Active Directory Integration: Centrify Express vs. Likewise
The market for integrating Linux machines into Active Directory environments has been heating up in recent months, with both Likewise and Centrify releasing new software that does almost exactly the same thing: make joining a domain as simple as a few clicks or keystrokes. Of course, the two companies’ offerings work in different ways. We wanted to know which is best, so we’ve spent the last several weeks testing the competing products. Here’s what we found.
As we’ve explained in past coverage of Likewise Open and Centrify Express, both applications offer the same basic service–simple Active Directory-based authentication for Unix systems–for the same price–free. Each product can also be upgraded to licensed versions that provide more features, but we’ve stuck with the free-to-use releases for the purposes of this post.
More specifically, we compared Likewise Open version 6, which was released about a month ago, to Centrify Express, a new member of the Centrify product suite that was introduced in June. Both applications are available as free downloads on their respective developers’ websites.
Installation
Likewise Open is available from the Ubuntu repositories for releases 8.04 and up, but in order to get the latest version, you’ll have to download an installer from the company’s website. Likewise offers both graphical and command-line installers for Linux.
Centrify doesn’t yet have packages in Ubuntu’s repositories. According to a Centrify employee, however, Canonical validated the product this week, so we should see it in the Software Center soon. In the meantime, installation scripts customized for Ubuntu are available from Centrify’s website. They must be run from the terminal; there’s no graphical interface. Alternatively, rather than running the installation script, you can manually install a set of Debian packages that provide the Centrify binaries.
In both cases, installation via the scripts was pretty straightforward and took only a few minutes. There’s really not much more to say here.
Joining a Domain
Joining machines to a domain after installing Likewise Open and Centrify Express is also pretty simple. Centrify has the advantage of offering the option to join at install time, but both products provide utilities for joining a domain at any later point with a relatively simple command.
Likewise also offers a graphical interface–albeit one with no features beyond the very basic–for joining a domain, as well as a command-line utility. Centrify Express is CLI-only on Linux.
Out-of-the-Box Configuration
Likewise and Centrify are pretty similar as far as installation and joining a domain are concerned. When it comes to configuration, however, the fundamental differences between the two products start to show.
For starters, the out-of-the-box settings of Likewise and Centrify diverge in many places. For example, Centrify assumes that the first domain to which a computer is joined is the “default,” allowing users to log in with a simple:
ssh [email protected]
Likewise doesn’t assume default domain until told to do so, which means the syntax for logging in is more complicated, along the lines of:
ssh 'domain\username'@host
Likewise can be changed to behave like Centrify, but it doesn’t do so out-of-the-box.
Similarly, Likewise creates home directories for new users at /home/<domain>/username, while Centrify defaults to the Unix-standard /home/username. Centrify’s approach seems like it could theoretically lead to collisions if a local account has the same name as a user from the Active Directory, but that risk aside, I prefer having all home folders in the same place regardless of whether the accounts are local or not.
Customization
Of course, the default behavior of Likewise and Centrify can be changed easily enough by editing the relevant configuration files. While both companies provide quite rigorous documentation for configuring their products (see Likewise Open’s Configuration Guide and the Centrify Express Admin Guide), however, the way in which their configuration data is structured is quite different.
Overall, Centrify adheres much more closely to a traditional Unix approach. Its configuration files are stored in plain text under /etc/centrifydc, and are pretty identical in form to the configuration files of most normal Linux applications.
Most of Likewise’s config files, in contrast, are stored at /opt/likewise/share/config–not exactly an intuitive location for Ubuntu users–and look like lists of Windows registry keys. They can be modified with any text editor, or with a special utility that ships with Likewise, but this setup is very different from what many Unix system administrators are used to. And despite representing a departure from earlier releases of Likewise Open, the Windows-esque setup is perhaps not surprising, given that several of Likewise’s VIPs are Microsoft expatriates.
This isn’t to say one product’s approach is better than the other’s, as both certainly have their merits. But depending on whether you see the world through a Linux lens or a Windows one, Centrify might be more appealing than Likewise, or vice-versa.
Licensing
If Likewise’s configuration is more reminiscent of Windows than Centrify’s, the opposite is true when it comes to licensing. Likewise Open is available under the GPL, with full source code publicly released (Likewise Enterprise, of course, is proprietary). In contrast, although Centrify releases the code of its customized versions of Putty, OpenSSH and Samba and contributes some of its work upstream, the source of Centrify Express itself is closed.
These licensing differences don’t affect the performance of either product, but for the ideologically minded, they can be an important consideration.
Restricting Logins
By default, once a computer joins a domain, anyone with a valid account on that domain can log in. This is undesirable in many cases. Both Centrify and Likewise, however, provide mechanisms for restricting logins.
Under Likewise, the system administrator can edit a configuration file to restrict access to certain groups. Another solution, if you like writing bash scripts, is to change Likewise’s default login shell to a wrapper script that decides whether or not the user logging in should be granted a real shell.
