Easy Active Directory integration with Likewise Open
Local
The first time a domain user logs on to a client, Likewise Open uses PAM (pam_lwidentity.so) to set up local user directories. Alternatively, the pam_mount module can mount central user directories on a remote server with SMB/CIFS [5]. This guarantees all users access to their own files independent of the client they use to log in. The share is defined by a line in /etc/security/pam_mount.conf that uses the volume keyword:
volume user filesystem server share mountpoint options cipher path
Use of a wildcard * for the user parameter tells the module to insert the name of the user. The filesystem can be smbfs or cifs. The server can be an IP address or a NetBIOS name, and share can use the ampersand, &, as a wildcard for the username.
The last three parameters are not typically needed; dashes will be fine in this case:
volume * smbfs SAMBASERVER & /home/EXAMPLE/&/Documents - - -
Whether you mount the Documents subdirectory or the complete home directory is a matter of taste and will depend on how an organization arranges its central servers.
If the mount point does not exist, the PAM pam_mount module, with a setting of mkmountpoint 1, creates it. As of version 0.29, pam_mount stores the configuration in an equivalent XML format, as shown in Listing 4.
Listing 4
pam_mount Mounts Samba Shares
Before the sufficient entries in the auth section of /etc/pam.d, you can insert an entry for the module. Listing 5 shows a configuration in the common-auth and common-session files on Ubuntu. To avoid the need for users to repeatedly enter their passwords, the try_first_pass = yes entry in the /etc/security/pam_lwidentity.conf file enables the option for retrying a password entered previously.
Listing 5
Setting up pam_mount
More in the Commercial Version
Besides the open source version of Likewise, the US-based Likewise Software corporation offers a commercial version of its software, Likewise Enterprise [6]. The commercial version has support for AD group policies on top of the functionality offered by the free version; the product defines around 500 default policies. The Likewise Administrative Console can use a Linux or Unix machine to manage AD records.
On top of this, Likewise Enterprise supports Linux desktops, referring to AD to retrieve settings and restrictions. This enables the implementation of strict security policies. The Enterprise variant is available free of charge for evaluation purposes, or for US$ 250 as a server version. The company offers two levels of commercial support.
A New Face
Once configured, Likewise Open offers the same functional scope as a combination of Samba, Kerberos, PAM, and NSS. It takes many pesky setup tasks off the administrator's hands and supports centralized and platform-independent user management. The ticket-based Kerberos authentication service and single sign-on is a bonus.
If you enjoy working with Likewise Open, you might appreciate the extra features offered by the commercial version or the benefits of professional support. The only manual work left to the administrator is that of managing centralized user directories.
Infos
- Likewise Open: http://www.likewisesoftware.com/products/likewise_open/
- "Linux with Active Directory" by Walter Neu, Linux Magazine, November 2008, pg. 28
- MIT Kerberos: http://web.mit.edu/kerberos/
- File Hierarchy Standard: http://www.pathname.com/fhs/
- Mounting home directories with PAM: http://pam-mount.sourceforge.net/
- Likewise Enterprise: http://www.likewisesoftware.com/products/likewise_enterprise
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.