Easy Active Directory integration with Likewise Open
The first time a domain user logs on to a client, Likewise Open uses PAM (pam_lwidentity.so) to set up local user directories. Alternatively, the pam_mount module can mount central user directories on a remote server with SMB/CIFS . This guarantees all users access to their own files independent of the client they use to log in. The share is defined by a line in /etc/security/pam_mount.conf that uses the volume keyword:
volume user filesystem server share mountpoint options cipher path
Use of a wildcard * for the user parameter tells the module to insert the name of the user. The filesystem can be smbfs or cifs. The server can be an IP address or a NetBIOS name, and share can use the ampersand, &, as a wildcard for the username.
The last three parameters are not typically needed; dashes will be fine in this case:
volume * smbfs SAMBASERVER & /home/EXAMPLE/&/Documents - - -
Whether you mount the Documents subdirectory or the complete home directory is a matter of taste and will depend on how an organization arranges its central servers.
If the mount point does not exist, the PAM pam_mount module, with a setting of mkmountpoint 1, creates it. As of version 0.29, pam_mount stores the configuration in an equivalent XML format, as shown in Listing 4.
pam_mount Mounts Samba Shares
01 <?xml version="1.0" encoding="UTF-8"?> 02 <pam_mount> 03 <volume user = "*" 04 server = "SAMBASERVER" 05 mountpoint = "/home/EXAMPLE/%(USER)/Document" 06 path = "%(USER)" 07 fstype = "smbfs" /> 08 </pam_mount>
Before the sufficient entries in the auth section of /etc/pam.d, you can insert an entry for the module. Listing 5 shows a configuration in the common-auth and common-session files on Ubuntu. To avoid the need for users to repeatedly enter their passwords, the try_first_pass = yes entry in the /etc/security/pam_lwidentity.conf file enables the option for retrying a password entered previously.
Setting up pam_mount
01 # /etc/pam.d/common-auth 02 auth required pam_mount.so 03 auth sufficient /lib/security/pam_lwidentity.so 04 auth requisite pam_unix.so nullok_secure try_first_pass 05 auth optional pam_smbpass.so migrate missingok 06 07 # /etc/pam.d/common-session 08 session optional pam_mount.so 09 auth sufficient /lib/security/pam_lwidentity.so 10 session required pam_unix.so
More in the Commercial Version
Besides the open source version of Likewise, the US-based Likewise Software corporation offers a commercial version of its software, Likewise Enterprise . The commercial version has support for AD group policies on top of the functionality offered by the free version; the product defines around 500 default policies. The Likewise Administrative Console can use a Linux or Unix machine to manage AD records.
On top of this, Likewise Enterprise supports Linux desktops, referring to AD to retrieve settings and restrictions. This enables the implementation of strict security policies. The Enterprise variant is available free of charge for evaluation purposes, or for US$ 250 as a server version. The company offers two levels of commercial support.
A New Face
Once configured, Likewise Open offers the same functional scope as a combination of Samba, Kerberos, PAM, and NSS. It takes many pesky setup tasks off the administrator's hands and supports centralized and platform-independent user management. The ticket-based Kerberos authentication service and single sign-on is a bonus.
If you enjoy working with Likewise Open, you might appreciate the extra features offered by the commercial version or the benefits of professional support. The only manual work left to the administrator is that of managing centralized user directories.
- Likewise Open: http://www.likewisesoftware.com/products/likewise_open/
- "Linux with Active Directory" by Walter Neu, Linux Magazine, November 2008, pg. 28
- MIT Kerberos: http://web.mit.edu/kerberos/
- File Hierarchy Standard: http://www.pathname.com/fhs/
- Mounting home directories with PAM: http://pam-mount.sourceforge.net/
- Likewise Enterprise: http://www.likewisesoftware.com/products/likewise_enterprise
Richard Stallman calls for the W3C to remain independent of vendor interests.
The new release supports nine architectures, 73 human languages, and zero non-Free components.
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.
ack is a grep-like, command-line tool that has been optimized for programmers to search large trees of source code.
New features in SUSE Studio 1.3 include enhanced cloud integration, VM platform support, and lifecycle management.
The Linux Foundation recently announced that the Xen Project is becoming a Linux Foundation Collaborative Project.
Open source version of LiveCode is now available for developing apps, games, and utilities for all major platforms.
OpenDaylight is an open source software-defined networking project committed to furthering adoption of SDN and accelerating innovation in a vendor-neutral and open environment.
The new Gnome release includes privacy and sharing settings, allowing more user control over access to personal information.
Mozilla is collaborating with Samsung on a new web browser engine called Servo.