Likewise UID-GID Module Installation and Administration Guide

Likewise comprises several software components, each of which provides part of the functionality necessary to manage Linux and Unix computers in Active Directory.

The installation and deployment process typically proceeds in the following order:

The key to a successful deployment is planning. Before you begin deploying Likewise in an enterprise, develop a plan that addresses at least the following aspects of installation and deployment:

Likewise has two operating modes: schema mode and non-schema mode. Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information. In contrast, non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the existing schema. Instead, non-schema mode uses existing object classes and attributes to store its data. To store information about a cell, Likewise creates a container object and stores data in its description attribute. To store information about a group or user, Likewise creates a serviceConnectionPoint object and stores data in its keywords attribute. Both keywords and description are multi-valued attributes that can have multiple values while still allowing AD searches for specific values.

Specifically, in non-schema mode Likewise uses RFC 2307 attribute names to store values in the keywords and description attributes in the form name=value, where name is the attribute name and value is its value. Here's an example of how the keywords attribute name-value pairs can contain Unix and Linux information for an AD user:

uid=
uidNumber=1016
gidNumber=100000
loginShell=/bin/bash
unixHomeDirectory=/home/joe
gecos=
backlink=[securityIdentifierOfUser]
objectClass=CenterisLikewiseUser

In the example, the uid attribute is empty. It is needed only when you want to specify a name alias so that the AD user can log on a computer with something other than his or her AD account name.

In ADSI Edit, the properties for a user look like this:

The keywords attribute is also used to store Linux and Unix group information. Here's an example of how the attribute name-value pairs can contain Unix and Linux information for a group:

backLink=[securityIdentifierOfGroup] description= displayName= gidNumber=100000 objectClass=centerisLikewiseGroup

When you set an alias for a group, it is stored in the displayName attribute (for the group in the example above, no alias has been set, and thus displayName is empty).

In ADSI Edit, the values of the keywords attribute look like this:

Schema mode takes a slightly different approach. To store Linux and Unix user and group information, schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes, namely the posixAccount and posixGroup object classes. For example, the posixAccount and posixGroup object classes include attributes -- uidNumber and gidNumber -- that Likewise uses for UID and GID mapping. In addition, Likewise uses serviceConnectionPoint objects to store the same information as in non-schema mode by using the keywords attribute.

If you choose to use schema mode and your schema does not comply with RFC 2307, you must modify the schema. The Likewise Domain Extension Wizard, which is a tool in the console, can automatically upgrade your schema to comply with RFC 2307. (Windows Server 2003 R2 complies with RFC 2307.) When you use schema mode with a schema that already complies with RFC 2307, Likewise does not change the schema, but you still must run the Domain Extension Wizard to include the RFC 2307 attributes in the global catalog and to index them for faster searches.

Key Differences

The following table summarizes the differences between schema mode and non-schema mode:

Both schema mode and non-schema mode provide a method for storing Unix and Linux information in Active Directory -- including UIDs and GIDs -- so that Likewise can map SIDs to UIDs and GIDs and vice versa. This mapping enables Likewise to use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme. When an AD user logs on a Unix or Linux computer, the Likewise Agent communicates with the Active Directory Domain Controller through standard LDAP protocols to obtain the following authorization data:

Likewise uses this information to control the user's access to Unix and Linux resources.

The advantages and disadvantages of the schema modes are further discussed in the next section.

Active Directory uses Organizational Units to group related objects in a common container so that you can manage the objects in a uniform and consistent way. To map Active Directory users to Linux and Unix user identifiers (UIDs) and group identifiers (GIDs), you associate Likewise cells with Organizational Units. When you associate a cell with an Organizational Unit (OU), the cell becomes a custom mapping of Active Directory users to UIDs and GIDs.

Cells can map a user to different UIDs and GIDs for different computers. Linux and Unix computers that are in the OU (or an OU nested in it) use the cell to map AD users to UIDs and GIDs. In the following screen shot, the example user, Clark Kent, is allowed to access the Linux and Unix computers that are in the selected Likewise cells:

Creating Cells

Likewise modifies the Active Directory User and Computers MMC snap-in so that you can create an associated cell for an OU and then use the cell to manage UID-GID numbers. To create a cell, use Active Directory Users and Computers to select the OU you want, view the Likewise Settings property sheet, and then select the check box to associate a cell with the OU. You can then assign UID-GID numbers manually or allow Likewise to do it automatically.

When a Unix or Linux computer running the Likewise agent connects to Active Directory, it determines the OU of which it is a member and checks whether a Likewise cell is associated with it. If a cell is not associated with the OU, the Likewise agent on the Unix computer searches the parent and grandparent OUs until it finds an OU that has a cell associated with it. If an OU with an associated cell is not found, the agent uses the default cell to map its username to UID and GID information.

Important: Before you associate a cell with an Organizational Unit, make sure you have chosen the schema mode that you want. You cannot change the schema mode after you create a cell, including a default cell.

For instructions on how to make a cell, see Create a Cell.

The Default Cell

Likewise lets you define a default cell. It handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers.

When you use the default cell, Likewise searches across all your trusted domains for Unix and Linux information directly on the user objects. In schema mode, Likewise searches all trusted global catalogs, which are shared across a forest -- Likewise queries the trusted global catalogs as a set. In non-schema mode, Likewise queries each trusted domain individually.

The default cell does not contain Unix or Linux data. It is a method for managing client Linux and Unix users and computers. When a client finds the default cell object, it searches all trusted domains and forests, enterprise wide, for Linux and Unix information, even if the default cell object has not been created in those trusted domains and forests.

A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the group polices associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell. Likewise does not require you to have a default cell.

For more information, see Create a Default Cell.

Linking Cells

To provide a mechanism for inheritance and to ease system management, Likewise can link cells. Linking specifies that users and groups in a linked cell can access resources in the target cell. For example, if your default cell contains 100 system administrators and you want those administrators to have access to another cell, called Engineering, you do not need to provision those users in the Engineering cell. You can simply link the Engineering cell to the default cell, and then the Engineering cell inherits the settings of the default cell. Then, to make management easier, in the Engineering cell you can just specify the mapping information that deviates from the default cell.

Although you can use linking to in effect set up a hierarchy of cells, linking is not transitive. If, for example, a cell called Civil is linked to the Engineering cell and the Engineering cell is linked to the default cell, the Civil cell does not inherit the settings of the default cell.

When you link to multiple cells, the order that you set is important because it controls the search order. Suppose that Steve, a system administrator, has a UID of 1000,000 set in the default cell and a UID of 150,000 set in the Engineering cell. In the Civil cell, however, he must use his UID from the Engineering cell to log on Civil computers. If the Civil cell is linked to both the default cell and Engineering cell, the order becomes important. If Engineering does not precede the default cell in the search order, Steve will be assigned the wrong UID and will be unable to log on computers in the Civil cell.

For instructions on how to link cells, see Link Cells.

Cell Manager

Cell Manager is a Likewise MMC snap-in for managing cells associated with Active Directory Organizational Units. With Cell Manager, you can view all your cells in one place. Cell Manager complements Active Directory Users and Computers by letting you delegate management of a cell -- that is, give others -- either a user or a group --  the ability to add users and groups to a cell. Cell Manager is automatically installed when you install the Likewise Console. For more information, see Manage Cells.

Migrating NIS Domains

If use Likewise to migrate all your Unix and Linux users to Active Directory, in most cases you will assign these users a UID and GID that is consistent across all the Unix and Linux computers that are joined to Active Directory -- a simple approach that reduces administrative overhead.

In cases when multiple NIS domains are in use and you want to eliminate these domains over time and migrate all users and computers to Active Directory, mapping an Active Directory user to a single UID and GID might be too difficult. When multiple NIS domains are in place, a user typically has different UID- GID maps in each NIS domain. With Likewise, you can eliminate these NIS domains but retain the different NIS mapping information in Active Directory because Likewise lets you use a cell to map a user to different UIDs and GIDs depending on the Unix or Linux computer that they are accessing.

To move to Active Directory when you have multiple NIS servers, you can create an OU (or choose an existing OU) and join to the OU all the Unix computers that are connected to the NIS server. You can then use cells to represent users' UID-GID mapping from the previous identity management system.

Using Multiple Cells

If you have multiple Unix and Linux hosts but are not using a centralized scheme to manage UIDs and GIDs, it is likely that each host has unique UID-GID mappings. You may also have more than one centralized IMS, such as multiple NIS domains. You can use multiple cells to represent the UID-GID associations that the NIS domain provided, allowing those Unix and Linux users to continue to use their existing UID-GID information while using Active Directory credentials.

When using multiple cells, it is useful to identify what Unix and Linux objects the cell will represent, such as the following:

Migration Tool

The Likewise Console provides a migration tool to import Linux, Unix, and Mac OS X passwd and group files -- typically /etc/passwd and /etc/group -- and automatically map their UIDs and GIDs to users and groups defined in Active Directory. The migration tool can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. For more information, see Migrate Users to Active Directory.

Orphaned Objects Tool

The Likewise console provides a tool for finding and removing orphaned objects. An orphaned object is a linked object, such as a Unix or Linux user ID or group ID, that remain in a Likewise cell after you delete a group or user's security identifier, or SID, from an  Active Directory domain. Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve search speed. For more information, see Find Orphaned Objects.

To install the Likewise Management Console on a Windows administrative workstation connected to a domain controller is, in effect, to install either Likewise Enterprise or the UID-GID module on the Active Directory side of your network. With both Likewise Enterprise and the UID-GID module, the console lets you administer Linux, Unix, and Mac OS X computers within Active Directory. The console, which runs on a Windows administrative workstation that connects to an Active Directory domain controller, includes management tools that are integrated into Active Directory Users and Computers. In addition, with Likewise Enterprise, group policies are integrated with the Group Policy Management Console and the Group Policy Object Editor.

