PowerBroker Identity Services Group Policy Guide

PowerBroker Identity Services
Group Policy Guide
Revision/Update Information: May 2015
Corporate Headquarters
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2015 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable,
is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (“BeyondTrust”)
or BeyondTrust’s authorized remarketer, if and when applicable.
TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author,
and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation,
as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on
copying, modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties
expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR
PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights.
This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express
limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes:
manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is
subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at
DFARS 252.227-7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops,
PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker
Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.
ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The
SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain
jurisdictions.
This application contains software powered by PKAIP®, the leading solution for enabling efficient and secure data storage and
transmission. PKAIP® is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with
permission.
FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead is
entirely coincidental.
OTHER NOTICES
If and when applicable the following additional provisions are so noted:
The PBISOpen software is free to download and use according to the terms of the Limited GPL 2.1 for client libraries and the
GPL 2 for daemons. The licenses for PBISEnterprise and for PBISUID-GID Module are different. For complete information on the
software licenses and terms of use for BeyondTrust products, see www.beyondtrust.com.
PBIS Enterprise Group Policy Guide
Contents
Introduction  6
    Conventions  6
        Font Conventions  6
        Linespacing Conventions  6
    Where to Go Next?  6
        Documentation for PBIS  7
        Contacting Support  7
            Telephone  7
            Online  7
Working with PBIS Group Policy Settings  8
    About Group Policy Settings  8
        User Settings  8
    PBIS Group Policy Agent  9
        PBIS GPO Refresh Tool  9
    Inheritance  9
    Filtering by Target Platform  9
    Managing GPOs  10
        View a Report on a GPO's Policy Settings  11
    Walkthrough: Creating a sudo GPO  12
        Create a sudo GPO  12
        Test the sudo GPO  15
        Test sudo Security  15
PBIS Settings  16
    Show a Password Expiration Warning  16
    Authorization and Identification  17
        Set the Cache Expiration Time  17
        Set the Domain Separator Character  18
        Set the Home Directory Template and Path Prefix  19
        Set a Remote Directory Path for AD Accounts  21
        Set the Login Shell  22
        Set the Maximum Tolerance for Kerberos Clock Skew  23
        Trust Enumeration Settings  23
        Require Trust Enumeration Completion at Startup  25
        Ignore User or Group Names  26
        Prepend Domain Name for AD Users and Groups  27
        Change NSS Membership and NSS Cache Settings  28
        Turn On Event Logging with a GPO  30
        Stop Refreshing User Credentials  30
        Sign and Seal LDAP Traffic with a GPO  31
        Force Authentication to Use Unprovisioned Mode  32
        Turn Off Logging of Network Events  33
        Turn Off System Time Synchronization with a GPO  33
        Set the Machine Account Password Expiration Time  34
        Replace Spaces in Names with a Character  35
    Logon  35
        Allow Logon Rights (RequireMembershipOf)  36
        Create a .k5login File in a User's Home Directory  37
        Create a Home Directory for a User Account at Logon  38
        Set Permissions with a File Creation Mask  38
        Show a Denied Logon Rights Message  39
        Set the Local Account Password Lifespan  39
        Log PAM Debugging Information  40
        Copy Template Files When Creating a Home Directory  40
    Smart Card  41
    Reaper Syslog Settings  41
    Group Policy Agent  41
        Set the Computer Policy Refresh Interval  42
        Set the User Policy Refresh Interval  42
        Turn On Event Logging for the Group Policy Agent  43
        Set the User Policy Loopback Processing Mode  44
        Turn Off User Logon Group Policies  45
    Event Log  46
        Set Access Rights to Delete, Read, and Write Events  46
        Set Maximums for Events, Disk Usage, and Lifespans  47
    Event Forwarder  48
    User Monitor  48
        Enable Monitoring of Users and Groups  49
        Monitoring Check Interval  50
    SNMP Settings  50
    Account Override  52
        Override Files  52
        User Account Override  52
        Group Account Override  53
        Managing Duplicate Entries  54
PowerBroker Servers Settings  55
    PowerBroker Policy Rules Data  55
        Priority of Rules Within a GPO  55
    PowerBroker Server Policy Rules Data  55
        Create or Modify a PBUL Rule  57
        Change the Priority of PBUL Rules  62
        Disable or Enable PBUL Rules  62
        Export, Manually Edit, and Import PBUL Rules  62
    PBUL Configuration  63
Message Settings  66
    Display a Message with a Login Prompt Policy  66
    Display a Message of the Day  66
Logging and Audit Settings  68
    Create a SysLog Policy  68
    Secure Computers with an AppArmor Policy  69
    Secure Computers with an SELinux Policy  70
    Rotate Logs  71
File System Settings  73
    Automount a File System  73
        Example Usage  73
        Inheritance and Backup  74
        Automount a File System  74
    Create Directories, Files, and Links  74
    Specify the File System Mounts (fstab)  76
Task Settings  78
    Schedule Cron Jobs with a crontab or cron.d Policy  78
    Run a Script File  78
Security Group Policies  79
    Security Settings  82
        Sudo Command  82
        Auto Enrollment of Certificates  82
            Applying a GPO Policy  82
            Turning on Auto Enrollment  83
            Applying the Settings Using the Config Tool  83
    Network Settings  84
        Set DNS Servers and Search Domains  84
        Set Wireless Properties  86
            Preparing to Use the Wireless Policy  86
            Configuring a GPO Policy  87
            Configuring a Policy to Only Issue Certificates  87
            Applying the Settings Using the Config Tool  88
            Troubleshooting Connection Issues  89
Appendix A: Troubleshooting the PBIS Group Policy Agent  90
    Force PBIS Group Policy Objects to Refresh  90
    Check the Status of the PBIS Group Policy Daemon  90
    Restart the PBIS Group Policy Daemon  90
    Generate a PBIS Group Policy Agent Debug Log  90
    Modify or Inspect GPOs from the gp-admin Command  91
BeyondTrust®
May 2015
Introduction
PowerBroker Identity Services (PBIS) joins Unix, Linux, and Mac OS X computers to Active Directory so that
you can centrally manage all your computers from one source, authenticate users with the highly secure
Kerberos 5 protocol, control access to resources, and apply group policies to non-Windows computers.
This guide describes how to manage Unix, Linux, and Mac OS X computers using Group Policy settings
provided with PowerBroker Identity Services Enterprise Edition (PBIS Enterprise).
Conventions
Specific font and linespacing conventions are used to ensure readability and to highlight important
information such as commands, syntax, and examples.
Font Conventions
The font conventions are:
• Courier New Font is used for program names, commands, command arguments, directory paths, variable names, text input, text output, configuration file listings, and source code. For example:
  /etc/powerbroker/product.cfg
• Courier New Bold Font is used for information that should be entered into the system exactly as shown. For example:
  pbcheck -v
• Courier New Italics Font is used for input variables that need to be replaced by actual values. In the following example, variable-name must be replaced by an actual environment variable name:
  result = getenv (variable-name);
• Bold is used for Windows buttons. For example: Click OK.
Linespacing Conventions
The linespacing of commands, syntax, examples, and computer code may vary from actual Windows and
Unix/Linux usage because of space limitations. For example, if the number of characters required for a
single line does not fit within the text margins for this book, the text is displayed on two lines with the
second line indented as shown in the following sample:
result = sprintf ("System administrator Ids: %s %s %s", "Adm1", "Adm2",
"Adm3");
Where to Go Next?
For more information, see the documentation and resources listed in the following sections.
Documentation for PBIS
The PBIS documentation includes:
• PBIS Enterprise Installation Guide
• PBIS Enterprise Administration Guide
• PBIS Enterprise Linux Administration Guide
• PBIS Enterprise Auditing & Reporting Guide
• PBIS Enterprise Group Policy Administration Guide
• PBIS Release Notes
• Report Book
• Best Practices (go to the BeyondTrust web site)
Contacting Support
For support, go to our Customer Portal, and then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and
chat, along with product downloads, product installers, license management, account, latest product
releases, product documentation, webcasts and product demos.
Telephone
Privileged Account Management Support
  Within Continental United States: 800.234.9072
  Outside Continental United States: 818.575.4040
Vulnerability Management Support
  North/South America: 866.529.2201 | 949.333.1997, then enter access code
  All other Regions:
    Standard Support: 949.333.1995, then enter access code
    Platinum Support: 949.333.1996, then enter access code
Online
http://www.beyondtrust.com/Resources/Support/
Working with PBIS Group Policy Settings
This section contains general information about PBIS Group Policy settings.
About Group Policy Settings
PBIS Enterprise enables you to configure Group Policy settings for computers running Linux, Unix, and
Mac OS X. PBIS Enterprise includes more than 100 policy settings that are designed to manage non-Windows computers.
All the policy settings are integrated with the Microsoft Group Policy Management Editor, part of the
Microsoft Group Policy Management Console (GPMC).
For example, you can use a Group Policy setting to control who can use sudo for access to root-level
privileges by specifying a common sudoers file for target computers. You could create an Active
Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo
Group Policy setting to the container, giving those users sudo access on their Linux and Unix computers.
In the sudoers file, you can specify Windows-style user names and identities. Using a Group Policy
setting for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix
and Linux resources.
PBIS stores its Unix and Linux policy settings in Group Policy Objects (GPOs) in the same location and in
the same format as the default GPOs in Windows Server: in the system volume (sysvol) shared folder.
Unix and Linux computers that are joined to an Active Directory domain receive GPOs in the same way
that a Windows computer does.
User Settings
The following user settings are available:
• Several hundred Linux policy settings
• Mac system Workgroup Manager settings
• Files, Directories, Links, and Scripts policy setting
PBIS Group Policy Agent
The PBIS Group Policy Agent is automatically installed when you install the PBIS agent.
To apply and enforce policy settings, the PBIS Group Policy Agent runs continuously as a daemon
processing user policy and computer policy:
• Computer policy processing – The agent traverses the computer's distinguished name (DN) path in Active Directory.
• User policy processing – Occurs when a user logs on; the agent traverses the user's DN path in Active Directory.
The PBIS Group Policy Agent connects to Active Directory, retrieves changes, and applies them once every
30 minutes, when a computer starts or restarts, or when requested by the GPO refresh tool.
The PBIS Group Policy Agent uses the computer account credentials to securely retrieve policy template
files over the network from the domain’s protected system volume shared folder.
The PBIS Group Policy Agent applies only PBIS Group Policy settings—those in the Unix and Linux Settings
collection in the Group Policy Management Editor; it does not apply any other Group Policy settings that
may be specified in the GPOs.
PBIS GPO Refresh Tool
To force a computer to pull the latest version of its Group Policy settings, you can run the PBIS GPO
refresh tool at any time by executing the following command at the shell prompt:
/opt/pbis/bin/gporefresh
On target computers, PBIS stores policy settings in /var/lib/pbis/grouppolicy.
Inheritance
There are two types of policy settings:
• File-based – File-based policy settings, such as sudo and automount, typically replace the local file. File-based policy settings are not inherited and do not merge with the local file.
• Property-based – Property-based policy settings are inherited, meaning that the location of a GPO in the Active Directory hierarchy can affect its application. Property-based settings merge with local policy settings. Local policy settings are not replaced by property-based settings.
Most policy settings are based on properties.
Filtering by Target Platform
You can set the target platforms for a GPO. The GPO is applied only to the platforms that you select.
You can select the target platforms by operating system, distribution, and version. For example, you can
target a GPO at:
• Only computers running SUSE Linux Enterprise Server
• A mixture of operating systems and distributions, such as Red Hat Linux, Sun Solaris, Ubuntu Desktop, and HP-UX
• Computers running Mac OS X
Some policy settings, however, apply only to specific platforms. For more information, see the Help for
the policy setting that you want to use.
Target Platforms
• Mac OS X
• CentOS Linux
• Debian Linux
• Fedora Linux
• Hewlett-Packard HP-UX
• IBM AIX
• OpenSUSE Linux
• Red Hat Linux
• Red Hat Enterprise Linux (ES and AS)
• Sun Solaris
• SUSE Linux
• SUSE Linux Enterprise Desktop
• SUSE Linux Enterprise Server
• Ubuntu Linux
Go to the Target Platform Filter policy to select targets for the GPO.
Managing GPOs
You can create or edit Group Policy Objects (GPOs) and configure policy settings for computers running
Linux, Unix, and Mac OS X by using the Group Policy Management Console (GPMC).
Note: To manage a GPO, you must log on as a member of the Domain Administrators security group,
the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
You can download the Microsoft Group Policy Management Console at
http://www.microsoft.com/downloads/.
To create a GPO using GPMC:
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. Right-click the organizational unit, and then select Create a GPO in this domain, and Link it here.
3. Type a name for your GPO.
4. Click OK.
5. Right-click the GPO that you created, and then click Edit.
Note: The PBIS Group Policy settings are in the Unix and Linux Settings collection. For more
information about each policy, see the Help for the policy setting that you want to use.
View a Report on a GPO's Policy Settings
In GPMC, you can view details on PBIS policy settings defined in a GPO.
Go to the GPO and select the Settings tab to view the report on its policy settings.
Walkthrough: Creating a sudo GPO
You can create a GPO to specify a sudo configuration file for target computers.
Sudo, or superuser do, allows a user to run a command as root or as another user. You can use this GPO
to control sudo access in a centralized and uniform way.
The sudo configuration file is copied to the local computer and replaces the local sudoers file. A sudo file
can reference Active Directory users and groups. For more information about sudo, see the man pages
for your system.
When you define the GPO, you can also set its target platforms. The GPO settings are applied only to the
operating systems, distributions, and versions that you choose. For more information, see “Filtering by
Target Platform,” page 9.
Note: The PBIS entries in your sudoers file must conform to the rules set in "Configure Entries in Your
Sudoers Files" in the PowerBroker Identity Services Enterprise Edition Administration Guide.
Create a sudo GPO
Note: To create or edit a GPO, you must log on as a member of the Domain Administrators security
group, the Enterprise Administrators security group, or the Group Policy Creator Owners security
group.
To create a sudo GPO:
1. In the Group Policy Management Editor, expand either Computer Configuration or User
Configuration, and then expand Policies, Unix and Linux Settings.
2. Expand Security Settings, and then select SUDO command.
3. Double-click Define Sudoer file.
4. Select the Define this Policy Setting check box, and then in the Current file content box, type your
commands.
Or, to import a sudo configuration file, click Import.
5. Select Target Platform Filter.
6. Double-click Target platforms.
7. To target all the platforms, select All.
To choose platforms, click Select from the List, and then select the platforms.
Test the sudo GPO
After you set the sudo GPO, you can test it on a target computer. The target computer must be in a cell
associated with the organizational unit where you linked the sudo GPO.
1. On a target Linux or Unix computer, log on as an administrator and execute the following command
to force PBIS Group Policy settings to refresh:
/opt/pbis/bin/gporefresh
2. Check whether your sudoers file is on the computer:
cat /etc/sudoers
Note: The location of the sudoers file varies by platform. For example, on Solaris it is in
/opt/sfw/etc or /opt/csw/etc. On other platforms, it is in /usr/local/etc.
3. Log on to the Unix or Linux computer as a regular user who has sudo privileges as specified in the
sudoers configuration file.
4. Try to access a system resource that requires root access using sudo. When prompted, use the
password of the user you are logged on as, unless targetpw is set in the sudoers file.
Verify that the user was authenticated and that the user can access the system resource.
Test sudo Security
To test sudo security:
1. Log on as a user who is not enabled with sudo in the sudoers file that you used to set the Group
Policy Object (GPO).
2. Verify that the user cannot perform root functions using sudo with his or her Active Directory
credentials.
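The two checks above (a listed user is allowed, an unlisted user is denied) can be rehearsed against a sudoers file before it is pushed out by the GPO. The following Python example is added here and is not part of the guide or of PBIS: it parses a constructed sudoers file that references an Active Directory group and reports whether a given user may run a command. The domain EXAMPLE, the group SudoUsers and the user names are constructed; the `%DOMAIN\\group` spelling with an escaped backslash is the form assumed here for AD groups; and the matcher is a deliberate simplification of sudo's grammar (no aliases, negation, tags, Defaults or per-host rules), so it illustrates the walkthrough rather than replacing `sudo -l` on a real host.

```python
# Constructed sudoers content: one AD group rule and one per-user rule that is
# limited to a single command. In sudoers the backslash between domain and
# account name is written escaped ("\\").
SAMPLE_SUDOERS = r"""
# /etc/sudoers delivered by the sudo GPO (constructed sample)
Defaults    env_reset
root        ALL=(ALL) ALL
%EXAMPLE\\SudoUsers   ALL=(ALL) ALL
EXAMPLE\\svc-backup   ALL=(ALL) /usr/bin/rsync
"""


def parse_rules(sudoers_text):
    """Return (subject, is_group, commands) tuples from sudoers text.

    Simplified grammar: '<user|%group> <host>=(<runas>) <cmd>[, <cmd>...]'.
    Comments, blank lines and Defaults are skipped; aliases are not supported.
    """
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        subject, _, spec = line.partition(" ")
        # Drop the host part and the (runas) list; keep only the command list.
        _, _, after_host = spec.strip().partition("=")
        cmds = after_host.split(")", 1)[1] if after_host.startswith("(") else after_host
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        is_group = subject.startswith("%")
        name = subject[1:] if is_group else subject
        # Unescape the doubled backslash used in sudoers for DOMAIN\name.
        rules.append((name.replace("\\\\", "\\"), is_group, commands))
    return rules


def sudo_allowed(sudoers_text, user, groups, command):
    """True if 'user' (with group memberships 'groups') may run 'command'.

    Names are compared case-insensitively because the PBIS agent renders AD
    user and group names in lowercase on the client; treating that as safe for
    matching is an assumption of this example, not sudo's own behaviour.
    """
    user_l = user.lower()
    groups_l = {g.lower() for g in groups}
    for name, is_group, commands in parse_rules(sudoers_text):
        subject_matches = (name.lower() in groups_l) if is_group else (name.lower() == user_l)
        if not subject_matches:
            continue
        if "ALL" in commands or command in commands:
            return True
    return False


def sudo_test_report(sudoers_text):
    """Mirror the walkthrough's checks on constructed accounts."""
    return {
        # Member of SudoUsers: should be allowed to run anything.
        "member": sudo_allowed(sudoers_text, r"EXAMPLE\jdoe", [r"EXAMPLE\SudoUsers"], "/bin/id"),
        # AD user who is not in the group: must be denied (the "Test sudo Security" step).
        "outsider": sudo_allowed(sudoers_text, r"EXAMPLE\jsmith", [r"EXAMPLE\Domain Users"], "/bin/id"),
        # Service account limited to one command: allowed for it, denied for others.
        "backup": sudo_allowed(sudoers_text, r"EXAMPLE\svc-backup", [], "/usr/bin/rsync"),
        "backup_other": sudo_allowed(sudoers_text, r"EXAMPLE\svc-backup", [], "/bin/bash"),
    }


if __name__ == "__main__":
    for check, allowed in sudo_test_report(SAMPLE_SUDOERS).items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Running the script prints one line per check; the "outsider" line is the one that must read "denied" for the sudoers file to pass the security test in the walkthrough.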
PBIS Settings
This section describes how to configure each policy setting included with PBIS Enterprise. The policy
settings that follow are organized into sections that match their location in the console tree of the Group
Policy Management Editor.
Show a Password Expiration Warning
This policy setting configures the number of days to display a warning before a local account password
expires on a target Linux computer.
By default, the warning message is displayed for 5 days. Set the value to 0 to disable the warning.
This policy setting is only for computers running Linux.
To configure a password expiration warning:
1. In GPMC, create or edit a GPO for the organizational unit that you want, and then edit it in the Group
Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings,
BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Local account password expiration warning, and then select the Define this policy
setting check box.
4. Enter the number of days to display the warning message.
Authorization and Identification
The following group policies are in the Authorization and Identification folder located in the PBIS
Settings folder.
Set the Cache Expiration Time
You can set how long the PBIS agent caches information about a user's home directory, logon shell, and
the mapping between the user or group and the security identifier (SID) on target Unix and Linux
computers. Features that are using offline cached credentials re-attempt to log on to the Active Directory
domain controller at the interval that you set. When online, the PBIS agent also caches the information
for the specified time period.
You can use this policy to improve the performance of your system by increasing the expiration time of
the cache.
This policy works on computers running Linux, Unix, or Mac OS X. The policy, which is inherited, does not
replace local policies; it merges with them. For more information, see “About Group Policy Settings,”
page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Cache expiration time, and then select the Define this Policy
Setting check box.
4. In the Cache timeout box, enter the time, in minutes.
Set the Domain Separator Character
The default domain separator character is \. By default, the Active Directory group
DOMAIN\Administrators appears as DOMAIN\administrators on target PBIS clients, because the PBIS
authentication daemon renders all names of Active Directory users and groups in lowercase.
You can, however, replace the backslash that acts as the separator between an Active Directory domain
name and the SAM account name with a character that you choose.
The following characters cannot be used as the separator:
• Alphanumeric characters (letters and digits)
• @
• #
• The character that you used for the space-replacement setting; for more information, see “Replace Spaces in Names with a Character,” page 35.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings,
BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Domain Separator Character, and then select the Define this
Policy Setting check box.
4. In the String Value box, type the character that you want to use. For example, ~.
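The rules above (lowercase rendering, a single-character separator, and the characters that are not allowed) are small enough to check before a GPO is deployed. The following Python example is added here and is not the guide's or PBIS's own code: it validates a proposed separator, renders a DOMAIN\name the way the guide describes it appearing on a client, and flags account names that already contain the chosen separator, since such a name can no longer be split unambiguously into domain and account. The default space-replacement character `^` and the sample names are assumptions of the example.

```python
DEFAULT_SEPARATOR = "\\"          # the guide's default: a backslash
DEFAULT_SPACE_REPLACEMENT = "^"   # assumed default of the space-replacement setting


def validate_separator(separator, space_replacement=DEFAULT_SPACE_REPLACEMENT):
    """Reject the separators the guide lists as not allowed; return it otherwise."""
    if len(separator) != 1:
        raise ValueError("the separator must be a single character")
    if separator.isalnum():
        raise ValueError("letters and digits cannot be used as the separator")
    if separator in "@#":
        raise ValueError(f"{separator!r} cannot be used as the separator")
    if separator == space_replacement:
        raise ValueError("the separator must differ from the space-replacement character")
    return separator


def render_ad_name(domain, sam_account_name, separator=DEFAULT_SEPARATOR,
                   space_replacement=DEFAULT_SPACE_REPLACEMENT):
    """Render DOMAIN + separator + account name as it appears on a PBIS client.

    The account name is lowercased, as the guide states, and spaces in it are
    replaced with the space-replacement character ('Domain Users' -> 'domain^users').
    """
    validate_separator(separator, space_replacement)
    account = sam_account_name.lower().replace(" ", space_replacement)
    return f"{domain}{separator}{account}"


def split_ad_name(rendered, separator=DEFAULT_SEPARATOR):
    """Inverse of render_ad_name: recover (domain, account) from a rendered name."""
    domain, sep, account = rendered.partition(separator)
    if not sep:
        raise ValueError(f"{rendered!r} does not contain the separator {separator!r}")
    return domain, account


def ambiguous_names(sam_account_names, separator):
    """Return the account names that contain the separator and so would be
    split at the wrong place by consumers that parse DOMAIN<sep>name."""
    return [name for name in sam_account_names if separator in name]


if __name__ == "__main__":
    # Constructed sample accounts.
    accounts = ["Administrators", "Domain Users", "svc-backup", "j.doe"]
    print(render_ad_name("DOMAIN", "Administrators"))                 # DOMAIN\administrators
    print(render_ad_name("DOMAIN", "Administrators", separator="~"))  # DOMAIN~administrators
    for sep in ("~", "-", "."):
        print(sep, "collides with:", ambiguous_names(accounts, sep))
```

The last loop is the practical check: `~` collides with nothing in the sample, while `-` and `.` each collide with an existing account name, so a name rendered with one of those separators would be split incorrectly by anything downstream (a sudoers entry, an ACL) that parses it back.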
Set the Home Directory Template and Path Prefix
Use the home directory path template and path prefix policy settings together to customize the way that
the home directory path is determined for a user account.
In the Group Policy Management Editor, the policy settings are under Authorization and Identification:
Home directory path template
Set a home directory path template for target systems running lsassd.
Note: Home directory settings configured at the Cell level (either using PowerBroker Cell Manager or the
PowerBroker Cell Settings in ADUC), override the settings provided at the policy level.
The Login Shell Template setting can affect a user's home directory when the home directory is not
configured in the Cell.
Two home directory path templates policies are available:
• Home directory path template – use for an Active Directory account. Policy settings apply to users logging on to a computer using Active Directory domain credentials.
• Local home directory path template – use for a local PBIS account. Policy settings apply to users logging on to a computer using PBIS local provider credentials.
You can use the following variables when configuring the home directory path template policy:
Variable  Description
%U        Required. The default user name.
%D        Optional. The default domain name.
%H        Optional. The default home directory prefix. If set in the path prefix policy, it must be set as an absolute path. This value, if used, is typically the first variable in the sequence.
%L        Optional. The host name of the computer.
The following example shows the default values for the Home directory path template policy.
Note that the %H variable is not preceded by a slash. The slash is included when you configure the prefix.
By default, the %H variable creates a home directory path compatible with the target OS. For example:
• Solaris – Maps to /export/home. On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.
• Mac OS X – Maps to /Users. On Mac OS X, to mount a remote home directory, you must first create the directory on the remote server as well as the folders for music, movies, and so forth. See Use the createhomedir Command to Create Home Directories and other information on Apple's website.
• Linux – Maps to /home
To configure home directories other than the defaults, however, you must explicitly configure the home
directory path and prefix for each target operating system using PBIS's target platform filter; see “Filtering
by Target Platform,” page 9.
Home directory path prefix
The prefix that you configure in the prefix policy replaces the %H variable if configured in the home
directory path template policy.
Two home directory path prefix policies are available:
• Home directory path prefix – use for an Active Directory account.
• Local home directory path prefix – use for a local PBIS account.
The prefix must be an absolute path. Precede the entry with a slash, as the following default setting
illustrates:
Set a Remote Directory Path for AD Accounts
You can use the Remote directory path template policy setting to automatically connect (mount) Linux
and Unix computers to the share locations that are defined in each user's Active Directory account profile
so that documents and settings specific to the user are available on any computer from which they log on
to on your network.
If the share path is represented as a DFS URL, PBIS translates these paths to SMB server\share\paths that
the native CIFS mount support can use. In newer Linux distributions, the user's single sign-on Kerberos
credentials obtained at logon are used to connect to the shares.
You can use these shares in either of the following ways:
• As a resource folder accessible to the user's local home directory.
• As the actual user home directory for a network-mounted user account profile.
When the user logs off, the network mount connection is automatically removed.
To use this policy setting to mount a remote file share specific to the user:
Note: Before this policy setting can be effective, in Active Directory Users and Computers (ADUC), you
must first configure the network share to be mounted.
1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the
Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Unix and Linux Settings,
BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Remote directory path template, and then select the Define this
policy setting check box.
4. In the Path template box, enter the local folder to which the share should be mounted using the
following variables, and then click OK.
Variable  Description
%U        Required. The default user name.
%D        Optional. The default domain name.
%H        Optional. The default home directory prefix. If set in the path prefix policy, it must be set as an absolute path. This value, if used, is typically the first variable in the sequence.
%L        Optional. The host name of the computer.
Example: If none of the defaults have been modified, the following path template mounts the home folder
specified in ADUC in the user's home folder as MyHome:
%H/local/%D/%U/MyHome
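The same four variables drive both the home directory path template (with its prefix policy supplying %H) and the remote directory path template above. The following Python example is added here and is not the guide's or PBIS's own code: it expands a template with the variables the guide lists, enforces the two constraints the guide states (%U is required; the prefix replacing %H must be an absolute path), and falls back to the per-platform default prefixes the guide gives for Linux, Solaris and Mac OS X. The default template `%H/%D/%U`, the platform keys and the sample user, domain and host name are assumptions of the example; the domain is substituted exactly as given, since the guide does not say whether %D is lowercased.

```python
import re

# Default %H values per platform, as listed in the guide (keys are this example's own).
DEFAULT_HOME_PREFIX = {"linux": "/home", "solaris": "/export/home", "macosx": "/Users"}

# Assumed default template; the guide's screenshot of the defaults is not reproduced here.
DEFAULT_TEMPLATE = "%H/%D/%U"

# The only variables the guide defines for these templates.
KNOWN_VARIABLES = {"%U", "%D", "%H", "%L"}


def expand_path_template(template, user, domain, prefix, host):
    """Expand a home/remote directory path template.

    Raises ValueError when %U is missing, when the prefix is not absolute, or
    when the template uses a variable the guide does not define.
    """
    if "%U" not in template:
        raise ValueError("%U is required in a path template")
    if not prefix.startswith("/"):
        raise ValueError("the home directory path prefix must be an absolute path")
    unknown = {m for m in re.findall(r"%.", template)} - KNOWN_VARIABLES
    if unknown:
        raise ValueError(f"unknown template variable(s): {sorted(unknown)}")
    # %H is not preceded by a slash in the template; the prefix carries it.
    return (template.replace("%H", prefix)
                    .replace("%D", domain)
                    .replace("%U", user)
                    .replace("%L", host))


def home_directory(platform, user, domain, host, template=DEFAULT_TEMPLATE, prefix=None):
    """Home directory for an AD account: explicit prefix policy, or the platform default."""
    if prefix is None:
        prefix = DEFAULT_HOME_PREFIX[platform.lower().replace(" ", "")]
    return expand_path_template(template, user, domain, prefix, host)


def remote_mount_point(user, domain, host, prefix="/home",
                       template="%H/local/%D/%U/MyHome"):
    """Mount point for the ADUC share, using the guide's example template."""
    return expand_path_template(template, user, domain, prefix, host)


if __name__ == "__main__":
    # Constructed sample identity.
    user, domain, host = "jdoe", "EXAMPLE", "ws01"
    for platform in ("Linux", "Solaris", "Mac OS X"):
        print(f"{platform:9s} {home_directory(platform, user, domain, host)}")
    print("per-host    ", home_directory("Linux", user, domain, host, template="%H/%L/%U"))
    print("remote share", remote_mount_point(user, domain, host))
```

Because the template is expanded per platform, the script makes the guide's point concrete: with the default template, the same user lands in /home/EXAMPLE/jdoe on Linux but /export/home/EXAMPLE/jdoe on Solaris, and only an explicit prefix policy (filtered by target platform) changes that.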
Set the Login Shell
There are two policies available to set the login shell:
• Login shell template – used for an Active Directory account.
• Local account login shell template – used for a local PBIS account.
Note: The login shell template policy defines the login shell for an AD account only when it is not set on
the PowerBroker Cell Settings tab in Active Directory.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click either Login shell template or Local account login shell template, and then select the
Define this Policy Setting check box.
4. In the Shell box, type the shell you want; for example, /bin/bash.
Set the Maximum Tolerance for Kerberos Clock Skew
You can create a group policy to set the maximum amount of time that the clock of the Kerberos Key
Distribution Center (KDC) can deviate from the clock of target hosts. For security, a host rejects responses
from any KDC whose clock is not within the maximum clock skew, as set in the host's krb5.conf file.
The default clock skew is 300 seconds, or 5 minutes. This policy changes the clock skew value in the
krb5.conf file of target Linux, Unix, and Mac OS X hosts.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Kerberos: Set the Maximum tolerance for Kerberos clock Skew (clockskew), and
then select the Define this policy setting check box.
4. In the Maximum tolerance box, enter the maximum amount of time, in minutes, to allow for the
clock skew. (In krb5.conf itself, the clockskew value is expressed in seconds.)
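As an added example (not taken from the guide or from PBIS), the following Python reads the clockskew value from the [libdefaults] section of a krb5.conf text, applies the acceptance rule described above to a KDC timestamp, and flags a tolerance wider than the 300-second default. The krb5.conf content is a constructed sample of what a target host might carry after the policy has raised the tolerance to 10 minutes.

```python
import re

DEFAULT_CLOCKSKEW = 300  # seconds: the MIT Kerberos default when clockskew is not set

# Constructed sample of a target host's krb5.conf (not a real file from any system).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    clockskew = 600
    dns_lookup_kdc = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }
"""


def read_clockskew(krb5_conf_text):
    """Return the clockskew in seconds from [libdefaults], or the default if it is unset."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # krb5.conf comment lines
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "clockskew":
                return int(value)
    return DEFAULT_CLOCKSKEW


def kdc_response_acceptable(host_time, kdc_time, clockskew):
    """The rule from the text: a KDC response is rejected when its timestamp is more
    than clockskew seconds away from the host's clock (times in epoch seconds)."""
    return abs(host_time - kdc_time) <= clockskew


def check_skew_policy(krb5_conf_text, max_allowed=DEFAULT_CLOCKSKEW):
    """Return (clockskew, warning). Widening the tolerance also widens the window in
    which a captured authenticator is still accepted, so anything above max_allowed
    is flagged: fix time synchronization rather than loosening the check."""
    skew = read_clockskew(krb5_conf_text)
    if skew > max_allowed:
        return skew, "clockskew %ds exceeds %ds" % (skew, max_allowed)
    return skew, None


if __name__ == "__main__":
    print(check_skew_policy(SAMPLE_KRB5_CONF))
```

Run it against /etc/krb5.conf on a target host after the GPO has applied to confirm that the value landed and that it has not been widened beyond what the host's time source justifies.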
Trust Enumeration Settings
PBIS Enterprise includes the following set of group policies for controlling how PBIS's domain manager
enumerates trusts on target Linux, Unix, and Mac OS X computers. The policies can help improve
performance of the authentication service in an extended AD topology.
Note: The policy that specifies an include list is dependent on defining the policy for ignoring all trusts.
To use the include list, you must first enable the policy to ignore all trusts. The include-list policy
must explicitly contain every domain that you want to enumerate. It is insufficient to include only
the forests that contain the domains.
For a domain that is added to the include list, PBIS tries to discover its trust. If some of the domains are
not included in the list, the resulting trust relationships might run counter to your intentions: The PBIS
agent might process the trust as a one-way forest child trust when it is not.
Here's an example. Suppose you have the following forests:
• FOREST-A with child DOMAIN-A
• FOREST-B with child DOMAIN-B
Assume that FOREST-A and FOREST-B have a two-way trust and that the target computer is joined to
DOMAIN-A. The include list contains DOMAIN-B but not DOMAIN-A. During the main trust enumeration,
no trusts are added because the group policy to ignore all the trusts is enabled. The PBIS agent then adds
DOMAIN-B because it is in the include list. Since the PBIS agent ignores DOMAIN-A, however, the agent
adds DOMAIN-B as a 1-way forest child; its trust relationship is incorrectly recognized. If your intention is
to add it with its 2-way trust relationship intact, you must make sure to put the other domain and forest
in the include list -- in this case, both FOREST-A with child DOMAIN-A and FOREST-B with child DOMAIN-B.
Tip:
To check your trust relationships, use the Microsoft Active Directory Domains
and Trusts MMC snap-in. In the snap-in, right-click a domain, click Properties,
and then click the Trusts tab.
Lsass: Ignore all trusts during domain enumeration
    Determines whether the authentication service discovers domain trusts.
    In the default configuration of disabled, the service enumerates all the parent and child domains
    as well as forest trusts to other domains. For each domain, the service establishes a preferred
    domain controller by checking for site affinity and testing server responsiveness, a process that
    can be slowed by WAN links, subnet firewall blocks, stale AD site topology data, or invalid DNS
    information.
    When it is unnecessary to enumerate all the trusts (for example, the intended users of the target
    computer are only from the forest that the computer is joined to), turning on this setting can
    improve startup times of the authentication service.
Lsass: Domain trust enumeration include list
    When the policy Lsass: Ignore all trusts during domain enumeration is enabled, only the domain
    names in the include list are enumerated for trusts and checked for server availability.
Lsass: Domain trust enumeration exclude list
    When the policy Lsass: Ignore all trusts during domain enumeration is disabled (its default
    setting), the domain names in the exclude list are not enumerated for trusts and not checked for
    server availability.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click the Lsass: Ignore all trusts during domain enumeration policy and select the Define
this Policy Setting check box.
4. Select one of the following:
   – Enabled - If you click Enabled, define the Lsass: Domain trust enumeration include list policy to
     add a comma-separated list of the domains that you want to include in enumeration.
   – Disabled - If you click Disabled, you can optionally define the Lsass: Domain trust enumeration
     exclude list policy to specify a comma-separated list of the domains that you want to exclude
     from enumeration.
5. Click OK.
The settings take effect when you restart either the target computer or the PBIS authentication service
(lsass).
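The Python below is an added illustration, not code from the guide or from PBIS, of the include and exclude behaviour described in the table above and of the FOREST-A/FOREST-B example. The trust map is a constructed sample: each domain maps to the domains it has a two-way trust with. enumerated_domains() returns what lsass would enumerate under the three policies, and include_list_gaps() reports every included domain whose two-way trust partner is missing from the include list, which is the situation in which the agent would record a one-way forest child trust instead.

```python
# Constructed topology for the example above (not a real forest): parent/child links
# inside each forest plus the two-way forest trust between FOREST-A and FOREST-B.
TWO_WAY_TRUSTS = {
    "FOREST-A": {"DOMAIN-A", "FOREST-B"},
    "DOMAIN-A": {"FOREST-A"},
    "FOREST-B": {"DOMAIN-B", "FOREST-A"},
    "DOMAIN-B": {"FOREST-B"},
}


def enumerated_domains(joined_domain, ignore_all_trusts, include_list, exclude_list, trusts):
    """Domains lsass enumerates under the three policies in the table above.

    With 'Ignore all trusts' enabled only the include list is used; with it disabled
    (the default) every domain reachable over trusts is enumerated except those in
    the exclude list (and anything reachable only through an excluded domain).
    """
    joined = joined_domain.upper()
    if ignore_all_trusts:
        return {joined} | {d.upper() for d in include_list}
    excluded = {d.upper() for d in exclude_list}
    seen, todo = {joined}, [joined]
    while todo:
        current = todo.pop()
        for partner in trusts.get(current, ()):
            if partner not in seen and partner not in excluded:
                seen.add(partner)
                todo.append(partner)
    return seen


def include_list_gaps(joined_domain, include_list, trusts):
    """With 'Ignore all trusts' enabled, return (domain, missing_partner) pairs: an
    enumerated domain whose two-way trust partner is absent from the include list is
    the case in which the agent records a one-way forest child trust instead."""
    included = {joined_domain.upper()} | {d.upper() for d in include_list}
    return [(dom, partner)
            for dom in sorted(included)
            for partner in sorted(trusts.get(dom, ()))
            if partner not in included]


if __name__ == "__main__":
    # The mistaken include list from the text: DOMAIN-B without the rest of both forests.
    print(include_list_gaps("DOMAIN-A", ["DOMAIN-B"], TWO_WAY_TRUSTS))
```

Feed it the include list you intend to deploy; an empty result from include_list_gaps() means every two-way relationship you rely on is represented on both sides, which is the condition the text asks you to verify in Active Directory Domains and Trusts.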
Require Trust Enumeration Completion at Startup
There are two policies that work together to control trust enumeration when a PBIS client starts up:
• Require trust enumeration to complete during startup: This policy sets the PBIS authentication
  service (Lsass) to finish enumerating all the domain trusts before the service indicates that it has
  started. You can use this policy to help sequence services, such as crond, that depend on Lsass for
  user and group object lookups.
  For quicker startup times, the setting's default is disabled. You should enable it when Lsass must be
  completely operational before subsequent services start. When enabled, Lsass finishes starting only
  after it finds all the domains and domain controllers that are available to log on users and look up
  identities. After trust enumeration completes, or the trust enumeration completion time is reached,
  Lsass signals its running status to the PBIS Service Manager, which then reports on the dependent
  PBIS services.
• Trust enumeration completion time: This policy determines how long Lsass waits for trust
  enumeration to finish during startup when the policy to require trust enumeration to complete
  during startup is enabled. The default is 0, which indicates an unlimited wait time.
The policies can be applied to Linux, Unix, and Mac OS X computers.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsass: Require trust enumeration to complete during startup, and then select the
Define this policy setting check box.
4. To require all trusts to enumerate before Lsass starts up, click Enabled, and then click OK.
5. In the details pane, double-click Lsass: Trust enumeration completion time and then select the
Define this policy setting check box.
6. In the box, enter the time, in seconds, that you want Lsass to wait for trusts to enumerate before
starting up. The default setting of 0 indicates an unlimited wait time.
Ignore User or Group Names
There are two policies that you can set to prevent PBIS's Active Directory provider from performing name
service queries for entries that are not in Active Directory:
• Group names to ignore - Specifies the group names to ignore on target PBIS clients. The policy
  can contain a comma-separated list of group names.
• User names to ignore - Specifies the user account names to ignore on target PBIS clients. The
  policy can contain a comma-separated list of account names.
To set an ignore policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsass: User names to ignore or Lsass: Group names to ignore, and then select the
Define this policy setting check box.
4. In the text box, type a comma-separated list of names that you want PBIS to ignore.
Prepend Domain Name for AD Users and Groups
This group policy changes the assume-default-domain setting for the PBIS agent to yes, adding the
default domain before the names of Active Directory users and groups on target Linux, Unix, and Mac OS
X computers. You can use this policy to spare users from typing the name of their Active Directory domain
each time they log on to a computer or switch users.
This policy replaces the local setting, the default of which is no.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsassd: Prepend default domain name for AD users and groups, and then select the
Define this policy setting check box.
4. Select Enabled.
Change NSS Membership and NSS Cache Settings
To customize PBIS Enterprise to meet the performance needs of your network, you can set several group
policies to specify how the PBIS agent parses and caches group and user membership information.
The policies described in the table below populate the following value entries in the PBIS registry, shown
here with their default values:
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"TrimUserMembership"=dword:00000001
"NssGroupMembersQueryCacheOnly"=dword:00000001
"NssUserMembershipQueryCacheOnly"=dword:00000000
"NssEnumerationEnabled"=dword:00000000
Lsass: Enable user group membership trimming
    Specifies whether to discard cached group membership information that came from a Privilege
    Attribute Certificate (PAC) entry when it conflicts with newer information retrieved through
    LDAP. Otherwise, PAC information, which does not expire, is updated only the next time the user
    logs on.
    It is turned on by default.
Lsass: Enable cache only group membership enumeration for NSS
    Specifies whether to return only cached information for the members of a group when queried
    through the name service switch (nsswitch). The setting determines whether nsswitch-based group
    APIs obtain group membership information exclusively from the cache or also search for
    additional membership data through LDAP.
    The LDAP enumeration can be slow and can affect performance with a large amount of data. To
    improve performance for groups with more than 10,000 users, set this option to enabled.
    Without the LDAP enumeration, a user's complete group membership can be retrieved (from the
    PAC) only when that user logs on.
    It is turned on by default.
Lsass: Enable cache only user membership enumeration for NSS
    When enabled, enumerates the groups to which a user belongs using information based solely on
    the cache. When disabled, checks the cache and then searches for more information over LDAP.
    It is turned off by default.
Lsass: Enable NSS Enumeration
    Controls whether all users or all groups can be listed incrementally through NSS. On Linux
    computers and on Unix computers other than Mac, the registry default is 0 (turned off). On
    Mac OS X computers, the default is 1 (turned on).
    To allow third-party software to show Active Directory users and groups in lists, you can turn
    on this setting, but performance might be affected.
    Note: When you run the id command for an Active Directory user other than the current user on
    some Linux systems, such as SLES 10 and SLED 10, the command returns only that user's primary
    group, because the command enumerates all the groups and searches for the user in each group's
    membership. To properly find another user's membership with the id command on SLES 10 and
    SLED 10, you must turn on NSS enumeration.
Turn On Event Logging with a GPO
This group policy turns on logging for events on target Linux, Unix, and Mac OS X computers. You can use
this policy to improve security monitoring by logging authentication and authorization requests.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsassd: Enable use of the event log, and then select the Define this policy setting
check box.
4. Select Enabled.
Stop Refreshing User Credentials
By default, PBIS automatically refreshes user credentials, but you can turn off automatic refreshes with a
group policy.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsassd: Enable user credential refreshing, and then select the Define this policy
setting check box.
4. Select Disabled to stop automatically refreshing user credentials.
Sign and Seal LDAP Traffic with a GPO
You can sign and seal the LDAP traffic between a PBIS client and a domain controller: signing lets each
side verify that the traffic was not tampered with in transit, and sealing encrypts it so that others on
your network cannot read it. This policy can help improve network security.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsassd: Enable signing and sealing for LDAP traffic, and then select the Define this
policy setting check box.
4. Select Enabled.
Force Authentication to Use Unprovisioned Mode
To use the PBIS Enterprise agent to join a Linux, Unix, or Mac OS X computer to a domain that has not
been configured with cell information, you must set this group policy to unprovisioned mode (PBIS
Open). This setting, which applies only to PBIS Enterprise, forces the authentication service to ignore the
following Unix information even though it is set in Active Directory:
• Home directory
• UID
• GID
• Unix shell
Instead of using the information from Active Directory, the unprovisioned value sets the authentication
service to derive the UID and GID by hashing the user's security identifier (SID) and to use the local
default settings for the Unix shell and the home directory.
Note: The default is support cell mode, a setting that requires you to create a cell in Active
Directory before you join a client running PBIS Enterprise to it. If you are using PBIS Enterprise
with cells and you want to use the Unix settings in AD, it is recommended that you do not set this
group policy or that you leave it set to its default value.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. In the details pane, double-click Lsass: Force authentication to use unprovisioned mode, and
then select the Define this policy setting check box.
4. Select Unprovisioned mode (PBIS Open).
Turn Off Logging of Network Events
This group policy turns off logging for network events on target Linux, Unix, and Mac OS X computers.
You can apply this policy to laptop computers, computers with a wireless connection, or other
computers whose network status might be in flux so that you do not flood the event log with connectivity
events.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsassd: Log network connectivity events, and then select the Define this policy
setting check box.
4. Select Disabled to stop logging network connectivity events.
Turn Off System Time Synchronization with a GPO
This group policy changes the sync-system-time setting of the PBIS agent to disabled or enabled
on target Linux, Unix, and Mac OS X computers.
This policy replaces the local setting, the default of which is enabled: The PBIS authentication daemon,
lsassd, synchronizes the system time of the client with that of the Active Directory domain controller.
You can apply this policy when an alternative time synchronization process is in use.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Lsassd: System time synchronization, and then select the Define this policy setting
check box.
4. Select Disabled to stop lsassd from synchronizing the system time with the domain controller, or
Enabled to keep the default behavior.
Set the Machine Account Password Expiration Time
You can define a group policy to set the machine account password's expiration time on target Unix and
Linux computers. The expiration time specifies when machine account passwords are reset in Active
Directory.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Machine account password expiration time (machine password timeout), and then
select the Define this Policy Setting check box.
4. In the Expiration Time box, enter the time, in days, that you want.
Note: To avoid issues with Kerberos key tables and single sign-on, the value you set in the Expiration
Time box (in days) must be at least twice the maximum lifetime for user tickets (set in hours), plus a
little more time to account for the permitted clock skew. The maximum lifetime for a user ticket is
set using an Active Directory group policy called Maximum lifetime for user ticket. The default user
ticket lifetime is 10 hours; the default PBIS machine password lifetime is 30 days, so the defaults
satisfy the rule with a wide margin.
Check the Maximum Lifetime for a User Ticket
1. Open the default domain policy in the Group Policy Management Editor.
2. Expand Computer Configuration, Windows Settings, Security Settings, Account Policies, and
then click Kerberos policy.
3. In the details pane, double-click Maximum lifetime for user ticket.
4. In the Ticket expires in box, make sure that the number of hours is no more than half of the
value you set in the Expiration Time box of the PBIS group policy for the machine account password
expiration time (converted from days to hours).
Replace Spaces in Names with a Character
You can define a group policy on target Unix and Linux computers to replace spaces in Active Directory
user and group names with a character that you choose.
For example, when you set the replacement character to ^, the group DOMAIN\Domain Users in Active
Directory appears as DOMAIN\domain^users on target Linux and Unix computers.
Note: The PBIS authentication daemon renders all names of Active Directory users and groups
lowercase.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
To replace spaces in names with a character:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Authorization and Identification.
3. Double-click Replacement character for names with spaces, and then select the Define this Policy
Setting check box.
4. In the Character to replace spaces in names with box, type the character that you want -- for
example, ^.
Logon
The group policies that are described in this section are in the Logon folder located in the PBIS Settings
folder:
Allow Logon Rights (RequireMembershipOf)
You can create a group policy to specify the Active Directory users and groups allowed to log on to target
Unix and Linux computers. Users and groups who have logon rights can log on to the target computers
either locally or remotely. You can also use this policy to enforce logon rules for local users and groups.
To use this policy, you must grant the users access to the PBIS cell that contains the target computer
object. By default, all Unix and Linux computers are joined to the default cell, and all members of the
Domain Users group are allowed to access the default cell. PBIS checks requiremembershipof
information in both the authentication phase and the account phase.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
Note: You can also define logon rights manually for a computer. For more information, see Restrict
Logon Rights by Group.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Allow logon rights, and then select the Define this Policy Setting check box.
4. Click the browse button, and then locate the users or groups that you want to grant logon rights.
Optionally, in the Users and/or Groups box, type a comma-separated list of the users and groups
that you want. In the list, you can use short domain names with Active Directory account names and
group names, that is, the NT4-style name. You can also use local account names and local groups,
as well as security identifiers (SIDs) in string format. In addition, you can add a group that is
not enabled in the cell to give its members access to the target computer. You cannot, however,
use an alias for an AD group or user. If you have configured PBIS to assume the default domain, you
must still use the NT4-style name.
For example, you could enter the following comma-separated list:
CORP\johndoe, janedoe@corp.mycorp.com, CORP\domain^users, S-1-1-0
In the example, the entry S-1-1-0 is a SID in string format. It is the well-known SID for Everyone, so
including it grants logon rights to every account; use it only when that is what you intend.
Note: To separate the domain name from the user name or the group name in the AD account
logon syntax, you must use a backslash (\). Example: pbisdemo.com\steve.
5. Grant the users and groups access to the PBIS cell that contains the target computer object.
Host Name Substitution
This policy substitutes the host name of the target computer for the variable %hostname (or its
shorthand version, %L) when the variable is included in the list of users and groups. You can, for example,
set a string with the host name variable like this:
CORP\Domain Administrators,CORP\%hostname_Users,CORP\%L_Testers
When the group policy object is applied to a target computer named test-machine, the variables are
substituted as follows:
CORP\Domain Administrators,CORP\TEST-MACHINE_Users,CORP\TEST-MACHINE_Testers
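The following Python is an added example, not code from the guide or from PBIS, that parses an Allow logon rights list as described above: it performs the %hostname and %L substitution, classifies each entry by its form (NT4-style, UPN, string SID, or local name), and warns about well-known broad SIDs such as S-1-1-0 (Everyone). The classification is by string shape only; the actual matching against accounts is done by the PBIS agent. The host names and list values are constructed inputs.

```python
import re

# String-form SID as accepted in the list above (case-insensitive, e.g. S-1-1-0).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)

# Well-known SIDs that grant logon to far more than one intended group.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}


def substitute_hostname(entry, hostname):
    """Replace %hostname and its shorthand %L with the upper-cased host name."""
    host = hostname.upper()
    return entry.replace("%hostname", host).replace("%L", host)


def parse_logon_rights(value, hostname):
    """Split a comma-separated Allow logon rights value into (kind, entry) pairs."""
    entries = []
    for raw in value.split(","):
        entry = substitute_hostname(raw.strip(), hostname)
        if not entry:
            continue
        if SID_RE.match(entry):
            kind = "sid"
        elif "\\" in entry:
            kind = "nt4"        # DOMAIN\name, the form the text requires for AD accounts
        elif "@" in entry:
            kind = "upn"
        else:
            kind = "local"      # local PBIS account or local group
        entries.append((kind, entry))
    return entries


def logon_rights_warnings(entries):
    """Point out entries that widen access further than a per-host allow list should."""
    warnings = []
    for kind, entry in entries:
        if kind == "sid" and entry.upper() in BROAD_SIDS:
            warnings.append("%s grants logon to %s" % (entry, BROAD_SIDS[entry.upper()]))
        if "%" in entry:
            warnings.append("unexpanded variable in %r" % entry)
    return warnings


if __name__ == "__main__":
    # Constructed list taken from the two examples in the text above.
    sample = "CORP\\Domain Administrators,CORP\\%hostname_Users,CORP\\%L_Testers,S-1-1-0"
    parsed = parse_logon_rights(sample, "test-machine")
    print(parsed)
    print(logon_rights_warnings(parsed))
```

Run the list you intend to deploy through logon_rights_warnings() before applying the GPO; an Everyone or Authenticated Users SID in a list that is meant to restrict logon to a few groups is the most common way this policy ends up granting more than intended.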
Create a .k5login File in a User's Home Directory
You can define a group policy to create a .k5login file in the home directory of a user account on target
Linux and Unix computers that log on to the domain using the Kerberos authentication protocol.
The .k5login file contains the user's Kerberos principal, which uniquely identifies the user within the
Kerberos authentication protocol. Kerberos can use the .k5login file to check whether a principal is
allowed to log on as a user. A .k5login file is useful when your computers and your users are in
different Kerberos realms or different Active Directory domains, which can occur when you use Active
Directory trusts. Because every principal listed in the file may log on as that account, the file must be
writable only by the account's owner.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Create a .k5login file in user home directory (create_k5login), and then select the
Define this Policy Setting check box.
4. Select Enabled or Disabled.
When enabled, the PBIS agent creates a .k5login file in the home directory of a given user account.
When disabled, no .k5login file is created.
Create a Home Directory for a User Account at Logon
You can automatically create a home directory for an AD user account or a local PBIS user account on
target PBIS clients. When the user logs on the computer, the home directory is created if it does not exist.
For AD accounts, the location of the home directory is specified in the PBIS settings of the user account in
Active Directory Users and Computers.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Create home directory at logon (AD user accounts) or Create home directory at
logon (Local user accounts), and then select the Define this Policy Setting check box.
4. Select Enabled or Disabled.
Set Permissions with a File Creation Mask
PBIS can set permissions for the home directory that is created when a user logs on to target PBIS clients.
The home directory and the files placed in it are created with the permission bits that result from the
file creation mask, or umask. There is a umask policy for local accounts and a umask policy for AD accounts.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Home directory creation mask (Local user accounts) or Home directory creation
mask (AD user accounts), which is for AD accounts, and then select the Define this Policy Setting
check box.
4. Under Default File Permissions and under Default Directory Permissions, select the options that
you want.
Or, in the Umask value box, type a umask value for the permission level that you want, and then click
Set.
For example, a umask value of 022 produces files with mode 644 (rw-r--r--) and directories with mode 755
(rwxr-xr-x): you have read-write access to your files and read-write-search access to your directories,
while all other users have read access to your files and read-search access to your directories. Because
that leaves each home directory readable by every account on the host, use a tighter mask such as 027
or 077 where users keep private data in their home directories.
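As an added example (not from the guide or from PBIS), the following Python computes the file and directory modes that a given umask produces, renders them in the rwx form used above, and reports whether a home directory created under that mask is readable by the group or by other users on the host. The umask values are constructed inputs; the 022 case reproduces the example in the text.

```python
import stat


def modes_from_umask(umask):
    """Permission bits that result from creating a file (base 0666) and a
    directory (base 0777) under umask, as on any POSIX system."""
    return 0o666 & ~umask & 0o777, 0o777 & ~umask & 0o777


def perms(mode):
    """Render permission bits as rwx triplets, e.g. 0o644 -> 'rw-r--r--'."""
    return stat.filemode(mode)[1:]


def umask_report(umask):
    """Describe what a home directory created under umask looks like and whether
    other accounts on the host can read it."""
    file_mode, dir_mode = modes_from_umask(umask)
    return {
        "file": perms(file_mode),
        "dir": perms(dir_mode),
        "group_can_read_home": bool(dir_mode & stat.S_IRGRP),
        "others_can_read_home": bool(dir_mode & stat.S_IROTH),
    }


if __name__ == "__main__":
    # Constructed inputs: the mask from the text and two tighter alternatives.
    for mask in (0o022, 0o027, 0o077):
        print("%03o" % mask, umask_report(mask))
```

The output for 022 matches the description above (644 for files, 755 for directories, home readable by everyone); 027 keeps group read access and removes it for others, and 077 leaves the home directory private to its owner.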
Show a Denied Logon Rights Message
This group policy displays a message when an Active Directory user cannot log on a target computer
because the user is not in the list of the users or groups defined in the Allow Logon Rights
(requiremembershipof) group policy.
When you set the policy, you specify the message that is displayed for the not_a_member_error. This
policy applies to computers running Linux, Unix, and Mac OS X.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Denied logon rights message, and then select the Define this policy setting check
box.
4. In the Logon error message box, type the text that you want to display.
Set the Local Account Password Lifespan
This policy specifies the number of days during which an account password is valid for local PBIS system
accounts on Linux computers. This setting applies only to user accounts maintained by the PBIS local
provider; it does not affect local passwd accounts.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Local account password lifespan, and then select the Define this policy setting check
box.
4. In the Lifespan box, enter the number of days that a password is valid.
Log PAM Debugging Information
To monitor and troubleshoot the PAM module, you can define a PBIS group policy that logs debugging
information for the PBIS agent on target computers running Linux, Unix, or Mac OS X.
This policy, which is inherited, does not replace local policies; it merges with them. For more information,
see “About Group Policy Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click Log PAM debugging information, and then select the Define this Policy Setting check
box.
4. Select either Enabled or Disabled.
Copy Template Files When Creating a Home Directory
PBIS can add the contents of skel to the home directory created for an AD user account or a PBIS local
user account on target PBIS clients. Using the skel directory ensures that all users begin with the same
settings or environment.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy, which is inherited,
does not replace local policies; it merges with them. For more information, see “About Group Policy
Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Logon.
3. Double-click one of the following:
– Template files for a new user home directory (AD user accounts)
– Template files for a new user home directory (Local user accounts)
4. Select the Define this Policy Setting check box.
5. In the Path to skeleton template directory box, type the path that you want -- for example,
/etc/skel.
Smart Card
You can set Smart Card policies to use Smart Card authentication for your target assets.
To configure Smart Card policy settings:
1. In the Group Policy Management Console (GPMC), create or edit a Group Policy Object (GPO) for the
organizational unit that you want, and then open it with the Group Policy Management Editor.
2. Expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS
Settings, Smart Card.
3. Turn on the following Smart Card policies:
– Smart card removal policy – Specifies the action taken when a smart card is removed from a
target computer. When smart card two-factor authentication is used to gain access to a
computer, enforcement of logon security can be made stricter if the removal action is set to Lock
or Logout. The default setting without this policy setting is No Action.
– Require smart card for login – When smart card authentication is enabled, it is possible to log on
only with a smart card and its PIN. When this setting is disabled, logon is possible by using either
an account user name with a password or a smart card with its PIN.
Reaper Syslog Settings
The reaper syslog policies are discussed in the section on setting up the reporting database in the PBIS
Enterprise Installation and Administration Guide.
Group Policy Agent
The group policies described in this section are in the Group Policy Agent folder, located in the PBIS
Settings folder:
Set the Computer Policy Refresh Interval
You can set a group policy that specifies how often a computer's group policies are updated while the
computer is in use. The scope of this policy is the group policies in the Unix and Linux Settings folder
under Computer Configuration in the Group Policy Management Editor.
By default, when this policy is undefined, a computer's group policies are updated when the system
starts and every 30 minutes while the computer is in use. The updates take place in the background
without interrupting the user.
Note: Some settings might not take effect until the computer restarts or the user logs off and logs on
again.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click Computer policy refresh interval, and then select the Define this policy setting check
box.
4. In the Refresh interval box, enter the time in minutes that you want to set.
You can set the refresh interval from 5 minutes to 9999 minutes, or about 7 days.
Set the User Policy Refresh Interval
You can define a group policy that specifies how often the user settings are updated while the user is
logged on. The scope of this policy is the user policies in the Unix and Linux Settings folder under User
Configuration in the Group Policy Management Editor.
By default, when this policy is undefined, a user's settings are updated when the user logs on and every
30 minutes while the user is logged on. The updates take place in the background without interrupting
the user.
Note: Some settings might not take effect until the computer restarts or the user logs off and logs back
on.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click User policy refresh interval, and then select the Define this policy setting check box.
4. In the Refresh interval box, enter the time in minutes that you want to set.
You can set the refresh interval from 5 minutes to 9999 minutes, or about 7 days.
Turn On Event Logging for the Group Policy Agent
This group policy turns on logging for group policy events on target Linux, Unix, and Mac OS X computers.
You can use this policy to help improve security and to troubleshoot group policies by capturing
information in the PBIS event log about the application and processing of group policy objects, including
such events as errors, adding a new GPO, updating a GPO for a new version, and removing a GPO that no
longer applies to a user or computer.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click Enable use of event log, and then select the Define this policy setting check box.
4. Select Enabled.
Set the User Policy Loopback Processing Mode
You can define a group policy that applies alternate user settings when a user logs on to a computer
affected by this setting. The policy applies the group policy objects that you specify to any user who logs
on to a computer affected by this setting. The policy is designed for special-use computers, such as those
in public places, laboratories, and classrooms, where you must modify the user setting based on the
computer that is being used.
By default, the user's group policy objects determine which user settings apply. If this setting is enabled,
when a user logs on to this computer, the computer's group policy objects determine which set of group
policy objects applies.
You can set the following modes for this policy:
Mode                 Description
Replace              The user settings defined in the computer's group policy objects replace the user
                     settings normally applied to the user.
Merge                The user settings defined in the computer's group policy objects and the user
                     settings normally applied to the user are combined. If the settings conflict, the
                     user settings in the computer's group policy objects take precedence over the
                     user's normal settings.
Loopback disabled    If you disable this setting or do not configure it, the user's group policy objects
                     determine which user settings apply.
To configure the user policy loopback processing mode:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click User policy loopback processing mode, and then select the Define this policy setting
check box.
4. In the list, click the loopback processing mode that you want to set.
Turn Off User Logon Group Policies
By default, the PBIS group policy agent processes and applies user policies when a user logs on with an
Active Directory account—a process that can delay logon. If no user group policy objects apply to a target
set of computers and the users who access them, defining this group policy and setting it to disabled
stops the PBIS group policy agent from attempting to process user policies, resulting in faster logons.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Group Policy Agent.
3. Double-click Enable user logon group policies, and then select the Define this policy setting check
box.
4. Select Disabled.
Event Log
The following group policies for managing the event log are in the Event Log folder, located in the PBIS
Settings folder:
Set Access Rights to Delete, Read, and Write Events
The following policies specify the Active Directory users and groups who can read events in, delete events
from, or write events to the PBIS event log:
• Allow delete-event access
• Allow read-event access
• Allow write-event access
These policies can help manage the security of PBIS clients. Only users and groups who need to use the
event log should be granted access to it. The users and groups that you specify must have access to the
cell that contains the target computer.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Event Log.
3. Double-click one of the following policies: Allow delete-event access, Allow read-event access,
Allow write-event access.
Select the Define this Policy Setting check box.
4. Click the browse button, and then locate the users or groups to which you want to grant logon rights.
Optionally, in the Users and/or Groups box, type a comma-separated list of the users and groups
that you want. You can use:
– Short domain names with Active Directory account names and group names, that is, the NT4-style
name.
– Local account names and local user groups and security identifiers (SIDs) in string format.
– Add a group that is not enabled in the cell to give it access to the target computer.
You cannot use an alias for an AD group or user. If you configure PBIS to assume the default domain,
you must use the NT4-style name.
For example, you could enter the following comma-separated list:
CORP\johndoe, Ando@corp.mycorp.com, CORP\domain^users, S-1-1-0
In the example, the entry S-1-1-0 is a SID in string format.
Note: To separate the domain name from the user name or the group name in the AD account
logon syntax, you must use a backslash (\). Example: demo.com\steve.
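An added validator, not part of the guide, that splits a Users and/or Groups value like the one above into its entries and classifies each as an NT4-style name, a UPN, a SID in string format, or a local account name; entries that use a forward slash instead of the required backslash are rejected before the policy is applied. The sample list is the guide's own example; the patterns used for classification are this example's assumptions.

```python
import re

# The guide's example list, with the backslashes escaped for a Python string.
SAMPLE_ENTRIES = "CORP\\johndoe, Ando@corp.mycorp.com, CORP\\domain^users, S-1-1-0"

# Assumed shapes for the three non-local forms; '^' stands in for a space in PBIS names.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")                 # e.g. S-1-1-0
NT4_RE = re.compile(r"^[^\\/@\s]+\\[^\\/@]+$")             # DOMAIN\account
UPN_RE = re.compile(r"^[^\\/@\s]+@[^\\/@\s]+\.[^\\/@\s]+$")  # user@domain.tld


def classify_entry(entry):
    """Return 'sid', 'nt4', 'upn' or 'local' for one principal entry.

    Raises ValueError for an empty entry or one written with a forward slash,
    which the policy does not accept as the domain separator."""
    e = entry.strip()
    if not e:
        raise ValueError("empty entry")
    if "/" in e:
        raise ValueError(f"use a backslash to separate domain and account: {e!r}")
    if SID_RE.match(e):
        return "sid"
    if NT4_RE.match(e):
        return "nt4"
    if UPN_RE.match(e):
        return "upn"
    return "local"


def parse_access_list(text):
    """Split a comma-separated Users and/or Groups value into (entry, kind) pairs."""
    return [(e.strip(), classify_entry(e)) for e in text.split(",") if e.strip()]


def rejected_entries(text):
    """Return the entries classify_entry refuses, so a list can be checked before it is applied."""
    bad = []
    for e in text.split(","):
        if not e.strip():
            continue
        try:
            classify_entry(e)
        except ValueError:
            bad.append(e.strip())
    return bad


if __name__ == "__main__":
    for entry, kind in parse_access_list(SAMPLE_ENTRIES):
        print(f"{kind:5} {entry}")
    print("rejected:", rejected_entries("demo.com/steve, demo.com\\steve"))
```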
5. Make sure the users and groups have access to the PBIS cell that contains the target computer
object.
Set Maximums for Events, Disk Usage, and Lifespans
The following policies define the maximums for the following event log thresholds to help you manage
the size of the event log database:
• Max disk usage
• Max event lifespan
• Max number of events
To set threshold policies on the event log:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click Event Log.
3. Double-click one of the policies, and then select the Define this Policy Setting check box.
4. Enter the maximum threshold that you want to set in the box:
For This Policy         Do This
Max disk usage          In the Max Log Size box, enter the size that you want to set, in KB, for the
                        maximum size of the event log.
                        Note: To delete events when the maximum disk usage threshold is reached, you
                        must turn on the policy Remove events as needed.
Max event lifespan      In the Lifespan box, enter the period in days for how long you want to keep
                        events.
Max number of events    In the Max Number of Events box, enter the maximum number of events to save
                        in the event log.
Event Forwarder
Configure the Event Forwarder group policy to improve security monitoring by logging authentication
and authorization events.
You can view event metrics later on the Operations Dashboard.
To configure event forwarding:
1. Start GPMC, create or edit a group policy, and then open it in Group Policy Management Editor.
2. Expand Computer Configuration, Policies, Unix and Linux Settings, BeyondTrust Settings, PBIS
Settings, Event Forwarder.
3. Double-click Event log collector, and then select the Define this Policy Setting check box.
4. Enter the host name of the computer running BTCollector. Example: w2k3-r2.example.com
User Monitor
PBIS Enterprise includes a User Monitor service for entitlement reports. This feature is designed to
support computers that are critical to regulatory compliance and for which restricted access by only
essential staff is vital. A computer that is openly accessible to hundreds of users would be a source of
unnecessary audit activity in such a situation and would significantly increase resource requirements,
such as for Auditing Database sizing.
Notes:
• For Active Directory (AD) users, the User Monitor only reports the users who have access to the
computer due to the RequireMembershipOf setting. If RequireMembershipOf is not enabled, a
special pseudo user is reported.
If the computer is running in unprovisioned mode, the pseudo user is: All Users accessible from
domain DomainName
Otherwise the pseudo user is: All Users in cell CellName
• The User Monitor only reports the AD groups of which at least one of the reported AD users is a
member.
PBIS Enterprise includes the following Group Policy settings for fine-tuning the User Monitor.
Enable Monitoring of Users and Groups
This policy setting turns on the User Monitor service to monitor account and group changes.
The service queries all local user accounts, local groups, and Active Directory users and groups.
The service detects additions, deletions, and modifications that occur. Information is then sent to the
Eventlog service for reporting purposes.
To turn on monitoring of users and groups:
1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the
Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click User Monitor.
3. Double-click Enable monitoring of users and groups, and then select the Define this policy setting
check box.
4. In the Setting box, select Enabled to turn on monitoring, and then click OK.
Monitoring Check Interval
This policy setting specifies the frequency with which the User Monitor service attempts to detect user
and group changes on target computers.
Default value: 1800 seconds (30 minutes)
To configure the frequency of monitoring:
1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the
Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click User Monitor.
3. Double-click Monitoring check interval, and then select the Define this policy setting check box.
4. Enter, in seconds, how often the User Monitor checks for user and group changes, and then
click OK.
SNMP Settings
The following groups of SNMP trap settings can be applied using a GPO:
• Account
• Domain
• Logon Authentication
• SUDO
• System Services
Note: To use SNMP policies, you must also turn on Lsassd: Enable use of the event log in the
Authorization and Identification group policy.
To turn on SNMP traps:
1. In GPMC, create or edit a GPO for the organizational unit that you want, and then open it with the
Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PBIS Settings, and then click SNMP Settings.
3. Double-click Configure SNMP.
4. Select the Define SNMP traps policy settings check box.
5. Enter the target IP address to apply the policy to.
6. Select the port number.
7. Enter the SNMP community string.
8. Select the Trap Groups check box to select all of the trap groups available.
Alternatively, select only the trap group check boxes that meet your particular requirements.
9. Click OK.
Account Override
You can override attributes on user accounts and group accounts.
The overridden attributes remain in effect for the duration of the user's logon session. Overrides apply
only to Active Directory users authenticated by the PBIS authentication provider (lsass).
Override Files
The following override files are located in /etc/pbis and can be accessed only by root:
• user-override
• group-override
A default override file is installed when the PBIS agent is installed. The file is empty and can be used as a
template if you want to add override attributes manually.
The following formats can be used if you want to manually override attributes:
User_name : UID:PGID:HOME_DIRECTORY:LOGIN_SHELL:GECOS
Group_name : OriginalGID : GID
Use the colon as a separator.
If you do not want to override a particular attribute, you can use a | delimiter. For example, to override
only the Login shell attribute:
User_name ::::/bin/sh:
User Account Override
You can override the following user attributes:
• UID
• Primary GID
• Home directory
• Login shell
• Description (GECOS)
To set an override:
1. In GPME, expand Policies > Unix and Linux Settings > BeyondTrust Settings > PBIS Settings.
2. Select Account Override.
3. Double-click User Account Attributes.
4. Select the Define this policy setting check box.
Note that you can click Disable to remove the override temporarily—the users added to the override
policy will remain in the list. Click Enable to activate the policy again.
5. Click + to add user accounts.
6. On the Add User Dialog, click Browse to search for the user account.
7. Enter the attributes that you want to override.
8. Click Add.
9. After you add the users that you want in the policy, click Apply.
Group Account Override
You can override the following group attribute:
• GID
To set an override:
1. In GPME, expand Policies > Unix and Linux Settings > BeyondTrust Settings > PBIS Settings.
2. Select Account Override.
3. Double-click Group Account Attributes.
4. Select the Define this policy setting check box.
You can click Disable to remove the override temporarily—the groups added to the override policy
will remain in the list. Click Enable to activate the policy again.
5. Click + to add groups.
6. On the Add User Dialog, click Browse to search for the user account.
7. Enter the GID to override.
8. Click Add.
9. After you add the groups to the policy, click Apply.
Managing Duplicate Entries
You can compare duplicate entries if a duplicate entry is detected (either user or group). You can edit or
delete any duplicate entries, as needed.
The following attributes are not permitted:
• Duplicate user names or UIDs
• Duplicate group names or GIDs
Click Inspect when duplicate entries are detected. Review the information, and select Keep this to retain
the settings for an account (or group). Any other account (or group) will be removed from the policy.
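An added parser, not PBIS code, for the user-override and group-override formats from the Override Files section above, which also rejects the duplicate names, UIDs and GIDs that the Managing Duplicate Entries section says are not permitted. It assumes one record per line with no comment lines, treats an empty field as "do not override this attribute" (as in the guide's /bin/sh example), and the file contents and account names are constructed for the example.

```python
# Constructed example contents for /etc/pbis/user-override and
# /etc/pbis/group-override (not taken from a real system).
SAMPLE_USER_OVERRIDE = """\
CORP\\jdoe : 15001:15000:/home/jdoe:/bin/bash:Jane Doe
CORP\\svc-backup ::::/bin/sh:
"""
SAMPLE_GROUP_OVERRIDE = """\
CORP\\linux-admins : 1500000513 : 2001
"""

USER_FIELDS = ("uid", "pgid", "home", "shell", "gecos")


def _records(text, expected_fields):
    """Yield (line_number, fields) for each non-empty line, stripping the spaces
    the guide shows around the colon separators."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) != expected_fields:
            raise ValueError(f"line {lineno}: expected {expected_fields} fields, got {len(parts)}")
        if not parts[0]:
            raise ValueError(f"line {lineno}: missing account name")
        yield lineno, parts


def _numeric(lineno, key, value):
    if not value.isdigit():
        raise ValueError(f"line {lineno}: {key} must be numeric, got {value!r}")
    return int(value)


def parse_user_override(text):
    """Parse User_name:UID:PGID:HOME_DIRECTORY:LOGIN_SHELL:GECOS lines.

    An empty field leaves that attribute un-overridden. Duplicate user names or
    UIDs are rejected, as the policy editor does not permit them."""
    overrides, uid_owner = {}, {}
    for lineno, parts in _records(text, 6):
        name, attrs = parts[0], {}
        if name in overrides:
            raise ValueError(f"line {lineno}: duplicate user name {name!r}")
        for key, value in zip(USER_FIELDS, parts[1:]):
            if value == "":
                continue
            attrs[key] = _numeric(lineno, key, value) if key in ("uid", "pgid") else value
        uid = attrs.get("uid")
        if uid is not None:
            if uid in uid_owner:
                raise ValueError(f"line {lineno}: UID {uid} already used by {uid_owner[uid]!r}")
            uid_owner[uid] = name
        overrides[name] = attrs
    return overrides


def parse_group_override(text):
    """Parse Group_name:OriginalGID:GID lines; duplicate group names or GIDs are rejected."""
    overrides, gid_owner = {}, {}
    for lineno, (name, orig, new) in _records(text, 3):
        if name in overrides:
            raise ValueError(f"line {lineno}: duplicate group name {name!r}")
        gid = _numeric(lineno, "GID", new)
        if gid in gid_owner:
            raise ValueError(f"line {lineno}: GID {gid} already used by {gid_owner[gid]!r}")
        gid_owner[gid] = name
        overrides[name] = {
            "original_gid": _numeric(lineno, "OriginalGID", orig) if orig else None,
            "gid": gid,
        }
    return overrides


def override_errors(user_text, group_text):
    """Collect the problems in both files so a policy can be checked before it is applied."""
    errors = []
    for parser, text in ((parse_user_override, user_text), (parse_group_override, group_text)):
        try:
            parser(text)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    print(parse_user_override(SAMPLE_USER_OVERRIDE))
    print(parse_group_override(SAMPLE_GROUP_OVERRIDE))
    print(override_errors("a:7::::\nb:7::::", "g:1:5\nh::5"))
```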
PowerBroker Servers Settings
This section describes how to use PBIS to configure policy settings to support PowerBroker Servers
UNIX/Linux Edition (PBUL).
Using the PBUL Rule Editor and the PBUL configuration file, you can create and change simple PBUL policy
rules.
Using the PBUL Rule Editor, you can enable or disable specific rules.
PBUL policy data can be exported to a local file, edited manually, and imported to Active Directory from a
local file.
PowerBroker Policy Rules Data
The PBUL policy data is saved to a .CSV file. When the client-side agent applies the data from this Group
Policy setting to a PB Master, the resulting collection of policy rules data will be at the following location:
/etc/pb/Policy.csv.
If more than one Group Policy Object (GPO) has defined PowerBroker Policy Rules Data in the Active
Directory policy hierarchy that applies to a given PB Master computer, the client-side agent determines
which of all the policy settings should be applied based on targeting (filtering by host, system type), and
precedence (link order and hierarchy). The resultant set of policy rules data is combined and written to
the final /etc/pb/Policy.csv file to represent the union of all rules.
For more information, see Export, Manually Edit, and Import PBUL Policy Data.
Priority of Rules Within a GPO
Priority of rules within a single GPO is defined in the PBUL GPO Properties dialog. If multiple GPOs
containing PBUL policy settings are applicable to a PBUL master, the GPOs' processing order is defined by
their relative position in the Active Directory hierarchy. The closer a GPO is to the PBUL master, the higher
priority it has.
PowerBroker Server Policy Rules Data
The process of defining a PBUL rule begins by creating a GPO in an Active Directory (AD) hierarchy leading
to a pbmaster computer object.
Note: Before PBUL rules can be deployed, a PBUL configuration file must be defined. For more
information, see “PBUL Configuration,” page 63.
To configure PowerBroker Servers policy rules data:
1. In GPMC, right-click an existing GPO and click Edit to open the Group Policy Management Editor.
2. In Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PowerBroker Servers, PowerBroker Policy Rules Data.
3. Double-click the Create PowerBroker Server Policy Rules policy setting to open the Create
PowerBroker Server Policy Rules Properties dialog.
Tip: Displaying multiple items in a row
If a rule includes multiple commands, submitters, or Submit Hosts, a summary of the
number of each is displayed in the row. To display an itemized list of commands, submitters,
or hosts in a tool tip, point to the Commands, Submitters, or Submit Hosts cell in the row
for that rule.
4. Using this dialog, you can do the following:
– Create or modify a PBUL rule.
– Change the priority of PBUL rules.
– Disable or enable a PBUL rule.
– Export, manually edit, and import PBUL policy data.
Create or Modify a PBUL Rule
Note: Before PBUL rules can be deployed, a PBUL configuration file must be defined. For more
information, see “PBUL Configuration,” page 63.
To create a PBUL rule or to modify an existing PBUL rule, do the following:
1. In the Create PowerBroker Server Policy Rules Properties dialog box:
– To create a new PBUL rule, click Add.
– To modify an existing PBUL rule, select the rule and then click Edit.
2. Enter a name for the rule.
3. Enter the following information on the Conditions tab.
a. Select the rule type: Accept or Reject.
b. To add a user or group to be managed by the rule, click Add Submitter. Select a type of user or
group to add.
– If adding an Active Directory user or group, click OK, enter the name of the user or group, and
then click OK.
– If adding a local user or group, type the name in the box and click OK.
c. Click Add Command and select from the following:
– Submit Command – Enter the command as a submitter would type it. You can include
arguments.
If you want to allow the user to include additional arguments with the command at runtime,
select the Allow Argument check box.
– Run Command – Enter the command that runs when a submitter types the Submit
Command. You can include arguments.
– Run Command the same as submit – Select the check box when you want the command
to be the same as the Submit Command.
If Run Command the same as Submit is not selected, you can effectively create an alias for a
command for submitters.
– Save As User Command – Select the check box to use the command with other PBUL rules.
Click OK to add the command.
Note: You can remove commands that you add, but you cannot remove the default commands
provided with PBIS.
d. Select the commands that you want to run when the rule is activated.
Click >> to move the command to the Current Active Commands list. To remove the command
from the Current Active Commands list, click <<.
e. Select the computers that will be Submit Hosts (commands in the rule are run by submitters) and
Run Hosts (commands entered by submitters are run).
– Run Host is the same as Submit Host – (Optional). If the computer used as the Run Host
must be the same computer used as the Submit Host, select the check box.
– Run Host pool is the same as Submit Host pool – (Optional). If the selected computers are
used as both Submit Hosts and Run Hosts, select the check box.
– Submit Hosts and Run Hosts – In the Submit Hosts or Run Hosts areas, click Add. Type a
computer name or click ADD to search Active Directory for a computer. You can enter
multiple computer names separated by commas.
f. (Optional). You can limit when the rule is active to between specified dates or times of day, delay
when a rule will become active, or specify an expiration for a rule.
For example, to make the rule active only between 8:00AM and 7:00PM, select the Time Start
check box and enter 8:00:00 AM, and select the Time End check box and enter 7:00:00 PM.
4. Optional. Click the Environment tab, and then enter information for the following.
– Run User – Enter the user account to use to run the commands in this rule on the Run Host. The
default account is root. If you change the account, ensure that the account has the permissions
necessary to run the commands in the rule and that the account exists on the Run Hosts. For
more information about the pbrun command, see the "pbrun" section in PB Servers System
Administration Guide.
– Preserve Environment – (Optional). List any Unix or Linux environment variables that you want
to remain unchanged by the effect of this rule when commands are run. Environment variables
can alter which libraries are loaded for the session.
– Define Environment – (Optional). Enter the names and values of any Unix or Linux environment
variables that you want to explicitly define when this rule is used to run commands.
– Enable Keystroke Logging – (Optional). To enable keystroke logging, select the check box. If
selected, by default, keystrokes are logged to a separate log file for each command instance.
Advanced administrators can change the path and file name format of these log files by changing
the pb.conf file. If the default pb.conf file is used, keystroke log files are saved to file names
beginning with /var/adm/pb.iolog. For more information, see “PBUL Configuration,”
page 63.
– Authenticate User – (Optional). To display a password prompt to the user and authenticate the
user before a command is run, select the check box.
Select where authentication occurs: Submit Host, Run Host, the PowerBroker Master Server.
This setting can provide additional protection against unauthorized users if an authorized user
neglects to lock his computer before stepping away from it.
For information about authentication in PBUL, see the following sections in the PB Servers
System Administration Guide: "PowerBroker Servers Settings," "Receiving Task Requests from a
Master Daemon," "Pluggable Authentication Modules," and "Kerberos Version 5."
– Idle Timeout – (Optional). To force a timeout so that a long-running command cannot continue
indefinitely, select the check box and enter the maximum number of minutes.
For example, if you are configuring rules that allow users to create a shell session using
pbsh or pbksh, you can use this setting to ensure that this elevated access eventually
expires if idle.
5. Click OK.
Change the Priority of PBUL Rules
The priority of PBUL rules within a GPO is determined by their order in the list on the Create PowerBroker
Server Policy Rules Properties dialog.
To change the priority of PBUL rules within a GPO, on the Create PowerBroker Server Policy Rules
Properties dialog, select a rule and click one of the arrows to move the rule to a higher or lower priority.
Disable or Enable PBUL Rules
You can enable and disable PBUL rules from the Create PowerBroker Server Policy Rules Properties dialog.
Select the Enable check box to enable the rules you want to be active. Clear the Enable check box to
disable a rule.
Export, Manually Edit, and Import PBUL Rules
You can export PBUL rules from Active Directory to a local file, manually edit the rules, and then import
the edited rules from a local file into Active Directory.
Export PBUL Rules to a Local File
You can export PBUL rules from Active Directory to a local file so that you can manually edit the rules or to
archive the rules.
To export PBUL rules from Active Directory to a local .CSV file:
1. On the Create PowerBroker Server Policy Rules Properties dialog box, select the rules that you want to
export.
Use the CTRL key to select more than one rule.
2. Click the Export button.
3. Indicate where to save the .CSV file and enter a name for the file and click Save.
Import PBUL Rules to Active Directory
If you manually edited PBUL rules or previously saved PBUL rules to a .CSV file, you can import those rules
to Active Directory.
To import PBUL rules from a local .CSV file to Active Directory:
1. On the Create PowerBroker Server Policy Rules Properties dialog box, click the Import button.
2. Select a local .CSV file from which to import data and click Open.
3. Click Apply to save the data to Active Directory.
Tip: Replacing rules
To ensure that rules are not inadvertently overwritten, rules in the .CSV file that you import
will not overwrite existing rules, even if the rule names are the same.
If you want a rule that you imported to replace an existing rule, select the existing rule and
click Remove.
PBUL Configuration
The PBUL Configuration policy setting is designed to install a pb.conf file on target computers that are
running PBUL as a PowerBroker Master, enabling PBUL rules to function. The given computer's
/etc/pb.settings file determines the placement of the PowerBroker configuration policy file by using
the two settings policyfile and policydir. These values indicate the file and path that the given
PowerBroker Master is configured to use for determining policy (typically /etc/pb.conf). If there is a
previous file at the given location, it is backed up prior to being updated by the new policy configuration
installed by Group Policy.
Before PBUL rules can be deployed using Group Policy, you must define a PBUL configuration file
(pb.conf) that will be deployed to PB Masters.
There are several sources from which you can obtain a configuration file.
• If you are already using PBUL, you can import your existing configuration file.
• If you have not previously used PBUL or do not have a configuration file, you can import a copy of the
default configuration file that is installed with PBIS Enterprise. It is recommended that you use this
file without modification unless you are an advanced administrator of PBUL.
• If you are an advanced administrator of PBUL and familiar with PBUL syntax, you can import a copy of
the default configuration file to serve as a template and modify it as needed to use advanced PBUL
functionality. For information about the text used to write PBUL policy settings, see the PB Servers
Policy Language Guide.
Tip: Changing the keystroke log file location
If keystroke logging is enabled in a PBUL rule, keystrokes are logged to a separate file for each
command instance. The path and file name format for these files are specified in the
pb.conf file. The path and file prefix are defined in the _iolog_file_ variable. The file
name is defined by the iolog variable.
The default pb.conf file is installed in the PBIS software installation directory. This pb.conf file is
designed to process the PBUL Policy Rules Data (/etc/pb/Policy.csv) that is created and maintained
by the Create PowerBroker Server Policy Rules policy setting. It will apply all of the fields that the PBUL
Rule Editor supports when running on target PB Master computers.
To import a copy of a PBUL configuration file so that you can deploy PBUL rules:
1. In GPMC, right-click an existing GPO and click Edit to open the Group Policy Management Editor.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, BeyondTrust Settings, PowerBroker Servers, PBUL Configuration.
3. Double-click the Define PBUL Configuration file policy setting to open the Define PBUL
Configuration file Properties dialog.
4. Click Import to import a copy of a PBUL configuration file (pb.conf).
The default pb.conf file is located in the PBIS software installation directory (typically
C:\Program Files\BeyondTrust\PBIS\Enterprise\Resources\Configuration\pb.conf).
You do not need to make any changes to the file. However, if you are an advanced administrator of
PBUL who is familiar with PBUL syntax, you can edit the imported file on this dialog box.
5. Optional. To turn on monitoring for local pb.conf files, select the Monitor this policy setting check
box. If the Group Policy agent detects local tampering of the pb.conf file, audit event warnings are
logged and the local file is replaced by the pb.conf file specified in this policy setting.
6. Click OK.
Tip: If you unintentionally alter the pb.conf file
The pb.conf file that you have imported is a copy of the one installed in the PBIS software
installation directory (typically C:\Program Files\BeyondTrust\PBIS\Enterprise\Resources\Configuration\pb.conf).
If an administrator inadvertently alters the pb.conf file that has been imported, you can
replace it by repeating this procedure to import a new copy of the default pb.conf file.
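Step 5 above describes what the Group Policy agent does when monitoring is enabled: detect a local change to the deployed pb.conf, log an audit warning, and put the policy copy back. The script below is an added illustration of that file-integrity pattern, not the agent's code or the guide's: it records a SHA-256 baseline of the deployed file, re-checks the live copy, and restores it from the policy copy when the digest differs. All file paths and the sample file contents are constructed for the demonstration.

```shell
# Added illustration of baseline-and-restore integrity monitoring for a
# policy-deployed configuration file. Not PBIS code; paths are constructed.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# baseline_record <live_file> <baseline_db>: store the digest of the file as deployed.
baseline_record() {
    file_digest "$1" > "$2"
}

# check_and_restore <live_file> <policy_copy> <baseline_db> <audit_log>
# Returns 0 when the live file still matches the baseline.
# Returns 1 when it differs: an audit line is appended, the live file is
# replaced by the policy copy, and the baseline is re-recorded.
check_and_restore() {
    live=$1; policy=$2; db=$3; log=$4
    expected=$(cat "$db")
    actual=$(file_digest "$live")
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    printf '%s WARNING local modification of %s detected (expected %s, got %s); restoring from policy\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$live" "$expected" "$actual" >> "$log"
    cp "$policy" "$live"
    baseline_record "$live" "$db"
    return 1
}

# --- demonstration with constructed files in a temporary directory ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
policy_copy="$demo_dir/policy.pb.conf"   # the copy held by the policy
live_copy="$demo_dir/pb.conf"            # the file installed on the host
baseline="$demo_dir/pb.conf.sha256"
audit_log="$demo_dir/audit.log"

printf '# constructed sample pb.conf\n# (policy body omitted)\n' > "$policy_copy"
cp "$policy_copy" "$live_copy"
baseline_record "$live_copy" "$baseline"

# Untouched file: returns 0, nothing logged.
if check_and_restore "$live_copy" "$policy_copy" "$baseline" "$audit_log"; then first=0; else first=1; fi

# Simulated local edit: returns 1, warning logged, file restored from policy copy.
printf '# locally added line\n' >> "$live_copy"
if check_and_restore "$live_copy" "$policy_copy" "$baseline" "$audit_log"; then second=0; else second=1; fi
```

The agent's own check is triggered by its polling cycle; the same functions would be run from cron or a configuration-management hook in a hand-rolled setup.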
Message Settings
This section describes message settings that you can display to your end users.
Display a Message with a Login Prompt Policy
By using PBIS, you can use a group policy to set a message in the /etc/issue file on target Linux and
Unix computers. The message, which appears before the login prompt, can display the name of the
operating system, the kernel version, and other information that identifies the system.
In the message text, you can use characters, numbers, and special characters; there is no limit to the
length of the message.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy replaces the
/etc/issue file on target computers.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Message Settings, and then click Login Prompt.
3. Double-click Login Prompt (/etc/issue), select the Define this Policy Setting check box, and then in
the Text Value box, type your message.
In your message, you can use escape codes that getty (on Unix) or agetty (on Linux) recognizes.
For example, if you write Welcome to \s \r \l, on a Linux computer, agetty replaces \s with
the name of the operating system, \r with the kernel version, and \l with the name of the terminal
device. For a list of escape codes, see the getty or agetty man pages for your system.
Display a Message of the Day
By using PBIS, you can use a group policy to set a message of the day in the /etc/motd file on target
Linux and Unix computers.
The message of the day, which appears after a user logs in but before the logon script executes, can give
users information about a computer. For example, the message can remind users of the next scheduled
maintenance window.
You can use this policy on computers running Linux, Unix, or Mac OS X. The policy replaces the motd file
on the target computer.
Note: If you are using this policy on target Linux and Unix computers running PBIS Enterprise 5.0 or
later, you must first set an lsassd group policy; see Display a Message of the Day at Logon.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Message Settings, and then click Message of the Day:
3. Double-click Message of the day (/etc/motd), select the Define this Policy Setting check box, and
then in the Text Value box, type your message.
Tip: Limit the size of your message to one screen.
Logging and Audit Settings
Logging and auditing settings enable you to manage various types of security logs and security methods.
Create a SysLog Policy
You can create a syslog group policy for target Unix and Linux computers. A syslog policy can help you
manage, troubleshoot, and audit your systems.
PBIS provides a graphical user interface to configure and customize your syslog policies. You can log
different facilities, such as cron, daemon, and auth, and you can use priority levels and filters to collect
messages.
This policy works with computers running Linux, Unix, or Mac OS X. The policy replaces the local policies.
It is not inherited and does not merge with the local settings. For more information, see “About Group
Policy Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Logging and Audit Settings, and then click SysLog:
3. Double-click SysLog, and then select the Define this Policy Setting check box.
4. Click Add.
5. In the Syslog Policy Editor, select the destination type for the syslog.
The options in the box below the Destination Type list change depending on the destination type
selected:
For a destination type of    Do this
File                         Enter the path to the file.
Named Pipe                   Enter the path and name of the pipe file.
Remote Host                  Enter the IP address or the server name of the remote host.
Local Users                  Enter a comma-separated list of email addresses.
All Users                    The box is unavailable.
6. Click in the Facilities box, and then select the facilities that you want to log:
– All – Adds all the facilities to the policy.
– Selected Items – Select the check boxes for the facilities that you want in the list.
– Custom Entry – Type a comma-separated list of the facilities that you want to use. For example:
cron, daemon, auth, kern
7. From the Priorities list, select the priority level for the events that you want to log.
8. From the Filter list, select the filter that you want to apply to the priority level, and then click OK.
Tip: To change a log's options later, click a log in the list, and then click Edit.
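The destination type, facilities, priority and filter chosen in steps 5 through 8 together describe one selector line in the classic syslog.conf format. The helper below is an added example, not part of the guide or of PBIS: it builds that line from those choices and rejects unknown facility or priority names, which is a useful check before a Custom Entry list is saved. The names of its filter values (and-higher, only, exclude) and their mapping to the `priority`, `=priority` and `!priority` selector forms are an assumption about how the editor's Filter list corresponds; the syslog.conf syntax itself is standard. The log file path in the demonstration call is constructed.

```shell
# Added example: build a classic syslog.conf selector line from the choices
# the Syslog Policy Editor exposes. Not PBIS code; filter names are assumed.

SYSLOG_FACILITIES="auth authpriv cron daemon ftp kern lpr mail news syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"
SYSLOG_PRIORITIES="debug info notice warning err crit alert emerg"

# in_list <word> <space-separated list>
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# syslog_line <dest_type> <dest_value> <facilities> <priority> <filter>
#   dest_type:  file | pipe | remote | users | all   (the editor's five types)
#   facilities: comma-separated list, spaces around commas tolerated
#   filter:     and-higher (priority and above) | only (=priority) | exclude (!priority)
# Prints the syslog.conf line; returns 1 with a message on stderr if a name is unknown.
syslog_line() {
    dtype=$1; dvalue=$2; facs=$3; prio=$4; filter=$5
    oldifs=$IFS; IFS=','
    for f in $facs; do
        f=$(printf '%s' "$f" | tr -d ' ')
        if ! in_list "$f" "$SYSLOG_FACILITIES"; then
            IFS=$oldifs; echo "unknown facility: $f" >&2; return 1
        fi
    done
    IFS=$oldifs
    in_list "$prio" "$SYSLOG_PRIORITIES" || { echo "unknown priority: $prio" >&2; return 1; }
    case "$filter" in
        and-higher) sel="$prio" ;;
        only)       sel="=$prio" ;;
        exclude)    sel="!$prio" ;;
        *) echo "unknown filter: $filter" >&2; return 1 ;;
    esac
    # syslog.conf action field: plain path, |pipe, @host, user list, or * for all users
    case "$dtype" in
        file)   action=$dvalue ;;
        pipe)   action="|$dvalue" ;;
        remote) action="@$dvalue" ;;
        users)  action=$dvalue ;;
        all)    action='*' ;;
        *) echo "unknown destination type: $dtype" >&2; return 1 ;;
    esac
    printf '%s.%s\t%s\n' "$(printf '%s' "$facs" | tr -d ' ')" "$sel" "$action"
}

# Demonstration using the guide's Custom Entry example list (output path constructed).
example_line=$(syslog_line file /var/log/pbis-auth.log 'cron, daemon, auth, kern' warning and-higher)
```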
Secure Computers with an AppArmor Policy
You can create an AppArmor group policy to help secure target computers that are running SUSE Linux
Enterprise.
AppArmor is a Linux Security Module implementation of name-based access controls. To help protect
your operating system and applications from threats, AppArmor uses security policies, called profiles,
that define the system resources and privileges that an application can use.
AppArmor is included with all SUSE distributions from SUSE Linux Enterprise Server 9, Service Pack 3
(SLES9 SP3) and later, including SLES10, SLED10, and openSUSE 10.0, 10.1, and 10.2.
Note: To configure this policy, you must have a file containing an AppArmor security profile. The SUSE
Linux distribution contains default profiles that you can use. It also contains tools to build your
own profiles. For information on how to obtain or create a security profile, see the AppArmor
documentation.
This policy, which is inherited, does not replace local policies; it merges with them. For more information,
see “About Group Policy Settings,” page 8.
To secure computers with an AppArmor policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Logging and Audit Settings, and then click AppArmor.
3. Double-click AppArmor, and then select the Define this Policy Setting check box.
4. Click Add, find the security profile that you want to use, and then click Open.
5. In the list under Profile Mode, select one of the following:
– complain – Select to log events that would be denied if the profile were set to enforce.
– enforce – Select to enforce the policies defined by the security profile.
Secure Computers with an SELinux Policy
You can create a Security-Enhanced Linux (SELinux) group policy to help secure target computers running
Red Hat Enterprise Linux.
SELinux puts in place mandatory access control using the Linux Security Modules, or LSM, in the Linux
kernel. The security architecture, which is based on the principle of least privilege, provides fine-grained
control over the users and processes that are allowed to access a system or execute commands on it.
SELinux can secure processes from each other. For example, if you have a public web server that is also
acting as a DNS server, SELinux can isolate the two processes so that a vulnerability in the web server
process does not expose access to the DNS server.
This policy, which is inherited, does not replace local policies; it merges with them. For more information,
see “About Group Policy Settings,” page 8.
Note: This policy applies the settings that you define in the procedure below to the
/etc/sysconfig/selinux file on target computers running Red Hat Enterprise Linux. The
/etc/sysconfig/selinux file is the primary configuration file for enabling or disabling
SELinux and for setting which policy to enforce on the system and how to enforce it.
To secure computers with an SELinux policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Logging and Audit Settings, and then click SELinux.
3. Double-click SELinux, and then select the Define this policy setting check box.
4. From the SE Linux list, select one of the following:
– enforcing – The SELinux security policy is enforced.
– permissive – SELinux prints warnings but does not enforce policy. You can use this setting for
debugging and troubleshooting.
In permissive mode, more denials are logged, as subjects can continue to execute actions that
are denied in enforcing mode.
For example, traversing a directory tree generates multiple avc: denied messages for every
directory level read. In enforcing mode, a kernel would have stopped the initial traversal and not
generated further denial messages.
– disabled – SELinux is fully disabled.
SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
5. From the SE Linux Type list, select one of the following:
– targeted – Protects only targeted network daemons. The default targeted policy protects the
following daemons on Red Hat Enterprise Linux 4: dhcpd, httpd (apache.te), named, nscd,
ntpd, portmap, snmpd, squid, and syslogd. The rest of the system runs in the unconfined_t
domain. The policy files for these daemons are in
/etc/selinux/targeted/src/policy/domains/program and might vary depending on
the version of Red Hat Enterprise Linux that you are using.
– strict – Provides full SELinux protection for all daemons. The system defines security contexts for
all objects and subjects, and the policy enforcement server processes every action.
Rotate Logs
To help you manage, troubleshoot, and archive your system's log files, you can create a group policy to
configure and customize your log-rotation daemon. For example, you can choose to use either a
logrotate or logrotate.d file, specify the maximum size before rotation, compress old log files, and
set an address for emailing log files and error messages. You can also enter commands to run before and
after rotation.
This policy works with computers running Linux, Unix, or Mac OS X. The policy replaces the local policies.
It is not inherited and does not merge with the local settings. For more information, see “About Group
Policy Settings,” page 8.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Logging and Audit Settings, and then click LogRotate.
3. Double-click Rotate logs, and then select the Define this Policy Setting check box.
4. Click Add.
5. In the Log Rotate Policy Editor, under the General Options tab, set the options that you want.
6. Click the Log Options tab, and then set the options that you want.
7. Click the Mail/Script Options tab, and then set the options that you want.
File System Settings
File system settings enable you to control various aspects of the computer's file system.
Automount a File System
You can create a group policy to start a daemon that automatically mounts a file system on target Unix,
Linux, or Mac OS X computers. When a user attempts to access an unmounted file system, the file that
you associate with this policy automatically mounts it.
Since operating systems automatically mount a file system differently, create an automount group policy
for each operating system. To automount a file system on Unix computers and on Mac OS X computers,
for example, create two automount policies, one targeted at each operating system. To apply a policy to
an operating system in a cell containing computers running different operating systems, see Filtering by
Target Platform.
Automount is typically configured with two or more files, auto_master and one or more files referenced
by auto_master. The PBIS group policy agent, gpagentd, copies files referenced by auto_master to a
subdirectory of /var/lib/pbis/grouppolicy/ and copies the auto_master file to /etc. The agent
creates a link in /etc named lwi_automount to the appropriate subdirectory in
/var/lib/pbis/grouppolicy/. (The subdirectory can vary by system.) The purpose of
/etc/lwi_automount is to specify one or more automap files in the group policy-specified auto_master
file without interfering with files that already exist in /etc.
Here is a sample auto_master file:
# PBIS identity automount file
/test /etc/lwi_automount/auto.test
Here is a sample auto.test file specifying two mounts:
# PBIS identity auto.test
test1 -ro,hard,vers=3,intr,tcp 10.10.1.123:/distro
test2 -rw,soft,vers=3,intr,tcp 10.10.1.123:/distro/software
You can specify multiple autofs (/test) directories and multiple mount points in each directory.
You can also reference existing files in /etc or another path using the full path names in the
auto_master file.
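Because the agent copies the referenced map files and rewrites auto_master to point at them, a broken reference or a malformed map entry only shows up on the target after the policy has applied. The script below is an added example, not from the guide or from PBIS: it walks an auto_master file of the shape shown above, confirms that every referenced map file exists, and checks each map entry for a key, an optional -options field and a host:/path location, printing the resolved mounts. It handles only indirect "mountpoint mapfile" lines (direct maps and +auto_master includes are outside what the guide's sample shows), and the sample files are constructed in a temporary directory.

```shell
# Added example: validate an automount master file and the map files it
# references, as deployed by the policy. Not PBIS code; sample data constructed.

# check_auto_master <auto_master>
# Prints one line per map entry:  <autofs dir>/<key> <options> <location>
# Returns the number of problems found (0 means clean).
check_auto_master() {
    master=$1
    problems=0
    while read -r dir mapfile rest; do
        case "$dir" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ ! -f "$mapfile" ]; then
            echo "ERROR: $dir: map file $mapfile not found" >&2
            problems=$((problems + 1))
            continue
        fi
        while read -r key opts location extra; do
            case "$key" in ''|'#'*) continue ;; esac
            # Options are optional in a map entry: if the second field does not
            # start with "-", it is already the location.
            if [ "${opts#-}" = "$opts" ]; then
                location=$opts
                opts='-'
            fi
            case "$location" in
                *:/*) printf '%s/%s %s %s\n' "$dir" "$key" "$opts" "$location" ;;
                *)  echo "ERROR: $mapfile: entry $key has no host:/path location" >&2
                    problems=$((problems + 1)) ;;
            esac
        done < "$mapfile"
    done < "$master"
    return "$problems"
}

# --- demonstration with constructed files ---
demo=$(mktemp -d)
mkdir -p "$demo/lwi_automount"
cat > "$demo/auto_master" <<EOF
# constructed sample, modelled on the guide's auto_master
/test $demo/lwi_automount/auto.test
/missing $demo/lwi_automount/auto.nothere
EOF
cat > "$demo/lwi_automount/auto.test" <<'EOF'
# constructed sample auto.test: two good entries and one malformed entry
test1 -ro,hard,vers=3,intr,tcp 10.10.1.123:/distro
test2 -rw,soft,vers=3,intr,tcp 10.10.1.123:/distro/software
broken 10.10.1.123
EOF

if entries=$(check_auto_master "$demo/auto_master" 2>"$demo/errors"); then
    problems=0
else
    problems=$?
fi
# problems is 2 here: the missing map file and the entry without a host:/path location
```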
Example Usage
The automount group policy, which can be especially helpful in large networks, has several uses:
• Automount NFS, Samba, and boot mounts or partitions.
• Cross-mount file systems between a few machines, especially machines that are not always online.
• Switch between a forced-on ASCII conversion mount of a DOS file system and a forced-off ASCII
conversion mount of the same DOS file system.
• Automount removable devices.
Inheritance and Backup
The automount policy replaces the local file. It is not inherited and does not merge with the local file. For
more information, see “About Group Policy Settings,” page 8.
The original auto_master file is backed up and stored in
/var/lib/pbis/grouppolicy/systemfiles. The original is restored if the automount group policy
is disabled or if the computer goes out of scope by, for example, being moved to another OU.
Automount a File System
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see Managing GPOs.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, File System Settings, and then click AutoMount:
3. Double-click AutoMount, and then select the Define this Policy Setting check box.
4. Click Add, type the file name, or click Browse to find the file.
5. If the file is an executable file, select the File is executable check box.
6. Click OK.
Create Directories, Files, and Links
You can define a group policy to create directories, files, commands, and symbolic links on target Unix
and Linux computers. This policy can be applied to either computers or users.
The policy works on computers running Linux, Unix, or Mac OS X. The policy, which is not inherited, does
not concatenate a series of settings across multiple group policy objects in different locations in the
Active Directory hierarchy. Instead, the closest local policy object is applied.
Setting up a Script Policy
You can add more than one script when setting up scripts using this policy setting. All scripts will
automatically merge and run.
Note that a script can be applied at the system level using the Run Scripts policy. See Run a Script File.
For example, you might want to run a common script (for example, /etc/resolv.config) on all systems but
then configure other scripts that are different depending on the system (for example,
/etc/sysconfig/iptables). Configure the system specific policies using a Files, Directories and Links policy
setting.
Configure a Files, Directories and Links policy
To configure the policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand either Computer Configuration or User
Configuration, Unix and Linux Settings, File System Settings, and then click Files, Directories and
Links.
3. Double-click Create Directories, Install Files, Configure Links, and then select the Define this
Policy Setting check box.
4. Click Add, and then select one of the following:
– File – On the File Object Editor dialog box, configure settings for the file path on the source and
targets; configure permissions on the file; add a user or group.
You can also delete the file on sources and targets when the policy is deleted.
– Directory – On the Directory Object Editor, configure the file path on the target; configure
directory permissions; add a user or group.
– Symbolic Link – On the Link Object Editor, set the path information where the symbolic link will
be created on the target.
– Command – On the Command Object Editor, enter the command that you want to run on the
target.
5. Use the Object Editor that appears to set the object's paths and other file system properties.
To change an object's properties later, click the object in the list, and then click Edit.
Note: Configuring a User or Group using an ID
When setting up the local user or local group, you can prefix the ID with a number sign (#).
PBIS does not validate a user or group ID prefixed by a number sign; you must provide a valid
user or a valid group. To use the ID of 0 for the root account, however, do not use the # prefix.
Specify the File System Mounts (fstab)
You can create a group policy for the file systems table, or fstab, on target Unix and Linux computers and
add mount entries to it by using a graphical user interface. Fstab, typically located in /etc/fstab, is a
configuration file that specifies how a computer is to mount partitions and storage devices.
The mount entries in this policy are appended to the contents of /etc/fstab (/etc/vfstab on
Solaris), but the file systems are not mounted until you explicitly mount them using a command such as
mount -a even though the group policy has been polled by the target computer.
To mount the file systems, you can do one of the following:
• Log on to the target computer and execute the mount -a command (or a similar command,
depending on your operating system) or restart the computer.
• Run a cron job that resets the mounts remotely or restarts the computer; see Schedule Cron Jobs
with a crontab or cron.d Policy.
Note: It is recommended that you not reset the mounts while a user is logged on to the computer.
To mount public-oriented Windows shares, you can use a general AD user account with no other rights.
When you must use individual user accounts to mount the shares, consider using pam_mount instead.
The policy can add the following kinds of file systems to fstab:
• Common Internet File System (cifs)
• Linux Native File System (ext2)
• New Linux Native File System (ext3)
• ISO9660 CD-ROM (iso9660)
• Network File System (NFS)
• Network File System version 4 (NFS4)
Note: For cifs and iso9660 file systems, make sure the owner and group objects in Active Directory are
enabled in a PBIS cell. Doing so defines UID and GID values for the objects on the systems where
the policy setting is to take effect.
To set file system mounts:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, File System Settings, and then click File System Mounts (fstab).
3. In the details pane, double-click File System Mount, and then select the Define this Policy Setting
check box.
4. Click Add, click the type of file system that you want to mount, and then click OK.
5. Use the Add New Mount Wizard to set the mount details for the type of file system that you want to
mount.
After you use the wizard to add a file system, you can edit the mount details and options by clicking
the mount entry in the list and then clicking Edit.
6. To disable the mount, in the list of mount entries, under Status, double-click Enabled.
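The policy only appends entries to /etc/fstab; nothing validates them until mount -a runs on the target. The script below is an added example, not from the guide or from PBIS: it lints an fstab fragment of the kind this policy produces before it is pushed, checking that every line has six fields, uses one of the six file system types listed above, has an absolute mount point, and does not repeat a mount point already used. The sample lines, including the cifs credentials path, are constructed.

```shell
# Added example: lint fstab lines of the kind the File System Mounts policy
# appends. Not PBIS code; sample lines are constructed.

# File system types the policy can add (from the guide's list).
SUPPORTED_FSTYPES="cifs ext2 ext3 iso9660 nfs nfs4"

# lint_fstab <file>
# Prints "OK <mountpoint>" for each acceptable line, errors to stderr.
# Returns the number of bad lines.
lint_fstab() {
    file=$1
    bad=0
    seen=" "
    lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        set -f; set -- $line; set +f                  # split into fields, no globbing
        if [ $# -ne 6 ]; then
            echo "line $lineno: expected 6 fields, found $#" >&2
            bad=$((bad + 1)); continue
        fi
        dev=$1; mnt=$2; fstype=$3
        case " $SUPPORTED_FSTYPES " in
            *" $fstype "*) ;;
            *) echo "line $lineno: unsupported type $fstype" >&2
               bad=$((bad + 1)); continue ;;
        esac
        case "$mnt" in
            /*) ;;
            *) echo "line $lineno: mount point $mnt is not absolute" >&2
               bad=$((bad + 1)); continue ;;
        esac
        case "$seen" in
            *" $mnt "*) echo "line $lineno: duplicate mount point $mnt" >&2
                        bad=$((bad + 1)); continue ;;
        esac
        seen="$seen$mnt "
        echo "OK $mnt"
    done < "$file"
    return "$bad"
}

# --- demonstration with a constructed fstab fragment ---
fstab_demo=$(mktemp)
cat > "$fstab_demo" <<'EOF'
# constructed sample fstab fragment (not from a real system)
10.10.1.123:/distro   /mnt/distro   nfs      ro,hard,intr                  0 0
//fileserver/public   /mnt/public   cifs     credentials=/etc/cifs.cred,ro 0 0
/dev/cdrom            /media/cdrom  iso9660  ro,noauto                     0 0
10.10.1.123:/home     /mnt/distro   nfs4     rw                            0 0
/dev/sdb1             /data         xfs      defaults                      0 2
/dev/sdb2             data2         ext3     defaults                      0 2
EOF

if fstab_ok=$(lint_fstab "$fstab_demo" 2>"$fstab_demo.err"); then
    fstab_bad=0
else
    fstab_bad=$?
fi
# fstab_bad is 3: duplicate /mnt/distro, unsupported xfs, relative mount point data2
```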
Task Settings
Using Task Settings policies, you can:
• Configure scripts to run
• Schedule cron jobs
• Copy sudoer file to targets
Schedule Cron Jobs with a crontab or cron.d Policy
You can use a GPO to schedule commands, or cron jobs, that are executed at a set time.
When you set this policy, you must select a file type:
• /etc/cron.d - Use only on Linux computers. Using cron.d adds your file to the /etc/cron.d
directory on target Linux computers.
• crontab - Use on Linux, Unix, Mac OS X computers. Using crontab overwrites the crontab file on
target computers.
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Task Settings, and then click Crontab/Cron.d.
3. Double-click Crontab Settings, and then select the Define this Policy Setting check box.
4. To set the crontab file type, click Change Type, select one of the following, and then click OK.
– /etc/cron.d – Adds the file to the /etc/cron.d directory while preserving existing files and
other files inherited from policy objects.
Not supported by the Sun Solaris, Mac OS X, or IBM AIX operating systems.
– crontab – Uses the crontab utility to install the file in the root account, overriding the account's
existing crontab settings and any files inherited from policy objects.
Supported by most systems including Solaris, AIX, and Mac OS X.
5. In the Current file content box, type your command. Example:
* * * * * echo "`date` Running Cronjob 1 ($0)" >> /tmp/AD_GPO.log
Or, click Import, find the file that contains your commands, and then click Open.
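The two file types in step 4 expect different line formats on Linux: a file placed in /etc/cron.d uses the system crontab format, which has a user field between the five schedule fields and the command, while a file installed with the crontab utility into the root account has no user field, so the example line above is in crontab format. The helper below is an added example, not from the guide or from PBIS: it converts a crontab-format file to cron.d format by inserting the user, passes comments and environment settings such as MAILTO through unchanged, and reports lines that lack the schedule fields or a command. The sample input is constructed around the guide's example line; the @reboot command path is a placeholder.

```shell
# Added example: convert crontab-format lines to /etc/cron.d format (insert
# the user field) and flag malformed lines. Not PBIS code; sample constructed.

# crontab_to_crond <user>  < crontab_file  > crond_file
# Returns the number of malformed lines (those missing schedule fields or a command).
crontab_to_crond() {
    user=$1
    badlines=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) printf '%s\n' "$line"; continue ;;  # blank, comment, VAR=value
        esac
        # @reboot/@daily style lines carry one schedule field, others five.
        case "$line" in @*) nfields=1 ;; *) nfields=5 ;; esac
        rest=$line
        spec=''
        i=0
        while [ "$i" -lt "$nfields" ]; do
            rest=${rest#"${rest%%[![:space:]]*}"}     # trim leading whitespace
            field=${rest%%[[:space:]]*}               # next whitespace-delimited field
            [ -n "$field" ] || break
            spec="$spec$field "
            rest=${rest#"$field"}                     # quoted: "*" stays literal
            i=$((i + 1))
        done
        rest=${rest#"${rest%%[![:space:]]*}"}         # rest is the command, kept verbatim
        if [ "$i" -ne "$nfields" ] || [ -z "$rest" ]; then
            echo "malformed line: $line" >&2
            badlines=$((badlines + 1))
            continue
        fi
        printf '%s%s %s\n' "$spec" "$user" "$rest"
    done
    return "$badlines"
}

# --- demonstration: constructed crontab-format input, including the guide's example ---
crontab_sample='# constructed sample in crontab format
MAILTO=root
* * * * * echo "`date` Running Cronjob 1 ($0)" >> /tmp/AD_GPO.log
@reboot /usr/local/sbin/after-boot-check
0 3 * * *
'
crond_err=$(mktemp)
if crond_out=$(printf '%s' "$crontab_sample" | crontab_to_crond root 2>"$crond_err"); then
    crond_bad=0
else
    crond_bad=$?
fi
# crond_bad is 1: the "0 3 * * *" line has a schedule but no command
```

The same conversion is worth running in reverse when moving a cron.d file to the crontab type; a stray user field there becomes the first word of the command.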
Run a Script File
You can use a GPO to execute a text-based script file on target Linux and Unix computers. The script file
runs under the root account when the target computer first receives the GPO or when the policy object's
version changes. When a target system is restarted, the script runs again.
This policy replaces the local file. It is not inherited and does not merge with the local file. For more
information, see “About Group Policy Settings,” page 8.
Only one script can be applied at the system level. You can apply more than one script to targets using
the File System Settings policies. See Create Files, Directories, and Links.
The default ordering of the script policy is as follows:
1. Default domain policy
2. Higher-level OU policies
3. Current-level OU policies
Within an OU, the ordering is from the highest link order number to the lowest.
To create a script file policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Task Settings, and then click Run Script:
3. Double-click Script file, and then select the Define this Policy Setting check box.
4. In the Current file content box, type your script. Example:
#!/bin/bash
echo "`date` Running AD Script 1 ($0)" >> /tmp/AD_GPO.log
Or, click Import, find the file that contains your script, and then click Open.
Security Group Policies
You can define a GPO to specify a sudo configuration file for target computers running Linux, Unix, and
Mac OS X. The sudo configuration file is copied to the local machine and replaces the local sudoers file. A
sudo file can reference local users and groups or Active Directory users and groups.
Sudo, or superuser do, allows a user to run a command as root or as another user. This policy can
control sudo access in a centralized and uniform way. For more information about sudo, see the man
pages for your system.
This policy is not inherited and does not merge with the local file. For more information, see “About
Group Policy Settings,” page 8.
Note: The PBIS entries in your sudoers file must conform to the rules in "Configure Entries in Your
Sudoers Files" in the PowerBroker Identity Services Enterprise Edition Administration Guide.
As a best practice, it is recommended that you take a proven, working sudoers file from a computer and
apply it only to other computers running the same operating system. For example, to apply a sudo policy
to a set of Red Hat Enterprise Linux computers, select a working sudo configuration file from one of the
RHEL computers and apply it only to the other RHEL computers. Proceeding in this way helps prevent
overriding a system's default sudoers file with changes that might be unsuitable (especially on, for
example, Ubuntu or Mac OS X) because they apply only in the context of another operating system.
To create a sudo configuration file policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, Security Settings, and then click SUDO command:
3. Double-click Define Sudoer file, select the Define this Policy Setting check box, and then in the
Current file content box, type your commands.
Or, to import a sudo configuration file, click Import, and then find the file that you want.
Security Settings
This section describes the sudo and auto enrollment policy settings.
Sudo Command
You can create a GPO to specify a sudo configuration file for target computers.
Sudo, or superuser do, allows a user to run a command as root or as another user. You can use this GPO
to control sudo access in a centralized and uniform way.
The sudo configuration file is copied to the local computer and replaces the local sudoers file. A sudo file
can reference Active Directory users and groups. For more information about sudo, see the man pages
for your system.
For more information, see Create and Test a Sudo Group Policy.
To create a sudo GPO:
1. In the Group Policy Management Editor, expand either Computer Configuration or User
Configuration, expand Policies, Unix and Linux Settings.
2. Expand Security Settings, and then select SUDO command.
3. Double-click Define Sudoer file.
4. Select the Define this Policy Setting check box, and then in the Current file content box, type your
commands.
Or, to import a sudo configuration file, click Import.
5. Click OK.
Auto Enrollment of Certificates
You can use the PowerBroker Identity Services auto enrollment policy to automatically enroll domain and
root certificates on Debian systems. The auto enrollment policy renews expired or revoked certificates and
removes revoked certificates.
Additional certificates can be issued using the wifi GPO. See Set Wireless Properties.
Auto enrollment for security certificates is a feature available with Active Directory Certificate Services. For
more information about automatic certificate management, refer to Microsoft's documentation.
Applying a GPO Policy
The auto enrollment service is managed by the lwsm service manager. The auto enrollment service starts
when the policy is defined.
When the auto enrollment group policy is downloaded, gpagentd starts the autoenroll daemon and
downloads the certificates. Certificates are downloaded from the certificate authority (CA) of the joined
domain to /usr/share/ca-certificates/pbis/<Domain>/. The directory is created if it does not already
exist.
If the computer leaves the domain, then the auto enrollment of certificates stops. However, certificates
on the system will remain for existing connections.
This policy is tested on:
• Ubuntu 14.04 LTS x86_64
• RHEL 6.6, 7.0 x86_64
• CentOS 6.6, 7.0 x86_64
Turning on Auto Enrollment
You can also turn on auto enrollment using the PBIS config tool. For more information, refer to the PBIS
Linux Administration Guide.
Note: The auto enrollment policy downloads the root certificate and domain certificate only.
To turn on the auto enrollment policy:
1. In GPME, expand Policies > Unix and Linux Settings > Security Settings > Certificates Auto
Enrollment.
2. Double-click Certificates Auto Enrollment.
3. Select a configuration model from the list:
– Enabled - Select the check box to renew and update certificates. Select the interval at which the
computer checks in with the Certificate Authority for updates. The default value is 28800 seconds
(8 hours). The interval can be between 300 and 65535 seconds.
– Disabled - Select to turn off auto enrollment.
4. Click OK.
Applying the Settings Using the Config Tool
Command | Description
/opt/pbis/bin/config EnableAutoEnroll true | Turns on the auto enroll service.
/opt/pbis/bin/config AutoEnrollPollInterval <300 - 65535> | Sets the number of seconds that pass before the computer queries the CA service. The interval value is in seconds. The default value is 28800 seconds (8 hours). Accepted interval values are between 300 seconds and 65535 seconds.
/opt/pbis/bin/config ManagedCertificateLifecycle false | Renew, update, and remove certificates. Accepted values: true, false
Network Settings
Using the Network Settings policy, you can configure resolv.conf settings and apply them to target computers.
You can either merge the policy settings with the existing resolv.conf file on the target or replace it.
Set DNS Servers and Search Domains
You can create a GPO to specify the DNS servers and search domains on target Linux, Unix, and Mac OS X
computers.
The search domains are automatically appended to names that are typed in Internet applications. For
example, if you set campus.college.edu as a search domain on a Mac computer, a user can type
server1 in the Finder’s Connect To Server dialog box to connect to server1.campus.college.edu.
Note: Setting this group policy can lead to a conflict with the settings in the resolv.conf file on some
target computers, especially those running newer versions of Linux that include
NetworkManager. NetworkManager's dynamic maintenance of resolv.conf will likely conflict
with this policy's resolver options. When turned on, NetworkManager typically leaves a comment
in resolv.conf to indicate that it generated the file:
[root@bvt-rad12-32 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search corpqa.pbisdemo.com corp.pbisdemo.com
nameserver 10.100.1.24
nameserver 10.100.1.45
nameserver 10.100.1.51
When the GPO is processed, a new resolv.conf file is generated and named resolv.conf.gp. The
old resolv.conf file is saved as resolv.conf.lwidentity.orig, and then the new
resolv.conf.gp is renamed resolv.conf. When the network interface is restarted, however, the
updated resolv.conf settings can be overwritten with values from other configuration repositories,
even if NetworkManager is not turned on.
It is recommended that you use a target platform filter to apply the policy only to Unix platforms or other
systems on which resolv.conf is not dynamically modified.
To create a DNS server policy:
1. In GPMC, create or edit a group policy for the organizational unit that you want, and then open it
with the Group Policy Management Editor. For more information, see “Managing GPOs,” page 10.
2. In the Group Policy Management Editor, expand Computer Configuration, Policies, Unix and Linux
Settings, and then click Network Settings.
3. Double-click DNS, and then select the Define this policy setting check box.
4. In the DNS Servers box, type the DNS address that you want to use.
To enter more than one address, each address must be on a new line.
5. Optional. In the Search Domains box, type a search domain.
To enter multiple search domains, separate each by a comma. Domains are searched in the order
listed. To include local as one of the search domains, the target computers must be running OS X
10.4 or later and local must be first. Example:
local, demo.com, campus.college.edu
6. Optional. Use a sortlist to sort the addresses returned by gethostbyname. A sortlist consists of IP
address and optional netmask pairs, separated by slashes. See the man pages of your target platform for
information about how to set up your sortlist.
7. Set the resolver options as needed. For information about each resolver option, see the man pages
for your target platform.
Setting | How Option Is Applied
Ignore | The option is not applied to /etc/resolv.conf. When you also select to merge the selections with the local settings on the target computer and the option is specified in the local file, the option remains as specified in the local file.
Enable | The option is added to /etc/resolv.conf. When you also select to merge the selections with the local settings, the option replaces the local version of the option.
Disable | The option is not applied to /etc/resolv.conf. When you also select to merge the selections with the local settings, the option is removed from /etc/resolv.conf if it appears in the local file.
8. From the Apply settings by list, select either:
– Merging with local settings – Adds the settings in the policy to /etc/resolv.conf.
– Replacing local settings – Overwrites the local settings in /etc/resolv.conf with the settings
of the policy.
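To make the option-state table and the two Apply settings by modes concrete, here is an added Python example (not PBIS code) that applies a policy to a constructed resolv.conf modelled on the NetworkManager file shown above. Placing policy nameservers and search domains ahead of the retained local ones under merge, and matching options by their key (so ndots:1 replaces a local ndots:2), are assumptions about the agent's behaviour.

```python
"""Simulate applying a PBIS DNS policy to a local resolv.conf.

Added example, not PBIS code. It models the Ignore/Enable/Disable resolver
option states and the "Merging with" / "Replacing" local settings modes from
the policy description. Policy-first ordering under merge and key-based
option matching are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample, modelled on the NetworkManager-generated file shown above.
LOCAL_RESOLV_CONF = """\
# Generated by NetworkManager
search corpqa.pbisdemo.com corp.pbisdemo.com
nameserver 10.100.1.24
nameserver 10.100.1.45
options ndots:2 rotate
"""


@dataclass
class DnsPolicy:
    nameservers: list
    search_domains: list
    options: dict = field(default_factory=dict)  # option -> "ignore"|"enable"|"disable"
    merge: bool = True  # True: "Merging with local settings", False: "Replacing local settings"


def parse_resolv_conf(text):
    """Return (nameservers, search domains, options) from resolv.conf text."""
    nameservers, search, options = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver":
            nameservers.append(rest.strip())
        elif key in ("search", "domain"):
            search = rest.split()  # the last search/domain line wins, as in the resolver
        elif key == "options":
            options.extend(rest.split())
    return nameservers, search, options


def apply_policy(local_text, policy):
    """Produce the resolv.conf content the policy would generate for this host."""
    local_ns, local_search, local_opts = parse_resolv_conf(local_text)
    if policy.merge:
        ns = policy.nameservers + [n for n in local_ns if n not in policy.nameservers]
        search = policy.search_domains + [d for d in local_search if d not in policy.search_domains]
        opts = list(local_opts)
    else:
        ns, search, opts = list(policy.nameservers), list(policy.search_domains), []
    for opt, state in policy.options.items():
        key = opt.split(":")[0]  # "ndots:1" and a local "ndots:2" are the same option
        if state == "ignore":
            continue  # leave whatever the local file says untouched
        opts = [o for o in opts if o.split(":")[0] != key]  # Enable replaces, Disable removes
        if state == "enable":
            opts.append(opt)
    lines = ["# Generated by PBIS DNS policy (simulated)"]
    if search:
        lines.append("search " + " ".join(search))
    lines += ["nameserver " + n for n in ns]
    if opts:
        lines.append("options " + " ".join(opts))
    return "\n".join(lines) + "\n"
```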
Set Wireless Properties
The PBIS wireless policy configures a wireless interface using Network Manager. When the policy is
downloaded to a workstation, the workstation automatically enrolls for a certificate from the certificate
template named in the policy and configures a wireless interface. The name of the certificate template
must match the name as stated in the certificate authority template list.
This policy is tested on:
• Ubuntu 14.04 LTS x86_64
• RHEL 6.6, 7.0 x86_64
• CentOS 6.6, 7.0 x86_64
Preparing to Use the Wireless Policy
Review the following sections to ensure that your environment is ready to use a wireless policy.
Roles
The following Windows server roles are required because the PBIS policy supports WPA2 Enterprise
authentication. Ensure the roles are properly configured before setting the wireless policy in PBIS. Refer
to the Microsoft documentation for more information.
• Active Directory Certificate Services (AD CS), Certification Authority role service with Certificate
Enrollment Web Service (CES)
• Network Policy and Access Services, Network Policy Server role service
Authentication method
Ensure the following authentication method is added to the Network Policies:
• Microsoft Smart Card or other certificate
Certificate Templates
You can copy the Workstation Authentication template and use the copy as your wireless certificate when
configuring the policy.
Configuring a GPO Policy
The wireless policy requires that the Certificate Auto Enrollment policy be enabled. See Certificates Auto
Enrollment.
To configure the wireless GPO:
1. In GPME, expand Policies > Unix and Linux Settings > Network Settings.
2. Double-click Wireless.
3. Select the Define this policy setting check box, and then select Enabled.
4. Enter the network name of the wireless LAN.
Only WPA2 Enterprise security is available at this time.
5. Enter the name of the certificate template.
When the policy is downloaded to the workstations, the policy automatically enrolls in this certificate
template.
6. Click OK.
Configuring a Policy to Only Issue Certificates
You can use the auto enrollment feature to only enroll certificates. The wireless GPO is still needed, but
it is set to Disabled.
To configure the wireless GPO:
1. In GPME, expand Policies > Unix and Linux Settings > Network Settings.
2. Double-click Wireless.
3. Select the Define this policy setting check box, and then select Disabled.
4. Enter the network name of the wireless LAN.
The name can be anything as it is not used.
5. Enter the name of the certificate template.
When the policy is downloaded to the workstations, the policy automatically enrolls in this certificate
template.
6. Click OK.
Applying the Settings Using the Config Tool
Command | Description
/opt/pbis/bin/config EnableWireless false | Configure and enable the wireless interface. Accepted values: true, false
/opt/pbis/bin/config SSID " " | SSID of the wireless router.
/opt/pbis/bin/config SecurityType 1 | The security method used for the wireless access point. 0 - None, 1 - WPA2-Enterprise, 2 - WPA2-Personal
/opt/pbis/bin/config Authentication " " | Name of the certificate or the passphrase.
Troubleshooting Connection Issues
If you are having issues with your connection, review the following list of fixes for some common
connection failures.
• Check the Event Log Viewer for the Network Policies and Access Services.
• Check that the name of the certificate template in the CA matches your entry in the policy.
Appendix A: Troubleshooting the PBIS Group Policy Agent
This section contains information to help you troubleshoot common issues with the PBIS Group Policy
Agent.
Force PBIS Group Policy Objects to Refresh
The PBIS Group Policy agent, a component of PBIS Enterprise, connects to Active Directory, retrieves
changes to Group Policy Objects (GPOs), and applies the changes once every 30 minutes, when a
computer boots or restarts, or when requested by the PBIS GPO refresh tool.
You can run the PBIS GPO refresh tool at any time on a Unix, Linux, or Mac OS X computer joined to a
domain with the PBIS Enterprise agent. To run the GPO refresh tool, execute the following command at
the shell prompt:
/opt/pbis/bin/gporefresh
The command should return a result that looks like this:
20070731100621:0xb7f046c0:INFO:GPO Refresh succeeded
On target computers, PBIS stores its GPOs in /var/lib/pbis/grouppolicy.
PBIS Open includes neither the Group Policy agent nor the PBIS GPO refresh tool.
Check the Status of the PBIS Group Policy Daemon
You can check the status of the PBIS Group Policy daemon on a PBIS client computer that is running Unix
or Linux by running the following command as the root user:
/opt/pbis/bin/lwsm status gpagent
Restart the PBIS Group Policy Daemon
You can restart the PBIS Group Policy daemon on a computer that is running Unix or Linux by executing
the following command as root:
/opt/pbis/bin/lwsm restart gpagent
Generate a PBIS Group Policy Agent Debug Log
You can generate a PBIS Group Policy agent debug log on a Unix or Linux computer running the PBIS
agent.
1. Log on as root user.
2. Stop the Group Policy daemon by executing the following command at the shell prompt:
/opt/pbis/bin/lwsm stop gpagent
3. Start the Group Policy daemon in command-line debug mode and capture the output in a file with
these two commands:
/opt/pbis/sbin/lwsmd --loglevel debug --logfile /var/log/gpagentd.log -container gpagent &
/opt/pbis/bin/lwsm start gpagent
4. When you are done logging the information and debugging the service, use the kill command to
stop the service, which returns the log level to its default setting.
5. Start the Group Policy daemon with the PBIS service manager:
/opt/pbis/bin/lwsm start gpagent
Modify or Inspect GPOs from the gp-admin Command
The gp-admin command-line utility lets you modify the settings in a Group Policy Object (GPO) in Active
Directory from a Linux, Unix, or Mac computer. For example, you can use the tool to specify a GPO,
download a policy setting in the GPO from Active Directory to a Unix folder, modify it, and then upload it
to Active Directory.
You run the tool as root. Its location is as follows:
/opt/pbis/bin/gp-admin
To view the tool's arguments, run the following command:
/opt/pbis/bin/gp-admin --help
Here's what the help looks like:
Usage: gp-admin --list --gpolicy <Group Policy setting>
--help
| -h Show help
--listgpcses | -lgp List all the Group Policy extensions
--listall | -la List all the enabled policy settings in all the GPOs
--list | -l List the GPOs where the specified policy setting is configured
--download | -d Download the specified Group Policy setting to the specified path
--upload | -u Upload the specified Group Policy setting from the specified path
--gpolicy | -gp Specify the desired Group Policy setting
This should be set with the option '-l' '-d' or '-u'
--gpobject | -gpo Specify the desired Group Policy Object from which policy setting
to be downloaded or uploaded. This should be set only with
the option '-d' or '-u'
--path | -p Specify the desired path to download or upload policy settings
from or to AD. This should be set only with the option '-d' or '-u'.
Please provide the directory path where GPT.INI is present
Examples:
gp-admin -lgp
gp-admin -la
gp-admin -l -gp <ID>
gp-admin -d -gp <ID> -gpo <gpo name> -p <path>
Here's an example of how you can use gp-admin as root to inspect and modify a GPO:
1. List all the GPOs applied to the computer by name and policy identifier:
/opt/pbis/bin/gp-admin -la
Here is an example of an abbreviated list:
[root@rhel5d bin]# ./gp-admin -la
PBIS Enterprise Syslog GP Extension is enabled in the GPO's
GPO name:PBIS Enterprise settings for test PolicyIdentifier: {46c77e22-bb04-4dec-a788-8cf3a30ebeb7}
GPO name:PBIS Enterprise settings for apps PolicyIdentifier: {c2152211-e134-4eb1-a53a-b90378d7f056}
PBIS Enterprise Settings GP Extension is enabled in the GPO's
GPO name:Default Domain Policy PolicyIdentifier: {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO name:Engineering ACL Policy 1.0 PolicyIdentifier: {33E3DE4C-02DF-4CEE-8785-1F43FB750AFB}
...
PBIS Enterprise Automount GP Extension is enabled in the GPO's
GPO name:LinuxServers AutoFS 1.0 PolicyIdentifier: {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
...
2. Check the GPO extension's ID, which should be the same across different platforms:
/opt/pbis/bin/gp-admin -lgp
[root@rhel5d bin]# /opt/pbis/bin/gp-admin -lgp
Computer Policy Settings
ID = 1 PBIS Enterprise SeLinux GP Extension {0BCE95E2-5332-49dc-9878-D3F8B678734B}
ID = 2 PBIS Enterprise Syslog GP Extension {0D18828D-E7DA-434c-A537-8AF8122E2602}
ID = 3 PBIS Enterprise Settings GP Extension {0EED766B-2404-46A6-A6B6-F8971164A920}
ID = 4 PBIS Enterprise Sudo GP Extension {20D139DE-D892-419f-96E5-0C3A997CB9C4}
ID = 5 PBIS Enterprise Fstab GP Extension {36C20771-2724-4ee3-B1B0-36A396CDA5E3}
ID = 6 PBIS Enterprise Apparmor GP Extension {5554B0EB-ABE5-4654-A123-3B7818B2A48A}
ID = 7 PBIS Enterprise Computer Network Settings {5FB45FF0-A68C-430b-8C6E-347B14AEB975}
ID = 9 PBIS Enterprise Login Prompt GP Extension {9020E541-F49C-4ab8-88F3-55BE2D95B440}
ID = 10 PBIS Enterprise Automount GP Extension {9994B0EB-ABE5-4654-A123-3B7818B2A999}
ID = 11 PBIS Enterprise Message of the Day GP Extension {9A9F29C0-B1B1-467d-A255-0BD3D7AAAE59}
ID = 12 PBIS Enterprise Files GP Extension {AE472D6F-0615-4d12-BC70-8A381CA67D53}
ID = 13 PBIS Enterprise Computer Gconf GP Extension {B078EE20-01A1-4FEE-8DCC-032B758FA1F8}
ID = 14 PBIS Enterprise LogRotate GP Extension{B1BBA22A-08FF-4826-9B4B-151C8A0BC1CA}
ID = 15 PBIS Enterprise Cron GP Extension {B9CA8919-71D7-4aaa-9567-7225965F4A0E}
ID = 16 PBIS Enterprise Script GP Extension {DDFF8E72-5C29-4987-8FB3-DF7EB7CE8FC2}
User Policy Settings
ID = 8 PBIS Enterprise User Gconf GP Extension {74533AFA-5A94-4fa5-9F88-B78667C1C0B5}
ID = 17 PBIS Enterprise User Files GP Extension {E62C4C67-D187-4b89-8EEC-A8A2570390BF}
3. You can then use the ID to locate the GPOs that are applying a setting. The following example uses
the ID for the automount policy setting (10) to list the GPOs that are applying the automount
extension:
[root@rhel5d bin]# ./gp-admin --list -gp 10
PBIS Enterprise Automount GP Extension enabled in the below mentioned GPO's
GPO name:LinuxServers AutoFS 1.0 PolicyIdentifier: {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
4. You can use the ID and the GPO name to download the latest version of a GPO that contains the
automount setting:
./gp-admin -d -gp 10 -GPO "LinuxServers AutoFS 1.0" -p /var/lib/pbis/grouppolicy
The result of the command is as follows:
[root@rhel5d bin]# ./gp-admin -d -gp 10 -GPO "LinuxServers AutoFS 1.0" -p /var/lib/pbis/grouppolicy
Downloading policy data for setting:
(PBIS Enterprise Automount GP Extension) in GPO: (LinuxServers AutoFS 1.0)
to path: (/var/lib/pbis/grouppolicy)
Copying policy data from location:
\\demo.com\SysVol\demo.com\Policies\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
Downloaded PBIS Enterprise Automount GP Extension to /var/lib/pbis/grouppolicy/
{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654} folder
5. You can now change directories to the folder that contains the GPO and view it:
[root@rhel5d bin]# ls /var/lib/pbis/grouppolicy/
{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654} GPT.INI krb5cc_gpagentd systemfiles
[root@rhel5d bin]# ls /var/lib/pbis/grouppolicy/\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654\}/
{9994B0EB-ABE5-4654-A123-3B7818B2A999}
[root@rhel5d bin]# cd /var/lib/pbis/grouppolicy/\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654\}/
[root@rhel5d {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}]# cd \{9994B0EB-ABE5-4654-A123-3B7818B2A999\}/
[root@rhel5d {9994B0EB-ABE5-4654-A123-3B7818B2A999}]# ls
auto.home auto_master lwisettings.xml
[root@rhel5d {9994B0EB-ABE5-4654-A123-3B7818B2A999}]# cat lwisettings.xml
<LWIMachinePolicy> <GPItem clientGUID="{9994B0EB-ABE5-4654-A123-3B7818B2A999}"
itemGUID="{12587328-5C0D-46bd-BE9B-BF264F6CA720}" name="AutoMount settings" Version="2.0"> <autoMount>
6. You can also view the files referenced by the automount policy setting.
7. In the preceding example, the value of the Executable attribute for the auto_master file should be set
to no, not yes. You can open the file in an editor, make the change, and then upload the modified file
to Active Directory:
/opt/pbis/bin/gp-admin -u -gp 10 -GPO "LinuxServers AutoFS 1.0" -p /var/lib/pbis/grouppolicy/\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654\}/\{9994B0EB-ABE5-4654-A123-3B7818B2A999\}/lwisettings.xml
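As an added example (not one of the PBIS tools), the following Python parses the gp-admin -la and -lgp listings from steps 1 and 2 so that you can answer offline which GPOs enable a given extension, the same question step 3 asks the tool. The samples are constructed from the abbreviated output above.

```python
"""Parse gp-admin listing output to audit which GPOs push which PBIS extensions.

Added example, not part of the PBIS tool set; the samples are constructed from
the abbreviated listings shown in the steps above.
"""
import re

GUID = r"(?P<guid>\{[0-9A-Fa-f-]+\})"
# gp-admin -la: an extension header line followed by the GPOs that enable it
EXT_HEADER = re.compile(r"^(?P<ext>.+?) is enabled in the GPO's$")
GPO_LINE = re.compile(r"^GPO name:(?P<name>.+?) PolicyIdentifier: " + GUID + r"$")
# gp-admin -lgp: "ID = <n> <extension> {<guid>}"; the space before the GUID may be missing
ID_LINE = re.compile(r"^ID = (?P<id>\d+) (?P<ext>.+?)\s*" + GUID + r"$")

SAMPLE_LA = """\
PBIS Enterprise Syslog GP Extension is enabled in the GPO's
GPO name:PBIS Enterprise settings for test PolicyIdentifier: {46c77e22-bb04-4dec-a788-8cf3a30ebeb7}
GPO name:PBIS Enterprise settings for apps PolicyIdentifier: {c2152211-e134-4eb1-a53a-b90378d7f056}
PBIS Enterprise Settings GP Extension is enabled in the GPO's
GPO name:Default Domain Policy PolicyIdentifier: {31B2F340-016D-11D2-945F-00C04FB984F9}
...
PBIS Enterprise Automount GP Extension is enabled in the GPO's
GPO name:LinuxServers AutoFS 1.0 PolicyIdentifier: {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
"""

SAMPLE_LGP = """\
Computer Policy Settings
ID = 4 PBIS Enterprise Sudo GP Extension {20D139DE-D892-419f-96E5-0C3A997CB9C4}
ID = 10 PBIS Enterprise Automount GP Extension {9994B0EB-ABE5-4654-A123-3B7818B2A999}
ID = 14 PBIS Enterprise LogRotate GP Extension{B1BBA22A-08FF-4826-9B4B-151C8A0BC1CA}
User Policy Settings
ID = 17 PBIS Enterprise User Files GP Extension {E62C4C67-D187-4b89-8EEC-A8A2570390BF}
"""


def parse_listall(text):
    """Map extension name -> [(GPO name, policy identifier), ...] from 'gp-admin -la'."""
    result, current = {}, None
    for line in text.splitlines():
        header = EXT_HEADER.match(line)
        if header:
            current = result.setdefault(header.group("ext"), [])
            continue
        gpo = GPO_LINE.match(line)
        if gpo and current is not None:  # "..." and other lines are skipped
            current.append((gpo.group("name"), gpo.group("guid")))
    return result


def parse_listgpcses(text):
    """Map extension name -> (numeric ID, extension GUID, 'Computer'|'User') from 'gp-admin -lgp'."""
    result, scope = {}, None
    for line in text.splitlines():
        if line.endswith("Policy Settings"):
            scope = line.split()[0]
            continue
        m = ID_LINE.match(line)
        if m:
            result[m.group("ext")] = (int(m.group("id")), m.group("guid"), scope)
    return result


def gpos_for_extension(listall_text, listgpcses_text, ext_id):
    """GPOs that enable the extension with numeric ID ext_id (what 'gp-admin -l -gp <ID>'
    reports), derived offline from the two listings; [] means no GPO currently applies it."""
    enabled = parse_listall(listall_text)
    for name, (num, _guid, _scope) in parse_listgpcses(listgpcses_text).items():
        if num == ext_id:
            return enabled.get(name, [])
    raise KeyError("unknown extension ID %d" % ext_id)
```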
See also: "Troubleshoot User Rights with Ldp.exe and Group Policy Modeling" in the Troubleshooting
guide on the BeyondTrust web site.