2912769 Likewise Open Guide

7/26/2019 2912769 Likewise Open Guide

http://slidepdf.com/reader/full/2912769-likewise-open-guide 1/72

9

Copyright © 2008 Likewise Software. All rights reserved. 04.10.2008.

Product Documentation

Likewise Open

Likewise Open Installation

And Administration GuideIN THIS DOCUMENT

• Downloading Likewise Open.

• Installing the Likewise Open Agent.

• Joining an Active Directorydomain.

• Managing and troubleshootingthe agent.

Abst ract

Likewise Open joins Linux, Unix, and Mac OS X computers to Microsoft

Active Directory so that you can centrally manage all your computers,

authenticate users, and authorize access to resources. This guide

describes how to install and administer Likewise Open, an open source

version of Likewise that includes the Likewise Agent. The guide covers

installing the agent, joining an Active Directory domain, and troubleshootin

the agent.

Likewise Open is free to download and use according to the terms of the

GNU General Public License.



9

Copyright © 2008 Likewise Software. All rights reserved. 2


Likewise Open: Installation and Administration Guide

The information contained in this document represents the current view of Likewise

Software on the issues discussed as of the date of publication. Because Likewise

Software must respond to changing market conditions, it should not be interpreted to be a

commitment on the part of Likewise, and Likewise Software cannot guarantee the

accuracy of any information presented after the date of publication.

These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES

NO WARRANTIES, EXPRESS OR IMPLIED.

Complying with all applicable copyright laws is the responsibility of the user. Without

limiting the rights under copyright, no part of this document may be reproduced, stored in,

or introduced into a retrieval system, or transmitted in any form, by any means

(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,

without the express written permission of Likewise Software.

Likewise may have patents, patent applications, trademarks, copyrights, or other

intellectual property rights covering subject matter in this document. Except as expressly

provided in any written license agreement from Likewise, the furnishing of this document

does not give you any license to these patents, trademarks, copyrights, or other

intellectual property.

Likewise Open is an open source, community project sponsored by Likewise Software to

provide fast and easy integration into networks using Microsoft Active Directory. Likewise

Open is licensed under Version 3 of the GNU General Public License so you can

download it for free.

© 2008 Likewise Software. All r ights reserved.

Likewise and the Likewise logo are either registered trademarks or trademarks of

Likewise Software in the United States and/or other countries. All other trademarks are

property of their respective owners.

Likewise Software

15395 SE 30th Place, Suite #140

Bellevue, WA 98007

USA



9




Table of Contents

INTRODUCTION............................................................................6

The Likewise Agent ............................................................................................6

Time Synchronization .......................................................................................7

Using a Network Time Protocol Server.............................................................8

CHECKING SYSTEM HEALTH BEFORE INSTALLATION........10

INSTALLING THE AGENT ..........................................................13

Requirements ....................................................................................................13

Administrator Privileges ..................................................................................13

Active Directory Requirements .......................................................................13

Unix and Linux Requirements for the Agent ...................................................13

Overview of the Installation Process ..............................................................13

Download Likewise Open.................................................................................14

Install the Agent on a L inux Computer ...........................................................14

Install the Agent on a Mac Computer .............................................................15

Install the Agent on a Mac in Unattended Mode ............................................16

Using Command-Line Tools to Deploy Agents .............................................17

Upgrade to the Latest Agent............................................................................18

Uninstall the Agent on a Linux or Unix Computer.........................................18

Uninstall BitRock Installations on Linux ..........................................................18

Uninstall BitRock Installations on Unix ...........................................................19

Uninstall the Agent on a Mac...........................................................................19

JOINING ACTIVE DIRECTORY ..................................................20

Removing a Computer from a Domain ...........................................................20

Files Modi fied During a Domain Join ..............................................................20

Join Acti ve Directory wi th the Command Line ..............................................21

Join a Linux Computer to Active Directory......................................................22

Join a Unix Computer to Active Directory .......................................................22

Join a Mac Computer to Active Directory .......................................................22

Join a Linux Computer to an Organizational Unit ...........................................23

Options and Basic Commands........................................................................23

Options............................................................................................................23

Basic Commands............................................................................................24

Advanced Commands ......................................................................................25

Preview the Stages of the Domain Join for Your Computer ...........................25

Check Required Configurations......................................................................26

View Details about a Module ..........................................................................27

Turn On or Turn Off Domain Join Modules.....................................................28

Join Act ive Directory Without Changing /etc/hosts ......................................29



9




If the Computer Fails to Join the Domain .......................................................29

Join a Mac Computer to Acti ve Directory ......................................................30

Instal l the Domain Join GUI .............................................................................31

Uninstal l the Domain Join GUI ........................................................................33

Join a Linux Computer to Active Directory with the GUI..............................33

Use Likewise with a Single OU........................................................................36

Join a Linux Computer to an Organizational Unit ...........................................36

Set the Home Directory and Shell for Domain Users ....................................37

Log On a JoinedComputer with Active Directory Credentials .....................38

Rename a Joined Computer ............................................................................39

Rename a Computer by Using the Command-Line Tool................................39

Rename a Computer by Using the Domain Join Tool ....................................40

Leave a Domain .................................................................................................42

The Computer Account in Active Directory.....................................................42

Remove a Linux Computer from a Domain ....................................................43

Remove a Unix Computer from a Domain ......................................................43

Remove a Mac from a Domain .......................................................................43

Remove a Mac with the Command Line.........................................................43

USING SINGLE SIGN ON............................................................44

Configure SSH for SSO ....................................................................................46

FTP .....................................................................................................................48

Log On and Verify Your Kerberos Ticket .......................................................49

Perform an Authenticated LDAP Search ........................................................49

rlogin ..................................................................................................................51

rsh.......................................................................................................................52

Telnet..................................................................................................................52

Use Firefox to Single Sign-On Int ranet Sites .................................................53

TROUBLESHOOTING THE AGENT ...........................................54

Check Authent ication .......................................................................................54

Troubleshoot ...................................................................................................54

Check the Status o f the Authentication Daemon ..........................................54

Mac OS X........................................................................................................55

Check the Vers ion and Bui ld Number ............................................................55

Check the Version Number of the Agent ........................................................55

Check the Build Number of the Agent ............................................................56

Clear the Authent ication Cache ......................................................................57

Clear the Cache on a Linux Computer ...........................................................58

Determine a Computer's FQDN .......................................................................58

HP-UX.............................................................................................................58

Solaris .............................................................................................................58

Fix the Shell and Home Directory Paths.........................................................59

Generate a Network Trace................................................................................59

Generate a PAM Debug Log.............................................................................59



9




Generate an Authent ication Agent Debug Log ..............................................61

Increase Max Username Leng th on AIX .........................................................61

Make Sure Outbound Ports Are Open ............................................................62

Resolve an AD Al ias Conflict with a Local Account .....................................63

Change Ownership .........................................................................................63

Restart the Authentication Daemon................................................................63

Linux and Unix ................................................................................................63

HP-UX.............................................................................................................64

Mac OS X........................................................................................................64

Working with Solaris Zones.............................................................................64

CONFIGURING THE AGENT ......................................................67

Configure nsswitch.conf ..................................................................................67

Configure resolv.conf .......................................................................................67

Set the Home Directory and Shell for Domain Users ....................................67

PLATFORM SUPPORT ...............................................................69

GET TECHNICAL SUPPORT......................................................72



9




Introduction

Likewise Open is an agent that runs on Linux, Unix, and Mac OS Xcomputers so that you can join them to Microsoft Active Directory and

authenticate users in the same way on all your systems.

This guide describes how to install Likewise Open, join computers

running Linux, Unix, or Mac OS X to Microsoft Active Directory, and

manage the Likewise Open Agent.

Likewise Open is free to download and use according to the terms of the

GNU General Public License. To download Likewise Open or obtain the

source code, go to

http://www.likewisesoftware.com/products/likewise_open/ .

The target audience for this document is network directory administrators

who manage access to workstations, servers, and other network

resources within Active Directory. The guide assumes that you know how

to administer Active Directory as well as computers running Linux, Unix,

and Mac OS X.

The Likewise Agent

The agent is installed on Linux and Unix computers and integrates with

the core operating system to implement the mapping for any application

that uses the name service (NSS) or pluggable authentication module

(PAM). An example of a PAM-aware application is the login process

(/bi n/ l ogi n).

The agent acts as a Kerberos 5 client for authentication and as a LDAP

client for authorization.

The Likewise agent has the following daemon:

Agent Daemon Descript ion

Linux: /etc/init.d/likewise-open

Unix: /sbin/init.d/likewise-open

The Likewise authentication

daemon. It handles

authentication, authorization,

caching, and idmap lookups.

The agent also includes two libraries:

• The NSS library: l wi dent i t y. so



9




• The PAM library: pam_l wi dent i t y. so

The agent uses the following ports for outbound traffic. The agent is a

client only; it does not listen on any ports.

Port Protocol Use

53 UDP/TCP DNS

88 UDP/TCP Kerberos

123 UDP NTP

137 UDP NetBIOS Name

Service

139 TCP NetBIOS Session

(SMB)

389 UDP/TCP LDAP

445 TCP SMB over TCP

464 UDP/TCP Machine password

changes (typicallyafter 30 days)

Time Synchronization

For the Likewise agent to communicate over Kerberos with the domain

controller, the clock of the client must be within the domain controller's

maximum clock skew, which is 300 seconds, or 5 minutes, by default.

(For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-

1.4.2/doc/krb5-admin/Clock-Skew.html.)

The clock skew tolerance is a server-side setting. When a client

communicates with a domain controller, it is the domain controller's

Kerberos Key Distribution Center that determines the maximum clock

skew. Changing the maximum clock skew in the client's krb5. conf file

does not affect the clock skew tolerance of the domain controller and will

not unable a client outside the domain controller's tolerance to

communicate with it.



9




The clock skew value that is set in the kr b5. conf file of Linux, Unix,

and Mac OS X computers is only useful when the computer is

functioning as a server for other clients.

The domain controller uses the clock skew tolerance to prevent replay

attacks by keeping track of every authentication request within the

maximum clock skew. Authentication requests outside the maximum

clock skew are discarded. When the server receives an authentication

request within the clock skew, it checks the replay cache to make sure

the request is not a replay attack.

