Daemon Services and Architecture in AD Bridge
Prior to AD Bridge 6.5, the agent was composed of separate daemon processes, and each was started in sequence by the operating systems at start up.
In AD Bridge 6.5+, the daemons are replaced by libraries loaded by the service manager daemon, /opt/pbis/sbin/lwsmd. The service lsass replaces the daemon lsassd.
At start up, the operating system is configured to start the service manager daemon. It is then instructed by the operating system with the command /opt/pbis/bin/lwsm autostart to start all desired services.
The service manager daemon keeps track of the services already started and ensures the services are started and stopped in the appropriate order.
AD Bridge Enterprise
The AD Bridge Enterprise agent is composed of the service manager daemon (/opt/pbis/sbin/lwsmd) and includes the following services:
Service | Description | Dependencies |
---|---|---|
lsass |
Handles authentication, authorization, caching, and idmap lookups. You can check its status or restart it. To view the lsass architecture see the diagram following the tables. |
netlogon lwio rdr lwreg Usually eventlog. This can be disabled after installation. Sometimes dcerpc. This can be enabled after installation for registering TCP/IP endpoints of various services. |
netlogon |
Detects the optimal domain controller and global catalog and caches them. |
lwreg |
lwio |
An input-output service used to communicate through DCE-RPC calls to remote computers, such as during domain join and user authentication. |
lwreg |
rdr |
A redirector that multiplexes connections to remote systems. |
lwio
lwreg |
dcerpc |
Handles communication between Linux or Unix computers and Microsoft Active Directory by mapping data to end points. By default, it is disabled. |
|
eventlog |
Collects and processes data for the local event log and can be disabled. |
|
lwreg |
The registry service that holds configuration information about both the services and the information provided by the services. |
|
reapsysl |
The syslog reaper that scans syslog for events of interest and records them in the eventlog. |
eventlog |
usermonitor |
The service scans the system for changes to users, groups, and authorization rights and records the changes in the eventlog. |
lsass
eventlog |
AD Bridge Enterprise Only
Additionally, AD Bridge Enterprise also includes the following services to apply Group Policy settings, handle smart cards, and monitor security events:
Service | Description | Dependencies |
---|---|---|
gpagent |
Pulls Group Policy Objects (GPOs) from Active Directory and applies them to the computer. |
lsass netlogon lwio rdr lwreg eventlog |
eventfwd |
Forwards events from the local event log to a remote computer. |
eventlog |
lwsc |
Smart card service. |
lwpkcs11 |
lwpkcs11 |
Aids lwsc by supporting PKCS#11 API. |
|
lwpkcs11r |
Smart card redirector service for Windows client. |
lwsc |
LSASS Architecture:
AD Bridge Enterprise Input-Output Service
The lwio service multiplexes input and output by using SMB1 or SMB2. The service's plugin-based architecture includes several drivers, the most significant of which is coded as rdr, the redirector.
The redirector multiplexes Common Internet File System (CIFS) and Server Message Block (SMB) connections to remote systems. For instance, when two different processes on a local Linux computer need to perform input-output operations on a remote system by using CIFS and SMB, with either the same identity or different identities, the preferred method is to use the APIs in the lwio client library, which routes the calls through the redirector. In this example, the redirector maintains a single connection to the remote system and multiplexes the traffic from each client by using multiplex IDs.
The input-output service plays a key role in the AD Bridge Enterprise architecture because AD Bridge Enterprise uses Distributed Computing Environment/Remote Procedure Calls (DCE/RPC). DCE/RPC uses SMB. Thus, the DCE-RPC client libraries use the AD Bridge Enterprise input-output client library, which in turn makes calls to lwio with Unix domain sockets.
When you join a domain, AD Bridge Enterprise uses DCE-RPC calls to establish the machine password. The AD Bridge Enterprise authentication service periodically refreshes the machine password by using DCE-RPC calls. Authentication of users and groups in Active Directory takes place with Kerberos, not RPC.
In addition, when a joined computer starts up, the AD Bridge Enterprise authentication service enumerates Active Directory trusts by using DCE-RPC calls that go through the redirector. With one-way trusts, the authentication service uses RPC to look up domain users, groups, and security identifiers. With two-way trusts, lookup takes place through LDAP, not RPC.
Because the authentication service registers trusts only when it starts up, you should restart lsass with the AD Bridge Enterprise Service Manager after you modify a trust relationship.
The AD Bridge Enterprise Group Policy agent also uses the input-output client library and the redirector when it copies files from the sysvol share of a domain controller.
To troubleshoot remote procedure calls that go through the input-output service and its redirector, use a Wireshark trace or a TCP dump to capture the network traffic.
We recommend Wireshark, a free open-source packet analyzer.
Privileged Access Managment (PAM) Options
AD Bridge Enterprise Edition uses the following standard PAM options:
- try_first_pass
- use_first_pass
- use_authtok
- debug
Additionally, there are non-standard options to the PAM configuration on some systems:
- unknown_ok: Allows local users to continue down the stack while blocking domain users who do not meet group membership requirements.
- remember_chpass: Prevents the AIX computer on AIX systems, which have both PAM and LAM modules, from trying to change the password twice and prompting the user twice.
- set_default_repository: used to make sure password changes work as expected on Solaris systems.
- smartcard_prompt: Enables smartcard prompts.
- no_require_membership: Allows the require membership check to be skipped.
Manage the AD Bridge Enterprise Services
Using the AD Bridge Enterprise Service Manager, you can:
- Track and troubleshoot all the AD Bridge Enterprise services with a single command-line utility. For example, check the status of the services, view their dependencies, and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the correct order.
- Use the service manager to set the logging destination and the log level.
For more information, please see "Manage AD Bridge Services (lwsm)" in the AD Bridge Enterprise Windows Administration Guide.