Easy Active Directory integration with Likewise Open
Likewise Open provides smooth integration with Active Directory environments. We show you how to install and configure the admin-friendly authentication system.
The Likewise Open authentication system  integrates Linux clients with the Active Directory environment. Of course, you can also configure Active Directory through Samba and its supporting cast of characters , but the Likewise solution offers several benefits for easier configuration and administration.
The free, GPL'd version of Likewise supports authentication against Active Directories, the authorization of kerberized services, and even single sign-on. This might sound a lot like Samba, which does the same things; in fact, the project manager of Likewise, Gerald Carter, is a long-term member of the Samba core developer team. Likewise Open builds on the work by Samba, although it adds many of its own features.
Likewise packages are available for Red Hat, Novell, and Canonical distributions, a couple of commercial Unix systems, and Mac OS X.
The Likewise website features version 5.0, although the distribution-specific packages include version 4, which I will use for this article. Ubuntu users will find the likewise-open and likewise-open-gui packages in the Universe repository. The Likewise packages include a number of dependencies – mainly related to Kerberos. Likewise Open relies on the MIT version of Kerberos as a back end . During installation on Ubuntu, the package prompts the admin to specify the Kerberos and administrative servers (Figures 1 and 2).
Besides a working Active Directory (AD) server and a domain structure managed by Windows, Likewise has two main requirements: a working name server to resolve DNS names and a synchronized system clock. If the client and server clocks are more than five minutes out of sync, the Kerberos server will refuse to issue tickets, which is a security measure to prevent replay attacks.
New Configuration Approach
Adding a raw Linux system to an AD domain requires a fair amount of configuration work . The Likewise Agent handles most of this work, adding itself to the Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) on the local client.
Server-side, the agent passes on authentication requests to the Kerberos 5 server and the LDAP-based AD. To allow this to happen, the package installs a couple of libraries and configuration files. For example, /lib/libnss_lwidentity.so integrates Likewise with NSS, and /--etc/pam.d/-pam_lwidentity.so- does the same thing for PAM. The /etc/security/pam_lwidentity.conf configuration file sets up the module, and the interface to the remote domain controller is implemented by the Likewise Winbind server, likewise-winbindd. The server has its own configuration file, /etc/samba/lwiauthd.conf, which is similar to the smb.conf file from the Samba package.
Likewise Open integrates these components to support a transparent domain login for the users. The login process passes the username and password to PAM. The pam_lwidentity.so module communicates with the Likewise authentication service, which generates a secret key from the username and password. The Likewise daemon uses the secret key to request an initial Ticket Granting Ticket (TGT) from the Kerberos Authentication Server, which runs as part of the Key Distribution Center (KDC) on the AD Server.
On presenting the TGT, the Likewise authentication service receives service tickets for other network services, such as SSH. Users can thus log on to kerberized servers without entering their passwords a second time.
Set up the Likewise installation package on each Linux machine that will become a member of the AD domain (and will be managed by Likewise). If you use the installation packages from the website, Likewise Open will be installed by using a Bitrock Installer – an executable whose file name ends with installer. To run the program, you must become root and follow the instructions on the screen.
The installer displays information about the OSS licenses for the installed components before Likewise sets up its files. After this, the Installer points the administrator to domainjoin-cli, which is located in the /-usr/centeris/bin/ directory (thus contravening the FHS  conventions; the distribution packages and later versions of Likewise correct this error). The agent stores logging information in /var/log/lw-identity/ or – if you use the version from the Ubuntu repository – in /var/log/likewise-open.
Come On In
An AD domain requires both the user and the client systems to become members. The act of setting up a machine account in Microsoft's directory service is referred to in AD-speak as "Joining the domain."
A command-line tool, domainjoin-cli, lets the root user join the AD domain, creating a machine account in the directory in the process. The domainjoin-cli tool accepts the join option and the domain as arguments. The domain argument must be specified as a fully qualified DNS name.
On top of this, the command expects the name of a user authorized to create computer accounts in the AD environment. Listing 1 shows a computer called ubuntu joining the example.org domain. The Administrator account has the required privileges for this step.
Joining a Domain
01 # domainjoin-cli join example.org Administrator 02 Joining to AD Domain: example.org 03 With Computer DNS Name: ubuntu.example.org 04 05 Administrator@EXAMPLE.ORG's password: 06 Enter Administrator@EXAMPLE.ORG's password: 07 SUCCESS
The second option for joining a domain is the Likewise Open GUI (Figure 3), however, the GUI is not included with the likewise-open core package. To add the GUI, just install likewise-open-gui and launch it with root privileges by entering domainjoin-gui.
Buy this article as PDF
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.