Overcoming Barriers to Linux Active Directory Integration

There are several key barriers to integrating Unix, Linux, and Mac OS X computers into Microsoft Active Directory:

  • Joining Linux and Unix computers to an Active Directory domain.
  • Authenticating users by using Active Directory.
  • Mapping Linux and Unix UID and GID information to corresponding objects in Active Directory.
  • Authorizing Active Directory users to access resources on Unix and Linux computers.
  • Applying group policies to Linux and Unix computers by using Active Directory.
  • Managing Active Directory objects from Unix, Linux, and Mac with the Likewise Administrative Console.

Joining a Domain
The Likewise Enterprise agent provides the foundation for interoperability by letting you quickly and easily join Linux, Unix, and Mac computers to an Active Directory domain. To join the domain, the agent uses the DCE-RPC, LDAP, and Kerberos protocols to communicate with Active Directory. When the domain join utility joins the computer to the domain, it establishes a machine account in Active Directory. That machine account is then used to make authenticated LDAP and RPC calls to Active Directory.

Authentication
Authentication is the process by which a system verifies the identity of a user who wants to access a computer or application. Without using Likewise, authentication on a Linux or Unix computer typically consists of using the Pluggable Authentication Modules (PAM) to validate usernames and passwords against the /etc/passwd and /etc/group files and using the name service (nsswitch) to associate the username with a user identifier (UID) and a group identifier (GID).

Likewise's ability to join non-Windows computers to an Active Directory domain immediately yields the benefit of making Active Directory's authentication process available to Unix, Linux, and Mac OS X computers. Because Active Directory functions as a Kerberos key distribution center, Likewise can validate Unix and Linux usernames and passwords with the Kerberos 5 network authentication protocol. Kerberos lets users and computers communicating over an insecure network prove their identity to one another in a secure manner.

Processing UID-GID Information in Active Directory
The challenge: allow AD users to access resources on Unix and Linux hosts. Why is this difficult? Because Unix and Linux permission settings for users and groups are defined by UIDs and GIDs, which are simple integers, typically 32-bit numbers, whereas Active Directory security identifiers (SIDs) contain a domain-specific universally unique ID. In Active Directory, a SID uniquely identifies a user, group, or computer within a forest. Interoperability thus requires a method to map SIDs to UIDs and GIDs. Likewise Enterprise overcomes this mismatch by mapping SIDs to UIDs and primary GIDs and storing the information in Active Directory.

Likewise has two operating modes: schema mode and non-schema mode. Schema mode takes advantage of the Unix- and Linux-specific RFC 2307 object classes and attributes to store Linux and Unix user and group information. In contrast, non-schema mode stores Linux and Unix data without requiring RFC 2307 object classes and attributes and without modifying the existing schema. Thus, with Likewise, there is no requirement to change your schema and there is no need for additional infrastructure.

Authorisation
With Likewise, both schema mode and non-schema mode provide a method for storing Unix and Linux information in Active Directory -- including UIDs and GIDs -- so that Likewise can map SIDs to UIDs and GIDs and vice versa. This mapping enables Likewise to use an Active Directory user account to grant a user access to a Unix or Linux resource that is governed by a UID-GID scheme. When an AD user logs on to a Unix or Linux computer, the Likewise agent communicates with the Active Directory domain controller over standard LDAP to obtain the following authorization data:

  • UID
  • Primary GID
  • Secondary GIDs
  • Home directory
  • Login shell

Likewise uses this information to authorize the user to access Unix and Linux resources.
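The SID-to-UID gap and the authorization attributes listed above, as an added example that is not Likewise's code: a constructed AD user record carrying RFC 2307 attributes (schema mode) and one carrying only a SID and primary-group RID (non-schema mode) are rendered as passwd-style entries, with a uniqueness check on the resulting UIDs. The SHA-256 fold used for the non-schema case is a hypothetical mapping for illustration; the product's actual SID-to-ID scheme is not described on this page.

```python
import hashlib
import re

# Constructed records (not from any real domain); attribute names are standard AD / RFC 2307.
SCHEMA_USER = {  # schema mode: RFC 2307 posixAccount attributes present
    "sAMAccountName": "alice",
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "uidNumber": "10001", "gidNumber": "10000",
    "homeDirectory": "/home/alice", "loginShell": "/bin/bash",
}
NO_SCHEMA_USER = {  # non-schema mode: only the SID and primary-group RID
    "sAMAccountName": "bob",
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
    "primaryGroupID": "513",  # RID of Domain Users
}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
UID_FLOOR = 1000               # keep clear of system accounts
UID_SPAN = 2**31 - UID_FLOOR   # stay inside a signed 32-bit uid_t

def id_from_sid(sid: str) -> int:
    """Fold a SID into the 32-bit ID space. Hypothetical hash mapping used for
    this example only; Likewise's real SID-to-UID scheme is not on the page."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    digest = hashlib.sha256(sid.encode("ascii")).digest()
    return UID_FLOOR + int.from_bytes(digest[:4], "big") % UID_SPAN

def passwd_entry(user: dict) -> str:
    """Render one passwd(5)-style line from the authorization data."""
    name = user["sAMAccountName"]
    if "uidNumber" in user and "gidNumber" in user:   # schema mode
        uid, gid = int(user["uidNumber"]), int(user["gidNumber"])
    else:                                              # non-schema mode
        domain_sid = user["objectSid"].rsplit("-", 1)[0]
        uid = id_from_sid(user["objectSid"])
        gid = id_from_sid(f"{domain_sid}-{user['primaryGroupID']}")
    home = user.get("homeDirectory", f"/home/{name}")
    shell = user.get("loginShell", "/bin/sh")
    return f"{name}:x:{uid}:{gid}:{name}:{home}:{shell}"

def build_passwd(users: list) -> list:
    """Render every user, refusing any UID shared by two distinct accounts."""
    seen, lines = {}, []
    for line in map(passwd_entry, users):
        name, uid = line.split(":")[0], int(line.split(":")[2])
        if seen.setdefault(uid, name) != name:
            raise RuntimeError(f"UID {uid} shared by {seen[uid]} and {name}")
        lines.append(line)
    return lines
```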

Group Policies for Linux, Unix, and Mac
The final challenge in achieving interoperability between Active Directory and Unix, Linux, and Mac OS X computers is the application of group policy. Likewise lets you centrally manage non-Windows systems by using the Microsoft Group Policy Object Editor and the Microsoft Group Policy Management Console to apply more than 80 Likewise group policies and thousands of Gnome-based policies to computers running Linux, Unix, and Mac OS X.

For example, you can use a group policy to control who can use sudo to access root-level commands by specifying a common sudoers file for target computers in a domain. Using a group policy for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.

In addition, Likewise Enterprise lets you set Managed Client Settings for Mac computers with Workgroup Manager, a free server administration tool from Apple for remotely managing user, group, and computer settings on Mac OS X machines. Likewise Enterprise integrates Workgroup Manager with Active Directory by storing and applying Managed Client Settings (MCX) as standard Microsoft Active Directory group policy objects, or GPOs.

Managing Active Directory objects from Unix, Linux, and Mac
The Likewise Administrative Console is an extensible service for running management applications, called snap-ins or plug-ins, on a Linux or Mac computer. For example, the console lets you run an Active Directory User and Computers snap-in on a Linux computer so you can modify objects in Active Directory without leaving your Linux desktop.
