| ❗ BeyondTrust AD Bridge Open is no longer maintained and will be archived. If you are interested in an Enterprise version of pbis-open, please visit our website https://www.beyondtrust.com/privilege-management/active-directory-bridge |
|---|
BeyondTrust AD Bridge Open has several goals:
- Simplify the process of joining non-Microsoft hosts to Active Directory domains.
- Simplify the management of these hosts.
- Provide a rich development platform for writing applications in heterogeneous networks.
The pbis-open build uses makekit (http://bkoropoff.github.io/makekit/) While the code is portable among a variety of *nix based platforms (Linux, Solaris, AIX, HP-UX, and OS X), this build system is primarily intended for Linux & FreeBSD platforms.
Before you begin, please read over this list of prerequisite development packages (depending on your Linux distro):
- gcc glibc-devel pam-devel flex bison rpm-build rpm-devel popt-devel libxml2-devel autoconf automake libtool
- libglade2-devel - To build domainjoin-gui GTK application
- 32bit development tools and libraries for compatibility packages when building on x86_64
- glibc-devel.i686 libgcc.i686 pam-devel.i686
- build-essential fakeroot devscripts debhelper autoconf automake libtool flex bison libpam0g-dev libxml2-dev libpopt-dev
- libglade2-dev - To build domainjoin-gui GTK application
- 32bit development tools and libraries for compatibility packages when building on x86_64
- libc6-dev-i386 gcc-multilib libpam0g-dev:i386
- ia32-libs - replaced by lib32z1
Note: The default version of awk on some Ubuntu systems has a known bug which causes it to segfault when attempting to build. You can work around this by installing GNU awk:
sudo apt-get install gawk
See https://launchpad.net/ubuntu/+source/mawk/+bug/23494 for details
The easiest way to begin a build is to run:
$ mkdir debug && cd debug
$ ../configure --debug
$ make -jXX package ## where XX is 2x CPU cores
This will build the necessary binaries and libraries and package them up into DEBs or RPMs in the pbis-open/debug/package/ directory.
If you do not want to install using packages, you can do the following instead, but be sure to read the note below:
$ make -jXX
$ sudo make install
You may view the complete set of configure options by running
$ ../configure --help
To generate a release tarball, run "build/mkdist" with pbis-open as your working directory.
Note: When not installing using the local package managers (DEB or RPM), you will need to start lwsmd and import registry files manually:
$ sudo /etc/init.d/lwsmd start
$ sudo bash -c 'for file in /opt/pbis/share/config/*.reg; do \
/opt/pbis/bin/regshell import $file; \
done'
$ sudo /etc/init.d/lwsmd reload
The AD Bridge Registry Service (lwregd) is the configuration data store used by all AD Bridge services. AD Bridge provides several ways to view and modify the registry settings: - /opt/pbis/bin/edit-reg - /opt/pbis/bin/regshell
edit-reg allows you to modify registry settings in your preferred text editor. For example:
$ sudo /opt/pbis/bin/edit-reg
regshell provides the ability to interactively display and modify settings. For example:
$ sudo /opt/pbis/bin/regshell
> cd hkey_this_machine\\services
hkey_this_machine\services> dir
[hkey_this_machine\services]
[HKEY_THIS_MACHINE\Services\lsass]
...
hkey_this_machine\services> cd lsass
hkey_this_machine\services\lsass> dir
Arguments REG_SZ "lsassd --syslog"
Dependencies REG_SZ "netlogon lwio lwreg rdr"
Description REG_SZ "Security and Authentication Subsystem"
Path REG_SZ "/opt/pbis/sbin/lsassd"
Type REG_DWORD 0x00000001 (1)
[HKEY_THIS_MACHINE\Services\lsass\Parameters]
NOTE: incorrectly configuring the PBIS registry can prevent PBIS from starting and/or prevent user authentication. Use caution when modifying existing settings.
The AD Bridge Service Manager (lwsmd) provides a service control architecture for starting and stopping all AD Bridge daemons and drivers based on a dependency graph.
The lwsmd daemon itself is managed using the standard SysV init script:
$ /etc/init.d/lwsmd start
* Starting PBIS Service Manager: lwsmd [ OK ]
Only the registry service (lwregd) is hard coded to be started initially. The user space CLI for managing services is the "lwsm" utility.
$ lwsm list
lwreg running (standalone: 19415)
dcerpc running (standalone: 19453)
eventlog stopped
lsass running (standalone: 19475)
lwio running (standalone: 19438)
rdr running (io: 19438)
srv running (io: 19438)
pvfs running (io: 19438)
npfs running (io: 19438)
netlogon running (standalone: 19468)
srvsvc running (standalone: 19529)
$ lwsm info lsass
Service: lsass
Description: PBIS Security and Authentication Subsystem
Type: executable
Autostart: no
Path: /opt/pbis/sbin/lsassd
Arguments: 'lsassd' '--syslog'
Dependencies: netlogon lwio lwreg rdr
$ lwsm stop lsass
Stopping service reverse dependency: srvsvc
Stopping service reverse dependency: srv
Stopping service: lsass
$ lwsm start srvsvc
Starting service dependency: lsass
Starting service dependency: srv
Starting service: srvsvc
The main PBIS Open web site is at GitHub. From here you will find links to the project forums, and pre-built package downloads.