With the UID-GID module, you can use the console to perform the following tasks:

With Likewise Enterprise, you can also generate reports about users, groups, and computers.

After you install the console, you can use Active Directory Users and Computers to manage Unix and Linux users and groups. With Likewise Enterprise, you can also use the Group Policy Object Editor to create or edit Linux- and Unix-specific group policies, and you can use the Group Policy Management Console to view information about group policies.

This section lists the requirements to use either Likewise Enterprise or the UID-GID module. You must have at least the following components:

Administrator Privileges

Active Directory Requirements

Windows Requirements for the Console

Unix and Linux Requirements for the Agent

Additional requirements for the agent, including those for patch levels and memory, are listed in About Installing the Agent.

Requirements to Run Likewise in Schema Mode

For more information, see About Schema Mode and Non-Schema Mode and Pros and Cons of the Schema Modes.

Remediation Requirements for Active Directory

Networking

The subnets on which your Linux, Unix, and Mac computers must be added to Active Directory sites before joining the computers to Active Directory so that the Likewise agent can detect the optimal domain controller and global catalog.

Replication

Make sure your AD replication system is up to date and functioning properly by using the following diagnostic tools from http://www.microsoft.com/download to test replication. For instructions, see the Microsoft documentation for each tool.

In addition, the following tools can help you review and troubleshoot FRS problems.

Sonar. Optionally use it to perform a quick review of FRS status.

Ultrasound. Optionally use it to monitor and troubleshoot FRS.

ReplMon. Included in the Microsoft Resource Kit Tools, use it to investigate replication problems across links where DCDiag showed failures.

You install the UID-GID Module on a Windows administrative workstation that can connect to your Active Directory domain controller. It is recommended that you do not install the module directly on your domain controller.

The UID-GID Module installer for Windows includes two components: the Likewise Management Console and the Likewise migration tools.

Important Note About Upgrading: To upgrade to the latest version of the UID-GID Module on your Windows administrative workstation, first uninstall the existing version. Then, before installing the latest version of the module, install the latest version of the Microsoft Group Policy Management Console and run Windows update to make sure your workstation has the latest XML patches.

To start the Likewise Management Console, it must first be installed on your administrative desktop.

Depending on the options chosen during installation, you can start the Likewise Console in the following ways:

Tip: You can run multiple instances of the Likewise Console and point them at different domains.

The Welcome page is the first screen that is displayed after you start the Likewise Console. From the Welcome page, you can navigate to all other pages in the console, including the Status page. You can also start Active Directory Users and Computers (ADUC) as well as Cell Manager.

If Likewise detects more than one Active Directory forest, it displays them on the Likewise Console's Status page. You can connect to a forest by double-clicking the forest name.

You can connect to another domain as follows:

You can run the Likewise Console by using a different user account.

Note: Your domain policy might restrict your ability to use this option.

After you install the Likewise Management Console for the first time, you can run the Schema Mode Wizard to upgrade your Active Directory schema to that of Microsoft Windows Server 2003 R2, which provides support for RFC 2307. The Run Schema Mode Wizard button appears only if you have not run the Schema Mode Wizard and if you have not created any Likewise cells. In non-schema mode, the button will reappear after you remove all your Likewise cells.

Likewise has two operating modes: schema mode and non-schema mode. Non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the existing schema. Non-schema mode is Likewise's default mode, and you do not need to run the schema mode wizard to use it.

Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes, namely the posixAccount and posixGroup object classes. The wizard upgrades your schema to RFC 2307. If you are already using Windows Server 2003 R2, running the wizard indexes frequently searched attributes in the Active Directory global catalog.

Before you decide which schema mode is right for your implementation, see About Schema Mode and Non-Schema Mode and Pros and Cons of the Schema Modes.

Important: You cannot roll back the changes that the schema mode wizard makes to the Active Directory schema. Back up Active Directory before you run the wizard.

Run the Schema Mode Wizard

To raise the forest functional level and to upgrade the schema, you must be a member of the Enterprise Administrators security group or the Schema Administrators security group for the forest.

When you set up Likewise in an environment with large forests or multiple domains, it may take some time for the Likewise objects and the schema update to replicate to the rest of the domain.

Replication must complete before the domain and its child domains are fully enabled for Likewise. You will be unable to connect to a child domain until replication finishes.

If a forest has not been configured, you can upgrade its schema. To do so, you must be a member of the Enterprise Administrators security group or the Schema Administrators security group for the forest.

Important: To apply the schema extensions only to a single child forest, select only the child domain, not the top-level forest.

You can upgrade the schema of the top-level forest and have the upgrade replicated to all child forests.

Note: To upgrade the schema for the forest, you must be a member of the Enterprise Administrators security group or the Schema Administrators security group for the entire forest.

To associate a Likewise cell with a domain or an OU, you must have Active Directory administrative privileges that allow you to create container objects within an OU or a domain. For example, to associate a cell with an OU, you must be a member of the Domain Administrators security group, or you must have been delegated control to create container objects within the OU.

Important: Before you associate a cell with an organizational unit, make sure you have chosen the schema mode that you want. You cannot change the schema mode after you create a cell, including a default cell.

A cell is created, and you can now associate users with it.

You create a cell by associating it with an Active Directory domain or organizational unit (OU).

Associating a Likewise cell with a domain or an OU requires Active Directory administrative privileges that allow you to modify OU objects within the organizational unit. For example, to associate a cell with an OU, you must be a member of the Domain Administrators security group, or you must have been delegated control to create container objects within the OU.

Important: Before you associate a cell with an organizational unit, make sure you have chosen the schema mode that you want. You cannot change the schema mode after you create a cell, including a default cell.

A cell is created, and you can now associate users with it.

Likewise gives you the option of defining a default cell. It handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers. Likewise Enterprise does not require a default cell.

A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such cases, the group polices associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell.

To create a default cell, in the Active Directory Users and Computers console tree, right-click the name of your domain, click Properties, click the Likewise Settings tab, and then click Create Associated Likewise Cell.

In Active Directory Users and Computers, you can associate a user with one or more Likewise cells to give the user access to the Linux, Unix, and Mac OS X computers that are members of each cell.

Note: To associate a user with a cell, you must log on with sufficient administrative privileges -- for example, as a member of the Domain Administrators group.

See Also

Assign a Group ID

You can add an Active Directory group to a cell after you have associated a cell with an organizational unit (OU).

You can add an Active Directory user to a cell after you have associated a cell with an organizational unit (OU).

Linking specifies that the computers in the current cell can be accessed by the users in the cell that you link to (the linked cell).

In the scenario shown in the screenshot below, the current cell is EditorialDepartment. When you link to the Engineering cell from the Likewise Settings tab for EditorialDepartment, the users in Engineering can access the computers in EditorialDepartment.

The following example demonstrates how linking cells can be useful:

If your default cell contains 100 system administrators and you want those administrators to have access to the computers in another cell, called Engineering, you do not need to provision those users in the Engineering cell. You can simply link the Engineering cell to the default cell, and then the Engineering cell inherits the settings of the default cell. For more information on linking cells, see About Cells.

To associate a Likewise cell with an Active Directory organizational unit, an administrator must have permission to create container objects within the OU. A member of the Domain Administrators or Enterprise Administrators security group can delegate control of the OU to another administrator.

Tip: For more information about delegating control, see Delegating Administration in Active Directory Users and Computers Help.

Cell Manager is a Likewise MMC snap-in for managing cells associated with Active Directory organizational units.

With Cell Manager, you can delegate management, change permissions for a cell, add cells, view cells, and associate cells with OUs to provide users and groups with Linux and Unix access. Cell Manager also lets you connect to another domain and filter cells to reduce clutter.

Cell Manager is automatically installed when you install the Likewise Console.

Start Cell Manager

Tip: To start Cell Manager from the Start menu, click Start, point to All Programs, click Likewise, and then click Likewise Cell Manager.

Delegate Management

You can use Cell Manager to create an access control list (ACL) that allows users or groups without administrative privileges to perform the administrative operations that you specify. For example, you can delegate management for the cell manager node to allow other users to create and delete cells. You can delegate management of a cell, a group, or a user.

Change Permissions of a Cell, Group, or User

Add a Cell

When you add a cell, you must attach it to an Organizational Unit in Active Directory.

Give a User Access to a Cell

When you give a user access to a cell by using Cell Manager, you can add the new user to the cell only with default attributes. You can change the attributes later by using in Active Directory Users and Computers; see Specify a User's ID and Unix or Linux Settings.

Give a Group Access to a Cell

When you give a group access to a cell by using Cell Manager, you can add the new group to the cell only with default attributes. You can change the attributes later by using Active Directory Users and Computers.

Filter Cells

You can use filtering to set the maximum number of cells to display and show only the cells that match a pattern.

Connect to a Different Domain

Likewise adds a tab to the property sheet of the following Active Directory objects in the Microsoft Active Directory Users and Computers MMC snap-in:

In Active Directory Users and Computers, you can modify your Likewise settings for a domain, an organizational unit, a group, or a user.

Note: To change settings, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or another group that gives you sufficient privileges to modify objects in Active Directory. Or you must have been delegated privileges to modify the settings of the objects that you want to change; for more information, see Delegate Management.

To create a Unix or Linux user account in Active Directory, you must have sufficient administrative privileges -- for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.

See Also

Create a Cell

Because of a limitation with the Active Directory Users and Computers snap-in, when you try to find a Likewise user or group by right-clicking an organizational unit and then clicking Find, the user or group will not appear in the results even when the user or group is in the OU. The Find command does, however, work at the level of the domain.

As an alternative, you can find Likewise users and groups in an OU by using the following procedure:

To provide an Active Directory user with Unix, Linux, or Mac access, you must have sufficient administrative privileges -- for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.

To provide an Active Directory group with Unix, Linux, or Mac access, you must have sufficient administrative privileges -- for example, as a member of the Enterprise Administrators group, the Domain Administrators group, or as a delegate.

