PBIS Linux Administration Guide 8.2

PowerBroker Identity Services

Linux Administration Guide

Revision/Update Information: September 2014


Corporate Headquarters
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright 2014 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable,
is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (BeyondTrust)
or BeyondTrust's authorized remarketer, if and when applicable.
TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author,
and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation,
as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on
copying, modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than, any limited warranties
expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR
PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights.
This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express
limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes:
manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is
subject to limited rights and other restrictions, as set forth in the Rights in Technical Data Noncommercial Items clause at
DFARS 252.227-7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops,
PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker
Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.
ssh is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The
SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain
jurisdictions.
This application contains software powered by PKAIP, the leading solution for enabling efficient and secure data storage and
transmission. PKAIP is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with
permission.
OTHER NOTICES
If and when applicable the following additional provisions are so noted:
The PowerBroker Identity Services Open software is free to download and use according to the terms of the Limited GPL 2.1 for
client libraries and the GPL 2 for daemons. The licenses for PowerBroker Identity Services Enterprise and for PowerBroker
Identity Services UID-GID Module are different. For complete information on the software licenses and terms of use for
BeyondTrust products, see www.beyondtrust.com.

PBIS Enterprise Linux Administration Guide

Contents

Introduction
  Conventions Used in This Guide
  Documentation Set for PBIS Enterprise
  Contact Technical Support
    Before Contacting Technical Support
    Contacting Support
Command-Line Reference
  Accessing the PBIS Tools
  Accessing Help for a Command
  Manage PBIS Services (lwsm)
  Modify Registry Settings with the config Tool
  Start the Registry Shell (regshell)
  Export the Registry to an Editor (edit-reg)
  Change the Host Name in the Local Provider (set-machine-name)
  Find a User or a Group
    Find a User by Name
    Find a User by UID
    Find a User by SID
    Find a Group by Name
    Find a Group by ID
  List Groups for a User (list-groups-for-user)
  List Groups (enum-groups)
  List Users (enum-users)
  List the Status of Authentication Providers (get-status)
  List the Domain
  List Domain Controllers (get-dc-list)
  List Domain Controller Information (get-dc-name)
  List Domain Controller Time (get-dc-time)
  List Computer Account Information (lsa ad-get-machine)
  Dynamically Update DNS (update-dns)
  Manage the AD Cache (ad-cache)
    On Mac OS X
  Join or Leave a Domain (domainjoin-cli)
    Basic Commands
    Advanced Commands
    Configuration and Debugging Commands
  Display NIS Map (ypcat)
  Display the Value of a Key in an NIS Map (ypmatch)
  Modify Objects in AD (adtool)
    Using the Tool
    Options
    Examples
  Copy Files Across Disparate Operating Systems (lwio-copy)
  Modify Local Accounts
    Add a Local User (add-user)
    Add a Local Group Member (add-group)
    Remove a Local User (del-user)
    Remove a Local Group (del-group)
    Modify a Local User (mod-user)
    Modify the Membership of a Local Group (mod-group)
  Kerberos Commands
    Destroy the Kerberos Ticket Cache (kdestroy)
    View Kerberos Tickets (klist)
    Obtain and Cache a TGT (kinit)
    Change a Password (kpasswd)
    The Keytab File Maintenance Utility (ktutil)
    Acquire a Service Ticket and Print Key Version Number (kvno)
  Certificates Auto Enrollment
    EnableAutoEnroll
    AutoEnrollPollingInterval
    ManagedCertificateLifecycle
    EnableWireless
    SSID
    SecurityType
    Authentication

Introduction
This guide shows system administrators and security administrators how to use BeyondTrust
PowerBroker Identity Services Enterprise Edition (PBIS).
PBIS ships with a number of documents that help you to use the various features of the product. See the
following section for a list of the guides.

Conventions Used in This Guide

Specific font and line-spacing conventions are used in this book to ensure readability and to highlight
important information such as commands, syntax, and examples.

Font Conventions
The font conventions used for this document are:

Courier New Font is used for program names, commands, command arguments, directory paths,
variable names, text input, text output, configuration file listings, and source code. For example:
C:\Documents and Settings\All Users

Courier New Bold Font is used for information that should be entered into the system exactly as
shown. For example:
pbdeploy.exe

Courier New Italics Font is used for input variables that need to be replaced by actual values.
In the following example, the variable MyServer must be replaced by an actual environment server
name and the variable MyFolder must be replaced by an actual folder name:
\\MyServer\MyFolder\pbdcl32.msi

Bold is used for Windows buttons. For example:
Click OK.

Documentation Set for PBIS Enterprise


The complete PowerBroker Identity Services Enterprise Edition documentation set includes the following:

PBIS Enterprise Installation Guide

PBIS Enterprise Administration Guide

PBIS Enterprise Linux Administration Guide

PBIS Enterprise Auditing & Reporting Guide

PBIS Enterprise Group Policy Administration Guide

PBIS Release Notes

Report Book

Best Practices (go to the BeyondTrust web site)


Contact Technical Support


BeyondTrust Software, Inc. provides an online knowledge base, as well as telephone and web-based
support.

Before Contacting Technical Support


To expedite support, collect the following information to provide to Technical Support:

PBIS Enterprise version (Available in the PBIS Console by clicking Help, About on the menu bar.)

PBIS Agent version and build number

Linux or Unix version

Windows or Windows Server version

If you are contacting Technical Support about one of the following problems, also provide the diagnostic
information specified.

Segmentation Faults
Provide the following information when contacting Technical Support:

Core dump of the PowerBroker Identity Services application:


ulimit -c unlimited

Exact patch level or exact versions of all installed packages.

Program Freezes
Provide the following information when contacting Technical Support:

Debug logs

tcpdump

An strace of the program

Domain-Join Errors
Provide the following information when contacting Technical Support:

Debug logs (Copy the log file from /var/log/pbis-join.log.)

tcpdump

All Active Directory Users Are Missing


Provide the following information when contacting Technical Support:

Run /opt/pbis/bin/get-status

Contents of nsswitch.conf

All Active Directory Users Cannot Log On


Provide the following information when contacting Technical Support:

Output of id <user>


Output of su -c 'su <user>' <user>

Lsass debug logs (See Generate an Authentication Agent Debug Log, in the PBIS Troubleshooting
webhelp.)

Contents of pam.d/pam.conf

The sshd and ssh debug logs and syslog

AD Users or Groups are Missing


Provide the following information when contacting Technical Support:

The debug logs for lsass

Output for getent passwd or getent group for the missing object

Output of id <user> if the missing object is a user

tcpdump

Copy of lsass cache file.

Poor Performance When Logging On or Looking Up Users


Provide the following information when contacting Technical Support:

Output of id <user>

The lsass debug log

Copy of lsass cache file. (For more about the file name and location of the cache files, refer to the
Linux Administration Guide.)

tcpdump
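
The checklists above can be scripted. The following shell script is an added example and is not part of the
PBIS guide: it collects the files and command outputs the lists ask for into one directory and writes a
MANIFEST of what was found and what was missing on the host. It assumes the tool path /opt/pbis/bin and
the file locations named above; anything absent is skipped and noted rather than failing the run. Run it as
root for complete results. The tcpdump is not taken by the script and must be captured separately while
the problem is reproduced.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: gather the items the
# "Before Contacting Technical Support" checklists ask for into one directory.
# Assumptions: PBIS lives under /opt/pbis as in the guide; anything that is
# missing on this host is skipped and recorded in MANIFEST. Run as root for
# complete results. A tcpdump is not taken here; capture it separately.

PBIS_BIN=/opt/pbis/bin

# run_into OUTFILE CMD [ARGS...]
# Runs CMD with its output in OUTFILE if the binary exists; otherwise notes
# it as missing. Appends to the $manifest set by the caller.
run_into() {
    out=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" > "$out" 2>&1; then rc=0; else rc=$?; fi
        printf 'command: %s -> %s (exit %s)\n' "$*" "$out" "$rc" >> "$manifest"
    else
        printf 'missing command: %s\n' "$1" >> "$manifest"
    fi
}

# collect_pbis_diag OUTDIR [USER]
# Copies the config files and logs named in the checklists, runs the status
# commands, and records user lookups for USER. Prints the manifest path.
collect_pbis_diag() {
    outdir=$1
    user=${2:-}
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST"
    : > "$manifest"

    # The guide asks for "ulimit -c unlimited" before reproducing a crash;
    # record the limit this shell ended up with.
    ulimit -c unlimited 2>/dev/null || true
    printf 'core dump limit: %s\n' "$(ulimit -c)" >> "$manifest"

    # Files: NSS config, PAM config, join log, lsass cache (glob: one per domain).
    for f in /etc/nsswitch.conf /etc/pam.conf /var/log/pbis-join.log \
             /var/lib/pbis/db/lsass-adcache.filedb.*; do
        if [ -f "$f" ]; then
            cp "$f" "$outdir/" && printf 'file: %s\n' "$f" >> "$manifest"
        else
            printf 'missing: %s\n' "$f" >> "$manifest"
        fi
    done
    if [ -d /etc/pam.d ]; then
        cp -R /etc/pam.d "$outdir/pam.d" 2>/dev/null || true
        printf 'dir: /etc/pam.d\n' >> "$manifest"
    fi

    # Command outputs from the checklists.
    run_into "$outdir/get-status.txt"  "$PBIS_BIN/get-status"
    run_into "$outdir/lwsm-list.txt"   "$PBIS_BIN/lwsm" list
    run_into "$outdir/syslog-tail.txt" tail -n 200 /var/log/syslog
    if [ -n "$user" ]; then
        run_into "$outdir/id.txt"            id "$user"
        run_into "$outdir/getent-passwd.txt" getent passwd "$user"
        run_into "$outdir/groups.txt"        "$PBIS_BIN/list-groups-for-user" "$user"
    fi
    printf 'tcpdump: capture separately while reproducing, e.g. tcpdump -w %s/pbis.pcap\n' "$outdir" >> "$manifest"
    echo "$manifest"
}
```

A typical call is collect_pbis_diag /root/pbis-diag 'EXAMPLE\hab'; review MANIFEST before sending the
directory, because the lsass cache copy and the id output identify real accounts.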

Contacting Support
If you encounter problems that are not covered in the documentation, contact BeyondTrust Technical
Support.
When contacting Technical Support, provide the following information:

Your company name

Telephone and email address where you can be contacted

Description of the problem and the steps you have taken to resolve it

Diagnostic information requested in Before Contacting Technical Support

You can contact BeyondTrust Technical Support by email or through the BeyondTrust website. If you are
located in the United States, you can also contact Technical Support by telephone. Support is staffed 24
hours per day, seven days per week.
Telephone: +1 800-234-9072 or +1 818-575-4040
Email: [email protected]
Web: To submit a support request online:


1. Browse to http://www.beyondtrust.com.
2. Click Support at the top of any page.
3. On the BeyondTrust Technical Support page, scroll to the Customer Support Portals section and
click the PowerBroker Identity Services tab.
4. If you do not have a PBIS Support password, click [email protected] to request that a PBIS
Support password be sent to your email address.
Note: This is a different password than the one provided for use with the BeyondTrust
Customer/Partner Portal.
5. For Username, enter your email address.
6. For Password, enter the password provided to you by PBIS Support and click Submit.

Command-Line Reference
This chapter provides an overview of the commands in /opt/pbis/bin. Most of the commands are
intended to be run as root.
Commands for managing the event log are covered in PBIS Enterprise Administration Guide.
For information about troubleshooting the Group Policy commands for PBIS Enterprise, see the
PowerBroker Identity Services Group Policy Administration Guide.
For an overview of commands such as rpm and dpkg that can help you manage PBIS on Linux and Unix
platforms, see Package Management Commands.

Accessing the PBIS Tools


The PBIS tools are located here:
/opt/pbis/bin

You can access the tools using either an absolute path or relative path.

Accessing Help for a Command


You can access help for any command by using the --help option.
Example:
/opt/pbis/bin/find-group-by-id --help

Note that some commands use different syntax to access help. The syntax is provided in the command
description.

Manage PBIS Services (lwsm)


The PBIS service manager lets you track and troubleshoot all the PBIS services with a single command-line
utility.
Using the service manager, you can:

Check the status of a service

Start or stop a service


The service manager is the preferred method for restarting a service because it automatically
identifies a service's dependencies and restarts them in the right order.

Set the logging destination and log level

Syntax
Lists the status of the services. Run the command with superuser privileges.
/opt/pbis/bin/lwsm list

Example
root@bvt-ubu1104-32d:/home/testuser# /opt/pbis/bin/lwsm list
lwreg                       running (container: 23349)
dcerpc                      stopped
eventfwd                    running (container: 23673)
eventlog                    running (container: 23364)
gpagent                     running (container: 23575)
lsass                       running (container: 23399)
lwio                        running (container: 23386)
lwpkcs11                    stopped
lwsc                        stopped
netlogon                    running (container: 23376)
rdr                         running (io: 23386)
reapsysl                    running (container: 23413)
usermonitor                 running (container: 23686)
root@bvt-ubu1104-32d:/home/testuser#

Syntax to restart the lsass service. Run the command with superuser privileges:
/opt/pbis/bin/lwsm restart lsass

After you change a setting in the registry, you must use the service manager to force the service to begin
using the new configuration by executing the following command with super-user privileges.
This example refreshes the lsass service:
/opt/pbis/bin/lwsm refresh lsass

Syntax to view information about the lsass service, including its dependencies:
/opt/pbis/bin/lwsm info lsass

Example
[root@rhel5d bin] # /opt/pbis/bin/lwsm info lsass
Service: lsass
Description: Security and Authentication Subsystem
Type: module
Autostart: yes
Path: /opt/pbis/lib/lw-svcm/lsass.so
Arguments:
Environment:
Dependencies: netlogon lwio lwreg rdr
Service Group: lsass
File descriptor limit: 1024
Core dump size limit: inherit

Modify Registry Settings with the config Tool


You can change an end-user setting in the registry that is not managed by a Group Policy setting.

Command
/opt/pbis/bin/config


Syntax
/opt/pbis/bin/config setting value

where setting is the registry entry and value is the new value that you want to set.

Example 1
Use config to change the AssumeDefaultDomain setting:
[root@rhel5d bin]# ./config --detail AssumeDefaultDomain
Name: AssumeDefaultDomain
Description: Apply domain name prefix to account name at logon
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.
[root@rhel5d bin]# ./config AssumeDefaultDomain true
[root@rhel5d bin]# ./config --show AssumeDefaultDomain
boolean
true
local policy

Use the --detail option to view the setting's current value and to determine the values that it
accepts.
Set the value to true.
Use the --show option to confirm that the value was set to true.
To view the registry settings that you can change with config:
/opt/pbis/bin/config --list

You can also import and apply a number of settings with a single command by using the --file option
combined with a text file that contains the settings that you want to change followed by the values that
you want to set. Each setting-value pair must be on a single line.
For example, the contents of a flat file, named newRegistryValuesFile and saved to the desktop of a
Red Hat computer, looks like this:
AssumeDefaultDomain true
RequireMembershipOf "example\\support" "example\\domain^admins"
HomeDirPrefix /home/ludwig
LoginShellTemplate /bin/sh

To import the file and automatically change the settings listed in the file to the new values, run the
following command as root:
/opt/pbis/bin/config --file /root/Desktop/newRegistryValuesFile


Example 2
You want to view the available trust settings because you know there are inaccessible trusts in your Active
Directory network and you want to set PBIS to ignore all the trusts before you try to join a domain.
Use grep with the list option:
/opt/pbis/bin/config --list | grep -i trust

The results will look something like this:


DomainManagerIgnoreAllTrusts
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList

Next, use the --detail option to list the values that the DomainManagerIgnoreAllTrusts setting
accepts:
[root@rhel5d bin]# ./config --detail DomainManagerIgnoreAllTrusts
Name: DomainManagerIgnoreAllTrusts
Description: When true, ignore all trusts during domain enumeration.
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.

Now change the setting to true so that PBIS will ignore trusts when you try to join a domain.
[root@rhel5d bin]# ./config DomainManagerIgnoreAllTrusts true

Finally, check to make sure the change took effect:


[root@rhel5d bin]# ./config --show DomainManagerIgnoreAllTrusts
boolean
true
local policy

In the example output that shows the setting's current values, local policy is listed, meaning that
the setting is managed locally through config because no PBIS Group Policy setting is managing it.
You cannot locally modify a setting that is managed by a Group Policy setting.
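
As an added example that is not part of the guide, the following shell functions script the workflow shown
in the examples above: they build a settings file for config --file, escape group names for
RequireMembershipOf the way the example file shows (backslash doubled, spaces replaced by ^), apply the
file and refresh lsass, and check the three-line output of config --show. Two points are assumptions rather
than statements from the guide: that /opt/pbis/bin is the tool path, and that a setting owned by Group
Policy reports something other than local policy on the third line of --show.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: build a settings file for
# "config --file", apply it, and verify the result with "config --show".
# Assumptions: /opt/pbis/bin is the tool path; group names are supplied as
# DOMAIN\Name and are escaped the way the guide's RequireMembershipOf line
# shows (backslash doubled, spaces replaced by ^); "config --show" prints
# three lines (type, value, policy source) as in the guide's examples.

PBIS_BIN=/opt/pbis/bin

# pbis_group_arg 'EXAMPLE\Domain Admins'  ->  "EXAMPLE\\Domain^Admins"
# One quoted, escaped group token for the settings file.
pbis_group_arg() {
    printf '"%s"\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /^/g'
}

# write_settings_file FILE GROUP...
# One setting-value pair per line: restrict logon to GROUP..., plus two of
# the other settings from the guide's example file.
write_settings_file() {
    file=$1; shift
    line='RequireMembershipOf'
    for g in "$@"; do
        line="$line $(pbis_group_arg "$g")"
    done
    {
        printf '%s\n' 'AssumeDefaultDomain true'
        printf '%s\n' "$line"          # printf, not echo: dash's echo eats backslashes
        printf '%s\n' 'LoginShellTemplate /bin/bash'
    } > "$file"
}

# apply_settings_file FILE
# Imports the file, then refreshes lsass so the new values are picked up
# (the guide requires an lwsm refresh after a registry change).
apply_settings_file() {
    "$PBIS_BIN/config" --file "$1" && "$PBIS_BIN/lwsm" refresh lsass
}

# check_show_output SETTING EXPECTED  < output of "config --show SETTING"
# Returns 0 when the value matches and is locally managed, 2 when it matches
# but the third line is not "local policy" (assumed to mean a Group Policy
# setting owns it, so a local change will not stick), 1 when the value differs.
check_show_output() {
    setting=$1; expected=$2
    read -r vtype   || return 1
    read -r vvalue  || return 1
    read -r vsource || return 1
    if [ "$vvalue" != "$expected" ]; then
        echo "$setting: want $expected, got $vvalue ($vtype)" >&2
        return 1
    fi
    case "$vsource" in
        "local policy") return 0 ;;
        *) echo "$setting is managed by '$vsource'; local edits will be overridden" >&2
           return 2 ;;
    esac
}

# verify_setting SETTING EXPECTED: live check against the running agent.
verify_setting() {
    "$PBIS_BIN/config" --show "$1" | check_show_output "$1" "$2"
}
```

On a joined host the sequence is write_settings_file /root/pbis-settings 'EXAMPLE\support'
'EXAMPLE\Domain Admins', then apply_settings_file /root/pbis-settings, then
verify_setting AssumeDefaultDomain true; a return code of 2 tells you to change the value in Group Policy
instead of locally.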

Example 3
You can use PBIS to make Mac and Linux computers automatically connect (mount) the share locations
that are defined in each user's Active Directory account profile so that documents and settings specific to
the user are available on any computer from which they log on to your network.
If the share path is represented as a DFS URL, PBIS translates it to the SMB server\share\path form that
the native CIFS mount support can use. On newer Linux distributions and Mac operating systems, the
Kerberos credentials obtained at the user's single sign-on logon are used to connect to the shares.
You can use these shares in either of the following ways:

As a resource folder accessible to the user's local home directory.


As the actual user home directory for a network-mounted user account profile.

When the user logs off, the network mount connection is automatically removed.
To use the config tool to mount a remote file share specific to the user:
1. In Active Directory Users and Computers (ADUC), configure the network share to mount.
2. Using the config tool, set the local folder where the share should be mounted. If none of the defaults
are modified, the following command mounts the home folder specified in ADUC in the user's home
folder as MyHome.
/opt/pbis/bin/config RemoteHomeDirTemplate "%H/local/%D/%U/MyHome"

Note: With PBIS Enterprise, you can manage this feature by using a PBIS Group Policy setting. For
information, see the PowerBroker Identity Services Group Policy Administration Guide.

Start the Registry Shell (regshell)


You can access and modify the PBIS registry by using the registry shell, regshell. The shell works in a way
that is similar to BASH.
Help syntax for regshell:
/opt/pbis/bin/regshell
\> help

You can also manage the registry by executing the registry's commands from the command line. For
more information, see Modify Registry Settings with the config Tool.

Export the Registry to an Editor (edit-reg)


You can export the contents of the PBIS registry to the text editor set in your EDITOR environment variable.
You can use the edit-reg command to quickly view the contents of the registry and make changes to
the settings.
Then, you can launch the registry shell and import the modified file so that your changes take effect.

Command
/opt/pbis/bin/edit-reg

If a default editor is not set, the script searches for an available editor in the following order: gedit, vi,
friends, emacs.
Note: On platforms without gedit, an error might occur. To correct the error, set the EDITOR
environment variable to an available editor, such as vi:
export EDITOR=vi

Change the Host Name in the Local Provider (set-machine-name)


After you change the host name of a computer, you must also change the name in the PBIS local provider
database so that the local PBIS accounts use the correct prefix.


Command
/opt/pbis/bin/lsa set-machine-name hostName

Notes

Run the command as root.

Replace hostName with the name of your host.

Find a User or a Group


You can check a domain user's or group's information by either name or ID. These commands can verify
that the client can locate the user or group in Active Directory.

Find a User by Name


You can search for a user by name.

Command
/opt/pbis/bin/find-user-by-name domain\\username

Notes
Replace domain\\username with the full domain user name or the single domain user name of the
user.

Example
/opt/pbis/bin/find-user-by-name mydomain\\trejo

Optionally set the level of detail of information that is returned. Example:

/opt/pbis/bin/find-user-by-name --level 2 mydomain\\trejo
User info (Level-2):
====================
Name:                         trejo
SID:                          S-1-5-21-3447809367-3151979076-456401374-1135
UPN:                          [email protected]
GeneratedUPN:                 NO
DN:                           CN=trejo,CN=Users,DC=MYDOMAIN,DC=EXAMPLE,DC=COM
Uid:                          239600751
Gid:                          239600770
Gecos:                        Markus Trejo
Shell:                        /bin/sh
Home dir:                     /home/MYDOMAIN/trejo-macbook/trejo-bvt
LMHash length:                0
NTHash length:                0
Local User:                   NO
Account disabled (or locked): FALSE
Account expired:              FALSE
Password never expires:       TRUE
Password Expired:             FALSE
Prompt for password change:   YES
User can change password:     YES
Days till password expires:   0
Logon restriction:            NO
trejo-macbook:~ root#

Find a User by UID


You can search for a user by UID.

Command
/opt/pbis/bin/find-user-by-id UID

Notes
Replace UID with the user's ID.

Example
/opt/pbis/bin/find-user-by-id 593495196

Find a User by SID


You can find a user in Active Directory by security identifier (SID).

Command
/opt/pbis/bin/find-by-sid SID

Notes

Run the command as root.

Replace SID with the user's security identifier.

Example
[root@rhel4d bin]# /opt/pbis/bin/find-by-sid S-1-5-21-382349973-3885793314-468868962-1180
User info (Level-0):
====================
Name:     EXAMPLE\hab
SID:      S-1-5-21-382349973-3885793314-468868962-1180
Uid:      593495196
Gid:      593494529
Gecos:    Jurgen Habermas
Shell:    /bin/sh
Home dir: /home/EXAMPLE/hab

Find a Group by Name

Syntax
/opt/pbis/bin/find-group-by-name domain\\groupname

Example
/opt/pbis/bin/find-group-by-name example.com\\dnsadmins

Find a Group by ID
Command
/opt/pbis/bin/find-group-by-id GID

Example
[root@rhel4d bin]# /opt/pbis/bin/find-group-by-id 593494534
Group info (Level-0):
====================
Name: EXAMPLE\schema^admins
Gid:  593494534
SID:  S-1-5-21-382349973-3885793314-468868962-518

List Groups for a User (list-groups-for-user)


You can list the groups where a particular user is a member.

Command
/opt/pbis/bin/list-groups-for-user

Notes

You can search either by user name or UID.

Example
/opt/pbis/bin/list-groups-for-user --uid 593495196

Here is the command and its result for the user example\\hab:
[root@rhel5d bin]# ./list-groups-for-user example\\hab
Number of groups found for user 'example\hab' : 2
Group[1 of 2] name = EXAMPLE\enterprise^admins (gid = 593494535)
Group[2 of 2] name = EXAMPLE\domain^users (gid = 593494529)

List Groups (enum-groups)


You can list the groups in Active Directory and view GIDs and SIDs for the group members.
The PBIS agent enumerates groups in the primary domain. Groups in trusted domains and linked cells are
not enumerated. NSS membership settings in the registry do not affect the result of the command.


Command
/opt/pbis/bin/enum-groups --level 1

List Users (enum-users)


You can enumerate the users in Active Directory and view their UIDs, GIDs, and other account attributes.
The PBIS agent enumerates users in the primary domain. Users in trusted domains and linked cells are
not enumerated. NSS membership settings in the registry do not affect the result of the command.

Command
/opt/pbis/bin/enum-users

To view full information about the users, include the level option when you execute the command:
/opt/pbis/bin/enum-users --level 2

Example result for a one-user batch:

User info (Level-2):
====================
Name:                       EXAMPLE\sduval
UPN:                        [email protected]
Generated UPN:              NO
Uid:                        593495151
Gid:                        593494529
Gecos:                      Shelley Duval
Shell:                      /bin/sh
Home dir:                   /home/EXAMPLE/sduval
LMHash length:              0
NTHash length:              0
Local User:                 NO
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: NO

List the Status of Authentication Providers (get-status)


PowerBroker Identity Services includes two authentication providers:

A local provider

An Active Directory provider

If the AD provider is offline, you cannot log on with your AD credentials.


You can check the status of the authentication providers.

Command
/opt/pbis/bin/get-status

Healthy result output:


LSA Server Status:

        Agent version: 5.4.0
        Uptime:        22 days 21 hours 16 minutes 29 seconds

[Authentication provider: lsa-local-provider]
        Status:        Online
        Mode:          Local system

[Authentication provider: lsa-activedirectory-provider]
        Status:        Online
        Mode:          Un-provisioned
        Domain:        example.com
        Forest:        example.com
        Site:          Default-First-Site-Name

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the
AD authentication provider is not listed in the results, restart the authentication service. For more
information, refer to the Troubleshooting document on the BeyondTrust web site.
If the result looks like the lines below, lsass itself is not answering; check the status of the PBIS services
to make sure they are running:
Failed to query status from LSA service.
The LSASS server is not responding.

To check the status of the services, run the command as root:
/opt/pbis/bin/lwsm list
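
The following shell script is an added example and is not part of the PBIS guide. It turns the checks
described in this section and in Manage PBIS Services (lwsm) into a scriptable health check: it parses
captured lwsm list and get-status output in the formats the guide prints, reports required services that
are not running together with the lwsm restart command to run, and classifies the AD provider as online,
offline, absent, or lsass-unreachable. The sample outputs embedded below are constructed from the guide's
examples; the set of required services and the assumption that live output matches the guide's format are
assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the PBIS guide: a scriptable health check over the
# output of "lwsm list" and "get-status". The parsers read captured text so
# they can be exercised offline; the samples below are constructed from the
# guide's examples. Assumptions: the live output matches the guide's format,
# and REQUIRED_SERVICES is the set that must be running for AD logons (the
# guide lists lsass's dependencies as netlogon, lwio, lwreg and rdr).

REQUIRED_SERVICES="lwreg lsass lwio netlogon rdr"

# stopped_services < lwsm-list-output: names reported "stopped", one per line.
# Some services (dcerpc, lwpkcs11, lwsc in the guide's sample) are stopped
# on a healthy host, so do not alert on this list alone.
stopped_services() {
    awk '$2 == "stopped" { print $1 }'
}

# missing_required < lwsm-list-output: required services not in "running" state.
missing_required() {
    running=" $(awk '$2 == "running" { print $1 }' | tr '\n' ' ') "
    for s in $REQUIRED_SERVICES; do
        case "$running" in
            *" $s "*) ;;
            *) echo "$s" ;;
        esac
    done
}

# ad_provider_state < get-status-output
# Prints online, offline, absent (provider block not present), or
# lsass-unreachable (the "Failed to query status" message from the guide).
ad_provider_state() {
    awk '
        /Failed to query status from LSA service/ { print "lsass-unreachable"; found = 1; exit }
        /^\[Authentication provider: / { inad = ($0 ~ /lsa-activedirectory-provider/) }
        inad && /^[ \t]*Status:/ { print tolower($2); found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# pbis_health [LWSM_OUTPUT] [STATUS_OUTPUT]
# Runs both checks; with no arguments it queries the live agent. Prints a
# line per problem with the fix the guide suggests, and returns 1 if any.
pbis_health() {
    lwsm_out=${1:-$(/opt/pbis/bin/lwsm list 2>&1)}
    status_out=${2:-$(/opt/pbis/bin/get-status 2>&1)}
    rc=0
    for s in $(printf '%s\n' "$lwsm_out" | missing_required); do
        echo "service $s is not running; try: /opt/pbis/bin/lwsm restart $s"
        rc=1
    done
    state=$(printf '%s\n' "$status_out" | ad_provider_state)
    if [ "$state" != online ]; then
        echo "AD provider state: $state (see get-status; restart the authentication service if absent)"
        rc=1
    fi
    return $rc
}

# Constructed samples (one required service down, AD provider offline).
SAMPLE_LWSM='lwreg       running (container: 23349)
dcerpc      stopped
lsass       stopped
lwio        running (container: 23386)
netlogon    running (container: 23376)
rdr         running (io: 23386)'

SAMPLE_STATUS='LSA Server Status:
        Agent version: 5.4.0
[Authentication provider: lsa-local-provider]
        Status:        Online
        Mode:          Local system
[Authentication provider: lsa-activedirectory-provider]
        Status:        Offline
        Mode:          Un-provisioned
        Domain:        example.com'

pbis_health "$SAMPLE_LWSM" "$SAMPLE_STATUS" || echo "unhealthy"
```

Run pbis_health with no arguments from cron or a monitoring agent as root; a non-zero return is the signal
to act, and the printed lines name the restart to try first.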

List the Domain


This command retrieves the Active Directory domain to which the computer is connected.

Command
/opt/pbis/bin/lsa ad-get-machine account

List Domain Controllers (get-dc-list)


This command lists the domain controllers for a target domain. You can narrow the list in several ways,
including by site.

Command
/opt/pbis/bin/get-dc-list

Example
[root@rhel5d bin]# ./get-dc-list example.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.example.com', Address = '192.168.100.132'

List Domain Controller Information (get-dc-name)


This command displays the name of the current domain controller for the domain you specify. The
command can help you select a domain controller.


Command
/opt/pbis/bin/get-dc-name DomainName

Example
To select a domain controller, run the following command as root until the domain controller you want is
displayed. Replace DomainName with the name of your domain:
/opt/pbis/bin/get-dc-name DomainName --force

List Domain Controller Time (get-dc-time)


This command displays the time of the current domain controller for the domain that you specify. The
command can help you determine whether there is a Kerberos time-skew error between a PBIS client and
a domain controller.

Command
/opt/pbis/bin/get-dc-time

Example
[root@rhel5d bin]# ./get-dc-time example.com
DC TIME: 2009-09-08 14:54:18 PDT

List Computer Account Information (lsa ad-get-machine)


You can print out the computer account name, computer account password, SID, and other information
by running the following command as root. Because the output includes the machine account password,
treat it like any other credential: do not leave it in shell history, log files, or support tickets.

Command
/opt/pbis/bin/lsa ad-get-machine account domainDNSName

Example
/opt/pbis/bin/lsa ad-get-machine account example.com

Dynamically Update DNS (update-dns)


This command registers an IP address for the computer in DNS. The command is useful when you want
to register A and PTR records for your computer and the DHCP server is not registering them.
Note: --fqdn is the fully qualified domain name for the client computer.

Command
/opt/pbis/bin/update-dns

Examples

Register an IP address:


/opt/pbis/bin/update-dns --ipaddress 192.168.100.4 --fqdn bvt-deb50664.lampi.centeris.com

If your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the
command once with multiple instances of the ipaddress option:
/opt/pbis/bin/update-dns --fqdn corp.example.com --ipaddress 192.168.100.4
--ipaddress 192.168.100.7 --ipaddress 192.168.100.9

To troubleshoot, add the loglevel option with the debug parameter:


/opt/pbis/bin/update-dns --loglevel debug --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7

Manage the AD Cache (ad-cache)


This command manages the PBIS cache for Active Directory users and groups on Linux and Unix
computers.

Syntax
/opt/pbis/bin/ad-cache

You can use the command to clear the cache. The command's arguments can delete from the cache a
user, a group, or all users and groups.

Example
Deletes all the users and groups from the cache.
/opt/pbis/bin/ad-cache --delete-all

Tip: To reclaim disk space from SQLite after you clear the cache when you are using the non-default
SQLite caching option, execute the following command as root, replacing fqdn with your fully qualified
domain name:
/opt/pbis/bin/sqlite3 /var/lib/pbis/db/lsass-adcache.filedb.fqdn vacuum

You can also use the ad-cache command to enumerate users in the cache, which may be helpful in
troubleshooting. Example:
[root@rhel5d bin]# ./ad-cache --enum-users
TotalNumUsersFound: 0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password:
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name:     EXAMPLE\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/EXAMPLE/hab
TotalNumUsersFound: 1
[root@rhel5d bin]#

On Mac OS X
On a Mac OS X computer, clear the DirectoryService cache (not the PBIS cache) by running the following
command with superuser privileges in Terminal:
dscacheutil -flushcache

Join or Leave a Domain (domainjoin-cli)


domainjoin-cli is the command-line utility for joining or leaving a domain.

Command
/opt/pbis/bin/domainjoin-cli
The domainjoin-cli command-line interface includes the following options:

Option                  Description                                    Example
--help                  Displays the command-line options and          domainjoin-cli --help
                        commands.
--help-internal         Displays a list of the internal debugging      domainjoin-cli --help-internal
                        and configuration commands.
--logfile {. | path}    Generates a log file or prints the log to      domainjoin-cli --logfile /var/log/domainjoin.log join example.com Administrator
                        the console.                                   domainjoin-cli --logfile . join example.com Administrator

Basic Commands
The domain join command-line interface includes the following basic commands:

Command                     Description                                                  Example
query                       Displays the hostname, current domain, and distinguished     domainjoin-cli query
                            name, which includes the OU to which the computer belongs.
                            If the computer is not joined to a domain, it displays
                            only the hostname.
setname computerName        Renames the computer and modifies the /etc/hosts file        domainjoin-cli setname RHEL44ID
                            with the name that you specify.
fixfqdn                     Fixes a computer's fully qualified domain name.              domainjoin-cli fixfqdn
join [--ou                  Joins the computer to the domain that you specify by         domainjoin-cli join --ou Engineering example.com Administrator
organizationalUnit]         using the account that you specify. You can use the
domainName userName         --ou option to join the computer to an OU within the
                            domain by specifying the path to the OU and the OU's
                            name. When you use this option, you must use an account
                            that has membership in the Domain Administrators
                            security group. The path to the OU is top down.
join --notimesync           Joins the computer to the domain without synchronizing       domainjoin-cli join --notimesync example.com Administrator
                            the computer's time with the domain controller's. When
                            you use this option, the sync-system-time value for
                            lsass is set to no.
leave [userName]            Removes the computer from the Active Directory domain.       domainjoin-cli leave
                            If the userName is provided, the computer account is         domainjoin-cli leave [email protected]
                            disabled in Active Directory.

Advanced Commands
The command-line interface includes advanced commands that you can use to:
- Preview the stages of joining or leaving a domain
- Check configurations required for your system
- View information about a module that will be changed
- Configure a module such as nsswitch
- Enable or disable a module.

The advanced commands can be used for troubleshooting issues while configuring a Linux or Unix
computer to work with Active Directory.
Review the Domain Join Dataflow diagram to see how systems interact when you join a domain.

Preview the Stages of the Domain Join for Your Computer


Run the command to preview the domain, DNS name, and configuration stages that will be used to join a
computer to a domain.

Command
domainjoin-cli join --preview domainName

Example
domainjoin-cli join --preview example.com

Here is an example of the results, which can vary by computer:


[root@rhel4d bin]# domainjoin-cli join --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
The following stages are currently configured to be run during the domain join:
join       - join computer to AD
krb5       - configure krb5.conf
nsswitch   - enable/disable PowerBroker Identity Services nsswitch module
start      - start daemons
pam        - configure pam.d/pam.conf
ssh        - configure ssh and sshd

Check Required Configurations


To list the modules that apply to your operating system, including those modules that will not be run,
execute either the following join or leave command.

Command
domainjoin-cli join --advanced --preview domainName
domainjoin-cli leave --advanced --preview domainName

Example
domainjoin-cli join --advanced --preview example.com

The result varies by computer:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop                - stop daemons
[F] hostname                - set computer hostname
[F] keytab                  - initialize kerberos keytab
[X] [N] join                - join computer to AD
[X] [N] nsswitch            - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] cache               - manage caches for this host
[X] [N] start               - start daemons
[X] [N] krb5                - configure krb5.conf
[F] bash                    - fix bash prompt for backslashes in usernames
[X] [N] pam                 - configure pam.d/pam.conf
[X] [S] ssh                 - configure ssh and sshd
[F] DDNS                    - Configure Dynamic DNS Entry for this host
Key to flags
[F]ully configured          - the system is already configured for this step
[S]ufficiently configured   - the system meets the minimum configuration requirements for this step
[N]ecessary                 - this step must be run or manually performed.
[X]                         - this step is enabled and will make changes
[]                          - this step is disabled and will not make changes
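As an added illustration (not code from the PBIS guide or from BeyondTrust), the following POSIX shell script reads the output of the advanced preview and reports which steps are flagged necessary, so you can see which system files a join will touch before running it, and which necessary steps have been disabled and would make the join fail unless configured by hand. The sample output is constructed in the format shown above, with the pam step disabled to exercise the second check; in practice you pipe the real command's output into the functions.

```shell
#!/bin/sh
# Added example (not part of the PBIS guide): parse the output of
#   domainjoin-cli join --advanced --preview <domain>
# and report which steps will change the system. Pipe the real command's
# output into the functions; the sample below is constructed in the format
# the guide shows, with the pam step disabled (as after "--disable pam") to
# exercise the "necessary but disabled" case.

SAMPLE_PREVIEW='Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop                - stop daemons
[F] hostname                - set computer hostname
[F] keytab                  - initialize kerberos keytab
[X] [N] join                - join computer to AD
[X] [N] nsswitch            - enable/disable PowerBroker Identity Services nsswitch module
[X] [N] cache               - manage caches for this host
[X] [N] start               - start daemons
[X] [N] krb5                - configure krb5.conf
[F] bash                    - fix bash prompt for backslashes in usernames
[ ] [N] pam                 - configure pam.d/pam.conf
[X] [S] ssh                 - configure ssh and sshd
[F] DDNS                    - Configure Dynamic DNS Entry for this host
Key to flags
[F]ully configured          - the system is already configured for this step'

# Read preview output on stdin and print one "name state enabled" line per
# step, e.g. "join N yes". State is F, S or N; enabled is yes or no.
# Parsing stops at the "Key to flags" legend.
parse_preview_steps() {
    awk '
        /^Key to flags/ { exit }
        /^\[/ {
            enabled = "no"; state = ""; name = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "[X]")                enabled = "yes"
                else if ($i ~ /^\[[FSN]\]$/)    state = substr($i, 2, 1)
                else if ($i == "[]" || $i == "[" || $i == "]") continue
                else { name = $i; break }
            }
            if (name != "") print name, state, enabled
        }'
}

# Steps that are necessary ([N]) and enabled ([X]): the join will modify
# system files for each of these.
necessary_changes() {
    parse_preview_steps | awk '$2 == "N" && $3 == "yes" { print $1 }'
}

# Steps that are necessary but disabled: unless configured by hand, the join
# will fail (see the note under "Turn Off a Domain-Join Module").
necessary_but_disabled() {
    parse_preview_steps | awk '$2 == "N" && $3 == "no" { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
echo "Steps that will change this system:"
printf '%s\n' "$SAMPLE_PREVIEW" | necessary_changes
echo "Necessary steps that are disabled:"
printf '%s\n' "$SAMPLE_PREVIEW" | necessary_but_disabled
```

To use it against a real host, replace the sample with `domainjoin-cli join --advanced --preview example.com | necessary_changes`; the legend at the end of the real output is skipped the same way.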


View Details about a Module


The PBIS domain join tool includes the following modules, the components and services that the tool
must configure before it can join a computer to a domain:

Module      Description
join        Joins the computer to Active Directory
leave       Deletes the machine account in Active Directory
dsplugin    Enables the PBIS directory services plugin on a Mac computer
stop        Stops services so that the system can be configured
start       Starts services after configuration
firewall    Opens ports to the domain controller
hostname    Sets the computer hostname
krb5        Configures krb5.conf
pam-mode    Switches authentication from LAM to PAM
nsswitch    Enables or disables PBIS nsswitch module
pam         Configures pam.d and pam.conf
lam-auth    Configures LAM for Active Directory authentication
ssh         Configures ssh and sshd
bash        Fixes the bash prompt for backslashes in usernames
gdm         Fixes gdm presession script for spaces in usernames

Run the following command to see the modules that must be configured on your computer:
domainjoin-cli join --advanced --preview domainName

Run one of the following commands to view more information about a module:
domainjoin-cli join --details module domainName joinAccount
domainjoin-cli leave --details module domainName joinAccount

Example
domainjoin-cli join --details nsswitch example.com Administrator

The result varies depending on your system's configuration:

domainjoin-cli join --details nsswitch example.com Administrator
[X] [N] nsswitch            - enable/disable PowerBroker Identity Services nsswitch module
Key to flags
[F]ully configured          - the system is already configured for this step
[S]ufficiently configured   - the system meets the minimum configuration requirements for this step
[N]ecessary                 - this step must be run or manually performed.
[X]                         - this step is enabled and will make changes
[]                          - this step is disabled and will not make changes

Details for 'enable/disable PowerBroker Identity Services nsswitch module':
The following steps are required and can be performed automatically:
* Edit nsswitch apparmor profile to allow libraries in the /opt/pbis/lib
  and /opt/pbis/lib64 directories
* List lwidentity module in /usr/lib/security/methods.cfg (AIX only)
* Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or
  /etc/netsvc.conf
If any changes are performed, then the following services must be restarted:
* GDM
* XDM
* Cron
* Dbus
* Nscd

Turn Off a Domain-Join Module


You can turn off a module when you join or leave a domain.
Disabling a module can be useful in cases where a module has been manually configured or in cases
where you must ensure that certain system files will not be modified.
Note: If you disable a necessary module and you have not manually configured it, the domain join utility
will not join your computer to the domain.
You can use either join or leave.
domainjoin-cli join --disable module domainName accountName
domainjoin-cli leave --disable module domainName accountName

Example
domainjoin-cli join --disable pam example.com Administrator

Turn on a Domain-Join Module


You can turn on a module when you join or leave a domain.

Command
domainjoin-cli join --enable module domainName accountName

Example
domainjoin-cli join --enable pam example.com Administrator

Configuration and Debugging Commands


The domainjoin-cli tool includes commands for debugging the domain-join process and for
configuring or preconfiguring a module.


For example, run the configure command to preconfigure a system before you join a domain, a useful
strategy when you are deploying PBIS in a virtual environment and you need to preconfigure the
nsswitch, ssh, or PAM module of the target computers to avoid restarting them after they are added to
the domain.

Example with nsswitch


domainjoin-cli configure --enable nsswitch

Help Syntax
domainjoin-cli --help-internal
fixfqdn
configure {--enable | --disable } pam [--testprefix <dir>]
configure {--enable | --disable } nsswitch [--testprefix <dir>]
configure {--enable | --disable } ssh [--testprefix <dir>]
configure {--enable | --disable } [--testprefix <dir>] [--long <longdomain>] [--short <shortdomain>] krb5
configure {--enable | --disable } firewall [--testprefix <dir>]
configure {--enable | --disable } eventfwd
configure {--enable | --disable } reapsysl
get_os_type
get_arch
get_distro
get_distro_version
raise_error <error code | error name | 0xhex error code>

Display NIS Map (ypcat)


This command is the PBIS Network Information Services (NIS) ypcat function for the group, passwd, and
netgroup maps.

Command
/opt/pbis/bin/ypcat

Example
/opt/pbis/bin/ypcat -d example.com -k map-name

Display the Value of a Key in an NIS Map (ypmatch)


This command is the PBIS Network Information Services (NIS) ypmatch function for the group, passwd, and
netgroup maps.

Command
/opt/pbis/bin/ypmatch

Example
/opt/pbis/bin/ypmatch -d example.com -k key-name map-name


Modify Objects in AD (adtool)


PBIS Enterprise includes a tool to modify objects in Active Directory. Using the tool, you can:
- Query and modify objects in Active Directory.
- Find and manage objects in PowerBroker cells.

Command
/opt/pbis/bin/adtool

Help Syntax
/opt/pbis/bin/adtool --help -a

Example Help Output

[root@rhel5d bin]# ./adtool --help -a
List of Actions
Generic Active Directory actions:
-------------------------------
add-to-group - add a domain user/group to a security group.
delete-object - delete an object.
disable-user - disable a user account in Active Directory.
enable-user - enable a user account in Active Directory.
unlock-account - unlock user or computer account.
lookup-object - retrieve object attributes.
move-object - move/rename an object.
new-computer - create a new computer object.
new-group - create a new global security group.
new-ou - create a new organizational unit.
new-user - create a new user account.
remove-from-group - remove a user/group from a security group.
reset-user-password - reset user's password.
search-computer - search for computer objects, print DNs.
search-group - search for group objects, print DNs.
search-object - search for any type of objects using LDAP filter.
search-ou - search for organizational units, print DNs
search-user - search for users, print DNs.
PowerBroker cell management actions:
-------------------------------
add-to-cell - add user/group to a PowerBroker cell.
delete-cell - delete a PowerBroker cell.
edit-cell - modify PowerBroker cell properties.
edit-cell-group - modify properties of a cell's group.
edit-cell-user - modify properties of a cell's user.
link-cell - link PowerBroker cells.
lookup-cell - retrieve PowerBroker cell properties.
lookup-cell-group - retrieve properties of cell's group.
lookup-cell-user - retrieve properties of cell's user.
new-cell - create a new PowerBroker cell.
remove-from-cell - remove user/group from a PowerBroker cell.
search-cells - search for PowerBroker cells.
unlink-cell - unlink PowerBroker cells.

To get information about the options for each action, use the following syntax:
/opt/pbis/bin/adtool --help -a <ACTION>

Here is an example with the information that is returned:

/opt/pbis/bin/adtool --help -a new-user
Usage: adtool [OPTIONS] (-a |--action) new-user <ARGUMENTS>
new-user - create a new user account.
Acceptable arguments ([X] - required):
  --dn=STRING                  DN/RDN of the parent container/OU containing the user. (use '-' for stdin input)
  --cn=STRING                  Common name (CN) of the new user. (use '-' for stdin input)
  --logon-name=STRING          Logon name of the new user. (use '-' for stdin input) [X]
  --pre-win-2000-name=STRING   Pre Windows-2000 logon name.
  --first-name=STRING          First name of the new user.
  --last-name=STRING           Last name of the new user.
  --description=STRING         Description of the user.
  --password=STRING            User's password. (use '-' for stdin input)
  --no-must-change-password    User is not required to change the password at next logon. If
                               omitted user must change password at next logon unless
                               "--no-password-expires" option is specified.
  --no-password-expires        The password never expires. If omitted - user must change
                               password on next logon.
  --account-enabled            User account will be enabled. By default it is disabled on
                               creation

Using the Tool


Privileges: The adtool provides similar features as native Microsoft Active Directory tools. When using
adtool, be sure to use an account that has appropriate permissions in place to apply changes to Active
Directory objects.
For example, to add a user to a security group, you must be a member of a security group that is
permitted to do so, such as the Enterprise Administrators security group.
For more information on Active Directory privileges, permissions, and security groups, see the following
references on the Microsoft TechNet website:
- Active Directory Privileges
- Active Directory object permissions
- Active Directory Users, Computers, and Groups
- Securing Active Directory Administrative Groups and Accounts

Options: There are short and long options. You separate arguments from options with either a space or
an equal sign. If you are not sure about the results of an action you want to execute, run it in read-only
mode first (-r). It can also be useful to set the log level to TRACE (-l 5) to see all the execution steps the
tool is taking.


Authentication: SSO by default if the computer is domain-joined. Otherwise, KRB5 via a cached ticket,
keytab file, or name/password (unless secure authentication is turned off with --no-sec).
Name resolution: In most cases you can reference objects by FQDN, RDN, UPN, or just names that make
sense for a specific action. Use - if you want the tool to read values from stdin. This allows you to
combine commands via pipes, e.g. search and lookup actions.
Multi-forest support: You can reference an object from a name context (forest) different from the one
you are currently connected to, provided that there is a proper trust relation between them. In this way,
for instance, you can add a user from one forest to a cell defined in another forest.
Creating a New Cell: When you create a new cell, the tool adds the default primary group (domain
users) to the cell. If you are adding a user to the cell and the user has a primary group different from the
default group, which is an atypical case, you must add the primary group to the cell, too. The tool does
not do it automatically.
Adding Users or Groups Across Domains: If you are adding a user or group to a cell, and the user or
group is in a domain different from the one hosting the cell, you must use an account that has write
permissions in the cell domain and at least read permissions in the domain hosting the user or group.
For example, you want to add a user such as CORP\kathy, whose primary group is, say, domain users, to
a cell in a domain named CORPQA. Two conditions must be met:
- You must be authenticated to the CORPQA domain as a user with administrative rights in the
  CORPQA domain;
- Your user account must exist in the CORP domain with at least read permissions for the CORP
  domain.
Further: Since in this example the primary group of CORP\kathy is CORP\domain users, you must add
CORP\domain users to the cell in the CORPQA domain, too.
Automating Commands with a Service Account: To run the tool under a service account, such as a
cron job, avoid using krb5 tickets for authentication, especially those cached by the PBIS authentication
service in the /tmp directory. The tickets may expire and the tool will not renew them. Instead, it is
recommended that you create an entry for the service account in a keytab file and use the keytab file for
authentication.
Working with a Default Cell: The tool uses the default cell only when the value of the dn parameter is
the root naming context, such as when you use an expression like --dn
DC=corp,DC=example,DC=com to represent corp.example.com.
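One way to apply the service-account recommendation above from a cron job, as an added example that is not part of the guide or of BeyondTrust's tooling: before starting adtool with a keytab, refuse to run if the keytab is readable by other users, since the file holds the account's long-term key. The keytab path /etc/pbis-svc.keytab and the principal svc-adtool@EXAMPLE.COM in the demonstration are constructed placeholders; the adtool options used (--keytab, --logon-as, --read-only, -a search-cells, --search-base) are the ones documented in this section.

```shell
#!/bin/sh
# Added example (not part of the PBIS guide): guard a scheduled adtool run
# that authenticates with a keytab, as the guide recommends for service
# accounts. A keytab holds long-term keys, so refuse to use one that other
# users can read. The keytab path and principal in demo() are constructed
# placeholders.

# Print a file's permission bits in octal (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the keytab is a regular file whose group/other bits are all
# clear (e.g. 0600 or 0400); otherwise print the reason and return 1.
keytab_is_private() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "keytab $kt: not a regular file" >&2
        return 1
    fi
    # Keep only the last three octal digits so a setuid/sticky prefix is ignored.
    mode=$(file_mode "$kt" | sed 's/.*\(...\)$/\1/')
    case $mode in
        ?00) return 0 ;;
        *)
            echo "keytab $kt: mode $mode allows group/other access" >&2
            return 1 ;;
    esac
}

# Run a command only if the keytab passes the check. The keytab path is the
# first argument; the command and its arguments follow.
run_with_private_keytab() {
    kt=$1
    shift
    keytab_is_private "$kt" || return 1
    "$@"
}

# Demonstration: a read-only cell search authenticated with the keytab, which
# only starts if the keytab is private. Paths and principal are placeholders.
demo() {
    run_with_private_keytab /etc/pbis-svc.keytab \
        /opt/pbis/bin/adtool --keytab=/etc/pbis-svc.keytab \
        --logon-as=svc-adtool@EXAMPLE.COM --read-only \
        -a search-cells --search-base DC=example,DC=com
}
```

Call demo from the cron entry once the placeholder keytab path and principal are replaced; with --read-only the first scheduled run confirms authentication works without modifying anything in the directory.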

Options
To view the tool's options and to see examples of how to use them, execute the following command:
/opt/pbis/bin/adtool --help

[root@rhel5d bin]# ./adtool --help
Usage: adtool [OPTIONS] <ACTION> [ACTION_ARGUMENTS]

HELP OPTIONS
  -u, --usage                  Display brief usage message
  -?, --help                   Show this message, help on all actions (-a), or help on a
                               specific action (-a <ACTION>).
  -v, --version                Print program version and exit.

COMMON OPTIONS
  -l, --log-level=LOG_LEVEL    Acceptable values: 1 (error), 2(warning), 3(info), 4(verbose)
                               5 (trace) (Default: warning).
  -q, --quiet                  Suppress printing to stdout. Just set the return code. printdn option makes an exception.
  -t, --print-dn               Print DNs of the objects to be looked up, modified or searched
                               for.
  -r, --read-only              Do not actually modify directory objects when executing
                               actions.

CONNECTION OPTIONS
  -s, --server=STRING          Active Directory server to connect to.
  -d, --domain=STRING          Domain to connect to.
  -p, --port=INT               TCP port number
  -m, --non-schema             Turn off schema mode

AUTHENTICATION OPTIONS
  -n, --logon-as=STRING        User name or UPN.
  -x, --passwd=STRING          Password for authentication. (use '-' for stdin input)
  -k, --keytab=STRING          Full path of keytab file, e.g. /etc/krb5.keytab
  -c, --krb5cc=STRING          Full path of krb5 ticket cache file, e.g. /tmp/krb5cc_[email protected]
  -z, --no-sec                 Turns off secure authentication. Simple bind will be used. Use
                               with caution!

ACTION
  -a, --action[=<ACTION>]      Action to execute. Type '--help -a' for a list of actions, or
                               '--help -a <ACTION>' for information on a specific action.

Try '--help -a' for a list of actions.

Examples
Here is an example that shows how to use two authentication options, logon-as and passwd, to
search Active Directory even though the computer on which the command was executed was not
connected to the domain. The account specified in the logon-as option is an Active Directory
administrative account.
root@ubuntu:/opt/pbis/bin# ./adtool -a search-cells --search-base dc=connecticut,dc=com --logon-as=Administrator --passwd=-

In this case, the successful result looked like this:


Enter password:
CN=$LikewiseIdentityCell,DC=connecticut,DC=com
CN=$LikewiseIdentityCell,OU=mySecureOU,DC=connecticut,DC=com
Total cells: 2

Here are a variety of examples. In some of them, the command is broken into two lines and the line break
is marked by a backslash (\). In such cases, the backslash is not part of the command.
Create OU in a root naming context:
adtool -a new-ou --dn OU=TestOu
Create OU in DC=department,DC=company,DC=com:
adtool -a new-ou --dn OU=TestOu,DC=department,DC=company,DC=com
Create PowerBroker cell in OU TestOU setting the default login shell property to /bin/ksh:
adtool -a new-ou --dn OU=TestOu --default-login-shell=/bin/ksh
Create a new account for user TestUser in OU=Users,OU=TestOu:
adtool -a new-user --dn OU=Users,OU=TestOu --cn=TestUserCN --logon-name=TestUser \
  --password=$PASSWD
Enable the user account:
adtool -a enable-user --name=TestUser
Reset user's password reading the password from TestUser.pwd file:
cat TestUser.pwd | adtool -a reset-user-password --name=TestUser --password=- --no-password-expires
Create a new group in OU=Groups,OU=TestOu:
adtool -a new-group --dn OU=Groups,OU=TestOu --pre-win-2000-name=TestGroup --name=TestGroup
Look up "description" attribute of an OU specified by name with a wildcard:
adtool -a search-ou --name='*RootOu' -t | adtool -a lookup-object --dn=- --attr=description
Look up "unixHomeDirectory" attribute of a user with samAccountName TestUser:
adtool -a search-user --name TestUser -t | adtool -a lookup-object --dn=- --attr=unixHomeDirectory
Look up "userAccountControl" attribute of a user with CN TestUserCN:
adtool -a search-user --name CN=TestUserCN -t | adtool -a lookup-object --dn=- --attr=userAccountControl
Look up all attributes of an AD object using filter-based search:
adtool -a search-object --filter '(&(objectClass=person)(displayName=TestUser))' \
  -t | adtool -a lookup-object
Add user TestUser to group TestGroup:
adtool -a add-to-group --user TestUser --to-group=TestGroup
Add group TestGroup2 to group TestGroup:
adtool -a add-to-group --group TestGroup2 --to-group=TestGroup
Remove user TestUser from group TestGroup:
adtool -a remove-from-group --user TestUser --from-group=TestGroup
Rename AD object OU=OldName and move it to a new location:
adtool -a move-object --from OU=OldName,DC=department,DC=company,DC=com \
  --to OU=NewName,OU=TestOU,DC=department,DC=company,DC=com
Add group TestGroup to PowerBroker cell in TestOU:
adtool -a add-to-cell --dn OU=TestOU,DC=department,DC=company,DC=com --group=TestGroup
Remove user TestUser from PowerBroker cell in TestOU:
adtool -a remove-from-cell --dn OU=TestOU,DC=department,DC=company,DC=com --user=TestUser

Search for cells in a specific location:
adtool -a search-cells --search-base OU=department,DC=country,DC=company,DC=com
Link cell in OU=TestOU1 to the default cell in DC=country:
adtool -a link-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com \
  --target-dn DC=country,DC=company,DC=com
Unlink cell in OU=TestOU1 from the default cell in DC=country:
adtool -a unlink-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com \
  --target-dn DC=country,DC=company,DC=com
Change the default login shell property of PowerBroker cell in TestOU:
adtool -a edit-cell --dn OU=TestOU --default-login-shell=/bin/csh
Find cells linked to PowerBroker cell in OU=TestOU,DC=department,DC=company,DC=com:
adtool -a lookup-cell --dn OU=TestOU --linked-cells
Look up login shell property of user TestUser in cell created in TestOU:
adtool -a lookup-cell-user --dn OU=TestOU --user TestUser --login-shell
Change login shell property of user TestUser in cell created in TestOU:
adtool -a edit-cell-user --dn OU=TestOU --user TestUser --login-shell=/usr/bin/ksh
Delete a cell object and all its children if any (--force):
adtool -a delete-object --dn OU=TestOU --force
Search for PowerBroker cells in root naming context containing user TestUser:
adtool -a search-cells --user TestUser

Copy Files Across Disparate Operating Systems (lwio-copy)


The lwio-copy command-line utility lets you copy files across computers running different operating
systems. You can, for example, copy files from a Linux computer to a Windows computer.
There are two prerequisites to use lwio-copy:
- The lwio service must be running
- The rdr driver must be available as specified by the registry. By default, the rdr driver is available:
  /opt/pbis/lib/lwio-driver/rdr.so

Commands
/opt/pbis/bin/lwio-copy

Modify Local Accounts


The PBIS local authentication provider for local users and groups includes a full local authentication
database. With functionality similar to the local SAM authentication database on every Windows
computer, the local authentication provider lets you create, modify, and delete local users and groups on
Linux, Unix, and Mac OS X computers by using the following commands.
To execute the commands that modify local accounts, you must use either the root account or an
account that has membership in the local administrators group. The account can be an Active Directory
account if you manually add it to the local administrators group. For example, you could add the Domain
Administrators security group from Active Directory to the local administrators group, and then use an
account with membership in the Domain Administrators security group to execute the commands.
Note: To authenticate a local provider user before the machine is joined to a domain, you must run the
following commands to enable pam and nsswitch:
domainjoin-cli configure --enable nsswitch
domainjoin-cli configure --enable pam

Add a Local User (add-user)


This command adds a user to the local authentication database.

Command
/opt/pbis/bin/add-user

Add a Local Group Member (add-group)


This command adds a group member to the local authentication database.

Command
/opt/pbis/bin/add-group

Remove a Local User (del-user)


This command deletes a user from the local authentication database.

Command
/opt/pbis/bin/del-user


Remove a Local Group (del-group)


This command deletes a group from the local authentication database.

Command
/opt/pbis/bin/del-group

Modify a Local User (mod-user)


This command modifies a user's account settings in the local authentication database, including an
account's expiration date and password. You can also enable a user, disable a user, unlock an account, or
remove a user from a group.

Command
/opt/pbis/bin/mod-user

Modify the Membership of a Local Group (mod-group)


This command adds members to or removes members from a group in the local authentication
database.

Command
/opt/pbis/bin/mod-group

Example
Add domain accounts to a local group.
/opt/pbis/bin/mod-group --add-members DOMAIN\\Administrator
BUILTIN\\Administrators

Kerberos Commands
PowerBroker Identity Services includes several command-line utilities for working with Kerberos. It is
recommended that you use these Kerberos utilities, located in /opt/pbis/bin, to manage those
aspects of Kerberos authentication that are associated with PBIS. For complete instructions on how to
use the Kerberos commands, see the man page for the command.

Destroy the Kerberos Ticket Cache (kdestroy)


The kdestroy utility destroys the user's active Kerberos authorization tickets obtained through
PowerBroker Identity Services. Destroying the user's tickets can help solve logon problems.
Note: This command destroys only the tickets in the PBIS Kerberos cache of the user account that is
used to execute the kdestroy command; tickets in other Kerberos caches, including root's, are
not destroyed. To destroy another user's cache, use the command with its -c option.

Command
/opt/pbis/bin/kdestroy

Help Syntax
/opt/pbis/bin/kdestroy -

View Kerberos Tickets (klist)


On a target Linux or Unix computer, you can see a list of Kerberos tickets.
The command lists the location of the credentials cache, the expiration time of each ticket, and the flags
that apply to the tickets. For more information, see the man page for klist.

Command
/opt/pbis/bin/klist

Because PowerBroker Identity Services includes its own Kerberos 5 libraries (in /opt/pbis/lib), you
must use the PBIS klist command by either changing directories to /opt/pbis/bin or including the
path in the command.

Example
-sh-3.00$ /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_593495191
Default principal: [email protected]
Valid starting     Expires            Service principal
07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/[email protected]
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.EXAMPLE.COM@
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/[email protected]
        renew until 07/23/08 04:07:23
07/22/08 16:06:40  07/23/08 02:06:39  [email protected]
        renew until 07/23/08 04:07:23
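As an added example that is not part of the guide, the POSIX shell script below parses klist output in the layout shown above and lists the tickets that have already expired at a given reference time, which is the first thing to check when a logon that used to work starts failing or when a scheduled job relying on cached tickets stops running (see the service-account note under adtool). The cache contents are constructed in the guide's format; the principals are placeholders.

```shell
#!/bin/sh
# Added example (not part of the PBIS guide): read "klist" output and list
# the tickets that have already expired at a given reference time. The
# sample below is constructed in the format the guide shows; the principals
# are placeholders. Pipe the real "/opt/pbis/bin/klist" output instead.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_593495191
Default principal: user@EXAMPLE.COM
Valid starting     Expires            Service principal
07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.example.com@EXAMPLE.COM
        renew until 07/23/08 04:07:23
07/22/08 16:06:40  07/23/08 01:00:00  ldap/dc1.example.com@EXAMPLE.COM'

# Convert "MM/DD/YY HH:MM:SS" (the klist layout above) into a sortable key
# "YYYYMMDDHHMMSS"; two-digit years are taken as 20YY.
klist_key() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, d, "/"); split($2, t, ":")
        printf "20%s%s%s%s%s%s\n", d[3], d[1], d[2], t[1], t[2], t[3]
    }'
}

# Read klist output on stdin and print "<service principal> <expiry key>"
# for every ticket whose expiry is at or before the reference date and time
# given as two arguments, e.g.: expired_tickets 07/23/08 01:30:00
expired_tickets() {
    ref=$(klist_key "$1" "$2")
    awk -v ref="$ref" '
        # Ticket lines start with a date; header and "renew until" lines do not.
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && NF >= 5 {
            split($3, d, "/"); split($4, t, ":")
            key = "20" d[3] d[1] d[2] t[1] t[2] t[3]
            if (key <= ref) print $5, key
        }'
}

# Report the state of the ticket-granting ticket at the reference time:
# "valid", "expired", or "missing" when the cache holds no krbtgt entry.
tgt_status() {
    awk -v ref="$(klist_key "$1" "$2")" '
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && $5 ~ /^krbtgt\// {
            split($3, d, "/"); split($4, t, ":")
            key = "20" d[3] d[1] d[2] t[1] t[2] t[3]
            status = (key <= ref) ? "expired" : "valid"
            print status; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Stand-alone demonstration on the constructed sample.
echo "Expired at 07/23/08 01:30:00:"
printf '%s\n' "$SAMPLE_KLIST" | expired_tickets 07/23/08 01:30:00
echo "TGT at 07/23/08 01:30:00: $(printf '%s\n' "$SAMPLE_KLIST" | tgt_status 07/23/08 01:30:00)"
```

An expired or missing TGT explains most "worked yesterday" failures; the remedy the guide gives is to clear the cache with kdestroy and re-authenticate with kinit, or, for unattended jobs, to use a keytab instead of the cache.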


Note: To address Kerberos issues, see Troubleshooting Kerberos Errors at
http://technet.microsoft.com/en-us/library/cc728430(WS.10).aspx.

Obtain and Cache a TGT (kinit)


This command obtains and caches an initial ticket-granting ticket for a principal.

Command
/opt/pbis/bin/kinit

Help Syntax
man kinit

Change a Password (kpasswd)


The kpasswd command changes a Kerberos principal's password.
On a Mac computer, use the Mac OS X UI to change a Kerberos principal's password.

Command
/opt/pbis/bin/kpasswd

Help Syntax
man kpasswd

The Keytab File Maintenance Utility (ktutil)


This command invokes a shell from which you can read, write, or edit entries in a Kerberos keytab.

Command
/opt/pbis/bin/ktutil

Syntax for Help


man ktutil

You can use ktutil to add a keytab file to a non-default location. When you join a domain, PowerBroker
Identity Services initializes a Kerberos keytab by adding the default_keytab_name setting to
krb5.conf and setting it to /etc/krb5.keytab. If the keytab file referenced in krb5.conf does not
exist, the PBIS domain-join utility changes the setting to /etc/krb5.conf.
You can set the keytab file to be in a location that is different from the default. To do so, you must
pre-create the keytab file in the location you want and set a symlink to it in /etc/krb5.keytab. Then, you
must set the default_keytab_name in /etc/krb5.conf to point to either the symlink or the real file.
The result is that the keytab file will already exist and the PBIS domain-join utility will not modify its
location setting.
The keytab format does not allow an empty keytab file, but you can use ktutil to create one manually
with a placeholder entry. When PBIS adds your computer to the domain, a correct entry will be added to
the file.


/opt/pbis/bin/ktutil
ktutil: addent -password -p nonexistent@nonexistent -k 1 -e RC4-HMAC
Password for nonexistent@nonexistent:
ktutil: wkt /var/OtherPlace/etc/krb5.keytab
ktutil: quit

Acquire a Service Ticket and Print Key Version Number (kvno)


This command acquires a service ticket for the specified Kerberos principals and prints out the key version
numbers of each.

Command
/opt/pbis/bin/kvno

Syntax for Help


man kvno

Certificates Auto Enrollment


You can manage the auto enrollment of certificates using the config tool.
For information about managing auto enrollment using GPOs, refer to the PBIS Group Policy Guide.
The following commands can be used to manage certificates and auto enrollment.
For more information about a command, run the command with --detail. For example:
/opt/pbis/bin/config --detail EnableAutoEnroll

EnableAutoEnroll
Turns on the auto enroll service.

Command
/opt/pbis/bin/config EnableAutoEnroll true

AutoEnrollPollingInterval
Using this command, set the number of seconds that pass before the computer queries the CA service.
The interval value is in seconds. The default value is 28800 seconds (8 hours).
Accepted interval values are between 300 and 65535 seconds.

Command
/opt/pbis/bin/config AutoEnrollPollInterval 300 - 65535

ManagedCertificateLifecycle
Using this command, you can renew, update, and remove certificates.
Accepted values: true, false

Command
/opt/pbis/bin/config ManagedCertificateLifecycle false

EnableWireless
Configure and enable the wireless interface.
Accepted values: true, false

Command
/opt/pbis/bin/config EnableWireless false

SSID
SSID of wireless router.

Command
root@tst-ubu1404-64:/home/testuser# /opt/pbis/bin/config SSID " "

SecurityType
The security method used for the wireless point.
0 - None
1 - WPA2-Enterprise
2 - WPA2-Personal

Command
/opt/pbis/bin/config SecurityType 1

Authentication
Name of certificate or passphrase.

Command
/opt/pbis/bin/config Authentication " "
