Ubuntu 16.04 + PBIS | TechTalk

Talking a bit of Tech

Ubuntu 16.04 + PBIS

Xerus_Orange-1-e1461768714287(Update 17-Aug-2016: This article has been revised and now incorporates the latest version of PBIS)

The setup is pretty similar to the setup with Ubuntu 14.04 (See: http://swissperience.ch/techtalk/ubuntu-14-04-3-pbis-ad-domain/)

Before we get started I need to point out a few things …

The following steps will be based on these specifications:

  • MS Windows Server 2012 Domain Name: techtalk.local
  • Domain admin username: administrator
  • Domain user username: bob

When installing Ubuntu you are requested to create a user. I am going to end up using this user as a kind of local administrator user account on the PC for use ONLY when the domain user login is not working. This user account will be hidden from the Ubuntu login screen.

  • Local PC Administrator user name: temp

So basically what I will end up with on this PC when it’s finished being setup is:

  • User “temp” – Local PC Administrator account completely non-related to the Domain
  • User “administrator” – Domain administrator account
  • User “bob” – Domain user account

REMEMBER: You must be connected to the Domain network!!


Install Ubuntu 16.04

I am installing Ubuntu 16.04.1

Install the OS as you normally would and when prompted create the Local PC Administration account. I use ‘temp’ for the username … you can use whatever you like of course.

Update Ubuntu

sudo apt update
sudo apt dist-upgrade

Edit avahi config

If you don’t do this you will get conflicts later when installing PBIS.

sudo nano /etc/avahi/avahi-daemon.conf

replace: #domain-name=local

with: domain-name=.alocal

Install ssh:

sudo apt install ssh

Install PBIS:

  • Download install file >

LINK

(Download website: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True)

  • Make install file executable >

sudo chmod +x Downloads/pbis-open-8.5.0.153.linux.x86_64.deb.sh

  • Execute install file

sudo ./Downloads/pbis-open-8.5.0.153.linux.x86_64.deb.sh

Install package for legacy links? -> no
Would you like to install now? -> yes

After install you might get a GUI tool asking you to join the domain. I prefer to close it and to continue via the terminal.

Restart avahi service

sudo service avahi-daemon restart

Join PC to domain

sudo domainjoin-cli join domain.local domain-administrator-username

So for our example it would be:

sudo domainjoin-cli join techtalk.local administrator

You will be prompted for the Domain Administrator password and then should see “SUCCESS”.

Restart ssh service

sudo service ssh restart

Set AD login settings

sudo /opt/pbis/bin/config UserDomainPrefix techtalk
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\DomainUsers

DomainUsers = Domain Users Security Group

Edit lightdm (login screen settings)

sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

  • Insert the following >

allow-guest=false
greeter-show-manual-login=true

… then Reboot

Domain administrator account setup

  • Login as Domain Administrator

This may work right off the bat or it may fail. If it fails see “Domain User Login Fails!” issue under the Troubleshooting section at the bottom of this article.

  • Logout of Domain Administrator account and login as local user ‘temp’
  • Add Domain Administrator account to ‘sudo’ group

The reason we do this is to allow the Domain Administrator to make administrative changes to the local PC.

sudo usermod -aG sudo administrator

  • Logout of ‘temp’ and login as Domain Administrator

Hide user “temp”

  • As Domain Administrator open terminal and do

sudo nano /var/lib/AccountsService/users/temp

change:

[User]
SystemAccount=false

to:

[User]
SystemAccount=true

Save file and exit.

Finishing

You are basically done. Now all you need to do is add the Domain User account to the PC. This is done simply by logging into Ubuntu as the Domain User.

You don’t have to enter the username with the domain prefix either, but just the username itself.

If you want the Domain User to also have administrative rights on the local PC you need to add it to the ‘sudo’ group with

sudo usermod -aG sudo bob

And it may also be a good idea to add the Domain User to the ‘sambashare’ group in the same way

sudo usermod -aG sambashare bob

TIP: Once a Domain User/Administrator has been successfully added to the PC (by logging in) the login will work when disconnected from the Domain’s network.

Troubleshooting

  • Domain User Login Fails!

Login with the Local PC Administrator account ‘temp’.

Open a terminal and check your connection to the domain:

sudo domainjoin-cli query

If you get something back like

“LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]”

you will need to rejoin the domain once more with:

sudo domainjoin-cli join techtalk.local administrator

Once you are reconnected to the domain, logout of user ‘temp’ and login now as domain user or administrator – this time it should work.

