Options and Features for Managing Unix User Accounts with Likewise Cells
Active Directory uses Organizational Units to group related objects in a common container so that you can manage the objects in a uniform and consistent way. To map Active Directory users to Linux and Unix users and groups, Likewise cells can be associated with Organizational Units. When you associate a cell with an Organizational Unit (OU), the cell becomes a custom mapping of Active Directory users and groups to Unix UIDs and GIDs.
Cells can map a Unix user account to different UIDs and GIDs for different computers. Linux and Unix computers that are in the OU (or an OU nested in it) use the cell to map AD users to UIDs and GIDs. In the following screen shot, the example user, Clark Kent, is allowed to access the Linux and Unix computers that are in the selected Likewise cells:

Creating Cells
Likewise modifies the Active Directory User and Computers MMC snap-in so that you can create an associated cell for an OU and then use the cell to manage UID-GID numbers. To create a cell, use Active Directory Users and Computers to select the OU you want, view the Likewise Settings property sheet, and then select the check box to associate a cell with the OU. You can then assign UID-GID numbers manually or allow Likewise to do it automatically.
When a Unix or Linux computer running the Likewise agent connects to Active Directory, it determines the OU of which it is a member and checks whether a Likewise cell is associated with it. If a cell is not associated with the OU, the Likewise agent on the Unix computer searches the parent and grandparent OUs until it finds an OU that has a cell associated with it. If an OU with an associated cell is not found, the agent uses the default cell to map its username to UID and GID information.
The Default Cell
Likewise lets you define a default cell. It handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers.
When you use the default cell, Likewise searches across all your trusted domains for Unix and Linux information directly on the user objects. In schema mode, Likewise searches all trusted global catalogs, which are shared across a forest -- Likewise queries the trusted global catalogs as a set. In non-schema mode, Likewise queries each trusted domain individually.
The default cell does not contain Unix or Linux data. It is a method for managing client Linux and Unix users, groups, and computers. When a client finds the default cell object, it searches all trusted domains and forests, enterprise wide, for Linux and Unix information, even if the default cell object has not been created in those trusted domains and forests.
A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the group policies associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell. Likewise does not require you to have a default cell.
Linking Cells
To provide a mechanism for inheritance and to ease system management, Likewise can link cells. Linking specifies that users and groups in a linked cell can access resources in the target cell. For example, if your default cell contains 100 system administrators and you want those administrators to have access to another cell, called Engineering, you do not need to provision those users in the Engineering cell. You can simply link the Engineering cell to the default cell, and then the Engineering cell inherits the settings of the default cell. Then, to make management easier, in the Engineering cell you can just specify the mapping information that deviates from the default cell.
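The lookup order described in the two sections above (nearest OU with a cell, then the default cell; a linked cell inheriting whatever it does not override) is easy to get wrong when reasoning about which IDs a host will hand out. The following is an added Python example, not Likewise's own code: it walks a computer's DN up through its OUs to find the nearest cell, falls back to the default cell, and then resolves a user's UID/GID through the cell and its links. The cell store layout, the `DEFAULT` key, and all sample DNs and mappings are assumptions constructed for illustration.

```python
# Added example, not Likewise's own code. It models the lookup described above:
# a host finds the nearest OU (its own, then parent, grandparent ...) that has a
# cell, falls back to the default cell, and a linked cell inherits any mapping
# it does not override itself. Cell store layout, the "DEFAULT" key and all
# sample DNs and mappings are assumptions constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_KEY = "DEFAULT"  # assumed key for the default cell


@dataclass
class Cell:
    name: str
    # sAMAccountName -> (uid, gid); only the entries this cell sets itself.
    mappings: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    # Names of cells this cell is linked to; consulted, in order, when a user
    # has no mapping here.
    links: List[str] = field(default_factory=list)


def ou_chain(dn: str) -> List[str]:
    """Return the DNs of the object's OU, its parent OU, grandparent OU, ...

    Walks the RDNs from the object upward and stops at the first container
    that is not an OU (normally the DC= part). RDNs containing escaped commas
    are not handled, which is enough for this illustration.
    """
    rdns = [r.strip() for r in dn.split(",")]
    chain = []
    for i in range(1, len(rdns)):
        if not rdns[i].upper().startswith("OU="):
            break
        chain.append(",".join(rdns[i:]))
    return chain


def find_cell(computer_dn: str, cells: Dict[str, Cell]) -> Optional[Cell]:
    """Nearest ancestor OU with a cell, else the default cell, else None."""
    for ou_dn in ou_chain(computer_dn):
        if ou_dn in cells:
            return cells[ou_dn]
    return cells.get(DEFAULT_KEY)


def resolve_mapping(cell: Cell, user: str, cells: Dict[str, Cell]) -> Optional[Tuple[int, int]]:
    """Look the user up in the cell, then breadth-first through its links.

    The cell's own entry wins over anything reachable via a link, so a linked
    cell only needs to hold the mappings that deviate from the cell it links to.
    A visited set guards against link cycles.
    """
    queue = [cell.name]
    seen = set()
    while queue:
        name = queue.pop(0)
        if name in seen or name not in cells:
            continue
        seen.add(name)
        current = cells[name]
        if user in current.mappings:
            return current.mappings[user]
        queue.extend(current.links)
    return None


# Constructed sample: a default cell with two users, and an Engineering cell
# linked to it that overrides only ckent's IDs.
DOMAIN = "DC=example,DC=com"
ENG_OU = "OU=Engineering," + DOMAIN
SAMPLE_CELLS: Dict[str, Cell] = {
    DEFAULT_KEY: Cell(DEFAULT_KEY, {"ckent": (10001, 10001), "lois": (10002, 10001)}),
    ENG_OU: Cell(ENG_OU, {"ckent": (501, 501)}, links=[DEFAULT_KEY]),
}


def lookup(computer_dn: str, user: str, cells: Dict[str, Cell] = SAMPLE_CELLS) -> Optional[Tuple[int, int]]:
    """What the agent on computer_dn would use for user: (uid, gid) or None."""
    cell = find_cell(computer_dn, cells)
    return None if cell is None else resolve_mapping(cell, user, cells)


if __name__ == "__main__":
    host = "CN=build01,OU=Linux," + ENG_OU  # OU=Linux has no cell, so its parent's cell is used
    print("build01/ckent ->", lookup(host, "ckent"))  # (501, 501) from the Engineering cell
    print("build01/lois  ->", lookup(host, "lois"))   # (10002, 10001) inherited via the link
    print("web01/ckent   ->", lookup("CN=web01,OU=Web," + DOMAIN, "ckent"))  # default cell
```

The cell's own entry is checked before any linked cell, which is what lets the Engineering cell carry only the mappings that differ from the default cell; removing the default cell from the store makes the `web01` lookup return `None`, matching the case where no cell is found and no default cell exists.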
Cell Manager
Cell Manager is a Likewise MMC snap-in for managing cells associated with Active Directory Organizational Units. With Cell Manager, you can view all your cells in one place. Cell Manager complements Active Directory Users and Computers by letting you delegate management of a cell -- that is, give a user or a group the ability to add users and groups to a cell. Cell Manager is automatically installed when you install the Likewise Console. For more information, see Likewise Cell Manager.
Migrating NIS Domains
If you use Likewise to migrate all your Unix and Linux users to Active Directory, in most cases you will assign these users a UID and GID that is consistent across all the Unix and Linux computers that are joined to Active Directory -- a simple approach that reduces administrative overhead. In cases when multiple NIS domains are in use and you want to eliminate these domains over time and migrate all users and computers to Active Directory, mapping an Active Directory user to a single UID and GID might be too difficult. When multiple NIS domains are in place, a user typically has different UID-GID maps in each NIS domain. With Likewise, you can eliminate these NIS domains but retain the different NIS mapping information in Active Directory because Likewise lets you use a cell to map a user to different UIDs and GIDs depending on the Unix or Linux computer that they are accessing.
To move to Active Directory when you have multiple NIS servers, you can create an OU (or choose an existing OU) and join to the OU all the Unix computers that are connected to the NIS server. You can then use cells to represent users' UID-GID mapping from the previous identity management system.
Using Multiple Cells
If you have multiple Unix and Linux hosts but are not using a centralized scheme to manage UIDs and GIDs, it is likely that each host has unique UID-GID mappings. You may also have more than one centralized identity management system (IMS), such as multiple NIS domains. You can use multiple cells to represent the UID-GID associations that each NIS domain provided, allowing those Unix and Linux users to continue to use their existing UID-GID information while using Active Directory credentials.
When using multiple cells, it is useful to identify what Unix and Linux objects the cell will represent, such as the following:
- Individual Unix, Linux, or Mac OS X computers
- A single NIS domain
- Multiple NIS domains (which requires multiple cells)
Migration Tool
The Likewise Console provides a migration tool to import Linux, Unix, and Mac OS X password and group files -- typically /etc/passwd and /etc/group -- and automatically map their UIDs and GIDs to users and groups defined in Active Directory. The migration tool can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. For more information, see the Likewise NIS Migration Tool.
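Before any /etc/passwd and /etc/group content is loaded into a cell, the conflicts hidden in those files (the same UID used by two logins, accounts with no Active Directory counterpart, group members that do not exist) have to be found, or the resulting mappings will be wrong or silently incomplete. The following is an added Python example, not the Likewise migration tool or the script it generates: it parses the two file formats and produces the UID/GID and membership data a cell import needs, along with a list of the conflicts to resolve first. The matching rule (a Unix login name matches the AD account with the same sAMAccountName), the cutoff of 1000 for local system accounts, and all sample file contents are assumptions constructed for illustration.

```python
# Added example, not the Likewise migration tool or the script it generates.
# It parses /etc/passwd and /etc/group text into the UID/GID and membership
# data a cell import needs, and reports the conflicts an administrator has to
# settle first. Assumptions: a Unix login name matches the AD account with the
# same sAMAccountName; accounts and groups with IDs below SYSTEM_ID_LIMIT are
# local system entries and are skipped; all sample data is constructed.
from typing import Dict, List, NamedTuple, Set, Tuple

SYSTEM_ID_LIMIT = 1000  # assumed cutoff; most distributions start user IDs at 1000


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


class GroupEntry(NamedTuple):
    name: str
    gid: int
    members: List[str]


def _records(text: str, nfields: int, what: str) -> List[List[str]]:
    """Split colon-separated lines, skipping blanks and comments, enforcing the field count."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{what} line {lineno}: expected {nfields} fields, got {len(fields)}")
        out.append(fields)
    return out


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Fields: name:password:uid:gid:gecos:home:shell"""
    return [PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]) for f in _records(text, 7, "passwd")]


def parse_group(text: str) -> List[GroupEntry]:
    """Fields: name:password:gid:member1,member2,..."""
    return [GroupEntry(f[0], int(f[2]), [m for m in f[3].split(",") if m]) for f in _records(text, 4, "group")]


def build_cell_import(passwd_text: str, group_text: str, ad_accounts: Set[str]) -> Tuple[Dict, Dict, List[str]]:
    """Return (users, groups, problems).

    users:    login -> {uid, gid, home, shell} for non-system accounts that have an AD account
    groups:   group name -> {gid, members} for non-system groups
    problems: conflicts to resolve before loading the result into a cell
    """
    all_passwd = parse_passwd(passwd_text)
    all_logins = {e.name for e in all_passwd}
    passwd = [e for e in all_passwd if e.uid >= SYSTEM_ID_LIMIT]
    groups = [g for g in parse_group(group_text) if g.gid >= SYSTEM_ID_LIMIT]
    problems: List[str] = []

    # Two logins sharing one UID is a mapping conflict; flag it rather than guess.
    by_uid: Dict[int, List[str]] = {}
    for e in passwd:
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            problems.append(f"UID {uid} is shared by {', '.join(names)}; pick one account before import")

    known_gids = {g.gid for g in groups}
    users: Dict[str, Dict] = {}
    for e in passwd:
        if e.name not in ad_accounts:
            problems.append(f"{e.name}: no matching AD account, not imported")
            continue
        if e.gid not in known_gids:
            problems.append(f"{e.name}: primary GID {e.gid} has no group entry")
        users[e.name] = {"uid": e.uid, "gid": e.gid, "home": e.home, "shell": e.shell}

    group_map: Dict[str, Dict] = {}
    for g in groups:
        for m in g.members:
            if m not in all_logins:
                problems.append(f"{g.name}: member {m} has no passwd entry")
        group_map[g.name] = {"gid": g.gid, "members": [m for m in g.members if m in all_logins]}
    return users, group_map, problems


# Constructed sample files: one duplicated UID, one account with no AD
# counterpart, and one group member that does not exist.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ckent:x:1001:1001:Clark Kent:/home/ckent:/bin/bash
lois:x:1002:1001:Lois Lane:/home/lois:/bin/bash
jolsen:x:1003:1003:Jimmy Olsen:/home/jolsen:/bin/bash
legacy:x:1001:1004:Old account:/home/legacy:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
reporters:x:1001:ckent,lois
photo:x:1003:jolsen,ghost
"""
SAMPLE_AD_ACCOUNTS = {"ckent", "lois", "jolsen"}  # stand-in for an AD lookup


if __name__ == "__main__":
    users, groups, problems = build_cell_import(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_AD_ACCOUNTS)
    for login, m in users.items():
        print(f"user  {login:8} uid={m['uid']} gid={m['gid']}")
    for name, g in groups.items():
        print(f"group {name:8} gid={g['gid']} members={','.join(g['members'])}")
    for p in problems:
        print("PROBLEM:", p)
```

Malformed lines raise rather than being skipped, since a silently dropped passwd line would become a user with no mapping after the cut-over; the duplicate-UID check runs over all non-system accounts, not only the ones with an AD match, because the conflict exists on the host regardless of which login is imported.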
Orphaned Objects Tool
The Likewise Management Console provides a tool for finding and removing orphaned objects. An orphaned object is a linked object, such as a Unix or Linux user ID or group ID, that remains in a Likewise cell after you delete a group or user's security identifier, or SID, from an Active Directory domain. Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve search speed. For more information about such features of Likewise Enterprise as the Likewise Management Console.
For information about using Active Directory and Likewise Enterprise to solve traditional Unix identity management problems, see Unix Account Management.