Easy Active Directory integration with Likewise Open
The first time a domain user logs on to a client, Likewise Open uses PAM (pam_lwidentity.so) to set up local user directories. Alternatively, the pam_mount module can mount central user directories on a remote server with SMB/CIFS . This guarantees all users access to their own files independent of the client they use to log in. The share is defined by a line in /etc/security/pam_mount.conf that uses the volume keyword:
volume user filesystem server share mountpoint options cipher path
Use of a wildcard * for the user parameter tells the module to insert the name of the user. The filesystem can be smbfs or cifs. The server can be an IP address or a NetBIOS name, and share can use the ampersand, &, as a wildcard for the username.
The last three parameters are not typically needed; dashes will be fine in this case:
volume * smbfs SAMBASERVER & /home/EXAMPLE/&/Documents - - -
Whether you mount the Documents subdirectory or the complete home directory is a matter of taste and will depend on how an organization arranges its central servers.
If the mount point does not exist, the PAM pam_mount module, with a setting of mkmountpoint 1, creates it. As of version 0.29, pam_mount stores the configuration in an equivalent XML format, as shown in Listing 4.
pam_mount Mounts Samba Shares
01 <?xml version="1.0" encoding="UTF-8"?> 02 <pam_mount> 03 <volume user = "*" 04 server = "SAMBASERVER" 05 mountpoint = "/home/EXAMPLE/%(USER)/Document" 06 path = "%(USER)" 07 fstype = "smbfs" /> 08 </pam_mount>
Before the sufficient entries in the auth section of /etc/pam.d, you can insert an entry for the module. Listing 5 shows a configuration in the common-auth and common-session files on Ubuntu. To avoid the need for users to repeatedly enter their passwords, the try_first_pass = yes entry in the /etc/security/pam_lwidentity.conf file enables the option for retrying a password entered previously.
Setting up pam_mount
01 # /etc/pam.d/common-auth 02 auth required pam_mount.so 03 auth sufficient /lib/security/pam_lwidentity.so 04 auth requisite pam_unix.so nullok_secure try_first_pass 05 auth optional pam_smbpass.so migrate missingok 06 07 # /etc/pam.d/common-session 08 session optional pam_mount.so 09 auth sufficient /lib/security/pam_lwidentity.so 10 session required pam_unix.so
More in the Commercial Version
Besides the open source version of Likewise, the US-based Likewise Software corporation offers a commercial version of its software, Likewise Enterprise . The commercial version has support for AD group policies on top of the functionality offered by the free version; the product defines around 500 default policies. The Likewise Administrative Console can use a Linux or Unix machine to manage AD records.
On top of this, Likewise Enterprise supports Linux desktops, referring to AD to retrieve settings and restrictions. This enables the implementation of strict security policies. The Enterprise variant is available free of charge for evaluation purposes, or for US$ 250 as a server version. The company offers two levels of commercial support.
A New Face
Once configured, Likewise Open offers the same functional scope as a combination of Samba, Kerberos, PAM, and NSS. It takes many pesky setup tasks off the administrator's hands and supports centralized and platform-independent user management. The ticket-based Kerberos authentication service and single sign-on is a bonus.
If you enjoy working with Likewise Open, you might appreciate the extra features offered by the commercial version or the benefits of professional support. The only manual work left to the administrator is that of managing centralized user directories.
- Likewise Open: http://www.likewisesoftware.com/products/likewise_open/
- "Linux with Active Directory" by Walter Neu, Linux Magazine, November 2008, pg. 28
- MIT Kerberos: http://web.mit.edu/kerberos/
- File Hierarchy Standard: http://www.pathname.com/fhs/
- Mounting home directories with PAM: http://pam-mount.sourceforge.net/
- Likewise Enterprise: http://www.likewisesoftware.com/products/likewise_enterprise
Buy this article as PDF
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.
Klaus Knopper announces the latest version of his iconic Live Linux system.
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.