Ubuntu and Likewise Open



Webinar Replay:
Joining Ubuntu Systems to Active Directory Using Likewise

Q and A Session from 9.9.2009

Here is a sampling from our post-webinar Q and A chat session from webinar participants.

How could one map their home drive to network storage / share?
You can map your NFS based home directory with our Automount map.

Are any changes needed to be made on the Ubuntu machine or in AD to accept the Domain Credentials?
The join process makes the changes for you in /etc/nsswitch.conf to point to our PAM module. We also make additional changes to /etc/pam.d/ files to point to our PAM module for specific applications.

How does the AD account map or get associated with the local account?
We don't add your AD account to the local account file (/etc/passwd). We are simply another module Ubuntu refers to when you attempt to log in.

What changes need to be made to the client-side iptables firewall to make this work?
Our documentation on our website lists the specific ports that need to be opened up.

If I have 20,000 users in AD will the Agent create an ID for each user in each server I have the agent installed?
We generate a user ID from a user's SID which is centrally stored in AD. With Likewise Open, while you have no control over your user ID, they will be the same on all Likewise joined machines as they use the same algorithm to generate a user ID out of your SID stored in AD.

Can he talk about the cost of Likewise Enterprise?
See pricing information for Likewise Enterprise here:
http://www.likewise.com/products/pricing.php

Can you map your NFS based home directory with our Automount map?
Yes, you can do this manually or use our Automount GPO to centrally manage NFS mounted home directories. All rules about NFS mounted home directories apply regardless of whether you are using LW or not.

If you are joining a specific ou (say a computer part of the 'research' group of likewise) what would be the syntax? Such as ou=research,dc=likewise?
To join to a nested OU:
domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

For more information, please visit this link to our documentation:
http://www.likewise.com/resources/documentation_library/manuals/lwe/likewise-enterprise-guide.html#JoinWithCommandLine

I noticed that you had the cache expiration time set very low (1 minute) in your test environment, is there a specific reason why you have this set so low, from the default of 4 hours?
This was done for testing and demo purposes. Sometimes we are asked to do things in the demo that are outside the normal day-to-day operations. Things like OU structures and nested groups don't usually change as rapidly in a production environment.

How do you handle time synchronization between the Linux machine and the ADC machine?
Time sync can happen a couple of ways:

  • During the domain join process, the default is that the Linux system syncs with the DC.
  • If you are using NTP already and your DCs are also using a single authoritative NTP service, then you can specify not to sync with the DC during the domain join and just rely on NTP. This is an option in our CLI.

When you log into a server/desktop how do you differentiate between an AD account login and a local Unix account login?
By default, LW works with NSSWITCH to manage which Identity Store to check and in which order. By default, PAM will check FILES (local) first, then LSASS (AD) second. If properly designed, you shouldn't have local users in the PASSWD file. If you do and the username matches your AD username, then your local username would always be hit first and never go to AD. To force AD authentication, you have to specify the DOMAIN\USERNAME for interactive login or use DOMAIN\\USERNAME for things like SSH.
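
The lookup order described in this answer can be audited with a short script. This is an added example, not part of the webinar session or Likewise's own tooling; the function names are hypothetical, and the sample nsswitch.conf, passwd entries and AD name list are constructed for illustration.

```shell
#!/bin/sh
# Audit sketch: find local accounts that would be resolved before an AD
# account of the same name when "files" precedes "lsass" in nsswitch.conf.

# Print the sources on the "passwd:" line, in lookup order,
# skipping action items such as [NOTFOUND=return].
passwd_sources() {
    awk '$1 == "passwd:" {
             for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
             exit
         }' "$1"
}

# Succeed when a local source (files or compat) is consulted before lsass.
local_before_ad() {
    passwd_sources "$1" | awk '
        $1 == "files" || $1 == "compat" { if (!l) l = NR }
        $1 == "lsass"                   { if (!a) a = NR }
        END { exit !(l && a && l < a) }'
}

# Print names in a passwd file ($1) that also appear in a list of
# AD short names ($2, one per line). Exact-match comparison.
shadowed_names() {
    awk -F: 'FILENAME == ARGV[1] { ad[$1] = 1; next }
             !/^#/ && ($1 in ad) { print $1 }' "$2" "$1"
}

# Constructed sample data: one local account (jsmith) collides with AD.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files lsass\ngroup: files lsass\n' > "$d/nsswitch.conf"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'jsmith:x:1001:1001::/home/jsmith:/bin/bash' > "$d/passwd"
    printf 'jsmith\nadoe\n' > "$d/ad_names"
    if local_before_ad "$d/nsswitch.conf"; then
        shadowed_names "$d/passwd" "$d/ad_names"
    fi
    rm -rf "$d"
}

demo
```

On a real host, pass /etc/nsswitch.conf and /etc/passwd to the functions along with an exported list of AD account names; any name printed is a candidate for removal or renaming in the local file.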

Can Likewise Open do Single Sign-On (shared uid/gid) in Ubuntu?
Likewise supports SSO in Open, UID GID Module, and Enterprise.

How do I run apache under an active directory account?
Likewise does support the import of “service” accounts in AD. Importing “service” accounts follows a similar migration process as interactive user accounts.

Are there any Linux based tools for the AD management in your package?
Yes. With Likewise Enterprise we provide the Likewise Administrative Console to provide you with Linux tools for ADUC, GPMC, GPOE, and Event Viewer.

For more information, please visit this link to our documentation:
http://www.likewise.com/resources/documentation_library/manuals/lwe/likewise-enterprise-guide.html#id2641741

Does Likewise Enterprise have a GUI for AD similar to Windows Server AD?
Yes.

For more information, please visit this link to our documentation:
http://www.likewise.com/resources/documentation_library/manuals/lwe/likewise-enterprise-guide.html#id2641741

In which file does Likewise Open store the Win SID to Unix ID mappings?
SID to UID / GID mapping happens dynamically and is not stored in any local files.

What versions of AD are supported currently and how long after a new AD release is Likewise updated to support it?

  • Windows 2000 SP4
  • Windows 2003 SP1 or SP2 Standard and Enterprise
  • Windows 2008

We partner closely with Microsoft and strive to support new AD platforms before they are generally available to the public.

Is LW ready for Windows Server 2008 AD?
Yes.