You can set a user's identifier (UID) and specify the user's Unix, Linux, or Mac OS X settings.

Note: To provide a user with a UID and Unix or Linux settings, you must have sufficient administrative privileges -- for example, as a domain administrator or as a delegate. To delegate administrative privileges to another user, see Delegate Management.

See Also

Resolve an AD Alias Conflict with a Local Account

Likewise lets you apply Unix, Linux, and Mac OS X settings to multiple users at the same time. For example, you can assign multiple users to a cell and then set their home directory.

The users must be members of a group that is associated with a cell and each user must have a UID-GID mapping.

Note: To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify the settings of the user objects that you want to change; for more information, see Delegate Management.

You can set an alias for an Active Directory user so that the user can use the alias to log on a Linux, Unix, or Mac OS X computer joined to Active Directory. The alias is set only for the cell that you select when you set it.

You can create an alias for a group that is part of a Likewise cell, including the default cell. The group can use the alias within the cell.

There are three ways that you can set the default home directory for Linux, Unix, and Mac OS X users:

When you set the default home directory, you must use the default user name variable (%U). You may specify the default domain name by using the domain name variable (%D) but, unlike the user name variable, it is not required.

Important: On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.

Set the Home Directory for a Cell

To set a default home directory for a cell, you must have Active Directory administrative privileges to modify OU objects.

Set the Home Directory for Multiple Users

To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

Set the Home Directory for a Single User

To change a user's settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

By using Likewise, there are two ways that you can set the default login shell for Linux, Unix, and Mac OS X users:

Set the Login Shell for a Cell

To set a default login shell for a cell, you must have Active Directory administrative privileges to modify OU objects.

Set the Login Shell for Multiple Users

To change users' settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

Set the Login Shell for a Single User

To change a user's settings, you must log on as a member of the Domain Administrators security group or the Enterprise Administrators security group. Or, you must have been delegated privileges to modify user settings; see Delegate Management.

Likewise Enterprise and the UID-GID module are compatible with Small Business Server 2003. However, because the server locks down several user account values by default, you must create a group in Active Directory for your Unix computers, add each Likewise client computer to it, and configure the group to read all user information.

On other versions of Windows Server, the user account values are available by default. If, however, you use an AD security setting to lock them down, they will be unavailable to the Likewise agent.

To determine Unix account information, the Likewise agent requires that the AD computer account for the machine running Likewise can access the attributes in the following table .

Allow Access to Account Attributes

See Also

Restart the Authentication Daemon

About Schema Mode and Non-Schema Mode

You can assign a group identifier (GID) to an Active Directory group by associating the group object with a cell and specifying a GID value for the group object.

The GID information that you enter is applied to all objects within the group. However, subgroups nested within the settings do not carry down; you must apply the GID information to subgroups individually.

Note: To assign a group ID, you must log on with privileges sufficient to modify the object.

To disable a user, you must log on as a domain administrator or as a member of another group that gives you privileges sufficient to modify Active Directory user objects.

The Likewise Diagnostics and Migration page in the Likewise Management Console includes two tools to help manage a mixed network:

An orphaned object is a linked object, such as a Unix user ID or group ID, that remains in a cell after you delete a group or user's security identifier, or SID, from an Active Directory domain. The Find Orphaned Objects tool cleans up manually assigned user IDs and improves search speed.

The NIS migration tool imports Linux and Unix passwd files and group files and maps them to users and groups in Active Directory. The tool lets you resolve conflicts and ambiguous user names before you commit the changes.

The migration tool includes options to ease your NIS migration to Active Directory and to handle various requirements:  

The Likewise NIS migration tool can import Linux, Unix, and Mac OS X password and group files -- typically /etc/ passwd and /etc/group -- and automatically map their UIDs and GIDs to users and groups defined in Active Directory.

You can also generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. Before you commit the changes, you can resolve ambiguous user names and other conflicts.

Important: Before you migrate users to a domain that operates in non-schema mode, it is recommended that you find and remove orphaned objects. The IDs associated with orphaned objects are reserved until you remove the orphaned objects. See Find Orphaned Objects.

What You Need Before You Begin

Before running the migration tool, you should have the following information ready:

Run the Migration Tool

You can use the Likewise Management Console to find and remove orphaned objects. An orphaned object is a linked object, such as a Unix or Linux user ID or group ID, that remains in a cell after you delete a group or user's security identifier, or SID, from an Active Directory domain.

Removing orphaned objects from Active Directory can clean up manually assigned user IDs and improve search speed. It is recommended that you remove orphaned objects before you use the migration tool with a domain that operates in non-schema mode.

The Likewise agent is installed on Linux, Unix, and Mac OS X computers to connect them to Microsoft Active Directory and to authenticate users with their domain credentials. The agent integrates with the core operating system on Linux, Unix, and Mac to implement the mapping for any application, such as the logon process (/bin/ login), that uses the name service (NSS) or pluggable authentication module (PAM). As such, the agent acts as a Kerberos 5 client for authentication and as a LDAP client for authorization. In Likewise Enterprise, the agent also retrieves group policy objects to securely update local configurations, such as the sudo file.

The Likewise agent is also known as the Likewise client.

Daemons

The Likewise agent comprises the following daemons:

Suggested Restart Order for the Likewise Daemons

1. netlogond

2. lwrdrd

3. dcerpcd

4. eventlogd

5. lsassd

6. gpagentd (with Likewise Enterprise)

7. lwmgmtd

Ports and Libraries

The agent includes a number of libraries in /opt/likewise/lib.

The agent uses the following ports for outbound traffic.

Caches

To maintain the current state and to improve performance, the Likewise agent caches information in four files, all of which are in /var/lib/likewise/db:

Configuration Files

On most operating systems, the configuration files for Likewise are in /etc/likewise. For more information, see Configuring the Agent.

Time Synchronization

For the Likewise agent to communicate over Kerberos with the domain controller, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. (For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Clock-Skew.html.)

The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the domain controller's Kerberos key distribution center that determines the maximum clock skew. Changing the maximum clock skew in the client's krb5.conf file does not affect the clock skew tolerance of the domain controller and will not unable a client outside the domain controller's tolerance to communicate with it.

The clock skew value that is set in the /etc/likewise/krb5.conf file of Linux, Unix, and Mac OS X computers is useful only when the computer is functioning as a server for other clients. In such cases, you can use a Likewise Enterprise group policy to change the maximum tolerance; for more information, see Set the Maximum Tolerance for Kerberos Clock Skew.

The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew are discarded. When the server receives an authentication request within the clock skew, it checks the replay cache to make sure the request is not a replay attack. For more information, see the resources below.

Troubleshooting Kerberos

The following resources can help troubleshoot time synchronization and other Kerberos issues:

Using a Network Time Protocol Server

If you set the system time on your computer with a Network Time Protocol (NTP) server, the time value of the NTP server and the time value of the domain controller could exceed the maximum skew. As a result, you will be unable to log on your computer.

If you use an NTP server with a cron job, there will be two processes trying to synchronize the computer's time -- causing a conflict that will change the computer's clock back and forth between the time of the two sources.

Likewise recommends that you configure your domain controller to get its time from the NTP server and configure the domain controller's clients to get their time from the domain controller.

Automatic Detection of Offline Domain Controller and Global Catalog

The Likewise authentication daemon -- lsassd -- manages site affinity for domain controllers and global catalogs and caches the information with netlogond. When a computer is joined to Active Directory, netlogond determines the optimum domain controller and caches the information. If the primary domain controller goes down, lassd automatically detects the failure and switches to another domain controller and another global catalog within a minute.

However, if another global catalog is unavailable within the forest, the Likewise agent will be unable to find the Unix and Linux information of users and groups. The Likewise agent must have access to the global catalog to function. Therefore, it is a recommended that each forest has redundant domain controllers and redundant global catalogs.

UID-GID Generation in Likewise Open and Likewise Enterprise Cells

In Likewise Open, a UID and GID are generated by hashing the user or group's security identifier, or SID, from Active Directory. With Likewise Open, you do not need to make any changes to Active Directory. A UID and GID stays the same across host machines. With Likewise Open, you cannot set UIDs and GIDs for Linux and Unix in Active Directory; using AD to set and manage UIDs and GIDs is a feature of Likewise Enterprise or the Likewise UID-GID management tool. If your Active Directory relative identifiers, or RIDs, are a number greater than 524,287, the Likewise Open algorithm that generates UIDs and GIDs can result in UID-GID collisions among users and groups. In such cases, it is recommended that you use Likewise Enterprise or that you use the Likewise UID-GID management tool.

The Likewise Open algorithm is the same in 4.1 and 5.0, and if you are running 4.1 on one computer and 5.0 or later on another, each user and group should have the same UID and GID on both machines.

Note: If you have UIDs and GIDs defined in Active Directory, Likewise Open will not use those UIDs and GIDs.

In Likewise Enterprise, you can specify the UIDs and GIDs that you want, including setting multiple UID and GID values for a given user based on OU membership by using Likewise cells. (Likewise cells, available only in Likewise Enterprise, provide a method for mapping Active Directory users and groups to UIDs and GIDs.) You can also specify that Likewise Enterprise automatically generates UID and GID values sequentially.

Cached Credentials

Both Likewise Open and Likewise Enterprise cache credentials so users can log on when the computer is disconnected from the network or Active Directory is unavailable.

The Likewise agent supports the following Active Directory trusts:

Notes on Trusts

Aliasing and Trusts

Likewise Open and Likewise Enterprise run on a broad range of Unix, Mac OS X, and Linux platforms. Likewise frequently adds new vendors and distributions to the list of supported platforms. To view the list, go to http://www.likewise.com/products/likewise_enterprise/supported_platforms.php.

Before you attempt to join an Active Directory domain, make sure the /etc/nsswitch.conf file contains the following line:

hosts: files dns

The hosts line can contain additional information, but it must include the dns entry, and it is recommended that the DNS entry appear after the files entry.

