
2. From the Tasks list, click Find Orphaned Objects.
3. Click Select Domains, select the domains that you want to scan, and then click OK.
4. Click Begin Scan.
5. To remove the objects that appear in the Orphaned objects to delete box, click Delete Objects.

Migrate a User Profile on a Mac

On a Mac OS X computer, the PBIS domain join utility includes a tool to migrate a user's profile from a local user account to the home directory specified for the user in Active Directory.

When you migrate the user's profile, you can either copy or move it from the local account to the user's Active Directory account. Copying the profile leaves a copy of the user's files in their original location, but doubles the space on the hard disk required to keep the user's files.

You can migrate a user by using the GUI or by using the command line. In addition, you can customize the migration shell script to suit your requirements.

Important: To migrate a user's profile, you must have a local or AD account with administrative privileges. The account that you use must not be the account that you are migrating.

See also:
• Migrate a User Profile from the GUI
• Migrate a User Profile from the Command Line
• Customize the Migration Script

Migrate a User Profile from the GUI

Note: For Mac OS 10.8 and later, the GUI is no longer supported. For PBIS 7.0 and later, the GUI on any Mac is not supported. Use the CLI commands. See Migrate a User Profile from the Command Line.

To migrate a user profile on a Mac to Active Directory:

1. Save and close any documents that the user has open.
2. Log on with an administrator account that is not being migrated.
3. In Terminal, execute the following command to open the PBIS Domain Join dialog:
open /opt/pbis/bin/Domain\ Join.app
If prompted, enter a name and password of an account with administrative privileges. The account can be either a local machine account or an AD account, but must not be the account that you are migrating.
4. In the Domain Join dialog, click Migrate.
Note: The Domain Join dialog might be behind your Terminal window or behind another window.
5. Under Source - Local Account, in the list, click the user that you want.
6. In the box under Destination - Likewise AD Account, type the name of the Active Directory user account that you want to migrate the local account to, and then click to check that the account is in Active Directory.
7. Under Options, do one of the following:
– To move the user's files and data from the user's home directory to a home directory specified in Active Directory, select Move Profile. Then select any of the check boxes, as needed:
  - Remove local account when finished: Deletes the account after the account is migrated to AD.
  - Retain local account's admin rights: Maintains the permissions of the account after migration.
  - Use Spotlight to find user profile files.
– To copy the user's files and data from the user's home directory to a home directory specified in Active Directory, select Copy Profile.
  Note: This option doubles the amount of hard disk space required to store the user's files and data on the computer.
8. Click Migrate.

Migrate a User Profile from the Command Line

You can migrate a user's profile using the command line. On a Mac OS X computer, the location of the migration shell script is as follows:

/opt/pbis/bin/lw-local-user-migrate.sh

You can run the script locally or remotely. Connect to a Mac using SSH and then run the migration script to remotely migrate users from another computer.

For information about the command's syntax and arguments, execute the following command in Terminal:

/opt/pbis/bin/lw-local-user-migrate.sh --help

Customize the Migration Script

You can customize the migration script to suit your needs by opening the script and editing it. The script is written in Bash shell.

Important: There is no PBIS support for customizing the script or for modified scripts. Changes to the script preclude PBIS support.

Leaving a Domain and Uninstalling the PBIS Agent

You can remove a computer from a domain without necessarily disabling or deleting the computer's account in Active Directory. If needed, you can uninstall the PBIS agent from a client computer.

Leave a Domain

When you remove a computer from a domain, PBIS retains the settings that were made to the computer's configuration when it was joined to the domain. Changes to the nsswitch module are also preserved until you uninstall PBIS, at which time they are reverted.

Before you leave a domain, you can execute the following command to view the changes that will take place:

domainjoin-cli leave --advanced --preview domainName

Example:

[root@rhel4d example]# domainjoin-cli leave --advanced --preview example.com
Leaving AD Domain:   EXAMPLE.COM
[X]  [S] ssh        - configure ssh and sshd
[X]  [N] pam        - configure pam.d/pam.conf
[X]  [N] nsswitch   - enable/disable PowerBroker Identity Services nsswitch module
[X]  [N] stop       - stop daemons
[X]  [N] leave      - disable machine account
[X]  [N] krb5       - configure krb5.conf
     [F] keytab     - initialize kerberos keytab

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

For information on advanced commands for leaving a domain, see Join Active Directory from the Command Line.

Remove the Computer Account in Active Directory

By default, when you remove a computer from a domain, the computer's account in Active Directory is neither disabled nor deleted.

If you want to disable but not delete the computer's account, include the user name as part of the leave command. You can include the user name as part of the leave command as follows; you will be prompted for the password of the user account:

domainjoin-cli leave userName

Example: domainjoin-cli leave brsmith

Remove a Linux or Unix Computer from a Domain

On the Linux or Unix computer that you want to remove from the Active Directory domain, use a root account to run the following command:

/opt/pbis/bin/domainjoin-cli leave

Remove a Mac from a Domain

Note: For Mac OS 10.8 and later, the GUI is no longer supported. For PBIS 7.0 and later, the GUI on any Mac is not supported. Use the CLI commands. See Remove a Mac from a Domain from the Command Line.

To leave a domain on a Mac OS X computer, you must have administrative privileges on the Mac.

1. In Finder, click Applications.
2. In the list of applications, double-click Utilities, and then double-click Directory Access.
3. On the Services tab, click the lock and enter an administrator name and password to unlock it.
4. In the list, click Likewise, and then click Configure.
5. Enter a name and password of a local machine account with administrative privileges.
6. On the menu bar at the top of the screen, click the Domain Join Tool menu, and then click Join or Leave Domain.
7. Click Leave.

Remove a Mac from a Domain from the Command Line

Execute the following command with an account that allows you to use sudo:

sudo /opt/pbis/bin/domainjoin-cli leave

Uninstall the Agent on a Linux or Unix Computer

You can uninstall PBIS by using a shell script or by using a command.

Using a Shell Script to Uninstall

Important: Before uninstalling the agent, you must leave the domain. Then execute the uninstall command from a directory other than pbis so that the uninstall program can delete the pbis directory and all its subdirectories; for example, execute the command from the root directory.

If you installed the agent on a Linux or Unix computer by using the shell script, you can uninstall the PBIS agent from the command line by using the same shell script with the uninstall option. (To uninstall the agent, you must use the shell script with the same version and build number that you used to install it.) For example, on a Linux computer running glibc, change directories to the location of PBIS and then run the following command as root, replacing the name of the script with the version you installed:

./pbis-open-7.5.0.94.linux.oldlibc.i386.rpm.sh uninstall

For information about the script's options and commands, execute the following command:

./pbis-open-7.5.0.8011.linux.i386.rpm.sh help

Using a Command to Uninstall

To uninstall PBIS by using a command, run the following command:

/opt/pbis/bin/uninstall.sh uninstall

To completely remove all files related to PBIS from your computer, run the command as follows instead. If using this command and option, you do not need to leave the domain before uninstalling.

/opt/pbis/bin/uninstall.sh purge

Uninstall the Agent on a Mac

On a Mac OS X computer, you must uninstall the PBIS agent by using Terminal.
Note: Choose the appropriate action depending on whether you plan to re-install the product.
– If you are not planning to re-install the product, leave the domain before uninstalling the agent.
– If you are planning to re-install the product, remain in the domain while uninstalling the agent.

1. Log on to the Mac using a local account with privileges that allow you to use sudo.
2. Open a Terminal window: In Finder, on the Go menu, click Utilities, and then double-click Terminal.
3. At the Terminal shell prompt, execute the following command:
sudo /opt/pbis/bin/macuninstall.sh

Using Smart Cards with PBIS

With PBIS Enterprise, you can secure a Linux computer using a smart card associated with an Active Directory account. The PBIS authentication service links the smart card's cryptography-based identification with an Active Directory domain account to put in place a strong layer of tamper-resistant security for logging on to a Linux computer.

The security can be strengthened by setting PBIS Group Policy settings to allow logon only with a smart card and to lock the computer when the card is removed.

Smart Card Setup

Here is what you need to get started:
• A Linux platform supported by the PBIS smart card service.
• An Active Directory system configured to manage smart card logons.
• A smart card prepared with Active Directory credentials and a personal identification number to log on to the Linux computer.
• A CCID-compliant smart card reader.
• PBIS Enterprise 6.0 or later. When you install PBIS Enterprise, you must include the smart card option. The installation includes ActivIdentity's ActivClient smart card software for Linux.

Supported Linux Platforms

The PBIS smart card service supports the 32- and 64-bit versions of the following platforms: Red Hat Enterprise Linux 5.3, 5.4, and 5.5.

You can check the version of your Red Hat computer like this:

[root@rhel5d ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Client release 5.5 (Tikanga)

Prepare Active Directory for Smart Card Logon

To prepare Active Directory for smart card logon, see the Microsoft website for information and instructions:
• If you plan to use Microsoft's certification authority to configure smart card logon, see certificate enrollment using smart cards.
• If you plan to use a third-party certification authority with Active Directory, see guidelines for enabling smart card logon with third-party certification authorities.
• For an overview of how to implement smart card authentication, see Checklist: Deploying smart cards.

After you configure Active Directory to work with smart cards, you can use an enrollment station, which is typically a Windows administrative workstation connected to Active Directory, to prepare a smart card with Active Directory credentials and a personal identification number (PIN). For more information, see certificate enrollment using smart cards.

Prepare a Linux Computer for Smart Card Logon

To install the PBIS and ActivIdentity components that support smart cards, you must include the smart card option when you run the PBIS Enterprise installer. If PBIS is already installed, run the installer again with the smart card option.

Replace 7.5.0.375 with the version and build number indicated in the installer file name that you have available:

./pbis-enterprise-7.5.0.375.linux.i386.rpm.sh --smartcard install

To prepare a Red Hat Enterprise Linux computer for smart card logon with PBIS, two pieces must be in place: ActivIdentity's ActivClient software for Linux, version 3.0 or later, and a CCID-compliant smart card reader.

The ActivClient software, manufactured by ActivIdentity (http://www.actividentity.com/), is included with PBIS Enterprise 6.0 or later and automatically installed at /usr/local/ActivIdentity when you install the PBIS agent on a Linux computer with the installer's smart card option. You can verify installation by checking for the ActivIdentity directory like this:

[root@rhel5d ~]# ls /usr/local
ActivIdentity  bin  etc  games  include  lib  libexec  sbin  share  src

You can verify that you are running ActivClient version 3.0 or later as follows:

[root@rhel5d ~]# rpm -qa | grep activ
ai-activclient-scmw-3.0.0-31
ai-activclient-apps-3.0.0-31
The ActivClient software depends on the presence of a package, pcsc-lite. To make sure it is installed, execute the following command:

rpm -q pcsc-lite

Here is an example on Red Hat that shows the presence of the package:

[root@rhel5d lw]# rpm -q pcsc-lite
pcsc-lite-1.3.1-7

Note: Although PBIS includes the ActivClient software, you must contact ActivIdentity to obtain licenses to use their software for anything other than a 30-day trial.

PBIS accepts the smart cards that are supported by ActivClient. The list of supported cards includes PIV-compliant cards and the Common Access Card (CAC) used by the U.S. government. Check the ActivClient documentation to determine whether the type of smart card you plan to use is supported.

You must install a CCID-compliant smart card reader. The readers are available from a variety of manufacturers. Before you buy a reader, you should check with the vendor to make sure it works with your Linux platform and your type of smart card. Follow the setup instructions from the manufacturer of the smart card reader. For information about CCID-compliant smart card readers, see the USB Chip/Smart Card Interface Devices (CCID) Specification.

When all these pieces are in place, you are ready to install PBIS Enterprise on your Linux computer and add the computer to Active Directory. See the chapters on installing the PBIS agent and joining a domain.
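The three checks above (the ActivIdentity directory, ActivClient 3.0 or later in the rpm -qa output, and the pcsc-lite package) are easy to script so that a host can be verified before smart card logon is rolled out. The following POSIX shell script is an added example, not BeyondTrust's or ActivIdentity's code: it parses rpm package names of the form shown above (name-version-release) and compares the version field, and its function names are its own assumptions. The live check_smartcard_host function runs rpm on the current host; the parsing functions can be exercised offline on captured output.

```shell
#!/bin/sh
# Added example (not part of PBIS): checks the three prerequisites named above
# on a Red Hat host: the ActivIdentity directory, ActivClient 3.0 or later, and
# the pcsc-lite package. Function names are this example's own assumptions.

# Version field of an rpm package name such as ai-activclient-scmw-3.0.0-31
# (name-version-release): drop the release, then keep the last dash field.
rpm_version() {
    v=${1%-*}
    printf '%s\n' "${v##*-}"
}

# Return 0 when a dotted version string $1 has a major number of 3 or more.
major_at_least_3() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # not numeric: treat as not satisfied
    esac
    [ "$major" -ge 3 ]
}

# $1 is the output of "rpm -qa", one package per line. Return 0 if any
# ai-activclient-* package at version 3.0 or later is present.
activclient_ok() {
    ok=1
    old_ifs=$IFS
    IFS='
'
    for pkg in $1; do
        IFS=$old_ifs
        case "$pkg" in
            ai-activclient-*)
                major_at_least_3 "$(rpm_version "$pkg")" && ok=0 ;;
        esac
    done
    IFS=$old_ifs
    return $ok
}

# Return 0 if the "rpm -q pcsc-lite" output $1 names an installed package
# (rpm prints "package pcsc-lite is not installed" otherwise).
pcsc_lite_ok() {
    case "$1" in
        pcsc-lite-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on the host; prints one line per missing prerequisite and
# returns non-zero if anything is missing.
check_smartcard_host() {
    rc=0
    [ -d /usr/local/ActivIdentity ] || { echo "missing /usr/local/ActivIdentity"; rc=1; }
    pcsc_lite_ok "$(rpm -q pcsc-lite 2>/dev/null)" || { echo "pcsc-lite is not installed"; rc=1; }
    activclient_ok "$(rpm -qa 2>/dev/null)" || { echo "ActivClient 3.0 or later not found"; rc=1; }
    return $rc
}
```

Run check_smartcard_host as root on each candidate host; a zero exit status means all three prerequisites were found, and each printed line names the one to fix.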
Log On with a Smart Card

To log on to a computer with a smart card, insert the smart card into the smart card reader. The computer prompts you for your personal identification number (PIN) instead of your domain, user name, and password.

If the PIN you enter is recognized as legitimate, you are logged on to the computer and the domain using the permissions assigned to your user account in Active Directory.
If you enter the incorrect PIN for a smart card several times in a row, you might be unable to log on to the computer with that smart card. The number of allowable invalid logon attempts that can occur before lockout varies by smart card manufacturer and your security policy. If you insert the smart card backward or upside down, the smart card will not be recognized. Smart card logon works only for computers joined to a domain.

Important: With Active Directory, there are two ways to force a user to log on with a smart card:
• On a per-computer basis, by setting a PBIS Group Policy setting (which corresponds to a Microsoft Group Policy setting with a similar name) to require a smart card to log on to the computers in a PowerBroker cell. The policy setting's default is to allow a user to log on with either a smart card and its PIN or a user account and its password. The settings that you choose depend on your IT security policies.
• On a per-user basis, by selecting the option to require a smart card on the Account tab of a user's properties in ADUC, as shown in the following screenshot.

You can generate a log to help troubleshoot problems logging on with a smart card; for more information, see Troubleshooting the PBIS Agent.
Smart Card Group Policy Settings

PBIS Enterprise includes the following Group Policy settings for managing smart cards on target Linux computers.

Policy Setting: Require smart card for login
Description: Specifies the requirements for using a smart card to access a target computer. When smart card authentication is enabled, it is possible to log on only with a smart card and its PIN. When this setting is disabled, logon is possible by using either an account user name with a password or a smart card with its PIN.

Policy Setting: Smart card removal policy
Description: Specifies the action taken when a smart card is removed from a target computer. When smart card two-factor authentication is used to gain access to a computer, enforcement of logon security can be made stricter if the removal action is set to Lock or Logout. The default setting without this policy setting is No Action.

To configure policy settings to manage smart cards on Linux computers:
1. In the Group Policy Management Console (GPMC), create or edit a Group Policy Object (GPO) for the organization unit that you want, and then open it with the Group Policy Management Editor (or the Group Policy Object Editor).
2. In the console tree of the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, Smart Card:
3. In the details pane, double-click the policy setting that you want to
configure, and then select the Define this Policy Setting check box.
4. Make the changes that you want:

For this Policy Setting        Do This
Smart card removal policy      In the list, click the option that you want to configure.
Require smart card for login   Click Enabled or Disabled.
Managing PBIS Licenses

There are two options to manage the assignment of PBIS licenses:
• Globally using the License Management page in the BeyondTrust Management Console on a Windows administrative workstation connected to Microsoft Active Directory. It is recommended that you manage your licenses through the BeyondTrust Management Console.
• Locally using a PBIS command-line utility, setkey-cli, on a Linux, Unix, or Mac OS X computer.
Evaluation Licenses and Permanent Licenses

When you install the PBIS agent without a permanent license on a Unix or Linux computer, a 30-day product evaluation key is automatically generated. If a permanent license key or an extended evaluation license key is unavailable, PBIS will stop authenticating users and applying Group Policy settings after 30 days. The expiration date of an evaluation license applies only to the computer on which the license is installed.

To obtain a permanent license or to convert a trial license to a full license, please contact a BeyondTrust sales representative by sending an email to [email protected] States. From outside the United States, call +1-818-575-4040.

You can upgrade an evaluation license to a permanent license by importing the permanent license key into the BeyondTrust Management Console, and applying it to a client computer. If the automatic assignment feature is in use, the PBIS agent will automatically apply a permanent license when you log on a client with an AD account, restart the PBIS authentication service, or run the command-line utility for managing licenses.

Site Licenses and Single-Computer Licenses

BeyondTrust offers site licenses and single-computer licenses.
• A site license covers all the computers in a domain and its child domains. To determine whether a computer falls under a site license, PBIS checks the last two components of the domain name. For example, example.com is the domain governed by a site license and one of the child domains is named child.example.com. The child domain is covered by the site license because the last two components of the domain name match.
• If there are multiple domains, a different license file is required for each domain, regardless of whether you are using a site license or a set of single-computer licenses. To spread a set of single-computer licenses across two or more domains, you can request BeyondTrust sales to distribute the licenses in two or more license files.
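The site-license rule stated above, that coverage is decided by the last two components of the domain name, can be expressed as a small function. The following POSIX shell script is an added example, not PBIS code, and its function names are assumptions; it goes slightly beyond the single case in the text by normalising letter case and a trailing dot before comparing.

```shell
#!/bin/sh
# Added example (not part of PBIS): implements the site-license rule stated
# above, which compares only the last two labels of a DNS domain name.
# Function names are this example's own assumptions.

# Print the last two labels of domain $1, lower-cased, without a trailing dot.
# "child.example.com" -> "example.com"; "example.com" is returned unchanged.
last_two_labels() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=${d%.}
    case "$d" in
        *.*.*) printf '%s\n' "${d#${d%.*.*}.}" ;;   # strip everything before the last two labels
        *)     printf '%s\n' "$d" ;;
    esac
}

# Return 0 when computer domain $1 is covered by a site license issued for
# domain $2, i.e. when the last two labels of both names match.
site_license_covers() {
    [ "$(last_two_labels "$1")" = "$(last_two_labels "$2")" ]
}

# Usage: site_license_covers child.example.com example.com && echo covered
```

One consequence of comparing only two labels is that names under a two-label public suffix, for example example.co.uk and other.co.uk, compare as equal under this rule; the function reproduces that behaviour rather than hiding it.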
Workstation and Server Licenses

BeyondTrust offers two kinds of licenses: workstation and server. Both single-computer licenses and site licenses distinguish between servers and workstations. When a computer joins a domain, PBIS looks at the version of the operating system to determine whether to assign a workstation or a server license. If a server license is unavailable, a workstation license is automatically used.
A workstation license limits the number of concurrent logins to five discrete user accounts. With a server license, the number of concurrent logins is unlimited. If the computer is a server but is using a workstation license because no server licenses were available, please contact BeyondTrust sales [email protected] adjust the license type that you want the agent to obtain by using the command-line utility for managing licenses.

The PBIS agent verifies a license when you run the setkey-cli utility, when you start the PBIS authentication service, and when you log on. To verify a license, the setkey-cli utility uses the computer's Active Directory account to search for licenses in the computer's OU hierarchy up to the top of the domain. Other domains in the forest are not searched. If the utility cannot find a license in the OU hierarchy, as a last resort it checks the legacy PBIS container in the ProgramData container. When the computer's domain controller is down, the utility loads the license from the disk without verifying its assignment in Active Directory.

The PBIS Group Policy service also checks for a license when it refreshes the computer's Group Policy Objects (GPOs). If the license is invalid, the service ignores the GPOs. Once the license becomes permanent and valid, the service applies the GPOs when it restarts.

Note: If the message Invalid computer! is displayed in the Assigned To column, revoke the license and return it to the pool of available licenses. For more information, see Revoke a License.

Licenses contain codes that can include or exclude the following features. When a license is displayed in the console, the codes that appear in the Features column indicate the entitlements that the license covers.

The following table describes the meaning of each feature code:

Feature Code   Description
SC             Covers the use of two-factor authentication with a smart card.
GP             Covers the application of GPOs.
AU             Covers the auditing and reporting components.
AD             Covers the use of the PBIS management tools for Active Directory.

Create a License Container

You can install PowerBroker Identity Services licenses manually on each Linux, Unix, and Mac OS X computer, or you can install the licenses in Active Directory and manage them from a central location. In Active Directory, you must create a license container before you can import a PBIS license key file.

Recommendations

Review the following recommendations for creating a license container.
• Manage licenses in Active Directory and create your license container in a common location at the highest level of the organizational unit (OU) hierarchy to which you have write access. For instance, if you have separate OUs for your Linux and Mac computers, creating the licensing container in a common location above the OUs for the Mac and Linux computers can simplify license management.
• If you have a default cell, create the license container at the level of the domain.

Any OU may have a license container. The container need not be in the same OU as a PowerBroker cell. The PBIS agent searches the OU hierarchy for a license container in the same way that it searches for a cell. When a license container is found, the agent stops trying to find a key in another container (even if the container it finds is empty) and checks whether the license is assigned to the computer. When the agent finds a license in Active Directory, it marks it as assigned to the computer.

When you create a license container, computers can automatically acquire a license. You can turn off automatic licensing depending on your requirements. If you turn it off, however, after you create the license container you must assign a license to each computer manually. See Assign a License to a Computer in AD.

Note: If needed, you can turn on automatic licensing again at any time after you create the container. See Turn on Automatic Licensing.

If there is no license container in Active Directory, the agent verifies the license locally, a scenario reserved for licenses set with setkey-cli.
Important: You must be a member of the Domain Administrators security group or have privileges sufficient to create and modify containers where you want to create the licensing container. It is recommended that you do not create a license container in the Domain Controllers OU.

To create a license container:
1. In the BeyondTrust Management Console, expand the Enterprise Console node, right-click the License Management node, and then click Create License Container.
2. (Optional) Clear the Allow Computers to Acquire Licenses Automatically check box to prevent computers from obtaining a license. If you clear the check box, you must manually assign a license to each computer.
3. Select the location where you want to create a container and then click OK:

You are now ready to import a license file, which will populate the PBIS licenses container in Active Directory with licenses for your Unix, Linux, and Mac OS X computers.

Turn on Automatic Licensing

If you turned off automatic licensing when you created the license container, you can turn on the feature at any time.

To turn on automatic licensing:
1. In the BeyondTrust Management Console, expand the Enterprise Console node, right-click the License Management node, and then click Assign Policy.
2. Select the check box to allow automatic licensing and click OK.

Import a License File

PBIS license keys and site licenses are distributed in an XML file. Using the BeyondTrust Management Console on your Windows administrative workstation, you can import a license key file containing licenses.

You must create a license container in Active Directory before you can import a license key file.
1. Make sure the XML file containing the licenses is available on your Windows administrative workstation that is running the BeyondTrust Management Console.
2. Under Enterprise Console, right-click License Management, and then click Import License File.
3. Locate the XML file that contains the licenses, and then click Open.

Assign a License to a Computer in AD

By default, PBIS automatically assigns licenses to computers running the PBIS agent when the computers connect to the domain. If you turn off the default setting, then a computer cannot automatically obtain a license. However, you can manually assign a license using the BeyondTrust Management Console.

To manually assign a license:
1. In the BeyondTrust Management Console, expand Enterprise Console, and then click License Management.
2. In the list of licenses, right-click the license that you want to assign, and then click Assign License.
3. In the Select Computer dialog box, click Locations, select the location that contains the computer you want, and then click OK.
4. In the Enter the object names to select box, type the name of one or more computers, for example, AppSrvSeattle-1. Separate multiple entries with semicolons. For a list of examples, click examples.
5. Click Check Names, and then click OK.

Tip: To use additional criteria to search for and select computers, click Advanced. Then, to show more information about a computer in the Search results box, click Columns, and add or remove columns.

Manage a License Key from the Command Line

Although it is recommended that you manage licenses in the BeyondTrust Management Console, you can also manage a license locally from the command line on a Linux, Unix, or Mac OS X computer.

From the command line of a PBIS client, you can check the computer's license, set a license key, release a license, and adjust the type of license that you want the computer to obtain.

For more information, run the following command:

/opt/pbis/bin/setkey-cli --help

Check the License Key

To view the license key that is installed on a Unix, Linux, or Mac OS X computer, execute the following command at the shell prompt:

/opt/pbis/bin/setkey-cli

Here is an example:
Set a License Key

You can set a license key for the PBIS agent by using the command line. You should, however, use this method of setting a key only when there is no licensing container in Active Directory and you want the agent to verify the license locally.

To set a license key, run the following command as root, replacing LicenseKeyNumber with a valid license key number:

/opt/pbis/bin/setkey-cli --key LicenseKeyNumber

Note: If there is a license container in Active Directory, you cannot use the command to apply an additional license or to select a license from the license container; instead, assign the license from Active Directory.

Release a License Key

When you decommission a computer, you can release a computer's license so it can be used by another computer. When you release a permanent license key, it is replaced by a temporary evaluation license.

You can also release a license to apply a different permanent license to the computer.

/opt/pbis/bin/setkey-cli --release
Change the Type of License

You can change the type of license that the computer obtains when it connects to Active Directory by executing the following command as root, replacing typeOfLicense with either workstation or server.

/opt/pbis/bin/setkey-cli --key-preference typeOfLicense

If the license type you set is unavailable, the non-preferred type is obtained.

Delete a License

When you rename or remove a domain from Active Directory, you might also need to delete PBIS license keys from Active Directory. If you rename an Active Directory domain, you must obtain new license keys from BeyondTrust.

Licenses are provided on a per-domain basis; domain licenses apply only to the fully qualified domain name or child domain to which they were issued.
1. In the BeyondTrust Management Console, expand Enterprise Console, and then click License Management.
2. In the list of licenses, under Key, right-click the license that you want to delete and then click Delete.

Tip: If you inadvertently delete a license, you can restore it by importing the license file that contains it.

Revoke a License

To revoke a PBIS license:
1. In the BeyondTrust Management Console, expand Enterprise Console, and then click License Management.
2. In the list of licenses, under Key, right-click the license that you want to revoke, and then click Revoke License.
PBIS Reporting

The following PBIS Enterprise reporting components depend on the use of the database and the data collectors:
• Audit and Access Reporting
• Operations Dashboard
• Enterprise Database Management

The following topics describe how to set up the PBIS database and its event collectors so you can generate access reports, audit your network, archive records, and monitor security events.

Overview of the PBIS Reporting System

The PBIS reporting system is composed of the following components:
• A SQL Server or MySQL database set up on a dedicated database server
• A dedicated data collection server set up on a Windows computer
• Two PBIS data collectors that run on the data collection server.

PBIS Data Collectors

When you install the PBIS Enterprise database utilities package (PowerBrokerDBUtilities.exe) on your data collection server, the following PBIS data collectors are installed and started automatically:
• BTCollector. It contains PBIS's RPC server code to enable the PBIS agent's forwarding service, eventfwd, to upload events to the PBIS database server by using secure, authenticated transport protocols. BTCollector runs as a Windows auto-start service and can be managed from the command line.
• BTEventDBReaper. It copies events from the collector server to the central PBIS database. The process runs as a Windows auto-start service and can be managed from the command line. BTEventDBReaper depends on BTCollector to function properly: if BTCollector is not running, BTEventDBReaper will fail.

For these components to work together so that you can monitor events and generate reports, you must use the BeyondTrust Management Console's Enterprise Database Management plug-in to connect to the database server and you must set your Linux, Unix, and Mac OS X computers to forward events to the data collector.
Reporting Setup Preview

The process of setting up the PBIS database and the other reporting components typically proceeds in the following order:
1. Set up the database instance and name it LikewiseEnterprise.
2. Run the PBIS database creation script to format the database for PBIS.
3. Install the PBIS DB Utilities package, which contains the collectors, on a server dedicated to data collection.
4. Use the BeyondTrust Management Console's Enterprise Database Management plug-in to connect to the database server.
5. Configure the database and its accounts to meet your security policies.
6. Set your Linux, Unix, and Mac OS X computers to forward events to the data collector either by setting a PBIS Group Policy setting or by modifying a local setting.
7. Optionally, configure the collectors to meet the needs of your environment if the default settings do not work for you.

Requirements for the PBIS Reporting System

The following are the requirements for the PBIS reporting system.

General
• A database named LikewiseEnterprise running:
  – SQL Server 2008 or later
  – SQL Server Express 2008 or later
  – MySQL 4.0 or later
  SQL Server Express 2008 and MySQL are available for free from Microsoft and Oracle respectively.
• The Microsoft Report Viewer 8.0 (ReportViewer.exe) must be installed. To download the Report Viewer, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=82833F27-081D-4B72-83EF-2836360A904D&displaylang=en.
• The BeyondTrust Management Console and its reporting components must be installed. For more information, see Installing the Console.
When you install PBIS Enterprise on your Windows administrative workstation, you must install the following components of the BeyondTrust Management Console, or you must run the installer again and select these components for installation: Reporting Components, Database Update and Management Tools, Operations Dashboard.

MySQL
• Install the MySQL Connector/Net version 6.0, MySQL's fully managed ADO.Net provider. You must use version 6.0. It is available for free at http://dev.mysql.com/downloads/connector/net/6.0.html.

Note: PBIS entitlement reports are not supported on a MySQL database.

SQL Server
• Install the free SQL Server Management Studio Express package so you can create the PBIS database and set security options.

PBIS Data Collector
• .NET Framework version 2.0.
• 32-bit version of Microsoft Vista, Microsoft Windows Server 2003, or Microsoft Windows Server 2008 to act as a server for the event collector server.
• The requirements to run the collector in an enterprise are as follows. The requirements might vary with the size of your network. It is suggested that you use a separate collector for every 1,000 computers that are forwarding events to a collector.

Item         Requirement
Memory       2 GB
Disk space   10 GB free disk space (for local event storage before copying to the central database). The size you require might vary depending on the number of events, the number of systems, and other factors.
Processor    2 GHz dual core
Network      1 Gb Ethernet (at least, to the database server)

Configuring SQL Server

This section provides information on configuring a database instance on a Windows Server using SQL Server Express.

The procedure is similar on any version of Windows and with any version of SQL Server, but the vendor's requirements for those products might differ.
Important: This section assumes you are a database administrator who knows how to set up and administer SQL Server, including configuring the database to comply with your IT security policy. You are responsible for tailoring the settings to meet your networking and security requirements. The example setup and brief discussion of security issues serve only as a primer. Your setup and configuration will depend on the intricacies of your mixed network and your organization's security policies.

For a complete list of prerequisites for Microsoft's SQL Server 2008, see http://msdn.microsoft.com/en-us/library/ms143506.aspx.

Install and Configure SQL Server

It is recommended that you set up the database on a new server.

Important: The following steps, including the screenshots, are intended only to orient you to setting up SQL Server in the context of configuring the PBIS reporting components. The instructions for setting up SQL Server are in the Microsoft SQL Server documentation at http://technet.microsoft.com/sqlserver/.

1. Obtain SQL Server Express from http://www.microsoft.com/express/sql/download/ and install it on your Windows Server 2003 computer.
2. On the Feature Selection page, select the following features:
3. On the Instance Configuration page, select Default instance. If there is more than one database instance on the computer, select a Named Instance. Remember the name of your instance; you'll need it later.
4. On the Server Configuration page, select the Service Accounts tab, and then create a service account. The service accounts that you create and configure will depend on a range of factors, including your environment and your IT security policy. For more information, see your SQL Server documentation and the section Planning SQL Server Database Security.
5. Under Server Configuration, on the Service Accounts tab, enable the SQL Server Browser service.
6. On the Database Engine Configuration page, select the Account Provisioning tab, and then select Windows authentication mode.
7. In the Specify SQL Server administrators section, add your administrator account.
8. Click Next and follow the instructions in the SQL Server 2008 Setup wizard.
9. Using SQL Server Configuration Manager, set the SQL Server Network Configuration protocols to allow external connections with named pipes:

Create the LikewiseEnterprise Database

To create the PBIS Reporting Database using SQL Server:
1. Start Microsoft SQL Server Management Studio and connect to the database engine.
2. Create a database named LikewiseEnterprise.
3. Copy the SQL Server database creation script from the installation media, CreateLikewiseEnterpriseDatabase.sql, to a location accessible from SQL Server.
4. In SQL Server Management Studio Express, on the File menu, click Open and load the PBIS Enterprise database creation script for SQL Server:

CreateLikewiseEnterpriseDatabase.sql

Warning: Make sure that you connect to the newly created LikewiseEnterprise database. Failure to connect to the correct database might create tables and views in the wrong database, possibly rendering it unusable.
5. After making sure that you are connected to the LikewiseEnterprise database, execute the script. If the script executes with errors, try running it again.

You can now use SQL Server Management Studio Express to explore the structure of the LikewiseEnterprise database.

Install the PBIS Database Utilities

The PBIS DB Utilities executable installs the collectors. It is recommended that you install the collectors on a dedicated server. In a network with only a few computers or for testing, you can install the collectors on the same server as the PBIS database.

1. Run the PBIS Database Utilities installer program (typically, PowerBrokerDBUtilities-7.5.<build_version>.exe in C:\Program Files\BeyondTrust\PBIS\Enterprise or on your PBIS installation media). Follow the instructions in the installer. Install all the database tools listed in the installer.
2. In the Database Provider Library box, enter the following string:

System.Data.SqlClient
3. In the Connection String box, enter the following string, where DBSERVERNAME is the name of the server running SQL Server and containing the Enterprise database. The Initial Catalog clause identifies the database to use, while Integrated Security=True specifies that Windows authentication should be used when connecting to the database server.

Data Source=DBSERVERNAME;Initial Catalog=LikewiseEnterprise;Integrated Security=True

Example:

Data Source=W2K3-R2\SQLEXPRESS;Initial Catalog=LikewiseEnterprise;Integrated Security=True

4. Click Next.
5. Click Install.
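The connection string above is the one place in the collector setup where a SQL login and password could end up stored on the collector. The following POSIX shell script is an added example, not BeyondTrust's code: build_connection_string produces the string shown above for a given DBSERVERNAME, and check_connection_string verifies that a string names the LikewiseEnterprise catalog, uses Integrated Security (Windows authentication) and carries no User ID or Password keys. The function names and the awk-based key lookup are this example's own.

```shell
#!/bin/sh
# Added example (not part of PBIS): builds the connection string shown above
# for a given server and checks an arbitrary string for the properties the
# guide relies on (Windows authentication, no embedded credentials).
# Function names are this example's own assumptions.

# Print the connection string for SQL Server instance $1 (DBSERVERNAME).
build_connection_string() {
    printf 'Data Source=%s;Initial Catalog=LikewiseEnterprise;Integrated Security=True\n' "$1"
}

# Print the value of key $2 in connection string $1 (keys are compared
# case-insensitively with surrounding spaces ignored), or nothing if absent.
cs_get() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v want="$2" '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
          if (tolower(key) == tolower(want)) { sub(/^[^=]*=/, ""); print; exit } }'
}

# Return 0 if connection string $1 uses Windows authentication against the
# LikewiseEnterprise catalog and carries no SQL login or password. Each
# problem found is printed on its own line.
check_connection_string() {
    rc=0
    [ -n "$(cs_get "$1" 'Data Source')" ] || { echo "missing Data Source"; rc=1; }
    [ "$(cs_get "$1" 'Initial Catalog')" = LikewiseEnterprise ] \
        || { echo "Initial Catalog is not LikewiseEnterprise"; rc=1; }
    case "$(cs_get "$1" 'Integrated Security')" in
        [Tt]rue|SSPI|sspi) ;;   # SSPI is SqlClient's synonym for True
        *) echo "Integrated Security is not True: Windows authentication not in use"; rc=1 ;;
    esac
    for k in 'User ID' 'Password' 'Pwd' 'Uid'; do
        [ -z "$(cs_get "$1" "$k")" ] || { echo "embedded credential: $k"; rc=1; }
    done
    return $rc
}

# Usage: check_connection_string "$(build_connection_string 'W2K3-R2\SQLEXPRESS')"
```

Running the check against whatever string was actually entered in the installer (or stored in the collector's configuration afterwards) is a quick way to confirm that the Windows-authentication recommendation made later in this chapter was followed.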
Set the Start Order for Collector Processes

If the collectors are installed on the same machine as the database, the collector services, BTCollector and BTEventDBReaper, must start after the Microsoft SQL Engine. In addition, BTCollector should start before BTEventDBReaper. For information about setting dependencies for system services, see MSDN. For an example of how to create a service dependency, see the article about delaying startup services.

Planning SQL Server Database Security

Although the SQL Server database will contain no user passwords or other highly confidential information, it will contain a list of user accounts, information about what users are allowed to access what resources, and other information that could be used for nefarious purposes. In considering the security of the database, you should ask yourself several questions:
• Who will be allowed to write to the database?
• Who will be allowed to read from the database?
• What accounts will be used to access the database?

Data is written to the database in several cases:
• When a collector copies events to the database.
• When the LDBUpdate process writes information from Active Directory to the database.
• When administrators perform maintenance operations on the database (for example, creating or restoring event archives).
In general, to minimize security risks, you should define and use privileged accounts in as narrow a fashion as possible. One possible set of answers to the above questions that meets these security criteria is as follows:
• The collector computers need to be able to write to the database. To allow this while maintaining stringent security, we will create a security group in AD called PBISCollectors. The collector computer accounts will be made members of the group. The group will be given read-write access to the events, collectors, and CollectorStats tables in the database.
• The LDBUpdate process needs to write to many tables in the database. To allow this, we will create an AD user called LDBUpdateUser. We will give this user read-write access to all tables in the database but we will not allow this user to log on interactively on any machine. We will create a Windows scheduled task to periodically run LDBUpdate using LDBUpdateUser. We will set LDBUpdateUser's password to never expire, or our administrators will manually update the account password and update scheduled tasks with the new password as necessary.
• Interactive database administration will be allowed only by certain administrators. A new security group, PBISArchiveAdministrators, will be created and given read access to all tables and write access to the archives and events.
• Reporting will be allowed only by trained administrators. To secure this, we will create a new security group called PBISAdministrators. We will give this group and the PBISArchiveAdministrators read access to all of the tables in the database.
• If we are to allow users to manually run LDBUpdate from the BeyondTrust Management Console, these users must have the same rights as the LDBUpdateUser described above.

The following table summarizes the suggestions above:

AD Group                         Read Access                                 Write Access
PBISCollectors group             collectors, CollectorStats, Events tables   collectors, CollectorStats, Events tables
LDBUpdateUser user               All tables                                  All tables
PBISArchiveAdministrators group  All tables                                  Archives, collectors, Events tables
PBISAdministrators group         All tables                                  None
These suggestions are all based on using Windows authentication rather than SQL Server authentication. Windows Authentication greatly simplifies the implementation of database security. If you want to use SQL Server authentication, you must embed user names and passwords in the collector servers and in the BeyondTrust Management Console, a practice that is not recommended. If you nevertheless want to take this approach, consult the MySQL Security Notes; much of the MySQL security information applies to using SQL Server with SQL Server Authentication.
Here is an example of SQL Server accounts in ADUC:
Configuring MySQL
This section provides information on configuring a database instance on a Windows 2003 Server using MySQL Server 5.1.
The procedure is similar on other operating systems, including Linux.
It is recommended that you set up the database on a new server.
For more information about MySQL Server, see the MySQL documentation.
Important: This section assumes you are a database administrator who knows how to set up and administer MySQL, including configuring the database to comply with your IT security policy. You are responsible for tailoring the settings to meet your networking and security requirements. The example setup and brief discussion of security issues below serve only as a primer. Your setup and configuration will depend on the intricacies of your mixed network and your organization's security policies.
Create the Likewise Enterprise Database
To create the PBIS Reporting Database by using MySQL:
1. After you have installed MySQL, create a database named LikewiseEnterprise:
C:\Program Files\Support Tools>mysql --user=root --password=password
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.1.36-community MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database LikewiseEnterprise;
Query OK, 1 row affected (0.14 sec)
2. In the MySQL utility, set the database to use LikewiseEnterprise:
mysql> use LikewiseEnterprise;
Database changed
3. Allow the database to accept external connections from the database definer account.
You must configure the MySQL database to allow external database connections for the account that connects to the database, your database definer account. The code block below configures the MySQL root account to connect to the database with local or external connections.
The accounts that you use to connect to the database and the permissions that you grant those accounts will depend on your environment and your security policy; see the section below on MySQL Security Notes.
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER 'root'@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.02 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
4. Copy the MySQL database creation script from the installation media to a location accessible from the MySQL server.
5. Run the PBIS Enterprise database creation script for MySQL:
mysql> source CreateLikewiseEnterpriseDatabase.msql;
If the script executes with errors, try running it again.
Install the PBIS Database Utilities
The PBIS DB Utilities executable installs the collectors. It is recommended that you install the collectors on a dedicated server.
In a network with only a few computers or for testing, you can install the collectors on the same server as the PBIS database.
1. Run the PBIS Database Utilities installer program (typically, PowerBrokerDBUtilities-7.1.<build_version>.exe in C:\Program Files\BeyondTrust\PBIS\Enterprise or on your PBIS installation media).
Follow the instructions in the installer. Install all the database tools listed in the installer.
2. In the Database Provider Library box, enter the following string:
MySql.Data.MySqlClient
3. In the Connection String box, enter the following string, where dbUserAccount is your database definer account for your MySQL LikewiseEnterprise database and dbUserAccountPassword is the account's password. The account must be granted all privileges for local and external connections. Remember the name and password of this account; you must enter it later to connect to the database from the BeyondTrust Management Console.
server=yourDBserverInstanceName;database=LikewiseEnterprise;user id=dbUserAccount;password=dbUserAccountPassword;
Example:
server=steveh-dc;database=LikewiseEnterprise;user id=root;password=password;
4. Click Next.
5. Click Install.
Customize Your MySQL Security Settings
Because MySQL does not support integrated Windows Authentication, you must include an explicit user name and password in the database connection strings that PBIS components use to connect to the database.
MySQL does, however, support security restrictions based on IP addresses.
The following are the recommended best practices for using MySQL with PBIS Enterprise:
1. Create a MySQL user called BTCollector@hostname for each collector server, where hostname is the name of the collector server. This practice will restrict the use of BTCollector to the collector machines.
2. Grant the BTCollector read and write access to the database tables as shown in the table below.
3. Create an LwDbUpdate@hostname user, where hostname is the name of the computer on which the LDBUpdate scheduled task will be run.
4. Grant this user read and write access as shown in the table below.
5. Create a LwArchiveAdmin user.
6. Grant this user read and write access to tables as shown in the table below.
7. Create a LwAdmin user.
8. Grant this user read and write access to tables as shown in the table below.
The result should be as follows:

MySQL User             Read Access                                  Write Access
BTCollector@hostname   collectors, CollectorStats, Events tables    collectors, CollectorStats, Events tables
LwDbUpdate             All tables                                   All tables
LwArchiveAdmin         All tables                                   Archives, Events tables
LwAdmin                All tables                                   None

All these users should get different passwords. The user names and passwords must be specified in the database connection strings used when configuring PBIS collectors, reporting components, and the Operations Dashboard.
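The Python script below is an added example, not part of the guide or of the PBIS product. It reads the output of MySQL's SHOW GRANTS for the accounts in the table above and compares each grant with that access matrix, reporting any account that is not host-restricted (host '%'), that holds WITH GRANT OPTION, or that has rights on tables the matrix does not give it; the root@'%' account created during the initial setup is a deliberate instance of the first two. The SHOW GRANTS lines are constructed for illustration, and the host names and the privilege mapping (SELECT for read; INSERT, UPDATE, DELETE and the like for write) are assumptions.

```python
import re

DB = "LikewiseEnterprise"
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER", "ALL", "ALL PRIVILEGES"}

# Access matrix from the MySQL table above. "*" stands for every table in the
# database; "r" = read only, "rw" = read and write.
EXPECTED = {
    "BTCollector":    {"collectors": "rw", "CollectorStats": "rw", "Events": "rw"},
    "LwDbUpdate":     {"*": "rw"},
    "LwArchiveAdmin": {"*": "r", "Archives": "rw", "Events": "rw"},
    "LwAdmin":        {"*": "r"},
}

_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+'(?P<user>[^']+)'@'(?P<host>[^']+)'"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)


def _split_object(obj):
    """Turn `db`.`table`, `db`.* or *.* into (db, table); '*' means all."""
    db, _, table = obj.replace("`", "").partition(".")
    return db, table or "*"


def audit_grants(show_grants_lines):
    """Compare SHOW GRANTS output against the access matrix.

    Returns a list of (account, finding) tuples; an empty list means every
    grant matches the matrix, every account is host-restricted and nobody
    holds WITH GRANT OPTION.
    """
    findings = []
    for line in show_grants_lines:
        m = _GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        user, host = m.group("user"), m.group("host")
        account = f"{user}@{host}"
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        db, table = _split_object(m.group("obj"))

        if host == "%":
            findings.append((account, "host is '%': the account can connect from any address"))
        if "GRANT OPTION" in m.group("rest").upper():
            findings.append((account, "WITH GRANT OPTION lets the account extend its own rights"))
        if user not in EXPECTED:
            if db == "*" and privs & {"ALL", "ALL PRIVILEGES"}:
                findings.append((account, "ALL PRIVILEGES ON *.* on an account outside the access matrix"))
            continue
        if privs == {"USAGE"}:  # SHOW GRANTS lists USAGE for every account; it grants nothing
            continue
        if db == "*":
            findings.append((account, f"global (*.*) grant instead of one scoped to {DB}"))
            continue
        if db != DB:
            findings.append((account, f"grant on database {db}, outside {DB}"))
            continue
        allowed = EXPECTED[user].get(table, EXPECTED[user].get("*"))
        if allowed is None:
            findings.append((account, f"grant on table {table}, which the matrix does not list"))
        elif allowed == "r" and privs & WRITE_PRIVS:
            findings.append((account, f"write privilege on {DB}.{table} where only read is expected"))
    return findings


# Constructed SHOW GRANTS output for illustration (not taken from a real server).
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO 'BTCollector'@'collector1.example.com'",
    "GRANT SELECT, INSERT, UPDATE ON `LikewiseEnterprise`.`collectors` TO 'BTCollector'@'collector1.example.com'",
    "GRANT SELECT, INSERT, UPDATE ON `LikewiseEnterprise`.`CollectorStats` TO 'BTCollector'@'collector1.example.com'",
    "GRANT SELECT, INSERT ON `LikewiseEnterprise`.`Events` TO 'BTCollector'@'collector1.example.com'",
    "GRANT SELECT, INSERT ON `LikewiseEnterprise`.`Archives` TO 'BTCollector'@'collector2.example.com'",
    "GRANT ALL PRIVILEGES ON `LikewiseEnterprise`.* TO 'LwDbUpdate'@'admin-ws.example.com'",
    "GRANT SELECT ON `LikewiseEnterprise`.* TO 'LwAdmin'@'admin-ws.example.com'",
    "GRANT SELECT, INSERT, UPDATE ON `LikewiseEnterprise`.* TO 'LwArchiveAdmin'@'admin-ws.example.com'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for account, finding in audit_grants(SAMPLE_SHOW_GRANTS):
        print(f"{account}: {finding}")
```

Run it against the real output of `SHOW GRANTS FOR 'BTCollector'@'<hostname>'` and the other accounts after the eight steps above; the sample produces five findings (the second collector's grant on Archives, LwArchiveAdmin's database-wide write, and three for root@'%').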
Connecting the PBIS Console to the Database
This section assumes the BeyondTrust Management Console and the following PBIS reporting components are installed on your Windows administrative workstation: Reporting Components, Database Update and Management Tools, Operations Dashboard.
Connect the PBIS Console to the Database
In the BeyondTrust Management Console, load the Enterprise Database Management plug-in and connect to the database server instance (which is typically but not necessarily your server's computer name).
1. In the console, on the File menu, click Add/Remove Plug-in.
2. Click Add.
3. Click Enterprise Database Management, and then click Add.
4. Click Close, and then click OK.
5. In the console tree, right-click the Enterprise Database Management node and then click Connect to database.
6. Click Change.
7. Select MySQL, and then enter the name of your database server instance in the Server/Instance box.
8. Enter the credentials of your database definer account.
Verify That the Collector Processes Are Running
Although BTCollector and BTEventDBReaper are typically started automatically, run the following commands to ensure the processes are running.
Verify BTCollector is Running
1. Run the following command on the Windows computer running the collector:
C:\Program Files\BeyondTrust\PBIS\Enterprise>sc query BTCollector
SERVICE_NAME: BTCollector
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
2. Run the following command if the collector is not running:
C:\Program Files\BeyondTrust\PBIS\Enterprise>sc start BTCollector
Verify BTEventDBReaper is Running
1. Run the following command:
C:\Program Files\BeyondTrust\PBIS\Enterprise>sc query BTEventDBReaper
SERVICE_NAME: BTEventDBReaper
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
2. Run the following command if the collector is not running:
C:\Program Files\BeyondTrust\PBIS\Enterprise>sc start BTEventDBReaper
Run the Database Update Script
The LDBUpdate script is a batch program for Windows that reads information from Active Directory and writes it to the PBIS database so you can generate reports about computers and users in Active Directory. You can run the update script on demand from the BeyondTrust Management Console, or you can set it up as a scheduled task.
If the information in Active Directory has changed since you last ran the script and if you want those changes included in your reports, run the script before you generate your reports.
To access Active Directory, the LDBUpdate script uses the LDAP and RPC ports.
The Update DB button will only be enabled if the update utility is available on the current machine. The PBIS Enterprise installer allows you to select whether the utility is installed on a machine.
Ensure the following is in place before you run the script:
• To run the utility, the current user must have privileges to read and write to any table in the Enterprise database.
• The Windows administrative workstation where you run the script must be connected to Active Directory.
• The user account that runs the script must have at least read permission for objects and child objects in Active Directory.
1. In the BeyondTrust Management Console, on the File menu, click Add/Remove Plug-in.
2. Click Add.
3. Click Audit and Access Reporting, and then click Add.
4. Click Close, and then click OK.
5. In the console tree, click the Audit and Access Reporting node and then click Advanced.
6. Click Update DB, and then click Run.
7. Click Close.
Run the Database Update Script from the Command Line
The LDBUpdate script reads information from Active Directory and writes it to the PBIS database so you can generate reports about computers and users in Active Directory. You can manage the update script on demand from the shell prompt of your Windows administrative workstation running PBIS Enterprise.
Ensure the following is in place before you run the script:
• The Windows administrative workstation where you run the script must be connected to Active Directory.
• To use the shell commands, the current user must have privileges to read and write to any table in the Enterprise database.
• The user account that runs the script must have at least read permission for objects and child objects in Active Directory.
C:\Program Files\BeyondTrust\PBIS\Enterprise>ldbupdate.exe /?
Usage: LDBUpdate OPTIONS
Where OPTIONS include:
  -f LDAPPATH      Path of the forest to synchronize; required
  -d FQDN          Domain (in forest or in trusts) to process; can repeat
  -o FILE          Send output to FILE
  -p PROVIDER      Use PROVIDER as the database type (default: System.Data.SqlClient)
  -c STRING        Use STRING as the database connection parameter
  -nogpo           Don't analyze GPOs (faster)
  -v               Display verbose output
  --force          Ignore the database status and perform update even if marked as busy
  --debug          Display debug level output
  --transaction    Perform all database operations under a single transaction. Allow interactions to the database with reporting tools while update is performed in the background.
  --class STRING   Identify the objects to update, leaving others as is from a previous update. (Examples: Users, Groups, GPOLinks, GPOs, Computers). Can be repeated to identify several class types.
                   LDBUpdate --class Users --class Groups -f <domain> ...
  --help           Display this help output
If the -d option is not specified, all the domains in the forest and in any trusted forests will be processed.
Here is an example of how to use the command-line utility to set the provider and the connection string for a SQL Server database:
ldbupdate.exe -f dc=example,dc=com -p System.Data.SqlClient -c "Data Source=RVLN-BUILD;Initial Catalog=LikewiseEnterprise; Integrated Security=True" --force
Configuring Computers to Forward Events to BTCollector
You can set computers to forward events to BTCollector in two ways:
• Globally by configuring a PBIS Group Policy setting to modify the configuration for the event forwarding service on target computers.
• Locally by editing the PBIS registry.
You can also cull events from syslog.
Configure Event Forwarding with Group Policy
This Group Policy setting modifies the settings in the PBIS registry to forward events from target Linux, Unix, and Mac OS X computers to the PBIS database collector service, BTCollector, on a Windows computer.
You can use this policy setting to improve security monitoring by logging authentication and authorization events and viewing them in the PBIS Operations Dashboard.
Important: To use this policy, you must first turn on event logging. For more information, see the PowerBroker Identity Services Group Policy Administration Guide. Depending on your network configuration, you may also have to configure a policy setting to specify the service principal of the collector.
To configure event forwarding using policy settings:
1. In Active Directory Users and Computers or in the Group Policy Management Console, create a Group Policy Object (GPO) for the organizational unit that you want, and then edit it in the Group Policy Management Editor (or Group Policy Object Editor).
2. In the console tree, expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS Settings, and then click Event Forwarder:
3. In the details pane, double-click Event log collector, and then select the Define this policy setting check box.
4. Enter the host name of the computer running BTCollector. Example: w2k3-r2.example.com
Configure Event Forwarding with Local Settings
Important: Before you can forward events, you must turn on the event log; see Turn on Event Logging.
The following procedure assumes you know how to edit the PBIS registry. For more information, see Configuring PBIS with the Registry.
1. On the target Linux, Unix, or Mac OS X computer, edit the registry to set the value of the following line to the host name of the computer running BTCollector.
[HKEY_THIS_MACHINE\Services\eventfwd\Parameters]
"Collector"=""
Example: "Collector"="w2k3-r2.example.com"
2. Or, set an IP address for the collector. If you do so, you must also specify the service principal of the collector on the following line:
[HKEY_THIS_MACHINE\Services\eventfwd\Parameters]
"CollectorPrincipal"=""
3. After you change the service's settings in the registry, you must force the service to load the change by restarting, with super-user privileges, eventfwd:
/opt/pbis/bin/lwsm restart eventfwd
Cull Events from Syslog
To collect sudo events and other system events that appear in syslog, you must configure syslog to write data to a location where the PBIS reapsysl service can find it and copy it to the local event log.
Note: You can set a PBIS Group Policy setting to modify /etc/syslog.conf on target computers.
The reapsysl service creates three named pipes and picks up the syslog information written to them:
/var/lib/pbis/syslog-reaper/error
/var/lib/pbis/syslog-reaper/warning
/var/lib/pbis/syslog-reaper/information
To configure syslog to write to the pipes, add the following lines to /etc/syslog.conf:
*.err        /var/lib/pbis/syslog-reaper/error
*.warning    /var/lib/pbis/syslog-reaper/warning
*.debug      /var/lib/pbis/syslog-reaper/information
The last entry is not analogous to the first two: a syslog selector matches the named priority and everything more severe, so *.debug routes messages of every priority to the information pipe, not only informational ones. Some versions of syslog require a tab character instead of spaces to separate the two components of each line; for more information, see your syslog documentation.
After you modify syslog.conf, you must restart the syslog service for the changes to take effect:
/etc/init.d/syslog restart
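As an added example (not from the guide or the product), the Python below checks a syslog.conf text for the three reaper entries above, distinguishes tab-separated entries from space-separated ones, and writes out a corrected configuration with missing entries appended; pipes_present reports whether the pipe paths exist as FIFOs on the host it runs on. The sample configuration is constructed; the pipe paths and selectors are the ones listed above.

```python
import os
import stat

# Selector -> named pipe, as listed for the reapsysl service above.
REAPER_PIPES = {
    "*.err":     "/var/lib/pbis/syslog-reaper/error",
    "*.warning": "/var/lib/pbis/syslog-reaper/warning",
    "*.debug":   "/var/lib/pbis/syslog-reaper/information",
}


def reaper_lines():
    """The three syslog.conf lines, tab-separated so they also satisfy syslogs that reject spaces."""
    return [f"{selector}\t{path}" for selector, path in REAPER_PIPES.items()]


def _reaper_entry(raw):
    """Return (selector, path) if the line is one of the reaper entries, else None."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) == 2 and REAPER_PIPES.get(parts[0]) == parts[1]:
        return parts[0], parts[1]
    return None


def check_syslog_conf(text):
    """Map each pipe path to 'ok' (present, tab-separated), 'space-separated' or 'missing'."""
    status = {path: "missing" for path in REAPER_PIPES.values()}
    for raw in text.splitlines():
        entry = _reaper_entry(raw)
        if entry is None:
            continue
        selector, path = entry
        separator = raw.strip()[len(selector):-len(path)]   # whatever sits between the two fields
        status[path] = "ok" if "\t" in separator else "space-separated"
    return status


def repair_syslog_conf(text):
    """Return the configuration with reaper entries normalized to a tab and missing ones appended."""
    out = []
    for raw in text.splitlines():
        entry = _reaper_entry(raw)
        out.append(f"{entry[0]}\t{entry[1]}" if entry else raw)
    status = check_syslog_conf(text)
    out.extend(f"{sel}\t{path}" for sel, path in REAPER_PIPES.items() if status[path] == "missing")
    return "\n".join(out) + "\n"


def pipes_present(paths=tuple(REAPER_PIPES.values())):
    """On the target host: which reaper paths exist and whether each is a FIFO (empty dict when none exist)."""
    return {p: stat.S_ISFIFO(os.stat(p).st_mode) for p in paths if os.path.exists(p)}


# Constructed sample configuration (not a real file): one correct entry, one
# separated by spaces, and the information pipe missing altogether.
SAMPLE_SYSLOG_CONF = (
    "# constructed sample /etc/syslog.conf\n"
    "*.info;mail.none;authpriv.none\t/var/log/messages\n"
    "*.err\t/var/lib/pbis/syslog-reaper/error\n"
    "*.warning   /var/lib/pbis/syslog-reaper/warning\n"
)

if __name__ == "__main__":
    for path, state in check_syslog_conf(SAMPLE_SYSLOG_CONF).items():
        print(f"{state:16} {path}")
    print(repair_syslog_conf(SAMPLE_SYSLOG_CONF))
    print(pipes_present())
```

Feed check_syslog_conf the contents of /etc/syslog.conf before restarting syslog; an entry reported as space-separated is the usual reason a pipe stays empty on a syslog that insists on tabs.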
Generate a Sample Report
You can generate reports using the Audit and Access Reporting plug-in for the BeyondTrust Management Console.
The following procedure shows how to create an inventory report of users with disabled accounts.
1. In the BeyondTrust Management Console tree, click the Audit and Access Reporting node.
2. Under Report Names, expand Inventory, expand Users, and then click Disabled Accounts.
3. Click Run Report.
Entitlement Reporting
Entitlement reporting can provide a detailed analysis of accounts. You can use it to help review how group memberships impact access for users. You can also use entitlement reports as part of your regulatory compliance efforts.
The PBIS agent includes a User Monitor service that logs entitlement changes detected from local accounts and groups on each end-point computer, as well as Active Directory (AD) changes that could affect account access and roles on computers.
All detected changes in entitlement are recorded in the Event Log subsystem for each PBIS agent. Using event forwarding, this data can be sent to a PBIS audit collector computer that can provide reporting across a centralized, enterprise-wide database.
Notes:
• For AD users, the User Monitor reports only the users who have access to the computer due to the RequireMembershipOf setting. If RequireMembershipOf is not enabled, a special pseudo user is reported. If the computer is running in unprovisioned mode, the pseudo user uses the "All Users accessible from domain %s" format; otherwise the pseudo user uses the "All Users in cell %s" format.
• The User Monitor only reports the AD groups of which at least one of the reported AD users is a member.
The following entitlement reports are available.
Access Privileges by User
This entitlement report, organized by user name, shows which users can log in to which computers and how that list has changed over time. The state of access privileges at the start date and end date are compared. Intermediate changes are not shown, so if a new user is added then deleted in the middle of the reporting time span, no change is shown in the report.
The status date field indicates the date of the last change to the user during the report time span. If a user was added and later the user's UID was changed, the date of the UID change is shown in the report.
When all of the fields in multiple rows match except for Computer Name and Status Date, those rows are collapsed so that one row is shown with a space-separated list of the computers to which it applies.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.
Access Privileges by Computer
This entitlement report, organized by computer name, shows which users can log in to which computers and how that list has changed over time. The state of access privileges at the start date and end date are compared. Intermediate changes are not shown, so if a new user is added then deleted in the middle of the reporting time span, no change is shown in the report.
The status date field indicates the date of the last change to the user during the report time span. If a user was added and later the user's UID was changed, the date of the UID change is shown in the report.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.
Access Privilege Changes
This entitlement report shows changes to user privileges by date. Every change is shown, including changes that are later undone. This report does not provide a list of all users who can log in to the computers, only those users for which there have been changes.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.
Access Privilege Daily Changes
This entitlement report shows changes to user privileges on a daily basis. Every change is shown, including changes that are later undone. This report does not provide a list of all users who can log in to the computers, only those users for which there have been changes.
This report provides the same information as the Access Privilege Changes by User report, but with simplified search criteria.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.
Account Attribute Inconsistencies
This entitlement report shows conflicts between UID, user name, and GECOS.
Monitoring Events with the Operations Dashboard
The PBIS Operations Dashboard is a management plug-in for the BeyondTrust Management Console. The dashboard runs on a Windows administrative workstation connected to the PBIS Reporting Database and an Active Directory domain controller.
The dashboard retrieves information from the PBIS database to display authentication transactions, authorization requests, network events, and other security events on Linux, Unix, and Mac OS X computers.
Monitoring events such as failed logon attempts and failed sudo attempts can help prevent unauthorized access to commands, applications, and sensitive resources.
Here are some of the events the dashboard can display. You can also create and monitor custom events.
All Success Audit Events
All System Log Error Events
Console Logons (AD or Local)
Domain Joins
Domain Leaves
Failed Console Logons (AD or Local)
Failed Group Policy Updates
Failed Kerberos Refresh
Failed Password Change
Failed Root Logons (Local)
Failed SSH Logons (AD or Local)
Failed Sudo
PBIS Services Failures
Network Offline Warning
Root Account Logons (Local)
SSH Logons (AD or Local)
Sudo
Start the Operations Dashboard
You can run the Operations Dashboard in the BeyondTrust Management Console.
Start the Dashboard
You can start the Operations Dashboard using either of the following methods:
• On the desktop of a Windows administrative workstation, double-click the BeyondTrust PBIS Enterprise icon. In the BeyondTrust Management Console, click Operations Dashboard.
• Click Start, point to All Programs, click BeyondTrust PBIS, and then click BeyondTrust Enterprise Console. In the BeyondTrust Management Console, click Operations Dashboard.
Add the Dashboard to the Console
By default, the Operations Dashboard node is displayed in the BeyondTrust Management Console. If it is not displayed, you can add it.
1. On a Windows administrative workstation, start the BeyondTrust Management Console.
2. From the File menu, click Add/Remove Plug-in.
3. Click Add.
4. Click Operations Dashboard, click Add, and then click Close.
5. Click OK.
Connect to a Database
To connect to a database or change your database connection:
1. In the console tree, right-click Operations Dashboard and then click Connect to.
2. Click Change.
3. Select the database type you want to connect to.
4. In the Server/Instance box, click the drop-down list and select the instance that you want, or type the name of your server/instance.
5. Click OK.
Change the Refresh Rate
To change the refresh rate:
1. In the console tree, right-click Operations Dashboard and then click Metric settings.
2. In the Refresh Interval box, enter the minutes that pass before the information on the dashboard is updated with the latest metrics.
3. Click Close.
Configuring the PBIS Data Collectors
You can manage the PBIS data collectors, BTCollector and BTEventDBReaper, in two ways:
• Using the shell prompt
• Using the PBIS Enterprise Database plug-in for the BeyondTrust Management Console.
Configuring BTCollector Using the Shell Prompt
A provider name and a connection string are the only required parameters to run the BTCollector, which is auto-started as a Windows process at C:\Program Files\BeyondTrust\PBIS\Enterprise.
You can change the defaults using the Enterprise Database Management plug-in or the command line.
To view the arguments of BTCollector, execute the following command at the shell prompt:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTCollector /h
Table 1. BTCollector arguments

Option        Description
/h            Display help.
/p <integer>  Set the records that the event forwarder can send per period. A period consists of sending multiple batches and then sleeping until the period is over. So this number is the maximum number of events that can be sent before the event forwarder sleeps.
/b <integer>  Set the records that the event forwarder can send per batch. A batch is sent with a single RPC call, so setting this too high delays adding any records in the batch until the entire batch is sent.
/t <integer>  Set the number of seconds in a period. If an event forwarder finishes sending its events before this length of time is up, it will sleep to finish the period.
/a <string>   Set the remote access security descriptor in SDDL syntax. The default value is "O:LSG:BAD:PAR(A;;CCDCRP;;;BA)(A;;CCDCRP;;;DA)(A;;CC;;;DC)".
/l <level>    Set the log level to error, warning, info, verbose, or debug.
/s            Show the current settings.

The service includes /b, /p, and /s options, each of which is discussed in this section. The options configure the size and time period for the data that the endpoints on the computers running the PBIS agent send to the collector. You configure the collector with parameters for the endpoints. The endpoints query the collector for their communication parameters.
• The /t parameter controls how often the endpoint connects to the collector to forward events.
The parameter sets the forwarding period in seconds. If the forwarding period is set to 300 seconds, for example, the endpoint event forwarder service sends events to a collector once every 5 minutes.
The smaller the number is, the more frequently endpoints communicate with collectors and the smaller the latency between the time when an event is generated and when it appears in the database.
If the number is too small, however, it can result in excessive load on the endpoints and in excessive network traffic.
• The /p parameter controls the maximum number of events that an endpoint sends to the collector during each period.
This number, in combination with the /t parameter, can be set to control the load on endpoints imposed by the event forwarding service (eventfwd) sending events to collectors.
If this number is large, the event forwarder might consume excessive CPU time and network bandwidth.
If the number is small, however, the endpoint might fall behind with the incoming event rate and end up with a large backlog of uncollected events.
• The /b parameter controls how many events are sent per batch.
The collector sends events in batches until the number of sent events reaches the value that you set (or until there are no more left to send, whichever number is smaller).
If the /b parameter is set too high, the network transaction might fail because of a connection that times out.
If the parameter is set too low, the event forwarding service might consume too much CPU time and bandwidth because there are more network transactions.
• The /a parameter specifies the access control list (ACL) of the computers allowed to communicate with the collector.
The parameter sets configuration information that affects the collector rather than the endpoints that communicate with it. By default, the ACL for the collector's RPC port is set to allow computers in the Active Directory Domain Computers group to write to the collector. This is the permission set by the long SDDL formatted string shown in the usage information for the /a parameter.
In the case of collectors that are servicing multiple domains, however, this ACL is insufficient as it allows only endpoints joined to the same domain as the collector to write to it. In such cases, you can use the /a parameter to specify a more inclusive ACL.
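To see what a given /p, /b and /t combination implies for an endpoint, here is an added Python model; it is not from the guide or the product. It computes the event rate an endpoint can sustain, the number of RPC calls a full period costs, and how a backlog of uncollected events grows when events arrive faster than the forwarder may send them. The figures in the usage section use the defaults reported by BTCollector /s (10000 records per period, 100 per batch, 10 seconds per period) and the 300-second period from the /t discussion; the incoming event rates are assumed for illustration.

```python
import math


def period_capacity(records_per_period, seconds_per_period):
    """Highest sustained event rate (events/s) an endpoint can forward with /p and /t."""
    return records_per_period / seconds_per_period


def rpc_calls_per_period(records_per_period, records_per_batch, pending):
    """RPC calls one forwarding period needs: one per batch, sending at most
    records_per_period events and never more than are pending."""
    to_send = min(records_per_period, pending)
    return math.ceil(to_send / records_per_batch)


def simulate_backlog(event_rate, records_per_period, seconds_per_period, periods, backlog=0):
    """Uncollected events left on the endpoint after each of `periods` forwarding
    periods, with events arriving at a steady event_rate (events/s)."""
    history = []
    for _ in range(periods):
        backlog += event_rate * seconds_per_period     # generated during the period
        backlog -= min(records_per_period, backlog)    # forwarded during the period (capped by /p)
        history.append(backlog)
    return history


def evaluate(event_rate, records_per_period, records_per_batch, seconds_per_period, periods=6):
    """Summarize what a /p, /b, /t combination means for an endpoint at a given event rate."""
    capacity = period_capacity(records_per_period, seconds_per_period)
    return {
        "capacity_events_per_s": capacity,
        "keeps_up": event_rate <= capacity,
        "forward_interval_s": seconds_per_period,        # an endpoint contacts the collector once per period
        "rpc_calls_per_full_period": rpc_calls_per_period(records_per_period, records_per_batch,
                                                          records_per_period),
        "backlog_after_each_period": simulate_backlog(event_rate, records_per_period,
                                                      seconds_per_period, periods),
    }


if __name__ == "__main__":
    # Defaults reported by "BTCollector /s": /p 10000, /b 100, /t 10 (event rates assumed).
    print(evaluate(event_rate=50, records_per_period=10000, records_per_batch=100, seconds_per_period=10))
    # Same defaults under a burst of 1200 events/s: the backlog grows by 2000 events per period.
    print(evaluate(event_rate=1200, records_per_period=10000, records_per_batch=100, seconds_per_period=10))
    # A 300-second period as in the /t discussion: capacity drops to about 33 events/s.
    print(evaluate(event_rate=20, records_per_period=10000, records_per_batch=100, seconds_per_period=300))
```

The model deliberately ignores RPC latency and the cost of each call; it only shows the arithmetic behind the trade-offs the bullets describe, which is enough to check whether a planned /p and /t pair can keep up with the event rate you expect from your busiest endpoints.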
The /s parameter shows the default settings:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTCollector /s
Current settings:
  Records per period                 10000
  Records per batch                  100
  Seconds in a period                10
  Database location                  C:\Program Files\BeyondTrust\PBIS\Enterprise\BTCollector.db
  Remote access security descriptor  O:LSG:BAD:P(A;;CC;;;DC)(A;;CC;;;DA)(A;;RP;;;DA)(A;;DC;;;DA)(A;;CC;;;BA)(A;;RP;;;BA)(A;;DC;;;BA)(A;;CC;;;S-1-5-21-418081286-1191099226-2202501032-515)
The remote access security descriptor shown in the above output is the default. It provides the following group accounts with these permissions:
• Domain Computers are allowed to create children (add events)
• Domain Administrators are allowed to create children (add events)
• Domain Administrators are allowed to read properties (read events)
• Domain Administrators are allowed to delete children (delete events)
• Built-in PBIS Administrators are allowed to create children (add events)
• Built-in PBIS Administrators are allowed to read properties (read events)
• Built-in PBIS Administrators are allowed to delete children (delete events)
The ACL is stored in the Windows registry of the collector server. The PBIS console writes the ACL to the PBIS Enterprise database. The BTEventDBReaper service pulls it from the database and writes it to the registry.
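The following Python parser is an added example, not code from the guide or the product. It breaks a collector security descriptor into its ACEs, lists them in the terms the guide uses (create child = add events, and so on), answers whether a trustee holds a given right, and appends an allow ACE for a further trustee, which is the change the multi-domain case above calls for. The alias names follow the standard SDDL well-known SID aliases (BA is the built-in Administrators group); the two descriptors are the ones shown above, and the second-domain SID in the usage section is a constructed placeholder.

```python
import re

# SDDL aliases for the trustees that appear in the collector's descriptors
# (standard well-known SID strings; BA is the built-in Administrators group).
TRUSTEES = {
    "BA": "Built-in Administrators",
    "DA": "Domain Admins",
    "DC": "Domain Computers",
    "DU": "Domain Users",
    "AU": "Authenticated Users",
    "LS": "Local Service",
}

# Access-right abbreviations with the meaning the guide gives them for the collector.
RIGHTS = {
    "CC": "create child (add events)",
    "RP": "read property (read events)",
    "DC": "delete child (delete events)",
}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, SACL, DACL flags and DACL ACEs.
    Whitespace and line breaks, as in a copied console listing, are ignored."""
    text = "".join(sddl.split())
    parts = {}
    markers = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", text)]
    for i, (pos, key) in enumerate(markers):
        end = markers[i + 1][0] if i + 1 < len(markers) else len(text)
        parts[key] = text[pos + 2:end]
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]                  # e.g. "P" (protected) or "PAR"
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _object_guid, _inherit_guid, trustee = fields
        aces.append({
            "type": ace_type,                                  # A = allow, D = deny
            "flags": ace_flags,
            "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
            "trustee": trustee,                                # alias or literal SID
        })
    return {"owner": parts.get("O"), "group": parts.get("G"), "sacl": parts.get("S"),
            "dacl_flags": flags, "aces": aces}


def describe_dacl(sddl):
    """One readable line per ACE, e.g. 'allow Domain Computers: create child (add events)'."""
    lines = []
    for ace in parse_sddl(sddl)["aces"]:
        who = TRUSTEES.get(ace["trustee"], ace["trustee"])
        what = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
        lines.append(f"{'allow' if ace['type'] == 'A' else 'deny'} {who}: {what}")
    return lines


def is_allowed(sddl, trustee, right):
    """True when an allow ACE grants `right` to `trustee` and no deny ACE withholds it.
    Matching is literal (alias or SID); group membership is not expanded."""
    allowed = denied = False
    for ace in parse_sddl(sddl)["aces"]:
        if ace["trustee"] == trustee and right in ace["rights"]:
            allowed |= ace["type"] == "A"
            denied |= ace["type"] == "D"
    return allowed and not denied


def add_allow(sddl, trustee, rights="CC"):
    """Append an allow ACE for a further trustee, e.g. the Domain Computers SID of a
    second, trusted domain (the multi-domain case discussed above)."""
    if parse_sddl(sddl)["sacl"] is not None:
        raise ValueError("descriptor carries a SACL; insert the ACE before the S: component")
    return f"{''.join(sddl.split())}(A;;{rights};;;{trustee})"


# The default descriptor from the /a option in Table 1 above.
DEFAULT_SDDL = "O:LSG:BAD:PAR(A;;CCDCRP;;;BA)(A;;CCDCRP;;;DA)(A;;CC;;;DC)"
# The expanded descriptor shown by "BTCollector /s" above, joined onto one line.
RUNNING_SDDL = ("O:LSG:BAD:P(A;;CC;;;DC)(A;;CC;;;DA)(A;;RP;;;DA)(A;;DC;;;DA)(A;;CC;;;BA)"
                "(A;;RP;;;BA)(A;;DC;;;BA)(A;;CC;;;S-1-5-21-418081286-1191099226-2202501032-515)")

if __name__ == "__main__":
    for line in describe_dacl(RUNNING_SDDL):
        print(line)
    # Constructed placeholder SID for a second domain's Domain Computers group (RID 515).
    print(add_allow(DEFAULT_SDDL, "S-1-5-21-0-0-0-515"))
```

Because the endpoints of a second domain authenticate with that domain's computer accounts, the trustee to add is that domain's Domain Computers SID (domain SID plus RID 515), which is what the last ACE of the running descriptor above already shows for the collector's own domain; describe_dacl on the string you intend to pass to /a lets you confirm the result before writing it.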
Configuring BTEventDBReaper Using the Shell Prompt
BTEventDBReaper gathers events from a collector (forwarded by endpoints) and writes these events to the database. BTCollector stores incoming events in a local, intermediate database while BTEventDBReaper takes these events and writes them to the central database.
To view BTEventDBReaper arguments, execute the following command:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTEventDBReaper /?
BTEventDBReaper - PowerBroker Event Reaper agent for Windows. Copies
events from a BeyondTrust Event Collector server to the central
BeyondTrust SQL Server database. This program is run as a Windows service,
but can be run from the command line to set up parameters for the service.

Usage:
  BTEventDBReaper OPTIONS

Options:
  /?            Shows this help
  /gui          Shows graphical database configuration form (do not
                specify /d or /c if using this option).
  /d PROVIDER   Specifies the database provider to be used. Specify
                System.Data.SqlClient for SQL Server (default) or
                MySql.Data.MySqlClient for MySQL.
  /c DBSTRING   Specifies the database connection string to be used to
                talk to the BeyondTrust database.
  /f NUMBER     Specifies the earliest record id that should be copied
                when the agent runs. USE WITH CAUTION!
  /r            Refreshes the agent with new registry settings.
  /s            Shows the current status
  /debug        Run as command line application with logging
The /d and /c parameters are used to set the database provider and connection strings for the service. Or, you can run the following command to open the dialog box for changing the database provider and connection strings:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTEventDBReaper /gui
The /f parameter is used to control the point at which the first event in the local collector database is written to the central PBIS database. Under normal circumstances, it should not be necessary to set this parameter.
Any parameters set from the command line will take effect the next time that BTEventDBReaper runs. If you want the service to immediately make use of the new parameters, you can run BTEventDBReaper with the /r command-line argument.
The /s parameter is used to display the current configuration settings for the service:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTEventDBReaper /s
Current settings:
  Database provider:      System.Data.SqlClient
  Connection string:      Data Source=RVLN-BUILD; Initial Catalog=LikewiseEnterprise; Integrated Security=True
  Record id last copied:  1794
  Records per period:     300
  Seconds in a period:    1200
Although the settings include records per period and seconds in a period, the parameters cannot be configured from the command line. The default values can be changed using the Enterprise Database Management plug-in.
Using the Enterprise Database Management Plug-in
You can use the Enterprise Database Management plug-in to monitor and configure the PBIS Enterprise database and to manipulate archived event information.
You add the plug-in to the console in the same way that you add other plug-ins; for an example, see Start the Operations Dashboard.
Connect to a Database
You can connect to a database or change your database connection.
1. In the console tree, right-click Enterprise Database Management and then click Connect to database.
2. Click Change.
3. Select the database type you want to connect to.
4. Click the drop-down list and select the instance that you want, or type the name of your server/instance.
Change the Parameters of the Collectors
You can use the Enterprise Database Management plug-in to set parameters for the collectors.
1. In the console tree, expand Enterprise Database Management.
2. Right-click Collector Status, and then select Set collector parameters.
Alternatively, in the list of collectors, right-click the collector that you want to modify, and then select Set collector parameters.
3. Enter the parameters that you want.
Configure the ACL for RPC Access
You can configure the access control list (ACL) for the remote procedure calls that take place between the collector and its endpoints.
1. In the console tree, expand Enterprise Database Management.
2. Right-click Collector Status, and then select Set collector parameters.
Alternatively, in the list of collectors, right-click the name of the collector, and then select Set collector parameters.
3. Click Set Permissions:
4. Set the permissions that you want to apply to the RPCs between the collector and endpoints.
Archiving Events
You can archive events in two ways: either with the Enterprise Database Management plug-in or with the command line.
The PBIS event-archiving utility, BTArchive, combines events older than one year into compressed archives and stores them in a separate database table. A separate archive is created for each month of old event data. After events are archived, they are deleted. The event-archiving utility is intended to be run according to a monthly schedule.
Archive Events with the Console
To archive events using the console:
PBISEnterpriseInstallationandAdministration PBISReporting
BeyondTrust
®
June21,2013 200

1.Intheconsoletree,expandEnterpriseDatabaseManagement.
2.Right-clickArchiveStatus,andthenselectCreatearchive.
3.Followtheinstructionsinthewizard.
Archive Events with the Command Line
To view the arguments of BTArchive, execute the following command at the shell prompt on a Windows computer running the PBIS collectors:
C:\Program Files\BeyondTrust\PBIS\Enterprise>btarchive --help
• The -p and -c options identify the database type and connection string of the central PBIS Enterprise database.
The connection string is the same as the one that you used when you configured the connection to the database. With SQL Server, for example, you enter a string like this:
Data Source=DBSERVERNAME;Initial Catalog=LikewiseEnterprise;Integrated Security=True
Here is an example:
Data Source=W2K3-R2\SQLEXPRESS;Initial Catalog=LikewiseEnterprise;Integrated Security=True
With MySQL, you enter a string like this:
server=yourDBserverInstanceName;database=LikewiseEnterprise;user id=dbUserAccount;password=dbUserAccountPassword;
Here is an example:
server=steveh-dc;database=LikewiseEnterprise;user id=root;password=password;
• The -a and -t options are used to control the archive time unit and the date threshold for archiving.
Note: It is suggested that you use the default settings, which are -a monthly and -t 12. These defaults create monthly archives for data older than 12 months.
• The -o option is used to control where the log output of BTArchive is written. By default, the output is written to the console.
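The MySQL form of the -c connection string above carries the database password in clear text, so anything that records the BTArchive command line (a scheduled-task history, a wrapper script's log, the -o log file) records the password too. The following is an added example, not BeyondTrust code: it parses both connection-string formats shown above, reports whether a string relies on integrated security instead of an embedded password, redacts the secret before the string is logged, and works out which monthly archive an event would fall into under the documented -a monthly -t 12 defaults. The exact cutoff BTArchive applies is not stated in the guide, so archive_bucket treats "older than 12 months" as "at least 12 calendar months before today"; that interpretation, and the key names pwd and user id, are assumptions of this example.

```python
from datetime import date
from typing import Dict, Optional, Tuple

# Keys whose values are secrets: they must not be echoed into BTArchive's -o
# log output or into a scheduled task's history. 'pwd' is an assumed alias.
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'key=value;key=value;' into a dict.

    Handles both forms the guide shows: the SQL Server form (keys containing
    spaces, such as 'Data Source') and the MySQL form (trailing ';'). Keys are
    lower-cased and whitespace-trimmed so lookups are case-insensitive.
    """
    result: Dict[str, str] = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue                      # tolerate the trailing ';'
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment!r}")
        key, value = segment.split("=", 1)
        result[key.strip().lower()] = value.strip()
    return result


def uses_integrated_security(conn: str) -> bool:
    """True when the string relies on Windows integrated authentication, so the
    collector account's own credentials are used and no database password is
    carried in the string."""
    parts = parse_connection_string(conn)
    return parts.get("integrated security", "").lower() in ("true", "sspi")


def redact_connection_string(conn: str) -> str:
    """Replace secret values with '***' so the string can be written to a log."""
    out = []
    for segment in conn.split(";"):
        if "=" in segment:
            key, _ = segment.split("=", 1)
            if key.strip().lower() in SECRET_KEYS:
                out.append(f"{key}=***")
                continue
        out.append(segment)
    return ";".join(out)


def archive_bucket(event_date: str, today: str,
                   threshold_months: int = 12) -> Optional[Tuple[int, int]]:
    """Return the (year, month) archive an event dated event_date (ISO 8601)
    would be placed in under -a monthly -t <threshold_months>, or None while
    the event is still newer than the threshold. Assumption: 'older than N
    months' is taken as 'at least N calendar months before today'."""
    ev = date.fromisoformat(event_date)
    now = date.fromisoformat(today)
    months_old = (now.year - ev.year) * 12 + (now.month - ev.month)
    if months_old < threshold_months:
        return None
    return (ev.year, ev.month)


if __name__ == "__main__":
    mysql = "server=steveh-dc;database=LikewiseEnterprise;user id=root;password=password;"
    print(parse_connection_string(mysql))
    print(redact_connection_string(mysql))
    print(archive_bucket("2012-05-03", "2013-06-21"))
```

Log only the value returned by redact_connection_string; the SQL Server form with Integrated Security=True is preferable where the collector host is domain-joined, because there is then no secret in the command line at all.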
Monitoring Events with the Event Log
The PBIS Event Log records and categorizes information about authentication transactions, authorization requests, network events, and other security events on Linux, Unix, and Mac OS X computers. Monitoring events such as failed logon attempts and failed sudo attempts can help prevent unauthorized access to commands, applications, and sensitive resources.
The events are stored in a SQLite database, which is included when you install the PBIS agent. The database is at /var/lib/pbis/db/lwi_events.db and its libraries are at /opt/pbis/lib/. To view and modify the database, PBIS includes a command-line utility at /opt/pbis/bin/sqlite3. For information about SQLite and instructions on how to use the command-line utility, see http://www.sqlite.org/.
The event log records the following events: service initializations, successful logins, failed logins, denied sudo attempts, the application of new Group Policy Objects (GPOs), offline-online transitions and other network connectivity events, and a periodic heartbeat that identifies whether the computer is active.
PBIS includes methods to set which user and group accounts have read or write access permissions to the event log. Set permissions using either the local PBIS configuration registry or PBIS Group Policy settings administered from Active Directory. You can filter events in the event log and you can decide which event categories to log.
Turn on and Configure Event Logging
Event logging is turned off by default.
Turn on event logging in one of the following ways:
• Editing the registry
• Using a Group Policy setting.
Configure the options for the event log in the registry or using the corresponding Group Policy settings. Keep in mind that Group Policy settings are available only with PBIS Enterprise; PBIS Open does not apply Group Policy settings.
After you modify the settings in the registry, you must restart the event log service with the root account for the changes to take effect:
/opt/pbis/bin/lwsm refresh eventlog
For information about managing the event log with the registry, see Configuring PBIS with the Registry. For information about managing the event log with Group Policy settings, see the PowerBroker Identity Services Group Policy Administration Guide.
View the Local Event Log
On a Linux, Unix, or Mac OS X computer, you view the local PBIS Event Log by using the event log command-line utility with the root account:
/opt/pbis/bin/eventlog-cli
To view the command's arguments, execute the following command:
/opt/pbis/bin/eventlog-cli -h
You can gain access to the event log by using either localhost or the virtual loopback interface of the computer, which is typically assigned to the address 127.0.0.1.
To view a summary of events, execute the following command with the root account:
/opt/pbis/bin/eventlog-cli -s - localhost
Example output:
========================================
Event Record: (392/396) (392 total)
========================================
Event Record ID......... 392
Event Table Category.... System
Event Type.............. Information
Event Date.............. 2010-02-16
Event Time.............. 07:37:58 AM
Event Source............ Likewise LSASS
Event Category.......... Service
Event Source ID......... 1004
Event User.............. SYSTEM
Event Computer.......... example03
Event Description....... Likewise authentication service provider configuration settings have been reloaded.
     Authentication provider: lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 14400
     Space replacement character: '^'
     Domain separator character: '\'
     Enable event log: true
     Logon membership requirements:
         CORP\EXAMPLE03_Users
         CORP\EnterpriseTeam
     Log network connection events: false
     Create K5Login file: true
     Create home directory: true
     Sign and seal LDAP traffic: false
     Assume default domain: false
     Sync system time: true
     Refresh user credentials: true
     Machine password sync lifetime: 2592000
     Default Shell: /bin/sh
     Default home directory prefix: /Users
     Home directory template: %H/local/%D/%U
     Umask: 18
     Skeleton directory: System/Library/User Template/Non_localized, /System/Library/User Template/English.lproj
     Cell support: Invalid
     Trim user membership: true
     NSS group members from cache only: false
     NSS user members from cache only: false
     NSS enumeration enabled: true
     Domain Manager check domain online (secs): 300
     Domain Manager unknown domain cache timeout (secs): 3600
========================================
Or, with the following command, you can view the event log in table format:
/opt/pbis/bin/eventlog-cli -t - localhost
Example:
[root@rhel5d bin]# su example\\user2
[EXAMPLE\user2@rhel5d bin]$ sudo blah
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
sudo: 2 incorrect password attempts
[EXAMPLE\user2@rhel5d bin]$ exit
[root@rhel5d bin]# /opt/pbis/bin/eventlog-cli -t - localhost
Id: | Type          | Time        | Source         | Category     | Event | User
83  | Information   | 02:11:29 PM | Likewise LSASS | Service      | 1004  | SYSTEM
84  | Success Audit | 02:13:07 PM | Likewise LSASS | Login/Logoff | 1201  | EXAMPLE\user2
85  | Failure Audit | 02:13:30 PM | Likewise LSASS | Login/Logoff | 1205  | EXAMPLE\user2
86  | Failure Audit | 02:13:33 PM | Likewise LSASS | Login/Logoff | 1205  | EXAMPLE\user2
87  | Failure Audit | 02:13:39 PM | Likewise LSASS | Login/Logoff | 1205  | EXAMPLE\user2
88  | Success Audit | 02:14:57 PM | Likewise LSASS | Login/Logoff | 1220  | EXAMPLE\user2
[root@rhel5d bin]#
You can also use SQL filters to query the event log by event type, source ID, and a variety of other field names. Example:
[root@rhel5d bin]# /opt/pbis/bin/eventlog-cli -s "(EventType='Failure Audit') AND (EventSourceId=1205)" localhost
Event Record: (1/3) (1 total)
========================================
Event Record ID......... 85
Event Table Category.... Security
Event Type.............. Failure Audit
Event Date.............. 2009-07-29
Event Time.............. 02:13:30 PM
Event Source............ Likewise LSASS
Event Category.......... Login/Logoff
Event Source ID......... 1205
Event User.............. EXAMPLE\user2
Event Computer.......... rhel5d
Event Description....... Logon Failure:
     Authentication provider: lsa-activedirectory-provider
     Reason: Unknown username or bad password
     User Name: EXAMPLE\user2
     Login phase: User authenticate
Event Data.............. Error: The password is incorrect for the given username [error code: 32789]
========================================
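The same filter can be run directly against the SQLite store with the sqlite3 utility the agent ships, or from a script. The following is an added example, not PBIS code, that uses Python's standard sqlite3 module against an in-memory table: the schema is constructed here to mirror the fields eventlog-cli prints (it is not the real layout of lwi_events.db, which the guide does not show), and the rows reproduce the sudo session above. It runs the guide's (EventType='Failure Audit') AND (EventSourceId=1205) filter as a parameterised query and then adds the detection a monitoring team would want on top of it: flag any user/computer pair with three or more failed logons (source IDs 1205 to 1215 from the list below) inside a five-minute window.

```python
import sqlite3
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed schema mirroring the fields eventlog-cli prints. It is NOT the
# real layout of /var/lib/pbis/db/lwi_events.db.
SCHEMA = """
CREATE TABLE events (
    EventRecordId      INTEGER PRIMARY KEY,
    EventTableCategory TEXT,
    EventType          TEXT,
    EventDateTime      TEXT,      -- 'YYYY-MM-DD HH:MM:SS', 24-hour clock
    EventSource        TEXT,
    EventCategory      TEXT,
    EventSourceId      INTEGER,
    EventUser          TEXT,
    EventComputer      TEXT,
    EventDescription   TEXT
);
"""

# Constructed rows reproducing the sudo session in the guide (records 83-88).
SAMPLE_EVENTS = [
    (83, "System",   "Information",   "2009-07-29 14:11:29", "Likewise LSASS",
     "Service",      1004, "SYSTEM",         "rhel5d", "Configuration reloaded"),
    (84, "Security", "Success Audit", "2009-07-29 14:13:07", "Likewise LSASS",
     "Login/Logoff", 1201, "EXAMPLE\\user2", "rhel5d", "Logon session created"),
    (85, "Security", "Failure Audit", "2009-07-29 14:13:30", "Likewise LSASS",
     "Login/Logoff", 1205, "EXAMPLE\\user2", "rhel5d", "Logon Failure"),
    (86, "Security", "Failure Audit", "2009-07-29 14:13:33", "Likewise LSASS",
     "Login/Logoff", 1205, "EXAMPLE\\user2", "rhel5d", "Logon Failure"),
    (87, "Security", "Failure Audit", "2009-07-29 14:13:39", "Likewise LSASS",
     "Login/Logoff", 1205, "EXAMPLE\\user2", "rhel5d", "Logon Failure"),
    (88, "Security", "Success Audit", "2009-07-29 14:14:57", "Likewise LSASS",
     "Login/Logoff", 1220, "EXAMPLE\\user2", "rhel5d", "Logoff"),
]

# LSASS failed-logon source IDs (1205..1215 in the Event Source IDs list).
FAILED_LOGON_IDS = tuple(range(1205, 1216))


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory copy of the constructed event table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    return conn


def failure_audits(conn: sqlite3.Connection, source_id: int = 1205) -> List[int]:
    """The guide's eventlog-cli filter as a parameterised query; returns the
    matching record IDs in order."""
    rows = conn.execute(
        "SELECT EventRecordId FROM events "
        "WHERE EventType = 'Failure Audit' AND EventSourceId = ? "
        "ORDER BY EventRecordId", (source_id,)).fetchall()
    return [r[0] for r in rows]


def brute_force_candidates(conn: sqlite3.Connection, threshold: int = 3,
                           window_seconds: int = 300) -> List[Tuple[str, str, int]]:
    """Return (user, computer, failures) for each user/computer pair that
    produced `threshold` or more failed logons inside any window of
    `window_seconds`. The sliding window runs in Python over the ordered
    timestamps so it also works on SQLite builds without window functions."""
    placeholders = ",".join("?" * len(FAILED_LOGON_IDS))
    rows = conn.execute(
        "SELECT EventUser, EventComputer, EventDateTime FROM events "
        f"WHERE EventType = 'Failure Audit' AND EventSourceId IN ({placeholders}) "
        "ORDER BY EventUser, EventComputer, EventDateTime", FAILED_LOGON_IDS).fetchall()
    by_key: Dict[Tuple[str, str], List[datetime]] = {}
    for user, computer, ts in rows:
        by_key.setdefault((user, computer), []).append(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    hits: List[Tuple[str, str, int]] = []
    for (user, computer), times in by_key.items():
        best, start = 0, 0
        for end in range(len(times)):
            # advance the window start until it fits inside window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((user, computer, best))
    return hits


if __name__ == "__main__":
    db = load_sample_db()
    print("failure audits (1205):", failure_audits(db))
    print("brute-force candidates:", brute_force_candidates(db))
```

Record 88 (source ID 1220, a successful logoff) is deliberately left out of the failure query: a logoff after three failures does not cancel the finding, and the logon that preceded it (record 84) succeeded before the failures began, so the alert still fires for EXAMPLE\user2 on rhel5d.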
Event Types
The Event Type is typically one of the following:
SUCCESS_AUDIT_EVENT_TYPE  "Success Audit"
FAILURE_AUDIT_EVENT_TYPE  "Failure Audit"
INFORMATION_EVENT_TYPE    "Information"
WARNING_EVENT_TYPE        "Warning"
ERROR_EVENT_TYPE          "Error"
Event Sources
The Event Source is typically one of the following values:
• Likewise LSASS
• Likewise GPAGENT
• Likewise DomainJoin
• Likewise NETLOGON
• System Log
Event Source IDs
Each event source defines its own list of EventSourceId values. Here is a list of events categorized by source.
========================================
Event Source = "Likewise LSASS"
LSASS_EVENT_INFO_SERVICE_STARTED  1000
LSASS_EVENT_ERROR_SERVICE_START_FAILURE  1001
LSASS_EVENT_INFO_SERVICE_STOPPED  1002
LSASS_EVENT_ERROR_SERVICE_STOPPED  1003
LSASS_EVENT_INFO_SERVICE_CONFIGURATION_CHANGED  1004
// Logon events
LSASS_EVENT_SUCCESSFUL_LOGON_AUTHENTICATE  1200
LSASS_EVENT_SUCCESSFUL_LOGON_CREATE_SESSION  1201
LSASS_EVENT_SUCCESSFUL_LOGON_CHECK_USER  1203
LSASS_EVENT_FAILED_LOGON_UNKNOWN_USERNAME_OR_BAD_PASSWORD  1205
LSASS_EVENT_FAILED_LOGON_TIME_RESTRICTION_VIOLATION  1206
LSASS_EVENT_FAILED_LOGON_ACCOUNT_DISABLED  1207
LSASS_EVENT_FAILED_LOGON_ACCOUNT_EXPIRED  1208
LSASS_EVENT_FAILED_LOGON_MACHINE_RESTRICTION_VIOLATION  1209
LSASS_EVENT_FAILED_LOGON_TYPE_OF_LOGON_NOT_GRANTED  1210
LSASS_EVENT_FAILED_LOGON_PASSWORD_EXPIRED  1211
LSASS_EVENT_FAILED_LOGON_NETLOGON_FAILED  1212
LSASS_EVENT_FAILED_LOGON_UNEXPECTED_ERROR  1213
LSASS_EVENT_FAILED_LOGON_ACCOUNT_LOCKED  1214
LSASS_EVENT_FAILED_LOGON_CHECK_USER  1215
LSASS_EVENT_LOGON_PHASE_AUTHENTICATE  1
LSASS_EVENT_LOGON_PHASE_CREATE_SESSION  2
LSASS_EVENT_LOGON_PHASE_CHECK_USER  3
// Logoff events
LSASS_EVENT_SUCCESSFUL_LOGOFF  1220
// User password change events
LSASS_EVENT_SUCCESSFUL_PASSWORD_CHANGE  1300
LSASS_EVENT_FAILED_PASSWORD_CHANGE  1301
LSASS_EVENT_SUCCESSFUL_USER_ACCOUNT_KERB_REFRESH  1302
LSASS_EVENT_FAILED_USER_ACCOUNT_KERB_REFRESH  1303
// Machine password change events
LSASS_EVENT_SUCCESSFUL_MACHINE_ACCOUNT_PASSWORD_UPDATE  1320
LSASS_EVENT_FAILED_MACHINE_ACCOUNT_PASSWORD_UPDATE  1321
LSASS_EVENT_SUCCESSFUL_MACHINE_ACCOUNT_TGT_REFRESH  1322
LSASS_EVENT_FAILED_MACHINE_ACCOUNT_TGT_REFRESH  1323
// Account management events
LSASS_EVENT_ADD_USER_ACCOUNT  1400
LSASS_EVENT_DELETE_USER_ACCOUNT  1401
LSASS_EVENT_ADD_GROUP  1402
LSASS_EVENT_DELETE_GROUP  1403
// Lsass provider events
LSASS_EVENT_SUCCESSFUL_PROVIDER_INITIALIZATION  1500
LSASS_EVENT_FAILED_PROVIDER_INITIALIZATION  1501
LSASS_EVENT_INFO_REQUIRE_MEMBERSHIP_OF_UPDATED  1502
LSASS_EVENT_INFO_AUDITING_CONFIGURATION_ENABLED  1503
LSASS_EVENT_INFO_AUDITING_CONFIGURATION_DISABLED  1504
// Runtime warnings
LSASS_EVENT_WARNING_CONFIGURATION_ID_CONFLICT  1601
LSASS_EVENT_WARNING_CONFIGURATION_ALIAS_CONFLICT  1602
// Network events
LSASS_EVENT_INFO_NETWORK_DOMAIN_ONLINE_TRANSITION  1700
LSASS_EVENT_WARNING_NETWORK_DOMAIN_OFFLINE_TRANSITION  1701
========================================
Event Source = "Likewise DomainJoin"
DOMAINJOIN_EVENT_INFO_JOINED_DOMAIN  1000
DOMAINJOIN_EVENT_ERROR_DOMAIN_JOIN_FAILURE  1001
DOMAINJOIN_EVENT_INFO_LEFT_DOMAIN  1002
DOMAINJOIN_EVENT_ERROR_DOMAIN_LEAVE_FAILURE  1003
========================================
Event Source = "Likewise GPAGENT"
GPAGENT_EVENT_INFO_SERVICE_STARTED  1000
GPAGENT_EVENT_ERROR_SERVICE_START_FAILURE  1001
GPAGENT_EVENT_INFO_SERVICE_STOPPED  1002
GPAGENT_EVENT_ERROR_SERVICE_STOPPED  1003
GPAGENT_EVENT_INFO_SERVICE_CONFIGURATION_CHANGED  1004
// GP Agent policy update events
GPAGENT_EVENT_POLICY_UPDATED  1100
GPAGENT_EVENT_POLICY_UPDATE_FAILURE  1101
// GP Agent policy processing issue events
GPAGENT_EVENT_INFO_POLICY_PROCESSING_ISSUE_RESOLVED  1200
GPAGENT_EVENT_ERROR_POLICY_PROCESSING_ISSUE_ENCOUNTERED  1201
========================================
Event Source = "Likewise NETLOGON"
// Netlogon service events
LWNET_EVENT_INFO_SERVICE_STARTED  1000
LWNET_EVENT_ERROR_SERVICE_START_FAILURE  1001
LWNET_EVENT_INFO_SERVICE_STOPPED  1002
LWNET_EVENT_ERROR_SERVICE_STOPPED  1003
LWNET_EVENT_INFO_SERVICE_CONFIGURATION_CHANGED  1004
========================================
Event Source = "System Log"
Syslog entries are parsed by the reapsysl service to create PBIS event log entries for the following:
Text console logon failure  1
Text console logon success  2
SSH logon failure  3
SSH logon success  4
SUDO bad password  5
SUDO access denied  6
SUDO success  7
SSH with AD account failure  8
SSH with AD account success  9
Text console login with AD account failure  10
Text console login with AD account success  11
Single Sign-On Using PBIS
When you log on to a Linux, Unix, or Mac OS X computer using your Active Directory domain credentials, PowerBroker Identity Services initializes and maintains a Kerberos ticket granting ticket (TGT).
The TGT lets you log on to other computers joined to Active Directory or applications provisioned with a service principal name and can be automatically authenticated with Kerberos and authorized for access through Active Directory. In a transparent process, the underlying Generic Security Services (GSS) system requests a Kerberos service ticket for the Kerberos-enabled application or server. The result: single sign-on.
To gain access to another computer, you can use various protocols and applications:
• SSH (See how to configure single sign-on for SSH, including platform-specific issues.)
• rlogin
• rsh
• Telnet
• FTP
• Firefox (for browsing of intranet sites)
• LDAP queries against Active Directory
• HTTP with an Apache HTTP Server
How PBIS Makes SSO Happen
Since Microsoft Windows 2000 was released, Active Directory's primary authentication protocol has been Kerberos. When a user logs on to a Windows computer that is joined to a domain, the operating system uses the Kerberos protocol to establish a key and to request a ticket for the user. Active Directory serves as the Kerberos key distribution center, or KDC.
PBIS configures Linux and Unix computers to interact with Active Directory in a similar way. When a user logs on to a Linux or Unix computer joined to a domain, PBIS requests a ticket for the user. The ticket can then be used to implement SSO with other applications.
PBIS fosters the use of the highly secure Kerberos 5 protocol by automating its configuration on Linux and Unix computers. To ensure that the Kerberos authentication service is properly configured, PBIS does the following:
• Ensures that DNS is properly configured to resolve names associated with Active Directory (AD).
• Performs secure, dynamic DNS updates to ensure that Linux and Unix computer names can be resolved with AD-integrated DNS servers.
• Configures Kerberos. In an environment with multiple KDCs, PBIS makes sure that Kerberos selects the right server.
• Configures SSHD to support SSO through Kerberos by using GSSAPI.
• Creates a keytab for the computer in the following way: When you join a Linux or Unix computer to AD, PBIS creates a computer account for the computer. PBIS then automatically creates a keytab for the SPN and places it in the standard system location (typically /etc/krb5.keytab).
• Creates a keytab for the user during logon. On most systems, the user keytab is placed in the /tmp directory and named krb5cc_UID, where UID is the numeric user ID assigned by the system.
How to Implement SSO with PBIS
When you install PBIS on a Linux, Unix, or Mac OS X computer and join it to Active Directory, PBIS prepares it for single sign-on by creating a keytab for the computer. However, when you use PBIS to implement SSO with other applications or services, you will likely have to configure the application to use GSSAPI and Kerberos 5 authentication and you will likely have to provision each application user for external Kerberos authentication.
At the very least, you will have to provision your application with a service principal name in Active Directory. A service principal name, or SPN, is the name with which a client uniquely identifies an instance of a service. Kerberos then uses the SPN to authenticate a service.
Note: Configuring an external application for SSO with Kerberos is beyond the scope of the PBIS documentation. For more information, see the vendor's manual for your application.
The following process outlines the steps for setting up an application or service to use PBIS for single sign-on. For a detailed example of how to configure an application for SSO, see Configure Apache for SSO. For examples of how to create a service account in AD, register an SPN for the service account, and create a keytab for the SPN, see creating a Kerberos service principal and keytab file for SSO on the IBM website.
1. Create a service account for the application in Active Directory.
2. Associate a service principal name, or SPN, with the service account in Active Directory; see the overview of setspn.exe on Microsoft TechNet.
3. Create a keytab for the SPN with the ktpass utility.
4. Place the keytab in the appropriate location on the Linux or Unix computer.
5. Configure the authentication module to get its Kerberos key from the generated keytab.
6. Configure the authentication module to determine appropriate roles by examining Active Directory group membership.
7. Configure an application to restrict access to Active Directory authenticated users in certain roles.
8. Test SSO by accessing restricted websites from a Windows client running Microsoft Internet Explorer or Mozilla Firefox. Repeat this step on Linux and Unix using Firefox.
Enable PAM for SSH
If your Active Directory account is not working with SSH, make sure that UsePAM is enabled in sshd_config and make sure that your sshd is linked to the PAM libraries.
1. Determine which sshd is running by executing the following command:
bash-3.2# ps -ef | grep sshd
    root  8199     1  0  Feb 6   ?       0:00 /opt/ssh/sbin/sshd
    root 29878  8199  0  Mar 3   ?       0:04 sshd: root@notty
    root 24864  8199  0 12:16:25 ?       0:00 sshd: root@pts/0
    root 29988  8199  0  Mar 3   ?       0:05 sshd: root@notty
    root 24882 24880  0 12:16:54 pts/0   0:00 grep sshd
2. Either use lsof to find out which conf file it is reading, or start it up with debugging to figure out the default path. Example:
username@computer:~$ /usr/sbin/sshd -dd -t
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 664
debug2: parse_server_config: config /etc/ssh/sshd_config len 664
debug1: sshd version OpenSSH_5.1p1 Debian-3ubuntu1
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
3. Verify that UsePAM is enabled in the config file. As a best practice, make a backup copy of the configuration file before you change it.
4. Run ldd on sshd to make sure it links with libpam. Example from an IA64 HP system:
bash-3.2# ldd /opt/ssh/sbin/sshd
        libpam.so.1 =>          /usr/lib/hpux64/libpam.so.1
        libdl.so.1 =>           /usr/lib/hpux64/libdl.so.1
        libnsl.so.1 =>          /usr/lib/hpux64/libnsl.so.1
        libxnet.so.1 =>         /usr/lib/hpux64/libxnet.so.1
        libsec.so.1 =>          /usr/lib/hpux64/libsec.so.1
        libgssapi_krb5.so =>    /usr/lib/hpux64/libgssapi_krb5.so
        libkrb5.so =>           /usr/lib/hpux64/libkrb5.so
        libpthread.so.1 =>      /usr/lib/hpux64/libpthread.so.1
        libc.so.1 =>            /usr/lib/hpux64/libc.so.1
        libxti.so.1 =>          /usr/lib/hpux64/libxti.so.1
        libxti.so.1 =>          /usr/lib/hpux64/libxti.so.1
        libm.so.1 =>            /usr/lib/hpux64/libm.so.1
        libk5crypto.so =>       /usr/lib/hpux64/libk5crypto.so
        libcom_err.so =>        /usr/lib/hpux64/libcom_err.so
        libk5crypto.so =>       /usr/lib/hpux64/libk5crypto.so
        libcom_err.so =>        /usr/lib/hpux64/libcom_err.so
        libdl.so.1 =>           /usr/lib/hpux64/libdl.so.1
bash-3.2#
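Step 3 is where a quick grep misleads: sshd_config takes the first occurrence of a keyword, not the last, ignores anything after the first Match line for global settings, and accepts both "UsePAM yes" and "UsePAM=yes". The following is an added example, not part of the guide or the PBIS tooling, that applies those rules (from sshd_config(5)) to a constructed sshd_config, checks a constructed ldd listing based on the HP-UX output above for libpam, and combines the two into the readiness verdict the procedure is after. It is offline parsing only; on a live host you would feed it the real file and the real ldd output.

```python
import re
from typing import Dict

# Constructed sshd_config mirroring a common layout: a commented default,
# the active directive, and a Match block that must be ignored.
SAMPLE_SSHD_CONFIG = """\
# Package-generated configuration
#UsePAM no
UsePAM yes
GSSAPIAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# Constructed from the first lines of the HP-UX ldd listing in the guide.
SAMPLE_LDD_OUTPUT = """\
libpam.so.1 => /usr/lib/hpux64/libpam.so.1
libdl.so.1 => /usr/lib/hpux64/libdl.so.1
libgssapi_krb5.so => /usr/lib/hpux64/libgssapi_krb5.so
libkrb5.so => /usr/lib/hpux64/libkrb5.so
"""


def effective_value(config_text: str, keyword: str, default: str) -> str:
    """Return the value sshd will use for `keyword`, following sshd_config(5):
    keywords are case-insensitive, '#' starts a comment, 'keyword value' and
    'keyword=value' are both accepted, the FIRST occurrence wins, and the
    global section ends at the first Match line."""
    wanted = keyword.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break                      # UsePAM is not valid inside Match blocks
        if parts[0].lower() == wanted and len(parts) == 2 and parts[1].strip():
            return parts[1].strip()
    return default


def links_library(ldd_output: str, soname_prefix: str) -> bool:
    """True when an ldd listing names a library starting with soname_prefix
    (for example 'libpam.so'), whatever its version suffix or path."""
    for line in ldd_output.splitlines():
        name = line.strip().split("=>", 1)[0].strip()
        if name.startswith(soname_prefix):
            return True
    return False


def ssh_pam_readiness(config_text: str, ldd_output: str) -> Dict[str, bool]:
    """Combine the two checks from the procedure: UsePAM on, and sshd linked
    against libpam. When UsePAM is absent the compiled-in default is 'no'."""
    use_pam = effective_value(config_text, "UsePAM", "no").lower() == "yes"
    has_libpam = links_library(ldd_output, "libpam.so")
    return {"use_pam": use_pam, "libpam_linked": has_libpam,
            "ready": use_pam and has_libpam}


if __name__ == "__main__":
    print(ssh_pam_readiness(SAMPLE_SSHD_CONFIG, SAMPLE_LDD_OUTPUT))
```

On a current OpenSSH, `sshd -T` prints the effective configuration and is the authoritative cross-check for what effective_value computes; the parser is useful where that option is unavailable or when auditing a file copied off a host.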
Configure PuTTY for Windows-Based SSO
To use PuTTY to connect to a Linux or Unix machine from a Windows machine and then connect to a second Linux or Unix machine, you must configure PuTTY to use GSSAPI authentication settings.
Important: The following procedure assumes that you are using a GSSAPI-enhanced version of PuTTY (for example, PuTTY download). The procedure also assumes that there are DNS entries for all three computers and that you use host names to connect to the target computers. If DNS search domains are properly set up on your client systems, you can use short host names.
Configure PuTTY
1. On the PuTTY Configuration dialog box, select the GSSAPI options. The option names might vary depending on your version of PuTTY.
– Attempt GSSAPI authentication (SSH-2 only). With some versions of PuTTY, the option is named Attempt GSSAPI/Kerberos 5 authentication.
– Allow GSSAPI credential delegation.
Configure the Base Linux Computer in Active Directory
This procedure assumes the base Linux or Unix computer is joined to Active Directory with PBIS. To perform this procedure, you must be a member of the Domain Administrators security group or the Enterprise Administrators security group, or you must have been delegated authority.
Windows Server 2003 R2
1. In Active Directory Users and Computers, in the console tree, click Computers.
2. In the details pane, right-click the computer that you want, and then click Properties.
3. On the Delegation tab, click Trust this computer for delegation to specified services only.
4. Confirm that Use Kerberos only is selected.
5. Click Add and, in Add Services, click Users and Computers.
6. In Enter the object names to select, type the name of the user or computer that the computer will be trusted to delegate for, and then click OK.
7. In Add Services, click the service or services that will be trusted for delegation and then click OK.
Windows 2000
1. In Active Directory Users and Computers, in the console tree, click Computers.
2. In the details pane, right-click the computer that you want, and then click Properties.
3. On the General tab, select Trust computer for delegation.
Configure Apache for SSO
This topic describes how to configure PowerBroker Identity Services and the Apache HTTP Server to provide single sign-on authentication through Active Directory with Kerberos 5. The instructions assume that you know how to administer Active Directory, the Apache HTTP Server, and computers running Linux.
Single sign-on for the Apache HTTP server uses the Simple and Protected GSS-API Negotiation Mechanism, or SPNEGO, to negotiate authentication with Kerberos. SPNEGO is an Internet standard documented in RFC 2478 and is commonly referred to as the negotiate authentication protocol. The PBIS mod_auth_kerb module lets an Apache web server running on a Linux or Unix system authenticate and authorize users based on their Active Directory domain credentials.
For information about configuring web browsers to use SSO after you have configured Apache, see Configure Firefox for SSO or Configure Internet Explorer for SSO.
For information about resolving issues with Kerberos authentication, see Troubleshooting Kerberos Authentication.
Prerequisites
• PBIS Open or PBIS Enterprise installed on the Linux computer running your Apache HTTP Server.
• The Apache module ships with the PBIS agent and is located in the following directory:
/opt/pbis/lib64/apache2.2
/opt/pbis/lib (32-bit)
This installs the Apache mod_auth_kerb module that is required to configure your Apache HTTP Server for single sign-on.
• The Linux or Unix computer that is hosting the Apache web server is joined to Active Directory.
• An Apache HTTP Server 2.0 or 2.2 that supports dynamically loaded modules. To check whether your Apache web server supports dynamically loaded modules, execute the following command and verify that mod_so.c appears in the list of compiled modules:
httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
For Apache installations that are compiled from the source code, make sure that --enable-module=so is specified when ./configure is executed:
./configure --enable-module=so
• Your Kerberos libraries must support SPNEGO. For example, MIT Kerberos libraries that are version 1.5 and later support SPNEGO; earlier versions do not. Make sure your Kerberos libraries support SPNEGO by running ldd:
which httpd
/usr/sbin/httpd
ldd /usr/sbin/httpd
In the results, find the line that references libgssapi:
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00231000)
Finally, query the version number of the library and make sure it is 1.5 or later:
rpm -qif /usr/lib/libgssapi_krb5.so.2
Name        : krb5-libs                    Relocations: (not relocatable)
Version     : 1.5                               Vendor: Red Hat, Inc.
Release     : 17                            Build Date: Tue 16 Jan 2007 10:01:00 AM PST
Install Date: Fri 14 Dec 2007 09:09:44 AM PST      Build Host: ls20-bc1-13.build.redhat.com
Group       : System Environment/Libraries   Source RPM: krb5-1.5-17.src.rpm
Size        : 1333337                          License: MIT, freely distributable.
Signature   : DSA/SHA1, Wed 17 Jan 2007 10:57:33 AM PST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://web.mit.edu/kerberos/www/
Summary     : The shared libraries used by Kerberos 5.
Description :
Kerberos is a network authentication system. The krb5-libs package
contains the shared libraries needed by Kerberos 5. If you are using
Kerberos, you need to install this package.
[root@rhel5d sbin]#
Configure Apache HTTP Server 2.2 for SSO on RHEL 5
The following instructions demonstrate how to configure PBIS and Apache for SSO on a Red Hat Enterprise Linux 5 computer. The steps vary by operating system and by Apache version. Ubuntu, in particular, uses apache2 instead of httpd for commands, the name of the daemon, the configuration directory, the name of the configuration file, etc.
Important: Configuring web servers is complex. Implement and test your configuration in a test environment first.
Before you change your web server's configuration:
– Read the Apache HTTP Server documentation at http://httpd.apache.org/docs/
– Read the mod_auth_kerb documentation at http://modauthkerb.sourceforge.net/configure.html.
Back up a file before applying any changes.
1. Determine whether your Apache server is 2.0 or 2.2 by running the following command:
httpd -v
Server version: Apache/2.2.3
Server built:   Nov 29 2006 06:33:19
2. Edit your Apache configuration file, /etc/httpd/conf/httpd.conf, to add a directive to load the PBIS auth_kerb_module for your version of Apache. Since my Red Hat computer is running Apache 2.2.3, I have added the 2.2 version of the module to the list after the other auth modules (which were already listed in the file):
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_kerb_module /opt/pbis/apache/2.2/mod_auth_kerb.so
3. In /etc/httpd/conf/httpd.conf, configure authentication for a directory and then restart the web server; example:
<Directory "/var/www/html/secure">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.ktb
    Require valid-user
</Directory>
Tip: You can require that a user be a member of a security group to access the Apache web server by replacing Require valid-user with Require group name-of-your-group, as shown in the example below. To control group access by requiring group membership, however, you must first install and load mod_auth_pam; for instructions on how to set up mod_auth_pam, see http://pam.sourceforge.net/mod_auth_pam/install.html. (Because mod_auth_pam is no longer maintained, you should consider using mod_authz_unixgroup instead; see the instructions later in this section.)
<Directory "/var/www/html/secure">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.ktb
    Require group linuxfulladmins
</Directory>
4. Configure your web server for Secure Socket Layer (SSL). For instructions, see the Apache HTTP Server documentation.
Important: If SSO fails and you have not turned on SSL, your server will prompt you for an ID and password, which will be sent in clear text. SSL encrypts all data that passes between the client browser and the web server. SSL can also perform Basic Authentication securely, providing a fallback mechanism if Kerberos authentication fails. Using SSL is especially important if the protected website also needs to be accessible from outside the corporate network. For more information, see http://modauthkerb.sourceforge.net/configure.html.
5. In Active Directory, create a user account for the Apache web server in the same OU (or, with PBIS Enterprise, cell) to which the Linux computer hosting the web server is joined. Set the password of the user account to never expire. In the examples that follow, the user account for the Apache web server is named httpUser.
6. On the domain controller, create an RC4-HMAC keytab for the Apache web server using Microsoft's ktpass utility. For information on ktpass, see http://technet.microsoft.com/en-us/library/cc776746.aspx. The keytab that you must create can vary by Windows version.
Example:
C:\>ktpass /out keytabfile /princ HTTP/rhel5d.example.com@EXAMPLE.COM /pass SkiAlta2008 /mapuser example\httpUser /ptype KRB5_NT_PRINCIPAL
Targeting domain controller: steveh-dc.example.com
Using legacy password setting method
Successfully mapped HTTP/rhel5d.example.com to httpUser.
Key created.
Output keytab to keytabfile:
Keytab version: 0x502
keysize 80 HTTP/rhel5d.example.com@EXAMPLE.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x2998807dc299940e2c6c81a08315c596)
Note: On Windows 2000, do not specify the domain name as part of the /mapuser parameter; just enter the name of the user.
7. Use secure FTP or another method to transfer the keytab file to the Linux computer that hosts your Apache web server and copy the file to the location specified in your <Directory> configuration in httpd.conf. For example, using the configuration shown in Step 3, copy the keytab file to /etc/apache2/http.ktb.
8. Set the permissions of the keytab file to be readable by the ID under which the Apache web server runs and no one else.
Important: The Kerberos keytab file is necessary to authenticate incoming requests. It contains an encrypted, local copy of the host's key and, if compromised, might allow unrestricted access to the host computer. It is therefore crucial to protect it with file-access permissions.
Control Group Access with mod_authz_unixgroup
Since mod_auth_pam is no longer maintained, you can require that a user be a member of a security group to access the Apache web server using mod_authz_unixgroup.
First, install mod_authz_unixgroup:
yum install httpd-devel
wget http://mod-auth-external.googlecode.com/files/mod_authz_unixgroup-1.0.2.tar.gz
tar -xzvf mod_authz_unixgroup-1.0.2.tar.gz
cd mod_authz_unixgroup-1.0.2
apxs -c mod_authz_unixgroup.c
apxs -i -a mod_authz_unixgroup.la
Then, in /etc/httpd/conf/httpd.conf, replace Require valid-user with AuthzUnixgroup on and Require group name-of-your-group:
<Directory "/var/www/html/secure">
    ...
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.ktb
    AuthzUnixgroup on
    Require group linuxfulladmins
</Directory>
For more information, see the documentation for mod_authz_unixgroup.
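Steps 3 and 8 together decide who can reach the protected directory and who can read the key that authenticates it. The following is an added example, not BeyondTrust code or an Apache tool, that audits both from outside the web server: it parses the <Directory> block shown in step 3 out of a constructed httpd.conf fragment, reports a Require valid-user that admits every domain account (the Tip above and the mod_authz_unixgroup section describe the tighter group form), and applies the step 8 rule to the Krb5Keytab file, requiring that it exists, is owned by the Apache user and carries no group or other permission bits. demo_audit creates a temporary stand-in for http.ktb with a chosen mode so the check can be run anywhere; the Apache uid is taken to be the current user for the demonstration, which is an assumption of this example.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Constructed httpd.conf fragment following the <Directory> block in step 3.
# {keytab} is substituted at run time so the example can create the file.
SAMPLE_CONF = """\
<Directory "/var/www/html/secure">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab {keytab}
    Require valid-user
</Directory>
"""

VALID_USER_NOTE = ("Require valid-user admits every domain account; "
                   "the guide's group restriction is tighter")


def parse_directory_block(conf_text: str, path: str) -> Dict[str, List[str]]:
    """Return {directive: [values]} for the <Directory "path"> block.
    Directives may repeat (several Require lines), hence the list."""
    block = re.search(r'<Directory\s+"?%s"?\s*>(.*?)</Directory>' % re.escape(path),
                      conf_text, re.S | re.I)
    if block is None:
        raise ValueError(f"no <Directory> block for {path}")
    directives: Dict[str, List[str]] = {}
    for raw in block.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) == 2 else "")
    return directives


def keytab_findings(keytab_path: str, apache_uid: int) -> List[str]:
    """Step 8 as a check: the keytab must exist, be owned by the Apache user
    and carry no group/other permission bits."""
    try:
        st = os.stat(keytab_path)
    except FileNotFoundError:
        return [f"keytab {keytab_path} does not exist"]
    findings = []
    if st.st_uid != apache_uid:
        findings.append(f"keytab owner uid {st.st_uid} is not the Apache uid {apache_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab mode {oct(stat.S_IMODE(st.st_mode))} grants group/other access")
    return findings


def audit_kerberos_directory(conf_text: str, path: str, apache_uid: int) -> List[str]:
    """Collect configuration findings for one protected directory."""
    d = parse_directory_block(conf_text, path)
    findings: List[str] = []
    if [v.lower() for v in d.get("AuthType", [])] != ["kerberos"]:
        findings.append("AuthType is not Kerberos")
    if d.get("Require") == ["valid-user"]:
        findings.append(VALID_USER_NOTE)
    keytabs = d.get("Krb5Keytab", [])
    if not keytabs:
        findings.append("no Krb5Keytab directive")
    else:
        findings.extend(keytab_findings(keytabs[0], apache_uid))
    return findings


def demo_audit(mode: int) -> List[str]:
    """Create a temporary stand-in keytab with the given mode, audit the sample
    configuration against it and return the findings. The current uid stands
    in for the Apache uid (assumption for the demonstration)."""
    fd, keytab = tempfile.mkstemp(prefix="http.ktb.")
    os.close(fd)
    try:
        os.chmod(keytab, mode)
        conf = SAMPLE_CONF.format(keytab=keytab)
        return audit_kerberos_directory(conf, "/var/www/html/secure", os.getuid())
    finally:
        os.unlink(keytab)


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print(oct(mode), demo_audit(mode))
```

Run it after step 8 with the real keytab path and the uid from the User directive in httpd.conf; an empty list apart from the valid-user note means the file is protected as the Important paragraph requires.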
ConfigureFirefoxforSSO
TosetupFirefoxforsinglesign-on,youmustturnontheSimpleand
ProtectedGSS-APINegotiationMechanism,orSPNEGO,tonegotiate
authenticationwithKerberos.
PBISEnterpriseInstallationandAdministration SingleSign-OnUsingPBIS
BeyondTrust
®
June21,2013 225

1.OpenFirefox.
2.IntheGobox,typeabout:config,andthenclickGo.
3.IntheFilterbox,typeuris.
4.Double-clicknetwork.negotiate-auth.trusted-uris,enteracomma-
separatedlistofURLprefixesordomainsthatarepermittedtoengagein
SPNEGOauthenticationwiththebrowser,andthenclickOK.Example:
5.Double-clicknetwork.negotiate-auth.delegation-uris,enteracomma-
separatedlistofthesitesforwhichthebrowsermaydelegateuser
authorizationtotheserver,andthenclickOK.
FormoreinformationonhowtoconfigureFirefox,see
http://grolmsnet.de/kerbtut/firefox.html.
PBISEnterpriseInstallationandAdministration SingleSign-OnUsingPBIS
BeyondTrust
®
June21,2013 226

6.TonegotiatewithyourwebserverthroughtheGSSAPIbyusingNTLM
asthepreferredauthenticationprotocolonaMacOSXcomputer,you
mustalsomodifytheGSSpreferencesasfollows.Tofindthe
preferences,typegssintoFirefox'sfilterbox:
network.negotiate-auth.gsslib usersetstring
/opt/pbis/lib/libgssapi_ krb5.2.2.dylib
network.negotiate-auth.using-native-gsslibuserset
boolean false
ConfigureInternetExplorerforSSO
HereishowtoconfigureInternetExplorertouseSPNEGOandKerberos.
ThesettingsforotherversionsofIEmightvary;seeyourbrowser's
documentationformoreinformation.
1.StartInternetExplorer.
2.OntheToolsmenu,clickInternetOptions.
3. Click the Advanced tab and make sure that the Enable Integrated Windows Authentication box is selected.
4. Click the Security tab.
5. Select a zone, for example Local intranet, and then click Custom level.
6. In the Settings list, under User Authentication, click Automatic logon with current user name and password for a trusted site, or Automatic logon only in Intranet zone for a site you added to IE's list of Intranet sites. For more information, see your browser's documentation.
7. Return to the Security tab for Internet Options and set your web server as a trusted site. Add only the servers that need SSO: once automatic logon is enabled for a zone, IE presents the user's credentials to every site you place in it.
8. Restart Internet Explorer.

Examples

To view sample code that shows you how to use PowerBroker Identity Services for single sign-on with protocols such as FTP and Telnet, see Single Sign-On Examples on the BeyondTrust website.
Command-Line Reference

This chapter provides an overview of the commands in /opt/pbis/bin. Most of the commands are intended to be run as root.

Additional troubleshooting information, some of which involves command-line utilities, is provided in Troubleshooting the PBIS Agent. Commands for managing the event log are covered in Monitoring Events with the Event Log.

For information about troubleshooting the Group Policy commands for PBIS Enterprise, see the PowerBroker Identity Services Group Policy Administration Guide.

For an overview of commands such as rpm and dpkg that can help you manage PBIS on Linux and Unix platforms, see Package Management Commands.
Manage PBIS Services (lwsm)

The PBIS Service Manager lets you track and troubleshoot all the PBIS services with a single command-line utility. You can, for instance, check the status of the services and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the right order. In addition, you can use the service manager to set the logging destination and the log level.

To list the status of the services, run the following command with superuser privileges at the command line:

/opt/pbis/bin/lwsm list

Example:

root@bvt-ubu1104-32d:/home/testuser# /opt/pbis/bin/lwsm list
lwreg        running (container: 23349)
dcerpc       stopped
eventfwd     running (container: 23673)
eventlog     running (container: 23364)
gpagent      running (container: 23575)
lsass        running (container: 23399)
lwio         running (container: 23386)
lwpkcs11     stopped
lwsc         stopped
netlogon     running (container: 23376)
rdr          running (io: 23386)
reapsysl     running (container: 23413)
usermonitor  running (container: 23686)
root@bvt-ubu1104-32d:/home/testuser#
To restart the lsass service, run the following command with superuser privileges:

/opt/pbis/bin/lwsm restart lsass

After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with superuser privileges. This example refreshes the lsass service:

/opt/pbis/bin/lwsm refresh lsass

To view information about the lsass service, including its dependencies, run the following command:

/opt/pbis/bin/lwsm info lsass

Example:

[root@rhel5d bin]# /opt/pbis/bin/lwsm info lsass
Service: lsass
Description: Security and Authentication Subsystem
Type: module
Autostart: yes
Path: /opt/pbis/lib/lw-svcm/lsass.so
Arguments:
Environment:
Dependencies: netlogon lwio lwreg rdr
Service Group: lsass
File descriptor limit: 1024
Core dump size limit: inherit

To view all the service manager's commands and arguments, run the following command:

/opt/pbis/bin/lwsm --help

Modify Settings (config)

To quickly change an end-user setting in the registry for the PBIS agent, you can run the config command-line tool as root:

/opt/pbis/bin/config

For more information, see Modify Settings with the config Tool.

Start the Registry Shell (regshell)

You can access and modify the PBIS registry by using the registry shell, regshell. The shell works in a way that is similar to BASH. You can view a list of the commands that you can execute in the shell by entering help:
/opt/pbis/bin/regshell
\> help

You can also manage the registry by executing the registry's commands from the command line. For more information, see Configuring PBIS with Registry Settings.

Export the Registry to an Editor (edit-reg)

Executing the following command exports the contents of the PBIS registry to the editor specified by your EDITOR environment variable. You can use the edit-reg command to quickly view the contents of the registry and make changes to the settings. Then, you can launch the registry shell and import the modified file so that your changes take effect.

/opt/pbis/bin/edit-reg

If you have not set a default editor, the script searches for an available editor in the following order: gedit, vi, friends, emacs. On platforms without gedit, an error may occur. You can correct the error by setting the EDITOR environment variable to an available editor, such as vi:

export EDITOR=vi

Change the Host Name in the Local Provider (set-machine-name)

After you change the host name of a computer, you must also change the name in the PBIS local provider database so that the local PBIS accounts use the correct prefix. To do so, execute the following command as root, replacing hostName with the name that you want:

/opt/pbis/bin/lsa set-machine-name hostName

Find a User or a Group

On a Unix or Linux computer that is joined to an Active Directory domain, you can check a domain user's or group's information by either name or ID. These commands can verify that the client can locate the user or group in Active Directory.

Find a User by Name

Execute the following command, replacing domain\\username with the full domain user name or the single domain user name of the user that you want to check:

/opt/pbis/bin/find-user-by-name domain\\username
Example: /opt/pbis/bin/find-user-by-name mydomain\\trejo

You can optionally specify the level of detail of information that is returned. Example:

/opt/pbis/bin/find-user-by-name --level 2 mydomain\\trejo
User info (Level-2):
====================
Name:                         trejo
SID:                          S-1-5-21-3447809367-3151979076-456401374-1135
UPN:                          [email protected]
Generated UPN:                NO
DN:                           CN=trejo,CN=Users,DC=MYDOMAIN,DC=EXAMPLE,DC=COM
Uid:                          239600751
Gid:                          239600770
Gecos:                        Markus Trejo
Shell:                        /bin/sh
Home dir:                     /home/MYDOMAIN/trejo-macbook/trejo-bvt
LMHash length:                0
NTHash length:                0
Local User:                   NO
Account disabled (or locked): FALSE
Account expired:              FALSE
Password never expires:       TRUE
Password Expired:             FALSE
Prompt for password change:   YES
User can change password:     YES
Days till password expires:   0
Logon restriction:            NO
trejo-macbook:~ root#

For more information, execute the following command:

/opt/pbis/bin/find-user-by-name --help

Find a User by UID

To find a user by UID, execute the following command, replacing UID with the user's ID:

/opt/pbis/bin/find-user-by-id UID

Example:

/opt/pbis/bin/find-user-by-id 593495196
Find a User by SID

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can find a user in Active Directory by his or her security identifier (SID). To find a user by SID, execute the following command as root, replacing SID with the user's security identifier:

/opt/pbis/bin/find-by-sid SID

Example:

[root@rhel4d bin]# /opt/pbis/bin/find-by-sid S-1-5-21-382349973-3885793314-468868962-1180
User info (Level-0):
====================
Name:     EXAMPLE\hab
SID:      S-1-5-21-382349973-3885793314-468868962-1180
Uid:      593495196
Gid:      593494529
Gecos:    Jurgen Habermas
Shell:    /bin/sh
Home dir: /home/EXAMPLE/hab

Tip: To view the command's options, type the following command:

/opt/pbis/bin/find-by-sid --help

Find a Group by Name

/opt/pbis/bin/find-group-by-name domain\\groupname

Example:

/opt/pbis/bin/find-group-by-name example.com\\dnsadmins

Find a Group by ID

/opt/pbis/bin/find-group-by-id GID

Example:

[root@rhel4d bin]# /opt/pbis/bin/find-group-by-id 593494534
Group info (Level-0):
====================
Name: EXAMPLE\schema^admins
Gid:  593494534
SID:  S-1-5-21-382349973-3885793314-468868962-518

Tip: To view this command's options, type the following command:

/opt/pbis/bin/find-group-by-id --help
List Groups for a User (list-groups-for-user)

To find the groups that a user is a member of, execute the following command followed by either the user's name or UID:

/opt/pbis/bin/list-groups-for-user

Example: /opt/pbis/bin/list-groups-for-user --uid 593495196

Here is the command and its result for the user example\\hab:

[root@rhel5d bin]# ./list-groups-for-user example\\hab
Number of groups found for user 'example\hab': 2
Group[1 of 2] name = EXAMPLE\enterprise^admins (gid = 593494535)
Group[2 of 2] name = EXAMPLE\domain^users (gid = 593494529)

Tip: To view this command's options, type the following command:

/opt/pbis/bin/list-groups-for-user --help

List Groups (enum-groups)

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can enumerate the groups in Active Directory and view their members, GIDs, and SIDs:

/opt/pbis/bin/enum-groups --level 1

The PBIS agent enumerates groups in the primary domain. Groups in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

Tip: To view the command's options, type the following command:

/opt/pbis/bin/enum-groups --help

List Users (enum-users)

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can enumerate the users in Active Directory and view their UIDs, GIDs, and SIDs:

/opt/pbis/bin/enum-users

The PBIS agent enumerates users in the primary domain. Users in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

Tip: To view the command's options, type the following command:

/opt/pbis/bin/enum-users --help
To view full information about the users, include the level option when you execute the command:

/opt/pbis/bin/enum-users --level 2

Example result for a one-user batch:

User info (Level-2):
====================
Name:                       EXAMPLE\sduval
UPN:                        [email protected]
Generated UPN:              NO
Uid:                        593495151
Gid:                        593494529
Gecos:                      Shelley Duval
Shell:                      /bin/sh
Home dir:                   /home/EXAMPLE/sduval
LMHash length:              0
NTHash length:              0
Local User:                 NO
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: NO

List the Status of Authentication Providers (get-status)

PowerBroker Identity Services includes two authentication providers:

1. A local provider
2. An Active Directory provider

If the AD provider is offline, you will be unable to log on with your AD credentials. To check the status of the authentication providers, execute the following command as root:

/opt/pbis/bin/get-status

A healthy result should look like this:

LSA Server Status:
Agent version: 5.4.0
Uptime: 22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
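The Level-2 records printed by enum-users --level 2 and find-user-by-name --level 2 carry the account flags an auditor cares about (Password never expires, Account disabled, Account Locked, Shell). The following script is an added example, not from the manual: it parses a batch of such records and prints one line per account that has a non-expiring password, is disabled or locked, or has a shell outside an allow list. The sample input is constructed from the record format shown above; the first record copies the manual's sduval example, the other two accounts and all UPNs are invented. The function name pbis_user_audit is this script's own.

```sh
#!/bin/sh
# Added example: audit "User info (Level-2)" records from enum-users.

# pbis_user_audit OUTPUT [ALLOWED_SHELLS]
# Prints "NAME: reason[,reason]" for each flagged user and nothing when every
# record is clean. ALLOWED_SHELLS is a space-separated allow list (default:
# /bin/sh /bin/bash). The "Account disabled (or locked):" variant printed by
# find-user-by-name is matched by the same prefix rule as "Account disabled:".
pbis_user_audit() {
  printf '%s\n' "$1" | awk -v allowed="${2:-/bin/sh /bin/bash}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    function flush(   r) {
      if (name == "") return
      r = ""
      if (nexp == "TRUE")     r = r "password-never-expires,"
      if (disabled == "TRUE") r = r "disabled,"
      if (locked == "TRUE")   r = r "locked,"
      if (shell != "" && !(shell in ok)) r = r "shell=" shell ","
      if (r != "") { sub(/,$/, "", r); print name ": " r }
      name = nexp = disabled = locked = shell = ""
    }
    /^User info \(Level-2\):/  { flush() }          # a new record starts
    /^Name:/                   { name = $2 }
    /^Shell:/                  { shell = $2 }
    /^Password never expires:/ { nexp = $NF }
    /^Account disabled/        { disabled = $NF }
    /^Account Locked:/         { locked = $NF }
    END { flush() }'
}

# Constructed sample: sduval is the manual's record, the rest is invented.
PBIS_USERS_SAMPLE=$(cat <<'EOF'
User info (Level-2):
====================
Name:                       EXAMPLE\sduval
UPN:                        sduval@example.com
Generated UPN:              NO
Uid:                        593495151
Gid:                        593494529
Gecos:                      Shelley Duval
Shell:                      /bin/sh
Home dir:                   /home/EXAMPLE/sduval
Local User:                 NO
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: NO
User info (Level-2):
====================
Name:                       EXAMPLE\svc-backup
UPN:                        svc-backup@example.com
Uid:                        593495300
Gid:                        593494529
Shell:                      /bin/bash
Home dir:                   /home/EXAMPLE/svc-backup
Account disabled:           FALSE
Account Locked:             FALSE
Password never expires:     TRUE
User info (Level-2):
====================
Name:                       EXAMPLE\oldadmin
UPN:                        oldadmin@example.com
Uid:                        593495301
Gid:                        593494529
Shell:                      /usr/bin/ksh
Home dir:                   /home/EXAMPLE/oldadmin
Account disabled:           TRUE
Account Locked:             TRUE
Password never expires:     FALSE
EOF
)
```

Usage on a live system: pbis_user_audit "$(/opt/pbis/bin/enum-users --level 2)". Pass a second argument to widen the shell allow list.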
Mode: Un-provisioned
Domain: example.com
Forest: example.com
Site: Default-First-Site-Name

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.

If the result looks like the line below, check the status of the PBIS services to make sure they are running.

Failed to query status from LSA service. The LSASS server is not responding.

To check the status of the services, run the following command as root:

/opt/pbis/bin/lwsm list

List the Domain

This command retrieves the Active Directory domain to which the computer is connected. The command's location is as follows:

/opt/pbis/bin/lsa ad-get-machine account

List Domain Controllers (get-dc-list)

This command lists the domain controllers for a target domain. You can delimit the list in several ways, including by site. The command's location is as follows:

/opt/pbis/bin/get-dc-list

Example usage:

[root@rhel5d bin]# ./get-dc-list example.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.example.com', Address = '192.168.100.132'

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/get-dc-list --help
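The three outcomes described above (AD provider online, AD provider missing or offline, lsass not responding) are exactly what a monitoring check should distinguish. The following script is an added example, not from the manual: it reads the text that get-status and lwsm list print and returns a distinct exit status for each state, listing the stopped services when lsass is down. The sample outputs are copied from this chapter; the function names are this script's own.

```sh
#!/bin/sh
# Added example: health check over get-status and lwsm list output.

# pbis_provider_status OUTPUT PROVIDER -> prints the provider's Status value
# ("Online", "Offline", ...) or "missing" if the provider block is absent.
pbis_provider_status() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^\[Authentication provider:/ {
      cur = $0; sub(/^\[Authentication provider: */, "", cur); sub(/\]$/, "", cur)
    }
    /^ *Status:/ && cur == want { print $2; found = 1; exit }
    END { if (!found) print "missing" }'
}

# pbis_stopped_services LWSM_OUTPUT -> prints the names of stopped services.
pbis_stopped_services() {
  printf '%s\n' "$1" | awk '$2 == "stopped" { print $1 }'
}

# pbis_auth_health GET_STATUS_OUTPUT LWSM_OUTPUT
#   0  AD provider listed and Online
#   1  lsass not responding (stopped services are printed)
#   2  AD provider not listed (restart lsass)
#   3  AD provider listed but not Online
pbis_auth_health() {
  status_out=$1; lwsm_out=$2
  case "$status_out" in
    *"Failed to query status"*|*"not responding"*)
      echo "lsass is not responding; stopped services:"
      pbis_stopped_services "$lwsm_out" | sed 's/^/  /'
      return 1 ;;
  esac
  ad=$(pbis_provider_status "$status_out" lsa-activedirectory-provider)
  case "$ad" in
    Online)  echo "AD provider online"; return 0 ;;
    missing) echo "AD provider not listed; run: /opt/pbis/bin/lwsm restart lsass"; return 2 ;;
    *)       echo "AD provider status: $ad"; return 3 ;;
  esac
}

# Samples copied from the output shown in this chapter.
PBIS_STATUS_HEALTHY=$(cat <<'EOF'
LSA Server Status:
Agent version: 5.4.0
Uptime: 22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: example.com
Forest: example.com
Site: Default-First-Site-Name
EOF
)
PBIS_STATUS_DOWN='Failed to query status from LSA service. The LSASS server is not responding.'
PBIS_LWSM_SAMPLE=$(cat <<'EOF'
lwreg        running (container: 23349)
dcerpc       stopped
eventfwd     running (container: 23673)
lsass        running (container: 23399)
lwio         running (container: 23386)
lwpkcs11     stopped
lwsc         stopped
netlogon     running (container: 23376)
rdr          running (io: 23386)
EOF
)
```

Usage on a live system: pbis_auth_health "$(/opt/pbis/bin/get-status 2>&1)" "$(/opt/pbis/bin/lwsm list)". Note that dcerpc, lwpkcs11 and lwsc are stopped in the manual's own healthy sample, so a check that demands every service be running would page you for nothing.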
List Domain Controller Information (get-dc-name)

This command displays the name of the current domain controller for the domain you specify. The command can help you select a domain controller. The command's location is as follows:

/opt/pbis/bin/get-dc-name DomainName

To select a domain controller, run the following command as root until the domain controller you want is displayed. Replace DomainName with the name of your domain:

/opt/pbis/bin/get-dc-name DomainName --force

List Domain Controller Time (get-dc-time)

This command displays the time of the current domain controller for the domain that you specify. The command can help you determine whether there is a Kerberos time-skew error between a PBIS client and a domain controller: Kerberos rejects authentication when the skew exceeds the permitted maximum, which defaults to five minutes. The command's location is as follows:

/opt/pbis/bin/get-dc-time

Example:

[root@rhel5d bin]# ./get-dc-time example.com
DC TIME: 2009-09-08 14:54:18 PDT

List Computer Account Information (lsa ad-get-machine)

You can print out the computer account name, computer account password, SID, and other information by running the following command as root. Because the output includes the computer account password, treat it like any other credential and do not paste it into tickets or logs.

/opt/pbis/bin/lsa ad-get-machine account domainDNSName

Example: /opt/pbis/bin/lsa ad-get-machine account example.com

Dynamically Update DNS (update-dns)

This command registers an IP address for the computer in DNS. The command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.

Note: --fqdn is the fully qualified domain name for the client computer.

/opt/pbis/bin/update-dns

Here is an example of how to use it to register an IP address:

/opt/pbis/bin/update-dns --ipaddress 192.168.100.4 --fqdn bvt-deb506-64.lampi.centeris.com
If your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the command once with multiple instances of the ipaddress option:

/opt/pbis/bin/update-dns --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7 --ipaddress 192.168.100.9

To troubleshoot, you can add the loglevel option with the debug parameter to the command:

/opt/pbis/bin/update-dns --loglevel debug --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7

For more information on the command's syntax and arguments, execute the following command:

/opt/pbis/bin/update-dns --help

Manage the AD Cache (ad-cache)

This command manages the PBIS cache for Active Directory users and groups on Linux and Unix computers. The command's location is as follows:

/opt/pbis/bin/ad-cache

You can use the command to clear the cache. The command's arguments can delete from the cache a user, a group, or all users and groups. The following example demonstrates how to delete all the users and groups from the cache:

/opt/pbis/bin/ad-cache --delete-all

Tip: To reclaim disk space from SQLite after you clear the cache when you are using the non-default SQLite caching option, execute the following command as root, replacing fqdn with your fully qualified domain name:

/opt/pbis/bin/sqlite3 /var/lib/pbis/db/lsass-adcache.filedb.fqdn vacuum

You can also use the ad-cache command to enumerate users in the cache, which may be helpful in troubleshooting. Example:

[root@rhel5d bin]# ./ad-cache --enum-users
TotalNumUsersFound: 0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password:
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name:     EXAMPLE\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/EXAMPLE/hab
TotalNumUsersFound: 1
[root@rhel5d bin]#

To view all the command's syntax and arguments, execute the following command:

/opt/pbis/bin/ad-cache --help

On Mac OS X

On a Mac OS X computer, clear the Directory Service cache (not the PBIS cache) by running the following command with superuser privileges in Terminal:

dscacheutil -flushcache

Join or Leave a Domain (domainjoin-cli)

domainjoin-cli is the command-line utility for joining or leaving a domain. For instructions on how to use it, see Join Active Directory from the Command Line.

Display NIS Map (ypcat)

This command is the PBIS Network Information Services (NIS) ypcat function for group, passwd, and netgroup maps.

/opt/pbis/bin/ypcat

Example usage:

/opt/pbis/bin/ypcat -d example.com -k map-name

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/ypcat --help

Display the Value of a Key in an NIS Map (ypmatch)

This command is the PBIS Network Information Services (NIS) ypmatch function for group, passwd, and netgroup maps.

/opt/pbis/bin/ypmatch
Example usage:

/opt/pbis/bin/ypmatch -d example.com -k key-name map-name

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/ypmatch --help

Modify Objects in AD (adtool)

PBIS Enterprise includes a tool to modify objects in Active Directory from the command line of a Linux, Unix, or Mac OS X computer. Located at /opt/pbis/bin/adtool, the tool has two interrelated functions:

• Query and modify objects in Active Directory.
• Find and manage objects in PowerBroker cells.

You can view a list of these two categories by executing the following command:

/opt/pbis/bin/adtool --help -a

Here is what the output of the command looks like:

[root@rhel5d bin]# ./adtool --help -a
List of Actions
Generic Active Directory actions:
--------------------------------
add-to-group - add a domain user/group to a security group.
delete-object - delete an object.
disable-user - disable a user account in Active Directory.
enable-user - enable a user account in Active Directory.
unlock-account - unlock user or computer account.
lookup-object - retrieve object attributes.
move-object - move/rename an object.
new-computer - create a new computer object.
new-group - create a new global security group.
new-ou - create a new organizational unit.
new-user - create a new user account.
remove-from-group - remove a user/group from a security group.
reset-user-password - reset user's password.
search-computer - search for computer objects, print DNs.
search-group - search for group objects, print DNs.
search-object - search for any type of objects using LDAP filter.
search-ou - search for organizational units, print DNs.
search-user - search for users, print DNs.
PowerBroker cell management actions:
--------------------------------
add-to-cell - add user/group to a PowerBroker cell.
delete-cell - delete a PowerBroker cell.
edit-cell - modify PowerBroker cell properties.
edit-cell-group - modify properties of a cell's group.
edit-cell-user - modify properties of a cell's user.
link-cell - link PowerBroker cells.
lookup-cell - retrieve PowerBroker cell properties.
lookup-cell-group - retrieve properties of cell's group.
lookup-cell-user - retrieve properties of cell's user.
new-cell - create a new PowerBroker cell.
remove-from-cell - remove user/group from a PowerBroker cell.
search-cells - search for PowerBroker cells.
unlink-cell - unlink PowerBroker cells.

To get information about the options for each action, use the following syntax:

/opt/pbis/bin/adtool --help -a <ACTION>

Here is an example with the information that is returned:

/opt/pbis/bin/adtool --help -a new-user
Usage: adtool [OPTIONS] (-a|--action) new-user <ARGUMENTS>
new-user - create a new user account.
Acceptable arguments ([X] - required):
--dn=STRING                  DN/RDN of the parent container/OU containing the user. (use '-' for stdin input)
--cn=STRING                  Common name (CN) of the new user. (use '-' for stdin input)
--logon-name=STRING          Logon name of the new user. (use '-' for stdin input) [X]
--pre-win-2000-name=STRING   Pre Windows-2000 logon name.
--first-name=STRING          First name of the new user.
--last-name=STRING           Last name of the new user.
--description=STRING         Description of the user.
--password=STRING            User's password. (use '-' for stdin input)
--no-must-change-password    User is not required to change the password at next logon. If omitted, user must change password at next logon unless the '--no-password-expires' option is specified.
--no-password-expires        The password never expires. If omitted, user must change password on next logon.
--account-enabled            User account will be enabled. By default it is disabled on creation.
Using the Tool

Privileges: When you run the tool, you must use an Active Directory account with privileges that allow you to perform the command's action. The level of privileges that you need is set by Microsoft Active Directory and is typically the same as performing the corresponding action in Microsoft Active Directory Users and Computers. For example, to add a user to a security group, you must be a member of a security group, such as the enterprise administrators security group, that has privileges to perform the action.

For more information on Active Directory privileges, permissions, and security groups, see the following references on the Microsoft TechNet website:

• Active Directory Privileges
• Active Directory object permissions
• Active Directory Users, Computers, and Groups
• Securing Active Directory Administrative Groups and Accounts

Options: There are short and long options. You separate arguments from options with either a space or an equals sign. If you are not sure about the results of an action you want to execute, run it in read-only mode first (-r). It can also be useful to set the log level to TRACE (-l 5) to see all the execution steps the tool is taking.
Authentication: SSO by default if the computer is domain-joined. Otherwise, KRB5 via a cached ticket, keytab file, or name/password (unless secure authentication is turned off with --no-sec). A simple bind sends the password to the domain controller in the clear unless the connection is protected by TLS, so avoid --no-sec.

Name resolution: In most cases you can reference objects by FQDN, RDN, UPN, or just names that make sense for a specific action. Use "-" if you want the tool to read values from stdin. This allows you to combine commands via pipes, e.g. search and lookup actions.

Multi-forest support: You can reference an object from a name context (forest) different from the one you are currently connected to, provided that there is a proper trust relation between them. In this way, for instance, you can add a user that lives in one forest to a cell defined in another forest.

Creating a New Cell: When you create a new cell, the tool adds the default primary group (domain users) to the cell. If you are adding a user to the cell and the user has a primary group different from the default group, which is an atypical case, you must add the primary group to the cell, too. The tool does not do it automatically.

Adding Users or Groups Across Domains: If you are adding a user or group to a cell, and the user or group is in a domain different from the one hosting the cell, you must use an account that has write permissions in the cell domain and at least read permissions in the domain hosting the user or group.

For example, you want to add a user such as CORP\kathy, whose primary group is, say, domain users, to a cell in a domain named CORPQA. Two conditions must be met:

• You must be authenticated to the CORPQA domain as a user with administrative rights in the CORPQA domain;
• Your user account must exist in the CORP domain with at least read permissions for the CORP domain.

Further: Since in this example the primary group of CORP\kathy is CORP\domain users, you must add CORP\domain users to the cell in the CORPQA domain, too.

Automating Commands with a Service Account: To run the tool under a service account, such as a cron job, avoid using krb5 tickets for authentication, especially those cached by the PBIS authentication service in the /tmp directory. The tickets may expire and the tool will not renew them. Instead, it is recommended that you create an entry for the service account in a keytab file and use the keytab file for authentication. Because the keytab holds the account's long-term key, protect it with restrictive file permissions (readable only by the account that runs the job) and give the service account only the Active Directory rights its actions need.

Working with a Default Cell: The tool uses the default cell only when the value of the dn parameter is the root naming context, such as when you use an expression like --dn DC=corp,DC=example,DC=com to represent corp.example.com.
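For a cron job the advice above (keytab rather than ticket cache, read-only mode first, a password read from stdin rather than typed on the command line) is easiest to keep if a wrapper enforces it. The following script is an added example, not from the manual or from adtool: it refuses ticket-cache authentication, --no-sec and any password given on argv (where every local user can read it through ps), captures a stdin secret once so that both passes receive it, and runs each action with -r before running it for real. The environment variables ADTOOL, ADTOOL_KEYTAB and ADTOOL_PRINCIPAL and the function names are this script's assumptions; the adtool options it passes (-k, -n, -r, -a) are the ones listed in the Options section.

```sh
#!/bin/sh
# Added example: policy-enforcing wrapper for unattended adtool runs.
# ADTOOL_KEYTAB: keytab holding the service account's key (assumption).
# ADTOOL_PRINCIPAL: the service account's UPN, passed to -n (assumption).
ADTOOL=${ADTOOL:-/opt/pbis/bin/adtool}

# Run adtool once. When the action reads a secret from stdin ("--password=-"),
# replay the value captured by adtool_guarded so that the read-only pass and
# the real pass both receive it; otherwise give adtool an empty stdin.
_adtool_exec() {
  if [ "$_ADTOOL_STDIN" = 1 ]; then
    printf '%s\n' "$_ADTOOL_SECRET" | "$ADTOOL" "$@"
  else
    "$ADTOOL" "$@" </dev/null
  fi
}

# adtool_guarded ACTION [ACTION_ARGUMENTS...]
# Exit status: 64 = argument rejected by policy, 65 = no secret on stdin,
# otherwise the status of the read-only pass (if it fails) or of the real run.
adtool_guarded() {
  if [ -z "$ADTOOL_KEYTAB" ] || [ -z "$ADTOOL_PRINCIPAL" ]; then
    echo "adtool_guarded: set ADTOOL_KEYTAB and ADTOOL_PRINCIPAL" >&2; return 64
  fi
  _ADTOOL_STDIN=0; _ADTOOL_SECRET=; expect=
  for arg in "$@"; do
    if [ -n "$expect" ]; then           # value following -x/--passwd/--password
      expect=
      if [ "$arg" = - ]; then _ADTOOL_STDIN=1; continue; fi
      echo "adtool_guarded: refusing a password on the command line" >&2; return 64
    fi
    case "$arg" in
      -z|--no-sec)
        echo "adtool_guarded: refusing --no-sec (simple bind)" >&2; return 64 ;;
      -c|--krb5cc|--krb5cc=*)
        echo "adtool_guarded: refusing ticket-cache auth (tickets expire and are not renewed)" >&2; return 64 ;;
      -x|--passwd|--password) expect=1 ;;
      --passwd=-|--password=-) _ADTOOL_STDIN=1 ;;
      --passwd=*|--password=*)
        echo "adtool_guarded: refusing a password on the command line" >&2; return 64 ;;
    esac
  done
  [ -z "$expect" ] || { echo "adtool_guarded: missing password value" >&2; return 64; }
  if [ "$_ADTOOL_STDIN" = 1 ]; then
    IFS= read -r _ADTOOL_SECRET || { echo "adtool_guarded: no secret on stdin" >&2; return 65; }
  fi
  action=$1; shift
  # Dry run first: names are resolved and arguments checked, nothing is modified.
  _adtool_exec -k "$ADTOOL_KEYTAB" -n "$ADTOOL_PRINCIPAL" -r -a "$action" "$@" || return $?
  _adtool_exec -k "$ADTOOL_KEYTAB" -n "$ADTOOL_PRINCIPAL" -a "$action" "$@"
}
```

Usage from cron, with the secret coming from a root-only file rather than the crontab line: cat /etc/pbis-jobs/testuser.pwd | adtool_guarded reset-user-password --name=TestUser --password=- (the file path is an assumption).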
Options

To view the tool's options and to see examples of how to use them, execute the following command:

/opt/pbis/bin/adtool --help

[root@rhel5d bin]# ./adtool --help
Usage: adtool [OPTIONS] <ACTION> [ACTION_ARGUMENTS]
HELP OPTIONS
-u, --usage                  Display brief usage message
-?, --help                   Show this message, help on all actions (-a), or help on a specific action (-a <ACTION>).
-v, --version                Print program version and exit.
COMMON OPTIONS
-l, --log-level=LOG_LEVEL    Acceptable values: 1 (error), 2 (warning), 3 (info), 4 (verbose), 5 (trace) (Default: warning).
-q, --quiet                  Suppress printing to stdout. Just set the return code. print-dn option makes an exception.
-t, --print-dn               Print DNs of the objects to be looked up, modified or searched for.
-r, --read-only              Do not actually modify directory objects when executing actions.
CONNECTION OPTIONS
-s, --server=STRING          Active Directory server to connect to.
-d, --domain=STRING          Domain to connect to.
-p, --port=INT               TCP port number
-m, --non-schema             Turn off schema mode
AUTHENTICATION OPTIONS
-n, --logon-as=STRING        User name or UPN.
-x, --passwd=STRING          Password for authentication. (use '-' for stdin input)
-k, --keytab=STRING          Full path of keytab file, e.g. /etc/krb5.keytab
-c, --krb5cc=STRING          Full path of krb5 ticket cache file, e.g. /tmp/krb5cc_[email protected]
-z, --no-sec                 Turns off secure authentication. Simple bind will be used. Use with caution!
ACTION
-a, --action[=<ACTION>]      Action to execute. Type '--help -a' for a list of actions, or '--help -a <ACTION>' for information on a specific action.
Try '--help -a' for a list of actions.

Examples

Here is an example that shows how to use two authentication options, logon-as and passwd, to search Active Directory even though the computer on which the command was executed was not connected to the domain. The account specified in the logon-as option is an Active Directory administrative account.

root@ubuntu:/opt/pbis/bin# ./adtool -a search-cells --search-base dc=connecticut,dc=com --logon-as=Administrator --passwd=-

In this case, the successful result looked like this:

Enter password:
CN=$LikewiseIdentityCell,DC=connecticut,DC=com
CN=$LikewiseIdentityCell,OU=mySecureOU,DC=connecticut,DC=com
Total cells: 2

Here are a variety of examples. In some of them, the command is broken into two lines and the line break is marked by a backslash (\). In such cases, the backslash is not part of the command.

Create OU in a root naming context:
adtool -a new-ou --dn OU=TestOu

Create OU in DC=department,DC=company,DC=com:
adtool -a new-ou --dn OU=TestOu,DC=department,DC=company,DC=com
Create PowerBroker cell in OU TestOU setting the default login shell property to /bin/ksh:
adtool -a new-cell --dn OU=TestOu --default-login-shell=/bin/ksh
Create a new account for user TestUser in OU=Users,OU=TestOu (a password passed on the command line is visible to other local users through ps; prefer reading it from stdin with --password=-, as in the reset example below):
adtool -a new-user --dn OU=Users,OU=TestOu --cn=TestUserCN --logon-name=TestUser --password=$PASSWD

Enable the user account:
adtool -a enable-user --name=TestUser

Reset user's password, reading the password from the TestUser.pwd file:
cat TestUser.pwd | adtool -a reset-user-password --name=TestUser --password=- --no-password-expires

Create a new group in OU=Groups,OU=TestOu:
adtool -a new-group --dn OU=Groups,OU=TestOu --pre-win-2000-name=TestGroup --name=TestGroup

Lookup "description" attribute of an OU specified by name with a wildcard:
adtool -a search-ou --name='*RootOu' -t | adtool -a lookup-object --dn=- --attr=description

Lookup "unixHomeDirectory" attribute of a user with samAccountName TestUser:
adtool -a search-user --name TestUser -t | adtool -a lookup-object --dn=- --attr=unixHomeDirectory

Lookup "userAccountControl" attribute of a user with CN TestUserCN:
adtool -a search-user --name CN=TestUserCN -t | adtool -a lookup-object --dn=- --attr=userAccountControl

Lookup all attributes of an AD object using filter-based search:
adtool -a search-object --filter '(&(objectClass=person)(displayName=TestUser))' -t | adtool -a lookup-object

Add user TestUser to group TestGroup:
adtool -a add-to-group --user TestUser --to-group=TestGroup

Add group TestGroup2 to group TestGroup:
adtool -a add-to-group --group TestGroup2 --to-group=TestGroup

Remove user TestUser from group TestGroup:
adtool -a remove-from-group --user TestUser --from-group=TestGroup

Rename AD object OU=OldName and move it to a new location:
adtool -a move-object --from OU=OldName,DC=department,DC=company,DC=com \
  --to OU=NewName,OU=TestOU,DC=department,DC=company,DC=com
Add group TestGroup to PowerBroker cell in TestOU:
adtool -a add-to-cell --dn OU=TestOU,DC=department,DC=company,DC=com --group=TestGroup

Remove user TestUser from PowerBroker cell in TestOU:
adtool -a remove-from-cell --dn OU=TestOU,DC=department,DC=company,DC=com --user=TestUser

Search for cells in a specific location:
adtool -a search-cells --search-base OU=department,DC=country,DC=company,DC=com

Link cell in OU=TestOU1 to the default cell in DC=country:
adtool -a link-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com \
  --target-dn DC=country,DC=company,DC=com

Unlink cell in OU=TestOU1 from the default cell in DC=country:
adtool -a unlink-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com \
  --target-dn DC=country,DC=company,DC=com

Change the default login shell property of PowerBroker cell in TestOU:
adtool -a edit-cell --dn OU=TestOU --default-login-shell=/bin/csh

Find cells linked to PowerBroker cell in OU=TestOU,DC=department,DC=company,DC=com:
adtool -a lookup-cell --dn OU=TestOU --linked-cells

Lookup login shell property of user TestUser in cell created in TestOU:
adtool -a lookup-cell-user --dn OU=TestOU --user TestUser --login-shell

Change login shell property of user TestUser in cell created in TestOU:
adtool -a edit-cell-user --dn OU=TestOU --user TestUser --login-shell=/usr/bin/ksh

Delete a cell object and all its children if any (--force):
adtool -a delete-object --dn OU=TestOU --force

Search for PowerBroker cells in root naming context containing user TestUser:
adtool -a search-cells --user TestUser
Copy Files Across Disparate Operating Systems (lwio-copy)

The lwio-copy command-line utility lets you copy files across computers running different operating systems. You can, for example, copy files from a Linux computer to a Windows computer.

There are two prerequisites to use lwio-copy:

• The lwio service must be running.
• The rdr driver must be available as specified by the registry. By default, the rdr driver is available at:

/opt/pbis/lib/lwio-driver/rdr.so

The location of the tool is as follows:

/opt/pbis/bin/lwio-copy

To view the tool's arguments, execute the following command on your Unix, Linux, or Mac computer:

/opt/pbis/bin/lwio-copy --help

Modify Local Accounts

The PBIS local authentication provider for local users and groups includes a full local authentication database. With functionality similar to the local SAM authentication database on every Windows computer, the local authentication provider lets you create, modify, and delete local users and groups on Linux, Unix, and Mac OS X computers by using the following commands.

To execute the commands that modify local accounts, you must use either the root account or an account that has membership in the local administrators group. The account can be an Active Directory account if you manually add it to the local administrators group. For example, you could add the Domain Administrators security group from Active Directory to the local administrators group, and then use an account with membership in the Domain Administrators security group to execute the commands.

Note: To authenticate a local provider user before the machine is joined to a domain, you must run the following commands to enable pam and nsswitch:

domainjoin-cli configure --enable nsswitch
domainjoin-cli configure --enable pam
Add a Local User (add-user)

This command adds a user to the local authentication database. The command's location is as follows:

/opt/pbis/bin/add-user

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/add-user --help

Add a Local Group (add-group)

This command adds a group to the local authentication database. The command's location is as follows:

/opt/pbis/bin/add-group

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/add-group --help

Remove a Local User (del-user)

This command deletes a user from the local authentication database. The command's location is as follows:

/opt/pbis/bin/del-user

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/del-user --help

Remove a Local Group (del-group)

This command deletes a group from the local authentication database. The command's location is as follows:

/opt/pbis/bin/del-group

To view the command's syntax and arguments, execute the following command:

/opt/pbis/bin/del-group --help

Modify a Local User (mod-user)

This command modifies a user's account settings in the local authentication database, including an account's expiration date and password. You can also enable a user, disable a user, unlock an account, or remove a user from a group. The command's location is as follows:
/opt/pbis/bin/mod-user
To view the command's syntax and arguments, execute the following command:
/opt/pbis/bin/mod-user --help
Modify the Membership of a Local Group (mod-group)
This command adds members to or removes members from a group in the local authentication database. The command's location is as follows:
/opt/pbis/bin/mod-group
Here is an example that demonstrates how to add domain accounts to a local group:
/opt/pbis/bin/mod-group --add-members DOMAIN\\Administrator BUILTIN\\Administrators
To view the command's syntax and arguments, execute the following command:
/opt/pbis/bin/mod-group --help
Kerberos Commands
PowerBroker Identity Services includes several command-line utilities for working with Kerberos. It is recommended that you use these Kerberos utilities, located in /opt/pbis/bin, to manage those aspects of Kerberos authentication that are associated with PBIS. For complete instructions on how to use the Kerberos commands, see the man page for the command.
Destroy the Kerberos Ticket Cache (kdestroy)
The kdestroy utility destroys the user's active Kerberos authorization tickets obtained through PowerBroker Identity Services. Destroying the user's tickets can help solve logon problems.
Note: This command destroys only the tickets in the PBIS Kerberos cache of the user account that is used to execute the kdestroy command; tickets in other Kerberos caches, including root, are not destroyed. To destroy another user's cache, use the command with its -c option.
To destroy a user's PBIS Kerberos tickets, execute the following command with the user's account:
/opt/pbis/bin/kdestroy
Tip: To view this command's options, type the following command:
/opt/pbis/bin/kdestroy -
View Kerberos Tickets (klist)
On a target Linux or Unix computer, you can see a list of Kerberos tickets by executing the following command:
/opt/pbis/bin/klist
The command lists the location of the credentials cache, the expiration time of each ticket, and the flags that apply to the tickets. For more information, see the man page for klist.
Because PowerBroker Identity Services includes its own Kerberos 5 libraries (in /opt/pbis/lib), you must use the PBIS klist command by either changing directories to /opt/pbis/bin or including the path in the command.
Example:
-sh-3.00$ /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_593495191
Default principal: [email protected]
Valid starting     Expires            Service principal
07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/[email protected]
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.EXAMPLE.COM@
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/[email protected]
        renew until 07/23/08 04:07:23
07/22/08 16:06:40  07/23/08 02:06:39  [email protected]
        renew until 07/23/08 04:07:23
Note: To address Kerberos issues, see Troubleshooting Kerberos Errors at http://technet.microsoft.com/en-us/library/cc728430(WS.10).aspx.
Obtain and Cache a TGT (kinit)
This command obtains and caches an initial ticket-granting ticket for a principal. The command's location is as follows:
/opt/pbis/bin/kinit
To view the command's options and arguments, execute the following command:
man kinit
Change a Password (kpasswd)
The kpasswd command changes a Kerberos principal's password on a Linux or Unix computer. (On a Mac computer, use the Mac OS X graphical user interface to change a Kerberos principal's password.) The command's location is as follows:
/opt/pbis/bin/kpasswd
To view the command's options and arguments, execute the following command:
man kpasswd
The Keytab File Maintenance Utility (ktutil)
This command invokes a shell from which you can read, write, or edit entries in a Kerberos keytab. The command's location is as follows:
/opt/pbis/bin/ktutil
To view the command's options and arguments, execute the following command:
man ktutil
You can use ktutil to add a keytab file to a non-default location. When you join a domain, PowerBroker Identity Services initializes a Kerberos keytab by adding the default_keytab_name setting to krb5.conf and setting it to /etc/krb5.keytab. If the keytab file referenced in krb5.conf does not exist, the PBIS domain-join utility changes the setting to /etc/krb5.conf.
You can set the keytab file to be in a location that is different from the default. To do so, you must pre-create the keytab file in the location you want and set a symlink to it in /etc/krb5.keytab. Then, you must set the default_keytab_name in /etc/krb5.conf to point to either the symlink or the real file. The result is that the keytab file will already exist and the PBIS domain-join utility will not modify its location setting.
The keytab's format does not let you create a keytab file without a keytab, but you can use ktutil to manually create one with a place-holder entry. When PBIS adds your computer to the domain, a correct entry will be added to the file.
/opt/pbis/bin/ktutil
ktutil: addent -password -p nonexistent@nonexistent -k 1 -e RC4-HMAC
Password for nonexistent@nonexistent:
ktutil: wkt /var/OtherPlace/etc/krb5.keytab
ktutil: quit
Acquire a Service Ticket and Print Key Version Number (kvno)
This command acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each. The command's location is as follows:
/opt/pbis/bin/kvno
To view the command's options and arguments, execute the following command:
man kvno
Manage PBIS Enterprise from the Windows Command Line (btopt.exe)
Btopt.exe is a command-line tool installed on Windows computers running PBIS Enterprise. It is installed in the C:\Program Files\BeyondTrust\PBIS\Enterprise folder. Command-line tools for the PBIS Enterprise database are discussed in setting up the database.
Btopt.exe lets you manage options for PBIS Enterprise from the command line of a Windows administrative workstation connected to Active Directory. You can, for example, set an option to use sequential IDs instead of hashed IDs. In addition, after you set the option to use sequential IDs, you can set the initial UID number for a cell. Setting UIDs below 1,000 is ill-advised, as they can result in a security vulnerability.
C:\Program Files\BeyondTrust\PBIS\Enterprise>btopt
btopt - configures local Windows options for PowerBroker Identity Services
Usage: btopt OPTIONS
OPTIONS:
  --status                 Show current configuration status
  --narrowsearch           Only search the default cell on the local domain
  --widesearch             Search the default cell across all domains and two-way forest trusts
  --sequential             Use sequential IDs instead of hashed IDs
  --hashed                 Use hashed IDs
  --foreignaliases         Allow the use of aliases for users and groups from other domains.
  --noforeignaliases       Disallow the use of aliases for users and groups from other domains.
  --usegc                  Use the Global Catalog to speed up searches (default)
  --ignoregc               Do not use the Global Catalog to speed up searches
  --startUID=#             Sets the initial UID number for a cell (if --sequential)
  --startGID=#             Sets the initial GID number for a cell (if --sequential)
  --minID=#                Sets minimum UID and GID number configurable through the UI
  --cell=LDAPPATH          Identifies the cell whose initial IDs (if --sequential)
                           Example: LDAP://somedc/ou=anou,dc=somecom,dc=com
  --enableloginnames       Sets the default login names to all the users enabled in all the cells.
  --disableloginnames      Disable the enable default login names option to all users enabled in all the cells.
  --disablesuggestbutton   Disable "Suggest" button, which is used to suggest UID/GID assignment to users and groups in the cells.
  --enablesuggestbutton    Enable "Suggest" button, which is used to suggest UID/GID assignment to users and groups in the cells.
  --help                   Displays this usage information
If the --startUID or --startGID options are set, the --cell option must also be set.
Configuring PBIS with the Registry
The PBIS registry is a hierarchical database that stores configuration information for PBIS services, authentication providers, drivers, and other services. On Linux, Unix, and Mac computers, the PBIS services continually access the registry to obtain settings for their parameters. The PBIS authentication service, for example, queries the registry to determine which log level to use or which home directory template to apply to a user. In version 5.4 or later, the registry replaces the text-based configuration files like lsassd.conf that were used in version 5.3 or earlier.
When you install the PBIS agent on a Linux, Unix, or Mac computer but do not install PBIS Enterprise on a Windows administrative workstation connected to Active Directory, you cannot configure local PBIS settings with Group Policy settings. Instead, you must edit the local PBIS registry. You can access the registry and modify its settings by using the PBIS registry shell—regshell—in /opt/pbis/bin/.
This chapter describes the structure of the registry, demonstrates how to change a value in it, and lists the local PBIS configuration options.
Note: Most of the registry settings can be centrally managed with Group Policy settings when you use PBIS Enterprise; see the PowerBroker Identity Services Group Policy Administration Guide. If you modify a setting in the registry that is managed by a Group Policy setting, the change will not persist: It will be overwritten by the setting in the Group Policy Object (GPO) as soon as the GPO is updated, which typically takes place once every 30 minutes. PBIS Open does not apply Group Policy settings.
The Structure of the Registry
The PBIS registry contains one predefined top-level, or root, key: HKEY_THIS_MACHINE. Within the root key, the structure of the registry is delineated by service into branches of keys, subkeys, and values.
• A key is similar to a folder; it can contain additional keys and one or more value entries.
• A value entry is an ordered pair with a name and a value.
• A subkey, similar to a subfolder, is simply a child key that appears under another key, the parent.
• A branch describes a key and all of its contents, including subkeys and value entries.
The upper level of the PBIS registry's hierarchical structure looks like the following:
[root@bvt-cen62-64 testuser]# /opt/pbis/bin/regshell
\> cd H
\> cd [HKEY_THIS_MACHINE]
HKEY_THIS_MACHINE\> ls
[HKEY_THIS_MACHINE]
[HKEY_THIS_MACHINE\Services]
HKEY_THIS_MACHINE\> cd Ser\
HKEY_THIS_MACHINE\> cd Services\
HKEY_THIS_MACHINE\Services> ls
[HKEY_THIS_MACHINE\Services\]
[HKEY_THIS_MACHINE\Services\dcerpc]
[HKEY_THIS_MACHINE\Services\eventfwd]
[HKEY_THIS_MACHINE\Services\eventlog]
[HKEY_THIS_MACHINE\Services\gpagent]
[HKEY_THIS_MACHINE\Services\lsass]
[HKEY_THIS_MACHINE\Services\lwio]
[HKEY_THIS_MACHINE\Services\lwpkcs11]
[HKEY_THIS_MACHINE\Services\lwreg]
[HKEY_THIS_MACHINE\Services\lwsc]
[HKEY_THIS_MACHINE\Services\netlogon]
[HKEY_THIS_MACHINE\Services\rdr]
[HKEY_THIS_MACHINE\Services\reapsysl]
[HKEY_THIS_MACHINE\Services\usermonitor]
HKEY_THIS_MACHINE\Services>
Each of the services corresponds to a PBIS service or driver. The subkeys within each service contain value entries. A value specifies the setting for an entry, often presented under the Parameters key.
Data Types
The PBIS registry employs four data types to store values. The values of data types are case sensitive. The following table lists the data types that are defined and used by PBIS. The maximum size of a key is 255 characters (absolute path).
Name                Data Type      Description
Binary Value        REG_BINARY     A sequence of bytes. Displayed in the registry shell in hexadecimal format. The maximum size is 1024 bytes.
DWORD Value         REG_DWORD      Data represented by a 32-bit integer. Parameters and services are typically set as this data type. The values are displayed in the registry shell in hexadecimal and decimal format. When a parameter is turned off, it is set to 0; when a parameter is turned on, it is set to 1.
Multi-String Value  REG_MULTI_SZ   A multiple string. Values that include lists or multiple values typically use this data type. Values are strings in quotation marks separated by spaces. In an import of a PBIS registry file, the multi-string values typically contain an sza: prefix. In an export of the registry, the multi-string values typically contain a hex(7): prefix. The maximum size of a REG_MULTI_SZ is 1024 bytes, total, not each string in the multistring. There are, however, null bytes between strings that contribute to the count, so the actual byte count is slightly less.
String Value        REG_SZ         A text string. The maximum size of a REG_SZ value is 1023 characters (1024 bytes, including the null terminator).
Modify Settings with the config Tool
To quickly change an end-user setting in the registry that is not managed by a Group Policy setting, you can run the config command-line tool as root:
/opt/pbis/bin/config
The syntax to change the value of a setting is as follows, where setting is replaced by the registry entry that you want to change and value by the new value that you want to set:
/opt/pbis/bin/config setting value
Example 1
Here is an example of how to use config to change the AssumeDefaultDomain setting:
[root@rhel5d bin]# ./config --detail AssumeDefaultDomain
Name: AssumeDefaultDomain
Description: Apply domain name prefix to account name at logon
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.
[root@rhel5d bin]# ./config AssumeDefaultDomain true
[root@rhel5d bin]# ./config --show AssumeDefaultDomain
boolean
true
local policy
Use the --detail option to view the setting's current value and to determine the values that it accepts.
Set the value to true.
Use the --show option to confirm that the value was set to true.
To view the registry settings that you can change with config, execute the following command:
/opt/pbis/bin/config --list
You can also import and apply a number of settings with a single command by using the --file option combined with a text file that contains the settings that you want to change followed by the values that you want to set. Each setting-value pair must be on a single line.
For example, the contents of a flat file, named newRegistryValuesFile and saved to the desktop of a Red Hat computer, looks like this:
AssumeDefaultDomain true
RequireMembershipOf "example\\support" "example\\domain^admins"
HomeDirPrefix /home/ludwig
LoginShellTemplate /bash/sh
To import the file and automatically change the settings listed in the file to the new values, run the following command as root:
/opt/pbis/bin/config --file /root/Desktop/newRegistryValuesFile
Example 2
Here is another example of how to use config to find a setting and change it. Suppose you want to view the available trust settings because you know there are inaccessible trusts in your Active Directory network and you want to set PBIS to ignore all the trusts before you try to join a domain.
To do so, use grep with the list option:
/opt/pbis/bin/config --list | grep -i trust
The results will look something like this:
DomainManagerIgnoreAllTrusts
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
Next, use the details option to list the values that the DomainManagerIgnoreAllTrusts setting accepts:
[root@rhel5d bin]# ./config --details DomainManagerIgnoreAllTrusts
Name: DomainManagerIgnoreAllTrusts
Description: When true, ignore all trusts during domain enumeration.
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.
Now change the setting to true so that PBIS will ignore trusts when you try to join a domain.
[root@rhel5d bin]# ./config DomainManagerIgnoreAllTrusts true
Finally, check to make sure the change took effect:
[root@rhel5d bin]# ./config --show DomainManagerIgnoreAllTrusts
boolean
true
local policy
In the example output that shows the setting's current values, local policy is listed—meaning that the policy is managed locally through config because a PBIS Group Policy setting is not managing the setting. You cannot locally modify a setting that is managed by a Group Policy setting.
Example 3
You can use PBIS to make Mac and Linux computers automatically connect (mount) the share locations that are defined in each user's Active Directory account profile so that documents and settings specific to the user are available on any computer from which they log on to your network.
If the share path is represented as a DFS URL, PBIS translates these paths to SMB server\share\paths that the native CIFS mount support can use. In newer Linux distributions and Mac operating systems, the Kerberos credentials obtained at logon (single sign-on) are used to connect to the shares.
You can use these shares in either of the following ways:
• As a resource folder accessible to the user's local home directory.
• As the actual user home directory for a network-mounted user account profile.
When the user logs off, the network mount connection is automatically removed.
To use the config tool to mount a remote file share specific to the user:
1. In Active Directory Users and Computers (ADUC), you must first configure the network share to be mounted.
2. Using the config tool, set the local folder where the share should be mounted. If none of the defaults have been modified, the following command mounts the home folder specified in ADUC in the user's home folder as MyHome.
/opt/pbis/bin/config RemoteHomeDirTemplate "%H/local/%D/%U/MyHome"
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
For more information about the arguments of config, run the following command:
/opt/pbis/bin/config --help
Access the Registry
You can access and modify the registry by using the registry shell—regshell—in /opt/pbis/bin. The shell works in a way that is similar to BASH. You can navigate the registry's hierarchy with the following commands:
cd
ls
pwd
You can view a list of commands that you can execute in the shell by entering help:
/opt/pbis/bin/regshell
\> help
usage: regshell [--file | -f] command_file.txt
       add_key [[KeyName]]
       list_keys [[keyName]]
       delete_key [KeyName]
       delete_tree [KeyName]
       cd [KeyName]
       pwd
       add_value [[KeyName]] "ValueName" Type "Value" ["Value2"] [...]
       set_value [[KeyName]] "ValueName" "Value" ["Value2"] [...]
       list_values [[keyName]]
       delete_value [[KeyName]] "ValueName"
       set_hive HIVE_NAME
       import file.reg
       export [[keyName]] file.reg
       upgrade file.reg
       exit | quit | ^D
  Type: REG_SZ | REG_DWORD | REG_BINARY | REG_MULTI_SZ
  REG_DWORD and REG_BINARY values are hexadecimal
  Note: cd and pwd only function in interactive mode
  Note: HKEY_THIS_MACHINE is the only supported hive
\>
Note: In the unlikely event that you want to restore all the registry's default values, you must leave the domain, stop all the PBIS services, manually delete /var/lib/pbis/db/registry.db, and then reinstall PBIS.
Change a Registry Value Using the Shell
You can change a value in the registry by executing the set_value command with the shell. The following procedure demonstrates how to change the value of the PAM key's LogLevel entry. The procedure to change other keys is similar. After you modify a registry setting for a PBIS service, you must refresh the corresponding service with the PBIS Service Manager for the changes to take effect.
1. With the root account, start regshell:
/opt/pbis/bin/regshell
2. Change directories to the location of the PAM key and list its current settings:
[root@rhel5d bin]# ./regshell
\> cd HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM
HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM> ls
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]
"DisplayMotd"          REG_DWORD  0x00000001 (1)
"LogLevel"             REG_SZ     "error"
"UserNotAllowedError"  REG_SZ     "Access denied"
3. Execute the set_value command with the name of the value as the first argument and the new value as the second argument:
HKEY_THIS_MACHINE\services\lsass\Parameters\PAM> set_value LogLevel debug
4. List the key's value entries to confirm that the value was changed:
HKEY_THIS_MACHINE\services\lsass\Parameters\PAM> ls
[HKEY_THIS_MACHINE\services\lsass\Parameters\PAM\]
"DisplayMotd"          REG_DWORD  0x00000001 (1)
"LogLevel"             REG_SZ     "debug"
"UserNotAllowedError"  REG_SZ     "Access denied"
5. Exit the shell:
HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM> quit
6. After you change a setting in the registry, you must use the PBIS Service Manager—lwsm—to force the service to begin using the new configuration. Because we changed a configuration of the lsass service, we must refresh it by executing the following command with super-user privileges:
/opt/pbis/bin/lwsm refresh lsass
Set Common Options with the Registry Shell
This section shows you how to modify several common PBIS settings by using the registry shell: the default domain, the home directory, and the shell.
1. As root or with sudo, start the registry shell:
/opt/pbis/bin/regshell
2. Change directories to the following location:
cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
3. Change the shell to, for example, bash:
set_value LoginShellTemplate /bin/bash
For more information, see Set the Home Directory and Shell for Domain Users.
4. Set the option to use the default domain:
set_value AssumeDefaultDomain 1
5. Leave the shell:
quit
6. After you change a setting in the registry, you must use the PBIS Service Manager—lwsm—to force the service to begin using the new configuration. Because we changed a configuration of the lsass service, we must refresh it by executing the following command with super-user privileges:
/opt/pbis/bin/lwsm refresh lsass
Here is how the string of commands looks in the registry shell:
[root@rhel5d docs]# /opt/pbis/bin/regshell
\> cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> set_value AssumeDefaultDomain 1
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> set_value LoginShellTemplate /bin/bash
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> quit
[root@rhel5d docs]# /opt/pbis/bin/lwsm refresh lsass
Change a Registry Value from the Command Line
You can change a value in the registry by executing the set_value command from the command line.
After you modify a registry setting for a PBIS service, you must refresh the corresponding service with the PBIS Service Manager for the changes to take effect.
The following code block demonstrates how to change the value of the PAM key's LogLevel entry without using the shell.
/opt/pbis/bin/regshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]'
[HKEY_THIS_MACHINE\\Services\lsass\Parameters\PAM]
"DisplayMotd"          REG_DWORD  0x00000001 (1)
"LogLevel"             REG_SZ     "error"
"UserNotAllowedError"  REG_SZ     "Access denied"
/opt/pbis/bin/regshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]' LogLevel debug
/opt/pbis/bin/regshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]'
[HKEY_THIS_MACHINE\\Services\lsass\Parameters\PAM]
"DisplayMotd"          REG_DWORD  0x00000001 (1)
"LogLevel"             REG_SZ     "debug"
"UserNotAllowedError"  REG_SZ     "Access denied"
Find a Registry Setting
When you're unsure where to find a setting that you want to change, you can export the registry's structure to a file and then search the file for the value entry's location.
Important: You must export the registry as root.
1. With the root account, start regshell:
/opt/pbis/bin/regshell
2. In the shell, execute the export command with the root key as the first argument and a target file as the second argument:
export HKEY_THIS_MACHINE\ lwregistry.reg
The file is exported to your current directory unless you specify a path.
In a text editor such as vi, open the file to which you exported the registry and search for the entry that you want to find.
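Instead of paging through the exported file by hand, the search can be scripted. The following is an added example, not part of the PBIS guide: it reads an export in the "[key]" / "name"=data layout shown in this chapter from stdin, reports every key that holds a given value entry, and fetches one entry's raw data. The sample export embedded below is constructed from entries documented on this page.

```shell
#!/bin/sh
# Added example (not from the PBIS guide): locate a value entry in a regshell
# export and read its data, without opening the .reg file in an editor.
# Input is the export text on stdin, in the layout regshell's export produces:
#   [HKEY_THIS_MACHINE\...]      one key header per section
#   "ValueName"=data             one line per value entry

# Constructed sample export built from entries described in this chapter.
SAMPLE_REG='[HKEY_THIS_MACHINE\Services\lsass\Parameters]
"LogLevel"="error"
"EnableEventlog"=dword:00000000
"DomainSeparator"="\\"
"SpaceReplacement"="^"

[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
"DisplayMotd"=dword:00000001
"LogLevel"="error"
"UserNotAllowedError"="Access denied"

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"AssumeDefaultDomain"=dword:00000000
"LoginShellTemplate"="/bin/sh"
"RequireMembershipOf"="example\\support" "example\\domain^admins"'

# find_value_keys VALUENAME   (export text on stdin)
# Prints every key whose section contains "VALUENAME"=...; exit 1 if none.
# The name reaches awk through the environment rather than -v, so that
# backslashes in key paths are never run through awk's escape processing.
find_value_keys() {
    WANT="$1" awk '
        BEGIN { want = ENVIRON["WANT"]; found = 0 }
        # A key header line: [ ... ]
        substr($0, 1, 1) == "[" && substr($0, length($0), 1) == "]" {
            key = substr($0, 2, length($0) - 2)
            next
        }
        # A value entry line: "Name"=data
        /^"[^"]*"=/ {
            name = $0
            sub(/^"/, "", name)        # drop the opening quote
            sub(/"=.*$/, "", name)     # keep only the value name
            if (name == want) { print key; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# value_of KEY VALUENAME   (export text on stdin)
# Prints the raw data of one entry, e.g. dword:00000001 or "error".
value_of() {
    KEY="$1" WANT="$2" awk '
        BEGIN { k = ENVIRON["KEY"]; want = ENVIRON["WANT"] }
        substr($0, 1, 1) == "[" && substr($0, length($0), 1) == "]" {
            key = substr($0, 2, length($0) - 2)
            next
        }
        key == k && /^"[^"]*"=/ {
            name = $0
            sub(/^"/, "", name)
            sub(/"=.*$/, "", name)
            if (name == want) {
                data = $0
                sub(/^"[^"]*"=/, "", data)   # everything after Name"=
                print data
                exit 0
            }
        }
    '
}

# Demonstration: which keys carry a LogLevel entry, and what is DisplayMotd?
printf '%s\n' "$SAMPLE_REG" | find_value_keys LogLevel
printf '%s\n' "$SAMPLE_REG" | value_of 'HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM' DisplayMotd
```

On a real host, feed the file produced by the export command instead of the sample: `find_value_keys LogLevel < lwregistry.reg`.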
lsass Settings
This section lists values in the lsass branch of the registry.
LogLevel Value Entries
There is a LogLevel value entry under several keys, including lsass/Parameters and PAM. Although the default value is typically error, you can change it to any of the following values: disabled, error, warning, info, verbose.
Locations
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entry
LogLevel
Example with default value:
"LogLevel"="error"
Turn on Event Logging
You can capture information about authentication transactions, authorization requests, and other security events by turning on event logging. For information about managing and viewing events, see Monitoring Events with the Event Log.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
Value Entry
EnableEventlog
Example with default value:
"EnableEventlog"=dword:00000000
Turn off Network Event Logging
After you turn on event logging, network connection events are logged by default. On laptop computers, computers with a wireless connection, or other computers whose network status might be in flux, you can turn off event logging so that the event log is not inundated with connectivity events.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
LogNetworkConnectionEvents
Example with default value:
"LogNetworkConnectionEvents"=dword:00000001
Restrict Logon Rights
You can require that a user be a member of a group to log on a computer, or you can limit logon to only the users that you specify. PBIS checks the RequireMembershipOf information in both the authentication phase and the account phase.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
RequireMembershipOf
Notes
Add each user or group to the value entry by using an NT4-style name (the short domain name with the group name) or an Active Directory security identifier (SID). Aliases are not supported. The entries must be in the form of a list of quoted entries: Each entry must be enclosed in quotation marks. A slash character must be escaped by being preceded by a slash. Example:
"RequireMembershipOf"="example\\support" "example\\domain^admins" "example\\joe" "S-1-5-21-3447809367-3151979076-456401374-513"
Only the users that you specify and the users who are members of the groups that you specify are allowed to log on the computer.
Display an Error to Users Without Access Rights
You can set PBIS to display an error message when a user attempts to log on a computer without the right to access it.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entry
UserNotAllowedError
Notes
Add the text of the error message that you want to display to the value of the entry. Example with default value:
"UserNotAllowedError"="Access denied"
Display a Message of the Day
You can set PBIS to display a message of the day (MOTD). It appears after a user logs on but before the logon script executes to give users information about a computer. The message can, for instance, remind users of the next scheduled maintenance window.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location in registry:
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entry
DisplayMotd
Example with the value set to 1, or true, to display a message:
"DisplayMotd"=dword:00000001
Change the Domain Separator Character
The default domain separator character is set to \. By default, the Active Directory group DOMAIN\Administrators appears as DOMAIN\administrators on target Linux and Unix computers. The PBIS authentication service renders all names of Active Directory users and groups lowercase.
You can, however, replace the slash that acts as the separator between an Active Directory domain name and the SAM account name with a character that you choose by modifying the DomainSeparator value entry in the registry.
The following characters cannot be used as the separator:
• alphanumeric characters (letters and digits)
• @
• #
• And not the character that you used for the space-replacement setting; for more information, see Change the Replacement Character for Spaces.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
Value Entry
DomainSeparator
Example entry with default value:
"DomainSeparator"="\\"
Note: In the default value, the slash character is escaped by the slash that precedes it.
Change Replacement Character for Spaces
The default replacement character is set to ^. By default, the Active Directory group DOMAIN\Domain Users appears as DOMAIN\domain^users on target Linux and Unix computers.
You can, however, replace the spaces in Active Directory user and group names with a character that you choose by editing the SpaceReplacement value entry in the registry.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
Value Entry
SpaceReplacement
Example with default value:
"SpaceReplacement"="^"
Notes
The following characters cannot be used as the replacement:
• whitespace - spaces and tabs
• alphanumeric characters - letters and digits
• @
• \
• #
The PBIS authentication service renders all names of Active Directory users and groups lowercase.
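The two settings above interact: the separator must not be the replacement character, and each has its own list of barred characters. The following added example (not from the PBIS guide) checks a proposed DomainSeparator and SpaceReplacement pair against those rules before you write them to the registry, and previews how an Active Directory name will then be rendered on the host. It assumes, as the page's own examples show, that only the account name is lowercased and the domain part is printed as given.

```shell
#!/bin/sh
# Added example (not from the PBIS guide): validate a DomainSeparator /
# SpaceReplacement pair against the rules in this chapter and preview the
# rendered name, e.g. DOMAIN + "Domain Users" -> DOMAIN\domain^users.
# Assumption: only the account name is lowercased (the page's examples keep
# the domain part as written).

# valid_domain_separator SEP REPL -> 0 if SEP may be used alongside REPL
valid_domain_separator() {
    sep=$1
    repl=$2
    [ ${#sep} -eq 1 ] || return 1               # exactly one character
    case $sep in
        [A-Za-z0-9] | '@' | '#') return 1 ;;    # barred for the separator
    esac
    [ "$sep" != "$repl" ] || return 1           # must differ from the replacement
    return 0
}

# valid_space_replacement REPL SEP -> 0 if REPL may be used alongside SEP
valid_space_replacement() {
    repl=$1
    sep=$2
    [ ${#repl} -eq 1 ] || return 1
    case $repl in
        [[:space:]] | [A-Za-z0-9] | '@' | '\' | '#') return 1 ;;   # barred for the replacement
    esac
    [ "$repl" != "$sep" ] || return 1
    return 0
}

# render_name DOMAIN "Account Name" SEP REPL
# Prints the name as it would appear on the host; fails on an invalid pair.
render_name() {
    domain=$1
    account=$2
    sep=$3
    repl=$4
    valid_domain_separator "$sep" "$repl" || { echo "invalid DomainSeparator: $sep" >&2; return 1; }
    valid_space_replacement "$repl" "$sep" || { echo "invalid SpaceReplacement: $repl" >&2; return 1; }
    lower=$(printf '%s' "$account" | tr 'A-Z' 'a-z')
    # tr works on single characters here, so no escaping of REPL is needed.
    replaced=$(printf '%s' "$lower" | tr ' ' "$repl")
    printf '%s%s%s\n' "$domain" "$sep" "$replaced"
}

# Demonstration with the default pair and with a custom pair.
render_name DOMAIN "Domain Users" '\' '^'
render_name DOMAIN "Domain Users" '+' '_'
```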
Turn Off System Time Synchronization
With PBIS Open and PBIS Enterprise, you can specify whether a joined computer synchronizes its time with that of the domain controller. By default, when a computer is joined to a domain without using the notimesync command-line option, the computer's time is synchronized with the domain controller's when there is a difference of more than 60 seconds but less than the maximum clock skew, which is typically 5 minutes.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
SyncSystemTime
Example with default value:
"SyncSystemTime"=dword:00000001
Set the Default Domain
If your Active Directory environment has only one domain, you can set PBIS to assume the default domain, liberating users from typing the domain name before their user or group name each time they log on a computer or switch users.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
AssumeDefaultDomain
Example with default value:
"AssumeDefaultDomain"=dword:00000000
Set the Home Directory and Shell for Domain Users
When you install PowerBroker Identity Services on a Linux, Unix, or Mac computer but not on Active Directory, you cannot associate a PowerBroker cell with an organizational unit, and thus you have no way to define a home directory or shell in Active Directory for users who log on the computer with their domain credentials.
To set the home directory and shell for a Linux, Unix, or Mac computer that is using PBIS Open or PBIS Enterprise without a cell, edit the value entry in the registry.
If you use PBIS Enterprise to set the shell and home directory both in Active Directory and in the registry, the settings in Active Directory take precedence.
After you change the home directory or shell in the registry, you must clear the PBIS authentication cache, log off, and then log on before your changes will take effect.
In the lsass branch, there are two keys that contain value entries for the home directory and shell. One is for the local provider, the other is for the Active Directory provider. Locations:
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
The following value entries for the home directory and shell, shown with their default settings, appear under both the ActiveDirectory and Local provider keys:
"LoginShellTemplate"="/bin/sh"
"HomeDirTemplate"="%H/local/%D/%U"
"HomeDirPrefix"="/home"
"CreateHomeDir"=dword:00000001
Set the Shell
Under the key for a provider, modify the value of the following entry to set the shell that you want:
LoginShellTemplate
Example with default value:
"LoginShellTemplate"="/bin/sh"
Note: /bin/bash might not be available on all systems.
Set the Home Directory
The following variables are available with the HomeDirTemplate value entry:
Variable  Description
%U        The default user name. Required.
%D        The default domain name. Optional.
%H        The default home directory. Optional. It must be set as an absolute path. This value, if used, is typically the first variable in the sequence.
%L        The host name of the computer. Optional.
Here is an example with all four variables set: %H/%L/%D/%U
In the following example, the HomeDirTemplate is using the %H variable for the HomeDirPrefix to set the user's home directory:
"HomeDirTemplate"="%H/local/%D/%U"
In the example, the HomeDirPrefix is not preceded by a slash because the slash is included in the default HomeDirPrefix to ensure that the path is absolute.
By default, the %H variable automatically changes to be compatible with the operating system to generate a home directory path:
– On Solaris, the %H variable maps to /export/home.
– On Mac OS X, %H maps to /Users.
– On Linux, %H maps to /home.

Optionally, you can set the HomeDirPrefix by changing the prefix to the path that you want. However, the HomeDirPrefix must be an absolute path, so you must precede it with a slash. Example with default value:

"HomeDirPrefix"="/home"

All the users who log on to the computer using their Active Directory domain credentials will have the shell and home directory that you set under the Providers\ActiveDirectory key. All the users who log on to the computer using their local PBIS provider credentials will have the shell and home directory that you set under the Providers\Local key.

Important: On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.

On Mac OS X, to mount a remote home directory, you must first create the directory on the remote server as well as the folders for music, movies, and so forth. See Use the createhomedir Command to Create Home Directories and other information on Apple's website.

Turn Off Home Directories

By default, a user's home directory is created upon logon. To turn off the creation of home directories, change the value of the following entry to 0, for false:

CreateHomeDir

Example with default setting of 1, which creates a home directory:

"CreateHomeDir"=dword:00000001

See Also

Fix the Shell and Home Directory Paths

Set the Umask for Home Directories

PBIS presets the umask for the home directory and all the files in it to 022. With a umask value of 022, the default file permissions for your AD user account are as follows:

• Read-write access for files
• Read-write-search for directories you own.

All others have read access only to your files and read-search access to your directories. You can, however, set the umask for home directories by modifying its value entry in the registry.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Locations

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]

Value Entry

HomeDirUmask

Example with default value:

"HomeDirUmask"="022"
Set the Skeleton Directory

By default, PBIS adds the contents of /etc/skel to the home directory created for a new user account on Linux and Unix computers. Using /etc/skel or a directory that you designate ensures that all users begin with the same settings or environment.

On Mac OS X computers, the default skeleton directories are as follows:

/System/Library/User Template/Non_localized
/System/Library/User Template/English.lproj

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Locations

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]

Value Entry

SkeletonDirs

Example with default value:

"SkeletonDirs"="/etc/skel"

Note: Add the skeleton directory that you want to set to the entry. You can add multiple entries, but each entry must be enclosed in quotation marks and separated by a space.
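The following Python script is an added example, not part of this guide or of PBIS. It covers the Set the Home Directory and Set the Umask for Home Directories sections above: it expands a HomeDirTemplate with the %U, %D, %H and %L variables and the per-OS %H mapping, checks a HomeDirTemplate/HomeDirPrefix pair before you apply it, and derives the directory and file permission bits a HomeDirUmask produces, so you can see what the default 022 exposes compared with 027 or 077. The function names, the OS-name keys and the sample user, domain and host names are the example's own assumptions.

```python
"""Added example (not from the PBIS guide or product): expand a PBIS
HomeDirTemplate the way the guide describes (%U, %D, %H, %L, with the
per-OS default for %H) and derive the modes a HomeDirUmask produces.
Function names, OS-name keys and sample inputs are this example's own.
"""
import posixpath

# %H default per operating system, as documented in the guide.
DEFAULT_HOME_PREFIX = {
    "solaris": "/export/home",
    "darwin": "/Users",      # Mac OS X
    "linux": "/home",
}


def template_problems(template, home_dir_prefix="/home"):
    """Return a list of problems with a HomeDirTemplate/HomeDirPrefix pair
    (an empty list means the pair is usable)."""
    problems = []
    if "%U" not in template:
        problems.append("HomeDirTemplate must contain %U")
    if not home_dir_prefix.startswith("/"):
        problems.append("HomeDirPrefix must be an absolute path")
    # If %H is not used, the template itself has to be absolute.
    if "%H" not in template and not template.startswith("/"):
        problems.append("HomeDirTemplate must be absolute when %H is not used")
    return problems


def expand_home_dir(template, user, domain, hostname, os_name,
                    home_dir_prefix=None):
    """Return the absolute home directory for one user.

    home_dir_prefix=None means 'use the OS default', which is what the guide
    says %H does unless HomeDirPrefix has been changed (assumption: an
    unknown OS name falls back to /home).
    """
    prefix = home_dir_prefix or DEFAULT_HOME_PREFIX.get(os_name.lower(), "/home")
    problems = template_problems(template, prefix)
    if problems:
        raise ValueError("; ".join(problems))
    path = (template.replace("%H", prefix)
                    .replace("%L", hostname)
                    .replace("%D", domain)
                    .replace("%U", user))
    return posixpath.normpath(path)


def modes_for_umask(umask_text):
    """Translate a HomeDirUmask string such as "022" into the permission bits
    new directories (0777 & ~umask) and files (0666 & ~umask) receive."""
    umask = int(umask_text, 8)
    return 0o777 & ~umask, 0o666 & ~umask


def umask_findings(umask_text):
    """Security check: report whether a HomeDirUmask leaves new home
    directories or files readable (or writable) by other users."""
    dir_mode, file_mode = modes_for_umask(umask_text)
    findings = []
    if dir_mode & 0o004:
        findings.append("directories are world-readable")
    if dir_mode & 0o040:
        findings.append("directories are group-readable")
    if file_mode & 0o004:
        findings.append("files are world-readable")
    if (dir_mode | file_mode) & 0o022:
        findings.append("group or world has write access")
    return findings


if __name__ == "__main__":
    for os_name in ("linux", "solaris", "darwin"):
        print(os_name, expand_home_dir("%H/local/%D/%U", "jdoe", "EXAMPLE",
                                       "host1", os_name))
    print("%H/%L/%D/%U ->", expand_home_dir("%H/%L/%D/%U", "jdoe", "EXAMPLE",
                                            "host1", "linux"))
    for umask in ("022", "027", "077"):
        d, f = modes_for_umask(umask)
        print(umask, oct(d), oct(f), umask_findings(umask))
```

Run it as a script to see the expansions and the three umasks side by side. With the default of 022, every new home directory and file is readable by every other local and domain user on the computer; 077 restricts them to the owner, and 027 to the owner and the primary group.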
Force PBIS Enterprise to Work Without Cell Information

To use the PBIS Enterprise agent to join a Linux, Unix, or Mac OS X computer to a domain that has not been configured with cell information, you must change the value of CellSupport to unprovisioned.

This setting, which applies only to PBIS Enterprise, forces the authentication service to ignore the following Unix information even though it is set in Active Directory:

• Home directory
• UID
• GID
• Unix shell

Instead of using the information from Active Directory, the unprovisioned value sets the authentication service to hash the user's security identifier and use local settings for the Unix shell and the home directory.
Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

CellSupport

Notes

The value must be set as one of the following: no-unprovisioned, full or unprovisioned.

The default is no-unprovisioned, a setting that requires you to create a cell in Active Directory before you join a PBIS client to it. If you are using PBIS Enterprise with cells and you want to use the Unix settings in AD, it is recommended that you leave CellSupport set to its default value of no-unprovisioned:

"CellSupport"="no-unprovisioned"

Here is an example with the value set to unprovisioned to force PBIS Enterprise to ignore Unix settings and other cell information in AD:

"CellSupport"="unprovisioned"

Setting the value to full configures the PBIS Enterprise agent to use cell information when it appears in AD and local settings when no cells are in AD:

"CellSupport"="full"

Refresh User Credentials

By default, PBIS automatically refreshes user credentials, but you can turn off automatic refreshes by modifying the configuration of the PBIS authentication service.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

RefreshUserCredentials

Example with default setting:

"RefreshUserCredentials"=dword:00000001
Turn Off K5Logon File Creation

By default, PBIS creates a .k5login file in the home directory of an Active Directory user who is authenticated by Kerberos when logging on a Linux, Unix, or Mac OS X computer. You can, however, stop the creation of a .k5login file.

The .k5login file contains the user's Kerberos principal, which uniquely identifies the user within the Kerberos authentication protocol. Kerberos can use the .k5login file to check whether a principal is allowed to log on as a user. A .k5login file is useful when your computers and your users are in different Kerberos realms or different Active Directory domains, which can occur when you use Active Directory trusts.

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

CreateK5Login

Example with default value:

"CreateK5Login"=dword:00000001

Change the Duration of the Computer Password

You can set the computer account password's expiration time. The expiration time specifies when a computer account password is reset in Active Directory if the account is not used. The default is 30 days.

Active Directory handles computer accounts for Linux, Unix, and Mac in the same way as those for Windows computers; for more information, see the Microsoft Active Directory documentation.

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

MachinePasswordLifespan
Example with default value, which is shown as seconds in hexadecimal format:

"MachinePasswordLifespan"=dword:000927c0

Notes

Setting the value to 0 disables expiration. The minimum value is 1 hour, expressed in seconds, and the maximum is 60 days, expressed in seconds. To avoid issues with Kerberos key tables and single sign-on, the MachinePasswordLifespan must be at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted clock skew. The expiration time for a user ticket is set by using an Active Directory Group Policy setting called Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default PBIS computer password lifetime is 30 days.

Check the Maximum Lifetime for a User Ticket

1. Open the default domain policy in the Group Policy Management Editor.
2. In the console tree under Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Kerberos Policy.
3. In the details pane, double-click Maximum lifetime for user ticket.
4. In the Ticket expires in box, make sure that the number of hours is no more than half that of the MachinePasswordLifespan you set in the registry.

See Also

Fix a Key Table Entry-Ticket Mismatch
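The following Python script is an added example, not part of this guide or of PBIS. It decodes a MachinePasswordLifespan dword, checks it against the 1 hour minimum and 60 day maximum, and applies the rule above that the lifespan must be at least twice the maximum user ticket lifetime plus the permitted clock skew; it also computes the largest ticket lifetime a given lifespan tolerates, which is the check in step 4 of the procedure. The function names are the example's own. The 10 hour ticket lifetime is the Active Directory default named above; the 5 minute clock skew is the Active Directory default for Maximum tolerance for computer clock synchronization and is assumed here. One caveat worth the decoder: the example value dword:000927c0 above is 600,000 seconds (just under 7 days), whereas 30 days is 2,592,000 seconds, dword:00278d00, so decode the value actually set on a computer rather than relying on the comment beside it.

```python
"""Added example (not from the PBIS guide or product): decode a
MachinePasswordLifespan dword and check it against the rules in the guide.
Function names and the defaults for the user ticket lifetime (10 hours, the
AD default) and clock skew (5 minutes, the AD default) are this example's own.
"""
HOUR = 3600
DAY = 24 * HOUR
MIN_LIFESPAN = 1 * HOUR          # documented minimum
MAX_LIFESPAN = 60 * DAY          # documented maximum
DEFAULT_TICKET_HOURS = 10        # AD "Maximum lifetime for user ticket" default
DEFAULT_SKEW_SECONDS = 5 * 60    # AD permitted clock skew default (assumption)


def dword_to_int(value):
    """Accept 'dword:000927c0', '0x927c0' or '600000' and return an int."""
    text = str(value).strip().lower()
    if text.startswith("dword:"):
        return int(text[len("dword:"):], 16)
    if text.startswith("0x"):
        return int(text, 16)
    return int(text, 10)


def int_to_dword(seconds):
    """Format seconds the way the registry examples in the guide show them."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a dword")
    return "dword:%08x" % seconds


def max_ticket_hours_for(lifespan_seconds, skew_seconds=DEFAULT_SKEW_SECONDS):
    """Largest 'Maximum lifetime for user ticket' (whole hours) that still
    satisfies lifespan >= 2 * ticket_lifetime + skew."""
    return (lifespan_seconds - skew_seconds) // (2 * HOUR)


def check_lifespan(value, ticket_hours=DEFAULT_TICKET_HOURS,
                   skew_seconds=DEFAULT_SKEW_SECONDS):
    """Return a list of findings for a MachinePasswordLifespan value.
    An empty list means the value is within the documented limits and the
    Kerberos ticket-lifetime constraint holds."""
    seconds = dword_to_int(value)
    findings = []
    if seconds == 0:
        findings.append("0 disables expiration: the computer password never rotates")
        return findings
    if seconds < MIN_LIFESPAN:
        findings.append("below the 1 hour minimum")
    if seconds > MAX_LIFESPAN:
        findings.append("above the 60 day maximum")
    required = 2 * ticket_hours * HOUR + skew_seconds
    if seconds < required:
        findings.append("shorter than 2 x user ticket lifetime + clock skew (%d s); "
                        "user tickets may outlive the keytab entry" % required)
    return findings


if __name__ == "__main__":
    for v in ("dword:000927c0", "dword:00278d00", "dword:00000000", "3600"):
        print(v, "=", dword_to_int(v), "s ->", check_lifespan(v) or "ok")
    print("max user ticket hours at 600000 s:", max_ticket_hours_for(600000))
    print("30 days as a dword:", int_to_dword(30 * DAY))
```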
Sign and Seal LDAP Traffic

You can sign and seal LDAP traffic: signing protects its integrity so that tampering is detected, and sealing encrypts it so that others cannot read your LDAP traffic on your network. This setting can help improve network security. It is turned off by default.

Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

LdapSignAndSeal

Example with default value:

"LdapSignAndSeal"=dword:00000000

NTLM Settings

There are a number of NTLM settings that system administrators can use to manage NTLM sessions.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]

Value Entry with Default Value

"AcceptNTLMv1"=dword:00000001

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM]

Value Entries with Default Values

"SendNTLMv2"=dword:00000000
"Support128bit"=dword:00000001
"Support56bit"=dword:00000001
"SupportKeyExchange"=dword:00000001
"SupportNTLM2SessionSecurity"=dword:00000001
"SupportUnicode"=dword:00000001

Each NTLM value entry is described in the following table. For additional information, see Microsoft's description of the LAN Manager authentication levels.

Value Entry and Description

AcceptNTLMv1
    Controls whether the PBIS local provider accepts the older and less secure NTLM protocol for authentication in addition to NTLMv2. This setting does not apply to the Active Directory provider because it passes off NTLM and NTLMv2 authentication to a domain controller through schannel; it is the domain controller's settings that determine which versions of NTLM are allowed.
SendNTLMv2
    Forces lsass to use NTLMv2 rather than the older and less secure NTLM when lsass acts as a client. (Lsass typically serves as an NTLM client in relation to domain controllers.)

Support128bit and Support56bit
    Control the length of the encryption key. They are intended to serve as a mechanism for debugging NTLM sessions. There are no corresponding settings in Windows.

SupportKeyExchange
    Allows the protocol to exchange a session key; Kerberos has a similar feature. During authentication, an alternate key is exchanged for subsequent encryption to reduce the risk of exposing a password. It is recommended that you use the default setting.

SupportNTLM2SessionSecurity
    Permits the client to use a more secure variation of the protocol if the client discovers that the server supports it. Corresponds to a similar setting in Windows.

SupportUnicode
    Sets NTLM to represent text according to the Unicode industry standard. It is recommended that you use the default setting, which is to support Unicode.

Additional Subkeys

There are additional subkeys in the lsass branch that the lsass service uses to store information for the PBIS application. It is recommended that you do not change these subkeys or their value entries.

• [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\YourDNSdomainName\DomainTrust]
  Stores information about domain trusts.

• [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\YourDNSdomainName\ProviderData]
  Stores data used by the Active Directory authentication provider.

• [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\YourDNSdomainName\Pstore]
  Caches information about the computer and the user's Active Directory account, including the computer password. The computer password is visible only to root users when they view or export the registry.

• [HKEY_THIS_MACHINE\Services\lsass\Parameters\RPCServers]
  Stores information that the system uses to execute remote procedure calls.

Add Domain Groups to Local Groups

This value entry controls whether the domain-join process adds domain groups to the local PBIS groups and whether the domain-leave process removes domain groups from the local PBIS groups. The default setting is 0, for disabled: no domain groups are added to local groups.

When the setting is enabled, the AD group Domain Admins is added to BUILTIN\\Administrators, and Domain Users is added to BUILTIN\\Users.

After joining or leaving a domain, you can verify that the domain groups were added to or removed from the local groups by running the lsa enum-members command for the BUILTIN\\Administrators group and the BUILTIN\\Users group.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

AddDomainToLocalGroupsEnabled

Control Trust Enumeration

PBIS includes the following settings for controlling how the domain manager component of the authentication service enumerates trusts. The settings can help improve performance of the authentication service in an extended AD topology.

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Important: The setting that specifies an include list is dependent on defining the setting for ignoring all trusts: To use the include list, you must first enable the setting to ignore all trusts. The include-list setting must explicitly contain every domain that you want to enumerate. It is insufficient to include only the forests that contain the domains.

For a domain that is added to the include list, PBIS tries to discover its trust. If some of the domains are not included in the space-separated list, the resulting trust relationships might run counter to your intentions: The PBIS agent might process the trust as a one-way forest child trust when it is not.

Changes to the trust enumeration settings take effect when you restart either the computer or the PBIS authentication service (lsass).
Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entries

DomainManagerIgnoreAllTrusts
    Determines whether the authentication service discovers domain trusts. In the default configuration of disabled, the service enumerates all the parent and child domains as well as forest trusts to other domains. For each domain, the service establishes a preferred domain controller by checking for site affinity and testing server responsiveness, a process that can be slowed by WAN links, subnet firewall blocks, stale AD site topology data, or invalid DNS information. When it is unnecessary to enumerate all the trusts (because, for example, the intended users of the target computer are only from the forest that the computer is joined to), turning on this setting can improve startup times of the authentication service.

DomainManagerIncludeTrustsList
    When the setting DomainManagerIgnoreAllTrusts is turned on, only the domain names in the space-separated include list are enumerated for trusts and checked for server availability. Each item in the list must be separated by a space.

DomainManagerExcludeTrustsList
    When the setting DomainManagerIgnoreAllTrusts is turned off (its default setting), the domain names in the space-separated exclude list are not enumerated for trusts and not checked for server availability. Each item in the list must be separated by a space.
Modify Smart Card Settings

The following settings are available only with PBIS Enterprise.

Location in registry:

[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]

Value Entries

SmartCardPromptGecos
SmartCardServices

Set the Interval for Checking the Status of a Domain

This value entry determines how frequently the PBIS domain manager checks whether a domain is online. The default is 5 minutes (300 seconds).

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

DomainManagerCheckDomainOnlineInterval

Example with default value:

"DomainManagerCheckDomainOnlineInterval"=dword:0000012c

Set the Interval for Caching an Unknown Domain

This value entry determines how long the PBIS domain manager caches an unknown domain as unknown. The default is 1 hour (3600 seconds).

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

DomainManagerUnknownDomainCacheTimeout

Example with default value:

"DomainManagerUnknownDomainCacheTimeout"=dword:00000e10

lsass Cache Settings

Many of the following cache settings can be managed by the Group Policy settings of PBIS Enterprise. For more information, see the PowerBroker Identity Services Group Policy Administration Guide.
Set the Cache Type

By default, the lsass service uses SQLite to cache information about users, groups, and the state of the computer. You can, however, change the cache to store the information in memory, which might improve the performance of your system.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

CacheType

Example with default value:

"CacheType"="sqlite"

Notes

To use the memory cache, change the value to memory. Example:

"CacheType"="memory"

Cap the Size of the Memory Cache

By default, the lsass service caches information about users, groups, and the state of the computer in a SQLite database. If, however, you change the cache to store the data in memory, you can limit the size of the cache to prevent it from consuming too much memory. It is suggested that the size of the cache be between 1 MB and 10 MB, but the size limit that you choose will depend on your environment. Groups with many members call for a larger memory cache to enumerate all the users.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

MemoryCacheSizeCap

Example with default value:

"MemoryCacheSizeCap"=dword:00000000

Notes

To limit the memory cache to a maximum value, change the value to the byte count that you want. When the total cache size exceeds the limit, old data is purged. The default value is 0: no limit is set.
Change the Duration of Cached Credentials

You can specify how long the PBIS agent caches information about an Active Directory user's home directory, logon shell, and the mapping between the user or group and its security identifier (SID). This setting can improve the performance of your system by increasing the expiration time of the cache.

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entry

CacheEntryExpiry

Example with default value (0x3840 is 14400 seconds, 4 hours):

"CacheEntryExpiry"=dword:00003840

Note: Set the value to an interval, in seconds. The minimum entry is 0 seconds and the maximum is 1 day, expressed in seconds.

Change NSS Membership and NSS Cache Settings

To customize PBIS to meet the performance needs of your network, you can specify how the PBIS agent parses and caches group and user membership information with the following value entries in the registry:

Location

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

Value Entries

Here are the value entries with their default values:

"TrimUserMembership"=dword:00000001
"NssGroupMembersQueryCacheOnly"=dword:00000001
"NssUserMembershipQueryCacheOnly"=dword:00000000
"NssEnumerationEnabled"=dword:00000000

Each setting is described in the table that follows.
Setting and Description

TrimUserMembership
    Specifies whether to discard cached information from a Privilege Attribute Certificate (PAC) entry when it conflicts with new information retrieved through LDAP. Otherwise, PAC information, which does not expire, is updated the next time the user logs on. The default setting is 1: It is turned on.

NssGroupMembersQueryCacheOnly
    Specifies whether to return only cached information for the members of a group when queried through nsswitch. More specifically, the setting determines whether nsswitch-based group APIs obtain group membership information exclusively from the cache, or whether they search for additional group membership data through LDAP. This setting is made available because, with large amounts of data, the LDAP enumeration can be slow and can affect performance. To improve performance for groups with more than 10,000 users, set this option to yes. Without the LDAP enumeration, only when a user logs on can that user's complete group membership be retrieved based on the PAC. The default setting is 1: It is turned on.

NssUserMembershipQueryCacheOnly
    When set to yes, enumerates the groups to which a user belongs using information based solely on the cache. When set to no, it checks the cache and searches for more information over LDAP. The default setting is 0: It is turned off.

NssEnumerationEnabled
    Controls whether all users or all groups can be incrementally listed through NSS. On Linux computers and Unix computers other than Mac, the default setting is 0, or turned off. On Mac OS X computers, the default setting is 1, or turned on.
    To allow third-party software to show Active Directory users and groups in lists, you can change this setting to 1, but performance might be affected.

    Note: When you run the id command for an Active Directory user other than the current user on some Linux systems, such as SLES 10 and SLED 10, the command returns only that user's primary group. The command enumerates all the groups and searches for the user in the groups' membership. To properly find another user's membership with the id command on SLES 10 and SLED 10, you must turn on NSS enumeration.

eventlog Settings

This section lists values in the eventlog branch of the registry.

Allow Users and Groups to Delete Events

This entry specifies the Active Directory users and groups who can delete events from the PBIS event log.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]

Value Entry

AllowDeleteTo

Notes

Add the users and groups, separated by commas, to the value entry by using NT4-style names (the short domain name with the group name), the user's or group's alias, or an Active Directory security identifier (SID). The comma-separated list must be enclosed in quotation marks. Example:

AllowDeleteTo="example\support, example\domain^admins, example\joe,jane,S-1-5-21-3447809367-3151979076-456401374-513,sales^admins"
Allow Users and Groups to Read Events

This value entry specifies the Active Directory users and groups who can read events in the PBIS event log.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]

Value Entry

AllowReadTo

Notes

Add the users and groups, separated by commas, to the value entry by using NT4-style names (the short domain name with the group name), the user's or group's alias, or an Active Directory security identifier (SID). The comma-separated list must be enclosed in quotation marks. Example:

AllowReadTo="example\support, example\domain^admins, example\joe,jane,S-1-5-21-3447809367-3151979076-456401374-513,sales^admins"

Allow Users and Groups to Write Events

This value entry specifies the Active Directory users and groups who can write events in the PBIS event log.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]

Value Entry

AllowWriteTo

Notes

Add the users and groups, separated by commas, to the value entry by using NT4-style names (the short domain name with the group name), the user's or group's alias, or an Active Directory security identifier (SID). The comma-separated list must be enclosed in quotation marks. Example:

AllowWriteTo="example\support, example\domain^admins, example\joe,jane,S-1-5-21-3447809367-3151979076-456401374-513,sales^admins"
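The following Python script is an added example, not part of this guide or of PBIS. It parses the comma-separated principal list used by the AllowDeleteTo, AllowReadTo and AllowWriteTo entries above, classifies each item as a SID, an NT4-style DOMAIN\name or a bare alias, and flags grants to very broad principals. The function names and the well-known-SID table are the example's own; treating ^ as the character substituted for a space in an AD name is an assumption taken from the domain^admins form in the examples. The sample value is constructed to match those examples, whose SID ends in RID 513, the Domain Users group of that domain: granting it delete rights lets every domain user clear the audit trail, and the script reports exactly that.

```python
"""Added example (not from the PBIS guide or product): parse the
comma-separated principal lists of the eventlog AllowDeleteTo, AllowReadTo
and AllowWriteTo entries, classify each principal, and flag grants to very
broad groups. Function names, the well-known-SID table and the treatment of
'^' as a space substitute are this example's own assumptions.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Broad principals a practitioner would not normally want able to delete or
# write events. Domain-relative RIDs apply to any S-1-5-21-... domain SID.
BROAD_RIDS = {513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-7": "Anonymous"}
BROAD_NAMES = {"domain^users", "domain^guests", "everyone", "users"}


def parse_principals(value):
    """Split an Allow*To value into (kind, domain, name) tuples.
    kind is 'sid', 'nt4' (DOMAIN\\name) or 'alias' (bare name)."""
    text = value.strip()
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    principals = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if SID_RE.match(item):
            principals.append(("sid", None, item))
        elif "\\" in item:
            domain, name = item.split("\\", 1)
            principals.append(("nt4", domain, name))
        else:
            principals.append(("alias", None, item))
    return principals


def display_name(name):
    """Assumption: PBIS writes a space in an AD name as '^'."""
    return name.replace("^", " ")


def broad_grants(value):
    """Return a human-readable list of the overly broad principals in value."""
    findings = []
    for kind, domain, name in parse_principals(value):
        if kind == "sid":
            if name in BROAD_SIDS:
                findings.append("%s (%s)" % (name, BROAD_SIDS[name]))
            elif name.startswith("S-1-5-21-"):
                rid = int(name.rsplit("-", 1)[1])
                if rid in BROAD_RIDS:
                    findings.append("%s (RID %d, %s)" % (name, rid, BROAD_RIDS[rid]))
        elif name.lower() in BROAD_NAMES:
            findings.append(("%s\\%s" % (domain, name)) if domain else name)
    return findings


# Constructed sample, matching the form of the guide's examples.
SAMPLE = ('"example\\support, example\\domain^admins, example\\joe,jane,'
          'S-1-5-21-3447809367-3151979076-456401374-513,sales^admins"')

if __name__ == "__main__":
    for kind, domain, name in parse_principals(SAMPLE):
        print(kind, domain, display_name(name))
    print("broad grants:", broad_grants(SAMPLE))
```

Run the check over all three entries: read access for a broad group is a disclosure question, but delete and write access for one lets any member of that group erase or forge events, so those two lists should normally contain only the security team's group and the accounts that operate the agent.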
Set the Maximum Disk Size

This value entry specifies the maximum size of the event log. The default is 102400 KB. The minimum size is 100 KB. The maximum is 2097152 KB.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry

MaxDiskUsage

Example with default value (0x06400000 is 104857600 bytes, 102400 KB):

"MaxDiskUsage"=dword:06400000

Set the Maximum Number of Events

This value entry defines the maximum number of events that can reside in the event log. The default is 100,000. The minimum number is 100. The maximum is 2,000,000.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]

Value Entry

MaxNumEvents

Example with default value:

"MaxNumEvents"=dword:000186a0

Set the Maximum Event Timespan

This value entry defines the maximum length of time, in days, that events can remain in the event log. Events older than the specified timespan are removed. The default is 90 days. The maximum is 365 days.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]

Value Entry

MaxEventLifespan

Example with the default value of 90 days:

"MaxEventLifespan"=dword:0000005a

Change the Purge Interval

This value entry defines the number of days after which to purge the database of events. The default is 1 day.

Location

[HKEY_THIS_MACHINE\Services\eventlog\Parameters]

Value Entry

EventDbPurgeInterval

Example with default value of 1 day:

"EventDbPurgeInterval"=dword:00000001
netlogon Settings

The netlogon branch contains registry values for setting the expiration of the cache that holds information for the site affinity service, including the optimal domain controller and global catalog. The netlogon service generates the value entries under the [HKEY_THIS_MACHINE\Services\netlogon\cachedb] subkey to cache information about your domain controllers and global catalog. It is recommended that you do not change the registry values under the cachedb subkey.

[HKEY_THIS_MACHINE\Services\netlogon]
"Arguments"       REG_SZ     ""
"Autostart"       REG_DWORD  0x00000001 (1)
"CoreSize"        REG_DWORD  0x00000000 (0)
"Dependencies"    REG_SZ     "lwreg"
"Description"     REG_SZ     "Site Affinity Service"
"Environment"     REG_SZ     ""
"Path"            REG_SZ     "/opt/pbis/lib64/lw-svcm/netlogon.so"
"Type"            REG_DWORD  0x00000002 (2)

[HKEY_THIS_MACHINE\Services\netlogon\cachedb]

[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
"CLdapMaximumConnections"         REG_DWORD  0x00000064 (100)
"CLdapSearchTimeout"              REG_DWORD  0x0000000f (15)
"CLdapSingleConnectionTimeout"    REG_DWORD  0x0000000f (15)
"NegativeCacheTimeout"            REG_DWORD  0x0000003c (60)
"NetBiosUdpTimeout"               REG_DWORD  0x00000001 (1)
"NetBiosWinsPrimary"              REG_SZ     ""
"NetBiosWinsSecondary"            REG_SZ     ""
"PingAgainTimeout"                REG_DWORD  0x00000384 (900)
"ResolveNameOrder"                REG_SZ     "DNS"
"WritableRediscoveryTimeout"      REG_DWORD  0x00000708 (1800)
"WritableTimestampMinimumChange"  REG_DWORD  0x00000000 (0)

Only the values under the Parameters subkey are documented in this section.

Set the Negative Cache Timeout

This setting is reserved for internal use only.

Location
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]

Value Entry

NegativeCacheTimeout

Example with default value:

"NegativeCacheTimeout"=dword:0000003c

Set the Ping Again Timeout

The netlogon service periodically tests whether cached domain controllers are available. This setting controls how often it does so.

Location

[HKEY_THIS_MACHINE\Services\netlogon\Parameters]

Value Entry

PingAgainTimeout

Example with default value:

"PingAgainTimeout"=dword:00000384

Set the Writable Rediscovery Timeout

When a service requests a writable domain controller and one does not exist in the local site, this setting controls how long the service stays affinitized to the writable domain controller before reaffinitizing to a closer read-only domain controller.

Location

[HKEY_THIS_MACHINE\Services\netlogon\Parameters]

Value Entry

WritableRediscoveryTimeout

Example with default value:

"WritableRediscoveryTimeout"=dword:00000708

Set the Writable Timestamp Minimum Change

Netlogon keeps track of when a writable domain controller was last requested. Related to WritableRediscoveryTimeout, this setting controls how often that timestamp is changed.

Location

[HKEY_THIS_MACHINE\Services\netlogon\Parameters]

Value Entry

WritableTimestampMinimumChange
Example with default value:

"WritableTimestampMinimumChange"=dword:00000000

Set CLdap Options

The netlogon service uses multiple asynchronous CLDAP searches in a single thread to find servers that act as domain controllers and global catalogs. To improve performance in the context of your unique network, you can adjust the following settings for the Connection-less Lightweight Directory Access Protocol.

Location

[HKEY_THIS_MACHINE\Services\netlogon\Parameters]

Value Entries

CLdapMaximumConnections is the maximum number of servers that will be pinged simultaneously. The default is 100.

CLdapSearchTimeout is the timeout for the entire search (in seconds). The default is 15 seconds.

CLdapSingleConnectionTimeout is the timeout for pinging a single server (in seconds). The default is 15 seconds.

lwio Settings

The lwio branch contains registry settings for the input-output service, lwio.

The settings under the shares subkey define shared folders and the security descriptors that control access to them. It is recommended that you do not directly change the values under the shares subkey while the lwio service is running.

Sign Messages If Supported

Although signing messages is turned off by default, you can set the input-output service to sign messages. Doing so, however, can degrade performance. When signing is turned off, the input-output service will reject clients that require signing.

Location

[HKEY_THIS_MACHINE\Services\lwio\Parameters]

Value Entry

SignMessagesIfSupported

Example with default value:

"SignMessagesIfSupported"=dword:00000000
Enable Security Signatures

This registry setting, which is turned on by default, sets the CIFS file server to sign responses when it receives signed messages from a client.

Location

[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\srv]

Value Entry

EnableSecuritySignatures

Example with default value:

"EnableSecuritySignatures"=dword:00000001

Require Security Signatures

This registry setting determines whether the CIFS file server will reject clients that do not support signing.

Location

[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\srv]

Value Entry

RequireSecuritySignatures

Example with default value:

"RequireSecuritySignatures"=dword:00000001

Set Support for SMB2

This registry setting determines whether the CIFS file server will engage the SMB2 protocol module. When the setting is turned off, the server will not negotiate with SMB2.

Location

[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\srv]

Value Entry

SupportSmb2

Example with default value:

"SupportSmb2"=dword:00000000
Lwedsplugin Settings for Mac Computers

The PBIS registry includes the following settings to manage the directory services plugin on a Mac OS X computer.

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For information, see the PowerBroker Identity Services Group Policy Administration Guide.

Here is an example configuration in the registry:

[HKEY_THIS_MACHINE\Services\lwedsplugin\Parameters\]
"AllowAdministrationBy"            REG_SZ     ""
"EnableForceHomedirOnStartupDisk"  REG_DWORD  0x00000000 (0)
"EnableMergeAdmins"                REG_DWORD  0x00000000 (0)
"EnableMergeModeMCX"               REG_DWORD  0x00000000 (0)
"UncProtocolForHomeLocation"       REG_SZ     "smb"
"UseADUncForHomeLocation"          REG_DWORD  0x00000000 (0)

Each setting is described in the following table.

DS Plugin Setting in the Registry and Description

Allow administration by
    Specifies the administrators included in the local admin group (GID: 80) on the computer. The setting can specify Active Directory users or groups. Local entries are overwritten unless you also set the parameter to merge administrators who are defined locally.

Force home directory on startup disk
    Sets a computer to use a local home directory path. When a user with a home folder connection defined in Active Directory logs on, the connection is created in the dock under /Network/Servers/homeFolderName.

Merge Administrators
    Preserves members of the admin group who are defined locally but are not specified in the allow administration by policy.

Set the UNC Protocol for the Home Location
    Sets the protocol for the home location.

Use UNC path from Active Directory to create home location
    Sets the computer to connect to the network share defined in the Active Directory user account. The UNC path is converted to SMB when the target share is running Windows or AFP when the target is running Mac OS X.
    If the setting for forcing the home directory on the startup disk is enabled, the UNC path is used to create a folder in the user's dock and the home directory is set to the user's local home directory path.

    To set the path for the home directory, go to the Profile tab of the user's properties in ADUC and under Home folder select Connect, choose a drive letter (which is ignored by a Mac OS X computer), and then in the To box type the UNC path that you want.

    Here is the form the path takes: \\server\share\folder

    Here is an example of a path: \\example\homes\fanthony
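The following Python script is an added example, not part of this guide or of PBIS, and it closes the registry chapter with a check that spans the NTLM Settings, Sign and Seal LDAP Traffic and lwio Settings sections above. It parses registry fragments in the "Name"=dword:... and "Name"="..." form used throughout this chapter, audits the authentication and signing entries against the values those sections describe as weaker (NTLMv1 accepted, NTLMv1 sent, LDAP unsigned and unsealed, SMB messages unsigned), and renders the hardened counterpart in the same form. The rule set, function names and the sample fragment (constructed from the defaults the guide lists) are the example's own; whether the rendered fragment can be imported unchanged with the PBIS registry tools is an assumption, so check it against the import syntax of your version.

```python
"""Added example (not from the PBIS guide or product): parse registry
fragments in the "Name"=dword:... / "Name"="..." form the guide uses and
audit the authentication- and signing-related entries against their
weaker values. Rules, function names and the sample fragment (constructed
from the defaults the guide lists) are this example's own.
"""
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_fragment(text):
    """Return {(key, name): value} with dwords as int and strings as str.
    Lines that are neither keys nor value entries are ignored."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m:
            values[(key, m.group(1))] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            values[(key, m.group(1))] = m.group(2)
    return values


LSASS = "HKEY_THIS_MACHINE\\Services\\lsass\\Parameters"
LWIO = "HKEY_THIS_MACHINE\\Services\\lwio\\Parameters"

# (key, name, weak value, message). Messages restate what the guide says
# each setting controls.
RULES = [
    (LSASS + "\\Providers\\Local", "AcceptNTLMv1", 1,
     "local provider accepts NTLMv1 in addition to NTLMv2"),
    (LSASS + "\\NTLM", "SendNTLMv2", 0,
     "lsass may send NTLMv1 when acting as a client"),
    (LSASS + "\\NTLM", "SupportNTLM2SessionSecurity", 0,
     "NTLM2 session security is disabled"),
    (LSASS + "\\NTLM", "SupportKeyExchange", 0,
     "NTLM session key exchange is disabled"),
    (LSASS + "\\Providers\\ActiveDirectory", "LdapSignAndSeal", 0,
     "LDAP traffic to domain controllers is neither signed nor sealed"),
    (LWIO, "SignMessagesIfSupported", 0,
     "lwio does not sign SMB messages and rejects clients that require signing"),
    (LWIO + "\\Drivers\\srv", "EnableSecuritySignatures", 0,
     "CIFS server does not sign responses to signed requests"),
    (LWIO + "\\Drivers\\srv", "RequireSecuritySignatures", 0,
     "CIFS server accepts clients that do not support signing"),
]


def audit(values):
    """Return [(key, name, message)] for every rule whose weak value is
    present. Entries absent from the fragment are not reported, so export
    the full keys before relying on the result."""
    return [(key, name, msg) for key, name, weak, msg in RULES
            if values.get((key, name)) == weak]


def hardened_fragment():
    """Render the same entries with their hardened values in the form the
    guide's examples use (assumption: importable with the PBIS registry
    tools)."""
    by_key = {}
    for key, name, weak, _ in RULES:
        by_key.setdefault(key, []).append((name, 1 - weak))
    lines = []
    for key, entries in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=dword:%08x' % (n, v) for n, v in entries)
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


# Constructed from the defaults listed in the guide.
DEFAULTS = """
[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\Providers\\Local]
"AcceptNTLMv1"=dword:00000001
[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\NTLM]
"SendNTLMv2"=dword:00000000
"Support128bit"=dword:00000001
"Support56bit"=dword:00000001
"SupportKeyExchange"=dword:00000001
"SupportNTLM2SessionSecurity"=dword:00000001
"SupportUnicode"=dword:00000001
[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\Providers\\ActiveDirectory]
"LdapSignAndSeal"=dword:00000000
"CacheType"="sqlite"
[HKEY_THIS_MACHINE\\Services\\lwio\\Parameters]
"SignMessagesIfSupported"=dword:00000000
[HKEY_THIS_MACHINE\\Services\\lwio\\Parameters\\Drivers\\srv]
"EnableSecuritySignatures"=dword:00000001
"RequireSecuritySignatures"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, msg in audit(parse_fragment(DEFAULTS)):
        print("%s\\%s: %s" % (key, name, msg))
    print(hardened_fragment())
```

Against the documented defaults the audit reports four weaknesses: NTLMv1 accepted by the local provider, NTLMv1 sent by lsass as a client, LDAP neither signed nor sealed, and SMB messages unsigned by lwio. Hardening them trades some performance, as the sections above note, for integrity of directory and file traffic and removal of the NTLMv1 downgrade path, so test logon and share access after the change.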
IV. Troubleshooting
In this section, review some troubleshooting suggestions.
• Troubleshooting Domain Join Problems
• Troubleshooting the PBIS Agent
• Troubleshooting Logon Issues
• Troubleshooting Kerberos
• Troubleshooting the PBIS Database

Troubleshooting Domain-Join Problems
Review the sections in this chapter to resolve domain-join problems.
Top 10 Reasons Domain-Join Fails
Here are the top 10 reasons that an attempt to join a domain fails:
1. Root was not used to run the domain-join command (or to run the domain-join graphical user interface).
2. The user name or password of the account used to join the domain is incorrect.
3. The name of the domain is mistyped.
4. The name of the OU is mistyped.
5. The local hostname is invalid.
6. The domain controller is unreachable from the client because of a firewall or because the NTP service is not running on the domain controller. (See Make Sure Outbound Ports Are Open and Diagnose NTP on Port 123.)
7. The client is running RHEL 2.1 and has an old version of SSH.
8. On SUSE, GDM (dbus) must be restarted. This daemon cannot be automatically restarted if the user logged on with the graphical user interface.
9. On HP-UX and Solaris, dtlogin must be restarted. This daemon cannot be automatically restarted if the user logged on with the HP-UX or Solaris graphical user interface. To restart dtlogin, run the following command: /sbin/init.d/dtlogin.rc start
10. SELinux is turned on by being set to either enforcing or permissive, which is especially likely on Fedora and some versions of Red Hat. SELinux must be set to disabled before the computer can be joined to the domain.
To turn off SELinux, edit the following file, which is the primary configuration file for enabling and disabling SELinux:
/etc/sysconfig/selinux
or
/etc/selinux/config
For instructions on how to edit the file to disable SELinux, see the SELinux man page.
See Also
Generate a Domain-Join Log

Generate a Domain-Join Log
To help troubleshoot problems with joining a domain, you can use the command-line utility's log file option with the join command. The log file option captures information about the attempt to join the domain on the screen or in a file. When an attempt to join a domain fails, a log is generated by default at /var/log/domainjoin-cli.log or /var/adm/domainjoin-cli.log.
• To display the information in the terminal, execute the following command; the dot after the log file option denotes that the information is to be shown in the console:
domainjoin-cli --logfile . join domainName userName
• To save the information in a log file, execute the following command:
domainjoin-cli --logfile path join domainName userName
Example:
domainjoin-cli --logfile /var/log/domainjoin.log join example.com Administrator
Solve Domain-Join Problems
To troubleshoot problems with joining a Linux computer to a domain, perform the following series of diagnostic tests sequentially on the Linux computer with a root account.
The tests can also be used to troubleshoot domain-join problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.
The procedures in this topic assume that you have already checked whether the problem falls under the Top 10 Reasons Domain Join Fails. It is also recommended that you generate a domain-join log.
Verify that the Name Server Can Find the Domain
Run the following command as root:
nslookup YourADrootDomain.com
Make Sure the Client Can Reach the Domain Controller
You can verify that your computer can reach the domain controller by pinging it:
ping YourDomainName

Check DNS Connectivity
The computer might be using the wrong DNS server or none at all. Make sure the nameserver entry in /etc/resolv.conf contains the IP address of a DNS server that can resolve the name of the domain you are trying to join. The IP address is likely to be that of one of your domain controllers.
Make Sure nsswitch.conf Is Configured to Check DNS for Host Names
The /etc/nsswitch.conf file must contain the following line. (On AIX, the file is /etc/netsvc.conf.)
hosts: files dns
Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.
Ensure that DNS Queries Use the Correct Network Interface Card
If the computer is multi-homed, the DNS queries might be going out the wrong network interface card.
Temporarily disable all the NICs except for the card on the same subnet as your domain controller or DNS server and then test DNS lookups to the AD domain.
If this works, re-enable all the NICs and edit the local or network routing tables so that the AD domain controllers are accessible from the host.
Determine If DNS Server Is Configured to Return SRV Records
Your DNS server must be set to return SRV records so the domain controller can be located. It is common for non-Windows (bind) DNS servers to not be configured to return SRV records.
Diagnose it by executing the following command:
nslookup -q=srv _ldap._tcp.ADdomainToJoin.com
Make Sure that the Global Catalog Is Accessible
The global catalog for Active Directory must be accessible. A global catalog in a different zone might not show up in DNS. Diagnose it by executing the following command:
nslookup -q=srv _ldap._tcp.gc._msdcs.ADrootDomain.com
From the list of IP addresses in the results, choose one or more addresses and test whether they are accessible on Port 3268 using telnet.
telnet 192.168.100.20 3268
Trying 192.168.100.20... Connected to sales-dc.example.com (192.168.100.20). Escape character is '^]'. Press the Enter key to close the connection: Connection closed by foreign host.
Verify that the Client Can Connect to the Domain on Port 123
The following test checks whether the client can connect to the domain controller on Port 123 and whether the Network Time Protocol (NTP) service is running on the domain controller. For the client to join the domain, NTP (the Windows time service) must be running on the domain controller.
On a Linux computer, run the following command as root:
ntpdate -d -u DC_hostname
Example: ntpdate -d -u sales-dc
For more information, see Diagnose NTP on Port 123.
In addition, check the logs on the domain controller for errors from the source named w32tm, which is the Windows time service.
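The checks above can be run as one script so that the resolver, nsswitch, SELinux, SRV-record and NTP steps are applied in the same order every time. The script below is an added example and is not part of PBIS or this guide; its function names and the PBIS_PREFLIGHT_RUN variable are my own, and the sample configuration files it writes are constructed so the offline checks can be tried without touching /etc.

```shell
#!/bin/sh
# Domain-join preflight checks covering the sequence above. Added example, not
# part of PBIS or this guide; function names and PBIS_PREFLIGHT_RUN are my own.
# File-based checks take a path so they can run against copies (or the
# constructed samples below); live DNS/NTP checks run only from main.

# Print the nameserver addresses in a resolv.conf; return 1 if there are none.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2; found = 1 } END { exit !found }' "$1"
}

# Return 0 if the hosts: line of nsswitch.conf (netsvc.conf on AIX) lists dns.
nsswitch_hosts_uses_dns() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") ok = 1 }
         END { exit !ok }' "$1"
}

# Print the SELINUX= mode from /etc/selinux/config or /etc/sysconfig/selinux.
# Commented lines are ignored; an absent setting is reported as "disabled".
selinux_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-disabled}"
}

# Run the offline checks; print one FAIL line per problem and return the count.
offline_checks() {
    resolv=$1 nss=$2 selinux=$3 problems=0
    if ! resolv_nameservers "$resolv" >/dev/null; then
        echo "FAIL: $resolv names no DNS server"
        problems=$((problems + 1))
    fi
    if ! nsswitch_hosts_uses_dns "$nss"; then
        echo "FAIL: $nss hosts: line lacks dns (needs 'hosts: files dns')"
        problems=$((problems + 1))
    fi
    if [ -f "$selinux" ] && [ "$(selinux_mode "$selinux")" != disabled ]; then
        echo "FAIL: SELinux is $(selinux_mode "$selinux"); it must be disabled to join"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Live checks from the same sequence: domain name, LDAP SRV records, global
# catalog SRV records, and an NTP reply from the domain controller on UDP 123.
live_checks() {
    domain=$1 dc=$2
    nslookup "$domain" >/dev/null 2>&1 || echo "FAIL: cannot resolve $domain"
    nslookup -q=srv "_ldap._tcp.$domain" 2>/dev/null | grep -q 'service =' \
        || echo "FAIL: no _ldap._tcp SRV records for $domain"
    nslookup -q=srv "_ldap._tcp.gc._msdcs.$domain" 2>/dev/null | grep -q 'service =' \
        || echo "FAIL: no global catalog SRV records for $domain"
    ntpdate -d -u "$dc" 2>&1 | grep -q 'adjust time server' \
        || echo "FAIL: no NTP reply from $dc (UDP 123 blocked or w32time not running)"
}

# Constructed sample files (not from a real host): the nsswitch.conf sample
# shows the Solaris-style omission of dns, and the SELinux sample is enforcing.
write_samples() {
    printf 'search example.com\nnameserver 192.168.100.20\n' > "$1/resolv.conf"
    printf 'passwd: files\nhosts: files\n' > "$1/nsswitch.conf"
    printf '# SELINUX=disabled (comment)\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/selinux"
}

# Demonstrate the offline checks against the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    offline_checks "$dir/resolv.conf" "$dir/nsswitch.conf" "$dir/selinux" || true
    rm -rf "$dir"
}

# Real run, as root: main [domain dc], e.g. main example.com sales-dc
main() {
    offline_checks /etc/resolv.conf /etc/nsswitch.conf /etc/selinux/config || true
    if [ $# -eq 2 ]; then live_checks "$1" "$2"; fi
}
if [ "${PBIS_PREFLIGHT_RUN:-0}" = 1 ]; then main "$@"; fi
```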
FreeBSD: Run ldconfig If You Cannot Restart Computer
When installing PBIS on a new FreeBSD computer with nothing in /usr/local, run /etc/rc.d/ldconfig start after the installation if you cannot restart the computer. Otherwise, /usr/local/lib will not be in the library search path.
Ignore Inaccessible Trusts
An inaccessible trust can block you from successfully joining a domain. If you know that there are inaccessible trusts in your Active Directory network, you can set PowerBroker Identity Services to ignore all the trusts before you try to join a domain. To do so, use the config tool to modify the values of the DomainManagerIgnoreAllTrusts setting.
First, list the available trust settings:
/opt/pbis/bin/config --list | grep -i trust
The results will look something like this. The setting at issue is DomainManagerIgnoreAllTrusts.
DomainManagerIgnoreAllTrusts
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
Second, list the details of the DomainManagerIgnoreAllTrusts setting to see the values it accepts:
[root@rhel5d bin]# ./config --details DomainManagerIgnoreAllTrusts
Name: DomainManagerIgnoreAllTrusts
Description: When true, ignore all trusts during domain enumeration.
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.
Third, change the setting to true so that PBIS will ignore trusts when you try to join a domain.
[root@rhel5d bin]# ./config DomainManagerIgnoreAllTrusts true
Finally, check to make sure the change took effect:
[root@rhel5d bin]# ./config --show DomainManagerIgnoreAllTrusts
boolean
true
local policy
Now try to join the domain again. If successful, keep in mind that only users and groups who are in the local domain will be able to log on the computer.
In the example output above that shows the setting's current values, local policy is listed, meaning that the setting is managed locally through config because a PBIS Group Policy setting is not managing the setting. Typically, with PBIS Enterprise, you would manage the DomainManagerIgnoreAllTrusts setting by using the corresponding Group Policy setting, but you cannot apply Group Policy Objects (GPOs) to the computer until after it is added to the domain. The corresponding PBIS policy setting is named Lsass: Ignore all trusts during domain enumeration. For more information on the domain manager policy settings to configure whitelists and blacklists for trusts, see the PowerBroker Identity Services Group Policy Administration Guide.
For information on the arguments of config, run the following command:
/opt/pbis/bin/config --help

Resolving Common Error Messages
This section lists solutions to common errors that can occur when you try to join a domain.
Configuration of Krb5
Error Message:
Warning: A resumable error occurred while processing a module.
Even though the configuration of 'krb5' was executed, the configuration did not fully complete. Please contact BeyondTrust support.
Solution:
Delete /etc/krb5.conf and try to join the domain again.
Chkconfig Failed
This error can occur when you try to join a domain or you try to execute the domain-join command with an option but the netlogond daemon is not already running.
Error Message:
Error: chkconfig failed [code 0x00080019]
Description: An error occurred while using chkconfig to process the netlogond daemon, which must be added to the list of processes to start when the computer is rebooted. The problem may be caused by startup scripts in the /etc/rc.d/ tree that are not LSB-compliant.
Verification: Running the following command as root can provide information about the error:
chkconfig --add netlogond
Solution:
Remove startup scripts that are not LSB-compliant from the /etc/rc.d/ tree.
Replication Issues
The following error might occur if there are replication delays in your environment. A replication delay might occur when the client is in the same site as an RODC.
Error Message:
Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database
[root@rhel6-1 ~]# echo $?
1
[root@rhel6-1 ~]# /opt/pbis/bin/domainjoin-cli query
Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database
Solution:
After the error occurs, wait 15 minutes, and then run the following command to restart PBIS:
/opt/pbis/bin/lwsm restart lwreg
Diagnose NTP on Port 123
When you use the PBIS domain-join utility to join a Linux or Unix client to a domain, the utility might be unable to contact the domain controller on Port 123 with UDP. The PBIS agent requires that Port 123 be open on the client so that it can receive NTP data from the domain controller. In addition, the time service must be running on the domain controller.
You can diagnose NTP connectivity by executing the following command as root at the shell prompt of your Linux computer:
ntpdate -d -u DC_hostname
Example: ntpdate -d -u sales-dc
If all is well, the result should look like this:
[root@rhel44id ~]# ntpdate -d -u sales-dc
2 May 14:19:20 ntpdate[20232]: [email protected] Thu Apr 20 11:28:37 EDT 2006 (1)
Looking for host sales-dc and service ntp
host found: sales-dc.example.com
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
server 192.168.100.20, port 123
stratum 1, precision -6, leap 00, trust 000
refid [LOCL], delay 0.04173, dispersion 0.00182
transmitted 4, in filter 4
reference time:      cbc5d3b8.b7439581  Fri, May  2 2008 10:54:00.715
originate timestamp: cbc603d8.df333333  Fri, May  2 2008 14:19:20.871
transmit timestamp:  cbc603d8.dda43782  Fri, May  2 2008 14:19:20.865
filter delay:  0.04207  0.04173  0.04335  0.04178
               0.00000  0.00000  0.00000  0.00000
filter offset: 0.009522 0.008734 0.007347 0.005818
               0.000000 0.000000 0.000000 0.000000
delay 0.04173, dispersion 0.00182
offset 0.008734
2 May 14:19:20 ntpdate[20232]: adjust time server 192.168.100.20 offset 0.008734 sec
Output When There Is No NTP Service
If the domain controller is not running NTP on Port 123, the command returns a response such as "no server suitable for synchronization found", as in the following output:
5 May 16:00:41 ntpdate[8557]: [email protected] Apr 20 11:28:37 EDT 2006 (1)
Looking for host RHEL44ID and service ntp
host found: rhel44id.example.com
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
127.0.0.1: Server dropped: no data
server 127.0.0.1, port 123
stratum 0, precision 0, leap 00, trust 000
refid [127.0.0.1], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time:      00000000.00000000  Wed, Feb  6 2036 22:28:16.000
originate timestamp: 00000000.00000000  Wed, Feb  6 2036 22:28:16.000
transmit timestamp:  cbca101c.914a2b9d  Mon, May  5 2008 16:00:44.567
filter delay:  0.00000  0.00000  0.00000  0.00000
               0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
               0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000
5 May 16:00:45 ntpdate[8557]: no server suitable for synchronization found
Turn off Apache to Join a Domain
The Apache web server locks the keytab file, which can block an attempt to join a domain. If the computer is running Apache, stop Apache, join the domain, and then restart Apache.

Troubleshooting the PBIS Agent
This chapter contains information on how to troubleshoot the PBIS agent, including the authentication service, the input-output service, and the network logon service.
Troubleshooting guidance related to specific subjects is also provided in other guides:
• For information about troubleshooting the Group Policy Agent, see the PowerBroker Identity Services Group Policy Administration Guide.
• For information about troubleshooting Samba integration, see the PowerBroker Identity Services Samba Guide.
• For an overview of commands such as rpm and dpkg that can help troubleshoot PBIS packages on Linux and Unix platforms, see PowerBroker Identity Services Package Management Commands.
PBIS Services
The PBIS Service Manager lets you troubleshoot all the PBIS services from a single command-line utility. You can, for example, check the status of the services and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the right order.
To list the status of the services, run the following command with superuser privileges at the command line:
/opt/pbis/bin/lwsm list
Here is an example:
[root@cent64b62 ~]# /opt/pbis/bin/lwsm list
lwreg        running (container: 4241)
dcerpc       stopped
eventfwd     running (container: 4436)
eventlog     running (container: 4300)
gpagent      running (container: 4351)
lsass        running (container: 4335)
lwio         running (container: 4319)
lwpkcs11     stopped
lwsc         stopped
netlogon     running (container: 4310)
rdr          running (io: 4319)
reapsysl     running (container: 4400)
usermonitor  running (container: 4447)
To restart the lsass service, run the following command with superuser privileges:
/opt/pbis/bin/lwsm restart lsass
To view all the service manager's commands and arguments, execute the following command:
/opt/pbis/bin/lwsm --help
For more about PBIS services, see Services.
Check the Status of the Authentication Service
You can check the status of the authentication service on a Unix or Linux computer running the PBIS agent by executing the following command at the shell prompt as the root user:
/opt/pbis/bin/lwsm status lsass
If the service is not running, execute the following command:
/opt/pbis/bin/lwsm start lsass
Check the Status of the DCE/RPC Service
The DCE/RPC service manages communication between PBIS clients and Microsoft Active Directory.
On Linux and Unix
You can check the status of dcerpcd on a Unix or Linux computer running the PBIS agent by running the following command as the root user:
/opt/pbis/bin/lwsm status dcerpc
If the service is not running, run the following command:
/opt/pbis/bin/lwsm start dcerpc
On Mac OS X
On a Mac OS X computer, you cannot use the status command, but you can monitor the service using Activity Monitor:
In Finder, click Applications, click Utilities, and then click Activity Monitor.
In the list under Process Name, make sure dcerpcd appears. If the process does not appear in the list, you might need to start it.
To monitor the status of the process, in the list under Process Name, click the process, and then click Inspect.
Check the Status of the Network Logon Service
The netlogon service detects the optimal domain controller and global catalog and caches the data.
On Linux, Unix, and Mac
You can check the status of netlogon on a Unix, Linux, or Mac computer running the PBIS agent by executing the following command as the root user:
/opt/pbis/bin/lwsm status netlogon
If the service is not running, execute the following command:
/opt/pbis/bin/lwsm start netlogon
On Mac OS X
On a Mac OS X computer, you can monitor the service by using Activity Monitor:
1. In Finder, click Applications, click Utilities, and then click Activity Monitor.
2. In the list under Process Name, make sure the process name appears. If the process does not appear in the list, you may need to start it.
3. To monitor the status of the process, in the list under Process Name, click the process, and then click Inspect.
Check the Status of the Input-Output Service
The PBIS input-output service, lwio, communicates over SMB with external SMB servers and internal processes.
You can check the status of lwio on a Unix, Linux, or Mac computer running the PBIS agent by executing the following command as the root user:
/opt/pbis/bin/lwsm status lwio
If the service is not running, execute the following command:
/opt/pbis/bin/lwsm start lwio
Restart the Authentication Service
The authentication service handles authentication, authorization, caching, and idmap lookups. For more information, see PBIS Agent.
You can restart the PBIS authentication service by executing the following command at the shell prompt:
/opt/pbis/bin/lwsm restart lsass
To stop the service, type this command:
/opt/pbis/bin/lwsm stop lsass
To start the service, type this command:
/opt/pbis/bin/lwsm start lsass
Restart the DCE/RPC Service
The PBIS DCE/RPC service helps route remote procedure calls between computers on a network by serving as an end-point mapper. For more information, see PBIS Agent.
You can restart the DCE/RPC service by running the following command at the shell prompt:
/opt/pbis/bin/lwsm restart dcerpc
To stop the daemon, type this command:
/opt/pbis/bin/lwsm stop dcerpc
To start the daemon, type this command:
/opt/pbis/bin/lwsm start dcerpc
Restart the Network Logon Service
The netlogon service determines the optimal domain controller and global catalog and caches the data. For more information and a list of start-order dependencies, see PBIS Agent.
You can restart the PBIS network logon service by executing the following command at the shell prompt:
/opt/pbis/bin/lwsm restart netlogon
To stop the service, type this command:
/opt/pbis/bin/lwsm stop netlogon
To start the service, type this command:
/opt/pbis/bin/lwsm start netlogon
Restart the Input-Output Service
The PBIS input-output service, lwio, communicates over SMB with SMB servers; authentication is with Kerberos 5.
You can restart the input-output service by executing the following command at the shell prompt:
/opt/pbis/bin/lwsm restart lwio
To stop the service, type this command:
/opt/pbis/bin/lwsm stop lwio
To start the service, type this command:
/opt/pbis/bin/lwsm start lwio
Note: If you start the lwio service and the rdr service does not also start, use the following command to start the rdr service:
/opt/pbis/bin/lwsm start rdr
Logging
Logging can help identify and solve problems. There are debug logs for the following services in PBIS Open and PBIS Enterprise:
• lsass - The authentication service. Generate a debug log for lsass when you need to troubleshoot authentication errors or failures.
• PAM - The pluggable authentication modules used by PBIS. Create a debug log for PAM when you need to troubleshoot logon or authentication problems.
• netlogon - The site affinity service that detects the optimal domain controller and global catalog. Generate a debug log for netlogon when you need to troubleshoot problems with sending requests to domain controllers or getting information from the global catalog.
• lwio - The input-output service that manages interprocess communication.
• eventlog - The event collection service. Generate a debug log for eventlog to troubleshoot the collection and processing of security events.
• lwreg - The PBIS registry service. Generate a debug log for lwreg to troubleshoot ill-fated configuration changes to the registry.
• lwsm - The service manager.
• reapsysl - Part of the data collection service. Capture a debug log for reapsysl to investigate the collection and processing of events.
• Mac OS X directory service plug-in
In addition, the following services are part of PBIS Enterprise only:
• gpagent - The Group Policy agent. Generate a debug log for gpagent to troubleshoot the application or processing of Group Policy Objects (GPOs).
• eventfwd - The event forwarding service. Generate a debug log to verify that the service is receiving events and forwarding them to a collector server.
• lwsc - The smart card service. Gather logging information for the smart card service when card-insertion or card-removal behavior is other than expected.
• lwpkcs11 - A service that aids in logging on and logging off with a smart card. Gather logging information about it when there is a problem logging on or logging off with a smart card.
By default, log messages are processed by syslog, typically through the daemon facility. Although the path and file name of the log vary by platform, they typically appear in a subdirectory of /var/log. Note that when you change the log level of a PBIS service to debug, you may also need to update the syslog configuration (typically /etc/syslog.conf) with the following line and then restart the syslog service:
*.debug    /tmp/debug.log
Alternatively, you can log directly to a file, as the procedure to Change the Target illustrates.
Log levels can be changed temporarily or permanently.
• To temporarily change the log level, you can use /opt/pbis/bin/lwsm to specify the log level and whether to log to the syslog or directly to a file.
• To permanently change the log level, you must modify the service's entry in the PBIS registry.
The following log levels are available for most PBIS services: always, debug, error, warning, info, verbose, and trace. The default is error.
To troubleshoot, it is recommended that you change the level to debug. However, to conserve disk space, it is recommended that you set the log level to the default level when you finish troubleshooting.
Tip: Ignore errors caused by reapsysl service
The following are the pipes by which su, sudo, and local user (root) sshd logons are captured with the PBIS auditing system. They are system pipes created by the reapsysl service. PBIS cannot start the reapsysl service before syslog starts because of a complex series of dependencies on the system. Therefore, these errors are generated and should be ignored. Reapsysl will recreate the pipes as necessary.
robbie@example:~$ sudo ls -la /var/lib/pbis/syslog-reaper/
total 28
drwx------ 2 root root 4096 Mar  7 12:54 .
drwxr-xr-x 8 root root 4096 May 10 13:27 ..
prwx------ 1 root root    0 Mar  7 12:54 error
prwx------ 1 root root    0 Mar  7 12:54 information
prwx------ 1 root root    0 Mar  7 12:54 warning

Temporarily Change the Log Level and Target for a Service
The service manager supports per-service, per-facility logging. Each service has a default log target (syslog) and level (WARNING).
Change the Target
You can use the following command to change the log target for a particular service and facility to log to a file:
/opt/pbis/bin/lwsm set-log-target <service> <facility> file <path>
You can use the following command to change the log target for a particular service and facility to the syslog:
/opt/pbis/bin/lwsm set-log-target <service> <facility> syslog
The service can be any PBIS service except dcerpc, which has its own logging mechanism.
The facility is a portion of the service, and the default facility is accessed as -. For example, to target the logging messages from the default facility of lsass to the file /var/log/lsass.log:
/opt/pbis/bin/lwsm set-log-target lsass - file /var/log/lsass.log
If you want to debug the interprocess communications of lsass (something rarely required), you can use the lsass-ipc facility:
/opt/pbis/bin/lwsm set-log-target lsass lsass-ipc file /tmp/lsass-ipc.log
Change the Log Level
To change the level of logging in the default facility of lsass to debug:
/opt/pbis/bin/lwsm set-log-level lsass - debug
The supported log levels are always, error, warning, info, verbose, debug, trace.
Changing the log level temporarily can help you isolate and capture information when a command or operation fails. For example, if you run a command and it fails, you can change the log level and then run the command again to get information about the failure.
View Log Settings
To view the current level and target of logging of a service, enter the following command:
/opt/pbis/bin/lwsm get-log <service>
For example, entering the following command
/opt/pbis/bin/lwsm get-log lsass
produces the following result
<default>: syslog LOG_DAEMON at ERROR
This indicates that the lsass service's default log level is error and is directed to syslog's daemon facility.
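The steps in this topic (read the current level with get-log, switch the default facility to a debug file, rerun the failing command, restore the level) can be wrapped so the restore is never forgotten. The function below is an added example, not PBIS code or the guide's; level_from_get_log and with_debug_log are my own names, and LWSM is an assumed variable that defaults to /opt/pbis/bin/lwsm. It assumes the get-log line has the form shown above and puts the target back to syslog, the default the topic states.

```shell
#!/bin/sh
# Run one failing command with a PBIS service's default facility at debug
# level, logging to a file, then restore the previous level and the syslog
# target. Added example, not PBIS code or the guide's; LWSM is an assumed
# variable so the function can also be exercised against a stand-in.
LWSM=${LWSM:-/opt/pbis/bin/lwsm}

# Extract the level from a get-log line of the form shown above,
#   <default>: syslog LOG_DAEMON at ERROR
# lower-cased, which is the spelling set-log-level accepts.
level_from_get_log() {
    printf '%s\n' "$1" | sed -n 's/.* at \([A-Za-z]*\)[[:space:]]*$/\1/p' | tr 'A-Z' 'a-z'
}

# with_debug_log <service> <logfile> <command...>
# Returns the command's exit status. The level is restored even when the
# command fails, so debug logging does not stay on and fill the disk.
with_debug_log() {
    service=$1 logfile=$2
    shift 2
    current=$("$LWSM" get-log "$service" | head -n 1)
    old_level=$(level_from_get_log "$current")
    : "${old_level:=error}"    # the guide's stated default if the line is unparsable
    "$LWSM" set-log-target "$service" - file "$logfile"
    "$LWSM" set-log-level "$service" - debug
    rc=0
    "$@" || rc=$?
    "$LWSM" set-log-level "$service" - "$old_level"
    "$LWSM" set-log-target "$service" - syslog
    echo "command exited $rc; debug output from $service is in $logfile" >&2
    return $rc
}

# Example use on a live host, as root (the account name is a placeholder):
#   with_debug_log lsass /tmp/lsass-debug.log id 'example.com\kathy'
```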
Generate a Directory Service Log on a Mac
To troubleshoot logon failures on a Mac OS X computer, you can generate a debug-level directory service log. For information on turning on debug-level logs, see Enabling Directory Service Debug Logging on the Apple support website.
Using the killall -USR1 command that Apple suggests, however, puts the directory service into debug logging mode for only about 5 minutes. Instead, try using the following commands:
sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo killall DirectoryService
Reproduce the error and then scan the logs named DirectoryService.debug.log in /Library/Logs/DirectoryService.
Look for messages containing the string LWEDS, which indicates that they are produced by the PBIS directory service plug-in.
Examine the logs from the time the user entered a password. If the logs suggest that there may be a networking issue, obtain a tcpdump from the time the password is entered until you notice the logon failure:
tcpdump -s0 -w network.pcap
When you are done troubleshooting, turn off debug logging and restart the directory service by issuing the following commands:
sudo rm /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo killall DirectoryService
On Mac OS X Lion
On the Mac OS X Lion operating system, use the following command to enable logging:
sudo odutil set log debug
Logs are stored in /var/log/opendirectoryd.log.
You can revert to standard logging by using the following command:
odutil set log default
Generate a Network Trace
Execute the following command in a separate session to dump network traffic as the root user and interrupt the trace with CTRL-C:
tcpdump -s0 -i eth0 -w trace.pcap
The result should look something like this:
tcpdump: listening on eth0
28 packets received by filter
0 packets dropped by kernel
Basic Troubleshooting
The following are basic steps for troubleshooting issues related to the PBIS agent.
Check the Version and Build Number
You can check the version and build number of the PBIS agent from computers that are running Linux, Unix, or Mac OS X, or from a computer that is connected to the domain controller and is running Windows.
Check From Linux, Unix, or Mac OS X
To check the version number of the PBIS agent from a computer running Linux, Unix, or Mac OS X, execute the following command:
cat /opt/pbis/data/ENTERPRISE_VERSION
Another option is to execute the following command:
/opt/pbis/bin/get-status
Check the Build Number of the Agent
On Linux distributions that support RPM (for example, Red Hat Enterprise Linux, Fedora, SUSE Linux Enterprise, OpenSUSE, and CentOS), you can determine the version and build number of the agent (7.5.0.xxxx in the examples below) by executing the following command at the shell prompt:
rpm -qa | grep pbis
The result shows the build version after the version number:
pbis-enterprise-gui-7.5.0-881.x86_64
pbis-enterprise-7.5.0-881.x86_64
On Unix computers and Linux distributions that do not support RPM, the command to check the build number varies by platform:
Platform            Command
Debian and Ubuntu   dpkg -S /opt/pbis/
Solaris             pkginfo | grep -i pbis
AIX                 lslpp -l | grep pbis
HP-UX               swlist | grep -i pbis
Check From Windows
To check the version and build number of the PBIS agent from a Windows administration workstation that is connected to your domain controller:
1. In Active Directory Users and Computers, right-click the Linux, Unix, or Mac computer that you want, and then click Properties.
2. Click the Operating System tab. The build number is shown in the Service pack box.
Determine a Computer's FQDN
You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command at the shell prompt:
ping -c 1 `hostname`
On HP-UX
The command is different on HP-UX:
ping `hostname` -n 1
On Solaris
On Sun Solaris, you can find the FQDN by executing the following command (the computer's configuration can affect the results):
FQDN=`/usr/lib/mail/sh/check-hostname | cut -d " " -f 7`; echo $FQDN
See Also
Join Active Directory Without Changing /etc/hosts

Make Sure Outbound Ports Are Open
If you are using local firewall settings, such as iptables, on a computer running the PBIS agent, make sure the following ports are open for outbound traffic.
Note: The PBIS agent is a client only; it does not listen on any ports.
Port   Protocol   Use
53     UDP/TCP    DNS
88     UDP/TCP    Kerberos 5
123    UDP        NTP
389    UDP/TCP    LDAP
445    TCP        SMB over TCP
464    UDP/TCP    Computer password changes (typically after 30 days)
1433   TCP        Connection to SQL Server (Whatever port you are using for SQL must be open. The default port for SQL is 1433.)
3268   TCP        Global Catalog search
Tip: To view the firewall rules on a Linux computer using iptables, execute the following command:
iptables -nL
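To check a host's OUTPUT chain against this table rather than reading it by eye, the script below parses an iptables -nL OUTPUT listing and reports the port/protocol pairs that no ACCEPT rule covers. It is an added example, not part of PBIS or the guide; the ruleset it contains is constructed, accepted_ports and missing_ports are my own names, and SQL_PORT is an assumed variable for the "whatever port you are using for SQL" entry. It matches on port and protocol only, not on destination address.

```shell
#!/bin/sh
# Audit an "iptables -nL OUTPUT" listing for the outbound ports the PBIS agent
# needs (table above). Added example, not part of PBIS or the guide; the sample
# ruleset is constructed. Matching is on port/protocol only: a rule limited to
# one destination counts even if other domain controllers are not covered.
SQL_PORT=${SQL_PORT:-1433}   # "whatever port you are using for SQL"
REQUIRED="53/udp 53/tcp 88/udp 88/tcp 123/udp 389/udp 389/tcp 445/tcp 464/udp 464/tcp 3268/tcp $SQL_PORT/tcp"

# Constructed sample listing: LDAP over UDP (389/udp) and computer password
# changes (464/udp, 464/tcp) are missing; everything else in the table is open.
SAMPLE_RULES='Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            192.168.100.20       udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20       tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            192.168.100.20       udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20       multiport dports 88,389,3268
ACCEPT     udp  --  0.0.0.0/0            192.168.100.20       udp dpt:88
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20       tcp dpt:445
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.30       tcp dpt:1433'

# Print one "port/proto" line for every port an ACCEPT rule opens. Understands
# "dpt:N" and "multiport dports a,b,c:d" (ranges are expanded); prints ANY when
# the chain policy itself is ACCEPT.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "Chain" && /policy ACCEPT/ { print "ANY"; next }
        $1 != "ACCEPT" { next }
        {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^dpt:/) emit(substr($i, 5), $2)
                else if ($i == "dports") {
                    n = split($(i + 1), list, ",")
                    for (j = 1; j <= n; j++) emit(list[j], $2)
                }
            }
        }
        function emit(spec, proto,   lo, hi, k, r) {
            if (split(spec, r, ":") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = spec + 0; hi = lo }
            for (k = lo; k <= hi; k++) print k "/" proto
        }'
}

# Print the required pairs that no rule covers; return 1 if any are missing.
missing_ports() {
    accepted=$(accepted_ports "$1")
    case "$accepted" in *ANY*) return 0 ;; esac
    missing=''
    for pair in $REQUIRED; do
        printf '%s\n' "$accepted" | grep -qx "$pair" || missing="$missing $pair"
    done
    [ -n "$missing" ] || return 0
    printf '%s\n' $missing    # unquoted on purpose: one pair per line
    return 1
}

# Usage on a live host (as root): missing_ports "$(iptables -nL OUTPUT)"
```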
Check the File Permissions of nsswitch.conf
For PowerBroker Identity Services to work correctly, the /etc/nsswitch.conf file must be readable by user, group, and world. The following symptoms indicate that you should check the permissions of nsswitch.conf:
• Running the id command with an AD account as the argument (example: id example.com\\kathy) works when it is executed as root, but when the same command is executed by the AD user, it returns only a UID and GID without a name.
• Getting an "I have no name!" or "intruder alert" error message for non-root users.
• On HP-UX, running the whoami command with an AD user account returns "Intruder alert."

ConfigureSSHAfterUpgradingIt
AfterSSHisupgraded,runthefollowingcommandasroottomakesurethat
thesshd_configfileissetupproperlytoworkwithPowerBrokerIdentity
Services:
domainjoin-cliconfigure--enablessh
UpgradinganOperatingSystem
Afterupgradinganoperatingsystemorinstallingakernelpatch,youshould
rerunthedomain-joincommandtomakesurethatthefilesrelatedtothe
operatingsystem,suchasPAMandnsswitch,areconfiguredproperlyto
workwithPowerBrokerIdentityServices.Re-executingthedomain-join
commandalsoupdatestheoperatingSystemVersion valueandthe
operatingSystemServicePack valueinActiveDirectorysothePBIS
reportingtoolreflectsthecorrectversionnumbers.
Anothersuggestion,nearlyuniversalinscope,istoapplyupdatestotest
systemsbeforeyouapplyupdatestoproductionsystems,givingyouthe
opportunitytoidentifyandresolvepotentialissuesbeforetheycanaffect
productionmachines.
Accounts
Thefollowingtopicsprovidehelpwithtroubleshootingaccountissues.
AllowAccesstoAccountAttributes
PBISEnterpriseiscompatiblewithSmallBusinessServer2003.However,
becausetheserverlocksdownseveraluseraccountvaluesbydefault,you
mustcreateagroupinActiveDirectoryforyourUnixcomputers,addeach
PBISclientcomputertoit,andconfigurethegrouptoreadalluser
information.
OnotherversionsofWindowsServer,theuseraccountvaluesareavailable
bydefault.If,however,youuseanADsecuritysettingtolockthemdown,
theywillbeunavailabletothePBISagent.
TofindUnixaccountinformation,thePBISagentrequiresthattheAD
computeraccountforthemachinerunningPBIScanaccesstheattributesin
thefollowingtable.
Attribute Requirement
uid RequiredwhenyouusePBISEnterpriseinschemamode.
uidNumber RequiredwhenyouusePBISEnterpriseinschemamode.
PBISEnterpriseInstallationandAdministration TroubleshootingthePBISAgent
BeyondTrust
®
June21,2013 317

Attribute Requirement
gidNumber RequiredwhenyouusePBISEnterpriseinschemamode.
userAccountControlRequiredforDirectoryIntegratedmodeandSchemalessmode.
Itisalsorequiredforunprovisionedmode,whichmeansthatyou
havenotcreatedaPowerBrokercellinActiveDirectory,aswill
bethecaseifyouareusingPBISOpen.
To allow access to account attributes:
1. In Active Directory Users and Computers, create a group named Unix Computers.
2. Add each PBIS client computer to the group.
3. In the console tree, right-click the domain, choose Delegate Control, click Next, click Add, and then enter the group named Unix Computers.
4. Click Next, select Delegate the following common tasks, and then in the list select Read all user information.
5. Click Next, and then click Finish.
6. On the target Unix, Linux, or Mac computer, restart the PBIS agent to reinitialize the computer account's logon to Active Directory and to get the new information about group membership.
7. Run /opt/pbis/enum-users to verify that you can read user information.
See Also
Storage Modes
User Settings Are Not Displayed in ADUC
If there is no group in a cell that can serve as the user's primary GID—for instance, because the default primary group, domain users, has been removed from the cell—the PBIS Settings tab for a user in ADUC will not display the user or group settings, as shown in the screenshot below. To display the settings, enable a group that the user is a member of.
Resolve an AD Alias Conflict with a Local Account
When you use PowerBroker Identity Services to set an Active Directory alias for a user, the user can have a file-ownership conflict under the following conditions if the user logs on with the AD account:
• The AD alias is the same alias as the original local account name.
• The home directory assigned to the user in Active Directory is the same as the local user's home directory.
• The owner UID-GID of the AD account is different from that of the local account.
To avoid such conflicts, by default PBIS includes the short AD domain name in each user's home directory. If the conflict nevertheless occurs, there are two options to resolve it:
• Make sure that the UID assigned to the user's AD alias is the same as that of the user's local account. See Specify a User ID and Unix or Linux Settings.
• Log on as root and use the chown command to recursively change the ownership of the local account's resources to the AD user alias.
Change Ownership
Log on the computer as root and execute the following commands:
cd <user's home directory root>
chown -R <AD user UID>:<AD primary group ID> *.*
Or:
chown -R <short domain name>\\<account name>:<short domain name>\\<AD group name> *.*
Tip: Generate report to identify problems
You can generate reports to help identify duplicates and inconsistencies. For more information, see Configuring the PBIS Reporting Database and Generate a Sample Report.
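The ownership change above, as an added shell example that is not from the guide: it selects objects by their current owner with find, so dotfiles and names without a dot (which the *.* glob skips) are covered while files that belong to other accounts are left alone. The function name and its four arguments (home directory, old local UID, new AD UID, new AD primary GID) are assumptions.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: re-own a local account's files to the
# AD alias. Instead of "chown -R ... *.*" it walks the home directory with find and
# only touches objects still owned by the old local UID (dotfiles included).
#   $1 home directory   $2 old local UID   $3 new AD UID   $4 new AD primary GID
pbis_reown_home() {
    home=$1
    old_uid=$2
    new_uid=$3
    new_gid=$4

    [ -d "$home" ] || { echo "pbis_reown_home: no such directory: $home" >&2; return 2; }
    for n in "$old_uid" "$new_uid" "$new_gid"; do
        case $n in
            ''|*[!0-9]*) echo "pbis_reown_home: UIDs and GIDs must be numeric" >&2; return 2 ;;
        esac
    done

    # Count what is about to change so the caller can confirm the scope first.
    count=$(find "$home" -user "$old_uid" -print | wc -l | tr -d ' ')

    # -h re-owns a symlink itself rather than following it to a file that may live
    # outside the home directory; everything not owned by $old_uid is left untouched.
    find "$home" -user "$old_uid" -exec chown -h "$new_uid:$new_gid" {} +

    echo "$count"
}
```

Run it as root after confirming the printed count matches what the reporting tool shows for the account; the same function works for the DOMAIN\\name form if you pass names instead of numbers and drop the numeric check.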
Fix the Shell and Home Directory Paths
Symptom: A local directory is in the home directory path and the home directory path does not match the path specified in Active Directory or in /etc/password.
Example: /home/local/DOMAIN/USER instead of /home/DOMAIN/USER
The shell might also be different from what is set in Active Directory—for example, /bin/ksh instead of /bin/bash.
Problem: The computer is not in a PowerBroker cell in Active Directory.
Solution: Make sure the computer is in a PowerBroker cell. For more information, see Associate a Cell with an OU or a Domain, or Create a Default Cell.
A default cell handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers. For instance, a Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the home directory and shell settings are obtained from the nearest parent cell or the default cell. If there is no parent cell and no default cell, the computer will not receive its shell and home directory paths from Active Directory.
See Also
Set the Default Home Directory
Set the Default Login Shell
Troubleshoot with the Get Status Command
The /opt/pbis/bin/get-status command shows whether the domain or the PBIS AD provider is offline. The results of the command include information useful for general troubleshooting.
/opt/pbis/bin/get-status
Here is an example of the information the command returns:
[root@rhel5d bin]# /opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 6.1.272.54796
Packaged product version: 6.1.272.54796
Uptime:                  15 days 21 hours 24 minutes 1 seconds
[Authentication provider: lsa-activedirectory-provider]
        Status:        Online
        Mode:          Un-provisioned
        Domain:        EXAMPLE.COM
        Forest:        example.com
        Site:          Default-First-Site-Name
        Online check interval:  300 seconds
        [Trusted Domains: 1]
        [Domain: EXAMPLE]
                DNS Domain:       example.com
                Netbios name:     EXAMPLE
                Forest name:      example.com
                Trustee DNS name:
                Client site name: Default-First-Site-Name
                Domain SID:       S-1-5-21-3190566242-1409930201-3490955248
                Domain GUID:      71c19eb5-1835-f345-ba15-0595fb5b62e3
                Trust Flags:      [0x000d]
                                  [0x0001 - In forest]
                                  [0x0004 - Tree root]
                                  [0x0008 - Primary]
                Trust type:       Up Level
                Trust Attributes: [0x0000]
                Trust Direction:  Primary Domain
                Trust Mode:       In my forest Trust (MFT)
                Domain flags:     [0x0001]
                                  [0x0001 - Primary]
                [Domain Controller (DC) Information]
                        DC Name:              w2k3-r2.example.com
                        DC Address:           192.168.92.20
                        DC Site:              Default-First-Site-Name
                        DC Flags:             [0x000003fd]
                        DC Is PDC:            yes
                        DC is time server:    yes
                        DC has writeable DS:  yes
                        DC is Global Catalog: yes
                        DC is running KDC:    yes
[Authentication provider: lsa-local-provider]
        Status:        Online
        Mode:          Local system
        Domain:        RHEL5D
Troubleshoot User Rights with Ldp.exe and Group Policy Modeling
The following Microsoft default domain policy and default domain controller policy can cause a PBIS client to fail to join a domain or to fail to enumerate trusts:
• Access this computer from the network. Users and computers that interact with remote domain controllers require the Access this computer from the network user right. Users, computers, and service accounts can lose the user right by being removed from a security group that has been granted the right. Removing the administrators group or the authenticated users group from the policy setting can cause domain join to fail. Microsoft says, "There is no valid reason for removing Enterprise Domain Controllers group from this user right."
• Deny access to this computer from the network. Including the domain computers group in the policy setting, for instance, causes domain-join to fail.
The symptoms of a user-right problem can include the following:
• An attempt to join the domain is unsuccessful.
• The PBIS authentication service, lsass, does not start.
• The /opt/pbis/bin/get-status command shows the domain or the AD provider as offline.
You can pin down the issue by using the ldp.exe tool to check whether you can access AD by using the machine account and machine password. Ldp.exe is typically included in the support tools (suptools.msi) for Windows and located on the Windows installation CD (Support folder, Tools subfolder). You might also be able to download the support tools that contain ldp.exe from the Microsoft website.
To resolve a user-right issue, you can use Group Policy Modeling in the Group Policy Management Console (GPMC) to find the offending policy setting and then modify it with the Group Policy Management Editor (or the Group Policy Object Editor).
1. On the PBIS client, run the /opt/pbis/bin/lsa ad-get-machine password command as root to get the machine password stored in Active Directory:
/opt/pbis/bin/lsa ad-get-machine password
Machine Password Info:
  DNS Domain Name: EXAMPLE.COM
  NetBIOS Domain Name: EXAMPLE
  Domain SID: S-1-5-21-3190566242-1409930201-3490955248
  SAM Account Name: RHEL5D$
  FQDN: rhel5d.example.com
  Join Type: 1
  Key Version: 0
  Last Change Time: 129401233790000000
  Password: i(2H2e41F7tHN275
2. On a Windows administrative workstation that can connect to AD, start ldp.exe and connect to the domain. (See the LDP UI article for more information.)
3. In LDP, on the Connection menu, click Bind, and then use the PBIS client's SAM account name and machine password from the output of the lsa ad-get-machine password command to bind to the directory.
If the attempt to bind with the machine account and the machine password fails because of invalid credentials, as shown in the LDP output below, go to the GPMC and use Group Policy Modeling to try to identify the policy setting causing the problem.
4. In the GPMC, run Group Policy Modeling to pinpoint the offending policy setting and then modify the policy setting to grant the correct level of user right to the computer or user. For more information, see Group Policy Modeling.
In the following screenshot, for example, the cause of the problem is that the Deny access to this computer from the network policy setting in the Default Domain Policy GPO contains the domain computers group.
Fix Selective Authentication in a Trusted Domain
When you turn on selective authentication for a trusted domain, PowerBroker Identity Services can fail to look up users in the trusted domain because the machine account is not allowed to authenticate with the domain controllers in the trusted domain. Here is how to grant the machine account access to the trusted domain:
1. In the domain the computer is joined to, create a global group and add the computer's machine account to the group.
2. In the trusted domain, in Active Directory Users and Computers, select the Domain Controllers container and open Properties.
3. On the Security tab, click Advanced, click Add, enter the global group, and then click OK.
4. In the Permission Entry box, under Apply onto, select Computer objects. Under Permissions, find Allowed to Authenticate and enable it. Click OK and then click Apply in the Advanced Security Settings box.
5. If you have already joined the PBIS client computer to the domain, restart the PBIS authentication service:
/opt/pbis/bin/lwsm restart lsass
Cache
If a cache becomes corrupted or if certain conditions occur, you may need to clear caches.
Clear the Authentication Cache
There are certain conditions under which you might need to clear the cache so that a user's ID is recognized on a target computer.
By default, the user's ID is cached for 4 hours. If you change a user's UID for a PowerBroker cell with PBIS Enterprise, during the 4 hours after you change the UID you must clear the cache on a target computer in the cell before the user can log on. If you do not clear the cache after changing the UID, the computer will find the old UID until the cache expires.
One PBIS Group Policy setting can affect the cache time: Cache Expiration Time. This policy setting stores UID-SID mappings, user/group enumeration lists, getgrnam(), and getpwnam(). Its default expiration time is 4 hours.
For more information about this policy setting, see the PowerBroker Identity Services Group Policy Administration Guide.
Tip: While you are deploying and testing PBIS, set the cache expiration time of the PBIS agent's cache to a short period of time, such as 1 minute.
Clear the Cache on a Unix or Linux Computer
To delete all the users and groups from the PBIS AD provider cache on a Linux or Unix computer, execute the following command with superuser privileges:
/opt/pbis/bin/ad-cache --delete-all
You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting. Here is an example:
[root@rhel5d bin]# ./ad-cache --enum-users
Total Num Users Found: 0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password:
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name:     EXAMPLE\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/EXAMPLE/hab
Total Num Users Found: 1
[root@rhel5d bin]#
To view the command's syntax and arguments, execute the following command:
/opt/pbis/bin/ad-cache --help
Clear the Cache on a Mac OS X Computer
On a Mac OS X computer, clear the Directory Service cache (not the PBIS cache) by running the following command with superuser privileges in Terminal:
dscacheutil -flushcache
Clear a Corrupted SQLite Cache
To clear the cache when PowerBroker Identity Services is caching credentials in its SQLite database and the entries in the cache are corrupted, use the following procedure for your type of operating system.
Note: On a Mac, execute these commands as sudo. To do so, precede each command with sudo.
Clear the SQLite cache:
1. Stop the PBIS authentication service by executing the following command as root:
/opt/pbis/bin/lwsm stop lsass
2. Clear the AD-provider cache and the local-provider cache by removing the following two files, substituting a fully-qualified domain name for FQDN:
rm -f /var/lib/pbis/db/lsass-adcache.filedb.FQDN
rm -f /var/lib/pbis/db/lsass-local.db
Important: Do not delete the other .db files in the /var/lib/pbis/db directory.
3. Start the PBIS authentication service:
/opt/pbis/bin/lwsm start lsass
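The three steps above wrapped in one function, as an added shell example that is not part of the guide: it validates the FQDN before building the file name, removes exactly the two cache files, and never touches the other .db files. The function name is an assumption; the directory and lwsm paths default to the ones the guide gives and can be overridden.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: clear the AD-provider and local-provider
# SQLite caches the way the procedure above describes. Run as root (with sudo on a Mac).
#   $1 FQDN of the joined domain
#   $2 database directory (default /var/lib/pbis/db)
#   $3 path to lwsm       (default /opt/pbis/bin/lwsm)
pbis_clear_sqlite_cache() {
    fqdn=$1
    dbdir=${2:-/var/lib/pbis/db}
    lwsm=${3:-/opt/pbis/bin/lwsm}

    # An empty or malformed FQDN (slash, glob character, space) would turn the
    # rm below into something other than "these two files", so reject it first.
    case $fqdn in
        ''|*/*|*'*'*|*'?'*|*' '*)
            echo "pbis_clear_sqlite_cache: invalid FQDN '$fqdn'" >&2
            return 2 ;;
    esac

    adcache="$dbdir/lsass-adcache.filedb.$fqdn"
    localdb="$dbdir/lsass-local.db"

    # Step 1: stop the authentication service before touching its databases.
    "$lwsm" stop lsass || { echo "pbis_clear_sqlite_cache: could not stop lsass" >&2; return 1; }

    # Step 2: remove only the AD-provider cache and the local-provider cache.
    # Other .db files in the directory are deliberately left in place.
    rm -f "$adcache" "$localdb"

    # Step 3: start the service again; the caches are rebuilt on demand.
    "$lwsm" start lsass
}
```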
PAM
For instructions on how to generate a PAM debug log, see Generate a PAM Debug Log.
Dismiss the Network Credentials Required Message
After leaving the screensaver on a Gnome desktop that is running the Gnome Display Manager, or GDM, you might see a pop-up notification saying that network authentication is required or that network credentials are required. You can ignore the notification. The GDM process that tracks the expiration time of a Kerberos TGT might not recognize the updated expiration time of a Kerberos TGT after it is refreshed by PowerBroker Identity Services.
Generate a PAM Debug Log
You can set the level of reporting in the PAM debug log for the PBIS authentication service on a Linux or Unix computer. PAM stands for pluggable authentication modules.
The log levels are disabled, error, warning, info, and verbose. The logged data is sent to your system's syslog message repository for security and authentication. The location of the repository varies by operating system. Here are the typical locations for a few platforms:
• Ubuntu: /var/log/auth.log
• Red Hat: /var/log/secure
• Solaris: /var/log/authlog
• Mac OS X: /var/log/secure.log
The following procedure demonstrates how to change the value of the PAM key's LogLevel entry with the config command-line utility.
First, use the --details option to list the values that the PAMLogLevel setting accepts:
/opt/pbis/bin/config --details PAMLogLevel
Name: PAMLogLevel
Description: Configure PAM lsass logging detail level
Type: string
Current Value: "disabled"
Acceptable Value: "disabled"
Acceptable Value: "error"
Acceptable Value: "warning"
Acceptable Value: "info"
Acceptable Value: "verbose"
Current Value is determined by local policy.
Now, as root, change the setting to error so that PBIS will log PAM errors:
/opt/pbis/bin/config PAMLogLevel error
Finally, confirm that the change took effect:
/opt/pbis/bin/config --show PAMLogLevel
string
error
local policy
For more information on the arguments of config, run the following command:
/opt/pbis/bin/config --help
OS-Specific Troubleshooting
The following topics provide PBIS agent troubleshooting guidance that is unique to individual operating systems.
Red Hat and CentOS
The following procedures may help resolve issues with the PBIS agent on computers running the Red Hat or CentOS operating systems.
Modify PAM to Handle UIDs Less Than 500
By default, the configuration file for PAM system authentication—/etc/pam.d/system-auth—on Red Hat Enterprise Linux 5 and CentOS 5 contains the following line, which blocks a user with a UID value less than or equal to 500 from logging on to a computer running the PBIS agent. The symptom is a login failure with a never-ending password prompt.
auth requisite pam_succeed_if.so uid >= 500 quiet
Solution: Either delete the line from /etc/pam.d/system-auth or modify it to allow users with UIDs lower than 500:
auth requisite pam_succeed_if.so uid >= 50 quiet
Ensure That the Correct Version of the coreutils RPM Is Installed
Some patch levels of the coreutils RPM on Red Hat Enterprise Linux 3 have a version of the id command that does not return complete group membership information when the command is run with the id username syntax. The command returns only the UID and primary GID for a user. Secondary groups may be omitted.
On Linux, there are four commands to get group memberships:
• Call getgroups. It returns the primary and secondary GIDs of the current process. The id command calls this when a username is not passed.
• Call initgroups followed by getgroups. The initgroups call will query nsswitch for the user's primary and secondary groups. The result is stored in the process, which is then returned by getgroups. You need root access to call initgroups, so id sometimes does this when you run the command as root.
• Call getgrouplist. This function calls nsswitch to return the group list of a user, and it does not require root access. Unfortunately this function was added in glibc 2.2.4, and the id command started using it after that.
• Call getgrent to enumerate all the groups on the system, and search for the user in the gr_mem field.
On RHEL 3, id from coreutils version 4.5.3-28.4 can use the getgrouplist function, but that code was removed in 4.5.3-28.7. To check your coreutils version for glibc:
rpm -q coreutils glibc
coreutils-4.5.3-28.7
glibc-2.3.2-95.50
Without the getgrouplist function, the id command falls back on using getgrent to get the groups. By default, PBIS returns abbreviated results when enumerating all groups, so id does not find the user in the member's field. You could turn on full group enumeration, but then the id command would download the group membership of everyone in Active Directory just to obtain the results for one user.
Here is an example.
1. Check the user.
[root@example-03293b root]# su - corpqa\\user0001
[CORPQA\user0001@example-03293b user0001]$ id CORPQA\\user0002
uid=105559(CORPQA\user0002) gid=1661993473(CORPQA\domain^users) groups=1661993473(CORPQA\domain^users)
[CORPQA\user0001@example-03293b user0001]$ logout
2. Turn on full group enumeration locally by using config.
[root@example-03293b root]# /opt/pbis/bin/config NssGroupMembersQueryCacheOnly false
[root@example-03293b root]# /opt/pbis/bin/config NssEnumerationEnabled true
3. Check the user again:
[root@example-03293b root]# su - corpqa\\user0001
[CORPQA\user0001@example-03293b user0001]$ id CORPQA\\user0002
uid=105559(CORPQA\user0002) gid=1661993473(CORPQA\domain^users) groups=1661993473(CORPQA\domain^users),1662020290(CORPQA\enabled),1662020291(CORPQA\enabledparent),100395(CORPQA\innergroup1),100401(CORPQA\loopgroup),100394(CORPQA\outergroup),100381(CORPQA\usergroup0001),100382(CORPQA\usergroup0002),1662002383(CORPQA\usergroup0009),1662002420(CORPQA\usergroup0047),1662003573(CORPQA\usergroup0200)
Even with NSS settings enabled, the id command does a case-sensitive search even though PBIS does not treat the user names as case sensitive. Therefore, if you use the non-canonical case, the groups are not displayed.
To fix the output of the id command on RHEL 3 computers where this problem occurs, ensure that the correct version of the coreutils RPM is installed.
Ubuntu
Try the following to resolve issues with the PBIS agent on computers running Ubuntu.
su segfaults
On 32-bit versions of Ubuntu 10.10 running PBIS, su might segfault. Upgrading to Ubuntu 10.2 or later resolves the issue.
SUSE Linux Enterprise Desktop (SLED)
Review the following sections to fix SUSE issues.
Home Directory on SLED 11
When a user gains access to SLED 11 through Nomad—a remote desktop using RDP protocol with session management—the default home directory specified in /lib/security/pam_lsass.so is ignored.
To correct the issue, change /etc/pam.d/xrdp-sesman to include the following line:
session sufficient /lib/security/pam_lsass.so
Updating PAM on SLED 11
Novell has issued a PAM update (pam-config-0.68-1.22) for SLED 11 that modifies the common-session-pc file to include the following entry:
session optional pam_gnome_keyring.so auto_start_if=gdm
Because the PAM update makes a backup of the file and replaces it with the modified version, the changes that PBIS had made to the file are no longer present, which blocks new AD users from logging on. The following error messages may appear:
Could not update ICEauthority file /home/john/.ICEauthority
There is a problem with the configuration server. (/user/lib/gconf/2/gconf-sanity-check-2 exited with status 256)
Solution: After you update PAM, run the following command as root:
/opt/pbis/bin/domainjoin-cli configure --enable pam
Or, you can make the changes manually: Open the backed up version of the common-session-pc file, add the following line to it, and then use it to overwrite the new version of the common-session-pc file:
session optional pam_gnome_keyring.so auto_start_if=gdm
AIX
Try the following to resolve issues with the PBIS agent on computers running AIX.
Increase Max Username Length on AIX
By default, AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory username. On AIX 5.3 and AIX 6.1, the symptom is that group names, when enumerated through the groups command, are truncated.
To increase the max username length on AIX 5.3, use the following syntax:
# chdev -l sys0 -a max_logname=MaxUserNameLength+1
Example:
# chdev -l sys0 -a max_logname=255
This command allocates 254 characters for the user and 1 for the terminating null.
The safest value to which you can set max_logname is 255.
You must reboot for the changes to take effect:
# shutdown -Fr
Note: AIX 5.2 does not support increasing the maximum username length.
Updating AIX
When you update AIX, the authentication of users, groups, and computers might fail because the AIX upgrade process overwrites changes that PowerBroker Identity Services makes to system files. Specifically, upgrading AIX to version 6.1 tl3 overwrites /lib/security/methods.cfg, so you must manually add the following code to the last lines of the file after you finish upgrading:
LSASS:
        program = /usr/lib/security/LSASS
FreeBSD
Try the following to resolve issues with the PBIS agent on computers running FreeBSD.
Keep Usernames to 16 Characters or Less
On FreeBSD, usernames that are longer than 16 characters, including the domain name, exceed the FreeBSD username length limit. Attempts to connect by ssh, for example, to a FreeBSD computer with a username that exceeds the limit can result in the following notification:
bvt-fbs72-64# ssh testuser1@localhost
Password:
Connection to localhost closed by remote host.
Connection to localhost closed.
The log for sshd, meanwhile, might show an error that looks something like this:
Oct 7 18:22:57 vermont02 sshd[66387]: setlogin(EXAMPLE\adm.kathy): Invalid argument
Oct 7 18:25:02 vermont02 sshd[66521]: setlogin(EXAMPLE\adm.kathy): Invalid argument
Although testuser1 is less than 16 characters, when you use the id command to check the account, something longer than 16 characters is returned:
[root@bvt-fbs72-64 /home/testuser]# id testuser1
uid=1100(BVT-FBS72-64\testuser1) gid=1801(BVT-FBS72-64\testgrp) groups=1801(BVT-FBS72-64\testgrp)
The result of the id command exceeds the FreeBSD username length limit. There are several solutions: set the default domain, change the username to 16 characters or less, or with PBIS Enterprise use aliases. Keep in mind, though, that aliases will not solve the problem in relation to the PBIS local provider.
Solaris
Try the following to resolve issues with the PBIS agent on computers running Solaris.
Turn On Core Dumps on Solaris 10
If you are investigating a process that is crashing on Solaris 10 or Solaris Sparc 10, but a core dump is not being generated, it's probably because per-process core dumps are turned off. You can use the coreadm command to manage the core dumps. The settings are saved in the /etc/coreadm.conf file.
A configuration for core dumps with the per-process option turned off looks like this:
# coreadm
     global core file pattern:
     global core file content: default
       init core file pattern: core
       init core file content: default
            global core dumps: disabled
       per-process core dumps: disabled
      global setid core dumps: disabled
 per-process setid core dumps: disabled
     global core dump logging: disabled
You'll need per-process core dumps, though, to troubleshoot a process that is terminating unexpectedly. To turn on core dumps for a process, execute the following command as root:
coreadm -e process
For more information, see Core Dump Management on the Solaris OS and the man page for coreadm.
Mac OS X
Try the following to resolve issues with the PBIS agent on computers running Mac OS X.
Find the PBIS Service Manager Daemon on a Mac
To locate the PBIS service manager process on a Mac OS X computer, execute the following command in Terminal:
sudo launchctl list | grep pbis
On a Mac computer, the name of the daemon for the service manager is as follows:
com.beyondtrust.pbis.lwsmd
Remove Dock Items by Using Workgroup Manager
If you have integrated PBIS Enterprise with Apple's Workgroup Manager by following the instructions in this guide, you can remove dock items by using an MCX policy setting. For instructions, see Apple's support page on Managed Client: Items removed in Workgroup Manager remain in a user's Dock.
Troubleshooting Logon Issues
Solve Logon Problems from Windows
To troubleshoot a problem with a user who cannot log on to a Linux or Unix computer, perform the following series of diagnostic tests sequentially.
1. On a Windows computer, log off and then log on again with the problem user's AD credentials to verify that the password is correct and that the account is not locked or disabled.
2. Try to SSH to the target Linux or Unix computer again with the user's full NT4-style credentials and password, not just the user's alias. In your SSH command, make sure to use a slash character to escape the slash.
3. If you are using PBIS Enterprise, make sure that the user's computer is in the correct PowerBroker cell.
4. Make sure that the user is enabled to log on the computer, either by being enabled in the cell (with PBIS Enterprise) or by being in a group allowed to access the computer. Then try to log on the target computer again.
5. Ensure that the PBIS client can communicate with the Active Directory domain controller.
6. Make sure that the shell specified for the user account in Active Directory is available on the target computer. Specifying a shell that is unavailable will block the user account from logging on.
7. Verify that the home directory is set and can be created. A home directory that cannot be created because the path is incorrect or the permissions are insufficient can block an attempt to log on.
8. Make sure there are no logon restrictions in place—for example, the Group Policy setting that restricts logon to certain users or groups—that prevent the user account from logging on the computer.
9. Log on the computer with a different user account—one that is enabled for access to the computer.
Solve Logon Problems on Linux or Unix
To troubleshoot problems logging on a Linux computer with Active Directory credentials after you joined the computer to a domain, perform the following series of diagnostic tests sequentially with a root account.
The tests can also be used to troubleshoot logon problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.
Make Sure You Are Joined to the Domain
Execute the following command:
/opt/pbis/bin/domainjoin-cli query
If you are not joined, see Join Active Directory with the Command Line.
Check Whether You Are Using a Valid Logon Form
When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username. Example: example.com\hoenstiv.
When logging on from the command line, you must escape the slash character with a slash character, making the logon form DOMAIN\\username. Example: example.com\\hoenstiv.
To view a list of logon options, see Logging On with Domain Credentials.
Clear the Cache
You may need to clear the cache to ensure that the client computer recognizes the user's ID. See Clear the Authentication Cache.
Destroy the Kerberos Cache
Clear the PBIS Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command with the user account that you are troubleshooting:
/opt/pbis/bin/kdestroy
Check the Status of the PBIS Authentication Service
Check the status of the authentication service on a Unix or Linux computer running the PBIS Agent by executing the following command as the root user:
/opt/pbis/bin/lwsm status lsass
If                                             Do This
The result looks like this:                    Restart the service.
    lsass is stopped
The result looks like this:                    Proceed to the next test.
    lsass (pid 1783) is running...
Check Communication between the PBIS Service and AD
Verify that the PBIS service can exchange data with AD by executing this command:
/opt/pbis/bin/get-dc-name FullDomainName
Example: /opt/pbis/bin/get-dc-name example.com
If                                             Do This
The result does not show the name and IP       1. Make sure the domain controller is online and operational.
address of your domain controller              2. Check network connectivity between the client and the domain controller.
                                               3. Join the domain again.
                                               4. View log files.
The result shows the correct domain            Proceed to the next test.
controller name and IP address
Verify that PBIS Can Find a User in AD
Verify that the PBIS agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:
/opt/pbis/bin/find-user-by-name domainName\\ADuserName
Example: /opt/pbis/bin/find-user-by-name example\\hab
If                      Do This
The command fails to    1. Check whether the computer is joined to the domain by executing the following command as root:
find the user               domainjoin-cli query
                            Displays the hostname, current domain, and distinguished name, which includes the OU to which the computer belongs. Make sure the OU is correct. If the computer is not joined to a domain, it displays only the hostname.
                        2. Check Active Directory to make sure the user has an account. If you are using PBIS Enterprise, also ensure that the user is associated with the correct cell.
                        3. Check whether the same user is in the /etc/passwd file. If necessary, migrate the user to Active Directory.
                        4. Make sure the AD authentication provider is running by proceeding to the next test.
The user is found       Proceed to the PAM test later in this topic.
Make Sure the AD Authentication Provider Is Running
PBIS includes two authentication providers:
• The local provider
• The Active Directory provider
If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:
/opt/pbis/bin/get-status
A healthy result should look like this:
LSA Server Status:
Compiled daemon version: 7.5.561.63589
Packaged product version: 7.5.725.63590
Uptime:                  6 days 23 hours 36 minutes 29 seconds
[Authentication provider: lsa-activedirectory-provider]
        Status:        Online
        Mode:          Default Cell
        Domain:        EXAMPLE.COM
        Domain SID:
        Forest:        example.com
        Site:          Default-First-Site-Name
An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.
If the result looks like the line below, check the status of the PBIS services to make sure they are running.
Failed to query status from LSA service.
The LSASS server is not responding.
Run the id Command to Check the User
Run the following id command to check whether nsswitch is properly configured to handle AD user account information:
id DOMAIN\\username
Example: id example\\kathy
If the command does not show information for the user, check whether the /etc/nsswitch.conf file is properly configured for passwd and group: Both entries should include the lsass parameter.
If /etc/nsswitch.conf is properly configured, the PBIS name service libraries might be missing or misplaced. It is also possible that the LD_PRELOAD or LD_LIBRARY_PATH variables are defined without including the PBIS libraries.
Switch User to Check PAM
Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:
su DOMAIN\\username
Example: su example\\hoenstiv
If                                  Do This
The switch user command fails       Generate a PAM debug log.
to validate the user                Also, check the following log files for error messages (the location of the log files varies by operating system):
                                    /var/log/messages
                                    /var/log/secure
Test SSH
Check whether you can log on with SSH by executing the following command:
ssh DOMAIN\\username@localhost
Example: ssh example.com\\hoenstiv@localhost
If you believe the issue might be specific to SSH, see Troubleshooting SSH SSO Problems.
Run the Authentication Service in Debug Mode
To troubleshoot the lookup of a user or group ID, you can set the PBIS authentication service to run in debug mode and show the log in the console by executing this command:
/opt/pbis/sbin/lsass --loglevel debug
Check Nsswitch.Conf
Make sure /etc/nsswitch.conf is configured correctly to work with PBIS. For more information, see Configuring Clients Before Agent Installation.
On HP-UX, Escape Special Characters at the Console
When you log on to the console on some versions of HP-UX, such as 11.23, you might need to escape special characters, such as @ and #, by preceding them with a slash (\). For more information, see your HP-UX documentation.
Additional Diagnostic Tools
There are additional command-line utilities that you can use to troubleshoot logon problems in the following directory:
/opt/pbis/bin
See Also
Resolve an AD Alias Conflict with a Local Account
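The diagnostic sequence above, together with the get-status checks in Troubleshoot with the Get Status Command and Make Sure the AD Authentication Provider Is Running, as one added shell example that is not part of the guide or the PBIS tooling: it runs the automatable tests in the guide's order and stops at the first failure. PBIS_BIN (assumed /opt/pbis/bin) can be overridden, the parsers work on the output formats shown in this guide, and the domainjoin-cli and get-dc-name checks are deliberately loose because the guide does not show their exact output.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: run the Linux logon diagnostics in order.
# Exit codes 1-6 identify the first failed step so you can jump to that section.
PBIS_BIN=${PBIS_BIN:-/opt/pbis/bin}

# "lwsm status lsass": 0 when the output reads "lsass (pid N) is running...",
# 1 when it reads "lsass is stopped" (or anything else).
lsass_is_running() {
    case $1 in
        *"is running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# "get-status": print the Status value of the AD provider block (Online/Offline),
# or "missing" when the block is absent, as in "Failed to query status from LSA service."
ad_provider_status() {
    printf '%s\n' "$1" | awk '
        /^\[Authentication provider: lsa-activedirectory-provider\]/ { inad = 1; next }
        /^\[Authentication provider:/ { inad = 0 }
        inad && $1 == "Status:" { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# "get-dc-name": the guide only says the result must show a DC name and IP address,
# so accept any output that carries a dotted-quad IPv4 address.
dc_lookup_ok() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9])([0-9]{1,3}\.){3}[0-9]{1,3}([^0-9]|$)'
}

# Walk the tests for DOMAIN and USER (e.g. example.com hab); run as root.
run_logon_diagnostics() {
    domain=$1
    user=$2
    [ -n "$domain" ] && [ -n "$user" ] \
        || { echo "usage: run_logon_diagnostics DOMAIN USER" >&2; return 64; }

    # 1. Make sure you are joined to the domain (assumes the query output names it).
    "$PBIS_BIN/domainjoin-cli" query 2>/dev/null | grep -qi "$domain" \
        || { echo "not joined to $domain: see Join Active Directory with the Command Line" >&2; return 1; }

    # 2. Check the status of the PBIS authentication service.
    lsass_is_running "$("$PBIS_BIN/lwsm" status lsass 2>/dev/null)" \
        || { echo "lsass is stopped: run $PBIS_BIN/lwsm restart lsass" >&2; return 2; }

    # 3. Check communication between the PBIS service and AD.
    dc_lookup_ok "$("$PBIS_BIN/get-dc-name" "$domain" 2>/dev/null)" \
        || { echo "no domain controller found for $domain: check the DC and the network, then rejoin" >&2; return 3; }

    # 4. Verify that PBIS can find the user in AD.
    "$PBIS_BIN/find-user-by-name" "$domain\\$user" >/dev/null 2>&1 \
        || { echo "find-user-by-name cannot find $domain\\$user: check the AD account and cell" >&2; return 4; }

    # 5. Make sure the AD authentication provider is online.
    status=$(ad_provider_status "$("$PBIS_BIN/get-status" 2>/dev/null)")
    [ "$status" = Online ] \
        || { echo "AD provider is $status: restart the authentication service" >&2; return 5; }

    # 6. Run the id command to check that nsswitch resolves the user.
    id "$domain\\$user" >/dev/null 2>&1 \
        || { echo "id cannot resolve $domain\\$user: check passwd and group in /etc/nsswitch.conf" >&2; return 6; }

    echo "all automated checks passed; continue with the su and ssh tests"
}

if [ $# -ge 2 ]; then
    run_logon_diagnostics "$1" "$2"
fi
```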
Troubleshooting SSH SSO Problems
Solve problems logging on with SSH to Linux, Unix, and Mac OS X computers running PBIS.
Tip: Before you begin troubleshooting
Make sure you are joined to the domain by executing the following command as root:
/opt/pbis/bin/domainjoin-cli query
If you are not joined, see Join Active Directory with the Command Line.
You can use the following steps to troubleshoot problems logging on to Linux, Unix, and Mac OS X computers with ssh. It is assumed that the computer is connected to Microsoft Active Directory with PBIS Open or PBIS Enterprise and that you are trying to log on with an Active Directory account.
Use NT4-style Credentials and Escape the Slash Character
Try to SSH to the target Linux or Unix computer again with the user's full NT4-style credentials, not the user's alias. In your SSH command, make sure to use a slash character to escape the slash.
Here is an example:
ssh example.com\\kathy@localhost
Perform General Logon Troubleshooting
If you cannot log on after you escaped the slash character in your full NT4-style credentials and used your password, execute the general logon troubleshooting steps in Solve Logon Problems from Windows and Solve Logon Problems on Linux and Unix. If those steps do not help solve the problem, return to this page and perform the following PBIS-specific ssh troubleshooting steps in the order listed.
This document contains little general SSH troubleshooting information. If you believe your issue is not specific to PBIS or if the information here does not solve your problem, see SSH: The Secure Shell: The Definitive Guide, published by O'Reilly. See especially the sections on troubleshooting, logging and debugging, and password authentication.
Get an SSH Log
You should obtain debug logs for the PBIS authentication service (lsass), PAM, and sshd.
To get an ssh log, locate sshd and then start it in a separate terminal window with the following options (sshd takes -d for debugging, repeated for more detail; -v is the ssh client's flag, so the two commands below are not interchangeable):

`which sshd` -ddd -p 9999 > /tmp/sshd.log 2>&1

The command starts an instance of sshd listening on port 9999 and routes logging information to a log file in /tmp/sshd.log.

Now try to ssh to the localhost at that port:

ssh -vvv -p 9999 yourADuserName@localhost

When the logon fails, kill ssh; the sshd session will stop as well.

Finally, check the log file at /tmp/sshd.log for information that might help you resolve the issue. In addition, check the log files for lsass and PAM. For more information on how to generate a log for SSH, see logging and debugging or the man page for ssh.

After an Upgrade, Reconfigure SSH for PBIS

If SSH was recently upgraded, run the following command as root to make sure that the sshd_config file is set up properly to work with PBIS:

domainjoin-cli configure --enable ssh

Verify that Port 22 Is Open

A common problem is that a firewall is blocking the port used by SSH. Take a moment to verify that port 22, which SSH typically connects to, is available by telneting to it. Failure looks like this:

root@example:~# telnet 10.0.0.17 22
Trying 10.0.0.18...
telnet: Unable to connect to remote host: Connection refused

Success looks like this:

root@example:~# telnet 10.0.0.17 22
Trying 10.0.0.17...
Connected to 10.0.0.17.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-5

Make Sure PAM Is Enabled for SSH

If your Active Directory account is not working with SSH, make sure that UsePAM is enabled in sshd_config and make sure that your sshd application is linked to the PAM libraries.
1. Determine which sshd is running by executing the following command:

bash-3.2# ps -ef | grep sshd
root  8199     1  0    Feb 6  ?      0:00 /opt/ssh/sbin/sshd
root 29878  8199  0    Mar 3  ?      0:04 sshd: root@notty
root 24864  8199  0 12:16:25  ?      0:00 sshd: root@pts/0
root 29988  8199  0    Mar 3  ?      0:05 sshd: root@notty
root 24882 24880  0 12:16:54  pts/0  0:00 grep sshd

2. Either use lsof to find out which configuration file it is reading or start it up with debugging to figure out the default path. Example:

username@computer:~$ /usr/sbin/sshd -dd -t
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 664
debug2: parse_server_config: config /etc/ssh/sshd_config len 664
debug1: sshd version OpenSSH_5.1p1 Debian-3ubuntu1
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key

3. Verify that UsePAM is enabled in the config file. As a best practice, make a backup copy of the configuration file before you change it.
4. Run ldd on sshd to make sure it links with libpam. Here is an example from an IA64 HP system:

bash-3.2# ldd /opt/ssh/sbin/sshd
    libpam.so.1 => /usr/lib/hpux64/libpam.so.1
    libdl.so.1 => /usr/lib/hpux64/libdl.so.1
    libnsl.so.1 => /usr/lib/hpux64/libnsl.so.1
    libxnet.so.1 => /usr/lib/hpux64/libxnet.so.1
    libsec.so.1 => /usr/lib/hpux64/libsec.so.1
    libgssapi_krb5.so => /usr/lib/hpux64/libgssapi_krb5.so
    libkrb5.so => /usr/lib/hpux64/libkrb5.so
    libpthread.so.1 => /usr/lib/hpux64/libpthread.so.1
    libc.so.1 => /usr/lib/hpux64/libc.so.1
    libxti.so.1 => /usr/lib/hpux64/libxti.so.1
    libxti.so.1 => /usr/lib/hpux64/libxti.so.1
    libm.so.1 => /usr/lib/hpux64/libm.so.1
    libk5crypto.so => /usr/lib/hpux64/libk5crypto.so
    libcom_err.so => /usr/lib/hpux64/libcom_err.so
    libk5crypto.so => /usr/lib/hpux64/libk5crypto.so
    libcom_err.so => /usr/lib/hpux64/libcom_err.so
    libdl.so.1 => /usr/lib/hpux64/libdl.so.1
Make Sure GSSAPI Is Configured for SSH

Logging on to a system with keys does not provide that system with the means of getting a PAC from the domain controller. Without a PAC there is no group membership information for the user. Automated Kerberos ticket renewal will also be unavailable. So, when the ssh login hits the login restrictions in the account phase as it tests for the group memberships, it will not find the user's group information, causing an ssh error like this:

Not in an Allowed Group!

A workaround is to have each user log in once with a password. Subsequent logins with keys should work until the AD cache is flushed, after which the user will have to log in again.

Check the Configuration of SSH for SSO

Although PBIS automatically configures OpenSSH to support SSO through Kerberos using GSSAPI, it is worthwhile to review how PBIS does it. Since you might need to configure or troubleshoot other applications for SSO, understanding the process will make it easier to apply the technique to other applications.

Note: Not all versions of OpenSSH support Kerberos. Versions older than 4.2p1 might not work or might work improperly. For important information on Kerberos and GSSAPI support in OpenSSH, see http://www.sxw.org.uk/computing/patches/openssh.html.

SSH Service Principal Name

The first thing that needs to be considered is the Kerberos service principal name (SPN) used by SSH and SSHD. The SPN is a string that identifies the service for which an authentication ticket is to be generated. In the case of SSH, the SPN has the form:

host/<servername>@<REALMNAME>
For example, when a user uses ssh to connect to a computer named fozzie.mycorp.com, the ssh program requests a service ticket for the SPN:

host/[email protected]

The Kerberos realm is the computer's domain name in uppercase letters.

System Keytab Generation

In order for Microsoft Active Directory to generate a Kerberos ticket for this SPN, a service account must exist for it. Additionally, a keytab must be created for the service account and placed on the sshd server. PBIS completely automates this operation. When a Linux or Unix computer is joined to AD, a machine account is created for the computer. If the computer is called fozzie, a machine account called fozzie$ is created in AD. PBIS then automatically creates a keytab for the SPN and places it in the standard system location (typically, /etc/krb5.keytab).

User Keytab Generation

When the user runs the ssh program and OpenSSH determines that it will use Kerberos authentication, it will need to access a keytab for the user so that it can obtain a service ticket for the service/computer to which it is trying to connect. This keytab must be created using the user's account name and password. Manually, this can be performed by using the kinit utility. PBIS, however, does it automatically when the user logs on the computer. On most systems, the user keytab is placed in the /tmp directory and named krb5cc_UID, where UID is the numeric user ID assigned by the system. (Strictly speaking, this krb5cc_UID file is the user's Kerberos credentials cache, which holds the TGT and service tickets obtained with the password, rather than a keytab of long-term keys.)

Configuring OpenSSH

PBIS automatically configures OpenSSH at both the client and server computer. On the client, the ssh_config file (typically in /etc/ssh/ssh_config) is modified. On the server, sshd_config (typically in /etc/ssh/sshd_config) is modified. PBIS adds the following lines of code to the right files if they are not already present and if they are required by the system's version of sshd:

In the server, the following lines must be present in sshd_config. If you are troubleshooting, make sure these lines are there:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On the client, the following line must be present in ssh_config:

GSSAPIAuthentication yes
On the client, GSSAPIDelegateCredentials yes is an optional setting that instructs the ssh client to delegate the krb5 TGT to the destination machine when SSH single sign-on is used.

In addition, if any of the following options are valid for the system's version of sshd, they are required and configured by PBIS:

ChallengeResponseAuthentication yes
UsePAM yes
PAMAuthenticationViaKBDInt yes
KbdInteractiveAuthentication yes

Setting these options to yes instructs SSH to use the kbdinteractive ssh authentication mechanism and allows that mechanism to use PAM. These settings are required for PBIS to function properly.

For more information, see the man pages for ssh, sshd, and the comments in the ssh and sshd configuration files.
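As an added example (not part of the guide and not BeyondTrust's code), this POSIX shell script audits an sshd_config for the directives listed above, running on constructed sample files; the file contents and paths are assumptions.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: audit an sshd_config for the
# directives the guide says PBIS sets for GSSAPI SSO and PAM-backed
# keyboard-interactive logon. Runs on constructed sample files so it is
# safe to execute anywhere; point it at /etc/ssh/sshd_config for a real check.

# Print the effective value (lower-cased) of one directive. sshd takes the
# first occurrence, names are case-insensitive, "#" lines are comments, and
# anything after a "Match" line is conditional, so the scan stops there.
sshd_directive() {
    # $1 = config file, $2 = directive name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/                      { next }
        tolower($1) == "match"          { exit }
        NF >= 2 && tolower($1) == want  { print tolower($2); exit }
    ' "$1"
}

# Report each directive PBIS needs as OK, MISSING (left at the compiled-in
# default) or WRONG (explicitly set to something other than yes).
# Returns 0 only when every directive is explicitly "yes".
check_sshd_config() {
    cfg="$1"; rc=0
    for d in GSSAPIAuthentication GSSAPICleanupCredentials UsePAM \
             ChallengeResponseAuthentication KbdInteractiveAuthentication; do
        v=$(sshd_directive "$cfg" "$d")
        if [ -z "$v" ]; then
            echo "MISSING $d"; rc=1
        elif [ "$v" != "yes" ]; then
            echo "WRONG   $d=$v"; rc=1
        else
            echo "OK      $d"
        fi
    done
    return $rc
}

# Constructed sample configs (not captured from any system): "weak" is a
# stock file before PBIS configures it, "fixed" is what the guide requires.
write_sample_config() {
    # $1 = weak|fixed, $2 = output path
    if [ "$1" = weak ]; then
        printf '%s\n' 'Port 22' 'GSSAPIAuthentication no' 'UsePAM yes' \
            '# ChallengeResponseAuthentication yes' \
            'ChallengeResponseAuthentication no' > "$2"
    else
        printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' \
            'GSSAPICleanupCredentials yes' 'ChallengeResponseAuthentication yes' \
            'UsePAM yes' 'KbdInteractiveAuthentication yes' \
            'Match User guest' 'GSSAPIAuthentication no' > "$2"
    fi
}

# Demonstration on the two constructed files.
demo_dir=$(mktemp -d)
write_sample_config weak "$demo_dir/sshd_config.weak"
write_sample_config fixed "$demo_dir/sshd_config.fixed"
echo "== weak ==";  check_sshd_config "$demo_dir/sshd_config.weak"  || echo "=> run: domainjoin-cli configure --enable ssh"
echo "== fixed =="; check_sshd_config "$demo_dir/sshd_config.fixed" || echo "=> still incomplete"
rm -rf "$demo_dir"
```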
Testing SSO

With OpenSSH properly configured, demonstrating SSO support is simple: log on a Linux or Unix machine running PBIS by using your Active Directory credentials and then use ssh to connect to another machine that is also running PBIS. OpenSSH should establish a connection without prompting for a user name or password.

Platform-Specific Issues

If you are using Red Hat, CentOS, Fedora, FreeBSD, or AIX operating systems, review any of the following sections that are relevant for your operating system.

Red Hat and CentOS: Solve the SSO Problem

There is a known bug with some versions of Red Hat and CentOS that prevents SSO from working with SSH, SSHD, and PuTTY. The following versions are known to be affected:

• CentOS 5
• Red Hat Enterprise Linux 5

The system incorrectly concatenates the Kerberos ticket's service principal name on the target Linux computer. For example, in the final entry of the results of the klist command below, the full name of the service principal is cut off after the @ symbol:
[EXAMPLE\fanthony@centos52 ~]$ /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_1689257039
Default principal: [email protected]
Valid starting     Expires            Service principal
07/31/08 09:25:13  07/31/08 19:25:31  krbtgt/[email protected]
        renew until 08/07/08 09:25:13
07/31/08 09:25:31  07/31/08 19:25:31  [email protected]
        renew until 08/07/08 09:25:13
07/31/08 09:30:04  07/31/08 19:25:31  host/centos52.example.com@
        renew until 08/07/08 09:25:13

To determine whether you need to implement the solution below on your Red Hat or CentOS computer, execute the following series of tests:

1. Connect to your target machine with SSH by using PuTTY and a valid Active Directory user. Be sure to use the FQDN of the host.
2. Execute the following command:

/opt/pbis/bin/klist

The results should look like this:

[EXAMPLE\fanthony@centos52 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1689257039
Default principal: [email protected]
Valid starting     Expires            Service principal
07/31/08 09:25:13  07/31/08 19:25:31  krbtgt/[email protected]
        renew until 08/07/08 09:25:13
07/31/08 09:25:31  07/31/08 19:25:31  [email protected]
        renew until 08/07/08 09:25:13

3. SSH again to the same host and when prompted for the password, type CTRL+C.
4. Execute the klist command again:

/opt/pbis/bin/klist
5. Check the results to determine whether there is an incorrectly concatenated service principal, as there is in the following output:

[EXAMPLE\fanthony@centos52 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1689257039
Default principal: [email protected]
Valid starting     Expires            Service principal
07/31/08 09:25:13  07/31/08 19:25:31  krbtgt/[email protected]
        renew until 08/07/08 09:25:13
07/31/08 09:25:31  07/31/08 19:25:31  [email protected]
        renew until 08/07/08 09:25:13
07/31/08 09:30:04  07/31/08 19:25:31  host/centos52.example.com@
        renew until 08/07/08 09:25:13

If the tests confirm that the problem exists, implement the following solution:

1. On Red Hat Enterprise Linux 5, make sure that the reverse PTR host definitions are defined in DNS.
2. On the target Linux computer, add the following line to /etc/krb5.conf under the [domain_realm] entry of the file:

.yourdomainname.com = YOURDOMAINNAME.COM

Example:

[domain_realm]
.example.com = EXAMPLE.COM

3. Restart SSHD by running the following command at the shell prompt:

/sbin/service sshd restart
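As an added example (not BeyondTrust's code), this shell script detects the truncated service principal that the test above looks for, run over constructed klist output modelled on the listing; the ldap/dc1.example.com ticket and the fanthony principal are assumed sample values.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: scan klist output for the symptom
# above, a service ticket whose principal ends in "@" with no realm.
# The sample output is constructed to mirror the guide's example; it is not
# a capture from a real system.

# Print one line per ticket as "<service principal> <realm>", using "-" for
# the realm when the principal was cut off after "@". Ticket lines are the
# ones that start with a date (the guide's klist prints MM/DD/YY); the
# "renew until" continuation lines and the cache/principal header are skipped.
ticket_principals() {
    awk '$1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
        p = $NF
        at = index(p, "@")
        if (at == 0) next
        svc = substr(p, 1, at - 1)
        realm = substr(p, at + 1)
        print svc, (realm == "" ? "-" : realm)
    }'
}

# Print the service principals that lack a realm; exit 1 if there are any.
# A non-zero exit here is the signal to apply the [domain_realm] fix.
truncated_spns() {
    ticket_principals | awk 'BEGIN { bad = 0 }
        $2 == "-" { print $1; bad = 1 }
        END { exit bad }'
}

# Constructed klist output showing the bug: the host/ ticket has no realm.
KLIST_BROKEN='Ticket cache: FILE:/tmp/krb5cc_1689257039
Default principal: fanthony@EXAMPLE.COM
Valid starting     Expires            Service principal
07/31/08 09:25:13  07/31/08 19:25:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/07/08 09:25:13
07/31/08 09:25:31  07/31/08 19:25:31  ldap/dc1.example.com@EXAMPLE.COM
        renew until 08/07/08 09:25:13
07/31/08 09:30:04  07/31/08 19:25:31  host/centos52.example.com@
        renew until 08/07/08 09:25:13'

# The same cache after ".example.com = EXAMPLE.COM" was added under
# [domain_realm] and sshd restarted: every ticket now carries its realm.
KLIST_FIXED='Ticket cache: FILE:/tmp/krb5cc_1689257039
Default principal: fanthony@EXAMPLE.COM
Valid starting     Expires            Service principal
07/31/08 09:25:13  07/31/08 19:25:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/07/08 09:25:13
07/31/08 09:30:04  07/31/08 19:25:31  host/centos52.example.com@EXAMPLE.COM
        renew until 08/07/08 09:25:13'

# Demonstration; on a live system pipe /opt/pbis/bin/klist into truncated_spns.
echo "== broken cache =="
if printf '%s\n' "$KLIST_BROKEN" | truncated_spns; then
    echo "all service principals carry a realm"
else
    echo "realm missing: add .example.com = EXAMPLE.COM under [domain_realm]"
fi
echo "== fixed cache =="
if printf '%s\n' "$KLIST_FIXED" | truncated_spns; then
    echo "all service principals carry a realm"
else
    echo "realm missing: add .example.com = EXAMPLE.COM under [domain_realm]"
fi
```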
Red Hat and Fedora: Solve SSH Config Problem

On Fedora 14 and Red Hat 5, there is an issue with the configuration of the platform that blocks SSH SSO. You must either use a workaround to connect to the client or modify the sshd_config file on the server side. This section illustrates the problem and shows you how to connect to the client or fix the server.

After you join a domain with PBIS, NetworkManager restarts and leaves the /etc/hosts file looking like this:

[root@nile-fedora14 etc]# cat /etc/hosts
10.100.0.26 nile-fedora14.nile-domain.example.com nile-fedora14 # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost localhost4
::1 nile-fedora14.nile-domain.example.com nile-fedora14 localhost6 nile-fedora14.ramp.example.com

It should, however, look like this, but NetworkManager keeps resetting it:

10.100.0.26 nile-fedora14.nile-domain.example.com nile-fedora14 # Added by NetworkManager
127.0.0.1 nile-fedora14.nile-domain.example.com nile-fedora14 localhost.localdomain localhost localhost4
::1 nile-fedora14.nile-domain.example.com nile-fedora14 localhost6.localdomain6 localhost6

The configuration set by NetworkManager blocks SSO because it ends up restricting reverse name lookups to IPv4 only.

When using the client, you can work around the problem by connecting by the external IP address. In other words, instead of using ssh -l user nile-fedora14.nile-domain.example.com to connect, use the following form:

ssh -l user 10.100.0.26

Alternatively, to fix the problem, you can turn off GSSAPIStrictAcceptorCheck in sshd_config on the server, but such a resolution might be unavailable when you do not have administrative access to the server or when doing so might cause intractable side effects or security holes.
Another way to fix the problem is to turn off reverse DNS lookups in Kerberos, but again, such a solution might result in side effects that block other applications or operations.

FreeBSD: Invalid Argument with SSHD

On FreeBSD, user names that are longer than 16 characters, including the domain name, exceed the FreeBSD user name length limit. Attempts to connect by ssh with a user name that exceeds the limit can result in the following notification:

bvt-fbs72-64# ssh testuser1@localhost
Password:
Connection to localhost closed by remote host.
Connection to localhost closed.

The log for sshd, meanwhile, might show an error that looks something like this:

Oct 7 18:22:57 vermont02 sshd[66387]: setlogin(EXAMPLE\adm.kathy): Invalid argument
Oct 7 18:25:02 vermont02 sshd[66521]: setlogin(EXAMPLE\adm.kathy): Invalid argument

Although testuser1 is less than 16 characters, when you use the id command to check the account, something longer than 16 characters is returned:

[root@bvt-fbs72-64 /home/testuser]# id testuser1
uid=1100(BVT-FBS72-64\testuser1) gid=1801(BVT-FBS72-64\testgrp) groups=1801(BVT-FBS72-64\testgrp)

The result of the id command exceeds the FreeBSD user name length limit. There are several solutions: set the default domain, change the user name to 16 characters or less, or with PBIS Enterprise use aliases. Keep in mind, though, that aliases will not solve the problem in relation to the PBIS local provider.

AIX and Red Hat: Set Reverse PTR Host Definitions for SSO

For single sign-on with SSH to work on Red Hat Enterprise Linux 5 and AIX, reverse PTR host definitions must be set in DNS.
AIX: Configure for Outbound Single Sign-On

On AIX 5.3, client-side SSH is not set up by default. Here is how to configure it so that it will work with PBIS.

1. On your AIX 5.3 computer, make sure the network authentication service, version 1.4.0.8, is installed; example:

-bash-3.00$ lslpp -l | grep krb
  krb5.client.rte   1.4.0.8   COMMITTED   Network Authentication Service

If it is not installed, obtain it from the IBM AIX website at http://www.ibm.com/developerworks/aix/library/au-nas_relatedtech/index.html and install it.

2. After joining an Active Directory domain with PBIS, append the following lines to the end of /etc/krb5/krb5.conf:

[domain_realm]
.demo.example.com = DEMO.EXAMPLE.COM
demo.example.com = DEMO.EXAMPLE.COM

3. Make sure that /etc/krb5/krb5.conf links to /etc/krb5.conf.
4. Also make sure that /etc/krb5/krb5.keytab links to /etc/krb5.keytab.
5. Make a backup of the credentials directory by executing the following command as root:

mv /var/krb5/security/creds /var/krb5/security/creds_old

6. As root, make a symbolic link to the /tmp directory so that the AIX Kerberos libraries can access the directory in which PBIS stores its credential caches:

ln -s /tmp /var/krb5/security/creds

7. Open /etc/environment, which contains the list of environment variables that are set when a user logs on, and add the following line to the end of it:

KRB5_CONFIG=/var/lib/pbis/krb5-affinity.conf:/etc/krb5.conf
8. If you are logged on the machine whose environment variable you changed, you must log off and log on again for the change to take effect.
Troubleshooting Kerberos

The following resources can help you troubleshoot time synchronization and other Kerberos issues:

• Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673(WS.10).aspx
• Authentication Errors Caused by Unsynchronized Clocks: http://technet.microsoft.com/en-us/library/cc780011(WS.10).aspx
• Kerberos Technical Supplement for Windows: http://msdn2.microsoft.com/en-us/library/aa480609.aspx
• The Kerberos Network Authentication Service (V5) RFC: http://www.ietf.org/rfc/rfc4120.txt
• Troubleshooting Windows Server Issues (including Kerberos errors): http://technet.microsoft.com/en-us/windowsserver/default.aspx
• Kerberos and LDAP Troubleshooting Tips: http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/17wsdsu.mspx

The following topics can help you address common issues related to Kerberos and PowerBroker Identity Services.

Fix a Key Table Entry-Ticket Mismatch

When an AD computer account password changes two or more times during the lifetime of a domain user's credentials, the computer's entry that matches the Kerberos service ticket is dropped from the Kerberos key table. Even though the service ticket has not expired, an action that depends on the entry, such as reading the event log or using single sign-on, will fail.

To avoid issues with Kerberos key tables, keytabs, and single sign-on, the computer password expiration time must be at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted clock skew.

The expiration time for a user ticket is set by using an Active Directory Group Policy setting called Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default PBIS computer password lifetime is 30 days.

Causes

The computer account password can change more frequently than the user's AD credentials under the following conditions:

• Joining a domain two or more times.
• Setting the expiration time of the computer account password Group Policy setting to be less than twice the maximum lifetime of user tickets. For more information, see the PowerBroker Identity Services Group Policy Administration Guide.
• Setting the local machine-password-lifespan for the lsass service in the PBIS registry to be less than twice the maximum lifetime for user tickets.

Solution

If a computer's entry is dropped from the Kerberos key table, you must remove the unexpired service tickets from the user's credentials cache by reinitializing the cache. Here is how:

On Linux and Unix, reinitialize the credentials cache by executing the following command with the account of the user who is having the problem:

/opt/pbis/bin/kinit

On Mac, you must run both the native kinit command and the PBIS kinit command with the account of the user who is having the problem. You must run both commands because the native ssh client uses the native credentials cache while the PBIS processes, such as those that access the event log, use the MIT credentials cache:

/opt/pbis/bin/kinit
kinit

Fix a KRB Error During SSO in a Disjoint Namespace

When you are working in a network with a disjoint namespace, in which the Active Directory domain name is different from the DNS domain suffix for computers, you may need to modify the domain_realm section of /etc/krb5.conf on your target computer even though your DNS A and PTR records are correct for both DNS domains and can be found both ways. The following error, in particular, indicates that you might have to modify your krb5.conf file before single sign-on (with SSH, for example) will work:

KRB ERROR BAD OPTION

Assume your computer's Active Directory domain is bluesky.example.com, your computer's FQDN is somehostname.green.example.com, and you have already created the following entries in DNS:
_kerberos._tcp.green.example.com 0 100 389 ad2.bluesky.example.com
_kerberos._udp.green.example.com 0 100 389 ad2.bluesky.example.com

Meanwhile, on the target computer, the [domain_realm] entry of your /etc/krb5.conf file looks like this:

[domain_realm]
.bluesky.example.com = BLUESKY.EXAMPLE.COM
bluesky.example.com = BLUESKY.EXAMPLE.COM

To resolve the error, add the following two lines to the [domain_realm] entry of your /etc/krb5.conf file:

.green.example.com = BLUESKY.EXAMPLE.COM
green.example.com = BLUESKY.EXAMPLE.COM

After adding the two lines above, the complete [domain_realm] entry now looks like this:

[domain_realm]
.bluesky.example.com = BLUESKY.EXAMPLE.COM
bluesky.example.com = BLUESKY.EXAMPLE.COM
.green.example.com = BLUESKY.EXAMPLE.COM
green.example.com = BLUESKY.EXAMPLE.COM

Finally, make sure that you have a correct .k5login file and then try to log on again.
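As an added example (not BeyondTrust's code), this shell script walks a krb5.conf [domain_realm] section the way Kerberos does and shows that somehostname.green.example.com maps to no realm until the two lines above are added; the sample krb5.conf files and the host dc1.bluesky.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: show how a host name is mapped to a
# Kerberos realm through the [domain_realm] section of krb5.conf, and why
# somehostname.green.example.com has no mapping until the two lines above
# are added. The krb5.conf contents are constructed from the guide's example;
# the host dc1.bluesky.example.com is an assumed name.

# Print the realm for an exact [domain_realm] key (case-insensitive) or
# nothing. Only the [domain_realm] section is read; "#" and ";" comments
# and other sections are skipped.
domain_realm_entry() {
    # $1 = krb5.conf path, $2 = key such as ".green.example.com"
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insect = (tolower($0) ~ /^[ \t]*\[domain_realm\]/); next }
        insect && index($0, "=") > 0 {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

# Resolve a host the way MIT Kerberos walks [domain_realm]: try the full
# host name, then each parent domain with a leading dot
# (a.b.example.com -> .b.example.com -> .example.com -> .com).
# Prints the realm and returns 0, or prints nothing and returns 1 when no
# entry matches, which is when Kerberos falls back to guessing the realm
# from the DNS suffix and SSO in a disjoint namespace breaks.
realm_for_host() {
    # $1 = krb5.conf path, $2 = host FQDN
    candidate=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while :; do
        realm=$(domain_realm_entry "$1" "$candidate")
        if [ -n "$realm" ]; then
            printf '%s\n' "$realm"
            return 0
        fi
        stripped=${candidate#.}
        case "$stripped" in
            *.*) candidate=".${stripped#*.}" ;;
            *)   return 1 ;;
        esac
    done
}

# Constructed krb5.conf files: "before" has only the bluesky mappings from
# the guide, "after" adds the two green.example.com lines.
write_sample_krb5conf() {
    # $1 = before|after, $2 = output path
    {
        printf '%s\n' '[libdefaults]' '    default_realm = BLUESKY.EXAMPLE.COM' \
            '' '[domain_realm]' '    .bluesky.example.com = BLUESKY.EXAMPLE.COM' \
            '    bluesky.example.com = BLUESKY.EXAMPLE.COM'
        if [ "$1" = after ]; then
            printf '%s\n' '    .green.example.com = BLUESKY.EXAMPLE.COM' \
                '    green.example.com = BLUESKY.EXAMPLE.COM'
        fi
        printf '%s\n' '' '[logging]' '    default = FILE:/var/log/krb5libs.log'
    } > "$2"
}

# Demonstration on the constructed files.
demo_dir=$(mktemp -d)
write_sample_krb5conf before "$demo_dir/before.conf"
write_sample_krb5conf after  "$demo_dir/after.conf"
for f in before.conf after.conf; do
    for host in dc1.bluesky.example.com somehostname.green.example.com; do
        r=$(realm_for_host "$demo_dir/$f" "$host") || r="(no mapping: realm will be guessed)"
        echo "$f  $host -> $r"
    done
done
rm -rf "$demo_dir"
```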
Eliminate Logon Delays When DNS Connectivity Is Poor

If connectivity to your DNS servers is tenuous or becomes unavailable, name resolution can time out, delaying the logon process. Because Active Directory is heavily dependent on a well-functioning DNS system, you should work to resolve your DNS issues.
If you cannot fix your DNS system, however, you can as a last resort set up a caching-forwarding name server on the PBIS client to eliminate the logon delay. For instance, you can set up a BIND server on each Linux or Unix computer on which you are running PBIS. Then you can configure BIND as a local caching resolver and add your name server addresses to the forwarder list, leaving /etc/resolv.conf with only the local loopback address:

search example.com
nameserver 127.0.0.1

For instructions on how to set up BIND, see the BIND documentation.

Eliminate Kerberos Ticket Renewal Dialog Box

There is an applet called krb5-auth-dialog that by default is active on many Linux distributions. It is intended to assist you with renewing your Kerberos tickets before they expire. Because PowerBroker Identity Services renews your tickets for you, the dialog box is superfluous and can be a nuisance.

To disable the dialog box:

1. In the menu, click System, Preferences, More Preferences, Session.
2. Click the Startup Programs tab and disable the krb5-auth-dialog program. This change prevents it from restarting next time you log on.
3. Close the Sessions window and then run this command from the shell:

pkill krb5-auth-dialog

Troubleshooting Single Sign-on and Kerberos Authentication

The following tools and procedures can help diagnose and resolve problems with Kerberos authentication when using the Apache HTTP Server for single sign-on (SSO).

Apache Log File

The location of the Apache error logs is specified in the Apache configuration file under the ErrorLog directive. Here is an example directive from /etc/httpd/conf/httpd.conf on RHEL 5:

ErrorLog logs/error_log

Microsoft Kerbtray Utility

The Microsoft Kerbtray.exe utility, part of the Windows 2000 Resource Kit, can verify whether Internet Explorer obtained a Kerberos ticket for your web server. You can download the utility at the following URL:
http://www.microsoft.com/downloads/details.aspx?familyid=4E3A58BE-29F6-49F6-85BE-E866AF8E7A88

Klist Utility

You can use the klist utility in /opt/pbis/bin/klist to check the Kerberos keytab file on a Linux or Unix computer. With the -k option, the command shows all the service principal entries contained in the keytab file so you can verify that the correct service principal names appear. Confirm that HTTP/[email protected] and HTTP/[email protected] appear in the list. It is normal to see multiple entries for the same name (one per encryption type).

Example:

klist -k krb5_myserver.keytab
Keytab name: FILE:krb5_myserver.keytab
KVNO Principal
---- ------------------------------------------
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]

If your service principal names are incorrect, generate a new Kerberos keytab file.

Tip: Use an Alternate Kerberos Credentials Cache
Because you cannot store credentials for more than one principal in a Kerberos credentials cache at a time, you must maintain two or more credential caches by using the KRB5CCNAME environment variable and then switch to the cache that you want to use. To use an alternate Kerberos cache with PBIS, for example, you could execute the following sequence of commands as root:

[root@oracle1 ~]# KRB5CCNAME=/var/lib/pbis/krb5cc_lsass
[root@oracle1 ~]# export KRB5CCNAME
[root@oracle1 ~]# klist
Ticket cache: FILE:/var/lib/pbis/krb5cc_lsass

Resolving Common Problems

Authentication problems can be difficult to diagnose. First, check all the configuration parameters, including the validity of the keytab file. Second, review the common problems in the following table.
Problem: The system's clock is out of sync.
Solution: The Kerberos standard requires that system clocks be no more than 5 minutes apart. Make sure that the system clocks on the Active Directory domain controller, the Linux or Unix web server, and the client are synchronized.

Problem: The user accessing the website is not on the require list.
Solution: If a Kerberos ticket was obtained on the client or the user correctly entered his credentials during the Basic Authentication prompt, it might be because authentication worked but the authorization failed. If so, the Apache error_log will contain a line like this:

access to / failed, reason: user EXAMPLE\\user not allowed access

Add the user to the require user directive or add the user's group to the require group directive.

Problem: The user accessing the website is logged on the wrong domain.
Solution: If the client user is logged on a domain different from the domain of the web server, one of two things will happen:
1. If the KrbMethodK5Passwd directive is set to on, or was not specified and thus defaults to on, the user will be prompted for credentials.
2. If KrbMethodK5Passwd is set to off, authentication will fail and the Authorization Required page will be displayed.

Problem: Internet Explorer does not consider the URL to be part of the Local Intranet zone or the Trusted sites.
Solution: This problem commonly occurs when the website is accessed by using a URL that includes the full domain name, such as https://myserver.example.com. Internet Explorer tries to obtain Kerberos tickets only for websites that are in the Local Intranet zone. Try to access the website by using only the server name, for example https://myserver. Or, you can add the URL to a list of Local Intranet sites or the trusted sites by changing your options in Internet Explorer.

Problem: The service principal name of the website is mapped to more than one object in the Active Directory.
Solution: Although this problem is rare, it is difficult to diagnose because the error messages are vague. The problem can occur after the ktpass utility was used repeatedly to generate a Kerberos keytab file for the web server.
To check for this problem, log on your Active Directory domain controller and open the Event Viewer. Look for an event of type = Error, source = KDC, and event ID = 11. The text of the event will be similar to the message below:
There are multiple accounts with name HTTP/myserver.example.com of type DS_SERVICE_PRINCIPAL_NAME.

To fix the problem, find the computer or user objects that were used to map the service principal name in Active Directory and then use ADSI Edit to manually remove the "HTTP/myserver.example.com" string from the servicePrincipalName object property.

Below the table is a screenshot that provides an example of how to find an object named HTTP by using Ldp:
Resolving Kerberos Library Mismatch

Because some operating systems, such as the 64-bit version of Red Hat Enterprise Linux 5, use an outdated version of /lib/libcom_err.so, the PBIS authentication agent cannot locate the proper system library, leading to an error that looks like this:

httpd: Syntax error on line 202 of /etc/httpd/conf/httpd.conf: Cannot load /opt/pbis/apache/2.2/mod_auth_kerb.so into server: /opt/pbis/lib/libcom_err.so.3: symbol krb5int_strlcpy, version krb5support_0_MIT not defined in file libkrb5support.so.0 with link time reference

Solution: Force the httpd daemon to use the PBIS krb5 libraries by opening the startup script for the Apache HTTP Server, /etc/init.d/httpd, and adding the path to the PBIS Kerberos libraries on the line that starts Apache. The line that starts the daemon can vary by operating system. Example on a 64-bit system:

LD_LIBRARY_PATH=/opt/pbis/lib64 LANG=$HTTPD_LANG daemon $httpd $OPTIONS

On a 32-bit system, the path would look like this:

/opt/pbis/lib

Note: This modification changes the version of the Kerberos libraries that are used by the Apache HTTP Server. The change might result in compatibility issues with other modules of Apache that use Kerberos.
Troubleshooting the PBIS Database

If the information in your reports or the events displayed in the Operations Dashboard seem incomplete, perform the following series of diagnostic tests sequentially:

• Start with the endpoints: your Linux, Unix, and Mac OS X computers that log events and send them to the collector server.
• Check the collector server: the server that processes and forwards events from the PBIS clients to the database.
• Check the database.

Check the Endpoints

To troubleshoot potential endpoint problems:

1. Log on to a computer that you suspect might have a problematic endpoint and confirm that events are logged in the local event database. Run the following command as root or as an AD user with administrator privileges:

/opt/pbis/bin/eventlog-cli -s - localhost

2. If no recent events are displayed or if the command returns errors, make sure that the event log service is running:

/opt/pbis/bin/lwsm status eventlog

3. If it is not running, check /var/log/messages to find out why and report the information to BeyondTrust support. Then, restart the service:

/opt/pbis/bin/lwsm start eventlog

Note: On HP-UX, PBIS uses HP's rpc service instead of dcerpc. If the HP-UX rpc service does not allow eventlog to register an RPC endpoint, restart the rpc service and then restart eventlog.

4. If recent events are present but are not being forwarded, make sure that the event forwarding service is running:

/opt/pbis/bin/lwsm status eventfwd

5. If it is not running, check /var/log/messages to try to identify the cause and report the information to BeyondTrust support. Then, restart the service:

/opt/pbis/bin/lwsm start eventfwd
6. Check the event forwarding service's configuration in the PBIS registry to make sure that it properly identifies a collector server and, if the collector server is identified by its IP address, its collector-principal. If you modify the settings of the eventfwd service, you must restart the service for the changes to take effect.

Example of a configuration that uses the host name of its collector:

[HKEY_THIS_MACHINE\Services\eventfwd\Parameters]
"Collector"="w2k3-r2.example.com"

7. Make sure the collector can be resolved:

[root@rhel5d bin]# nslookup w2k3-r2.example.com
Server:   192.168.1.20
Address:  192.168.1.20#53

Name:     w2k3-r2.example.com
Address:  192.168.1.20

8. Make sure the collector server can be reached:

[root@rhel5d bin]# ping w2k3-r2.example.com
PING w2k3-r2.example.com (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=128 time=1.40 ms

9. If the collector is identified by IP address, make sure the collector-principal is properly set. For example, if the collector server is at IP address 192.168.1.255 and has a Kerberos machine name of EventCollector in the AD domain example.com, the collector-principal parameter would be:

collector-principal=host/[email protected]

10. Check /var/log/messages for errors.
11. Stop the eventfwd service and then run it from the command line to display error information about the event forwarder's communication with the collector server:
/opt/pbis/bin/lwsm stop eventfwd
/opt/pbis/sbin/eventfwd --loglevel debug
After you run eventfwd from the command line, stop it with CTRL-C and then restart it:
/opt/pbis/bin/lwsm start eventfwd
After you verify that the endpoint is properly receiving events and forwarding them to a collector server, check the collector. If there are recent events, make a note of the last event's timestamp, event category, and event description. Next, see Check the Collector for how to check whether the collector received the event.
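Steps 6 through 9 above are a fixed set of checks on the eventfwd configuration, and they can be scripted. The following is an added example, not BeyondTrust's code: it parses a registry fragment in the form shown in step 6, and flags a collector that is identified by IP address without a collector-principal, because Kerberos cannot derive a service principal name from an IP address, so the forwarder has nothing to authenticate the collector against. The registry value name CollectorPrincipal, the two sample fragments and the injectable resolver are assumptions of this example, not values taken from the product.

```python
"""Validate the eventfwd collector settings on a PBIS endpoint.

Added example, not BeyondTrust code. It assumes a registry fragment in the
form shown in the guide; the value name "CollectorPrincipal" is an
assumption (the guide only shows the parameter as collector-principal).
"""
import ipaddress
import re
import socket

EVENTFWD_KEY = r"[HKEY_THIS_MACHINE\Services\eventfwd\Parameters]"

# Constructed sample: a collector identified by host name, as in the guide.
SAMPLE_BY_NAME = r"""
[HKEY_THIS_MACHINE\Services\eventfwd\Parameters]
"Collector"="w2k3-r2.example.com"
"""

# Constructed sample: a collector identified by IP with no principal set.
SAMPLE_BY_IP_NO_PRINCIPAL = r"""
[HKEY_THIS_MACHINE\Services\eventfwd\Parameters]
"Collector"="192.168.1.255"
"""


def parse_registry_fragment(text):
    """Return {key: {value_name: value}} from a .reg-style text fragment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line
            sections[current] = {}
            continue
        match = re.match(r'"([^"]+)"\s*=\s*"([^"]*)"', line)
        if match and current is not None:
            sections[current][match.group(1)] = match.group(2)
    return sections


def is_ip_address(value):
    """True for a literal IPv4/IPv6 address, False for a host name."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def expected_principal(machine_name, domain):
    """Service principal the forwarder must target when the collector is
    named by IP: host/<machine>@<REALM>, as in the guide's step 9 example."""
    return f"host/{machine_name}@{domain.upper()}"


def check_eventfwd_config(fragment, resolver=socket.gethostbyname):
    """Return a list of (status, message) findings.

    resolver is injectable so the check can run offline; by default it
    performs the same DNS lookup the guide does with nslookup (step 7).
    """
    params = parse_registry_fragment(fragment).get(EVENTFWD_KEY)
    if params is None:
        return [("FAIL", "eventfwd Parameters key not found")]
    collector = params.get("Collector", "")
    if not collector:
        return [("FAIL", "Collector value is not set")]
    principal = params.get("CollectorPrincipal", "")  # assumed value name
    findings = []
    if is_ip_address(collector):
        # Kerberos cannot derive a service principal from an IP, so the
        # principal has to be configured explicitly (guide, step 9).
        if not principal:
            findings.append(("FAIL", f"Collector {collector} is an IP address "
                             "but collector-principal is not set"))
        elif not re.fullmatch(r"host/[^@/]+@[A-Z0-9.-]+", principal):
            findings.append(("WARN", f"collector-principal {principal!r} "
                             "is not of the form host/<name>@<REALM>"))
        else:
            findings.append(("OK", f"collector-principal {principal}"))
    else:
        try:
            addr = resolver(collector)
            findings.append(("OK", f"{collector} resolves to {addr}"))
        except OSError as exc:
            findings.append(("FAIL", f"{collector} does not resolve: {exc}"))
    return findings


if __name__ == "__main__":
    for status, message in check_eventfwd_config(SAMPLE_BY_IP_NO_PRINCIPAL):
        print(status, message)
```

Running the module as-is reports the FAIL for the IP-only sample; feeding it a fragment exported from a real endpoint, after a restart of the eventfwd service, gives the same answer the manual steps do without touching the collector.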
Check the Collector
1. Make sure BTCollector is running by executing the following command at the shell prompt of the Windows computer running the collector:
C:\Program Files\BeyondTrust\PBIS\Enterprise>sc query BTCollector
SERVICE_NAME: BTCollector
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
2. If the process is stopped, use eventvwr.exe to check the Windows event log for information about why the service failed.
Note: If there are unusual RPC errors in the Windows event log, make sure PowerBroker DB Utilities is not installed on a Windows XP machine. Windows XP, by default, restricts the incoming TCP-based RPC used by BTCollector. The collector server must be running Windows 2003 or Windows 2008.
3. If the process is not running, start it by executing the following command:
C:\Program Files\BeyondTrust\PBIS\Enterprise>sc start BTCollector
4. Verify that the service is receiving forwarded events by viewing the contents of the collector's local SQLite database. To execute the following command, the BTCollector process must be running and you must have read privileges in the access control list:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTCollector-cli -s -localhost
The command should return a list of the events collected from the endpoints. If there is no data, it is likely that your endpoints are improperly configured (see the previous section). If the event that you noted when you checked the event forwarder in the previous section is among the results, make sure the BTEventDBReaper service is functioning properly.
5. Verify that BTEventDBReaper is running:
C:\>sc query BTEventDBReaper
6. If the process is stopped, use eventvwr.exe to check the Windows event log for information about why the service failed. Restart the service with:
C:\>sc start BTEventDBReaper
7. Check the database connection string and the service's other execution parameters:
C:\Program Files\BeyondTrust\PBIS\Enterprise>BTEventDBReaper /s
The results should look something like this:
Database provider: System.Data.SqlClient
Connection string: Data Source=SomeCollector;Initial Catalog=LikewiseEnterprise;Integrated Security=yes
Record id last copied: 487
Records per period: 120
Seconds in a period: 10000
If the database server (Data Source= for SQL Server or Server= for MySQL) is identified by name (as in the example), verify that the name can be resolved to an address by using nslookup and verify that the address is reachable from the collector server by using ping.
8. Use eventvwr.exe to check the Windows event log for messages. If BTEventDBReaper is failing to write to the central PBIS Enterprise database and if you are using SQL Server with integrated security, make sure that the collector server's machine account has sufficient privileges to write to the PBIS Enterprise database.
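Steps 7 and 8 above turn on reading the BTEventDBReaper /s output correctly: which connection-string key names the database server depends on the provider, and with integrated security the account that must be able to write is the collector's machine account, not the administrator running the check. The following is an added example, not BeyondTrust's code: it parses output in the layout shown in step 7, extracts the host to resolve, reports the integrated-security caveat, and compares the "Record id last copied" counter between two runs to tell whether the reaper is actually making progress. The instance and port separators it strips, the sample output and the injectable resolver are assumptions of this example.

```python
"""Sanity-check BTEventDBReaper settings from the output of BTEventDBReaper /s.

Added example, not BeyondTrust code. The output layout follows the sample in
the guide; the instance/port separators stripped from the host name are an
assumption, and the resolver is injectable so the check runs offline.
"""
import re
import socket

SQLCLIENT = "System.Data.SqlClient"

# Constructed sample in the layout the guide shows for BTEventDBReaper /s.
SAMPLE_REAPER_STATUS = """\
Database provider: System.Data.SqlClient
Connection string: Data Source=SomeCollector;Initial Catalog=LikewiseEnterprise;Integrated Security=yes
Record id last copied: 487
Records per period: 120
Seconds in a period: 10000
"""

INTEGRATED_NOTE = ("integrated security: grant the collector machine account "
                   "write access to the database")


def parse_reaper_status(text):
    """Return {field: value} with field names lower-cased."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased name."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def database_host(provider, conn):
    """Host the reaper connects to: Data Source= for SQL Server, Server= for
    MySQL (as the guide states). An instance suffix (host\\instance) or port
    suffix (host,port or host:port) is stripped so the bare host can be
    resolved; which separators appear is an assumption of this example."""
    key = "data source" if provider == SQLCLIENT else "server"
    return re.split(r"[\\,:]", conn.get(key, ""), maxsplit=1)[0]


def check_reaper(text, resolver=socket.gethostbyname):
    """Return (status, message) findings for one BTEventDBReaper /s output."""
    fields = parse_reaper_status(text)
    provider = fields.get("database provider", "")
    conn = parse_connection_string(fields.get("connection string", ""))
    host = database_host(provider, conn)
    if not host:
        return [("FAIL", "no database server named in the connection string")]
    findings = []
    integrated = conn.get("integrated security", "").lower()
    if provider == SQLCLIENT and integrated in ("yes", "true", "sspi"):
        # With integrated security the reaper authenticates as the collector's
        # machine account, which must be allowed to write (guide, step 8).
        findings.append(("INFO", INTEGRATED_NOTE))
    try:
        addr = resolver(host)
        findings.append(("OK", f"{host} resolves to {addr}"))
    except OSError as exc:
        findings.append(("FAIL", f"{host} does not resolve: {exc}"))
    return findings


def reaper_advanced(before_text, after_text):
    """True if 'Record id last copied' grew between two /s snapshots taken
    some time apart; a counter that never moves while the collector's local
    database keeps receiving events means nothing reaches the central DB."""
    before = int(parse_reaper_status(before_text).get("record id last copied", "0"))
    after = int(parse_reaper_status(after_text).get("record id last copied", "0"))
    return after > before


if __name__ == "__main__":
    for status, message in check_reaper(SAMPLE_REAPER_STATUS):
        print(status, message)
```

On a real collector, capture BTEventDBReaper /s twice a few minutes apart and pass both captures to reaper_advanced; a host that resolves but a counter that does not move points at the database-side permissions or the named-pipe setting covered in Check the Database, not at name resolution.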
Check the Database
1. Check the PBIS Enterprise database on the database server to check whether the table containing events is complete. If necessary, write a manual query to view recent events or to look for an event.
For example, with MySQL you can use the MySQL command-line utility to open the LikewiseEnterprise database and run the following command to display all the events in the table named Events:
select * from Events;
2. If you cannot open or read the database, you might not have sufficient privileges to access it, which can result in problems when you run reports in the PBIS Console or use the Operations Dashboard.
3. If you are using SQL Server and the Events table is empty, use the SQL Server Configuration Manager to make sure that the named-pipe client protocol is enabled. If it is not and you have to enable it, you must restart the SQL Server service for the changes to take effect.
4. If you find events in the Events table, check whether the events are also present in the EventsWithOUName view. If an event appears in the Events table but not in the EventsWithOUName view, it is because the database cannot associate your event with a computer in Active Directory. Run the ldbupdate.exe script and then check whether the event now appears in both views.
Troubleshooting Checklists
The checklists in this section can help you troubleshoot problems with the reporting components.
Endpoints
To check for endpoint problems, confirm the following:
• eventlog service running
• eventfwd service running
• reapsysl service running
• eventfwd service properly configured
• Collector name resolvable and address reachable
• Collector principal properly set
• /etc/syslog.conf properly configured
• Events present in local event log (test with eventlog-cli)
• eventfwd service seems to be forwarding messages properly (run from command line to test)
• Firewall not blocking RPC access of collector server
Collector Servers
To check for problems with the collector servers, confirm the following:
• BTCollector service running
• BTEventDBReaper service running
• Events present in local collector database (test with BTCollector-cli)
• BTEventDBReaper properly configured (test with BTEventDBReaper /s)
• Database provider and connection string properly set
• Collector ACL allows endpoints to write to it (set with Event Management Console)
• Collector machine account has sufficient privileges to write to database
• No unusual errors in Windows event log (run eventvwr.exe)
• Firewall not blocking incoming RPC connections or outgoing database connections
Database
To check for problems with the database, confirm the following:
• Can connect to it with SQL Server Management Studio or MySQL utility
• Events table contains events
• EventsWithOUName view contains events
• Database security set to allow writing by collector servers, by ldbupdate user, and by administrators
• ldbupdate utility recently run to account for new endpoints joined to AD
• Named-pipe client access enabled in SQL Server
• Firewall not blocking incoming database connection
Windows Reporting Components
To check for problems with the Windows reporting components, confirm the following:
• Database connection strings set properly
• User has sufficient privileges to access database
• Firewall not blocking database connections
Switching Between Databases
To send events to a different database, you must change the database connection string in at least two places:
• The reaper service for the database (BTEventDBReaper)
• The Enterprise Database Management page in the BeyondTrust Management Console.
Changing the setting on the Enterprise Database Management page automatically changes the same setting on the console's Audit and Access Reporting page and the Operations Dashboard.
However, if you installed different plug-ins of the BeyondTrust Management Console on different computers (for example, to run the Operations Dashboard on a separate computer), then you must change the database connection string on each computer and you might have to change it in the following additional locations, especially if the computer's PBIS console does not include the Enterprise Database Management plug-in: the Audit and Access Reporting page and the Operations Dashboard page.
After making the changes, you must reset the reaper service so it begins sending events to the new database.
1. In the PBIS console tree on your Windows administrative workstation, right-click the Enterprise Database Management node and then click Connect to database.
a. Click Change. Under Database Type, select MySQL or Microsoft SQL Server, and then enter the name of the database server instance in the Server/Instance box.
b. In the Username and Password boxes, enter the credentials of the database definer account if required for the authentication type that you selected, and then click OK.
2. In the console tree, right-click the Operations Dashboard node and then click Connect to.
a. Click Change.
b. Change the database settings as needed, and then click OK.
3. In the console tree, right-click the Audit and Access Reporting node, and then click Advanced.
a. Click Change.
b. Change the database settings as needed, and then click OK.
4. Open a command prompt window as an administrator and then change directories to C:\Program Files\BeyondTrust\PBIS\Enterprise, and then run the following command:
BTEventDBReaper /gui
a. Make the changes that you want, and then click OK.
5. Reset the event db reaper to 0 and then refresh its settings to prompt it to send the events to the new database. To do so, from the C:\Program Files\BeyondTrust\PBIS\Enterprise folder, run the following commands as an administrator:
BTEventDBReaper /f 0
BTEventDBReaper /r
Contact Technical Support
BeyondTrust Software, Inc. provides an online knowledge base, as well as telephone and web-based support.
There is also a detailed troubleshooting section in this guide.
Before Contacting Technical Support
To expedite support, collect the following information to provide to Technical Support:
• PBIS Enterprise version (Available in the PBIS Console by clicking Help, About on the menu bar.)
• PBIS Agent version and build number (See Check the Version and Build Number.)
• Linux or Unix version
• Windows or Windows Server version
As a best practice, if you are contacting Technical Support about one of the following problems, also provide the diagnostic information specified.
Segmentation Faults
Provide the following additional information when contacting Technical Support:
• Core dump of the PowerBroker Identity Services application:
ulimit -c unlimited
• Exact patch level or exact versions of all installed packages. (See Check the Version and Build Number.)
Program Freezes
Provide the following additional information when contacting Technical Support:
• Debug logs
• tcpdump
• An strace of the program
Domain-Join Errors
See Troubleshooting Domain-Join Problems.
Provide the following additional information when contacting Technical Support:
• Debug logs (See Generate a Domain-Join Log or grab the log file from /var/log/pbis-join.log.)
• tcpdump
All Active Directory Users Are Missing
See Solve Logon Problems on Linux or Unix or Solve Logon Problems from Windows.
Provide the following additional information when contacting Technical Support:
• Run /opt/pbis/bin/get-status (See List the Status of the Authentication Providers.)
• Contents of nsswitch.conf
All Active Directory Users Cannot Log On
Provide the following additional information when contacting Technical Support:
• Output of id <user>
• Output of su -c 'su <user>' <user>
• Lsass debug logs (See Generate an Authentication Agent Debug Log.)
• Contents of pam.d/pam.conf
• The sshd and ssh debug logs and syslog
AD Users or Groups are Missing
Provide the following additional information when contacting Technical Support:
• The debug logs for lsass
• Output for getent passwd or getent group for the missing object
• Output for id <user> if user
• tcpdump
• Copy of lsass cache file. (For more about the file name and location of the cache files, see PBIS Agent.)
Poor Performance When Logging On or Looking Up Users
Provide the following additional information when contacting Technical Support:
• Output of id <user>
• The lsass debug log
• Copy of lsass cache file. (For more about the file name and location of the cache files, see PBIS Agent.)
• tcpdump
Contacting Support
If you encounter problems that are not covered in the documentation, contact BeyondTrust Technical Support.
When contacting Technical Support, provide the following information:
• Your company name
• Telephone and email address where you can be contacted
• Description of the problem and the steps you have taken to resolve it
• Diagnostic information requested in Before Contacting Technical Support
You can contact BeyondTrust Technical Support by email or through the BeyondTrust website. If you are located in the United States, you can also contact Technical Support by telephone. Support is staffed 24 hours per day, seven days per week.
Telephone: +1 800-234-9072 or +1 818-575-4040
Email: [email protected]
Web: To submit a support request online:
1. Browse to http://www.beyondtrust.com.
2. Click Support at the top of any page.
3. On the BeyondTrust Technical Support page, scroll to the Customer Support Portals section and click the PowerBroker Identity Services tab.
4. If you do not have a PBIS Support password, click [email protected] be sent to your email address.
Note: This is a different password than the one provided for use with the BeyondTrust Customer/Partner Portal.
5. For Username, enter your email address.
6. For Password, enter the password provided to you by PBIS Support and click Submit.