2912769 Likewise Open Guide
-
Upload
alysonbalbino -
Category
Documents
-
view
216 -
download
0
Transcript of 2912769 Likewise Open Guide
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 1/72
9
Copyright © 2008 Likewise Software. All rights reserved. 04.10.2008.
Product Documentation
Likewise Open
Likewise Open Installation
And Administration GuideIN THIS DOCUMENT
• Downloading Likewise Open.
• Installing the Likewise Open Agent.
• Joining an Active Directorydomain.
• Managing and troubleshootingthe agent.
Abst ract
Likewise Open joins Linux, Unix, and Mac OS X computers to Microsoft
Active Directory so that you can centrally manage all your computers,
authenticate users, and authorize access to resources. This guide
describes how to install and administer Likewise Open, an open source
version of Likewise that includes the Likewise Agent. The guide covers
installing the agent, joining an Active Directory domain, and troubleshootin
the agent.
Likewise Open is free to download and use according to the terms of the
GNU General Public License.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 2/72
9
Copyright © 2008 Likewise Software. All rights reserved. 2
Product Documentation
Likewise Open: Installation and Administration Guide
The information contained in this document represents the current view of Likewise
Software on the issues discussed as of the date of publication. Because Likewise
Software must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Likewise, and Likewise Software cannot guarantee the
accuracy of any information presented after the date of publication.
These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES
NO WARRANTIES, EXPRESS OR IMPLIED.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in,
or introduced into a retrieval system, or transmitted in any form, by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Likewise Software.
Likewise may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Likewise, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
Likewise Open is an open source, community project sponsored by Likewise Software to
provide fast and easy integration into networks using Microsoft Active Directory. Likewise
Open is licensed under Version 3 of the GNU General Public License so you can
download it for free.
© 2008 Likewise Software. All r ights reserved.
Likewise and the Likewise logo are either registered trademarks or trademarks of
Likewise Software in the United States and/or other countries. All other trademarks are
property of their respective owners.
Likewise Software
15395 SE 30th Place, Suite #140
Bellevue, WA 98007
USA
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 3/72
9
Copyright © 2008 Likewise Software. All rights reserved. 3
Product Documentation
Likewise Open: Installation and Administration Guide
Table of Contents
INTRODUCTION............................................................................6
The Likewise Agent ............................................................................................6
Time Synchronization .......................................................................................7
Using a Network Time Protocol Server.............................................................8
CHECKING SYSTEM HEALTH BEFORE INSTALLATION........10
INSTALLING THE AGENT ..........................................................13
Requirements ....................................................................................................13
Administrator Privileges ..................................................................................13
Active Directory Requirements .......................................................................13
Unix and Linux Requirements for the Agent ...................................................13
Overview of the Installation Process ..............................................................13
Download Likewise Open.................................................................................14
Install the Agent on a L inux Computer ...........................................................14
Install the Agent on a Mac Computer .............................................................15
Install the Agent on a Mac in Unattended Mode ............................................16
Using Command-Line Tools to Deploy Agents .............................................17
Upgrade to the Latest Agent............................................................................18
Uninstall the Agent on a Linux or Unix Computer.........................................18
Uninstall BitRock Installations on Linux ..........................................................18
Uninstall BitRock Installations on Unix ...........................................................19
Uninstall the Agent on a Mac...........................................................................19
JOINING ACTIVE DIRECTORY ..................................................20
Removing a Computer from a Domain ...........................................................20
Files Modi fied During a Domain Join ..............................................................20
Join Acti ve Directory wi th the Command Line ..............................................21
Join a Linux Computer to Active Directory......................................................22
Join a Unix Computer to Active Directory .......................................................22
Join a Mac Computer to Active Directory .......................................................22
Join a Linux Computer to an Organizational Unit ...........................................23
Options and Basic Commands........................................................................23
Options............................................................................................................23
Basic Commands............................................................................................24
Advanced Commands ......................................................................................25
Preview the Stages of the Domain Join for Your Computer ...........................25
Check Required Configurations......................................................................26
View Details about a Module ..........................................................................27
Turn On or Turn Off Domain Join Modules.....................................................28
Join Act ive Directory Without Changing /etc/hosts ......................................29
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 4/72
9
Copyright © 2008 Likewise Software. All rights reserved. 4
Product Documentation
Likewise Open: Installation and Administration Guide
If the Computer Fails to Join the Domain .......................................................29
Join a Mac Computer to Acti ve Directory ......................................................30
Instal l the Domain Join GUI .............................................................................31
Uninstal l the Domain Join GUI ........................................................................33
Join a Linux Computer to Active Directory with the GUI..............................33
Use Likewise with a Single OU........................................................................36
Join a Linux Computer to an Organizational Unit ...........................................36
Set the Home Directory and Shell for Domain Users ....................................37
Log On a JoinedComputer with Active Directory Credentials .....................38
Rename a Joined Computer ............................................................................39
Rename a Computer by Using the Command-Line Tool................................39
Rename a Computer by Using the Domain Join Tool ....................................40
Leave a Domain .................................................................................................42
The Computer Account in Active Directory.....................................................42
Remove a Linux Computer from a Domain ....................................................43
Remove a Unix Computer from a Domain ......................................................43
Remove a Mac from a Domain .......................................................................43
Remove a Mac with the Command Line.........................................................43
USING SINGLE SIGN ON............................................................44
Configure SSH for SSO ....................................................................................46
FTP .....................................................................................................................48
Log On and Verify Your Kerberos Ticket .......................................................49
Perform an Authenticated LDAP Search ........................................................49
rlogin ..................................................................................................................51
rsh.......................................................................................................................52
Telnet..................................................................................................................52
Use Firefox to Single Sign-On Int ranet Sites .................................................53
TROUBLESHOOTING THE AGENT ...........................................54
Check Authent ication .......................................................................................54
Troubleshoot ...................................................................................................54
Check the Status o f the Authentication Daemon ..........................................54
Mac OS X........................................................................................................55
Check the Vers ion and Bui ld Number ............................................................55
Check the Version Number of the Agent ........................................................55
Check the Build Number of the Agent ............................................................56
Clear the Authent ication Cache ......................................................................57
Clear the Cache on a Linux Computer ...........................................................58
Determine a Computer's FQDN .......................................................................58
HP-UX.............................................................................................................58
Solaris .............................................................................................................58
Fix the Shell and Home Directory Paths.........................................................59
Generate a Network Trace................................................................................59
Generate a PAM Debug Log.............................................................................59
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 5/72
9
Copyright © 2008 Likewise Software. All rights reserved. 5
Product Documentation
Likewise Open: Installation and Administration Guide
Generate an Authent ication Agent Debug Log ..............................................61
Increase Max Username Leng th on AIX .........................................................61
Make Sure Outbound Ports Are Open ............................................................62
Resolve an AD Al ias Conflict with a Local Account .....................................63
Change Ownership .........................................................................................63
Restart the Authentication Daemon................................................................63
Linux and Unix ................................................................................................63
HP-UX.............................................................................................................64
Mac OS X........................................................................................................64
Working with Solaris Zones.............................................................................64
CONFIGURING THE AGENT ......................................................67
Configure nsswitch.conf ..................................................................................67
Configure resolv.conf .......................................................................................67
Set the Home Directory and Shell for Domain Users ....................................67
PLATFORM SUPPORT ...............................................................69
GET TECHNICAL SUPPORT......................................................72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 6/72
9
Copyright © 2008 Likewise Software. All rights reserved. 6
Product Documentation
Likewise Open: Installation and Administration Guide
Introduction
Likewise Open is an agent that runs on Linux, Unix, and Mac OS Xcomputers so that you can join them to Microsoft Active Directory and
authenticate users in the same way on all your systems.
This guide describes how to install Likewise Open, join computers
running Linux, Unix, or Mac OS X to Microsoft Active Directory, and
manage the Likewise Open Agent.
Likewise Open is free to download and use according to the terms of the
GNU General Public License. To download Likewise Open or obtain the
source code, go to
http://www.likewisesoftware.com/products/likewise_open/ .
The target audience for this document is network directory administrators
who manage access to workstations, servers, and other network
resources within Active Directory. The guide assumes that you know how
to administer Active Directory as well as computers running Linux, Unix,
and Mac OS X.
The Likewise Agent
The agent is installed on Linux and Unix computers and integrates with
the core operating system to implement the mapping for any application
that uses the name service (NSS) or pluggable authentication module
(PAM). An example of a PAM-aware application is the login process
(/bi n/ l ogi n).
The agent acts as a Kerberos 5 client for authentication and as a LDAP
client for authorization.
The Likewise agent has the following daemon:
Agent Daemon Descript ion
Linux: /etc/init.d/likewise-open
Unix: /sbin/init.d/likewise-open
The Likewise authentication
daemon. It handles
authentication, authorization,
caching, and idmap lookups.
The agent also includes two libraries:
• The NSS library: l wi dent i t y. so
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 7/72
9
Copyright © 2008 Likewise Software. All rights reserved. 7
Product Documentation
Likewise Open: Installation and Administration Guide
• The PAM library: pam_l wi dent i t y. so
The agent uses the following ports for outbound traffic. The agent is a
client only; it does not listen on any ports.
Port Protocol Use
53 UDP/TCP DNS
88 UDP/TCP Kerberos
123 UDP NTP
137 UDP NetBIOS Name
Service
139 TCP NetBIOS Session
(SMB)
389 UDP/TCP LDAP
445 TCP SMB over TCP
464 UDP/TCP Machine password
changes (typicallyafter 30 days)
Time Synchronization
For the Likewise agent to communicate over Kerberos with the domain
controller, the clock of the client must be within the domain controller's
maximum clock skew, which is 300 seconds, or 5 minutes, by default.
(For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-
1.4.2/doc/krb5-admin/Clock-Skew.html.)
The clock skew tolerance is a server-side setting. When a client
communicates with a domain controller, it is the domain controller's
Kerberos Key Distribution Center that determines the maximum clock
skew. Changing the maximum clock skew in the client's krb5. conf file
does not affect the clock skew tolerance of the domain controller and will
not unable a client outside the domain controller's tolerance to
communicate with it.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 8/72
9
Copyright © 2008 Likewise Software. All rights reserved. 8
Product Documentation
Likewise Open: Installation and Administration Guide
The clock skew value that is set in the kr b5. conf file of Linux, Unix,
and Mac OS X computers is only useful when the computer is
functioning as a server for other clients.
The domain controller uses the clock skew tolerance to prevent replay
attacks by keeping track of every authentication request within the
maximum clock skew. Authentication requests outside the maximum
clock skew are discarded. When the server receives an authentication
request within the clock skew, it checks the replay cache to make sure
the request is not a replay attack.
For more information, see the following resources:
• Kerberos Authentication Tools and Settings:
http://technet2.microsoft.com/windowsserver/en/library/b36b8071-
3cc5-46fa-be13-280aa43f2fd21033.mspx
• Authentication Errors Caused by Unsynchronized Clocks:
http://technet2.microsoft.com/windowsserver/en/library/6ee8470e-
a0e8-40b2-a84f-dbec6bcbd8621033.mspx
• Kerberos Technical Supplement for Windows:
http://msdn2.microsoft.com/en-us/library/aa480609.aspx
• The Kerberos Network Authentication Service (V5) RFC:
http://www.ietf.org/rfc/rfc4120.txt
• Troubleshooting Kerberos Errors:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
• Kerberos and LDAP Troubleshooting Tips:
http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigr
ation/unix/usecdirw/17wsdsu.mspx
Using a Network Time Protocol Server
If you set the system time on your computer with a Network Time
Protocol (NTP) server, the time value of the NTP server and the time
value of the domain controller could exceed the maximum skew. As a
result, you will be unable to log on your computer.