For more information, see the following resources:

• Kerberos Authentication Tools and Settings:

http://technet2.microsoft.com/windowsserver/en/library/b36b8071-

3cc5-46fa-be13-280aa43f2fd21033.mspx

• Authentication Errors Caused by Unsynchronized Clocks:

http://technet2.microsoft.com/windowsserver/en/library/6ee8470e-

a0e8-40b2-a84f-dbec6bcbd8621033.mspx

• Kerberos Technical Supplement for Windows:

http://msdn2.microsoft.com/en-us/library/aa480609.aspx

• The Kerberos Network Authentication Service (V5) RFC:

http://www.ietf.org/rfc/rfc4120.txt

• Troubleshooting Kerberos Errors:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

• Kerberos and LDAP Troubleshooting Tips:

http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigr

ation/unix/usecdirw/17wsdsu.mspx

Using a Network Time Protocol Server

If you set the system time on your computer with a Network Time

Protocol (NTP) server, the time value of the NTP server and the time

value of the domain controller could exceed the maximum skew. As a

result, you will be unable to log on your computer.

If you use an NTP server with a cron job, there will be two processes

trying to synchronize the computer's time -- causing a conflict that will

change the computer's clock back and forth between the time of the two

sources.



9




Likewise recommends that you configure your domain controller to get its

time from the NTP server and configure the domain controller's clients to

get their time from the domain controller.



9




Checking System Health Before Installation

The following table lists items each item to check, describes the item,and suggests corrective action.

Item to Check Corrective Action

Type of operating system Install the agent on a computer that is running a supported operating

system.

Processor type Install the agent on a computer with a supported processor.

Disk usage Increase the amount of disk space available to / opt or / usr .

Contents of / et c/ *rel ease (for

AIX, to determine the osl evel )

Install the agent on a computer that is running a supported operating

system and version.

Network interface and its status Configure the computer so that it has network access and can

communicate with the domain controller.

Contents of the IP routing table If the computer does not use a single default gateway, you must

define a route to a single default gateway.

For example, you can run the r out e - n to view the IP routing table

and set a static route. For more information, see the man pages foryour system.

On Solaris, you may need to create or edit / et c/ def aul t r out er .

On Linux, you can set the default gateway by running the network

utility for your distribution.

Connectivity to the default

gateway

Configure the computer and the network so that the computer can

connect to the default gateway.

Contents of nsswi t ch. conf (or,for AIX, net svc. conf )

The nsswi t ch. conf file must contain the following line:

hosts: f i l es dns

Computers running Solaris, in particular, may not contain this line in nsswi t ch. conf .



9




Item to Check Corrective Action

FQDN Make sure the computer's FQDN is correct in / et c/ hosts .

You can determine the fully qualified domain name of a computer

running Linux, Unix, or Mac OS X by executing the following

command:

pi ng - c 1 `host name`

On HP-UX:

pi ng `host name` - n 1

On Solaris:

FQDN= / usr / l i b/ mai l / sh/ check- host name| cut - d" " -f 7`; echo $FQDN

This command prompts the computer to look up the primary host

entry for its hostname. In most cases, it looks for its hostname in

/ et c/ host s, returning the first FQDN name on the same line. So,

for the hostname qaser ver , here's an example of a correct entry in

/ et c/ host s:

10. 100. 10. 10 qaserver . cor pqa. cent er i s. com qaserver

If, however, the entry in / et c/ hosts incorrectly lists the hostname(or anything else) before the FQDN, the computer's FQDN becomes,

using the malformed example below, qaser ver :

10. 100. 10. 10 qaserver qaserver . cor pqa. cent er i s. com

If the host entry cannot be found in / et c/ hosts , the computer looks

for the results in DNS instead. This means that the computer must

have a correct A record in DNS. If the DNS information is wrong and

you cannot correct it, add an entry to / et c/ hosts .

IP address of local NIC Either update DNS or change the local IP address so that the IP

address of the local network card matches the IP address returned by

DNS for the computer.

Contents of r esol v. conf Compare against the results of the items checked next.

DNS query results for system Either update DNS or change the local IP address so that the IP






Installing the Agent

Requirements

This section lists the requirements to use Likewise Open. You must have

at least the following components:

1. An Active Directory domain controller.

2. One or more Unix, Linux, or Mac OS X computers that Likewise

Open supports.

Administrator Privileges

• Root access or sudo permission on the Unix, Linux, and Mac OS X

computers on which you want to install Likewise Open.

• Active Directory credentials that allow you to add computers to an

Active Directory domain -- for example, membership in the Domain

Administrators security group or the Enterprise Administrators security

group.

Active Directory Requirements

• Windows 2003 SP1 or R2 Standard and Enterprise

• Windows 2000 SP4 Server

Unix and Linux Requirements for the Agent

• An operating system that Likewise Open supports, such as versions

of Mac OS X, Red Hat, SUSE Linux, Fedora, CentOS, Debian,

Solaris, AIX, HP-UX, and Ubuntu. For a complete list of supported

platforms, see the list of supported platforms later in this guide.

Overview of the Installation Process

The installation process typically proceeds in the following order:

1. Make sure your computers meet the installation requirements.

2. Download the Likewise Open installation package from the Likewise

Software web site at http://www.likewisesoftware.com/community/.

3. Install Likewise Open on each Unix, Linux, or Mac OS X computer

that you want to join to the Active Directory domain.






the transfer. Most FTP clients default to AUTO or ASCII, but the

installer includes some binary code that will become corrupted if

you do not use binary mode.

3. As the root user or with sudo permission, modify the execute bit on

the installer by executing the following command at the shell prompt

on the Linux or Unix computer:

chmod a+x / t mp/ Li kewi se*

4. To launch the installer, at the shell prompt, execute the following

command:

/ t mp/ Li kewi se*

5. Follow the instructions in the installation wizard.

Install the Agent on a Mac Computer

To install the Likewise Agent on a computer running Mac OS X, you

must have administrative privileges on the Mac. Likewise supports Mac

OS X 10.4 or later.

1. Log on the Mac with a local account.

2. On the Apple menu , click System Preferences.

3. Under Internet & Network, click Sharing, and then select the

Remote Login check box.

4. Go to http://www.likewisesoftware.com/support/ and download to

your desktop the Likewise Agent installation package for your Mac.

Important: To install the agent on an Intel-based Mac, use the i386

version of the . dmg package. To install the agent on a Mac that

does not have an Intel chip, use the powerpc version of the . dmg

package.

5. On the Mac computer, go to the Desktop and double-click the

Likewise . dmg file.






6. In the Finder window that appears, double-click the Likewise . mpkg

file.

7. Follow the instructions in the installation wizard.

When the wizard finishes installing the package, which includes the

Likewise Agent, you are ready to join the Mac to the Active Directory

domain.

Install the Agent on a Mac in Unattended Mode

The Likewise command-line tools can remotely deploy the shell version

of the Likewise agent to multiple Mac OS X computers, and you can

automate the installation of the agent by using the installation command

in unattended mode.

The commands used in this procedure require at least administrative

privileges to run.

Important: For Intel-based Macs, use the i386 version of the . dmg

installer; for example: Li kewi seOpen- 4. 1. 0. 2779- i 386. dmg. For

Macs that do not have Intel chips, use the powerpc version of the . dmg

installer; for example: Li kewi seOpen- 4. 1. 0. 2779- powerpc. dmg

The procedure below assumes you are installing the agent on an i386

Mac; if you are installing on a powerpc, replace the i386 installer with thepowerpc installer.

1. Use SSH to connect to the target Mac OS X computer and then use

SCP to copy the . dmg installation file to the desktop of the target

Mac or to a location that can be accessed remotely. The rest of this

procedure assumes that you copied the installation file to the

desktop.

2. On the target Mac, open Terminal and then use the hdi ut i l

mount command to mount the . dmg file under Vol umes :

/ usr / bi n/ hdi ut i l mount Deskt op/ Li kewi seOpen-

4. 1. 0. 2779- i 386. dmg

3. Execute the following command to open the .mpkg volume:

/ usr / bi n/ open Vol umes/ Li kewi seOpen- 4. 1. 0. 2779- i 386






4. Execute the following command to install the agent:

sudo i nst al l er - pkg / Vol umes/ Li kewi seOpen-

4. 1. 0. 2779- i 386/ Li kewi seOpen- 4. 1. 0. 2779- i 386. mpkg

- t ar get Local Syst em

Note: For more information about the i ns tal l er command, in

Terminal execute the following command:

man i nst al l er

5. To join the domain, execute the following command in the Terminal,

replacing domai nName with the FQDN of the domain that you want

to join and j oi nAccount with the user name of an account that hasprivileges to join computers to the domain:

sudo / opt / cent er i s/ bi n/ domai nj oi n- c l i j oi n

domai nName j oi nAccount

Example: sudo / opt / cent er i s/ bi n/ domai nj oi n- cl i j oi n

cent er i sdemo. com Admi ni st r at or

Terminal prompts you for two passwords: The first is for a user

account on the Mac that has admin privileges; the second is for the

user account in Active Directory that you specified in the joincommand.

Note: You can also add the password for joining the domain to the

command, but Likewise recommends against this approach because

another user could see and intercept the full command that you are

running, including the password:


domai nName j oi nAccount j oi nPassword


cent er i sdemo. com Admi ni st r ator Your PasswordHer e

Using Command-Line Tools to Deploy Agents

The Likewise command-line tools can help deploy the Likewise agent to

multiple computers or install the agent remotely.






You can use the command-line tools to automatically install the agent,

join the computer to a domain, and obtain credentials. For example, you

can automate the installation of the agent by using the installation

command in unattended mode:

# . / Li kewi seOpen- 4. 1. 0. 2513- l i nux- x86_64- r pm- i nst al l er - - modeunat t ended

For Unix and Linux hosts, you can run the installer from the shell prompt

with no special treatment. The installer detects that it is running in

character mode and displays a character mode user interface, or you

can force it into character mode with the option - - mode text :

# . / Li kewi seOpen- 4. 1. 0. 2513- l i nux- x86_64- r pm- i nst al l er - - modetext

After you have installed the agent on Linux computers, additional

command-line tools are in / usr / cent er i s / bi n.

On Unix and Mac OS X computers, the command-line tools are in

/ opt / cent er i s / bi n.

Upgrade to the Latest Agent

To upgrade to the latest version of the Likewise agent, it is

recommended that you first leave the domain and uninstall the current

agent.

Uninstall the Agent on a Linux or Unix Computer

Uninstall BitRock Installations on Linux

On a Linux computer, you can uninstall the Likewise Agent from the

command line if you originally installed the agent with the BitRock

installer.

Note: Execute the uni nst al l command from a directory other than

cent er i s so that the uninstall program can delete the cent er i s

directory and all its subdirectories. For example, execute the command

from the root directory.

• To uninstall the agent on a Linux computer running Likewise

Enterprise, run the following command as root:

/ usr/ cent er i s/ set up/ l we/ uni nst al l

• To uninstall the agent on a Linux computer running Likewise Open,

run the following command as root:






/ usr/ cent er i s/ set up/ l wo/ uni nst al l

Uninstall BitRock Installations on Unix

On a Unix computer, you can uninstall the Likewise Agent from the

command line if you originally installed the agent with the BitRock

installer.

