Pages

Authenticating Active Directory users on Linux with Likewise Open

Historically, if you wanted to use Active Directory to authenticate users on a UNIX box, you were pretty much limited to using LDAP. This works fine for some people, but it’s not particularly elegant – especially if you’re having to create users home directories all the time, which negates some of the point of centralising authentication to begin with.

I’m from a UNIX (mostly Linux) background, so I’m more at home using UNIX-alike platforms. That said, there’s a few things that Microsoft do that are particularly useful, and in my opinion AD is one of them (quiet at the back, there). Handily, there’s a project that can marry the two, and it goes by the name of Likewise.

Likewise Enterprise is Likewise Software’s commercial offering, but they also provide an open-source edition in the form of Likewise Open, which is what I’m going to focus on here. Conceptually, using Likewise is equivalent to binding a Windows machine to a domain, and the method of doing it is similar. The code is somewhat related to Samba, so some parts of it may be familiar to anyone who’s meddled around with Samba in any depth.

Starting out

First off, you’ll need the Likewise Open installer, which you can get from here (signup required). Grab the installer for your particular distro or operating system – for this example I’m using a fresh Debian (lenny) GNU/Linux install, but the process is essentially the same for others, such as Solaris. One you’ve got it, installing it is just a matter of running it:-

adtest:~# chmod +x ./LikewiseIdentityServiceOpen-...-linux-i386-deb-installer
adtest:~# ./LikewiseIdentityServiceOpen-...-linux-i386-deb-installer

Follow the prompts, and after a few seconds you’ll be returned to a prompt. Assuming the install completed successfully, in the case of Debian (or Ubuntu), running ‘dpkg -l | grep likewise‘ will show a few new packages have been installed (for RedHat/CentOS, replace ‘dpkg -l‘ with ‘rpm -qa‘).

Before going any further, make sure your resolvers are set up correctly, and that the local machine’s time is synchronised – either against an external NTP source, or one of the domain controllers. You can check that DNS resolution is working correctly by running:-

adtest:~# host test.example.com

…and all being well, you’ll see something like this:-

test.example.com          A     10.1.1.1
test.example.com          A     10.1.2.1

If you’re okay so far, configuring the machine to use AD requires one command:-

adtest:~# /opt/likewise/bin/domainjoin-cli join test.example.com andys

After a few seconds, providing the local machine can see the domain controllers, you should be prompted for your domain password. As when binding a Windows machine to a domain, the account you use must have the right privileges, which usually means that it’s in the Domain Admins group or similar. So:-

Joining to AD Domain:   test.example.com
With Computer DNS Name: adtest.test.example.com

andys@TEST.EXAMPLE.COM's password: <domain password>

…wait a few seconds…

Warning: System restart required
Your system has been configured to authenticate to Active Directory
for the first time. It is recommended that you restart your system
to ensure that all applications recognize the new settings.

SUCCESS

Now, in my experience you don’t strictly need to reboot, however it’s a good idea to, so go ahead and reboot the machine.

The basics

Assuming the box rebooted, we can now test that AD integration is working. Log in, and at a prompt type:-

adtest:~# id TEST\\andys

…replacing ‘TEST\\andys‘ with your domain and username. The double backslash is important, because most UNIX shells use ‘\’ for escaping characters. If you want, you can also use the ‘user@domain‘ syntax. If all is well, you’ll see something like this:-

uid=2096628820(TEST\andys) gid=2096628225(TEST\domain^users)
groups=2096628225(TEST\domain^users),2096628224(TEST\domain^admins)

At this point I should offer a word of caution: Because the machine is now bound to the domain, it means users on the domain can log into it. Obviously this is the whole point, but it’s something to be mindful of, especially if the domain is used by many people.

The UIDs and GIDs may look ridiculously large, but don’t worry – UIDs under most UNIXen are 32-bit, so this will be fine. There’s also a good reason for it – Likewise guarantees that the IDs will be unique and consistent across all machines bound to the same domain. You’ll also notice that the user’s primary group is set to the primary group from AD, which is usually ‘Domain Users‘.

The domainjoin-cli command also makes some changes to /etc/nsswitch.conf and the PAM configuration. On my example Debian box, having a peek at /etc/pam.d/common-auth reveals:-

auth    sufficient    /lib/security/pam_lsass.so
auth    required    pam_unix.so nullok_secure try_first_pass

pam_lsass.so is the PAM shared library for the lsass – or Local Security Authority Subsystem Service – part of Likewise. The example above is simple enough, and accepts domain users, falling back to standard UNIX users if the given username isn’t a domain user.

