Likewise Enterprise Installation and Administration Guide

Likewise makes two closely related software products: Likewise Open and Likewise Enterprise.

Likewise Open authenticates domain users with the highly secure Kerberos 5 protocol by hashing their security identifiers from Active Directory. Likewise Open does not, however, process user identifiers or group identifiers even if they are set in Active Directory.

Likewise Enterprise is installed on a Windows administrative workstation connected to a domain controller so you can set user identifiers and group identifiers in Active Directory Users and Computers. Once the UIDs and GIDs are set, the Likewise agent uses the identifiers to authenticate users and groups and to control access to computers and applications.

Likewise Enterprise includes additional features. It not only lets you manage Unix identities in Active Directory but also lets you apply group policies to Unix computers from the Microsoft Group Policy Management Console, including policies based on the Gnome GConf project to define desktop and application preferences for Linux computers. More: Likewise Enterprise integrates Apple's Workgroup Manager with the Group Policy Object Editor to apply managed client settings to Mac OS X computers with group policy objects. Likewise Enterprise also lets you generate a range of reports to help improve regulatory compliance. The result: lower operating costs, better security, enhanced compliance.

Likewise comprises several components, each of which provides part of the functionality necessary to manage Linux and Unix computers in Active Directory. There are, however, only two installation packages: one to install the Likewise agent on a Unix, Linux, or Mac OS X computer; the other to install Likewise Enterprise on a Windows administrative workstation that connects to an Active Directory domain controller.

The installation and deployment process typically proceeds in the following order:

The key to a successful deployment is planning. Before you begin deploying Likewise in an enterprise, develop a plan that addresses at least the following aspects of installation and deployment:

Likewise has two operating modes: schema mode and non-schema mode. Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information. In contrast, non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the schema. Instead, non-schema mode uses existing object classes and attributes to store its data. To store information about a cell, Likewise creates a container object and stores data in its description attribute. To store information about a group or user, Likewise creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.

Specifically, in non-schema mode Likewise uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value. Here's an example of how the keywords attribute name-value pairs can contain Unix and Linux information for an AD user:

uid=
uidNumber=1016
gidNumber=100000
loginShell=/bin/bash
unixHomeDirectory=/home/joe
gecos=
backlink=[securityIdentifierOfUser]
objectClass=CenterisLikewiseUser

In the example, the uid attribute is empty. It is needed only when you want to specify a name alias so that the AD user can log on a computer with something other than his or her AD account name.

In ADSI Edit, the properties for a user look like this:

The keywords attribute is also used to store Linux and Unix group information. Here's an example of how the attribute name-value pairs can contain Unix and Linux information for a group:

backLink=[securityIdentifierOfGroup] description= displayName= gidNumber=100000 objectClass=centerisLikewiseGroup

When you set an alias for a group, it is stored in the displayName attribute (for the group in the example above, no alias has been set, and thus displayName is empty).

In ADSI Edit, the values of the keywords attribute look like this:

Schema mode takes a slightly different approach. To store Linux and Unix user and group information, schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes, namely the posixAccount and posixGroup object classes. For example, the posixAccount and posixGroup object classes include attributes -- uidNumber and gidNumber -- that Likewise uses for UID and GID mapping. In addition, Likewise uses serviceConnectionPoint objects to store the same information as in non-schema mode by using the keywords attribute.

For example, when you create a cell in schema mode, Likewise creates a container object – CN=$LikewiseIdentityCell -- in the domain root, or in the OU where you created the cell. If the container is created in an OU, which is called a named or non-default cell, the Unix-specific data is stored in CN=Users and CN=Groups in the $LikewiseIdentityCell container object. The objects point to the Active Directory user or group information with a backlinked security identifier.

If the container is created at the level of the root domain, it is known as a default cell. In this case, the Unix-specific data is stored directly in the AD user or group account.

If you choose to use schema mode and your schema does not comply with RFC 2307, you must modify the schema. The Likewise Domain Extension Wizard, which is a tool in the console, can automatically upgrade your schema to comply with RFC 2307. (Windows Server 2003 R2 or later complies with RFC 2307.) When you use schema mode with a schema that already complies with RFC 2307, Likewise does not change the schema, but you still must run the Domain Extension Wizard to include the RFC 2307 attributes in the global catalog and to index them for faster searches.

A Likewise cell contains Unix settings for Active Directory users and groups so they can log on to Linux, Unix, and Mac OS X computers. For each user, the settings include a Unix user identifier (UID), the group identifier (GID) of the primary group, a home directory, and a shell.

When an Active Directory user logs on a Likewise client, Likewise searches Active Directory for the user's cell information. The search typically begins at the node where the computer is joined and moves up the directory's structure until a cell is found. To operate properly, the Likewise Enterprise agent must find a cell.

There are two types of cells:

In a named cell, Likewise searches for a user or group's attributes in the cell associated with the computer.

A default cell is processed in a different way. With a default cell, Likewise searches for a user or group's attributes in the default cell of the domain where the user or group resides. As a result, in a two-domain topology that, for example, uses a separate domain for users and a separate domain for computers, there must be two default cells:

In a multi-domain topology, then, you must create a default cell in each domain.

Cells can also map a user to different UIDs and GIDs for different computers. In the following screen shot, the example user, Clark Kent, is allowed to access the computers that are in the selected cells:

Creating Cells

Likewise modifies the Active Directory User and Computers MMC snap-in so that you can create a cell associated with an OU and then use the cell to manage UID-GID numbers. To create a cell, use Active Directory Users and Computers to select the OU you want, click the Likewise Settings tab of the object's Properties sheet, and then select the check box to associate a cell with the OU. You can then assign UID-GID numbers manually or let Likewise do it for you.

When a Likewise client connects to Active Directory, the Likewise agent determines the OU of which the computer is a member and checks whether a cell is associated with it. If a cell is not associated with the OU, the Likewise agent on the Unix computer searches the parent and grandparent OUs until it finds an OU that has a cell associated with it. If an OU with an associated cell is not found, the agent uses the default cell to map its username to UID and GID information.

Important: Before you associate a cell with an organizational unit, make sure you have chosen the schema mode that you want. You cannot change the schema mode after you create a cell, including a default cell.

For instructions on how to make a cell, see Create a Cell.

The Default Cell

Likewise lets you define a default cell. It handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers.

When you use a default cell, Likewise searches across all your trusted domains for Unix and Linux information directly on the user objects. In schema mode, Likewise searches all trusted global catalogs, which are shared across a forest -- Likewise queries the trusted global catalogs as a set. In non-schema mode, Likewise queries each trusted domain individually.

The default cell does not contain Unix or Linux data. It is a method for managing client Linux and Unix users and computers. When a client finds the default cell object, it searches all trusted domains and forests, enterprise wide, for Linux and Unix information, even if the default cell object has not been created in those trusted domains and forests.

A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the group polices associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell. Likewise does not require you to have a default cell.

Linking Cells

To provide a mechanism for inheritance and to ease system management, Likewise can link cells. Linking specifies that users and groups in a linked cell can access resources in the target cell. For example, if your default cell contains 100 system administrators and you want those administrators to have access to another cell, called Engineering, you do not need to provision those users in the Engineering cell. You can simply link the Engineering cell to the default cell, and then the Engineering cell will inherit the settings of the default cell. Then, to make management easier, in the Engineering cell you can just specify the mapping information that deviates from the default cell.

Although you can use linking to in effect set up a hierarchy of cells, linking is not transitive. If, for example, a cell called Civil is linked to the Engineering cell and the Engineering cell is linked to the default cell, the Civil cell does not inherit the settings of the default cell.

When you link to multiple cells, the order that you set is important because it controls the search order. Suppose that Kathy, a system administrator, has a UID of 100,000 set in the default cell and a UID of 150,000 set in the Engineering cell. In the Civil cell, however, he must use his UID from the Engineering cell to log on Civil computers. If the Civil cell is linked to both the default cell and Engineering cell, the order becomes important. If Engineering does not precede the default cell in the search order, Kathy will be assigned the wrong UID and will be unable to log on computers in the Civil cell.

For instructions on how to link cells, see Link Cells.

Cell Manager

Cell Manager is a Likewise MMC snap-in for managing cells associated with Active Directory organizational units. With Cell Manager, you can view all your cells in one place. Cell Manager complements Active Directory Users and Computers by letting you delegate management of a cell -- that is, give others the ability to add users and groups to a cell. Cell Manager is automatically installed when you install the Likewise Console. For more information, see Manage Cells.

Migrating NIS Domains

If use Likewise to migrate all your Unix and Linux users to Active Directory, in most cases you will assign these users a UID and GID that is consistent across all the Unix and Linux computers that are joined to Active Directory -- a simple approach that reduces administrative overhead.

In cases when multiple NIS domains are in use and you want to eliminate these domains over time and migrate all users and computers to Active Directory, mapping an Active Directory user to a single UID and GID might be too difficult. When multiple NIS domains are in place, a user typically has different UID- GID maps in each NIS domain. With Likewise, you can eliminate these NIS domains but retain the different NIS mapping information in Active Directory because Likewise lets you use a cell to map a user to different UIDs and GIDs depending on the Unix or Linux computer that they are accessing.

To move to Active Directory when you have multiple NIS servers, you can create an OU (or choose an existing OU) and join to the OU all the Unix computers that are connected to the NIS server. You can then use cells to represent users' UID-GID mapping from the previous identity management system.

Using Multiple Cells

If you have multiple Unix and Linux hosts but are not using a centralized scheme to manage UIDs and GIDs, it is likely that each host has unique UID-GID mappings. You may also have more than one centralized IMS, such as multiple NIS domains. You can use multiple cells to represent the UID-GID associations that the NIS domain provided, allowing those Unix and Linux users to continue to use their existing UID-GID information while using Active Directory credentials.

When using multiple cells, it is useful to identify what Unix and Linux objects the cell will represent, such as the following:

Migration Tool

The Likewise Console provides a migration tool to import Linux, Unix, and Mac OS X passwd and group files -- typically /etc/passwd and /etc/group -- and automatically map their UIDs and GIDs to users and groups defined in Active Directory. The migration tool can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. For more information, see Migrate Users to Active Directory.

Orphaned Objects Tool

The Likewise console provides a tool for finding and removing orphaned objects. An orphaned object is a linked object, such as a Unix or Linux user ID or group ID, that remain in a cell after you delete a group or user's security identifier, or SID, from an  Active Directory domain. Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve search speed. For more information, see Find Orphaned Objects.

In general, the optimal setup is schema mode with a default cell. Schema mode is strongly preferred because lookups use attributes indexed in Active Directory, reducing network traffic and the processing load on domain controllers. When Unix identity information does not overlap, you should use schema mode with a default cell. If you require multiple cells to keep Unix identities from coming into conflict, use schema mode with named cells. Try to minimize the number of named cells you use, preferably no more than four.

Forests that are in Windows 2008 Forest Mode are already in Likewise schema mode. Forests in Windows 2003 Forest Mode with Windows 2003 R2 domain controllers can be moved to schema mode without extending the AD schema.

Because of the performance benefits of schema mode, you should avoid non-schema mode whenever you can. Non-schema mode, however, remains fully supported by Likewise.

Migrating from a non-schema default cell to a default cell in schema mode requires more work and is riskier than any other kind of cell migration. So, to ease migration in the future and to improve support, non-schema mode cells should be created only as named cells -- that is, cells associated with organizational units.

