(Update 17-Aug-2016: This article has been revised and now incorporates the latest version of PBIS)
The setup is pretty similar to the setup with Ubuntu 14.04 (See: http://swissperience.ch/techtalk/ubuntu-14-04-3-pbis-ad-domain/)
Before we get started I need to point out a few things …
The following steps will be based on these specifications:
- MS Windows Server 2012 Domain Name: techtalk.local
- Domain admin username: administrator
- Domain user username: bob
When installing Ubuntu you are requested to create a user. I am going to end up using this user as a kind of local administrator user account on the PC for use ONLY when the domain user login is not working. This user account will be hidden from the Ubuntu login screen.
- Local PC Administrator user name: temp
So basically what I will end up with on this PC when it’s finished being set up is:
- User “temp” – Local PC Administrator account, completely unrelated to the Domain
- User “administrator” – Domain administrator account
- User “bob” – Domain user account
REMEMBER: You must be connected to the Domain network!!
Install Ubuntu 16.04
I am installing Ubuntu 16.04.1
Install the OS as you normally would and when prompted create the Local PC Administration account. I use ‘temp’ for the username … you can use whatever you like of course.
sudo apt update
sudo apt dist-upgrade
Edit avahi config
If you don’t do this you will get conflicts later when installing PBIS.
sudo nano /etc/avahi/avahi-daemon.conf
sudo apt install ssh
- Download install file >
- Make install file executable >
sudo chmod +x Downloads/pbis-open-188.8.131.52.linux.x86_64.deb.sh
- Execute install file
Install package for legacy links? -> no
Would you like to install now? -> yes
After install you might get a GUI tool asking you to join the domain. I prefer to close it and to continue via the terminal.
Restart avahi service
sudo service avahi-daemon restart
Join PC to domain
sudo domainjoin-cli join domain.local domain-administrator-username
So for our example it would be:
sudo domainjoin-cli join techtalk.local administrator
You will be prompted for the Domain Administrator password and then should see “SUCCESS”.
Restart ssh service
sudo service ssh restart
Set AD login settings
sudo /opt/pbis/bin/config UserDomainPrefix techtalk
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\DomainUsers
DomainUsers stands for the “Domain Users” security group; with RequireMembershipOf set, only members of that group are allowed to log in to this PC.
Edit lightdm (login screen settings)
sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
- Insert the following >
… then Reboot
Domain administrator account setup
- Login as Domain Administrator
This may work right off the bat or it may fail. If it fails see “Domain User Login Fails!” issue under the Troubleshooting section at the bottom of this article.
- Logout of Domain Administrator account and login as local user ‘temp’
- Add Domain Administrator account to ‘sudo’ group
The reason we do this is to allow the Domain Administrator to make administrative changes to the local PC.
sudo usermod -aG sudo administrator
- Logout of ‘temp’ and login as Domain Administrator
Hide user “temp”
- As Domain Administrator, open a terminal and run:
sudo nano /var/lib/AccountsService/users/temp
Save the file and exit.
You are basically done. Now all you need to do is add the Domain User account to the PC. This is done simply by logging into Ubuntu as the Domain User.
You don’t need to type the domain prefix either; the bare username is enough.
If you want the Domain User to also have administrative rights on the local PC you need to add it to the ‘sudo’ group with
sudo usermod -aG sudo bob
And it may also be a good idea to add the Domain User to the ‘sambashare’ group in the same way
sudo usermod -aG sambashare bob
TIP: Once a Domain User/Administrator has been successfully added to the PC (by logging in) the login will work when disconnected from the Domain’s network.
Troubleshooting
- Domain User Login Fails!
Login with the Local PC Administrator account ‘temp’.
Open a terminal and check your connection to the domain:
sudo domainjoin-cli query
If you get something back like
“LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]”
you will need to rejoin the domain once more with:
sudo domainjoin-cli join techtalk.local administrator
Once you are reconnected to the domain, logout of user ‘temp’ and login now as domain user or administrator – this time it should work.
REMEMBER: When making an initial login attempt with any Domain user account you must be connected to the Domain’s network!!
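As an added example (this script is not from the article and is not part of PBIS), the following POSIX shell script turns the checks from the “Set AD login settings” section and from this troubleshooting step into a repeatable post-join health check: it classifies domainjoin-cli query output (including the password-mismatch case that calls for a rejoin), compares a config --dump listing against the values configured above, confirms that RequireMembershipOf is not empty, and checks that the domain administrator actually ended up in the sudo group. The “Domain = …” line of the query output and the one-setting-per-line layout of config --dump are assumptions about output format; the sample outputs embedded in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the article and not PBIS code: a post-join health
# check for the setup described above. Every check takes its input as text so
# it can be exercised offline with the constructed samples below; run_checks()
# feeds it live command output when the script is invoked with --live.
# Assumed (not stated by the article): `domainjoin-cli query` prints a line
# "Domain = <name>" when joined, and `/opt/pbis/bin/config --dump` prints one
# "Name Value" pair per line, values optionally double-quoted.

DOMAIN="techtalk.local"       # domain name used in the article
DOMAIN_ADMIN="administrator"  # domain administrator from the article

# Constructed sample outputs (not captured from a real host).
sample_query_joined() {
    cat <<'EOF'
Name = ubuntu-pc
Domain = TECHTALK.LOCAL
EOF
}
sample_query_mismatch() {
    cat <<'EOF'
Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]
EOF
}
sample_dump() {
    cat <<'EOF'
UserDomainPrefix techtalk
AssumeDefaultDomain true
LoginShellTemplate /bin/bash
HomeDirTemplate "%H/%U"
RequireMembershipOf "techtalk\DomainUsers"
EOF
}
sample_group() {
    cat <<'EOF'
sudo:x:27:temp,administrator
sambashare:x:124:bob
EOF
}

# join_state QUERY_OUTPUT: "mismatch" when the machine account password no
# longer matches (the rejoin case above), "joined" when the expected domain is
# reported, "unjoined" otherwise.
join_state() {
    if printf '%s\n' "$1" | grep -q 'LW_ERROR_PASSWORD_MISMATCH'; then
        echo mismatch
    elif printf '%s\n' "$1" | grep -qi "^Domain = $DOMAIN"; then
        echo joined
    else
        echo unjoined
    fi
}

# setting_value NAME DUMP: value of NAME from a config dump, surrounding double
# quotes removed; prints nothing if NAME is absent.
setting_value() {
    printf '%s\n' "$2" | awk -v name="$1" 'tolower($1) == tolower(name) {
        v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); gsub(/^"|"$/, "", v); print v; exit }'
}

# settings_missing DUMP: name of every setting whose value differs from what
# the article configures; prints nothing if all match.
settings_missing() {
    for _pair in "UserDomainPrefix=techtalk" "AssumeDefaultDomain=true" \
                 "LoginShellTemplate=/bin/bash" "HomeDirTemplate=%H/%U"; do
        _name="${_pair%%=*}"; _want="${_pair#*=}"
        [ "$(setting_value "$_name" "$1")" = "$_want" ] || echo "$_name"
    done
}

# membership_restricted DUMP: true if RequireMembershipOf holds a value, i.e.
# logins are limited to a group rather than open to every domain account.
membership_restricted() {
    [ -n "$(setting_value RequireMembershipOf "$1")" ]
}

# in_group USER GROUP TEXT: true if USER is a member of GROUP in text laid
# out like /etc/group.
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_checks: the same checks against the live host (PBIS installed, sudo rights).
run_checks() {
    _state="$(join_state "$(sudo domainjoin-cli query 2>&1)")"
    echo "domain join: $_state"
    [ "$_state" != mismatch ] || echo "rejoin needed: sudo domainjoin-cli join $DOMAIN $DOMAIN_ADMIN"
    _dump="$(sudo /opt/pbis/bin/config --dump 2>/dev/null)"
    for _s in $(settings_missing "$_dump"); do echo "setting differs from the article: $_s"; done
    membership_restricted "$_dump" || echo "RequireMembershipOf is empty: every domain account may log in"
    in_group "$DOMAIN_ADMIN" sudo "$(cat /etc/group)" || echo "$DOMAIN_ADMIN is not in the sudo group"
}

if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it as sh health-check.sh --live on the joined PC to exercise the real commands; without arguments it only defines the functions, so they can be sourced and tried against the embedded samples first. An empty RequireMembershipOf is the finding to care about most: without it every account in the domain, not just “Domain Users”, can log in to the PC.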
NOTE: In previous how-to’s there was a need to manually create a lwsmd.service file and symlinks etc. This is no longer needed! The old steps are kept below for reference.
Create the file lwsmd.service in /lib/systemd/system like this:
sudo nano /lib/systemd/system/lwsmd.service
Paste the following into this file:
Description=BeyondTrust PBIS Service Manager
# We want systemd to give lwsmd some time to finish gracefully, but still want
# it to kill lwsmd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill lwsmd. We are sending useless SIGCONT here to give
# lwsmd time to finish.
WantedBy=multi-user.target nss-lookup.target
Save and close the file. Now make a symlink to this file in /etc/systemd/system:
sudo ln -s /lib/systemd/system/lwsmd.service /etc/systemd/system/lwsmd.service
You can check the status of the service with:
service lwsmd status
To start the service do:
service lwsmd start
Enable the service to start on boot with:
sudo systemctl enable /lib/systemd/system/lwsmd.service
You should get an output similar to:
Created symlink from /etc/systemd/system/multi-user.target.wants/lwsmd.service to /lib/systemd/system/lwsmd.service.
Created symlink from /etc/systemd/system/nss-lookup.target.wants/lwsmd.service to /lib/systemd/system/lwsmd.service.
Done. Reboot and login to, or join, the domain.