
Centralized management of all your systems — Linux, Unix, Windows, and Mac OS X


Copyright © 2008 Likewise Software. All rights reserved. 5.15.2008.

Product Documentation

Likewise Enterprise

Features and Benefits Of Likewise Enterprise

FEATURES

• Centralized management of all your systems — Linux, Unix, Windows, and Mac OS X.

• One user, one ID.

• Secure authentication with Kerberos 5.

• Single sign-on.

• Access control.

• Group policies for controlling a variety of settings.

• Gnome group policies to lock down Linux computers.

• Advanced cell technology for managing computers and users in Active Directory.

• NIS migration tools and professional services.

• Auditing and reporting modules.

BENEFITS

• Enhances operational efficiency.

• Helps demonstrate regulatory compliance.

• Hardens network security.

• Eases the managerial burden for system administrators and security managers.

• Reduces the cost of managing a mixed network.

• Consolidates and simplifies identity management.

Abstract

Likewise Enterprise lets you join Linux, Unix, and Mac computers to Microsoft Active Directory, yielding a range of benefits for users, system administrators, and security managers.

Users get one ID and single sign-on: They log on once to a workstation that is authenticated through Active Directory and receive Kerberos-based single sign-on for other computers and applications, such as Oracle, Apache, and SAP. System administrators rest easy with the knowledge that users are securely authenticated with Kerberos 5 and authorized for access to resources and applications. Managers see their operational costs drop as their Linux, Unix, and Mac computers are centrally managed within Active Directory and configured en masse with Likewise group policies. Security managers find help in their quest for regulatory compliance with Sarbanes-Oxley and the Payment Card Industry Data Security Standard.

This document outlines the technical features and benefits of using Likewise Enterprise.

About Likewise Enterprise

By joining Linux, Unix, and Mac computers to Active Directory – a secure, scalable, stable, and proven identity management system – Likewise gives you the power to manage all your users' identities in one place, use the highly secure Kerberos 5 protocol to authenticate users in the same way on all your systems, apply granular access controls to sensitive resources, and centrally administer Linux, Unix, Mac, and Windows computers with group policies. Likewise includes reporting and auditing capabilities that can help improve regulatory compliance. The result: lower operating costs, better security, enhanced compliance.

 


Likewise Enterprise: Features and Benefits Overview

The information contained in this document represents the current view of Likewise Software on the issues discussed as of the date of publication. Because Likewise Software must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Likewise, and Likewise Software cannot guarantee the accuracy of any information presented after the date of publication.

These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Likewise Software.

Likewise may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Likewise, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Likewise Software. All rights reserved.

Likewise and the Likewise logo are either registered trademarks or trademarks of Likewise Software in the United States and/or other countries. All other trademarks are property of their respective owners.

Likewise Software 15395 SE 30th Place, Suite #140 Bellevue, WA 98007 USA


Table of Contents

INTRODUCTION

CENTRALIZED MANAGEMENT
• Benefits of Likewise Over a Custom LDAP Solution

SECURE AUTHENTICATION WITH KERBEROS 5
• How It Works
• Benefits
• More Information

ACCESS CONTROL
• Features
• Benefits
• More Information

CACHED CREDENTIALS

SINGLE SIGN-ON
• How Likewise Makes SSO Happen
• Application Support

ADVANCED CELL TECHNOLOGY
• Linking Cells
• Using a Default Cell
• Cell Manager
• Benefits of Likewise Cell Technology
• More Information

GROUP POLICIES FOR LINUX, UNIX, AND MAC
• Filtering by Target Platform

GNOME SETTINGS
• Benefits
• More Information

MAC SUPPORT
• More Information

MIGRATION TOOLS

INTEGRATION OPTIONS

AUDITING AND REPORTING
• Benefits

LIKEWISE ADMINISTRATIVE CONSOLE

BROAD PLATFORM SUPPORT


Introduction

Likewise Enterprise joins Linux, Unix, and Mac OS X computers to Microsoft Active Directory to centrally manage all your computers, authenticate users, control access to resources, and apply group policies to non-Windows computers.

Likewise Enterprise comprises two main components: The Likewise Management Console and the Likewise Agent.

The console runs on a Windows administrative workstation that can connect to the Active Directory domain controller and includes management tools that are integrated into Active Directory Users and Computers, the Group Policy Management Console, and the Group Policy Object Editor. The console also includes Cell Manager, an MMC snap-in for managing Likewise cells.

The Likewise Agent runs on Linux, Unix, and Mac OS computers so that you can join them to a domain, manage them within Active Directory, and use single sign-on.

In addition, Likewise Enterprise includes tools for migrating non-Windows systems to Active Directory and modules for auditing and reporting.

The following diagram highlights the role of Likewise in a mixed network:


More information about the architecture of Likewise Enterprise is available in the Likewise Technical Overview at http://www.likewisesoftware.com/resources/technical_notes/LikewiseEnterprise4.0_TechnicalOverview.pdf.

With Likewise Enterprise, you get the following features:

• Support for more than 100 Linux, Unix, and Mac OS X platforms

• Centralized management of your mixed network

• One user, one ID

• Cached credentials

• Secure authentication

• Access control

• Single sign-on

• Advanced cell technology

• Group policies for Linux, Unix, and Mac workstations and servers

• Gnome settings centrally managed through Likewise group policies

• Migration tools

• Auditing and reporting

Each of these features is discussed below.

Centralized Management

Likewise Enterprise empowers you to centrally manage all your computers in Active Directory — bringing you an array of features and benefits unavailable with NIS, a custom LDAP solution, or an ad hoc Kerberos key distribution center.

First, Likewise radically simplifies user account management: It lets you manage all your users and computers with a single identity management system. Provisioning, password maintenance, security policies, and de-provisioning can all be done through Active Directory.

Second, Likewise lets you assign a unique ID to each person with computer access — a best practice and a requirement of such regulatory standards as the Payment Card Industry Data Security Standard. Active Directory makes ID assignment simple: one ID, one user. Likewise extends that functionality to Linux, Unix, and Mac OS X users. With one unique ID provisioned and centrally managed through Active Directory, a user can log on Windows, Unix, Linux, and Mac OS X computers with an encrypted password that is securely authenticated with Kerberos 5 against the Active Directory database.

Third, Likewise lets you assign each user a unique ID in Active Directory while maintaining your NIS domain user information. When you migrate Linux and Unix users from NIS domains to Active Directory, Likewise uses cells to preserve the user information in your NIS domains. A cell provides a custom mapping of a unique and identifiable Active Directory user to that user’s UIDs and GIDs.

Fourth, Likewise is integrated with Microsoft Active Directory Users and Computers (ADUC), which streamlines the management of Linux, Unix, and Mac users — you can manage them in Active Directory just like you manage your Windows users. For example, Likewise integrates the following tab into the user properties sheets in ADUC:


Benefits of Likewise Over a Custom LDAP Solution

A custom LDAP approach can have the following drawbacks:

• Complexity: With LDAP, you must use certificates and, for example, SSL for security — which adds a lot of complexity to the system, making it difficult to set up, troubleshoot, and maintain.

• No site affinity: LDAP will not find the most efficient domain controller if you change locations.

• No support for cached credentials: Users won’t be able to log on computers when the computers cannot connect to the domain.

• No group policies for centrally configuring and managing Linux, Unix, and Mac computers.


Likewise, in contrast, gives you simplicity, site affinity, cached credentials, and hundreds of group policies.

Secure Authentication with Kerberos 5

Why does enterprise-wide authentication require so much work? For many businesses, it is because they use different Identity Management Systems for different operating systems: Windows users might authenticate through Active Directory, Linux and Unix users might authenticate through NIS, and Mac OS X users might authenticate through an ad hoc Kerberos key distribution center. Every time a user joins or leaves your company, you have to update each of these identity management systems separately — a time-consuming process that can leave security holes. The complexity of these identity management systems and their lack of central management increase the likelihood that something will go wrong. A user account with access to protected data, for example, might not get deprovisioned from one of the systems when the user leaves the company.

Likewise's ability to join non-Windows computers to an Active Directory domain immediately yields the benefit of making Active Directory's authentication process available to Unix, Linux, and Mac OS X computers. Because Active Directory functions as a Kerberos key distribution center, Likewise can validate Unix and Linux usernames and passwords with the Kerberos 5 network authentication protocol. Kerberos lets users and computers communicating over an insecure network prove their identity to one another in a secure manner.

How It Works

With Likewise, authentication works like this:

1. A user logs on a Linux or Unix client, and the login program gets the username and password.

2. The username and password are sent to PAM.

3. The pam_lwidentity.so library communicates with the Likewise authentication daemon.

4. From the username and password, the Likewise authentication daemon generates a secret key.


5. Using the secret key, the Likewise authentication daemon requests a ticket granting ticket, or TGT, from the Active Directory's Kerberos key distribution center, or KDC.

6. The KDC verifies the secret key and then grants the client a TGT.

7. The client and the KDC exchange messages to authenticate the client.

8. The Likewise authentication daemon can then use the TGT to request service tickets for other services, such as SSH.

Benefits

Authenticating Linux, Unix, and Mac computers with Likewise and Active Directory has the following benefits:

• Consolidate your identity management systems into a single secure, scalable, stable, and proven identity management system.

• Stop maintaining /etc/passwd files.

• Reduce your administrators' reliance on using the root account, an insecure practice that runs counter to accepted security standards and regulations.

• Eliminate labor-intensive ad hoc Kerberos key distribution centers and custom LDAP implementations.

• Eliminate NIS authentication systems, which are difficult to scale, cumbersome to implement for multiple operating systems, and far less secure than LDAP and Kerberos.

• Get a variety of access control methods.

More Information


For more information on authentication, see the Likewise Enterprise Technical Overview at http://www.likewisesoftware.com/resources/technical_notes/LikewiseEnterprise4.0_TechnicalOverview.pdf.

Access Control

This section outlines the Likewise access control mechanisms.

Features

Likewise Enterprise provides several mechanisms to control access to Linux, Unix, and Mac OS X computers, beginning with the strong cryptographic mechanism — Kerberos 5 — that Likewise uses to communicate with Active Directory to verify that a username and password correspond to a valid user in AD. This fundamental form of access control lets administrators stop using local accounts on Unix, Linux, and Mac OS X computers. Instead, Likewise empowers them to manage all their user accounts centrally in AD. A user is allowed to log on only if he or she has a valid AD user account explicitly enabled for Unix, Linux, and Mac access.

In addition, Likewise provides the following mechanisms for controlling access:

Access Control Mechanism: Description

• Likewise Cell Technology: Only users with membership in a cell can log on the Unix, Linux and Mac OS X machines in the cell. Judicious use of cells can provide a convenient way of controlling access to different classes of Unix, Linux and Mac OS X computers.

• Allow Logon Rights Group Policy (require_membership_of): This Likewise group policy can specify that a user be a member of a particular group to log on a computer within the scope of the group policy object. You can designate one or more groups. A user is allowed to log on only if he or she is a member of at least one of the designated groups.

• Logon Hours: With Likewise, you can use Microsoft Active Directory Users and Computers (ADUC) to set the days of the week and times of day that a user is allowed to log on any Linux, Unix, and Mac machines.

• Logon List: Likewise lets you use ADUC to specify the Linux, Unix, and Mac computers that a user can log on.

• Disable Account: With Likewise and ADUC, you can disallow logons by a user.

Benefits

• Greater control over access to Linux, Unix, and Mac workstations and servers.

• Access control options to help improve regulatory compliance.

• Improved network security.

• Likewise access reports help demonstrate regulatory compliance.

More Information

Read the Likewise technical note titled Access Control for Linux, Unix, and Mac OS X available at http://www.likewisesoftware.com/resources/technical_notes/Likewise_AccessControl_TechNote.pdf.

Cached Credentials

Although modern networks are extremely reliable, network architects should not rely on perfect connectivity, especially when a network spans multiple geographic sites. Branch offices and other satellite facilities may be connected to Active Directory through leased lines or through virtual private networks (VPNs) that are subject to occasional failure.

Likewise Enterprise tolerates communication failures. The Likewise agent caches user account information so that it can authenticate users even if it has temporarily lost connectivity with AD domain controllers. It uses the same logic employed by Microsoft Windows: If a user has previously logged on a machine, the machine caches the user’s credentials and lets the user log on again even when the domain controller is unavailable. The lifetime of the Likewise Enterprise credential cache can be configured to be short for optimal security or long for laptops and other computers that may be disconnected for protracted periods.

Single Sign-On

When you log on a Linux, Unix, or Mac OS X computer by using your Active Directory domain credentials, Likewise initializes and maintains a Kerberos ticket granting ticket (TGT). With a TGT, you can log on other computers joined to Active Directory or applications provisioned with a Service Principal Name and be automatically authenticated with Kerberos and authorized for access through Active Directory. In a process transparent to the user, the underlying Generic Security Services (GSS) system requests a Kerberos service ticket for the Kerberos-enabled application or server. The result: single sign-on.

To gain access to the other computer, you can use various protocols and applications:

• SSH

• rlogin

• rsh

• Telnet

• FTP

• Firefox (for browsing of intranet sites)

• LDAP queries against Active Directory

• HTTP with an Apache HTTP Server

How Likewise Makes SSO Happen

Since Microsoft Windows 2000, Active Directory's primary authentication protocol has been Kerberos. When a user logs on a Windows computer that is joined to a domain, the operating system uses the Kerberos protocol to establish a key and to request a ticket for the user. Active Directory serves as the Kerberos key distribution center, or KDC.


Likewise configures Linux and Unix computers to interact with Active Directory in a similar way. When a user logs on a Linux or Unix computer joined to a domain, Likewise requests a ticket for the user. The ticket can then be used to implement SSO with other applications.

Likewise fosters the use of the highly secure Kerberos 5 protocol by automating its configuration and use on Linux and Unix computers. To ensure that the Kerberos authentication infrastructure is properly configured, Likewise does the following:

• Ensures that DNS is properly configured to resolve names associated with Active Directory (AD).

• Provides tools to join Linux, Unix, and Mac OS X computers to AD.

• Performs secure, dynamic DNS updates to ensure that Linux and Unix computer names can be resolved with AD-integrated DNS servers.

• Configures Kerberos. In an environment with multiple KDCs, Likewise makes sure that Kerberos selects the appropriate server.

• Configures SSHD to support SSO through Kerberos (by using GSSAPI).

• Creates a keytab for the computer in the following way: When you join a Linux or Unix computer to AD, Likewise creates a machine account for the computer. Likewise then automatically creates a keytab for the SPN and places it in the standard system location (typically /etc/krb5.keytab).

• Provides a tool, lwinet, to generate additional keytab entries for other applications or services.

• Creates a keytab for the user during logon. On most systems, the user keytab is placed in the /tmp directory and named krb5cc_UID, where UID is the numeric user ID assigned by the system.
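The last bullets name two files that hold long-lived or session secrets: the machine keytab at /etc/krb5.keytab and the per-user krb5cc_UID file in /tmp. The following audit is an added example, not Likewise code; it assumes the keytab should belong to root (uid 0) and that both kinds of file should be regular files with no group or other permissions.

```python
import os
import re
import stat

# Cache names as described above: krb5cc_<uid>, optionally with a suffix.
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_.+)?$")


def check_secret_file(path, expected_uid):
    """Return a list of (path, problem) tuples for one key or ticket file."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a symlink target
    except FileNotFoundError:
        return [(path, "missing")]
    if not stat.S_ISREG(st.st_mode):
        # A symlink or directory with a predictable name in /tmp is suspect.
        return [(path, "not a regular file")]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(
            (path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        problems.append((path, f"mode {mode:04o} grants group/other access"))
    return problems


def audit(keytab="/etc/krb5.keytab", cache_dir="/tmp", keytab_uid=0):
    """Check the machine keytab and every krb5cc_<uid> file in cache_dir.

    keytab_uid is an assumption of this example (root by default); each
    cache file is expected to belong to the uid encoded in its name.
    """
    findings = check_secret_file(keytab, keytab_uid)
    for name in sorted(os.listdir(cache_dir)):
        match = CCACHE_NAME.match(name)
        if match:
            path = os.path.join(cache_dir, name)
            findings += check_secret_file(path, int(match.group(1)))
    return findings


if __name__ == "__main__":
    for path, problem in audit():
        print(f"{path}: {problem}")
```

An empty result means every file found is a regular file, owned by the expected account, with mode 0600 or stricter.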

Application Support


Likewise supports single sign-on for a variety of applications and services, including the following:

Application or Service: For More Information

• Apache HTTP Server: See Configuring Apache Web Server for Single Sign-On with Likewise at http://www.likewisesoftware.com/resources/user_documentation/Likewise-Apache-SSO-Guide.pdf.

• SAP: See Using Likewise for Active Directory-Based Single Sign-On with SAP at http://www.likewisesoftware.com/resources/technical_notes/Likewise-SAP-SSO-Tech-Note.pdf.

• Oracle: See Using Likewise for Single Sign-On with Kerberos and Active Directory at http://www.likewisesoftware.com/resources/technical_notes/Likewise-SSO-Overview-Tech-Note.pdf.

• Network Appliances: See Using Likewise for Single Sign-On with Kerberos and Active Directory at http://www.likewisesoftware.com/resources/technical_notes/Likewise-SSO-Overview-Tech-Note.pdf.

Advanced Cell Technology

Active Directory uses Organizational Units to group related objects in a common container to manage the objects in a uniform and consistent way. To map Active Directory users to Linux and Unix user identifiers (UIDs) and group identifiers (GIDs), Likewise associates cells with Organizational Units.

When a Unix or Linux computer running the Likewise agent connects to Active Directory, it determines the OU of which it is a member and checks whether a Likewise cell is associated with it. If a cell is not associated with the OU, the Likewise Agent on the Unix computer searches the parent and grandparent OUs until it finds an OU that has a cell associated with it. If an OU with an associated cell is not found, the agent uses the default cell to map its username to UID and GID information.

Cells can map a user to different UIDs and GIDs for different computers. Linux and Unix computers that are in the OU (or an OU nested in it) use the cell to map AD users to UIDs and GIDs. Likewise Enterprise modifies the Active Directory Users and Computers MMC snap-in so that you can create an associated cell for an OU and then use the cell to manage UID-GID numbers. In the following screen shot from ADUC, the example user, Raymond Williams, is allowed to access the Linux and Unix computers that are in the selected Likewise cells:

Linking Cells

To provide a mechanism for inheritance and to ease system management, Likewise can link cells. Linking specifies that users and groups in a linked cell can access resources in the target cell. For example, if your default cell contains 100 system administrators and you want those administrators to have access to another cell, called Engineering, you do not need to provision those users in the Engineering cell. You can simply link the Engineering cell to the default cell, and then the Engineering cell inherits the settings of the default cell. Then, to make management easier, in the Engineering cell you can just specify the mapping information that deviates from the default cell. You can use linking to in effect set up a hierarchy of cells.

Using a Default Cell

Likewise includes a feature that lets you define a default cell. It handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers.

A Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the group policies associated with the OU apply to the Linux and Unix computer, but user UID-GID mappings follow the policy of the nearest parent cell, or the default cell. Likewise does not require you to have a default cell.
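The lookup rules described in the sections above (nearest parent cell, linked cells, default cell) can be pictured with a small model. This is an added example, not Likewise code; the OU names, user names, UID-GID values, and the rule that links are followed recursively are assumptions made for illustration.

```python
# Simplified model of the cell rules described above (added example, not Likewise code).
# OU names, users and UID-GID numbers are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Cell:
    name: str
    mappings: dict = field(default_factory=dict)  # AD user -> (uid, gid)
    links: list = field(default_factory=list)     # names of cells this cell is linked to

def parent_ous(dn):
    """Yield the OU's DN, then each parent container, nearest first.
    Naive comma split: escaped commas in DNs are not handled."""
    parts = dn.split(",")
    for i in range(len(parts)):
        yield ",".join(parts[i:])

def find_cell(computer_ou, cells_by_ou, default_cell=None):
    """Cell of the nearest OU on the path upward, else the default cell (may be None)."""
    for dn in parent_ous(computer_ou):
        if dn in cells_by_ou:
            return cells_by_ou[dn]
    return default_cell

def resolve(user, cell, cells_by_name, _seen=None):
    """Return (uid, gid, source_cell_name), or None if the user is in no reachable cell.
    A mapping in the cell itself takes precedence over one inherited through a link."""
    seen = set() if _seen is None else _seen
    if cell is None or cell.name in seen:  # no cell, or a link cycle (assumption)
        return None
    seen.add(cell.name)
    if user in cell.mappings:
        return (*cell.mappings[user], cell.name)
    for linked in cell.links:
        hit = resolve(user, cells_by_name.get(linked), cells_by_name, seen)
        if hit:
            return hit
    return None

# Constructed directory: a default cell plus an Engineering cell linked to it.
DEFAULT = Cell("default", {"CORP\\rwilliams": (1001, 100), "CORP\\admin1": (2001, 200)})
ENGINEERING = Cell("Engineering", {"CORP\\rwilliams": (5001, 500)}, links=["default"])
CELLS_BY_NAME = {c.name: c for c in (DEFAULT, ENGINEERING)}
CELLS_BY_OU = {"OU=Engineering,DC=corp,DC=example": ENGINEERING}

def lookup(user, computer_ou):
    """Mapping a computer in computer_ou would use for user; None means no logon."""
    return resolve(user, find_cell(computer_ou, CELLS_BY_OU, DEFAULT), CELLS_BY_NAME)

if __name__ == "__main__":
    for ou in ("OU=Build,OU=Engineering,DC=corp,DC=example", "OU=Sales,DC=corp,DC=example"):
        for user in ("CORP\\rwilliams", "CORP\\admin1", "CORP\\guest"):
            print(ou, user, lookup(user, ou))
```

In this model the same user receives a different UID in the Engineering cell than in the default cell, administrators provisioned only in the default cell are reachable through the link, and a user who appears in no reachable cell gets no mapping.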

Cell Manager

Cell Manager is a Likewise MMC snap-in for managing cells associated with Active Directory Organizational Units. With Cell Manager, you can delegate management, change permissions for a cell, add cells, view cells, and associate cells with OUs to provide users and groups with Linux and Unix access. Cell Manager also lets you filter cells to reduce clutter and connect to another domain. Cell Manager is automatically installed when you install the Likewise Console.

Benefits of Likewise Cell Technology

Likewise cell technology provides the following benefits:

• A hierarchical processing model that mirrors the hierarchy of Active Directory organizational units.

• The ability to maintain existing NIS mapping information for users and groups when you migrate them to Active Directory.

• The ability to delegate administrative rights by cell.

• The ability to control access to computers. Only users with membership in a cell can log on to the Unix, Linux and Mac OS X machines in the cell. Judicious use of cells can provide a convenient way of controlling access to different classes of Unix, Linux and Mac OS X computers.

• The ability to link cells to streamline administration of Linux and Unix users.

• The ability to use a default cell to ease administration.

More Information

See Using Likewise Cell Technology To Manage Users and Computers.

Group Policies for Linux, Unix, and Mac

Likewise empowers you to define group policies for computers running Linux, Unix, and Mac OS X. Likewise includes more than 100 policies that are custom made for non-Windows computers. All the policies are integrated into the Microsoft Group Policy Object Editor.

For example, you can use a group policy to control who can use sudo for access to root-level privileges by specifying a common sudoers file for target computers. You could, for instance, create an Active Directory group called SudoUsers, add Active Directory users to the group, and then apply the sudo group policy to the container, giving those users sudo access on their Linux and Unix computers. In the sudoers file, you can specify Windows-style user names and identities. Using a group policy for sudo gives you a powerful method to remotely and uniformly audit and control access to Unix and Linux resources.

Likewise stores its Unix and Linux group policies in the same locations and in the same format as the default Windows group policies -- in the system volume (sysvol) shared directory. Unix and Linux computers that are joined to an Active Directory domain receive their group policies in the same way that a Windows system does:

Likewise gives you the option of creating and editing group policies with either the Group Policy Object Editor (GPOE) or the Group Policy Management Console (GPMC). When you use the Group Policy Management Console, you can view group policy settings.

In the Group Policy Object Editor, the Likewise group policies are in the UNIX and Linux Settings folder in the console tree under Computer Configuration; the Likewise user settings are under User Configuration:

Filtering by Target Platform

With the Group Policy Object Editor, you can set group policies to target all versions of the following platforms.

• Apple Mac OS X

• CentOS Linux

• Debian Linux

• Fedora Linux

• Hewlett-Packard HP-UX

• IBM AIX

• OpenSUSE Linux

• Red Hat Linux

• Red Hat Enterprise Linux (ES and AS)

• Sun Solaris

• SUSE Linux

• SUSE Linux Enterprise Desktop

• SUSE Linux Enterprise Server

• Ubuntu Linux

The dialog for setting target platforms looks like this:

Gnome Settings

Likewise Enterprise includes several thousand group policies for Linux user and computer settings -- policies that are based on the Gnome GConf project to define desktop and application preferences such as the default web browser. These Gnome configuration settings can be applied to Linux computers running the Gnome desktop.

The Gnome policies are integrated into the Group Policy Object Editor, making it easy to manage and apply them. After you add the Gnome schemas for your Linux platform, the policies appear in the Unix and Linux User Settings folder under User Configuration or under Computer Configuration.

The Gnome-based group policies include user and computer settings for applications like the browser, help viewer, and main menu. For example, a user policy can define whether the Gnome volume manager automatically mounts removable storage drives when they are inserted into a computer. Another Gnome policy can lock down Linux desktops.

Benefits

• Improve the security of Linux computers by locking down Linux desktops.

• Centrally configure computers and applications running the Gnome desktop.

• Control access to the command line.

• Manage Gnome settings on a user-by-user or computer-by-computer basis.

More Information

For more information, see Applying Gnome Settings to Linux Desktops with Group Policies.

Mac Support

Likewise Enterprise includes extensive support for Mac OS X workstations and servers. With Likewise, Mac clients can gain single sign-on to OS X servers as well as Linux and Unix resources by using a single Active Directory account. Likewise also includes group policies tailored specifically for the Mac, many of which are shown in the following screen shot:

SUPPORTED MAC VERSIONS

Likewise supports the 32-bit and 64-bit versions of the following Mac operating systems:

• OS X v10.4 PowerPC

• OS X Server v10.4 PowerPC

• OS X v10.4 x86

• OS X v10.3 PowerPC

More Information

See the Benefits of Joining Mac Computers To Active Directory with Likewise at http://www.likewisesoftware.com/resources/technical_notes/LikewiseEnterprise4.0_JoiningMacToADTechnicalNote.pdf and the Mac Group Policy Administrator’s Guide at http://www.likewisesoftware.com/resources/user_documentation/LikewiseEnterprise4.0_MacintoshGroupPolicyAdministratorGuide.pdf.

Migration Tools

You can use the Likewise migration tool to import Linux, Unix, and Mac OS X passwd and group files -- typically /etc/passwd and /etc/group -- and automatically map their UIDs and GIDs to users and groups defined in Active Directory. Or, you can choose to generate a Windows automation script to associate the Unix and Linux UIDs and GIDs with Active Directory users and groups. Before you commit the changes, you can resolve ambiguous user names and other conflicts.
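Before an import like the one described above, it helps to know where the existing passwd files disagree. The following added example (not the Likewise migration tool; host names and entries are constructed) flags UIDs shared by different login names and login names that carry different UIDs across hosts.

```python
# Pre-migration audit over passwd files collected from several hosts
# (added example; host names and entries are constructed sample data).
from collections import defaultdict

SAMPLE_PASSWD = {
    "web01": "root:x:0:0:root:/root:/bin/bash\n"
             "rwilliams:x:1001:100:Raymond Williams:/home/rwilliams:/bin/bash\n"
             "jsmith:x:1002:100:John Smith:/home/jsmith:/bin/bash\n",
    "db01":  "root:x:0:0:root:/root:/bin/bash\n"
             "rwilliams:x:5001:500:Raymond Williams:/home/rwilliams:/bin/ksh\n"
             "asmith:x:1002:100:Anna Smith:/home/asmith:/bin/bash\n"
             "# comment line\n"
             "broken:x:notanumber:100::/home/broken:/bin/sh\n",
}

def parse_passwd(text):
    """Return ([(login, uid, gid), ...], [rejected lines]) for passwd-format text."""
    entries, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat entries such as "+::::::".
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            rejected.append(line)  # keep malformed lines for manual review
            continue
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries, rejected

def audit(passwd_by_host):
    """Find cross-host conflicts that must be resolved before mapping to AD."""
    by_uid = defaultdict(lambda: defaultdict(set))    # uid -> login -> hosts
    by_login = defaultdict(lambda: defaultdict(set))  # login -> uid -> hosts
    rejected = {}
    for host, text in passwd_by_host.items():
        entries, bad = parse_passwd(text)
        if bad:
            rejected[host] = bad
        for login, uid, _gid in entries:
            by_uid[uid][login].add(host)
            by_login[login][uid].add(host)
    return {
        "uid_shared_by_logins": {u: {l: sorted(h) for l, h in m.items()}
                                 for u, m in by_uid.items() if len(m) > 1},
        "login_with_many_uids": {l: {u: sorted(h) for u, h in m.items()}
                                 for l, m in by_login.items() if len(m) > 1},
        "rejected": rejected,
    }

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_PASSWD).items():
        print(finding, detail)
```

A login that carries several UIDs is a candidate for per-cell mappings; a UID shared by two logins has to be resolved before the accounts are mapped to Active Directory users.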

Integration Options

Likewise provides multiple possible configurations for integrating Unix and Linux systems into Active Directory. All of these configurations require that a user’s Unix- and Linux-specific information be associated with the user’s Active Directory object. All of these configurations can be automatically provisioned using IBM’s Tivoli Identity Manager solution or by using Sun Identity Manager.

Auditing and Reporting

Likewise empowers you to create custom reports about Linux and Unix users, groups, computers, forests, and domains within Active Directory. From the Reports tab in the Likewise Console, you can generate the following reports:

| Report | Description |
| --- | --- |
| Forest Users and Groups | Displays all Unix- and Linux-enabled users and groups in an Active Directory forest. This report can also display duplicate UIDs, GIDs, login names, and group aliases. |
| User Access | Shows the Unix and Linux machines that each Active Directory user can access. |
| Group Access | Lists the Unix and Linux machines that each Active Directory group can access. |
| Group Membership | Shows the members of each Unix- and Linux-enabled Active Directory group. |
| Computer Access | Lists the users who can access each Unix and Linux computer. |

You can choose the information that you want to include in a report by selecting from a variety of report columns. Depending on the type of report, you can select different columns for users, groups, computers, and cells. When you generate a User Access report, for example, you can select from such report columns as Login Name, Unix Login Name, User Status, UID, Primary GID, Gecos, Login Shell, and Home Directory.

Each type of report includes filters and options. All the reports let you filter by domain. Depending on the type of report that you create, you can choose whether to show disabled users or disabled computers. For some reports you can limit the number of objects by specifying a maximum. For example, the Group Access report gives you a report option to set the maximum number of computers per group.

After you generate a report, you can view, save, preview, and print it.

Likewise outputs the report data in XML but displays it in HTML. After you generate a report, you can save it in XML, HTML, or CSV by clicking Save As, and then in the Save as type box, clicking the format that you want.

Benefits

• Help demonstrate regulatory compliance by generating reports showing the users and groups that have access to computers in a cell or OU.

• List all the duplicate UIDs, GIDs, Login Names, and Group Aliases in an Active Directory forest.

• Generating a report that shows duplicate UIDs, GIDs, Login Names, and Group Aliases can help you troubleshoot and resolve conflicts within your Active Directory forest.

• Generate a Computer Access report to show the users who have access to the Linux and Unix computers in each Likewise cell within the scope that you specify. You can customize the report by selecting the user details, computers, and domains that the report displays.

• A Group Membership report shows the members of your Unix and Linux Active Directory groups. You can customize the report by selecting the user details, group details, domains, and groups that the report displays.

Likewise Administrative Console

The Likewise Administrative Console is an extensible service for running management applications, or snap-ins, on a Linux computer. The following Likewise snap-ins are available after you install the console:

| Snap-In | Description |
| --- | --- |
| Likewise Active Directory Users and Computers | Provides administrative access to users, computers, groups, organizational units, and Likewise cells in Active Directory. You can add, delete, and modify the properties of Active Directory objects from your Linux desktop. It also serves as a Linux-side ADSI -- you can use it to view and edit Active Directory attribute values. |

In the Likewise Administrative Console, the Active Directory Users and Computers snap-in looks like this:

To run the console, you must first install Mono 1.2.5.1 and Mono WinForms 1.2.5.1. Mono is available for free at http://www.mono-project.com/, and Mono WinForms is available for free at http://www.mono-project.com/WinForms.

The Likewise Administrative Console runs on the following Linux platforms:

• SUSE Linux Enterprise Server 10.0

• SUSE Linux Enterprise Desktop 10

• Ubuntu Desktop 7.1

• Red Hat Fedora 7 and 8

• CentOS 5

• Red Hat Enterprise Linux

Broad Platform Support

| Vendor | Distribution | Supported: 32-bit | Supported: 64-bit |
| --- | --- | --- | --- |
| | AIX 5L 5.2 | - | |
| | AIX 5L 5.3 | - | |
| | OS X v10.3 PPC | | |
| | OS X v10.4 PPC | | |
| | OS X Server v10.4 PPC | | |
| | OS X v10.4 x86 | | |
| | CentOS 4.0 | | |
| | CentOS 4.1 | | |
| | CentOS 4.2 | | |
| | CentOS 4.3 | | |
| | CentOS 4.4 | | |
| | CentOS 5.0 | | |
| | Debian Linux 3.1 | | |
| | Fedora Core 3 | | - |
| | Fedora Core 4 | | |
| | Fedora Core 5 | | |
| | Fedora Core 6 | | |
| | Fedora Core 7 | | |
| | HP-UX 11.11 PA-RISC - Trusted Mode | - | |
| | HP-UX 11.11 PA-RISC - Untrusted Mode | - | |
| | HP-UX 11.23 Itanium - Trusted Mode | - | |
| | HP-UX 11.23 Itanium - Untrusted Mode | - | |
| | Oracle Enterprise Linux 4 | | |
| | Oracle Enterprise Linux 5 | | |
| | Red Hat Enterprise Linux AS 2.1 | | - |
| | Red Hat Enterprise Linux ES 2.1 | | - |
| | Red Hat Enterprise Linux WS 2.1 | | - |
| | Red Hat Enterprise Linux AS 3.0 | | |
| | Red Hat Enterprise Linux ES 3.0 | | |
| | Red Hat Enterprise Linux WS 3.0 | | |
| | Red Hat Enterprise Linux AS 4.0 | | |
| | Red Hat Enterprise Linux ES 4.0 | | |
| | Red Hat Enterprise Linux WS 4.0 | | |
| | Red Hat Enterprise Linux 5.0 | | |
| | Red Hat Enterprise Linux 5.0 Desktop | | |
| | Red Hat Enterprise Linux 5.0 Advanced Platform | | |
| | Red Hat Linux 7.2 | | - |
| | Red Hat Linux 7.3 | | - |
| | Red Hat Linux 8 | | - |
| | Red Hat Linux 9 | | - |
| Sun | Solaris 8 (SPARC) | | |
| | Solaris 8 x86 | | |
| | Solaris 9 (SPARC) | | |
| | Solaris 9 x86 | | |
| | Solaris 10 (SPARC) | - | |
| | Solaris 10 x86 | - | |
| | Open Solaris | - | |
| | SuSE Linux Desktop 8.2 | | - |
| | SuSE Linux Desktop 9.0 | | - |
| | SuSE Linux Desktop 9.1 | | |
| | SuSE Linux Desktop 9.2 | | |
| | SuSE Linux Desktop 9.3 | | |
| | SuSE Linux Enterprise Desktop 10.0 | | |
| | OpenSuSE Linux 10.0 | | |
| | OpenSuSE Linux 10.1 | | |
| | OpenSuSE Linux 10.2 | | |
| | SuSE Linux Enterprise Server 9.0 | | |
| | SuSE Linux Enterprise Server 10.0 | | |
| | Ubuntu Desktop 6.06 | | |
| | Ubuntu Desktop 6.10 | | |
| | Ubuntu Server 6.06 | | |
| | Ubuntu Server 6.10 | | |
| | Ubuntu Desktop 7.04 | | |
| | Ubuntu Desktop 7.10 | | |
| | VMWare ESX Server 2.5 | | - |
| | VMWare ESX Server 3.0.1 | | - |

ABOUT LIKEWISE

Likewise Software is an open source company that provides audit and authentication solutions designed to improve security, reduce operational costs and help demonstrate regulatory compliance in mixed network environments. Likewise Open allows large organizations to securely authenticate Linux, UNIX and Mac systems with a unified directory such as Microsoft Active Directory. Additionally, Likewise Enterprise includes world-class group policy, audit and reporting modules.

Likewise Software is a Bellevue, WA-based software company funded by leading venture capital firms Ignition Partners, Intel Capital, and Trinity Ventures. Likewise has experienced management and engineering teams in place and is led by senior executives from leading technology companies such as Microsoft, F5 Networks, EMC and Mercury.