Likewise Enterprise: Linux to Active Directory Integration?

Deploying Linux desktops across large organizations has been getting easier with each new release. However, in practice, installing, configuring and securing such deployments is not so simple. With this fact in mind, we recently got in touch with Likewise vice-president Ken Cheney for a hands-on look at using his company’s chief product to simply and secure corporate deployments.  Here’s what we found …

Before delving into the nitty-gritty of the Likewise configuration itself, Cheney outlined why systems administrators should be interested in Likewise Enterprise and similar solutions for integrating Unix machines with Microsoft Active Directory, rather than relying on do-it-yourself approaches which can get ugly:

In the case of Linux desktops, it can be argued that enterprise adoption has lagged behind expectations given the perceived pain of simply getting Linux desktops to ‘play nice’ with legacy infrastructure investments. Despite a simpler path existing, many enterprises attempt to tie-in Linux desktops to their enterprise identity and access management infrastructure through sheer will, leveraging ‘baling wire and duct tape’ with homegrown solutions made up of Kerberos and LDAP. The result is often a costly and difficult environment to maintain and frequent end-user frustration, which impacts further adoption.

In contrast to solutions based on Kerberos and LDAP, Cheney observed, identity and access-management products consolidate directory services. They “remove the pain of the homegrown approach and are surprisingly easy to deploy.”

Deploying Likewise Enterprise on Ubuntu

Cheney then moved on to a discussion of the deployment and configuration of Enterprise Likewise, using an Ubuntu client as an example. Likewise Enterprise is the licensed version of the Likewise suite, providing more features than the free and open source Likewise Open, which supports basic AD integration but not advanced features such as UID/GID support for group policy, compliance reporting for auditors, and event management and dashboards.

Breaking the process down step-by-step, Cheney outlined the work needed to “operationalize” an Ubuntu machine as a happy constituent of an AD environment with the assistance of Likewise Enterprise:

Step 1 – Fire up the Likewise installer on a Windows Member Server, and go through the install wizard (you may also install the Likewise Tools separately on a workstation if you use ADUC/GPMC from your personal machine):

The install wizard will do the following:

• Install the Likewise Tools
• Install a MSFT SQL Express 2005 database
• Install the auditing and event collection services
• Creates a Likewise cell
• Creates an OU for your machines to join to (We will use “UNIXComputers” in our example)
• Creates a GPO called “Likewise Enterprise settings for UNIXComputers”
• Configures that GPO with all of the auditing settings
• Turns on assume default domain

Step 2 – Now let’s add Logon Restrictions:

• Go into your Group Policy Management Console (GPMC) and edit the GPO
• Choose the “Computer” section of the “Likewise Enterprise For Unix Computers” GPO
• Select the “Unix & Linux Settings” folder – it’s a blue folder that AD admins won’t be used to seeing
• Select “Likewise Settings”
• Select “Allow Logon Rights” policy\
• Specify which AD user and/or group that you will allow on to the new Ubuntu machine

Step 3 – Now we need to install Likewise Enterprise agent on the Ubuntu Machine:

• Run command /opt/likewise/bin/domainjoin-cli join –ou UNIXComputers yourdomain.com Administrator (or use the GUI) to join the domain
• Go back ADUC in AD and refresh (F5) – a new computer account shows up in the UNIXComputers OU in AD. The Group Policy agent on the Ubuntu host grabs all the settings from the GPO and applies them to itself

Step 4 – At this point all you have done to AD is add the Likewise Enterprise plug-in and add an OU. No schema changes or invasive changes have been made. This is called ‘Non-Schema mode.’

• Now it’s time to add a user or group to the new Ubuntu machine.
  • Right click on a user “Jimmer” in ADUC (Active Directory Users & Computers)
  • Choose Properties
  • Choose “Likewise Settings” Tab (insert photo here)
  • Check the “UNIXComputers” cell (stuff below will un-gray)
  • Enter a custom UID or click “generate” to generate a hashed UID number (based on the user’s SID/RID in AD)
  • Select the dropdown for “Domain Users” group (all the default settings will then fill in)
  • Click “Accept” to accept the defaults or customize for your environment
• Now do the same steps for adding the Windows group you put in the GPO above when setting up the Logon Restrictions to the Likewise UNIXComputers Cell. Only this time, you’ll be assigning a GID number to the group.

Step 5 – User “Jimmer” can now login to the Ubuntu machine with his AD credentials. It’s tracked in the event log, you can run reports on it, set additional group policies. SSH single sign-on will just work, and connecting to Windows shares from Ubuntu should automatically work.

Now you can either a) retire the “baling wire and duct-tape” approach you’ve been using or b) successfully “operationalize” your Ubuntu desktop rollout from day one.

And thus are the individual steps needed to operationalize an Ubuntu machine for an AD environment. Broken down like this, identity-management solutions demonstrate their value over hopelessly complex, hacked-together alternatives based on Kerberos and LDAP.

This isn’t to say, of course, that Likewise doesn’t have its complexities — witness the long documentation that explains the product’s advanced features — but its basic deployment can be quite facile, and is doubtless superior to hacking Kerberos configuration files by hand.

Sign up for The VAR Guy’s Weekly Newsletter, Webcasts and Resource Center. Follow The VAR Guy via RSS, Facebook and Twitter. Follow experts at VARtweet. Read The VAR Guy’s editorial disclosures here.