Making changes

Likewise installs its configuration files in /etc/likewise. The one that’s probably of most interest is lsassd.conf, which controls how the lsass daemon lsassd handles users. Before going into any detail, you’ll notice that lsassd.conf is split into two sections – the first being for domain users (the [auth provider:lsa-activedirectory-provider] section), and the second being for ‘local’ users (under [auth provider:lsa-local-provider]). The local users are usually just ‘COMPUTER\Administrator‘ and ‘COMPUTER\Guest‘ (where COMPUTER is the name of the local machine), and are synonymous to the Administrator and Guest accounts on Windows machines. Chances are you won’t need to touch the local users section, so we can safely ignore it.

There’s quite a few options to play with in lssasd.conf, but the main ones we’re interested in are:-

  • login-shell-template, which allows us to set the default shell for domain users. This is (by default) set to /bin/sh, so in many cases you might want to change it to /bin/bash.
  • homedir-template, which specifies where domain users’ home directories will be created. The default for this is %H/local/%D/%U, which in our example would expand to /home/local/TEST/andys for my account. Personally, I prefer to drop the ‘local’ bit and use %H/%D/%U, which would change my home directory to /home/TEST/andys.
  • require-membership-of, which lets us specify which groups are allowed to authenticate against this machine in a comma-separated list.

It’s important to note that if you use the last option, any domain user which isn’t a member of one of the specified groups will fail any PAM configuration that calls pam_lsass.so. This means that if you wanted to allow certains groups SSH access, whilst allowing a larger set of groups access to FTP, you don’t want to omit the FTP user groups from here. If you’re building this kind of setup, you’ll want to allow all the groups in lsassd.conf, and then build your PAM configuration to conditionally allow access based on group membership using pam_group.

Once you’ve finished making your configuration changes, you’ll need to tell Likewise to reload the configuration:-

adtest:~# /opt/likewise/bin/lw-refresh-configuration
Configuration successfully loaded from disk.

It also doesn’t hurt (and I’ve sometimes found it neccessary) to clear the local AD cache:-

adtest:~# /opt/likewise/bin/lw-ad-cache --delete-all
The cache has been emptied successfully.

…and that’s it! You should now have AD authentication working through PAM.

Useful commands

Likewise installs quite a few tools in /opt/likewise/bin (many of which are symlinks to lw-lsa), some of which come in handy for testing:-

  • lw-refresh-configuration, which as mentioned above reloads the lsassd configuration from lsassd.conf.
  • lw-ad-cache (also partly mentioned above), which lets us manipulate the local AD cache. For example, lw-ad-cache –enum-users will list the users’ details currently stored in the cache.
  • lw-enum-users/lw-enum-groups, which predictably list all the users and groups in the domain.
  • lw-get-status, which shows quite a bit of information about the domain itself.

These are just a few, so it’s useful to have a poke about in /opt/likewise/bin and see what there is.

Hints

Because Likewise integrates itself via PAM, pretty much everything which can work with normal UNIX users can cope fine with domain users. For instance:-

  • You can use the tilde (~) shortcut to go to a domain user’s home directory, for example cd ~andys@TEST. For some reason, the backslash notation doesn’t work here, and you may also notice that tab completion doesn’t work either.
  • With most things, you can refer to domain users as either TEST\\andys, TEST.EXAMPLE.COM\\andys, andys@TEST or andys@TEST.EXAMPLE.COM, including when logging in on the console or via SSH. There are exceptions (such as the previous point), but they’re few and far between.
  • Sudo happily works with domain groups – just remember to double-backslash.
  • You can use chown and chgrp in the ways you’d normally expect, using either the domain group names, or their GIDs.
  • ACLs (under Linux) also work, so if you’ve mounted a partition with the ‘acl‘ option, you can use setfacl as normal.

If it all goes wrong…

Sometimes things go wrong. With Likewise, it’s usually straightforward. If you’re getting errors when binding to the domain with domainjoin-cli, it’s usually because it’s having problems connecting to the domain controller. If your domain controllers are on a different network, check that any firewalls inbetween aren’t dropping SMB traffic. The domainjoin-cli command should give you a definitive list of ports it needs open to communicate with the domain controller.

Once up and running, I’ve found Likewise Open to be very stable, but on the odd occasion that something has gone awry, it’s often enough to just restart the lsassd daemon. Failing that, try emptying the cache (with lw-ad-cache –delete-all). If you’re still getting odd errors, it might be worth checking out the documentation or the forums.

Where to from here?

