Likewise Speaking at Samba Experience 2009

April 3rd, 2009 by Luke Dieker

Likewise is taking an active role at the upcoming Samba Experience 2009 conference (www.sambaxp.org) in Göttingen, Germany from April 20-24. The theme of this year’s conference is, “Opening windows to a wider world”.

Our company is supporting the event along with Google and Intel. We’ll also have three speakers:

  • Krishna Ganugapati - “Windows Interoperability Efforts at Likewise Software”
  • Jerry Carter - “Implementing and Using the Winbind Client library”
  • Rafal Szczesniak - “Samba and Likewise RPC - Cross-testing the Implementations”

It promises to be an informative conference with other speakers from IBM, Intel, Microsoft, Red Hat, and SUSE. Be sure to say “hello” if you are attending!

So you want to implement Open Source Software?

March 24th, 2009 by Barry

I’m at OSBC (Open Source Business Conference) and sat through an interesting session run by Chris DiBona, Google’s Open Source Program Manager, and Dirk Hohndel, Intel’s Chief Linux and Open Source Technologist (Intel is an investor in Likewise) (his blog: http://www.hohndel.org/communitymatters/). The topic: “Where’s the Risk, Exactly?” Meaning where is the risk to organizations that are using and developing with Open Source Software.

The risk question, as the CEO of a business with an Open Source business and development model, is one that I’m asked with some regularity. Chris and Dirk certainly got the details right; I’d like to add on with actionable information. I worry at times that overloading the uninitiated with the minutiae of the ins/outs of OSS licensing can freak out mainstream organizations that are considering moving to OSS. And if you believe the analyst numbers presented in a couple of the keynotes, our economic climate is accelerating Open Source adoption in organizations of all sizes, so this is an important time to help folks figure out how to correctly use and develop with Open Source.

The licensing minutiae do matter and if you get it wrong, particularly if you’ve not even tried to get it right, this can lead to pain and misery and even the loss of a job if you’re a technology leader and this badness happens under your watch. That said, it isn’t difficult to get it right and here is some actionable advice to organizations that are considering Open Source Software for the first time:

1. Get a pragmatic, Open Source-savvy attorney and listen to them. I can make an excellent referral to ours if you like. If the attorney you’re working with advises you that it is risky to use open source, it is probably safe to say that they are not open source savvy.

2. Get a business-oriented and Open Source-experienced project manager. There are details that need to be gotten right and someone that has experience in these areas will help things go smoothly for your project.

3. Scan your code. Here is one company that does this: http://www.blackducksoftware.com/ There are others. I won’t be surprised if you are surprised by the results of your first scan. Dirk has a test that is a good one: do your developers have illicit MP3 files on their computers? What makes you think that this isn’t true of illicit code snippets that they have downloaded? It is just the same, I assure you. This is good hygiene even for commercial software companies; as I said, you’ll be surprised at what you find.

4. Train your developers on the basics of how to do Open Source the right way. If you are a small company this can be less formal. If you are a big company your lawyers will appreciate a fancy, formal, and detailed program.

5. Operate in good faith to do the right thing. Contribute back when you are required to and meet other license obligations as appropriate. If you don’t, you can get a community of pissed-off developers and then not-necessarily friendly lawyers that may, and rightly so, make your life more complicated than you wish.

6. Work with quality Open Source Software vendors. Like Likewise. [Sorry for the quick plug.] Your life will be simpler in the long run.

Hope this helps!!

Barry

PS: Loved a couple of things from Ron Hovsepian’s (Novell CEO) keynote:

- 67% of prospects/customers rank interoperability between Linux and Windows as one of the top factors in selecting a server OS. Amen.

- Interoperability is one of the key issues for Linux in the data center. Double amen.

War and Peace

March 4th, 2009 by Barry

How the Mac saved Microsoft in the Enterprise

Have you seen our new t-shirts?  We are now officially in the big leagues; we’ve got excellent t-shirts and our “company store” is open for business.  Peace Design

The back story is that we were having fun with these internally when a bunch of our customers and a couple of our partners saw them and everyone wanted one.  So we’ve now officially executed what in the trade is known as a “product line extension” although in this case we’re giving all the proceeds to charity.   Please check them out here.  Operators are standing by.

The t-shirts are a fun way to call attention to a very real technology conundrum: Mixed OSs in the enterprise. It is something I feel strongly about and deal with daily with Likewise’s customer base.

Full disclosure:  I worked at Apple for almost nine years.  I started as an IT intern at Apple in 1985 with an employee # in the 6000 range.  During my tenure, I was involved in some of the largest field projects involving Macs in large enterprise organizations - Mac-in-the-enterprise 1.0, if you will.

Last year I returned to the Apple flock when I migrated my work computer from Windows XP to the Mac OS on a MacBook Air (love the Air, not so much Entourage). I also have a long-standing personal connection to “the other side.” My wife Maureen has worked at two companies, Intel and Microsoft. She recently rejoined Microsoft. Many of my neighbors and friends work at Microsoft (I live in a Seattle suburb). The net of it is I know a few things about Macs in the enterprise as well as what goes on over on the other side of the OS train tracks.

In 2009, it will become apparent that the Mac is the single “best-of-the-best” thing that happened to Microsoft and to large enterprise customers.

“How’s that?” you ask. For the last couple of years Microsoft has been distracted by choosing a variety of questionable battles. Google is the best example but there are plenty of others. Zune for one. It is shocking, given what a proven competitor Microsoft is, that it chose to do battle on ground that is so disadvantageous to them. Search? One could probably write a book on the topic but let’s just say that Microsoft isn’t going to succeed at web search and that’s OK so long as it does not detract financially or burn out top talent on the wrong battles.

There are a couple of battles that Microsoft must fight and win and fortunately, it has the high ground for some of these battles: the OS, applications (including SaaS), virtualization, cloud computing, enterprise mobile. These are places where Microsoft can leverage its “Iron Triangle” (Windows Desktop, Office, Windows Server) as an unfair advantage. If I were Steve Ballmer I’d be more focused on making Microsoft a bigger, cooler but more nimble (and profitable) IBM, instead of trying to compete in places it can’t win like search and music and always feeling like the dorks compared to Google and Apple.

No news here: Microsoft screwed the pooch with Vista.  We all have our Vista horror stories, I’m sure mine aren’t unique.  Let’s just leave it that Vista has been one of the biggest misses in the industry.  Ever.  While Microsoft likely managed to make a surprising amount of money on Vista, the enterprise adoption is paltry and in my opinion over-reported.   In fact, CIO patience has worn thin with Microsoft; what comes after Vista could wind up being a do-or-die issue for Microsoft.

Fortunately for Microsoft, Apple has helped them out significantly.

“Come again?” you might ask.

Apple created a superior and quite elegant OS reference platform yet stopped short of actually going after Microsoft’s throat in the enterprise. In fact, the Mac has several significant limitations that prevent widespread enterprise adoption. Never mind that these Mac enterprise limitations come partially at the hand of Microsoft (Entourage, Office format issues, AD integration); the truth is, Apple hasn’t put its shoulder into the enterprise. There is ample evidence of this, including that Apple’s Enterprise group is located “off-off-Broadway”, far from the main, gleaming campus.

Yet Apple has created an OS yardstick for Microsoft in the enterprise. It has poked fun at Microsoft in its ads in a way that hurt. In some important areas Apple has drawn real blood (laptops, music, mobile) but the company has failed to go for the jugular: Microsoft’s footprint in the enterprise.

Apple significantly helped Microsoft “get it right” with Windows 7.  Our technical team has looked at the Windows 7 beta.  This is a team that doesn’t throw out idle praise and certainly doesn’t pull any punches when reviewing Microsoft technology.  To say that the early returns from our team on Windows 7 are positive would be an understatement.  Microsoft appears to have delivered.  And the timing for Microsoft could not  be better.

While much of the technology industry will be fighting to stay alive (including our competitors) over the next couple of years, Microsoft may wind up in a golden position, strangely enough, because of their Vista miss. The enterprise market has ignored Vista, but their Windows OS of choice, XP, is getting long in the tooth and Apple has given many of us a taste of what a modern OS should be. So when Windows 7 ships under budget and ahead of schedule (this year) Microsoft might score big on widespread XP to Win7 enterprise migrations over the next several years.

And you can bet that Microsoft will never give Apple the “thank you” that it deserves.

Looking ahead into 2009

February 3rd, 2009 by Barry

“How’s it going?”  I meet frequently with customers, partners, and analysts and this seems to be the question that everyone is asking each other.  And they aren’t referring to the winter weather in Seattle.

For the record, things are going very well for the company.  We had a great year in 2008 on all fronts… new customers, revenue, and growth.  We’re in great shape financially and will continue to carefully expand and invest as our business continues to grow. 2008 was all about the enterprise for Likewise.  This segment of our business exploded in 2008 as the enterprise adoption of both Likewise Open and Likewise Enterprise soared.  And the icing on the cake was that we were able to purchase the likewise.com domain late in December.

Here’s why I expect that 2009 will be a good year for Likewise despite the dismal climate:

- Likewise projects are low risk and deliver a strong ROI.  By bridging Linux, Unix, and Mac systems into Microsoft’s Active Directory environment  we help organizations get additional value and efficiencies out of both their Linux, Unix, and Mac systems AS WELL AS their Microsoft management infrastructure.

- We provide the best value in our market. Our Open Source business model allows us to offer a range of options that literally start with “free” (Likewise Open with no support) and scale all the way to a fully deployed, enterprise-wide solution with 24×7 support. In fact, many of our largest customers started with Likewise Open and later grew into Likewise Enterprise as they expanded the scope of their projects and built on the success of their initial authentication projects using Likewise Open. We added a new option last year, Likewise Open with our Cell Technology, which provides UID-GID management for our Likewise Open customers with support contracts.

- Likewise has the strongest technical team and provides the best support in the category.  I’ve heard consistently from our customers — they like doing business with us and highly value our deep technical orientation.  We have some of the biggest names in the industry as significant paying customers including NBC/GE, Microsoft, Delta Airlines, IBM, Qwest, Virgin, Maersk, and the US Government to name a few.

I know from talking to many of you out there that it is a very difficult economic environment and many people are facing both professional and personal challenges. As an old boss of mine said many times, the real test of relationships isn’t when times are good but rather when times are tough. It is during times like these that you’ll be able to determine who is a true business partner and who is simply a vendor.

Barry Crist
CEO

Integrating Mac Workgroup Manager with Active Directory

February 2nd, 2009 by Manny

It’s not very likely that you are familiar with the Mac’s Workgroup Manager (let’s call it WGM). This is a shame because Workgroup Manager can be an extremely useful tool. If you need to configure a lot of Macs in identical fashion, it’s a whole lot easier and more reliable to use WGM to specify that configuration in one place than it is to visit a bunch of individual machines and establish the configuration on each.

The reason why you’re probably not familiar with WGM is that it’s pretty much useless unless you also run Mac OS X Server in your company. WGM needs a central place where it can store its settings. It knows how to store them in OS X Server or in “any LDAP server” (according to the WGM data sheet). Alas, at most companies, the most prevalent LDAP server is Microsoft’s Active Directory (AD) and storing additional information in it is not trivial. To store WGM data in AD, you need to make schema modifications. AD administrators do not like to make schema modifications, especially if it’s just for the benefit of non-Windows folk. Schema modifications are pretty much a one-way process; undoing them is difficult.

Of course, convincing your IT folk to deploy OS X server is probably no easier. As a result, few people take advantage of what really is a good tool.

Mac WGM allows you to set a multitude of different operating system and application settings. WGM is also extensible meaning that ISVs can provide new UI for WGM allowing it to control application behavior. Finally, let me note that Apple has done an excellent job of keeping WGM in synch with its operating system releases.

The equivalent of WGM in the Windows world is group policy and the Microsoft Group Policy tools (the management console, GPMC, and the object editor, GPOE). Just as WGM can be used to store Mac computer and user settings in a central place, the group policy tools can be used to store Windows computer and user settings in AD.

Likewise Enterprise, since version 3.5, has supported the extension of group policy to Mac computers. In version 5.0, however, we added a feature that allows Mac WGM to be used with AD group policy. The result is a solution that really provides the best of both worlds: the use of a native tool (WGM) to set standard configuration settings but the storage of those settings in AD group policy objects that can be seen and manipulated by AD administrators.

To combine WGM with AD, you need to do several things:

  1. Install Likewise Enterprise software on your Macs and join them to AD. This is identical to what you do with Windows machines and AD.
  2. Install Likewise Enterprise software on a Windows computer that will be used to administer the Likewise software.
  3. Run Microsoft’s GPMC tool to create a Group Policy Object (GPO) that will apply to the computers whose settings you want to configure.
  4. Edit the GPO, open the Mac Settings folder (added by Likewise) and the Workgroup Manager Settings. Enable the GPO to be used by WGM.
  5. On one of your Mac machines (joined to AD), run WGM and connect to Active Directory (you will have this option having installed Likewise Enterprise).
  6. Select either the “group of users” tab or the “group of computers” tab. Each will show you a list of GPOs that have been enabled for use with WGM. You should see the one you created in step #3 and enabled for WGM. Select it.
  7. On the right pane of WGM, set whatever user or computer settings you want to store in the GPO. As you make your settings, they will be stored in AD by the Likewise software.
  8. Back in the Windows tools (e.g. in GPMC), if you refresh the new policy object and select the “Settings” tab in the right pane, you should see the settings made in WGM. As with other settings, the GPMC tool can be used to back up, copy and restore them.

This is a whole lot easier to do than to describe. If your company is interested in using Macs and WGM with Active Directory, send mail to info@likewise.com or sign up for a demo. You’ll see that the combination of WGM and AD provides great synergy for both Mac and Windows administrators.

To read more about Workgroup Manager, see

http://www.likewise.com/products/likewise_enterprise/workgroup_manager_overview.php

 

25 Years for the Apple Mac

January 22nd, 2009 by Luke Dieker

One of the most iconic moments in tech history is the Apple Super Bowl ad of 1984 heralding the arrival of its Mac — 25 years ago!

This Computer Weekly article re-visits the history of the Mac and laments that the Mac “never really made it in the enterprise”. It even quotes our CEO, Barry Crist, since our company builds software integrating Macs with Active Directory.

But, it seems at last the Mac is making headway into enterprises. A Gartner report titled “Enterprises Move to Provide Limited Support for Macs: Where to Start” (January 12, 2009) even cited Likewise Software as one of the products that make Macs more manageable while leveraging existing Windows server infrastructure and tools.

Go here if you’re interested in obtaining a copy of the report from Gartner.

Introducing the Likewise Forum!

October 31st, 2008 by Krishna

The user community likes fast resolution, instant search ability and interaction with experts and other users. Because of that, Likewise Software today launches Likewise Forum. Now, users and customers can quickly find technical information and support for Likewise Open and Likewise Enterprise by means of a user-friendly search feature. In addition, the Forum has a variety of sections for Likewise Software users such as Likewise Open Installation, Likewise Open Trouble Shooting, Likewise Open User Stories, Likewise Open FAQ, Likewise Enterprise FAQ, and many more. Anyone can read previously written forum posts, but registration to the forum is necessary to create new posts or respond to posts.
We hope our users find this a valuable resource and welcome your feedback.
For more information please visit the Likewise Software forum at http://www.likewisesoftware.com/community/index.php/forums/.

The (New) Architecture of Likewise 5.0

September 29th, 2008 by Manny

At Likewise, we’ve just recently announced the “Fall Edition” of our software. If you haven’t done so already, you should stop now and read Krishna’s post on the topic.

I know, it’s a long post but, hey, we’ve got a lot to talk about in this release! There’s LWIS (a German pun on “Elvis”), there’s the new event system, the Likewise Administrator’s Console and support for the Mac Workgroup Manager. Each of these warrants its own post, elaborating its features. In this post, however, I’m going to write about something that Krishna mentions only in passing: the new underlying architecture. While LWIS (the new Likewise authentication engine) is the clearest manifestation of this new architecture, its impact on the current and future products is much more significant.

Before I get into the details of the new architecture, let me describe the fundamental elements of authentication and why we decided to redesign our product.

Fundamentally, authentication against Active Directory does not seem like a difficult problem. AD supports the Kerberos security protocol. To log on to AD, first you need to “join” the computer to AD and then you need to send some Kerberos packets to get a user “TGT”. This TGT later lets you get “service tickets” for other systems, allowing single sign-on. After a user is logged on (to a UNIX, Linux or Mac computer), you then need to implement a series of nsswitch library functions to perform name-to-ID mapping. Implementing these functions usually involves performing a series of LDAP transactions in order to look up information in AD.

So far, the problem doesn’t seem very complicated. Indeed, years ago, someone wrote pam_kerberos and a set of nsswitch libraries to do exactly this. Alas, this simple-minded approach turns out to be difficult and inadequate. Joining a computer to AD involves creating a computer account (and Kerberos principal). Doing this “by hand” involves steps on both Windows and non-Windows computers and copying keytabs around. Additionally, AD doesn’t like plain old LDAP calls - it wants them to be secure and encrypted. Doing this with SSL encryption involves certificate distribution and other messy details. Beyond this, there are the issues of “offline-mode”, site affinity, domain controller selection, automatic machine password changes, Kerberos ticket refreshes, dynamic DNS updates and a host of other problems. Oh, there’s Group Policy, too. Hey, if it was easy, Likewise would not be in business.

The authentication engines in Likewise 3.0 through 4.1 were based on Samba source code. Samba has been in the Windows interoperability business for years and has solved many of the problems mentioned above. Likewise employs several Samba developers and has been a major contributor of features and bug fixes for several years.

With 5.0, we decided to rewrite the authentication engine to remove our dependency on Samba. Why? Because we wanted to develop an architecture that would serve our needs for the next 5-10 years. Our interests in the Identity Management business go significantly beyond authentication and group policy. We need a flexible, modern architecture that suits our technical and business purposes. Let’s consider the elements of the new architecture.

First, 5.0 is based on a formal RPC (remote procedure call) architecture. In order to join a computer to Active Directory and to perform a series of other operations efficiently, the Likewise agent performs RPC calls rather than LDAP calls. These RPC calls are described using a formal IDL (interface definition language) and translated by a compiler into a set of stubs that handle marshaling of the RPC calls. In 5.0, we’ve defined an IDL language and an IDL compiler that are Microsoft compatible. We can take IDL files designed for Windows and generate stubs that work on non-Windows systems.
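The marshaling that generated stubs perform is the part of an RPC layer a practitioner most often needs to reason about, so here is an added illustration in Python. It is not Likewise code and not the output of a real IDL compiler or a real NDR encoder; the wire layout (32-bit little-endian fields, 4-byte alignment, count-prefixed UTF-16LE strings) and the hypothetical "join request" message are simplified assumptions of this example. It shows a hand-written stub pair and, on the unmarshaling side, the bounds checks a stub needs so that a truncated or forged buffer is rejected rather than read past its end.

```python
import struct


class MarshalError(ValueError):
    """Raised when a buffer does not decode as the expected wire format."""


def _pad(length, align):
    """Bytes needed to bring `length` up to the next multiple of `align`."""
    return (-length) % align


def marshal_join_request(hostname, domain, flags):
    """Encode a hypothetical join request (assumed layout, not real NDR):
    [u32 flags] then, for hostname and domain, [u32 char_count][UTF-16LE chars][pad to 4].
    """
    out = bytearray(struct.pack("<I", flags))
    for text in (hostname, domain):
        data = text.encode("utf-16-le")
        out += struct.pack("<I", len(data) // 2)  # count is in 16-bit characters
        out += data
        out += b"\x00" * _pad(len(out), 4)        # keep the next field 4-byte aligned
    return bytes(out)


MAX_STRING_CHARS = 1024  # assumed sanity limit for a host or domain name


def unmarshal_join_request(buf):
    """Decode the layout above, refusing anything that does not fit the buffer."""
    pos = 0

    def take(n):
        # Every read is checked against the buffer length before it happens,
        # so a count field from the network can never drive a read out of bounds.
        nonlocal pos
        if n < 0 or pos + n > len(buf):
            raise MarshalError("field runs past end of buffer at offset %d" % pos)
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    (flags,) = struct.unpack("<I", take(4))
    strings = []
    for _ in range(2):
        (count,) = struct.unpack("<I", take(4))
        if count > MAX_STRING_CHARS:
            raise MarshalError("string count %d exceeds limit" % count)
        strings.append(take(count * 2).decode("utf-16-le"))
        take(_pad(pos, 4))  # skip alignment padding, still bounds-checked
    if pos != len(buf):
        raise MarshalError("trailing bytes after request")
    return {"flags": flags, "hostname": strings[0], "domain": strings[1]}


if __name__ == "__main__":
    wire = marshal_join_request("host1", "EXAMPLE.COM", 3)
    print(wire.hex())
    print(unmarshal_join_request(wire))
```

A real IDL compiler generates exactly this kind of pairing for every operation in the interface, which is why the checks belong in the generated code rather than in each caller.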

Second, because Windows systems accept RPC calls using TCP or named-pipe protocols, we’ve implemented RPC transport layers that support both of these protocols.

Needless to say, the RPC calls support authentication and signing/sealing with Kerberos protocols. Additionally, however, because we’ve implemented a local provider for LWIS, we also support authenticated, secure, calls between UNIX, Linux and Mac computers (or, for that matter, between non-Windows and Windows systems using local credentials instead of AD credentials).

Only Likewise 5.0 is based on a formal RPC architecture and only Likewise provides this architecture as open source to others who want to build on it.

There’s another reason why we’ve implemented 5.0 in this fashion: it’s how Microsoft does it. Krishna, several of our developers and I are all ex-Microsoft folk. When you’re trying to talk to Microsoft systems, doing it à la Microsoft makes a lot of sense to us. Note, too, that LWIS (like lsass, its Windows equivalent) is thread-based. Samba was originally developed at a time when threads were not consistently implemented across UNIXy operating systems and, often, performed poorly or were not reliable. Likewise has developed thread-support libraries to deal with inconsistencies (for example, exception handling) between OS thread packages. The result is that LWIS is highly scalable, easy to understand, and easy to debug.

When we developed the new event log system in 5.0, we also exploited the new RPC architecture. As with most Windows APIs, the event log API is remotable. By calling our API, you can read or write from/to an event log on another computer just as easily as you can to the local computer. The RPC mechanism takes care of the remoting, authentication and securing of the call. It will be trivial for us to write an archiving event log collector without having to worry about clear-text UDP messages or about a custom security mechanism (problems encountered by syslog-based solutions).

Implicit in the previous paragraph, by the way, is that we’ve implemented our RPC mechanism on both the client and server side. Implementing server-side RPC will allow us to implement future functionality that requires centralized management consoles to call managed computers.

There are many other things “in the works” that will build atop our new architecture. Some of these will be appearing soon and some will take a little longer for us to complete. As I like to say, however, “in the startup world, there are only two times: now and six-months from now.” Beyond that, it’s anybody’s guess.

Integrating the Mac Workgroup Manager with Windows Group Policy

August 14th, 2008 by Krishna

Mac administrators understand their systems far better than Windows administrators. They have a better understanding of the different kinds of MCX settings that can be applied to an OS X desktop.

Enterprises however use Active Directory and Windows Group Policy to deploy standard settings throughout the enterprise network to desktops.

What if you could store MCX settings as Active Directory Group Policy objects? This would allow enterprise administrators to deploy standardized system settings to Macs.

What if you could still use the Mac Workgroup Manager tool on a Mac to design and create the standardized template of MCX settings and upload them to Active Directory as group policy objects? This would allow the subject matter experts (the Mac administrators) to decide what the settings should be, but allow Active Directory’s group policy infrastructure to push out the settings to the individual desktops.

Enter Likewise Enterprise 5.0, which marries Mac desktop management with Windows group policy technology.

Welcome Mac OS X into the large enterprise network!

Likewise Open Fall Edition ‘08 is here

July 31st, 2008 by Krishna

[Note: this post is long and it’s probably going to go through several edits, but I believe it is worth reading through]

Well, it’s been a while since I’ve blogged. I’ve been heads down on getting the latest release of Likewise out the door. I want to use this post to tell you what we’ve been up to at Likewise.

Yesterday, the official press release went out announcing the general availability of Likewise Open Fall Edition. I couldn’t be more excited about this release. This release, I believe, will be the high mark for comparison and differentiation in the open source world for what it means to support Windows interoperability in non-Windows systems.

First, an explanation of numbering and editions is probably useful. The latest version of Likewise technology is 5.0. We’re using seasons to identify specific Open editions, and Likewise Open Fall Edition is built on Likewise 5.0 technology. In contrast, the Enterprise versions of the product continue to carry version numbers. So the forthcoming release of the Enterprise product will be Likewise Enterprise 5.0.

Likewise 5.0 is our most ambitious and comprehensive release to date. The range of features and their ramifications are huge. I’ll start by enumerating what Likewise 5.0 will provide.

LWIS (the Likewise Identity Service), our next-generation authentication engine, has been built from the ground up. Here is a sample of what LWIS offers:

LWIS is a single-process, multi-threaded engine that is capable of hosting multiple server-side authentication providers. Today it will ship with two distinct authentication providers:

The Local Authentication Provider is a full local authentication database. It allows the creation and manipulation of local users and group objects. This provider supports functionality similar to the Windows local SAM authentication database present on every Windows client and server operating system.

The Active Directory Authentication Provider provides a full authentication and account management interface to a Microsoft Active Directory forest.

Multiple uid-gid configuration modes. The AD provider supports three different retrieval mechanisms for returning user uid and group gid information. The first two modes, default mode and cell mode, are retrieval mechanisms predicated on the AD domain being provisioned to store uid and gid information. The third mode, unprovisioned mode, functions without any changes made to the AD domain. The default and cell modes can function with the AD schema extended to support the RFC 2307 attributes or without the schema being modified.

Password and Kerberos Keytab Manager. When a machine is joined to an Active Directory domain, the machine’s name, site information, and the names of the forest and domain are stored securely. In addition, the machine’s password is securely stored, and the machine’s host keytab is derived from the machine’s password. A clean interface and library of calls is provided to update this information. In addition, APIs are provided to determine whether the machine is joined or not and to retrieve the machine’s hosting forest, domain and site information.

Machine Password Refresh Manager. Active Directory requires that the machine’s password be periodically refreshed. A machine password refresh thread runs periodically within the AD provider, updating the machine’s password based on a policy-configurable interval.

Time Synchronization Subsystem. The time synchronization subsystem serves as a backup mechanism for misconfigured or absent NTP support on the joined machine. This system ensures that the machine’s system time is synchronized to that of the domain controller.

Site Management and Site Affinity. A full implementation of Active Directory site management and site affinity is provided. The machine will “affinitize” itself to the closest dc within its site. If the closest dc is absent or goes down, the site affinity system will “reaffinitize” to the next available dc within the machine’s site. Additionally, site affinity is supported by a separate netlogond daemon which can be programmatically queried by all applications on the system, thus ensuring that all applications communicate with the “affinitized” dc.
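As an added example of the affinity behaviour described above (illustrative Python, not Likewise’s netlogond; the DC names, site names and the `probe` reachability callback are constructed for the example), the locator below prefers DCs in the machine’s own site, re-checks the current DC before each use, re-affinitizes when it has gone away, and falls back to another site only when no in-site DC answers:

```python
class DcLocator:
    """Tracks the domain controller the machine is currently "affinitized" to.

    dcs:   list of (dc_name, site_name) tuples, in discovery order
    probe: callable(dc_name) -> bool, True when the DC answers (assumed; in
           practice this would be an LDAP ping or similar reachability check)
    """

    def __init__(self, machine_site, dcs, probe):
        self.machine_site = machine_site
        self.dcs = list(dcs)
        self.probe = probe
        self.current = None

    def candidates(self):
        """In-site DCs first, then every other DC as a last resort."""
        in_site = [name for name, site in self.dcs if site == self.machine_site]
        out_of_site = [name for name, site in self.dcs if site != self.machine_site]
        return in_site + out_of_site

    def affinitize(self):
        """Pick the first reachable candidate; None means we are offline."""
        for name in self.candidates():
            if self.probe(name):
                self.current = name
                return name
        self.current = None
        return None

    def dc_for_request(self):
        """DC to use for the next operation, re-affinitizing if the current one is gone."""
        if self.current is not None and self.probe(self.current):
            return self.current
        return self.affinitize()

    def is_offline(self):
        return self.dc_for_request() is None


if __name__ == "__main__":
    # Constructed topology: two DCs in the machine's site, one elsewhere.
    reachable = {"dc2", "dc3"}
    locator = DcLocator("seattle",
                        [("dc1", "seattle"), ("dc2", "seattle"), ("dc3", "london")],
                        lambda name: name in reachable)
    print("affinitized to", locator.affinitize())
    reachable.discard("dc2")
    print("after dc2 outage:", locator.dc_for_request())
```

Because every consumer asks the locator rather than picking a DC itself, all processes on the machine converge on the same DC, which is the property the page attributes to the separate netlogond daemon.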

Multi-forest support. The following scenarios are supported:
  • Single domain, single domain tree, single forest
  • Multiple domains, single domain tree, single forest
  • Multiple domains, multiple domain trees, single forest
  • Multiple forests, two-way transitive trusts
  • Multiple forests, one-way transitive trusts

Cached credential support. LWIS supports a cached credential login model in the event that no domain controllers are reachable. See the section on site affinity for further details on domain controller reachability.
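One way to implement the cached-credential model just described, as an added example rather than Likewise’s own implementation: after a successful online logon the client stores a salted, iterated PBKDF2 verifier of the password (never the password itself), and an offline logon is checked against that verifier in constant time and only while the entry is fresh. The iteration count, the 16-byte salt, the cache lifetime and the `online_check` callback are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed PBKDF2 cost; tune to the hardware the cache lives on


class CredentialCache:
    """Per-user password verifiers recorded after successful online logons."""

    def __init__(self, max_age_seconds):
        self._entries = {}          # user -> (salt, verifier, recorded_at)
        self.max_age = max_age_seconds

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def record_online_logon(self, user, password, now=None):
        """Called only after the DC has accepted the password."""
        salt = os.urandom(16)
        when = time.time() if now is None else now
        self._entries[user.lower()] = (salt, self._derive(password, salt), when)

    def verify_offline(self, user, password, now=None):
        """True only for a known user, a fresh entry and a matching password."""
        entry = self._entries.get(user.lower())
        if entry is None:
            return False
        salt, verifier, recorded_at = entry
        when = time.time() if now is None else now
        if when - recorded_at > self.max_age:
            return False  # stale: the account may have been disabled or the password changed
        # Constant-time compare so a wrong guess leaks nothing through timing.
        return hmac.compare_digest(self._derive(password, salt), verifier)

    def invalidate(self, user):
        self._entries.pop(user.lower(), None)


def logon(cache, user, password, dc_reachable, online_check):
    """Returns (accepted, path). online_check(user, password) -> bool stands in for
    the Kerberos exchange with the DC (assumed callback)."""
    if dc_reachable:
        accepted = online_check(user, password)
        if accepted:
            cache.record_online_logon(user, password)
        return accepted, "online"
    return cache.verify_offline(user, password), "cached"


if __name__ == "__main__":
    cache = CredentialCache(max_age_seconds=7 * 24 * 3600)
    print(logon(cache, "alice", "correct horse", True, lambda u, p: p == "correct horse"))
    print(logon(cache, "alice", "correct horse", False, lambda u, p: False))
    print(logon(cache, "alice", "wrong", False, lambda u, p: False))
```

The cache never short-circuits the online path: when a DC is reachable the DC decides, and the cache is only refreshed on success, so a password change or account lockout takes effect as soon as the machine is back on the network.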

Kerberos Ticket Management. The LWIS AD Provider also manages refreshes of Kerberos tickets, with specific attention to the logged-on users’ TGTs.

Kerberos and NTLM Password Authentication. The implementation provides support for NTLM-style authentication in addition to standard Kerberos password authentication.

Integrated Change Password Support. LWIS provides the ability to cleanly change AD passwords from Linux/UNIX clients and honors all change-password settings, i.e. it allows users to change passwords at logon, allows users to change their AD passwords at will, and so on.

WBL API Integration. LWIS is a fully compliant WBL (Winbind Bridge Library) service provider. This allows out-of-the-box integration with the Samba smbd file server and allows LWIS to serve as a clean winbind replacement.

DCE/RPC Framework. LWIS provides a full MS RPC-compatible DCE/RPC implementation that ships with the product. This allows OEMs and other customers to build their own Windows-compatible RPC clients and servers. The DCE/RPC framework comes with a full IDL compiler, the DCE/RPC runtime, a platform-neutral threading library and full support for Windows authentication libraries.

• Native NetAPI Implementation for Linux/UNIX. A full native implementation of the Windows NetAPIs is available. The LWIS daemon uses many of these calls for authentication, multi-forest support and changing passwords. A list of the supported APIs will be provided in a further release of this document.

OpenLDAP with GSS-SPNEGO support The vanilla openldap libraries do not have built-in support for GSS-SPNEGO. As a result, it is near impossible to cleanly access AD directory infrastructure. LWIS ships an enhanced openldap client library set that provides full support for the LDAP_AUTH_NEGOTIATE option and full support for signing and sealing of LDAP traffic

Native GSS-NTLM support. LWIS ships libraries that provide native GSS-NTLM authentication for both local (peer-to-peer) authentication and pass-thru authentication to an NT4 or greater domain controller.

Domain join system configuration library. LWIS also ships libraries that auto configure a native Linux/UNIX machines by provisioning and de-provisioning PAM, nsswitch, /etc/hosts, and kerberos configuration files for seamless and error free domain join behavior.

Likewise Event Log Subsystem

The Likewise Event Log Subsystem is an event log daemon that runs on a target Linux/UNIX platform. While similar to the Windows event log subsystem, it comes with significant enhancements, including an embedded SQLite database that allows rich queries to be executed on the server. The Event Log subsystem’s interface is built on top of our DCE/RPC subsystem, which allows authenticated RPC queries to be run from remote clients as well as local clients. At the time of this writing, all of the Likewise subsystems, including the authentication subsystem, the group policy subsystem and other UNIX logging systems, have their security event log stored in this event log database.

Likewise Administrator’s Console (LAC) is our graphical console. It has the ability to load multiple plug-ins that give administrators the ability to administer a variety of subsystems. LAC will ship with plug-ins that can remotely manage local users and groups, a full Active Directory management editor, and a full remote event viewer. In addition, our Likewise Enterprise release allows you to manage group policy objects as well. LAC’s versatility is derived from the fact that it has been written from the ground up using the .NET framework and can thus run natively on Windows, Linux (all flavors that run a graphical desktop) and all Mac OS X versions.

Licensing

Likewise is fully committed to the open source process. Everything we’ve developed in Likewise Open, the LWIS technology, is being released under the LGPLv2.1 and the GPLv2.1. Our model is very simple. We will release all client API libraries under the LGPL and all daemons under the GPL. This means that, just as proprietary software uses glibc, it can use the LGPL libraries of Likewise and appropriately protect its IP. We’re releasing our IP as open source, but we’re not choosing to mandate what people who call our libraries choose to do. In the case of daemons, we think it’s fair that if you make changes to the authentication daemon or other daemons, you should contribute those changes under the terms of the GPL.

Because we’ve written LWIS from the ground up, Likewise owns the copyright to all the source code. This allows us to license the source code under different licenses if we see fit. We’ve had several OEMs approach us and ask for a different license and we’re able to do this as well.

The Future: Making a Windows-compatible Distributed Systems Fabric available natively on Linux/UNIX/Macs

When I joined Likewise over two years ago, I thought to myself that I would like to spend my time making non-Windows systems first-class citizens in a Windows network. This would mean real, tangible interoperability. This would spur choice among customers to adopt whatever platform they felt was in their best interests. The way to do this was to ensure that we could build the same distributed systems substrate that Windows is built on natively on non-Windows systems. There’s tons of work that needs to be done here, but with every release, we’re getting closer to that goal.

Finally, I’ve just got to make a plug for the company. If you’re a systems administrator or IT architect looking to integrate your systems into Active Directory, you should look no further than Likewise Open and Likewise Enterprise. Likewise Open is FREE and a complete authentication stack for 118+ platforms. It is a pure subset of Likewise Enterprise, which seamlessly adds on group policy support. Think about it!

Thanks for reading!