ID #1268

How can PowerBroker be used with Bright?

PowerBroker Identity Services (PBIS) lets a Linux host use Active Directory (AD) for authentication, and it can be made to work with Bright. The following procedure was tested with Bright 7.0 and RHEL 6 and illustrates how it can be done:

 

For the head node

 

  1. Download the PowerBroker installer script:

[root@b70-c6 ~]# wget -c http://download.beyondtrust.com/PBISO/8.2.2/linux.rpm.x64/pbis-open-8.2.2.2993.linux.x86_64.rpm.sh

 

  2. Run the downloaded script to install the binaries:

 

[root@b70-c6 ~]# sh pbis-open-8.2.2.2993.linux.x86_64.rpm.sh

Creating directory pbis-open-8.2.2.2993.linux.x86_64.rpm

Verifying archive integrity... All good.

Uncompressing pbis-open-8.2.2.2993.linux.x86_64.rpm............

Would you like to install package for legacy links? (i.e.  /opt/likewise/bin/lw-find-user-by-name -> /opt/pbis/bin/find-user-by-name) (yes/no) yes

Would you like to install now? (yes/no) yes

Installing packages and old packages will be removed

warning: /root/pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-upgrade-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY

Preparing...                ########################################### [100%]

  1:pbis-open-upgrade      ########################################### [100%]

warning: /root/pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY

Preparing...                ########################################### [100%]

  1:pbis-open              ########################################### [100%]

Setting up SELinux Policy Module

 

Importing registry...

 

/opt/pbis/share/config/accounts.reg

/opt/pbis/share/config/dcerpcd.reg

/opt/pbis/share/config/eventlogd.reg

/opt/pbis/share/config/lsassd.reg

/opt/pbis/share/config/lwiod.reg

/opt/pbis/share/config/lwreg.reg

/opt/pbis/share/config/netlogond.reg

/opt/pbis/share/config/privileges.reg

/opt/pbis/share/config/rdr.reg

/opt/pbis/share/config/reapsysl.reg

/opt/pbis/share/config/usermonitor.reg

warning: /root/pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-gui-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY

Preparing...                ########################################### [100%]

  1:pbis-open-gui          ########################################### [100%]

warning: /root/pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-legacy-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY

Preparing...                ########################################### [100%]

  1:pbis-open-legacy       ########################################### [100%]

Installing Packages was successful

 

New libraries and configurations have been installed for PAM and NSS.

Please reboot so that all processes pick up the new versions.

 

As root, run domainjoin-gui or domainjoin-cli to join a domain so you can log on with Active Directory credentials. Example:

domainjoin-cli join MYDOMAIN.COM MyJoinAccount

 

  3. Add the AD server to /etc/hosts so that it can be reached, list it as a nameserver, and create a forward zone for the AD domain:

 

[root@b70-c6 ~]# cat /etc/hosts

# This section of this file was automatically generated by cmd. Do not edit manually!

10.2.181.5 win2008 win2008.bcm.local bcm.local bcm

# BEGIN AUTOGENERATED SECTION -- DO NOT REMOVE

 

[root@b70-c6 ~]# cat /etc/resolv.conf

# This section of this file was automatically generated by cmd. Do not edit manually!

# BEGIN AUTOGENERATED SECTION -- DO NOT REMOVE

search cm.cluster eth.cluster openstacklocal new.net bcm.local

nameserver 127.0.0.1

nameserver 10.141.255.253

nameserver 10.2.181.5

nameserver 10.2.202.202

# END AUTOGENERATED SECTION   -- DO NOT REMOVE

 

[root@b70-c6 ~]# cat /etc/named.conf.include

zone "bcm.local" IN {

      type forward;

      forwarders {10.2.181.5;};

};

 

  4. Join the AD domain, so that the head node can be logged into with AD credentials:

 

[root@b70-c6 ~]# domainjoin-cli join BCM.LOCAL Administrator

Joining to AD Domain:   BCM.LOCAL

With Computer DNS Name: b70-c6.bcm.local

 

Administrator@BCM.LOCAL's password:

Warning: System restart required

Your system has been configured to authenticate to Active Directory for the first time.  It is recommended that you restart your system to ensure that all applications recognize the new

settings.

 

SUCCESS

[root@b70-c6 ~]# getent passwd

[...]

BCM\administrator:x:1015546356:1015546369::/home/local/BCM/administrator:/bin/sh

BCM\guest:x:1015546357:1015546370::/home/local/BCM/guest:/bin/sh

BCM\krbtgt:x:1015546358:1015546369::/home/local/BCM/krbtgt:/bin/sh

BCM\adel:x:1015546959:1015546369:adel:/home/local/BCM/adel:/bin/sh

 

mohamed@mohamed:~$ ssh -l BCM\\adel b70-c6

[...]

Creating DSA key for ssh

-sh-4.1$

 

[root@b70-c6 ~]# tail /var/log/secure

[...]

May 11 08:55:07 b70-c6 sshd[18667]: Accepted keyboard-interactive/pam for BCM\\adel from 10.2.184.4 port 36976 ssh2

May 11 08:55:07 b70-c6 sshd[18667]: pam_unix(sshd:session): session opened for user BCM\adel by (uid=0)

 

  5. Add the following line to /etc/rc.local of the head nodes, so that the join is repeated after each reboot:

[root@b70-c6 ~]# cat /etc/rc.local

[...]

domainjoin-cli join BCM.LOCAL Administrator <Ch@ngeMe>

 

 

For the compute nodes

 

  1. Copy the downloaded script into the tmp directory of the software image:

[root@b70-c6 ~]# cp pbis-open-8.2.2.2993.linux.x86_64.rpm.sh /cm/images/default-image/tmp/

 

 

  2. Chroot into the software image and run the script to install the binaries:

[root@b70-c6 ~]# chroot /cm/images/default-image/
[root@b70-c6 /]# sh /tmp/pbis-open-8.2.2.2993.linux.x86_64.rpm.sh
 
Creating directory pbis-open-8.2.2.2993.linux.x86_64.rpm
Verifying archive integrity... All good. 
Uncompressing pbis-open-8.2.2.2993.linux.x86_64.rpm............ 
Would you like to install package for legacy links? (i.e. /opt/likewise/bin/lw-find-user-by-name -> /opt/pbis/bin/find-user-by-name) (yes/no) yes 
Would you like to install now? (yes/no) yes
 
Installing packages and old packages will be removed
 
warning: /pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-upgrade-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
 
Preparing...            ########################################### [100%] 
  1:pbis-open-upgrade  ########################################### [100%]
 
warning: /pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY 
Preparing...            ########################################### [100%] 
  1:pbis-open          ########################################### [100%]
 
Setting up SELinux Policy Module  
 
Importing registry...
/opt/pbis/share/config/accounts.reg 
/opt/pbis/share/config/dcerpcd.reg 
/opt/pbis/share/config/eventlogd.reg 
/opt/pbis/share/config/lsassd.reg 
/opt/pbis/share/config/lwiod.reg 
/opt/pbis/share/config/lwreg.reg 
/opt/pbis/share/config/netlogond.reg 
/opt/pbis/share/config/privileges.reg 
/opt/pbis/share/config/rdr.reg 
/opt/pbis/share/config/reapsysl.reg 
/opt/pbis/share/config/usermonitor.reg
 
warning: /pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-gui-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY 
Preparing...            ########################################### [100%] 
  1:pbis-open-gui      ########################################### [100%]
 
warning: /pbis-open-8.2.2.2993.linux.x86_64.rpm/./packages/pbis-open-legacy-8.2.2-2993.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
 
Preparing...            ########################################### [100%] 
  1:pbis-open-legacy   ########################################### [100%]
 
Installing Packages was successful   
 
New libraries and configurations have been installed for PAM and NSS. 
Please reboot so that all processes pick up the new versions. 
[...]

 


  3.a. For RHEL 6-like systems, add the following line to /cm/images/default-image/etc/rc.local so that the compute nodes are registered with AD after each reboot:

[root@b70-c6 ~]# cat /etc/rc.local

[...]

domainjoin-cli join BCM.LOCAL Administrator <password>


  3.b. For RHEL 7-like systems, add an "ExecStartPost=/path/to/post/lwsmd/startup/script" line to the "/etc/pbis/redhat/lwsmd.service" unit file, so that the custom post-start script can perform the join after the service has started.
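The rc.local line shown for the head node and for the RHEL 6 software image (and the RHEL 7 ExecStartPost variant) puts the join account's password in a script that is typically world-readable, and it repeats the join on every boot. The script below is an added example, not part of this KB article, of Bright or of PBIS, that does the same job but reads the password from a root-only file and skips the join when the node is already a member. The credential file path /etc/pbis/join-password, the "Domain = <name>" line format assumed for the output of domainjoin-cli query, and the use of logger are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original KB article or of PBIS/Bright:
# an idempotent AD join hook for /etc/rc.local (RHEL 6-like) or for an
# ExecStartPost= line in the lwsmd unit (RHEL 7-like). It avoids placing
# the join account's password in rc.local by reading it from a root-only
# file. JOIN_PW_FILE, the output format assumed for `domainjoin-cli query`
# and the use of `logger` are assumptions made for this example.

AD_DOMAIN="${AD_DOMAIN:-BCM.LOCAL}"
JOIN_ACCOUNT="${JOIN_ACCOUNT:-Administrator}"
JOIN_PW_FILE="${JOIN_PW_FILE:-/etc/pbis/join-password}"   # assumed path, mode 0600
DOMAINJOIN="${DOMAINJOIN:-/opt/pbis/bin/domainjoin-cli}"

# already_joined QUERY_OUTPUT DOMAIN
# Returns 0 when the "Domain = <name>" line of `domainjoin-cli query` output
# names DOMAIN (compared case-insensitively). An unjoined host is assumed to
# print an empty "Domain = " line, which does not match.
already_joined() {
    printf '%s\n' "$1" | awk -v want="$2" '
        toupper($1) == "DOMAIN" && $2 == "=" { found = (toupper($3) == toupper(want)) }
        END { exit (found ? 0 : 1) }'
}

# credential_file_ok FILE
# Accepts only a regular file owned by the user running this script (root at
# boot) with no group/other permission bits, so ordinary cluster users who
# can read rc.local cannot read the join password.
credential_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # ls -ln is POSIX: field 1 is the mode string, field 3 the numeric owner.
    # A trailing "." or "+" (SELinux context / ACL marker) is tolerated.
    set -- $(ls -ln "$f")
    [ "$3" = "$(id -u)" ] || return 1
    case "$1" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# do_join
# Joins AD_DOMAIN only if the host is not already a member. Returns 0 when
# the host is, or becomes, joined.
do_join() {
    if already_joined "$("$DOMAINJOIN" query 2>/dev/null)" "$AD_DOMAIN"; then
        logger -t pbis-join "already joined to $AD_DOMAIN; nothing to do"
        return 0
    fi
    if ! credential_file_ok "$JOIN_PW_FILE"; then
        logger -t pbis-join "refusing to read $JOIN_PW_FILE: not a mode-0600 file owned by uid $(id -u)"
        return 1
    fi
    # domainjoin-cli takes the password as an optional third argument, as the
    # rc.local line in the article shows; here it comes from the file.
    pw=$(head -n 1 "$JOIN_PW_FILE")
    "$DOMAINJOIN" join "$AD_DOMAIN" "$JOIN_ACCOUNT" "$pw"
}

# Run only where PBIS is installed, so the functions can also be sourced and
# exercised on sample input elsewhere.
if [ -x "$DOMAINJOIN" ]; then
    do_join
fi
```

Create the credential file with something like install -o root -g root -m 0600 (for the software image, the assumed location would be /cm/images/default-image/etc/pbis/join-password so every compute node receives it), then call the script from rc.local or from the ExecStartPost= line instead of the bare domainjoin-cli line. The password still passes through the process table for the duration of the join, exactly as it does with the article's rc.local line; the script only keeps it out of readable files and avoids needless re-joins.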

 

Troubleshooting

 

Issue:

[root@b70-c6 ~]# sh pbis-open-8.2.2.2993.linux.x86_64.rpm.sh

Creating directory pbis-open-8.2.2.2993.linux.x86_64.rpm

Verifying archive integrity... All good.

Uncompressing pbis-open-8.2.2.2993.linux.x86_64.rpm............

ERROR: LD_LIBRARY_PATH, LIBPATH, and SHLIB_PATH must be unset or list /opt/pbis/lib as the first directory. See the "Requirements for the Agent" section of the PowerBroker Identity Services manual for more information.

 

Resolution:

[root@b70-c6 ~]# unset LD_LIBRARY_PATH

 

Issue:

[root@b70-c6 ~]# domainjoin-cli join BCM.LOCAL Administrator

Joining to AD Domain:   BCM.LOCAL

With Computer DNS Name: b70-c6.bcm.local

 

Administrator@BCM.LOCAL's password:

 

Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]

 

A bad packet was received from a DNS server. Potentially the requested address does not exist.

 

Resolution:

Add the DNS role to the Windows server (if it is not installed already), add the AD server as a nameserver in the base partition, and make sure that the forward zone for the AD domain is configured properly (the /etc/hosts, /etc/resolv.conf and /etc/named.conf.include settings shown for the head node).

 

Issue:

[root@b70-c6 ~]# domainjoin-cli join BCM.LOCAL Administrator

Joining to AD Domain:   BCM.LOCAL

With Computer DNS Name: b70-c6.BCM.LOCAL

 

Administrator@BCM.LOCAL's password:

Warning: Unsupported loader flags set

LD_LIBRARY_PATH and/or LD_PRELOAD are currently set on your system. Best practices for Unix and Linux administration strongly recommend not to use these environmental variables. PowerBroker

Identity Services does not support environments where either variable is set.

 

If this operation fails you should stop all PowerBroker Identity Services daemons, clear the environmental variable, then retry the join operation.

 

For more information, see the PowerBroker Identity Services guide online at:

http://www.beyondtrust.com/Technical-Support/Downloads/files/pbiso/Manuals/likewise-open-guide.html#AgentRequirements

 

Or a local PDF file is available in:

/opt/pbis/docs/likewise-open-guide.pdf (See section 4.2 Requirements for the Agent

 

SUCCESS

 

Resolution:

Before running the domainjoin-cli command, unload any environment modules which export LD_LIBRARY_PATH. This will stop the warning.
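All three troubleshooting items above, and the DNS configuration step for the head node, can be verified before domainjoin-cli is ever run. The following pre-join check is an added example, not part of this KB article, of Bright or of PBIS: it tests the loader environment variables the installer and domainjoin-cli complain about, checks that the AD server is listed as a nameserver and that the named forward zone for the AD domain is declared with straight quotes, and finally performs a live SRV lookup for the domain controller. The domain, DC address and file locations default to the values used in the article and are assumptions for any other site; the --run flag and the use of host from bind-utils are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the original KB article or of PBIS/Bright: a
# pre-join check that tests for the three failure modes listed under
# Troubleshooting (loader variables set, DC not reachable through DNS, no
# forward zone) before domainjoin-cli is run. The domain, DC address and
# file locations default to the values used in the article and are
# assumptions for any other site; `host` from bind-utils is needed for the
# live SRV lookup.

AD_DOMAIN="${AD_DOMAIN:-BCM.LOCAL}"
AD_DC_IP="${AD_DC_IP:-10.2.181.5}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NAMED_INCLUDE="${NAMED_INCLUDE:-/etc/named.conf.include}"
PBIS_LIB=/opt/pbis/lib

# loader_path_ok VALUE
# The installer requires LD_LIBRARY_PATH, LIBPATH and SHLIB_PATH to be unset
# or to list /opt/pbis/lib as the first directory.
loader_path_ok() {
    [ -z "$1" ] && return 0
    [ "${1%%:*}" = "$PBIS_LIB" ]
}

# preload_ok VALUE
# domainjoin-cli warns whenever LD_PRELOAD is set at all, so only an empty
# value passes.
preload_ok() {
    [ -z "$1" ]
}

# resolv_has_nameserver RESOLV_TEXT IP
# Returns 0 when RESOLV_TEXT contains a "nameserver IP" line.
resolv_has_nameserver() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "nameserver" && $2 == ip { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# forward_zone_ok NAMED_TEXT DOMAIN IP
# Returns 0 when NAMED_TEXT declares zone "DOMAIN" with "type forward" and
# a forwarders list containing IP. The zone name must be in straight ASCII
# quotes: curly quotes pasted from a document are not valid named syntax
# and are rejected here, as named itself would reject them.
forward_zone_ok() {
    printf '%s\n' "$1" | awk -v dom="$2" -v ip="$3" '
        {
            line = tolower($0)
            if (line ~ /^[ \t]*zone[ \t]+"/) {
                split(line, q, "\"")
                inzone = (q[2] == tolower(dom))
                fwd = 0; ipok = 0
            }
            if (inzone && line ~ /type[ \t]+forward[ \t]*;/) fwd = 1
            if (inzone && line ~ /forwarders/ && index(line, ip) > 0) ipok = 1
            if (inzone && line ~ /^[ \t]*};/) { if (fwd && ipok) ok = 1; inzone = 0 }
        }
        END { exit (ok ? 0 : 1) }'
}

# ad_srv_resolves DOMAIN
# Live check (not run on sample input): the DC locator record must resolve
# through the resolvers in /etc/resolv.conf, or the join fails with
# DNS_ERROR_BAD_PACKET.
ad_srv_resolves() {
    host -t SRV "_ldap._tcp.dc._msdcs.$1" >/dev/null 2>&1
}

main() {
    rc=0
    for v in LD_LIBRARY_PATH LIBPATH SHLIB_PATH; do
        eval "val=\${$v:-}"
        loader_path_ok "$val" || { echo "FAIL: $v must be unset or list $PBIS_LIB first (unset $v)"; rc=1; }
    done
    preload_ok "${LD_PRELOAD:-}" || { echo "FAIL: LD_PRELOAD is set; unload the environment module that exports it"; rc=1; }
    resolv_has_nameserver "$(cat "$RESOLV_CONF")" "$AD_DC_IP" \
        || { echo "FAIL: $RESOLV_CONF has no 'nameserver $AD_DC_IP' entry"; rc=1; }
    forward_zone_ok "$(cat "$NAMED_INCLUDE" 2>/dev/null)" "$AD_DOMAIN" "$AD_DC_IP" \
        || { echo "FAIL: $NAMED_INCLUDE has no forward zone for $AD_DOMAIN pointing at $AD_DC_IP"; rc=1; }
    ad_srv_resolves "$AD_DOMAIN" \
        || { echo "FAIL: _ldap._tcp.dc._msdcs.$AD_DOMAIN does not resolve"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready for domainjoin-cli join $AD_DOMAIN <join account>"
    return "$rc"
}

# The live checks run only when invoked as "sh pbis-preflight.sh --run",
# so the functions can be sourced and exercised on sample input.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root on the head node (or inside the chroot of the software image, with NAMED_INCLUDE pointing at the head node's file) before the join; a non-zero exit with a FAIL line names the item to fix, which maps directly onto the resolutions listed above.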
