Configure PBIS

PBIS Configuration

We are ready to proceed with configuration. Navigate to the /opt/pbis/bin/ directory and run the domainjoin-cli command to join the host to an Active Directory domain.

cd /opt/pbis/bin/
sudo domainjoin-cli join [DomainName] [DomainAccount]

where,

DomainName – the name of your domain
DomainAccount – your domain account (user@domainname)

Example: sudo domainjoin-cli join example.com administrator

When prompted, provide the Active Directory administrator's password. On successful authentication, the command adds your Ubuntu computer as a member of the domain. The command also adds entries to the /etc/hosts file.
To check the Ubuntu domain settings, run the following command from your terminal:

sudo domainjoin-cli query

The command displays the name of the domain that your Ubuntu computer has joined.

Example:

Name = username
Domain = example.com
Distinguished Name = CN=username,CN=Computers,DC=example,DC=com

Note: If you want to remove your Ubuntu computer from the domain, run:

sudo domainjoin-cli leave

Once the host is joined to the domain, an important step is to restrict access to the sudoers group to members of the Domain Admins group only. This is done by adding %domain^admins ALL=(ALL) ALL to the group section of the /etc/sudoers file, so that the section looks as follows:

# Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL
%domain^admins ALL=(ALL) ALL

The good thing about PBIS is that it offers multiple ways to customize the login, domain prefix, login shell, folder name, etc. To set up a default configuration for domain users, use PBIS to set the environment for all domain users who will log in to the system.
Open the terminal and run the following commands:

Set domain prefix

sudo /opt/pbis/bin/config UserDomainPrefix [Domain]

Set this to 'true' to avoid entering the domain name all the time

sudo /opt/pbis/bin/config AssumeDefaultDomain True

Set default shell

sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Set a different home directory than the local users on the machine

sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U

Set specific Active Directory security groups

sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\[SecurityGroup]"

Update DNS

sudo /opt/pbis/bin/update-dns

Clear cache

sudo /opt/pbis/bin/ad-cache --delete-all

As the next step, you need to edit the pam.d common-session file. Type in the terminal:

sudo vi /etc/pam.d/common-session

Navigate to the line that states session sufficient pam_lsass.so and replace it with session [success=ok default=ignore] pam_lsass.so

Then, we need to edit the lightdm configuration file and append the following lines:

sudo vi /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

allow-guest=false
greeter-show-manual-login=true

Please note that if you are using Lubuntu 14.04, your lightdm configuration file will be 60-lightdm-gtk-greeter.conf
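
The common-session edit above can lock out logins if it goes wrong, so it helps to script it and then verify the result. The following is an added example, not part of the original article: fix_pam_lsass makes the pam_lsass change idempotently with a backup, and audit_hardening checks that the sudoers, PAM and lightdm settings from this page are present. The function names and the choice to pass file paths as arguments are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. File paths are arguments so the
# functions can be tried on copies before touching /etc.

# fix_pam_lsass FILE: idempotent, backed-up version of the common-session edit.
# Returns 0 when FILE is in the desired state, 1 when there is nothing to convert.
fix_pam_lsass() {
    local file="$1" tmp
    local old='^session[[:space:]]+sufficient[[:space:]]+pam_lsass\.so'
    local new='session [success=ok default=ignore] pam_lsass.so'
    # Already converted: re-running changes nothing.
    grep -Eq '^session[[:space:]]+\[success=ok default=ignore\][[:space:]]+pam_lsass\.so' "$file" && return 0
    if ! grep -Eq "$old" "$file"; then
        echo "no 'session sufficient pam_lsass.so' line in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1   # restore point if logins break
    tmp=$(mktemp) || return 1
    # Only the control field changes; module arguments after pam_lsass.so are kept.
    sed -E "s/$old/$new/" "$file" > "$tmp" && cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# audit_hardening SUDOERS PAM LIGHTDM: prints every setting from this page that
# is missing and returns the number of findings (0 means all are present).
audit_hardening() {
    local findings=0
    check() {   # check FILE ERE DESCRIPTION
        grep -Eq "$2" "$1" && return 0
        echo "MISSING in $1: $3"
        findings=$((findings + 1))
    }
    check "$1" '^%domain\^admins[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' '%domain^admins sudo rule'
    check "$2" '^session[[:space:]]+\[success=ok default=ignore\][[:space:]]+pam_lsass\.so' 'pam_lsass session control'
    check "$3" '^allow-guest=false' 'allow-guest=false'
    check "$3" '^greeter-show-manual-login=true' 'greeter-show-manual-login=true'
    return "$findings"
}
```

Run both as root against /etc/pam.d/common-session, /etc/sudoers and the lightdm file named above, and keep an existing root session open until a fresh login succeeds, so the .bak copy can be restored if PAM is misconfigured.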

source:

https://linoxide.com/configure-pbis-join-ubuntu-windows-ad/