If you use an NTP server with a cron job, there will be two processes
trying to synchronize the computer's time -- causing a conflict that will
change the computer's clock back and forth between the time of the two
sources.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 9/72
9
Copyright © 2008 Likewise Software. All rights reserved. 9
Product Documentation
Likewise Open: Installation and Administration Guide
Likewise recommends that you configure your domain controller to get its
time from the NTP server and configure the domain controller's clients to
get their time from the domain controller.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 10/72
9
Copyright © 2008 Likewise Software. All rights reserved. 10
Product Documentation
Likewise Open: Installation and Administration Guide
Checking System Health Before Installation
The following table lists items each item to check, describes the item,and suggests corrective action.
Item to Check Corrective Action
Type of operating system Install the agent on a computer that is running a supported operating
system.
Processor type Install the agent on a computer with a supported processor.
Disk usage Increase the amount of disk space available to / opt or / usr .
Contents of / et c/ *rel ease (for
AIX, to determine the osl evel )
Install the agent on a computer that is running a supported operating
system and version.
Network interface and its status Configure the computer so that it has network access and can
communicate with the domain controller.
Contents of the IP routing table If the computer does not use a single default gateway, you must
define a route to a single default gateway.
For example, you can run the r out e - n to view the IP routing table
and set a static route. For more information, see the man pages foryour system.
On Solaris, you may need to create or edit / et c/ def aul t r out er .
On Linux, you can set the default gateway by running the network
utility for your distribution.
Connectivity to the default
gateway
Configure the computer and the network so that the computer can
connect to the default gateway.
Contents of nsswi t ch. conf (or,for AIX, net svc. conf )
The nsswi t ch. conf file must contain the following line:
hosts: f i l es dns
Computers running Solaris, in particular, may not contain this line in nsswi t ch. conf .
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 11/72
9
Copyright © 2008 Likewise Software. All rights reserved. 11
Product Documentation
Likewise Open: Installation and Administration Guide
Item to Check Corrective Action
FQDN Make sure the computer's FQDN is correct in / et c/ hosts .
You can determine the fully qualified domain name of a computer
running Linux, Unix, or Mac OS X by executing the following
command:
pi ng - c 1 `host name`
On HP-UX:
pi ng `host name` - n 1
On Solaris:
FQDN= / usr / l i b/ mai l / sh/ check- host name| cut - d" " -f 7`; echo $FQDN
This command prompts the computer to look up the primary host
entry for its hostname. In most cases, it looks for its hostname in
/ et c/ host s, returning the first FQDN name on the same line. So,
for the hostname qaser ver , here's an example of a correct entry in
/ et c/ host s:
10. 100. 10. 10 qaserver . cor pqa. cent er i s. com qaserver
If, however, the entry in / et c/ hosts incorrectly lists the hostname(or anything else) before the FQDN, the computer's FQDN becomes,
using the malformed example below, qaser ver :
10. 100. 10. 10 qaserver qaserver . cor pqa. cent er i s. com
If the host entry cannot be found in / et c/ hosts , the computer looks
for the results in DNS instead. This means that the computer must
have a correct A record in DNS. If the DNS information is wrong and
you cannot correct it, add an entry to / et c/ hosts .
IP address of local NIC Either update DNS or change the local IP address so that the IP
address of the local network card matches the IP address returned by
DNS for the computer.
Contents of r esol v. conf Compare against the results of the items checked next.
DNS query results for system Either update DNS or change the local IP address so that the IP
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 12/72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 13/72
Copyright © 2008 Likewise Software. All rights reserved. 13
Product Documentation
Likewise Open: Installation and Administration Guide
Installing the Agent
Requirements
This section lists the requirements to use Likewise Open. You must have
at least the following components:
1. An Active Directory domain controller.
2. One or more Unix, Linux, or Mac OS X computers that Likewise
Open supports.
Administrator Privileges
• Root access or sudo permission on the Unix, Linux, and Mac OS X
computers on which you want to install Likewise Open.
• Active Directory credentials that allow you to add computers to an
Active Directory domain -- for example, membership in the Domain
Administrators security group or the Enterprise Administrators security
group.
Active Directory Requirements
• Windows 2003 SP1 or R2 Standard and Enterprise
• Windows 2000 SP4 Server
Unix and Linux Requirements for the Agent
• An operating system that Likewise Open supports, such as versions
of Mac OS X, Red Hat, SUSE Linux, Fedora, CentOS, Debian,
Solaris, AIX, HP-UX, and Ubuntu. For a complete list of supported
platforms, see the list of supported platforms later in this guide.
Overview of the Installation Process
The installation process typically proceeds in the following order:
1. Make sure your computers meet the installation requirements.
2. Download the Likewise Open installation package from the Likewise
Software web site at http://www.likewisesoftware.com/community/.
3. Install Likewise Open on each Unix, Linux, or Mac OS X computer
that you want to join to the Active Directory domain.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 14/72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 15/72
Copyright © 2008 Likewise Software. All rights reserved. 15
Product Documentation
Likewise Open: Installation and Administration Guide
the transfer. Most FTP clients default to AUTO or ASCII, but the
installer includes some binary code that will become corrupted if
you do not use binary mode.
3. As the root user or with sudo permission, modify the execute bit on
the installer by executing the following command at the shell prompt
on the Linux or Unix computer:
chmod a+x / t mp/ Li kewi se*
4. To launch the installer, at the shell prompt, execute the following
command:
/ t mp/ Li kewi se*
5. Follow the instructions in the installation wizard.
Install the Agent on a Mac Computer
To install the Likewise Agent on a computer running Mac OS X, you
must have administrative privileges on the Mac. Likewise supports Mac
OS X 10.4 or later.
1. Log on the Mac with a local account.
2. On the Apple menu , click System Preferences.
3. Under Internet & Network, click Sharing, and then select the
Remote Login check box.
4. Go to http://www.likewisesoftware.com/support/ and download to
your desktop the Likewise Agent installation package for your Mac.
Important: To install the agent on an Intel-based Mac, use the i386
version of the . dmg package. To install the agent on a Mac that
does not have an Intel chip, use the powerpc version of the . dmg
package.
5. On the Mac computer, go to the Desktop and double-click the
Likewise . dmg file.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 16/72
Copyright © 2008 Likewise Software. All rights reserved. 16
Product Documentation
Likewise Open: Installation and Administration Guide
6. In the Finder window that appears, double-click the Likewise . mpkg
file.
7. Follow the instructions in the installation wizard.
When the wizard finishes installing the package, which includes the
Likewise Agent, you are ready to join the Mac to the Active Directory
domain.
Install the Agent on a Mac in Unattended Mode
The Likewise command-line tools can remotely deploy the shell version
of the Likewise agent to multiple Mac OS X computers, and you can
automate the installation of the agent by using the installation command
in unattended mode.
The commands used in this procedure require at least administrative
privileges to run.
Important: For Intel-based Macs, use the i386 version of the . dmg
installer; for example: Li kewi seOpen- 4. 1. 0. 2779- i 386. dmg. For
Macs that do not have Intel chips, use the powerpc version of the . dmg
installer; for example: Li kewi seOpen- 4. 1. 0. 2779- powerpc. dmg
The procedure below assumes you are installing the agent on an i386
Mac; if you are installing on a powerpc, replace the i386 installer with thepowerpc installer.
1. Use SSH to connect to the target Mac OS X computer and then use
SCP to copy the . dmg installation file to the desktop of the target
Mac or to a location that can be accessed remotely. The rest of this
procedure assumes that you copied the installation file to the
desktop.
2. On the target Mac, open Terminal and then use the hdi ut i l
mount command to mount the . dmg file under Vol umes :
/ usr / bi n/ hdi ut i l mount Deskt op/ Li kewi seOpen-
4. 1. 0. 2779- i 386. dmg
3. Execute the following command to open the .mpkg volume:
/ usr / bi n/ open Vol umes/ Li kewi seOpen- 4. 1. 0. 2779- i 386
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 17/72
Copyright © 2008 Likewise Software. All rights reserved. 17
Product Documentation
Likewise Open: Installation and Administration Guide
4. Execute the following command to install the agent:
sudo i nst al l er - pkg / Vol umes/ Li kewi seOpen-
4. 1. 0. 2779- i 386/ Li kewi seOpen- 4. 1. 0. 2779- i 386. mpkg
- t ar get Local Syst em
Note: For more information about the i ns tal l er command, in
Terminal execute the following command:
man i nst al l er
5. To join the domain, execute the following command in the Terminal,
replacing domai nName with the FQDN of the domain that you want
to join and j oi nAccount with the user name of an account that hasprivileges to join computers to the domain:
sudo / opt / cent er i s/ bi n/ domai nj oi n- c l i j oi n
domai nName j oi nAccount
Example: sudo / opt / cent er i s/ bi n/ domai nj oi n- cl i j oi n
cent er i sdemo. com Admi ni st r at or
Terminal prompts you for two passwords: The first is for a user
account on the Mac that has admin privileges; the second is for the
user account in Active Directory that you specified in the joincommand.
Note: You can also add the password for joining the domain to the
command, but Likewise recommends against this approach because
another user could see and intercept the full command that you are
running, including the password:
sudo / opt / cent er i s/ bi n/ domai nj oi n- c l i j oi n
domai nName j oi nAccount j oi nPassword
Example: sudo / opt / cent er i s/ bi n/ domai nj oi n- cl i j oi n
cent er i sdemo. com Admi ni st r ator Your PasswordHer e
Using Command-Line Tools to Deploy Agents
The Likewise command-line tools can help deploy the Likewise agent to
multiple computers or install the agent remotely.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 18/72
Copyright © 2008 Likewise Software. All rights reserved. 18
Product Documentation
Likewise Open: Installation and Administration Guide
You can use the command-line tools to automatically install the agent,
join the computer to a domain, and obtain credentials. For example, you
can automate the installation of the agent by using the installation
command in unattended mode:
# . / Li kewi seOpen- 4. 1. 0. 2513- l i nux- x86_64- r pm- i nst al l er - - modeunat t ended
For Unix and Linux hosts, you can run the installer from the shell prompt
with no special treatment. The installer detects that it is running in
character mode and displays a character mode user interface, or you
can force it into character mode with the option - - mode text :
# . / Li kewi seOpen- 4. 1. 0. 2513- l i nux- x86_64- r pm- i nst al l er - - modetext
After you have installed the agent on Linux computers, additional
command-line tools are in / usr / cent er i s / bi n.
On Unix and Mac OS X computers, the command-line tools are in
/ opt / cent er i s / bi n.
Upgrade to the Latest Agent
To upgrade to the latest version of the Likewise agent, it is
recommended that you first leave the domain and uninstall the current
agent.
Uninstall the Agent on a Linux or Unix Computer
Uninstall BitRock Installations on Linux
On a Linux computer, you can uninstall the Likewise Agent from the
command line if you originally installed the agent with the BitRock
installer.
Note: Execute the uni nst al l command from a directory other than
cent er i s so that the uninstall program can delete the cent er i s
directory and all its subdirectories. For example, execute the command
from the root directory.
• To uninstall the agent on a Linux computer running Likewise
Enterprise, run the following command as root:
/ usr/ cent er i s/ set up/ l we/ uni nst al l
• To uninstall the agent on a Linux computer running Likewise Open,
run the following command as root:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 19/72
Copyright © 2008 Likewise Software. All rights reserved. 19
Product Documentation
Likewise Open: Installation and Administration Guide
/ usr/ cent er i s/ set up/ l wo/ uni nst al l
Uninstall BitRock Installations on Unix
On a Unix computer, you can uninstall the Likewise Agent from the
command line if you originally installed the agent with the BitRock
installer.
Note: Execute the uni nst al l command from a directory other than
cent er i s so that the uninstall program can delete the cent er i s
directory and all its subdirectories. For example, execute the command
from the root directory.
• To uninstall the agent on a Unix computer running Likewise
Enterprise, run the following command as root:
/ opt / cent er i s/ set up/ l we/ uni nst al l
• To uninstall the agent on a Unix computer running Likewise Open, run
the following command as root:
/ opt / cent er i s/ set up/ l wo/ uni nst al l
Uninstall the Agent on a Mac
On a Mac computer, you must uninstall the Likewise agent by using theTerminal.
1. Log on the Mac by using a local account with privileges that allow
you to use sudo.