REMEMBER: When making an initial login attempt with any Domain user account you must be connected to the Domain’s network!!

NOTE: In previous how-to’s there was a need to manually create a lwsmd.service file and symlinks etc. This is no longer needed!
Create the file lwsmd.service in /lib/systemd/system like this:

sudo nano /lib/systemd/system/lwsmd.service

Paste the following into this file:

[Unit]
Description=BeyondTrust PBIS Service Manager
After=network.target

[Service]
Type=forking
EnvironmentFile=/opt/pbis/libexec/init-base.sh
ExecStart=/opt/pbis/sbin/lwsmd –start-as-daemon
ExecReload=/opt/pbis/bin/lwsm refresh
ExecStop=/opt/pbis/bin/lwsm shutdown
# We want systemd to give lwsmd some time to finish gracefully, but still want
# it to kill lwsmd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill lwsmd. We are sending useless SIGCONT here to give
# lwsmd time to finish.
KillSignal=SIGCONT
PrivateTmp=false

[Install]
WantedBy=multi-user.target nss-lookup.target

Save and close the file.

Now make a symlink to this file in /etc/systemd/system:

cd /etc/systemd/system
sudo ln -s /lib/systemd/system/lwsmd.service /etc/systemd/system/lwsmd.service

You can check the status of the service with:

service lwsmd status

To start the service do:

service lwsmd start

Enable the service to start on boot with:

sudo systemctl enable /lib/systemd/system/lwsmd.service

You should get an output similar to:

Created symlink from /etc/systemd/system/multi-user.target.wants/lwsmd.service to /lib/systemd/system/lwsmd.service.
Created symlink from /etc/systemd/system/nss-lookup.target.wants/lwsmd.service to /lib/systemd/system/lwsmd.service.

Done. Reboot and login to, or join, the domain.


46 Comments

  • Every time I attempt to follow these steps I run into a lwsmd error:

    20160523145935:ALWAYS: Logging started
    20160523145935:INFO: Likewise Service Manager starting up
    20160523145935:INFO:lwsm-ipc: Listener started
    20160523145935:VERBOSE: Bootstrapping
    20160523145935:INFO: Starting service: lwreg
    20160523145935:VERBOSE: Populating service table
    Segmentation fault (core dumped)

    It seems to fail in Populating the service table and I can not figure out why.

    I have installed a fresh copy of Ubuntu 16.04, followed your walk-through precisely, but encounter this error every time.

    I also receive this error when attempting to domainjoin-cli:
    Error: Received error while querying lwsmd. [code 0x00000002]

    Received error while querying lwsmd.

    Any thoughts on why lwsmd is failing?

    • I have not seen this behavior before. Can you get lwsmd to start manually in the terminal? At what point in the posted steps do you get that error?

      • Sorry I haven’t had a chance to respond. We have had to switch gears and work on other projects and now I am back to this issue with ubuntu 16.04 and lwsmd.

        When following your steps it errors at any point lwsmd needs to be started. So during initial pbis script setup and any way I try to start the /opt/pbis/sbin/lwsmd.

        Something seems to be causing this issue, I am starting to think it is a hardware issue specific to the optiplex 7040.

        • Ok, I need to do this all from scratch again some time to test it out because at the moment I have an image which I built before (which works) which I just deploy onto systems.
          One thing I may have done differently on 16.04 is uninstalling avahi-daemon – but I have to double check that.

          • I think it has something to do with my hardware specifics. I am using the following:

            [OptiPlex 7040]
            OS: Ubuntu 16.04
            Arch: x86_64
            Tower: OptiPlex 7040
            Memory: 32G
            Processor: Intel Core i7-6700 x 8

            I was able to use a OptiPlex 7010, make install on it, then tar everything up and make install on the 7040.

            It’s not an ideal solution, but after a week or two of getting nowhere it seemed the most pragmatic solution.

          • Hello, is there any solution? I have to installations on two different machines of Linux Mint 18 (Ubuntu 16.04 based). One is all right and functional. The other one shows Brandon’s behaviour in spite of multiple new installtions.

