Created by , last modified on Apr 04, 2019. Current version V 5
Linux AD integration with PBIS
Newly installed CI RHEL servers can authenticate users and check group memberships against the BOSCH Active Directory. For this, CI installs a product called PBIS Enterprise (package pbis-enterprise-8.5.6-366.x86_64 as of April 2019, see rpm -qi pbis-enterprise). PBIS joins a Linux system to an Active Directory domain, which is how the DrP Linux systems are set up. In parallel, all Linux servers still have NIS enabled, but only for compatibility.
Unix users and groups are primarily managed in Windows AD!
PBIS Enterprise is used for:
- joining a Linux system to the BOSCH Active Directory
- authentication against AD (AD username/password) via the PBIS integration
- accessing group information managed in AD
/etc/nsswitch.conf contains the entry "lsass" for passwd and group. Sources are consulted left to right: if a user or group is not found in the local /etc/passwd or /etc/group, the PBIS service (lsass) queries Active Directory for it. Note the consequence of that order: a local account with the same name as an AD account always wins, so local accounts must not duplicate AD user names.
NIS is still used for
In addition to the local files, NIS is also consulted (only for compatibility) for:
- resolving hostnames, in addition to DNS and the local hosts file
- networks
- services
- protocols
and some further databases (see the file below). NIS is not used for users or groups.
Configuration file nsswitch.conf
Accordingly, the nsswitch.conf of a standard Linux server looks like this: PBIS (lsass) backs AD users and groups, and local files, NIS or DNS provide the remaining information.
Attention: do not change this file, it is centrally managed (generated by VENUS, see the header comment)!
[old1dr@dr-008l ~]$ cat /etc/nsswitch.conf
#
# automagically generated by method sc.venus.nss from VENUS 2.5.2, Tue Mar 12 14:58:25 CET 2019
#
passwd: files lsass
group: files lsass
hosts: files nis dns
networks: files nis
services: files nis
protocols: files nis
rpc: files nis
ethers: files nis
netmasks: files nis
netgroup: files nis
publickey: files nis
bootparams: files nis
automount: files nis
aliases: files nis
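An added example, not part of the page or of the VENUS tooling: a small shell check that reads an nsswitch.conf and confirms that passwd and group resolve through files then lsass and nothing else, so neither NIS nor any other source can supply user or group entries behind AD's back. Both input files are constructed inside the script, one copying the relevant lines of the file above and one a deliberately wrong variant; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the centrally managed VENUS configuration):
# verify that user and group lookups go through "files lsass" only.

nss_sources() {
    # $1 = nsswitch.conf path, $2 = database name (passwd, group, hosts, ...)
    # Prints the source list of that database with comments stripped,
    # or nothing if the database is not configured at all.
    awk -v db="$2" '
        BEGIN { key = db ":" }
        { sub(/#.*/, ""); sub(/:[ \t]*/, ": ") }   # drop comments, normalise "db:src"
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

check_nsswitch() {
    # $1 = nsswitch.conf path. Returns 0 when passwd and group are exactly
    # "files lsass" (local files first, then the PBIS lsass service), 1 otherwise.
    # Anything else (nis, ldap, a missing lsass) means accounts can be resolved
    # from a source that is not the Active Directory.
    rc=0
    for db in passwd group; do
        src=$(nss_sources "$1" "$db")
        case "$src" in
            "files lsass") ;;
            *) echo "FAIL: $db: '${src:-<missing>}' (expected 'files lsass')" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Constructed inputs: GOOD copies the relevant lines of the centrally managed
# file shown above, BAD is a deliberately wrong variant.
GOOD=$(mktemp) && BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
# automagically generated by method sc.venus.nss from VENUS 2.5.2
passwd: files lsass
group: files lsass
hosts: files nis dns
services: files nis
EOF
cat >"$BAD" <<'EOF'
passwd: files nis lsass   # NIS would answer before AD is asked
group:  files             # AD groups are never resolved
hosts: files nis dns
EOF

for f in "$GOOD" "$BAD"; do
    if check_nsswitch "$f"; then echo "$f: OK"; else echo "$f: NOT AD-integrated for users/groups"; fi
done
```

On a real host, call check_nsswitch /etc/nsswitch.conf instead of the temporary files; a non-zero exit means users or groups may be resolved from a source other than AD, which on a VENUS-managed server indicates the file was changed by hand.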
Troubleshooting and diagnosis using pbis commands
Query a user and show the account details with "pbis find-user-by-name <username>"
[old1dr@dr-008l ~]$ pbis find-user-by-name lid8dr
User info (Level-0):
====================
Name: lid8dr
SID: S-1-5-21-220523388-115176313-1801674531-2649688
Uid: 88743
Gid: 128975361
Gecos: <null>
Shell: /bin/bash
Home dir: /home/lid8dr
Logon restriction: NO
Show the group membership of a user with "pbis list-groups-for-user <username>"
[old1dr@dr-006l ~]$ pbis list-groups-for-user old1dr
Number of groups found for user 'old1dr' : 2
Group[1 of 2] name = domain^users (gid = 128975361)
Group[2 of 2] name = dr6_rb300_cim_staging_login (gid = 78965)
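As an added example (not the page's own commands), the following shell functions parse the output of pbis list-groups-for-user and answer whether a user holds a given AD group. The captured output is the one shown above; the group dr6_rb300_cim_staging_login is used only as an assumed access group for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: parse "pbis list-groups-for-user <user>" output and check
# whether the user holds a given AD group. The sample is the output shown
# above; the required group name is an assumption for the demonstration.

SAMPLE_OUTPUT=$(cat <<'EOF'
Number of groups found for user 'old1dr' : 2
Group[1 of 2] name = domain^users (gid = 128975361)
Group[2 of 2] name = dr6_rb300_cim_staging_login (gid = 78965)
EOF
)

pbis_groups() {
    # stdin: pbis list-groups-for-user output; stdout: "<name> <gid>" per group
    sed -n 's/^Group\[[0-9]* of [0-9]*] name = \([^ ]*\) (gid = \([0-9]*\))[[:space:]]*$/\1 \2/p'
}

pbis_gid_of() {
    # $1 = group name as PBIS prints it; prints its gid, nothing if absent
    pbis_groups | awk -v want="$1" '$1 == want { print $2; exit }'
}

user_in_group() {
    # $1 = required group name; returns 0 if it appears in the piped output.
    # Match the exact rendered name: PBIS prints the space in "Domain Users"
    # as "^" (its SpaceReplacement setting), so "domain users" would not match.
    pbis_groups | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Demonstration on the captured output. On a live host replace the printf with:
#   pbis list-groups-for-user "$user" | user_in_group "$required_group"
REQUIRED_GROUP=dr6_rb300_cim_staging_login      # assumed access group for this demo
if printf '%s\n' "$SAMPLE_OUTPUT" | user_in_group "$REQUIRED_GROUP"; then
    echo "old1dr is in $REQUIRED_GROUP (gid $(printf '%s\n' "$SAMPLE_OUTPUT" | pbis_gid_of "$REQUIRED_GROUP"))"
else
    echo "old1dr is NOT in $REQUIRED_GROUP"
fi
```

On a live host, id <username> shows the same memberships through NSS; the pbis command is the one to use when you want to confirm that lsass itself resolves them from AD.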
Show the PBIS and AD connection status with "pbis status"
[old1dr@dr-008l ~]$ pbis status
LSA Server Status:
Compiled daemon version: 8.5.6.375
Packaged product version: 8.5.366.9
Uptime: 22 days 22 hours 30 minutes 56 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Default Cell
Domain: DE.BOSCH.COM
Domain SID:
Forest: bosch.com
Site: DELO
Online check interval: 300 seconds
Sub mode: Directory Integrated ==> system is AD integrated
[Trusted Domains: 7]
[Domain: DE]
DNS Domain: de.bosch.com
Netbios name: DE
Forest name: bosch.com
Trustee DNS name:
Client site name: DEDR6
Domain SID: S-1-5-21-220523388-115176313-1801674531
Domain GUID: 5118fb63-69d6-d847-9f7c-9e8227a8db2e
Trust Flags: [0x0019]
[0x0001 - In forest]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: LO-BCD14.de.bosch.com
DC Address: 10.104.104.254
DC Site: DELO
DC Flags: [0x0000f17c]
DC Is PDC: no
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: BR]
DNS Domain: br.bosch.com
Netbios name: BR
Forest name: bosch.com
Trustee DNS name: DE.BOSCH.COM
Client site name:
Domain SID: S-1-5-21-1844237615-1450960922-527237240
Domain GUID: 80d169e8-6598-194e-b58a-7f98a37585f7
Trust Flags: [0x0023]
[0x0001 - In forest]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: EMEA]
DNS Domain: emea.bosch.com
Netbios name: EMEA
Forest name: bosch.com
Trustee DNS name: DE.BOSCH.COM
Client site name: DEDR6
Domain SID: S-1-5-21-377891251-1475643905-1959494604
Domain GUID: 982b64ca-053a-d647-b26e-ecfaaa90e052
Trust Flags: [0x0023]
[0x0001 - In forest]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0020]
[0x0020 - Within forest]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: SI-BCD102.emea.bosch.com
DC Address: 10.3.9.67
DC Site: DOMAIN-EMEA
DC Flags: [0x0000f17c]
DC Is PDC: no
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: US]
DNS Domain: us.bosch.com
Netbios name: US
Forest name: bosch.com
Trustee DNS name: DE.BOSCH.COM
Client site name:
Domain SID: S-1-5-21-299502267-515967899-839522115
Domain GUID: 8622b3ae-905e-5246-b578-3e790c1fd32f
Trust Flags: [0x0023]
[0x0001 - In forest]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: BOSCH]
DNS Domain: bosch.com
Netbios name: BOSCH
Forest name: bosch.com
Trustee DNS name: DE.BOSCH.COM
Client site name: DEDR6
Domain SID: S-1-5-21-2000478354-1614895754-1801674531
Domain GUID: 3e2d99cd-e306-d841-a727-c6edcf6c1540
Trust Flags: [0x0027]
[0x0001 - In forest]
[0x0002 - Outbound]
[0x0004 - Tree root]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x400000]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: FE-BCD91.bosch.com
DC Address: 10.4.102.82
DC Site: HUB-EMEA
DC Flags: [0x0000f17d]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: APAC]
DNS Domain: APAC.bosch.com
Netbios name: APAC
Forest name: bosch.com
Trustee DNS name: DE.BOSCH.COM
Client site name: DEDR6
Domain SID: S-1-5-21-3128019436-993217923-4252910445
Domain GUID: 8e567053-8c3b-6d48-9b61-53a90bd1173f
Trust Flags: [0x0023]
[0x0001 - In forest]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0020]
[0x0020 - Within forest]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: fe-bcd81.APAC.bosch.com
DC Address: 10.3.30.43
DC Site: DE-sLCS
DC Flags: [0x0000f17c]
DC Is PDC: no
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: QS]
DNS Domain: qs.bosch.com
Netbios name: QS
Forest name: bosch.com
Trustee DNS name: DE.BOSCH.COM
Client site name:
Domain SID: S-1-5-21-823518204-1326574676-725345543
Domain GUID: 00afe9f3-2342-cd42-84b1-e4521dd34f7a
Trust Flags: [0x0001]
[0x0001 - In forest]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Global Catalog (GC) Information]
GC Name: NU-BCD22.de.bosch.com
GC Address: 10.16.1.72
GC Site: DENUE
GC Flags: [0x0000f17c]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
There are more commands available, so just use pbis --help!