2. Open a Terminal window: In Finder, on the Go menu, click Utilities,
and then double-click Terminal.
3. At the Terminal shell prompt, execute the following command:
sudo / opt / cent er i s / bi n/ l wi - uni nstal l . sh
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 20/72
Copyright © 2008 Likewise Software. All rights reserved. 20
Product Documentation
Likewise Open: Installation and Administration Guide
Joining Active Directory
When Likewise joins a computer to a domain, it uses the hostname ofthe computer to create the name of the computer object in Active
Directory. From the hostname, the Likewise Domain Join Tool attempts
to derive a fully qualified domain name.
By default, the domain join tool creates the Linux and Unix machine
accounts in the default Computers container within Active Directory.
You can, however, choose to create machine accounts in Active
Directory before you join your Unix, Linux, and Mac OS X computers to
the domain. When you join a computer to a domain by running the
Domain Join Tool, Likewise associates the Unix or Linux host with thepre-existing machine account. If no match is found, Likewise creates a
machine account.
On Linux computers, the domain join command-line utility --
domai nj oi n- cl i -- is in / usr / cent er i s / bi n. On Unix and Mac OS
X computers, it is in / opt / cent er i s / bi n.
Removing a Computer from a Domain
You can remove a computer from the domain either by removing the
computer's account from Active Directory Users and Computers or by
running the Domain Join Tool on the Unix, Linux, or Mac OS X computerthat you want to remove.
Files Modified During a Domain Jo in
When Likewise joins a computer to a domain, it modifies some system
files. The files that are modified depend on the platform, the distribution,
and the system's configuration. The following files might be modified.
Note: Not all of these files are present on all computers.
• /etc/nsswitch.conf
• /etc/pam.conf or /etc/pam.d/*
• /etc/ssh/{ssh_config,sshd_config} (or wherever sshd configuration is
located)
• /etc/hosts (To join a domain without modifying /etc/hosts, see Join
Active Directory Without Changing /etc/hosts.)
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 21/72
Copyright © 2008 Likewise Software. All rights reserved. 21
Product Documentation
Likewise Open: Installation and Administration Guide
• /etc/apparmor.d/abstractions/nameservice
• /etc/X11/gdm/PreSession/Default
• /etc/vmware/firewall/services.xml
• /usr/lib/security/methods.cfg
• /etc/security/user
• /etc/security/login.cfg
• /etc/netsvc.conf
•
/etc/krb5.conf
• /etc/krb5/krb5.conf
• /etc/rc.config.d/netconf
• /etc/nodename
• /etc/{hostname,HOSTNAME,hostname.*}
• /etc/sysconfig/network/config
• /etc/sysconfig/network/dhcp
• /etc/sysconfig/network/ifcfg-*
• /etc/sysconfig/network-scripts/ifcfg-*
Join Act ive Directory with the Command Line
When you join a domain by using the command-line utility, Likewise uses
the hostname of the computer to derive a fully qualified domain name
(FQDN) and then automatically sets the computer’s FQDN in the
/ et c/ hosts file. You can also join a domain without changing the
/ et c/ hosts file; see Join Active Directory Without Changing /etc/hosts.
On Linux computers, the domain join command-line utility is in
/ usr / cent er i s / bi n. On Unix and Mac OS X computers, it is in
/ opt / cent er i s / bi n.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 22/72
Copyright © 2008 Likewise Software. All rights reserved. 22
Product Documentation
Likewise Open: Installation and Administration Guide
Important: To run the command-line utility, you must use a root
account. To join a computer to a domain, you must have the user name
and password of an Active Directory account that has privileges to join
computers to the domain and the full name of the domain that you want
to join.
Join a Linux Computer to Active Directory
• Execute the following command, replacing domai nName with the
FQDN of the domain that you want to join and j oi nAccount with the
user name of an account that has privileges to join computers to the
domain:
/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n domainName
joinAccount
Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n
cent er i sdemo. com Admi ni st r at or
Join a Unix Computer to Active Directory
• Execute the following command, replacing domai nName with the
FQDN of the domain that you want to join and j oi nAccount with the
user name of an account that has privileges to join computers to the
domain:
/ opt / cent er i s / bi n/ domai nj oi n- cl i j oi n domainNamejoinAccount
Example: / opt / cent er i s / bi n/ domai nj oi n- cl i j oi n
cent er i sdemo. com Admi ni st r at or
Join a Mac Computer to Active Directory
• Using sudo, execute the following command in the Terminal,
replacing domai nName with the FQDN of the domain that you want to
join and j oi nAccount with the user name of an account that has
privileges to join computers to the domain:
sudo / opt / cent er i s/ bi n/ domai nj oi n- c l i j oi n
domainName joinAccount
Example: sudo / opt / cent er i s/ bi n/ domai nj oi n- cl i j oi n
cent er i sdemo. com Admi ni st r at or
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 23/72
Copyright © 2008 Likewise Software. All rights reserved. 23
Product Documentation
Likewise Open: Installation and Administration Guide
The terminal prompts you for two passwords: The first is for a user
account on the Mac that has administrative privileges; the second is
for the user account in Active Directory that you specified in the join
command.
Join a Linux Computer to an Organizational Unit
• Execute the following command, replacing
or gani zat i onal Uni t Name with the path and name of the
organizational unit that you want to join, domai nName with the FQDN
of the domain, and j oi nAccount with the user name of an account
that has privileges to join computers to the domain:
/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou
organizationalUnitName domainName joinAccount
Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou
Engi neer i ng cent er i sdemo. com Admi ni st r at or
Options and Basic Commands
The following tables list the options and commands of the command-line
interface for joining a domain.
Options
The domai nj oi n- cl i command-line interface includes the following
options:
Option Description Example
- - hel p Displays the command-line
options and commands.
domai nj oi n- c l i - - hel p
- - hel p- i nt er nal Displays a list of the
internal debugging
commands.
domai nj oi n- c l i - - hel p- i nt er nal
- - l o g {.| pat h} Generates a log file or
prints the log to the
console.
domai nj oi n- c l i - - l og
/ var / l og/ domai nj oi n. l og j oi n
cent er i sdemo. com Admi ni st r at or
domai nj oi n- cl i - - l og . j oi n
cent er i sdemo. com Admi ni st r at or
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 24/72
Copyright © 2008 Likewise Software. All rights reserved. 24
Product Documentation
Likewise Open: Installation and Administration Guide
Basic Commands
The domain join command-line interface includes the following basic
commands:
Command Descr iption Example
query Displays the
hostname, current
domain, and
distinguished name,
which includes the
OU to which the
computer belongs.
If the computer is
not joined to a
domain, it displays
only the hostname.
domai nj oi n- cl i quer y
set name computerName Renames the
computer and
modifies the
/ et c/ hosts file
with the name that
you specify.
domai nj oi n- cl i set name RHEL44I D
f i xf qdn Fixes a computer's
fully qualified
domain name.
domai nj oi n- c l i f i xf qdn
j oi n [ - - ou
organizationalUnit]
domainName userName
Joins the computer
to the domain that
you specify by using
the account that you
specify.
You can use the - -
ou option to join the
computer to an OU
within the domain by
specifying the path
to the OU and the
domai nj oi n- c l i j oi n - - ou
Engi neer i ng cent er i sdemo. com
Admi ni st r at or
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 25/72
Copyright © 2008 Likewise Software. All rights reserved. 25
Product Documentation
Likewise Open: Installation and Administration Guide
Command Descr iption Example
OU's name. When
you use this option,
you must use an
account that has
membership in the
Domain
Administrators
security group. The
path to the OU is top
down.
l eave [ user Name] Removes thecomputer from the
Active Directory
domain.
If the user Name is
provided, the
computer account is
disabled in Active
Directory.
domai nj oi n- cl i l eave
domai nj oi n- cl i l eave
smi t hy@l i kewi sedemo. com
Advanced Commands
The command-line interface includes advanced commands that you can
use to preview the stages of joining or leaving a domain, find out which
configurations are required for your system, view information about a
module that will be changed, and enable or disable a module. The
advanced commands provide a potent tool for troubleshooting issues
while configuring a Linux or Unix computer to interoperate with Active
Directory.
Preview the Stages of the Domain Join for Your Computer
To preview the domain, DNS name, and configuration stages that will be
used to join a computer to a domain, execute the following command at
the command line:
domai nj oi n- cl i j oi n - - pr evi ew domainName
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 26/72
Copyright © 2008 Likewise Software. All rights reserved. 26
Product Documentation
Likewise Open: Installation and Administration Guide
Example: domai nj oi n- cl i j oi n - - pr evi ew l i kewi sedemo. com
The result, which can vary by computer, looks something like this:
[ r oot @r hel 44i d ~] # domai nj oi n- cl i j oi n - - pr evi ew cent eri sdemo. com J oi ni ng t o AD Domai n: cent er i sdemo. comWi t h Comput er DNS Name: r hel 44i d. center i sdemo. com The f ol l owi ng st ages ar e cur r ent l y conf i gured t o be r un dur i ngt he domai n j oi n:host name - set computer host name j oi n - j oi n computer t o ADl wi conf - conf i gur e l wi aut hd. confkrb5 - conf i gur e krb5. confnsswi t ch - enabl e/ di sabl e Li kewi se nsswi t ch modul est art - st art daemonspam - conf i gure pam. d/ pam. confssh - conf i gure ssh and sshd[ r oot @r hel 44i d ~] #
Check Required Configurations
To see a full listing of the modules that apply to your operating system,
including those module that will not be run, execute either the following
join or leave command:
domai nj oi n- cl i j oi n - - advanced - - pr evi ew domainName
domai nj oi n- cl i l eave - - advanced - - pr evi ew domainName
Example: domai nj oi n- cl i j oi n - - advanced - - pr evi ew
l i kewi sedemo. com
The result varies by computer:
[ r oot @r hel 44i d ~] # domai nj oi n- cl i j oi n - - advanced - - pr evi ewcent er i sdemo. com J oi ni ng t o AD Domai n: cent er i sdemo. comWi t h Comput er DNS Name: r hel 44i d. center i sdemo. com [ F] st op - st op daemons[ X] [ S] host name - set comput er host name
[ F] f i r ewal l - open por t s t o DC[ X] [ N] j oi n - j oi n comput er t o AD[ X] [ N] l wi conf - conf i gur e l wi aut hd. conf[ X] [ N] krb5 - conf i gur e krb5. conf[ X] [ N] nsswi t ch - enabl e/ di sabl e Li kewi se nsswi t ch modul e
[ X] [ N] st ar t - st ar t daemons[ F] bash - f i x bash pr ompt f or backsl ashes i nuser names
[ F] gdm - f i x gdm pr esessi on scri pt f or spaces i nuser names[ X] [ N] pam - conf i gur e pam. d/ pam. conf[ X] [ S] ssh - conf i gur e ssh and sshd
Key to flags
[ F]ul l y conf i gur ed - t he syst em i s al r eady conf i gur ed f ort hi s step
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 27/72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 28/72
Copyright © 2008 Likewise Software. All rights reserved. 28
Product Documentation
Likewise Open: Installation and Administration Guide
You can further bore down into the details of the changes that a module
will make by using either the following join or leave command:
domai nj oi n- cl i j oi n - - det ai l s module domainName joinAccount
domai nj oi n- c l i l eave - - det ai l s module domainName
joinAccount
Example: domai nj oi n- cl i j oi n - - det ai l s l wi conf
cent er i sdemo. com Admi ni st r at or
The result varies depending on your system's configuration:
[ r oot @r hel 44i d ~] # domai nj oi n- cl i j oi n - - det ai l s l wi conf
cent eri sdemo. com Admi ni st r ator[ X] [ N] l wi conf - conf i gur e l wi aut hd. confKey to f l ags[ F]ul l y conf i gur ed - t he syst em i s al r eady conf i gur ed f ort hi s step[ S] uf f i ci ent l y conf i gur ed - t he syst em meet s t he mi ni mumconf i gur at i on
r equi r ement s f or t hi s st ep[ N] ecessar y - t hi s st ep must be r un or manual l yper f ormed.[ X] - t hi s st ep i s enabl ed and wi l l makechanges[ ] - t hi s step i s di sabl ed and wi l l notmake changesDet ai l s for ' conf i gur e l wi aut hd. conf ' :
Edi t / et c/ samba/ l wi aut hd. conf t o set t he f ol l owi ng val ues:wor kgr oup=<shor t domai n name>r eal m=<dns domai n name>secur i t y=adsuse kerber os keyt ab=ads[ r oot @r hel 44i d ~] #
Turn On or Turn Off Domain Join Modules
You can explicitly enable or disable a module when you join or leave a
domain. Disabling a module can be useful in cases where a module has
been manually configured or in cases where you must ensure that
certain system files will not be modified.