          • # /etc/nsswitch.conf
            #
            # Example configuration of GNU Name Service Switch functionality.
            # If you have the `glibc-doc-reference’ and `info’ packages installed, try:
            # `info libc “Name Service Switch”‘ for information about this file.
            passwd: compat lsass
            group: compat lsass
            shadow: compat
            hosts: files dns
            networks: files
            protocols: db files
            services: db files
            ethers: db files
            rpc: db files
            netgroup: nis
            sudoers: files

        • Hey, same issue here. lwsmd is throwing a segmentation fault error when trying to join a domain with an new optiplex 7040. Did you find any workarounds?

    • So I finally had a chance to tackle this. Basically I boiled the entire thing down to:

      – Install Ubuntu 16.04
      – Install SSH
      – Edit Avahi-Daemon
      – Edit Login (lightdm)
      – Install PBIS
      – Reboot
      – Join Domain
      – Reboot
      – Login as AD User/Admin

      In my latest tests there was no need for a manually created service.

  • I have the same error in a fresh installed ubuntu 16.04.

    The manual start of lwsmd give the coredump in the console.

  • Thank you. I’ve followed the instructions and it worked perfect on Ubuntu 16.04.1

    I’ve had to reboot once as per instructions and logged on straight away 🙂

  • Techtalk,

    I tried ur article and it worked for me, i didnt get any error but am unable to login with domain users. it shows access denied. Pls Help

    Regards,
    James

    • Ok, here is something you can try.

      > Log in as the local user (non-AD account)
      > Lock account (don’t ‘Log Out’)
      > Switch Account to get you back to the login screen
      > Login as AD user

      If that works then you should be good to go.

        • > Reboot PC (why not?)
          > login as the local user (non-AD account)
          > rejoin domain as AD admin user (only proceed if you have success and no errors)
          > Lock account (don’t ‘Log Out’)
          > Switch Account to get you back to the login screen
          > Login as AD user

          you should end up being logged in to two accounts – the non-AD account and the AD account.

    • If you got access denied you probably didnt at the users to the “RequireMembershipOf”

      Try /opt/pbis/bin/config RequireMembershipOf “domain.local\\user”

      You can do that for any user you want to grand access to login on the domain.

  • below is the domainjoin query output

    sudo domainjoin-cli query
    [sudo] password for user100:
    Name = node100
    Domain = KNH.LOCAL
    Distinguished Name = CN=NODE100,CN=Computers,DC=knh,DC=local

    james

  • i tried above step but not able to login with A.D. user its showing the massage of invalid password while i tried the below command
    sudo domainjoin-cli query

    the domain is joined
    any one have solution on this

    • Are you using Ubuntu 16.04?

      > Reboot PC (why not?)
      > login as the local user (non-AD account)
      > rejoin domain as AD admin user (only proceed if you have success and no errors)
      > Lock account (don’t ‘Log Out’)
      > Switch Account to get you back to the login screen
      > Login as AD user

      you should end up being logged in to two accounts – the non-AD account and the AD account.

  • Hello All,

    PBIS Open version 8.3 on CentOS release 6.7(Final) .
    I get same segmentation error and lsass service is “dead” .
    Below is the error log .

    lwsmd[7581]: segfault at 0 ip 00007f3ef8093043 sp 00007f3ef9931b90 error 4 in ad_open.so[7f3ef804b000+bf000]
    Saved core dump of pid 7568 (/opt/pbis/sbin/lwsmd) to /var/spool/abrt/ccpp-2016-10-11-05:45:14-7568 (159498240 bytes)

    Any advise to solve this ?

    Thanks,
    Chitta

  • please help me
    After filling the password m getting this error

    Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]
    A bad packet was received from a DNS server. Potentially the requested address does not exist.

  • After entering password, it throws “Access Denied”.

    No error while running “sudo domainjoin-cli query”.

    sudo domainjoin-cli join my.domain administrator throws “usermod: group ‘administrator’ does not exist”.

    Pls help me to resolve.

    • Well you have to join the PC to the domain, and you need an AD administrative account to do this. Does your AD have an administrator account and are you using it to join the PC to AD?

  • Hello! I stuck at the login part. I also get the “access denied” error. I tried the other solutions you mentioned but none of those worked. Any tips?

    • No, sorry. If your PC is joined to the domain and you have tried to login with AD credentials while being also logged in as the local temp user and it’s still not working then I don’t have any solutions.
      View your auth.log and other logs – maybe there is something in there.

