Likewise Open Installation and Administration Guide

The Likewise agent is installed on Linux, Unix, and Mac OS X computers to connect them to Microsoft Active Directory and to authenticate users with their domain credentials. The agent integrates with the core operating system to implement the mapping for any application, such as the logon process (/bin/login), that uses the name service (NSS) or pluggable authentication module (PAM). As such, the agent acts as a Kerberos 5 client for authentication and as an LDAP client for authorization. In Likewise Enterprise, the agent also retrieves group policy objects to securely update local configurations, such as the sudo file.

The Likewise agent is also known as the Likewise client.

The Likewise agent comprises the following daemons:

Managing the Likewise Daemons

The Likewise Service Manager lets you track and troubleshoot all the Likewise services with a single command-line utility. You can, for example, check the status of the services, view their dependencies, and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the appropriate order. In addition, you can use the service manager to set the logging destination and the log level.

To list status of the services, run the following command with superuser privileges at the command line:

/opt/likewise/bin/lwsm list

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm list
lwreg       running (standalone: 1920)
dcerpc      running (standalone: 2544)
eventlog    running (standalone: 2589)
lsass       running (standalone: 2202)
lwio        running (standalone: 2191)
netlogon    running (standalone: 2181)
npfs        running (io: 2191)
pvfs        stopped
rdr         running (io: 2191)
srv         stopped
srvsvc      stopped

After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with super-user privileges. This example refreshes the lsass service.

/opt/likewise/bin/lwsm refresh lsass

Configuration information for the daemons is stored in the Likewise registry, which you can access and modify by using the registry shell or by executing registry commands at the command line. The registry shell is at /opt/likewise/bin/lwregshell. For more information, see Configuring the Likewise Services with the Registry.

The agent includes a number of libraries in /opt/likewise/lib.

The agent uses the following ports for outbound traffic.

To maintain the current state and to improve performance, the Likewise authentication service (lsass) caches information about users and groups in a SQLite database. You can, however, change the cache to store the information in memory, which might improve performance; for more information, see the chapter on configuring Likewise with the registry.

The Likewise site affinity service, netlogon, caches information about the optimal domain controller and global catalog in the Likewise registry.

The following cache files are in /var/lib/likewise/db:

Additional information about a computer's Active Directory domain name, machine account, site affinity, domain controllers, forest, the computer's join state, and so forth is stored in the Likewise registry. Here's an example of the kind of information that is stored under the Pstore key and the netlogon key:

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\Pstore\Default]
"ClientModifyTimestamp"=dword:4b86d9c6
"CreationTimestamp"=dword:4b86d9c6
"DomainDnsName"="LIKEWISEDEMO.COM"
"DomainName"="LIKEWISEDEMO"
"DomainSID"="S-1-5-21-3190566242-1409930201-3490955248"
"HostDnsDomain"="likewisedemo.com"
"HostName"="RHEL5D"
"MachineAccount"="RHEL5D$"
"SchannelType"=dword:00000002

[HKEY_THIS_MACHINE\Services\netlogon\cachedb\likewisedemo.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="likewisedemo.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.likewisedemo.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="likewisedemo.com"
"DcInfo-LMToken"=dword:0000ffff
"DcInfo-NetBIOSDomainName"="LIKEWISEDEMO"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-NTToken"=dword:0000ffff
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DcInfo-Version"=dword:00000005
"DnsDomainName"="likewisedemo.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""

For the Likewise agent to communicate over Kerberos with the domain controller, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. (For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Clock-Skew.html.)

The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the domain controller's Kerberos key distribution center that determines the maximum clock skew. Since changing the maximum clock skew in a client's krb5.conf file does not affect the clock skew tolerance of the domain controller, the change will not allow a client outside the domain controller's tolerance to communicate with it.

The clock skew value that is set in the /etc/likewise/krb5.conf file of Linux, Unix, and Mac OS X computers is useful only when the computer is functioning as a server for other clients. In such cases, you can use a Likewise Enterprise group policy to change the maximum tolerance; for more information, see Set the Maximum Tolerance for Kerberos Clock Skew.

The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew are discarded. When the server receives an authentication request within the clock skew, it checks the replay cache to make sure the request is not a replay attack.

If you set the system time on your computer with a Network Time Protocol (NTP) server, the time value of the NTP server and the time value of the domain controller could exceed the maximum skew. As a result, you will be unable to log on your computer.

If you use an NTP server with a cron job, there will be two processes trying to synchronize the computer's time -- causing a conflict that will change the computer's clock back and forth between the time of the two sources.

Likewise recommends that you configure your domain controller to get its time from the NTP server and configure the domain controller's clients to get their time from the domain controller.

The Likewise authentication daemon -- lsassd -- manages site affinity for domain controllers and global catalogs and caches the information with netlogond. When a computer is joined to Active Directory, netlogond determines the optimum domain controller and caches the information. If the primary domain controller goes down, lassd automatically detects the failure and switches to another domain controller and another global catalog within a minute.

However, if another global catalog is unavailable within the forest, the Likewise agent will be unable to find the Unix and Linux information of users and groups. The Likewise agent must have access to the global catalog to function. Therefore, it is a recommended that each forest has redundant domain controllers and redundant global catalogs.

In Likewise Open, a UID and GID are generated by hashing the user or group's security identifier, or SID, from Active Directory. With Likewise Open, you do not need to make any changes to Active Directory. A UID and GID stays the same across host machines. With Likewise Open, you cannot set UIDs and GIDs for Linux and Unix in Active Directory; using AD to set and manage UIDs and GIDs is a feature of Likewise Enterprise or the Likewise UID-GID management tool. If your Active Directory relative identifiers, or RIDs, are a number greater than 524,287, the Likewise Open algorithm that generates UIDs and GIDs can result in UID-GID collisions among users and groups. In such cases, it is recommended that you use Likewise Enterprise or that you use the Likewise UID-GID management tool.

The Likewise Open algorithm is the same in 4.1 and 5.0, and if you are running 4.1 on one computer and 5.0 or later on another, each user and group should have the same UID and GID on both machines.

Note: If you have UIDs and GIDs defined in Active Directory, Likewise Open will not use those UIDs and GIDs.

In Likewise Enterprise, you can specify the UIDs and GIDs that you want, including setting multiple UID and GID values for a given user based on OU membership by using Likewise cells. (Likewise cells, available only in Likewise Enterprise, provide a method for mapping Active Directory users and groups to UIDs and GIDs.) You can also specify that Likewise Enterprise automatically generates UID and GID values sequentially.

Both Likewise Open and Likewise Enterprise cache credentials so users can log on when the computer is disconnected from the network or Active Directory is unavailable.

The Likewise agent supports the following Active Directory trusts:

There is information on the types of trusts at http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx.

Notes on Trusts

Aliasing and Trusts

Likewise-CIFS is an open source SMB file system that is included with Likewise Open 5.2 as an early technology preview. It provides client-side and server-side SMB/CIFS support so Microsoft Windows clients can access folders and files on Linux computers. At the same time, the Likewise CIFS FUSE module lets you mount remote Windows shares on a Linux computer to access folders and files. For instructions on how to set up and use the Likewise CIFS file server, see the Likewise CIFS File Server User Guide.

Because Likewise-CIFS is a technology preview and because it is a separate component from the authentication engine in the other Likewise products, it is not covered under your support contract.

Likewise Open and Likewise Enterprise run on a broad range of Unix, Mac OS X, and Linux platforms. Likewise frequently adds new vendors and distributions to the list of supported platforms. To view the list, go to http://www.likewise.com/products/likewise_enterprise/supported_platforms.php.

Before you attempt to join an Active Directory domain, make sure the /etc/nsswitch.conf file contains the following line:

hosts: files dns

The hosts line can contain additional information, but it must include the dns entry, and it is recommended that the dns entry appear after the files entry.

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

When you use Likewise with Multicast DNS 4 (mDNS4) and have a domain in your environment that ends in .local, you must place the dns entry before the mdns4_minimal entry and before the mdns4 entry:

hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

The default setting for many Linux systems is to list the mdns4 entries before the dns entry -- a configuration that leaves Likewise unable to find the domain.

