beyondtrust / pbis-open

BeyondTrust AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is currently archived and will no longer receive updates. If you are interested in an Enterprise version of this project, please see our AD Bridge product.

Home Page: https://www.beyondtrust.com/privilege-management/active-directory-bridge

License: Apache License 2.0

Shell 2.60% C 72.66% C++ 2.40% Objective-C 0.12% M4 0.84% Makefile 1.42% CMake 0.08% Emacs Lisp 0.01% HTML 14.17% Perl 2.90% Awk 0.03% DIGITAL Command Language 0.25% Java 0.32% XS 0.01% Clarion 0.01% Yacc 0.17% Lex 0.03% M 0.23% TeX 1.66% CSS 0.09%

pbis-open's People

Contributors

dmorash-bt, docsmooth, ebarrere, hzxie, krizex, luisdanielsc, rali-bt, rbest-bt, rboulton-bt, tackerley

pbis-open's Issues

Cannot Login with AD user

Hi,

I have installed and configured PowerBroker Identity Services Open 8.5.0.153 successfully, but I cannot log in to the Ubuntu desktop using the AD user.

Then I issued the command

$ domainjoin-cli query

I got

Name = acp-box16
Domain = DOMAIN.LOCAL
Distinguished Name = CN=ACP-BOX16,CN=Computers,DC=DOMAIN,DC=local

Also, the computer name is added to Active Directory.

I'm not sure why I cannot log in to the desktop with this AD user.

Should I configure anything on AD itself? Any help will be appreciated.

Thanks
Amal

Windows Home Folder does not get unmounted at logout

Hi there

When users log in, they have their Active Directory home folders mounted under their userfolder, with this RemoteHomeDirTemplate:
"%H/%D/%U/M-Drive"
Whenever they log out, the share is NOT unmounted; this means that all the shares from multiple users are still mounted after they log out and leave the machine.
I can't see a setting to control this in PowerBroker, and unmounting during logout works fine for other shares, which are mounted via PAM_MOUNT.
We are using the latest version of PowerBroker (8.5.2.265) on Ubuntu 16.04 with the standard Unity Desktop Environment.

Any help solving this issue is highly appreciated.

samba4 user level permissions homedir issue

Hi

I used to have a Samba 3.6 server configured with winbind to authenticate against Windows AD, and everything was fine until I migrated to Samba 4.2 and joined the domain with pbis-open.
Everything is configured fine, Samba is running, and the integration components are installed according to the PBIS manual.

The issue I found is that Samba cannot control the share with user level permissions. Home directories, for example, have 700 permissions, so the users cannot access their home dirs and receive access denied, unless I change the permissions to 755 or change the group domain^users and give it read permissions only, in which case the users have read access only.
Other shares work fine, as they are shared with group permissions only.

Another strange behavior: when I give write permissions to the group so the users can write to the home dir for testing, if I right-click and create a new folder, then 5 new folders are created: newfolder newfolder1 newfolder2 newfolder3 newfolder4
PBIS Version: pbis-open-8.5.0-153.x86_6
OS: Centos 6.8
Samba: samba4-4.2.10-7.el6_8.x86_64

I wish someone could advise on this.
Here are my configs
```
[global]
msdfs root = yes
security = ads
workgroup = DOMAIN
realm = DOMAINNAME.COM
netbios name = server01
machine password timeout = 0
log level = 10
log file = /var/log/samba/smbd.log
Kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
template homedir = /export/home/%U
max protocol = SMB2
include = /etc/samba/shares.conf
[homes]
comment = Home Directory of User %U in Doamin %D
browseable = no
writable = yes
path = /export/home/%S
create mask = 640
directory mask = 2750
```

Pbis-dump

```
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "+"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir false
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/export/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/sh"
SkeletonDirs "/etc/skel"
UserDomainPrefix "DOMAIN"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
```

Cannot join the domain

I am in the domain join group; however, I am unable to join a new system to the domain on Solaris 10.

domainjoin-cli join resldap.net [email protected]
Error: ERROR_ACCESS_DENIED [code 0x00000005]

Access is denied

-bash-3.2$ id -a
uid=1344800290(IDLDAP\vpekelis) gid=1344799233(IDLDAP\domain^users) groups=1344799233(IDLDAP\domain^users),145753179(dl^icc^admins),1344803336(IDLDAP\gg^bms^admins),145753180(dl^iccdatabaseadmins),1344803337(IDLDAP\ug^bms^admins),1344799838(IDLDAP\ug^icc^admins),1344801901(IDLDAP\sudo_ug^ews^engineer),1344801899(IDLDAP\sudo_gg^ews^engineer),1344799839(IDLDAP\ug^iccdatabaseadmins),1344803470(IDLDAP\safenet_ug^security^sync^agent),1344801903(IDLDAP\sudo_gg^system^engineer),145753278(dl^domain^join),1344801905(IDLDAP\sudo_ug^system^engineer),1344801907(IDLDAP\sudo_gg^operator^support),145753189(dl^iccsystemadmin),145755178(dl^bms^admins)

Authentication is taking more than 5 min due to token size exceeding 1024 bytes

Hi guys!!!

We're facing issues when we try to authenticate with PBIS 8.2.2-2993 in an Active Domain using users where the token size exceeds 1024 bytes. Users are able to log in to the servers, but after 5 min, which is not acceptable. We have enabled verbose mode and we are getting this cache error in the log:

20170412092522:VERBOSE:lsass:AD_OnlineQueryMemberOfForSid():lsass/server/auth-providers/ad-open-provider/online.c:4369: Cache entry for user's group membership for sid S-1-5-21-329068152-1454471165-1417001333-2254287 is incomplete

If we try with a test user with a token size lower than 1024, the user logs in very quickly. I've checked a similar issue here (group membership won't resolve completely) and we have tried the solution for it, installing the last beta PBIS version (8.5.3) that fixes BUG 84274 - fix group membership lookup for ldap queries in PBIS Open, but it doesn't work either.

It's not a solution to reduce group membership for users because we're not the Domain administrator and they're based in very complicated Company policies.

Any suggestions?
Thx in advance.

Upgrade overwrote files in /etc/pam.d/

I am running Ubuntu 16.04.1 LTS with recent PBIS software (installed from the PPA), and recently received updates to versions:

  • pbis-open-upgrade 8.5.2.265
  • pbis-open 8.5.2.265

After this, no domain logins worked any more. Local logins worked fine. After some debugging, I found that several files in /etc/pam.d/ had been replaced when I updated some packages. The offending files included:

  • /etc/pam.d/common-account
  • /etc/pam.d/common-auth
  • /etc/pam.d/common-password
  • /etc/pam.d/common-session
  • /etc/pam.d/common-session-noninteractive

All these files had been renamed to *.lwidentity.orig (which sounds like it has something to do with likewise) and had been replaced with files without any reference to pam-lsass. When I reinstated all the *.lwidentity.orig files, domain users immediately started working again.

All the *.lwidentity.orig files are dated 2 Jan 2017, 15:57:17. Reading /var/log/apt/term.log, I see from the latest update:

Log started: 2017-01-02  15:56:54
(Reading database ...)
<snip>
Setting up pbis-open-upgrade (8.5.2.265)
Setting up pbus-open (8.5.2.265)
Importing registry...

<snip>
Log ended: 15:57:34

Problem with site in trusted domain

We have a Linux Red Hat server joined to the domain test.at. This domain has a trusted domain ooe. Powerbroker recognises this domain, but it can't add it properly because of the site name.
The server is in SITE1, but this site doesn't exist in the trusted domain ooe.

The debugging messages are:
lsass: [lsass] Ignoring failure enumerating trusts for forest ooe.at. Error was DNS_ERROR_BAD_PACKET (9502)
VERBOSE:netlogon: DNS lookup for '_ldap._tcp.SITE1._sites.dc._msdcs.ooe.at' failed with errno 0, h_errno = 1

When I use the following command, I get the same error:
/opt/pbis/bin/get-dc-name rbgooe.at --site SITE1 # and the same error without --site
Failed communication with the LWNET Agent. Error code 9502 (DNS_ERROR_BAD_PACKET).
A bad packet was received from a DNS server. Potentially the requested address does not exist.

but with /opt/pbis/bin/get-dc-name ooe.at --site SITE2 (this site exists in the trusted domain) the result looks ok:
Printing LWNET_DC_INFO fields:

dwDomainControllerAddressType = 23
dwFlags = 12669
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = *.ooe.at
pszDomainControllerAddress = ..
.

pucDomainGUID(hex) = ******
pszNetBIOSDomainName = OOE
pszFullyQualifiedDomainName = ooe.at
pszDnsForestName = ooe.at
pszDCSiteName = SITE2
pszClientSiteName = SITE1
pszNetBIOSHostName = ***
pszUserName =

/opt/pbis/bin/get-dc-list ooe.at also works fine and lists the three DCs correctly

I think the problem is situated in lwnet-dns.c:

    /* ... */
    if (IsNullOrEmptyString(pszSiteName))
    {
        dwError = LwAllocateStringPrintf(&question,
                                         "%s._tcp.%s._msdcs.%s",
                                         service, kind,
                                         pszDomainName);
        BAIL_ON_LWNET_ERROR(dwError);
    }
    else
    {
        dwError = LwAllocateStringPrintf(&question,
                                         "%s._tcp.%s._sites.%s._msdcs.%s",
                                         service, pszSiteName, kind,
                                         pszDomainName);
        /* when this doesn't work it would help to try it with an empty site like in the then-branch */
        BAIL_ON_LWNET_ERROR(dwError);
    }
    /* ... */

Windows looks for the site and if it is not found it looks in ldap._tcp.dc._msdcs.ooe.at where it can find a DC (this is called site affinity). I think it would work for Powerbroker too, when lwnet-dns.c is changed like mentioned above.

Is there a chance to get a fix for this problem?

I've tried it with the latest Powerbroker-Release 8.5.3.

nslookup:
nslookup -type=any _ldap._tcp.dc._msdcs.ooe.at
Server: .......
Address: .......

_ldap._tcp.dc._msdcs.ooe.at service = 0 100 389 dc03.ooe.at.
_ldap._tcp.dc._msdcs.ooe.at service = 0 100 389 dc02.ooe.at.
_ldap._tcp.dc._msdcs.ooe.at service = 0 100 389 dc01.ooe.at.
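
The site-less fallback proposed in this issue, as an added example that is not part of the original post or of the PBIS source tree. The function names, the `srv_lookup_fn` resolver hook and the sample zone are assumptions constructed for illustration; the two query formats are the ones quoted from lwnet-dns.c above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define QUESTION_MAX 256

/* Hypothetical resolver hook: returns 0 when the SRV name has records. */
typedef int (*srv_lookup_fn)(const char *question, void *ctx);

/* Format one SRV question. A NULL or empty site gives the site-less form.
 * Returns 0 on success, -1 on missing input or if the name was truncated. */
static int build_srv_question(char *out, size_t outlen,
                              const char *service, const char *kind,
                              const char *site, const char *domain)
{
    int n;

    if (!out || !service || !kind || !domain || !*domain)
        return -1;
    if (!site || !*site)
        n = snprintf(out, outlen, "%s._tcp.%s._msdcs.%s",
                     service, kind, domain);
    else
        n = snprintf(out, outlen, "%s._tcp.%s._sites.%s._msdcs.%s",
                     service, site, kind, domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Ask for the client's site first; if that name does not resolve, retry
 * without a site instead of failing the whole discovery.
 * Returns the number of lookups performed (1 or 2) and leaves the question
 * that answered in `out`; returns -1 (and an empty `out`) if none answered. */
static int locate_srv_with_fallback(char *out, size_t outlen,
                                    const char *service, const char *kind,
                                    const char *site, const char *domain,
                                    srv_lookup_fn lookup, void *ctx)
{
    int attempts = 0;

    if (!lookup)
        return -1;
    if (site && *site) {
        if (build_srv_question(out, outlen, service, kind, site, domain) != 0)
            return -1;
        attempts++;
        if (lookup(out, ctx) == 0)
            return attempts;          /* site-specific record exists */
    }
    if (build_srv_question(out, outlen, service, kind, NULL, domain) != 0)
        return -1;
    attempts++;
    if (lookup(out, ctx) == 0)
        return attempts;              /* any DC in the domain */
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

/* Constructed sample zone mirroring the report: the trusted domain ooe.at
 * publishes a site-less record and SITE2, but nothing for SITE1. */
static const char *const sample_zone[] = {
    "_ldap._tcp.dc._msdcs.ooe.at",
    "_ldap._tcp.SITE2._sites.dc._msdcs.ooe.at",
};

/* DNS names compare case-insensitively (ASCII). */
static int dns_name_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* Stand-in for a real resolver: looks the name up in sample_zone. */
static int sample_lookup(const char *question, void *ctx)
{
    size_t i;

    (void)ctx;
    for (i = 0; i < sizeof(sample_zone) / sizeof(sample_zone[0]); i++)
        if (dns_name_equal(question, sample_zone[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *sites[] = { "SITE1", "SITE2", NULL };
    char question[QUESTION_MAX];
    size_t i;

    for (i = 0; i < 3; i++) {
        int attempts = locate_srv_with_fallback(question, sizeof(question),
                                                "_ldap", "dc", sites[i],
                                                "ooe.at", sample_lookup, NULL);
        printf("site=%s attempts=%d question=%s\n",
               sites[i] ? sites[i] : "(none)", attempts, question);
    }
    return 0;
}
```

With the fallback, a client in SITE1 costs one extra query against ooe.at and then gets a DC from anywhere in the domain, so the returned DC is not guaranteed to be a nearby one.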

Service Manager Start Up Issue

The lwsmd.service file used to start the lwsmd service on boot does not always (rarely, if ever in my case) successfully contact the AD server on startup. This is due to a race condition between the service starting and the network card becoming fully online. The existing systemd service file is:

[Unit]
Description=BeyondTrust PBIS Service Manager
After=network.target 

[Service]
Type=forking
ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon 
ExecReload=/opt/pbis/bin/lwsm refresh
ExecStop=/opt/pbis/bin/lwsm shutdown
# We want systemd to give lwsmd some time to finish gracefully, but still want
# it to kill lwsmd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill lwsmd. We are sending useless SIGCONT here to give
# lwsmd time to finish.
KillSignal=SIGCONT
PrivateTmp=false

[Install]
WantedBy=multi-user.target nss-lookup.target

A fix is to change the "After" line to read:

After=network-online.target

This forces the service to wait until the network service reports fully online. As described at https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/, the network.target has little meaning. The network-online.target is stronger relating to a NIC at least acquiring a route-able IP.

Even with the fix, occasionally the service will still fail, probably due to a lingering race condition between reporting online and actually being able to resolve network services.

Error running /opt/pbis/bin/config commands

I'm trying to setup pbis-open 8.5.1-206 on a CentOS 7 x64 server and the following happens:

/opt/pbis/bin/config AssumeDefaultDomain true

Problem executing '/opt/pbis/bin/ad-cache --delete-all >/dev/null 2>/dev/null'
Error: Error returned by external program

Any ideas? Other sites show this was a bug in earlier versions. Maybe a regression?

lsa_Lookup_Sids hanging?

Hi,

I have a directory on my Linux server which contains 18 files, all of these files are owned by different users in a trusted Windows 2008 domain. Some of these files are owned by users whose accounts have been deleted from the trusted Windows domain and therefore are not in the local PowerBroker cache or cannot be enumerated (or should I say, it requires a lookup request each time a directory listing is performed "ls -la").

After performing a TCP capture I can see that each time a "ls -la" is performed on this directory an SMB request (lsa_Lookup_Sids) is sent to the domain controller to try and resolve the UID to a friendly username. Obviously a friendly username is never returned because the user does not exist and the long listing just shows the UID, this is not a problem and expected behavior.

The problem occurs if you run the directory listing "ls -la" a few times one after another: eventually the console (ssh session) will hang (ctrl + c, nothing works) and no directory listing or anything is returned until 300 seconds later, when the TCP (SMB) session times out and a new SMB session is established; then all of a sudden the session comes to life and the directory listing is displayed.

Your answer might be to remove the files owned by orphaned users but I have really simplified my description of the issue because this is happening across an estate of ~30 servers with many different directories and keeping on top of this would be an admin nightmare, so the real answer would be to address why this is hanging when lsa_Lookup_Sids are sent to the DC?

Is there any debugging / logging we can enable to see what the process is doing when these directory long listings are issued?
Are there any ways to address orphaned files (where the user has been deleted) so that we don't have the expensive lsa_Lookup_Sids being run every time a process / user requests a directory?

Client OS:
Red Hat Enterprise Linux Server release 6.6

PB open version:
Compiled daemon version: 8.3.0.3287
Packaged product version: 8.3.3287.68880

DC OS:
Windows 2008 R2 STD with one way transitive trust relationship

Thanks for your time,

auto generated keytab file entries

Hi
I'm trying to understand how pbis works with krb5 and how it generates the keytab file when joining the domain, because I can see entries like host/fqdn@realm and cifs/fqdn@realm in the krb5.keytab.
Is there a way to control those entries, like the type of encryption and principal names?
Why only host and cifs? Why is there no HTTP?
On some old winbind hosts that had keytab files with the HTTP service in them, I found that when I used pbis to join the domain it included HTTP in the auto generated krb5.keytab.

My aim is to use pbis for Apache single sign-on. Is that possible?

Thanks
Jasem

PBIS intermittently stops working until reboot

Version: 8.3.3287.68880
OS/Distro: RHEL 7.2
Issue/Impact:
We have an issue where pbis every now and then stops working on a machine (maybe once or twice per month). It is different machines, no clear pattern, and it does not seem to affect more than one machine at a time.

The lsass log contains these lines around a login attempt at this time:

20170803154936:VERBOSE:lsass:LsaSrvIpcCheckPermissions():lsass/server/api/ipc_state.c:79: Permission granted for (uid = 226, gid = 226, pid = 22773) to open LsaIpcServer
20170803154936:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():lwmsg/src/peer-log.c:230: (session:a98135b6b8b0e8c5-35e60cf93e858a7e) Accepted <local euid:226 egid:226 pid:22773>
20170803154936:DEBUG:lsass:AD_ResolveProviderState():lsass/server/auth-providers/ad-open-provider/provider-main.c:583: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154936:DEBUG:lsass:AD_FindObjects():lsass/server/auth-providers/ad-open-provider/provider-main.c:4790: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154936:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():lwmsg/src/peer-task.c:625: (session:a98135b6b8b0e8c5-35e60cf93e858a7e) Dropping: LWMSG_STATUS_PEER_CLOSE
20170803154936:VERBOSE:lsass:LsaSrvIpcCheckPermissions():lsass/server/api/ipc_state.c:79: Permission granted for (uid = 0, gid = 0, pid = 22378) to open LsaIpcServer
20170803154936:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():lwmsg/src/peer-log.c:230: (session:f632c51130c7e777-6cf0b88a23721743) Accepted <local euid:0 egid:0 pid:22378>
20170803154936:DEBUG:lsass:AD_ResolveProviderState():lsass/server/auth-providers/ad-open-provider/provider-main.c:583: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154936:DEBUG:lsass:AD_AuthenticateUserPam():lsass/server/auth-providers/ad-open-provider/provider-main.c:1685: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154936:DEBUG:lsass:LsaSrvAuthenticateUserEx():lsass/server/api/auth.c:358: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154936:VERBOSE:lsass:LsaSrvAuthenticateUserEx():lsass/server/api/auth.c:397: Failed to authenticate user (name = 'carlpett') -> error = no such entry, client pid = 22378
20170803154936:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():lwmsg/src/peer-task.c:625: (session:f632c51130c7e777-6cf0b88a23721743) Dropping: LWMSG_STATUS_PEER_CLOSE
20170803154937:VERBOSE:lsass:LsaSrvIpcCheckPermissions():lsass/server/api/ipc_state.c:79: Permission granted for (uid = 226, gid = 226, pid = 23158) to open LsaIpcServer
20170803154937:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():lwmsg/src/peer-log.c:230: (session:8692da1b624cb16a-30b529814c8e7eb0) Accepted <local euid:226 egid:226 pid:23158>
20170803154937:DEBUG:lsass:AD_ResolveProviderState():lsass/server/auth-providers/ad-open-provider/provider-main.c:583: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154937:DEBUG:lsass:AD_FindObjects():lsass/server/auth-providers/ad-open-provider/provider-main.c:4790: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154937:VERBOSE:lsass-ipc:lwmsg_peer_task_handle_assoc_error():lwmsg/src/peer-task.c:625: (session:8692da1b624cb16a-30b529814c8e7eb0) Dropping: LWMSG_STATUS_PEER_CLOSE
20170803154938:VERBOSE:lsass:LsaSrvIpcCheckPermissions():lsass/server/api/ipc_state.c:79: Permission granted for (uid = 226, gid = 226, pid = 23351) to open LsaIpcServer
20170803154938:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():lwmsg/src/peer-log.c:230: (session:9ccbaa849ec66aec-400fdc532396dda2) Accepted <local euid:226 egid:226 pid:23351>
20170803154938:DEBUG:lsass:AD_ResolveProviderState():lsass/server/auth-providers/ad-open-provider/provider-main.c:583: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
20170803154938:DEBUG:lsass:AD_FindObjects():lsass/server/auth-providers/ad-open-provider/provider-main.c:4790: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)

The only known way to fix it we have at this time is to reboot, sometimes more than once is needed. I'm guessing it has to do with some pairing to a DC that is not cleared by a simple restart of the service?

Systemctl status:

● lwsmd.service - BeyondTrust PBIS Service Manager
   Loaded: loaded (/etc/pbis/redhat/lwsmd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-08-03 10:31:51 CEST; 5h 50min ago
  Process: 3222 ExecStop=/opt/pbis/bin/lwsm shutdown (code=exited, status=0/SUCCESS)
  Process: 3361 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, status=0/SUCCESS)
 Main PID: 3368 (lwsmd)
   Memory: 33.9M
   CGroup: /system.slice/lwsmd.service
           ├─ 3368 /opt/pbis/sbin/lwsmd --start-as-daemon
           ├─ 3396 lw-container lwreg
           ├─ 3440 lw-container eventlog
           ├─ 3536 lw-container lwio
           ├─16208 lw-container netlogon
           ├─16285 lw-container reapsysl
           └─16315 lw-container lsass

Aug 03 10:40:27 machinename lsass[16315]: Logging started
Aug 03 11:38:04 machinename lsass[16315]: [lsass] Failed to run provider specific request (request code = 1, provider = 'lsa-activedirectory-provider') -> error = 40017, symbol = LW_ERROR_NOT_HANDLED, client pid = 11962
Aug 03 11:38:16 machinename lsass[16315]: [lsass] Failed to run provider specific request (request code = 1, provider = 'lsa-activedirectory-provider') -> error = 40017, symbol = LW_ERROR_NOT_HANDLED, client pid = 13417
Aug 03 11:38:23 machinename lsass[16315]: [lsass] Failed to run provider specific request (request code = 1, provider = 'lsa-activedirectory-provider') -> error = 40017, symbol = LW_ERROR_NOT_HANDLED, client pid = 14175
Aug 03 11:38:32 machinename lsass[16315]: [lsass] Failed to run provider specific request (request code = 1, provider = 'lsa-activedirectory-provider') -> error = 40017, symbol = LW_ERROR_NOT_HANDLED, client pid = 14674
Aug 03 11:38:38 machinename lsass[16315]: [lsass] Failed to run provider specific request (request code = 1, provider = 'lsa-activedirectory-provider') -> error = 40017, symbol = LW_ERROR_NOT_HANDLED, client pid = 15599

lwsm list:

lwreg          running (container: 3396)
dcerpc         stopped
eventlog       running (container: 3440)
lsass          running (container: 16315)
lwio           running (container: 3536)
netlogon       running (container: 16208)
rdr            running (io: 3536)
reapsysl       running (container: 16285)
usermonitor    stopped

pbis status:

LSA Server Status:

Compiled daemon version: 8.3.0.3287
Packaged product version: 8.3.3287.68880
Uptime:        0 days 5 hours 43 minutes 58 seconds

[Authentication provider: lsa-activedirectory-provider]

        Status:        Unknown
        Mode:          Unknown

enum-users:

TotalNumUsersFound: 0

(Running id DOMAIN\username also returns nothing)

Some details about the network setup:
The machines are joined to an Active Directory with 2008r2 functional level. This domain has a two-way external trust with one domain, and a one-way external trust with another.
We do not have full connectivity to all domain controllers in those trusted domains, but only a subset. Users come primarily from those two trusted domains, with the machine's domain having security groups containing those users to restrict access.

update-dns replace address instead of add address?

Version: 8.5.0-3287
OS/Distro: RHEL/CentOS 6
Issue/Impact:

I would like the provided update-dns binary to REPLACE the IP of my host in MS AD DNS rather than add a second entry if the IP changes. In our DR situation, if a host fails over from one site to the other, it gets a new IP. I have /opt/pbis/bin/update-dns running from cron to keep the IP current... but instead of replacing the old IP with the new one, it adds a second DNS entry for the new one. So now, when clients attempt to resolve my hostname to an address, they get two addresses: one valid, one old.

Anybody else dealing with this?

Can't login after user used to bind changes password

Consider this case: A machine is bound to AD with User1's account. SSH is configured to allow domain users to connect and User2 can SSH into the server. User1 then changes their password. At that point, User 2 can no longer log in to the server.

This issue does not affect Windows servers, but it affects *nix servers bound with open-pbis. Is there a way around this? I'd rather not create service accounts for binding that can never have their passwords changed.

Specifying domain controllers

As the forum has been down for quite a while, I'm resorting to posting this as an error.

Our AD setup currently has multiple companies/forests in it, and our client machines can only reach the AD servers of the local company. It seems that open-pbis doesn't like that it can't query any DC it likes (we have this issue with LDAP logins as well), and thus I'm trying to find out if there is any way I can specify manually which AD servers to use in pbis?

This is the error I get:
sudo /opt/pbis/bin/config UserDomainPrefix MYDOMAIN
Problem executing '/opt/pbis/bin/ad-cache --delete-all >/dev/null 2>/dev/null'
Error: Error returned by external program

The error is the same for any command I run; joining the domain went fine though.

High cpu and memory usage

On some of our servers the lwsmd service is using a lot of cpu and slows down the whole system. When activating the lsass debug log it constantly writes, so much that it filled up the whole disk.

This is the debug output:

20170627094152:VERBOSE:lsass:AD_OnlineGetGroupMemberSids():lsass/server/auth-providers/ad-open-provider/online.c:4714: Cache entry for group membership for sid <sid> is incomplete
20170627094152:DEBUG:lsass:AD_EnumMembers():lsass/server/auth-providers/ad-open-provider/provider-main.c:5263: Error code: 259 (symbol: ERROR_NO_MORE_ITEMS)
20170627094152:DEBUG:LwKrb5SetThreadDefaultCachePath():lwadvapi/threaded/lwkrb5.c:474: Switched gss krb5 credentials path from <null> to FILE:/var/lib/pbis/krb5cc_lsass.DOMAIN.LOCAL
20170627094152:DEBUG:lsass:LsaSrvEnumMembers():lsass/server/api/api2.c:1149: Error code: 259 (symbol: ERROR_NO_MORE_ITEMS)
20170627094152:DEBUG:LwKrb5SetThreadDefaultCachePath():lwadvapi/threaded/lwkrb5.c:474: Switched gss krb5 credentials path from <null> to FILE:/var/lib/pbis/krb5cc_lsass.DOMAIN.LOCAL

We tried the newest version 8.5.4, but the error still occurred. Is this a configuration error or a bug?

pbis-open on lubuntu 16.04.1 does not compile

Sorry if this is in the wrong place but I am new to all of this. Any help or advice would be much appreciated.

I want the pbis-open software installed on my machine (HP-G61 laptop, 4 GB RAM) running Lubuntu 16.04 desktop. I tried 8-5 and then Master. I followed the instructions.
I have run the same on my Xeon 4-core server and the results shown are from there.

4b208ea

sudo apt-get install build-essential fakeroot devscripts debhelper autoconf automake libtool libncurses5-dev flex bison libpam0g-dev libxml2-dev libpopt-dev libglade2-dev lib32ncurses5 lib32z1 libc6-dev-i386 gcc-multilib

note ia32-libs being replaced by lib32ncurses5 lib32z1

Package ia32-libs is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
lib32ncurses5 lib32z1

sudo apt-get install gawk

I downloaded the zip file and extracted the folder and its contents to my home folder Documents
cd ~/Documents/pbis-open-master/

mkdir debug && cd debug
sudo ../configure --debug
sudo make -j4 package ## where XX is 2x CPU cores

I got warnings
[compile] btkrb5/ktldap.c (host/x86_64)
../btkrb5/keytab.c: In function ‘KtKrb5AddKeyA’:
../btkrb5/keytab.c:414:19: warning: implicit declaration of function ‘KtLdapGetBaseDnA’ [-Wimplicit-function-declaration]
dwError = KtLdapGetBaseDnA(pszDcName, &pszBaseDn);
^
../btkrb5/keytab.c:419:23: warning: implicit declaration of function ‘KtLdapGetKeyVersionA’ [-Wimplicit-function-declaration]
dwError = KtLdapGetKeyVersionA(pszDcName,
^
../btkrb5/keytab.c: In function ‘KtKrb5GetSaltingPrincipalA’:
../btkrb5/keytab.c:924:15: warning: implicit declaration of function ‘KtLdapGetSaltingPrincipalA’ [-Wimplicit-function-declaration]
dwError = KtLdapGetSaltingPrincipalA(pszDcName,
^
../btkrb5/keytab.c: At top level:
../btkrb5/keytab.c:1078:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
KtKrb5GetUserSaltingPrincipalA(4b208ea
^
[compile] lwadtool/adtool/main.c (host/x86_64)
Then error
[compile] lwsm/server/driver.c (host/x86_64)
../lwsm/server/main.c:40:20: fatal error: ctexec.h: No such file or directory
compilation terminated.
[compile] FAILED: 'gcc' '-m64' '-O0' '-g' '-Wall' '-Werror' '-Wmissing-prototypes' '-I../lwsm/server/.' '-Iobject/lwsm/server/.' '-I../lwsm/server/../include' '-Iobject/lwsm/server/../include' '-DDEBUG=1' '-DLWSM_DISABLE_DEPRECATED' '-DLWSM_BUILD' '-Istage/opt/pbis/include' '-DHAVE_CONFIG_H' '-D_MK_HOST_X86_64' '-D_MK_HOST' '-fPIC' '-MMD' '-MP' '-MF' '.MakeKitDeps/object_lwsm_server_main.lwsmd.host.x86_64.dep' '-o' 'object/lwsm/server/main.lwsmd.host.x86_64.o' '-c' '../lwsm/server/main.c'
Makefile:7445: recipe for target 'object/lwsm/server/main.lwsmd.host.x86_64.o' failed
make: *** [object/lwsm/server/main.lwsmd.host.x86_64.o] Error 1
make: *** Waiting for unfinished jobs....

PBIS Crashing after restart / can't login after restart Ubuntu 16.04

Hi.
We're having two issues on many PCs. One is we often have to restart lwsmd service after each PC restart before being able to login with a domain account. The second is the service is often crashing.
Could you let me know which logs we should be looking at or what I can provide to get some help with this please?
Thanks

login with an e-mail address and password possible?

Hello,

I run several Ubuntu 16.04 computers that authenticate against an AD with pbis open. Login with username and password is also running.

Is a login with an e-mail address and password possible? Since I have found nothing in the documentation, I ask the question here.

Losing connection with AD

Hi,
I'm running pbis-open 8.5.3.293 on Debian Jessie (installed via the repository) and from time to time it disconnects from the AD. In the logs I find messages like this:
juin 20 10:12:30 fraef-storiq2 lsass[20378]: [lsass] Failed to authenticate user (name = 'XXXXXXX') -> error = 40121, symbol = LW_ERROR_DOMAIN_IS_OFFLINE, client pid = 4029
Of course, when this happens Samba stops working and file rights change in a strange manner (I use ACLs). How can I understand what happens?
Thank you,
Michal
PS. I'm running several other systems with PBIS Open installed and it's the first time I see this kind of problems

pbis only returning a subset of groups for some users

This is similar to issue #8; however, it was discounted as different by the poster. Thus I have raised this issue as a separate thread to track debug activity.

Environment: Linux myserver 3.13.0-68-generic #111~precise1-Ubuntu SMP Fri Nov 6 18:17:31 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
PBIS vers: ii pbis-open 8.5.2.265 Authentication services for Active Directory domains

Symptom:
When the group_cache is working my user has 121 groups.
$ id | tr ',' '\n' | wc -l
121
when it gets messed up i'm only seeing 17 groups from /opt/pbis/bin/list-groups-for-user myuser
$ id | tr ',' '\n' | wc -l
17

The issue is 100% reproducible.
I can introduce the problem by clearing the ad-cache and starting a new shell as myuser
sudo /opt/pbis/bin/ad-cache --delete-user --name myuser
list-groups then shows only a small subset of expected groups:
$ id | tr ',' '\n' | wc -l
16

I can get a fully populated group list if i do an authenticate-user and start a fresh shell:
/opt/pbis/bin/lsa authenticate-user --user myuser
$ id | tr ',' '\n' | wc -l
121

I see this in my log at time of "authenticate-user" :-
20161214045456:VERBOSE:lsass: The user group membership information for user MYDOMAIN\myuser does not match what is in the cache, because the cache contains 19 memberships, but the pac contains 113 memberships. The group membership now needs to be compared against LDAP.

Upon "authenticate-user", lsass appears to refresh the group cache and all is working again. So the issue seems to occur on cold cache. Like maybe it's not loading the groups on first reference after ad-cache-delete.
The issue seems to re-present after a duration of time (I'm guessing after ad-cache TTL expiry).

Password Reset does not work

Ubuntu Gnome 17.04

We can login/out fine with the gnome login, but if a user is set to have their password reset, the login will notify them, allowing them to put in a new password, but instead of changing the password the tool says an error is thrown and fails to register the login.

I am unsure if this is related to the gnome login. Any suggestions?

error when I try run domainjoin-gui

root@PrintServer: /opt/likewise/bin/domainjoin-gui
/opt/likewise/bin/domainjoin-gui: error while loading shared libraries: libglade-2.0.so.0: cannot open shared object file: No such file or directory
root@PrintServer:

Incompatibility with samba4

Using pbis for Domain authentication seems to be a great way to include Systems into AD. While I was testing a configuration, I realised that samba4 isn’t supported

user@tst-lu1604-dcl:/opt/pbis/bin$ sudo ./samba-interop-install --check-Version
[sudo] password for user:
Found smbd version 4.3.11-Ubuntu
Unsupported smbd version 4.3.11-Ubuntu
Error: ERROR_PRODUCT_VERSION

Especially Ubuntu Server supports samba4 only since 14.04.
Is there any chance to use pbis with samba4?

Thank you in advance.

Full Domain Queries Smash CacheDB

We make use of PBIS-open to allow our non-ephemeral Linux instances to authenticate against Active Directory. Ours is mostly a large Windows shop with a large backing AD service (several tens of thousands of user and group entries). For the most part, PBIS Open works well for the Linux systems it's used on. However, if a Linux administrator makes the mistake of doing a full enumeration of the AD name-space (e.g., with the equivalent of a getent passwd or getent groups), PBIS has a stroke. There are only two ways to recover from the situation:

  • Wholly uninstall - ensuring to nuke the various */pbis/* directories and files
  • Nuke the sqlite cache DB and re-join the host to the domain

Looking for tips on how we might prevent PBIS from crushing its sqlite cache DB other than "don't (accidentally) try to enumerate 80,000 user objects".

ERROR_FILE_NOT_FOUND [code 0x00000002] on domain-join

We are unable to join several RHEL 6 Update 8 x86_64 servers to the local domain using PBIS.

We have installed the pbis-open-8.5.1-206 version on each of the servers and were unable to successfully attach to the domain, and received the following ERROR message when running domainjoin-cli

ERROR_FILE_NOT_FOUND [code 0x00000002]

The following is the output from the domainjoin-cli.log
20161109175308:INFO:Domainjoin invoked with the join command (remaining arguments will be printed later):
20161109175308:INFO: [/opt/pbis/bin/domainjoin-cli]
20161109175308:INFO: [--loglevel]
20161109175308:INFO: [verbose]
20161109175308:INFO: [join]
20161109175308:INFO:Domainjoin invoked with 3 arg(s) to the join command:
20161109175308:INFO: [vchs.vodafone.net]
20161109175308:INFO: [domainadd]
20161109175308:INFO: []
20161109175308:INFO:Adding hb1-xxx-dbr-01 (fqdn hb1-xxx-dbr-01.vchs.vodafone.net) to /etc/hosts ip 10.10.10.77, removing hb1-xxx-dbr-01, hb1-xxx-dbr-01.vchs.vodafone.net, hb1-xxx-dbr-01, hb1-xxx-dbr-01.vchs.vodafone.net
20161109175308:INFO:Reading krb5 file /tmp/likewisetmprRMn7m/etc/krb5.conf
20161109175308:VERBOSE:Found krb5 stanza '[logging]
'
20161109175308:VERBOSE:Found krb5 name value pair ' default = FILE:/var/log/krb5libs.log
'
20161109175308:VERBOSE:Found krb5 name value pair ' kdc = FILE:/var/log/krb5kdc.log
'
20161109175308:VERBOSE:Found krb5 name value pair ' admin_server = FILE:/var/log/kadmind.log
'
20161109175308:VERBOSE:Found krb5 comment '
'
20161109175308:VERBOSE:Found krb5 stanza '[libdefaults]
'
20161109175308:VERBOSE:Found krb5 name value pair ' default_realm = EXAMPLE.COM
'
20161109175308:VERBOSE:Found krb5 name value pair ' dns_lookup_realm = false
'
20161109175308:VERBOSE:Found krb5 name value pair ' dns_lookup_kdc = false
'
20161109175308:VERBOSE:Found krb5 name value pair ' ticket_lifetime = 24h
'
20161109175308:VERBOSE:Found krb5 name value pair ' renew_lifetime = 7d
'
20161109175308:VERBOSE:Found krb5 name value pair ' forwardable = true
'
20161109175308:VERBOSE:Found krb5 name value pair ' default_keytab_name = /etc/krb5.keytab
'
20161109175308:VERBOSE:Found krb5 comment '
'
20161109175308:VERBOSE:Found krb5 stanza '[realms]
'
20161109175308:VERBOSE:Found krb5 compound statement ' EXAMPLE.COM = {
'
20161109175308:VERBOSE:Found krb5 name value pair ' kdc = kerberos.example.com
'
20161109175308:VERBOSE:Found krb5 name value pair ' admin_server = kerberos.example.com
'
20161109175308:VERBOSE:Found krb5 compound end ' }
'
20161109175308:VERBOSE:Found krb5 comment '
'
20161109175308:VERBOSE:Found krb5 stanza '[domain_realm]
'
20161109175308:VERBOSE:Found krb5 name value pair ' .example.com = EXAMPLE.COM
'
20161109175308:VERBOSE:Found krb5 name value pair ' example.com = EXAMPLE.COM
'
20161109175308:INFO:Reading nsswitch file /etc/nsswitch.conf
20161109175308:INFO:Reading krb5 file /tmp/likewisetmptTpcGz/etc/krb5.conf
20161109175308:VERBOSE:Found krb5 stanza '[logging]
'
20161109175308:VERBOSE:Found krb5 name value pair ' default = FILE:/var/log/krb5libs.log
'
20161109175308:VERBOSE:Found krb5 name value pair ' kdc = FILE:/var/log/krb5kdc.log
'
20161109175308:VERBOSE:Found krb5 name value pair ' admin_server = FILE:/var/log/kadmind.log
'
20161109175308:VERBOSE:Found krb5 comment '
'
20161109175308:VERBOSE:Found krb5 stanza '[libdefaults]
'
20161109175308:VERBOSE:Found krb5 name value pair ' default_realm = EXAMPLE.COM
'
20161109175308:VERBOSE:Found krb5 name value pair ' dns_lookup_realm = false
'
20161109175308:VERBOSE:Found krb5 name value pair ' dns_lookup_kdc = false
'
20161109175308:VERBOSE:Found krb5 name value pair ' ticket_lifetime = 24h
'
20161109175308:VERBOSE:Found krb5 name value pair ' renew_lifetime = 7d
'
20161109175308:VERBOSE:Found krb5 name value pair ' forwardable = true
'
20161109175308:VERBOSE:Found krb5 name value pair ' default_keytab_name = /etc/krb5.keytab
'
20161109175308:VERBOSE:Found krb5 comment '
'
20161109175308:VERBOSE:Found krb5 stanza '[realms]
'
20161109175308:VERBOSE:Found krb5 compound statement ' EXAMPLE.COM = {
'
20161109175308:VERBOSE:Found krb5 name value pair ' kdc = kerberos.example.com
'
20161109175308:VERBOSE:Found krb5 name value pair ' admin_server = kerberos.example.com
'
20161109175308:VERBOSE:Found krb5 compound end ' }
'
20161109175308:VERBOSE:Found krb5 comment '
'
20161109175308:VERBOSE:Found krb5 stanza '[domain_realm]
'
20161109175308:VERBOSE:Found krb5 name value pair ' .example.com = EXAMPLE.COM
'
20161109175308:VERBOSE:Found krb5 name value pair ' example.com = EXAMPLE.COM
'
20161109175308:INFO:Distro Version 6.8
20161109175308:INFO:Reading pam configuration
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/other
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/cvs
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/login
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/reboot
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/sudo-i
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/runuser
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/password-auth-ac
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/system-auth-ac
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/vmtoolsd
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/setup
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/passwd
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/subscription-manager
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/system-config-network-cmd
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/polkit-1
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/run_init
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/chfn
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/eject
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/smartcard-auth
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/vsftpd
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/newrole
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/rhn_register
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/su-l
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/system-config-network
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/screen
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/sudo
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/password-auth
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/ssh-keycat
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/crond
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/fingerprint-auth-ac
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/chsh
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/halt
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/abrt-cli-root
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/smartcard-auth-ac
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/config-util
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/su
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/smtp.postfix
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/fingerprint-auth
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/poweroff
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/runuser-l
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/remote
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/atd
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/smtp
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/system-auth
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.d/sshd
20161109175308:INFO:Reading pam file /tmp/likewisetmpbvoofM/etc/pam.conf
20161109175308:INFO:File /tmp/likewisetmpbvoofM/etc/pam.conf does not exist
20161109175308:INFO:Found config file /etc/ssh/sshd_config
20161109175308:INFO:Found binary /usr/sbin/sshd
20161109175308:INFO:Reading ssh file /etc/ssh/sshd_config
20161109175308:INFO:Found open sshd version 5.3.-1p1
20161109175308:INFO:Testing option ChallengeResponseAuthentication
20161109175308:INFO:Option ChallengeResponseAuthentication supported
20161109175308:INFO:Testing option UsePAM
20161109175308:INFO:Testing option PAMAuthenticationViaKBDInt
20161109175308:INFO:Option PAMAuthenticationViaKBDInt not supported
20161109175308:INFO:Testing option KbdInteractiveAuthentication
20161109175308:INFO:Option KbdInteractiveAuthentication supported
20161109175308:INFO:Testing option GSSAPIAuthentication
20161109175308:INFO:Testing option GSSAPICleanupCredentials
20161109175308:INFO:Found config file /etc/ssh/ssh_config
20161109175308:INFO:Found binary /usr/bin/ssh
20161109175308:INFO:Reading ssh file /etc/ssh/ssh_config
20161109175308:INFO:Testing option GSSAPIAuthentication
20161109175308:INFO:Testing option GSSAPIDelegateCredentials
20161109175308:INFO:Option GSSAPIDelegateCredentials supported
20161109175308:INFO:Running module join
20161109175308:VERBOSE:eventlog:LwEvtOpenEventlog():/builder/src-git/Platform/src/linux/eventlog/client/eventlog.c:174: client::eventlog.c OpenEventlog server=)

20161109175308:ERROR:ERROR_FILE_NOT_FOUND [ERROR_FILE_NOT_FOUND]

Stack Trace:
/builder/src-git/Platform/src/linux/domainjoin/domainjoin-cli/src/main.c:1211
/builder/src-git/Platform/src/linux/domainjoin/domainjoin-cli/src/main.c:583
/builder/src-git/Platform/src/linux/domainjoin/libdomainjoin/src/djmodule.c:355
/builder/src-git/Platform/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:857
/builder/src-git/Platform/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1255

We have run several straces and tcpdumps on connectivity to attempt to find out what the ERROR is related to.

Please can you assist with any possible troubleshooting we can do to isolate the issue.

Regards

Andy

PBIS and Ubuntu 16.04 stops working

Have server with Ubuntu 16.04 and PBIS Open 8.5.3. PBIS stops working after a while and gets the following errors in syslog. Restarting doesn't fix the issue. Seems like rejoining the domain is only fix for a bit then fails again.

Mar 31 07:37:59 SERVER lsass: [LwKrb5GetTgtImpl /builder/src-git/Platform/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
Mar 31 07:37:59 SERVER lsass: [lsass] Error: Failed to refresh machine TGT for EXAMPLE.COM (error = 40022)
Mar 31 07:38:57 SERVER lsass: [lsass] Domain 'example.com' is now online
Mar 31 07:40:31 SERVER lsass: GSS API error calling gss_init_sec_context(): majorStatus = 0x000d0000 (Unspecified GSS failure. Minor code may provide more information), minorStatus = 0x96c73a20 (Ticket expired)
Mar 31 07:40:32 SERVER lsass: [LwKrb5GetTgtImpl /builder/src-git/Platform/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
Mar 31 07:40:32 SERVER lsass: [lsass] Domain 'example.com' is now offline
Mar 31 07:42:59 SERVER lsass: [LwKrb5GetTgtImpl /builder/src-git/Platform/src/linux/lwadvapi/threaded/krbtgt.c:276] KRB5 Error code: -1765328360 (Message: Preauthentication failed)
Mar 31 07:42:59 SERVER lsass: [lsass] Error: Failed to refresh machine TGT for EXAMPLE.COM (error = 40022)

Set users primary group to a local linux group

This isn't really an issue, just looking for advice as I'm sure someone has run into this before.

Using PBIS-open, authenticating AD users against Linux machines just fine.

Need to set the AD user's primary group to a local linux group rather than an AD one.

Thanks!
Adam

[lsass-pam] [module:pam_lsass][LsaNssGetPwNam() /builder/src-buildserver/Platform-8.3/src/linux/lsass/interop/nsswitch/aix/lam-user.c:273] Lsass queried by getpwnam for [NOUSER]

Hello all,

I'm facing the following problem with pbis-8.3 and same with pbis-8.5 on AIX 6.1:
I cannot authenticate with the AD account, but I can get all information from the AD - user info, groups, AD status, all info, but not authenticate. I turned on the debug module and that's what I observe:
Feb 17 15:25:10 test02 authpriv:err|error sshd[10092576]: [lsass-pam] [module:pam_lsass][LsaNssGetEntry() /builder/src-buildserver/Platform-8.3/src/linux/lsass/interop/nsswitch/aix/lam-main.c:212] Getentry finishing with code 40008
Feb 17 15:25:10 test02 authpriv:err|error sshd[10092576]: [lsass-pam] [module:pam_lsass][LsaNssGetPwNam() /builder/src-buildserver/Platform-8.3/src/linux/lsass/interop/nsswitch/aix/lam-user.c:273] Lsass queried by getpwnam for [NOUSER]

Feb 17 15:25:10 test02 auth|security:info sshd[10092576]: Failed password for invalid user TEST.LOC\aesa0015 from XX:XX:XX:XX port 51733 ssh2
Feb 17 15:25:10 test02 auth|security:info sshd[10092576]: Failed password for invalid user TEST.LOC\aesa0015 from XX:XX:XX:XX port 51733 ssh2
Feb 17 15:25:10 test02 auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from XX:XX:XX:XX
Feb 17 15:25:10 test02 auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from XX:XX:XX:XX

I checked the file: /etc/methods.cfg - LSASS is there, I have configured /etc/resolv.conf, ntp is working, /etc/netsvc.conf is configured.

If someone has any idea how this could be solved, please share.

Cannot change root password

I have installed pbis from apt repository on debian stable.
I join domain, and now I can login with AD account, but if I login with root local account, I'm unable to change password.

root@syslog-1:~# id
uid=0(root) gid=0(root) gruppi=0(root)
root@syslog-1:~# passwd
passwd: Errore manipolazione token di autenticazione
passwd: password unchanged
root@syslog-1:~# 

and this is the error that I receive:

giu 15 09:02:47 syslog-1 passwd[27269]: [lsass-pam] [module:pam_lsass]LsaPamCheckCurrentPassword failed [login:root][error code: 40008]

this is my version of pbis:

ii  pbis-open                         8.5.3.293                      amd64        Authentication services for Active Directory domains
ii  pbis-open-upgrade                 8.5.3.293                      amd64        Helper package for upgrading systems with versions preceding

How can I change root password?

add sparc solaris 10 to domain

When I try to add a Solaris 10 server to the domain I got LW_ERROR_LDAP_SERVER_DOWN 0x00009d5e
dc closed an ldap connection in the middle of a query
The AD server is in the same VLAN, firewall is off, LDAP is working. When I snoop the communication I see:

LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
*** Decode length error, PDU length = 1456 ***
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
*** Decode length error, PDU length = 1449 ***
LDAP: [Version]
LDAP: [Object Name]
LDAP: Authentication: SASL *[3]
*** Decode length error, PDU length = 1440 ***
LDAP: [OctetString]
LDAP: GSS-SPNEGO
LDAP: [OctetString]
*** Decode length error, PDU length = 1424 ***
LDAP: *** NOT PRINTED - Too long value ***
LDAP:

Limit users listed to only members of the "RequireMembershipOf" group

Hello,

This works great for my Ubuntu systems. I have a group of the users that I want to be able to use the box that I set in RequireMembershipOf setting and that works fine, they can login. The shell is set via LoginShellTemplate and that looks good too.

But, when I do 'getent passwd', I see ALL users in the domain, even disabled ones, and they ALL have the shell set from the LoginShellTemplate.

$ getent passwd | wc -l
23375

I only have about 20 users in the group, but over 23,000 accounts are active on the box.

How do I fix this? Is this a bug? Is this a feature request? How can I make sure that random disabled account from 2004 doesn't have /bin/bash on my Linux hosts?

Use configurable mappings

Hello.

IIUC, currently PBIS uses a fixed mapping of users and groups from SID to UID/GID (by taking some bits from the domain SID and others from the object SID).
While it could be a good default for most situations, I find it quite limiting relative to winbind, where I used
idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999
This way it's possible to "squeeze" domains known to have lesser users/groups in smaller ranges, reserving more space for bigger domains and avoid collisions.
I already saw about a dozen mapping collisions in one of our domains (with about 400k users and 600-800k groups), and I'd like to avoid this situation, if possible. But I'm only allowed to join machines in a single OU and can't alter the schema.

Tks.
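
The per-domain RID mapping described in the post above, as an added example that is not part of the original issue and is not PBIS or Samba code: it applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to the DOM1/DOM2 ranges quoted there and shows that disjoint ranges rule out cross-domain ID collisions while overlapping ranges produce them. The domain SIDs, the overlapping configuration and all function names are constructed for illustration.

```python
# Added example (not PBIS or Samba code): RID-based SID -> UID/GID mapping with
# per-domain ranges, using the idmap_rid formula
#   ID = RID - BASE_RID + LOW_RANGE_ID
# Domain SIDs and the "overlapping" configuration are constructed placeholders.
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RidRange:
    name: str        # label used in reports, e.g. "DOM1"
    domain_sid: str  # SID of the domain, without the trailing RID
    base_rid: int
    low: int         # first Unix ID of the range (inclusive)
    high: int        # last Unix ID of the range (inclusive)

    def map_rid(self, rid: int) -> Optional[int]:
        """Return the Unix ID for a RID, or None if it falls outside the range."""
        unix_id = rid - self.base_rid + self.low
        return unix_id if self.low <= unix_id <= self.high else None


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain_sid, sep, rid = sid.rpartition("-")
    if not sep or not domain_sid.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return domain_sid, int(rid)


def map_sid(sid: str, ranges: Sequence[RidRange]) -> Optional[int]:
    """Map a SID through the range configured for its domain."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain_sid:
            return r.map_rid(rid)
    return None  # unknown domain: leave unmapped rather than guess an ID


def overlapping_ranges(ranges: Sequence[RidRange]) -> List[Tuple[str, str]]:
    """Report every pair of domains whose Unix ID ranges intersect."""
    return [(a.name, b.name) for a, b in combinations(ranges, 2)
            if a.low <= b.high and b.low <= a.high]


def find_collisions(sids: Iterable[str],
                    ranges: Sequence[RidRange]) -> Dict[int, List[str]]:
    """Return {unix_id: [sids]} for every ID assigned to more than one SID."""
    by_id: Dict[int, List[str]] = defaultdict(list)
    for sid in sids:
        unix_id = map_sid(sid, ranges)
        if unix_id is not None:
            by_id[unix_id].append(sid)
    return {i: s for i, s in by_id.items() if len(s) > 1}


DOM1_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed
DOM2_SID = "S-1-5-21-2000000001-2000000002-2000000003"  # constructed

# The layout quoted in the post: two disjoint ranges, same base_rid.
DISJOINT = [
    RidRange("DOM1", DOM1_SID, base_rid=500, low=100000, high=49999999),
    RidRange("DOM2", DOM2_SID, base_rid=500, low=50000000, high=99999999),
]

# Constructed misconfiguration: both domains share one range.
OVERLAPPING = [
    RidRange("DOM1", DOM1_SID, base_rid=500, low=100000, high=49999999),
    RidRange("DOM2", DOM2_SID, base_rid=500, low=100000, high=49999999),
]

# Constructed sample objects: the same RIDs exist in both domains.
SAMPLE_SIDS = [
    f"{DOM1_SID}-1104", f"{DOM2_SID}-1104",
    f"{DOM1_SID}-513", f"{DOM2_SID}-513",
]

if __name__ == "__main__":
    for label, cfg in (("disjoint", DISJOINT), ("overlapping", OVERLAPPING)):
        print(label, "overlaps:", overlapping_ranges(cfg))
        for sid in SAMPLE_SIDS:
            print("  ", sid, "->", map_sid(sid, cfg))
        print("  collisions:", find_collisions(SAMPLE_SIDS, cfg))
```

A RID that maps above the top of its range comes back as unmapped rather than spilling into the next domain's range, so the range size has to cover the largest RID the domain will issue.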

Can't login after I set a group in RequireMembershipOf

Version: 8.5.4.334
OS/Distro: Rhel 6/7
Issue/Impact: Either no one can login or everyone
pbis status = good
Machine is joined to AD
DNS is configured and working correctly
All services are running

Output/Error:
When I configure /opt/pbis/bin/config RequireMembershipOf "domain\group name" **There's 2 slashes but for some reason this forum is removing the other
it never lets anyone login from any domain unless I set the default value and then everyone can login.

Environment:
Domain A has a one way external Trust with Domain B. Domain A is where I connected machines into AD.

Question? Are there any work-arounds to this?

Can't Login on Scientific Linux 7

Running Scientific Linux 7 and I am unable to login with PBIS. I'm able to install, join the domain, I can use the find user scripts just fine, the ID command works fine, getent passwd works fine, but it won't let me login with an AD account.

Here's /var/log/secure for an attempt:
Jun 12 10:52:43 gntcs-alit-hp1 sshd[5619]: Invalid user knoflicek from 144.92.163.197
Jun 12 10:52:43 gntcs-alit-hp1 sshd[5619]: input_userauth_request: invalid user knoflicek [preauth]
Jun 12 10:52:43 gntcs-alit-hp1 sshd[5619]: Postponed keyboard-interactive for invalid user knoflicek from 144.92.163.197 port 50527 ssh2 [preauth]
Jun 12 10:52:44 gntcs-alit-hp1 sshd[5621]: pam_unix(sshd:auth): check pass; user unknown
Jun 12 10:52:44 gntcs-alit-hp1 sshd[5621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dyn-144-92-163-197.genetics.wisc.edu
Jun 12 10:52:47 gntcs-alit-hp1 sshd[5619]: error: PAM: User not known to the underlying authentication module for illegal user knoflicek from dyn-144-92-163-197.genetics.wisc.edu
Jun 12 10:52:47 gntcs-alit-hp1 sshd[5619]: Failed keyboard-interactive/pam for invalid user knoflicek from 144.92.163.197 port 50527 ssh2
Jun 12 10:52:47 gntcs-alit-hp1 sshd[5619]: Postponed keyboard-interactive for invalid user knoflicek from 144.92.163.197 port 50527 ssh2 [preauth]
Jun 12 10:52:47 gntcs-alit-hp1 sshd[5619]: Connection closed by 144.92.163.197 [preauth]

I also noticed that I cannot login with local users after I've joined the domain, I get this error:

Jun 12 10:45:42 gntcs-alit-hp1 sshd[5600]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:test34][error code:40016]

If I run authconfig --updateall it fixed the problem, but I can no longer run the id and getent commands for AD accounts.

Any advice would be greatly appreciated.

Thanks,
Isaac

NFS server not seeing all groups

Have a RHEL 6.7 NFS server running PBIS-Open 8.3.0.3287. CentOS 7 clients are running the same version of Open. Most of the time everything works fine. Lately been having different users not being able to access an NFS mounted directory on the client due to group protections. The user will be listed in the group on the client but it seems the server doesn't know they should be a member of that group so it gives a "permission denied" error when trying to access the directory. This could be related to the other cases of group membership I've seen here but since it involves NFS I figured I'd ask. Also looks like 8.5.3 will be coming out soon that may address this as well. Thanks for any info/suggestions.

pbis doesn't do nothing

I've Ubuntu 16.04.2 LTS, no DE
I've launched:

/opt/pbis/bin/domainjoin-cli join MYDOMAIN.LOCAL [email protected]

it gives me SUCCESS, but nothing happens

wbinfo -u gives me

Error looking up domain users

and "/opt/pbis/bin/domainjoin-cli query" gives me empty domain

DNS error

Hi,

So our DNS/DC is on Azure, and I'm trying to join an Ubuntu machine that's on AWS to the domain.

How can I troubleshoot the below error? Is there a log file somewhere?

Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]
A bad packet was received from a DNS server. Potentially the requested address does not exist.

group membership won't resolve completely

Hello!

We've updated our environment from Likewise 6 to PBIS 8.5.0 and now a lot of users can't login on updated systems (SLES 11 / SLES 12 systems affected). The strange behavior is that some users can and some others can't login on the same system. So PBIS is working.

Logon is restricted via AllowGroups in sshd-config and PBIS can't resolve users group membership completely. I've checked this via "list-groups-for-user"

I ended up taking tcpdumps to check communication with our Microsoft AD servers.
In these dumps I see the LDAP communication start off pretty well in resolving the user's group membership. But at some point, the client stops resolving group membership and there are still more groups to query.

My feeling in this issue is that there must be a limit in time or count in resolving a user's group membership. How can I increase this limit? I found some hard-coded variables like "dwMaxEnumCount" or "MAX_NUM_GROUPS" in the code. Is there a chance of increasing these values? I'll take every clue on this issue!

Thanks!
Robin

Trusted Domain Users Have No Groups

I have downloaded and installed the newest 8.5.3 release. However, I am still having issues with group memberships that involve accounts from an AD trust. Specifically, I have joined an AD domain PrimaryDomain which has a trust to another domain TrustedDomain. I have added a sudoers drop-in file to grant root access to an account in TrustedDomain. This part works fine...I can logon as the TrustedDomain account and elevate that account to root with sudo.

I do not want to have to explicitly place user into the sudoers drop-in. I want to use a TrustedDomain group account that has the user accounts as members and create a drop-in for the group.

However, if I remove the explicit account from the drop-in and instead create a drop-in for the group, the account is no longer able to be granted sudo permissions. If I examine the groups the TrustedDomain account belongs to I get "0":

[root@ip-10-22-13-249 ~]# /opt/pbis/bin/list-groups-for-user TRUSTEDDOMAIN\\someaccount
Number of groups found for user 'TRUSTEDDOMAIN\\someaccount' : 0

I used to see this behavior in the previous version if I cleared the cache and the group memberships will all start returning no results, but the groups will mysteriously repopulate itself at some point during the day.

Is there a way to initiate this or force a synchronization so all the groups are populated?

This is not an issue with PrimaryDomain accounts, only TrustedDomain accounts.

Install fails on Ubuntu 16.10

Command-line:

root@acme-ubuntu:~/Desktop# sh ./pbis-open-8.5.1.206.linux.x86.deb.sh 
Creating directory pbis-open-8.5.1.206.linux.x86.deb
Verifying archive integrity... All good.
Uncompressing pbis-open-8.5.1.206.linux.x86.deb..............
Would you like to install package for legacy links? (i.e.  /opt/likewise/bin/lw-find-user-by-name -> /opt/pbis/bin/find-user-by-name) (yes/no) y
Would you like to install now? (yes/no) y
Installing packages and old packages will be removed
(Reading database ... 208811 files and directories currently installed.)
Removing pbis-open-upgrade:i386 (8.5.1.206) ...
Selecting previously unselected package pbis-open-upgrade:i386.
(Reading database ... 208810 files and directories currently installed.)
Preparing to unpack .../pbis-open-upgrade_8.5.1.206_i386.deb ...
Unpacking pbis-open-upgrade:i386 (8.5.1.206) ...
Setting up pbis-open-upgrade:i386 (8.5.1.206) ...
Selecting previously unselected package pbis-open:i386.
(Reading database ... 208812 files and directories currently installed.)
Preparing to unpack .../pbis-open_8.5.1.206_i386.deb ...
Unpacking pbis-open:i386 (8.5.1.206) ...
Setting up pbis-open:i386 (8.5.1.206) ...
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found

dpkg: error processing package pbis-open:i386 (--install):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 pbis-open:i386
Error installing /root/Desktop/pbis-open-8.5.1.206.linux.x86.deb/./packages/pbis-open_8.5.1.206_i386.deb

/var/log/pbis-open-install.log

Package: PowerBroker Identity Services Open Upgrade begins (Thu 3 Nov 17:55:07 GMT 2016)Error: pkill -KILL -x reapsysld returned 1  (ignoring and continuing)Error: pkill -KILL -x lsassd returned 1  (ignoring and continuing)Error: pkill -KILL -x lwiod returned 1  (ignoring and continuing)Error: pkill -KILL -x netlogond returned 1  (ignoring and continuing)Error: pkill -KILL -x dcerpcd returned 1  (ignoring and continuing)Error: pkill -KILL -x eventlogd returned 1  (ignoring and continuing)Error: pkill -KILL -x lwregd returned 1  (ignoring and continuing)Error: pkill -KILL -x lwsmd returned 1  (ignoring and continuing)Package: PowerBroker Identity Services Open Upgrade finishedPackage: PowerBroker Identity Services Open preinstall [install] begins (Thu 3 Nov 17:55:10 GMT 2016)Error: /usr/sbin/service lwsmd stop returned 5  (ignoring and continuing)
Failed to stop lwsmd.service: Unit lwsmd.service not loaded.
Error: pkill -KILL -x lwsmd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwregd returned 1  (ignoring and continuing)
Error: pkill -KILL -x netlogond returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwiod returned 1  (ignoring and continuing)
Error: pkill -KILL -x dcerpcd returned 1  (ignoring and continuing)
Error: pkill -KILL -x eventlogd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lsassd returned 1  (ignoring and continuing)
Error: pkill -KILL -x reapsysld returned 1  (ignoring and continuing)
Package: PowerBroker Identity Services Open preinstall [install] finished
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 17:55:11 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 17:56:02 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 17:56:34 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 17:57:05 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 17:59:03 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 17:59:27 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:00:17 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:00:36 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:01:46 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:02:43 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:03:47 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:12:50 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open postinstall begins (Thu 3 Nov 18:16:37 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found
Package: PowerBroker Identity Services Open preremove [remove] begins (Thu 3 Nov 18:18:07 GMT 2016)
Error: /opt/pbis/bin/domainjoin-cli configure --disable pam returned 127  (ignoring and continuing)
/var/lib/dpkg/info/pbis-open.prerm: 59: /var/lib/dpkg/info/pbis-open.prerm: /opt/pbis/bin/domainjoin-cli: not found
Error: /opt/pbis/bin/domainjoin-cli configure --disable nsswitch returned 127  (ignoring and continuing)
/var/lib/dpkg/info/pbis-open.prerm: 59: /var/lib/dpkg/info/pbis-open.prerm: /opt/pbis/bin/domainjoin-cli: not found
Error: /bin/systemctl disable lwsmd.service returned 1  (ignoring and continuing)
Failed to disable unit: No such file or directory
Success: rm -f /lib/systemd/system/lwsmd.service
Success: /usr/sbin/update-rc.d lwsmd remove
Success: rm -f /etc/init.d/lwsmd
Error: pkill -KILL -x reapsysld returned 1  (ignoring and continuing)
Error: pkill -KILL -x lsassd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwiod returned 1  (ignoring and continuing)
Error: pkill -KILL -x netlogond returned 1  (ignoring and continuing)
Error: pkill -KILL -x eventlogd returned 1  (ignoring and continuing)
Error: pkill -KILL -x dcerpcd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwregd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwsmd returned 1  (ignoring and continuing)
Package: PowerBroker Identity Services Open preremove [remove] finished
Package: PowerBroker Identity Services Open postremove [remove] begins (Thu 3 Nov 18:18:08 GMT 2016)
Package: PowerBroker Identity Services Open postremove [remove] finished
Package: PowerBroker Identity Services Open Upgrade begins (Fri 4 Nov 17:29:34 GMT 2016)
Error: pkill -KILL -x reapsysld returned 1  (ignoring and continuing)
Error: pkill -KILL -x lsassd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwiod returned 1  (ignoring and continuing)
Error: pkill -KILL -x netlogond returned 1  (ignoring and continuing)
Error: pkill -KILL -x dcerpcd returned 1  (ignoring and continuing)
Error: pkill -KILL -x eventlogd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwregd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwsmd returned 1  (ignoring and continuing)
Success: cp /etc/pbis/user-ignore /var/lib/pbis-upgrade
Success: cp /etc/pbis/group-ignore /var/lib/pbis-upgrade
Package: PowerBroker Identity Services Open Upgrade finished
Package: PowerBroker Identity Services Open preinstall [install] begins (Fri 4 Nov 17:29:38 GMT 2016)
Error: /usr/sbin/service lwsmd stop returned 5  (ignoring and continuing)
Failed to stop lwsmd.service: Unit lwsmd.service not loaded.
Error: pkill -KILL -x lwsmd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwregd returned 1  (ignoring and continuing)
Error: pkill -KILL -x netlogond returned 1  (ignoring and continuing)
Error: pkill -KILL -x lwiod returned 1  (ignoring and continuing)
Error: pkill -KILL -x dcerpcd returned 1  (ignoring and continuing)
Error: pkill -KILL -x eventlogd returned 1  (ignoring and continuing)
Error: pkill -KILL -x lsassd returned 1  (ignoring and continuing)
Error: pkill -KILL -x reapsysld returned 1  (ignoring and continuing)
Package: PowerBroker Identity Services Open preinstall [install] finished
Package: PowerBroker Identity Services Open postinstall begins (Fri 4 Nov 17:29:44 GMT 2016)
Error: /opt/pbis/sbin/lwsmd --start-as-daemon --disable-autostart --loglevel debug returned 127 (aborting this script)
/var/lib/dpkg/info/pbis-open.postinst: 74: /var/lib/dpkg/info/pbis-open.postinst: /opt/pbis/sbin/lwsmd: not found

Licensing not clear

https://github.com/BeyondTrust/pbis-open/blob/master/package/open/rpm/open.spec.in however suggests that the license is "Likewise Proprietary", but this does not match with the wiki which states that the license is GPLv2.

No general LICENSE file exists in https://github.com/BeyondTrust/pbis-open which leaves users to consult the wiki (which is potentially out of date WRT code) at https://github.com/BeyondTrust/pbis-open/wiki/Licensing
Note that some sub-trees (e.g. https://github.com/BeyondTrust/pbis-open/tree/master/lsass) do include a LICENSE file but many do not.