While Centrify supports the wrapper-script strategy, it can also restrict logins using arguments that are passed to the pam_centrifydc PAM module to tell it to grant access only to certain users or groups. For my money, this approach is a bit better than Likewise’s because it allows access to be granted not only at the group level but also on a per-user basis. On the other hand, if you preferconfiguring access in a configuration file over dealing with PAM, you’ll be more comfortable under Likewise.
Conclusions
Overall, Centrify Express and Likewise Open are both very capable products that certainly blow Winbind and all its hassle out of the water. Each solution is so capable, in fact, that we can’t deem one better than the other. They both have their strengths and weaknesses, but neither comes out decisively on top.
Perhaps the most important factor to take into consideration when deciding which service to adopt is the way the applications are structured: while Centrify looks and feels much more like a traditional Unix program, Likewise will be more familiar to administrators accustomed to Windows. In other words, if you like doing things the Unix way, choose Centrify. If you feel more at home with GUIs and the Windows registry, Likewise will probably fit your needs better.
The upgrade paths available for Centrify and Likewise are also an important item to consider when deciding which product to deploy. While Likewise Open and Centrify Express are both free and sufficient for the needs of home users and small organizations, administrators of larger environments will want to upgrade to the licensed versions of the software, such as Likewise Enterprise and Centrify Platinum. Centrify, with its broader suite of products, offers a bit more flexibility when it comes to upgrading, but figuring out which product line makes most sense is a question particular to the needs of each individual organization. We won’t dive into it here, but stay tuned for more on this topic in weeks to come.
Likewise is founded by Ex-Microsoft employees with special purpose of destroying Samba.
Their enterprise edition is proprietary so I have no idea why someone regard them as Open source company. Once they feel like they fulfilled their objective (of destroying Samba) they will stop making “community edition”. They have no outside contributors, so removing GPL version probably won’t result in fork because nobody know the code, beyond their employees, that is.
Dear Jack,
Thanks for you humorous comment. I needed a good laugh this morning. 🙂 But in case you did not mean this as a joke, I should point out that your information is, although funny, entirely incorrect.
Point (1) – I spent 11 years of my life working on Samba. I’ve spent the past 5 years years working at Likewise. I’ve never worked at Microsoft. I’m currently Director of Engineering at Likewise and the Likewise Open Project lead. And although I left Samba in April of 2009 to work on Likewise-CIFS, I have the utmost respect for every friend that I have still working on that project.
Point (2) – The reason why we choose the LGPLv2.1(or later) and GPLv2(or later) licenses was specifically so that projects like Samba could reuse any of our code. In contrast, if we had chosen GPLv2 only (no “or later” clause), then Samba and other GPLv3 licensed code bases would not be able to re-use any of our code due to license compatibilities.
Point (3) – Why is Likewise Open released as open source in the first place? Because I personally believe that people have struggled for too long with the AD integrated authentication problem. It has prevented Linux deployments in some cases and forced specific platform decisions in others. I want to remove that barrier and give people the freedom to select the platform that best suits their needs. I personally prefer Ubuntu. But that is just me.
In closing, when one release source code under an open license (GPL or BSD or anything else), that person gives others the freedom to choose their own destiny even as he choose his own. So please, take my code and enjoy. I hope you find it in some way useful.
Cheers, Jerry
Director of Engineering
Likewise Software
Chris – thanks for the review. Don’t work, won’t get into the Samba vs. Likewise debate. In reviewing the websites from the vendors, I noticed that Centrify Express also includes a product DirectManage Express that does centralized pre-install checking and deployment of the Centrify software. Any reason why you did not mention that in your review of Centrify Express? Seems like a useful tool and a key potential differentiator, especially if you have a large environment. Thanks, B.
Blake: good point about DirectManage Express. I was actually planning to write that up separately (although in retrospect it is definitely worth mentioning as a feature unique to Centrify, so thanks for bringing it up here)–stay tuned.
[…] can integrate well with AD in server land but has issues for end user desktops. Workswithu did a article comparing the two programs too for those interested. Overall Centrify is an acceptable solution, but falls short of a Linux […]
Is there any difference between Quest, Likewise and Centrify offerings other than Centrify’s ad gives everyone ‘the finger’?
Hello my name is Bill Gates and I happen to be the CEO of microsoft. Now you must believe everything I write, because, I am Bill Gates.
PFFT whatever.
Likewise just sold off its AD software, exiting the market.
Leaves Centrify and Quest in the fray for UNIX/Linux AD.
Will be interesting if Quest wins its AD lawsuit against Centrify.
All this free stuff sure does seem to be making sure none of them are making any money… which bodes badly for innovation and development.
In the end, you gets whats ya pays for!
We should be able to download and use Likewise Source? Where can we download the likewise source and binaries?
Of three AD freeware companies –
Likewise sold to BeyondTrust.
Quest sold to Dell.
Question is when rather than if Centrify will be sold since has exactly same legal and financial difficulties as the other two — high costs and staff turn-over, unprofitable ‘me too’ AD and recently MDM offerings.
Not necessarily a bad exit event for execs, not necessarily a good thing for any of the customers who bought in recent fire sales
Hey – Cody http://www.centrify.com/express 😉
You must first uninstall Winbind in order to use Likewise!