An Automated Winbind System for Joining Linux to Active Directory

Likewise Configures Samba to Extend AD to Linux, Unix, and Mac

Likewise 4.2 and earlier automatically configures Samba and PAM to use winbind to join Linux, Unix, and Mac OS X computers to Microsoft Active Directory. By executing a single command from the command line, Likewise's winbind daemon gets you unified logon, secure authentication, and single sign-on. Likewise 5.0 and later includes the Likewise Identity Service, or LWIS, an open-source authentication engine for Linux, Unix, and Mac OS X that takes your mixed network beyond Winbind.

Winbind is a Samba component that can help you make unified logon a reality. Winbind ports Microsoft RPC calls to Unix and then takes advantage of Pluggable Authentication Modules (PAM) and the name service switch (NSS) to turn Active Directory domain users into Unix users on a Unix computer.

Winbind was engineered to provide three functions:

1. Authenticate user credentials by using PAM.
2. Resolve user identities and group identities by using the name service switch.
3. Store mappings between Unix UIDs and GIDs and Active Directory security identifiers, or SIDs.

Natively, however, configuring Samba and PAM to use winbind for unified logon can be headache-inducing manual work for even the most experienced Linux system administrator: every Linux platform and every Samba version can require a slightly different configuration to get it to work just right.

Likewise automates the configuration of Samba and PAM on more than 120 Linux, Unix, and Mac platforms to provide you with instant use of winbind's three functions.

Instant Interoperability

The Likewise agent integrates a winbind module with the core operating system on Linux, Unix, and Mac OS X computers to implement the mapping for any application, such as the logon process (/bin/login), that uses the name service switch (NSS) or pluggable authentication modules (PAM). The Likewise agent also acts as a Kerberos 5 client for authentication and as an LDAP client for authorization.

The following diagram shows how the Likewise winbind daemon (winbindd) interacts with PAM, NSS, Kerberos, the Likewise management tools, the Likewise console, and the Likewise group policy agent to provide instant interoperability with Active Directory:

Winbind Group Policies

Likewise Enterprise includes a variety of group policies for managing winbindd on Linux, Unix, and Mac OS X computers. The following winbind policies are described below:

  • Log Winbind Debugging Information
  • Refresh Kerberos Tickets
  • Set the level of nested group expansion
  • Set the Winbind Cache Expiration Time
  • Set the ID Mapping Cache Expiration Time
  • Set the ID Mapping Negative Cache Expiration Time

Log Winbind Debugging Information

To monitor and troubleshoot the winbind PAM module, you can define a Likewise group policy that logs winbind debugging information for the winbind daemon on target computers running Linux, Unix, or Mac OS X.

Refresh Kerberos Tickets

You can use a group policy to automatically refresh Kerberos tickets on target Linux and Unix computers. The Kerberos authentication protocol grants tickets to prove the identity of users in a secure way. By automatically refreshing tickets, you can maintain a user's domain access.

When the policy is enabled, the Likewise winbind daemon automatically refreshes Kerberos tickets that are retrieved using the pam_winbind module.

Set the Level of Nested Group Expansion

By using Likewise, you can define a group policy to set the level of nested group expansion on target Unix and Linux computers. The level of nested group expansion specifies how deep the Likewise winbind daemon, winbindd, traverses the tree when it expands nested groups into a membership list.

The Likewise winbind daemon renders all names of Active Directory users and groups lowercase.

Set the Winbind Cache Expiration Time

You can specify how long the Likewise winbind daemon caches information about a user's home directory, logon shell, and the mapping between the user or group and the security identifier (SID) on target Unix and Linux computers. Winbind features that are using offline cached credentials reattempt to log on to the Active Directory domain controller at the interval that you set. When online, winbindd also caches the information for the specified time period. The winbind cache also stores user-group enumeration lists and the results of getgrnam() and getpwnam() lookups.

Set the ID Mapping Cache Expiration Time

Likewise lets you define a group policy to set the expiration time for the ID mapping cache on target Linux and Unix computers. After a user or group is mapped to its security identifier (SID) in Active Directory, the Likewise winbind daemon caches the entry for the time that you specify. This policy can improve the performance of your system if, for example, you are making a lot of changes to your ID mapping.

Set the ID Mapping Negative Cache Expiration Time

Likewise lets you define a group policy to specify how long the Likewise winbind daemon caches the unmapped state for an unsuccessful security identifier (SID) mapping of an Active Directory user or group. This policy prevents repeated lookup requests that might degrade the performance of your system.
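As an added example, not Likewise's own code, the following Python audit checks the host-side wiring that winbind's three functions and the cache policies above depend on: which NSS databases resolve through winbind, which PAM types load pam_winbind.so and with which options (krb5_auth is what makes the Kerberos ticket refresh possible), and the effective cache lifetimes in smb.conf. It assumes the three cache policies correspond to Samba's `winbind cache time`, `idmap cache time` and `idmap negative cache time` parameters and uses the defaults from smb.conf(5); all sample inputs are constructed.

```python
import re

# Constructed sample inputs, not captured from a real host.
NSSWITCH_SAMPLE = """\
passwd:  files winbind
shadow:  files
group:   files winbind
"""
PAM_SAMPLE = """\
auth     sufficient  pam_winbind.so krb5_auth krb5_ccache_type=FILE
account  sufficient  pam_winbind.so
"""
SMB_SAMPLE = """\
[global]
   security = ads
   winbind cache time = 600
   idmap negative cache time = 60
"""
# Defaults in seconds as documented in smb.conf(5); used when a key is absent.
CACHE_DEFAULTS = {"winbind cache time": 300, "idmap cache time": 604800,
                  "idmap negative cache time": 120}

def nss_winbind_databases(text):
    """NSS databases (passwd, group, ...) that resolve through winbind."""
    dbs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if ":" in line:
            db, sources = line.split(":", 1)
            if "winbind" in sources.split():
                dbs.append(db.strip())
    return dbs

def pam_winbind_options(text):
    """Map each PAM type that uses pam_winbind.so to the module's options."""
    opts = {}
    for fields in (l.split() for l in text.splitlines()):
        if len(fields) >= 3 and fields[2] == "pam_winbind.so":
            opts[fields[0]] = fields[3:]      # e.g. krb5_auth for ticket refresh
    return opts

def smb_cache_settings(text):
    """Effective cache lifetimes from [global], falling back to the defaults."""
    settings = dict(CACHE_DEFAULTS)
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?)\s*=\s*(\d+)\s*$", line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = int(m.group(2))
    return settings
```

On a real host, feed the functions the contents of /etc/nsswitch.conf, the relevant /etc/pam.d file and smb.conf; a database missing from the NSS list or a PAM type without pam_winbind.so explains most "domain user cannot log on" reports.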

Beyond Winbind

Likewise 5.0 can take your mixed network beyond Winbind. The Likewise Identity Service, or LWIS, is a next-generation authentication engine for Linux, Unix, and Mac OS X. A highly reliable and industrial-strength application, LWIS gives non-Windows computers advanced capabilities for both local authentication and Active Directory-based authentication. As the authentication engine in Likewise Open 5.0, LWIS is free and its code base is open.

Samba Integration

LWIS is a fully compliant winbind client (libwbclient) library, giving you out-of-the-box integration with the Samba smbd file server and allowing LWIS to serve as a clean winbind replacement.

Full-Featured DCE/RPC Framework

A full MSRPC-compatible DCE/RPC implementation ships with LWIS, empowering OEMs and others to build their own Windows-compatible RPC clients and servers. The DCE/RPC framework comes with a full IDL compiler, the DCE/RPC runtime, a platform-neutral threading library, and full support for Windows authentication libraries.

Learn more - How to join Linux to Active Directory