PowerBroker Identity Services Enterprise Installation

PowerBroker Identity Services
Administration Guide
Revision/Update Information: September 2014
Corporate Headquarters
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2014 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable,
is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (“BeyondTrust”)
or BeyondTrust’s authorized remarketer, if and when applicable.
TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author,
and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation,
as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on
copying, modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than, any limited warranties
expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR
PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights.
This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express
limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes:
manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is
subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at
DFARS 252.227-7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops,
PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker
Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.
ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The
SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain
jurisdictions.
This application contains software powered by PKAIP®, the leading solution for enabling efficient and secure data storage and
transmission. PKAIP® is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with
permission.
OTHER NOTICES
If and when applicable the following additional provisions are so noted:
The PowerBroker Identity Services Open software is free to download and use according to the terms of the Limited GPL 2.1 for
client libraries and the GPL 2 for daemons. The licenses for PowerBroker Identity Services Enterprise and for PowerBroker
Identity Services UID-GID Module are different. For complete information on the software licenses and terms of use for
BeyondTrust products, see www.beyondtrust.com.
PBIS Enterprise Administration Guide
Contents
Introduction  7
  Conventions Used in This Guide  7
  Documentation Set for PBIS Enterprise  7
  Contact Technical Support  9
  Before Contacting Technical Support  9
  Contacting Support  10
Using the Management Console  12
  Start the BeyondTrust Management Console  12
  Connect to a Domain  14
  Changes Made by the Directory Integrated Mode Configuration  14
  Replication in a Large Forest or in Multiple Domains  14
  Add a Plug-In  14
Working with Cells  15
  Understanding PowerBroker Cells  15
  Types of Cells  15
  How Cells Are Processed  16
  Cell Design  17
  Using Multiple Cells  18
  Assigning Users to Manage Cells  18
  Create a Cell and Associate it with an OU or a Domain  19
  Create a Default Cell  19
  Associate a User with Cells  20
  Linking Cells  20
  Moving a Computer to Another Cell  23
  Managing Cells with Cell Manager  23
  Start Cell Manager  23
  Assigning Users to Manage a Cell  24
  Change Permissions of a Cell, Group, or User  24
  Add a Cell  24
  Adding a User or Group to a Cell  25
  Filter Cells  25
  Connect to a Different Domain  26
Managing Users and Groups  27
  Configuring Cell Settings for Users  27
  Configuring Cell Settings for a Group  29
  Disable a User  31
  Finding Users and Groups in ADUC  31
  Finding Orphaned Objects  33
  Configure Entries in Your sudoers Files  33
  Check a User's Canonical Name on Linux  34
  Set a sudoers Search Path  34
  Add Domain Accounts to Local Groups  34
  Extend File Mode Permissions with POSIX ACLs  35
  Prerequisites  35
  Example  36
  Using POSIX ACLs to Grant AD Accounts Access to Subversion  37
Migrating Users to Active Directory  38
  Migrate Users to Active Directory  38
  Before Running the Migration Tool  38
  Run the Migration Tool  39
  Migrate a User Profile on a Mac  40
  Migrate a User Profile from the GUI  41
  Migrate a User Profile from the Command Line  42
  Customize the Migration Script  42
  Migrating NIS Domains  42
Managing Computers  43
  Use PBIS with a Single Organizational Unit  43
  Join a Linux Computer to an Organizational Unit  43
  Rename a Joined Computer  43
  Rename a Computer Using the Command-Line Tool  44
  Rename a Computer Using the Domain Join Tool UI  44
  Removing a Computer from a Domain  45
  NetworkManager: Use a Wired Connection to Join a Domain  46
  AIX: Create Audit Classes to Monitor Events  46
Configuring PBIS with the Registry  48
  The Structure of the Registry  48
  Data Types  49
  Access the Registry  50
  Change a Registry Value Using the Shell  50
  Set Common Options with the Registry Shell  51
  Change a Registry Value from the Command Line  52
  Find a Registry Setting  52
  lsass Settings  53
  Log Level Value Entries  53
  Turn on Event Logging  53
  Turn off Network Event Logging  54
  Restrict Logon Rights  54
  Display an Error to Users Without Access Rights  55
  Display a Message of the Day  55
  Change the Domain Separator Character  56
  Change Replacement Character for Spaces  56
  Turn Off System Time Synchronization  57
  Set the Default Domain  57
  Set the Home Directory and Shell for Domain Users  58
  Set the Umask for Home Directories  60
  Set the Skeleton Directory  60
  Force PBIS Enterprise to Work Without Cell Information  61
  Refresh User Credentials  62
  Turn Off K5Logon File Creation  62
  Change the Duration of the Computer Password  62
  Sign and Seal LDAP Traffic  63
  NTLM Settings  64
  Additional Subkeys  65
  Add Domain Groups to Local Groups  66
  Control Trust Enumeration  66
  Modify Smart Card Settings  68
  Set the Interval for Checking the Status of a Domain  68
  Set the Interval for Caching an Unknown Domain  68
  lsass Cache Settings  68
  Set the Cache Type  69
  Cap the Size of the Memory Cache  69
  Change the Duration of Cached Credentials  69
  Change NSS Membership and NSS Cache Settings  70
  eventlog Settings  71
  Allow Users and Groups to Delete Events  71
  Allow Users and Groups to Read Events  72
  Allow Users and Groups to Write Events  72
  Set the Maximum Disk Size  73
  Set the Maximum Number of Events  73
  Set the Maximum Event Timespan  73
  Change the Purge Interval  74
  netlogon Settings  74
  Set the Negative Cache Timeout  75
  Set the Ping Again Timeout  75
  Set the Writable Rediscovery Timeout  75
  Set the Writable Timestamp Minimum Change  76
  Set CLdap Options  76
  lwio Settings  76
  Sign Messages If Supported  77
  Enable Security Signatures  77
  Require Security Signatures  77
  Set Support for SMB2  78
  autoenroll Settings  79
  Lwedsplugin Settings for Mac Computers  80
Managing PBIS Licenses  82
  Create a License Container  84
  Turn on Automatic Licensing  86
  Import a License File  86
  Assign a License to a Computer in AD  86
  Manage a License Key from the Command Line  87
  Check the License Key  87
  Set a License Key  88
  Release a License Key  88
  Change the Type of License  89
  Delete a License  89
  Manage PBIS Enterprise from the Windows Command Line (btopt.exe)  90
BeyondTrust® September 2014
Introduction
This guide shows system administrators and security administrators how to use BeyondTrust
PowerBroker Identity Services Enterprise Edition (PBIS).
PBIS ships with a number of documents that help you to use the various features of the product. See the
following section for a list of the guides.
Conventions Used in This Guide
Specific font and linespacing conventions are used in this book to ensure readability and to highlight
important information such as commands, syntax, and examples.
Font Conventions
The font conventions used for this document are:
• Courier New Font is used for program names, commands, command arguments, directory paths, variable
  names, text input, text output, configuration file listings, and source code. For example:
  C:\Documents and Settings\All Users
• Courier New Bold Font is used for information that should be entered into the system exactly as shown.
  For example:
  pbdeploy.exe
• Courier New Italics Font is used for input variables that need to be replaced by actual values. In the
  following example, the variable MyServer must be replaced by an actual environment server name and
  the variable MyFolder must be replaced by an actual folder name:
  \\MyServer\MyFolder\pbdcl32.msi
• Bold is used for Windows buttons. For example:
  Click OK.
Documentation Set for PBIS Enterprise
The complete PowerBroker Identity Services Enterprise Edition documentation set includes the following:
• PBIS Enterprise Installation Guide
• PBIS Enterprise Administration Guide
• PBIS Enterprise Linux Administration Guide
• PBIS Enterprise Auditing & Reporting Guide
• PBIS Enterprise Group Policy Administration Guide
• PBIS Release Notes
• Report Book
• Best Practices (go to the BeyondTrust web site)
Contact Technical Support
BeyondTrust Software, Inc. provides an online knowledge base, as well as telephone and web-based
support.
Before Contacting Technical Support
To expedite support, collect the following information to provide to Technical Support:
• PBIS Enterprise version (available in the PBIS Console by clicking Help, About on the menu bar)
• PBIS Agent version and build number
• Linux or Unix version
• Windows or Windows Server version
If you are contacting Technical Support about one of the following problems, also provide the diagnostic
information specified.
Segmentation Faults
Provide the following information when contacting Technical Support:
• Core dump of the PowerBroker Identity Services application. Enable core dumps in the shell that starts
  the process before reproducing the crash:
  ulimit -c unlimited
• Exact patch level or exact versions of all installed packages.
Program Freezes
Provide the following information when contacting Technical Support:
• Debug logs
• tcpdump
• An strace of the program
Domain-Join Errors
Provide the following information when contacting Technical Support:
• Debug logs (copy the log file from /var/log/pbis-join.log)
• tcpdump
All Active Directory Users Are Missing
Provide the following information when contacting Technical Support:
• Output of /opt/pbis/bin/get-status
• Contents of nsswitch.conf
All Active Directory Users Cannot Log On
Provide the following information when contacting Technical Support:
• Output of id <user>
• Output of su -c 'su <user>' <user>
• lsass debug logs (see Generate an Authentication Agent Debug Log in the PBIS Troubleshooting
  webhelp)
• Contents of pam.d/pam.conf
• The sshd and ssh debug logs and syslog
AD Users or Groups Are Missing
Provide the following information when contacting Technical Support:
• The debug logs for lsass
• Output of getent passwd or getent group for the missing object
• Output of id <user> if the missing object is a user
• tcpdump
• Copy of the lsass cache file
Poor Performance When Logging On or Looking Up Users
Provide the following information when contacting Technical Support:
• Output of id <user>
• The lsass debug log
• Copy of the lsass cache file (for the file name and location of the cache files, refer to the Linux
  Administration Guide)
• tcpdump
Contacting Support
If you encounter problems that are not covered in the documentation, contact BeyondTrust Technical
Support.
When contacting Technical Support, provide the following information:
• Your company name
• Telephone and email address where you can be contacted
• Description of the problem and the steps you have taken to resolve it
• Diagnostic information requested in Before Contacting Technical Support
You can contact BeyondTrust Technical Support by email or through the BeyondTrust website. If you are
located in the United States, you can also contact Technical Support by telephone. Support is staffed 24
hours per day, seven days per week.
Telephone: +1 800-234-9072 or +1 818-575-4040
Email: pbis-support@beyondtrust.com
Web: To submit a support request online:
1. Browse to http://www.beyondtrust.com.
2. Click Support at the top of any page.
3. On the BeyondTrust Technical Support page, scroll to the Customer Support Portals section and
   click the PowerBroker Identity Services tab.
4. If you do not have a PBIS Support password, click support@beyondtrust.com to request that a PBIS
   Support password be sent to your email address.
   Note: This is a different password than the one provided for use with the BeyondTrust
   Customer/Partner Portal.
5. For Username, enter your email address.
6. For Password, enter the password provided to you by PBIS Support and click Submit.
Using the Management Console
You can use the console to do the following tasks:
• Run multiple instances of the console and point them at different domains.
• Run the console with a different user account.
• Upgrade your Active Directory schema.
• Obtain status information about your Active Directory forests and domains.
• Migrate Unix and Linux users and groups by importing passwd and group files and mapping the
  information to users and groups in Active Directory.
• Remove orphaned objects.
• Generate reports about users, groups, and computers.
• Start Active Directory Users and Computers (ADUC), Cell Manager, and the Migration tool.
Start the BeyondTrust Management Console
Depending on the options chosen during installation, the console can be started in the following ways:
• Double-click the BeyondTrust Management Console shortcut.
• Click Start > All Programs > BeyondTrust PBIS > BeyondTrust Enterprise Console.
• At the command prompt, execute the following commands:
  cd %ProgramFiles%\BeyondTrust\PBIS\Enterprise\
  iConsole.bmc
After you start the console, you can navigate to all other pages in the console, including the PBIS Status
page.
The PBIS Status page displays the following information for the selected Active Directory forest. After you
start the console, it may take a few moments to retrieve information about your domains.
PBIS Version: The PBIS version and build number. Technical support personnel may ask you for this
information when you contact them for assistance.
Consistency check: Indicates whether Active Directory has been properly prepared for the current
operating mode. Typically this status indicator is Good.
Cell count: Displays the number of cells that are associated with organizational units in the selected
domain, including the default cell.
Mode: Either Directory Integrated or Schemaless. Directory Integrated indicates that the selected forest
is using the RFC 2307-compliant schema. Schemaless indicates that it is not.
Licenses Installed: Indicates if valid product licenses are deployed.
Connect to a Domain
If PBIS detects more than one Active Directory forest, it displays them on the PBIS Status page. You can
connect to a forest by double-clicking the forest name.
You can connect to another domain as follows:
1. In the BeyondTrust Management Console tree, right-click the Enterprise Console node, and then
click Connect to Domain.
2. Enter the FQDN of the domain that you want to connect to.
3. Enter the credentials of an Active Directory administrator.
It is recommended that you use the AD Enterprise Administrators security group account.
Changes Made by the Directory Integrated Mode Configuration
The Active Directory schema changes are applied from a set of LDAP Data Interchange Format (LDIF) files.
The standard installation places these files in the following directory:
\Program Files\BeyondTrust\PBIS\Enterprise\Resources\LDF
After you raise the domain and forest to the 2003 functional level, the PBIS domain configuration wizard
changes the following attributes, which are required for PBIS to run in Directory Integrated mode. Each
of them is replicated to the global catalog and indexed:
• uidNumber
• uid
• displayName
• gecos
• loginShell
• unixHomeDirectory
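Before applying schema changes from LDIF files to a production forest it is worth reading them and confirming that every attribute the list above names is both replicated to the global catalog and indexed. The following Python does that check; it is an added example for this page, not PBIS code, and SAMPLE_LDIF is a constructed record in the standard LDIF change format, not the contents of the shipped Resources\LDF files. It assumes the usual Active Directory meaning of two attributeSchema attributes: isMemberOfPartialAttributeSet set to TRUE replicates the attribute to the global catalog, and bit 0x1 of searchFlags makes it indexed. The gecos record is deliberately built without a searchFlags change so that the audit has something to report.

```python
"""Audit a schema-modification LDIF for the attribute changes this guide lists.

Added example, not PBIS code. SAMPLE_LDIF is constructed sample data in
LDIF change format, not the shipped Resources\\LDF files. Assumed AD
semantics: isMemberOfPartialAttributeSet TRUE -> in the global catalog;
searchFlags bit 0x1 -> indexed.
"""
import re
from typing import Dict, List

# the six attributes the guide says the wizard promotes to the GC and indexes
REQUIRED = ["uidNumber", "uid", "displayName", "gecos", "loginShell", "unixHomeDirectory"]
INDEX_BIT = 0x1                                  # assumed: the index bit of searchFlags
SCHEMA_CN = re.compile(r"^CN=([^,]+),CN=Schema,", re.IGNORECASE)
MOD_SPECS = {"changetype", "add", "replace", "delete"}   # LDIF control lines, not attributes


def schema_mod(attr: str, index: bool = True) -> str:
    """Build one constructed LDIF 'modify' record for an attributeSchema object."""
    lines = [
        f"dn: CN={attr},CN=Schema,CN=Configuration,DC=example,DC=com",
        "changetype: modify",
        "replace: isMemberOfPartialAttributeSet",
        "isMemberOfPartialAttributeSet: TRUE",
        "-",
    ]
    if index:
        lines += ["replace: searchFlags", "searchFlags: 1", "-"]
    return "\n".join(lines) + "\n"


# constructed sample: gecos intentionally lacks the searchFlags change
SAMPLE_LDIF = "\n".join(schema_mod(a, index=(a != "gecos")) for a in REQUIRED)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into records, each a dict of lower-cased attribute -> values.

    Folded lines (continuations start with a space) are joined first;
    modify control lines and the '-' separator are skipped.
    """
    records, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line == "-" or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in MOD_SPECS:
            continue
        current.setdefault(key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def audit(records: List[Dict[str, List[str]]]) -> Dict[str, Dict[str, bool]]:
    """For each attributeSchema record, report whether it is GC-replicated and indexed."""
    report = {}
    for rec in records:
        match = SCHEMA_CN.match(rec.get("dn", [""])[0])
        if not match:
            continue                              # not a schema attribute object
        gc = any(v.upper() == "TRUE" for v in rec.get("ismemberofpartialattributeset", []))
        flags = int(rec.get("searchflags", ["0"])[-1])
        report[match.group(1)] = {"gc": gc, "indexed": bool(flags & INDEX_BIT)}
    return report


def incomplete(report: Dict[str, Dict[str, bool]], required: List[str] = REQUIRED) -> List[str]:
    """Required attributes that are absent or not both GC-replicated and indexed."""
    lowered = {k.lower(): v for k, v in report.items()}
    return [a for a in required
            if a.lower() not in lowered
            or not (lowered[a.lower()]["gc"] and lowered[a.lower()]["indexed"])]


if __name__ == "__main__":
    result = audit(parse_ldif(SAMPLE_LDIF))
    for name, state in result.items():
        print(f"{name:20} gc={state['gc']} indexed={state['indexed']}")
    print("needs attention:", incomplete(result))   # ['gecos'] for the sample
```

To run it against real files, replace SAMPLE_LDIF with the text of each LDF file; anything listed by incomplete() either is not in the file at all or is missing one of the two changes, and should be inspected before the wizard is run.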
Replication in a Large Forest or in Multiple Domains
When you set up PBIS in an environment with a large forest or multiple domains, it may take some time
for the PBIS objects and the schema update to replicate to the rest of the domain.
Replication must complete before the domain and its child domains are fully enabled for PBIS. You will be
unable to connect to a child domain until replication finishes.
Add a Plug-In
The console includes several plug-ins: Access and Audit Reporting, Enterprise Database Management,
and the Operations Dashboard.
1. In the console, on the File menu, click Add/Remove Plug-in.
2. Click Add.
3. Click the plug-in that you want, and then click Add.
4. Click Close, and then click OK.
Working with Cells
You can use the following tools to manage your PowerBroker cells:
• Active Directory Users and Computers – A PowerBroker Cell Settings tab is added to the dialog box of
  the following objects in the Active Directory Users and Computers MMC snap-in:
  – Domain
  – Users
  – Groups
  – Organizational Units
• Cell Manager – Cell Manager is a PBIS MMC snap-in for managing your PowerBroker cells. Cell
  Manager is installed when you install the BeyondTrust Management Console.
Checkpoint
– Ensure the account you are using to manage PowerBroker cell properties is a member of the
  Domain Admins group or Enterprise Admins group. The account needs privileges to create and
  change objects and child objects in Active Directory.
Understanding PowerBroker Cells
A PowerBroker cell is a container of Unix settings for Active Directory users and groups so they can log on
to Linux, Unix, and Mac OS X computers.
For each user, the settings include a Unix user identifier (UID), the group identifier (GID) of the primary
group, a home directory, and a login shell.
You can use cells to map a user to different UIDs and GIDs for different computers.
Review the details in this section to learn more about how cells work.
Types of Cells
There are two types of PowerBroker cells:
• Default cell – A cell associated with a domain or an entire enterprise. In a multi-domain topology, you
  create a default cell in each domain, and these domain-specific default cells merge into an
  enterprise-wide default cell.
• Named cell – A cell associated with an organizational unit (OU). Associating cells with OUs is a natural
  way to organize computers and users.
PBIS lets you define a default cell that handles mapping for computers that are not in an OU with an
associated named cell. The default cell for the domain can contain the mapping information for all your
Linux and Unix computers. If you are using Directory Integrated mode, various attributes are indexed in
the global catalog by using the default cell.
In a multi-domain or multi-forest enterprise, the default cells of the domains merge into a single
enterprise-wide default cell where users from each domain can authenticate with their credentials. Users'
UID, GID, and other settings are defined separately in each domain, but nothing additional is needed at
the domain-level to enable the user to authenticate.
Each forest that has a two-way transitive forest trust with the computer's forest is listed in the default
cell. Each domain in each forest can opt in to this enterprise-wide default cell by creating a default cell in
that domain. Any user who is listed in the default cell in a domain can be seen by the PBIS-enabled
operating system of any computer joined to the default cell.
How Cells Are Processed
• PBIS searches Active Directory for cell information
  When an Active Directory user logs on to a PBIS client computer, the PBIS agent searches Active
  Directory for the user's PowerBroker cell information.
  The search typically begins at the node where the computer is joined to Active Directory and can
  extend to all forests that have a two-way transitive trust with the client computer's forest.
• PBIS agent checks the cell type
  The PBIS agent determines the OU where the computer is a member and checks whether a named
  cell is associated with it.
• PBIS agent continues search if no cell found for the OU
  If a cell is not associated with the OU, the PBIS agent on the Unix or Linux computer moves up the
  directory structure, searching the parent and grandparent OUs until it finds an OU that has a
  PowerBroker cell associated with it.
• Named cell found
  If a named cell is found, PBIS searches for a user or group's attributes in the cell associated with the
  computer.
If an OU with an associated cell is not found, the PBIS agent uses the default cell for the domain to map
the username to UID and GID information.
Default Cell Processing
A default cell is processed differently than a named cell. When processing a default cell, PBIS searches for
a user or group's attributes in the default cell of the domain where the user or group resides. For
example, a two-domain topology configured with one domain for users and another domain for
computers would require two default cells—one default cell in the domain where user and group objects
reside, and another default cell in the domain where computer objects are joined.
A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a
case, the Group Policy Objects (GPOs) associated with the OU apply to the Linux or Unix computer, but
user UID and GID mappings follow the policy of the nearest parent cell or the default cell.
PBIS does not require you to have a default cell, but for PBIS to operate properly you must ensure that
the PBIS agent can always find a cell. For more information, see Best Practices for Modes, Cells, and User
Rights.
Cell Design
PowerBroker cell technology allows managing overlapping Unix identities in a single Active Directory
organization for PBIS Enterprise. Cells work in Directory Integrated or Schemaless mode.
Storing Unix Identities
Cells store Unix identity information separate from other cells. This allows a single user or group to have
different names or different numerical ID values (UID or GID) in different environments, all associated
with the same AD identity.
This also allows multiple users or groups to have overlapping names or numerical ID values (UID or GID) in
separate environments. Each cell requires additional overhead for the standard procedure for account
management and for troubleshooting end-user logon issues, because both cases require the additional
step of determining which cell the operation must be performed against.
To minimize complexity while allowing the flexibility of cells, it is recommended that you use no more
than four cells.
Named Cells
Named Cells store Unix identity information (uid, uidNumber, gidNumber, gecos, unixHomeDirectory,
loginShell) in a subcontainer of the organizational unit (OU) that is associated with the cell.
Whether a user exists in the local domain or a trusted domain, the Unix identity information exists in an
object in the cell. In other words, a Named Cell can reference users or groups from outside the current AD
domain.
Default Cells
Default Cell mode refers to how an AD domain is set up. There is one Default Cell, and it is
enterprise-wide. All trusted Microsoft Active Directory Global Catalogs are part of the Default Cell.
However, individual AD domains participate in the Default Cell by creating the Default Cell object in the
root of those domains.
In Default Cell mode, the Unix identity information is stored in the same OU as the user object that the
Unix Identity information is related to. This enforces a single Unix identity for a single AD user across the
entire enterprise. Therefore, the Default Cell should be viewed as the ultimate authority for Unix
information within an enterprise.
Directory Integrated Mode - Default Cell Configurations
In Directory Integrated mode, the Default Cell stores the Unix identity information directly to the user or
group object in the same manner as “First Name” (givenName), “Address” (address, city, state), and
“Email” (emailAddress) attributes.
Because the Directory Integrated Mode - Default Cell stores the information on the user or group object,
existing Identity Management (IDM) products do not need to be modified to provision users for the
Default Cell in Directory Integrated Mode. This also allows non-PBIS systems that consume the RFC 2307
attributes (such as Network Appliance ONTAP filers and EMC Celerra storage devices) to use the same
identity information as PBIS Enterprise.
Directory Integrated Mode - Default Cell is the preferred method for all PBIS Enterprise installations. In all
cases where Unix identity information can be made to be non-overlapping, the Directory Integrated
Mode - Default Cell should be used.
Directory Integrated Mode - Named Cell Configurations
In Directory Integrated mode, Named Cells create objects of class PosixAccount and
serviceConnectionPoint, which are linked back to the user or group object associated with the PBIS
object.
Directory Integrated Mode - Named Cells are recommended wherever multiple cells beyond the Default
Cell are required.
Schemaless Mode Cells
Schemaless mode is deprecated but fully supported.
The PBIS clients determine cell and Schema configuration at startup and re-check this configuration
periodically. Because of how the data is stored, migration from a Schemaless Default Cell to a Directory
Integrated Mode - Default Cell configuration requires more work, more steps, and more potential risks
than any other cell migration.
For migration and long-term support purposes, Schemaless Mode Cells should only be created as Named
Cells.
Note: Directory Integrated mode is preferred for the performance benefits and because Microsoft
Active Directory is moving towards Directory Integrated Mode by default.
Using Multiple Cells
If you have multiple Unix and Linux computers but are not using a centralized scheme to manage UIDs
and GIDs, it is likely that each computer has unique UID-GID mappings. You may also have more than one
centralized IMS, such as multiple NIS domains. You can use multiple cells to represent the UID-GID
associations that the NIS domain provided, allowing those Unix and Linux users to continue to use their
existing UID-GID information while using Active Directory credentials.
When using multiple cells, it can be helpful to identify what Unix and Linux objects each cell represents.
For example:
• Individual Unix, Linux, or Mac OS X computers
• A single NIS domain
• Multiple NIS domains (which require multiple cells)
Assigning Users to Manage Cells
If you want to assign users to help manage PowerBroker cells, ensure the users have the permissions to
create container objects in an OU.
For more information about delegating control, see Delegating Administration in Active Directory Users
and Computers Help.
1. In Active Directory Users and Computers, right-click an OU, and then select Delegate Control.
2. Go through the Delegation of Control wizard, and ensure the following permissions are selected:
– Read, Write, Create All Child Objects, Delete All Child Objects, Read All Properties, Write All
Properties
3. Click Finish.
Create a Cell and Associate it with an OU or a Domain
To associate a cell with an OU, you must be a member of the Domain Admins security group, or you
must have been delegated permission to manage container objects in that OU.
Important: Do not create a cell in the Domain Controllers built-in OU.
Important: Before you associate a cell with an OU, make sure you chose the schema mode. You cannot
easily change the schema mode after you create a cell, including a default cell.
1. Start Active Directory Users and Computers.
2. In the console tree, right-click the OU or the domain for which you want to create a cell, click
Properties, and then click the PowerBroker Cell Settings tab.
3. Under PowerBroker Cell Information, select the Create Associated PowerBroker Cell check box,
and then click OK.
You can now associate users with the cell.
Create a Default Cell
You can create a default cell that maps computers that are not in an OU with an associated cell. The
default cell can contain the mapping information for all your Linux and Unix computers. PBIS Enterprise
does not require a default cell.
A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such
cases, the group policies associated with the OU apply to the Linux and Unix computer, but user UID-GID
mappings follow the policy of the nearest parent cell, or the default cell.
To create a default cell:
1. Start Active Directory Users and Computers.
2. Right-click the name of your domain, and then select Properties.
3. Select the PowerBroker Cell Settings tab, and then select Create Associated PowerBroker Cell
check box.
Use Pre-Existing RFC 2307 Data
To recognize and use pre-existing Unix data that is stored in Active Directory with RFC 2307 attributes,
make sure PowerBroker Identity Services is in Directory Integrated mode and then create a default cell.
Associate a User with Cells
You can associate a user with one or more PowerBroker cells to give the user access to the Linux, Unix,
and Mac OS X computers that are members of each cell.
1. Start Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the details pane, right-click a user, and then click Properties.
4. Select the PowerBroker Cell Settings tab.
5. Under PowerBroker Cells, select the check box for the cell that you want to associate the user with.
   You can select more than one cell.
6. Under User info for cell, a default GID value, typically 100000, is automatically populated in the GID
   box.
   Note: The user's settings can vary by cell.
7. To set the UID, click Suggest, or type a value in the UID box.
   Note: Do not set UIDs below 1,000. That range is reserved for local system accounts on most Linux
   distributions (UID 0 is root), so a domain user mapped to one of those values is indistinguishable
   from that local account on the computer and inherits its file ownership and privileges.
Linking Cells
When you link cells, computers in one cell can be accessed by the users in the cell that you link to (the
linked cell).
To provide a mechanism for inheritance and to ease system management, PowerBroker Identity Services
can link cells. Users and groups in a linked cell can access resources in the target cell.
For example, if your default cell contains 100 system administrators and you want those administrators
to have access to another cell, called Engineering, you do not need to provision those users in the
Engineering cell. Instead, link the Engineering cell to the default cell; the Engineering cell then inherits
the settings of the default cell.
To ease management, in the Engineering cell you can set any mapping information that should differ
from the default cell.
Although you can use linking to create a hierarchy of cells, linking is not transitive.
For example, consider the following linked cells:
- Civil cell linked to Engineering cell
- Engineering cell linked to Default cell
In this scenario, the Civil cell will not inherit the settings of the default cell.
Linking to Multiple Cells
When a cell is linked to more than one cell, the order of the linked cells controls the search order: the
cells are searched in the order listed, and the first one that holds a mapping for the user supplies the UID.
Consider the following scenario:
Kathy, a system administrator, has UIDs set in the default cell (100,000) and in the Engineering cell
(150,000). In the Civil cell, however, the UID from the Engineering cell must be used to log on to Civil
computers.
If the Civil cell is linked to both the default cell and the Engineering cell, the order is important. If
Engineering does not precede the default cell in the search order, Kathy will be assigned the wrong UID
and will be unable to log on to computers in the Civil cell.
In the following procedure, the Accounting cell is linked to the Engineering cell. With this link, users in
the Engineering cell can access the computers in the Accounting cell:
1. Start Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit that is associated with the cell you want to link
to another cell, and then click Properties.
3. Click the PowerBroker Cell Settings tab.
4. Click Linked Cells, click Add, click the cell that you want, and then click OK.
5. When you link to multiple cells, the order that you set is important because it controls the search
order. The cells are searched in the order listed. Use Move Up or Move Down to set the order of the
cells. See Linking to Multiple Cells.
6. Click OK.
Moving a Computer to Another Cell
When you move a computer from one cell to another, you must do the following if you want the cell
information to be updated immediately on the client:
• Clear the authentication cache for user and group membership: lsass-adcache.db. See Manage
the AD Cache (ad-cache).
• Restart the PBIS authentication service by running this command as root: /opt/pbis/bin/lwsm
restart lsass
• Force the computer to refresh its Group Policy settings by running this command as root:
/opt/pbis/bin/gporefresh
Managing Cells with Cell Manager
Using Cell Manager, you can:
• Delegate control of a cell
• Change permissions for a cell
• Add cells, view cells
• Associate cells with OUs to provide users and groups with Linux and Unix access
• Connect to another domain and filter cells to reduce clutter
Start Cell Manager
To start Cell Manager:
1. In the BeyondTrust Management Console, expand Enterprise Console and click Diagnostics &
Migration.
2. Under Tasks, click Launch Cell Manager.
Alternatively, start Cell Manager from the Start menu. Select Start, All Programs, BeyondTrust PBIS,
PowerBroker Cell Manager.
Assigning Users to Manage a Cell
You can use Cell Manager to create an access control list (ACL) that allows users or groups without
administrative privileges to manage PowerBroker cells.
For example, you can assign permissions to particular users to add users or remove users from a cell.
1. In Cell Manager, right-click a cell, and then select Delegate Control.
2. Click Start.
3. Click Add, and then choose the users or groups that you are delegating permissions to.
4. Click Next, and then select the permissions that you want to assign.
5. Review the information that you entered, and then click Finish.
Change Permissions of a Cell, Group, or User
To change the permissions of a cell, a group, or a user:
1. In the Cell Manager console tree or in the details pane, right-click the object that you want to change
permissions for, and then click Properties.
2. Click Permissions.
3. Change the permissions, and then click OK.
Add a Cell
When you add a cell, you must attach it to an organizational unit (OU) in Active Directory.
To add a cell:
1. In Cell Manager, right-click the top-level Cell Manager domain node, select New, and then click Cell.
2. Select the OU to which you want to attach the cell.
Note: You cannot attach a cell to the top-level node (the domain).
3. On the Cell Defaults page, set the following:
– Default Home directory – type the path for the home directory that you want to set for users in
the cell, for example /home/%D/%U.
Important: The home directory path must include the user name variable (%U). The domain name
variable (%D) is optional.
– Default login shell – type the path to the default shell that you want to use, for example
/bin/sh.
– Enable your user account in the cell – select to add your account to the cell.
4. Select the Create Group Policy Object check box to create a GPO for the OU, and then set any of the
following policy options:
– Forward audit event to
– Prepend default domain name to AD users and groups
– Set group policy refresh interval
5. Click Start.
Adding a User or Group to a Cell
Default attributes are used when you add a user or group to a cell using Cell Manager.
You can change the properties later using Active Directory Users and Computers. See Configuring Cell
Settings for Users.
1. In Cell Manager, right-click a cell, and then select New.
2. Select User or Group.
3. Click OK.
4. Search for the user or group that you want to add, and then click OK.
Filter Cells
You can use filtering to set the maximum number of cells to display and show only the cells that match a
pattern.
1. In Cell Manager, right-click the top-level Cell Manager domain node, and then click Filter.
2. Set the filtering values that you want to use:
– Maximum number of cells to display – Enter the number of cells to display. The default is 300.
– Only show cells that match pattern
– Interpret pattern as regular expression
3. Click OK.
Connect to a Different Domain
Even though users and groups imported from a different domain appear in Cell Manager, you cannot
modify their settings from outside their original domain.
To modify the settings of a user or group imported from another domain, use Cell Manager to connect to
that domain and then make the changes that you want.
1. In Cell Manager, right-click the top-level Cell Manager domain node, and then click Connect To
Domain.
2. In the Domain box, type the domain. Alternatively, click Browse, and then locate the domain.
Managing Users and Groups
Using PBIS Enterprise, you can manage the PowerBroker cell settings for Unix, Linux, and Mac OS X users
and groups in Active Directory Users and Computers.
Configuring Cell Settings for Users
In Active Directory Users and Computers, you can configure PowerBroker cell settings for your users.
Note: Administrative privileges are required to manage PowerBroker cell settings. Ensure that you are
logged on as a member of Domain Admins or Enterprise Admins, or that you have been delegated
permissions for the cell. For more information, see Assigning Users to Manage a Cell.
The following cell settings can be configured to establish connection between Active Directory and your
clients:
• UID – The Unix user ID. The user's settings can vary by cell.
• GID – The Unix group ID.
• Login Name – Provide an alias for an Active Directory user so that the user can log on to a bridged
client using the alias. An alias only applies to the selected cell.
• Home Directory – The home directory path must include the user name variable (%U). The domain
name variable (%D) is optional.
Important: On Solaris, you cannot create a local home directory in /home, because /home is used by
autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories
in /export/home.
• Login Shell – You can assign the login shell at the OU level or at the user level, to a single user or to
several users at once.
• Comment (GECOS)
Tip: Generate a report to view existing values
The Cell Access Report can show you existing values for UID, GID, home directory, and login
shells for users. For more information, see Generate a Sample Report.
You can configure cell settings at the OU level, user level, or select a range of users in a selected OU.
To configure cell settings for your users:
1. Start Active Directory Users and Computers.
2. Navigate to the OU where your users reside.
3. Right-click the user, and then select Properties.
4. Select the cells where you want the settings to apply.
If a cell's check box is already selected, click the cell name to activate the settings in the User info
for cell section.
5. Enter information for the following:
– UID – Click Suggest, or type a value in the box.
– GID – The GID value is automatically populated. Select a group from the list to change the primary
group for the user account.
If the group is unavailable, be sure to add the group to the cell. See Add a Group to a Cell.
– Login Name – Type an alias for the user.
The user must log on using the Active Directory account if a login name is not set here.
– Home Directory – To override the default home directory, type the directory that you want to set
for the user. For example, /home/%D/%U
– Login Shell – Enter a login shell if you want to override the default. For example, /bin/sh or
/bin/bash.
– Comment (GECOS) – Enter a comment. (Optional).
6. Click OK.
Assigning Settings to More Than One User
You can assign settings to more than one user at the same time. For example, you can assign users to a
cell and then set the home directory.
The users must be members of a group already associated to a cell and each user must have a UID-GID
mapping.
Configuring Cell Settings for a Group
In Active Directory Users and Computers, you can configure PowerBroker cell settings for a group.
You can configure a GID and group alias.
Note: Administrative privileges are required to manage PowerBroker cell settings. Ensure that you are
logged on as a member of Domain Admins or Enterprise Admins, or that you have been delegated
permissions for the cell. For more information, see Assigning Users to Manage a Cell.
A cell must already be created. See Create a Cell or Create a Default Cell.
1. Start Active Directory Users and Computers.
2. In the console tree, right-click a group, and then click Properties.
3. Click the PowerBroker Cell Settings tab.
4. In the PowerBroker Cells section, select the check box for the cell that you want to provide the group
access to.
5. In the Group info for cell section, set the following:
– GID – Click Suggest, or type a value in the GID box.
You can assign a group identifier (GID) to an Active Directory group by associating the group
object with a cell and setting a GID value for the group object.
The GID information that you enter is applied to all objects in the group.
However, the settings are not applied to nested groups; you must apply the GID information to
each group.
– Group Alias – Set an alias for the group. (Optional). The alias applies only within the cell.
Disable a User
Note: When a computer cannot communicate with a domain controller, a user whose account was
disabled on the domain controller, but who logged on to the computer prior to their account
being disabled, can continue to log on until you clear the cache or until the computer regains
communication with the domain controller.
By default, the cache expires after 4 hours. You can configure the interval using a PBIS Group
Policy setting or, if the policy setting has not been configured, by modifying the registry using the
PBIS config tool.
1. Start Active Directory Users and Computers.
2. Find the user.
3. Right-click the user that you want to disable, and then click Properties.
4. Click the PowerBroker Cell Settings tab.
5. In the PowerBroker Cells section, clear the check boxes for the cells where you want to disable the
user.
To disable the user's access to all Linux, Unix, and Mac OS X computers, clear all the check boxes.
Finding Users and Groups in ADUC
Because of a limitation with the Active Directory Users and Computers snap-in, when you try to find a
PBIS user or group by right-clicking an OU and then clicking Find, the user or group will not appear in the
results even when the user or group is in the OU. The Find command does, however, work at the domain
level.
As an alternative, you can find PBIS users and groups in an OU using the following procedure:
1. Right-click the OU with an associated cell, select Properties, and then click the PowerBroker Cell
Settings tab.
2. Click Add, and then search the user or group.
Finding Orphaned Objects
You can use the BeyondTrust Management Console to find and remove orphaned objects. An orphaned
object is a linked object, such as a Unix or Linux user ID or group ID, that remains in a cell after you delete
a group or user's security identifier, or SID, from an Active Directory domain.
Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve
search speed. It is recommended that you remove orphaned objects before you use the migration tool
with a domain that operates in Schemaless mode.
1. In the BeyondTrust Management Console tree, expand Enterprise Console, and then click
Diagnostics & Migration.
2. From the Tasks list, click Find Orphaned Objects.
3. Click Select Domains, select the domains that you want to scan, and then click OK.
4. Click Begin Scan.
5. To remove the objects that appear in the Orphaned objects to delete box, click Delete Objects.
Configure Entries in Your sudoers Files
When you add Active Directory entries to your sudoers file—typically, /etc/sudoers—you must adhere
to at least the following rules:
• ALL must be in uppercase letters.
• Use a backslash to escape the backslash that separates the Active Directory domain from the user or
group name.
• Use the correct case; entries are case sensitive.
• Use a user or group's alias if the user or group has one in Active Directory.
• If the user or group does not have an alias, you must set the user or group in the PBIS canonical
name format of NetBIOSdomainName\SAMaccountName (and escape the backslash character).
Note: For users or groups with an alias, the PBIS canonical name format is the alias, which you
must use; you cannot use the format of NetBIOS domain name\SAM account name.
For users and groups without an alias, the form of an entry in the sudoers file is as follows:
DOMAIN\\username
DOMAIN\\groupname
Example entry of a group:
%EXAMPLE\\LinuxFullAdmins ALL=(ALL) ALL
Example entry of a user with an alias:
kyle ALL=(ALL) ALL
For more information about how to format your sudoers file, see your computer's man page for sudo.
Check a User's Canonical Name on Linux
To determine the canonical name of a PBIS user on Linux, execute the following command, replacing the
domain and user in the example with your domain and user:
getent passwd example.com\\hab
EXAMPLE\hab:x:593495196:593494529:Jurgen Habermas:/home/local/EXAMPLE/hab:/bin/sh
In the results, the user's PBIS canonical name is the first field.
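The following script is an added example; it is not part of the PBIS guide or the product. It takes a canonical name (the first field of getent output, reproduced above as a constructed copy of that line), doubles the backslash the way sudoers requires, and rejects the formatting mistakes listed under Configure Entries in Your sudoers Files before the line is handed to visudo. The run-as list and the /usr/bin/systemctl command are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the PBIS guide: format sudoers entries for PBIS
# accounts and sanity-check them against the rules in the guide.

# getent output for a domain user, constructed here in the shape the guide shows.
SAMPLE_PASSWD_LINE='EXAMPLE\hab:x:593495196:593494529:Jurgen Habermas:/home/local/EXAMPLE/hab:/bin/sh'

# The canonical name PBIS expects in sudoers and /etc/group is the first field.
canonical_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Live lookup through NSS; only meaningful on a joined client.
pbis_canonical_name() {
    canonical_from_passwd_line "$(getent passwd "$1")"
}

# sudoers needs the backslash between NetBIOS domain and account doubled
# (DOMAIN\\name). An alias contains no backslash and passes through unchanged.
sudoers_principal() {
    printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# sudoers_entry user|group CANONICAL_NAME [RUNAS] [COMMANDS]
# RUNAS and COMMANDS default to ALL, which sudoers requires in uppercase.
sudoers_entry() {
    kind=$1
    name=$2
    runas=${3:-ALL}
    cmds=${4:-ALL}
    prefix=''
    [ "$kind" = group ] && prefix='%'
    printf '%s%s ALL=(%s) %s\n' "$prefix" "$(sudoers_principal "$name")" "$runas" "$cmds"
}

# Reject the mistakes the guide warns about before the line reaches visudo:
# lowercase "all" and a lone (unescaped) backslash in the principal.
sudoers_line_ok() {
    line=$1
    case $line in
        *' all'*|*'(all)'*) return 1 ;;
    esac
    rest=$(printf '%s' "$line" | sed 's/\\\\//g')   # remove escaped pairs
    case $rest in
        *\\*) return 1 ;;                           # a single backslash is left over
    esac
    printf '%s\n' "$line" | grep -Eq '^%?[^[:space:]]+[[:space:]]+ALL=\([^)]+\)[[:space:]]+.+$'
}

# Demo: the guide's two example entries, regenerated from canonical names, plus
# a restricted entry for the user from the constructed getent line.
sudoers_entry group 'EXAMPLE\LinuxFullAdmins'   # %EXAMPLE\\LinuxFullAdmins ALL=(ALL) ALL
sudoers_entry user  kyle                         # kyle ALL=(ALL) ALL
sudoers_entry user  "$(canonical_from_passwd_line "$SAMPLE_PASSWD_LINE")" ALL /usr/bin/systemctl
```

Write the generated line to a file under /etc/sudoers.d with mode 0440 and run visudo -c -f on it before relying on it; sudoers_line_ok checks only the PBIS-specific formatting rules, not sudo's full grammar.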
Set a sudoers Search Path
Although PowerBroker Identity Services searches a number of common locations for your sudoers file, on
some platforms PBIS might not find it.
You can set the location of your sudoers file by adding the following line to the Sudo GP Extension section
of /etc/pbis/grouppolicy.conf:
SudoersSearchPath = /your/search/path
Example: SudoersSearchPath = "/opt/sfw/etc";
Here is an example in the context of the /etc/pbis/grouppolicy.conf file:
[{20D139DE-D892-419f-96E5-0C3A997CB9C4}]
Name = "PBIS Enterprise Sudo GP Extension";
DllName = "liblwisudo.so";
EnableAsynchronousProcessing = 0;
NoBackgroundPolicy = 0;
NoGPOListChanges = 1;
NoMachinePolicy = 0;
NoSlowLink = 1;
NoUserPolicy = 1;
PerUserLocalSettings = 0;
ProcessGroupPolicy = "ProcessSudoGroupPolicy";
ResetGroupPolicy = "ResetSudoGroupPolicy";
RequireSuccessfulRegistry = 1;
SudoersSearchPath = "/opt/sfw/etc";
Add Domain Accounts to Local Groups
You can add domain users to your local groups on a Linux, Unix, and Mac OS X computer by placing an
entry for the user or group in the /etc/group file. Adding an entry for an Active Directory user to your
local groups can give the user local administrative rights. The entries must adhere to the following rules:
• Use the correct case; entries are case sensitive.
• Use a user or group's alias if the user or group has one in Active Directory.
• If the user or group does not have an alias, you must set the user or group in the PBIS canonical
name format of NetBIOSdomainName\SAMaccountName.
Note: For users or groups with an alias, the PBIS canonical name format is the alias, which you
must use; you cannot use the format of NetBIOS domain name\SAM account name.
For users and groups without an alias, the form of an entry is as follows:
root:x:0:EXAMPLE\kristeva
For users and groups with an alias, the form of an entry is as follows:
root:x:0:kris
In /etc/group, unlike in sudoers, the backslash separating the domain name from the account name does
not need to be escaped.
Tip: On Ubuntu, you can give a domain user administrative privileges by adding the user to the admin
group as follows:
admin:x:119:EXAMPLE\bakhtin
On a Mac OS X computer, you can add users to a local group with Apple's directory service command-line
utility: dscl. In dscl, go to the /Local/Default/Groups directory and then add users to a group by
using the append command.
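As an added example (not from the guide or the product), the following POSIX sh functions append a PBIS account to a group in a copy of /etc/group without creating a duplicate entry, reject names that are not in canonical form, and read the membership back. The group file contents are constructed for the demo, and the group names root, admin and wheel are only illustrations.

```shell
#!/bin/sh
# Added example, not part of the PBIS guide: add a PBIS account to a local
# group in a group file, keeping the canonical-name rules (case-sensitive,
# alias or DOMAIN\name with a single backslash) and never duplicating it.

# Print the member list of a group, or nothing if the group is absent.
group_members() {
    file=$1
    GROUP_NAME="$2" awk -F: '$1 == ENVIRON["GROUP_NAME"] { print $4 }' "$file"
}

# add_to_local_group FILE GROUP MEMBER
# Returns 0 on success (also when MEMBER was already listed),
# 2 for a malformed member name, 3 when GROUP does not exist in FILE.
add_to_local_group() {
    file=$1
    group=$2
    member=$3
    case $member in
        ''|*:*|*,*|*\\*\\*)
            printf '%s\n' "add_to_local_group: bad member name: $member" >&2
            return 2 ;;
    esac
    # ENVIRON is used instead of awk -v because -v expands backslash escapes
    # and would mangle DOMAIN\name.
    if ! GROUP_NAME="$group" MEMBER="$member" awk -F: -v OFS=: '
        $1 == ENVIRON["GROUP_NAME"] {
            found = 1
            present = 0
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == ENVIRON["MEMBER"]) present = 1
            if (!present) $4 = ($4 == "" ? ENVIRON["MEMBER"] : $4 "," ENVIRON["MEMBER"])
        }
        { print }
        END { if (!found) exit 3 }
    ' "$file" > "$file.tmp"; then
        rm -f "$file.tmp"
        printf '%s\n' "add_to_local_group: group $group not in $file" >&2
        return 3
    fi
    mv "$file.tmp" "$file"
}

# Demo on a constructed copy of /etc/group (never edit the live file without a backup).
demo_group_file=$(mktemp)
printf 'root:x:0:\nadmin:x:119:\nwheel:x:10:localadmin\n' > "$demo_group_file"
add_to_local_group "$demo_group_file" root  'EXAMPLE\kristeva'
add_to_local_group "$demo_group_file" root  'EXAMPLE\kristeva'   # second call changes nothing
add_to_local_group "$demo_group_file" admin 'EXAMPLE\bakhtin'
cat "$demo_group_file"
rm -f "$demo_group_file"
```

Run it against a copy of /etc/group and install the result with the file's original owner and mode; the function rewrites the whole file, so a backup is the only way back if the wrong group was named.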
Extend File Mode Permissions with POSIX ACLs
When you have to grant multiple users or groups access to a file, directory, or Samba share on a Linux
server, you can use POSIX access control lists to extend the standard file mode permissions.
Because Linux and Unix file mode permissions control access only for a single user, a single group, and
then everyone else, the only means of granting access to more than one group with the standard file
modes is to either nest the groups together or to give everyone access—approaches that are often
unacceptable. Nested groups can be a maintenance burden, and granting access to everyone can
undermine security. As for Samba shares, it is insufficient to add multiple users and groups to the valid
users parameter in smb.conf if the underlying file system does not allow them access.
Prerequisites
You must have the acl package installed. You can determine this as follows:
# rpm -qa | grep acl
libacl-2.2.23-5
acl-2.2.23-5
The file system must be mounted with acl in the option list. You can determine this using the mount
command:
# mount
/dev/sda1 on / type ext3 (rw,acl)
As shown above, the root file system has been mounted with read-write (rw) and acl options. If you do
not see acl in the options for the file system you are working with, modify /etc/fstab to include this
option, and then remount the file system. In the case of the root file system, you may need to restart the
system.
All users and groups must exist before you add them to the ACL. Active Directory users and groups must
be given in the PBIS canonical name format (for example, DOMAIN\username) unless an alias has been
configured, in which case use the alias.
Example
This example uses a directory called testdir. The process is the same for files.
Here are the standard file mode permissions of the testdir directory.
[aciarochi@rhel4-devel tmp]$ ls -ld testdir
drwxrwx--- 2 root root 4096 Dec 14 13:28 testdir
You can view the extended ACL using the getfacl utility. In this case, it shows the same information, in
a different format:
[aciarochi@rhel4-devel tmp]$ getfacl testdir
# file: testdir
# owner: root
# group: root
user::rwx
group::rwx
other::---
With these permissions, only the root user and members of the root group are allowed to open the
directory. Since the aciarochi user is not in the root group, he is denied access:
[aciarochi@rhel4-devel tmp]$ cd testdir
-bash: cd: testdir: Permission denied
However, we can grant access to aciarochi by using the setfacl utility to add him to the ACL. We
must switch to the root user, since that is the directory owner. Once the ACL is set, aciarochi can open
the directory:
[root@rhel4-devel ~]# setfacl -m u:aciarochi:rwx /tmp/testdir/
[root@rhel4-devel ~]# exit
logout
[aciarochi@rhel4-devel tmp]$ cd testdir
[aciarochi@rhel4-devel testdir]$ pwd
/tmp/testdir
Notice that the standard file mode permissions have not changed, except for the addition of a + at the
end, indicating that extended file permissions are in effect:
[aciarochi@rhel4-devel tmp]$ ls -ld /tmp/testdir/
drwxrwx---+ 2 root root 4096 Dec 14 13:28 /tmp/testdir/
Additional groups can be added in the same manner—using a g: instead of a u:—to indicate a group. In
the following example, we grant read and execute (open) access to the ftp group:
[root@rhel4-devel ~]# setfacl -m g:ftp:r-x /tmp/testdir
[root@rhel4-devel ~]# getfacl testdir
# file: testdir
# owner: root
# group: root
user::rwx
user:aciarochi:rwx
group::rwx
group:ftp:r-x
mask::rwx
other::---
Using POSIX ACLs to Grant AD Accounts Access to Subversion
With PowerBroker Identity Services, you can use AD accounts with Subversion. Use POSIX ACLs to give a
domain group write access to the SVN repository.
Note the following:
• Use only one backslash (\) between the domain and the group name in /etc/group.
• The entry is case sensitive. The domain name must be uppercase and the username lowercase.
Here is an example:
$ svnadmin create /data/foo
## Add domain admins to the default directory ace
$ find /data/foo -type d | xargs setfacl -d -m 'g:AD\domain^admins:rwx'
## Add domain admins to the directory ace
$ find /data/foo -type d | xargs setfacl -m 'g:AD\domain^admins:rwx'
## Add domain admins to the ace for files
$ find /data/foo -type f | xargs setfacl -m 'g:AD\domain^admins:rw'
$ getfacl /data/foo
# file: foo
# owner: AD\134gjones
# group: AD\134unixusers
user::rwx
group::r-x
group:AD\134domain^admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:AD\134domain^admins:rwx
default:mask::rwx
default:other::r-x
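The following script is an added example and is not part of the guide. It covers two checks a practitioner wants around the setfacl examples above (the testdir walkthrough and the Subversion tree): whether a mount line actually carries the acl option, and what each ACL entry grants once the mask is applied. The mask matters because a later chmod on the group bits rewrites it and silently narrows every named user and group entry, including the default entries set on the repository. The getfacl output it parses is constructed to match the testdir example; setfacl does not need to be installed to run it.

```shell
#!/bin/sh
# Added example, not part of the PBIS guide: check for the acl mount option and
# compute the permissions an ACL actually grants after the mask is applied.

# mount_line_has_acl 'DEV on MNT type FS (opts)' -> 0 if "acl" is among the options
mount_line_has_acl() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\))$/\1/p' | tr ',' '\n' | grep -qx 'acl'
}

# effective_acl "$(getfacl path)" prints every entry with the permissions that
# remain after the mask. Named users, named groups and the owning group are
# limited by the mask; the owner and "other" are not. Default entries are
# reported against the default mask.
effective_acl() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 3 { next }
        {
            scope = "access"; t = $1; nm = $2; p = $3
            if ($1 == "default") { scope = "default"; t = $2; nm = $3; p = $4 }
            sub(/[ \t]*#.*/, "", p)        # drop the "#effective:" note getfacl appends
            if (t == "mask") { mask[scope] = p; next }
            n++; sc[n] = scope; ty[n] = t; name[n] = nm; perm[n] = p
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]; m = mask[sc[i]]
                if (m != "" && (name[i] != "" || ty[i] == "group")) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm[i], j, 1)
                        eff = eff ((c != "-" && substr(m, j, 1) != "-") ? c : "-")
                    }
                }
                printf "%s%s:%s:%s\n", (sc[i] == "default" ? "default:" : ""), ty[i], name[i], eff
            }
        }'
}

# getfacl output as the guide shows it after both setfacl calls (constructed copy).
SAMPLE_ACL='# file: testdir
# owner: root
# group: root
user::rwx
user:aciarochi:rwx
group::rwx
group:ftp:r-x
mask::rwx
other::---'

# The same directory after "chmod g-w testdir": chmod rewrites the mask, and the
# named entries lose write access even though setfacl was never run again.
SAMPLE_ACL_AFTER_CHMOD='# file: testdir
# owner: root
# group: root
user::rwx
user:aciarochi:rwx        #effective:r-x
group::rwx                #effective:r-x
group:ftp:r-x
mask::r-x
other::---'

mount_line_has_acl '/dev/sda1 on / type ext3 (rw,acl)' && echo 'acl option present'
effective_acl "$SAMPLE_ACL"
echo '--- after chmod g-w ---'
effective_acl "$SAMPLE_ACL_AFTER_CHMOD"
```

On ext4 the acl option is enabled by default and does not appear in mount output; tune2fs -l lists it under "Default mount options". For the Subversion tree, find | xargs breaks on paths that contain whitespace; setfacl -R -m 'g:AD\domain^admins:rwX' applies the same grant recursively in one call and, through the capital X, gives execute permission only to directories and to files that already have it.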
Migrating Users to Active Directory
The NIS migration tool imports Linux, Unix, and Mac OS X passwd files and group files and maps them to
users and groups in Active Directory.
The migration tool includes options to ease your NIS migration to Active Directory, including:
• Migrate account information to the organizational units that you want.
• Create groups in Active Directory to match your Linux and Unix groups.
• Generate scripts to repair file ownership and group settings.
• Change the GID of imported users to that of the AD Domain Users group.
• Automatically set an alias for each migrated user.
• Generate Visual Basic scripts to migrate users and groups in an automated and custom way.
• Modify GIDs during migration.
• Select only the groups and users that you want to migrate from your full list of groups and users.
• Set the home directory and shell for migrated users.
• Filter out standard Unix and Linux accounts, such as mail and news.
• Modify UID information during migration.
• Use NIS map files to migrate netgroups, automounts, and other services to Active Directory.
On a Mac OS X computer, the PBIS domain join utility includes a tool to migrate a user profile from a local
user account to the home directory specified for the user in Active Directory. For more information, see
Migrate a User Profile on a Mac.
Migrate Users to Active Directory
The PBIS NIS migration tool can import Linux, Unix, and Mac OS X password and group files—typically
/etc/passwd and /etc/group—and automatically map their UIDs and GIDs to users and groups defined in
Active Directory.
You can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with
Active Directory users and groups. Before you commit the changes, you can resolve ambiguous user
names and other conflicts.
Important: Before you migrate users to a domain that operates in schemaless mode, it is recommended
that you find and remove orphaned objects. The IDs associated with orphaned objects are reserved until
you remove the orphaned objects. See Find Orphaned Objects.
Before Running the Migration Tool
Before running the migration tool, obtain the following information:
•
The name of the domain where you want to migrate the account information.
•
Credentials that allow you to modify the domain.
• The Unix or Linux passwd file and corresponding group file that you want to add to Active Directory.
The passwd and group files can be from a computer or an NIS server.
Run the Migration Tool
To import Linux, Unix, and Mac OS X password and group files and automatically map UIDs and GIDs to
users and groups in Active Directory:
1. In the BeyondTrust Management Console tree, expand Enterprise Console, and then click the
Diagnostics & Migration.
2. From the Tasks list, click Run Migration Tool.
3. Click Next.
4. In the Domain box, type the domain name that you want to migrate the account information to.
5. Select credentials:
– Use logon credentials – Select if your logon credentials allow you to modify the domain.
– Use alternate credentials – Select if your logon credentials are not allowed to modify the
domain, and then enter credentials that have the appropriate privileges.
6. Click Next.
7. Select your mapping files:
– Click Import to import a Linux/Unix passwd and group file, and then provide the following
information.
– Map name – The migration tool imports the passwd file and group file into the map file,
which is then matched to existing Active Directory user and group names.
– Passwd file – Type the path and name of the file that you want to import, or click Browse to
find the file.
– Group file – Type the path and name of the passwd file's corresponding group file, or click
Browse and then find the file.
– To import default Unix or Linux user accounts such as root and public, clear the Omit
standard Linux/UNIX user accounts check box.
– In the list under Users, clear the Import check box for any user that you do not want to
import, and then click Next.
– Click Import NIS Map to import an NIS map file. You can run the ypcat command on the NIS
server to create the map file.
– NIS Map file – Click Browse to find the map file.
– Map type – Select the map file type: Netgroups, Automounts, or Services.
8. Select the OU where you want to migrate the Linux or Unix account information.
If you select the top of your domain, the information is migrated to the default PowerBroker cell of
your Active Directory forest and UID numbers are automatically assigned within the domain's range.
If you select an OU, PBIS creates a cell for the OU and migrates the account information to it. UIDs
and GIDs are maintained if the passwd and group files agree, and if the UIDs and GIDs do not conflict
with existing users or groups.
The migrated account information applies only to computers that are members of the OU.
9. Click Next.
10. Select from the following list of migration options:
– Create groups in Active Directory to match Linux/Unix groups – Create groups in Active Directory
that match your Linux or Unix groups
– Create all groups in AD – Create all groups in Active Directory, not just the referenced ones. To
select this option, you must first select the Create groups in Active Directory to match
Linux/UNIX groups check box.
– Generate scripts to repair file ownership and group settings – Run scripts that can repair
ownership issues and group settings issues.
– Change GID of imported users to Domain Users
– Always set Login Name (alias), even when same as sAMAccountName
– Generate VBScript to perform migration – Enter the name of the script in the Script name box.
Enter the directory where the script is located.
11. Click Next.
12. Click the Users tab and verify that the information is correct.
13. Click the Groups tab and verify that the information is correct.
14. To import the passwd and group files after you verify that the information is correct, click Next.
Migrate a User Profile on a Mac
On a Mac OS X computer, the PBIS domain join utility includes a tool to migrate a user's profile from a
local user account to the home directory specified for the user in Active Directory.
When you migrate the user's profile, you can either copy or move it from the local account to the user's
Active Directory account. Copying the profile leaves a copy of the user's files in their original location, but
doubles the space on the hard disk required to keep the user's files.
You can migrate a user by using the GUI or by using the command line. In addition, you can customize
the migration shell script to suit your requirements.
Important: To migrate a user's profile, you must have a local or AD account with administrative privileges.
The account that you use must not be the account that you are migrating.
Migrate a User Profile from the GUI
Note: For Mac OS 10.8 and later, the GUI is no longer supported.
For PBIS 7.0 and later, GUI on any Mac is not supported.
Use the CLI commands. See Migrate a User Profile from the Command Line.
To migrate a user profile on a Mac to Active Directory:
1. Save and close any documents that the user has open.
2. Log on with an administrator account that is not being migrated.
3. In Terminal, execute the following command to open the PBIS Domain Join dialog box:
open /opt/pbis/bin/Domain\ Join.app
If prompted, enter a name and password of an account with administrative privileges. The account
can be either a local machine account or an AD account, but must not be the account that you are
migrating.
4. In the Domain Join dialog box, click Migrate.
Note: The Domain Join dialog box might be behind your Terminal window or behind another
window.
5. Under Source - Local Account, in the list, click the user that you want.
6. In the box under Destination - Likewise AD Account, type the name of the Active Directory user
account that you want to migrate the local account to, and then click the button beside the box to
check that the account exists in Active Directory.
7. In the Options section, select one of the following:
– Copy Profile – Copy a user's files and data from the user's home directory to a home directory
specified in Active Directory.
Note: This option doubles the amount of hard disk space required to store the user's files and
data on the computer.
– Move Profile – Move the user's files and data from the user's home directory to a home directory
specified in Active Directory.
Select any of the check boxes, as needed:
– Remove local account when finished: Deletes the local account after it is migrated to AD.
– Retain local account's admin rights: Maintains the account's administrative permissions after
migration.
– Use Spotlight to find user profile files.
8. Click Migrate.
Migrate a User Profile from the Command Line
You can migrate a user's profile using the command line. On a Mac OS X computer, the location of the
migration shell script is as follows:
/opt/pbis/bin/lw-local-user-migrate.sh
You can run the script locally or remotely. Connect to a Mac using SSH and then run the migration script
to remotely migrate users from another computer.
For information about the command's syntax and arguments, execute the following command in
Terminal:
/opt/pbis/bin/lw-local-user-migrate.sh --help
Customize the Migration Script
You can customize the migration script to suit your needs by opening the script and editing it. The script
is written in Bash shell.
Important: BeyondTrust does not support customized or modified scripts. Once you change the script,
it is outside PBIS support.
Migrating NIS Domains
If you use PBIS to migrate all your Unix and Linux users to Active Directory, in most cases you will assign
these users a UID and GID that is consistent across all the Unix and Linux computers that are joined to
Active Directory—a simple approach that reduces administrative overhead.
In cases when multiple NIS domains are in use and you want to eliminate these domains over time and
migrate all users and computers to Active Directory, mapping an Active Directory user to a single UID and
GID might be too difficult. When multiple NIS domains are in place, a user typically has different UID-GID
maps in each NIS domain. With PBIS, you can eliminate these NIS domains but retain the different NIS
mapping information in Active Directory because PBIS lets you use a cell to map a user to different UIDs
and GIDs depending on the Unix or Linux computer that they are accessing.
To move to Active Directory when you have multiple NIS servers, you can create an OU (or choose an
existing OU) and join to the OU all the Unix computers that are connected to the NIS server. You can then
use cells to represent users' UID-GID mapping from the previous identity management system.
Managing Computers
Use PBIS with a Single Organizational Unit
You can use PBIS if you have write privileges for only one OU. Your AD rights to create objects in the OU
allow you to join Linux and Unix computers to the OU even though you do not have Active Directory
Domain Administrator or Enterprise Administrator privileges. (See Assigning Users to Manage Cells.)
There are additional limitations to this approach:
• You must join the computer to a specific OU, and you must know the path to that OU.
• You cannot use PBIS Enterprise in Directory Integrated mode unless you have Enterprise
Administrator privileges, which are required to upgrade the schema.
Join a Linux Computer to an Organizational Unit
To join a computer to a domain, you need:
• The user name and password of an account that has privileges to join computers to the OU
• The full name of the domain that you want to join, and the OU path from the top OU down to the
OU that you want
As root, execute the following command, replacing organizationalUnitName with the path and
name of the OU that you want to join, domainName with the FQDN of the domain, and joinAccount
with the user name of an account that has privileges to join computers to the domain:
/opt/pbis/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount
Example:
/opt/pbis/bin/domainjoin-cli join --ou Engineering example.com Administrator
Example of how to join a nested OU:
/opt/pbis/bin/domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU example.com Administrator
After you join a domain for the first time, you must restart the computer before you can log on.
Rename a Joined Computer
To rename a joined computer, you must:
• Leave the domain.
• Rename the computer using the domain join command-line interface.
• Rejoin the computer to the domain.
Important: Do not change the name of a Linux, Unix, or Mac computer using the hostname command
because some distributions do not permanently apply the changes.
Rename a Computer Using the Command-Line Tool
The following procedure removes a Unix or Linux computer from the domain, renames the computer,
and then rejoins it to the domain.
Note: Renaming a joined computer requires the user name and password of a user with privileges to
join a computer to a domain.
1. With root privileges, at the shell prompt of a Unix computer, execute the following command:
/opt/pbis/bin/domainjoin-cli leave
2. To rename the computer in /etc/hosts, execute the following command, replacing
computerName with the new name of the computer:
/opt/pbis/bin/domainjoin-cli setname computerName
Example: /opt/pbis/bin/domainjoin-cli setname RHEL44ID
3. To rejoin the renamed computer to the domain, execute the following command at the shell prompt,
replacing DomainName with the name of the domain that you want to join and UserName with the
user name of a user who has privileges to join a domain:
/opt/pbis/bin/domainjoin-cli join DomainName UserName
Example: /opt/pbis/bin/domainjoin-cli join example.com Administrator
It may take a few moments before the computer is joined to the domain.
4. After you change the hostname of a computer, you must also change the name in the PBIS local
provider database so that the local PBIS accounts use the correct prefix. Execute the following
command as root, replacing hostName with the name that you want:
/opt/pbis/bin/set-machine-name hostName
Rename a Computer Using the Domain Join Tool UI
1. From the desktop with root privileges, double-click the PBIS Domain Join Tool, or at the shell prompt
of a Linux computer, type the following command:
/opt/pbis/bin/domainjoin-gui
2. Click Leave, and then click OK.
3. Start the domain join tool again by double-clicking the PBIS Domain Join Tool on the desktop, or by
typing the following command at the shell prompt of a Linux computer:
/opt/pbis/bin/domainjoin-gui
4. Click Next.
5. In the Computer name box, rename the computer by typing a new name.
6. In the Domain box, enter the Fully Qualified Domain Name (FQDN) of the Active Directory domain.
7. Under Organizational Unit, you can join the computer to an OU in the domain by selecting OU Path
and then typing a path in the Specific OU path box.
Or, to join the computer to the Computers container, select Default.
8. Click Next.
9. Enter the user name and password of an Active Directory user with authority to join a machine to the
Active Directory domain, and then click OK.
The computer's name in /etc/hosts has been changed to the name that you specified and the
computer has been joined to the Active Directory domain with the new name.
10. After you change the hostname of a computer, you must also change the name in the PBIS local
provider database so that the local PBIS accounts use the correct prefix. Execute the following
command as root, replacing hostName with the name that you want:
/opt/pbis/bin/set-machine-name hostName
Removing a Computer from a Domain
You can remove a computer from a domain in the following ways:
• Remove the computer account from ADUC
• Run the domain join tool on the Unix, Linux, or Mac OS X computer
See Leave a Domain.
NetworkManager: Use a Wired Connection to Join a Domain
On Linux computers running NetworkManager—which is often used for wireless connections—you must
make sure before you join a domain that the computer has a non-wireless network connection and that
the non-wireless connection is configured to start when the networking cable is plugged in. You must
continue to use the non-wireless network connection during the post-join process of restarting your
computer and logging on with your Active Directory domain credentials.
After you join the domain and log on for the first time with your AD domain credentials using a
non-wireless connection, you can then revert to using your wireless connection because your AD logon
credentials are cached. (You will not, however, be notified when your AD password is set to expire until
you either run a sudo command or log on using a non-wireless connection.)
If, instead, you attempt to use a wireless connection when you join the domain, you cannot log on to
your computer with AD domain credentials after your computer restarts.
Here is why: NetworkManager is composed of a daemon that runs at startup and a user-mode
application that runs only after you log on. NetworkManager is typically configured to auto-start wired
network connections when they are plugged in and wireless connections when they are detected. The
problem is that the wireless network is not detected until the user-mode application starts—which
occurs only after you log on.
Information about NetworkManager is available at http://projects.gnome.org/NetworkManager/.
AIX: Create Audit Classes to Monitor Events
On AIX computers, after you install the PBIS agent, you can create audit classes to monitor the activities
of users who log on with their Active Directory credentials.
You can use the following file as a template to create audit classes for AD users:
/etc/pbis/auditclasses.sample
To create and configure an audit class, copy the file and name it /etc/pbis/auditclasses. Edit the
file to set the audit classes.
After you configure audit classes, the auditing occurs the next time the user logs on.
The sample PBIS auditclasses file looks like this:
#
# Sample auditclasses file.
#
# A line with no label specifies the default audit classes
# for users that are not explicitly listed:
#
general, files
#
# A line starting with a username specifies the audit classes
# for that AD user. The username must be specified as the
# "canonical" name for the user: either "DOMAIN\username" or
# just "username" if "--assumeDefaultDomain yes" was passed
# to domainjoin-cli with "--userDomainPrefix DOMAIN".
# In PBIS Enterprise, if the user has an alias specified in
# the cell the alias name must be used here.
#
DOMAIN\user1: general, files, tcpip
user2: general, cron
#
# A line starting with an @ specifies the audit classes for
# members of an AD group. These classes are added to the
# audit classes for the user (or the default, if the user is
# not listed here). Whether to specify "DOMAIN\groupname" or
# just "groupname" follows the same rules as for users.
#
@DOMAIN\mail_users: mail
@group2: cron
For information on AIX audit classes, see the IBM documentation for your version of AIX.
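To see how the three kinds of line combine for a given user, here is an added Python example; it is not part of this guide or of PBIS, and it does not talk to AIX. It parses an auditclasses file in the format above and returns the classes a user would be audited under: the user's own line (or the default when the user is not listed) plus the classes of every listed group the user belongs to. The file text is constructed from the sample above. Case-insensitive matching of the labels is this example's assumption, chosen because the PBIS authentication service renders AD names in lowercase.

```python
from typing import Dict, List, Tuple

# Constructed from the sample /etc/pbis/auditclasses shown above (comments trimmed).
SAMPLE_AUDITCLASSES = r"""
# default classes for users not listed explicitly
general, files
# per-user lines: "DOMAIN\user" or "user" (with --assumeDefaultDomain yes)
DOMAIN\user1: general, files, tcpip
user2: general, cron
# per-group lines start with @ and are ADDED to the user's classes
@DOMAIN\mail_users: mail
@group2: cron
"""

Classes = List[str]


def _split_classes(text: str) -> Classes:
    """'general, files' -> ['general', 'files'] (empty items dropped)."""
    return [c.strip() for c in text.split(",") if c.strip()]


def parse_auditclasses(text: str) -> Tuple[Classes, Dict[str, Classes], Dict[str, Classes]]:
    """Return (default_classes, classes_by_user, classes_by_group).

    Labels are lowercased. Assumption: they are matched case-insensitively,
    since lsass renders AD user and group names in lowercase.
    """
    default: Classes = []
    by_user: Dict[str, Classes] = {}
    by_group: Dict[str, Classes] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        if ":" not in line:                   # unlabelled line = the default set
            default = _split_classes(line)
            continue
        label, classes = line.split(":", 1)
        label = label.strip().lower()
        if label.startswith("@"):
            by_group[label[1:]] = _split_classes(classes)
        else:
            by_user[label] = _split_classes(classes)
    return default, by_user, by_group


def effective_classes(text: str, user: str, member_of: List[str]) -> Classes:
    """Audit classes for `user`, who is a member of the AD groups in `member_of`.

    Rule from the file: the user's own line, or the default if the user is not
    listed, plus the classes of every listed group the user belongs to.
    Order is kept and duplicates are removed.
    """
    default, by_user, by_group = parse_auditclasses(text)
    result = list(by_user.get(user.lower(), default))
    for group in member_of:
        for cls in by_group.get(group.lower(), []):
            if cls not in result:
                result.append(cls)
    return result


if __name__ == "__main__":
    # user1 is listed explicitly and is in mail_users -> general, files, tcpip, mail
    print(effective_classes(SAMPLE_AUDITCLASSES, r"DOMAIN\user1", [r"DOMAIN\mail_users"]))
    # user3 is not listed and is in group2 -> the default plus cron
    print(effective_classes(SAMPLE_AUDITCLASSES, r"DOMAIN\user3", ["group2"]))
```

Before deploying a file, run every user you expect on the host through effective_classes and confirm that nobody silently falls back to the default set; note that in this parser a user line typed without its colon is not an error but becomes a new default set, which is exactly the kind of mistake such a check catches.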
Configuring PBIS with the Registry
The PBIS registry is a hierarchical database that stores configuration information for PBIS services,
authentication providers, drivers, and other services.
On Linux, Unix, and Mac computers, the PBIS services continually access the registry to obtain settings for
their parameters. The PBIS authentication service, for example, queries the registry to determine which
log level to use or which home directory template to apply to a user. In version 5.4 or later, the registry
replaces the text-based configuration files like lsassd.conf that were used in version 5.3 or earlier.
When you install the PBIS agent on a Linux, Unix, or Mac computer but do not install PBIS Enterprise on a
Windows administrative workstation connected to Active Directory, you cannot configure local PBIS
settings with Group Policy settings. Instead, you must edit the local PBIS registry. You can access the
registry and modify its settings by using the PBIS registry shell—regshell—in /opt/pbis/bin/.
This chapter describes the structure of the registry, demonstrates how to change a value in it, and lists
the local PBIS configuration options.
Note: Most of the registry settings can be centrally managed with Group Policy settings when you use
PBIS Enterprise; see the PowerBroker Identity Services Group Policy Administration Guide. If you
modify a setting in the registry that is managed by a Group Policy setting, the change will not
persist: It will be overwritten by the setting in the Group Policy Object (GPO) as soon as the GPO is
updated, which typically takes place once every 30 minutes. PBIS Open does not apply Group
Policy settings.
The Structure of the Registry
The PBIS registry contains one predefined top-level, or root, key: HKEY_THIS_MACHINE. Within the root
key, the structure of the registry is delineated by service into branches of keys, subkeys, and values.
•
A key is similar to a folder; it can contain additional keys and one or more value entries.
•
A value entry is an ordered pair with a name and a value.
•
A subkey, similar to a subfolder, is simply a child key that appears under another key, the parent.
•
A branch describes a key and all of its contents, including subkeys and value entries.
The upper level of the PBIS registry's hierarchical structure looks like the following:
[root@bvt-cen62-64 testuser]# /opt/pbis/bin/regshell
\> cd H
\> cd [HKEY_THIS_MACHINE]
HKEY_THIS_MACHINE\> ls
[HKEY_THIS_MACHINE]
[HKEY_THIS_MACHINE\Services]
HKEY_THIS_MACHINE\> cd Ser\
HKEY_THIS_MACHINE\> cd Services\
HKEY_THIS_MACHINE\Services> ls
[HKEY_THIS_MACHINE\Services\]
[HKEY_THIS_MACHINE\Services\dcerpc]
[HKEY_THIS_MACHINE\Services\eventfwd]
[HKEY_THIS_MACHINE\Services\eventlog]
[HKEY_THIS_MACHINE\Services\gpagent]
[HKEY_THIS_MACHINE\Services\lsass]
[HKEY_THIS_MACHINE\Services\lwio]
[HKEY_THIS_MACHINE\Services\lwpkcs11]
[HKEY_THIS_MACHINE\Services\lwreg]
[HKEY_THIS_MACHINE\Services\lwsc]
[HKEY_THIS_MACHINE\Services\netlogon]
[HKEY_THIS_MACHINE\Services\rdr]
[HKEY_THIS_MACHINE\Services\reapsysl]
[HKEY_THIS_MACHINE\Services\usermonitor]
HKEY_THIS_MACHINE\Services>
Each key under Services corresponds to a PBIS service or driver. The subkeys within each service contain
value entries; a value entry specifies the setting for one parameter, and most of them appear under the
service's Parameters subkey.
Data Types
The PBIS registry uses four data types to store values. The values of data types are case sensitive. The
maximum size of a key is 255 characters (absolute path).
Table 1. Data types defined and used by PBIS

Binary Value (REG_BINARY)
    A sequence of bytes. Displayed in the registry shell in hexadecimal format. The
    maximum size is 1024 bytes.

DWORD Value (REG_DWORD)
    Data represented by a 32-bit integer. Parameters and services are typically set as this
    data type. The values are displayed in the registry shell in hexadecimal and decimal
    format. When a parameter is turned off, it is set to 0; when a parameter is turned on,
    it is set to 1.

MultiString Value (REG_MULTI_SZ)
    A multiple string. Values that include lists or multiple values typically use this data
    type. Values are strings in quotation marks separated by spaces. In an import of a
    PBIS registry file, the multi-string values typically contain an sza: prefix. In an export
    of the registry, the multi-string values typically contain a hex(7): prefix. The
    maximum size of a REG_MULTI_SZ is 1024 bytes in total, not per string. The null bytes
    between strings also count toward the limit, so the usable byte count is slightly less.

String Value (REG_SZ)
    A text string. The maximum size of a REG_SZ value is 1023 characters (1024 bytes,
    including the null terminator).
Access the Registry
You can access and modify the registry by using the registry shell—regshell—in /opt/pbis/bin. The
shell works in a way that is similar to BASH. You can navigate the registry's hierarchy with the following
commands:
cd
ls
pwd
You can view a list of commands that you can execute in the shell by entering help:
/opt/pbis/bin/regshell
\> help
usage: regshell [--file | -f] command_file.txt
add_key [[KeyName]]
list_keys [[keyName]]
delete_key [KeyName]
delete_tree [KeyName]
cd [KeyName]
pwd
add_value [[KeyName]] "ValueName" Type "Value" ["Value2"] [...]
set_value [[KeyName]] "ValueName" "Value" ["Value2"] [...]
list_values [[keyName]]
delete_value [[KeyName]] "ValueName"
set_hive HIVE_NAME
import file.reg
export [[keyName]] file.reg
upgrade file.reg
exit | quit | ^D
Type: REG_SZ | REG_DWORD | REG_BINARY | REG_MULTI_SZ
REG_DWORD and REG_BINARY values are hexadecimal
Note: cd and pwd only function in interactive mode
Note: HKEY_THIS_MACHINE is the only supported hive
\>
Note: In the unlikely event that you want to restore all the registry's default values, you must leave the
domain, stop all the PBIS services, manually delete /var/lib/pbis/db/registry.db, and
then reinstall PBIS.
Change a Registry Value Using the Shell
You can change a value in the registry by executing the set_value command with the shell. After you
modify a registry setting for a PBIS service, refresh the service with the PBIS Service Manager for the
changes to take effect.
The following procedure shows how to change the value of the PAM key's LogLevel entry. The procedure
to change other keys is similar.
1. With the root account, start regshell:
/opt/pbis/bin/regshell
2. Change directories to the location of the PAM key and list its current settings:
[root@rhel5d bin]# ./regshell
\> cd HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM
HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM> ls
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]
"DisplayMotd"          REG_DWORD   0x00000001 (1)
"LogLevel"             REG_SZ      "error"
"UserNotAllowedError"  REG_SZ      "Access denied"
3. Execute the set_value command with the name of the value as the first argument and the new
value as the second argument:
HKEY_THIS_MACHINE\services\lsass\Parameters\PAM> set_value LogLevel debug
4. List the key's value entries to confirm that the value was changed:
HKEY_THIS_MACHINE\services\lsass\Parameters\PAM> ls
[HKEY_THIS_MACHINE\services\lsass\Parameters\PAM\]
"DisplayMotd"          REG_DWORD   0x00000001 (1)
"LogLevel"             REG_SZ      "debug"
"UserNotAllowedError"  REG_SZ      "Access denied"
5. Exit the shell:
HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM> quit
6. After you change a setting in the registry, you must use the PBIS Service Manager—lwsm—to force
the service to start using the new configuration.
Since there were configuration changes to the lsass service, run the following command with superuser privileges:
/opt/pbis/bin/lwsm refresh lsass
Set Common Options with the Registry Shell
This section shows you how to modify common PBIS settings by using the registry shell: the default
domain, the home directory, and the shell.
1. As root or with sudo, start the registry shell:
/opt/pbis/bin/regshell
2. Change directories to the following location:
cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
3. Change the shell to, for example, bash:
set_value LoginShellTemplate /bin/bash
For more information, see Set the Home Directory and Shell for Domain Users.
4. Set the option to use the default domain:
set_value AssumeDefaultDomain 1
5. Leave the shell:
quit
6. After you change a setting in the registry, you must use the PBIS Service Manager—lwsm—to force
the service to start using the new configuration.
Since there were configuration changes to the lsass service, run the following command with superuser privileges:
/opt/pbis/bin/lwsm refresh lsass
Here is how the string of commands looks in the registry shell:
[root@rhel5d docs]# /opt/pbis/bin/regshell
\> cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> set_value
AssumeDefaultDomain 1
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> set_value
LoginShellTemplate /bin/bash
HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory> quit
[root@rhel5d docs]# /opt/pbis/bin/lwsm refresh lsass
Change a Registry Value from the Command Line
You can change a value in the registry by executing the set_value command from the command line.
After you modify a registry setting for a PBIS service, you must refresh the corresponding service with the
PBIS Service Manager for the changes to take effect.
The following code block demonstrates how to change the value of the PAM key's LogLevel entry
without using the shell.
/opt/pbis/bin/regshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]'
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
"DisplayMotd"          REG_DWORD   0x00000001 (1)
"LogLevel"             REG_SZ      "error"
"UserNotAllowedError"  REG_SZ      "Access denied"
/opt/pbis/bin/regshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]' LogLevel debug
/opt/pbis/bin/regshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]'
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
"DisplayMotd"          REG_DWORD   0x00000001 (1)
"LogLevel"             REG_SZ      "debug"
"UserNotAllowedError"  REG_SZ      "Access denied"
Find a Registry Setting
When you are not sure where to find a setting that you want to change, you can export the registry's
structure to a file and then search the file for the value entry's location.
Important: You must export the registry as root.
1. With the root account, start regshell:
/opt/pbis/bin/regshell
2. In the shell, execute the export command with the root key as the first argument and a target file as
the second argument:
export HKEY_THIS_MACHINE\ lwregistry.reg
The file is exported to your current directory unless you specify a path.
3. In a text editor such as vi, open the file and search for the entry that you want to find.
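Searching the export by eye works for one setting; when you need to know every key that carries a given value entry, and what each currently holds, a small parser is more reliable. The following is an added Python example, not code from this guide or from PBIS. It reads the export layout shown in this chapter ([key] lines, "Name"="string" and "Name"=dword:hex entries) and reports every key path where an entry of a given name lives. The export text is constructed from keys and values quoted in this chapter; hex(7): multi-string entries are kept as raw text because their byte layout is not described here.

```python
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, int]

# Constructed fragment in the layout of a `regshell export` file, using keys and
# values quoted in this chapter. A real export of HKEY_THIS_MACHINE is much larger.
SAMPLE_EXPORT = r"""
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
"LogLevel"="error"
"EnableEventlog"=dword:00000000
"DomainSeparator"="\\"
"SpaceReplacement"="^"

[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
"DisplayMotd"=dword:00000001
"LogLevel"="error"
"UserNotAllowedError"="Access denied"

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"AssumeDefaultDomain"=dword:00000000
"LoginShellTemplate"="/bin/sh"
"HomeDirTemplate"="%H/local/%D/%U"
"""

_KEY_RE = re.compile(r"^\[(.+?)\\?\]$")       # [HKEY_THIS_MACHINE\...], optional trailing '\'
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')   # "Name"=<data>


def _decode(data: str) -> Value:
    """Decode the REG_SZ and REG_DWORD forms; anything else (hex(7): etc.) is kept raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")   # .reg files escape '\' as '\\'
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each key path to its value entries, in file order."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode(m.group(2))
    return keys


def find_value(text: str, value_name: str) -> List[Tuple[str, Value]]:
    """Every (key path, current data) where a value entry named value_name lives.

    Matching is case-insensitive, so 'loglevel' finds "LogLevel" under both
    lsass\Parameters and lsass\Parameters\PAM.
    """
    wanted = value_name.lower()
    hits: List[Tuple[str, Value]] = []
    for path, entries in parse_reg_export(text).items():
        for name, data in entries.items():
            if name.lower() == wanted:
                hits.append((path, data))
    return hits


if __name__ == "__main__":
    for path, data in find_value(SAMPLE_EXPORT, "LogLevel"):
        print(f"{path}: {data!r}")
```

Run it against a real export (export as root, then pass the file's text to find_value) to learn the exact key path before you change a value with set_value, and to spot a value entry that exists under more than one key, as LogLevel does.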
lsass Settings
This section lists values in the lsass branch of the registry.
Log Level Value Entries
There is a LogLevel value entry under several keys, including lsass\Parameters and lsass\Parameters\PAM.
Default value: error
Available entries: disabled, error, warning, info, verbose. (The PAM example earlier in this chapter sets
the PAM key's LogLevel to debug, a value this list does not include.)
Locations
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entry
LogLevel
Example with default value
"LogLevel"="error"
Turn on Event Logging
You can capture information about authentication transactions, authorization requests, and other
security events by turning on event logging.
For information about managing and viewing events, refer to the PBIS Enterprise Auditing and Reporting
Guide.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
Value Entry
EnableEventlog
Example with default value
"EnableEventlog"=dword:00000000
Turn off Network Event Logging
After you turn on event logging, network connection events are logged by default.
On laptop computers, computers with a wireless connection, or other computers whose network status
might be in flux, you can turn off event logging so that the event log is not inundated with connectivity
events.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
LogNetworkConnectionEvents
Example with default value
"LogNetworkConnectionEvents"=dword:00000001
Restrict Logon Rights
You can require that a user be a member of a group to log on to a computer, or you can limit logon to only
the users that you specify. PBIS checks RequireMembershipOf in both the authentication phase and the
account phase.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
RequireMembershipOf
Notes
• Add each user or group to the value entry by using an NT4-style name (the short domain name with
the user or group name) or an Active Directory security identifier (SID). Aliases are not supported.
• Each entry must be enclosed in quotation marks.
• Only the users that you specify and the users who are members of the groups that you specify are
allowed to log on to the computer.
• Escape each backslash with a second backslash (\\).
Example
"RequireMembershipOf"="example\\support" "example\\domain^admins"
"example\\joe" "S-1-5-21-3447809367-3151979076-456401374-513"
Display an Error to Users Without Access Rights
You can set PBIS to display an error message when a user tries to log on to a computer without the
appropriate permissions in place.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entry
UserNotAllowedError
Notes
Add the text of the error message that you want to display to the value of the entry.
Example with default value
"UserNotAllowedError"="Access denied"
Display a Message of the Day
You can set PBIS to display a message of the day (MOTD). It appears after a user logs on but before the
logon script executes to give users information about a computer.
The message can, for instance, remind users of the next scheduled maintenance window.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entry
DisplayMotd
Example
The value set to 1, or true, to display a message:
"DisplayMotd"=dword:00000001
Change the Domain Separator Character
The default domain separator character is set to \. By default, the Active Directory group
DOMAIN\Administrators appears as DOMAIN\administrators on target Linux and Unix
computers. The PBIS authentication service renders all names of Active Directory users and groups
lowercase.
You can, however, replace the backslash that acts as the separator between an Active Directory domain
name and the SAM account name with a character that you choose by modifying the DomainSeparator
value entry in the registry.
The following characters cannot be used as the separator:
• alphanumeric characters (letters and digits)
• @
• #
• the character that you used for the space-replacement setting. For more information, see Change
the Replacement Character for Spaces.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
Value Entry
DomainSeparator
Example entry with default value
"DomainSeparator"="\\"
Note: In the default value, the backslash is escaped by the backslash that precedes it.
Change Replacement Character for Spaces
You can replace the spaces in Active Directory user and group names with another character in the
SpaceReplacement value entry.
The default replacement character is set to ^.
For example, the Active Directory group DOMAIN\Domain Users appears as DOMAIN\domain^users
on target Linux and Unix computers.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
Value Entry
SpaceReplacement
Notes
The following characters cannot be used:
• whitespace (spaces and tabs)
• alphanumeric characters (letters and digits)
• @
• \
• #
The PBIS authentication service renders all names of Active Directory users and groups lowercase.
Example with default value
"SpaceReplacement"="^"
Turn Off System Time Synchronization
With PBIS Open and PBIS Enterprise, you can specify whether a joined computer synchronizes its time
with the domain controller.
By default, when a computer is joined to a domain without the --notimesync command-line option, the
computer's time is synchronized with the domain controller's when the two differ by more than 60
seconds but by less than the maximum clock skew, which is typically 5 minutes.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
SyncSystemTime
Example with default value
"SyncSystemTime"=dword:00000001
Set the Default Domain
If your Active Directory environment has only one domain, you can set that domain as the default. Users
then only need to type a user name or group name to log on to a computer.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
AssumeDefaultDomain
Example with default value
"AssumeDefaultDomain"=dword:00000000
Set the Home Directory and Shell for Domain Users
When you install PowerBroker Identity Services on a Linux, Unix, or Mac computer but not on Active
Directory, you cannot associate a PowerBroker cell with an organizational unit, and thus you have no way
to define a home directory or shell in Active Directory for users who log on the computer with their
domain credentials.
To set the home directory and shell for a Linux, Unix, or Mac computer that is using PBIS Open or PBIS
Enterprise without a cell, edit the value entries in the registry.
If you use PBIS Enterprise to set the shell and home directory both in Active Directory and in the registry,
the settings in Active Directory take precedence.
After you change the home directory or shell in the registry, you must clear the PBIS authentication
cache, log off, and then log on before your changes will take effect.
In the lsass branch, there are two keys that contain value entries for the home directory and shell. One is
for the local provider, the other is for the Active Directory provider.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
The following value entries for the home directory and shell, shown with their default settings, appear
under both the Active Directory and Local provider keys:
"LoginShellTemplate"="/bin/sh"
"HomeDirTemplate"="%H/local/%D/%U"
"HomeDirPrefix"="/home"
"CreateHomeDir"=dword:00000001
Set the Shell
Under the key for a provider, modify the value of the following entry to set the shell that you want:
LoginShellTemplate
Example with default value:
"LoginShellTemplate"="/bin/sh"
Note: /bin/bash might not be available on all systems.
Set the Home Directory
The following variables are available with the HomeDirTemplate value entry:
Variable   Description
%U         The user name. Required.
%D         The domain name. Optional.
%H         The home directory prefix (HomeDirPrefix, or the per-OS default described below). Optional.
           It must expand to an absolute path. When used, it is typically the first variable in the
           template.
%L         The hostname of the computer. Optional.
Here is an example with all four variables set: %H/%L/%D/%U
In the following example, the HomeDirTemplate uses the %H variable, which expands to the
HomeDirPrefix, to set the user's home directory:
"HomeDirTemplate"="%H/local/%D/%U"
In the template, %H is not preceded by a slash because the slash is already included in the default
HomeDirPrefix, which ensures that the path is absolute.
By default, %H expands to the home directory root that is conventional for the operating system:
– On Solaris, %H maps to /export/home.
– On Mac OS X, %H maps to /Users.
– On Linux, %H maps to /home.
Optionally, you can set the HomeDirPrefix by changing the prefix to the path that you want. However,
the HomeDirPrefix must be an absolute path—so you must precede it with a slash. Example with
default value:
"HomeDirPrefix"="/home"
All the users who log on to the computer using their Active Directory domain credentials will have the
shell and home directory that you set under the Providers\ActiveDirectory key. All the users who
log on to the computer using their local PBIS provider credentials will have the shell and home directory
that you set under the Providers\Local key.
Important: On Solaris, you cannot create a local home directory in /home, because /home is used by
autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in
/export/home.
On Mac OS X, to mount a remote home directory, you must first create the directory on the remote
server as well as the folders for music, movies, and so forth. See Use the createhomedir Command to
Create Home Directories and other information on Apple's website.
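The following Python script is an added example, not PBIS code: it models the substitution rules just described (%U, %D, %L, and %H taken from HomeDirPrefix or the per-OS default) so that a registry change can be previewed before the cache is cleared and users log on again. The platform labels linux, solaris and macosx, the function names, the refusal of names containing a slash or ".." (the page does not say what PBIS does with such names), and the sample user jdoe in domain example on host rhel5d are this example's own assumptions.

```python
"""Preview the home directory that a HomeDirTemplate will produce.

Added example, not PBIS code. Platform labels, function names and the
sample data are this example's own.
"""
import posixpath

# Per-OS defaults for %H as documented: Linux /home, Solaris /export/home,
# Mac OS X /Users. The keys are labels chosen for this example.
DEFAULT_HOME_ROOT = {
    "linux": "/home",
    "solaris": "/export/home",
    "macosx": "/Users",
}


def validate_template(template, home_dir_prefix=None):
    """Return a list of problems with the template and prefix (empty if fine)."""
    problems = []
    if "%U" not in template:
        problems.append("HomeDirTemplate must contain %U")
    if home_dir_prefix is not None and not home_dir_prefix.startswith("/"):
        problems.append("HomeDirPrefix must be an absolute path")
    return problems


def expand_home_dir(template, user, domain, host, platform="linux",
                    home_dir_prefix=None):
    """Return the absolute home directory for one user.

    template        -- HomeDirTemplate value, e.g. "%H/local/%D/%U"
    user, domain    -- AD user name (%U) and short domain name (%D)
    host            -- the computer's hostname (%L)
    platform        -- selects the default %H root when no prefix is given
    home_dir_prefix -- HomeDirPrefix value, used for %H when given
    """
    problems = validate_template(template, home_dir_prefix)
    if problems:
        raise ValueError("; ".join(problems))
    root = home_dir_prefix if home_dir_prefix is not None else DEFAULT_HOME_ROOT[platform]
    # The substituted pieces come from AD object names. Refuse anything that
    # could move the path outside the intended tree (this check is the
    # example's own; the page does not say what PBIS does with such names).
    for value in (user, domain, host):
        if not value or "/" in value or value in (".", ".."):
            raise ValueError("unsafe name %r in home directory template" % value)
    path = (template.replace("%H", root)
                    .replace("%D", domain)
                    .replace("%L", host)
                    .replace("%U", user))
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        raise ValueError("expanded home directory %r is not absolute" % path)
    return path


if __name__ == "__main__":
    # Constructed sample: user jdoe in domain example on host rhel5d.
    for plat in ("linux", "solaris", "macosx"):
        print(plat, expand_home_dir("%H/local/%D/%U", "jdoe", "example", "rhel5d", plat))
    print("custom", expand_home_dir("%H/%L/%D/%U", "jdoe", "example", "rhel5d",
                                    home_dir_prefix="/srv/home"))
```

Run it with the template you intend to set; the printed paths are what the Active Directory or Local provider would create for that user on each platform, and a template without %U or a relative HomeDirPrefix is reported before anything is written to the registry.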
Turn Off Home Directories
By default, a user's home directory is created upon logon. To turn off the creation of home directories,
change value of the following entry to 0, for false:
CreateHomeDir
Example with default setting of 1, which creates a home directory:
"CreateHomeDir"=dword:00000001
Set the Umask for Home Directories
PBIS presets the umask for the home directory and the files copied into it to 022. With a umask of 022,
the default permissions for files and directories created for your AD user account are as follows:
• Read-write access for files you own (mode 644).
• Read-write-search for directories you own (mode 755).
All others have read access only to your files and read-search access to your directories. You can,
however, set the umask for home directories by modifying its value entry in the registry. If home
directories must not be readable by other users, use 077 (owner only) or 027 (owner and group).
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
Value Entry
HomeDirUmask
Example with default value
"HomeDirUmask"="022"
Set the Skeleton Directory
By default, PBIS adds the contents of /etc/skel to the home directory created for a new user account
on Linux and Unix computers. Using /etc/skel or a directory that you designate ensures that all users
begin with the same settings or environment.
On Mac OS X computers, the default skeleton directories are as follows:
/System/Library/User Template/Non_localized
/System/Library/User Template/English.lproj
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Locations
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
Value Entry
SkeletonDirs
Notes
• Add the skeleton directory that you want to set to the entry.
• You can add multiple directories, but each must be enclosed in quotation marks and separated from
  the next by a space.
Example with default value
"SkeletonDirs"="/etc/skel"
Force PBIS Enterprise to Work Without Cell Information
To use the PBIS Enterprise agent to join a Linux, Unix, or Mac OS X computer to a domain that has not
been configured with cell information, you must change the value of CellSupport to unprovisioned.
This setting, which applies only to PBIS Enterprise, forces the authentication service to ignore the
following Unix information even though it is set in Active Directory:
• Home directory
• UID
• GID
• Unix shell
Instead of using the information from Active Directory, the unprovisioned value sets the
authentication service to hash the user's security identifier (SID), from which the UID and GID are
derived, and to use the local settings for the Unix shell and the home directory.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
CellSupport
Notes
The value must be set to one of the following: no-unprovisioned, full, or unprovisioned.
The default is no-unprovisioned, a setting that requires you to create a cell in Active Directory before
you join a PBIS client to it. If you are using PBIS Enterprise with cells and you want to use the Unix settings
in AD, it is recommended that you leave CellSupport at its default value of no-unprovisioned:
"CellSupport"="no-unprovisioned"
Examples
Here is an example with the value set to unprovisioned to force PBIS Enterprise to ignore Unix settings
and other cell information in AD:
"CellSupport"="unprovisioned"
Setting the value to full configures the PBIS Enterprise agent to use cell information when it appears in
AD and local settings when no cells are in AD:
"CellSupport"="full"
Refresh User Credentials
By default, PBIS automatically refreshes user credentials, but you can turn off automatic refreshes by
modifying the configuration of the PBIS authentication service.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
RefreshUserCredentials
Example with default setting
"RefreshUserCredentials"=dword:00000001
Turn Off K5Logon File Creation
By default, PBIS creates a .k5login file in the home directory of an Active Directory user who is
authenticated by Kerberos when logging on a Linux, Unix, or Mac OS X computer. You can, however, stop
the creation of a .k5login file.
The .k5login file contains the user's Kerberos principal, which uniquely identifies the user within the
Kerberos authentication protocol. Kerberos uses the .k5login file to check whether a principal is
allowed to log on as a user. A .k5login file is useful when your computers and your users are in different
Kerberos realms or different Active Directory domains, which can occur when you use Active Directory
trusts. Because the file lives in the user's home directory, whoever can write it can add principals that
are then allowed to log on as that user; keep home directories owned by the user and neither group-
nor world-writable.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
CreateK5Login
Example with default value
"CreateK5Login"=dword:00000001
Change the Duration of the Computer Password
You can set the computer account password's expiration time, which determines how long the PBIS agent
keeps a computer account password before it changes the password in Active Directory. The default is
30 days.
Active Directory manages computer accounts for Linux, Unix, and Mac in the same way as those for
Windows computers; for more information, see the Microsoft Active Directory documentation.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
MachinePasswordLifespan
Example with default value of 30 days (2592000 seconds, shown in hexadecimal):
"MachinePasswordLifespan"=dword:00278d00
Notes
Setting the value to 0 disables expiration. The minimum value is 1 hour, expressed in seconds, and the
maximum is 60 days, expressed in seconds.
To avoid issues with Kerberos key tables and single sign-on, the MachinePasswordLifespan must be
at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted
clock skew.
The expiration time for a user ticket is set by using an Active Directory Group Policy setting called
Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default PBIS computer
password lifetime is 30 days.
Check the Maximum Lifetime for a User Ticket
1. Open the default domain policy in the Group Policy Management Editor.
2. In the console tree under Computer Configuration, expand Windows Settings, expand Security
Settings, expand Account Policies, and then click Kerberos policy.
3. In the details pane, double-click Maximum lifetime for user ticket.
4. In the Ticket expires in box, make sure that the number of hours is no more than half that of the
MachinePasswordLifespan you set in the registry.
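To check a value before writing it, the following Python code is an added example (not PBIS code) that converts between seconds and the dword form used in the registry, enforces the documented range (0 disables expiration; otherwise 1 hour to 60 days), and applies the rule above that the lifespan must be at least twice the user ticket lifetime plus the permitted clock skew. The 5-minute default skew, the treatment of 0 as a finding, and the function names are this example's assumptions; take the real ticket lifetime and skew from the domain's Kerberos policy.

```python
"""Check a MachinePasswordLifespan value against the rules on this page.

Added example, not PBIS code. The 5-minute skew default and the decision to
report a disabled expiration are this example's own.
"""
HOUR = 3600
DAY = 24 * HOUR
MIN_LIFESPAN = 1 * HOUR      # documented minimum
MAX_LIFESPAN = 60 * DAY      # documented maximum


def dword_to_seconds(value):
    """Parse the 'dword:00278d00' form used in registry exports into seconds."""
    if not value.lower().startswith("dword:"):
        raise ValueError("not a dword value: %r" % value)
    return int(value[len("dword:"):], 16)


def seconds_to_dword(seconds):
    """Format seconds as the 8-digit hexadecimal dword the registry expects."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("out of dword range: %r" % seconds)
    return "dword:%08x" % seconds


def check_lifespan(lifespan_seconds, max_user_ticket_hours, clock_skew_seconds=300):
    """Return a list of problems; an empty list means the setting is sound.

    max_user_ticket_hours -- 'Maximum lifetime for user ticket' from the
                             domain's Kerberos policy (default 10 hours)
    clock_skew_seconds    -- permitted clock skew (this example assumes 5 min)
    """
    problems = []
    if lifespan_seconds == 0:
        # Allowed by PBIS, but it means the computer password is never rotated.
        problems.append("expiration disabled: the computer password is never changed")
        return problems
    if lifespan_seconds < MIN_LIFESPAN:
        problems.append("below the 1 hour minimum")
    if lifespan_seconds > MAX_LIFESPAN:
        problems.append("above the 60 day maximum")
    required = 2 * max_user_ticket_hours * HOUR + clock_skew_seconds
    if lifespan_seconds < required:
        problems.append(
            "lifespan %d s is shorter than twice the user ticket lifetime plus "
            "clock skew (%d s)" % (lifespan_seconds, required))
    return problems


if __name__ == "__main__":
    default = 30 * DAY
    print(seconds_to_dword(default))                          # the 30-day default
    print(check_lifespan(default, max_user_ticket_hours=10))  # no problems
    # A 12-hour lifespan with the default 10-hour ticket lifetime is too short.
    print(check_lifespan(12 * HOUR, max_user_ticket_hours=10))
```

Feed it the value you plan to set and the ticket lifetime read from the Kerberos policy in step 4; anything it reports should be resolved before restarting the authentication service.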
Sign and Seal LDAP Traffic
You can sign and seal the LDAP traffic between the PBIS agent and your domain controllers. Signing
protects the integrity of each LDAP message so that tampering is detected; sealing encrypts the traffic so
that others on the network cannot read it. The setting is off by default; turn it on if your domain
controllers require LDAP signing, or if the agent's directory queries cross network segments that you do
not trust.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
LdapSignAndSeal
Example with default value
"LdapSignAndSeal"=dword:00000000
NTLM Settings
There are a number of NTLM settings that system administrators can use to manage NTLM sessions.
Locations
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
Value Entry with Default Value
"AcceptNTLMv1"=dword:00000001
[HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM]
Value Entries with Default Values
"SendNTLMv2"=dword:00000000
"Support128bit"=dword:00000001
"Support56bit"=dword:00000001
"SupportKeyExchange"=dword:00000001
"SupportNTLM2SessionSecurity"=dword:00000001
"SupportUnicode"=dword:00000001
Each NTLM value entry is described below. For additional information, see Microsoft's description of the
LAN Manager authentication levels.
AcceptNTLMv1
    Controls whether the PBIS local provider accepts the older and less secure NTLMv1 protocol for
    authentication in addition to NTLMv2. This setting does not apply to the Active Directory provider,
    because it passes NTLM and NTLMv2 authentication off to a domain controller through schannel; the
    domain controller's settings determine which versions of NTLM are allowed. Unless a legacy client
    still needs NTLMv1 against local PBIS accounts, set it to 0.
SendNTLMv2
    Forces lsass to use NTLMv2 rather than the older and less secure NTLMv1 when lsass acts as a
    client. (Lsass typically serves as an NTLM client in relation to domain controllers.) With the default
    of 0, lsass can still send NTLMv1 responses; set it to 1 to send only NTLMv2.
Support128bit and Support56bit
    Control the length of the encryption key. They are intended to serve as a mechanism for debugging
    NTLM sessions. There are no corresponding settings in Windows.
SupportKeyExchange
    Allows the protocol to exchange a session key (Kerberos has a similar feature). During
    authentication, an alternate key is exchanged for subsequent encryption to reduce the risk of
    exposing a password. It is recommended that you use the default setting.
SupportNTLM2SessionSecurity
    Permits the client to use a more secure variation of the protocol if the client discovers that the
    server supports it. Corresponds to a similar setting in Windows.
SupportUnicode
    Sets NTLM to represent text according to the Unicode industry standard. It is recommended that
    you use the default setting, which is to support Unicode.
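To find these settings at their weaker defaults across a fleet, the following Python script is an added example (not PBIS code) that parses the export format used on this page ([KEY] lines followed by "Name"=dword:... or "Name"="..." lines, as in a registry export) and reports AcceptNTLMv1=1, SendNTLMv2=0 and LdapSignAndSeal=0, treating a missing value as the documented default. Which values count as weak is this example's own policy, derived from the descriptions above and from the Sign and Seal LDAP Traffic section; the two sample exports are constructed.

```python
"""Audit an lsass registry export for the weaker NTLM and LDAP settings.

Added example, not PBIS code. The weak-setting policy and both sample
exports are this example's own.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{1,8})|"(?P<string>[^"]*)")$')

# (key suffix, value name, weak value, reason): this example's policy, and
# for all three the documented default is the weak value.
WEAK_SETTINGS = [
    ("Providers\\Local", "AcceptNTLMv1", 1,
     "local provider accepts NTLMv1; set to 0 unless a legacy client needs it"),
    ("NTLM", "SendNTLMv2", 0,
     "lsass may send NTLMv1 as a client; set to 1 to send only NTLMv2"),
    ("Providers\\ActiveDirectory", "LdapSignAndSeal", 0,
     "LDAP traffic to domain controllers is neither signed nor sealed; set to 1"),
]


def parse_registry_export(text):
    """Return {key: {name: value}}; dwords become int, strings become str."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = tree.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unparsable line: %r" % raw)
        if m.group("dword") is not None:
            current[m.group("name")] = int(m.group("dword"), 16)
        else:
            current[m.group("name")] = m.group("string")
    return tree


def audit_ntlm_ldap(tree):
    """Return (value name, reason) for each weak setting that is set or defaulted."""
    findings = []
    for suffix, name, weak, reason in WEAK_SETTINGS:
        values = next((v for k, v in tree.items() if k.endswith(suffix)), {})
        # A missing value means the documented default is in effect.
        if values.get(name, weak) == weak:
            findings.append((name, reason))
    return findings


# Constructed sample exports: one at the documented defaults, one hardened.
SAMPLE_EXPORT = r"""
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"LdapSignAndSeal"=dword:00000000
"CellSupport"="no-unprovisioned"
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
"AcceptNTLMv1"=dword:00000001
[HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM]
"SendNTLMv2"=dword:00000000
"SupportNTLM2SessionSecurity"=dword:00000001
"""

HARDENED_EXPORT = r"""
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"LdapSignAndSeal"=dword:00000001
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]
"AcceptNTLMv1"=dword:00000000
[HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM]
"SendNTLMv2"=dword:00000001
"""

if __name__ == "__main__":
    for name, reason in audit_ntlm_ldap(parse_registry_export(SAMPLE_EXPORT)):
        print("%-18s %s" % (name, reason))
    print("hardened findings:", audit_ntlm_ldap(parse_registry_export(HARDENED_EXPORT)))
```

Point the parser at an export of the lsass branch from each computer; the hardened sample shows the three values as they should read once the local provider no longer accepts NTLMv1, lsass sends only NTLMv2, and LDAP traffic is signed and sealed.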
Additional Subkeys
There are additional subkeys in the lsass branch that the lsass service uses to store information for the
PBIS application.
It is recommended that you do not change these subkeys or their value entries.
• [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\YourDNSdomainName\DomainTrust]
  Stores information about domain trusts.
• [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\YourDNSdomainName\ProviderData]
  Stores data used by the Active Directory authentication provider.
• [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\YourDNSdomainName\Pstore]
  Caches information about the computer and its Active Directory account, including the computer
  password. The computer password is visible only to root users when they view or export the registry.
  Because it is the credential with which the computer authenticates to the domain, treat any registry
  export or backup that includes this subkey as a secret.
  The following shows an example of Pstore key information:
  [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\EXAMPLE.COM\Pstore]
  "ClientModifyTimestamp"=dword:4b86d9c6
  "CreationTimestamp"=dword:4b86d9c6
  "DomainDnsName"="EXAMPLE.COM"
  "DomainName"="EXAMPLE"
  "DomainSID"="S-1-5-21-3190566242-1409930201-3490955248"
  "HostDnsDomain"="example.com"
  "HostName"="RHEL5D"
  "MachineAccount"="RHEL5D$"
  "SchannelType"=dword:00000002
• [HKEY_THIS_MACHINE\Services\lsass\Parameters\RPCServers]
  Stores information that the system uses to execute remote procedure calls.
Add Domain Groups to Local Groups
This value entry controls whether the domain-join process adds domain groups to the local PBIS groups
and whether the domain-leave process removes domain groups from the local PBIS groups. The default
setting is 0, for disabled: no domain groups are added to local groups.
When the setting is enabled, the AD group Domain Admins is added to BUILTIN\Administrators, and
Domain Users is added to BUILTIN\Users; every member of Domain Admins thereby becomes a local
administrator of the computer.
After joining or leaving a domain, you can verify that the domain groups were added to or removed from
the local groups by running the lsa enum-members command for the BUILTIN\Administrators group
and the BUILTIN\Users group (quote or escape the backslash when typing the name in a shell).
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
AddDomainToLocalGroupsEnabled
Example with default value
"AddDomainToLocalGroupsEnabled"=dword:00000000
Control Trust Enumeration
PBIS includes the following settings for controlling how the domain manager component of the
authentication service enumerates trusts. The settings can help improve performance of the
authentication service in an extended AD topology.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Important: The setting that specifies an include list is dependent on defining the setting for ignoring all
trusts: To use the include list, you must first enable the setting to ignore all trusts. The include-list setting
must explicitly contain every domain that you want to enumerate. It is insufficient to include only the
forests that contain the domains.
For a domain that is added to the include list, PBIS tries to discover its trust. If some of the domains are
not included in the space-separated list, the resulting trust relationships might run counter to your
intentions: The PBIS agent might process the trust as a one-way forest child trust when it is not.
Changes to the trust enumeration settings take effect when you restart either the computer or the PBIS
authentication service (lsass).
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entries
DomainManagerIgnoreAllTrusts
    Determines whether the authentication service discovers domain trusts. In the default
    configuration of disabled, the service enumerates all the parent and child domains and forest trusts
    to other domains. For each domain, the service establishes a preferred domain controller by checking
    for site affinity and testing server responsiveness, a process that can be slowed by WAN links, subnet
    firewall blocks, stale AD site topology data, or invalid DNS information.
    When it is unnecessary to enumerate all the trusts (for example, because the intended users of the
    target computer are only from the forest that the computer is joined to), turning on this setting can
    improve startup times of the authentication service.
DomainManagerIncludeTrustsList
    When DomainManagerIgnoreAllTrusts is turned on, only the domain names in this list are
    enumerated for trusts and checked for server availability. Each item in the list must be separated by
    a space.
DomainManagerExcludeTrustsList
    When DomainManagerIgnoreAllTrusts is turned off (its default setting), the domain names in this
    list are not enumerated for trusts and not checked for server availability. Each item in the list must
    be separated by a space.
Modify Smart Card Settings
The following settings are available only with PBIS Enterprise.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
Value Entries
SmartCardPromptGecos
SmartCardServices
Set the Interval for Checking the Status of a Domain
This value entry determines how frequently the PBIS domain manager checks whether a domain is online.
The default is 5 minutes.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
DomainManagerCheckDomainOnlineInterval
Example with default value of 5 minutes (300 seconds, in hexadecimal)
"DomainManagerCheckDomainOnlineInterval"=dword:0000012c
Set the Interval for Caching an Unknown Domain
This value entry determines how long the PBIS domain manager caches an unknown domain as
unknown. The default is 1 hour.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
DomainManagerUnknownDomainCacheTimeout
Example with default value of 1 hour (3600 seconds, in hexadecimal)
"DomainManagerUnknownDomainCacheTimeout"=dword:00000e10
lsass Cache Settings
Many of the following cache settings can be managed by the Group Policy settings of PBIS Enterprise. For
more information, see the PowerBroker Identity Services Group Policy Administration Guide.
Set the Cache Type
By default, the lsass service uses memory to cache information about users, groups, and the state of the
computer. You can, however, change the cache to store the information in SQLite, which might improve
the performance of your system.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
CacheType
Example with default value:
"CacheType"="memory"
Notes
To use the SQLite cache, change the value to sqlite.
Example
"CacheType"="sqlite"
Cap the Size of the Memory Cache
You can set the size of the cache to prevent it from consuming too much memory.
The recommended cache size is between 1 MB and 10 MB. The size limit depends on your environment.
Groups with many members require a larger memory cache to enumerate all the users.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
MemoryCacheSizeCap
Notes
To limit the memory cache to a maximum value, change the value to the byte count that you want. When
the total cache size exceeds the limit, old data is purged. The default value is 0: no limit is set.
Example with default value
"MemoryCacheSizeCap"=dword:00000000
Change the Duration of Cached Credentials
You can specify how long the PBIS agent caches information about an Active Directory user's home
directory, logon shell, and the mapping between the user or group and its security identifier (SID). This
setting can improve the performance of your system by increasing the expiration time of the cache.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entry
CacheEntryExpiry
Notes
Set the value to an interval, in seconds. The minimum is 0 seconds and the maximum is 1 day (86400
seconds).
Example with default value of 4 hours (14400 seconds, in hexadecimal)
"CacheEntryExpiry"=dword:00003840
Change NSS Membership and NSS Cache Settings
To customize PBIS to meet the performance needs of your network, you can specify how the PBIS agent
parses and caches group and user membership information with the following value entries in the
registry:
Location
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
Value Entries
Here are the value entries with their default values:
"TrimUserMembership"=dword:00000001
"NssGroupMembersQueryCacheOnly"=dword:00000001
"NssUserMembershipQueryCacheOnly"=dword:00000000
"NssEnumerationEnabled"=dword:00000000
Each setting is described below.
TrimUserMembership
    Specifies whether to discard cached information from a Privilege Attribute Certificate (PAC) entry
    when it conflicts with new information retrieved through LDAP. Otherwise, PAC information, which
    does not expire, is updated only the next time the user logs on.
    The default setting is 1: it is turned on.
NssGroupMembersQueryCacheOnly
    Specifies whether to return only cached information for the members of a group when queried
    through nsswitch. More specifically, the setting determines whether nsswitch-based group APIs
    obtain group membership information exclusively from the cache, or whether they also search for
    additional group membership data through LDAP.
    This setting exists because, with large amounts of data, the LDAP enumeration can be slow and can
    affect performance. To improve performance for groups with more than 10,000 users, set this option
    to 1. Without the LDAP enumeration, a user's complete group membership is retrieved only when
    that user logs on, based on the PAC.
    The default setting is 1: it is turned on.
NssUserMembershipQueryCacheOnly
    When set to 1, enumerates the groups to which a user belongs using information based solely on
    the cache. When set to 0, it checks the cache and also searches for more information over LDAP.
    The default setting is 0: it is turned off.
NssEnumerationEnabled
    Controls whether all users or all groups can be incrementally listed through NSS. On Linux computers
    and Unix computers other than Mac, the default setting is 0, or turned off. On Mac OS X computers,
    the default setting is 1, or turned on. To allow third-party software to show Active Directory users
    and groups in lists, you can change this setting to 1, but performance might be affected.
    Note: When you run the id command for an Active Directory user other than the current user on
    some Linux systems, such as SLES 10 and SLED 10, the command returns only that user's primary
    group. The command enumerates all the groups and searches for the user in the groups' membership.
    To properly find another user's membership with the id command on SLES 10 and SLED 10, you must
    turn on NSS enumeration.
eventlog Settings
This section lists values in the eventlog branch of the registry.
Allow Users and Groups to Delete Events
This entry specifies the Active Directory users and groups who can delete events from the PBIS event log.
Because deleting events destroys audit evidence, keep this list as short as possible.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
AllowDeleteTo
Notes
Add the users and groups, separated by commas, to the value entry by using NT4-style names (the short
domain name with the group name), the user's or group's alias, or an Active Directory security identifier
(SID). The comma-separated list must be enclosed in quotation marks.
Example
AllowDeleteTo="example\support, example\domain^admins, example\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513, sales^admins"
Allow Users and Groups to Read Events
This value entry specifies the Active Directory users and groups who can read events in the PBIS event log.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
AllowReadTo
Notes
Add the users and groups, separated by commas, to the value entry by using NT4-style names (the short
domain name with the group name), the user's or group's alias, or an Active Directory security identifier
(SID). The comma-separated list must be enclosed in quotation marks.
Example
AllowReadTo="example\support, example\domain^admins, example\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513, sales^admins"
Allow Users and Groups to Write Events
This value entry specifies the Active Directory users and groups who can write events in the PBIS event log.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
AllowWriteTo
Notes
Add the users and groups, separated by commas, to the value entry by using NT4-style names (the short
domain name with the group name), the user's or group's alias, or an Active Directory security identifier
(SID). The comma-separated list must be enclosed in quotation marks.
Example
AllowWriteTo="example\support, example\domain^admins, example\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513, sales^admins"
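The three eventlog lists above (AllowDeleteTo, AllowReadTo and AllowWriteTo) share one format. The following Python code is an added example (not PBIS code) that splits such a value, classifies each item as an NT4-style name, a bare alias, or a SID, and rejects malformed SIDs and empty items, so that a typo does not silently change who can read, write, or delete events. The SID syntax check is this example's own; whether PBIS itself rejects such values is not stated on this page. The sample value is constructed; the '^' in names such as domain^admins is the SpaceReplacement character from earlier on this page.

```python
"""Parse and validate an eventlog AllowDeleteTo / AllowReadTo / AllowWriteTo list.

Added example, not PBIS code. The SID syntax check and the sample value
are this example's own.
"""
import re

# Syntactic SID check: S-1-<identifier authority>-<sub-authority>... ; the
# account SIDs used here have the form S-1-5-21-<domain>-<RID>.
SID_RE = re.compile(r"^S-1-(?:\d{1,10}|0x[0-9a-f]{1,12})(?:-\d{1,10})+$", re.IGNORECASE)


def parse_acl_list(value):
    """Split one Allow*To value into (kind, item) tuples.

    value -- either the bare list or a full 'AllowReadTo="..."' line as shown
             in the registry examples. kind is 'sid', 'nt4' (DOMAIN\\name) or
             'alias' (a bare user or group name, '^' standing for a space).
    Raises ValueError on an empty item, a malformed SID or a malformed NT4 name.
    """
    if "=" in value:
        value = value.split("=", 1)[1]
    value = value.strip()
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty item in list %r" % value)
        if item.upper().startswith("S-"):
            if not SID_RE.match(item):
                raise ValueError("malformed SID %r" % item)
            entries.append(("sid", item.upper()))
        elif "\\" in item:
            domain, name = item.split("\\", 1)
            if not domain or not name or "\\" in name:
                raise ValueError("malformed NT4 name %r" % item)
            entries.append(("nt4", item))
        else:
            entries.append(("alias", item))
    return entries


def acl_list_error(value):
    """Return the validation error for value, or None if it is well formed."""
    try:
        parse_acl_list(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample, in the form used by the registry examples above.
    line = ('AllowReadTo="example\\support, example\\domain^admins, example\\joe, jane, '
            'S-1-5-21-3447809367-3151979076-456401374-513, sales^admins"')
    for kind, item in parse_acl_list(line):
        print("%-5s %s" % (kind, item))
    print(acl_list_error('AllowDeleteTo="S-15-21-3447809367-3151979076-456401374-513"'))
```

Run acl_list_error over the value you intend to write; a mistyped SID such as S-15-21-... is reported instead of being stored as an entry that matches nobody.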
Set the Maximum Disk Size
This value entry specifies the maximum size of the event log. The default is 102400 KB. The minimum size
is 100 KB. The maximum is 2097152 KB.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
MaxDiskUsage
Example with default value (102400 KB = 104857600 bytes, in hexadecimal)
"MaxDiskUsage"=dword:06400000
Set the Maximum Number of Events
This value entry defines the maximum number of events that can reside in the event log. The default is
100,000. The minimum number is 100. The maximum is 2,000,000.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
MaxNumEvents
Example with default value
"MaxNumEvents"=dword:000186a0
Set the Maximum Event Timespan
This value entry defines maximum length of time, in days, that events can remain in the event log. Events
older than the specified time span are removed. The default is 90 days. The maximum is 365 days.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
MaxEventLifespan
Example with default value of 90 days
"MaxEventLifespan"=dword:0000005a
Change the Purge Interval
This value entry defines the number of days after which to purge the database of events. The default is 1
day.
Location
[HKEY_THIS_MACHINE\Services\eventlog\Parameters]
Value Entry
EventDbPurgeInterval
Example with default value of 1 day
"EventDbPurgeInterval"=dword:00000001
netlogon Settings
The netlogon branch contains registry values for setting the expiration of the cache that holds
information for the site affinity service, including the optimal domain controller and global catalog.
The netlogon service generates the value entries under the
[HKEY_THIS_MACHINE\Services\netlogon\cachedb] subkey to cache information about your domain
controllers and global catalog.
It is recommended that you do not change the registry values under the cachedb subkey.
[HKEY_THIS_MACHINE\Services\netlogon]
"Arguments"                        REG_SZ     ""
"Autostart"                        REG_DWORD  0x00000001 (1)
"CoreSize"                         REG_DWORD  0x00000000 (0)
"Dependencies"                     REG_SZ     "lwreg"
"Description"                      REG_SZ     "Site Affinity Service"
"Environment"                      REG_SZ     ""
"Path"                             REG_SZ     "/opt/pbis/lib64/lw-svcm/netlogon.so"
"Type"                             REG_DWORD  0x00000002 (2)
[HKEY_THIS_MACHINE\Services\netlogon\cachedb]
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
"CLdapMaximumConnections"          REG_DWORD  0x00000064 (100)
"CLdapSearchTimeout"               REG_DWORD  0x0000000f (15)
"CLdapSingleConnectionTimeout"     REG_DWORD  0x0000000f (15)
"NegativeCacheTimeout"             REG_DWORD  0x0000003c (60)
"NetBiosUdpTimeout"                REG_DWORD  0x00000001 (1)
"NetBiosWinsPrimary"               REG_SZ     ""
"NetBiosWinsSecondary"             REG_SZ     ""
"PingAgainTimeout"                 REG_DWORD  0x00000384 (900)
"ResolveNameOrder"                 REG_SZ     "DNS"
"WritableRediscoveryTimeout"       REG_DWORD  0x00000708 (1800)
"WritableTimestampMinimumChange"   REG_DWORD  0x00000000 (0)
Only the values under the Parameters subkey are documented in this section.
Set the Negative Cache Timeout
This setting is reserved for internal use only.
Location
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
Value Entry
NegativeCacheTimeout
Example with default value
"NegativeCacheTimeout"=dword:0000003c
Set the Ping Again Timeout
The netlogon service periodically tests whether cached domain controllers are available. This setting
controls how often it does so.
Location
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
Value Entry
PingAgainTimeout
Example with default value
"PingAgainTimeout"=dword:00000384
Set the Writable Rediscovery Timeout
When a service requests a writable domain controller and one does not exist in the local site, this setting
controls how long the service stays affinitized to the writable domain controller before reaffinitizing to a
closer read-only domain controller.
Location
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
Value Entry
WritableRediscoveryTimeout
Example with default value
"WritableRediscoveryTimeout"=dword:00000708
Set the Writable Timestamp Minimum Change
Netlogon keeps track of when a writable domain controller was last requested. Related to
WritableRediscoveryTimeout, this setting controls how often that timestamp is changed.
Location
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
Value Entry
WritableTimestampMinimumChange
Example with default value
"WritableTimestampMinimumChange"=dword:00000000
Set CLdap Options
The netlogon service uses multiple asynchronous CLDAP (Connectionless LDAP, carried over UDP)
searches in a single thread to find servers that act as domain controllers and global catalogs.
To improve performance in the context of your own network, you can adjust the following CLDAP
settings.
Location
[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
Value Entries
CLdapMaximumConnections is the maximum number of servers that will be pinged simultaneously.
The default is 100.
CLdapSearchTimeout is the timeout for the entire search (in seconds). The default is 15 seconds.
CLdapSingleConnectionTimeout is the timeout for pinging a single server (in seconds). The default is
15 seconds.
lwio Settings
The lwio branch contains registry settings for the input-output service, lwio.
The settings under the shares subkey define shared folders and the security descriptors that control
access to them. It is recommended that you do not directly change the values under the shares subkey
while the lwio service is running.
Sign Messages If Supported
Although signing messages is turned off by default, you can set the input-output service to sign
messages. Doing so, however, can degrade performance. When signing is turned off, the input-output
service will reject clients that require signing.
Location
[HKEY_THIS_MACHINE\Services\lwio\Parameters]
Value Entry
SignMessagesIfSupported
Example with default value
"SignMessagesIfSupported"=dword:00000000
Enable Security Signatures
This registry setting, which is turned on by default, sets the CIFS file server to sign responses when it
receives signed messages from a client.
Location
[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\srv]
Value Entry
EnableSecuritySignatures
Example with default value
"EnableSecuritySignatures"=dword:00000001
Require Security Signatures
This registry setting determines whether the CIFS file server will reject clients that do not support signing.
Location
[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\srv]
Value Entry
RequireSecuritySignatures
Example with default value
"RequireSecuritySignatures"=dword:00000001
Set Support for SMB2
This registry setting determines whether the CIFS file server will engage the SMB2 protocol module. When
the setting is turned off, the server will not negotiate with SMB2.
Location
[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\srv]
Value Entry
SupportSmb2
Example with default value
"SupportSmb2"=dword:00000000
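To review the three lwio signing values above together, here is an added example (not code from the PBIS guide or product) that parses the guide's "Name"=dword:XXXXXXXX registry line format, flags the values that leave message signing off, and emits the hardened form in the same format; the sample export it reads is constructed for illustration.

```python
"""Audit the lwio message-signing values described above (added example, not
PBIS code). It reads "Name"=dword:XXXXXXXX lines in the format the guide uses
for its registry examples; key paths and value names come from the guide."""
import re

LWIO = "HKEY_THIS_MACHINE\\Services\\lwio\\Parameters"
SRV = LWIO + "\\Drivers\\srv"

# Constructed sample export: the documented defaults, except that the srv
# driver here has been changed to accept clients that do not support signing.
SAMPLE_EXPORT = """\
[HKEY_THIS_MACHINE\\Services\\lwio\\Parameters]
"SignMessagesIfSupported"=dword:00000000

[HKEY_THIS_MACHINE\\Services\\lwio\\Parameters\\Drivers\\srv]
"EnableSecuritySignatures"=dword:00000001
"RequireSecuritySignatures"=dword:00000000
"SupportSmb2"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Return {(key_path, value_name): int} for every dword entry in the export."""
    values = {}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # subsequent values belong to this key
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group("name"))] = int(m.group("hex"), 16)
    return values


# (key, value name, hardened setting, what the weaker setting means per the guide)
SIGNING_CHECKS = [
    (LWIO, "SignMessagesIfSupported", 1,
     "lwio does not sign messages and rejects clients that require signing"),
    (SRV, "EnableSecuritySignatures", 1,
     "the CIFS server does not sign responses to clients that send signed messages"),
    (SRV, "RequireSecuritySignatures", 1,
     "the CIFS server accepts clients that do not support signing"),
]


def audit_signing(values):
    """One finding per signing value that is missing or not at its hardened setting."""
    findings = []
    for key, name, hardened, meaning in SIGNING_CHECKS:
        actual = values.get((key, name))
        if actual != hardened:
            findings.append(f"{name}={actual!r} under [{key}]: {meaning}")
    return findings


def hardened_export():
    """The same keys with every signing value hardened, in the guide's .reg-style
    format. The guide notes that turning SignMessagesIfSupported on can degrade
    performance, so weigh that against the clients you must interoperate with."""
    lines, current = [], None
    for key, name, hardened, _ in SIGNING_CHECKS:
        if key != current:
            lines.append(f"[{key}]")
            current = key
        lines.append(f'"{name}"=dword:{hardened:08x}')
    return "\n".join(lines) + "\n"
```

Running audit_signing over the constructed export reports two weak values (SignMessagesIfSupported and RequireSecuritySignatures); the output of hardened_export audits clean.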
autoenroll Settings
The autoenroll settings provide registry values to configure auto enrollment for certificates.
You can also manage auto enrollment using GPOs. For more information, refer to the PBIS Group Policy
Guide.
[HKEY_THIS_MACHINE\Services\autoenroll]
+ "Autostart" REG_DWORD 0x00000000 (0)
"Arguments" REG_SZ ""
"Dependencies" REG_SZ ""
"Description" REG_SZ "PBIS Auto Enroll Service"
"Environment" REG_SZ ""
"Path" REG_SZ "/opt/pbis/lib/lw-svcm/autoenroll.so"
"Type" REG_DWORD 0x00000002 (2)
[HKEY_THIS_MACHINE\Services\autoenroll\Parameters]
+ "Authentication" REG_SZ "none"
+ "AutoEnrollPollInterval" REG_DWORD 0x00007080 (28800)
+ "EnableAutoEnroll" REG_DWORD 0x00000000 (0)
+ "EnableWireless" REG_DWORD 0x00000000 (0)
+ "ManagedCertificateLifecycle" REG_DWORD 0x00000000 (0)
+ "SecurityType" REG_DWORD 0x00000000 (0)
+ "SSID" REG_SZ "none"
[HKEY_THIS_MACHINE\Policy\Services\autoenroll\Parameters]
+ "Authentication" REG_SZ "WirelessAuthentication"
+ "AutoEnrollPollInterval" REG_DWORD 0x0000012c (300)
+ "EnableAutoEnroll" REG_DWORD 0x00000001 (1)
+ "EnableWireless" REG_DWORD 0x00000001 (1)
+ "ManagedCertificateLifecycle" REG_DWORD 0x00000001 (1)
+ "PrivateKeyPassword" REG_SZ "OkEp0OihVlG6yuk"
+ "SecurityType" REG_DWORD 0x00000001 (1)
+ "SSID" REG_SZ "SSID"
Lwedsplugin Settings for Mac Computers
The PBIS registry includes the following settings to manage the directory services plugin on a Mac OS X
computer.
Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.
Here is an example configuration in the registry:
[HKEY_THIS_MACHINE\Services\lwedsplugin\Parameters\]
"AllowAdministrationBy" REG_SZ ""
"EnableForceHomedirOnStartupDisk" REG_DWORD 0x00000000 (0)
"EnableMergeAdmins" REG_DWORD 0x00000000 (0)
"EnableMergeModeMCX" REG_DWORD 0x00000000 (0)
"UncProtocolForHomeLocation" REG_SZ "smb"
"UseADUncForHomeLocation" REG_DWORD 0x00000000 (0)
Each setting is described in the table.
DS Plugin Setting in the Registry: Description
Allow administration by: Specifies the administrators included in the local admin group (GID: 80) on the computer. The setting can specify Active Directory users or groups. Local entries are overwritten unless you also set the parameter to merge administrators who are defined locally.
Force home directory on startup disk: Sets a computer to use a local home directory path. When a user with a home folder connection defined in Active Directory logs on, the connection is created in the dock under /Network/Servers/homeFolderName.
Merge Administrators: Preserves members of the admin group who are defined locally but are not specified in the allow administration by policy.
Set the UNC Protocol for the Home Location: Sets the protocol for the home location.
Use UNC path from Active Directory to create home location: Sets the computer to connect to the network share defined in the Active Directory user account. The UNC path is converted to SMB when the target share is running Windows or AFP when the target is running Mac OS X. If the setting for forcing the home directory on the startup disk is enabled, the UNC path is used to create a folder in the user's dock and the home directory is set to the user's local home directory path. To set the path for the home directory, go to the Profile tab of the user's properties in ADUC and under Home folder select Connect, choose a drive letter (which is ignored by a Mac OS X computer), and then in the To box type the UNC path that you want. Here is the form the path takes: \\server\share\folder
Here is an example of a path: \\example\homes\fanthony
Managing PBIS Licenses
There are two options to manage the assignment of PBIS licenses:
• Globally using the License Management page in the BeyondTrust Management Console on a Windows administrative workstation connected to Microsoft Active Directory. It is recommended that you manage your licenses through the BeyondTrust Management Console.
• Locally using a PBIS command-line utility—setkey-cli—on a Linux, Unix, or Mac OS X computer.
Evaluation Licenses and Permanent Licenses
When you install the PBIS agent without a permanent license on a Unix or Linux computer, a 30-day
product evaluation key is automatically generated. If a permanent license key or an extended evaluation
license key is unavailable, PBIS will stop authenticating users and applying Group Policy settings after 30
days. The expiration date of an evaluation license applies only to the computer on which the license is
installed.
To obtain a permanent license or to convert a trial license to a full license, contact a BeyondTrust sales
representative by sending an email to PBIS-sales@beyondtrust.com or by calling 1-800-234-9072 in the
United States. From outside the United States, call +1-818-575-4040.
You can upgrade an evaluation license to a permanent license by importing the permanent license key
into the BeyondTrust Management Console, and applying it to a client computer. If the automatic
assignment feature is in use, the PBIS agent will automatically apply a permanent license when you log on
a client with an AD account, restart the PBIS authentication service, or run the command-line utility for
managing licenses.
Site Licenses and Single-Computer Licenses
BeyondTrust offers site licenses and single-computer licenses.
• A site license covers all the computers in a domain and its child domains. To determine whether a computer falls under a site license, PBIS checks the last two components of the domain name. For example, example.com is the domain governed by a site license and one of the child domains is named child.example.com. The child domain is covered by the site license because the last two components of the domain name match.
• If there are multiple domains, a different license file is required for each domain, regardless of whether you are using a site license or a set of single-computer licenses. To spread a set of single-computer licenses across two or more domains, you can request BeyondTrust sales to distribute the licenses in two or more license files.
Workstation and Server Licenses
BeyondTrust offers two kinds of licenses: workstation and server. Both single-computer licenses and site
licenses distinguish between servers and workstations. When a computer joins a domain, PBIS looks at
the version of the operating system to determine whether to assign a workstation or a server license. If a
server license is unavailable, a workstation license is automatically used.
A workstation license limits the number of concurrent logins to five discrete user accounts. With a server
license, the number of concurrent logins is unlimited. If the computer is a server but is using a
workstation license because no server licenses were available, please contact BeyondTrust sales at
PBIS-sales@beyondtrust.com to obtain more server licenses. You can adjust the license type that you want
the agent to obtain by using the command-line utility for managing licenses.
The PBIS agent verifies a license when you run the setkey-cli utility, when you start the PBIS
authentication service, and when you log on. To verify a license, the setkey-cli utility uses the
computer's Active Directory account to search for licenses in the computer's OU hierarchy up to the top
of the domain. Other domains in the forest are not searched. If the utility cannot find a license in the OU
hierarchy, as a last resort it checks the legacy PBIS container in the Program Data container. When the
computer's domain controller is down, the utility loads the license from the disk without verifying its
assignment in Active Directory.
The PBIS Group Policy service also checks for a license when it refreshes the computer's Group Policy
Objects (GPOs). If the license is invalid, the service ignores the GPOs. Once the license becomes
permanent and valid, the service applies the GPOs when it restarts.
Note: If the message Invalid computer! is displayed in the Assigned To column, revoke the license and
return it to the pool of available licenses. For more information, see Revoke a License.
License Feature Codes
Licenses contain codes that can include or exclude features. When a license is displayed in the console,
the codes in the Features column indicate the entitlements that the license covers.
The following table describes each feature code:
Feature Code: Description
SC: Covers the use of two-factor authentication with a smart card.
GP: Covers the application of GPOs.
AU: Covers the auditing and reporting components.
AD: Covers the use of the PBIS management tools for Active Directory.
Create a License Container
You can install PowerBroker Identity Services licenses manually on each client, or you can install the
licenses in Active Directory and manage them from a central location. In Active Directory, you must create
a license container before you can import a PBIS license key file.
Recommendations
Review the following recommendations for creating a license container.
• Manage licenses in Active Directory and create your license container in a common location at the highest level of the organizational unit (OU) hierarchy to which you have write access. For instance, if you have separate OUs for your Linux and Mac computers, creating the licensing container in a common location above the OUs for the Mac and Linux computers can simplify license management.
• If you have a default cell, create the license container at the level of the domain.
Any OU may have a license container. The container need not be in the same OU as a PowerBroker cell.
The PBIS agent searches the OU hierarchy for a license container in the same way that it searches for a
cell. When a license container is found, the agent stops trying to find a key in another container (even if
the container it finds is empty) and checks whether the license is assigned to the computer. When the
agent finds a license in Active Directory, it marks it as assigned to the computer.
When you create a license container, computers can automatically acquire a license. You can turn off
automatic licensing depending on your requirements. If you do, you must assign a license to each
computer manually after you create the license container. See Assign a License to a Computer in AD.
Note: If needed, you can turn on automatic licensing again at any time after you create the container.
See Turn on Automatic Licensing.
If there is no license container in Active Directory, the agent verifies the license locally—a scenario
reserved for licenses set with setkey-cli.
Important: You must be a member of the Domain Administrators security group or have privileges
sufficient to create and modify containers where you want to create the licensing container. It is
recommended that you do not create a license container in the Domain Controllers OU.
To create a license container:
1. In the BeyondTrust Management Console, expand the Enterprise Console node, right-click the
License Management node, and then click Create License Container.
2. Clear the Allow Computers to Acquire Licenses Automatically check box to prevent computers
from obtaining a license. (Optional).
If you clear the check box, you must manually assign a license to each computer.
3. Select the location where you want to create a container, and then click OK.
You are now ready to import a license file, which will populate the PBIS licenses container in Active
Directory with licenses for your Unix, Linux, and Mac OS X computers.
Turn on Automatic Licensing
If you turned off automatic licensing when you created the license container, you can turn on the feature
at any time.
To turn on automatic licensing:
1. In the BeyondTrust Management Console, expand the Enterprise Console node, right-click the
License Management node, and then click Assign Policy.
2. Select the check box to allow automatic licensing and click OK.
Import a License File
PBIS license keys and site licenses are distributed in an XML file. Using the BeyondTrust Management
Console on your Windows administrative workstation, you can import a license key file containing
licenses.
Note: When you import a license file an Active Directory object is created for every license. For example,
if your license XML file contains 100 licenses, then 100 Active Directory objects are created.
You must create a license container in Active Directory before you can import a license key file.
1. Make sure the XML file containing the licenses is available on your Windows administrative
workstation that is running the BeyondTrust Management Console.
2. Under Enterprise Console, right-click License Management, and then click Import License File.
3. Locate the XML file that contains the licenses, and then click Open.
Assign a License to a Computer in AD
By default, PBIS automatically assigns licenses to computers running the PBIS agent when the computers
connect to the domain. If you turn off the default setting, then a computer cannot automatically obtain a
license. However, you can manually assign a license using the BeyondTrust Management Console.
To manually assign a license:
1. In the BeyondTrust Management Console, expand Enterprise Console, and then click License
Management.
2. Right-click the license that you want to assign, and then click Assign License.
3. In the Select Computer dialog box, click Locations, select the location that contains the computer
you want, and then click OK.
4. In the Enter the object names to select box, type the name of one or more computers—for example,
AppSrvSeattle-1.
Separate multiple entries with semicolons. For a list of examples, click examples.
5. Click Check Names, and then click OK.
Tip: To use additional criteria to search for and select computers, click Advanced. Then, to show
more information about a computer in the Search results box, click Columns, and add or remove
columns.
Manage a License Key from the Command Line
Although it is recommended that you manage licenses in the BeyondTrust Management Console, you
can also manage a license locally from the command line on a Linux, Unix, or Mac OS X computer.
From the command line of a PBIS client, you can check the computer's license, set a license key, release a
license, and adjust the type of license that you want the computer to obtain.
For more information, run the following command:
/opt/pbis/bin/setkey-cli --help
Check the License Key
To view the license key that is installed on a Unix, Linux, or Mac OS X computer, execute the following
command at the shell prompt:
/opt/pbis/bin/setkey-cli
Here is an example:
Set a License Key
You can set a license key for the PBIS agent by using the command line. You should, however, use this
method of setting a key only when there is no licensing container in Active Directory and you want the
agent to verify the license locally.
To set a license key, run the following command as root, replacing LicenseKeyNumber with a valid
license key number:
/opt/pbis/bin/setkey-cli --key LicenseKeyNumber
Note: If there is a license container in Active Directory, you cannot use the command to apply an
additional license or to select a license from the license container; instead, assign the license from
Active Directory.
Release a License Key
When you decommission a computer, you can release a computer's license so it can be used by another
computer. When you release a permanent license key, it is replaced by a temporary evaluation license.
You can also release a license to apply a different permanent license to the computer.
/opt/pbis/bin/setkey-cli --release
Change the Type of License
You can change the type of license that the computer obtains when it connects to Active Directory by
executing the following command as root, replacing typeOfLicense with either workstation or
server.
/opt/pbis/bin/setkey-cli --key-preference typeOfLicense
If the license type you set is unavailable, the non-preferred type is obtained.
Delete a License
When you rename or remove a domain from Active Directory, you might also need to delete PBIS license
keys from Active Directory. If you rename an Active Directory domain, you must obtain new license keys
from BeyondTrust.
Licenses are provided on a per-domain basis; domain licenses apply only to the fully qualified domain
name or child domain to which they were issued.
1. In the BeyondTrust Management Console, expand Enterprise Console, and then click License
Management.
2. In the list of licenses, under Key, right-click the license that you want to delete and then click Delete.
Tip: If you inadvertently delete a license, you can restore it by importing the license file that contains it.
Manage PBIS Enterprise from the Windows Command Line (btopt.exe)
Using the btopt.exe tool, you can manage options for PBIS Enterprise from the command-line of a
Windows administrative workstation connected to Active Directory.
You can, for example, set an option to use sequential IDs instead of hashed IDs. In addition, after you set
the option to use sequential IDs, you can set the initial UID number for a cell.
The btopt.exe tool is installed on computers running PBIS Enterprise in the following directory:
C:\Program Files\BeyondTrust\PBIS\Enterprise
Running the tool without arguments prints its usage:
C:\Program Files\BeyondTrust\PBIS\Enterprise>btopt
btopt - configures local Windows options for PowerBroker Identity Services
Usage: btopt OPTIONS
OPTIONS:
--status                  Show current configuration status
--narrowsearch            Only search the default cell on the local domain
--widesearch              Search the default cell across all domains and two-way forest trust
--sequential              Use sequential IDs instead of hashed IDs
--hashed                  Use hashed IDs
--foreignaliases          Allow the use of aliases for users and groups from other domains.
--noforeignaliases        Disallow the use of aliases for users and groups from other domains.
--usegc                   Use the Global Catalog to speed up searches (default)
--ignoregc                Do not use the Global Catalog to speed up searches
--startUID=#              Sets the initial UID number for a cell (if --sequential)
--startGID=#              Sets the initial GID number for a cell (if --sequential)
--minID=#                 Sets minimum UID and GID number configurable through the UI
--cell=LDAPPATH           Identifies the cell whose initial IDs (if --sequential)
                          Example: LDAP://somedc/ou=anou,dc=somecom,dc=com
--enableloginnames        Sets the default login names to all the users enabled in all the cells.
--disableloginnames       Disable the enable default login names option to all users enabled in all the cells.
--disablesuggestbutton    Disable "Suggest" button, which is used to suggest UID/GID assignment to users and groups in the cells.
--enablesuggestbutton     Enable "Suggest" button, which is used to suggest UID/GID assignment to users and groups in the cells.
--help                    Displays this usage information
If the --startUID or --startGID options are set, the --cell option must also be set.