Easy Active Directory integration with Likewise Open
The first time a domain user logs on to a client, Likewise Open uses PAM (pam_lwidentity.so) to set up local user directories. Alternatively, the pam_mount module can mount central user directories on a remote server with SMB/CIFS . This guarantees all users access to their own files independent of the client they use to log in. The share is defined by a line in /etc/security/pam_mount.conf that uses the volume keyword:
volume user filesystem server share mountpoint options cipher path
Use of a wildcard * for the user parameter tells the module to insert the name of the user. The filesystem can be smbfs or cifs. The server can be an IP address or a NetBIOS name, and share can use the ampersand, &, as a wildcard for the username.
The last three parameters are not typically needed; dashes will be fine in this case:
volume * smbfs SAMBASERVER & /home/EXAMPLE/&/Documents - - -
Whether you mount the Documents subdirectory or the complete home directory is a matter of taste and will depend on how an organization arranges its central servers.
If the mount point does not exist, the PAM pam_mount module, with a setting of mkmountpoint 1, creates it. As of version 0.29, pam_mount stores the configuration in an equivalent XML format, as shown in Listing 4.
pam_mount Mounts Samba Shares
01 <?xml version="1.0" encoding="UTF-8"?> 02 <pam_mount> 03 <volume user = "*" 04 server = "SAMBASERVER" 05 mountpoint = "/home/EXAMPLE/%(USER)/Document" 06 path = "%(USER)" 07 fstype = "smbfs" /> 08 </pam_mount>
Before the sufficient entries in the auth section of /etc/pam.d, you can insert an entry for the module. Listing 5 shows a configuration in the common-auth and common-session files on Ubuntu. To avoid the need for users to repeatedly enter their passwords, the try_first_pass = yes entry in the /etc/security/pam_lwidentity.conf file enables the option for retrying a password entered previously.
Setting up pam_mount
01 # /etc/pam.d/common-auth 02 auth required pam_mount.so 03 auth sufficient /lib/security/pam_lwidentity.so 04 auth requisite pam_unix.so nullok_secure try_first_pass 05 auth optional pam_smbpass.so migrate missingok 06 07 # /etc/pam.d/common-session 08 session optional pam_mount.so 09 auth sufficient /lib/security/pam_lwidentity.so 10 session required pam_unix.so
More in the Commercial Version
Besides the open source version of Likewise, the US-based Likewise Software corporation offers a commercial version of its software, Likewise Enterprise . The commercial version has support for AD group policies on top of the functionality offered by the free version; the product defines around 500 default policies. The Likewise Administrative Console can use a Linux or Unix machine to manage AD records.
On top of this, Likewise Enterprise supports Linux desktops, referring to AD to retrieve settings and restrictions. This enables the implementation of strict security policies. The Enterprise variant is available free of charge for evaluation purposes, or for US$ 250 as a server version. The company offers two levels of commercial support.
A New Face
Once configured, Likewise Open offers the same functional scope as a combination of Samba, Kerberos, PAM, and NSS. It takes many pesky setup tasks off the administrator's hands and supports centralized and platform-independent user management. The ticket-based Kerberos authentication service and single sign-on is a bonus.
If you enjoy working with Likewise Open, you might appreciate the extra features offered by the commercial version or the benefits of professional support. The only manual work left to the administrator is that of managing centralized user directories.
- Likewise Open: http://www.likewisesoftware.com/products/likewise_open/
- "Linux with Active Directory" by Walter Neu, Linux Magazine, November 2008, pg. 28
- MIT Kerberos: http://web.mit.edu/kerberos/
- File Hierarchy Standard: http://www.pathname.com/fhs/
- Mounting home directories with PAM: http://pam-mount.sourceforge.net/
- Likewise Enterprise: http://www.likewisesoftware.com/products/likewise_enterprise
Buy this article as PDF
Upcoming switch to HTML5-only ads is further evidence the Flash is entering its final days.
US government invests $19 billion on enhancing security and replacing ancient computer systems.
But you can still be a non-voting “individual supporter” if you pay the money
Several current systems could fall victim to the attack
Latest Linux engine comes with better graphics and support for Intel's new power-saving chips.
Hackers send a message of beauty and liberation to server logs
Citrix gets excited about new Pi-Powered XenDesktop client system
Linux on Azure cert heralds a new era for Redmond.
Proposals for presentations at the CeBIT Open Source Forum will be accepted through 24 January 2016.
Adobe looks for a new start; renames its embattled Flash tool.