Because the PAM magic happens with pam_lsass, in theory anything which uses PAM can be made AD-aware. I’ve personally used it with Pure-FTPd to provide company-wide access to an fileserver, and it works flawlessly with gdm, so you can use it on your desktop. Again, because it’s PAM-based, it can be stacked with other modules such as pam_securid (for RSA’s SecurID tokens) or pam_opie (for one-time password sets).

Ironically, one thing that does require a little bit more configuration is Samba – something I’ll cover in a future post.

Update: Yvo van Doorn comments below with a handy hint if you only need access to one domain, which should save on keyboard wear for some users :-)

Be Sociable, Share!

20 comments to Authenticating Active Directory users on Linux with Likewise Open

  • avatar Paul

    Thanks man, this was really straight forward and got me setup right away! A minor trouble I have run into is that (CentOS 5.4) I cannot change the owner or group of files with any domain user, only root. Any ideas?

  • Hi Paul,

    Domain users are treated in the same way as local users, in that if you don’t own the files you’ll need to be root to modify them.

    If you want to chown something to a domain user, you should be able to type:-

    # chown TEST\\myuser:TEST\\mygroup /path/to/file/or/directory

    (assuming your domain is called TEST)

    Hope this helps!

  • avatar Jon

    Thanks Andy, nice article.
    I’ve done some testing with LW Open on AIX and had problems adding domain users to local AIX groups with /etc/group (should be possible – Section 7.11 in the Install and Admin guide). Doesn’t seem to work for me – have you had any luck?

    Cheers

  • Hi Jon,

    I’ve not tried it personally, but I’ll try it (albeit with Linux) here and see what happens…

  • Jon,

    Just realised that I have done this under Ubuntu, and it works.

    Do you have any joy using usermod -G?

  • avatar Jon

    Andy

    usermod only seems to be valid for local users/groups. Did you make your group change by editing /etc/group (or Ubuntu equivalent) directly?

    This is what I added to /etc/group:

    ldap:!:206:DOMAINNAME\\jon

    but when I try to access files with read permission assigned to the ldap group, I get permission denied.

    Jon

  • Hi Jon,

    I did it with usermod – it seems to work fine. Here’s what I’ve just done to add my user to the local ‘pulse’ group.

    Before the change:-

    root@therapy:~# id HMS\\asmith
    uid=1794114690(HMS\asmith) gid=1794114049(HMS\domain^users)
    groups=1794114049(HMS\domain^users),104(lpadmin),123(scard),
    1794114673(HMS\hmstest),1794114048(HMS\domain^admins)

    Adding my account to the ‘pulse’ group:-

    root@therapy:~# usermod -G HMS\\domain^users,lpadmin,scard,
    HMS\\hmstest,HMS\\domain^admins,pulse HMS\\asmith

    And now checking the account afterwards:-

    root@therapy:~# id HMS\\asmith
    uid=1794114690(HMS\asmith) gid=1794114049(HMS\domain^users)
    groups=1794114049(HMS\domain^users),104(lpadmin),117(pulse),
    123(scard), 1794114673(HMS\hmstest), 1794114048(HMS\domain^admins)

    Looking at /etc/group shows we’ve been added:-

    root@therapy:~# grep "^pulse:" /etc/group
    pulse:x:117:HMS\asmith

    This is under Linux though, so I don’t know if AIX treats things differently – my AIX exposure is limited to a handful of boxes I had to manage a few years back ;-)

    What do you get if you type id DOMAINNAME\\jon – does the ldap group show up as one of the user’s groups?

  • avatar Jon

    Thanks

    that’s pretty clearly working for you…my problem (and it could well be AIX) is that when I try to run this:-

    root@utajona2:/ # usermod -G domain\\domain^users,domain\\cs-gpounrestricteduser,domain\\jlbrallowedrodcpasswordreplicationgroup,ldap domain\\username

    I get the error:

    3004-691 Error changing “domainusername” : Name is too long.

    What’s the max username length in the version of Linux you were using above? In AIX it’s 8 so that could be the limit I’m hitting with this.

    Cheers

    Jon

  • Ah – I think that is the problem :-/

    I’m not sure on the limit these days under Linux – a quick Google suggests at least 32 characters is fine.

    This page seems to suggest that the limit in AIX was 8 character up until one of the 5.x releases, but it’s now 255 characters…

  • avatar Jon

    Thanks for the pointer.

