Ubuntu 16.04 + PBIS

(Update 17-Aug-2016: This article has been revised and now incorporates the latest version of PBIS)

The setup is pretty similar to the setup with Ubuntu 14.04 (See: http://techtalkblog.ch/ubuntu-14-04-3-pbis-ad-domain/)

Before we get started I need to point out a few things …

The following steps will be based on these specifications:

  • MS Windows Server 2012 Domain Name: techtalk.local
  • Domain admin username: administrator
  • Domain user username: bob

When installing Ubuntu you are requested to create a user. I am going to end up using this user as a kind of local administrator user account on the PC for use ONLY when the domain user login is not working. This user account will be hidden from the Ubuntu login screen.

  • Local PC Administrator user name: temp

So basically what I will end up with on this PC when it’s finished being set up is:

  • User “temp” – Local PC Administrator account completely non-related to the Domain
  • User “administrator” – Domain administrator account
  • User “bob” – Domain user account

REMEMBER: You must be connected to the Domain network!!


Install Ubuntu 16.04

I am installing Ubuntu 16.04.1

Install the OS as you normally would and when prompted create the Local PC Administration account. I use ‘temp’ for the username … you can use whatever you like of course.

Update Ubuntu

sudo apt update
sudo apt dist-upgrade

Edit avahi config

If you don’t do this you will get conflicts later when installing PBIS.

sudo nano /etc/avahi/avahi-daemon.conf

replace: #domain-name=local

with: domain-name=.alocal

Install ssh:

sudo apt install ssh

Install PBIS:

  • Download install file >

Download website: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

  • Make install file executable >

sudo chmod +x Downloads/pbis-open-8.5.0.153.linux.x86_64.deb.sh

  • Execute install file

sudo ./Downloads/pbis-open-8.5.0.153.linux.x86_64.deb.sh

Install package for legacy links? -> no
Would you like to install now? -> yes

After install you might get a GUI tool asking you to join the domain. I prefer to close it and to continue via the terminal.

Restart avahi service

sudo service avahi-daemon restart

Join PC to domain

sudo domainjoin-cli join domain.local domain-administrator-username

So for our example it would be:

sudo domainjoin-cli join techtalk.local administrator

You will be prompted for the Domain Administrator password and then should see “SUCCESS”.

Restart ssh service

sudo service ssh restart

Set AD login settings

sudo /opt/pbis/bin/config UserDomainPrefix techtalk
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\DomainUsers

DomainUsers = the “Domain Users” security group in AD. Note that PBIS writes spaces in group names as ^ (check the exact name with pbis enum-groups); RequireMembershipOf is what restricts which domain accounts may log in to this PC, so a wrong group name here shows up as “access denied” at login.
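As an added example (not part of the original article), the POSIX shell helpers below generate the same five config commands from a domain name and a list of AD groups, encode the group names the way PBIS expects (DOMAIN\group, spaces written as ^), and refuse to apply an empty group list, since that would leave RequireMembershipOf unset and every domain account able to log in. The helper names, the DRY_RUN variable and passing several groups as separate arguments are my assumptions; the /opt/pbis/bin/config path and settings are the article's.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the PBIS login settings from
# the article. Assumptions (mine, not the article's): helper names, the DRY_RUN
# variable, and that several groups are passed to RequireMembershipOf as
# separate arguments. The /opt/pbis/bin/config path is the one the article uses.

PBIS_CONFIG=/opt/pbis/bin/config

# pbis_group_ref DOMAIN "Group Name"  ->  DOMAIN\Group^Name
# PBIS writes spaces inside AD group names as '^' (cf. "pbis enum-groups").
pbis_group_ref() {
    _dom=$1
    _enc=$(printf '%s' "$2" | tr ' ' '^')
    printf '%s\\%s' "$_dom" "$_enc"
}

# pbis_login_settings DOMAIN GROUP...  ->  one config command per line.
# Fails closed: without at least one group, RequireMembershipOf would be left
# unset and every domain account could log in to this PC.
pbis_login_settings() {
    _dom=$1
    [ -n "$_dom" ] || { echo "pbis_login_settings: domain missing" >&2; return 1; }
    shift
    [ "$#" -ge 1 ] || { echo "pbis_login_settings: refusing, no groups given" >&2; return 1; }
    printf '%s\n' \
        "$PBIS_CONFIG UserDomainPrefix $_dom" \
        "$PBIS_CONFIG AssumeDefaultDomain true" \
        "$PBIS_CONFIG LoginShellTemplate /bin/bash" \
        "$PBIS_CONFIG HomeDirTemplate %H/%U"
    _args=""
    for _g in "$@"; do
        # single quotes keep the backslash intact when the line is run by sh
        _args="$_args '$(pbis_group_ref "$_dom" "$_g")'"
    done
    printf '%s\n' "$PBIS_CONFIG RequireMembershipOf$_args"
}

# pbis_apply DOMAIN GROUP...  ->  run each command with sudo, or only print
# it when DRY_RUN=1 is set. Returns 1 if the settings could not be generated.
pbis_apply() {
    _cmds=$(pbis_login_settings "$@") || return 1
    printf '%s\n' "$_cmds" | while IFS= read -r _cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: sudo $_cmd"
        else
            eval "sudo $_cmd" || exit 1
        fi
    done
}

# The article's case: domain techtalk, group "Domain Users". To preview:
# DRY_RUN=1; pbis_apply techtalk 'Domain Users'
```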

Edit lightdm (login screen settings)

sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

  • Insert the following >

allow-guest=false
greeter-show-manual-login=true

… then Reboot

Domain administrator account setup

  • Login as Domain Administrator

This may work right off the bat or it may fail. If it fails see “Domain User Login Fails!” issue under the Troubleshooting section at the bottom of this article.

  • Logout of Domain Administrator account and login as local user ‘temp’
  • Add Domain Administrator account to ‘sudo’ group

The reason we do this is to allow the Domain Administrator to make administrative changes to the local PC.

sudo usermod -aG sudo administrator

  • Logout of ‘temp’ and login as Domain Administrator

Hide user “temp”

  • As Domain Administrator open terminal and do

sudo nano /var/lib/AccountsService/users/temp

change:

[User]
SystemAccount=false

to:

[User]
SystemAccount=true

Save file and exit.
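The same edit done idempotently, as an added example rather than the article's own method: a small POSIX shell function that sets a key under a section of an INI-style file (replacing the key when it is already there, appending it to the section when it is missing, creating section and file when absent), plus a wrapper for the AccountsService file above. The helper names and the ACCOUNTS_DIR override (used to test outside /var/lib/AccountsService/users) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): idempotently mark a local account as a
# system account in its AccountsService file so the login greeter hides it.
# Assumptions (mine): the helper names and the ACCOUNTS_DIR override used for
# testing; the file path and the [User] SystemAccount key are the article's.

# set_ini_key FILE SECTION KEY VALUE
# Sets KEY=VALUE under [SECTION]: replaces the key if present in that section,
# appends it to the section if missing, and creates section and file if absent.
set_ini_key() {
    _file=$1 _sec=$2 _key=$3 _val=$4
    [ -f "$_file" ] || : > "$_file"
    _tmp=$(mktemp) || return 1
    awk -v sec="$_sec" -v key="$_key" -v val="$_val" '
        BEGIN { insec = 0; found = 0; done = 0 }
        /^\[.*]$/ {
            # leaving the target section without having seen the key: add it
            if (insec && !done) { print key "=" val; done = 1 }
            insec = ($0 == "[" sec "]")
            if (insec) found = 1
            print; next
        }
        insec && !done && index($0, key "=") == 1 {
            print key "=" val; done = 1; next
        }
        { print }
        END {
            if (!found) print "[" sec "]"
            if (!done) print key "=" val
        }' "$_file" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    # overwrite in place so ownership and permissions of FILE are preserved
    cat "$_tmp" > "$_file"
    rm -f "$_tmp"
}

# hide_local_user NAME: the article's manual edit of
# /var/lib/AccountsService/users/NAME (SystemAccount=false -> true), scripted.
hide_local_user() {
    set_ini_key "${ACCOUNTS_DIR:-/var/lib/AccountsService/users}/$1" User SystemAccount true
}

# On the PC from the article this is run as root: hide_local_user temp
```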

Finishing

You are basically done. Now all you need to do is add the Domain User account to the PC. This is done simply by logging into Ubuntu as the Domain User.

You don’t need to enter the username with the domain prefix either; just the username itself is enough.

If you want the Domain User to also have administrative rights on the local PC you need to add it to the ‘sudo’ group with

sudo usermod -aG sudo bob

And it may also be a good idea to add the Domain User to the ‘sambashare’ group in the same way

sudo usermod -aG sambashare bob

TIP: Once a Domain User/Administrator has been successfully added to the PC (by logging in) the login will work when disconnected from the Domain’s network.

Troubleshooting

  • Domain User Login Fails!

Login with the Local PC Administrator account ‘temp’.

Open a terminal and check your connection to the domain:

sudo domainjoin-cli query

If you get something back like

“LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]”

you will need to rejoin the domain once more with:

sudo domainjoin-cli join techtalk.local administrator

Once you are reconnected to the domain, logout of user ‘temp’ and login now as domain user or administrator – this time it should work.

REMEMBER: When making an initial login attempt with any Domain user account you must be connected to the Domain’s network!!

NOTE: In previous how-tos there was a need to manually create an lwsmd.service file and symlinks etc. This is no longer needed! The old procedure is kept below for reference only.
Create the file lwsmd.service in /lib/systemd/system like this:

sudo nano /lib/systemd/system/lwsmd.service

Paste the following into this file:

[Unit]
Description=BeyondTrust PBIS Service Manager
After=network.target

[Service]
Type=forking
EnvironmentFile=/opt/pbis/libexec/init-base.sh
ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon
ExecReload=/opt/pbis/bin/lwsm refresh
ExecStop=/opt/pbis/bin/lwsm shutdown
# We want systemd to give lwsmd some time to finish gracefully, but still want
# it to kill lwsmd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill lwsmd. We are sending useless SIGCONT here to give
# lwsmd time to finish.
KillSignal=SIGCONT
PrivateTmp=false

[Install]
WantedBy=multi-user.target nss-lookup.target

Save and close the file.

Now make a symlink to this file in /etc/systemd/system:

cd /etc/systemd/system
sudo ln -s /lib/systemd/system/lwsmd.service /etc/systemd/system/lwsmd.service

You can check the status of the service with:

service lwsmd status

To start the service do:

service lwsmd start

Enable the service to start on boot with:

sudo systemctl enable /lib/systemd/system/lwsmd.service

You should get an output similar to:

Created symlink from /etc/systemd/system/multi-user.target.wants/lwsmd.service to /lib/systemd/system/lwsmd.service.
Created symlink from /etc/systemd/system/nss-lookup.target.wants/lwsmd.service to /lib/systemd/system/lwsmd.service.

Done. Reboot and login to, or join, the domain.

About: techtalk


51 thoughts on “Ubuntu 16.04 + PBIS”

  1. Every time I attempt to follow these steps I run into a lwsmd error:

    20160523145935:ALWAYS: Logging started
    20160523145935:INFO: Likewise Service Manager starting up
    20160523145935:INFO:lwsm-ipc: Listener started
    20160523145935:VERBOSE: Bootstrapping
    20160523145935:INFO: Starting service: lwreg
    20160523145935:VERBOSE: Populating service table
    Segmentation fault (core dumped)

    It seems to fail in Populating the service table and I can not figure out why.

    I have installed a fresh copy of Ubuntu 16.04, followed your walk-through precisely, but encounter this error every time.

    I also receive this error when attempting to domainjoin-cli:
    Error: Received error while querying lwsmd. [code 0x00000002]

    Received error while querying lwsmd.

    Any thoughts on why lwsmd is failing?

    1. I have not seen this behavior before. Can you get lwsmd to start manually in the terminal? At what point in the posted steps do you get that error?

      1. Sorry I haven’t had a chance to respond. We have had to switch gears and work on other projects and now I am back to this issue with ubuntu 16.04 and lwsmd.

        When following your steps it errors at any point lwsmd needs to be started. So during initial pbis script setup and any way I try to start the /opt/pbis/sbin/lwsmd.

        Something seems to be causing this issue, I am starting to think it is a hardware issue specific to the optiplex 7040.

        1. Ok, I need to do this all from scratch again some time to test it out because at the moment I have an image which I built before (which works) which I just deploy onto systems.
          One thing I may have done differently on 16.04 is uninstalling avahi-daemon – but I have to double check that.

          1. I think it has something to do with my hardware specifics. I am using the following:

            [OptiPlex 7040]
            OS: Ubuntu 16.04
            Arch: x86_64
            Tower: OptiPlex 7040
            Memory: 32G
            Processor: Intel Core i7-6700 x 8

            I was able to use an OptiPlex 7010, make install on it, then tar everything up and make install on the 7040.

            It’s not an ideal solution, but after a week or two of getting nowhere it seemed the most pragmatic solution.

          2. Hello, is there any solution? I have two installations on two different machines of Linux Mint 18 (Ubuntu 16.04 based). One is all right and functional. The other one shows Brandon’s behaviour in spite of multiple new installations.

          3. # /etc/nsswitch.conf
            #
            # Example configuration of GNU Name Service Switch functionality.
            # If you have the `glibc-doc-reference' and `info' packages installed, try:
            # `info libc "Name Service Switch"' for information about this file.
            passwd: compat lsass
            group: compat lsass
            shadow: compat
            hosts: files dns
            networks: files
            protocols: db files
            services: db files
            ethers: db files
            rpc: db files
            netgroup: nis
            sudoers: files

        2. Hey, same issue here. lwsmd is throwing a segmentation fault error when trying to join a domain with a new optiplex 7040. Did you find any workarounds?

    2. So I finally had a chance to tackle this. Basically I boiled the entire thing down to:

      – Install Ubuntu 16.04
      – Install SSH
      – Edit Avahi-Daemon
      – Edit Login (lightdm)
      – Install PBIS
      – Reboot
      – Join Domain
      – Reboot
      – Login as AD User/Admin

      In my latest tests there was no need for a manually created service.

  2. All is much simpler if --start-as-daemon is used instead of the indicated –start-as-daemon…

  3. I have the same error in a freshly installed Ubuntu 16.04.

    The manual start of lwsmd gives the core dump in the console.

  4. Thank you. I’ve followed the instructions and it worked perfect on Ubuntu 16.04.1

    I’ve had to reboot once as per instructions and logged on straight away 🙂

  5. Techtalk,

    I tried your article and it worked for me, I didn’t get any error but am unable to login with domain users. It shows access denied. Please help.

    Regards,
    James

    1. Ok, here is something you can try.

      > Log in as the local user (non-AD account)
      > Lock account (don’t ‘Log Out’)
      > Switch Account to get you back to the login screen
      > Login as AD user

      If that works then you should be good to go.

        1. > Reboot PC (why not?)
          > login as the local user (non-AD account)
          > rejoin domain as AD admin user (only proceed if you have success and no errors)
          > Lock account (don’t ‘Log Out’)
          > Switch Account to get you back to the login screen
          > Login as AD user

          you should end up being logged in to two accounts – the non-AD account and the AD account.

          1. I have followed the steps and succeeded in joining the domain, but on the login screen it shows “access denied”. I tried both solutions as you gave them but it is still not working… any help?

            Thank you

    2. If you got access denied you probably didn’t add the users to the “RequireMembershipOf”

      Try /opt/pbis/bin/config RequireMembershipOf “domain.local\\user”

      You can do that for any user you want to grant access to login on the domain.

  6. below is the domainjoin query output

    sudo domainjoin-cli query
    [sudo] password for user100:
    Name = node100
    Domain = KNH.LOCAL
    Distinguished Name = CN=NODE100,CN=Computers,DC=knh,DC=local

    james

  7. I tried the above steps but am not able to login with the A.D. user; it’s showing the message of invalid password, while when I tried the below command
    sudo domainjoin-cli query

    the domain is joined
    any one have solution on this

    1. Are you using Ubuntu 16.04?

      > Reboot PC (why not?)
      > login as the local user (non-AD account)
      > rejoin domain as AD admin user (only proceed if you have success and no errors)
      > Lock account (don’t ‘Log Out’)
      > Switch Account to get you back to the login screen
      > Login as AD user

      you should end up being logged in to two accounts – the non-AD account and the AD account.

  8. Hello All,

    PBIS Open version 8.3 on CentOS release 6.7 (Final).
    I get the same segmentation error and the lsass service is “dead”.
    Below is the error log.

    lwsmd[7581]: segfault at 0 ip 00007f3ef8093043 sp 00007f3ef9931b90 error 4 in ad_open.so[7f3ef804b000+bf000]
    Saved core dump of pid 7568 (/opt/pbis/sbin/lwsmd) to /var/spool/abrt/ccpp-2016-10-11-05:45:14-7568 (159498240 bytes)

    Any advice to solve this?

    Thanks,
    Chitta

  9. please help me
    After filling in the password I’m getting this error

    Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]
    A bad packet was received from a DNS server. Potentially the requested address does not exist.

  10. After entering password, it throws “Access Denied”.

    No error while running “sudo domainjoin-cli query”.

    sudo domainjoin-cli join my.domain administrator throws “usermod: group ‘administrator’ does not exist”.

    Please help me to resolve this.

    1. Well you have to join the PC to the domain, and you need an AD administrative account to do this. Does your AD have an administrator account and are you using it to join the PC to AD?

  11. Hello! I stuck at the login part. I also get the “access denied” error. I tried the other solutions you mentioned but none of those worked. Any tips?

    1. No, sorry. If your PC is joined to the domain and you have tried to login with AD credentials while being also logged in as the local temp user and it’s still not working then I don’t have any solutions.
      View your auth.log and other logs – maybe there is something in there.

  12. Hello ,

    I’m also facing some issues. I cannot log in to Ubuntu with a domain user. It keeps saying invalid password

    The ubuntu machine has successfully joined the AD and I have verified the same from AD users/computer panel.

    When I have issued the command “sudo domainjoin-cli query”
    I got
    root@acp-box16:~# sudo domainjoin-cli query
    Name = acp-box16
    Domain = MY.LOCAL
    Distinguished Name = CN=ACP-BOX16,CN=Computers,DC=MY,DC=local

    Do you have any idea why I’m getting invalid password error?

    1. Have you tried the following?

      > login as the local user (non-AD account)
      > rejoin domain as AD admin user (only proceed if you have success and no errors)
      > Lock account (don’t ‘Log Out’)
      > Switch Account to get you back to the login screen
      > Login as AD user or admin

      1. I got the same issue as well,
        $ sudo domainjoin-cli query
        Name = phu-vir-198u1sb
        Domain = AUT.EDU
        Distinguished Name = CN=PHU-VIR-198U1SB,CN=Computers,DC=aut,DC=edu
        Have tried the way you showed but the problem is still there.

        1. If you got access denied you probably didn’t add the users to the “RequireMembershipOf”

          Try /opt/pbis/bin/config RequireMembershipOf “domain.local\\user”

          You can do that for any user you want to grant access to login on the domain.

          That works for me.

  13. Hi everyone,

    I’ve been stuck for so long with the same “access denied” problem, which I finally was able to fix, that I wanted to share what I did, and I thought it may help others.

    First, after having fiddled with the config here and there, I just decided once again to go back to the drawing board, and did what techtalk suggested (some comments up on this thread):

    – Install Ubuntu 16.04 (in my case Ubuntu 16.10)
    – Install SSH
    – Edit Avahi-Daemon
    – Edit Login (lightdm)
    – Install PBIS
    – Reboot
    – Join Domain
    – Reboot
    – Login as AD User/Admin

    This didn’t work out right off and it continued to give me “Login incorrect” (not “Access denied” yet at this point)

    So I decided to leave the domain

    pbis leave ….. success.
    removed it from the AD manually

    and ran pbis from the domainjoin-gui this time, not from the command line. So, I just typed the domain name, clicked ok, typed “Administrador” (I’m using a Spanish version on my AD; the default version puts Administrator, which of course won’t work) and voilà. It says I’m using the AD login method for the very first time so I need to restart my computer. After that, the “SUCCESS” message pops up and that’s it.

    I restarted Ubuntu but it seemed, again, not to work, but this time the error message wasn’t “Login incorrect” but “Access denied”, so what I did was:

    sudo /opt/pbis/bin/config UserDomainPrefix my_domain_name
    sudo /opt/pbis/bin/config AssumeDefaultDomain true
    sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
    sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
    sudo /opt/pbis/bin/config RequireMembershipOf domain_name\\Usuarios^del^dominio

    I restarted again (I think that this time around this restart wouldn’t have been necessary though) and VOILA!! it worked!

    Tried to login using both graphical and terminal with no problems.

    ** I realized that, for some reason, AD group names aren’t the same for all languages (which is rather weird IMHO), so what for an English-based AD would be “DomainUsers”, for me (Spanish version of AD) was “Usuarios^del^dominio”. (You can check it by doing pbis enum-groups and looking for the corresponding group name.)

    And that’s it. I want to believe that after all this struggle this was what made it to work and not because of something else!!

    Hope this helps.

  14. Hello sudo’s,

    The same issue is here, it gives me back “access denied”

    The ubuntu machine has successfully joined the AD and I have verified the same from AD users/computer panel.

    I used to check status by “sudo domainjoin-cli query”

    and the Output is:

    Name = hp
    Domain = MYDOMAIN.COM
    Distinguished Name = CN=HP,CN=Computers,DC=MYDOMAIN,DC=COM

    @techtalk
    @Eugen
    @fls

    I have tried your troubleshooting options but am still not able to login as domain user; your help will be strongly appreciated, thank you!

      1. I have tried but problem is still there and I think that is with lwsmd.service

        I had successfully joined the Windows domain with pbis-open and everything was working smoothly, but when I restarted my system I was unable to login with the domain credentials. Then I tried to login with the local user and checked the logs, and I saw the lwsmd.service had crashed. I restarted the service manually, then it’s running well and I’m able to login with domain credentials, but again on restart I’m facing the same issue and really got irritated having to restart the service manually. Is there any way to solve this…?

    1. Yes, my mistake, sorry.

      I thought I did it when I modified this line ( sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\DomainUsers ) with this one ( sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\Administrator )

      Administrator = username for my AD administrator account.

      This works, but only for the Administrator account; when I try another user from the domain, access denied …..

      Now I try with Linux Mint, I found another tutorial, seems to work.

      Sorry for my bad English 😀 .

      1. No worry… if you succeed with Mint then make a document that will help us… thanks for the reply.. 🙂

      2. It’s working for me

        Make a security group in your AD as “Linux” and add those users which you want to login from the Linux machine.

        Below is the setting you have to apply for the domain group

        sudo /opt/pbis/bin/config RequireMembershipOf domain\\Linux

  15. Follow the Error

    Error: /bin/systemctl enable lwsmd.service returned 1
    Synchronizing state of lwsmd.service with SysV init with /lib/systemd/systemd-sysv-install… Executing /lib/systemd/systemd-sysv-install enable lwsmd Failed to execute operation: Too many levels of symbolic links

  16. smof@lubuntu:~$ systemctl status lwsmd
    ● lwsmd.service - BeyondTrust PBIS Service Manager
    Loaded: loaded (/lib/systemd/system/lwsmd.service; enabled; vendor preset: enabled)
    Active: active (running) since Thu 2017-06-15 14:17:58 IST; 6h ago
    Process: 789 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, status=0/SUCCESS)
    Main PID: 878 (lwsmd)
    CGroup: /system.slice/lwsmd.service
    ├─ 878 /opt/pbis/sbin/lwsmd --start-as-daemon
    ├─ 886 lw-container lwreg
    ├─ 909 lw-container eventlog
    ├─ 936 lw-container netlogon
    ├─ 965 lw-container lwio
    ├─1034 lw-container lsass
    └─1054 lw-container reapsysl

    Jun 15 14:17:52 lubuntu systemd[1]: Starting BeyondTrust PBIS Service Manager…
    Jun 15 14:17:56 lubuntu /opt/pbis/sbin/lwsmd[878]: Logging started
    Jun 15 14:17:56 lubuntu lwreg[886]: Logging started
    Jun 15 14:17:56 lubuntu eventlog[909]: Logging started
    Jun 15 14:17:57 lubuntu netlogon[936]: Logging started
    Jun 15 14:17:57 lubuntu lwio[965]: Logging started
    Jun 15 14:17:57 lubuntu lsass[1034]: Logging started
    Jun 15 14:17:58 lubuntu reapsysl[1054]: Logging started
    Jun 15 14:17:58 lubuntu systemd[1]: Started BeyondTrust PBIS Service Manager.
    Jun 15 14:17:59 lubuntu lsass[1034]: [lsass] Fatal error enumerating trusts for domain SMDOMAIN.COM. Error was ERROR_GEN_FAILURE (31)

  17. Hi,

    I was getting the access denied issue but found after running “pbis enum-groups” that the groups with spaces, i.e. domain users, needed to be input as “domain^users”. I made the following change to the command below and it works.

    sudo /opt/pbis/bin/config RequireMembershipOf domain_name\\domain^users

    I hope this helps.

  18. Before I restart the machine it’s working great, but after I restart the machine the domain users cannot login again; the error is “access denied”. I log in as the local admin and do

    sudo /opt/pbis/bin/config RequireMembershipOf domain_name\\domain^users

    and its working again. How can this work without do that again?

    Please help. thx

    1. I can only say what works for me. When I get ‘access denied’ after a reboot I do the following:

      – Log in as local user
      – do: sudo domainjoin-cli join *domain*.local administrator
      – Then Lock/Switch Account (Ctrl+Alt+L) – – – (Not ‘Log Out’)
      – Login as domain user

      If this works then I can usually reboot the systems and login straight away with the domain user.
