@egg82
Last active December 11, 2020 22:53
Debian/Ubuntu + Active Directory/LDAP v2

This is another quick write-up on getting Debian/Ubuntu to play nicely with LDAP groups. This includes logins, sudoers, home directories, default shells, the works.

This is tested and working on Ubuntu 18 and 20.04 and Windows Server 2016. This setup assumes you already have users/groups in AD/LDAP and have a basic understanding of users/groups.

While this guide is written toward Debian-based systems, some tweaks and downloading the appropriate PBIS script will allow this to work on any Linux-based system.

Install components

PBIS

# Download the PBIS Open installer, run it as root, then remove the installer script.
PBIS_SCRIPT="pbis-open-9.1.0.551.linux.x86_64.deb.sh"
PBIS_URL="https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/$PBIS_SCRIPT"

wget "$PBIS_URL"
chmod +x "$PBIS_SCRIPT"
sudo ./"$PBIS_SCRIPT"
rm -f "$PBIS_SCRIPT"

Optional: Certificate Authority (for LDAPS)

Note: Replace <ca-url> with the URL of your PEM-encoded CA file, and <ca-name> with the name of your org. Something that makes sense and you can find later.

sudo wget <ca-url> -O /usr/local/share/ca-certificates/<ca-name>-root-ca.crt
sudo update-ca-certificates

Configure PBIS

We'll start with some basic config. The PBIS config tool lets you set rules and options for anyone logging in through the domain, covering the things that can't be expressed through the UNIX users/groups it creates.

Note: replace <DOMAIN> with your AD domain, e.g. if you log in to your Windows environment as COMPANY\user, your <DOMAIN> is COMPANY.

sudo /opt/pbis/bin/config UserDomainPrefix <DOMAIN>
sudo /opt/pbis/bin/config AssumeDefaultDomain True
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U # Users logging in through LDAP will have their home dir set to /home/<user>
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash # Users logging in through LDAP will use /bin/bash as their shell
sudo /opt/pbis/bin/config RequireMembershipOf '<DOMAIN>\linux^users' # Users require the group "Linux Users" to be able to log in. No, the capitalization is not a mistake.

Add the Domain Admins group to the list of sudoers. Anyone logging in with the Domain Admins group is automatically a sudoer. Change as you see fit. No, the capitalization is not a mistake.

echo "%domain^admins ALL=(ALL) ALL" | sudo tee --append /etc/sudoers

It may be a good idea to edit /etc/adduser.conf and uncomment/edit the EXTRA_GROUPS and ADD_EXTRA_GROUPS options in it to give new users groups like netdev, etc., so they can do things like connect to their home network on, say, a Linux laptop.

Uncommenting those lines should give the new users enough access to be able to perform "normal" operations, but it's always worth a look to see if you're missing anything or giving them too much access.

Now we need to let PBIS have access to all forms of authentication through PAM.

sudo sed -i $'s/session\toptional\tpam_lsass.so/session\t[success=ok default=ignore]\tpam_lsass.so/g' /etc/pam.d/common-session

We also need to actually join the machine to the domain.

Note: replace <domain>, <com>, <DOMAIN>, and <COM> with the appropriate domain components (the DC= parts of the DN), e.g. if your domain is company.org, your <domain> is company and your <com> is org.

Your <domain-admin> and <password> are the credentials of the account you will use to join this computer to the domain. Make sure this account has appropriate permissions. Because this is only adding the machine to the domain, you can use the same account for multiple machines.

If you are adding a server-type machine which requires SSH access, use the following:

# The trailing '<password>' argument may be omitted, in which case domainjoin-cli prompts for it and it stays out of shell history
/opt/pbis/bin/domainjoin-cli join --ou 'OU=Computers,DC=<domain>,DC=<com>' <DOMAIN>.<COM> <domain-admin> '<password>'

If you are adding a desktop/laptop-type machine which doesn't use SSH, use the following:

/opt/pbis/bin/domainjoin-cli join --disable ssh --ou 'OU=Computers,DC=<domain>,DC=<com>' <DOMAIN>.<COM> <domain-admin> '<password>'

Finally, restart the machine:

sudo reboot now
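As an added example (not part of the original gist), the following script derives the UNIX-side group name PBIS gives an AD group, which is why "Linux Users" and "Domain Admins" appear above as linux^users and domain^admins, and builds the sudoers rule from it, installing it as a drop-in under /etc/sudoers.d only after visudo has checked its syntax, rather than appending a hand-typed line to /etc/sudoers. It assumes PBIS's default space replacement character of '^' and lower-cased names; the file name pbis-<group> under /etc/sudoers.d is my choice.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes PBIS's default
# SpaceReplacement of '^' and lower-cased group names.

# Map an AD group display name to the PBIS UNIX group name:
# lower-case it and replace spaces with '^'. "Linux Users" -> linux^users
pbis_group_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '^'
}

# Render the sudoers line for an AD group, e.g. "%domain^admins ALL=(ALL) ALL".
render_sudoers_rule() {
    printf '%%%s ALL=(ALL) ALL\n' "$(pbis_group_name "$1")"
}

# Install the rule as a drop-in under /etc/sudoers.d (file name is an assumption),
# after checking its syntax with visudo -c so a typo cannot break sudo for
# everyone. Leaves the system untouched and returns non-zero if the check fails.
# Needs root.
install_sudoers_rule() {
    group="$1"
    dest="/etc/sudoers.d/pbis-$(pbis_group_name "$group" | tr '^' '-')"
    tmp="$(mktemp)" || return 1
    render_sudoers_rule "$group" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "$dest"
        status=$?
    else
        echo "sudoers syntax check failed for '$group'; nothing installed" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Stand-alone run: show the rule that would be installed for the group used above.
render_sudoers_rule "Domain Admins"
```

Call install_sudoers_rule "Domain Admins" as root to actually install the drop-in; /etc/sudoers on Debian/Ubuntu includes /etc/sudoers.d by default.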