Note: Execute the uni nst al l command from a directory other than

cent er i s so that the uninstall program can delete the cent er i s

directory and all its subdirectories. For example, execute the command

from the root directory.

• To uninstall the agent on a Unix computer running Likewise

Enterprise, run the following command as root:

/ opt / cent er i s/ set up/ l we/ uni nst al l

• To uninstall the agent on a Unix computer running Likewise Open, run

the following command as root:

/ opt / cent er i s/ set up/ l wo/ uni nst al l

Uninstall the Agent on a Mac

On a Mac computer, you must uninstall the Likewise agent by using theTerminal.

1. Log on the Mac by using a local account with privileges that allow

you to use sudo.

2. Open a Terminal window: In Finder, on the Go menu, click Utilities,

and then double-click Terminal.

3. At the Terminal shell prompt, execute the following command:

sudo / opt / cent er i s / bi n/ l wi - uni nstal l . sh






Joining Active Directory

When Likewise joins a computer to a domain, it uses the hostname ofthe computer to create the name of the computer object in Active

Directory. From the hostname, the Likewise Domain Join Tool attempts

to derive a fully qualified domain name.

By default, the domain join tool creates the Linux and Unix machine

accounts in the default Computers container within Active Directory.

You can, however, choose to create machine accounts in Active

Directory before you join your Unix, Linux, and Mac OS X computers to

the domain. When you join a computer to a domain by running the

Domain Join Tool, Likewise associates the Unix or Linux host with thepre-existing machine account. If no match is found, Likewise creates a

machine account.

On Linux computers, the domain join command-line utility --

domai nj oi n- cl i -- is in / usr / cent er i s / bi n. On Unix and Mac OS

X computers, it is in / opt / cent er i s / bi n.

Removing a Computer from a Domain

You can remove a computer from the domain either by removing the

computer's account from Active Directory Users and Computers or by

running the Domain Join Tool on the Unix, Linux, or Mac OS X computerthat you want to remove.

Files Modified During a Domain Jo in

When Likewise joins a computer to a domain, it modifies some system

files. The files that are modified depend on the platform, the distribution,

and the system's configuration. The following files might be modified.

Note: Not all of these files are present on all computers.

• /etc/nsswitch.conf

• /etc/pam.conf or /etc/pam.d/*

• /etc/ssh/{ssh_config,sshd_config} (or wherever sshd configuration is

located)

• /etc/hosts (To join a domain without modifying /etc/hosts, see Join

Active Directory Without Changing /etc/hosts.)






• /etc/apparmor.d/abstractions/nameservice

• /etc/X11/gdm/PreSession/Default

• /etc/vmware/firewall/services.xml

• /usr/lib/security/methods.cfg

• /etc/security/user

• /etc/security/login.cfg

• /etc/netsvc.conf

•

/etc/krb5.conf

• /etc/krb5/krb5.conf

• /etc/rc.config.d/netconf

• /etc/nodename

• /etc/{hostname,HOSTNAME,hostname.*}

• /etc/sysconfig/network/config

• /etc/sysconfig/network/dhcp

• /etc/sysconfig/network/ifcfg-*

• /etc/sysconfig/network-scripts/ifcfg-*

Join Act ive Directory with the Command Line

When you join a domain by using the command-line utility, Likewise uses

the hostname of the computer to derive a fully qualified domain name

(FQDN) and then automatically sets the computer’s FQDN in the

/ et c/ hosts file. You can also join a domain without changing the

/ et c/ hosts file; see Join Active Directory Without Changing /etc/hosts.

On Linux computers, the domain join command-line utility is in

/ usr / cent er i s / bi n. On Unix and Mac OS X computers, it is in







Important: To run the command-line utility, you must use a root

account. To join a computer to a domain, you must have the user name

and password of an Active Directory account that has privileges to join

computers to the domain and the full name of the domain that you want

to join.

Join a Linux Computer to Active Directory

• Execute the following command, replacing domai nName with the

FQDN of the domain that you want to join and j oi nAccount with the

user name of an account that has privileges to join computers to the

domain:

/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n domainName

joinAccount

Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n


Join a Unix Computer to Active Directory

• Execute the following command, replacing domai nName with the

FQDN of the domain that you want to join and j oi nAccount with the

user name of an account that has privileges to join computers to the

domain:

/ opt / cent er i s / bi n/ domai nj oi n- cl i j oi n domainNamejoinAccount

Example: / opt / cent er i s / bi n/ domai nj oi n- cl i j oi n


Join a Mac Computer to Active Directory

• Using sudo, execute the following command in the Terminal,

replacing domai nName with the FQDN of the domain that you want to

join and j oi nAccount with the user name of an account that has

privileges to join computers to the domain:


domainName joinAccount








The terminal prompts you for two passwords: The first is for a user

account on the Mac that has administrative privileges; the second is

for the user account in Active Directory that you specified in the join

command.

Join a Linux Computer to an Organizational Unit

• Execute the following command, replacing

or gani zat i onal Uni t Name with the path and name of the

organizational unit that you want to join, domai nName with the FQDN

of the domain, and j oi nAccount with the user name of an account

that has privileges to join computers to the domain:

/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou

organizationalUnitName domainName joinAccount

Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou

Engi neer i ng cent er i sdemo. com Admi ni st r at or

Options and Basic Commands

The following tables list the options and commands of the command-line

interface for joining a domain.

Options

The domai nj oi n- cl i command-line interface includes the following

options:

Option Description Example

- - hel p Displays the command-line

options and commands.

domai nj oi n- c l i - - hel p

- - hel p- i nt er nal Displays a list of the

internal debugging

commands.

domai nj oi n- c l i - - hel p- i nt er nal

- - l o g {.| pat h} Generates a log file or

prints the log to the

console.

domai nj oi n- c l i - - l og

/ var / l og/ domai nj oi n. l og j oi n


domai nj oi n- cl i - - l og . j oi n







Basic Commands

The domain join command-line interface includes the following basic

commands:

Command Descr iption Example

query Displays the

hostname, current

domain, and

distinguished name,

which includes the

OU to which the

computer belongs.

If the computer is

not joined to a

domain, it displays

only the hostname.

domai nj oi n- cl i quer y

set name computerName Renames the

computer and

modifies the

/ et c/ hosts file

with the name that

you specify.

domai nj oi n- cl i set name RHEL44I D

f i xf qdn Fixes a computer's

fully qualified

domain name.

domai nj oi n- c l i f i xf qdn

j oi n [ - - ou

organizationalUnit]

domainName userName

Joins the computer

to the domain that

you specify by using

the account that you

specify.

You can use the - -

ou option to join the

computer to an OU

within the domain by

specifying the path

to the OU and the

domai nj oi n- c l i j oi n - - ou

Engi neer i ng cent er i sdemo. com

Admi ni st r at or






Command Descr iption Example

OU's name. When

you use this option,

you must use an

account that has

membership in the

Domain

Administrators

security group. The

path to the OU is top

down.

l eave [ user Name] Removes thecomputer from the

Active Directory

domain.

If the user Name is

provided, the

computer account is

disabled in Active

Directory.

domai nj oi n- cl i l eave

domai nj oi n- cl i l eave

smi t hy@l i kewi sedemo. com

Advanced Commands

The command-line interface includes advanced commands that you can

use to preview the stages of joining or leaving a domain, find out which

configurations are required for your system, view information about a

module that will be changed, and enable or disable a module. The

advanced commands provide a potent tool for troubleshooting issues

while configuring a Linux or Unix computer to interoperate with Active

Directory.

Preview the Stages of the Domain Join for Your Computer

To preview the domain, DNS name, and configuration stages that will be

used to join a computer to a domain, execute the following command at

the command line:

domai nj oi n- cl i j oi n - - pr evi ew domainName






Example: domai nj oi n- cl i j oi n - - pr evi ew l i kewi sedemo. com

The result, which can vary by computer, looks something like this:

[ r oot @r hel 44i d ~] # domai nj oi n- cl i j oi n - - pr evi ew cent eri sdemo. com J oi ni ng t o AD Domai n: cent er i sdemo. comWi t h Comput er DNS Name: r hel 44i d. center i sdemo. com The f ol l owi ng st ages ar e cur r ent l y conf i gured t o be r un dur i ngt he domai n j oi n:host name - set computer host name j oi n - j oi n computer t o ADl wi conf - conf i gur e l wi aut hd. confkrb5 - conf i gur e krb5. confnsswi t ch - enabl e/ di sabl e Li kewi se nsswi t ch modul est art - st art daemonspam - conf i gure pam. d/ pam. confssh - conf i gure ssh and sshd[ r oot @r hel 44i d ~] #

Check Required Configurations

To see a full listing of the modules that apply to your operating system,

including those module that will not be run, execute either the following

join or leave command:

domai nj oi n- cl i j oi n - - advanced - - pr evi ew domainName

domai nj oi n- cl i l eave - - advanced - - pr evi ew domainName

Example: domai nj oi n- cl i j oi n - - advanced - - pr evi ew

l i kewi sedemo. com

The result varies by computer:

[ r oot @r hel 44i d ~] # domai nj oi n- cl i j oi n - - advanced - - pr evi ewcent er i sdemo. com J oi ni ng t o AD Domai n: cent er i sdemo. comWi t h Comput er DNS Name: r hel 44i d. center i sdemo. com [ F] st op - st op daemons[ X] [ S] host name - set comput er host name

[ F] f i r ewal l - open por t s t o DC[ X] [ N] j oi n - j oi n comput er t o AD[ X] [ N] l wi conf - conf i gur e l wi aut hd. conf[ X] [ N] krb5 - conf i gur e krb5. conf[ X] [ N] nsswi t ch - enabl e/ di sabl e Li kewi se nsswi t ch modul e

[ X] [ N] st ar t - st ar t daemons[ F] bash - f i x bash pr ompt f or backsl ashes i nuser names

[ F] gdm - f i x gdm pr esessi on scri pt f or spaces i nuser names[ X] [ N] pam - conf i gur e pam. d/ pam. conf[ X] [ S] ssh - conf i gur e ssh and sshd

Key to flags

[ F]ul l y conf i gur ed - t he syst em i s al r eady conf i gur ed f ort hi s step






You can further bore down into the details of the changes that a module

will make by using either the following join or leave command:

domai nj oi n- cl i j oi n - - det ai l s module domainName joinAccount

domai nj oi n- c l i l eave - - det ai l s module domainName

joinAccount

Example: domai nj oi n- cl i j oi n - - det ai l s l wi conf


The result varies depending on your system's configuration:

[ r oot @r hel 44i d ~] # domai nj oi n- cl i j oi n - - det ai l s l wi conf

cent eri sdemo. com Admi ni st r ator[ X] [ N] l wi conf - conf i gur e l wi aut hd. confKey to f l ags[ F]ul l y conf i gur ed - t he syst em i s al r eady conf i gur ed f ort hi s step[ S] uf f i ci ent l y conf i gur ed - t he syst em meet s t he mi ni mumconf i gur at i on

r equi r ement s f or t hi s st ep[ N] ecessar y - t hi s st ep must be r un or manual l yper f ormed.[ X] - t hi s st ep i s enabl ed and wi l l makechanges[ ] - t hi s step i s di sabl ed and wi l l notmake changesDet ai l s for ' conf i gur e l wi aut hd. conf ' :

Edi t / et c/ samba/ l wi aut hd. conf t o set t he f ol l owi ng val ues:wor kgr oup=<shor t domai n name>r eal m=<dns domai n name>secur i t y=adsuse kerber os keyt ab=ads[ r oot @r hel 44i d ~] #

Turn On or Turn Off Domain Join Modules

You can explicitly enable or disable a module when you join or leave a

domain. Disabling a module can be useful in cases where a module has

been manually configured or in cases where you must ensure that

certain system files will not be modified.