Although you could use cells to limit access to a computer, doing so goes against the design of Active Directory. It is recommended that you control access and authorize users with methods other than cells. Instead, you can control access by using the RequireMembershipOf setting in the registry or the group policy, named Allow Logon Rights, that manages the RequireMembershipOf setting.

Likewise recommends the following additional best practices:

There are additional best practices for managing the security of the Likewise database; see the chapter on installing and configuring the Likewise database.

Finally, more best practices are listed in Likewise professional services' Best Practices Guide.

You install the Likewise Management Console on a Windows administrative workstation connected to a domain controller to administer Linux, Unix, and Mac OS X computers in Active Directory. When you install the console, it adds extension tabs to the properties sheets of most objects in Active Directory Users and Computers (ADUC). The extension tabs, named Likewise Settings and Likewise NIS Maps, let you manage Unix settings in ADUC. In addition, the Likewise group policies are added to the Group Policy Management Console and the Group Policy Object Editor.

After you install the console, you can use Active Directory Users and Computers to manage Unix and Linux users and groups, including their UID and GID information, their default logon shell, and their default home directory. You can also use the Group Policy Object Editor to create and edit Linux- and Unix-specific group policies, and you can use the Group Policy Management Console to view information about Likewise group policies.

You can use the console to perform the following tasks:

This section lists the requirements to use Likewise Enterprise with Active Directory. Requirements for the Likewise agent -- the software that runs on the Linux, Unix, and Mac OS X computers that you want to connect to AD -- are listed in About Installing the Agent.

You must have at least the following components:

Administrator Privileges

Active Directory Requirements

Windows Requirements for the Console

Requirements to Run Likewise in Schema Mode

For more information, see About Schema Mode and Non-Schema Mode and Pros and Cons of the Schema Modes.

Remediation Requirements for Active Directory

Networking

The subnets with your Linux, Unix, and Mac computers must be added to Active Directory sites before joining the computers to Active Directory so that the Likewise agent can detect the optimal domain controller and global catalog.

Replication

Make sure your AD replication system is up to date and functioning properly by using the following diagnostic tools from http://www.microsoft.com/download to test replication. For instructions, see the Microsoft documentation for each tool.

In addition, the following tools can help you review and troubleshoot FRS problems.

Sonar. Optionally use it to perform a quick review of FRS status.

Ultrasound. Optionally use it to monitor and troubleshoot FRS.

ReplMon. Included in the Microsoft Resource Kit Tools, use it to investigate replication problems across links where DCDiag showed failures.

You install the Likewise Management Console on a Windows administrative workstation that can connect to your Active Directory domain controller. It is recommended that you do not install the console on a domain controller. (For instructions on how to use the Likewise metainstaller to install the console and other components, see the Likewise Evaluation Guide.)

In addition to the console, the Likewise Enterprise installer for Windows includes several components: the Likewise migration tools, Gnome group policy schemas, and GPMC support.

Important Note About Upgrading: To upgrade to the latest version of Likewise Enterprise on your Windows administrative workstation, first uninstall the existing version. Then, before installing the latest version of Likewise Enterprise, install the latest version of the Microsoft Group Policy Management Console and run Windows update to make sure your workstation has the latest XML patches.

Before you can start the Likewise Management Console, it must be installed on your administrative desktop. Depending on the options chosen during installation, the console can be started in the following ways:

Tip: You can run multiple instances of the Likewise Console and point them at different domains.

The Likewise Console page is the first screen that is displayed after you start the console. From the page, you can navigate to all other pages in the console, including the Status page. You can also start Active Directory Users and Computers (ADUC), Cell Manager, and the Migration tool.

The Forest Status page displays the following information for the selected Active Directory forest. After you start the console, it may take a few moments to retrieve information about your domains.

Likewise Version: The Likewise version and build number. Technical support personnel may ask you for this information when you contact them for assistance.

Consistency check: Indicates whether Active Directory has been properly prepared for the current operating mode. Typically this status indicator reads as Good.

Cell count: Displays the number of cells that are associated with organizational units in the selected domain, including the default cell.

Mode: Either schema or non-schema. Schema indicates that the selected forest is using the RFC 2307-compliant schema. Non-schema indicates that it is not.

If Likewise detects more than one Active Directory forest, it displays them on the Likewise Console's Forest Status page. You can connect to a forest by double-clicking the forest name.

You can connect to another domain as follows:

After you install the Likewise Management Console for the first time, you can run the Schema Mode Wizard to upgrade your Active Directory schema to that of Microsoft Windows Server 2003 R2, which provides support for RFC 2307. The Run Schema Mode Wizard button appears only if you have not run the Schema Mode Wizard and if you have not created any Likewise cells. In non-schema mode, the button will reappear after you remove all your Likewise cells.

Likewise has two operating modes: schema mode and non-schema mode. Non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the existing schema. Non-schema mode is Likewise's default mode, and you do not need to run the schema mode wizard to use it.

Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes, namely the posixAccount and posixGroup object classes. The wizard upgrades your schema to RFC 2307. If you are already using Windows Server 2003 R2, running the wizard indexes frequently searched attributes in the Active Directory global catalog.

Before you decide which schema mode is right for your environment, see About Schema Mode and Non-Schema Mode and Pros and Cons of the Schema Modes.

Important: You cannot roll back the changes that the schema mode wizard makes to the Active Directory schema. Back up Active Directory before you run the wizard.

Run the Schema Mode Wizard

To raise the forest functional level and to upgrade the schema, you must be a member of the Enterprise Administrators security group or the Schema Administrators security group for the forest.

When you set up Likewise in an environment with a large forest or multiple domains, it may take some time for the Likewise objects and the schema update to replicate to the rest of the domain.

Replication must complete before the domain and its child domains are fully enabled for Likewise. You will be unable to connect to a child domain until replication finishes.

One or more domains that share a common schema and global catalog are known as a forest. With Likewise, you can upgrade the schema of a forest. To do so, you must be a member of the Enterprise Administrators security group or the Schema Administrators security group for the forest.

Important: To apply the schema extensions only to a single forest, select only the forest that you want.

The console includes several plug-ins: Access and Audit Reporting, Enterprise Database Management, and the Operations Dashboard.

To create a Likewise cell and associate it with a domain or an organizational unit (OU), you must have Active Directory administrative privileges that allow you to create container objects within an OU or a domain. To associate a cell with an OU, for example, you must be a member of the Domain Administrators security group, or you must have been delegated control to create container objects within the OU.

Important: Before you associate a cell with an organizational unit, make sure you have chosen the schema mode that you want. You cannot easily change the schema mode after you create a cell, including a default cell.

Likewise gives you the option of defining a default cell. It handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers. Likewise Enterprise does not require a default cell.

A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such cases, the group polices associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell.

To create a default cell, in the Active Directory Users and Computers console tree, right-click the name of your domain, click Properties, click the Likewise Settings tab, and then click Create Associated Likewise Cell.

In Active Directory Users and Computers, you can associate a user with one or more Likewise cells to give the user access to the Linux, Unix, and Mac OS X computers that are members of each cell.

Note: To associate a user with a cell, you must log on with sufficient administrative privileges -- for example, as a member of the Domain Administrators group.

See Also

Assign a Group ID

You can add an Active Directory group to a cell after you have associated a cell with an organizational unit (OU).

You can add an Active Directory user to a cell after you have associated a cell with an organizational unit (OU).

Linking specifies that the computers in the current cell can be accessed by the users in the cell that you link to (the linked cell).

In the scenario shown in the screenshot below, the current cell is EditorialDepartment. When you link to the Engineering cell from the Likewise Settings tab for EditorialDepartment, the users in Engineering can access the computers in EditorialDepartment.

The following example demonstrates how linking cells can be useful:

If your default cell contains 100 system administrators and you want those administrators to have access to the computers in another cell, called Engineering, you do not need to provision those users in the Engineering cell. You can simply link the Engineering cell to the default cell, and then the Engineering cell inherits the settings of the default cell. For more information on linking cells, see About Cells.

To associate a Likewise cell with an Active Directory organizational unit, an administrator must have permission to create container objects within the OU. A member of the Domain Administrators or Enterprise Administrators security group can delegate control of the OU to another administrator.

Tip: For more information about delegating control, see Delegating Administration in Active Directory Users and Computers Help.

Cell Manager is a Likewise MMC snap-in for managing cells associated with Active Directory organizational units.

With Cell Manager, you can delegate management, change permissions for a cell, add cells, view cells, and associate cells with OUs to provide users and groups with Linux and Unix access. Cell Manager also lets you connect to another domain and filter cells to reduce clutter.

Cell Manager is automatically installed when you install the Likewise Console.

Start Cell Manager

Tip: To start Cell Manager from the Start menu, click Start, point to All Programs, click Likewise, and then click Likewise Cell Manager.

Delegate Management

You can use Cell Manager to create an access control list (ACL) that allows users or groups without administrative privileges to perform the administrative operations that you specify. For example, you can delegate management for the cell manager node to allow other users to create and delete cells. You can delegate management of a cell, a group, or a user.

Change Permissions of a Cell, Group, or User

Add a Cell

When you add a cell, you must attach it to an Organizational Unit in Active Directory.

Give a User Access to a Cell

When you give a user access to a cell by using Cell Manager, you can add the new user to the cell only with default attributes. You can change the attributes later by using in Active Directory Users and Computers; see Specify a User's ID and Unix or Linux Settings.

Give a Group Access to a Cell

When you give a group access to a cell by using Cell Manager, you can add the new group to the cell only with default attributes. You can change the attributes later by using Active Directory Users and Computers.

Filter Cells

You can use filtering to set the maximum number of cells to display and show only the cells that match a pattern.

Connect to a Different Domain

Even though users and groups imported from a different domain appear in Cell Manager, you cannot modify their settings from outside their original domain. Instead, to modify the settings of a user or group imported from another domain, use Cell Manager to connect to that domain and then make the changes that you want.

In Microsoft Active Directory Users and Computers, you can modify your Likewise settings for a domain, an organizational unit, a group, or a user. Likewise adds a tab to the property sheet of the following objects in the Active Directory Users and Computers MMC snap-in:

Important: To change the settings, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or another group that gives you sufficient privileges to modify objects in Active Directory. Or you must have been delegated privileges to modify the settings of the objects that you want to change; for more information, see Delegate Management.

To create a Unix or Linux user account in Active Directory, you must have sufficient administrative privileges -- for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.

See Also

Create a Cell

Because of a limitation with the Active Directory Users and Computers snap-in, when you try to find a Likewise user or group by right-clicking an organizational unit and then clicking Find, the user or group will not appear in the results even when the user or group is in the OU. The Find command does, however, work at the level of the domain.

As an alternative, you can find Likewise users and groups in an OU by using the following procedure:

To provide an Active Directory user with Unix, Linux, or Mac access, you must have sufficient administrative privileges -- for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.

Tip: For a Mac OS X user, limit group membership to less than 45 groups that are enabled for Unix access. Because of a limitation with Mac OS X, membership in groups other than the primary group is not enumerated for a user who belongs to more than 45 groups.

To provide an Active Directory group with Unix, Linux, or Mac access, you must have sufficient administrative privileges -- for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.

You can set a user's identifier (UID) and specify the user's Unix, Linux, or Mac OS X settings.

Note: To provide a user with a UID and Unix or Linux settings, you must have sufficient administrative privileges -- for example, as a domain administrator or as a delegate. To delegate administrative privileges to another user, see Delegate Management.

See Also

Resolve an AD Alias Conflict with a Local Account

Likewise lets you apply Unix, Linux, and Mac OS X settings to multiple users at the same time. For example, you can assign multiple users to a cell and then set their home directory.

