A Technical FAQ on How Likewise Integrates Unix Computers with a Windows Network by Connecting Unix to Active Directory
Introduction
This page provides answers to frequently asked questions about how Likewise Enterprise supports Unix Windows integration by connecting Unix to Active Directory (AD). Likewise Enterprise connects, or joins, Unix and Linux computers to Microsoft Active Directory to provide Kerberos authentication, LDAP-based Unix access control, group policy, single sign-on, and other features.
Does Likewise Enterprise support dual authentication? In other words, can local accounts still be used as well as centralized accounts?
Yes. Local accounts can continue to be used along with Active Directory accounts.
When it connects your Unix computer to an Active Directory domain, Likewise Enterprise inserts its PAM module in the PAM stack. The Likewise PAM module coexists with the existing local account PAM module. Unix authentication requests are first routed to the Likewise module, which examines the request to determine whether the username belongs to an Active Directory account. If the username is not an AD account, the Likewise module forwards the request to the next PAM module in the stack, which is typically the local account module.
If the machine is removed from the Active Directory domain, the process of leaving the domain transparently removes the Likewise PAM module from the PAM stack.
Does your product extend group policy to Linux, Unix, and Mac OS X? If so, how?
Yes. Likewise has a full-featured Active Directory group policy infrastructure running on the target Unix machine. Customers can take advantage of more than 80 group policies for Unix, Linux, and Mac. Likewise Enterprise also enables you to control Gnome desktops with group policies on Linux computers with hundreds of Gnome group policies. For Mac, Likewise Enterprise integrates managed client settings (MCX) from Apple's Workgroup Manager with Active Directory so Mac preferences can be applied with group policy objects and managed in Active Directory.
Likewise fully integrates its group policies with the Microsoft GPMC and GPOE consoles and supports RSOP in planning mode.
How are groups managed by Likewise Enterprise? Can Likewise provide Unix access control down to the host level?
Likewise supports Active Directory groups on Unix in the same way that groups are supported on a Windows computer -- providing another benefit of Unix Windows integration. All the properties of an Active Directory group are supported.
Likewise Enterprise provides access control for Unix machines down to the host level in two ways:
- By manually configuring login settings to allow or deny access to the machine
- By deploying group policies to manage logon rights to a machine
Can Likewise Enterprise provide Unix role-based access control, or RBAC?
Yes. The Enterprise version of Likewise, with its cell technology and AD sudo group policy, can provide a powerful tool for enforcing role-based access control for Unix, Linux, and Mac OS X computers.
What versions of Unix does Likewise support?
Likewise runs on nearly all versions of Solaris, IBM AIX, and HP-UX, including 32-bit and 64-bit systems. For more information, see our list of supported platforms.
What versions of Linux does Likewise support?
Likewise runs on nearly all versions of Red Hat, SUSE, CentOS, Debian, Fedora, Oracle Enterprise Linux, Scientific Linux, and Ubuntu, including 32-bit and 64-bit systems. For more information, see our list of supported platforms.
For examples of how Likewise Enterprise connects RHEL and IBM AIX with Active Directory, see our case study on Red Hat Windows Integration.
Does Likewise support Mac OS X?
Yes. See our list of supported platforms.
Does Likewise support VMware ESX 3.x or later?
Yes.
What components are required to be installed on a Unix machine to implement Unix Windows integration? Is an agent required?
Yes, an agent is required on the Unix machine. The agent runs the Likewise Unix authentication daemon and the Likewise group policy daemon, both of which work in conjunction to provide Unix Windows integration with Active Directory.
Does your product cache previous logons?
Yes, Likewise Enterprise supports cached credentials.
How long and how many previous logons can be cached?
The cached credentials are stored for a configurable period of time. The number of cached credentials is also configurable.
How is the password hashed?
For cached credentials, we support the Windows NTLM2 password verifier. This verifier is a salted MD4 hash that is computed twice. It is the hash of the hash of the user’s password. Incidentally, this is how Windows 2000 and beyond handles cached credentials.
Does your product use Kerberos tickets generated from Active Directory? If so, how is the ticket provided?
Yes. We fully support the Kerberos authentication protocol. At login time, a ticket granting ticket is generated for the user. The machine’s password is generated and stored as the system’s default keytab at domain-join time. The user’s TGT is refreshed by the system seamlessly, as is the machine password and the system keytab file.
What features does your product have to help migrate Unix IDs (UID) to Active Directory?
Likewise includes NIS migration tools to import /etc/passwd and /etc/group files as well as NIS maps. Likewise also supports grouping of Unix and Linux systems using AD organizational units to retain existing security settings by mapping multiple UIDs and GIDs to a single AD user. For more information, see our page on NIS Migration.
Does Likewise support Active Directory site awareness for finding local AD resources?
Yes. The Likewise agent locates all the domain controllers and computes the optimal one to use for each computer. This means that the Likewise agent tethers itself to a domain controller in its local site and submits AD requests to that particular domain controller. In the event that the domain controller goes down, the Likewise Unix authentication daemon automatically detects the failure and switches to another domain controller and another global catalog.
Does Likewise offer AD pass-through authentication for servers running on Unix, such as Apache and iPlanet?
Yes. We support connectors for JBoss, Tomcat, WebLogic, WebSphere and Apache. We provide SPNEGO, Kerberos and NTLM authentication support.
Does Likewise fully support Active Directory nested groups? In other words, can Likewise resolve a user that is a member of a group that is in a group that grants access on a host?
Yes. Likewise fully supports Active Directory nested groups. For a nested group to be available to Unix users, it must be provisioned with Unix access by assigning it with a group id (GID).
Does Likewise require a custom schema extension? If not, what version of the native AD schema do you require? Does Likewise allow for home directory paths and user profiles? How about default login shells such as bash and ksh? For the Unix-specific attributes, how do you expose them to Unix administrators? Do you supply an extension for ADUC, or do you supply a new tool?
We support both a non-schema mode that requires no changes to your AD schema and a schema mode that requires no changes beyond compliance with RFC 2307. Likewise Enterprise works with all AD schemas: Windows 2000, Windows 2003 and Windows 2003 R2, and Windows 2008.
Our product lets administrators store both default settings for the home directory path and user profiles as well as configure user specific information on a per-user basis for the home directory and other user profile information.
We expose Unix-specific attributes through the standard Microsoft-prescribed mechanism of extending the Active Directory Users and Computers snap-in. In addition, in both schema mode and non-schema mode, all Likewise settings in Active Directory are programmable through the ADSI programming model.
Does Likewise Enterprise require administrators to configure native PAM stacks?
No. One of the highlights of Likewise is its ease of installation and configuration. When an administrator chooses to connect a target Linux, Unix, or Mac OS X computer to Active Directory, Likewise automatically configures all necessary Unix components, including PAM. The administrator does not need to manually configure any settings.
Can Likewise specify different shells and different home directories depending on the user or the host?
Yes. A common requirement of Unix Windows integration with Active Directory is to support different Unix attributes for an Active Directory user depending on the Unix machine that they are logging into. This is especially necessary when the machine is being migrated off a Unix authentication system such as NIS. The settings that the NIS infrastructure held for the user must be maintained, either for the interim period while the enterprise is migrating off NIS or, in some cases, in perpetuity.
Likewise uses the notion of cells to provide context-sensitive properties on a per-machine basis. Cells represent a grouping of machines for which a user will have a set of Unix attribute settings, including different shells and different home directories.
Learn More
To find out more about connecting Linux to Active Directory, see Overcoming Barriers to Linux Active Directory Integration.
To find out about running Mac with Windows in the enterprise, see Mac Windows Integration.