AD Bridge 24.1.1 Release Notes

May 15, 2024

  • Agent: 24.1.1.616
  • Windows: N/A

This is an Agent-only release.

New Features and Enhancements

Enable Machine Password Reset after domainjoin

We've enhanced the ResetMachinePasswordOnJoin configuration option so that the automatic machine password reset after a domainjoin, introduced in AD Bridge 24.1.0, is now optional rather than always on.

In AD Bridge 24.1.0, we added the following update:

  • Reset machine password on join
    • Previously, PwdLastSet was only updated after half of the MachinePasswordLifespan (default 30 days) had elapsed. With 24.1.0, a successful domainjoin immediately initiated a machine password reset.

With the 24.1.1 release, we are reverting this change to make it an elective feature, instead of an always-on feature, via the ResetMachinePasswordOnJoin configuration option.

ResetMachinePasswordOnJoin

With the ResetMachinePasswordOnJoin configuration option, you can opt to have the agent automatically request a reset of the machine account password once the machine joins a domain.

Acceptable values include:

  • true sends a request to reset the machine password

  • false does not send a request to reset a machine password

  • Default value: false

ResetMachinePasswordDelay

You can also set how long (in minutes) the agent waits after joining a domain before sending the password reset request.

This option only takes effect when ResetMachinePasswordOnJoin is set to true.

Acceptable values include:

  • an integer from 2 to 60, inclusive

  • Default value: 5

Force a Machine Password Reset

Use the new pbis ad-reset-machine-password command to force a machine password reset request at any time.
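The following Python is an added example, not AD Bridge or BeyondTrust code, that illustrates the two rules the notes rely on: the scheduled rotation fires once pwdLastSet is older than half of MachinePasswordLifespan (default 30 days), and ResetMachinePasswordDelay must be an integer between 2 and 60 minutes. pwdLastSet is stored in Active Directory as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), which is what the conversion helpers handle. All function names and the sample timestamps are constructed for this example; the constant for the Unix epoch in FILETIME form is the well-known value 116444736000000000.

```python
"""Added example (not AD Bridge code): machine password age and delay checks.

Decides whether an AD computer account's password is due for rotation under
the half-lifespan rule described in the release notes, and validates a
ResetMachinePasswordDelay value against the documented 2..60 minute range.
Function names and sample values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000  # 1970-01-01 00:00:00 UTC as FILETIME

DEFAULT_LIFESPAN_DAYS = 30    # MachinePasswordLifespan default stated in the notes
DEFAULT_RESET_DELAY_MIN = 5   # ResetMachinePasswordDelay default
MIN_RESET_DELAY_MIN, MAX_RESET_DELAY_MIN = 2, 60


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet FILETIME value to an aware UTC datetime."""
    if filetime < 0:
        raise ValueError("FILETIME must be non-negative")
    # FILETIME has 100 ns resolution; datetime only has microseconds.
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic throughout."""
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10


def password_age(pwd_last_set: int, now: datetime) -> timedelta:
    """Age of the machine password given its pwdLastSet attribute."""
    return now - filetime_to_datetime(pwd_last_set)


def reset_due(pwd_last_set: int, now: datetime,
              lifespan_days: int = DEFAULT_LIFESPAN_DAYS) -> bool:
    """True when scheduled rotation would fire: the password is at least half
    of MachinePasswordLifespan old, or pwdLastSet is 0 (AD's 'must change')."""
    if pwd_last_set == 0:
        return True
    return password_age(pwd_last_set, now) >= timedelta(days=lifespan_days) / 2


def validate_reset_delay(value) -> int:
    """Accept the string form a config store holds, or an int; enforce 2..60."""
    try:
        minutes = int(str(value).strip())
    except ValueError:
        raise ValueError(f"ResetMachinePasswordDelay must be an integer: {value!r}")
    if not MIN_RESET_DELAY_MIN <= minutes <= MAX_RESET_DELAY_MIN:
        raise ValueError(f"ResetMachinePasswordDelay {minutes} is outside 2..60 minutes")
    return minutes


# Constructed samples: a password set 20 days ago (stale) and one set 10 days ago.
SAMPLE_NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_STALE_PWD_LAST_SET = datetime_to_filetime(SAMPLE_NOW - timedelta(days=20))
SAMPLE_FRESH_PWD_LAST_SET = datetime_to_filetime(SAMPLE_NOW - timedelta(days=10))

if __name__ == "__main__":
    for label, value in (("stale", SAMPLE_STALE_PWD_LAST_SET),
                         ("fresh", SAMPLE_FRESH_PWD_LAST_SET)):
        age = password_age(value, SAMPLE_NOW)
        print(f"{label}: pwdLastSet={value} age={age.days}d "
              f"reset_due={reset_due(value, SAMPLE_NOW)}")
    print("delay ok:", validate_reset_delay(DEFAULT_RESET_DELAY_MIN))
```

On a joined host the pwdLastSet value itself would come from an LDAP query of the computer object; the check above is the part an operator can reason about offline when deciding whether to wait for the scheduled rotation or force one with the new command.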

Support for pam_aucore on domainjoins

pam_aucore is now recognized as a known module, so domainjoin places pam_lsass.so above pam_aucore.so in the PAM stack.

AD Bridge Allows Installs with EPM-UL Installed and the Policy Configured to use ACA

When defaults are used, AD Bridge now allows installs on a system that has EPM-UL (Endpoint Privilege Management for Unix/Linux) installed and its policy configured for ACA (Advanced Control and Audit) via the LD_PRELOAD environment variable.

Issues Resolved

Agent

  • Resolved an issue on systems with systemd where LWSMD was starting prior to the network coming online.
  • Resolved an issue where the message WARNING: Ignoring unsupported krb5 line 'include /opt/pbis/share/krb5.conf' (line will be included in krb5.conf but won't be parsed) was incorrectly logged at warning level. The message is now logged at debug level.
  • Segfaults on Solaris SPARC
    • Resolved an issue where SamrAllocateUserInfo21 did not align the computed buffer size; it now aligns as expected.
    • Resolved an issue where LsaAllocateAuditEventsInfo() did not align the computed buffer size; it now aligns as expected.
  • Resolved an issue where gpagent/lsass crashed when the domain's trust information was too large.
  • Resolved an issue where the config tool errored when the system was not joined to any providers.
  • Resolved an AIX issue with the creation of the LSASS64 entry in /etc/methods.cfg.
  • Resolved an issue where the config tool successfully set options when not joined but still returned error code 5.
  • Resolved an issue where the config dump did not export valid import options for empty multistring settings.
  • Resolved an issue where, after an lsass restart, the first cron job run by an AD user failed with getpwnam failed.

Tools

  • pbis-support.pl now always collects /var/log/domainjoin-cli.log.
  • A new script for creating the Azure registered app, /opt/pbis/libexec/create-azure-app.sh, is included in the agent installer. It requires azure-cli to be installed.