The users must be members of a group that is associated with a cell and each user must have a UID-GID mapping.

Note: To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify the settings of the user objects that you want to change; for more information, see Delegate Management.

You can set an alias for an Active Directory user so that the user can use the alias to log on a Linux, Unix, or Mac OS X computer joined to Active Directory. The alias is set only for the cell that you select when you set it.

You can create an alias for a group that is part of a Likewise cell, including the default cell. The group can use the alias within the cell.

There are three ways that you can set the default home directory for Linux, Unix, and Mac OS X users:

When you set the default home directory, you must use the default user name variable (%U). You may specify the default domain name by using the domain name variable (%D) but, unlike the user name variable, it is not required.

Important: On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.

Set the Home Directory for a Cell

To set a default home directory for a cell, you must have Active Directory administrative privileges to modify OU objects.

Set the Home Directory for Multiple Users

To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

Set the Home Directory for a Single User

To change a user's settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

By using Likewise, there are two ways that you can set the default login shell for Linux, Unix, and Mac OS X users:

Set the Login Shell for a Cell

To set a default login shell for a cell, you must have Active Directory administrative privileges to modify OU objects.

Set the Login Shell for Multiple Users

To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

Set the Login Shell for a Single User

To change a user's settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

You can assign a group identifier (GID) to an Active Directory group by associating the group object with a cell and specifying a GID value for the group object.

The GID information that you enter is applied to all objects within the group. However, subgroups nested within the settings do not carry down; you must apply the GID information to subgroups individually.

Note: To assign a group ID, you must log on with privileges sufficient to modify the object.

To disable a user, you must log on as a domain administrator or as a member of another group that gives you privileges sufficient to modify Active Directory user objects.

Note: When a computer cannot communicate with a domain controller, a user with a disabled account who has recently logged on to the computer can continue to log on until you clear the cache or until the cache expires. By default, the cache expires after 4 hours, or the interval that you set by using a Likewise group policy or by modifying the local configuration file (lsassd.conf).

When the Microsoft Management Console loads a snap-in such as ADUC, it checks for certificate revocations. To improve MMC performance after Likewise is installed on your Windows administrative workstation, you can reconfigure Internet Explorer's security options to not check for certificate revocation and reconfigure Windows to not update root certificates.

Important: Although these changes can improve performance, they can also affect your administrative workstation's security policy. Before making these changes, determine whether they are permitted by your IT security policy.

When you have to grant multiple users or groups access to a file, directory, or Samba share on a Linux server, you can use POSIX access control lists to extend the standard file mode permissions.

Because Linux and Unix file mode permissions control access only for a single user, a single group, and then everyone else, the only means of granting access to more than one group with the standard file modes is to either nest the groups together or to give everyone access -- approaches that are often unacceptable. Nested groups can be a maintenance burden, and granting access to everyone can undermine security. As for Samba shares, it is insufficient to add multiple users and groups to the valid users parameter in smb.conf if the underlying file system does not allow them access.

Prerequisites

You must have the acl package installed. You can determine this as follows:

# rpm – qa | grep acl
libacl-2.2.23-5
acl-2.2.23-5

The file system must be mounted with acl in the option list.  You can determine this using the mount command:

# mount
/dev/sda1 on / type ext3 (rw,acl)

As shown above, the root file system has been mounted with read-write (rw) and acl options.  If you don’t see acl in the options for the file system you are working with, modify /etc/fstab to include this option, and then remount the file system. In the case of the root file system, you may need to reboot the system.

All users and groups must be created before adding them to the ACL. In the case of Active Directory users, they must be preceded by the domain unless user aliases have be to configured (for example, DOMAIN\username).

Example

This example uses a directory called testdir. The process is the same for files.

Here are the standard file mode permissions of the testdir directory.  

[aciarochi@rhel4-devel tmp]$ ls -ld testdir
drwxrwx---  2 root root 4096 Dec 14 13:28 testdir

You can view the extended ACL using the getfacl utility. In this case, it shows the same information, in a different format:

[aciarochi@rhel4-devel tmp]$ getfacl testdir
# file: testdir
# owner: root
# group: root
user::rwx
group::rwx
other::---

With these permissions, only the root user and members of the root group are allowed to open the directory.  Since the aciarochi user is not in the root group, he is denied access:

[aciarochi@rhel4-devel tmp]$ cd testdir
-bash: cd: testdir: Permission denied

However, we can grant access to aciarochi by using the setfacl utility to add him to the ACL. We must switch to the root user, of course, since that is the directory owner. Once the ACL is set, aciarochi can open the directory:

[root@rhel4-devel ~]# setfacl -m u:aciarochi:rwx /tmp/testdir/
[root@rhel4-devel ~]# exit
logout
[aciarochi@rhel4-devel tmp]$ cd testdir
[aciarochi@rhel4-devel testdir]$ pwd
/tmp/testdir

Notice that the standard file mode permissions have not changed, except for the addition of a + at the end, indicating that extended file permissions are in effect:

[aciarochi@rhel4-devel tmp]$ ls -ld /tmp/testdir/
drwxrwx---+ 2 root root 4096 Dec 14 13:28 /tmp/testdir/

Additional groups can be added in the same manner -- using a g: instead of a u: -- to indicate a group.  In the following example, we grant read and execute (open) access to the ftp group:

[root@rhel4-devel ~]# setfacl -m g:ftp:r-x /tmp/testdir
[root@rhel4-devel ~]# getfacl testdir
# file: testdir
# owner: root
# group: root
user::rwx
user:aciarochi:rwx
group::rwx
group:ftp:r-x
mask::rwx
other::---

$ svnadmin create /data/foo 

## Add domain admins to the default directory ace 
$ find /data/foo -type d | xargs setfacl -d -m “g:AD\domain^admins:rwx” 

## Add domain admins to the directory ace 
$ find /data/foo -type d | xargs setfacl -m “g:AD\domain^admins:rwx” 

## Add domain admins to the ace for files 
$ find /data/foo -type f | xargs setfacl -m “g:AD\domain^admins:rw” 

$ getfacl /data/foo 
# file: foo 
# owner: AD\134gjones 
# group: AD\134unixusers 
user::rwx 
group::r-x 
group:AD\134domain^admins:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:group::r-x 
default:group:AD\134domain^admins:rwx 
default:mask::rwx 
default:other::r-x

The Likewise Diagnostics and Migration page in the Likewise Management Console includes two tools to help manage a mixed network:

An orphaned object is a linked object, such as a Unix user ID or group ID, that remains in a cell after you delete a group or user's security identifier, or SID, from an Active Directory domain. The Find Orphaned Objects tool cleans up manually assigned user IDs and improves search speed.

The NIS migration tool imports Linux and Unix passwd files and group files and maps them to users and groups in Active Directory. The tool lets you resolve conflicts and ambiguous user names before you commit the changes.

The migration tool includes options to ease your NIS migration to Active Directory and to handle various requirements:

The Likewise NIS migration tool can import Linux, Unix, and Mac OS X password and group files -- typically /etc/passwd and /etc/group -- and automatically map their UIDs and GIDs to users and groups defined in Active Directory.

You can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. Before you commit the changes, you can resolve ambiguous user names and other conflicts.

Important: Before you migrate users to a domain that operates in non-schema mode, it is recommended that you find and remove orphaned objects. The IDs associated with orphaned objects are reserved until you remove the orphaned objects. See Find Orphaned Objects.

What You Need Before You Begin

Before running the migration tool, you should have the following information ready:

Run the Migration Tool

You can use the Likewise Management Console to find and remove orphaned objects. An orphaned object is a linked object, such as a Unix or Linux user ID or group ID, that remains in a cell after you delete a group or user's security identifier, or SID, from an Active Directory domain.

Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve search speed. It is recommended that you remove orphaned objects before you use the migration tool with a domain that operates in non-schema mode.

On a Mac OS X computer, the Likewise domain join utility includes a tool to migrate a user's profile from a local user account to the home directory specified for the user in Active Directory.

When you migrate the user's profile, you can either copy or move it from the local account to the user's Active Directory account. Copying the profile leaves a copy of the user's files in their original location, but doubles the space on the hard disk required to keep the user's files.

You can migrate a user by using the GUI or by using the command line. In addition, you can customize the migration shell script to suit your requirements.

Important: To migrate a user's profile, you must have a local or AD account with administrative privileges. The account that you use must not be the account that you are migrating.

Migrate a User's Profile with the GUI

Migrate a User's Profile from the Command Line

You can migrate a user's profile by using the command line. On a Mac OS X computer, the location of the migration shell script is as follows:

/opt/likewise/bin/lw-local-user-migrate.sh

You can execute the migration script either locally or remotely by connecting to a Mac with SSH. Connecting to a Mac with SSH and then running the migration script from the command line lets you remotely migrate users from another computer.

For information about the command's syntax and arguments, execute the following command in Terminal:

/opt/likewise/bin/lw-local-user-migrate.sh --help

Customize the Migration Script

You can customize the migration script to suit your needs by opening the script and editing it. The script is written in Bash shell.

Important: There is no Likewise support for customizing the script or for modified scripts. Changes to the script preclude Likewise support.

The Likewise agent is installed on a Linux, Unix, or Mac OS X computer to connect it to Microsoft Active Directory and to authenticate users with their domain credentials. The agent integrates with the core operating system to implement the mapping for any application, such as the logon process (/bin/login), that uses the name service (NSS) or pluggable authentication module (PAM). As such, the agent acts as a Kerberos 5 client for authentication and as an LDAP client for authorization. In Likewise Enterprise, the agent also retrieves group policy objects to securely update local configurations, such as the sudo file.

The Likewise agent is also known as the Likewise client and the Likewise identity service.

Likewise Open

The Likewise Open agent comprises the following daemons:

Likewise Enterprise

Likewise Enterprise includes all the daemons that are in Likewise Open. The following additional daemons are in Likewise Enterprise to apply group policies, handle smart cards, and monitor security events:

The Likewise Input-Output Service

The lwiod daemon multiplexes input and output by using SMB1 or SMB2. The daemon's plugin-based architecture includes several drivers, the most significant of which is coded as rdr -- the redirector.

The redirector multiplexes CIFS/SMB connections to remote systems. For instance, when two different processes on a local Linux computer need to perform input-output operations on a remote system by using CIFS/SMB, with either the same identity or different identities, the preferred method is to use the APIs in the lwio client library, which routes the calls through the redirector. In this example, the redirector maintains a single connection to the remote system and multiplexes the traffic from each client by using multiplex IDs.

The input-output service plays a key role in the Likewise architecture because Likewise makes heavy use of DCE/RPC, short for Distributed Computing Environment/Remote Procedure Calls. DCE/RPC, in turn, uses SMB: Thus, the DCE-RPC client libraries use the Likewise input-output client library, which in turn makes calls to lwiod with Unix domain sockets.

When you join a domain, for example, Likewise uses DCE-RPC calls to establish the machine password. The Likewise authentication daemon periodically refreshes the machine password by using DCE-RPC calls. Authentication of users and groups in Active Directory takes place with Kerberos, not RPC. ( View a data-flow diagram that shows how systems interact when you join a domain.)

In addition, when a joined computer starts up, the Likewise authentication daemon enumerates Active Directory trusts by using DCE-RPC calls that go through the redirector. With one-way trusts, the authentication daemon uses RPC to look up domain users, groups, and security identifiers. With two-way trusts, lookup takes place through LDAP, not RPC.

