Easy Active Directory integration with Likewise Open
Staying Active
Likewise Open provides smooth integration with Active Directory environments. We show you how to install and configure the admin-friendly authentication system.
The Likewise Open authentication system [1] integrates Linux clients with the Active Directory environment. Of course, you can also configure Active Directory through Samba and its supporting cast of characters [2], but the Likewise solution offers several benefits for easier configuration and administration.
The free, GPL'd version of Likewise supports authentication against Active Directories, the authorization of kerberized services, and even single sign-on. This might sound a lot like Samba, which does the same things; in fact, the project manager of Likewise, Gerald Carter, is a long-term member of the Samba core developer team. Likewise Open builds on the work by Samba, although it adds many of its own features.
Ready-to-Run Packages
Likewise packages are available for Red Hat, Novell, and Canonical distributions, a couple of commercial Unix systems, and Mac OS X.
The Likewise website features version 5.0, although the distribution-specific packages include version 4, which I will use for this article. Ubuntu users will find the likewise-open and likewise-open-gui packages in the Universe repository. The Likewise packages include a number of dependencies – mainly related to Kerberos. Likewise Open relies on the MIT version of Kerberos as a back end [3]. During installation on Ubuntu, the package prompts the admin to specify the Kerberos and administrative servers (Figures 1 and 2).
Besides a working Active Directory (AD) server and a domain structure managed by Windows, Likewise has two main requirements: a working name server to resolve DNS names and a synchronized system clock. If the client and server clocks are more than five minutes out of sync, the Kerberos server will refuse to issue tickets, which is a security measure to prevent replay attacks.
New Configuration Approach
Adding a raw Linux system to an AD domain requires a fair amount of configuration work [2]. The Likewise Agent handles most of this work, adding itself to the Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) on the local client.
Server-side, the agent passes on authentication requests to the Kerberos 5 server and the LDAP-based AD. To allow this to happen, the package installs a couple of libraries and configuration files. For example, /lib/libnss_lwidentity.so integrates Likewise with NSS, and /--etc/pam.d/-pam_lwidentity.so- does the same thing for PAM. The /etc/security/pam_lwidentity.conf configuration file sets up the module, and the interface to the remote domain controller is implemented by the Likewise Winbind server, likewise-winbindd. The server has its own configuration file, /etc/samba/lwiauthd.conf, which is similar to the smb.conf file from the Samba package.
Likewise Open integrates these components to support a transparent domain login for the users. The login process passes the username and password to PAM. The pam_lwidentity.so module communicates with the Likewise authentication service, which generates a secret key from the username and password. The Likewise daemon uses the secret key to request an initial Ticket Granting Ticket (TGT) from the Kerberos Authentication Server, which runs as part of the Key Distribution Center (KDC) on the AD Server.
On presenting the TGT, the Likewise authentication service receives service tickets for other network services, such as SSH. Users can thus log on to kerberized servers without entering their passwords a second time.
Set up the Likewise installation package on each Linux machine that will become a member of the AD domain (and will be managed by Likewise). If you use the installation packages from the website, Likewise Open will be installed by using a Bitrock Installer – an executable whose file name ends with installer. To run the program, you must become root and follow the instructions on the screen.
The installer displays information about the OSS licenses for the installed components before Likewise sets up its files. After this, the Installer points the administrator to domainjoin-cli, which is located in the /-usr/centeris/bin/ directory (thus contravening the FHS [4] conventions; the distribution packages and later versions of Likewise correct this error). The agent stores logging information in /var/log/lw-identity/ or – if you use the version from the Ubuntu repository – in /var/log/likewise-open.
Come On In
An AD domain requires both the user and the client systems to become members. The act of setting up a machine account in Microsoft's directory service is referred to in AD-speak as "Joining the domain."
A command-line tool, domainjoin-cli, lets the root user join the AD domain, creating a machine account in the directory in the process. The domainjoin-cli tool accepts the join option and the domain as arguments. The domain argument must be specified as a fully qualified DNS name.
On top of this, the command expects the name of a user authorized to create computer accounts in the AD environment. Listing 1 shows a computer called ubuntu joining the example.org domain. The Administrator account has the required privileges for this step.
Listing 1
Joining a Domain
The second option for joining a domain is the Likewise Open GUI (Figure 3), however, the GUI is not included with the likewise-open core package. To add the GUI, just install likewise-open-gui and launch it with root privileges by entering domainjoin-gui.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.