Note: If you disable a necessary module and you have not manually
configured it, the domain join utility will not join your computer to the
domain.
To disable a module, execute either the following join or leave command:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 29/72
Copyright © 2008 Likewise Software. All rights reserved. 29
Product Documentation
Likewise Open: Installation and Administration Guide
domai nj oi n- c l i j oi n - - di sabl e module domainName
accountName
domai nj oi n- cl i l eave - - di sabl e module domainName
accountName
Example: domai nj oi n- cl i j oi n - - di sabl e pam
cent er i sdemo. com Admi ni st r at or
To enable a module, execute the following command at the command
line:
domai nj oi n- c l i j oi n -- enabl e module domainName
accountName
Example: domai nj oi n- cl i j oi n - - enabl e pamcent er i sdemo. com Admi ni st r at or
Join Active Directory Without Changing /etc/hosts
When you join a computer to a domain by using the Likewise Domain
Join Tool, Likewise uses the hostname of the computer to derive a fully
qualified domain name (FQDN) and then automatically sets the
computer’s FQDN in the / et c/ hosts file.
You join a domain without changing the / et c/ hosts file by using the
shell prompt.
To join a Linux computer to the domain without changing the
/ et c/ hosts file, execute the following command at the shell prompt as
root, replacing domai nName with the FQDN of the domain that you want
to join and j oi nAccount with the user name of an account that has
privileges to join computers to the domain:
/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - di sabl e
host name domai nName j oi nAccount
Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - -
di sabl e host name cent er i sdemo. com Admi ni st r ator
If the Computer Fails to Join the Domain
Make sure the computer's FQDN is correct in / et c/ host s.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 30/72
Copyright © 2008 Likewise Software. All rights reserved. 30
Product Documentation
Likewise Open: Installation and Administration Guide
You can determine the fully qualified domain name of a computer
running Linux, Unix, or Mac OS X by executing the following command:
pi ng - c 1 `host name`
When you execute this command, the computer looks up the primary
host entry for its hostname. In most cases, this means that it looks for its
hostname in / et c/ hosts , returning the first FQDN name on the same
line. So, for the hostname qaser ver , here's an example of a correct
entry in / et c/ hosts :
10. 100. 10. 10 qaserver . cor pqa. cent er i s. com qaserver
If, however, the entry in / et c/ hosts incorrectly lists the hostname (or
anything else) before the FQDN, the computer's FQDN becomes, usingthe malformed example below, qaser ver :
10. 100. 10. 10 qaserver qaserver . cor pqa. cent er i s. com
If the host entry cannot be found in / et c/ host s, the computer looks for
the results in DNS instead. This means that the computer must have a
correct A record in DNS. If the DNS information is wrong and you cannot
correct it, add an entry to / et c/ hosts .
Join a Mac Computer to Active Directory
To join a computer running Mac OS X 10.4 or later to an Active Directory
domain, you must have administrative privileges on the Mac and
privileges on the Active Directory domain that allow you to join a
computer.
1. In Finder, click Appl ications . In the list of applications, double-click
Utilities, and then double-click Directory Access.
2. On the Services tab, click the lock and enter an administrator
name and password to unlock it.
3. In the list click Likewise Enterprise, make sure the Enable check
box for Likewise Enterprise is selected, and then click Configure.
4. Enter a name and password of a local machine account with
administrative privileges.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 31/72
Copyright © 2008 Likewise Software. All rights reserved. 31
Product Documentation
Likewise Open: Installation and Administration Guide
5. On the menu bar at the top of the screen, click the Likewise
Enterprise Domain Join menu, and then click Join or Leave
Domain.
6. In the Computer name box, type the name of the local hostname of
the Mac without the . l ocal extension. Because of a limitation with
Active Directory, the local hostname cannot be more than 15
characters. Also: l ocal host is not a valid name.
Tip: To find the local hostname of a Mac, on the Apple menu ,
click System Preferences, and then click Sharing. Under the
Computer Name box, click Edit. Your Mac's local hostname is
displayed.
7. In the Domain to join box, type the fully qualified domain name of
the Active Directory domain that you want to join.
8. Under Organizational Unit, you can join the computer to an OU in
the domain by selecting OU Path and then typing a path in the OU
Path box.
Note: To join the computer to an OU, you must be a member of the
Domain Administrator security group.
Or, to join the computer to the Computers container, select Defaultto "Computers" container .
9. Click Join.
10. After you are joined to the domain, you can set the display login
window preference on the Mac: On the Apple menu , click
System Preferences, and then under System, click Accounts .
11. Click the lock and enter an administrator name and password to
unlock it.
12. Click Login Options, and then under Display login window as,
select Name and password.
Install the Domain Join GUI
You can install the optional graphical user interface version of the
Likewise Domain Join Tool on a Linux computer after you have installed
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 32/72
Copyright © 2008 Likewise Software. All rights reserved. 32
Product Documentation
Likewise Open: Installation and Administration Guide
the Likewise agent. The domain join tool can be installed on Linux
platforms that are running GTK+ version 2.6 or later.
Note: You do not need to install the domain join GUI to join a domain; for
more information, see Join Active Directory with the Command Line.
1. Obtain the BitRock installer for the domain join tool for your platform
from Likewise Software at http://www.LikewiseSoftware.com.
2. Copy the installer to the desktop of the target Linux computer.
Important: If you use FTP to transfer the file, you must select BIN,
or binary. Most FTP clients default to AUTO or ASCII, but the
installer includes some binary code that will become corrupted if you
do not use binary mode.
3. On the desktop, right-click the icon for the installer, click Properties,
and then click the Permissions tab.
4. Change the owner's permissions to Read and Execute, and then
click Close:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 33/72
Copyright © 2008 Likewise Software. All rights reserved. 33
Product Documentation
Likewise Open: Installation and Administration Guide
5. On the desktop, double-click the icon of the installer to run it, and
then follow the instructions in the installation wizard.
Uninstall the Domain Join GUI
On a Linux computer, you can uninstall the domain join GUI from the
command line by running the following command as root:
/ usr/ cent er i s/ set up/ dj gt k/ uni nstal l
Join a Linux Computer to Active Directory with the GUI
After you install the Likewise agent, you can install the Likewise Domain
Join Tool, a graphical user interface for joining a domain. The domain
join tool is not included when you install the agent; you must install the
utility separately. For more information, see Install the Domain Join
Utility.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 34/72
Copyright © 2008 Likewise Software. All rights reserved. 34
Product Documentation
Likewise Open: Installation and Administration Guide
Important: To join a computer to a domain, you must have the user
name and password of a user who has privileges to join computers to a
domain and the full name of the domain that you want to join.
1. From the desktop with root privileges, double-click the Likewise
Domain Join Tool, or at the shell prompt of a Linux computer, type
the following command:
/ usr / cent er i s/ bi n/ domai nj oi n- gui
2. On the Likewise AD Settings panel, in the Domain box, enter the
Fully Qualified Domain Name (FQDN) of the Active Directory
domain.
Note: The domain join tool automatically sets the computer’s FQDN
by modifying the / et c/ host s file. For example, If your computer's
name is qaser ver and the domain is cor pqa. cent er i s. com,
the domain join tool adds the following entry to the / et c/ hosts file:
qaser ver . cor pqa. cent er i s. com. To manually set the
computer's FQDN, see Join Active Directory Without Changing
/etc/hosts.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 35/72
Copyright © 2008 Likewise Software. All rights reserved. 35
Product Documentation
Likewise Open: Installation and Administration Guide
4. Under Organizational Unit, you can join the computer to an OU in
the domain by selecting OU Path and then typing a path in the OU
Path box. The OU path is from the top of the Active Directory
domain down to the domain that you want.
Or, to join the computer to the Computers container, select Default
to container (Computers).
5. Click Join Domain.
6. Enter the user name and password of an Active Directory user with
the right to join a machine to the Active Directory domain, and then
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 36/72
Copyright © 2008 Likewise Software. All rights reserved. 36
Product Documentation
Likewise Open: Installation and Administration Guide
click OK.
Note: If you do not use an Active Directory Domain Administrator
account, you might not have sufficient privileges to change an
existing machine object in Active Directory.
Use Likewise wi th a Single OU
If you have only write privileges for an organizational unit in Active
Directory, you can still use Likewise. You should enable an
organizational unit (OU) for Likewise only when you want to manage
your Linux, Unix, and Mac OS X computers within a single OU and you
do not have Domain Administrator or Enterprise Administrator privileges,
but you have been given rights to create objects in an OU. You can use
the write privileges that you have been given for an OU to join Linux andUnix computers to that OU.
There are additional limitations to this approach:
• You must join the computer to a specific OU, and you must know the
path to that OU.
• You cannot use Likewise in schema mode unless you have Enterprise
Administrator privileges, which are required to upgrade the schema.
Join a Linux Computer to an Organizational UnitWhen you join a domain by using the command-line utility, Likewise uses
the hostname of the computer to derive a fully qualified domain name
(FQDN) and then automatically sets the computer’s FQDN in the
/ et c/ hosts file. You can also join a domain without changing the
/ et c/ hosts file; see Join Active Directory Without Changing /etc/hosts.
On Linux computers, the domain join command-line utility is in
/ usr / cent er i s / bi n. On Unix and Mac OS X computers, it is in
/ opt / cent er i s / bi n.
Important: To join a computer to a domain, you must have the username and password of an account that has privileges to join computers
to the domain and the full name of the domain that you want to join.
• Execute the following command, replacing
or gani zat i onal Uni t Name with the path and name of the
organizational unit that you want to join, domai nName with the FQDN
of the domain, and j oi nAccount with the user name of an account
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 37/72
Copyright © 2008 Likewise Software. All rights reserved. 37
Product Documentation
Likewise Open: Installation and Administration Guide
that has privileges to join computers to the domain:
/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou
organizationalUnitName domainName joinAccount
Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou
Engi neer i ng cent er i sdemo. com Admi ni st r at or
See Also
Join Active Directory with the Command Line
Join a Mac Computer to Active Directory
Join Active Directory Without Changing /etc/hosts
Set the Home Directory and Shell for Domain Users
When you use Likewise by installing it only on a Linux, Unix, or Mac
computer and not on Active Directory, you cannot associate a Likewise
cell with an organizational unit, and thus you have no way to define a
home directory or shell in Active Directory for users who log on the
computer with their domain credentials.
To set the home directory and shell for a computer that is using Likewise
Open or Likewise Enterprise without cell, edit the following configuration
file:
/ et c/ samba/ l wi aut hd. conf
Modify the following lines to set the shell and home directory that you
want:
t empl ate shel l =
t empl at e homedi r =
Examples:
t empl at e shel l = / bi n/ bash
t empl at e homedi r = / home/ l ocal / %D/ %U
When you set the default home directory, you must use the default user
name variable (%U). You may specify the default domain name by using
the domain name variable (%D) but, unlike the user name variable, it is
not required.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 38/72
Copyright © 2008 Likewise Software. All rights reserved. 38
Product Documentation
Likewise Open: Installation and Administration Guide
All the users who log on the computer by using their Active Directory
domain credentials will have the shell and home directory that you set.
Note: / bi n/ bash might not be available on all systems.
Important: On Solaris, you cannot create a local home directory in
/ home, because / home is used by autofs, Sun's automatic mounting
service. The standard on Solaris is to create local home directories in
/ expor t / home.