Because the authentication daemon registers trusts only when it starts up, you should restart lsassd with the Likewise Service Manager after you modify a trust relationship.

The Likewise group policy agent also uses the input-output client library and the redirector when it copies files from the sysvol share of a domain controller.

To troubleshoot remote procedure calls that go through the input-output service and its redirector, use a Wireshark trace or a TCP dump to capture the network traffic. Wireshark, a free open-source packet analyzer, is recommended.

To troubleshoot connection problems with the redirector, set the log level of lwiod to debug:

/opt/likewise/bin/lwio-set-log-level debug

PAM Options

Likewise uses three standard PAM options – try_first_pass, use_first_pass, and use_authtok -- and adds three non-standard options to the PAM configuration on some systems: unknown_ok, remember_chpass, and set_default_repository. The unknown_ok option allows local users to continue down the stack (first line succeeds but second line fails) while blocking domain users who do not meet group membership requirements. On AIX systems, which have both PAM and LAM modules, the remember_chpass prevents the AIX computer from trying to change the password twice and prompting the user twice. On Solaris systems, the set_default_repository option is used to make sure password changes work as expected.

Managing the Likewise Daemons

The Likewise Service Manager lets you track and troubleshoot all the Likewise services with a single command-line utility. You can, for example, check the status of the services, view their dependencies, and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the right order. In addition, you can use the service manager to set the logging destination and the log level.

To list status of the services, run the following command with superuser privileges at the command line:

/opt/likewise/bin/lwsm list

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm list
lwreg       running (standalone: 1920)
dcerpc      running (standalone: 2544)
eventlog    running (standalone: 2589)
lsass       running (standalone: 2202)
lwio        running (standalone: 2191)
netlogon    running (standalone: 2181)
npfs        running (io: 2191)
rdr         running (io: 2191)

After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with super-user privileges. This example refreshes the lsass service:

/opt/likewise/bin/lwsm refresh lsass

Configuration information for the daemons is stored in the Likewise registry, which you can access and modify by using the registry shell or by executing registry commands at the command line. The registry shell is at /opt/likewise/bin/lwregshell. For more information, see Configuring the Likewise Services with the Registry.

The agent includes a number of libraries in /opt/likewise/lib.

The agent uses the following ports for outbound traffic.

View a data-flow diagram that shows how systems interact when you join a domain.

To maintain the current state and to improve performance, the Likewise authentication service (lsass) caches information about users and groups in memory. You can, however, change the cache to store the information in a SQLite database; for more information, see the chapter on configuring Likewise with the registry.

The Likewise site affinity service, netlogon, caches information about the optimal domain controller and global catalog in the Likewise registry.

The following files are in /var/lib/likewise/db:

Since the default UIDs that Likewise generates are large, the entries made by the operating system in the lastlog file when AD users log in make the file appear to increase to a large size. This is normal and should not cause concern. The lastlog file (typically /var/log/lastlog) is a sparse file that uses the UID and GID of the users as disk addresses to store the last login information. Because it is a sparse file, the actual amount of storage used by it is minimal.

With Likewise Open, you can manage the following settings for your cache by editing the Likewise registry. See Cache Settings in the lsass Branch.

With Likewise Enterprise, you can manage the settings with group policies; see the Group Policy Adminstration Guide.

Additional information about a computer's Active Directory domain name, machine account, site affinity, domain controllers, forest, the computer's join state, and so forth is stored in the Likewise registry. Here's an example of the kind of information that is stored under the Pstore key and the netlogon key:

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\LIKEWISEDEMO.COM\Pstore]
"ClientModifyTimestamp"=dword:4b86d9c6
"CreationTimestamp"=dword:4b86d9c6
"DomainDnsName"="LIKEWISEDEMO.COM"
"DomainName"="LIKEWISEDEMO"
"DomainSID"="S-1-5-21-3190566242-1409930201-3490955248"
"HostDnsDomain"="likewisedemo.com"
"HostName"="RHEL5D"
"MachineAccount"="RHEL5D$"
"SchannelType"=dword:00000002

[HKEY_THIS_MACHINE\Services\netlogon\cachedb\likewisedemo.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="likewisedemo.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.likewisedemo.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="likewisedemo.com"
"DcInfo-LMToken"=dword:0000ffff
"DcInfo-NetBIOSDomainName"="LIKEWISEDEMO"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-NTToken"=dword:0000ffff
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DcInfo-Version"=dword:00000005
"DnsDomainName"="likewisedemo.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""

For the Likewise agent to communicate over Kerberos with the domain controller, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. (For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Clock-Skew.html.)

The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the domain controller's Kerberos key distribution center that determines the maximum clock skew. Since changing the maximum clock skew in a client's krb5.conf file does not affect the clock skew tolerance of the domain controller, the change will not allow a client outside the domain controller's tolerance to communicate with it.

The clock skew value that is set in the /etc/likewise/krb5.conf file of Linux, Unix, and Mac OS X computers is useful only when the computer is functioning as a server for other clients. In such cases, you can use a Likewise Enterprise group policy to change the maximum tolerance; for more information, see Set the Maximum Tolerance for Kerberos Clock Skew in the Likewise Group Policy Administration Guide.

The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew are discarded. When the server receives an authentication request within the clock skew, it checks the replay cache to make sure the request is not a replay attack.

If you set the system time on your computer with a Network Time Protocol (NTP) server, the time value of the NTP server and the time value of the domain controller could exceed the maximum skew. As a result, you will be unable to log on your computer.

If you use an NTP server with a cron job, there will be two processes trying to synchronize the computer's time -- causing a conflict that will change the computer's clock back and forth between the time of the two sources.

Likewise recommends that you configure your domain controller to get its time from the NTP server and configure the domain controller's clients to get their time from the domain controller.

The Likewise authentication daemon -- lsassd -- manages site affinity for domain controllers and global catalogs and caches the information with netlogond. When a computer is joined to Active Directory, netlogond determines the optimum domain controller and caches the information. If the primary domain controller goes down, lassd automatically detects the failure and switches to another domain controller and another global catalog within a minute.

However, if another global catalog is unavailable within the forest, the Likewise agent will be unable to find the Unix and Linux information of users and groups. The Likewise agent must have access to the global catalog to function. Therefore, it is a recommended that each forest has redundant domain controllers and redundant global catalogs.

In Likewise Open, a UID and GID are generated by hashing the user or group's security identifier, or SID, from Active Directory. With Likewise Open, you do not need to make any changes to Active Directory. A UID and GID stays the same across host machines. With Likewise Open, you cannot set UIDs and GIDs for Linux and Unix in Active Directory; using AD to set and manage UIDs and GIDs is a feature of Likewise Enterprise or the Likewise UID-GID management tool.

If your Active Directory relative identifiers, or RIDs, are a number greater than 524,287, the Likewise Open algorithm that generates UIDs and GIDs can result in UID-GID collisions among users and groups. In such cases, it is recommended that you use Likewise Enterprise or the Likewise UID-GID management tool.

The Likewise Open algorithm is the same in 4.1 and 5.0, and if you are running 4.1 on one computer and 5.0 or later on another, each user and group should have the same UID and GID on both machines.

Note: If you have UIDs and GIDs defined in Active Directory, Likewise Open will not use those UIDs and GIDs.

In Likewise Enterprise, you can specify the UIDs and GIDs that you want, including setting multiple UID and GID values for a given user based on OU membership by using Likewise cells. (Likewise cells, available only in Likewise Enterprise, provide a method for mapping Active Directory users and groups to UIDs and GIDs.) You can also set Likewise Enterprise to automatically generate UID and GID values sequentially.

Both Likewise Open and Likewise Enterprise cache credentials so users can log on when the computer is disconnected from the network or Active Directory is unavailable.

The Likewise agent supports the following Active Directory trusts:

There is information on the types of trusts at http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx.

Notes on Trusts

The following list contains general information about working with trusts.

Trusts and Cells in Likewise Enterprise

In Likewise Enterprise, a cell contains Unix settings, such as a UID and a GID, for an Active Directory user. When an AD user logs on a Likewise client, Likewise Enterprise searches Active Directory for the user's cell information -- and must find it to operate properly. Thus, your AD topology and your trust relationships may dictate where to locate a cell in Active Directory so that your Likewise clients can access their Unix settings.

With a default cell, Likewise searches for a user or group's attributes in the default cell of the domain where the user or group resides. In a multi-domain topology, a default cell must exist in the domain where user and group objects reside in addition to the default cell that exists in the domain to which Unix, Linux, and Mac computers are joined. In a multi-domain topology, then, be sure to create a default cell in each domain.

Ideally, Unix information is stored on the user object in default cell schema mode. If the client computer does not have the access rights to read and write the information to the user object, as in an external one-way trust, the Unix information cannot be stored on the user object. It can, however, be stored locally in a named cell, that is, a cell associated with an organizational unit.

Since a named cell can be linked to the default cell, you can store Unix information on the user object in default cell schema mode when possible, and otherwise in a named cell that represents the external user. For information about cells, see the chapter on planning your Likewise Enterprise installation and deployment.

Likewise includes a tool to install the files necessary to use Samba with Likewise. Located in /opt/likewise/bin, the tool is named samba-interop-install. The Likewise Samba Guide describes how to use the tool to integrate Samba 3.0.25, 3.2.X, or 3.5.X with Likewise Enterprise 6 or Likewise Open 6.

Likewise Open and Likewise Enterprise run on a broad range of Unix, Mac OS X, and Linux platforms. Likewise frequently adds new vendors and distributions to the list of supported platforms.

Before you attempt to join an Active Directory domain, make sure the /etc/nsswitch.conf file contains the following line:

hosts: files dns

The hosts line can contain additional information, but it must include the dns entry, and it is recommended that the dns entry appear after the files entry.

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

When you use Likewise with Multicast DNS 4 (mDNS4) and have a domain in your environment that ends in .local, you must place the dns entry before the mdns4_minimal entry and before the mdns4 entry:

hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

The default setting for many Linux systems is to list the mdns4 entries before the dns entry -- a configuration that leaves Likewise unable to find the domain.

Important: For Likewise to process changes to your nsswitch.conf file, you must restart the Likewise input-output service (lwiod) and the authentication service (lsassd). Running the following command as root restarts both services:

/opt/likewise/bin/lwsm restart lwio

For Likewise to work correctly, the nsswitch.conf file must be readable by user, group, and world.

For more information on configuring nsswitch, see the man page for nsswitch.conf.

Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve SRV records for your domain.

Example:

[root@rhel5d Desktop]# cat /etc/resolv.conf

search likewisedemo.com
nameserver 192.168.100.132

For more information on resolv.conf, see your operating system's man page.

The Likewise agent requires several firewall ports to be open for outbound traffic. For a list of the required ports, see Make Sure Outbound Ports Are Open.

On AIX 5.2 and 5.3, you may need to extend the size of certain partitions to complete the installation successfully.

To do so, use IBM's chfs command to change the partition sizes -- for example:

# chfs -a size=+200M /opt

This command increases the size of the opt partition by 200 megabytes, which should be sufficient for a successful installation.

By default, IBM AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory username. On AIX 5.3 and AIX 6.1, the symptom is that group names, when enumerated through the groups command, are truncated.

To increase the max username length on AIX 5.3, use the following syntax:

# chdev - l sys0 -a max_logname=MaxUserNameLength+1

Example:

# chdev - l sys0 -a max_logname=255

This command allocates 254 characters for the user and 1 for the terminating null.

The safest value that you can set max_logname to is 255.