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

For information, see the man page for nsswitch.conf.

Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve Srv records for your domain.

Example:

[root@rhel5d Desktop]# cat /etc/resolv.conf

search likewisedemo.com
nameserver 192.168.100.132

For information, see your operating system's man page for resolv.conf.

The Likewise agent requires several firewall ports to be open for outbound traffic. For a list of the required ports, see Make Sure Outbound Ports Are Open.

On AIX 5.2 and 5.3, you may need to extend the size of certain partitions to complete the installation successfully.

To do so, use IBM's chfs command to change the partition sizes -- for example:

# chfs -a size=+200M /opt

This command increases the size of the /opt partition by 200 megabytes, which should be sufficient for a successful installation.

By default, IBM AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory username. To increase the max username length on AIX 5.3, use the following syntax:

# chdev - l sys0 -a max_logname=MaxUserNameLength+1

Example:

# chdev - l sys0 -a max_logname=255

This command allocates 254 characters for the user and 1 for the terminating null.

The safest value that you can set max_logname to is 255.

You must reboot for the changes to take effect:

# shutdown - Fr

Note: AIX 5.2 does not support increasing the maximum user name length.  

Likewise Software distributes a shell script to check the health of a Linux or Unix computer on which you plan to install the Likewise Agent. The script, which is available only with Likewise Enterprise, helps identify potential system configuration issues before you install the agent and join a Linux or Unix computer to Active Directory. To obtain the script, contact Likewise technical support at support@likewise.com or at http://www.likewise.com/support/.

With Likewise Open, the script is unavailable, but you can manually check your computer against the list in the table below.

The name of the script is healthchk.sh. To execute it, copy the script to the Unix or  Linux computer that you want to check, and then execute the following command from the shell prompt:

likewise-health-check.sh

The script outputs the results of its scan to /tmp/healthchk.out.

The following table lists each item the script checks, describes the item, and suggests action to correct the issue.

You must install the Likewise agent on each Linux, Unix, or Mac OS X computer that you want to connect to Active Directory. To obtain the installer or to view a list of supported platforms, see www.likewise.com. The Likewise Open installation package can be downloaded for free at http://www.likewise.com/products/likewise_open/.

Important: Before you install the agent, it is recommended that you upgrade your system with the latest security patches. Patch requirements for Unix systems are listed below.

The procedure for installing the Likewise Open agent or the Likewise Enterprise agent depends on the operating system of your target computer. Each procedure is documented in a separate section of this manual.

You also have the option of installing the agent in unattended mode; see Install the Agent on Linux in Unattended or Text Mode and Install the Agent on a Mac in Unattended Mode.

For Likewise Enterprise, you can optionally install the agent with a shell script -- an efficient method of deploying the agent in an enterprise environment; see Install the Agent on Linux or Unix with the Shell Script.

Checking Your glibc Version

To determine the version of glibc on your Linux machine, run the following command:

 rpm - q glibc

This section lists requirements for installing and running the Likewise agent. Requirements for installing and running the Likewise Management Console, which is part of Likewise Enterprise and the UID-GID module, are detailed in the chapter on installing the console. Likewise Open does not include the Likewise Management Console.

Patch Requirements

It is recommended that you apply the latest patches for your operating system before you install Likewise. Known patch requirements are listed below.

Sun Solaris

Sun Solaris 10 requires update 5 or later. The Solaris 10 05/08 (or later) patch bundle is available at http://sunsolve.sun.com/.

Solaris 8 Sparc should be fully patched according to Sun's recommendations. Likewise depends on the latest patch for libuuid. On Sparc systems, the patch for libuuid is 115831.

Solaris 8 Intel systems also require the latest patch for libuuid: 115832-01.

Solaris 9 and OpenSolaris are compatible with Likewise without any patches.

HP-UX

Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed. Likewise recommends that you use HP-UX Secure Shell A.05.00.014 or later.

Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable Authentication Module, or PAM, which Likewise requires to allow domain users to execute sudo commands with super-user credentials. It is recommended that you download sudo from the HP-UX Porting Center and make sure that you use the --with-pam configuration option when you build it.

HP-UX 11iv1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903, and PHKL_29243. Although these patches may be superceded by subsequent patches, these patches represent the minimum patch level for proper operation.

Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, you must download and install the latest KRB5-Client libraries from the HP Software Depot. (By default, HP-UX 11.31 includes the libraries.)

Other Requirements for the Agent

AIX

On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.

Secure Shell

To properly process logon events with Likewise, your SSH server or client must support the UsePam yes option. For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software

Telnet, rsh, rcp, rlogin, and other software that uses PAM for processing authentication requests is compatible with Likewise.

Networking Requirements

Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:

In addition, several ports must be open; see Make Sure Outbound Ports Are Open.

Disk Space Requirements

The Likewise agent requires 100 MB of disk space in the /opt mount point. The agent also creates configuration files in /etc/likewise and offline logon information in /var/lib/likewise. In addition, the Likewise Enterprise agent caches group policy objects in /var/cache/likewise.  

Memory and CPU Requirements

The agent consists of several daemons that typically use between 9 MB and 14 MB of RAM. Memory utilization of the authentication daemon on a 300-user mail server is typically 7 MB; the other daemons require between 500 KB and 2 MB each. CPU utilization on a 2.0 gigahertz single-core processor under heavy load with authentication requests is about 2 percent. For a description of the Likewise daemons, see About the Likewise Agent.

Clock Skew Requirements

For the Likewise agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. For more information on time synchronization, see About the Likewise Agent.

You can install the Likewise Enterprise agent by using a shell script that contains a self-extracting executable. The file name of the shell script installer ends in sh. Example: LikewiseIdentityServiceOpen-5.0.0.3499-linux-i386-rpm.sh.

Note: The examples shown are for Linux RPM-based platforms. For other Linux and Unix platforms -- such as Debian, HP-UX, AIX, and Solaris -- simply substitute the appropriate installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type. For Linux computers running glibc 2.2 or earlier, see Install the Agent on Linux with glibc 2.2 or Earlier.

Install the Agent on Linux or Unix with the Shell Script

Perform the following procedure with the root account.

For most Linux platforms, you can install the Likewise Open agent or the Likewise Enterprise agent by using a BitRock installer — an executable whose file name ends with installer. Example: LikewiseOpen-5.0.0.3842-linux-i386-rpm-installer.

The following procedure assumes that you downloaded or copied the Likewise installer to the desktop of your Linux computer.

Linux platforms running glibc 2.2 or earlier require you to use the oldlibc installer -- a shell script that includes oldlibc in its name; example: LikewiseIdentityServiceOpen-5.1.0.3494-linux-oldlibc-i386-rpm.sh.

To check the version of glibc on your Linux computer, execute the following query:

 rpm - q glibc

The following platforms are running glibc 2.2 or earlier and thus require the oldlibc installer:

Install the Agent on glibc 2.2 or Earlier

Perform the following procedure with the root account.

When you use the BitRock installer, command-line tools can help deploy the Likewise agent to multiple computers or install the agent remotely.

You can use the command-line tools to automatically install the agent, join the computer to a domain, and obtain credentials. For example, you can automate the installation of the agent by using the installation command in unattended mode:

 LikewiseEnterprise-5.1.0.2513-linux-x86_64-rpm-installer --mode unattended

For Unix and Linux hosts, you can run the installer from the shell prompt with no special treatment. The installer detects that it is running in character mode and displays a character mode user interface, or you can force it into character mode with the option --mode text:

 LikewiseEnterprise-5.1.0.2513-linux-x86_64-rpm-installer --mode text

You can install the Likewise Open agent or the Likewise Enterprise agent on Sun Solaris, HP-UX, and IBM AIX by using a BitRock installer — an executable whose file name ends with installer. Example: LikewiseIdentityServiceEnterprise-5.0.0.3499-solaris-sparc-pkg-installer.

The examples shown below are for Solaris Sparc systems. For other Unix platforms, simply substitute the appropriate installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.

Note: The name of a Unix installer for Likewise Enterprise on installation media might be truncated to an eight-character file name with an extension. For example, l3499sus.sh is the truncated version of LikewiseIdentityServiceEnterprise-5.0.0.3499-solaris-sparc-pkg-installer.

Perform the following procedure with the root account.

You can install the optional graphical user interface version of the Likewise domain join tool on a Linux computer after you have installed the Likewise agent. The domain join tool can be installed on Linux platforms that are running GTK+ version 2.6 or later.

Note: You do not need to install the domain join GUI to join a domain; for more information, see Join Active Directory with the Command Line.

To install the Likewise agent on a computer running Mac OS X, you must have administrative privileges on the Mac. Likewise supports Mac OS X 10.4 or later.

The Likewise command-line tools can remotely deploy the shell version of the Likewise agent to multiple Mac OS X computers, and you can automate the installation of the agent by using the installation command in unattended mode.

The commands in this procedure require administrative privileges.

Important: For Intel-based Macs, use the i386 version of the .dmg installer; for example: LikewiseEnterprise-5.0.0.3628-i386.dmg. For Macs that do not have Intel chips, use the powerpc version of the .dmg installer; for example: LikewiseEnterprise-5.0.0.3628-powerpc.dmg

The procedure below assumes you are installing the agent on an i386 Mac; if you are installing on a powerpc, replace the i386 installer with the powerpc installer.

Before you upgrade to the latest version of the Likewise agent, it is recommended that you leave the domain, uninstall the domain join GUI, and uninstall the current agent.

Important: If you plan to upgrade from a 4.x or earlier version of Likewise Open to Likewise Open 5.0 or later, please first contact Likewise Technical Support at support@likewise.com. At this time, it is recommended that you do not attempt to upgrade without assistance from Likewise support.

When Likewise joins a computer to an Active Directory domain, it uses the hostname of the computer to create the name of the computer object in Active Directory. From the hostname, the Likewise Domain Join Tool attempts to derive a fully qualified domain name.