If you set the shell and home directory both in Active Directory and in
l wi aut hd. conf , the settings in Active Directory -- which appear on the
target computer in / et c/ secur i t y/ pam_l wi dent i t y. conf -- take
precedence.
Log On a JoinedComputer with Active Directory Credentials
After the Likewise Agent has been installed and the Linux computer has
been joined to a domain, users can log on interactively by using their
Active Directory credentials. For example, a user can log on by using the
form DOMAI N\ user name.
1. On a Linux computer, log out of the current session.
2. Log on the system console by using an Active Directory user
account in the form of DOMAI N\ user name, where DOMAI N is the Active Directory short name.
To eliminate barriers to acceptance, preserve existing user behaviors,
and support script files that may rely on a particular logon nomenclature,
Likewise provides the following logon options:
• Full domain credentials -- example: l i kewi sedemo. com\ hoenst i v
• Single domain user name -- example: l i kewi sedemo\ hoenst i v
• Alias names: example --
s t i v
• Cached credentials
• To use UPN names, you must raise your Active Directory forest
functional level to Windows Server 2003, but note that raising the
forest functional level to Windows Server 2003 will exclude Windows
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 39/72
Copyright © 2008 Likewise Software. All rights reserved. 39
Product Documentation
Likewise Open: Installation and Administration Guide
2000 domain controllers from the domain. For more information, see
About Schema Mode and Non-Schema Mode.
Rename a Joined Computer
To rename a computer that has been joined to Active Directory, you
must first leave the domain. You can then rename the computer by using
the domain join command line interface. After you rename the computer,
you must rejoin it to the domain. Renaming a joined computer requires
the user name and password of a user with privileges to join a computer
to a domain.
Important: Do not change the name of a Linux, Unix, or Mac computer
by using the host name command because some distributions do not
permanently apply the changes.
Rename a Computer by Using the Command-Line Tool
The following procedure removes a Unix computer from the domain,
renames the computer, and then rejoins it to the domain. You can also
use the command-line tool on a Linux computer; on a Linux computer,
the path to the tool is / usr / cent er i s / bi n/ .
1. With root privileges, at the shell prompt of a Unix computer, execute
the following command:
/ opt / cent er i s/ bi n/ domai nj oi n- c l i l eave
2. To rename the computer in / et c/ hosts , execute the following
command at the shell prompt, replacing computerName with the
new name of the computer:
/ opt / cent er i s/ bi n/ domai nj oi n- cl i set name
computerName
Example: / opt / cent er i s/ bi n/ domai nj oi n- cl i set name
RHEL44I D
3. To rejoin the renamed computer to the domain, execute the
following command at the shell prompt, replacing DomainName with
the name of the domain that you want to join and UserName with
the user name of a user who has privileges to join a domain:
/ opt / cent er i s / bi n/ domai nj oi n- cl i j oi n DomainName
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 40/72
Copyright © 2008 Likewise Software. All rights reserved. 40
Product Documentation
Likewise Open: Installation and Administration Guide
UserName
Example: /opt/centeris/bin/domainjoin-cli join
centerisdemo.com Administrator
It may take a few moments before the computer is joined to the
domain.
Rename a Computer by Using the Domain Join Tool
To execute the following procedure, the Likewise Domain Join Tool, a
graphical user interface for joining a domain, must be installed on your
computer. For more information, see Install the Likewise Domain JoinTool.
1. From the desktop with root privileges, double-click the Likewise
Domain Join Tool, or at the shell prompt of a Linux computer, type
the following command:
/ usr / cent er i s/ bi n/ domai nj oi n- gui
2. Click Leave, and then click OK.
3. Start the Domain Join Tool again by double-clicking the Likewise
Domain Join Tool on the desktop, or by typing the following
command at the shell prompt of a Linux computer:
/ usr / cent er i s/ bi n/ domai nj oi n- gui
4. Click Next.
5. In the Computer Name box, rename the computer by typing a new
name.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 41/72
Copyright © 2008 Likewise Software. All rights reserved. 41
Product Documentation
Likewise Open: Installation and Administration Guide
6. In the Domain to join box, enter the Fully Qualified Domain Name
(FQDN) of the Active Directory domain.
7. Under Organizational Unit, you can join the computer to an OU in
the domain by selecting OU Path and then typing a path in the OU
Path box.
Or, to join the computer to the Computers container, select Default
to "Computers" container .
8. Click Next.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 42/72
Copyright © 2008 Likewise Software. All rights reserved. 42
Product Documentation
Likewise Open: Installation and Administration Guide
9. Enter the user name and password of an Active Directory user with
the right to join a machine to the Active Directory domain, and then
click OK.
The computer's name in / et c/ host s has been changed to the name
that you specified and the computer has been joined to the Active
Directory domain with the new name.
Leave a Domain
Likewise reverses the Likewise-specific settings that were made to the
computer's configuration when it was joined to the domain. Before you
leave a domain, you can execute the following command to view the
changes that will be made:
domai nj oi n- cl i l eave - - advanced - - pr evi ew domainName
Example:
[ r oot@r hel 44i d / ] # domai nj oi n- cl i l eave - - advanced - - pr evi ewcent eri sdemo. comLeavi ng AD Domai n: CENTERI SDEMO. COM[ X] [ S] ssh - conf i gur e ssh and sshd[ X] [ N] pam - conf i gur e pam. d/ pam. conf[ X] [ N] nsswi t ch - enabl e/ di sabl e Li kewi se nsswi t ch modul e[ X] [ S] l eave - del ete machi ne account[ X] [ N] krb5 - conf i gur e krb5. conf[ X] [ N] l wi conf - conf i gure l wi aut hd. conf[ X] [ N] st op - st op daemons
Key t o f l ags[ F]ul l y conf i gured - t he system i s al r eady conf i gur ed f or t hi s step[ S] uf f i ci ent l y conf i gur ed - t he syst emmeets t he mi ni mum conf i gur at i on
r equi r ement s f or t hi s step[ N] ecessar y - t hi s st ep must be r un or manual l y per f ormed.[ X] - t hi s st ep i s enabl ed and wi l l make changes[ ] - t hi s st ep i s di sabl ed and wi l l not makechanges
For information on advanced commands for leaving a domain, see Join
Active Directory with the Command Line.
The Computer Account in Active Directory
When you leave a domain, the computer's account in Active Directory is
not disabled and not deleted. If, however, you include the user name aspart of the l eave command, the computer's account is disabled but not
deleted. You can include the user name as part of the l eave command
as follows; you will be prompted for the password of the user account:
domai nj oi n- cl i l eave userName
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 43/72
Copyright © 2008 Likewise Software. All rights reserved. 43
Product Documentation
Likewise Open: Installation and Administration Guide
Example: domai nj oi n- cl i l eave br smi t h
Remove a Linux Computer from a Domain • On the Linux computer that you want to remove from the Active
Directory domain, use a root account to run the following command at
the shell prompt:
/ usr/ cent er i s/ bi n/ domai nj oi n- c l i l eave
Remove a Unix Computer from a Domain
• On the Unix computer that you want to remove from the Active
Directory domain, execute the following command at the shell prompt:
/ opt / cent er i s/ bi n/ domai nj oi n- c l i l eave
Remove a Mac from a Domain
To leave a domain on a Mac OS X computer, you must have
administrative privileges on the Mac.
1. In Finder, click Appl ications .
2. In the list of applications, double-click Utilities, and then double-
click Directory Access.
3. On the Services tab, click the lock and enter an administrator
name and password to unlock it.
4. In the list, click Likewise, and then click Configure.
5. Enter a name and password of a local machine account with
administrative privileges.
6. On the menu bar at the top of the screen, click the Likewise
Domain Join Tool menu, and then click Join or Leave Domain.
7. Click Leave.
Remove a Mac with the Command Line
Execute the following command with an account that allows you to use
sudo:
sudo / opt / cent er i s/ bi n/ domai nj oi n- cl i l eave
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 44/72
Copyright © 2008 Likewise Software. All rights reserved. 44
Product Documentation
Likewise Open: Installation and Administration Guide
Using Single Sign On
When you log on a Linux, Unix, or Mac OS X computer by using your Active Directory domain credentials, Likewise initializes and maintains a
Kerberos ticket granting ticket (TGT). With a TGT, you can log on other
computers joined to Active Directory or applications provisioned with a
Service Principal Name and be automatically authenticated with
Kerberos and authorized for access through Active Directory. In a
process transparent to the user, the underlying Generic Security
Services (GSS) system requests a Kerberos service ticket for the
Kerberos-enabled application or server. The result: single sign-on.
To gain access to the other computer, you can use various protocols and
applications:
• SSH (how to configure single sign-on for SSH)
• rlogin
• rsh
• Telnet
• FTP
• Firefox (for browsing of intranet sites)
• LDAP queries against Active Directory
• HTTP with an Apache HTTP Server
How Likewise Makes SSO Happen
Since Microsoft Windows 2000, Active Directory's primary authentication
protocol has been Kerberos. When a user logs on a Windows computer
that is joined to a domain, the operating system uses the Kerberos
protocol to establish a key and to request a ticket for the user. Active
Directory serves as the Kerberos key distribution center, or KDC.
Likewise configures Linux and Unix computers to interact with Active
Directory in a similar way. When a user logs on a Linux and Unix
computer joined to a domain, Likewise requests a ticket for the user. The
ticket can then be used to implement SSO with other applications.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 45/72
Copyright © 2008 Likewise Software. All rights reserved. 45
Product Documentation
Likewise Open: Installation and Administration Guide
Likewise fosters the use of the highly secure Kerberos 5 protocol by
automating its configuration and use on Linux and Unix computers. To
ensure that the Kerberos authentication infrastructure is properly
configured, Likewise does the following:
• Ensures that DNS is properly configured to resolve names associated
with Active Directory (AD).
• Provides tools to join Linux, Unix, and Mac OS X computers to AD.
• Performs secure, dynamic DNS updates to ensure that Linux and
Unix computer names can be resolved with AD-integrated DNS
servers.
• Configures Kerberos. In an environment with multiple KDCs, Likewisemakes sure that Kerberos selects the appropriate server.
• Configures SSHD to support SSO through Kerberos (by using
GSSAPI).
• Creates a keytab for the computer in the following way: When you join
a Linux or Unix computer to AD, Likewise creates a machine account
for the computer. Likewise then automatically creates a keytab for the
SPN and places it in the standard system location (typically
/ et c/ krb5. keyt ab).
• Provides a tool, l wi net , to generate additional keytab entries for
other applications or services.
• Creates a keytab for the user during logon. On most systems, the
user keytab is placed in the / t mp directory and named krb5cc_UI D,
where UI D is the numeric user ID assigned by the system.
Overview of How to Implement SSO with Likewise
When you install Likewise on a Linux, Unix, or Mac OS X computer and
join it to Active Directory, Likewise prepares it for single sign-on by
creating a keytab for the computer. However, when you use Likewise to
implement SSO with other applications or services, such as SAP or
Oracle, you will likely have to configure the application to use Kerberos
authentication and you will likely have to provision each application user
for external Kerberos authentication. At the very least, however, you will
have to provision your application with a Service Principal Name in
Active Directory.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 46/72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 47/72
Copyright © 2008 Likewise Software. All rights reserved. 47
Product Documentation
Likewise Open: Installation and Administration Guide
Note: Not all versions of OpenSSH support Kerberos. Versions older
than 4.2p1 might not work or might work improperly.
The SSH
Service
Principal
Name
The first thing that needs to be considered is the Kerberos service
principal name (SPN) that is used by ssh and sshd. The SPN is a string
that identifies the service for which an authentication ticket is to be
generated. In the case of SSH, the SPN has the form:
host / <ser ver name>@<REALMNAME>
For example, when a user uses ssh to connect to a computer named
f ozzi e. mycor p. com, the ssh program will request a service ticket for
the SPN:
host / f ozz i e. mycor p. com@MYCORP. COM
Note: The Kerberos realm is the computer's domain name using
uppercase letters.