You must reboot for the changes to take effect:

# shutdown - Fr

Note: AIX 5.2 does not support increasing the maximum user name length.  

Members of the Likewise support staff might use a shell script to check the health of a Linux or Unix computer on which you plan to install the Likewise agent. The script helps identify potential system configuration issues before you install the agent and attempt to join a Linux or Unix computer to Active Directory.

With Likewise Open, the script is unavailable, but you can manually check your computer against the list in the table below.

The name of the script is healthchk.sh. To execute it, copy the script to the Unix or  Linux computer that you want to check, and then execute the following command from the shell prompt: likewise-health-check.sh

The script outputs the results of its scan to /tmp/healthchk.out.

The following table lists each item the script checks, describes the item, and suggests action to correct the issue.

You must install the Likewise agent -- the identity service that authenticates users -- on each Linux, Unix, or Mac OS X computer that you want to connect to Active Directory. To obtain the installer or to view a list of supported platforms, see www.likewise.com. The Likewise Open installation package can be downloaded for free at http://www.likewise.com/products/likewise_open/. If you are using Likewise Enterprise, make sure you install the Likewise Enterprise version of the agent.

Important: Before you install the agent, it is recommended that you upgrade your system with the latest security patches. Patch requirements for Unix systems are listed below.

The procedure for installing the Likewise Open agent or the Likewise Enterprise agent depends on the operating system of your target computer or virtual machine. Each procedure is documented in a separate section of this chapter.

You also have the option of installing the agent in unattended mode; see Install the Agent on Linux in Unattended or Text Mode and Install the Agent on a Mac in Unattended Mode.

Checking Your Linux Kernel Release Number

To determine the release number of the kernel on your Linux machine, run the following command:

uname -r

For the Linux machine to be supported by Likewise, the kernel release number must be 2.6 or later.

Package Management Commands

For an overview of commands such as rpm and dpkg that can help you manage Likewise on Linux and Unix platforms, see Package Management Commands.

This section lists requirements for installing and running the Likewise agent. Requirements for the Likewise Management Console, which is part of Likewise Enterprise and the UID-GID module, are detailed in the chapter on installing the console. Likewise Open does not include the Likewise Management Console.

Before you install the Likewise agent, make sure that the following environmental variables are not set: LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH, LD_PRELOAD. Setting any of these environmental variables violates best practices for managing Unix and Linux computers because it causes Likewise to use non-Likewise libraries for its services. For more information on best practices, see http://linuxmafia.com/faq/Admin/ld-lib-path.html. Likewise does not support installations that use these environmental variables. If joining the domain fails with an error message that one of these environmental variables is set, stop all the Likewise daemons, clear the environmental variable, make sure it is not automatically set when the computer restarts, and then try to join the domain again.

If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the Likewise library path (/opt/likewise/lib or /opt/likewise/lib64) before any other path -- but keep in mind that doing so may result in side effects for your other programs, as they will now use Likewise libraries for their services.

Patch Requirements

It is recommended that you apply the latest patches for your operating system before you install Likewise. Known patch requirements are listed below.

Sun Solaris

All Solaris versions require the md5sum utility, which can be found on the companion CD.

Sun Solaris 10 requires update 5 or later. The Solaris 10 05/08 (or later) patch bundle is available at http://sunsolve.sun.com/. Solaris 10_x86 requires the patch for nscd, either patch ID number 138047-02 or the patch that supercedes it, number 138264-02. This patch available for SPARC as patch 138046.

Solaris 8 Sparc should be fully patched according to Sun's recommendations. Likewise depends on the latest patch for libuuid. On Sparc systems, the patch for libuuid is 115831. Sun patch 110934-28 for Solaris 5.8 is also required for Solaris 8.

Solaris 8 Intel systems also require the latest patch for libuuid: 115832-01. Sun patches 110403-06 and 110935-26 are also required. Patch 110403-06 must be installed before you install patch 110935-26.

Solaris 9 requires Sun patch 113713-28 for Solaris 5.9.

OpenSolaris is compatible with Likewise without any patches.

HP-UX

Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed. Likewise recommends that you use HP-UX Secure Shell A.05.00.014 or later.

Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable Authentication Module, or PAM, which Likewise requires to allow domain users to execute sudo commands with super-user credentials. It is recommended that you download sudo from the HP-UX Porting Center and make sure that you use the with-pam configuration option when you build it.

HP-UX 11iv1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903, and PHKL_29243. Although these patches may be superceded by subsequent patches, these patches represent the minimum patch level for proper operation.

Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, you must download and install the latest KRB5-Client libraries from the HP Software Depot. (By default, HP-UX 11.31 includes the libraries.)

Other Requirements for the Agent

AIX

On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.

Secure Shell

To properly process logon events with Likewise, your SSH server or client must support the UsePam yes option. For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software

Telnet, rsh, rcp, rlogin, and other programs that uses PAM for processing authentication requests are compatible with Likewise.

Networking Requirements

Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:

In addition, several ports must be open; see Make Sure Outbound Ports Are Open.

Disk Space Requirements

The Likewise agent requires 100 MB of disk space in the /opt mount point. The agent also creates configuration files in /etc/likewise and offline logon information in /var/lib/likewise. In addition, the Likewise Enterprise agent caches group policy objects in /var/cache/likewise.  

Memory and CPU Requirements

The agent consists of several daemons that typically use between 9 MB and 14 MB of RAM. Memory utilization of the authentication daemon on a 300-user mail server is typically 7 MB; the other daemons require between 500 KB and 2 MB each. CPU utilization on a 2.0 gigahertz single-core processor under heavy load with authentication requests is about 2 percent. For a description of the Likewise daemons, see About the Likewise Agent.

Clock Skew Requirements

For the Likewise agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. For more information on time synchronization, see About the Likewise Agent.

You install the Likewise Enterprise agent by using a shell script that contains a self-extracting executable. The file name of the SFX installer ends in sh. Example: LikewiseEnterprise-6.1.0.3499-linux-i386-rpm.sh.

The examples shown are for Linux RPM-based platforms. For other Linux and Unix platforms -- such as Debian, HP-UX, AIX, and Solaris -- simply substitute the right installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.

Install the Agent on Linux or Unix with the Shell Script

Perform the following procedure with the root account. To view information about the installer or to view a list of command-line options, run the following command: ./LikewiseEnterprise-6.1.0.3499-linux-i386-rpm.sh --help

After the wizard finishes, the user interface for joining a domain appears. To suppress it, you can run the installer with its --dont-join argument.

You can install the agent in unattended mode by using the install command:

./LikewiseEnterprise-6.1.0.67-linux-i386-rpm.sh install

You install the Likewise Open agent or the Likewise Enterprise agent on Sun Solaris, HP-UX, and IBM AIX by using a shell script that contains a self-extracting executable -- an SFX installer with a file name that ends in sh. Example: LikewiseEnterprise-6.1.0.70-solaris-sparc-pkg.sh.

The examples shown below are for Solaris Sparc systems. For other Unix platforms, simply substitute the right installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.

Note: The name of a Unix installer for Likewise Enterprise on installation media might be truncated to an eight-character file name with an extension. For example, l3499sus.sh is the truncated version of LikewiseEnterprise-6.1.0.3499-solaris-sparc-pkg.sh.

Perform the following procedure with the root account.

To install the Likewise agent on a computer running Mac OS X, you must have administrative privileges on the Mac. Likewise supports Mac OS X 10.4 or later.

The Likewise command-line tools can remotely deploy the shell version of the Likewise agent to multiple Mac OS X computers, and you can automate the installation of the agent by using the installation command in unattended mode.

The commands in this procedure require administrative privileges.

Important: For Intel-based Macs, use the i386 version of the .dmg installer; for example: LikewiseEnterprise-6.1.0.3628-i386.dmg. For Macs that do not have Intel chips, use the powerpc version of the .dmg installer; for example: LikewiseEnterprise-6.1.0.3628-powerpc.dmg

The procedure below assumes you are installing the agent on an i386 Mac; if you are installing on a powerpc, replace the i386 installer with the powerpc installer.

Solaris Zones are a virtualization technology created by Sun Microsystems to consolidate servers. Primarily used to isolate an application, Solaris Zones act as isolated virtual servers running on a single operating system, making each application in a collection of applications seem as though it is running on its own server. A Solaris Container combines system resource controls with the virtual isolation provided by zones.

Every zone server contains a global zone that retains visibility and control in any installed non-global zones. By default, the non-global zones share certain directories, including /usr, which are mounted read-only. The shared directories are writable only for the global zone.

By default, installing Likewise in the global zone results in it being installed in all the non-global zones. You can, however, control the target of the installation by using the following options of the SFX installer:

./LikewiseEnterprise-6.1.0.97-solaris-i386-pkg.sh --help
...
--all-zones           (Solaris) Install to all zones (default)
--current-zone        (Solaris) Install only to current zone

After a new child zone is installed, booted, and configured, you must run the following command as root to complete the installation:

/opt/likewise/bin/postinstall.sh

You cannot join zones to Active Directory as a group. Each zone, including the global zone, must be joined to the domain independently of the other zones.

Caveats

There are some caveats when using Likewise with Solaris Zones:

1. When you join a non-global zone to AD, you will receive an error as Likewise attempts to synchronize the Solaris clock with AD. The error occurs because the root user of the non-global zone does not have root access to the underlying global system and thus cannot set the system clock. If the clocks are within the 5-minute clock skew permitted by Kerberos, the error will not be an issue. Otherwise, you can resolve the issue by manually setting the clock in the global zone to match AD or by joining the global zone to AD before joining the non-global zone.

2. Some group policies may log PAM errors in the non-global zones even though they function as expected. The cron group policy is one example:

Wed Nov 7 16:26:02 PST 2009 Running Cronjob 1 (sh)
Nov 7 16:26:01 zone01 last message repeated 1 time
Nov 7 16:27:00 zone01 cron[19781]: pam_lsass(cron): request failed

Depending on the group policy, these errors may result from file access permissions, attempts to write to read-only directories, or both.

3. By default, Solaris displays auth.notice syslog messages on the system console. Some versions of Likewise generate significant authentication traffic on this facility-priority level, which may lead to an undesirable amount of chatter on the console or clutter on the screen.

To redirect the traffic to a file instead of displaying it on the console, edit your /etc/syslog.conf file as follows:

Change this:

*.err;kern.notice;auth.notice /dev/sysmsg

To this:

*.err;kern.notice /dev/sysmsg

auth.notice /var/adm/authlog

Important: Make sure that you use tabs, not spaces, to separate the facility.priority information (on the left) from the action field (on the right). Using spaces will cue syslog to ignore the entire line.

Before you upgrade your operating system, you must leave the domain, uninstall the domain join GUI, and uninstall the agent. Then, make sure you are using the correct agent for the new version of your operating system, install it, and rejoin the domain.

If, for example, you plan to upgrade your operating system from Mac OS X 10.5 (Leopard) to Mac OS X 10.6 (Snow Leopard), you must first leave the domain and uninstall the current agent. Then, after upgrading your operating system, install the correct agent for the new version of the operating system and join the domain again. See Uninstall the Agent on a Mac.

When Likewise joins a computer to an Active Directory domain, it uses the hostname of the computer to create the name of the computer object in Active Directory. From the hostname, the Likewise domain join tool attempts to derive a fully qualified domain name. By default, the Likewise domain join tool creates the Linux and Unix machine accounts in the default Computers container in Active Directory.

