BeyondTrust / pbis-open

BeyondTrust AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is currently archived and will no longer receive updates. If you are interested in an Enterprise version of this project, please see our AD Bridge product.
https://www.beyondtrust.com/privilege-management/active-directory-bridge
Apache License 2.0

Issue when installing in a Solaris11 child zone #132

Closed Warpedflash closed 6 years ago

Warpedflash commented 6 years ago

Version: 8.6.0.427

OS/Distro: Solaris 5.11-0.175.3.32.0.4.0

Issue/Impact: Unable to join domain

When reporting an issue it's important that we have as much detail as you can provide. The following is a list of commands to check.

  1. systemctl status lwsmd.service

        root@EACAA001:/opt/pbis/bin# svcs lwsmd
        STATE          STIME    FMRI
        online         14:00:40 svc:/network/lwsmd:default

  2. /opt/pbis/bin/lwsm list

        root@EACAA001:/opt/pbis/bin# ./lwsm list
        lwreg       running (container: 6660)
        dcerpc      stopped
        eventlog    running (container: 6661)
        lsass       running (container: 6665)
        lwio        running (container: 6664)
        netlogon    running (container: 6662)
        rdr         running (io: 6664)
        reapsysl    running (container: 6666)
        usermonitor stopped

  3. /opt/pbis/domainjoin-cli query

        Jun 13 14:31:24 EACAA001 lsass: [lsass] Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = -1
        Name = eacaa001
        Domain =

  4. pbis status

        root@EACAA001:/opt/pbis/bin# ./pbis-status
        LSA Server Status:

        Compiled daemon version: 8.6.0.427
        Packaged product version: 8.6.427.243473
        Uptime: 0 days 0 hours 5 minutes 18 seconds

        [Authentication provider: lsa-activedirectory-provider]

            Status:        Unknown
            Mode:          Unknown

  5. attach logs
    • /opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
    • /opt/pbis/bin/lwsm set-log-level -p lsass - debug lsass.log

Steps to Reproduce: install using command

    ./pbis-open-8.6.0.427.solaris11.sparcv9.pkg.sh -- --current-zone install

Install proceeds without issue until the following step:

    Executing postinstall script.

    Package: PowerBroker Identity Services Open postinstall begins (Wednesday, June 13, 2018 02:00:25 PM BST)
    Logging all operations to /var/log/pbis-open-install.log
    Importing registry...
    Importing service configurations
    Jun 13 14:00:40 EACAA001 lsass: [lsass] Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = -1
    Package: PowerBroker Identity Services Open postinstall finished
    Installation of was successful.
    Installing Packages was successful
    New libraries and configurations have been installed for PAM and NSS.
    Please reboot so that all processes pick up the new versions.
    Run domainjoin-cli to join a domain to allow log on with Active Directory credentials.
    domainjoin-cli will prompt for missing parameters.
    Run domainjoin-cli --help for more information.
    Example:
    /opt/pbis/bin/domainjoin-cli join MYDOMAIN.COM MyJoinAccount

Once I try to run the domainjoin command, the username/password combination I enter is rejected as incorrect (I have tried using multiple accounts that are able to add new machines to the domain).

I am seeing this behaviour on 2 child zones. The global zone on the same physical machine has a fully working pbiso install (again installed with the command ./pbis-open-8.6.0.427.solaris11.sparcv9.pkg.sh -- --current-zone install).

Any advice would be appreciated. This is my first time working with pbiso in Solaris zones, so I may have just done something stupid.

Warpedflash commented 6 years ago

This was a networking issue on our side and not a pbis issue, so this can be closed.

rbest-bt commented 6 years ago

Sorry we didn't get a chance to look at your issue. Thanks for posting that it has been resolved.