For more information on configuring nsswitch, see the man page for nsswitch.conf.

Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve SRV records for your domain.

Example:

[root@rhel5d Desktop]# cat /etc/resolv.conf

search likewisedemo.com
nameserver 192.168.100.132

If your list of nameservers contains multiple nameservers and one of them becomes unavailable, name resolution can time out, delaying the logon process. To improve performance, set up a BIND server on each Linux or Unix computer on which you are running Likewise. Then configure BIND as a local caching resolver and add your nameserver addresses to the forwarder list, leaving /etc/resolv.conf with only the local loopback address:

search likewisedemo.com
nameserver 127.0.0.1

For instructions on how to set up BIND, see the BIND documentation.

For more information on resolv.conf, see your operating system's man page.

The Likewise agent requires several firewall ports to be open for outbound traffic. For a list of the required ports, see Make Sure Outbound Ports Are Open.

On AIX 5.2 and 5.3, you may need to extend the size of certain partitions to complete the installation successfully.

To do so, use IBM's chfs command to change the partition sizes -- for example:

# chfs -a size=+200M /opt

This command increases the size of the /opt partition by 200 megabytes, which should be sufficient for a successful installation.

By default, IBM AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory username. To increase the max username length on AIX 5.3, use the following syntax:

# chdev - l sys0 -a max_logname=MaxUserNameLength+1

Example:

# chdev - l sys0 -a max_logname=255

This command allocates 254 characters for the user and 1 for the terminating null.

The safest value that you can set max_logname to is 255.

You must reboot for the changes to take effect:

# shutdown - Fr

Note: AIX 5.2 does not support increasing the maximum user name length.  

Members of the Likewise support staff might use a shell script to check the health of a Linux or Unix computer on which you plan to install the Likewise Agent. The script helps identify potential system configuration issues before you install the agent and attempt to join a Linux or Unix computer to Active Directory.

With Likewise Open, the script is unavailable, but you can manually check your computer against the list in the table below.

The name of the script is healthchk.sh. To execute it, copy the script to the Unix or  Linux computer that you want to check, and then execute the following command from the shell prompt: likewise-health-check.sh

The script outputs the results of its scan to /tmp/healthchk.out.

The following table lists each item the script checks, describes the item, and suggests action to correct the issue.

You must install the Likewise agent on each Linux, Unix, or Mac OS X computer that you want to connect to Active Directory. To obtain the installer or to view a list of supported platforms, see www.likewise.com. The Likewise Open installation package can be downloaded for free at http://www.likewise.com/products/likewise_open/.

Important: Before you install the agent, it is recommended that you upgrade your system with the latest security patches. Patch requirements for Unix systems are listed below.

The procedure for installing the Likewise Open agent or the Likewise Enterprise agent depends on the operating system of your target computer or virtual machine. Each procedure is documented in a separate section of this chapter.

You also have the option of installing the agent in unattended mode; see Install the Agent on Linux in Unattended or Text Mode and Install the Agent on a Mac in Unattended Mode.

For Likewise Enterprise, you can optionally install the agent with a shell script -- an efficient method of deploying the agent in an enterprise environment; see Install the Agent on Linux or Unix with the Shell Script.

Checking Your glibc Version

To determine the version of glibc on your Linux machine, run the following command:

rpm - q glibc

Package Management Commands

For an overview of commands such as rpm and dpkg that can help you manage Likewise on Linux and Unix platforms, see Package Management Commands.

This section lists requirements for installing and running the Likewise agent. Requirements for installing and running the Likewise Management Console, which is part of Likewise Enterprise and the UID-GID module, are detailed in the chapter on installing the console. Likewise Open does not include the Likewise Management Console.

Patch Requirements

It is recommended that you apply the latest patches for your operating system before you install Likewise. Known patch requirements are listed below.

Sun Solaris

Sun Solaris 10 requires update 5 or later. The Solaris 10 05/08 (or later) patch bundle is available at http://sunsolve.sun.com/. Solaris 10_x86 requires the patch for nscd, either patch ID number 138047-02 or the patch that supercedes it, number 138264-02. This patch available for SPARC as patch 138046.

Solaris 8 Sparc should be fully patched according to Sun's recommendations. Likewise depends on the latest patch for libuuid. On Sparc systems, the patch for libuuid is 115831. Sun patch 110934-28 for Solaris 5.8 is also required for Solaris 8.

Solaris 8 Intel systems also require the latest patch for libuuid: 115832-01. Sun patch 110934-28 for Solaris 5.8 is also required for Solaris 8.

Solaris 9 requires Sun patch 113713-28 for Solaris 5.9.

OpenSolaris is compatible with Likewise without any patches.

HP-UX

Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed. Likewise recommends that you use HP-UX Secure Shell A.05.00.014 or later.

Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable Authentication Module, or PAM, which Likewise requires to allow domain users to execute sudo commands with super-user credentials. It is recommended that you download sudo from the HP-UX Porting Center and make sure that you use the --with-pam configuration option when you build it.

HP-UX 11iv1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903, and PHKL_29243. Although these patches may be superceded by subsequent patches, these patches represent the minimum patch level for proper operation.

Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, you must download and install the latest KRB5-Client libraries from the HP Software Depot. (By default, HP-UX 11.31 includes the libraries.)

Other Requirements for the Agent

AIX

On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.

Secure Shell

To properly process logon events with Likewise, your SSH server or client must support the UsePam yes option. For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software

Telnet, rsh, rcp, rlogin, and other software that uses PAM for processing authentication requests is compatible with Likewise.

Networking Requirements

Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:

In addition, several ports must be open; see Make Sure Outbound Ports Are Open.

Disk Space Requirements

The Likewise agent requires 100 MB of disk space in the /opt mount point. The agent also creates configuration files in /etc/likewise and offline logon information in /var/lib/likewise. In addition, the Likewise Enterprise agent caches group policy objects in /var/cache/likewise.  

Memory and CPU Requirements

The agent consists of several daemons that typically use between 9 MB and 14 MB of RAM. Memory utilization of the authentication daemon on a 300-user mail server is typically 7 MB; the other daemons require between 500 KB and 2 MB each. CPU utilization on a 2.0 gigahertz single-core processor under heavy load with authentication requests is about 2 percent. For a description of the Likewise daemons, see About the Likewise Agent.

Clock Skew Requirements

For the Likewise agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. For more information on time synchronization, see About the Likewise Agent.

You can install the Likewise Enterprise agent by using a shell script that contains a self-extracting executable. The file name of the SFX installer ends in sh. Example: LikewiseIdentityServiceOpen-5.0.0.3499-linux-i386-rpm.sh.

Note: The examples shown are for Linux RPM-based platforms. For other Linux and Unix platforms -- such as Debian, HP-UX, AIX, and Solaris -- simply substitute the appropriate installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type. For Linux computers running glibc 2.2 or earlier, see Install the Agent on Linux with glibc 2.2 or Earlier.

Install the Agent on Linux or Unix with the Shell Script

Perform the following procedure with the root account.

For most Linux platforms, you can install the Likewise Open agent or the Likewise Enterprise agent by using a BitRock installer — an executable whose file name ends with installer. Example: LikewiseOpen-5.0.0.3842-linux-i386-rpm-installer.

The following procedure assumes that you downloaded or copied the Likewise installer to the desktop of your Linux computer.

Linux platforms running glibc 2.2 or earlier require you to use the oldlibc installer -- a shell script that includes oldlibc in its name; example: LikewiseIdentityServiceOpen-5.2.0.7111-linux-oldlibc-i386-rpm.sh.

To check the version of glibc on your Linux computer, execute the following query:

 rpm - q glibc

The following platforms are running glibc 2.2 or earlier and thus require the oldlibc installer:

Install the Agent on glibc 2.2 or Earlier

Perform the following procedure with the root account.

When you use the BitRock installer, command-line tools can help deploy the Likewise agent to multiple computers or install the agent remotely.