System Keytab Generation
In order for Microsoft Active Directory to generate a Kerberos ticket for
this SPN, a service account must exist for it. Additionally, a keytab must
be created for the service account and placed on the sshd
server.Likewise completely automates this operation. When a Linux orUnix computer is joined to AD, a machine account is created for the
computer. If the computer is called f ozzi e, a machine account called
f ozzi e$ is created in AD. Likewise then automatically creates a keytab
for the SPN and places it in the standard system location (typically,
/ et c/ kr b5. keyt ab). Likewise includes a tool, l wi net , that can be
used to generate additional keytab entries for other services.
User Keytab Generation
When the user runs the ssh program and OpenSSH determines that it
will use Kerberos authentication, it will need to access a keytab for the
user so that it can obtain a service ticket for the service/computer to
which it is trying to connect. This keytab must be created using the user's
account name and password. Manually, this can be performed by using
the Linux/UNIX kinit utility. Likewise, however, does it automatically when
the user logs into the computer. On most systems, the user keytab is
placed in the / t mp directory and named krb5cc_UI D where UI D is the
numeric user ID assigned by the system.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 48/72
Copyright © 2008 Likewise Software. All rights reserved. 48
Product Documentation
Likewise Open: Installation and Administration Guide
Configuring OpenSSH
OpenSSH must be configured at both the client and server computer. On
the client, the ssh_conf i g file (typically, in / et c/ ssh/ ssh_conf i g)
must be modified. On the server, sshd_conf i g (typically, in
/ et c/ ssh/ sshd_conf i g) must be modified.
In the server, the following lines must be present in sshd_conf i g:
GSSAPI Aut hent i cat i on yes
GSSAPI Cl eanupCr edent i al s yes
On the client, these lines must be present in ssh_config:
GSSAPI Aut hent i cat i on yes
GSSAPI Del egateCr edent i al s yes
Likewise adds these lines to the appropriate files if they are not already
present.
Testing SSO
With OpenSSH properly configured, demonstrating SSO support is
simple. Log on a Linux or Unix machine (that is running Likewise) using
Active Directory credentials and then use ssh to connect to another
machine (also running Likewise). OpenSSH should establish a
connection without prompting for a username or password.
FTP
You will need both a GSS-enabled FTP daemon and client. This is part
of the krb5-workstation package. Once installed, you can enable the
daemon by editing the di sabl e line in /et c/ xi net . d/ gssf t p to no
and enabling the xi net d super server service:
Example from Red Hat or Fedora Core:
# def aul t : of f# descr i pt i on: The ker beri zed FTP server accept s FTPconnect i ons \# t hat can be aut hent i cated wi t h Kerber os 5.ser vi ce f t p{
f l ags = REUSEsocket _t ype = st r eam
wai t = nouser = r ootser ver = / usr / ker ber os/ sbi n/ f t pdser ver _args = - l - a
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 49/72
Copyright © 2008 Likewise Software. All rights reserved. 49
Product Documentation
Likewise Open: Installation and Administration Guide
l og_on_f ai l ure += USERI Ddi sabl e = no
}
Example of an FTP single sign-on:
[ j ohnyu@j user - l i nux ~] $ f t p j user - l i nux. cor p. company. comConnected t o j user - l i nux. corp. company. com.220 j user r - l i nux FTP ser ver ( Ver si on 5. 60) r eady.334 Usi ng aut hent i cat i on t ype GSSAPI ; ADAT must f ol l owGSSAPI accepted as aut hent i cat i on t ypeGSSAPI aut hent i cat i on succeededName ( j user- l i nux. cor p. compay. com: j ohnyu) :232 GSSAPI user j geer @CORP. COMPANY. COM i s aut hor i zed as j ohnyuRemote syst emt ype i s UNI X.Usi ng bi nar y mode t o t r ansf er f i l es.f t p>
Log On and Verify Your Kerberos Ticket
To obtain a valid ticket through Likewise, log on through a PAM entry
point such as a non-single sign-on SSH (secure shell) login, the Unix
console, or the X11 display manager (XDM).
Example from Red Hat or Fedora Core:
l ogi n as: j user @corp. company. com j user @cor p. company. com@j geer- l i nux. cor p. cent er i s. com' s
password:Last l ogi n: Mon J ul 2 13: 22: 25 2007 f r oml ocal host . l ocal domai n$ kl i s t Ti cket cache: FI LE: / t mp/ kr b5cc_100013Def aul t pr i nci pal : j user@CORP. COMPANY. COMVal i d start i ng Expi r es Ser vi ce pr i nci pal07/ 02/ 07 13: 26: 24 07/ 02/ 07 23: 26: 44kr bt gt / CORP. COMPANY. COM@CORP. COMPANY. COM
r enew unt i l 07/ 09/ 07 13: 26: 2407/ 02/ 07 13: 26: 44 07/ 02/ 07 23: 26: 44 J USER-LI NUX$@CORP. COMPANY. COM r enew unt i l 07/ 09/ 07 13: 26: 24
Perform an Authenticated LDAP Search Example from Red Hat or Fedora Core system:
$ kl i s t$ l dapsear ch - H l dap: / / cor p. cent er i s. com - Y GSSAPI - b"OU=PM, OU=Bel l evue, DC=cor p, DC=cent er i s, DC=com" "gi venName=J ohn"SASL/ GSSAPI aut hent i cat i on st art edSASL user name: j user @CORP. COMPANY. COMSASL SSF: 56
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 50/72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 51/72
Copyright © 2008 Likewise Software. All rights reserved. 51
Product Documentation
Likewise Open: Installation and Administration Guide
gBnAGUAZQByAC0AdgBhAGkAbzAeFw0wNTA3MDEyMTAwNTRaFw0xMzA3MDEyMTAwN TRaMGQxETAPBg
NVBAceCABNAFMATQBRMQswCQYDVQQKHgI ALTELMAkGA1UECx4CAC0xNTAzBgNVBAMeLABDAE8AUgB
QAFwASgBHAGUAZQByACwAI ABqAGcAZQBl AHI ALQB2AGEAaQBvMFwwDQYJ KoZI hvcNAQEBBQADSwAwSAJ BALj 8sXCwD6vuPTc8A1sY+t FyGL7J F3i Nb85wnEENEl gNHHr cvbj YGRF4sPoA
LHK/ HScf 7z6a8WABkMeRi dMeJ 7UCAwEAATANBgkqhki G9w0BAQQFAANBAI vbTV516CP9gRVp6HnSh
6ht t GO14HXNJ LI Vi 3Ni aZ/ GFVppqzVSBxcFvmGHaVz9BkBOOf j UscK7s92zuUj BQHTl qi FDUhLcZ5
VxWB0zI ZB6hFr j 2RU7J 0GcBdShUuCbLr UBAAAwggGxMI I BW6ADAgECAgSqpVpVMAwGCCqGSI b3DQIFBQAwYDERMA8GA1UEBx4I AE0AUwBNAFExCzAJ BgNVBAoeAgAt MQswCQYDVQQLHgI ALTExMC8GA1UE
Ax4oAEMATwBSAFAAXABKAEcAZQBl AHI ALAAgAGoAZwBl AGUAcgAt AGgAcDAeFw0wNTA4MTgxODEzM
j l aFw0xMzA4MTgxODEzMj l aMGAxETAPBgNVBAceCABNAFMATQBRMQswCQYDVQQKHgI ALTELMAkGA1
UECx4CAC0xMTAvBgNVBAMeKABDAE8AUgBQAFwASgBHAGUAZQByACwAI ABqAGcAZQBl AHI ALQBoAHA
wXDANBgkqhki G9w0BAQEFAANLADBI AkEAsU+XJ 59U0CwI aRUJ GCsnt j M+vaqr 7J / e5zcbTL4EscZu
g5Nl nA7LouRvm ZmqXc+EWb9Mj I Snmvs j 4m4t X0QI FQI DAQABMA0GCSqGSI b3DQEBBAUAA0EAf Fhp9 j o8hGw3aQAccT
1KwqPa6VWDNr LUJ I BYNn2f QWKLmNDb/ N74/ bpHbYNVGn0WXst o0I J 8b8KHNAK4RvM4yQ==mSMQDi gest s: : 5aohQ1I S3GeVcVgdMyGQeg==mSMQDi gest s: : Ec455CcKDcvzQWDt EvwZFA==msNPAl l owDi al i n: TRUEl ast LogonTi mest amp: 128277612716718750# sear ch r esul tsear ch: 4
r esul t : 0 Success# numResponses: 2# numEnt r i es: 1
rlogin
Example from Red Hat or Fedora Core:
# def aul t : of f# descr i pt i on: The kerber i zed r l ogi n server accept s BSD-styl e r l ogi n sessi ons, \# but uses Kerberos 5 aut henti cat i on.ser vi ce kl ogi n{
f l ags = REUSEsocket _t ype = st r eam
wai t = nouser = r ootser ver = / usr / ker ber os/ sbi n/ kl ogi ndserver _ar gs = - 5di sabl e = no
}
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 52/72
Copyright © 2008 Likewise Software. All rights reserved. 52
Product Documentation
Likewise Open: Installation and Administration Guide
Example of rlogin single sign-on:
[ j ohnyu@j user - l i nux ~] $ r l ogi n j user - l i nux. cor p. company. com
Last l ogi n: Mon J ul 2 19: 00: 59 f r om j user - l i nux[ j ohnyu@j user- l i nux ~] $
rsh
You will need both a GSS-enabled rsh daemon and client. This is part of
the krb5 workstation package. Once installed, you can enable the
daemon by editing the di sabl e line in / et c/ xi net . d/ kshel l to no
and enabling the xi net d super server service:
Example from Red Hat or Fedora Core:
# def aul t : of f# descr i pt i on: The ker ber i zed r shel l ser ver accept s rshel lcommands \# aut hent i cated and encr ypt ed wi t h Kerberos 5.ser vi ce kshel l{
f l ags = REUSEsocket _t ype = st r eam
wai t = nouser = r ootser ver = / usr / ker ber os/ sbi n/ kshdserver_ args = - e - 5di sabl e = no
Example of rsh single sign-on:
[ j ohnyu@j user - l i nux ~] $ r sh j user - l i nux. cor p. company. comLast l ogi n: Mon J ul 2 18: 53: 21 f r om j user - l i nux[ j ohnyu@j user - l i nux ~] $ i d
Telnet
Here's an example of single sign-on using telnet:
[ j ohnyu@j user - l i nux ~] $ t el net - a j user - l i nux. cor p. company. com Tr yi ng 127. 0. 0. 2. . .Connect ed to j user - l i nux. cor p. company. com ( 127. 0. 0. 2) .Escape char acter i s ' ] ' .[ Ker beros V5 accepts you as ``j user @CORP. COMPANY. COM' ' ]Last l ogi n: Mon J ul 2 18: 36: 39 f r om l ocal host . l ocal domai n[ j ohnyu@j user - l i nux ~] $ i dui d=100013( j ohnyu) gi d=100000( CORP\ domai n user s)groups=10( wheel ) , 100000( CORP\ domai n user s) , 100005( CORP\ vmadmi ns)cont ext =syst em_u: syst em_r : unconf i ned_t[ j ohnyu@j user- l i nux ~] $
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 53/72
Copyright © 2008 Likewise Software. All rights reserved. 53
Product Documentation
Likewise Open: Installation and Administration Guide
Use Firefox to Single Sign-On Intranet Sites
When logged on an X11 desktop, you have access to GSS-aware
applications such as Mozilla Firefox. Firefox is configured by default tonot attempt a negotiation with any website. To override this behavior,
change net wor k. negot i at e- aut h. del egat i on- ur i s and
net wor k. negot i at e- aut h. t r ust ed- ur i s to include a filter white
list of URIs that the browser will attempt to negotiate a single sign-on
with. Among the broadest may be Error! Hyperlink reference not valid
and Error! Hyperlink reference not valid, which includes all standard web
URIs.
