Easy Active Directory integration with Likewise Open

Staying Active

© tauro79, Fotolia

© tauro79, Fotolia

Article from Issue 97/2008
Author(s):

Likewise Open provides smooth integration with Active Directory environments. We show you how to install and configure the admin-friendly authentication system.

The Likewise Open authentication system [1] integrates Linux clients with the Active Directory environment. Of course, you can also configure Active Directory through Samba and its supporting cast of characters [2], but the Likewise solution offers several benefits for easier configuration and administration.

The free, GPL'd version of Likewise supports authentication against Active Directories, the authorization of kerberized services, and even single sign-on. This might sound a lot like Samba, which does the same things; in fact, the project manager of Likewise, Gerald Carter, is a long-term member of the Samba core developer team. Likewise Open builds on the work by Samba, although it adds many of its own features.

Ready-to-Run Packages

Likewise packages are available for Red Hat, Novell, and Canonical distributions, a couple of commercial Unix systems, and Mac OS X.

The Likewise website features version 5.0, although the distribution-specific packages include version 4, which I will use for this article. Ubuntu users will find the likewise-open and likewise-open-gui packages in the Universe repository. The Likewise packages include a number of dependencies – mainly related to Kerberos. Likewise Open relies on the MIT version of Kerberos as a back end [3]. During installation on Ubuntu, the package prompts the admin to specify the Kerberos and administrative servers (Figures 1 and 2).

Figure 1: The Ubuntu package manager prompts you for the name of the Kerberos server when you install the Kerberos packages.
Figure 2: You must specify the administrative server for the Kerberos realm.

Besides a working Active Directory (AD) server and a domain structure managed by Windows, Likewise has two main requirements: a working name server to resolve DNS names and a synchronized system clock. If the client and server clocks are more than five minutes out of sync, the Kerberos server will refuse to issue tickets, which is a security measure to prevent replay attacks.

New Configuration Approach

Adding a raw Linux system to an AD domain requires a fair amount of configuration work [2]. The Likewise Agent handles most of this work, adding itself to the Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) on the local client.

Server-side, the agent passes on authentication requests to the Kerberos 5 server and the LDAP-based AD. To allow this to happen, the package installs a couple of libraries and configuration files. For example, /lib/libnss_lwidentity.so integrates Likewise with NSS, and /--etc/pam.d/-pam_lwidentity.so- does the same thing for PAM. The /etc/security/pam_lwidentity.conf configuration file sets up the module, and the interface to the remote domain controller is implemented by the Likewise Winbind server, likewise-winbindd. The server has its own configuration file, /etc/samba/lwiauthd.conf, which is similar to the smb.conf file from the Samba package.

Likewise Open integrates these components to support a transparent domain login for the users. The login process passes the username and password to PAM. The pam_lwidentity.so module communicates with the Likewise authentication service, which generates a secret key from the username and password. The Likewise daemon uses the secret key to request an initial Ticket Granting Ticket (TGT) from the Kerberos Authentication Server, which runs as part of the Key Distribution Center (KDC) on the AD Server.

On presenting the TGT, the Likewise authentication service receives service tickets for other network services, such as SSH. Users can thus log on to kerberized servers without entering their passwords a second time.

Set up the Likewise installation package on each Linux machine that will become a member of the AD domain (and will be managed by Likewise). If you use the installation packages from the website, Likewise Open will be installed by using a Bitrock Installer – an executable whose file name ends with installer. To run the program, you must become root and follow the instructions on the screen.

The installer displays information about the OSS licenses for the installed components before Likewise sets up its files. After this, the Installer points the administrator to domainjoin-cli, which is located in the /-usr/centeris/bin/ directory (thus contravening the FHS [4] conventions; the distribution packages and later versions of Likewise correct this error). The agent stores logging information in /var/log/lw-identity/ or – if you use the version from the Ubuntu repository – in /var/log/likewise-open.

Come On In

An AD domain requires both the user and the client systems to become members. The act of setting up a machine account in Microsoft's directory service is referred to in AD-speak as "Joining the domain."

A command-line tool, domainjoin-cli, lets the root user join the AD domain, creating a machine account in the directory in the process. The domainjoin-cli tool accepts the join option and the domain as arguments. The domain argument must be specified as a fully qualified DNS name.

On top of this, the command expects the name of a user authorized to create computer accounts in the AD environment. Listing 1 shows a computer called ubuntu joining the example.org domain. The Administrator account has the required privileges for this step.

Listing 1

Joining a Domain

 

The second option for joining a domain is the Likewise Open GUI (Figure 3), however, the GUI is not included with the likewise-open core package. To add the GUI, just install likewise-open-gui and launch it with root privileges by entering domainjoin-gui.

Figure 3: The Likewise Open GUI expects the DNS name of the domain and the hostnames.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Linux with Active Directory

    Microsoft's Active Directory system provides centralized user management and single sign-on. If you're ready for a few manual steps, Linux can leverage this potential.

  • FreeIPA

    FreeIPA offers integrated identity management and big ideas for the future.

  • Samba 4

    Samba 4 has been around for more than three years, but some users still shy from it. If you are still sitting on the fence, this tour through some of the new features and capabilities might help you decide whether it is finally time to upgrade.

  • Likewise Open Sees 100,000 Downloads Thanks Open Source Community

    Likewise announced today that over 100,000 organizations have downloaded Likewise Open, its cross-platform integration software used for joining desktops and servers running Linux, Unix and Mac OS X to an organization's existing Active Directory environment.

  • Linux with Active Directory

    We explore some leading tools for integrating your Linux network with an Active Directory environment.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News