Note: If you disable a necessary module and you have not manually

configured it, the domain join utility will not join your computer to the

domain.

To disable a module, execute either the following join or leave command:






domai nj oi n- c l i j oi n - - di sabl e module domainName

accountName

domai nj oi n- cl i l eave - - di sabl e module domainName

accountName

Example: domai nj oi n- cl i j oi n - - di sabl e pam


To enable a module, execute the following command at the command

line:

domai nj oi n- c l i j oi n -- enabl e module domainName

accountName

Example: domai nj oi n- cl i j oi n - - enabl e pamcent er i sdemo. com Admi ni st r at or

Join Active Directory Without Changing /etc/hosts

When you join a computer to a domain by using the Likewise Domain

Join Tool, Likewise uses the hostname of the computer to derive a fully

qualified domain name (FQDN) and then automatically sets the

computer’s FQDN in the / et c/ hosts file.

You join a domain without changing the / et c/ hosts file by using the

shell prompt.

To join a Linux computer to the domain without changing the

/ et c/ hosts file, execute the following command at the shell prompt as

root, replacing domai nName with the FQDN of the domain that you want

to join and j oi nAccount with the user name of an account that has

privileges to join computers to the domain:

/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - di sabl e

host name domai nName j oi nAccount

Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - -

di sabl e host name cent er i sdemo. com Admi ni st r ator

If the Computer Fails to Join the Domain

Make sure the computer's FQDN is correct in / et c/ host s.







running Linux, Unix, or Mac OS X by executing the following command:


When you execute this command, the computer looks up the primary

host entry for its hostname. In most cases, this means that it looks for its

hostname in / et c/ hosts , returning the first FQDN name on the same

line. So, for the hostname qaser ver , here's an example of a correct

entry in / et c/ hosts :

10. 100. 10. 10 qaserver . cor pqa. cent er i s. com qaserver

If, however, the entry in / et c/ hosts incorrectly lists the hostname (or

anything else) before the FQDN, the computer's FQDN becomes, usingthe malformed example below, qaser ver :

10. 100. 10. 10 qaserver qaserver . cor pqa. cent er i s. com

If the host entry cannot be found in / et c/ host s, the computer looks for

the results in DNS instead. This means that the computer must have a

correct A record in DNS. If the DNS information is wrong and you cannot

correct it, add an entry to / et c/ hosts .


To join a computer running Mac OS X 10.4 or later to an Active Directory

domain, you must have administrative privileges on the Mac and

privileges on the Active Directory domain that allow you to join a

computer.

1. In Finder, click Appl ications . In the list of applications, double-click

Utilities, and then double-click Directory Access.

2. On the Services tab, click the lock and enter an administrator

name and password to unlock it.

3. In the list click Likewise Enterprise, make sure the Enable check

box for Likewise Enterprise is selected, and then click Configure.

4. Enter a name and password of a local machine account with

administrative privileges.






5. On the menu bar at the top of the screen, click the Likewise

Enterprise Domain Join menu, and then click Join or Leave

Domain.

6. In the Computer name box, type the name of the local hostname of

the Mac without the . l ocal extension. Because of a limitation with

Active Directory, the local hostname cannot be more than 15

characters. Also: l ocal host is not a valid name.

Tip: To find the local hostname of a Mac, on the Apple menu ,

click System Preferences, and then click Sharing. Under the

Computer Name box, click Edit. Your Mac's local hostname is

displayed.

7. In the Domain to join box, type the fully qualified domain name of

the Active Directory domain that you want to join.

8. Under Organizational Unit, you can join the computer to an OU in

the domain by selecting OU Path and then typing a path in the OU

Path box.

Note: To join the computer to an OU, you must be a member of the

Domain Administrator security group.

Or, to join the computer to the Computers container, select Defaultto "Computers" container .

9. Click Join.

10. After you are joined to the domain, you can set the display login

window preference on the Mac: On the Apple menu , click

System Preferences, and then under System, click Accounts .

11. Click the lock and enter an administrator name and password to

unlock it.

12. Click Login Options, and then under Display login window as,

select Name and password.

Install the Domain Join GUI

You can install the optional graphical user interface version of the

Likewise Domain Join Tool on a Linux computer after you have installed






the Likewise agent. The domain join tool can be installed on Linux

platforms that are running GTK+ version 2.6 or later.

Note: You do not need to install the domain join GUI to join a domain; for

more information, see Join Active Directory with the Command Line.

1. Obtain the BitRock installer for the domain join tool for your platform

from Likewise Software at http://www.LikewiseSoftware.com.

2. Copy the installer to the desktop of the target Linux computer.

Important: If you use FTP to transfer the file, you must select BIN,

or binary. Most FTP clients default to AUTO or ASCII, but the

installer includes some binary code that will become corrupted if you

do not use binary mode.

3. On the desktop, right-click the icon for the installer, click Properties,

and then click the Permissions tab.

4. Change the owner's permissions to Read and Execute, and then

click Close:






5. On the desktop, double-click the icon of the installer to run it, and

then follow the instructions in the installation wizard.

Uninstall the Domain Join GUI

On a Linux computer, you can uninstall the domain join GUI from the

command line by running the following command as root:

/ usr/ cent er i s/ set up/ dj gt k/ uni nstal l

Join a Linux Computer to Active Directory with the GUI

After you install the Likewise agent, you can install the Likewise Domain

Join Tool, a graphical user interface for joining a domain. The domain

join tool is not included when you install the agent; you must install the

utility separately. For more information, see Install the Domain Join

Utility.






Important: To join a computer to a domain, you must have the user

name and password of a user who has privileges to join computers to a

domain and the full name of the domain that you want to join.

1. From the desktop with root privileges, double-click the Likewise

Domain Join Tool, or at the shell prompt of a Linux computer, type

the following command:

/ usr / cent er i s/ bi n/ domai nj oi n- gui

2. On the Likewise AD Settings panel, in the Domain box, enter the

Fully Qualified Domain Name (FQDN) of the Active Directory

domain.

Note: The domain join tool automatically sets the computer’s FQDN

by modifying the / et c/ host s file. For example, If your computer's

name is qaser ver and the domain is cor pqa. cent er i s. com,

the domain join tool adds the following entry to the / et c/ hosts file:

qaser ver . cor pqa. cent er i s. com. To manually set the

computer's FQDN, see Join Active Directory Without Changing

/etc/hosts.








Path box. The OU path is from the top of the Active Directory

domain down to the domain that you want.

Or, to join the computer to the Computers container, select Default

to container (Computers).

5. Click Join Domain.

6. Enter the user name and password of an Active Directory user with

the right to join a machine to the Active Directory domain, and then






click OK.

Note: If you do not use an Active Directory Domain Administrator

account, you might not have sufficient privileges to change an

existing machine object in Active Directory.

Use Likewise wi th a Single OU

If you have only write privileges for an organizational unit in Active

Directory, you can still use Likewise. You should enable an

organizational unit (OU) for Likewise only when you want to manage

your Linux, Unix, and Mac OS X computers within a single OU and you

do not have Domain Administrator or Enterprise Administrator privileges,

but you have been given rights to create objects in an OU. You can use

the write privileges that you have been given for an OU to join Linux andUnix computers to that OU.

There are additional limitations to this approach:

• You must join the computer to a specific OU, and you must know the

path to that OU.

• You cannot use Likewise in schema mode unless you have Enterprise

Administrator privileges, which are required to upgrade the schema.

Join a Linux Computer to an Organizational UnitWhen you join a domain by using the command-line utility, Likewise uses

the hostname of the computer to derive a fully qualified domain name

(FQDN) and then automatically sets the computer’s FQDN in the

/ et c/ hosts file. You can also join a domain without changing the

/ et c/ hosts file; see Join Active Directory Without Changing /etc/hosts.

On Linux computers, the domain join command-line utility is in

/ usr / cent er i s / bi n. On Unix and Mac OS X computers, it is in


Important: To join a computer to a domain, you must have the username and password of an account that has privileges to join computers

to the domain and the full name of the domain that you want to join.

• Execute the following command, replacing

or gani zat i onal Uni t Name with the path and name of the

organizational unit that you want to join, domai nName with the FQDN

of the domain, and j oi nAccount with the user name of an account






that has privileges to join computers to the domain:

/ usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou

organizationalUnitName domainName joinAccount

Example: / usr / cent er i s / bi n/ domai nj oi n- cl i j oi n - - ou

Engi neer i ng cent er i sdemo. com Admi ni st r at or

See Also

Join Active Directory with the Command Line


Join Active Directory Without Changing /etc/hosts

Set the Home Directory and Shell for Domain Users

When you use Likewise by installing it only on a Linux, Unix, or Mac

computer and not on Active Directory, you cannot associate a Likewise

cell with an organizational unit, and thus you have no way to define a

home directory or shell in Active Directory for users who log on the

computer with their domain credentials.

To set the home directory and shell for a computer that is using Likewise

Open or Likewise Enterprise without cell, edit the following configuration

file:

/ et c/ samba/ l wi aut hd. conf

Modify the following lines to set the shell and home directory that you

want:

t empl ate shel l =

t empl at e homedi r =

Examples:

t empl at e shel l = / bi n/ bash

t empl at e homedi r = / home/ l ocal / %D/ %U

When you set the default home directory, you must use the default user

name variable (%U). You may specify the default domain name by using

the domain name variable (%D) but, unlike the user name variable, it is

not required.






All the users who log on the computer by using their Active Directory

domain credentials will have the shell and home directory that you set.

Note: / bi n/ bash might not be available on all systems.

Important: On Solaris, you cannot create a local home directory in

/ home, because / home is used by autofs, Sun's automatic mounting

service. The standard on Solaris is to create local home directories in

/ expor t / home.

