Likewise Open makes it very easy to authenticate users on a Linux machine against Windows Active Directory Domain Services, and in today’s mixed operating system environments it lets you integrate assorted services across your network.
Once upon a time I was 100% Linux but got frustrated with the ever more complicated setup of LDAP just to authenticate a few users on my network. I now use Citrix XenServer to host a mixture of Windows and Linux virtual machines and found Windows Server 2008 Active Directory Domain Services to be a good replacement for other authentication services (as a Linux fanboy, that statement was hard to admit for some time).
Here follows a short list of useful tips for using Likewise Open:
- Windows DNS Server

Make use of the Windows DNS Server by using its IP and domain in your /etc/resolv.conf, or by assigning it within your DHCP service.

```
# /etc/resolv.conf
# replace yourdomain.tld with your Active Directory domain
# replace XXX.XXX.XXX.XXX with your Windows Server's IP address
domain yourdomain.tld
search yourdomain.tld
nameserver XXX.XXX.XXX.XXX
```

This makes it easier to use domainjoin-cli or domainjoin-gui to get your Linux machine joined to the Active Directory.
- Username Formatting and Location of Home Directories

When logging into your Linux desktop, make sure you use the format YOURDOMAIN\username, but if you are logging in at a shell, remember to escape the backslash with another backslash, as YOURDOMAIN\\username.

Also note that not only are the uid/gid different from local accounts, but so is the location of the home directories (/home/YOURDOMAIN/username or /home/local/YOURDOMAIN/username, although this can be changed).
- POSIX Friendly Groups

Do create a group for every user you add to the Active Directory, for example: I am user ‘martin’ and my primary group is ‘martin-group’.

Doing this is more POSIX friendly and lets you keep a very secure Linux system even when your home directory is mode rwxrwx--- (chmod 770) and owned by YOURDOMAIN\\username:YOURDOMAIN\\username-group: since nobody else is a member of the per-user group, the group permission bits grant access to nobody but you.
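As an added example (not from the original post), the shell functions below create a home directory with the permissions this tip describes and check the two conditions that make mode 770 safe: the directory is owned by the user and the user's own group, and that group has no other members. The user and group names are placeholders; on an AD-joined machine you would pass the YOURDOMAIN\\username forms, and the last function reads the live group database through getent, which includes Likewise's NSS module once the machine is joined.

```shell
#!/bin/sh
# Added example: set up and verify a home directory as in the "POSIX Friendly Groups"
# tip (mode rwxrwx---, owned by the user and that user's private group).
# Names are placeholders; on an AD-joined machine use e.g. 'YOURDOMAIN\\martin'
# and 'YOURDOMAIN\\martin-group'.

# make_private_home DIR OWNER GROUP : create DIR as rwxrwx--- owned by OWNER:GROUP
make_private_home() {
    mkdir -p "$1" || return 1
    chown "$2:$3" "$1" || return 1
    chmod 770 "$1"                    # rwxrwx--- : nothing for "other"
}

# check_private_home DIR OWNER GROUP : succeed only if DIR is mode 770 and owned by OWNER:GROUP
check_private_home() {
    [ "$(stat -c %a "$1")" = "770" ] || return 1
    [ "$(stat -c %U "$1")" = "$2" ]  || return 1
    [ "$(stat -c %G "$1")" = "$3" ]
}

# private_group_line GROUP_LINE OWNER : succeed if an /etc/group-style line
# ("name:x:gid:member,member") lists no members, or only OWNER. This is what makes
# the group bits of a 770 home directory reach nobody but the owner.
private_group_line() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    [ -z "$members" ] || [ "$members" = "$2" ]
}

# group_is_private GROUP OWNER : the same check against the live group database
# (local files, and Likewise's NSS module once the machine is joined);
# a group that does not exist at all fails the check
group_is_private() {
    line=$(getent group "$1") || return 1
    private_group_line "$line" "$2"
}

# Stand-alone demonstration using the current user and a temporary directory
demo_dir=$(mktemp -d)
make_private_home "$demo_dir/home" "$(id -un)" "$(id -gn)"
if check_private_home "$demo_dir/home" "$(id -un)" "$(id -gn)"; then
    echo "home directory is rwxrwx--- and owned by $(id -un):$(id -gn)"
fi
if private_group_line "martin-group:x:10001:" martin; then
    echo "martin-group (constructed group line) is private to martin"
fi
rm -rf "$demo_dir"
```

The stat -c format specifiers are GNU coreutils ones, so the checks run as written on Linux; the point of group_is_private is that a 770 home directory is only private while the owning group stays a one-member group, which is worth re-checking whenever group membership is edited in the directory.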
- Do Things as root

Missing sudo access? Make sure you are a member of ‘Domain Admins’ within the Active Directory and add the group to your /etc/sudoers file:

```
# replace YOURDOMAIN with your Active Directory domain
%YOURDOMAIN\\domain^admins ALL=(ALL) ALL
```

Notice that the backslash is escaped with a backslash, ‘Domain Admins’ is lower-case and the space has been replaced with a ‘^’.

This could also be done by creating a ‘sudo’ group in the Active Directory, assigning users to it and adding %YOURDOMAIN\\sudo ALL=(ALL) ALL.

Referenced from ‘Ubuntu Forums – Re: Likewise-Open User with Sudo permissions?‘
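The three rewrites the tip describes (escape the backslash, lower-case the name, replace spaces with ‘^’) are easy to get subtly wrong by hand, and a malformed sudoers file locks everyone out of sudo. As an added example, not from the original post, the functions below derive the sudoers user spec from an AD group name, write it to a separate file in the form sudo expects, and wrap the visudo syntax check. "YOURDOMAIN" and the group names are placeholders.

```shell
#!/bin/sh
# Added example: build the sudoers entry for an Active Directory group the way the
# "Do Things as root" tip describes (backslash escaped, name lower-cased, spaces
# replaced by '^'), write it to a separate sudoers.d-style file, and syntax-check
# it with visudo. "YOURDOMAIN" and the group names are placeholders.

# ad_group_to_sudoers DOMAIN "Group Name" -> the %DOMAIN\\group^name user spec
ad_group_to_sudoers() {
    group=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr ' ' '^')
    # '%%' is a literal '%' and '\\\\' yields the two backslashes sudoers needs
    printf '%%%s\\\\%s' "$1" "$group"
}

# sudoers_rule DOMAIN "Group Name" -> complete rule line granting full sudo
sudoers_rule() {
    printf '%s ALL=(ALL) ALL\n' "$(ad_group_to_sudoers "$1" "$2")"
}

# install_sudoers_rule DOMAIN "Group Name" FILE : write the rule to FILE (meant for
# /etc/sudoers.d/, which needs '#includedir /etc/sudoers.d' in /etc/sudoers) with
# the 0440 mode sudo requires, via a temp file so a half-written file is never seen
install_sudoers_rule() {
    tmp=$(mktemp) || return 1
    {
        printf '# sudo rights for the Active Directory group "%s" in %s\n' "$2" "$1"
        sudoers_rule "$1" "$2"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" && mv "$tmp" "$3"
}

# check_sudoers_file FILE : parse FILE with visudo without installing it; run this
# as root before relying on a new rule, because a syntax error locks everyone out
check_sudoers_file() {
    visudo -c -f "$1"
}

# Stand-alone demonstration writing into a temporary directory, not /etc
demo_dir=$(mktemp -d)
install_sudoers_rule YOURDOMAIN "Domain Admins" "$demo_dir/ad-domain-admins"
sudoers_rule YOURDOMAIN sudo
cat "$demo_dir/ad-domain-admins"
rm -rf "$demo_dir"
```

Writing the rule to a file of its own keeps /etc/sudoers untouched and lets you remove the AD grant by deleting one file; run check_sudoers_file on the new file (as root, since visudo also verifies ownership) before copying it into /etc/sudoers.d.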
- Avoid Local Password Errors

Changing local passwords results in ‘Authentication token manipulation error’!

I have only tested this in Ubuntu so far and found out that it should be fixed in Ubuntu Lucid (Bug #302026). For me (on Jaunty), the following fixed the issue:

```
sudo apt-get install libpam-cracklib
```
- Use a Samba Server

I did not get on too well with the Windows NFS server or Windows File Sharing for Linux clients; a few days of messing about sent me running back to Linux for a solution. I decided to use CentOS for my file server and combine NFS and Samba for both Windows and Linux clients.

Using this method allows Linux client machines to mount the home directory via NFS as normal (already well documented), while Windows client users automatically get the share connected via Samba on the specified drive letter.

For CentOS, I followed reply #3 in the ‘CentOS forums – Setting up a folder share using Likewise over an Active Directory Network‘ so that Samba played nicely with Active Directory, and then I added the following to /etc/samba/smb.conf:

```
# replace YOURDOMAIN with your Active Directory domain
[Users]
path = /home/local/YOURDOMAIN
writeable = yes
browseable = yes
guest ok = yes
create mask = 0660
directory mask = 0770
admin users = YOURDOMAIN\administrator
```

Then you can simply edit each user’s profile within Active Directory to automatically map Z: to \\CENTOS\Users\username whenever and wherever they log on; Linux users just use NFS. (NOTE: YOURDOMAIN\Administrator will still get access to all the home directories in the Samba share, but I am still unsure how to make this play nicely when you install software as a user with ‘Domain Admins’ privileges on a Windows machine and the installer wants to use Z:\WINDOWS.)
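One line in that share deserves a second look: guest ok = yes tells Samba to accept connections to [Users] without credentials (as the guest account, subject to the global map to guest setting), so the only thing then standing between an anonymous client and the home directories is the Unix permissions on each directory. Most setups want guest ok = no on a home-directory share and rely on the AD login instead. As an added example, not from the original post or from Samba, here is a small audit that lists the shares in an smb.conf that are both guest-accessible and writable, plus a filter that turns guest ok = yes into no; the smb.conf it runs on at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an smb.conf for shares that are both guest-accessible and
# writable, and a filter that changes 'guest ok = yes' (or its alias 'public') to 'no'.
# The smb.conf used at the bottom is constructed for the demonstration.

# guest_writable_shares FILE : print the name of every share (other than [global])
# whose effective settings are guest ok = yes and writeable = yes (read only = no)
guest_writable_shares() {
    awk '
        # Samba accepts yes/true/1 for booleans; normalise to yes/no
        function yes(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
        function flush() {
            if (share != "" && tolower(share) != "global" && guest == "yes" && writable == "yes")
                print share
        }
        /^[ \t]*[;#]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [share] header: report the previous one
            flush()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            guest = "no"; writable = "no"            # Samba defaults for a new share
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
            if (key == "guest ok" || key == "public") guest = yes(val)
            if (key == "writeable" || key == "writable") writable = yes(val)
            if (key == "read only") writable = (yes(val) == "yes") ? "no" : "yes"
        }
        END { flush() }
    ' "$1"
}

# disable_guest FILE : copy of FILE with every 'guest ok = yes' / 'public = yes' line
# changed to 'no', printed to stdout so the diff can be reviewed before replacing
# smb.conf (keys are matched in lower case, as they are written in the tip above)
disable_guest() {
    sed -E 's/^([[:space:]]*(guest ok|public)[[:space:]]*=[[:space:]]*)(yes|true|1)[[:space:]]*$/\1no/' "$1"
}

# Constructed smb.conf for the demonstration; [Users] mirrors the share in the tip
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
   workgroup = YOURDOMAIN
   security = ads

[Users]
   path = /home/local/YOURDOMAIN
   writeable = yes
   browseable = yes
   guest ok = yes

[Public]
   path = /srv/public
   guest ok = yes
   read only = yes

[Private]
   path = /srv/private
   writeable = yes
   guest ok = no
EOF
echo "guest-writable shares: $(guest_writable_shares "$demo_conf")"
disable_guest "$demo_conf" > "$demo_conf.fixed"
echo "after disable_guest: '$(guest_writable_shares "$demo_conf.fixed")'"
rm -f "$demo_conf" "$demo_conf.fixed"
```

The audit only reads the per-share keys, so a share that inherits guest access from a [global] setting is not flagged; testparm -s on the live configuration shows the merged values if you need that view.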
If you have something to add, or you feel I have missed out some elegant tip, please leave your thoughts in the comment section below!
4 Comments
Thanks for this, and yes, I agree, MS do Domain control very well, there’s no denying it.
We’ve been trialling Lucid which comes with Open v5.4 and found it to be most reliable.
For our user shares we’ve just been creating them on the MS 2003 Server (not publishing through AD, just as regular old school SAMBA shares) and mapping via “bookmarking” through Nautilus which we’ve had no problems with, admittedly it would be good to be able to integrate and control them through AD + auto map Home DIR’s but until there’s a “simple” workaround Likewise Enterprise seems to be the only option?
There is a way of defining a default domain so that users from there don’t need to prefix their username with YOURDOMAIN\, but instead just put their username. I can’t remember the location of the config file for this nor what it is called, though.
I have just looked into the way of using the default domain but only on Ubuntu Lucid 10.04 LTS and do not yet have a solution (likewise-open 5.4.0.42111-2ubuntu1).
Apparently, you can create a map file for every user and copy it to all other machines on your network (I think that method defeats the objective of using AD in the 1st place and I also do not have a /etc/samba/lwiauthd.conf file).

```
username = DOMAIN\username
```

Then, edit /etc/samba/lwiauthd.conf and make sure it contains:

```
winbind nss info = lwopen
lwopen:name_map = /etc/samba/map.txt
```

Restart likewise and then you can login with username and not DOMAIN\username, and this will be your real username in the system.
Taken from HOWTO: Active Directory authentication in Ubuntu 8.04 and 8.10 – comments.
The 1st method of using the default domain is to use winbind use default domain = yes in /etc/samba/lwiauthd.conf but as above, that file does not exist on my system.

The next method is to use assume-default-domain = yes in /etc/likewise/lsassd.conf but again, that file is not on my system (supposed to work for likewise-open 5.3).

The last method I have tried is to change a line in /etc/likewise-open/lsassd.reg as follows:

```
"AssumeDefaultDomain"=dword:00000000
```

Change to:

```
"AssumeDefaultDomain"=dword:00000001
```

Taken from the Ubuntu Forums – Use default domain with likewise-open 5.4
I do have that file and changed it as above, then rebooted just to make sure … but still no luck.
If anyone has any other solution I can include, please feel free to comment.
“The next method is to use assume-default-domain = yes in /etc/likewise/lsassd.conf but again, that file is not on my system (supposed to work for likewise-open 5.3).”
Thank you for this! I’d been looking for a way to do this for my Ubuntu 8.04 LTSP box. This worked for me perfectly!
One other recommendation: 8.04 ships with an older version of Likewise open. Download the newer version (5.3.0.7766 at the time of this writing). It is more stable and also fixed the issue of needing to restart the daemon on reboot.
Evan