Likewise Open joins Linux, Unix, and Mac OS X computers to Microsoft Active Directory so that you can authenticate users and groups by using the highly secure Kerberos protocol. In addition, with the Likewise UID-GID management tool, you can also centrally administer Linux, Unix, and Mac users and groups by assigning them user identifiers (UIDs) and group identifiers (GIDs) in Active Directory.
UID-GID Generation in Likewise Open
In Likewise Open, a UID and GID are generated by hashing the user's or group's security identifier (SID) from Active Directory. You do not need to make any changes to Active Directory. Although a UID and GID stay the same across host machines, you cannot set UIDs and GIDs for Linux and Unix in Active Directory.
Using AD to set and manage UIDs and GIDs is a feature of the Likewise UID-GID management tool. If you have UIDs and GIDs defined in Active Directory, Likewise Open will not use those UIDs and GIDs unless you have installed the Likewise UID-GID management tool.
Moreover, if your Active Directory relative identifiers (RIDs) are greater than 524,287, the Likewise Open algorithm that generates UIDs and GIDs can produce UID-GID collisions among users and groups. In such cases, it is recommended that you use the Likewise UID-GID management tool.

Processing UID-GID Information in Active Directory
The challenge: Allow AD users to access resources on Unix and Linux hosts. Why is this difficult? Unix and Linux identify users and groups, and the permissions granted to them, by UIDs and GIDs, which are simple integers, typically 32-bit numbers. Active Directory, by contrast, identifies users, groups, and computers by security identifiers (SIDs), which contain a domain-specific universally unique ID; a SID uniquely identifies a user, group, or computer within a forest. Interoperability thus requires a method to map SIDs to UIDs and GIDs. The Likewise UID-GID management tool overcomes this mismatch by mapping SIDs to UIDs and primary GIDs and storing the information in Active Directory.
The Likewise UID-GID management tool has two operating modes: schema mode and non-schema mode. Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information. In contrast, non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the existing schema. Thus, with the Likewise UID-GID management tool, there is no requirement to change your AD schema and no need for additional infrastructure.
Mapping SIDs to UIDs and GIDs
The Likewise UID-GID management tool maps SIDs to UIDs and GIDs and vice versa. This mapping enables Likewise to use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme. When an AD user logs on to a Unix or Linux computer, the Likewise Open agent communicates with the Active Directory domain controller through standard LDAP protocols to obtain the following authorization data:
- UID
- Primary GID
- Secondary GIDs
- Home directory
- Login shell
Likewise Open uses this information to authorize the user to access Unix and Linux resources.
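The following Python example is added here and is not Likewise's code. The hashing scheme it uses (12 bits of a domain hash placed above a 19-bit RID field) is an assumption chosen so that the 524,287 RID limit quoted above falls out of the arithmetic; it is not a description of the Likewise Open algorithm. The example parses SIDs, shows how two RIDs in the same domain that differ by 524,288 collide under such a scheme, and resolves uid, gid, home directory and login shell from a constructed LDAP entry, preferring the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that schema mode stores and falling back to the SID hash otherwise. The SIDs and attribute values are constructed sample data; primaryGroupID and sAMAccountName are standard AD attributes.

```python
"""Added example (not Likewise code): SID parsing, a hypothetical SID-to-UID hash
with a 19-bit RID field, collision detection, and RFC 2307 attribute lookup."""
import hashlib
from dataclasses import dataclass

RID_BITS = 19
RID_MASK = (1 << RID_BITS) - 1   # 524,287: largest RID that survives the hash without loss
DOMAIN_BITS = 12                 # 12 + 19 = 31 bits keeps every UID a positive int32


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self) -> int:
        """Relative identifier: the final sub-authority."""
        return self.subauthorities[-1]

    @property
    def domain(self) -> str:
        """Domain SID: everything except the RID."""
        subs = "-".join(str(s) for s in self.subauthorities[:-1])
        return f"S-{self.revision}-{self.authority}-{subs}"

    def __str__(self) -> str:
        return f"{self.domain}-{self.rid}"


def parse_sid(text: str) -> Sid:
    """Parse S-R-A-S1-...-Sn; domain accounts need at least two sub-authorities."""
    parts = text.strip().split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"malformed or non-domain SID: {text!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
    except ValueError:
        raise ValueError(f"non-numeric SID component: {text!r}") from None
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority outside 32-bit range: {text!r}")
    return Sid(revision, authority, subs)


def hashed_uid(sid: Sid) -> int:
    """Hypothetical SID-to-UID hash: 12 bits of domain hash above 19 bits of RID.
    A RID above RID_MASK is truncated, which is exactly what causes collisions."""
    digest = hashlib.sha1(sid.domain.encode("ascii")).digest()
    domain_hash = int.from_bytes(digest[:2], "big") & ((1 << DOMAIN_BITS) - 1)
    return (domain_hash << RID_BITS) | (sid.rid & RID_MASK)


def find_collisions(sids):
    """Return (sid_a, sid_b, uid) triples where two distinct SIDs share one UID."""
    seen, collisions = {}, []
    for sid in sids:
        uid = hashed_uid(sid)
        if uid in seen and seen[uid] != sid:
            collisions.append((seen[uid], sid, uid))
        else:
            seen[uid] = sid
    return collisions


def unix_identity(entry: dict, sid: Sid) -> dict:
    """Resolve uid/gid/home/shell for an AD entry given as a dict of LDAP attributes.
    Schema mode: RFC 2307 attributes win. Otherwise both ids come from SID hashes,
    with the primary group SID built from primaryGroupID (a RID in the same domain)."""
    if "uidNumber" in entry and "gidNumber" in entry:
        source, uid, gid = "rfc2307", int(entry["uidNumber"]), int(entry["gidNumber"])
    else:
        source, uid = "sid-hash", hashed_uid(sid)
        group_sid = Sid(sid.revision, sid.authority,
                        sid.subauthorities[:-1] + (int(entry["primaryGroupID"]),))
        gid = hashed_uid(group_sid)
    return {
        "uid": uid, "gid": gid, "source": source,
        "home": entry.get("unixHomeDirectory", f"/home/{entry['sAMAccountName']}"),
        "shell": entry.get("loginShell", "/bin/sh"),
    }


# Constructed sample data: one domain, and two RIDs exactly 2**19 apart.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SIDS = [parse_sid(f"{DOMAIN}-{rid}") for rid in (1105, 1106, 1105 + (1 << RID_BITS))]
SAMPLE_USER = {  # constructed attributes of a user populated with RFC 2307 data
    "sAMAccountName": "ckent", "primaryGroupID": "513",
    "uidNumber": "10001", "gidNumber": "10000",
    "unixHomeDirectory": "/home/ckent", "loginShell": "/bin/bash",
}

if __name__ == "__main__":
    for a, b, uid in find_collisions(SAMPLE_SIDS):
        print(f"collision: {a} and {b} both map to uid {uid}")
    print(unix_identity(SAMPLE_USER, SAMPLE_SIDS[0]))
    print(unix_identity({"sAMAccountName": "ckent", "primaryGroupID": "513"}, SAMPLE_SIDS[0]))
```

Running the block prints one collision (RIDs 1105 and 525393 share a UID) and then the same account resolved first from its RFC 2307 attributes and then by hash alone. The point for an administrator is that a hash-based scheme is only injective while RIDs stay inside the reserved field; auditing a domain for RIDs above that field is how you decide whether the mapping can be trusted or whether explicit UID/GID assignment is needed.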
Setting UID-GID Information in Active Directory
The Likewise UID-GID management tool provides extension tabs to the property sheet of the following Active Directory objects in the Microsoft Active Directory Users and Computers MMC snap-in:
- Domain
- Users
- Groups
- Organizational Units
Managing UIDs and GIDs with Likewise Cells
Active Directory uses Organizational Units to group related objects in a common container so that you can manage the objects in a uniform and consistent way. To map Active Directory users to Linux and Unix UIDs and GIDs, the Likewise UID-GID management tool associates cells with Organizational Units. When you associate a Likewise cell with an Organizational Unit (OU), the cell becomes a custom mapping of Active Directory users to UIDs and GIDs.
Cells can map a user to different UIDs and GIDs for different computers. Linux and Unix computers that are in the OU (or in an OU nested in it) use the cell to map AD users to UIDs and GIDs. In the following screenshot, the example user, Clark Kent, is allowed to access the Linux and Unix computers that are in the selected Likewise cells:

To learn more about Likewise cells, see our page on cell technology for easy migration of existing Linux/UNIX information.