  • Hello ,

    I’m also facing some issues. I cannot login the ubuntu with domain user.It keeps saying invalid password

    The ubuntu machine has successfully joined the AD and I have verified the same from AD users/computer panel.

    When I have issued the command “sudo domainjoin-cli query”
    I got
    root@acp-box16:~# sudo domainjoin-cli query
    Name = acp-box16
    Domain = MY.LOCAL
    Distinguished Name = CN=ACP-BOX16,CN=Computers,DC=MY,DC=local

    Do you have any idea why I’m getting invalid password error?

    • Have you tried the following?

      > login as the local user (non-AD account)
      > rejoin domain as AD admin user (only proceed if you have success and no errors)
      > Lock account (don’t ‘Log Out’)
      > Switch Account to get you back to the login screen
      > Login as AD user or admin

      • I got the same issue aswell,
        $ sudo domainjoin-cli query
        Name = phu-vir-198u1sb
        Domain = AUT.EDU
        Distinguished Name = CN=PHU-VIR-198U1SB,CN=Computers,DC=aut,DC=edu
        Have been tried the way you show but problem still there.

        • If you got access denied you probably didnt at the users to the “RequireMembershipOf”

          Try /opt/pbis/bin/config RequireMembershipOf “domain.local\\user”

          You can do that for any user you want to grand access to login on the domain.

          That works for me .

  • Hi everyone,

    I’ve been for so long stuck with the same “access denied” problem that I finally was able to fix that I wanted to share what I did just and I thought it may help others.

    First, after having fiddled with the config here and there, I just decided once again go to the drawing board, and did what techtalk (some comments up on this thread)

    – Install Ubuntu 16.04 (in my case Ubuntu 16.10)
    – Install SSH
    – Edit Avahi-Daemon
    – Edit Login (lightdm)
    – Install PBIS
    – Reboot
    – Join Domain
    – Reboot
    – Login as AD User/Admin

    This didn’t work out right off and it continue to give me “Login incorrect” (not “Access denied” yet at this point)

    So I decided to leave the domain

    pbis leave ….. success.
    remove it from the AD manually

    and ran pbis from the domainjoin-gui this time,not from the command line. So, I just typed the domain name, click ok, type “Administrador” (I’m using a Spanish version on my AD; the default version of puts Administrator, which of course won’t work) and voilá. It says I’m using the AD login method for the very fist time so I need to restart my computer. After that, the “SUCCESS” message pop ups and that’s it.

    I restarted Ubuntu but it seemed, again, not to work, but this time the error message wasn’t “Login incorrect” but “Access denied” so what I did was:

    sudo /opt/pbis/bin/config UserDomainPrefix my_domain_name
    sudo /opt/pbis/bin/config AssumeDefaultDomain true
    sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
    sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
    sudo /opt/pbis/bin/config RequireMembershipOf domain_name\\Usuarios^del^dominio

    O restarted again (I think that this time around this restart wouldn’t have been necessary though) and VOILA!! it worked!

    Tried to login using both, graphical and terminal with no problems.

    ** I realized that, for some reason, AD group names weren’t for all languages the same (which is rather weird IMHO), so, for what an English-based ADs would be “DomainUsers”, for me (Spanish version of AD) was “Usuarios^del^dominio”. (you can check it by doing pbis enum-groups and looking for the corresponding group name)

    And that’s it. I want to believe that after all this struggle this was what made it to work and not because of something else!!

    Hope this helps.

  • Hello sudo’s,

    The same issue is here, It’s gives me back “access denied”

    The ubuntu machine has successfully joined the AD and I have verified the same from AD users/computer panel.

    I used to check status by “sudo domainjoin-cli query”

    and the Output is:

    Name = hp
    Domain = MYDOMAIN.COM
    Distinguished Name = CN=HP,CN=Computers,DC=MYDOMAIN,DC=COM

    @techtalk
    @Eugen
    @fls

    I have tried your trubleshooting option but still not able to login as domain user, your help will strongly appreciative, Thank you!

      • I have tried but problem is still there and I think that is with lwsmd.service

        I was successfully joined windows domain with pbis-open everything was working smoothly but when I restarted my system I unable to login with the domain credentials then I tried to login with local user and checked logs the I saw the lwsmd.service is crashed. I restarted the service manually then it’s running good and I’m able to login with domain credintial but again on restart I’m facing same issue and really got irritated to restart the service manually. is there any way to solve this…?