If you set the shell and home directory both in Active Directory and in

l wi aut hd. conf , the settings in Active Directory -- which appear on the

target computer in / et c/ secur i t y/ pam_l wi dent i t y. conf -- take

precedence.

Log On a JoinedComputer with Active Directory Credentials

After the Likewise Agent has been installed and the Linux computer has

been joined to a domain, users can log on interactively by using their

Active Directory credentials. For example, a user can log on by using the

form DOMAI N\ user name.

1. On a Linux computer, log out of the current session.

2. Log on the system console by using an Active Directory user

account in the form of DOMAI N\ user name, where DOMAI N is the Active Directory short name.

To eliminate barriers to acceptance, preserve existing user behaviors,

and support script files that may rely on a particular logon nomenclature,

Likewise provides the following logon options:

• Full domain credentials -- example: l i kewi sedemo. com\ hoenst i v

• Single domain user name -- example: l i kewi sedemo\ hoenst i v

• Alias names: example --

s t i v

• Cached credentials

• To use UPN names, you must raise your Active Directory forest

functional level to Windows Server 2003, but note that raising the

forest functional level to Windows Server 2003 will exclude Windows






2000 domain controllers from the domain. For more information, see

About Schema Mode and Non-Schema Mode.

Rename a Joined Computer

To rename a computer that has been joined to Active Directory, you

must first leave the domain. You can then rename the computer by using

the domain join command line interface. After you rename the computer,

you must rejoin it to the domain. Renaming a joined computer requires

the user name and password of a user with privileges to join a computer

to a domain.

Important: Do not change the name of a Linux, Unix, or Mac computer

by using the host name command because some distributions do not

permanently apply the changes.

Rename a Computer by Using the Command-Line Tool

The following procedure removes a Unix computer from the domain,

renames the computer, and then rejoins it to the domain. You can also

use the command-line tool on a Linux computer; on a Linux computer,

the path to the tool is / usr / cent er i s / bi n/ .

1. With root privileges, at the shell prompt of a Unix computer, execute


/ opt / cent er i s/ bi n/ domai nj oi n- c l i l eave

2. To rename the computer in / et c/ hosts , execute the following

command at the shell prompt, replacing computerName with the

new name of the computer:

/ opt / cent er i s/ bi n/ domai nj oi n- cl i set name

computerName

Example: / opt / cent er i s/ bi n/ domai nj oi n- cl i set name

RHEL44I D

3. To rejoin the renamed computer to the domain, execute the

following command at the shell prompt, replacing DomainName with

the name of the domain that you want to join and UserName with

the user name of a user who has privileges to join a domain:

/ opt / cent er i s / bi n/ domai nj oi n- cl i j oi n DomainName






UserName

Example: /opt/centeris/bin/domainjoin-cli join

centerisdemo.com Administrator

It may take a few moments before the computer is joined to the

domain.

Rename a Computer by Using the Domain Join Tool

To execute the following procedure, the Likewise Domain Join Tool, a

graphical user interface for joining a domain, must be installed on your

computer. For more information, see Install the Likewise Domain JoinTool.

1. From the desktop with root privileges, double-click the Likewise

Domain Join Tool, or at the shell prompt of a Linux computer, type



2. Click Leave, and then click OK.

3. Start the Domain Join Tool again by double-clicking the Likewise

Domain Join Tool on the desktop, or by typing the following

command at the shell prompt of a Linux computer:


4. Click Next.

5. In the Computer Name box, rename the computer by typing a new

name.






6. In the Domain to join box, enter the Fully Qualified Domain Name

(FQDN) of the Active Directory domain.



Path box.

Or, to join the computer to the Computers container, select Default

to "Computers" container .

8. Click Next.






9. Enter the user name and password of an Active Directory user with

the right to join a machine to the Active Directory domain, and then

click OK.

The computer's name in / et c/ host s has been changed to the name

that you specified and the computer has been joined to the Active

Directory domain with the new name.

Leave a Domain

Likewise reverses the Likewise-specific settings that were made to the

computer's configuration when it was joined to the domain. Before you

leave a domain, you can execute the following command to view the

changes that will be made:

domai nj oi n- cl i l eave - - advanced - - pr evi ew domainName

Example:

[ r oot@r hel 44i d / ] # domai nj oi n- cl i l eave - - advanced - - pr evi ewcent eri sdemo. comLeavi ng AD Domai n: CENTERI SDEMO. COM[ X] [ S] ssh - conf i gur e ssh and sshd[ X] [ N] pam - conf i gur e pam. d/ pam. conf[ X] [ N] nsswi t ch - enabl e/ di sabl e Li kewi se nsswi t ch modul e[ X] [ S] l eave - del ete machi ne account[ X] [ N] krb5 - conf i gur e krb5. conf[ X] [ N] l wi conf - conf i gure l wi aut hd. conf[ X] [ N] st op - st op daemons

Key t o f l ags[ F]ul l y conf i gured - t he system i s al r eady conf i gur ed f or t hi s step[ S] uf f i ci ent l y conf i gur ed - t he syst emmeets t he mi ni mum conf i gur at i on

r equi r ement s f or t hi s step[ N] ecessar y - t hi s st ep must be r un or manual l y per f ormed.[ X] - t hi s st ep i s enabl ed and wi l l make changes[ ] - t hi s st ep i s di sabl ed and wi l l not makechanges

For information on advanced commands for leaving a domain, see Join

Active Directory with the Command Line.

The Computer Account in Active Directory

When you leave a domain, the computer's account in Active Directory is

not disabled and not deleted. If, however, you include the user name aspart of the l eave command, the computer's account is disabled but not

deleted. You can include the user name as part of the l eave command

as follows; you will be prompted for the password of the user account:

domai nj oi n- cl i l eave userName






Example: domai nj oi n- cl i l eave br smi t h

Remove a Linux Computer from a Domain • On the Linux computer that you want to remove from the Active

Directory domain, use a root account to run the following command at

the shell prompt:

/ usr/ cent er i s/ bi n/ domai nj oi n- c l i l eave

Remove a Unix Computer from a Domain

• On the Unix computer that you want to remove from the Active

Directory domain, execute the following command at the shell prompt:

/ opt / cent er i s/ bi n/ domai nj oi n- c l i l eave

Remove a Mac from a Domain

To leave a domain on a Mac OS X computer, you must have

administrative privileges on the Mac.

1. In Finder, click Appl ications .

2. In the list of applications, double-click Utilities, and then double-

click Directory Access.

3. On the Services tab, click the lock and enter an administrator

name and password to unlock it.

4. In the list, click Likewise, and then click Configure.

5. Enter a name and password of a local machine account with

administrative privileges.

6. On the menu bar at the top of the screen, click the Likewise

Domain Join Tool menu, and then click Join or Leave Domain.

7. Click Leave.

Remove a Mac with the Command Line

Execute the following command with an account that allows you to use

sudo:

sudo / opt / cent er i s/ bi n/ domai nj oi n- cl i l eave






Using Single Sign On

When you log on a Linux, Unix, or Mac OS X computer by using your Active Directory domain credentials, Likewise initializes and maintains a

Kerberos ticket granting ticket (TGT). With a TGT, you can log on other

computers joined to Active Directory or applications provisioned with a

Service Principal Name and be automatically authenticated with

Kerberos and authorized for access through Active Directory. In a

process transparent to the user, the underlying Generic Security

Services (GSS) system requests a Kerberos service ticket for the

Kerberos-enabled application or server. The result: single sign-on.

To gain access to the other computer, you can use various protocols and

applications:

• SSH (how to configure single sign-on for SSH)

• rlogin

• rsh

• Telnet

• FTP

• Firefox (for browsing of intranet sites)

• LDAP queries against Active Directory

• HTTP with an Apache HTTP Server

How Likewise Makes SSO Happen

Since Microsoft Windows 2000, Active Directory's primary authentication

protocol has been Kerberos. When a user logs on a Windows computer

that is joined to a domain, the operating system uses the Kerberos

protocol to establish a key and to request a ticket for the user. Active

Directory serves as the Kerberos key distribution center, or KDC.

Likewise configures Linux and Unix computers to interact with Active

Directory in a similar way. When a user logs on a Linux and Unix

computer joined to a domain, Likewise requests a ticket for the user. The

ticket can then be used to implement SSO with other applications.






Likewise fosters the use of the highly secure Kerberos 5 protocol by

automating its configuration and use on Linux and Unix computers. To

ensure that the Kerberos authentication infrastructure is properly

configured, Likewise does the following:

• Ensures that DNS is properly configured to resolve names associated

with Active Directory (AD).

• Provides tools to join Linux, Unix, and Mac OS X computers to AD.

• Performs secure, dynamic DNS updates to ensure that Linux and

Unix computer names can be resolved with AD-integrated DNS

servers.

• Configures Kerberos. In an environment with multiple KDCs, Likewisemakes sure that Kerberos selects the appropriate server.

• Configures SSHD to support SSO through Kerberos (by using

GSSAPI).

• Creates a keytab for the computer in the following way: When you join

a Linux or Unix computer to AD, Likewise creates a machine account

for the computer. Likewise then automatically creates a keytab for the

SPN and places it in the standard system location (typically

/ et c/ krb5. keyt ab).

• Provides a tool, l wi net , to generate additional keytab entries for

other applications or services.

• Creates a keytab for the user during logon. On most systems, the

user keytab is placed in the / t mp directory and named krb5cc_UI D,

where UI D is the numeric user ID assigned by the system.

Overview of How to Implement SSO with Likewise

When you install Likewise on a Linux, Unix, or Mac OS X computer and

join it to Active Directory, Likewise prepares it for single sign-on by

creating a keytab for the computer. However, when you use Likewise to

implement SSO with other applications or services, such as SAP or

Oracle, you will likely have to configure the application to use Kerberos

authentication and you will likely have to provision each application user

for external Kerberos authentication. At the very least, however, you will

have to provision your application with a Service Principal Name in

Active Directory.






Note: Not all versions of OpenSSH support Kerberos. Versions older

than 4.2p1 might not work or might work improperly.

The SSH

Service

Principal

Name

The first thing that needs to be considered is the Kerberos service

principal name (SPN) that is used by ssh and sshd. The SPN is a string

that identifies the service for which an authentication ticket is to be

generated. In the case of SSH, the SPN has the form:

host / <ser ver name>@<REALMNAME>

For example, when a user uses ssh to connect to a computer named

f ozzi e. mycor p. com, the ssh program will request a service ticket for

the SPN:

host / f ozz i e. mycor p. com@MYCORP. COM

Note: The Kerberos realm is the computer's domain name using

uppercase letters.

