Local

The first time a domain user logs on to a client, Likewise Open uses PAM (pam_lwidentity.so) to set up local user directories. Alternatively, the pam_mount module can mount central user directories on a remote server with SMB/CIFS [5]. This guarantees all users access to their own files independent of the client they use to log in. The share is defined by a line in /etc/security/pam_mount.conf that uses the volume keyword:

volume user filesystem server share mountpoint options cipher path

Use of a wildcard * for the user parameter tells the module to insert the name of the user. The filesystem can be smbfs or cifs. The server can be an IP address or a NetBIOS name, and share can use the ampersand, &, as a wildcard for the username.

The last three parameters are not typically needed; dashes will be fine in this case:

volume * smbfs SAMBASERVER & /home/EXAMPLE/&/Documents - - -

Whether you mount the Documents subdirectory or the complete home directory is a matter of taste and will depend on how an organization arranges its central servers.

If the mount point does not exist, the PAM pam_mount module, with a setting of mkmountpoint 1, creates it. As of version 0.29, pam_mount stores the configuration in an equivalent XML format, as shown in Listing 4.

01 <?xml version="1.0" encoding="UTF-8"?>
02 <pam_mount>
03 <volume user       = "*"
04         server     = "SAMBASERVER"
05         mountpoint = "/home/EXAMPLE/%(USER)/Document"
06         path       = "%(USER)"
07         fstype     = "smbfs" />
08 </pam_mount>

Before the sufficient entries in the auth section of /etc/pam.d, you can insert an entry for the module. Listing 5 shows a configuration in the common-auth and common-session files on Ubuntu. To avoid the need for users to repeatedly enter their passwords, the try_first_pass = yes entry in the /etc/security/pam_lwidentity.conf file enables the option for retrying a password entered previously.

01 # /etc/pam.d/common-auth
02 auth     required    pam_mount.so
03 auth     sufficient  /lib/security/pam_lwidentity.so
04 auth     requisite   pam_unix.so nullok_secure try_first_pass
05 auth     optional    pam_smbpass.so migrate missingok
06
07 # /etc/pam.d/common-session
08 session  optional   pam_mount.so
09 auth     sufficient /lib/security/pam_lwidentity.so
10 session  required   pam_unix.so

More in the Commercial Version

Besides the open source version of Likewise, the US-based Likewise Software corporation offers a commercial version of its software, Likewise Enterprise [6]. The commercial version has support for AD group policies on top of the functionality offered by the free version; the product defines around 500 default policies. The Likewise Administrative Console can use a Linux or Unix machine to manage AD records.

On top of this, Likewise Enterprise supports Linux desktops, referring to AD to retrieve settings and restrictions. This enables the implementation of strict security policies. The Enterprise variant is available free of charge for evaluation purposes, or for US$ 250 as a server version. The company offers two levels of commercial support.

A New Face

Once configured, Likewise Open offers the same functional scope as a combination of Samba, Kerberos, PAM, and NSS. It takes many pesky setup tasks off the administrator's hands and supports centralized and platform-independent user management. The ticket-based Kerberos authentication service and single sign-on is a bonus.

If you enjoy working with Likewise Open, you might appreciate the extra features offered by the commercial version or the benefits of professional support. The only manual work left to the administrator is that of managing centralized user directories.