By: Frank Ohlhorst
Imagine you're a network manager, happily living in your world of Windows servers and desktops, when out of the blue, the CTO marches in to inform you that not only is the art department switching to Macs but the CFO wants to save a few bucks by going the Linux route, and it's up to you to make it happen. As you fall out of your chair with visions of desktop management meltdowns in your mind, you wonder if there is a product to make this work with your deployed Active Directory. Luckily, there is, and it is called Likewise Enterprise.
Likewise Software's Likewise Enterprise 5.3 allows administrators to integrate Linux, Unix and Mac systems with Microsoft's Active Directory, as well as manage AD from non-Windows systems. But that's only part of the story: Features such as directory migration, group policy support, reporting and single sign-on turn the product into a complete identity and policy management suite that offers all the underpinnings to adhere to compliance regulations like HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard). The product accomplishes those lofty goals by providing extensive reporting and logging capabilities, as well as MMC (Microsoft Management Console) plug-ins, native management tools and dashboards.
Licenses for Likewise Enterprise start at around $420 per server and $100 per desktop system. Organizations looking to join only non-Windows systems to AD can turn to the freely downloadable Likewise Open, which hit Version 6.0 in July.
Testing Likewise Enterprise
I tested Likewise Enterprise 5.3 on a Windows Server 2008 R2 network and was surprised at how easy it was to install. Likewise works based on a client/server model, where a Likewise server is set up and a client application is distributed to the endpoints. One installation step that gave me pause was the question of whether or not to extend my AD schema to best manage non-Windows systems via group policy.
I opted to extend the schema on my test system, but I recommend avoiding this step if you are running a complex multiserver environment, especially if you have mixed versions of Windows Server. If I hadn't extended my AD schema, I would have had to manage certain group policy options through the Likewise management console rather than through the regular AD controls (not a bad compromise).
To add my non-Windows test systems to AD, I had to install an agent on each of my test endpoints: an Ubuntu 10.04 PC, a MacBook Pro and an openSUSE 11.4 virtual PC running under a VMware hypervisor. I installed the agents manually (Likewise offers slick graphical installers for each platform it supports), but administrators on large networks may want to investigate automated options for agent deployment.
Once I had the agents installed, I was able to log in to the Windows Domain without any problems. One nit to pick is log-in times, as they can be rather slow, depending on the infrastructure in use and, I assume, the number of policies being enforced. Likewise is working on an updated version of the agent to resolve the slow log-in issues.
With initial setup behind me, I was able to launch the group policy editor and start making changes to the policies that can be associated with the Linux and Mac clients running the agents.
I found that Likewise Enterprise offers an impressive array of policies for Linux users. On Linux systems (running the GNOME desktop environment), I was able to create policies that controlled how the desktop functioned, ranging from screensavers used to dialogs associated with logging out.
However, the real power of the policy controls became evident with the authorization and identification policies. Here, I was able to enable offline log-in support (which allows mobile users to log in to their systems while disconnected), set password expirations and digitally sign communications. What's more, I was able to create policies for creating home directories and storing .k5login files, which allows support of multiple users (each with one in their own home directory) with Kerberos services. Policies also exist for setting password lengths and ages, as well as for running script files or cron jobs.