You can use the command-line tools to automatically install the agent, join the computer to a domain, and obtain credentials. For example, you can automate the installation of the agent by using the installation command in unattended mode:

 LikewiseEnterprise-5.2.0.7111-linux-x86_64-rpm-installer --mode unattended

For Unix and Linux hosts, you can run the installer from the shell prompt with no special treatment. The installer detects that it is running in character mode and displays a character mode user interface, or you can force it into character mode with the option --mode text:

 LikewiseEnterprise-5.2.0.7111-linux-x86_64-rpm-installer --mode text

You can install the Likewise Open agent or the Likewise Enterprise agent on Sun Solaris, HP-UX, and IBM AIX by using a BitRock installer — an executable whose file name ends with installer. Example: LikewiseIdentityServiceEnterprise-5.0.0.3499-solaris-sparc-pkg-installer.

The examples shown below are for Solaris Sparc systems. For other Unix platforms, simply substitute the appropriate installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.

Note: The name of a Unix installer for Likewise Enterprise on installation media might be truncated to an eight-character file name with an extension. For example, l3499sus.sh is the truncated version of LikewiseIdentityServiceEnterprise-5.0.0.3499-solaris-sparc-pkg-installer.

Perform the following procedure with the root account.

You can install the optional graphical user interface version of the Likewise domain join tool on a Linux computer after you have installed the Likewise agent. The domain join tool can be installed on Linux platforms that are running GTK+ version 2.6 or later.

Note: You do not need to install the domain join GUI to join a domain; for more information, see Join Active Directory with the Command Line.

To install the Likewise agent on a computer running Mac OS X, you must have administrative privileges on the Mac. Likewise supports Mac OS X 10.4 or later.

The Likewise command-line tools can remotely deploy the shell version of the Likewise agent to multiple Mac OS X computers, and you can automate the installation of the agent by using the installation command in unattended mode.

The commands in this procedure require administrative privileges.

Important: For Intel-based Macs, use the i386 version of the .dmg installer; for example: LikewiseEnterprise-5.0.0.3628-i386.dmg. For Macs that do not have Intel chips, use the powerpc version of the .dmg installer; for example: LikewiseEnterprise-5.0.0.3628-powerpc.dmg

The procedure below assumes you are installing the agent on an i386 Mac; if you are installing on a powerpc, replace the i386 installer with the powerpc installer.

Before you upgrade to the latest version of the Likewise agent, it is recommended that you leave the domain, uninstall the domain join GUI, and uninstall the current agent.

Important: If you plan to upgrade from a 4.x or earlier version of Likewise Open to Likewise Open 5.0 or later, please first contact Likewise Technical Support at support@likewise.com. At this time, it is recommended that you do not attempt to upgrade without assistance from Likewise support.

Before you upgrade your operating system, you must leave the domain, uninstall the domain join GUI, and uninstall the current agent. Then, make sure you are using the correct agent for the new version of your operating system, install it, and rejoin the domain.

If, for example, you plan to upgrade your operating system from Mac OS X 10.5 (Leopard) to Mac OS X 10.6 (Snow Leopard), you must first leave the domain and uninstall the current agent. Then, after upgrading your operating system, install the correct agent for the new version of the operating system and join the domain again. See Uninstall the Agent on a Mac.

When Likewise joins a computer to an Active Directory domain, it uses the hostname of the computer to create the name of the computer object in Active Directory. From the hostname, the Likewise Domain Join Tool attempts to derive a fully qualified domain name.

By default, the Likewise domain join tool creates the Linux and Unix machine accounts in the default Computers container within Active Directory. You can, however, choose to create machine accounts in Active Directory before you join your Unix, Linux, and Mac OS X computers to the domain. When you join a computer to a domain by running the Domain Join Tool, Likewise associates the Unix or Linux host with the pre-existing machine account. If no match is found, Likewise creates a machine account.

The location of the domain join command-line utility is as follows:

 /opt/likewise/bin/domainjoin-cli

After you join a domain for the first time, you must restart the computer before you can log on. If you cannot restart the computer, you must restart any service or daemon that looks up users or groups through the standard nsswitch interface. This includes most services that authenticate users, groups, or computers.

For Linux computers, there is an optional graphical version of the Likewise Domain Join Tool. It can be installed on Linux platforms that are running GTK+ version 2.6 or later. For more information, see Install the Domain Join GUI and Join a Linux Computer to Active Directory with the GUI.

Important: On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on for the first time with your Active Directory domain credentials. For more information, see With NetworkManager, Use a Wired Connection to Join a Domain.

Removing a Computer from a Domain

You can remove a computer from the domain either by removing the computer's account from Active Directory Users and Computers or by running the Domain Join Tool on the Unix, Linux, or Mac OS X computer that you want to remove; see Leave a Domain.

Creation of Local Accounts

After you join a domain, Likewise creates two local user accounts in the following form: machine-name\Administrator and machine-name\Guest.

You can view information about these accounts by executing the following command:

/opt/likewise/bin/lw-enum-users

Example output:

User info (Level-2):
====================
Name:                       NISHI-01\Administrator
UPN:                        Administrator@NISHI-01
Generated UPN:              YES
Uid:                        1500
Gid:                        1544
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /
LMHash length:              0
NTHash length:              0
Local User:                 YES
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             TRUE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314


User info (Level-2):
====================
Name:                       NISHI-01\Guest
UPN:                        Guest@NISHI-01
Generated UPN:              YES
Uid:                        1501
Gid:                        1546
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /tmp
LMHash length:              0
NTHash length:              0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             TRUE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314

When you join a domain by using the command-line utility, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the computer’s FQDN in the /etc/hosts file. You can also join a domain without changing the /etc/hosts file; see Join Active Directory Without Changing /etc/hosts.

On Linux, Unix, and Mac OS X computers, the location of the domain join command-line utility is as follows:

 /opt/likewise/bin/domainjoin-cli

Important: To run the command-line utility, you must use a root account. To join a computer to a domain, you must have the user name and password of an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join. Instructions on how to delegate rights to join a computer to a domain are at http://support.microsoft.com/kb/932455. After you join a domain for the first time, you must restart the computer before you can log on.

Before Joining a Domain

To join a domain, the computer's name server must be able to find the domain and the computer must be able to reach the domain controller. You can make sure the name server can find the domain by running this command:

nslookup  domainName

You can verify that your computer can reach the domain controller by pinging it:

ping  domainName

If either of these tests fails, see Check System Health Before Installing the Agent and Solve Domain-Join Problems.

Join a Linux or Unix Computer to Active Directory

Join a Mac Computer to Active Directory

Join a Linux or Unix Computer to an Organizational Unit

Join a Linux or Unix Computer to a Nested Organizational Unit

Options and Basic Commands

The following tables list the options and commands of the command-line interface for joining a domain.

Options

The domainjoin-cli command-line interface includes the following options:

Basic Commands

The domain join command-line interface includes the following basic commands:

Advanced Commands

The command-line interface includes advanced commands that you can use to preview the stages of joining or leaving a domain, find out which configurations are required for your system, view information about a module that will be changed, and enable or disable a module. The advanced commands provide a potent tool for troubleshooting issues while configuring a Linux or Unix computer to interoperate with Active Directory.