    We don’t usually configure users with more than 8 characters for application compatibility but I’ve changed my AIX 5.3 system to accept a 20 character user and although this works ok:

    root@utajona2:/ # id domain\\tso940
    uid=1115247694(domain\tso940) gid=1115161089(domain\domain^users) groups=1115243261(domain\cs-gpounrestricteduser),1115317722(domain\jlbrallowedrodcpasswordreplicationgroup),1115294180(domain\wrbrallowedrodcpasswordreplicationgroup),1115161766(domain\g_gpo-s-u^unres)

    when I run the command to add my domain user to the local ldap group again, I get another (different) error:

    root@utajona2:/ # usermod -G domain\\domain^users,domain\\cs-gpounrestricteduser,domain\\jlbrallowedrodcpasswordreplicationgroup,domain\\wrbrallowedrodcpasswordreplicationgroup,domain\\g_gpo-s-u^unres,ldap domain\\tso940

    3004-687 User “domaintso940″ does not exist.

    Something malformed there…

    Jon

  • Ooh… I wonder if it’s baulking at the backslashes.

    You can specify usernames in the form user@domain (so tso940@domain in your example) – that might work?

    Failing that, try just specifying the UID (again, in your case 1115247694).

  • If you want to get rid of the DOMAIN\ part…
    edit the following file:
    “vi /etc/likewise/lsassd.conf”
    Find the line that says “assume-default-domain”
    and set it to true or uncomment depending on the version of likewise.
    It’s best to reboot after this just to deal with the change.
    PS. This only works when your user account and computer account are part of the same domain

  • Hi Yvo,

    Thanks for that – I’ve updated the post with a link to your hint.

    Cheers!

  • avatar andrewe

    Hi.

    thanks for this. Worked like a treat in joining to the domain but now I can’t access as root, I can only access as my domain account which has no authority to do anything on the box. If I try accessing as my original user account I get an authentication failure. I can’t sudo under my domain account and obviously can’t modify sudoers.

    Any advice?

    I’m running Likewise 6 and Linux Mint 9.

  • avatar TekBudda

    Hi there!

    I recently installed Linux Mint 9 on a computer for my wife. I also installed Likewise Open & it all seems to be working fine as near as I can tell. I can log in as her using the DOMAIN\username at the login window, but I am wanting to go a step further.

    She was previously on a Windows 2000 machine & I have been using roaming profiles with the Profiles & Home drives located on the 2K3 server with an AD domain. The 2 drives she accesses are her Home Drive & a shared drive between us. The Windows pathes are below:
    * Home: \\SERVER\HOME$\ABC-123
    * Shared: \\SERVER\HOME$\shared
    * Profiles: \\SERVER\PROFILES$\ABC-123 & \\SERVER\PROFILES$\shared

    What I would like to do is her connect to her home drive & the Shared drive. Eventually I would like her profile on the server with common items between Windows, Mac & Linux (i.e. Thunderbird profiles, Firefox Profiles, etc.)…although this is not core right now.

    My questions are:
    * How do I successfully map those drives for her so they will appear on login (preferably with names like Home & Shared? (Similar to the function served by a Windows batch file at login)
    * How do I make it so she will not need the DOMAIN\ before her username?
    * She has a netbook as well & I wonder if there is a way that she can:
    – Connect it to the domain as well?
    – Same login scheme as the desktop?
    – Profile does not need to be copied
    – Sync data on server Home to local home on netbook for access when traveling & sync back upon login back to domain.

    I have scoured some sources on teh net & asked some other Linux folk, but I have either not explained it right or they misunderstood, because the answer has not been clear enough.

    Any help anyone can offer would be excellent!

  • avatar Brad

    Just a quick question, setting the user home directories: is there a way to set the home directory as /GROUP/USER ? I’m looking into using Likewise, and would like to maintain the current home directory setup. Can I (instead of using %U) use /$group/$user as the home directory?

  • […] bits | andy smith’s blog » Authenticating Active Directory users on Linux with Likewise … – December 18th ( tags: likewise linux activedirectory ad setup howto guide tutorial ) […]

  • avatar Xela

    I wonder if you stumble across similar problem…

    When password expires for domain user, on Ubuntu 12.04 LTS machine joined to Microsoft domain via Likewise, lightdm (logon screen) displays that the password is expired and offers to change the password (first current password, then new password and retype new password), but it never succeeds since in the end, it says Invalid password, no matter how many times you try (ofc, new passwords are typed the same).

    Thanks in advance, Alex

  • Is there a way to have the likewise client interface ask for a userid and password only. Right now I get all of the users from AD that can login scrolling on the screen. This takes away 1 of the 2 keys to login.

    It works but I would not like to display all of the accounts that can log in.

  • […] Andy Smiths guide to using Likewise Open (Alot of this has changed) […]

Leave a Reply

  

  

  

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>