By default, the domain join tool creates the Linux and Unix machine accounts in the default Computers container within Active Directory.

You can, however, choose to create machine accounts in Active Directory before you join your Unix, Linux, and Mac OS X computers to the domain. When you join a computer to a domain by running the Domain Join Tool, Likewise associates the Unix or Linux host with the pre-existing machine account. If no match is found, Likewise creates a machine account.

The location of the domain join command-line utility is as follows:

 /opt/likewise/bin/domainjoin-cli

For Linux computers, there is an optional graphical version of the Likewise Domain Join Tool. It can be installed on Linux platforms that are running GTK+ version 2.6 or later. For more information, see Install the Domain Join GUI and Join a Linux Computer to Active Directory with the GUI.

Important: On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on for the first time with your Active Directory domain credentials. For more information, see With NetworkManager, Use a Wired Connection to Join a Domain.

Removing a Computer from a Domain

You can remove a computer from the domain either by removing the computer's account from Active Directory Users and Computers or by running the Domain Join Tool on the Unix, Linux, or Mac OS X computer that you want to remove; see Leave a Domain.

When you join a domain by using the command-line utility, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the computer’s FQDN in the /etc/hosts file. You can also join a domain without changing the /etc/hosts file; see Join Active Directory Without Changing /etc/hosts.

On Linux, Unix, and Mac OS X computers, the location of the domain join command-line utility is as follows:

 /opt/likewise/bin/domainjoin-cli

Important: To run the command-line utility, you must use a root account. To join a computer to a domain, you must have the user name and password of an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join.

Before Joining a Domain

To join a domain, the computer's name server must be able to find the domain and the computer must be able to reach the domain controller. You can make sure the name server can find the domain by running this command:

nslookup  domainName

You can verify that your computer can reach the domain controller by pinging it:

ping  domainName

If either of these tests fails, see Check System Health Before Installing the Agent and Solve Domain-Join Problems.

Join a Linux or Unix Computer to Active Directory

Join a Mac Computer to Active Directory

Join a Linux or Unix Computer to an Organizational Unit

Join a Linux or Unix Computer to a Nested Organizational Unit

Options and Basic Commands

The following tables list the options and commands of the command-line interface for joining a domain.

Options

The domainjoin-cli command-line interface includes the following options:

Basic Commands

The domain join command-line interface includes the following basic commands:

Advanced Commands

The command-line interface includes advanced commands that you can use to preview the stages of joining or leaving a domain, find out which configurations are required for your system, view information about a module that will be changed, and enable or disable a module. The advanced commands provide a potent tool for troubleshooting issues while configuring a Linux or Unix computer to interoperate with Active Directory.

Preview the Stages of the Domain Join for Your Computer

To preview the domain, DNS name, and configuration stages that will be used to join a computer to a domain, execute the following command at the command line:

domainjoin-cli join --preview  domainName

Example: domainjoin-cli join --preview likewisedemo.com

Here's an example of the results, which can vary by computer:

[root@rhel4d bin]# domainjoin-cli join --preview likewisedemo.com

Joining to AD Domain:   likewisedemo.com

With Computer DNS Name: rhel4d.likewisedemo.com

The following stages are currently configured to be run during the domain join:

join           - join computer to AD

krb5           - configure krb5.conf

nsswitch       - enable/disable Likewise nsswitch module

start          - start daemons

pam            - configure pam.d/pam.conf

ssh            - configure ssh and sshd

Check Required Configurations

To see a full listing of the modules that apply to your operating system, including those module that will not be run, execute either the following join or leave command:

domainjoin-cli join --advanced --preview  domainName

domainjoin-cli leave --advanced --preview  domainName

Example: domainjoin-cli join --advanced --preview likewisedemo.com

The result varies by computer:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview likewisedemo.com

Joining to AD Domain:   likewisedemo.com

With Computer DNS Name: rhel4d.likewisedemo.com

    [F] stop           - stop daemons

    [F] hostname       - set computer hostname

    [F] firewall       - open ports to DC

    [F] keytab         - initialize kerberos keytab

[X] [N] join           - join computer to AD

[X] [N] krb5           - configure krb5.conf

[X] [N] nsswitch       - enable/disable Likewise nsswitch module

[X] [N] start          - start daemons

    [F] gdm            - fix gdm presession script for spaces in usernames

[X] [N] pam            - configure pam.d/pam.conf

[X] [S] ssh            - configure ssh and sshd

Key to flags

[F]ully configured        - the system is already configured for this step

[S]ufficiently configured - the system meets the minimum configuration

                            requirements for this step

[N]ecessary               - this step must be run or manually performed.

[X]                       - this step is enabled and will make changes

[ ]                       - this step is disabled and will not make changes

View Details about a Module

The Likewise domain join tool includes the following modules -- the components and services that the tool must configure before it can join a computer to a domain:

As the previous section illustrated, you can see the modules that must be configured on your computer by executing the following command:

domainjoin-cli join --advanced --preview  domainName

You can further bore down into the details of the changes that a module will make by using either the following join or leave command:

domainjoin-cli join --details  module domainName  joinAccount

domainjoin-cli leave --details  module domainName  joinAccount

Example: domainjoin-cli join --details nsswitch likewisedemo.com Administrator

The result varies depending on your system's configuration:

[root@rhel4d bin]# domainjoin-cli join --details nsswitch likewisedemo.com Administrator

[X] [N] nsswitch       - enable/disable Likewise nsswitch module

Key to flags

[F]ully configured        - the system is already configured for this step

[S]ufficiently configured - the system meets the minimum configuration

                            requirements for this step

[N]ecessary               - this step must be run or manually performed.

[X]                       - this step is enabled and will make changes

[ ]                       - this step is disabled and will not make changes

Details for 'enable/disable Likewise nsswitch module':

The following steps are required and can be performed automatically:

    * Edit nsswitch apparmor profile to allow libraries in the /opt/likewise/lib

        and /opt/likewise/lib64 directories

    * List lwidentity module in /usr/lib/security/methods.cfg (AIX only)

    * Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or

        /etc/netsvc.conf

If any changes are performed, then the following services must be restarted:

    * GDM

    * XDM

    * Cron

    * Dbus

    * Nscd

Turn On or Turn Off Domain Join Modules

You can explicitly enable or disable a module when you join or leave a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

Note: If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

To disable a module, execute either the following join or leave command:

domainjoin-cli join --disable  module domainName  accountName

domainjoin-cli leave --disable  module domainName  accountName

Example: domainjoin-cli join --disable pam likewisedemo.com Administrator

To enable a module, execute the following command at the command line:

domainjoin-cli join --enable  module domainName  accountName

Example: domainjoin-cli join --enable pam likewisedemo.com Administrator

See Also

Generate a Domain Join Log

When you join a computer to a domain by using the Likewise Domain Join Tool, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the computer’s FQDN in the /etc/hosts file.

To join a Linux computer to the domain without changing the /etc/hosts file, execute the following command at the shell prompt as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

 /opt/likewise/bin/domainjoin-cli join --disable hostname   domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join --disable hostname likewisedemo.com Administrator

If the Computer Fails to Join the Domain

Make sure the computer's FQDN is correct in /etc/hosts. For the computer to process tickets in compliance with the Kerberos protocol and to function properly when it uses cached credentials in offline mode or when its DNS server is offline, there must be a correct FQDN in /etc/hosts. For more information on GSS-API requirements, see RFC 2743.

You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command:

ping -c 1 `hostname`

When you execute this command, the computer looks up the primary host entry for its hostname. In most cases, this means that it looks for its hostname in /etc/hosts, returning the first FQDN name on the same line. So, for the hostname qaserver, here's an example of a correct entry in /etc/hosts:

10.100.10.10 qaserver.corpqa.likewise.com qaserver

If, however, the entry in /etc/hosts incorrectly lists the hostname (or anything else) before the FQDN, the computer's FQDN becomes, using the malformed example below, qaserver:

10.100.10.10 qaserver qaserver.corpqa.likewise.com

If the host entry cannot be found in /etc/hosts, the computer looks for the results in DNS instead. This means that the computer must have a correct A record in DNS. If the DNS information is wrong and you cannot correct it, add an entry to /etc/hosts.

After you install the Likewise agent, you can install the Likewise Domain Join Tool, a graphical user interface for joining a domain. The domain join tool is not included when you install the agent; you must install the utility separately. For more information, see Install the Domain Join Utility.

Important: To join a computer to a domain, you must have the user name and password of a user who has privileges to join computers to a domain and the full name of the domain that you want to join.

To join a computer running Mac OS X 10.4 or later to an Active Directory domain, you must have administrative privileges on the Mac and privileges on the Active Directory domain that allow you to join a computer.

See Also

Migrate a User Profile on a Mac

If you have only write privileges for an organizational unit in Active Directory, you can still use Likewise. You should enable an organizational unit (OU) for Likewise only when you want to manage your Linux, Unix, and Mac OS X computers within a single OU and you do not have Domain Administrator or Enterprise Administrator privileges, but you have been given rights to create objects in an OU. (See Delegate Control to Create Container Objects.) You can use the write privileges that you have been given for an OU to join Linux and Unix computers to that OU.

There are additional limitations to this approach:

Join a Linux Computer to an Organizational Unit

To join a computer to a domain, you must have the user name and password of an account that has privileges to join computers to the domain and the full name of the domain that you want to join. The OU path is from the top OU down to the OU that you want.

Execute the following command, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join -- ou  organizationalUnitName  domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join -- ou Engineering likewisedemo.com Administrator

Example of how to join a nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

To rename a computer that has been joined to Active Directory, you must first leave the domain. You can then rename the computer by using the domain join command-line interface. After you rename the computer, you must rejoin it to the domain. Renaming a joined computer requires the user name and password of a user with privileges to join a computer to a domain.

Important: Do not change the name of a Linux, Unix, or Mac computer by using the hostname command because some distributions do not permanently apply the changes.