Preview the Stages of the Domain Join for Your Computer

To preview the domain, DNS name, and configuration stages that will be used to join a computer to a domain, execute the following command at the command line:

domainjoin-cli join --preview  domainName

Example: domainjoin-cli join --preview likewisedemo.com

Here's an example of the results, which can vary by computer:

[root@rhel4d bin]# domainjoin-cli join --preview likewisedemo.com

Joining to AD Domain:   likewisedemo.com

With Computer DNS Name: rhel4d.likewisedemo.com

The following stages are currently configured to be run during the domain join:

join           - join computer to AD

krb5           - configure krb5.conf

nsswitch       - enable/disable Likewise nsswitch module

start          - start daemons

pam            - configure pam.d/pam.conf

ssh            - configure ssh and sshd

Check Required Configurations

To see a full listing of the modules that apply to your operating system, including those module that will not be run, execute either the following join or leave command:

domainjoin-cli join --advanced --preview  domainName

domainjoin-cli leave --advanced --preview  domainName

Example: domainjoin-cli join --advanced --preview likewisedemo.com

The result varies by computer:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview likewisedemo.com

Joining to AD Domain:   likewisedemo.com

With Computer DNS Name: rhel4d.likewisedemo.com

    [F] stop           - stop daemons

    [F] hostname       - set computer hostname

    [F] firewall       - open ports to DC

    [F] keytab         - initialize kerberos keytab

[X] [N] join           - join computer to AD

[X] [N] krb5           - configure krb5.conf

[X] [N] nsswitch       - enable/disable Likewise nsswitch module

[X] [N] start          - start daemons

    [F] gdm            - fix gdm presession script for spaces in usernames

[X] [N] pam            - configure pam.d/pam.conf

[X] [S] ssh            - configure ssh and sshd

Key to flags

[F]ully configured        - the system is already configured for this step

[S]ufficiently configured - the system meets the minimum configuration

                            requirements for this step

[N]ecessary               - this step must be run or manually performed.

[X]                       - this step is enabled and will make changes

[ ]                       - this step is disabled and will not make changes

View Details about a Module

The Likewise domain join tool includes the following modules -- the components and services that the tool must configure before it can join a computer to a domain:

As the previous section illustrated, you can see the modules that must be configured on your computer by executing the following command:

domainjoin-cli join --advanced --preview  domainName

You can further bore down into the details of the changes that a module will make by using either the following join or leave command:

domainjoin-cli join --details  module domainName  joinAccount

domainjoin-cli leave --details  module domainName  joinAccount

Example: domainjoin-cli join --details nsswitch likewisedemo.com Administrator

The result varies depending on your system's configuration:

[root@rhel4d bin]# domainjoin-cli join --details nsswitch likewisedemo.com Administrator

[X] [N] nsswitch       - enable/disable Likewise nsswitch module

Key to flags

[F]ully configured        - the system is already configured for this step

[S]ufficiently configured - the system meets the minimum configuration

                            requirements for this step

[N]ecessary               - this step must be run or manually performed.

[X]                       - this step is enabled and will make changes

[ ]                       - this step is disabled and will not make changes

Details for 'enable/disable Likewise nsswitch module':

The following steps are required and can be performed automatically:

    * Edit nsswitch apparmor profile to allow libraries in the /opt/likewise/lib

        and /opt/likewise/lib64 directories

    * List lwidentity module in /usr/lib/security/methods.cfg (AIX only)

    * Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or

        /etc/netsvc.conf

If any changes are performed, then the following services must be restarted:

    * GDM

    * XDM

    * Cron

    * Dbus

    * Nscd

Turn On or Turn Off Domain Join Modules

You can explicitly enable or disable a module when you join or leave a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

Note: If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

To disable a module, execute either the following join or leave command:

domainjoin-cli join --disable  module domainName  accountName

domainjoin-cli leave --disable  module domainName  accountName

Example: domainjoin-cli join --disable pam likewisedemo.com Administrator

To enable a module, execute the following command at the command line:

domainjoin-cli join --enable  module domainName  accountName

Example: domainjoin-cli join --enable pam likewisedemo.com Administrator

See Also

Generate a Domain Join Log

When you join a computer to a domain by using the Likewise Domain Join Tool, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the computer’s FQDN in the /etc/hosts file.

To join a Linux computer to the domain without changing the /etc/hosts file, execute the following command at the shell prompt as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

 /opt/likewise/bin/domainjoin-cli join --disable hostname   domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join --disable hostname likewisedemo.com Administrator

After you join a domain for the first time, you must restart the computer before you can log on.

If the Computer Fails to Join the Domain

Make sure the computer's FQDN is correct in /etc/hosts. For the computer to process tickets in compliance with the Kerberos protocol and to function properly when it uses cached credentials in offline mode or when its DNS server is offline, there must be a correct FQDN in /etc/hosts. For more information on GSS-API requirements, see RFC 2743.

You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command:

ping -c 1 `hostname`

When you execute this command, the computer looks up the primary host entry for its hostname. In most cases, this means that it looks for its hostname in /etc/hosts, returning the first FQDN name on the same line. So, for the hostname qaserver, here's an example of a correct entry in /etc/hosts:

10.100.10.10 qaserver.corpqa.likewise.com qaserver

If, however, the entry in /etc/hosts incorrectly lists the hostname (or anything else) before the FQDN, the computer's FQDN becomes, using the malformed example below, qaserver:

10.100.10.10 qaserver qaserver.corpqa.likewise.com

If the host entry cannot be found in /etc/hosts, the computer looks for the results in DNS instead. This means that the computer must have a correct A record in DNS. If the DNS information is wrong and you cannot correct it, add an entry to /etc/hosts.

After you install the Likewise agent, you can install the Likewise Domain Join Tool, a graphical user interface for joining a domain. The domain join tool is not included when you install the agent; you must install the utility separately. For more information, see Install the Domain Join Utility.

Important: To join a computer to a domain, you must have the user name and password of a user who has privileges to join computers to a domain and the full name of the domain that you want to join.

To join a computer running Mac OS X 10.4 or later to an Active Directory domain, you must have administrative privileges on the Mac and privileges on the Active Directory domain that allow you to join a computer.

See Also

Migrate a User Profile on a Mac

If you have only write privileges for an organizational unit in Active Directory, you can still use Likewise. You should enable an organizational unit (OU) for Likewise only when you want to manage your Linux, Unix, and Mac OS X computers within a single OU and you do not have Domain Administrator or Enterprise Administrator privileges, but you have been given rights to create objects in an OU. (See Delegate Control to Create Container Objects.) You can use the write privileges that you have been given for an OU to join Linux and Unix computers to that OU.

There are additional limitations to this approach:

Join a Linux Computer to an Organizational Unit

To join a computer to a domain, you must have the user name and password of an account that has privileges to join computers to the domain and the full name of the domain that you want to join. The OU path is from the top OU down to the OU that you want.

Execute the following command, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join -- ou  organizationalUnitName  domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join -- ou Engineering likewisedemo.com Administrator

Example of how to join a nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

After you join a domain for the first time, you must restart the computer before you can log on.

To rename a computer that has been joined to Active Directory, you must first leave the domain. You can then rename the computer by using the domain join command-line interface. After you rename the computer, you must rejoin it to the domain. Renaming a joined computer requires the user name and password of a user with privileges to join a computer to a domain.

Important: Do not change the name of a Linux, Unix, or Mac computer by using the hostname command because some distributions do not permanently apply the changes.

Rename a Computer by Using the Command-Line Tool

The following procedure removes a Unix or Linux computer from the domain, renames the computer, and then rejoins it to the domain.

Rename a Computer by Using the Domain Join Tool

To execute the following procedure, the Likewise Domain Join Tool, a graphical user interface for joining a domain, must be installed on your computer. For more information, see Install the Likewise Domain Join Tool.

The computer's name in /etc/hosts has been changed to the name that you specified and the computer has been joined to the Active Directory domain with the new name.

When Likewise joins a computer to a domain, it modifies some system files. The files that are modified depend on the platform, the distribution, and the system's configuration. The following files might be modified.

To see a listing of the changes that joining a domain will make to your operating system, execute the following join command:

domainjoin-cli join --advanced --preview  domainName

Note: Not all the following files are present on all computers.

As an example, the following table lists the files that are modified for the default installation of a few selected platforms.

On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on with your Active Directory domain credentials.

After you have joined the domain and logged on for the first time with your AD domain credentials by using a non-wireless connection, you can then revert to using your wireless connection because your AD logon credentials are cached. (You will not, however, be notified when your AD password is set to expire until you either run a sudo command or log on by using a non-wireless connection.)

If, instead, you attempt to use a wireless connection when you join the domain, you will be unable to log on your computer with AD domain credentials after your computer restarts.

Here's why: NetworkManager is composed of a daemon that runs at startup and a user-mode application that runs only after you log on. NetworkManager is typically configured to auto-start wired network connections when they are plugged in and wireless connections when they are detected. The problem is that the wireless network is not detected until after the user-mode application starts -- which occurs only after you have logged on.