Then, restart the web browser and point to a Windows authenticated web
site, such as Sharepoint.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 54/72
Copyright © 2008 Likewise Software. All rights reserved. 54
Product Documentation
Likewise Open: Installation and Administration Guide
Troubleshooting the Agent
Check Authentication
On the Unix or Linux computer that is joined to the Active Directory
domain, you can check the domain user's information by executing the
following command at the shell prompt. Replace username with the full
domain user name or the single domain user name of the user that you
want to check.
/ usr / cent er i s / bi n/ l wi i nf o – i username
Examples:
• Full domain user name:/ us r / center i s /bi n/ l wi i nf o - i
l i kewi sedemo. com\ \ hoenst i v
• Single domain user name:
/ usr/ cent er i s/ bi n/ l wi i nf o - i l i kewi sedemo\ \ hoenst i v
In the examples, there are two slashes in the user name because the
first is an escape character for the second.
Troubleshoot
If Do this
The wrong information is
returned
Check Active Directory to make
sure the user has an account.
The user is not found Check the status of the
authentication daemon.
The user is found Check whether the same user is
in the / et c/ passwd file. If
necessary, migrate the user.
Check the Status o f the Authentication Daemon
You can check the status of the authentication daemon on a Unix or
Linux computer running the Likewise Agent by executing the following
command at the shell prompt as the root user:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 55/72
Copyright © 2008 Likewise Software. All rights reserved. 55
Product Documentation
Likewise Open: Installation and Administration Guide
/ sbi n/ ser vi ce l i kewi se- open st at us
(On HP-UX, the command is / sbi n/ i ni t . d/ l i kewi se- open
status .)
If the authentication daemon is running, the result should look like this:
l i kewi se- wi nbi ndd ( pi d 30418 30408) i s r unni ng. . .
If the service is not running, execute the following command:
/ sbi n/ ser vi ce l i kewi se- open st ar t
(On HP-UX, the command is / sbi n/ i ni t . d/ l i kewi se- open
start .)
Next, as the root user, check whether the authentication daemon is
communicating with the windbind daemon by executing the following
command:
/ usr / cent er i s / bi n/ l wi i nf o - p
If all is well, the result should look like this:
Pi ng t o wi nbi ndd succeeded on f d 4
Mac OS X
On a Mac OS X computer, you cannot use the status command, butyou can monitor daemon by using Activity Monitor:
1. In Finder, click Appl ications , click Utilities, and then click Ac tivi ty
Monitor .
2. In the list under Process Name, make sure cent er i s. l i kewi se-
open appears. If the process does not appear in the list, you might
need to start it.
3. To monitor the status of the process, in the list under Process
Name, click the process, and then click Inspect.
Check the Version and Build Number
Check the Version Number of the Agent
To check the version number of the Likewise Agent, execute one of the
following commands at the shell prompt:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 56/72
Copyright © 2008 Likewise Software. All rights reserved. 56
Product Documentation
Likewise Open: Installation and Administration Guide
Operating System Command
Linux / usr / center i s / bi n/ l wi i nf o
- - vers i on
or
/ usr / center i s / bi n/ l wi i nf o
- V
Unix / opt / center i s / bi n/ l wi i nf o
- - vers i on
or
/ opt / center i s / bi n/ l wi i nf o
–V
Note: In the shorthand version, the - V must be an uppercase letter.
Check the Build Number of the Agent
On Linux distributions that support RPM -- for example, Red Hat
Enterprise Linux, Fedora, SUSE Linux Enterprise, OpenSUSE, and
CentOS -- you can determine the build number of the agent (4.1.0.xxxx
in the examples below) by executing the following command at the shell
prompt:
r pm - qa | gr ep cent er i s
The result shows the build version after the version number:
cent er i s- aut h- 4. 1. 0- 1. 22813. 2779cent er i s- domai nj oi n- 4. 1. 0- 1. 22813. 2779cent er i s- r pc- 4. 1. 0- 1. 22813. 2779cent eri s- openl dap- 4. 1. 0- 1. 22813. 2779cent er i s- l i bxml 2- 4. 1. 0- 1. 22813. 2779cent er i s- cent ut i l s- 4. 1. 0- 1. 22813. 2779cent er i s- gr ouppol i cy- 4. 1. 0- 1. 22813. 2779
cent er i s- passwor d- pol i cy- 4. 1. 0- 1. 22813. 2779cent er i s- domai nj oi n- gui - 4. 1. 0- 1. 22813. 2779cent er i s- krb5- 4. 1. 0- 1. 22813. 2779cent eri s- passwd- 4. 1. 0- 1. 22813. 2779
On Unix computers and Linux distributions that do not support RPM, the
command to check the build number varies by platform:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 57/72
Copyright © 2008 Likewise Software. All rights reserved. 57
Product Documentation
Likewise Open: Installation and Administration Guide
Platform Command
Debian and Ubuntu dpkg –S / usr / cent er i s/
Solaris pkgi nf o | gr ep - i cent er
AIX l s l pp – l | gr ep cent er i s
HP-UX swl i st | gr ep - i Cent er
Clear the Authentication Cache
There are certain conditions under which you might need to clear the
cache so that a user's ID is recognized on a target computer.
By default, the user's ID is cached for 900 seconds (15 minutes). If you
change a user's UID for a Likewise cell, during the 900 seconds after you
change the UID you must clear the cache on a target computer in the cell
before the user can log on.
For example, if you set the Minimum UID-GID Value group policy to 99
for a OU with an associated Likewise cell that contains a user with a UID
lower than 99, you must change the user's UID so that it is 99 or higher
and then you must clear the cache before the user can log on during the
15-minute period after the change.
If you do not clear the cache after changing the UID, the computer will
find the old UID until after the cache expires:
#i d cent er i sdemo\ \ bl ugosii d: cent er i sdemo\ bl ugosi : No such user
There are three Likewise group policies that can affect the cache time:
• The Winbind Cache Expiration Time, which stores UID-SID mappings,
user/group enumeration lists, get grnam( ) and get pwnam( ) , and so
forth. Its default expiration time is 900 seconds (15 minutes).
• The ID Mapping Cache Expiration Time, which caches the mapping
tables for SIDs, UIDs, and GIDs. Its default is 1 hour.
• The ID Mapping Negative Cache Expiration Time, which stores failed
SID-UID-GID lookups to prevent an overload of resolution requests.
Its default is 5 minutes.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 58/72
Copyright © 2008 Likewise Software. All rights reserved. 58
Product Documentation
Likewise Open: Installation and Administration Guide
Tip: While you are deploying and testing Likewise, set the cache
expiration times of the Winbind Cache Expiration Time and the ID
Mapping Cache Expiration Time policies to a short period of time.
Clear the Cache on a Linux Computer
1. Stop the Likewise authentication daemon by executing the following
command as root (On HP-UX, the path to the command is / sbi n/ i ni t . d):
/ sbi n/ ser vi ce l i kewi se- open st op
2. Clear the cache:
rm - f / var / l i b/ l wi dent i t y/ * tdb
3. Start the Likewise authentication daemon:
/ sbi n/ ser vi ce l i kewi se- open st ar t
After the clearing the cache, the user is recognized:
# i d cent eri sdemo\ \ bl ugosiui d=101( CENTERI SDEMO\ bl ugosi )gi d=100000( CENTERI SDEMO\ domai n user s)gr oups=100000( CENTERI SDEMO\ domai n user s)
Determine a Computer's FQDN
You can determine the fully qualified domain name of a computer
running Linux, Unix, or Mac OS X by executing the following command at
the shell prompt:
pi ng - c 1 `host name`
HP-UX
The command is different on HP-UX:
pi ng `host name` - n 1 Solaris
On Sun Solaris, you can find the FQDN by executing the following
command, but note that the computer's configuration can affect the
results:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 59/72
Copyright © 2008 Likewise Software. All rights reserved. 59
Product Documentation
Likewise Open: Installation and Administration Guide
FQDN= / usr / l i b/ mai l / sh/ check- host name| cut - d" " -
f 7`; echo $FQDN
Fix the Shell and Home Directory Paths
Symptom: A l ocal directory is in the home directory path and the
home directory path does not match the path specified in Active
Directory or in / et c/ passwor d.
Example: / home/ l ocal / DOMAI N/ USER instead of
/ home/ DOMAI N/ USER
The shell might also be different from what is set in Active Directory -- forexample, / bi n/ ksh instead of / bi n/ bash.
Problem: The computer is not in a Likewise cell in Active Directory.
Solution: Ensure that the computer is in a Likewise cell. For more
information, see Associate a Cell with an OU or a Domain, or create a
default cell.
A default cell handles mapping for computers that are not in an OU with
an associated cell. The default cell can contain the mapping information
for all your Linux and Unix computers. For instance, a Linux or Unixcomputer can be a member of an OU that does not have a cell
associated with it. In such a case, the home directory and shell settings
are obtained from the nearest parent cell, or the default cell. If there is no
parent cell and no default cell, the computer will not receive its shell and
home directory paths from Active Directory.
Generate a Network Trace
Execute the following command in a separate session to dump network
traffic as the root user and interrupt the trace with CTRL-C:
t cpdump - s 0 - i eth0 - w t r ace. pcap
The result should look something like this:
t cpdump: l i st eni ng on et h028 packet s r ecei ved by f i l t er0 packet s dr opped by ker nel
Generate a PAM Debug Log
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 60/72
Copyright © 2008 Likewise Software. All rights reserved. 60
Product Documentation
Likewise Open: Installation and Administration Guide
You can generate a debug log for PAM on a Unix or Linux computer
running the Likewise Agent. PAM stands for pluggable authentication
modules.
The location of the configuration and log files in the following procedure
can vary by platform.
1. Log on as root user.
2. Edit / et c/ secur i t y/ pam_l wi dent i t y. conf so that the
following lines are set to yes and are not commented out with either
a number sign or a semicolon:
debug = yes
debug_st at e = yes
The data is sent to syslog.
3. Edit / et c/ sysl og. conf to add the following line:
* . * / var / l og/ al l . l og
Important: You must use a TAB to delimit *. * from
/ var / l og/ al l . l og.
4. Restart syslog by executing the following command at the shell
prompt:
ser vi ce sysl og r est ar t
5. At the command line, execute the following command and note the
time stamp:
dat e
6. Perform a login test for both a local account and an Active Directoryaccount.
7. At the command line, execute the following command again and
note the new time:
dat e
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 61/72
Copyright © 2008 Likewise Software. All rights reserved. 61
Product Documentation
Likewise Open: Installation and Administration Guide
8. Comment out the changes that you made to
/ et c/ secur i t y/ pam_l wi dent i t y. conf and
/ et c/ sysl og. conf in the steps above.
9. Remove all activity from al l . l og that is not between the time
stamps that you noted.
Generate an Authentication Agent Debug Log
1. Log in as root user.
2. Modify the file / et c/ samba/ l wi aut hd. conf to include the
following: [ gl obal ]
l og l evel = 10
3. Restart the Likewise authentication daemon by executing the
following command from the command line (On HP-UX, the path to
the command is / sbi n/ i ni t . d):
/ sbi n/ ser vi ce l i kewi se- open r est ar t
The result should look like this:
St oppi ng l i kewi se- wi nbi ndd: [ OK ]
St ar t i ng l i kewi se- wi nbi ndd: [ OK ]
4. After some activity, comment out the l og l evel line and restart
the daemon.
Important: If you do not comment out the log level and then restart
the daemon, you might run into disk space issues over time.
The log files will appear in / var / l og/ l wi dent i ty.
Increase Max Username Length on AIX
By default, AIX is not configured to support long user and group names,
which might present a conflict when you try to log on with a long Active
Directory username. To increase the max username length on AIX 5.3,
use the following syntax:
# chdev - l sys0 - a max_l ogname=MaxUser NameLengt h+1
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 62/72
Copyright © 2008 Likewise Software. All rights reserved. 62
Product Documentation
Likewise Open: Installation and Administration Guide
Example:
# chdev - l sys0 - a max_l ogname=255
This command allocates 254 characters for the user and 1 for the
terminating null.
The safest value that you can set max_ l ogname to is 255.
You must reboot for the changes to take effect:
# shut down –Fr
Note: AIX 5.2 does not support increasing the maximum user name
length.
