Likewise Extends Active Directory's Embrace to Mac and Linux

 
 
By Jason Brooks  |  Posted 2008-01-14
 
 
 

Likewise Extends Active Directory's Embrace to Mac and Linux


Linux-based operating systems boast some very impressive management features, including detailed configuration controls for the GNOME desktop environment and a unified software management framework that puts Windows and its horde of disparate update applets to shame.

However, the lack in Linux of a well-integrated analogue for Microsoft's Active Directory and Group Policy to tie everything together leaves the open-source operating system with a management whole that adds up to less than the sum of its individually impressive parts.

Enter Likewise Software-formerly known as Centeris-and its Likewise Enterprise 4.0, which enables administrators to make the most of the Linux, Unix and OS X machines under their care by authenticating them against Active Directory and managing them via the same Group Policy tools that serve Windows systems.

In my tests of Likewise Enterprise 4.0, I found the product easy to install, with plenty of provisions for meshing comfortably with existing environments and policies. For instance, I could opt to extend the schema of my AD domain to make way for Unix-specific attributes, or I could choose not to extend my schema and call on Likewise Enterprise to make do with my existing schema.

I found that Likewise Enterprise made joining a Linux client to an AD domain just as easy as joining a Windows client to AD, and I was impressed by the breadth of native Linux configuration settings that I could customize and apply to my test clients via Group Policy. I could access GNOME's XML-based configuration system to control most desktop-oriented settings, manage SELinux, AppArmor and sudo permissions control frameworks, and push down scripts and text files to manage distribution specific elements, such as software repository configurations.

To see a slide show of Jason Brooks' examination of Likewise Enterprise, click here.

If Active Directory lies at the heart of your network or your customers' networks, Likewise Enterprise is worth evaluating as a means for drawing the non-Windows machines that tend to creep into your design or engineering departments more closely into your Windows management structure. What's more, at a price of $50 per managed client or $250 per managed server, a combination of Likewise Enterprise 4.0 and Windows Server could serve as a fairly inexpensive backbone for large deployments of low-cost Linux clients.

On the competitive front, Quest Software's Vintela Authentication Services and Centrify's DirectControl, neither of which I've tested, enable administrators to authenticate their non-Windows systems against Active Directory. Centrify's product also allows for management via Group Policy. Both of these products are priced similarly to Likewise Enterprise 4.0.

One advantage that Likewise Enterprise enjoys over its competition is the availability of Likewise Open, a new open-source software component comprising just the AD authentication portion of Likewise's proprietary offering (which itself relies on the open-source Samba project). Likewise Open will be included in the next versions of Red Hat Enterprise Linux and Ubuntu Linux, which will serve to get Likewise Software's foot in the door of companies that have adopted these popular Linux flavors.

Likewise Enterprise 4.0 supports a broad range of systems, including 11 versions of Novell's SUSE Linux and 21 versions of Red Hat's Enterprise and Fedora Linux distributions, as well as several recent Ubuntu, Debian and CentOS Linux flavors. In addition, Likewise Enterprise supports IBM's AIX, Sun Microsystems' Solaris, Hewlett-Packard's HP-UX, and Apple's OS X 10.3 and 10.4. Details on the product's platform support can be found here.

Likewise Open is currently available in ready-to-install package form for Ubuntu 7.10, Fedora 8 and OpenSUSE 10.3. While I expect other distributions to begin packaging Likewise Open to run on their own systems-the source code is freely available-Likewise should broaden package availability from its end, as well.

Likewise Extends Active Directory's Embrace to Mac and Linux


title=Likewise in the Lab

Likewise Enterprise in the lab

I conducted my tests on an AD domain hosted by Windows Server 2003 Service Pack 2, to which I joined an Ubuntu 7.10 client using Likewise Open. I found that I needed to set a static network address for my Ubuntu client to complete a join operation, because part of the process entailed restarting Ubuntu's NetworkManager service, and my DHCP (Dynamic Host Configuration Protocol) network connection appeared to take too long to come back to life for Likewise Open's liking. Switching temporarily to a static address did the trick, and once I'd joined my domain, I could log in to the Ubuntu client as an Active Directory user whether I was online or offline, courtesy of credentials caching. I imagine that I could solve the DHCP issue I experienced by setting a longer time-out for the join process.

I turned next to upgrading my Likewise Open configuration to Likewise Enterprise, which meant installing software on my domain controller that added a couple of Likewise-specific tabs to AD's configuration dialogs, and extended the available Group Policy controls to include Linux, Unix and Macintosh. The product offered me the option of extending my AD schema to include the Unix-specific attributes introduced to AD in Windows Server 2003 R2. I chose to extend my schema, but you needn't do the same to use the product-an important feature at organizations with conservative schema extension policies.

Likewise Enterprise bridges Unix's NIS (Network Information Service) with Active Directory through "Cells" that map user IDs from AD to one or more NIS store or stores. For my tests, I didn't set out to integrate AD with an existing Unix or Linux authentication infrastructure, so I only created a single default Cell to correspond to my single AD organizational unit. I then Likewise-enabled one of the users on my domain through one of the new configuration tabs my server had picked up when I'd installed the product, and headed for my Linux test client. 

I installed the Likewise client software on a machine running CentOS 5, opened a set of firewall ports specified in the product documentation and joined the CentOS client to my test domain. It would have been handy if Likewise Enterprise had offered to open up the needed ports for me-a la Windows-during installation. I did not experience the same network timeout issue with CentOS and Likewise Enterprise that I had with Likewise Open and Ubuntu.

With basic authentication out of the way, I returned to my domain server to specify some Group Policy objects to apply to my CentOS client. I fired up the Microsoft Group Policy Management Console, where I found new sets of Linux and Macintosh-specific controls for users and machines alongside the native Windows Group Policy controls.

Using the Likewise-extended GPMC, I began by mandating that Linux machines in my default Cell run with their Security Enhanced Linux framework enabled, under the "targeted" SELinux policy, with the system's enforcing mode set to "Permissive," in which the system logs permissions errors but does not act on them. I shifted back to my CentOS client, ran a Likewise Enterprise command to force an immediate Group Policy refresh, and saw that the SELinux adjustments I'd made had been duly applied. I tried contravening my SELinux policy by becoming root and changing the settings I'd specified, but sure enough, once Group Policy refreshed on my client machine, the policies I'd selected were back in place.

I was also able to use Likewise Enterprise and Group Policy to exert detailed control over my CentOS client's GNOME desktop environment. Most of the applications that make up GNOME come with XML schema files for specifying their settings, which a user or administrator can access through GNOME's GConf Editor. I used the Likewise-extended GPMC to select which GNOME schema files I wished to include in my policy object, and then modify them as I wished. For instance, CentOS' file manager application, Nautilus, defaults to the "spatial" mode, but I changed it to the application's classic browser mode.

eWEEK Labs Executive Editor Jason Brooks can be reached at jbrooks@eweek.com


Rocket Fuel