Information about NetworkManager is available at http://projects.gnome.org/NetworkManager/.

Likewise includes the following logon options:

Important: When you log on from the command line, you must use a slash to escape the slash character, making the logon form DOMAIN\\username.

To use UPN names, you must raise your Active Directory forest functional level to Windows Server 2003, but raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from the domain. For more information, see About Schema Mode and Non-Schema Mode.

See Also

About Single Sign-On

Configure Putty for Windows-Based SSO

Log On and Verify Your Kerberos Tickets

After the Likewise agent has been installed and the Linux or Unix computer has been joined to a domain, you can log on with your Active Directory credentials, either from the command line or interactively through the system console. After you join a domain for the first time, you must reboot your computer to log on interactively through the console.

You can log on with SSH by executing the ssh command at the shell prompt in the following format:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

To troubleshoot a problem with a user who cannot log on a Linux or Unix computer with SSH from Windows, perform the following series of diagnostic tests sequentially.

To troubleshoot problems logging on a Linux computer with Active Directory credentials after you joined the computer to a domain, perform the following series of diagnostic tests sequentially with a root account. The tests can also be used to troubleshoot logon problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

Make Sure You Are Joined to the Domain

Execute the following command:

/opt/likewise/bin/domainjoin-cli query

If you are not joined, see Join Active Directory with the Command Line.

Check Whether You Are Using a Valid Logon Form

When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username. Example: likewisedemo.com\hoenstiv.

When logging on from the command line, you must escape the slash character with a slash character, making the logon form DOMAIN\\username. Example: likewisedemo.com\\hoenstiv.

To view a list of logon options, see About Logging On.

Clear the Cache

You might need to clear the cache to ensure that the client computer recognizes the user's ID. See Clear the Authentication Cache.

Destroy the Kerberos Cache

Clear the Likewise Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command at the shell prompt with the user account that you are troubleshooting:

/opt/likewise/bin/kdestroy

Check the Status of the Likewise Authentication Daemon

Check the status of the authentication daemon on a Unix or Linux computer running the Likewise Agent by executing the following command at the shell prompt as the root user:

/sbin/service lsassd status

lsassd is stopped

lsassd (pid 1783) is running...

Check Communication between the Likewise Daemon and AD

Verify that the Likewise daemon can exchange data with AD by executing this command:

/opt/likewise/bin/lw-get-dc-name FullDomainName

Example: /opt/likewise/bin/lw-get-dc-name likewisedemo.com

Verify that Likewise Can Find a User in AD

Verify that the Likewise agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:

/opt/likewise/bin/lw-find-user-by-name domainName\\ADuserName

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hab

Make Sure the AD Authentication Provider Is Running

Likewise includes two authentication providers:

If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:

/opt/likewise/bin/lw-get-status

A healthy result should look like this:

LSA Server Status:

Agent version: 5.0.0

Uptime:        2 days 21 hours 16 minutes 29 seconds

[Authentication provider: lsa-local-provider]

        Status:   Online

        Mode:     Local system

[Authentication provider: lsa-activedirectory-provider]

        Status:   Online

        Mode:     Un-provisioned

        Domain:   likewisedemo.com

        Forest:   likewisedemo.com

        Site:     Default-First-Site-Name

[root@rhel4d bin]#

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication daemon.

If the result looks like the line below, check the status of the Likewise daemons to make sure they are running.

Failed to query status from LSA service.  The LSASS server is not responding.

Switch User to Check PAM

Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:

su DOMAIN\\username

Example: su likewisedemo\\hoenstiv

Test SSH

Check whether you can log on with SSH by executing the following command:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

Run the Authentication Daemon in Debug Mode

To troubleshoot the lookup of a user or group ID, you can set the Likewise authentication daemon to run in debug mode and output the log to the console by executing the following command:

/opt/likewise/sbin/lsassd --loglevel debug

Check Nsswitch.Conf

Make sure /etc/nsswitch.conf is configured correctly to work with Likewise. For more information, see Configuring Clients Before Agent Installation.

Additional Diagnostic Tools

There are additional command-line utilities that you can use to troubleshoot logon problems in the following directory:

 /opt/likewise/bin

See Also

Resolve an AD Alias Conflict with a Local Account

Here are the top 10 reasons that an attempt to join a domain fails:

See Also

Generate a Domain-Join Log

To troubleshoot problems with joining a Linux computer to a domain, perform the following series of diagnostic tests sequentially on the Linux computer with a root account. The tests can also be used to troubleshoot domain-join problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

The procedures in this topic assume that you have already checked whether the problem falls under the Top 10 Reasons Domain Join Fails. It is also recommended that you generate a domain-join log.

Verify that the Name Server Can Find the Domain

Run the following command as root:

nslookup ADrootDomain.com

Make Sure the Client Can Reach the Domain Controller

You can verify that your computer can reach the domain controller by pinging it:

ping domainName

Verify that Outbound Ports Are Open

Run the following command as root:

domainjoin-cli join --details firewall likewisedemo.com

The results of the command show whether you must open any ports.

For a list of ports that must be open on the client, see Make Sure Outbound Ports Are Open.

Check DNS Connectivity

The computer might be using the wrong DNS server or none at all. Make sure the nameserver entry in /etc/resolv.conf contains the IP address of a DNS server that can resolve the name of the domain you are trying to join. This is likely to be the IP address of one of your domain controllers.

Make Sure nsswitch.conf Is Configured to Check DNS for Host Names

The /etc/nsswitch.conf file must contains the following line. (On AIX, the file is /etc/netsvc.conf.)

hosts: files dns

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

Ensure that DNS Queries Are Not Using the Wrong Network Interface Card

If the computer is multi-homed, the DNS queries might be going out the wrong network interface card. Temporarily disable all the NICs except for the card on the same subnet as your domain controller or DNS server and then test DNS lookups to the AD domain. If this works, re-enable all the NICs and edit the local or network routing tables so that the AD domain controllers are accessible from the host.

Determine Whether the DNS Server Is Configured to Return SRV Records

Your DNS server must be set to return SRV records so the domain controller can be located. It is common for non-Windows (bind) DNS servers to not be configured to return SRV records.

Diagnose by executing the following command:

nslookup -q=srv _ldap._tcp. ADdomainToJoin.com

Make Sure that the Global Catalog Is Accessible

The global catalog for Active Directory must be accessible. A global catalog in a different zone might not show up in DNS. Diagnose by executing the following command:

nslookup -q=srv _ldap._tcp.gc._msdcs. ADrootDomain.com

From the list of IP addresses in the results, choose one or more addresses and test whether they are accessible on Port 3268 by using telnet.

telnet 192.168.100.20 3268

Trying 192.168.100.20... Connected to sales-dc.likewisedemo.com (192.168.100.20). Escape character is '^]'. Press the Enter key to close the connection: Connection closed by foreign host.  

Verify that the Client Can Connect to the Domain on Port 123

The following test checks whether the client can connect to the domain controller on Port 123 and whether the Network Time Protocol (NTP) service is running on the domain controller. For the client to join the domain, NTP -- the Windows time service -- must be running on the domain controller.

On a Linux computer, run the following command as root:

ntpdate -d -u  DC_hostname 

Example: ntpdate -d -u sales-dc

For more information, see Diagnose NTP on Port 123.

In addition, check the logs on the domain controller for errors from source w32tm, the Windows time service.

This section lists solutions to common errors that can occur when you try to join a domain.

Warning: A resumable error occurred while processing a module.
Even though the configuration of 'krb5' was executed, the configuration did not
fully complete. Please contact Likewise support.

When you use the Likewise domain-join utility to join a Linux or Unix client to a domain, the utility might be unable to contact the domain controller on Port 123 with UDP. The Likewise agent requires that Port 123 be open on the client so that it can receive NTP data from the domain controller. In addition, the time service must be running on the domain controller.