System Keytab Generation

In order for Microsoft Active Directory to generate a Kerberos ticket for

this SPN, a service account must exist for it. Additionally, a keytab must

be created for the service account and placed on the sshd

server.Likewise completely automates this operation. When a Linux orUnix computer is joined to AD, a machine account is created for the

computer. If the computer is called f ozzi e, a machine account called

f ozzi e$ is created in AD. Likewise then automatically creates a keytab

for the SPN and places it in the standard system location (typically,

/ et c/ kr b5. keyt ab). Likewise includes a tool, l wi net , that can be

used to generate additional keytab entries for other services.

User Keytab Generation

When the user runs the ssh program and OpenSSH determines that it

will use Kerberos authentication, it will need to access a keytab for the

user so that it can obtain a service ticket for the service/computer to

which it is trying to connect. This keytab must be created using the user's

account name and password. Manually, this can be performed by using

the Linux/UNIX kinit utility. Likewise, however, does it automatically when

the user logs into the computer. On most systems, the user keytab is

placed in the / t mp directory and named krb5cc_UI D where UI D is the

numeric user ID assigned by the system.






Configuring OpenSSH

OpenSSH must be configured at both the client and server computer. On

the client, the ssh_conf i g file (typically, in / et c/ ssh/ ssh_conf i g)

must be modified. On the server, sshd_conf i g (typically, in

/ et c/ ssh/ sshd_conf i g) must be modified.

In the server, the following lines must be present in sshd_conf i g:

GSSAPI Aut hent i cat i on yes

GSSAPI Cl eanupCr edent i al s yes

On the client, these lines must be present in ssh_config:

GSSAPI Aut hent i cat i on yes

GSSAPI Del egateCr edent i al s yes

Likewise adds these lines to the appropriate files if they are not already

present.

Testing SSO

With OpenSSH properly configured, demonstrating SSO support is

simple. Log on a Linux or Unix machine (that is running Likewise) using

Active Directory credentials and then use ssh to connect to another

machine (also running Likewise). OpenSSH should establish a

connection without prompting for a username or password.

FTP

You will need both a GSS-enabled FTP daemon and client. This is part

of the krb5-workstation package. Once installed, you can enable the

daemon by editing the di sabl e line in /et c/ xi net . d/ gssf t p to no

and enabling the xi net d super server service:

Example from Red Hat or Fedora Core:

# def aul t : of f# descr i pt i on: The ker beri zed FTP server accept s FTPconnect i ons \# t hat can be aut hent i cated wi t h Kerber os 5.ser vi ce f t p{

f l ags = REUSEsocket _t ype = st r eam

wai t = nouser = r ootser ver = / usr / ker ber os/ sbi n/ f t pdser ver _args = - l - a






l og_on_f ai l ure += USERI Ddi sabl e = no

}

Example of an FTP single sign-on:

[ j ohnyu@j user - l i nux ~] $ f t p j user - l i nux. cor p. company. comConnected t o j user - l i nux. corp. company. com.220 j user r - l i nux FTP ser ver ( Ver si on 5. 60) r eady.334 Usi ng aut hent i cat i on t ype GSSAPI ; ADAT must f ol l owGSSAPI accepted as aut hent i cat i on t ypeGSSAPI aut hent i cat i on succeededName ( j user- l i nux. cor p. compay. com: j ohnyu) :232 GSSAPI user j geer @CORP. COMPANY. COM i s aut hor i zed as j ohnyuRemote syst emt ype i s UNI X.Usi ng bi nar y mode t o t r ansf er f i l es.f t p>

Log On and Verify Your Kerberos Ticket

To obtain a valid ticket through Likewise, log on through a PAM entry

point such as a non-single sign-on SSH (secure shell) login, the Unix

console, or the X11 display manager (XDM).


l ogi n as: j user @corp. company. com j user @cor p. company. com@j geer- l i nux. cor p. cent er i s. com' s

password:Last l ogi n: Mon J ul 2 13: 22: 25 2007 f r oml ocal host . l ocal domai n$ kl i s t Ti cket cache: FI LE: / t mp/ kr b5cc_100013Def aul t pr i nci pal : j user@CORP. COMPANY. COMVal i d start i ng Expi r es Ser vi ce pr i nci pal07/ 02/ 07 13: 26: 24 07/ 02/ 07 23: 26: 44kr bt gt / CORP. COMPANY. COM@CORP. COMPANY. COM

r enew unt i l 07/ 09/ 07 13: 26: 2407/ 02/ 07 13: 26: 44 07/ 02/ 07 23: 26: 44 J USER-LI NUX$@CORP. COMPANY. COM r enew unt i l 07/ 09/ 07 13: 26: 24

Perform an Authenticated LDAP Search Example from Red Hat or Fedora Core system:

$ kl i s t$ l dapsear ch - H l dap: / / cor p. cent er i s. com - Y GSSAPI - b"OU=PM, OU=Bel l evue, DC=cor p, DC=cent er i s, DC=com" "gi venName=J ohn"SASL/ GSSAPI aut hent i cat i on st art edSASL user name: j user @CORP. COMPANY. COMSASL SSF: 56






gBnAGUAZQByAC0AdgBhAGkAbzAeFw0wNTA3MDEyMTAwNTRaFw0xMzA3MDEyMTAwN TRaMGQxETAPBg

NVBAceCABNAFMATQBRMQswCQYDVQQKHgI ALTELMAkGA1UECx4CAC0xNTAzBgNVBAMeLABDAE8AUgB

QAFwASgBHAGUAZQByACwAI ABqAGcAZQBl AHI ALQB2AGEAaQBvMFwwDQYJ KoZI hvcNAQEBBQADSwAwSAJ BALj 8sXCwD6vuPTc8A1sY+t FyGL7J F3i Nb85wnEENEl gNHHr cvbj YGRF4sPoA

LHK/ HScf 7z6a8WABkMeRi dMeJ 7UCAwEAATANBgkqhki G9w0BAQQFAANBAI vbTV516CP9gRVp6HnSh

6ht t GO14HXNJ LI Vi 3Ni aZ/ GFVppqzVSBxcFvmGHaVz9BkBOOf j UscK7s92zuUj BQHTl qi FDUhLcZ5

VxWB0zI ZB6hFr j 2RU7J 0GcBdShUuCbLr UBAAAwggGxMI I BW6ADAgECAgSqpVpVMAwGCCqGSI b3DQIFBQAwYDERMA8GA1UEBx4I AE0AUwBNAFExCzAJ BgNVBAoeAgAt MQswCQYDVQQLHgI ALTExMC8GA1UE

Ax4oAEMATwBSAFAAXABKAEcAZQBl AHI ALAAgAGoAZwBl AGUAcgAt AGgAcDAeFw0wNTA4MTgxODEzM

j l aFw0xMzA4MTgxODEzMj l aMGAxETAPBgNVBAceCABNAFMATQBRMQswCQYDVQQKHgI ALTELMAkGA1

UECx4CAC0xMTAvBgNVBAMeKABDAE8AUgBQAFwASgBHAGUAZQByACwAI ABqAGcAZQBl AHI ALQBoAHA

wXDANBgkqhki G9w0BAQEFAANLADBI AkEAsU+XJ 59U0CwI aRUJ GCsnt j M+vaqr 7J / e5zcbTL4EscZu

g5Nl nA7LouRvm ZmqXc+EWb9Mj I Snmvs j 4m4t X0QI FQI DAQABMA0GCSqGSI b3DQEBBAUAA0EAf Fhp9 j o8hGw3aQAccT

1KwqPa6VWDNr LUJ I BYNn2f QWKLmNDb/ N74/ bpHbYNVGn0WXst o0I J 8b8KHNAK4RvM4yQ==mSMQDi gest s: : 5aohQ1I S3GeVcVgdMyGQeg==mSMQDi gest s: : Ec455CcKDcvzQWDt EvwZFA==msNPAl l owDi al i n: TRUEl ast LogonTi mest amp: 128277612716718750# sear ch r esul tsear ch: 4

r esul t : 0 Success# numResponses: 2# numEnt r i es: 1

rlogin


# def aul t : of f# descr i pt i on: The kerber i zed r l ogi n server accept s BSD-styl e r l ogi n sessi ons, \# but uses Kerberos 5 aut henti cat i on.ser vi ce kl ogi n{


wai t = nouser = r ootser ver = / usr / ker ber os/ sbi n/ kl ogi ndserver _ar gs = - 5di sabl e = no

}






Example of rlogin single sign-on:

[ j ohnyu@j user - l i nux ~] $ r l ogi n j user - l i nux. cor p. company. com

Last l ogi n: Mon J ul 2 19: 00: 59 f r om j user - l i nux[ j ohnyu@j user- l i nux ~] $

rsh

You will need both a GSS-enabled rsh daemon and client. This is part of

the krb5 workstation package. Once installed, you can enable the

daemon by editing the di sabl e line in / et c/ xi net . d/ kshel l to no

and enabling the xi net d super server service:


# def aul t : of f# descr i pt i on: The ker ber i zed r shel l ser ver accept s rshel lcommands \# aut hent i cated and encr ypt ed wi t h Kerberos 5.ser vi ce kshel l{


wai t = nouser = r ootser ver = / usr / ker ber os/ sbi n/ kshdserver_ args = - e - 5di sabl e = no

Example of rsh single sign-on:

[ j ohnyu@j user - l i nux ~] $ r sh j user - l i nux. cor p. company. comLast l ogi n: Mon J ul 2 18: 53: 21 f r om j user - l i nux[ j ohnyu@j user - l i nux ~] $ i d

Telnet

Here's an example of single sign-on using telnet:

[ j ohnyu@j user - l i nux ~] $ t el net - a j user - l i nux. cor p. company. com Tr yi ng 127. 0. 0. 2. . .Connect ed to j user - l i nux. cor p. company. com ( 127. 0. 0. 2) .Escape char acter i s ' ] ' .[ Ker beros V5 accepts you as ``j user @CORP. COMPANY. COM' ' ]Last l ogi n: Mon J ul 2 18: 36: 39 f r om l ocal host . l ocal domai n[ j ohnyu@j user - l i nux ~] $ i dui d=100013( j ohnyu) gi d=100000( CORP\ domai n user s)groups=10( wheel ) , 100000( CORP\ domai n user s) , 100005( CORP\ vmadmi ns)cont ext =syst em_u: syst em_r : unconf i ned_t[ j ohnyu@j user- l i nux ~] $






Use Firefox to Single Sign-On Intranet Sites

When logged on an X11 desktop, you have access to GSS-aware

applications such as Mozilla Firefox. Firefox is configured by default tonot attempt a negotiation with any website. To override this behavior,

change net wor k. negot i at e- aut h. del egat i on- ur i s and

net wor k. negot i at e- aut h. t r ust ed- ur i s to include a filter white

list of URIs that the browser will attempt to negotiate a single sign-on

with. Among the broadest may be Error! Hyperlink reference not valid

and Error! Hyperlink reference not valid, which includes all standard web

URIs.

