Centos 6.6 Minimal & Beyond Trust's Power Broker Identity Services aka Likewise - rharmonson/richtech GitHub Wiki

CentOS 6.6 Minimal & Beyond Trust's Power Broker Identity Services aka Likewise-open

PBIS, previously known as Likewise, permits integration of Linux hosts with Microsoft Windows Active Directory for identity and authentication. The version of PBIS from the repository at this date is 8.2.2.

Installation

  1. PREREQUISITE: Install Windows AD DS & DNS. I used Server 2012 R2 Standard.
  2. Complete Base CentOS 6.6 Minimal installation. Guide found here: https://github.com/rharmonson/richtech/wiki/CentOS-6.5-Minimal-x86_64-Base-Installation-Guide
  3. # vi /etc/selinux/config and update it with SELINUX=permissive
  4. # yum install ntp -y
  5. # ntpdate 172.16.1.21 where the IP address is your NTP time source(s)
  6. # yum install wget -y
  7. # rpm --import http://repo.pbis.beyondtrust.com/yum/RPM-GPG-KEY-pbis
  8. # wget -O /etc/yum.repos.d/pbiso.repo http://repo.pbis.beyondtrust.com/yum/pbiso.repo
  9. # yum clean all
  10. # yum install pbis-open

results:

================================================================================
 Package                  Arch          Version              Repository    Size
================================================================================
Installing:
 pbis-open                x86_64        8.2.2-2993           pbiso         17 M
Installing for dependencies:
 pbis-open-upgrade        x86_64        8.2.2-2993           pbiso         15 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total download size: 17 M
Installed size: 43 M
Is this ok [y/N]:

Domain Membership & DNS

  1. # domainjoin-cli join yourdomain.com Administrator where yourdomain.com is the AD DS domain to join and Administrator is the domain account used to join.
  2. # /opt/pbis/bin/update-dns to dynamically create a DNS record (DDNS) for the Linux host in your AD DS domain zone.
  3. # reboot

What Comes Next?

At this point, you have some basic enhancements; however, you are probably going to use PBIS to enable some other product. For example, my reason for this post is that I will be using PBIS as part of a two-factor authentication solution. It may be advisable to complete your build before moving to the next section, titled "SSHD"; however, please read the "Warning" at the end of this document.

SSHD

At this point, all domain users can log in using the local console or SSH. To deny SSH logins for all "domain users", edit "sshd_config" and scroll to the bottom of the file.

# vi /etc/ssh/sshd_config

Find the following item, usually at the end of the file:

...
KbdInteractiveAuthentication yes

then add

DenyGroups domain^users

resulting with

...
KbdInteractiveAuthentication yes
DenyGroups domain^users

Warning

The PBIS package modifies a variety of files, including files within /etc/pam.d and /etc/ssh; however, it does create a backup of each original file with .lwidentity.orig appended to the name. I would advise using locate from the "mlocate" package to find those backups and recovering the original configuration files unless domain account access is intended. It is disappointing that the installation script doesn't ask before enabling PBIS for services.
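As an added example (not from this wiki or from the PBIS project), a POSIX shell helper that finds the .lwidentity.orig backups PBIS leaves beside each file it rewrote, shows what changed, and can put the originals back; the function names and the optional ROOT argument (defaults to /, useful for checking a staged copy of /etc) are my assumptions.

```shell
#!/bin/sh
# Audit (and optionally restore) the configuration files PBIS rewrote.
# PBIS keeps the pre-join copy of each file it edits as <file>.lwidentity.orig,
# so the set of backups under ROOT/etc is the record of what it touched.

# Print the live path of every file whose content differs from its backup
# (or whose live copy is gone). ROOT is an assumed, optional alternate root.
pbis_changed_files() {
    root="${1:-}"
    find "$root/etc" -name '*.lwidentity.orig' 2>/dev/null | sort |
    while read -r bak; do
        live="${bak%.lwidentity.orig}"
        if [ ! -e "$live" ]; then
            printf '%s\n' "$live"      # live file removed entirely
        elif ! cmp -s "$bak" "$live"; then
            printf '%s\n' "$live"      # contents differ from the original
        fi
    done
}

# Show a unified diff (original -> PBIS-modified) for each changed file,
# so the PAM/SSH changes can be reviewed before deciding to keep them.
pbis_audit() {
    pbis_changed_files "$1" | while read -r live; do
        echo "== $live (original saved as $live.lwidentity.orig)"
        diff -u "$live.lwidentity.orig" "$live" || true
    done
}

# Restore the pre-PBIS copy over each changed file, keeping the PBIS version
# as <file>.pbis for reference. Only files reported as changed are touched.
pbis_restore() {
    pbis_changed_files "$1" | while read -r live; do
        [ -e "$live" ] && cp -p "$live" "$live.pbis"
        cp -p "$live.lwidentity.orig" "$live"
        echo "restored $live"
    done
}
```

Run pbis_audit first and only call pbis_restore on a host where domain account access is not intended, since restoring /etc/pam.d and /etc/ssh removes the PBIS hooks those logins depend on.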



Feedback

Github user docsmooth on February 17, 2017, provided this very insightful and helpful feedback on PBIS and the topic above.

The following options are more "PBIS-like" methods of doing the same thing:

Rather than edit sshd_config to block domain^users, run "/opt/pbis/bin/config RequireMembershipOf nonexistentgroup". This will only allow members of "nonexistentgroup" to log into the box, which won't exist, so PBIS users will be effectively blocked.

Even better, however, is to simply NOT enable pam when you do the join:

domainjoin-cli join --disable pam domain.com username

Now no PAM modifications will be done. The same can be done with "--disable ssh" and "--disable nsswitch". If you do all 3 of these, however, you'll need to have your software make direct calls into PBIS to find AD users, since they won't be exposed to the OS.

You can change these configurations live with:

domainjoin-cli configure --enable
domainjoin-cli configure --disable

See the full list in domainjoin-cli --help and domainjoin-cli --help-internal.