Make Sure Outbound Ports Are Open
If you are using local firewall settings, such as i pt abl es , on a computer
running the Likewise agent, make sure the following ports are open for
outbound traffic.
Note: The Likewise Agent is a client only; it does not listen on any ports.
Port Protocol Use
53 UDP/TCP DNS
88 UDP/TCP Kerberos 5
123 UDP NTP
137 UDP NetBIOS Name
Service
139 TCP NetBIOS Session
(SMB)
389 UDP/TCP LDAP
445 TCP SMB over TCP
464 UDP/TCP Machine passwordchanges (typically after
30 days)
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 63/72
Copyright © 2008 Likewise Software. All rights reserved. 63
Product Documentation
Likewise Open: Installation and Administration Guide
Resolve an AD Alias Conflict with a Local Account
When you use Likewise to set an Active Directory alias for a user, the
user can have a file-ownership conflict under the following conditions ifthe user logs on with the AD account:
• The AD alias is the same alias as the original local account name.
• The home directory assigned to the user in Active Directory is the
same as the local user's home directory.
• The owner UID-GID of the AD account is different from that of the
local account.
To avoid such conflicts, by default Likewise includes the short ADdomain name in each user's home directory. If the conflict nevertheless
occurs, there are two options to resolve it:
1. Make sure that the UID assigned to the user's AD alias is the same
as that of the user's local account. See Specify a User's ID and Unix
or Linux Settings.
2. Log on as root and use the chown command to recursively change
the ownership of the local account's resources to the AD user alias.
Change Ownership
Log on the computer as root and execute the following commands:
cd <users home di r ect ory r oot >
chown –R <AD user UI D>: <AD pr i mar y gr oup I D> *. *
Or: chown –R <shor t domai n name>\ \ <account
name>: <shor t domai n name>\ \ <AD gr oup name> *. *
Restart the Authentication Daemon
Linux and UnixYou can restart the authentication daemon by executing the following
command at the shell prompt:
/ sbi n/ ser vi ce l i kewi se- open r est ar t
To stop the daemon, enter the following command:
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 64/72
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 65/72
Copyright © 2008 Likewise Software. All rights reserved. 65
Product Documentation
Likewise Open: Installation and Administration Guide
1. When you join a non-global zone to AD, you will receive an error as
Likewise attempts to synchronize the Solaris clock with AD. This is
because the root user of the non-global zone does not have root access
to the underlying (global) system, and therefore cannot set the system
clock.
If the clocks are within the five minute spread required by Kerberos, this
will not be an issue. If this is not the case, you can resolve this issue by
manually setting the clock in the global zone to match AD, or by joining
the global zone to AD before joining the non-global zone.
2. Cached credentials are not supported for non-global zones. This will
also prevent authenticated logins from succeeding, unless you disable
the cached credentials (‘su’ from root will work with or without cachedcredentials)
To disable cached credentials, edit the /etc/security/pam_lwidentity.conf
file in the non-global zone, commenting out the following line:
cached_login = yes
You comment this line out by putting a semi-colon (;) at the beginning of
the line.
3. If you create a new global zone after installing the Likewise product,
you may receive errors similar to the following:
Installation of these packages generated errors: <CenterisLibXML2
CenterisOpenLDAP CenterisKrb5 CenterisExpat CenterisGroupPolicy
CenterisAuth CenterisDomainJoin>
Installation of these packages generated warnings: <SMCx11vnc
NXnode NXserver>
The file </zones/zone02/root/var/sadm/system/logs/install_log> contains
a log of the zone installation.
The ‘install_log’ file will show issues related to the packages requiring
user interaction. This interaction is simply pkgadd asking if you are sure
you want to over-write the package files that already exist in the global
zone.
You may safely ignore these messages, since the required files are
already installed in the shared file spaces.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 66/72
Copyright © 2008 Likewise Software. All rights reserved. 66
Product Documentation
Likewise Open: Installation and Administration Guide
4. Some group policies may log PAM errors in the non-global zones even
though they function as expected. Cron is one example, as shown below:
Wed Nov 7 16:26:02 PST 2007 Running Cronjob 1 (sh)
Nov 7 16:26:01 zone01 last message repeated 1 time
Nov 7 16:27:00 zone01 cron[19781]: pam_lwidentity(cron): request failed
Depending on the group policy, these errors may be due to file access
permissions, attempts to write to read-only file spaces, or both.
5. By default, Solaris displays ‘auth.notice’ syslog messages on the
system console. Some versions of Likewise generate significant
authentication traffic on this facility/priority level, which may cause anundesirable amount of ‘chatter’ on the console, and/or mangle the
graphic desktop.
To redirect this traffic to a file instead of being displayed on the console,
edit your /etc/syslog.conf file as follows:
Change this:
*.err;kern.notice;auth.notice /dev/sysmsg
To this:
*.err;kern.notice /dev/sysmsg
auth.notice /var/adm/authlog
Make sure that you use tabs, not spaces, to separate the facility.priority
information (on the left) from the action field (on the right). Using spaces
will cause Syslog to ignore the entire line.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 67/72
Copyright © 2008 Likewise Software. All rights reserved. 67
Product Documentation
Likewise Open: Installation and Administration Guide
Configuring the Agent
Configure nsswitch.conf
Before you attempt to join an Active Directory domain, make sure the
nsswi t ch. conf file contains the following line:
hosts: f i l es dns
Computers running Solaris, in particular, may not contain this line in
nsswi t ch. conf .
Configure resolv.conf
Before you attempt to join an Active Directory domain, make sure that
r esol v. conf on your Linux, Unix, or Mac client includes a DNS server
that can resolve Srv records for your domain.
Set the Home Directory and Shell for Domain Users
When you use Likewise by installing it only on a Linux, Unix, or Mac
computer and not on Active Directory, you cannot associate a Likewise
cell with an organizational unit, and thus you have no way to define a
home directory or shell in Active Directory for users who log on the
computer with their domain credentials.
To set the home directory and shell for a computer that is using LikewiseOpen or Likewise Enterprise without cell, edit the following configuration
file:
/ et c/ samba/ l wi aut hd. conf
Modify the following lines to set the shell and home directory that you
want:
t empl ate shel l =
t empl at e homedi r =
Examples:
t empl at e shel l = / bi n/ bash
t empl at e homedi r = / home/ l ocal / %D/ %U
When you set the default home directory, you must use the default user
name variable (%U). You may specify the default domain name by using
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 68/72
Copyright © 2008 Likewise Software. All rights reserved. 68
Product Documentation
Likewise Open: Installation and Administration Guide
the domain name variable (%D) but, unlike the user name variable, it is
not required.
All the users who log on the computer by using their Active Directory
domain credentials will have the shell and home directory that you set.
Note: / bi n/ bash might not be available on all systems.
Important: On Solaris, you cannot create a local home directory in
/ home, because / home is used by autofs, Sun's automatic mounting
service. The standard on Solaris is to create local home directories in
/ expor t / home.
If you set the shell and home directory both in Active Directory and in
l wi aut hd. conf , the settings in Active Directory -- which appear on thetarget computer in / et c/ secur i t y/ pam_l wi dent i t y. conf -- take
precedence.
.
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 69/72
Copyright © 2008 Likewise Software. All rights reserved. 69
Product Documentation
Likewise Open: Installation and Administration Guide
Platform Support
Likewise supports a broad range of platforms. Likewise Software is constantly adding new vendors anddistributions to the following list. To get the latest list of supported platforms, go to
www.likewisesoftware.com.
SupportedVendor Distribution
32‐bit 64‐bit
SuSE Linux Desktop 8.2 Yes ‐
SuSE Linux Desktop 9.0 Yes ‐
SuSE Linux Desktop 9.1 Yes Yes
SuSE Linux Desktop 9.2 Yes Yes
SuSE Linux Desktop 9.3 Yes Yes
SuSE Linux Enterprise Desktop 10.0 Yes Yes
OpenSuSE Linux 10.0 Yes Yes
OpenSuSE Linux 10.1 Yes Yes
OpenSuSE Linux
10.2
Yes
Yes
SuSE Linux Enterprise Server 9.0 Yes Yes
SuSE
SuSE Linux Enterprise Server 10.0 Yes Yes
Red Hat Enterprise Linux AS 2.1 Yes ‐
Red Hat Enterprise Linux ES 2.1 Yes ‐
Red Hat Enterprise Linux WS 2.1 Yes ‐
Red Hat
Enterprise
Linux
AS
3.0
Yes
Yes
Red Hat Enterprise Linux ES 3.0 Yes Yes
Red Hat Enterprise Linux WS 3.0 Yes Yes
Red Hat
Red Hat Enterprise Linux AS 4.0 Yes Yes
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 70/72
Copyright © 2008 Likewise Software. All rights reserved. 70
Product Documentation
Likewise Open: Installation and Administration Guide
Red Hat Enterprise Linux ES 4.0 Yes Yes
Red Hat Enterprise Linux WS 4.0 Yes Yes
Red Hat Enterprise Linux 5.0 Yes Yes
Red Hat Enterprise Linux 5.0 Desktop Yes Yes
Red Hat Enterprise Linux 5.0 Advanced Platform Yes Yes
Red Hat Linux 7.2 Yes ‐
Red Hat Linux 7.3 Yes ‐
Red Hat
Linux
8
Yes ‐
Red Hat Linux 9 Yes ‐
Fedora Core 3 Yes ‐
Fedora Core 4 Yes Yes
Fedora Core 5 Yes Yes
Fedora Core 6 Yes Yes
Fedora
Fedora Core
7
Yes
Yes
CentOS 4.0 Yes Yes
CentOS 4.1 Yes Yes
CentOS 4.2 Yes Yes
CentOS 4.3 Yes Yes
CentOS 4.4 Yes Yes
CentOS
CentOS 5.0 Yes Yes
Debian Debian Linux 3.1 Yes Yes
Ubuntu Ubuntu Desktop 6.06 Yes Yes
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 71/72
Copyright © 2008 Likewise Software. All rights reserved. 71
Product Documentation
Likewise Open: Installation and Administration Guide
Ubuntu Desktop 6.10 Yes Yes
Ubuntu Server 6.06 Yes Yes
Ubuntu Server 6.10 Yes Yes
Ubuntu Desktop 7.04 Yes Yes
Solaris 8 (SPARC) Yes Yes
Solaris 8 x86 Yes Yes
Solaris 9 (SPARC) Yes Yes
Solaris 9 x86
Yes
Yes
Solaris 10 (SPARC) ‐ Yes
Open Solaris ‐ Yes
Sun
Solaris 10 x86 ‐ Yes
AIX 5L 5.2 Yes Yes AIX
AIX 5L 5.3 Yes Yes
HP‐UX
11.11
PA
‐RISC
‐Trusted
Mode
‐Yes
HP‐UX 11.11 PA‐RISC – Untrusted Mode ‐ Yes
HP‐UX 11.23 Itanium ‐ Trusted Mode ‐ Yes HP
HP‐UX 11.23 Itanium – Untrusted Mode ‐ Yes
OS X v10.4 PPC Yes Yes
OS X v10.5 PPC and x86 Yes Yes
OS X Server v10.4 PPC Yes Yes Apple
OS X v10.4 x86 Yes Yes
7/26/2019 2912769 Likewise Open Guide
http://slidepdf.com/reader/full/2912769-likewise-open-guide 72/72
Product Documentation
Likewise Open: Installation and Administration Guide
Get Technical Support
For technical support, please visit the Likewise Open community Webpage at http://www.likewisesoftware.com/community/. You can use the
page to join the Likewise Open mailing list to discuss Likewise Open with
other users and developers.
You can also obtain paid support from Likewise Software by visiting
http://www.likewisesoftware.com/support/ or writing to
ABOUT LIKEWISE SOFTWARE
Likewise Software is an open source company that provides audit and authenticationsolutions designed to improve security, reduce operational costs and helpdemonstrate regulatory compliance in mixed network environments. Likewise Open
allows large organizations to securely authenticate Linux UNIX and Mac systems