You can diagnose NTP connectivity by executing the following command as root at the shell prompt of your Linux machine:

ntpdate -d -u DC_hostname 

Example: ntpdate -d -u sales-dc

If all is well, the result should look like this:

[root@rhel44id ~]# ntpdate -d -u sales-dc

 2 May 14:19:20 ntpdate[20232]: ntpdate 4.2.0a@1.1190-r Thu Apr 20 11:28:37 EDT 2006 (1)

Looking for host sales-dc and service ntp

host found : sales-dc.likewisedemo.com

transmit(192.168.100.20)

receive(192.168.100.20)

transmit(192.168.100.20)

receive(192.168.100.20)

transmit(192.168.100.20)

receive(192.168.100.20)

transmit(192.168.100.20)

receive(192.168.100.20)

transmit(192.168.100.20)

server 192.168.100.20, port 123

stratum 1, precision -6, leap 00, trust 000

refid [LOCL], delay 0.04173, dispersion 0.00182

transmitted 4, in filter 4

reference time:    cbc5d3b8.b7439581  Fri, May  2 2008 10:54:00.715

originate timestamp: cbc603d8.df333333  Fri, May  2 2008 14:19:20.871

transmit timestamp:  cbc603d8.dda43782  Fri, May  2 2008 14:19:20.865

filter delay:  0.04207  0.04173  0.04335  0.04178

         0.00000  0.00000  0.00000  0.00000

filter offset: 0.009522 0.008734 0.007347 0.005818

         0.000000 0.000000 0.000000 0.000000

delay 0.04173, dispersion 0.00182

offset 0.008734

 2 May 14:19:20 ntpdate[20232]: adjust time server 192.168.100.20 offset 0.008734 sec

Output When There Is No NTP Service

If the domain controller is not running NTP on Port 123, the command returns a response such as no server suitable for synchronization found, as in the following output:

 5 May 16:00:41 ntpdate[8557]: ntpdate 4.2.0a@1.1190-r Thu Apr 20 11:28:37 EDT 2006 (1)

Looking for host RHEL44ID and service ntp

host found : rhel44id.likewisedemo.com

transmit(127.0.0.1)

transmit(127.0.0.1)

transmit(127.0.0.1)

transmit(127.0.0.1)

transmit(127.0.0.1)

127.0.0.1: Server dropped: no data

server 127.0.0.1, port 123

stratum 0, precision 0, leap 00, trust 000

refid [127.0.0.1], delay 0.00000, dispersion 64.00000

transmitted 4, in filter 4

reference time:    00000000.00000000  Wed, Feb  6 2036 22:28:16.000

originate timestamp: 00000000.00000000  Wed, Feb  6 2036 22:28:16.000

transmit timestamp:  cbca101c.914a2b9d  Mon, May  5 2008 16:00:44.567

filter delay:  0.00000  0.00000  0.00000  0.00000

         0.00000  0.00000  0.00000  0.00000

filter offset: 0.000000 0.000000 0.000000 0.000000

         0.000000 0.000000 0.000000 0.000000

delay 0.00000, dispersion 64.00000

offset 0.000000

 5 May 16:00:45 ntpdate[8557]: no server suitable for synchronization found

The Likewise registry serves as a hierarchical database to store configuration information for Likewise daemons, authentication providers, drivers, and other services. On Linux, Unix, and Mac computers, the Likewise services continually access the registry to obtain settings for a variety of parameters. The Likewise authentication service, for example, queries the registry to determine which log level to use or which home directory template to apply to a user. In Likewise 5.4 or later, the registry replaces the text-based configuration files like lsassd.conf that were used in Likewise 5.3 or earlier.

When you install the Likewise agent skeleton a Linux, Unix, or Mac computer but do not install Likewise Enterprise on a Windows administrative workstation connected to Active Directory, you cannot configure local Likewise settings with group policies. Instead, you must edit the local Likewise registry. You can access the registry and modify the settings in it by using the Likewise registry shell -- lwregshell -- in /opt/likewise/bin.

This chapter describes the structure of the registry, demonstrates how to change a value in it, and lists the local Likewise configuration options. Most of the settings can be centrally managed with group policies when you use Likewise Enterprise; see About Group Policies in the Likewise Enterprise guide. Likewise Open does not apply group policies.

\> ls
[HKEY_THIS_MACHINE]

\> cd HKEY_THIS_MACHINE\
HKEY_THIS_MACHINE\> ls

[HKEY_THIS_MACHINE\Services]

HKEY_THIS_MACHINE\> cd Services\
HKEY_THIS_MACHINE\Services> ls

[HKEY_THIS_MACHINE\Services\]
[HKEY_THIS_MACHINE\Services\dcerpc]
[HKEY_THIS_MACHINE\Services\eventlog]
[HKEY_THIS_MACHINE\Services\lsass]
[HKEY_THIS_MACHINE\Services\lwio]
[HKEY_THIS_MACHINE\Services\lwreg]
[HKEY_THIS_MACHINE\Services\netlogon]
[HKEY_THIS_MACHINE\Services\npfs]
[HKEY_THIS_MACHINE\Services\pvfs]
[HKEY_THIS_MACHINE\Services\rdr]
[HKEY_THIS_MACHINE\Services\srv]
[HKEY_THIS_MACHINE\Services\srvsvc]

[HKEY_THIS_MACHINE\Services\lsass\] 
  "Arguments"    REG_SZ          "/opt/likewise/sbin/lsassd --syslog" 
  "Dependencies" REG_SZ          "netlogon lwio lwreg rdr npfs" 
  "Description"  REG_SZ          "Likewise Security and Authentication Subsystem"
  "Path"         REG_SZ          "/opt/likewise/sbin/lsassd" 
  "Type"         REG_DWORD       0x00000001 (1) 

[HKEY_THIS_MACHINE\Services\lsass\Parameters] 

HKEY_THIS_MACHINE\Services\lsass> cd Parameters
HKEY_THIS_MACHINE\Services\lsass\Parameters> ls

[HKEY_THIS_MACHINE\Services\lsass\Parameters\] 
  "EnableEventlog"             REG_DWORD       0x00000000 (0) 
  "LogLevel"                   REG_SZ          "error"
  "LogNetworkConnectionEvents" REG_DWORD       0x00000001 (1)

[HKEY_THIS_MACHINE\Services\lsass\Parameters\NTLM] 
[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers]
[HKEY_THIS_MACHINE\Services\lsass\Parameters\RPCServers]

[HKEY_THIS_MACHINE\Services\dcerpc]
"Dependencies"=""
"Description"="Likewise DCE/RPC Endpoint Mapper"
"Path"="/opt/likewise/sbin/dcerpcd"

[HKEY_THIS_MACHINE\Services\lwreg]
"Dependencies"=""
"Description"="Likewise Registry Service"
"Path"="/opt/likewise/sbin/lwregd"

[HKEY_THIS_MACHINE\Services\npfs]
"Dependencies"="lwio"
"Description"="Likewise Named Pipe Filesystem"
"Path"="/opt/likewise/lib/libnpfs.sys.so"

[HKEY_THIS_MACHINE\Services\pvfs]
"Dependencies"="lwio"
"Description"="Likewise POSIX VFS Filesystem"
"Path"="/opt/likewise/lib/libpvfs.sys.so"

[HKEY_THIS_MACHINE\Services\rdr]
"Dependencies"="lwio"
"Description"="Likewise CIFS Redirector"
"Path"="/opt/likewise/lib/librdr.sys.so"

[HKEY_THIS_MACHINE\Services\srv]
"Dependencies"="lwio pvfs npfs lsass"
"Description"="Likewise CIFS Server"
"Path"="/opt/likewise/lib/libsrv.sys.so"

[HKEY_THIS_MACHINE\Services\srvsvc]
"Dependencies"="dcerpc lwio srv npfs"
"Description"="Likewise Server Service"
"Path"="/opt/likewise/sbin/srvsvcd"

You can access and modify the registry by using the registry shell -- lwregshell -- in /opt/likewise/bin. The shell works in a way that is similar to BASH. You can navigate the registry's hierarchy with the following commands:

cd
ls
pwd

You can view a list of commands that you can execute in the shell by entering help:

/opt/likewise/bin/lwregshell
\> help
usage: regshell [--file | -f] command_file.txt
       add_key [[KeyName]]
       list_keys [[keyName]]
       delete_key [KeyName]
       delete_tree [KeyName]
       cd [KeyName]
       pwd
       add_value [[KeyName]] "ValueName" Type "Value" ["Value2"] [...]
       set_value [[KeyName]] "ValueName" "Value" ["Value2"] [...]
       list_values [[keyName]]
       delete_value [[KeyName]] "ValueName"
       set_hive HIVE_NAME
       import file.reg
       export [[keyName]] file.reg 
       upgrade file.reg
       exit | quit | ^D

         Type: REG_SZ | REG_DWORD | REG_BINARY | REG_MULTI_SZ
               REG_DWORD and REG_BINARY values are hexadecimal
         Note: cd and pwd only function in interactive mode
         Note: HKEY_THIS_MACHINE is the only supported hive
\> 

You can change a value in the registry by executing the set_value command with the shell. The following procedure demonstrates how to change the value of the PAM key's LogLevel entry. The procedure to change other keys is similar. After you modify a registry setting for a Likewise service, you must refresh the corresponding service with the Likewise Service Manager for the changes to take effect.

You can also change a value in the registry by executing the set_value command from the command line. The following code block demonstrates how to change the value of the PAM key's LogLevel entry without using the shell. After you modify a registry setting for a Likewise service, you must refresh the corresponding service with the Likewise Service Manager for the changes to take effect.

/opt/likewise/bin/lwregshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]'
[HKEY_THIS_MACHINE\\Services\lsass\Parameters\PAM]
  "DisplayMotd"         REG_DWORD       0x00000001 (1)
  "LogLevel"            REG_SZ          "error"
  "UserNotAllowedError" REG_SZ          "Access denied"

/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]' LogLevel debug 

/opt/likewise/bin/lwregshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\PAM\]'
[HKEY_THIS_MACHINE\\Services\lsass\Parameters\PAM]
  "DisplayMotd"         REG_DWORD       0x00000001 (1)
  "LogLevel"            REG_SZ          "debug"
  "UserNotAllowedError" REG_SZ          "Access denied"

When you're unsure where to find a setting that you want to change, you can export the registry's structure to a file and then search the file for the value entry's location.

Important: You must export the registry as root.

This section lists value entries in the registry's lsass branch.

"LoginShellTemplate"="/bin/sh"
"HomeDirTemplate"="%H/local/%D/%U"
"HomeDirPrefix"="/home"
"CreateHomeDir"=dword:00000001

System/Library/User Template/Non_localized,
/System/Library/User Template/English.lproj

"TrimUserMembership"=dword:00000001
"NssGroupMembersQueryCacheOnly"=dword:00000001
"NssUserMembershipQueryCacheOnly"=dword:00000000
"NssEnumerationEnabled"=dword:00000000

"AcceptNTLMv1"=dword:00000001

"SendNTLMv2"=dword:00000000
"Support128bit"=dword:00000001
"Support56bit"=dword:00000001
"SupportKeyExchange"=dword:00000001
"SupportNTLM2SessionSecurity"=dword:00000001
"SupportUnicode"=dword:00000001

This section lists value entries in the registry's eventlog branch.

The netlogon branch contains value entries for setting the expiration of the cache that holds information for the site affinity service, including the optimal domain controller and global catalog. The netlogon service generates the value entries under the [HKEY_THIS_MACHINE\Services\netlogon\cachedb] subkey to cache information about your domain controllers and global catalog. It is recommended that you do not change the values of entries under the cachedb subkey. Only the value entries under the Parameters subkey are documented in this section.

[HKEY_THIS_MACHINE\Services\netlogon]
"Arguments"="/opt/likewise/sbin/netlogond --syslog"
"Dependencies"="lwreg"
"Description"="Likewise Site Affinity Service"
"Path"="/opt/likewise/sbin/netlogond"
"Type"=dword:00000001

[HKEY_THIS_MACHINE\Services\netlogon\cachedb]

[HKEY_THIS_MACHINE\Services\netlogon\Parameters]
"NegativeCacheTimeout"=dword:0000003c
"PingAgainTimeout"=dword:00000384
"WritableRediscoveryTimeout"=dword:00000708
"WritableTimestampMinimumChange"=dword:00000000

The lwio branch contains value entries for the input-output service, lwio, that plays a fundamental role in the operation of the CIFS file server.

The value entries under the shares subkey define shared folders and the security descriptors that control access to them. It is recommended that you do not directly change the values under the shares subkey while the lwiod service is running.

To troubleshoot the lookup of a user or group ID, you can set the Likewise authentication daemon to run in debug mode and output the log to the console by executing the following command:

/opt/likewise/sbin/lsassd --loglevel debug

On Linux and Unix

You can check the status of the authentication daemon on a Unix or Linux computer running the Likewise agent by executing the following command at the shell prompt as the root user:

/sbin/service lsassd status

or

/etc/init.d/lsassd status

(On HP-UX, the command is /sbin/init.d/lsassd status.)

If the authentication daemon is running, the result should look like this:

lsassd (pid 25753) is running...

If the service is not running, execute the following command:

/sbin/service lsassd start

or

/etc/init.d/lsassd start

(On HP-UX, the command is /sbin/init.d/lsassd start.)

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

The Likewise DCE/RPC daemon handles communication between Linux, Unix, and Mac computers and Microsoft Active Directory.

On Linux and Unix

You can check the status of dcerpcd on a Unix or Linux computer running the Likewise agent by executing the following command as the root user:

/sbin/service dcerpcd status

or

/etc/init.d/dcerpcd status

If the daemon is running, the result should look like this:

dcerpcd (pid 21538) is running...

If the service is not running, execute the following command:

/sbin/service dcerpcd start

or

/etc/init.d/dcerpcd start

On HP-UX

The commands are different on HP-UX:

/sbin/init.d/dcerpcd status

/sbin/init.d/dcerpcd start

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

The netlogond daemon detects the optimal domain controller and global catalog and caches the data.

On Linux and Unix

You can check the status of netlogond on a Unix or Linux computer running the Likewise agent by executing the following command as the root user:

/sbin/service netlogond status

or

/etc/init.d/netlogond status

If the daemon is running, the result should look like this:

netlogond (pid 21438) is running...

If the service is not running, execute the following command:

/sbin/service netlogond start

or

/etc/init.d/netlogond start

On HP-UX

The commands are different on HP-UX:

/sbin/init.d/netlogond status

/sbin/init.d/netlogond start

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

The Likewise input-output service  -- lwiod -- communicates over SMB with SMB servers; authentication is with Kerberos 5.

On Linux and Unix

You can check the status of lwiod on a Unix or Linux computer running the Likewise agent by executing the following command as the root user:

/sbin/service lwiod status

or

/etc/init.d/lwiod status

If the daemon is running, the result should look like this:

lwiod (pid 21638) is running...

If the service is not running, execute the following command:

/sbin/service lwiod start

or

/etc/init.d/lwiod start

On HP-UX

The commands are different on HP-UX:

/sbin/init.d/lwiod status

/sbin/init.d/lwiod start

On Mac OS X

On a Mac OS X computer, you cannot use the status command, but you can monitor the daemon by using Activity Monitor:

Check the Version and Build Number of the Agent on Linux, Unix, or Mac

To check the version number of the Likewise agent, execute the following command:

 cat /opt/likewise/data/VERSION

Another option is to execute the following command:

 /opt/likewise/bin/lw-get-status

Check the Version and Build Number of the Agent with ADUC

You can check the version and build number of the Likewise agent from a Windows administration workstation that is connected your domain controller:

Check the Build Number of the Agent

On Linux distributions that support RPM -- for example, Red Hat Enterprise Linux, Fedora, SUSE Linux Enterprise, OpenSUSE, and CentOS -- you can determine the version and build number of the agent (5.0.0.xxxx in the examples below)  by executing the following command at the shell prompt:

rpm -qa | grep likewise

The result shows the build version after the version number:

likewise-sqlite-5.0.0-1.26353.3513

likewise-libxml2-5.0.0-1.26353.3513

likewise-netlogon-5.0.0-1.26353.3513

likewise-openldap-5.0.0-1.26353.3513

likewise-pstore-5.0.0-1.26353.3513

likewise-passwd-5.0.0-1.26353.3513

likewise-domainjoin-5.0.0-1.26353.3513

likewise-lsass-5.0.0-1.26353.3513

likewise-krb5-5.0.0-1.26353.3513

likewise-base-5.0.0-1.26353.3513

likewise-rpc-5.0.0-1.26353.3513

On Unix computers and Linux distributions that do not support RPM, the command to check the build number varies by platform:

There are certain conditions under which you might need to clear the cache so that a user's ID is recognized on a target computer.