Rename a Computer by Using the Command-Line Tool

The following procedure removes a Unix or Linux computer from the domain, renames the computer, and then rejoins it to the domain.

Rename a Computer by Using the Domain Join Tool

To execute the following procedure, the Likewise Domain Join Tool, a graphical user interface for joining a domain, must be installed on your computer. For more information, see Install the Likewise Domain Join Tool.

The computer's name in /etc/hosts has been changed to the name that you specified and the computer has been joined to the Active Directory domain with the new name.

When Likewise joins a computer to a domain, it modifies some system files. The files that are modified depend on the platform, the distribution, and the system's configuration. The following files might be modified.

To see a listing of the changes that joining a domain will make to your operating system, execute the following join command:

domainjoin-cli join --advanced --preview  domainName

Note: Not all of the following files are present on all computers.

As an example, the following table lists the files that are modified for the default installation of a few selected platforms.

On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on with your Active Directory domain credentials.

After you have joined the domain and logged on for the first time with your AD domain credentials by using a non-wireless connection, you can then revert to using your wireless connection because your AD logon credentials are cached. (You will not, however, be notified when your AD password is set to expire until you either run a sudo command or log on by using a non-wireless connection.)

If, instead, you attempt to use a wireless connection when you join the domain, you will be unable to log on your computer with AD domain credentials after your computer restarts.

Here's why: NetworkManager is composed of a daemon that runs at startup and a user-mode application that runs only after you log on. NetworkManager is typically configured to auto-start wired network connections when they are plugged in and wireless connections when they are detected. The problem is that the wireless network is not detected until after the user-mode application starts -- which occurs only after you have logged on.

Information about NetworkManager is available at http://projects.gnome.org/NetworkManager/.

Likewise includes the following logon options:

Important: When you log on from the command line, you must use a slash to escape the slash character, making the logon form DOMAIN\\username.

To use UPN names, you must raise your Active Directory forest functional level to Windows Server 2003, but raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from the domain. For more information, see About Schema Mode and Non-Schema Mode.

See Also

About Single Sign-On

Configure Putty for Windows-Based SSO

Log On and Verify Your Kerberos Tickets

After the Likewise agent has been installed and the Linux or Unix computer has been joined to a domain, you can log on interactively or from the command line with your Active Directory credentials.

You can log on with SSH by executing the ssh command at the shell prompt in the following format:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

To troubleshoot problems logging on a Linux computer with Active Directory credentials after you joined the computer to a domain, perform the following series of diagnostic tests sequentially with a root account. The tests can also be used to troubleshoot logon problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

Make Sure You Are Joined to the Domain

Execute the following command:

/opt/likewise/bin/domainjoin-cli query

If you are not joined, see Join Active Directory with the Command Line.

Check Whether You Are Using a Valid Logon Form

When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username. Example: likewisedemo.com\hoenstiv.

When logging on from the command line, you must escape the slash character with a slash character, making the logon form DOMAIN\\username. Example: likewisedemo.com\\hoenstiv.

To view a list of logon options, see About Logging On.

Clear the Cache

You might need to clear the cache to ensure that the client computer recognizes the user's ID. See Clear the Authentication Cache.

Destroy the Kerberos Cache

Clear the Likewise Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command at the shell prompt with the user account that you are troubleshooting:

/opt/likewise/bin/kdestroy

Check the Status of the Likewise Authentication Daemon

Check the status of the authentication daemon on a Unix or Linux computer running the Likewise Agent by executing the following command at the shell prompt as the root user:

/sbin/service lsassd status

lsassd is stopped

lsassd (pid 1783) is running...

Check Communication between the Likewise Daemon and AD

Verify that the Likewise daemon can exchange data with AD by executing this command:

/opt/likewise/bin/lw-get-dc-name FullDomainName

Example: /opt/likewise/bin/lw-get-dc-name likewisedemo.com

Verify that Likewise Can Find a User in AD

Verify that the Likewise agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:

/opt/likewise/bin/lw-find-user-by-name domainName\\ADuserName

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hab

Make Sure the AD Authentication Provider Is Running

Likewise includes two authentication providers:

If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:

/opt/likewise/bin/lw-get-status

A healthy result should look like this:

LSA Server Status:

Agent version: 5.0.0

Uptime:        2 days 21 hours 16 minutes 29 seconds

[Authentication provider: lsa-local-provider]

        Status:   Online

        Mode:     Local system

[Authentication provider: lsa-activedirectory-provider]

        Status:   Online

        Mode:     Un-provisioned

        Domain:   likewisedemo.com

        Forest:   likewisedemo.com

        Site:     Default-First-Site-Name

[root@rhel4d bin]#

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication daemon.

If the result looks like the line below, check the status of the Likewise daemons to make sure they are running.

Failed to query status from LSA service.  The LSASS server is not responding.

Switch User to Check PAM

Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:

su DOMAIN\\username

Example: su likewisedemo\\hoenstiv

Test SSH

Check whether you can log on with SSH by executing the following command:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

Additional Diagnostic Tools

There are additional command-line utilities that you can use to troubleshoot logon problems in the following directory:

 /opt/likewise/bin

See Also

Resolve an AD Alias Conflict with a Local Account

Here are the top 10 reasons that an attempt to join a domain fails:

See Also

Generate a Domain-Join Log

To troubleshoot problems with joining a Linux computer to a domain, perform the following series of diagnostic tests sequentially on the Linux computer with a root account. The tests can also be used to troubleshoot domain-join problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

The procedures in this topic assume that you have already checked whether the problem falls under the Top 10 Reasons Domain Join Fails. It is also recommended that you generate a domain-join log.

Verify that the Name Server Can Find the Domain

Run the following command as root:

nslookup ADrootDomain.com

Make Sure the Client Can Reach the Domain Controller

You can verify that your computer can reach the domain controller by pinging it:

ping domainName

Verify that Outbound Ports Are Open

Run the following command as root:

domainjoin-cli join --details firewall likewisedemo.com

The results of the command show whether you must open any ports.

For a list of ports that must be open on the client, see Make Sure Outbound Ports Are Open.

Check DNS Connectivity

The computer might be using the wrong DNS server or none at all. Make sure the nameserver entry in /etc/resolv.conf contains the IP address of a DNS server that can resolve the name of the domain you are trying to join. This is likely to be the IP address of one of your domain controllers.

Make Sure nsswitch.conf Is Configured to Check DNS for Host Names

The /etc/nsswitch.conf file must contains the following line. (On AIX, the file is /etc/netsvc.conf.)

hosts: files dns

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

Ensure that DNS Queries Are Not Using the Wrong Network Interface Card

If the computer is multi-homed, the DNS queries might be going out the wrong network interface card. Temporarily disable all the NICs except for the card on the same subnet as your domain controller or DNS server and then test DNS lookups to the AD domain. If this works, re-enable all the NICs and edit the local or network routing tables so that the AD domain controllers are accessible from the host.

Determine Whether the DNS Server Is Configured to Return SRV Records

Your DNS server must be set to return SRV records so the domain controller can be located. It is common for non-Windows (bind) DNS servers to not be configured to return SRV records.

Diagnose by executing the following command:

nslookup -q=srv _ldap._tcp. ADdomainToJoin.com

Make Sure that the Global Catalog Is Accessible

The global catalog for Active Directory must be accessible. A global catalog in a different zone might not show up in DNS. Diagnose by executing the following command:

nslookup -q=srv _ldap._tcp.gc._msdcs. ADrootDomain.com

From the list of IP addresses in the results, choose one or more addresses and test whether they are accessible on Port 3268 by using telnet.

telnet 192.168.100.20 3268

Trying 192.168.100.20... Connected to sales-dc.likewisedemo.com (192.168.100.20). Escape character is '^]'. Press the Enter key to close the connection: Connection closed by foreign host.  

Verify that the Client Can Connect to the Domain on Port 123

The following test checks whether the client can connect to the domain controller on Port 123 and whether the Network Time Protocol (NTP) service is running on the domain controller. For the client to join the domain, NTP -- the Windows time service -- must be running on the domain controller.

On a Linux computer, run the following command as root:

ntpdate -d -u  DC_hostname 

Example: ntpdate -d -u sales-dc

For more information, see Diagnose NTP on Port 123.

In addition, check the logs on the domain controller for errors from source w32tm, the Windows time service.

See Also

Solve Logon Problems

There are two configuration files on Linux, Unix, and Mac OS X computers running the Likewise agent:

The lsassd.conf file is the primary configuration file: It contains nearly all the configuration options for the Likewise agent. The netlogon.conf file contains only an entry for setting the expiration of the cache that holds information about the optimal domain controller and global catalog.

After you change a setting in the lsassd.conf file, you must force the Likewise agent to load the change either by restarting the authentication daemon (lsassd) or by executing the following command with super-user privileges:

/opt/likewise/bin/lw-refresh-configuration

After you change a setting in the netlogon.conf file, you must restart netlogond for the changes to take effect.

The following table lists local configuration options that you can set on an AD client; several of them can also be centrally managed with group policies when you use Likewise Enterprise. (There are many more Likewise group policies for managing Linux, Unix, and Mac computers; see About Group Policies.) Likewise Open does not apply group policies. For more information about each option, see the topics referenced in the right column.

See Also

Make Sure Outbound Ports Are Open

With Likewise Open and Likewise Enterprise, you can require that a user be a member of a group to log on a computer, or you can limit logon to only the users that you specify.

Note: With Likewise Enterprise, you can restrict logon rights with a Likewise group policy; see Allow Logon Rights.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

/opt/likewise/bin/lw-refresh-configuration

You can set Likewise to display an error message when a user attempts to log on a computer without the right to access it.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Display a Message of the Day at Logon.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

To replace the slash that acts as the separator between an Active Directory domain name and the SAM account name with a character that you choose, edit the following file:

/etc/likewise/lsassd.conf

In the file, modify the following line to set the replacement character that you want:

domain-separator =

Example:

domain-separator = +

The default replacement character is set to \. So, by default, the Active Directory group DOMAIN\Domain Users appears as DOMAIN\domain^users on target Linux and Unix computers.

