Authenticating with Active Directory using Likewise Open and Migrating from NIS
The current infrastructure at my office uses the Network Information Service (NIS) to authenticate users on Linux machines against the office's Windows domain. I found this to be unreliable. It depends upon Microsoft Identity Management for Unix, version 5.2, which is flaky in my experience.
My goal was to transition smoothly from NIS to authenticating directly with Active Directory (AD). I also wanted to keep the shared home directories that reside on a network file system (NFS) server. The solution I have chosen is Likewise Open; I have found it very easy to set up while still being customizable. To keep the shared home directories I have simply taken the automount configuration out of NIS and put it locally on each machine. Even though this is less centralized, I think it is better because the mounts no longer depend upon Microsoft's Unix Identity Management.
The following are the steps I took to set this up. Likewise has good documentation, so I recommend you look at that before following my steps. I am deploying this as I rebuild machines with CentOS 5.2, which makes the process a little neater (if you want to transition existing machines you will probably need to google nsswitch.conf):
1. When deploying CentOS be sure to set up the Network Time Protocol (NTP) during the installation, because Kerberos authentication depends on approximate clock synchronization between the client and the server.
2. Download and install Likewise Open (as root):
   a) wget http://www.likewisesoftware.com/bits/Fall08/3895/LikewiseIdentityServiceOpen-5.0.0.3895-linux-i386-rpm-installer
   b) chmod +x LikewiseIdentityServiceOpen-5.0.0.3895-linux-i386-rpm-installer
   c) ./LikewiseIdentityServiceOpen-5.0.0.3895-linux-i386-rpm-installer
3. Join the domain (as root):
   a) /opt/likewise/bin/domainjoin-cli join mydomain.com administrator
   b) Here administrator is a user with privileges to join a computer to the domain.
4. Customize Likewise to use the mounted home directories (the automount of home directories is explained in step 5). It is important to do this before anyone logs in, because once users have logged in you can't change the home directory without reinitializing Likewise:
   a) In /etc/likewise/lsassd.conf edit the following:
      i) Change the home directory path: homedir-template = %H/users/%U
      ii) Make sure it doesn't create or alter a home directory: create-homedir = no
      iii) Make it so the domain does not have to be specified when logging in: assume-default-domain = yes
      iv) Change the shell to bash: login-shell-template = /bin/bash
5. Set up automount to mount people's home directories, which live on an NFS server:
   a) Add the following to /etc/auto.master: /home/users /etc/auto.home --timeout 60
   b) Create /etc/auto.home and enter the following into the file: * -rw [nfs_server_ip]:/dir_where_homes_are/&
   c) Restart autofs: /etc/init.d/autofs restart
   d) The home directories will not appear until you change directory into them; hence "automount".
6. Migrate from NIS:
   a) After a successful login with a Windows username, type the id command and note the user's UID number. The UID number is what Unix cares about; the name isn't important. The UID that Likewise generates is a hashed version of the Windows SID.
   b) Log into your Windows domain controller. Open the user's properties and, in the "Unix Properties" tab, change the UID to match what Likewise generated. This way servers that are still on NIS will be consistent with Likewise Open.
   c) Re-own the user's home directory with the new UID: chown -R [UID] /home/users/[user]
7. Optional: change a user's shell
   a) Since everyone using Likewise gets the same shell, if you prefer a different shell such as zsh you can put the following in /home/users/[user]/.profile (the original had a stray semicolon after "then", which bash rejects): if which zsh >/dev/null 2>&1; then exec zsh; fi
   b) The exec command replaces the current shell with whatever command you specify, so you won't be running zsh inside a bash process.
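A pre-flight check for step 6, added here as an example that is not part of the original post: before the UID on the domain controller is changed and the home directory re-owned, it confirms that the Likewise-generated UID is not already held by another account (two accounts sharing a UID would share each other's files once NIS is retired), and then re-owns only the files that belonged to the old NIS UID, which is narrower than the chown -R in the post and leaves root-owned files inside the home alone. It assumes a passwd-style snapshot such as the output of getent passwd (which includes the NIS map) and the /home/users layout from the post; the function names are my own.

```shell
# Added example (not from the original post): pre-flight checks for the NIS -> Likewise UID migration (step 6).
# Assumes a passwd-style file (e.g. the output of "getent passwd", which includes NIS entries) and the
# /home/users/<user> layout from the post.

# uid_owner FILE UID -> prints every account name that holds UID in FILE, nothing if the UID is unused.
uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1 }' "$1"
}

# check_uid_free FILE USER UID -> 0 if UID is unused or belongs only to USER, 1 if another account holds it.
check_uid_free() {
    for owner in $(uid_owner "$1" "$3"); do
        if [ "$owner" != "$2" ]; then
            echo "UID $3 is already held by '$owner', not '$2'; resolve the collision before migrating" >&2
            return 1
        fi
    done
    return 0
}

# migrate_home USER OLD_UID NEW_UID [HOME_ROOT] -> re-owns only the files that belong to OLD_UID, leaving
# anything else inside the home (e.g. root-owned files) untouched. With DRY_RUN=1 it only prints the command.
migrate_home() {
    user=$1; old=$2; new=$3; root=${4:-/home/users}
    if [ ! -d "$root/$user" ]; then
        echo "no home directory at $root/$user (cd into it first so automount mounts it)" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "find $root/$user -user $old -exec chown $new {} +"
        return 0
    fi
    find "$root/$user" -user "$old" -exec chown "$new" {} +
}

# Typical use (as root, after the user's first Likewise login, with constructed UIDs):
#   getent passwd > /tmp/passwd.snapshot
#   check_uid_free /tmp/passwd.snapshot jdoe 1234567 && migrate_home jdoe 1001 1234567
```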