You can, however, choose to pre-create machine accounts in Active Directory before you join your computers to the domain. When you join a computer to a domain, Likewise associates the computer with the pre-existing machine account when Likewise can find it. To locate the machine account, Likewise first looks for a machine account with a DNS hostname that matches the hostname of the computer. If the DNS hostname is not set, Likewise then looks for the name of a machine account that matches the computer's hostname, but only when the computer's hostname is 15 characters or less. Therefore, when the hostname of your computer is more than 15 characters, you should set the DNS hostname for the machine account to ensure that the correct machine account is found. If no match is found, Likewise creates a machine account.

The location of the domain join command-line utility is as follows:

/opt/likewise/bin/domainjoin-cli

After you join a domain for the first time, you must restart the computer before you can log on. If you cannot restart the computer, you must restart each service or daemon that looks up users or groups through the standard nsswitch interface, which includes most services that authenticate users, groups, or computers. You must, for instance, restart the services that use Kerberos, such as sshd.

For Linux computers, there is an optional graphical version of the Likewise domain join tool. It is installed on Linux platforms that are running GTK+ version 2.6 or later. For more information, see Join a Linux Computer to Active Directory with the GUI.

Important: On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on for the first time with your Active Directory domain credentials. For more information, see With NetworkManager, Use a Wired Connection to Join a Domain.

Privileges and Permissions

To join a computer to a domain, you must have the user name and password of an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join. Instructions on how to delegate rights to join a computer to a domain are at http://support.microsoft.com/kb/932455. The level of privileges that you need is set by Microsoft Active Directory and is typically the same as performing the corresponding action on a Windows computer. For more information on Active Directory privileges, permissions, and security groups, see the following references on the Microsoft Technet web site: Active Directory Privileges, Active Directory Object Permissions, Active Directory Users, Computers, and Groups, Securing Active Directory Administrative Groups and Accounts.

Removing a Computer from a Domain

You can remove a computer from the domain either by removing the computer's account from Active Directory Users and Computers or by running the domain join tool on the Unix, Linux, or Mac OS X computer that you want to remove; see Leave a Domain.

Creation of Local Accounts

After you join a domain, Likewise creates two local user accounts in the following form: machine-name\Administrator and machine-name\Guest. The administrator account is disabled until you enable it by running the lw-mod-user command with the root account. You will be prompted to reset the password the first time you use the account.

You can view information about these accounts by executing the following command:

/opt/likewise/bin/lw-enum-users

Example output:

User info (Level-2):
====================
Name:                       NISHI-01\Administrator
UPN:                        Administrator@NISHI-01
Generated UPN:              YES
Uid:                        1500
Gid:                        1544
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /
LMHash length:              0
NTHash length:              0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           TRUE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314


User info (Level-2):
====================
Name:                       NISHI-01\Guest
UPN:                        Guest@NISHI-01
Generated UPN:              YES
Uid:                        1501
Gid:                        1546
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /tmp
LMHash length:              0
NTHash length:              0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             TRUE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314

On Linux, Unix, and Mac OS X computers, the location of the domain join command-line utility is as follows:

 /opt/likewise/bin/domainjoin-cli

Important: To run the command-line utility, you must use a root account. To join a computer to a domain, you must have the user name and password of an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join. Instructions on how to delegate rights to join a computer to a domain are at http://support.microsoft.com/kb/932455. After you join a domain for the first time, you must restart the computer before you can log on with your domain account.

When you join a domain by using the command-line utility, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the FQDN in the /etc/hosts file. You can also join a domain without changing the /etc/hosts file; see Join Active Directory Without Changing /etc/hosts.

Before Joining a Domain

To join a domain, the computer's name server must be able to find the domain and the computer must be able to reach the domain controller. You can make sure the name server can find the domain by running this command:

nslookup  domainName

You can verify that your computer can reach the domain controller by pinging it:

ping  domainName

If either of these tests fails, see Check System Health Before Installing the Agent and Solve Domain-Join Problems.

Join a Linux or Unix Computer to Active Directory

Execute the following command as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join likewisedemo.com Administrator

Tip: On Ubuntu, execute the sudo su - command before you run the domainjoin-cli command.

Join a Mac Computer to Active Directory

Using sudo, execute the following command in Terminal, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

sudo /opt/likewise/bin/domainjoin-cli join domainName joinAccount

Example: sudo /opt/likewise/bin/domainjoin-cli join likewisedemo.com Administrator

The terminal prompts you for two passwords: The first is for a user account on the Mac that has administrative privileges; the second is for the account in Active Directory that you specified in the join command.

Join a Linux or Unix Computer to an Organizational Unit

Execute the following command as root, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join --ou Engineering likewisedemo.com Administrator

Join a Linux or Unix Computer to a Nested Organizational Unit

Execute the following command as root, replacing path with the AD path to the OU from the top down, with each node separated by a forward slash (/). In addition, replace organizationalUnitName with the name of the organizational unit that you want to join. Replace domainName with the FQDN of the domain and joinAccount with the user name of an AD account that has privileges to join computers to the target OU:

/opt/likewise/bin/domainjoin-cli join --ou path/organizationalUnitName domainName joinAccount

Here's an example of how to join a deeply nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

The domainjoin-cli command-line interface includes the following options:

Basic Commands

The domain join command-line interface includes the following basic commands:

Advanced Commands

The command-line interface includes advanced commands that you can use to preview the stages of joining or leaving a domain, find out which configurations are required for your system, view information about a module that will be changed, configure a module such as nsswitch, and enable or disable a module. The advanced commands provide a potent tool for troubleshooting issues while configuring a Linux or Unix computer to interoperate with Active Directory.

View a data-flow diagram that shows how systems interact when you join a domain.

Preview the Stages of the Domain Join for Your Computer

To preview the domain, DNS name, and configuration stages that will be used to join a computer to a domain, execute the following command at the command line:

domainjoin-cli join --preview  domainName

Example: domainjoin-cli join --preview likewisedemo.com

Here's an example of the results, which can vary by computer:

[root@rhel4d bin]# domainjoin-cli join --preview likewisedemo.com
Joining to AD Domain:   likewisedemo.com
With Computer DNS Name: rhel4d.likewisedemo.com

The following stages are currently configured to be run during the domain join:
join           - join computer to AD
krb5           - configure krb5.conf
nsswitch       - enable/disable Likewise nsswitch module
start          - start daemons
pam            - configure pam.d/pam.conf
ssh            - configure ssh and sshd

Check Required Configurations

To see a full listing of the modules that apply to your operating system, including those modules that will not be run, execute either the following join or leave command:

domainjoin-cli join --advanced --preview  domainName

domainjoin-cli leave --advanced --preview  domainName

Example: domainjoin-cli join --advanced --preview likewisedemo.com

The result varies by computer:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview likewisedemo.com
Joining to AD Domain:   likewisedemo.com
With Computer DNS Name: rhel4d.likewisedemo.com
    [F] stop           - stop daemons
    [F] hostname       - set computer hostname
    [F] firewall       - open ports to DC
    [F] keytab         - initialize kerberos keytab
[X] [N] join           - join computer to AD
[X] [N] krb5           - configure krb5.conf
[X] [N] nsswitch       - enable/disable Likewise nsswitch module
[X] [N] start          - start daemons
    [F] gdm            - fix gdm presession script for spaces in usernames
[X] [N] pam            - configure pam.d/pam.conf
[X] [S] ssh            - configure ssh and sshd

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
                            requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

View Details about a Module

The Likewise domain join tool includes the following modules -- the components and services that the tool must configure before it can join a computer to a domain:

As the previous section illustrated, you can see the modules that must be configured on your computer by executing the following command:

domainjoin-cli join --advanced --preview  domainName

You can further bore down into the details of the changes that a module will make by using either the following join or leave command:

domainjoin-cli join --details  module domainName  joinAccount

domainjoin-cli leave --details  module domainName  joinAccount

Example: domainjoin-cli join --details nsswitch likewisedemo.com Administrator

The result varies depending on your system's configuration:

domainjoin-cli join --details nsswitch likewisedemo.com Administrator
[X] [N] nsswitch          - enable/disable Likewise nsswitch module

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
                            requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

Details for 'enable/disable Likewise nsswitch module':
The following steps are required and can be performed automatically:
    * Edit nsswitch apparmor profile to allow libraries in the /opt/likewise/lib
        and /opt/likewise/lib64 directories
    * List lwidentity module in /usr/lib/security/methods.cfg (AIX only)
    * Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or
        /etc/netsvc.conf

If any changes are performed, then the following services must be restarted:
    * GDM
    * XDM
    * Cron
    * Dbus
    * Nscd

Turn On or Turn Off Domain Join Modules

You can explicitly enable or disable a module when you join or leave a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

Note: If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

The following command, with either join or leave, can be used to disable a module:

domainjoin-cli join --disable module domainName accountName
domainjoin-cli leave --disable module domainName accountName

Example: domainjoin-cli join --disable pam likewisedemo.com Administrator

To enable a module, execute the following command at the command line:

domainjoin-cli join --enable module domainName accountName

Example: domainjoin-cli join --enable pam likewisedemo.com Administrator

Configuration and Debugging Commands

The domainjoin-cli tool includes commands for debugging the domain-join process and for configuring or preconfiguring a module. You can, for example, run the configure command to preconfigure a system before you join a domain -- a useful strategy when you are deploying Likewise in a virtual environment and you need to preconfigure the nsswitch, ssh, or PAM module of the target computers to avoid having to restart them after they are added to the domain. Here's an example with nsswitch:

domainjoin-cli configure --enable nsswitch

The following commands, viewable by running domainjoin-cli --help-internal, are available:

    fixfqdn
    configure { --enable | --disable } pam [--testprefix <dir>]
    configure { --enable | --disable } nsswitch [--testprefix <dir>]
    configure { --enable | --disable } ssh [--testprefix <dir>]
    configure { --enable | --disable } [--testprefix <dir>] 
               [--long <longdomain>] [--short <shortdomain>] krb5
    configure { --enable | --disable } firewall [--testprefix <dir>]
    configure { --enable | --disable } eventfwdd
    configure { --enable | --disable } reapsysld
    get_os_type
    get_arch
    get_distro
    get_distro_version
    raise_error <error code | error name | 0xhex error code>

When you join a computer to a domain by using the Likewise domain join tool, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and automatically sets the computer’s FQDN in the /etc/hosts file.

To join a Linux computer to the domain without changing the /etc/hosts file, execute the following command as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join --disable hostname domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join --disable hostname likewisedemo.com Administrator

After you join a domain for the first time, you must restart the computer before you can log on.

If the Computer Fails to Join the Domain

Make sure the computer's FQDN is correct in /etc/hosts. For the computer to process tickets in compliance with the Kerberos protocol and to function properly when it uses cached credentials in offline mode or when its DNS server is offline, there must be a correct FQDN in /etc/hosts. For more information on GSS-API requirements, see RFC 2743.

You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command:

ping -c 1 `hostname`

When you execute this command, the computer looks up the primary host entry for its hostname. In most cases, this means that it looks for its hostname in /etc/hosts, returning the first FQDN name on the same line. So, for the hostname qaserver, here's an example of a correct entry in /etc/hosts:

10.100.10.10 qaserver.corpqa.likewise.com qaserver

If, however, the entry in /etc/hosts incorrectly lists the hostname (or anything else) before the FQDN, the computer's FQDN becomes, using the malformed example below, qaserver:

10.100.10.10 qaserver qaserver.corpqa.likewise.com

If the host entry cannot be found in /etc/hosts, the computer looks for the results in DNS instead. This means that the computer must have a correct A record in DNS. If the DNS information is wrong and you cannot correct it, add an entry to /etc/hosts.

