By: Frank Ohlhorst
Imagine you’re a network manager, happily living in your world of Windows servers and desktops, when out of the blue, the CTO marches in to inform you that not only is the art department switching to Macs but the CFO wants to save a few bucks by going the Linux route, and it’s up to you to make it happen. As you fall out of your chair with visions of desktop management meltdowns in your mind, you wonder if there is a product to make this work with your deployed Active Directory. Luckily, there is, and it is called Likewise Enterprise.
Likewise Software’s Likewise Enterprise 5.3 allows administrators to integrate Linux, Unix and Mac systems with Microsoft’s Active Directory, as well as manage AD from non-Windows systems. But that’s only part of the story: Features such as directory migration, group policy support, reporting and single sign-on turn the product into a complete identity and policy management suite that offers all the underpinnings to adhere to compliance regulations like HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard). The product accomplishes those lofty goals by providing extensive reporting and logging capabilities, as well as MMC (Microsoft Management Console) plug-ins, native management tools and dashboards.
Licenses for Likewise Enterprise start at around $420 per server and $100 per desktop system. Organizations looking to join only non-Windows systems to AD can turn to the freely downloadable Likewise Open, which hit Version 6.0 in July.
Testing Likewise Enterprise
I tested Likewise Enterprise 5.3 on a Windows Server 2008 R2 network and was surprised at how easy it was to install. Likewise works based on a client/server model, where a Likewise server is set up and a client application is distributed to the endpoints. One installation step that gave me pause was the question of whether or not to extend my AD schema to best manage non-Windows systems via group policy.
I opted to extend the schema on my test system, but I recommend avoiding this step if you are running a complex multiserver environment, especially if you have mixed versions of Windows Server. If I hadn’t extended my AD schema, I would have had to manage certain group policy options through the Likewise management console rather than through the regular AD controls, not a bad compromise.
To add my non-Windows test systems to AD, I had to install an agent on each of my test endpoints: an Ubuntu 10.04 PC, a MacBook Pro and an openSUSE 11.4 virtual PC running under a VMware hypervisor. I installed the agents manually (Likewise offers slick graphical installers for each platform it supports), but administrators on large networks may want to investigate automated options for agent deployment.
Once I had the agents installed, I was able to log in to the Windows Domain without any problems. One nit to pick is log-in times, as they can be rather slow, depending on the infrastructure in use and, I assume, the number of policies being enforced. Likewise is working on an updated version of the agent to resolve the slow log-in issues.
With initial setup behind me, I was able to launch the group policy editor and start making changes to the policies that can be associated with the Linux and Mac clients running the agents.
I found that Likewise Enterprise offers an impressive array of policies for Linux users. On Linux systems (running the GNOME desktop environment), I was able to create policies that controlled how the desktop functioned, ranging from screensavers used to dialogs associated with logging out.
However, the real power of the policy controls became evident with the authorization and identification policies. Here, I was able to enable offline log-in support (which allows mobile users to log in to their systems while disconnected), set password expirations and digitally sign communications. What’s more, I was able to create policies for creating home directories and storing .k5login files, which allows support of multiple users (each with one in their own home directory) with Kerberos services. Policies also exist for setting password lengths and ages, as well as for running script files or cron jobs.
Bringing Macs into the Fold
Administrators looking to bring Macs into the AD fold will find a plethora of options, policies and objects that rival AD’s native support for Windows PCs. Likewise allows AD to interact with a Mac’s MCX (Managed Client Settings), which means group policies can update MCX, extending AD security and controls directly into Mac OS X computers, without the need for software shims or OS hacks.
Likewise Enterprise accomplishes that by integrating Workgroup Manager for Mac into AD and enabling MCX settings to be saved as standard AD Group Policy Objects without modifying existing AD schema. There are policies that can prevent automatic log-ons, control the firewall, secure system preferences and so on.
I also found that Likewise Enterprise offers “green policies” for Mac OS X systems, allowing you to enforce sleep mode, automatically shut down systems and perform many other functions related to power savings. Larger enterprises using a number of Macs will find that employing energy-saving policies can lower electric costs noticeably.
Network managers should appreciate the Mac server administration tool, which I found to be a real timesaver. I used it to remotely manage users, groups and computer settings on Macs, all without having to physically touch the systems. Enhanced support for Mac clients removes many of the barriers that have prevented Macs from joining a Windows network. Likewise Enterprise addresses not only authentication and management issues, but compliance considerations as well. Compliance requirements are usually one of the reasons Macs are excluded from a network. Auditors complain that there is no way to fully audit and report on the compliance status of networked Macs. With Likewise Enterprise, that complaint is no longer valid: The product includes compliance reports that will provide the critical information auditors need to determine the level of compliance. Reports are available to meet the needs of the Sarbanes-Oxley Act, HIPAA and PCI requirements. Those reports include Macs, Linux systems and pretty much anything Likewise manages.
Likewise Enterprise offers hundreds of policies for Mac, Linux and Unix systems that can be combined to deliver complete policy control, even in the largest of enterprises.
The reports can be used to validate policies in effect, track machines connected and gather information from system logs. They can be generated as Excel spreadsheets or in PDF format. Dozens of reports are included, and since each is customizable, administrators can create any report they need. I found that the inventory reports offered very useful information during the deployment process, as I was able to quickly determine if new systems were properly added to the domain and were able to successfully log in. In addition, a group policy security report helps identify whether the proper security policies have been applied to member systems.
Frank Ohlhorst is a journalist, IT business consultant and speaker with more than 25 years of experience in the technology arenas.