Likewise Enterprise
BENEFITS
• Enhances operational efficiency.
• Helps demonstrate regulatory compliance.
• Hardens network security.
• Eases the managerial burden for system administrators and
security managers.
• Reduces the cost of managing a mixed network.
• Consolidates and simplifies identity management.
About Likewise Enterprise
By joining Linux, Unix, and Mac computers to Active Directory – a secure,
scalable, stable, and proven identity management system – Likewise gives
you the power to manage all your users' identities in one place, use the
highly secure Kerberos 5 protocol to authenticate users in the same way on
all your systems, apply granular access controls to sensitive resources,
and centrally administer Linux, Unix, Mac, and Windows computers with
group policies. Likewise includes reporting and auditing capabilities that
can help improve regulatory compliance. The result: lower operating costs,
better security, enhanced compliance.
The information contained in this document represents the current view of Likewise
Software on the issues discussed as of the date of publication. Because Likewise
Software must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Likewise, and Likewise Software cannot guarantee the
accuracy of any information presented after the date of publication.
These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES
NO WARRANTIES, EXPRESS OR IMPLIED.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in,
or introduced into a retrieval system, or transmitted in any form, by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Likewise Software.
Likewise and the Likewise logo are either registered trademarks or trademarks of
Likewise Software in the United States and/or other countries. All other trademarks are
property of their respective owners.
Likewise Software
15395 SE 30th Place, Suite #140
Bellevue, WA 98007
USA
Table of Contents
INTRODUCTION
ACCESS CONTROL
    Features
    Benefits
    More Information
CACHED CREDENTIALS
SINGLE SIGN-ON
    How Likewise Makes SSO Happen
    Application Support
MAC SUPPORT
    More Information
INTEGRATION OPTIONS
Introduction
Likewise Enterprise joins Linux, Unix, and Mac OS X computers to
Microsoft Active Directory to centrally manage all your computers,
authenticate users, control access to resources, and apply group policies
to non-Windows computers.
The Likewise Agent runs on Linux, Unix, and Mac OS computers so that
you can join them to a domain, manage them within Active Directory, and
use single sign-on.
• Support for more than 100 Linux, Unix, and Mac OS X platforms
• Cached credentials
• Secure authentication
• Access control
• Single sign-on
• Group policies for Linux, Unix, and Mac workstations and servers
• Migration tools
Centralized Management
Likewise Enterprise empowers you to centrally manage all your
computers in Active Directory — bringing you an array of features and
benefits unavailable with NIS, a custom LDAP solution, or an ad hoc
Kerberos key distribution center.
Third, Likewise lets you assign each user a unique ID in Active Directory
while maintaining your NIS domain user information. When you migrate
Linux and Unix users from NIS domains to Active Directory, Likewise
uses cells to preserve the user information in your NIS domains. A cell
provides a custom mapping of a unique and identifiable Active Directory
user to that user’s UIDs and GIDs.
• No site affinity: LDAP will not find the most efficient domain
controller if you change locations.
How It Works
1. A user logs on to a Linux or Unix client, and the login program gets the
username and password.
6. The KDC verifies the secret key and then grants the client a TGT.
Benefits
Authenticating Linux, Unix, and Mac computers with Likewise and Active
Directory has the following benefits:
More Information
Access Control
This section outlines the Likewise access control mechanisms.
Features
Benefits
More Information
Read the Likewise technical note titled Access Control for Linux, Unix,
and Mac OS X available at
http://www.likewisesoftware.com/resources/technical_notes/Likewise_AccessControl_TechNote.pdf.
Cached Credentials
Although modern networks are extremely reliable, network architects
should not rely on perfect connectivity, especially when a network spans
multiple geographic sites. Branch offices and other satellite facilities may
be connected to Active Directory through leased lines or through virtual
private networks (VPNs) that are subject to occasional failure.
Single Sign-On
When you log on to a Linux, Unix, or Mac OS X computer by using your
Active Directory domain credentials, Likewise initializes and maintains a
Kerberos ticket granting ticket (TGT). With a TGT, you can log on to other
computers joined to Active Directory or applications provisioned with a
Service Principal Name and be automatically authenticated with
Kerberos and authorized for access through Active Directory. In a
process transparent to the user, the underlying Generic Security
Services (GSS) system requests a Kerberos service ticket for the
Kerberos-enabled application or server. The result: single sign-on.
To gain access to the other computer, you can use various protocols and
applications:
• SSH
• rlogin
• rsh
• Telnet
• FTP
• Creates a keytab for the computer in the following way: When you
join a Linux or Unix computer to AD, Likewise creates a machine
account for the computer. Likewise then automatically creates a
keytab for the SPN and places it in the standard system location
(typically /etc/krb5.keytab).
• Creates a keytab for the user during logon. On most systems, the
user keytab is placed in the /tmp directory and named
krb5cc_UID, where UID is the numeric user ID assigned by the
system.
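The two file locations named above can be checked for ownership and mode with a short script. This is an added example, not Likewise code: the sample directory stands in for /tmp, its files are constructed placeholders, and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

TICKET_FILE = re.compile(r"^krb5cc_(\d+)$")  # krb5cc_UID, as named on this page

def check_private_file(path, expected_uid):
    """Return the problems found for a file that only expected_uid should read."""
    info = os.lstat(path)  # lstat so a planted symlink is reported, not followed
    if not stat.S_ISREG(info.st_mode):
        return ["not a regular file"]
    problems = []
    if info.st_uid != expected_uid:
        problems.append("unexpected owner")
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group or other")
    return problems

def audit_ticket_files(directory):
    """Map each krb5cc_UID file name in directory to its list of problems."""
    report = {}
    for name in os.listdir(directory):
        match = TICKET_FILE.match(name)
        if match:
            path = os.path.join(directory, name)
            report[name] = check_private_file(path, int(match.group(1)))
    return report

def build_sample_dir():
    """Constructed sample directory standing in for /tmp; holds no real tickets."""
    root = tempfile.mkdtemp()
    uid = os.getuid()
    for name, mode in ((f"krb5cc_{uid}", 0o600), (f"krb5cc_{uid + 1}", 0o644)):
        path = os.path.join(root, name)
        with open(path, "wb") as handle:
            handle.write(b"constructed placeholder")
        os.chmod(path, mode)
    os.symlink(os.path.join(root, f"krb5cc_{uid}"),
               os.path.join(root, f"krb5cc_{uid + 2}"))
    return root, uid

if __name__ == "__main__":
    sample, _ = build_sample_dir()
    for name, problems in sorted(audit_ticket_files(sample).items()):
        print(name, problems or "ok")
    # The machine keytab gets the same check with root (UID 0) as the owner.
    if os.path.exists("/etc/krb5.keytab"):
        print("/etc/krb5.keytab", check_private_file("/etc/krb5.keytab", 0) or "ok")
```

Pointing `audit_ticket_files` at the real /tmp on a joined host reports any per-user file that another account could read or that was replaced by a link.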
Application Support
Cells can map a user to different UIDs and GIDs for different computers.
Linux and Unix computers that are in the OU (or an OU nested in it) use
the cell to map AD users to UIDs and GIDs. Likewise Enterprise modifies
the Active Directory Users and Computers MMC snap-in so that you can
create an associated cell for an OU and then use the cell to manage
UID-GID numbers. In the following screen shot from ADUC, the example
Linking Cells
make management easier, in the Engineering cell you can just specify
the mapping information that deviates from the default cell. You can use
linking to set up, in effect, a hierarchy of cells.
Likewise includes a feature that lets you define a default cell. It handles
mapping for computers that are not in an OU with an associated cell. The
default cell can contain the mapping information for all your Linux and
Unix computers.
Cell Manager
More Information
For example, you can use a group policy to control who can use sudo for
access to root-level privileges by specifying a common sudoers file for
target computers. You could, for instance, create an Active Directory
group called SudoUsers, add Active Directory users to the group, and
then apply the sudo group policy to the container, giving those users
sudo access on their Linux and Unix computers. In the sudoers file, you
can specify Windows-style user names and identities. Using a group
policy for sudo gives you a powerful method to remotely and uniformly
audit and control access to Unix and Linux resources.
Likewise stores its Unix and Linux group policies in the same locations
and in the same format as the default Windows group policies -- in the
system volume (sysvol) shared directory. Unix and Linux computers
that are joined to an Active Directory domain receive their group policies
in the same way that a Windows system does:
Likewise gives you the option of creating and editing group policies with
either the Group Policy Object Editor (GPOE) or the Group Policy
Management Console (GPMC). When you use the Group Policy
Management Console, you can view group policy settings.
In the Group Policy Object Editor, the Likewise group policies are in the
UNIX and Linux Settings folder in the console tree under Computer
Configuration; the Likewise user settings are under User Configuration:
With the Group Policy Object Editor, you can set group policies to target
all versions of the following platforms.
• Apple Mac OS X
• CentOS Linux
• Debian Linux
• Fedora Linux
• Hewlett-Packard HP-UX
• IBM AIX
• OpenSUSE Linux
• Sun Solaris
• SUSE Linux
• Ubuntu Linux
Gnome Settings
Likewise Enterprise includes several thousand group policies for Linux
user and computer settings -- policies that are based on the Gnome
GConf project to define desktop and application preferences such as the
default web browser. These Gnome configuration settings can be applied
to Linux computers running the Gnome desktop.
The Gnome policies are integrated into the Group Policy Object Editor,
making it easy to manage and apply them. After you add the Gnome
schemas for your Linux platform, the policies appear in the Unix and
Linux User Settings folder under User Configuration or under Computer
Configuration.
The Gnome-based group policies include user and computer settings for
applications like the browser, help viewer, and main menu. For example,
a user policy can define whether the Gnome volume manager
Benefits
• Improve the security of Linux computers by locking down Linux desktops.
• Centrally configure computers and applications running the Gnome
desktop.
More Information
Mac Support
Likewise Enterprise includes extensive support for Mac OS X workstations
and servers. With Likewise, Mac clients can gain single sign-on to OS X
servers as well as Linux and Unix resources by using a single Active
Directory account. Likewise also includes group policies tailored
specifically for the Mac, many of which are shown in the following screen
shot:

SUPPORTED MAC VERSIONS
Likewise supports the 32-bit and 64-bit versions of the following Mac
operating systems:
• OS X v10.4 PowerPC
• OS X Server v10.4 PowerPC
• OS X v10.4 x86
• OS X v10.3 PowerPC
More Information
Migration Tools
You can use the Likewise migration tool to import Linux, Unix, and Mac
OS X passwd and group files -- typically /etc/passwd and
/etc/group -- and automatically map their UIDs and GIDs to users and
groups defined in Active Directory. Or, you can choose to generate a
Windows automation script to associate the Unix and Linux UIDs and
GIDs with Active Directory users and groups. Before you commit the
changes, you can resolve ambiguous user names and other conflicts.
Integration Options
Likewise provides multiple possible configurations for integrating Unix
and Linux systems into Active Directory. All of these configurations
require that a user’s Unix- and Linux-specific information be associated
with the user’s Active Directory object. All of these configurations can be
automatically provisioned using IBM’s Tivoli Identity Manager solution or
by using Sun Identity Manager.
Report                     Description
Forest Users and Groups    Displays all Unix- and Linux-enabled users and
                           groups in an Active Directory forest. This
                           report can also display duplicate UIDs, GIDs,
                           login names, and group aliases.
You can choose the information that you want to include in a report by
selecting from a variety of report columns. Depending on the type of
report, you can select different columns for users, groups, computers,
and cells. When you generate a User Access report, for example, you
can select from such report columns as Login Name, Unix Login Name,
User Status, UID, Primary GID, Gecos, Login Shell, and Home Directory.
Each type of report includes filters and options. All the reports let you
filter by domain. Depending on the type of report that you create, you can
choose whether to show disabled users or disabled computers. For
some reports you can limit the number of objects by specifying a
maximum. For example, the Group Access report gives you a report
option to set the maximum number of computers per group.
After you generate a report, you can view, save, preview, and print it.
Likewise outputs the report data in XML but displays it in HTML. After
you generate a report, you can save it in XML, HTML, or CSV by clicking
Save As, and then in the Save as type box, clicking the format that you
want.
Benefits
• List all the duplicate UIDs, GIDs, Login Names, and Group
Aliases in an Active Directory forest.
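The conflicts mentioned under Migration Tools and in the Forest Users and Groups report (duplicate UIDs, login names that do not resolve to one identity) can be found before any import by comparing passwd files across hosts. This is an added example, not Likewise's migration tool or report; the host names and passwd contents are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: passwd files collected from two hosts before migration.
SAMPLE_PASSWD = {
    "web01": "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:100:Alice A:/home/alice:/bin/bash\n"
             "bob:x:1002:100:Bob B:/home/bob:/bin/sh\n",
    "db01": "root:x:0:0:root:/root:/bin/bash\n"
            "alice:x:2001:100:Alice A:/home/alice:/bin/bash\n"
            "carol:x:1002:100:Carol C:/home/carol:/bin/bash\n"
            "broken-line-without-fields\n",
}

def parse_passwd(text):
    """Return ([(login, uid, gid), ...], [malformed lines]) for passwd text."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(line)
            continue
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries, malformed

def find_conflicts(passwd_by_host):
    """Collect the entries that need a decision before UIDs are mapped."""
    uids_by_login = defaultdict(set)
    logins_by_uid = defaultdict(set)
    malformed = {}
    for host, text in passwd_by_host.items():
        entries, bad = parse_passwd(text)
        if bad:
            malformed[host] = bad
        for login, uid, _gid in entries:
            uids_by_login[login].add(uid)
            logins_by_uid[uid].add(login)
    return {
        # One login with different UIDs on different hosts.
        "login_with_several_uids":
            {name: sorted(u) for name, u in uids_by_login.items() if len(u) > 1},
        # One UID shared by different logins: file ownership would merge.
        "uid_with_several_logins":
            {uid: sorted(n) for uid, n in logins_by_uid.items() if len(n) > 1},
        "malformed": malformed,
    }

if __name__ == "__main__":
    for kind, items in find_conflicts(SAMPLE_PASSWD).items():
        print(kind, items)
```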
Snap-In                      Description
Likewise Active Directory    Provides administrative access to users,
Users and Computers          computers, groups, organizational units, and
                             Likewise cells in Active Directory. You can
                             add, delete, and modify the properties of
                             Active Directory objects from your Linux
                             desktop. It also serves as a Linux-side
                             ADSI -- you can use it to view and edit
                             Active Directory attribute values.
In the Likewise Administrative Console, the Active Directory Users and
Computers snap-in looks like this:
To run the console, you must first install Mono 1.2.5.1 and Mono
WinForms 1.2.5.1. Mono is available for free at
http://www.mono-project.com/, and Mono WinForms is available for free at
http://www.mono-project.com/WinForms.
• CentOS 5
AIX 5L 5.2 ‐
AIX 5L 5.3 ‐
OS X v10.3 PPC
OS X v10.4 PPC
OS X Server v10.4 PPC
OS X v10.4 x86
CentOS 4.0
CentOS 4.1
CentOS 4.2
CentOS 4.3
CentOS 4.4
CentOS 5.0
Debian Linux 3.1
Fedora Core 3 ‐
Fedora Core 4
Fedora Core 5
Fedora Core 6
Fedora Core 7
Vendor Distribution          Supported (32-bit, 64-bit)
HP‐UX 11.11 PA‐RISC ‐ Trusted Mode ‐
HP‐UX 11.11 PA‐RISC ‐ Untrusted Mode ‐
HP‐UX 11.23 Itanium ‐ Trusted Mode ‐
HP‐UX 11.23 Itanium ‐ Untrusted Mode ‐
Oracle Enterprise Linux 4
Oracle Enterprise Linux 5
Red Hat Enterprise Linux AS 2.1 ‐
Red Hat Enterprise Linux ES 2.1 ‐
Red Hat Enterprise Linux WS 2.1 ‐
Red Hat Enterprise Linux AS 3.0
Red Hat Enterprise Linux ES 3.0
Red Hat Enterprise Linux WS 3.0
Red Hat Enterprise Linux AS 4.0
Red Hat Enterprise Linux ES 4.0
Red Hat Enterprise Linux WS 4.0
Red Hat Enterprise Linux 5.0
Red Hat Enterprise Linux 5.0 Desktop
Red Hat Enterprise Linux 5.0 Advanced Platform
Red Hat Linux 7.2 ‐
Red Hat Linux 7.3 ‐
Red Hat Linux 8 ‐
Red Hat Linux 9 ‐
Solaris 8 (SPARC)
Solaris 8 x86
Solaris 9 (SPARC)
Sun Solaris 9 x86
Solaris 10 (SPARC) ‐
Solaris 10 x86 ‐
Open Solaris ‐
SuSE Linux Desktop 8.2 ‐
SuSE Linux Desktop 9.0 ‐
SuSE Linux Desktop 9.1
SuSE Linux Desktop 9.2
SuSE Linux Desktop 9.3
SuSE Linux Enterprise Desktop 10.0
OpenSuSE Linux 10.0
OpenSuSE Linux 10.1
OpenSuSE Linux 10.2
SuSE Linux Enterprise Server 9.0
SuSE Linux Enterprise Server 10.0
Ubuntu Desktop 6.06
Ubuntu Desktop 6.10
Ubuntu Server 6.06
Ubuntu Server 6.10
Ubuntu Desktop 7.04
Ubuntu Desktop 7.10
VMWare ESX Server 2.5 ‐
VMWare ESX Server 3.0.1 ‐
ABOUT LIKEWISE
Likewise Software is an open source company that provides audit and authentication
solutions designed to improve security, reduce operational costs and help
demonstrate regulatory compliance in mixed network environments. Likewise Open
allows large organizations to securely authenticate Linux, UNIX and Mac systems
with a unified directory such as Microsoft Active Directory. Additionally, Likewise
Enterprise includes world-class group policy, audit and reporting modules.
Likewise Software is a Bellevue, WA-based software company funded by leading
venture capital firms Ignition Partners, Intel Capital, and Trinity Ventures. Likewise
has experienced management and engineering teams in place and is led by senior
executives from leading technology companies such as Microsoft, F5 Networks,
EMC and Mercury.