    • Yes, my mistake, sorry.

      I thought i did it when i modified this line ( sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\DomainUsers ) whit this one ( sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\Administrator )

      Administrator = username for my AD administrator account.

      This works, but only for Administrator account, when i try another user from domain, acces denied …..

      Now i try whit Linux Mint, i find another tutorial, seems to work.

      Sorry for my bad english 😀 .

  • Follow the Error

    Error: /bin/systemctl enable lwsmd.service returned 1
    Synchronizing state of lwsmd.service with SysV init with /lib/systemd/systemd-sysv-install… Executing /lib/systemd/systemd-sysv-install enable lwsmd Failed to execute operation: Too many levels of symbolic links

  • smof@lubuntu:~$ systemctl status lwsmd
    ● lwsmd.service – BeyondTrust PBIS Service Manager
    Loaded: loaded (/lib/systemd/system/lwsmd.service; enabled; vendor preset: en
    Active: active (running) since Thu 2017-06-15 14:17:58 IST; 6h ago
    Process: 789 ExecStart=/opt/pbis/sbin/lwsmd –start-as-daemon (code=exited, st
    Main PID: 878 (lwsmd)
    CGroup: /system.slice/lwsmd.service
    ├─ 878 /opt/pbis/sbin/lwsmd –start-as-daemon
    ├─ 886 lw-container lwreg
    ├─ 909 lw-container eventlog
    ├─ 936 lw-container netlogon
    ├─ 965 lw-container lwio
    ├─1034 lw-container lsass
    └─1054 lw-container reapsysl

    Jun 15 14:17:52 lubuntu systemd[1]: Starting BeyondTrust PBIS Service Manager…
    Jun 15 14:17:56 lubuntu /opt/pbis/sbin/lwsmd[878]: Logging started
    Jun 15 14:17:56 lubuntu lwreg[886]: Logging started
    Jun 15 14:17:56 lubuntu eventlog[909]: Logging started
    Jun 15 14:17:57 lubuntu netlogon[936]: Logging started
    Jun 15 14:17:57 lubuntu lwio[965]: Logging started
    Jun 15 14:17:57 lubuntu lsass[1034]: Logging started
    Jun 15 14:17:58 lubuntu reapsysl[1054]: Logging started
    Jun 15 14:17:58 lubuntu systemd[1]: Started BeyondTrust PBIS Service Manager.
    lines 1-23…skipping…
    ● lwsmd.service – BeyondTrust PBIS Service Manager
    Loaded: loaded (/lib/systemd/system/lwsmd.service; enabled; vendor preset: enabled)
    Active: active (running) since Thu 2017-06-15 14:17:58 IST; 6h ago
    Process: 789 ExecStart=/opt/pbis/sbin/lwsmd –start-as-daemon (code=exited, status=0/SUCCESS)
    Main PID: 878 (lwsmd)
    CGroup: /system.slice/lwsmd.service
    ├─ 878 /opt/pbis/sbin/lwsmd –start-as-daemon
    ├─ 886 lw-container lwreg
    ├─ 909 lw-container eventlog
    ├─ 936 lw-container netlogon
    ├─ 965 lw-container lwio
    ├─1034 lw-container lsass
    └─1054 lw-container reapsysl

    Jun 15 14:17:52 lubuntu systemd[1]: Starting BeyondTrust PBIS Service Manager…
    Jun 15 14:17:56 lubuntu /opt/pbis/sbin/lwsmd[878]: Logging started
    Jun 15 14:17:56 lubuntu lwreg[886]: Logging started
    Jun 15 14:17:56 lubuntu eventlog[909]: Logging started
    Jun 15 14:17:57 lubuntu netlogon[936]: Logging started
    Jun 15 14:17:57 lubuntu lwio[965]: Logging started
    Jun 15 14:17:57 lubuntu lsass[1034]: Logging started
    Jun 15 14:17:58 lubuntu reapsysl[1054]: Logging started
    Jun 15 14:17:58 lubuntu systemd[1]: Started BeyondTrust PBIS Service Manager.
    Jun 15 14:17:59 lubuntu lsass[1034]: [lsass] Fatal error enumerating trusts for domain SMDOMAIN.COM. Error was ERROR_GEN_FAILURE (31)
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~

Post a Comment

Your email address will not be published. Required fields are marked *

  • Categories