A graphical user interface for joining a domain is included when you install the Likewise agent.

Important: To join a computer to a domain, you must have the user name and password of a user who has privileges to join computers to a domain and the full name of the domain that you want to join.

After you join a domain for the first time, you must restart the computer before you can log on.

To join a computer running Mac OS X 10.4 or later to an Active Directory domain, you must have administrative privileges on the Mac and privileges on the Active Directory domain that allow you to join a computer.

With Likewise Enterprise, the domain join utility includes a tool to migrate a Mac user's profile from a local user account to the home directory specified for the user in Active Directory; see Migrate a User Profile on a Mac.

dscl . -delete /Computers
dscl /Search -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController
dscl /Search -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController

If you have write privileges only for an organizational unit in Active Directory, you can still use Likewise. Your AD rights to create objects in an OU allow you to join Linux and Unix computers to the OU even though you do not have Active Directory Domain Administrator or Enterprise Administrator privileges. (See Delegate Control to Create Container Objects.)

There are additional limitations to this approach:

Join a Linux Computer to an Organizational Unit

To join a computer to a domain, you must have the user name and password of an account that has privileges to join computers to the OU and the full name of the domain that you want to join. The OU path is from the top OU down to the OU that you want.

As root, execute the following command, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join -- ou organizationalUnitName domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join -- ou Engineering likewisedemo.com Administrator

Example of how to join a nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

After you join a domain for the first time, you must restart the computer before you can log on.

To rename a computer that has been joined to Active Directory, you must first leave the domain. You can then rename the computer by using the domain join command-line interface. After you rename the computer, you must rejoin it to the domain. Renaming a joined computer requires the user name and password of a user with privileges to join a computer to a domain.

Important: Do not change the name of a Linux, Unix, or Mac computer by using the hostname command because some distributions do not permanently apply the changes.

Rename a Computer by Using the Command-Line Tool

The following procedure removes a Unix or Linux computer from the domain, renames the computer, and then rejoins it to the domain.

Rename a Computer by Using the Domain Join Tool GUI

When Likewise adds a computer to a domain, it modifies some system files. The files that are modified depend on the platform, the distribution, and the system's configuration. The following files might be modified.

To see a listing of the changes that joining a domain will make to your operating system, execute the following join command:

domainjoin-cli join --advanced --preview domainName

Note: Not all the following files are present on all computers.

As an example, the following table lists the files that are modified for the default configuration of the operating system of a few selected platforms.

On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on with your Active Directory domain credentials.

After you have joined the domain and logged on for the first time with your AD domain credentials by using a non-wireless connection, you can then revert to using your wireless connection because your AD logon credentials are cached. (You will not, however, be notified when your AD password is set to expire until you either run a sudo command or log on by using a non-wireless connection.)

If, instead, you attempt to use a wireless connection when you join the domain, you will be unable to log on your computer with AD domain credentials after your computer restarts.

Here's why: NetworkManager is composed of a daemon that runs at startup and a user-mode application that runs only after you log on. NetworkManager is typically configured to auto-start wired network connections when they are plugged in and wireless connections when they are detected. The problem is that the wireless network is not detected until the user-mode application starts -- which occurs only after you have logged on.

Information about NetworkManager is available at http://projects.gnome.org/NetworkManager/.

Likewise includes the following logon options:

Important: When you log on from the command line, you must use a slash to escape the slash character, making the logon form DOMAIN//username.

To use UPN names, you must raise your Active Directory forest functional level to Windows Server 2003, but raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from the domain. For more information, see About Schema Mode and Non-Schema Mode.

When you log on a Linux, Unix, or Mac OS X computer by using your domain credentials, Likewise uses the Kerberos protocol to connect to Active Directory's key distribution center, or KDC, to establish a key and to request a Kerberos ticket granting ticket (TGT). The TGT lets you log on to other computers joined to Active Directory or applications provisioned with a service principal name and be automatically authenticated with Kerberos and authorized for access through Active Directory.

After logon, Likewise stores the password in memory and securely backs it up on disk. You can, however, configure Likewise to store logon information in a SQLite database, but it is not the default method. The password is used to refresh the user's Kerberos TGT and to provide NTLM-based single sign-on through the Likewise GSSAPI library. In addition, the NTLM verifier hash -- a hash of the NTLM hash -- is stored to disk to handle offline logons by comparing the password with the cached credentials.

Likewise stores an NTLM hash and LM hash only for accounts in Likewise's local provider. The hashes are used to authenticate users over CIFS. Since Likewise does not support offline logons for domain users over CIFS, it does not store the LM hash for domain users.

See Also

About Single Sign-On

Configure Putty for Windows-Based SSO

Log On and Verify Your Kerberos Tickets

After the Likewise agent has been installed and the Linux or Unix computer has been joined to a domain, you can log on with your Active Directory credentials, either from the command line or interactively through the system console. After you join a domain for the first time, you must reboot your computer before you can log on interactively through the console.

You can log on with SSH by executing the ssh command at the shell prompt in the following format:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

To troubleshoot a problem with a user who cannot log on a to Linux or Unix computer, perform the following series of diagnostic tests sequentially.

To troubleshoot problems logging on a Linux computer with Active Directory credentials after you joined the computer to a domain, perform the following series of diagnostic tests sequentially with a root account. The tests can also be used to troubleshoot logon problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

Make Sure You Are Joined to the Domain

Execute the following command:

/opt/likewise/bin/domainjoin-cli query

If you are not joined, see Join Active Directory with the Command Line.

Check Whether You Are Using a Valid Logon Form

When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username. Example: likewisedemo.com\hoenstiv.

When logging on from the command line, you must escape the slash character with a slash character, making the logon form DOMAIN\\username. Example: likewisedemo.com\\hoenstiv.

To view a list of logon options, see About Logging On.

Clear the Cache

You might need to clear the cache to ensure that the client computer recognizes the user's ID. See Clear the Authentication Cache.

Destroy the Kerberos Cache

Clear the Likewise Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command with the user account that you are troubleshooting:

/opt/likewise/bin/kdestroy

Check the Status of the Likewise Authentication Daemon

Check the status of the authentication daemon on a Unix or Linux computer running the Likewise Agent by executing the following command as the root user:

/opt/likewise/bin/lwsm status lsass

lsassd is stopped

lsassd (pid 1783) is running...

Check Communication between the Likewise Daemon and AD

Verify that the Likewise daemon can exchange data with AD by executing this command:

/opt/likewise/bin/lw-get-dc-name FullDomainName

Example: /opt/likewise/bin/lw-get-dc-name likewisedemo.com

Verify that Likewise Can Find a User in AD

Verify that the Likewise agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:

/opt/likewise/bin/lw-find-user-by-name domainName\\ADuserName

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hab

Make Sure the AD Authentication Provider Is Running

Likewise includes two authentication providers:

If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:

/opt/likewise/bin/lw-get-status

A healthy result should look like this:

LSA Server Status:
Agent version: 5.0.0
Uptime:        2 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
        Status:   Online
        Mode:     Local system
[Authentication provider: lsa-activedirectory-provider]
        Status:   Online
        Mode:     Un-provisioned
        Domain:   likewisedemo.com
        Forest:   likewisedemo.com
        Site:     Default-First-Site-Name

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication daemon.

If the result looks like the line below, check the status of the Likewise daemons to make sure they are running.

Failed to query status from LSA service.
The LSASS server is not responding.

Run the id Command to Check the User

Run the following id command to check whether nsswitch is properly configured to handle AD user account information:

id DOMAIN\\username

Example: id likewisedemo\\kathy

If the command does not show information for the user, check whether the /etc/nsswitch.conf file is properly configured for passwd and group: Both entries should include the lsass parameter.

If /etc/nsswitch.conf is properly configured, the Likewise name service libraries might be missing or misplaced. It is also possible that the LD_PRELOAD or LD_LIBRARY_PATH variables are defined without including the Likewise libraries.

Switch User to Check PAM

Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:

su DOMAIN\\username

Example: su likewisedemo\\hoenstiv

Test SSH

Check whether you can log on with SSH by executing the following command:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

If you believe the issue might be specific to SSH, see troubleshooting SSH SSO.

Run the Authentication Daemon in Debug Mode

To troubleshoot the lookup of a user or group ID, you can set the Likewise authentication daemon to run in debug mode and show the log in the console by executing this command:

/opt/likewise/sbin/lsassd --loglevel debug

Check Nsswitch.Conf

Make sure /etc/nsswitch.conf is configured correctly to work with Likewise. For more information, see Configuring Clients Before Agent Installation.

On HP-UX, Escape Special Characters at the Console

When you log on to the console on some versions of HP-UX, such as 11.23, you might need to escape special characters, such as @ and #, by preceding them with a slash (\). For more information, see your HP-UX documentation.

Additional Diagnostic Tools

There are additional command-line utilities that you can use to troubleshoot logon problems in the following directory:

 /opt/likewise/bin

See Also

Resolve an AD Alias Conflict with a Local Account

Here are the top 10 reasons that an attempt to join a domain fails:

See Also

Generate a Domain-Join Log

To troubleshoot problems with joining a Linux computer to a domain, perform the following series of diagnostic tests sequentially on the Linux computer with a root account. The tests can also be used to troubleshoot domain-join problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

The procedures in this topic assume that you have already checked whether the problem falls under the Top 10 Reasons Domain Join Fails. It is also recommended that you generate a domain-join log.

Verify that the Name Server Can Find the Domain

Run the following command as root:

nslookup YourADrootDomain.com

Make Sure the Client Can Reach the Domain Controller

You can verify that your computer can reach the domain controller by pinging it:

ping YourDomainName

Verify that Outbound Ports Are Open

Run the following command as root:

domainjoin-cli join --details firewall likewisedemo.com

The results of the command show whether you must open any ports.

For a list of ports that must be open on the client, see Make Sure Outbound Ports Are Open.

Check DNS Connectivity

The computer might be using the wrong DNS server or none at all. Make sure the nameserver entry in /etc/resolv.conf contains the IP address of a DNS server that can resolve the name of the domain you are trying to join. The IP address is likely to be that of one of your domain controllers.

Make Sure nsswitch.conf Is Configured to Check DNS for Host Names

The /etc/nsswitch.conf file must contain the following line. (On AIX, the file is /etc/netsvc.conf.)

hosts: files dns

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

Generate a Domain-Join Log

To log information about your attempt to join a domain, you can use the command-line utility's log option with the join command. The log option captures information about the attempt to join the domain on the screen or in a file.

After you generate a log, review it for information that might help solve the problem.

Ensure that DNS Queries Are Not Using the Wrong Network Interface Card

If the computer is multi-homed, the DNS queries might be going out the wrong network interface card. Temporarily disable all the NICs except for the card on the same subnet as your domain controller or DNS server and then test DNS lookups to the AD domain. If this works, re-enable all the NICs and edit the local or network routing tables so that the AD domain controllers are accessible from the host.

Determine Whether the DNS Server Is Configured to Return SRV Records

Your DNS server must be set to return SRV records so the domain controller can be located. It is common for non-Windows (bind) DNS servers to not be configured to return SRV records.