The following characters cannot be used as the separator:

Note: The Likewise authentication daemon renders all names of Active Directory users and groups lowercase.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

When you install the Likewise agent on a Linux, Unix, or Mac computer but do not install Likewise Enterprise on Active Directory, you cannot configure local Likewise settings with group policies. Instead, you must edit the local Likewise configuration file.

Note: With Likewise Enterprise, you can manage this setting with a Likewise group policy; see Replace Spaces in Names with a Character.

To replace the spaces in Active Directory user and group names with a character that you choose, edit the following file:

/etc/likewise/lsassd.conf

In the file, modify the following line to set the replacement character that you want:

space-replacement =

Example:

space-replacement = ,

The default replacement character is set to ^. So, by default, the Active Directory group DOMAIN\Domain Users appears as DOMAIN\domain^users on target Linux and Unix computers.

The following characters cannot be used as the separator:

Note: The Likewise authentication daemon renders all names of Active Directory users and groups lowercase.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

With Likewise Open and Likewise Enterprise, you can specify whether a joined computer synchronizes its time with that of the domain controller. By default, when a computer is joined to a domain without using the --notimesync command-line option, the computer's time is synchronized with the domain controller's.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Turn Off System Time Synchronization with a GPO.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

See Also

Set the Maximum Tolerance for Kerberos Clock Skew

If your Active Directory environment has only one domain, you can set Likewise to assume the default domain, liberating users and groups from preceding their user or group name with their domain name when they log on a computer or switch users.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Prepend Domain Name for AD Users and Groups.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

When you install Likewise on a Linux, Unix, or Mac computer but not on Active Directory, you cannot associate a Likewise cell with an organizational unit, and thus you have no way to define a home directory or shell in Active Directory for users who log on the computer with their domain credentials.

To set the home directory and shell for a Linux, Unix, or Mac computer that is using Likewise Open or Likewise Enterprise without cell, edit the following configuration file:

 /etc/likewise/lsassd.conf

If with Likewise Enterprise you set the shell and home directory both in Active Directory and in lsassd.conf, the settings in Active Directory take precedence.

After you change lsassd.conf, you must clear the Likewise authentication cache, log off, and then log on before your changes will take effect.

Set the Shell

Modify the following line to set the shell and home directory that you want:

login-shell-template =

Example: login-shell-template = /bin/bash

Set the Home Directory

You can modify the homedir-template line in /etc/likewise/lsassd.conf to set the home directory that you want by using three variables:

The variables are used in the following order: %H/%D/%U

Example:

homedir-template = %H/local/%D/%U

In the example above, the homedir-template is using the %H variable for the homedir-prefix to set the user's home directory. In the example, the homedir-prefix is not preceded by a slash because the slash is included in the default homedir-prefix to ensure that the path is absolute.

Optionally, you can set the homedir-prefix by uncommenting the homedir-prefix line and then adding the prefix that you want. However, the homedir-prefix must be an absolute path -- so you must precede it with a slash. Example:

homedir-prefix = /home

You must use the default user name variable (%U). You may specify the default domain name by using the domain name variable (%D), but it is not required.

All the users who log on the computer by using their Active Directory domain credentials will have the shell and home directory that you set.

Note: /bin/bash might not be available on all systems.

Important: On Solaris, you cannot create a local home directory in /home, because /home is used by autofs, Sun's automatic mounting service. The standard on Solaris is to create local home directories in /export/home.

Turn Off Home Directories

By default, a user's home directory is created upon logon. To turn off the creation of home directories, uncomment the following line in /etc/likewise/lsassd.conf and set it to no.

create-homedir =

Example: create-homedir = no

See Also

Fix the Shell and Home Directory Paths

Set the Default Home Directory

Set the Default Login Shell

By default, Likewise adds the contents of /etc/skel to the home directory created for a user account on Linux and Unix computers. Using /etc/skel or a directory that you designate ensures that all users begin with the same settings or environment.

On Mac OS X computers, the default skeleton directory is as follows:

System/Library/User Template/Non_localized,
/System/Library/User Template/English.lproj

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Copy Template Files When Creating a Home Directory.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

Likewise presets the umask for the home directory and all the files in it to 022. With umask value of 022, the default file permissions for your AD user account are as follows: Read-write access for files and read-write-search for directories you own. All others have read access only to your files and read-search access to your directories.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Set Permissions with a File Creation Mask.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

You can add domain users to your local groups on a Linux, Unix, and Mac OS X computer by placing an entry for the user or group in the /etc/group file. The entries must adhere to the following rules:

So, for users and groups without an alias, the form of an entry is as follows:

root:x:0: LIKEWISEDEMO\kristeva

For users and groups with an alias, the form of an entry is as follows:

root:x:0:kris

In /etc/group, the slash character separating the domain name from the account name does not typically need to be escaped.

When you add Active Directory entries to your sudoers file -- typically, /etc/sudoers --  you must adhere to at least the following rules:

So, for users and groups without an alias, the form of an entry in the sudoers file is as follows:

DOMAIN\\username

DOMAIN\\groupname

Example entry of a group:

% LIKEWISEDEMO\\LinuxFullAdmins ALL=(ALL) ALL

Example entry of a user with an alias:

kyle ALL=(ALL) ALL

For more information about how to format your sudoers file, see your computer's man page for sudo.

Check a User's Canonical Name on Linux

To determine the canonical name of a Likewise user on Linux, execute the following command, replacing the domain and user in the example with your domain and user:

getent passwd likewisedemo.com\\hab

LIKEWISEDEMO\hab:x:593495196:593494529: Jurgen Habermas:/home/local/ LIKEWISEDEMO/ hab:/bin/ sh

In the results, the user's Likewise canonical name is the first field.

See Also

Define a Sudo Policy

When there is cell information in Active Directory, it can prevent users from logging on a computer running Likewise Enterprise or Likewise Open. To allow Active Directory users, regardless of whether they have been provisioned with UID-GID information or other cell information, to access a computer running Likewise Open, you can force the Likewise authentication daemon to ignore cell information when the daemon queries Active Directory. Since the following information is not used by Likewise Open, the authentication daemon can safely ignore it:

Force Likewise Open to Ignore Unix Settings in AD

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

By default, Likewise automatically refreshes user credentials, but you can turn off automatic refreshes be modifying the configuration file of the Likewise authentication daemon.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

You can specify how long the Likewise agent caches information about a Active Directory user's home directory, logon shell, and the mapping between the user or group and its security identifier (SID). Features that are using offline cached credentials reattempt to log on the Active Directory domain controller at the interval that you set. When online, the Likewise agent also caches the information for the specified time period.

This setting can improve the performance of your system by increasing the expiration time of the cache.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Set the Cache Expiration Time.

Change the Interval When Expired Cache Entries Are Purged

You can change the interval when expired entries are purged from the cache. Purging expired entries from the cache can improve the performance of the authentication daemon.

By default, Likewise creates a .k5login file in the home directory of an Active Directory user who is authenticated by Kerberos when logging on a Linux, Unix, or Mac computer. You can, however, stop the creation of a .k5login file.

The .k5login file contains the user's Kerberos principal, which uniquely identifies the user within the Kerberos authentication protocol. Kerberos can use the .k5login file to check whether a principal is allowed to log on as a user. A .k5login file is useful when your computers and your users are in different Kerberos realms or different Active Directory domains, which can occur when you use Active Directory trusts.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Create a .k5login File in a User's Home Directory.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

To customize Likewise to meet the performance needs of your network, you can specify how the Likewise agent parses and caches group and user membership information with the following four settings in the Likewise agent's configuration file --/etc/likewise/lsassd.conf:

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

You can set the machine account password's expiration time. The expiration time specifies when a machine account password is reset in Active Directory if the account is not used. The default is 30 days.

Active Directory handles machine accounts for Linux, Unix, and Mac in the same way as those for Windows computers; for more information, see the Microsoft Active Directory documentation.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Set the Machine Account Password Expiration Time.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

Check the Maximum Lifetime for a User Ticket in the Group Policy Object Editor

See Also

Fix a Key Table Entry-Ticket Mismatch

You can specify the duration of local passwords before they must be changed. The Likewise local authentication provider can warn users that they must change their passwords before they expire.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

The Likewise local authentication provider can warn local users that they must change their passwords before they expire. You can set the interval at which to display the warning.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

You can set Likewise to display a message of the day. It appears after a user logs on but before the logon script executes to give users information about a computer. For example, the message can remind users of the next scheduled maintenance window.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Display a Message of the Day at Logon.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

You can sign and seal LDAP traffic to certify it and to encrypt it so that others cannot see your LDAP traffic on your network.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

You can capture information about authentication transactions, authorization requests, and other security events by turning on event logging.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Turn on Event Logging with a GPO.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

After you turn on event logging, network connection events are logged by default. On laptop computers, computers with a wireless connection, or other computers whose network status might be influx, you can turn off event logging so that the event log is not flooded with connectivity events.

Note: With Likewise Enterprise, you can manage this setting by using a Likewise group policy; see Turn Off Logging of Network Events.

After you change a setting in lsassd.conf, you must force the Likewise agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

Solaris zones are a virtualization technique created by Sun Microsystems to consolidate servers. Primarily used for application isolation, they give the appearance that the various applications are running on individual servers.

Every zone server contains a global zone that retains visibility and control in any installed non-global zones. By default, the non-global zones share certain file spaces, including /usr and others, which are mounted read-only. These file spaces are writable only for the global zone.

As a result, you cannot install most applications -- including Likewise -- in a zone except by installing it in the global zone. Installing Likewise in the global zone automatically results in it being installed in all the non-global zones. This behavior can be over-ridden with a flag to pkgadd.

Although Likewise installs on all zones, they are not joined to Active Directory (AD) as a group. Each individual zone, including the global zone, can be joined to AD independently of any other zones.