Then, restart the web browser and point to a Windows authenticated web

site, such as Sharepoint.






Troubleshooting the Agent

Check Authentication

On the Unix or Linux computer that is joined to the Active Directory

domain, you can check the domain user's information by executing the

following command at the shell prompt. Replace username with the full

domain user name or the single domain user name of the user that you

want to check.

/ usr / cent er i s / bi n/ l wi i nf o – i username

Examples:

• Full domain user name:/ us r / center i s /bi n/ l wi i nf o - i

l i kewi sedemo. com\ \ hoenst i v

• Single domain user name:

/ usr/ cent er i s/ bi n/ l wi i nf o - i l i kewi sedemo\ \ hoenst i v

In the examples, there are two slashes in the user name because the

first is an escape character for the second.

Troubleshoot

If Do this

The wrong information is

returned

Check Active Directory to make

sure the user has an account.

The user is not found Check the status of the

authentication daemon.

The user is found Check whether the same user is

in the / et c/ passwd file. If

necessary, migrate the user.

Check the Status o f the Authentication Daemon

You can check the status of the authentication daemon on a Unix or

Linux computer running the Likewise Agent by executing the following

command at the shell prompt as the root user:






/ sbi n/ ser vi ce l i kewi seopen st at us

(On HP-UX, the command is / sbi n/ i ni t . d/ l i kewi seopen

status .)

If the authentication daemon is running, the result should look like this:

l i kewi se- wi nbi ndd ( pi d 30418 30408) i s r unni ng. . .

If the service is not running, execute the following command:

/ sbi n/ ser vi ce l i kewi seopen st ar t

(On HP-UX, the command is / sbi n/ i ni t . d/ l i kewi seopen

start .)

Next, as the root user, check whether the authentication daemon is

communicating with the windbind daemon by executing the following

command:

/ usr / cent er i s / bi n/ l wi i nf o - p

If all is well, the result should look like this:

Pi ng t o wi nbi ndd succeeded on f d 4

Mac OS X

On a Mac OS X computer, you cannot use the status command, butyou can monitor daemon by using Activity Monitor:

1. In Finder, click Appl ications , click Utilities, and then click Ac tivi ty

Monitor .

2. In the list under Process Name, make sure cent er i s. l i kewi se-

open appears. If the process does not appear in the list, you might

need to start it.

3. To monitor the status of the process, in the list under Process

Name, click the process, and then click Inspect.

Check the Version and Build Number

Check the Version Number of the Agent

To check the version number of the Likewise Agent, execute one of the

following commands at the shell prompt:






Operating System Command

Linux / usr / center i s / bi n/ l wi i nf o

- - vers i on

or

/ usr / center i s / bi n/ l wi i nf o

- V

Unix / opt / center i s / bi n/ l wi i nf o

- - vers i on

or

/ opt / center i s / bi n/ l wi i nf o

–V

Note: In the shorthand version, the - V must be an uppercase letter.

Check the Build Number of the Agent

On Linux distributions that support RPM -- for example, Red Hat

Enterprise Linux, Fedora, SUSE Linux Enterprise, OpenSUSE, and

CentOS -- you can determine the build number of the agent (4.1.0.xxxx

in the examples below) by executing the following command at the shell

prompt:

r pm - qa | gr ep cent er i s

The result shows the build version after the version number:

cent er i s- aut h- 4. 1. 0- 1. 22813. 2779cent er i s- domai nj oi n- 4. 1. 0- 1. 22813. 2779cent er i s- r pc- 4. 1. 0- 1. 22813. 2779cent eri s- openl dap- 4. 1. 0- 1. 22813. 2779cent er i s- l i bxml 2- 4. 1. 0- 1. 22813. 2779cent er i s- cent ut i l s- 4. 1. 0- 1. 22813. 2779cent er i s- gr ouppol i cy- 4. 1. 0- 1. 22813. 2779

cent er i s- passwor d- pol i cy- 4. 1. 0- 1. 22813. 2779cent er i s- domai nj oi n- gui - 4. 1. 0- 1. 22813. 2779cent er i s- krb5- 4. 1. 0- 1. 22813. 2779cent eri s- passwd- 4. 1. 0- 1. 22813. 2779

On Unix computers and Linux distributions that do not support RPM, the

command to check the build number varies by platform:






Platform Command

Debian and Ubuntu dpkg –S / usr / cent er i s/

Solaris pkgi nf o | gr ep - i cent er

AIX l s l pp – l | gr ep cent er i s

HP-UX swl i st | gr ep - i Cent er

Clear the Authentication Cache

There are certain conditions under which you might need to clear the

cache so that a user's ID is recognized on a target computer.

By default, the user's ID is cached for 900 seconds (15 minutes). If you

change a user's UID for a Likewise cell, during the 900 seconds after you

change the UID you must clear the cache on a target computer in the cell

before the user can log on.

For example, if you set the Minimum UID-GID Value group policy to 99

for a OU with an associated Likewise cell that contains a user with a UID

lower than 99, you must change the user's UID so that it is 99 or higher

and then you must clear the cache before the user can log on during the

15-minute period after the change.

If you do not clear the cache after changing the UID, the computer will

find the old UID until after the cache expires:

#i d cent er i sdemo\ \ bl ugosii d: cent er i sdemo\ bl ugosi : No such user

There are three Likewise group policies that can affect the cache time:

• The Winbind Cache Expiration Time, which stores UID-SID mappings,

user/group enumeration lists, get grnam( ) and get pwnam( ) , and so

forth. Its default expiration time is 900 seconds (15 minutes).

• The ID Mapping Cache Expiration Time, which caches the mapping

tables for SIDs, UIDs, and GIDs. Its default is 1 hour.

• The ID Mapping Negative Cache Expiration Time, which stores failed

SID-UID-GID lookups to prevent an overload of resolution requests.

Its default is 5 minutes.






Tip: While you are deploying and testing Likewise, set the cache

expiration times of the Winbind Cache Expiration Time and the ID

Mapping Cache Expiration Time policies to a short period of time.

Clear the Cache on a Linux Computer

1. Stop the Likewise authentication daemon by executing the following

command as root (On HP-UX, the path to the command is / sbi n/ i ni t . d):

/ sbi n/ ser vi ce l i kewi seopen st op

2. Clear the cache:

rm - f / var / l i b/ l wi dent i t y/ * tdb

3. Start the Likewise authentication daemon:

/ sbi n/ ser vi ce l i kewi seopen st ar t

After the clearing the cache, the user is recognized:

# i d cent eri sdemo\ \ bl ugosiui d=101( CENTERI SDEMO\ bl ugosi )gi d=100000( CENTERI SDEMO\ domai n user s)gr oups=100000( CENTERI SDEMO\ domai n user s)

Determine a Computer's FQDN


running Linux, Unix, or Mac OS X by executing the following command at

the shell prompt:


HP-UX

The command is different on HP-UX:

pi ng `host name` - n 1 Solaris

On Sun Solaris, you can find the FQDN by executing the following

command, but note that the computer's configuration can affect the

results:






FQDN= / usr / l i b/ mai l / sh/ check- host name| cut - d" " -

f 7`; echo $FQDN

Fix the Shell and Home Directory Paths

Symptom: A l ocal directory is in the home directory path and the

home directory path does not match the path specified in Active

Directory or in / et c/ passwor d.

Example: / home/ l ocal / DOMAI N/ USER instead of

/ home/ DOMAI N/ USER

The shell might also be different from what is set in Active Directory -- forexample, / bi n/ ksh instead of / bi n/ bash.

Problem: The computer is not in a Likewise cell in Active Directory.

Solution: Ensure that the computer is in a Likewise cell. For more

information, see Associate a Cell with an OU or a Domain, or create a

default cell.

A default cell handles mapping for computers that are not in an OU with

an associated cell. The default cell can contain the mapping information

for all your Linux and Unix computers. For instance, a Linux or Unixcomputer can be a member of an OU that does not have a cell

associated with it. In such a case, the home directory and shell settings

are obtained from the nearest parent cell, or the default cell. If there is no

parent cell and no default cell, the computer will not receive its shell and

home directory paths from Active Directory.

Generate a Network Trace

Execute the following command in a separate session to dump network

traffic as the root user and interrupt the trace with CTRL-C:

t cpdump - s 0 - i eth0 - w t r ace. pcap

The result should look something like this:

t cpdump: l i st eni ng on et h028 packet s r ecei ved by f i l t er0 packet s dr opped by ker nel

Generate a PAM Debug Log






You can generate a debug log for PAM on a Unix or Linux computer

running the Likewise Agent. PAM stands for pluggable authentication

modules.

The location of the configuration and log files in the following procedure

can vary by platform.

1. Log on as root user.

2. Edit / et c/ secur i t y/ pam_l wi dent i t y. conf so that the

following lines are set to yes and are not commented out with either

a number sign or a semicolon:

debug = yes

debug_st at e = yes

The data is sent to syslog.

3. Edit / et c/ sysl og. conf to add the following line:

* . * / var / l og/ al l . l og

Important: You must use a TAB to delimit *. * from

/ var / l og/ al l . l og.

4. Restart syslog by executing the following command at the shell

prompt:

ser vi ce sysl og r est ar t

5. At the command line, execute the following command and note the

time stamp:

dat e

6. Perform a login test for both a local account and an Active Directoryaccount.

7. At the command line, execute the following command again and

note the new time:

dat e






8. Comment out the changes that you made to

/ et c/ secur i t y/ pam_l wi dent i t y. conf and

/ et c/ sysl og. conf in the steps above.

9. Remove all activity from al l . l og that is not between the time

stamps that you noted.

Generate an Authentication Agent Debug Log

1. Log in as root user.

2. Modify the file / et c/ samba/ l wi aut hd. conf to include the

following: [ gl obal ]

l og l evel = 10

3. Restart the Likewise authentication daemon by executing the

following command from the command line (On HP-UX, the path to

the command is / sbi n/ i ni t . d):

/ sbi n/ ser vi ce l i kewi seopen r est ar t

The result should look like this:

St oppi ng l i kewi se- wi nbi ndd: [ OK ]

St ar t i ng l i kewi se- wi nbi ndd: [ OK ]

4. After some activity, comment out the l og l evel line and restart

the daemon.

Important: If you do not comment out the log level and then restart

the daemon, you might run into disk space issues over time.

The log files will appear in / var / l og/ l wi dent i ty.

Increase Max Username Length on AIX

By default, AIX is not configured to support long user and group names,

which might present a conflict when you try to log on with a long Active

Directory username. To increase the max username length on AIX 5.3,

use the following syntax:

# chdev - l sys0 - a max_l ogname=MaxUser NameLengt h+1






Example:

# chdev - l sys0 - a max_l ogname=255

This command allocates 254 characters for the user and 1 for the

terminating null.

