Easy Active Directory integration with Likewise Open
Staying Active

© tauro79, Fotolia
Likewise Open provides smooth integration with Active Directory environments. We show you how to install and configure the admin-friendly authentication system.
The Likewise Open authentication system [1] integrates Linux clients with the Active Directory environment. Of course, you can also configure Active Directory through Samba and its supporting cast of characters [2], but the Likewise solution offers several benefits for easier configuration and administration.
The free, GPL'd version of Likewise supports authentication against Active Directories, the authorization of kerberized services, and even single sign-on. This might sound a lot like Samba, which does the same things; in fact, the project manager of Likewise, Gerald Carter, is a long-term member of the Samba core developer team. Likewise Open builds on the work by Samba, although it adds many of its own features.
Ready-to-Run Packages
Likewise packages are available for Red Hat, Novell, and Canonical distributions, a couple of commercial Unix systems, and Mac OS X.
The Likewise website features version 5.0, although the distribution-specific packages include version 4, which I will use for this article. Ubuntu users will find the likewise-open and likewise-open-gui packages in the Universe repository. The Likewise packages include a number of dependencies – mainly related to Kerberos. Likewise Open relies on the MIT version of Kerberos as a back end [3]. During installation on Ubuntu, the package prompts the admin to specify the Kerberos and administrative servers (Figures 1 and 2).
Besides a working Active Directory (AD) server and a domain structure managed by Windows, Likewise has two main requirements: a working name server to resolve DNS names and a synchronized system clock. If the client and server clocks are more than five minutes out of sync, the Kerberos server will refuse to issue tickets, which is a security measure to prevent replay attacks.
New Configuration Approach
Adding a raw Linux system to an AD domain requires a fair amount of configuration work [2]. The Likewise Agent handles most of this work, adding itself to the Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) on the local client.
Server-side, the agent passes on authentication requests to the Kerberos 5 server and the LDAP-based AD. To allow this to happen, the package installs a couple of libraries and configuration files. For example, /lib/libnss_lwidentity.so integrates Likewise with NSS, and /--etc/pam.d/-pam_lwidentity.so- does the same thing for PAM. The /etc/security/pam_lwidentity.conf configuration file sets up the module, and the interface to the remote domain controller is implemented by the Likewise Winbind server, likewise-winbindd. The server has its own configuration file, /etc/samba/lwiauthd.conf, which is similar to the smb.conf file from the Samba package.
Likewise Open integrates these components to support a transparent domain login for the users. The login process passes the username and password to PAM. The pam_lwidentity.so module communicates with the Likewise authentication service, which generates a secret key from the username and password. The Likewise daemon uses the secret key to request an initial Ticket Granting Ticket (TGT) from the Kerberos Authentication Server, which runs as part of the Key Distribution Center (KDC) on the AD Server.
On presenting the TGT, the Likewise authentication service receives service tickets for other network services, such as SSH. Users can thus log on to kerberized servers without entering their passwords a second time.
Set up the Likewise installation package on each Linux machine that will become a member of the AD domain (and will be managed by Likewise). If you use the installation packages from the website, Likewise Open will be installed by using a Bitrock Installer – an executable whose file name ends with installer. To run the program, you must become root and follow the instructions on the screen.
The installer displays information about the OSS licenses for the installed components before Likewise sets up its files. After this, the Installer points the administrator to domainjoin-cli, which is located in the /-usr/centeris/bin/ directory (thus contravening the FHS [4] conventions; the distribution packages and later versions of Likewise correct this error). The agent stores logging information in /var/log/lw-identity/ or – if you use the version from the Ubuntu repository – in /var/log/likewise-open.
Come On In
An AD domain requires both the user and the client systems to become members. The act of setting up a machine account in Microsoft's directory service is referred to in AD-speak as "Joining the domain."
A command-line tool, domainjoin-cli, lets the root user join the AD domain, creating a machine account in the directory in the process. The domainjoin-cli tool accepts the join option and the domain as arguments. The domain argument must be specified as a fully qualified DNS name.
On top of this, the command expects the name of a user authorized to create computer accounts in the AD environment. Listing 1 shows a computer called ubuntu joining the example.org domain. The Administrator account has the required privileges for this step.
Listing 1
Joining a Domain
The second option for joining a domain is the Likewise Open GUI (Figure 3), however, the GUI is not included with the likewise-open core package. To add the GUI, just install likewise-open-gui and launch it with root privileges by entering domainjoin-gui.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
News
-
The 14" Pinebook Pro Linux Laptop is Shipping
After a considerable delay, the 14" version of the Pinebook Pro laptop is, once again, available for purchase.
-
OpenMandriva Lx ROME Technical Preview Released
OpenMandriva’s rolling release distribution technical preview has been released for testing purposes and adds some of the latest/greatest software into the mix.
-
Linux Mint 21 is Now Available
The latest iteration of Linux Mint, codenamed Vanessa, has been released with a new upgrade tool and other fantastic features.
-
Firefox Adds Long-Anticipated Feature
Firefox 103 has arrived and it now includes a feature users have long awaited…sort of.
-
System76 Refreshes Their Popular Oryx Pro Laptop with a New CPU
The System76 Oryx Pro laptop has been relaunched with a 12th Gen CPU and more powerful graphics options.
-
Elive Has Released a New Beta
The Elive team is proud to announce the latest beta version (3.8.30) of its Enlightenment-centric Linux distribution.
-
Rocky Linux 9 Has Arrived
The latest iteration of Rocky Linux is now available and includes a host of new features and support for new architecture.
-
Slimbook Executive Linux Ultrabook Upgrading Their CPUs
The Spanish-based company, Slimbook, has made available their next generation Slimbook Executive Linux ultrabooks with a 12th Gen Intel Alder Lake CPU.
-
Fedora Linux is Coming to the Raspberry Pi 4
Thanks to significant work in the upstream, the upcoming release of Fedora 37 will introduce support for the Raspberry Pi 4.
-
New Linux Ultrabook from TUXEDO Computers
TUXEDO Computers has released a new 15" Ultrabook running Linux.