Make Sure /opt/likewise Exists

To work with Solaris zones, the /opt/likewise directory must be present on the target computer. Typically, the Likewise installation script creates it. Solaris zones typically share /opt, so Likewise installations on machines with a shared /opt configuration for zones, called a small zones configuration, can create the likewise directory. However, a big zones configuration in which nothing is shared can result in /opt being different in the global and non-global zones. Thus, even though the Likewise installer can create /opt/likewise in the global zone but cannot create the directory in the non-global zones, and the installation of fails. In such cases, as a work around, pre-create /opt/likewise in the zones.

Caveats

There are some caveats when using Likewise with Solaris zones:

1. When you join a non-global zone to AD, you will receive an error as Likewise attempts to synchronize the Solaris clock with AD. This is because the root user of the non-global zone does not have root access to the underlying (global) system, and therefore cannot set the system clock.

If the clocks are within the five-minute spread required by Kerberos, this will not be an issue. If this is not the case, you can resolve this issue by manually setting the clock in the global zone to match AD, or by joining the global zone to AD before joining the non-global zone.

2. If you create a new global zone after installing the Likewise product, you may receive errors similar to the following:

Installation of these packages generated errors: <likewiseLibXML2 likewiseOpenLDAP likewiseKrb5 likewiseExpat likewiseGroupPolicy likewiseAuth likewiseDomainJoin>

Installation of these packages generated warnings: <SMCx11vnc NXnode NXserver>

The file </zones/zone02/root/var/sadm/system/logs/install_log> contains a log of the zone installation.

The install_log file will show issues related to the packages requiring user interaction. This interaction is simply pkgadd asking if you are sure you want to over-write the package files that already exist in the global zone.

You may safely ignore these messages, since the required files are already installed in the shared file spaces.

3. Some group policies may log PAM errors in the non-global zones even though they function as expected. Cron is one example, as shown below:

Wed Nov 7 16:26:02 PST 2007 Running Cronjob 1 (sh)

Nov 7 16:26:01 zone01 last message repeated 1 time

Nov 7 16:27:00 zone01 cron[19781]: pam_lsass(cron): request failed

Depending on the group policy, these errors may be due to file access permissions, attempts to write to read-only file spaces, or both.

4. By default, Solaris displays auth.notice syslog messages on the system console. Some versions of Likewise generate significant authentication traffic on this facility-priority level, which may cause an undesirable amount of chatter on the console or mangle the graphic desktop.

To redirect this traffic to a file instead of being displayed on the console, edit your /etc/syslog.conf file as follows:

Change this:

*.err;kern.notice;auth.notice /dev/sysmsg

To this:

*.err;kern.notice /dev/sysmsg

auth.notice /var/adm/authlog

Important: Make sure that you use tabs, not spaces, to separate the facility.priority information (on the left) from the action field (on the right). Using spaces will cause Syslog to ignore the entire line.

You can set the Likewise log level from the shell prompt by executing the following command. Replace level with one of the four available logging levels: error, warning, info, verbose.

 /opt/likewise/bin/lw-set-log-level level

Example: /opt/likewise/bin/lw-set-log-level warning

The configuration file for the Likewise authentication daemon -- /etc/likewise/lsassd.conf -- is modified to include the level you specified in the command.

You can also set the logon level by editing the following line in /etc/likewise/lsassd.conf:

log-level =

The default is error.

On Linux and Unix

You can check the status of the authentication daemon on a Unix or Linux computer running the Likewise agent by executing the following command at the shell prompt as the root user:

/sbin/service lsassd status

or

/etc/init.d/lsassd status

(On HP-UX, the command is /sbin/init.d/lsassd status.)

If the authentication daemon is running, the result should look like this:

lsassd (pid 25753) is running...

If the service is not running, execute the following command:

/sbin/service lsassd start

or

/etc/init.d/lsassd start

(On HP-UX, the command is /sbin/init.d/lsassd start.)

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

The Likewise DCE/RPC daemon handles communication between Linux, Unix, and Mac computers and Microsoft Active Directory.

On Linux and Unix

You can check the status of dcerpcd on a Unix or Linux computer running the Likewise agent by executing the following command as the root user:

/sbin/service dcerpcd status

or

/etc/init.d/dcerpcd status

If the daemon is running, the result should look like this:

dcerpcd (pid 21538) is running...

If the service is not running, execute the following command:

/sbin/service dcerpcd start

or

/etc/init.d/dcerpcd start

On HP-UX

The commands are different on HP-UX:

/sbin/init.d/dcerpcd status

/sbin/init.d/dcerpcd start

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

The netlogond daemon detects the optimal domain controller and global catalog and caches the data.

On Linux and Unix

You can check the status of netlogond on a Unix or Linux computer running the Likewise agent by executing the following command as the root user:

/sbin/service netlogond status

or

/etc/init.d/netlogond status

If the daemon is running, the result should look like this:

netlogond (pid 21438) is running...

If the service is not running, execute the following command:

/sbin/service netlogond start

or

/etc/init.d/netlogond start

On HP-UX

The commands are different on HP-UX:

/sbin/init.d/netlogond status

/sbin/init.d/netlogond start

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

The Likewise input-output service  -- lwrdrd -- communicates over SMB with SMB servers; authentication is with Kerberos 5.

On Linux and Unix

You can check the status of lwrdrd on a Unix or Linux computer running the Likewise agent by executing the following command as the root user:

/sbin/service lwrdrd status

or

/etc/init.d/lwrdrd status

If the daemon is running, the result should look like this:

lwrdrd (pid 21638) is running...

If the service is not running, execute the following command:

/sbin/service lwrdrd start

or

/etc/init.d/lwrdrd start

On HP-UX

The commands are different on HP-UX:

/sbin/init.d/lwrdrd status

/sbin/init.d/lwrdrd start

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

Check the Version and Build Number of the Agent on Linux, Unix, or Mac

To check the version number of the Likewise agent, execute the following command:

 cat /opt/likewise/data/VERSION

Another option is to execute the following command:

 /opt/likewise/bin/ lw-get-status

Check the Version and Build Number of the Agent with ADUC

You can check the version and build number of the Likewise agent from a Windows administration workstation that is connected your domain controller:

Check the Build Number of the Agent

On Linux distributions that support RPM -- for example, Red Hat Enterprise Linux, Fedora, SUSE Linux Enterprise, OpenSUSE, and CentOS -- you can determine the version and build number of the agent (5.0.0.xxxx in the examples below)  by executing the following command at the shell prompt:

rpm -qa | grep likewise

The result shows the build version after the version number:

likewise-sqlite-5.0.0-1.26353.3513

likewise-libxml2-5.0.0-1.26353.3513

likewise-netlogon-5.0.0-1.26353.3513

likewise-openldap-5.0.0-1.26353.3513

likewise-pstore-5.0.0-1.26353.3513

likewise-passwd-5.0.0-1.26353.3513

likewise-domainjoin-5.0.0-1.26353.3513

likewise-lsass-5.0.0-1.26353.3513

likewise-krb5-5.0.0-1.26353.3513

likewise-base-5.0.0-1.26353.3513

likewise-rpc-5.0.0-1.26353.3513

On Unix computers and Linux distributions that do not support RPM, the command to check the build number varies by platform:

On a Unix or Linux computer that is joined to the Active Directory domain, you can check a domain user's or group's information by either name or ID. These commands can verify that the client can locate the user or group in Active Directory.

Find a User by Name

Execute the following command, replacing domain\\ username with the full domain user name or the single domain user name of the user that you want to check:

 /opt/likewise/bin/lw-find-user-by-name domain\\username

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hoenstiv

You can optionally specify the level of detail of information that is returned. Example:

/opt/likewise/bin/lw-find-user-by-name --level 2 likewisedemo\\hab

User info (Level-2):

====================

Name:                       LIKEWISEDEMO\hab

UPN:                         hab@likewisedemo.com

Uid:                        593495196

Gid:                        593494529

Gecos:                      Jurgen Habermas

Shell:                      /bin/sh

Home dir:                   /home/LIKEWISEDEMO/hab

LMHash length:              0

NTHash length:              0

Local User:                 NO

Account disabled:           FALSE

Account Expired:            FALSE

Account Locked:             FALSE

Password never expires:     TRUE

Password Expired:           FALSE

Prompt for password change: YES

For more information, execute the following command:

/opt/likewise/bin/lw-find-user-by-name --help

Find a User by UID

To find a user by UID, execute the following command, replacing UID with the user's ID:

 /opt/likewise/bin/lw-find-user-by-id UID

Example:

/opt/likewise/bin/lw-find-user-by-id 593495196

Find a Group by Name

 /opt/likewise/bin/lw-find-group-by-name domain\\username

Example:

/opt/likewise/bin/lw-find-group-by-name likewisedemo.com\\dnsadmins

Find a Group by ID

 /opt/likewise/bin/lw-find-group-by-id GID

Example:

[root@rhel4d bin]# /opt/likewise/bin/lw-find-group-by-id 593494534

Group info (Level-0):

====================

Name:     LIKEWISEDEMO\schema^admins

Gid:      593494534

SID:     S-1-5-21-382349973-3885793314-468868962-518

Tip: To view this command's options, type the following command:

/opt/likewise/bin/lw-find-group-by-id --help

There are certain conditions under which you might need to clear the cache so that a user's ID is recognized on a target computer.

By default, the user's ID is cached for 4 hours. If you change a user's UID for a Likewise cell with Likewise Enterprise, during the 4 hours after you change the UID you must clear the cache on a target computer in the cell before the user can log on. If you do not clear the cache after changing the UID, the computer will find the old UID until after the cache expires.

There are three Likewise Enterprise group policies that can affect the cache time:

Tip: While you are deploying and testing Likewise, set the cache expiration time of the Likewise agent's cache to a short period of time, such as 1 minute.

Clear the Cache on a Linux Computer