CONFIG TOOL USER GUIDE
What is the AD Bridge config tool?
AD Bridge joins Linux and Unix computers to Active Directory so that you can centrally manage all your computers from one source, authenticate users with the highly secure Kerberos protocol, control access to resources, and apply group policies to non-Windows computers.
How is the AD Bridge config tool useful?
The AD Bridge config tool provides policies similar to the GPO policies that can be applied to local Linux and Unix systems. The config tool policies can be set before the system is joined to a domain. If a GPO policy and config tool policy are applied to a target, the GPO policy overrides the config tool policy.
How to access the config tool
The config tool is located at /opt/pbis/bin/config.
Usage: config [OPTIONS] [COMMAND]
Access help
/opt/pbis/bin/config --help
Options
Option | Description |
---|---|
--verbose | Display additional information. |
Commands
Commands | Description |
---|---|
SETTING [VALUE] | Change SETTING to the given VALUE(s), or the default value if no value is specified. |
--list | Display names of all settings. |
--show SETTING | Display current value(s) of SETTING. |
--detail SETTING | Display current value(s) and details of SETTING. |
--file FILE | Read FILE with each line beginning with a setting name followed by value(s). Use '.' for reading from stdin. |
--dump | Dump all settings in a format suitable for use with --file. |
Settings
Event log
Setting Name | Description |
---|---|
AllowDeleteTo | List of users that can delete entries from log. |
AllowReadTo | List of users that can read entries from log. |
AllowWriteTo | List of users that can write entries from log. |
MaxDiskUsage | Max size in bytes of eventlog database. Default value: 104857600 |
MaxEventLifespan | Maximum number of days that events are saved in eventlog. Default value: 90 |
MaxNumEvents | Maximum number of events to hold in eventlog database. Default value: 100000 |
Lsass
Setting Name | Description |
---|---|
DomainSeparator | Character used to designate the domain name separator. Default value: \ |
SpaceReplacement | Character used to designate space characters in names of objects. Default value: ^ |
EnableEventlog | Configure lsass to log events to the event log. Default value: false |
LogInvalidPasswords | Configure lsass to log events for failed authentication attempts due to invalid passwords. |
SaslMaxBufSize | Size of the buffer to allocate for decoding incoming LDAP responses (bytes). Default value: 16777215 |
Providers | Configure which lsass providers to load. Default value: ActiveDirectory |
DomainIDRanges | Comma delimited string of Domain ID ranges to use. For example: domainA,1000,2000. |
Lsass PAM
Setting Name | Description |
---|---|
DisplayMotd | Display message of the day. Default value: false |
PAMLogLevel | Configure PAM lsass logging detail level. Default value: error |
UserNotAllowedError | Message displayed on a failed console logon attempt. Default value: Access denied |
NssApplyAccessControl | Filter users returned by NSS based on RequireMembershipOf. Default value: false |
Lsass Active Directory
Setting Name | Description |
---|---|
AssumeDefaultDomain | Apply domain name prefix to account name at logon. Default value: false |
CreateHomeDir | Whether home directories should be automatically created upon user logon. Default value: true |
CreateK5Login | Whether .k5login file is to be created on user logon. Default value: true |
SyncSystemTime | Whether system time should be synchronized with the AD domain controller. Default value: true |
TrimUserMembership | Whether to remove a cached group membership entry derived from the PAC when information from LDAP shows the user is no longer a member of that group. Default value: true |
LdapSignAndSeal | Whether all LDAP traffic should be sent both signed and sealed. Default value: false |
LogADNetworkConnectionEvents | Configure lsass to log events for offline query failures and transitions. Default value: true |
NssEnumerationEnabled | Whether to enumerate users or groups for NSS. Default value: true |
NssGroupMembersQueryCacheOnly | Whether to return only cached info for NSS group members. Default value: true |
NssUserMembershipQueryCacheOnly | Whether to return only cached info for NSS user's groups. Default value: false |
RefreshUserCredentials | Whether to refresh user credentials against AD domain controller. Default value: true |
CacheEntryExpiry | Duration for when lsass object cache entries are marked stale. Default value: 14400 |
DomainManagerCheckDomainOnlineInterval | How often the domain manager should check whether a domain is back online. Default value: 300 |
DomainManagerUnknownDomainCacheTimeout | How long an unknown domain is cached as unknown in the domain manager. Default value: 3600 |
MachinePasswordLifespan | Machine password expiration lifespan in seconds. Default value: 2592000 |
ResetMachinePasswordOnJoin | Reset the machine password after joining a domain. Default value: false |
ResetMachinePasswordDelay | The default time in minutes before resetting the machine password after a domain join. Default value: 5 |
ServicePrincipalName | Update the local krb5 keytab file and computer account service principal name attribute in AD with the provided list of instances. Changes take effect on domain join. The default adds the host service class. Default value: host |
MemoryCacheSizeCap | The maximum bytes to use for the in-memory cache. Old data will be purged if the total cache size exceeds this limit. A value of 0 indicates no limit. Default value: 0 |
HomeDirForceLowercase | Forces the home directory (/.../domainname/username) to be lowercase. Lowercase home directory is created on user login. If configured, /etc/pbis/user-override file takes precedence. Default value: false |
HomeDirPrefix | Prefix path for user's home directory. This value is used in place of the %H in the HomeDirTemplate setting. Value must be an absolute path. Default value: /home |
HomeDirTemplate | Format string for user's home directory path. This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U). Default value: %H/local/%D/%U |
RemoteHomeDirTemplate | Format string for the mount path of the remote Windows Folder. This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U). |
HomeDirUmask | Umask for home directories. Default value: 022 |
LoginShellTemplate | Default login shell template. Default value: /bin/sh |
SkeletonDirs | Skeleton home directory template directories. Default value: /etc/skel |
UserDomainPrefix | Domain short name prefix to be used when AssumeDefaultDomain setting is enabled. |
DomainManagerIgnoreAllTrusts | When true, ignore all trusts during domain enumeration. |
DomainManagerIncludeTrustsList | When DomainManagerIgnoreAllTrusts is true, these trusts are included. |
DomainManagerExcludeTrustsList | When DomainManagerIgnoreAllTrusts is false, these trusts are excluded. |
RequireMembershipOf | Restrict logon access to computer to specific users or group members, or SIDs. |
IgnoreGroupAlias | When enabled, Group Alias will not be used when displaying group names. |
SmartcardEnabled | Smart Card services will not be used when disabled. Default value: false |
SmartcardRedirector | Smart Card redirector services will not be used when disabled. Default value: false |
SmartcardRequiredForLogin | Smart Card will be required for login. Default value: false |
Lsass OAuth provider
Setting Name | Description |
---|---|
OAuthCreateHomeDir | To specify whether home directories should be automatically created upon user logon via the lsass OAuth provider. Accepted values are true or false. Default value: true |
OAuthHomeDirPrefix | The prefix path for user's home directory. This value is used in place of the %H in the OAuthHomeDirTemplate setting. Value must be an absolute path. Default value: /home |
OAuthHomeDirTemplate | The format string for lsass OAuth provider account user's home directory path. This value can contain substitution string markers for OAuthHomeDirPrefix (%H), Domain (%D), and User (%U). Default value: %H/local/%D/%U |
OAuthHomeDirUmask | The Umask for lsass OAuth provider account home directories (in octal). Accepted range of values: [0, 01777]. Default value: 022 |
OAuthLoginShellTemplate | The default login shell template for lsass OAuth provider accounts. Default value: /bin/sh |
OAuthSkeletonDirs | The Skeleton home directory template directories for lsass OAuth provider accounts. Default value: /etc/skel |
AccessTokenExpirationGraceTime | The number of minutes prior to the access token expiration to attempt refreshing the access token. Accepted range of values: [10, 50] Default value: 20 |
RequestTimeout | The maximum time, in seconds, to wait for an Azure request to complete before it times out. Supports specifying this in seconds (s) or minutes (m). For example, 1m. No suffix defaults to seconds. Accepted range of values: [30, 300] Default value: 60 |
UserAuthenticationWaitTime | The maximum time, in seconds, lsass waits for a user to authenticate with Entra ID. Duration can be specified with seconds (s) or minutes (m) suffix. For example: 1m. No suffix defaults to seconds. Accepted range of values: [60, 120] Default value: 60 |
AssumeDefaultTenant | Apply tenant name suffix to upn at logon. Default value: false |
AzureRequireMembershipOf | Restrict logon access to computer to groups. |
CacheBackupDelay | Delay in seconds for next cache backup. Default value: 3600 |
Lsass local provider
Setting Name | Description |
---|---|
Local_AcceptNTLMv1 | Allows local provider to accept NTLMv1. Default value: true |
Local_HomeDirTemplate | Format string for lsass local provider account user's home directory path. This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U). Default value: %H/local/%D/%U |
Local_HomeDirUmask | Umask for lsass local provider account home directories. Default value: 022 |
Local_LoginShellTemplate | Default login shell template for lsass local provider accounts. Default value: /bin/sh |
Local_SkeletonDirs | Skeleton home directory template directories for lsass local provider accounts. Default value: /etc/skel |
User monitor
Setting Name | Description |
---|---|
UserMonitorCheckInterval | Frequency in seconds that the user monitor service queries the system to see who can log in. Default value: 1800 |
System initialization
Setting Name | Description |
---|---|
LsassAutostart | Start lsass when lwsmd starts. Default value: true |
EventlogAutostart | Start eventlog when lwsmd starts. Default value: true |
GpagentAutostart | Start gpagent when lwsmd starts. Default value: false |
Netlogon
Setting Name | Description |
---|---|
BlocklistDC | List of blocked domain controller IP addresses. Entered IP addresses are whitespace-separated. |
Netlogon authentication
Setting Name | Description |
---|---|
DCCacheEnabled | Allows the agent to cache the DC information. Default value: true |
DCCacheExpiryInterval | The length of time the agent holds on to the cached DC information. Default value: 1440 (accepted range 60 - 43200) |
DCValidationSupport | Turns on DC validation through secure channel connection. Default value: false |
SMB
Changing any of the values will restart the SMB driver to apply the change.
Setting Name | Description |
---|---|
SMB202Support | The agent supports the SMB 2.02 dialect. Not applicable if SMB 2.1/3.x dialects are supported. Default value: true |
SMB3Support | The agent supports SMB 2.1/3.x dialects. Default value: true |
MaxSMB3Dialect | The maximum SMB 2.1/3.x dialect supported by the agent. Accepts the following values: 0x210, 0x300, 0x302, 0x311. Default value: 0x311 |
SMBSigningSupport | The agent supports signing SMB requests. Default value: true |
SMBSigningRequired | The agent requires SMB requests/responses be signed. Default value: false |
SMB3EncryptionSupport | The agent supports encrypting SMB requests. Only applicable if the agent supports SMB 3.x dialects. Default value: false |
SMB3EncryptionCiphers | The supported encryption ciphers in preferred order. Supported values are "AES-128-CCM", "AES-128-GCM". Default value: "AES-128-CCM" "AES-128-GCM" |
DC validation
Setting Name | Description |
---|---|
DCValidationSupport | If enabled, a DC is checked for validity before use. Default value: false |
DCCacheEnabled | If enabled, validated DC information is cached. Default value: true |
DCCacheExpiryInterval | The frequency in minutes that the DC cache remains valid. Valid duration can be set in minutes (m), hours (h), or days (d), using the desired suffix. No suffix defaults to minutes. Default value: 24 |
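The `--dump` and `--file` commands described above make it practical to audit a host's settings against a hardening baseline built from this guide (signed and sealed LDAP, required SMB signing, SMB 3 encryption, no NTLMv1 at the local provider, DC validation, event logging) and to emit a `--file`-compatible remediation list. The following is example code added to this guide, not part of AD Bridge; it assumes only what the guide states about the dump format (one setting per line, name followed by value(s)), and the sample dump is constructed rather than captured from a real host.

```python
"""Audit an AD Bridge `config --dump` against a hardening baseline (example code)."""

# Settings from this guide whose permissive defaults a hardened host should change,
# mapped to the value expected after hardening.
BASELINE = {
    "LdapSignAndSeal": "true",        # all LDAP traffic signed and sealed
    "SMBSigningRequired": "true",     # refuse unsigned SMB requests/responses
    "SMB3EncryptionSupport": "true",  # encrypt SMB 3.x sessions
    "Local_AcceptNTLMv1": "false",    # local provider must not accept NTLMv1
    "DCValidationSupport": "true",    # validate the DC over a secure channel
    "EnableEventlog": "true",         # lsass events go to the event log
}

# Constructed sample of dump output (not from a real system); DCValidationSupport
# is deliberately absent to exercise the "setting not present" path.
SAMPLE_DUMP = """\
SpaceReplacement ^
LdapSignAndSeal false
SMBSigningSupport true
SMBSigningRequired false
SMB3EncryptionSupport false
SMB3EncryptionCiphers "AES-128-CCM" "AES-128-GCM"
Local_AcceptNTLMv1 true
EnableEventlog true
"""

def parse_dump(text):
    """Map each setting name to its raw value string ("" when no value follows)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)   # name, then everything after it
        if not parts:
            continue                          # tolerate blank lines
        settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def audit(settings, baseline=BASELINE):
    """Return {setting: (current, expected)} for every baseline deviation."""
    findings = {}
    for name, expected in baseline.items():
        current = settings.get(name, "<unset>")
        if current.strip().lower() != expected:
            findings[name] = (current, expected)
    return findings

def remediation_file(findings):
    """Render findings in the `config --file` layout: setting name, then value."""
    return "".join(f"{name} {exp}\n" for name, (_, exp) in sorted(findings.items()))

if __name__ == "__main__":
    found = audit(parse_dump(SAMPLE_DUMP))
    for name, (cur, exp) in sorted(found.items()):
        print(f"{name}: is {cur!r}, expected {exp!r}")
    print("--- apply with: /opt/pbis/bin/config --file remediate.conf ---")
    print(remediation_file(found), end="")
```

On a real host, feed it the output of `/opt/pbis/bin/config --dump` instead of the constructed sample and review the rendered list before applying it with `--file`.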
Service manager
Setting Name | Description |
---|---|
UserServiceShutdownTimer | If enabled, services will be killed if they do not shut down within 50 seconds. Restarting lwsmd is required for the change to take effect. Default value: true |
SNMP
Setting Name | Description |
---|---|
SNMPEnabled | True to send SNMP traps. Default value: false |
SNMPTarget | The IP address or machine name to send SNMP traps to. Default value: localhost |
SNMPPort | The port to send SNMP traps to. Default value: 162 |
SNMPCommunity | SNMP Community. Default value: public |
SNMPLogonAuthenticationGroup | Enable all traps in the Logon/Authentication group. Default value: false |
SNMPAccountGroup | Enable all traps in the Account group. Default value: false |
SNMPSystemServicesGroup | Enable all traps in the System/Services group. Default value: false |
SNMPDomainGroup | Enable all traps in the Domain group. Default value: false |
SNMPSudoGroup | Enable all traps in the Sudo group. Default value: false |
lwpkcs11
Setting Name | Description |
---|---|
ModuleSearchList | Determines which pkcs11 module lwpkcs11 daemon uses to access Smart Card functionality. Default: /usr/lib64/opensc-pkcs11.so /usr/local/lib/libpkcs11.so /usr/lib/libpkcs11.so |