Kyle Brandt

Original computing and productivity articles by a Linux administrator

Archive for November, 2008

Authenticating with Active Directory using Likewise Open and Migrating from NIS

The current infrastructure at my office uses the Network Information Service (NIS) to authenticate users on Linux machines against the office’s Windows domain. I found this to be unreliable. It depends upon Microsoft Identity Management for Unix, version 5.2, which is flaky in my experience.

My goal was to transition smoothly from NIS to authenticating directly with Active Directory (AD). I also wanted to keep the shared home directories that reside on a network file system (NFS) server. The solution I have chosen is Likewise Open; I have found it very easy to set up while still being customizable. To keep the shared home directories I have simply taken the automount configuration out of NIS and put it locally on each machine. Even though this is less centralized, I think it is better because the mounts no longer depend upon Microsoft’s Identity Management for Unix.

The following are the steps I took to set this up. Likewise has good documentation, so I recommend you read it before following my steps. I am deploying this as I rebuild machines with CentOS 5.2, which makes the process a little neater (if you want to transition existing machines you will probably need to check nsswitch.conf, since that is what tells the system to consult Likewise for user and group lookups):

  1. When deploying CentOS be sure to set up the Network Time Protocol (NTP) during the installation, because Kerberos authentication depends on approximate clock synchronization between the client and the server (Active Directory rejects tickets from clients more than five minutes out, by default).
  2. Download and install Likewise Open (as root):
    a) wget http://www.likewisesoftware.com/bits/Fall08/3895/LikewiseIdentityServiceOpen-5.0.0.3895-linux-i386-rpm-installer
    b) chmod +x LikewiseIdentityServiceOpen-5.0.0.3895-linux-i386-rpm-installer
    c) ./LikewiseIdentityServiceOpen-5.0.0.3895-linux-i386-rpm-installer
  3. Join the domain (as root):
    a) /opt/likewise/bin/domainjoin-cli join mydomain.com administrator
    b) Where administrator is an account with the privilege to join a computer to the domain (you will be prompted for its password)
  4. Customize Likewise to use the NFS-mounted home directories (the automount itself is set up in step 5). It is important to do this before anyone logs in, because once users have logged in you can’t change the home directory without reinitializing Likewise:
    a) in /etc/likewise/lsassd.conf edit the following:
    i) Change the home directory template (%H is the home directory prefix, /home by default, and %U is the username, so users land in /home/users/[user]): homedir-template = %H/users/%U
    ii) Stop Likewise from creating a local home directory, since the real one lives on NFS: create-homedir = no
    iii) Allow logging in without having to specify the domain: assume-default-domain = yes
    iv) Set the login shell to bash: login-shell-template = /bin/bash
  5. Set up automount to mount people’s home directories which live on a NFS server:
    a) Add the following line to /etc/auto.master: /home/users /etc/auto.home --timeout 60
    b) Create /etc/auto.home containing the following line (the * matches any name requested under /home/users and the & is replaced with that name, so each user gets their own export subdirectory): * -rw [nfs_server_ip]:/dir_where_homes_are/&
    c) restart autofs: /etc/init.d/autofs restart
    d) The home directories will not appear under /home/users until something accesses them, for example a cd into them; that is how automount works
  6. Migrate from NIS:
    a) After a successful login with a Windows username, run the id command and note the user’s UID. The UID is what Unix cares about; the name isn’t important. The UID that Likewise generates is derived from a hash of the user’s Windows SID, so it is stable across machines.
    b) Log into your Windows domain controller, open the user’s properties and in the “Unix Properties” tab change the UID to match what Likewise generated. This way servers that are still on NIS will be consistent with Likewise Open.
    c) Re-own the user’s home directory with the new UID: chown -R [UID] /home/users/[user] (do this on the NFS server itself or from a host that has root on the export; with the usual root_squash setting a root chown from an NFS client will fail)
  7. Optional: Change users shell
    a) Since everyone using Likewise gets the same shell, if you prefer a different shell such as zsh you can put the following in /home/users/[user]/.profile: if which zsh >/dev/null 2>&1; then exec zsh; fi
    b) The exec command replaces the current shell with whatever command you specify, so you won’t be running zsh inside a bash process. Because zsh reads .zprofile rather than .profile, the line does not run again once zsh starts.
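Steps 4 and 5 above, written up as a small bash script so they can be re-run on every rebuilt box without hand-editing. This is an added example, not code from the post or from Likewise: the file paths and option names are the ones the post uses; the NFS server address, export path and the lsassd.conf section name are assumptions. Options are rewritten in place rather than appended, so a typo in a key name fails loudly instead of landing a new line in whatever section happens to end the file.

```shell
#!/bin/bash
# Added example (not from the post or from Likewise): steps 4 and 5 as
# idempotent functions. Paths follow the post; the NFS server, export path
# and config section name are assumptions for illustration.

LSASSD_CONF=/etc/likewise/lsassd.conf
AUTO_MASTER=/etc/auto.master
AUTO_HOME=/etc/auto.home

# set_conf_option FILE KEY VALUE
# Rewrite an existing "key = value" line, keeping its indentation. A missing
# key is an error rather than an append: lsassd.conf is sectioned, and a
# blind append would land the key in whatever section ends the file. The
# file is rewritten through cat so its mode and owner are preserved.
# (VALUE must not contain '|' or '&', which are special to sed here.)
set_conf_option() {
    local file="$1" key="$2" value="$3" tmp status=0
    grep -q "^[[:space:]]*$key[[:space:]]*=" "$file" || {
        echo "set_conf_option: $key not found in $file" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    sed "s|^\([[:space:]]*\)$key[[:space:]]*=.*|\1$key = $value|" "$file" > "$tmp" \
        && cat "$tmp" > "$file" || status=1
    rm -f "$tmp"
    return $status
}

# get_conf_option FILE KEY -> prints the current value (last match wins)
get_conf_option() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Step 4: homes on the NFS automount, no local home creation, bare
# usernames at login, bash as the shell.
configure_lsassd() {
    set_conf_option "$LSASSD_CONF" homedir-template '%H/users/%U' &&
    set_conf_option "$LSASSD_CONF" create-homedir no &&
    set_conf_option "$LSASSD_CONF" assume-default-domain yes &&
    set_conf_option "$LSASSD_CONF" login-shell-template /bin/bash
}

# Step 5: configure_automount NFS_SERVER EXPORT_DIR
# Adds the /home/users map to auto.master once (re-runs do not duplicate
# it) and writes the wildcard map that mounts EXPORT_DIR/<user> on demand.
configure_automount() {
    local server="$1" export_dir="$2"
    grep -qs "^/home/users[[:space:]]" "$AUTO_MASTER" ||
        printf '/home/users %s --timeout 60\n' "$AUTO_HOME" >> "$AUTO_MASTER"
    printf '* -rw %s:%s/&\n' "$server" "$export_dir" > "$AUTO_HOME"
}

# Run directly (as root, after domainjoin) with the NFS server and export
# as arguments, e.g.: ./likewise-homes.sh 192.0.2.10 /export/home
# Sourced for its functions, no arguments are given and nothing runs.
if [ $# -eq 2 ]; then
    configure_lsassd && configure_automount "$1" "$2"
fi
```

After running it, restart autofs as in step 5c and restart the Likewise lsassd service so the new templates take effect, then check the result with `getent passwd someuser` before anyone logs in (step 4 warns that the home directory is fixed after first login).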

Written by Kyle

November 20th, 2008 at 5:55 am

Upgrade Ubuntu Remotely

Update: I do not recommend the following method. It left me with a partial install (which fortunately I seem to have recovered from). Also, when trying to install a restricted driver I had to delete the cdrom source from apt, because the restricted drivers GUI would hang when trying to mount the cdrom.

Since I have several Ubuntu computers that I wanted to upgrade, the most efficient way for me to do this was to upgrade from the cdrom. To do this you must use the alternate install CD. If you scroll to the bottom of the previous link you can grab the alternate CD from one of the mirrors.

When I did the following upgrade process it was from Hardy Heron to Intrepid Ibex. The following instructions are at your own risk, upgrades can often lead to bad situations.

  1. Get the alternate install cd (see above).
  2. Mount the .iso image, or burn it and put it in the cdrom drive. To mount the ISO image, first create the /mnt/iso directory with mkdir /mnt/iso and then: sudo mount ubuntu-8.10-alternate-i386.iso /mnt/iso/ -t iso9660 -o ro,loop (a bare loop option lets mount pick a free loop device instead of failing if /dev/loop0 is already in use)
  3. ssh into your remote machine you wish to upgrade: ssh remote-machine
  4. (Optional, but highly recommended): Start a screen session so that a dropped connection won’t interrupt the upgrade (read how to use screen here): screen
  5. Within the screen session, start a text-based cdrom upgrade with the following command: sudo /mnt/iso/cdromupgrade --frontend=DistUpgradeViewText
  6. The upgrade periodically asks yes/no questions, so it is not unattended. If you really wanted to you could try piping the yes command into it to force yes to all, but I wouldn’t recommend it and am not sure if it would work :-) One odd thing: if you type ‘d’ for details it opens the information in the program ‘less’, so if you choose this just press ‘q’ to quit after you are done reading.
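The procedure above as a bash script, with one check a remote upgrade deserves that the steps do not include: the alternate ISO is verified against a sha256sum-format checksum list before anything is mounted from it, so a corrupted download or a tampered mirror copy is caught before the upgrader runs as root from it. This is an added example, not code from the post or from Ubuntu; the name of the checksum file, the loop device handling and the host names are assumptions.

```shell
#!/bin/bash
# Added example (not from the post): the cdrom-upgrade steps as functions,
# plus an ISO checksum check. The SUMS file layout assumed is the one
# sha256sum writes ("<hex>  <name>" or "<hex> *<name>"); host names and
# mount points are placeholders.

# sha256_of FILE -> hex digest (coreutils sha256sum, or shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso ISO SUMSFILE
# Look the ISO up by basename in SUMSFILE and compare digests. Returns 1 on
# a mismatch or when the file has no entry, so "no entry" is never a pass.
verify_iso() {
    local iso="$1" sums="$2" name expected actual
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums" | head -n 1)
    [ -n "$expected" ] || { echo "verify_iso: no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256_of "$iso")
    [ "$actual" = "$expected" ] || { echo "verify_iso: checksum mismatch for $name" >&2; return 1; }
}

# mount_iso ISO MOUNTPOINT (step 2; needs root). A bare "loop" lets mount
# pick a free loop device instead of failing if /dev/loop0 is busy.
mount_iso() {
    mkdir -p "$2" && mount -t iso9660 -o ro,loop "$1" "$2"
}

# upgrade_cmd MOUNTPOINT -> the command to run inside screen (step 5)
upgrade_cmd() {
    printf 'sudo %s/cdromupgrade --frontend=DistUpgradeViewText' "$1"
}

# remote_upgrade HOST MOUNTPOINT (steps 3 to 5): ssh in with a tty and start
# the upgrader inside a named screen session so a dropped link does not
# kill it; reattach later with: ssh -t HOST screen -r upgrade
remote_upgrade() {
    ssh -t "$1" screen -S upgrade "$(upgrade_cmd "$2")"
}

# Typical use, with ISO and SHA256SUMS already copied to the target:
#   verify_iso ubuntu-8.10-alternate-i386.iso SHA256SUMS \
#     && sudo bash -c "$(declare -f mount_iso); mount_iso ubuntu-8.10-alternate-i386.iso /mnt/iso" \
#     && remote_upgrade remote-machine /mnt/iso
```

The checksum list must come from somewhere you trust more than the ISO itself (the release site over HTTPS, or a signature-checked copy), otherwise the check only proves the download was not truncated. The remote_upgrade function still leaves you answering the upgrader's yes/no prompts interactively, as step 6 describes.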

Written by Kyle

November 7th, 2008 at 11:11 am

Posted in Linux