Diagnose it by executing the following command:

nslookup -q=srv _ldap._tcp. ADdomainToJoin.com

Make Sure that the Global Catalog Is Accessible

The global catalog for Active Directory must be accessible. A global catalog in a different zone might not show up in DNS. Diagnose it by executing the following command:

nslookup -q=srv _ldap._tcp.gc._msdcs. ADrootDomain.com

From the list of IP addresses in the results, choose one or more addresses and test whether they are accessible on Port 3268 by using telnet.

telnet 192.168.100.20 3268

Trying 192.168.100.20... Connected to sales-dc.likewisedemo.com (192.168.100.20). Escape character is '^]'. Press the Enter key to close the connection: Connection closed by foreign host.  

Verify that the Client Can Connect to the Domain on Port 123

The following test checks whether the client can connect to the domain controller on Port 123 and whether the Network Time Protocol (NTP) service is running on the domain controller. For the client to join the domain, NTP -- the Windows time service -- must be running on the domain controller.

On a Linux computer, run the following command as root:

ntpdate -d -u  DC_hostname 

Example: ntpdate -d -u sales-dc

For more information, see Diagnose NTP on Port 123.

In addition, check the logs on the domain controller for errors from the source named w32tm, which is the Windows time service.

An inaccessible trust can block you from successfully joining a domain. If you know that there are inaccessible trusts in your Active Directory network, you can set Likewise to ignore all the trusts before you try to join a domain. To do so, use the lwconfig tool to modify the values of the DomainManagerIgnoreAllTrusts setting.

First, list the available trust settings:

/opt/likewise/bin/lwconfig --list | grep -i trust

The results will look something like this. The setting at issue is DomainManagerIgnoreAllTrusts.

DomainManagerIgnoreAllTrusts
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList

Second, list the details of the DomainManagerIgnoreAllTrusts setting to see the values it accepts:

[root@rhel5d bin]# ./lwconfig --details DomainManagerIgnoreAllTrusts
Name: DomainManagerIgnoreAllTrusts
Description: When true, ignore all trusts during domain enumeration.
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.

Third, change the setting to true so that Likewise will ignore trusts when you try to join a domain.

[root@rhel5d bin]# ./lwconfig DomainManagerIgnoreAllTrusts true

Finally, check to make sure the change took effect:

[root@rhel5d bin]# ./lwconfig --show DomainManagerIgnoreAllTrusts
boolean
true
local policy

Now try to join the domain again. If successful, keep in mind that only users and groups who are in the local domain will be able to log on the computer.

In the example output above that shows the setting's current values, local policy is listed -- meaning that the policy is managed locally through lwconfig because a Likewise Enterprise group policy is not managing the setting. Typically, with Likewise Enterprise, you would manage the DomainManagerIgnoreAllTrusts policy by using the corresponding group policy, but you cannot apply group policies to the computer until after it is added to the domain. The corresponding Likewise group policy is named Lsass: Ignore all trusts during domain enumeration. For more information on the domain manager group policies to set whitelists and blacklists for trusts, see the Group Policy Administration Guide.

For information on the arguments of lwconfig, run the following command:

/opt/likewise/bin/lwconfig --help

This section lists solutions to common errors that can occur when you try to join a domain.

Warning: A resumable error occurred while processing a module.
Even though the configuration of 'krb5' was executed, the configuration did not
fully complete. Please contact Likewise support.

Error: chkconfig failed [code 0x00080019]

When you use the Likewise domain-join utility to join a Linux or Unix client to a domain, the utility might be unable to contact the domain controller on Port 123 with UDP. The Likewise agent requires that Port 123 be open on the client so that it can receive NTP data from the domain controller. In addition, the time service must be running on the domain controller.

You can diagnose NTP connectivity by executing the following command as root at the shell prompt of your Linux machine:

ntpdate -d -u DC_hostname 

Example: ntpdate -d -u sales-dc

If all is well, the result should look like this:

[root@rhel44id ~]# ntpdate -d -u sales-dc
2 May 14:19:20 ntpdate[20232]: ntpdate 4.2.0a@1.1190-r Thu Apr 20 11:28:37 EDT 2006 (1)
Looking for host sales-dc and service ntp
host found : sales-dc.likewisedemo.com
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
server 192.168.100.20, port 123
stratum 1, precision -6, leap 00, trust 000
refid [LOCL], delay 0.04173, dispersion 0.00182
transmitted 4, in filter 4
reference time:    cbc5d3b8.b7439581  Fri, May  2 2008 10:54:00.715
originate timestamp: cbc603d8.df333333  Fri, May  2 2008 14:19:20.871
transmit timestamp:  cbc603d8.dda43782  Fri, May  2 2008 14:19:20.865
filter delay:  0.04207  0.04173  0.04335  0.04178
 0.00000  0.00000  0.00000  0.00000
filter offset: 0.009522 0.008734 0.007347 0.005818
 0.000000 0.000000 0.000000 0.000000
delay 0.04173, dispersion 0.00182
offset 0.008734
2 May 14:19:20 ntpdate[20232]: adjust time server 192.168.100.20 offset 0.008734 sec

Output When There Is No NTP Service

If the domain controller is not running NTP on Port 123, the command returns a response such as no server suitable for synchronization found, as in the following output:

5 May 16:00:41 ntpdate[8557]: ntpdate 4.2.0a@1.1190-r Thu Apr 20 11:28:37 EDT 2006 (1)
Looking for host RHEL44ID and service ntp
host found : rhel44id.likewisedemo.com
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
127.0.0.1: Server dropped: no data
server 127.0.0.1, port 123
stratum 0, precision 0, leap 00, trust 000
refid [127.0.0.1], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Wed, Feb  6 2036 22:28:16.000
originate timestamp: 00000000.00000000  Wed, Feb  6 2036 22:28:16.000
transmit timestamp:  cbca101c.914a2b9d  Mon, May  5 2008 16:00:44.567
filter delay:  0.00000  0.00000  0.00000  0.00000
 0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
 0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000
5 May 16:00:45 ntpdate[8557]: no server suitable for synchronization found

The Apache web server locks the keytab file, which can block an attempt to join a domain. If the computer is running Apache, stop Apache, join the domain, and then restart Apache.

To quickly change an end-user setting for the Likewise agent, you can run the lwconfig command-line tool as root:

/opt/likewise/bin/lwconfig

The syntax to change the value of a setting is as follows, where setting is replaced by the registry entry that you want to change and value by the new value that you want to set:

/opt/likewise/bin/lwconfig setting value

Here's an example of how to use lwconfig to change the AssumeDefaultDomain setting:

[root@rhel5d bin]# ./lwconfig --detail AssumeDefaultDomain 
Name: AssumeDefaultDomain
Description: Apply domain name prefix to account name at logon
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.

[root@rhel5d bin]# ./lwconfig AssumeDefaultDomain true 

[root@rhel5d bin]# ./lwconfig --show AssumeDefaultDomain 
boolean
true
local policy

To view the settings that you can change with lwconfig, execute the following command:

/opt/likewise/bin/lwconfig --list

You can also import and apply a number of settings with a single command by using the --file option combined with a text file that contains the settings that you want to change followed by the values that you want to set. Each setting-value pair must be on a single line. For example, the contents of my flat file, named newRegistryValuesFile and saved to the desktop of my Red Hat computer, looks like this:

AssumeDefaultDomain true
RequireMembershipOf "likewisedemo\\support" "likewisedemo\\domain^admins"
HomeDirPrefix /home/ludwig
LoginShellTemplate /bash/sh

To import the file and automatically change the settings listed in the file to the new values, I would execute the following command as root:

/opt/likewise/bin/lwconfig --file /root/Desktop/newRegistryValuesFile

You can add domain users to your local groups on a Linux, Unix, and Mac OS X computer by placing an entry for the user or group in the /etc/group file. Adding an entry for an Active Directory user to your local groups can give the user local administrative rights. The entries must adhere to the following rules:

So, for users and groups without an alias, the form of an entry is as follows:

root:x:0:LIKEWISEDEMO\kristeva

For users and groups with an alias, the form of an entry is as follows:

root:x:0:kris

In /etc/group, the slash character separating the domain name from the account name does not typically need to be escaped.

Tip: On Ubuntu, you can give a domain user administrative privileges by adding the user to the admin group as follows:

admin:x:119:LIKEWISEDEMO\bakhtin

On a Mac OS X computer, you can AD users to a local group with Apple's directory service command-line utility: dscl. In dscl, go to the /Local/Default/Groups directory and then add users to a group by using the append command.

When you add Active Directory entries to your sudoers file -- typically, /etc/sudoers --  you must adhere to at least the following rules:

So, for users and groups without an alias, the form of an entry in the sudoers file is as follows:

DOMAIN\\username

DOMAIN\\groupname

Example entry of a group:

% LIKEWISEDEMO\\LinuxFullAdmins ALL=(ALL) ALL

Example entry of a user with an alias:

kyle ALL=(ALL) ALL

For more information about how to format your sudoers file, see your computer's man page for sudo.

Check a User's Canonical Name on Linux

To determine the canonical name of a Likewise user on Linux, execute the following command, replacing the domain and user in the example with your domain and user:

getent passwd likewisedemo.com\\hab

LIKEWISEDEMO\hab:x:593495196:593494529: Jurgen Habermas:/home/local/ LIKEWISEDEMO/ hab:/bin/ sh

In the results, the user's Likewise canonical name is the first field.

Although Likewise searches a number of common locations for your sudoers file, on some platforms Likewise might not find it. In such cases, you can specify the location of your sudoers file by adding the following line to the Sudo GP Extension section of /etc/likewise/grouppolicy.conf:

SudoersSearchPath = /your/search/path

Example: SudoersSearchPath = "/opt/sfw/etc";

Here's an example in the context of the /etc/likewise/grouppolicy.conf file:

[{20D139DE-D892-419f-96E5-0C3A997CB9C4}]
Name = "Likewise Enterprise Sudo GP Extension";
DllName = "liblwisudo.so";
EnableAsynchronousProcessing = 0;
NoBackgroundPolicy = 0;
NoGPOListChanges = 1;
NoMachinePolicy = 0;
NoSlowLink = 1;
NoUserPolicy = 1;
PerUserLocalSettings = 0;
ProcessGroupPolicy = "ProcessSudoGroupPolicy";
ResetGroupPolicy = "ResetSudoGroupPolicy";
RequireSuccessfulRegistry = 1;
SudoersSearchPath = "/opt/sfw/etc";

On AIX, you can set up audit classes to monitor the activities of users who log on with their Active Directory credentials. The file named /etc/likewise/auditclasses.sample is a template that you can use to set up audit classes for AD users.

To set up an audit class, make a copy of the file, name it /etc/likewise/auditclasses, and then edit the file to specify the audit classes that you want.

After you set up audit classes for a user, the auditing will take place the next time the user logs in.

The sample Likewise auditclasses file looks like this:

#
# Sample auditclasses file.
#
# A line with no label specifies the default audit classes for
# users that are not explicitly listed:
#
general, files
#
# A line starting with a username specifies the audit classes for
# that AD user.  The username must be specified as the "canonical"
# name for the user: either "DOMAIN\username" or just "username"
# if "--assumeDefaultDomain yes" was passed to domainjoin-cli
# with "--userDomainPrefix DOMAIN".  In Likewise Enterprise, if
# the user has an alias specified in the cell the alias name must
# be used here.
# 
DOMAIN\user1: general, files, tcpip
user2: general, cron
#
# A line starting with an @ specifies the audit classes for members
# of an AD group.  These classes are added to the audit classes
# for the user (or the default, if the user is not listed here).
# Whether to specify "DOMAIN\groupname" or just "groupname" follows
# the same rules as for users.
#
@DOMAIN\mail_users: mail
group2: cron

For information on AIX audit classes, see the IBM documentation for your version of AIX.