The safest value that you can set max_ l ogname to is 255.

You must reboot for the changes to take effect:

# shut down –Fr

Note: AIX 5.2 does not support increasing the maximum user name

length.

Make Sure Outbound Ports Are Open

If you are using local firewall settings, such as i pt abl es , on a computer

running the Likewise agent, make sure the following ports are open for

outbound traffic.

Note: The Likewise Agent is a client only; it does not listen on any ports.

Port Protocol Use

53 UDP/TCP DNS

88 UDP/TCP Kerberos 5

123 UDP NTP

137 UDP NetBIOS Name

Service

139 TCP NetBIOS Session

(SMB)

389 UDP/TCP LDAP

445 TCP SMB over TCP

464 UDP/TCP Machine passwordchanges (typically after

30 days)






Resolve an AD Alias Conflict with a Local Account

When you use Likewise to set an Active Directory alias for a user, the

user can have a file-ownership conflict under the following conditions ifthe user logs on with the AD account:

• The AD alias is the same alias as the original local account name.

• The home directory assigned to the user in Active Directory is the

same as the local user's home directory.

• The owner UID-GID of the AD account is different from that of the

local account.

To avoid such conflicts, by default Likewise includes the short ADdomain name in each user's home directory. If the conflict nevertheless

occurs, there are two options to resolve it:

1. Make sure that the UID assigned to the user's AD alias is the same

as that of the user's local account. See Specify a User's ID and Unix

or Linux Settings.

2. Log on as root and use the chown command to recursively change

the ownership of the local account's resources to the AD user alias.

Change Ownership

Log on the computer as root and execute the following commands:

cd <users home di r ect ory r oot >

chown –R <AD user UI D>: <AD pr i mar y gr oup I D> *. *

Or: chown –R <shor t domai n name>\ \ <account

name>: <shor t domai n name>\ \ <AD gr oup name> *. *

Restart the Authentication Daemon

Linux and UnixYou can restart the authentication daemon by executing the following

command at the shell prompt:

/ sbi n/ ser vi ce l i kewi seopen r est ar t

To stop the daemon, enter the following command:






1. When you join a non-global zone to AD, you will receive an error as

Likewise attempts to synchronize the Solaris clock with AD. This is

because the root user of the non-global zone does not have root access

to the underlying (global) system, and therefore cannot set the system

clock.

If the clocks are within the five minute spread required by Kerberos, this

will not be an issue. If this is not the case, you can resolve this issue by

manually setting the clock in the global zone to match AD, or by joining

the global zone to AD before joining the non-global zone.

2. Cached credentials are not supported for non-global zones. This will

also prevent authenticated logins from succeeding, unless you disable

the cached credentials (‘su’ from root will work with or without cachedcredentials)

To disable cached credentials, edit the /etc/security/pam_lwidentity.conf

file in the non-global zone, commenting out the following line:

cached_login = yes

You comment this line out by putting a semi-colon (;) at the beginning of

the line.

3. If you create a new global zone after installing the Likewise product,

you may receive errors similar to the following:

Installation of these packages generated errors: <CenterisLibXML2

CenterisOpenLDAP CenterisKrb5 CenterisExpat CenterisGroupPolicy

CenterisAuth CenterisDomainJoin>

Installation of these packages generated warnings: <SMCx11vnc

NXnode NXserver>

The file </zones/zone02/root/var/sadm/system/logs/install_log> contains

a log of the zone installation.

The ‘install_log’ file will show issues related to the packages requiring

user interaction. This interaction is simply pkgadd asking if you are sure

you want to over-write the package files that already exist in the global

zone.

You may safely ignore these messages, since the required files are

already installed in the shared file spaces.






4. Some group policies may log PAM errors in the non-global zones even

though they function as expected. Cron is one example, as shown below:

Wed Nov 7 16:26:02 PST 2007 Running Cronjob 1 (sh)

Nov 7 16:26:01 zone01 last message repeated 1 time

Nov 7 16:27:00 zone01 cron[19781]: pam_lwidentity(cron): request failed

Depending on the group policy, these errors may be due to file access

permissions, attempts to write to read-only file spaces, or both.

5. By default, Solaris displays ‘auth.notice’ syslog messages on the

system console. Some versions of Likewise generate significant

authentication traffic on this facility/priority level, which may cause anundesirable amount of ‘chatter’ on the console, and/or mangle the

graphic desktop.

To redirect this traffic to a file instead of being displayed on the console,

edit your /etc/syslog.conf file as follows:

Change this:

*.err;kern.notice;auth.notice /dev/sysmsg

To this:

*.err;kern.notice /dev/sysmsg

auth.notice /var/adm/authlog

Make sure that you use tabs, not spaces, to separate the facility.priority

information (on the left) from the action field (on the right). Using spaces

will cause Syslog to ignore the entire line.






Configuring the Agent

Configure nsswitch.conf

Before you attempt to join an Active Directory domain, make sure the

nsswi t ch. conf file contains the following line:

hosts: f i l es dns

Computers running Solaris, in particular, may not contain this line in

nsswi t ch. conf .

Configure resolv.conf

Before you attempt to join an Active Directory domain, make sure that

r esol v. conf on your Linux, Unix, or Mac client includes a DNS server

that can resolve Srv records for your domain.

Set the Home Directory and Shell for Domain Users

When you use Likewise by installing it only on a Linux, Unix, or Mac

computer and not on Active Directory, you cannot associate a Likewise

cell with an organizational unit, and thus you have no way to define a

home directory or shell in Active Directory for users who log on the

computer with their domain credentials.

To set the home directory and shell for a computer that is using LikewiseOpen or Likewise Enterprise without cell, edit the following configuration

file:

/ et c/ samba/ l wi aut hd. conf

Modify the following lines to set the shell and home directory that you

want:

t empl ate shel l =

t empl at e homedi r =

Examples:

t empl at e shel l = / bi n/ bash

t empl at e homedi r = / home/ l ocal / %D/ %U

When you set the default home directory, you must use the default user

name variable (%U). You may specify the default domain name by using






the domain name variable (%D) but, unlike the user name variable, it is

not required.

All the users who log on the computer by using their Active Directory

domain credentials will have the shell and home directory that you set.

Note: / bi n/ bash might not be available on all systems.

Important: On Solaris, you cannot create a local home directory in

/ home, because / home is used by autofs, Sun's automatic mounting

service. The standard on Solaris is to create local home directories in

/ expor t / home.

If you set the shell and home directory both in Active Directory and in

l wi aut hd. conf , the settings in Active Directory -- which appear on thetarget computer in / et c/ secur i t y/ pam_l wi dent i t y. conf -- take

precedence.

.






Platform Support

Likewise supports a broad range of platforms. Likewise Software is constantly adding new vendors anddistributions to the following list. To get the latest list of supported platforms, go to

www.likewisesoftware.com.

SupportedVendor Distribution

32‐bit 64‐bit

SuSE Linux Desktop 8.2 Yes ‐

SuSE Linux Desktop 9.0 Yes ‐

SuSE Linux Desktop 9.1 Yes Yes



SuSE Linux Enterprise Desktop 10.0 Yes Yes

OpenSuSE Linux 10.0 Yes Yes

OpenSuSE Linux 10.1 Yes Yes

OpenSuSE Linux

10.2

Yes

Yes

SuSE Linux Enterprise Server 9.0 Yes Yes

SuSE

SuSE Linux Enterprise Server 10.0 Yes Yes

Red Hat Enterprise Linux AS 2.1 Yes ‐

Red Hat Enterprise Linux ES 2.1 Yes ‐

Red Hat Enterprise Linux WS 2.1 Yes ‐

Red Hat

Enterprise

Linux

AS

3.0

Yes

Yes

Red Hat Enterprise Linux ES 3.0 Yes Yes

Red Hat Enterprise Linux WS 3.0 Yes Yes

Red Hat

Red Hat Enterprise Linux AS 4.0 Yes Yes






Red Hat Enterprise Linux ES 4.0 Yes Yes

Red Hat Enterprise Linux WS 4.0 Yes Yes

Red Hat Enterprise Linux 5.0 Yes Yes

Red Hat Enterprise Linux 5.0 Desktop Yes Yes

Red Hat Enterprise Linux 5.0 Advanced Platform Yes Yes

Red Hat Linux 7.2 Yes ‐

Red Hat Linux 7.3 Yes ‐

Red Hat

Linux

8

Yes ‐

Red Hat Linux 9 Yes ‐

Fedora Core 3 Yes ‐

Fedora Core 4 Yes Yes



Fedora

Fedora Core

7

Yes

Yes

CentOS 4.0 Yes Yes

CentOS 4.1 Yes Yes

CentOS 4.2 Yes Yes

CentOS 4.3 Yes Yes

CentOS 4.4 Yes Yes

CentOS

CentOS 5.0 Yes Yes

Debian Debian Linux 3.1 Yes Yes

Ubuntu Ubuntu Desktop 6.06 Yes Yes






Ubuntu Desktop 6.10 Yes Yes

Ubuntu Server 6.06 Yes Yes

Ubuntu Server 6.10 Yes Yes

Ubuntu Desktop 7.04 Yes Yes

Solaris 8 (SPARC) Yes Yes

Solaris 8 x86 Yes Yes

Solaris 9 (SPARC) Yes Yes

Solaris 9 x86

Yes

Yes

Solaris 10 (SPARC) ‐ Yes

Open Solaris ‐ Yes

Sun

Solaris 10 x86 ‐ Yes

AIX 5L 5.2 Yes Yes AIX

AIX 5L 5.3 Yes Yes

HP‐UX

11.11

PA

‐RISC

‐Trusted

Mode

‐Yes

HP‐UX 11.11 PA‐RISC – Untrusted Mode ‐ Yes

HP‐UX 11.23 Itanium ‐ Trusted Mode ‐ Yes HP

HP‐UX 11.23 Itanium – Untrusted Mode ‐ Yes

OS X v10.4 PPC Yes Yes

OS X v10.5 PPC and x86 Yes Yes

OS X Server v10.4 PPC Yes Yes Apple

OS X v10.4 x86 Yes Yes





Get Technical Support

For technical support, please visit the Likewise Open community Webpage at http://www.likewisesoftware.com/community/. You can use the

page to join the Likewise Open mailing list to discuss Likewise Open with

other users and developers.

You can also obtain paid support from Likewise Software by visiting

http://www.likewisesoftware.com/support/ or writing to

[email protected].

ABOUT LIKEWISE SOFTWARE

Likewise Software is an open source company that provides audit and authenticationsolutions designed to improve security, reduce operational costs and helpdemonstrate regulatory compliance in mixed network environments. Likewise Open

allows large organizations to securely authenticate Linux UNIX and Mac systems

2912769 Likewise Open Guide

Documents

Transcript of 2912769 Likewise Open Guide