By default, the user's ID is cached for 4 hours. If you change a user's UID for a Likewise cell with Likewise Enterprise, during the 4 hours after you change the UID you must clear the cache on a target computer in the cell before the user can log on. If you do not clear the cache after changing the UID, the computer will find the old UID until after the cache expires.

There are three Likewise Enterprise group policies that can affect the cache time:

Tip: While you are deploying and testing Likewise, set the cache expiration time of the Likewise agent's cache to a short period of time, such as 1 minute.

Clear the Cache on a Unix or Linux Computer

To delete all the users and groups from the Likewise AD provider cache on a Linux or Unix computer, execute the following command with superuser privileges:

/opt/likewise/bin/lw-ad-cache --delete-all

You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting. Example:

[root@rhel5d bin]# ./lw-ad-cache --enum-users
TotalNumUsersFound:      0
[root@rhel5d bin]# ssh likewisedemo.com\\hab@localhost
Password: 
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.likewisedemo.com
[LIKEWISEDEMO\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./lw-ad-cache --enum-users
User info (Level-0):
====================
Name:     LIKEWISEDEMO\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/LIKEWISEDEMO/hab
TotalNumUsersFound:      1
[root@rhel5d bin]# 

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ad-cache --help

Clear the Cache on a Mac OS X Computer

On a Mac OS X computer, clear the cache by running the following command with superuser privileges in Terminal:

dscacheutil -flushcache

You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command at the shell prompt:

ping -c 1 `hostname`

On HP-UX

The command is different on HP-UX:

ping `hostname` -n 1

On Solaris

On Sun Solaris, you can find the FQDN by executing the following command (the computer's configuration can affect the results):

FQDN=`/ usr/lib/mail/ sh/ check-hostname|cut - d" " -f7`;echo $FQDN

See Also

Join Active Directory Without Changing /etc/hosts

To locate the Likewise processes on a Mac OS X computer, execute the following command in Terminal:

 sudo launchctl list | grep likewise

There are typically four Likewise daemons running on a Mac:

com.likewisesoftware.lwiod

com.likewisesoftware.netlogond

com.likewisesoftware.dcerpcd

com.likewisesoftware.lsassd

With the Likewise Enterprise agent, the group policy daemon is also running:

com.likewisesoftware.gpagentd

Problem

When an AD machine account password changes two or more times during the lifetime of a domain user's credentials, the computer's entry that matches the Kerberos service ticket is dropped from the Kerberos key table. Even though the service ticket has not expired, an action that depends on the entry, such as reading the event log or using single sign-on, will fail.

To avoid issues with Kerberos key tables, keytabs, and single sign-on, the machine password expiration time must be at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted clock skew.

The expiration time for a user ticket is set by using an Active Directory group policy called Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default Likewise machine password lifetime is 30 days.

Causes

The machine account password can change more frequently than the user's AD credentials under the following conditions:

Solution

If a computer's entry is dropped from the Kerberos key table, you must remove the unexpired service tickets from the user’s credentials cache by reinitializing the cache. Here's how:

On Linux and Unix, reinitialize the credentials cache by executing the following command with the account of the user who is having the problem:

/opt/likewise/bin/kinit

On Mac, you must run both the native kinit command and the Likewise kinit command with the account of the user who is having the problem. (You must run both commands because the native ssh client uses the native credentials cache while the Likewise processes, such as those that access the event log, use the MIT credentials cache.)

/opt/likewise/bin/kinit

kinit

To help troubleshoot problems with joining a domain, you can use the command-line utility's log option with the join command. The log option captures information about the attempt to join the domain on the screen or in a file.

Execute the following command in a separate session to dump network traffic as the root user and interrupt the trace with CTRL-C:

tcpdump -s 0 -i eth0 -w trace.pcap

The result should look something like this:

tcpdump: listening on eth0
28 packets received by filter
0 packets dropped by kernel

You can set the level of reporting in the PAM debug log for the Likewise authentication daemon on a Linux or Unix computer. PAM stands for pluggable authentication modules.

The log levels are error, warning, info, and verbose.

The logged data is sent to your system's syslog message repository for security and authentication. The location of the repository varies by operating system. Here are the typical locations for a few platforms:

By editing the entries for the lsass service in the Likewise registry, you can specify the level of logging for the Likewise authentication daemon's interaction with PAM. The following log levels are available: error, warning, info, verbose. The default is error.

The log messages are processed by syslog. Although the path and file name of the log varies by platform, they typically appear in a subdirectory of /var/log.

The netlogond daemon detects the optimal domain controller and global catalog and caches the data. You can obtain debugging information about the daemon's lookup requests for domain controllers by executing the following command as root:

 /opt/likewise/sbin/netlogond -- loglevel debug

By default, AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory username. To increase the max username length on AIX 5.3, use the following syntax:

# chdev -l sys0 -a max_logname=MaxUserNameLength+1

Example:

# chdev -l sys0 -a max_logname=255

This command allocates 254 characters for the user and 1 for the terminating null.

The safest value that you can set max_logname to is 255.

You must reboot for the changes to take effect:

# shutdown –Fr

Note: AIX 5.2 does not support increasing the maximum user name length.

If you are using local firewall settings, such as iptables, on a computer running the Likewise agent, make sure the following ports are open for outbound traffic.

Note: The Likewise agent is a client only; it does not listen on any ports.

Tip: To view the firewall rules on a Linux computer using iptables, execute the following command:

iptables - nL

When you use Likewise to set an Active Directory alias for a user, the user can have a file-ownership conflict under the following conditions if the user logs on with the AD account:

To avoid such conflicts, by default Likewise includes the short AD domain name in each user's home directory. If the conflict nevertheless occurs, there are two options to resolve it:

Change Ownership

Log on the computer as root and execute the following commands:

cd <users home directory root>

chown –R <AD user UID>:<AD primary group ID> *.*

Or: chown –R <short domain name>\\<account name>:<short domain name>\\<AD group name> *.*

See Also

Show Duplicate UIDs, GIDs, Login Names, and Group Aliases

Likewise Enterprise and the UID-GID module are compatible with Small Business Server 2003. However, because the server locks down several user account values by default, you must create a group in Active Directory for your Unix computers, add each Likewise client computer to it, and configure the group to read all user information.

On other versions of Windows Server, the user account values are available by default. If, however, you use an AD security setting to lock them down, they will be unavailable to the Likewise agent.

To determine Unix account information, the Likewise agent requires that the AD computer account for the machine running Likewise can access the attributes in the following table.

Allow Access to Account Attributes

See Also

Restart the Authentication Daemon

About Schema Mode and Non-Schema Mode

The Likewise DCE/RPC daemon helps route remote procedure calls between computers on a network by serving as an end-point mapper. For more information and a list of inter-daemon dependencies, see About the Likewise Agent.

On Linux and Unix

You can restart the Likewise DCE/RPC daemon by executing the following command at the shell prompt:

/sbin/service dcerpcd restart

or

/etc/init.d/dcerpcd restart

To stop the daemon, type this command:

/sbin/service dcerpcd stop

To start the daemon, type this command:

/sbin/service dcerpcd start

Note: On Unix systems, the location of the daemon may vary.

On HP-UX

Restart: /sbin/init.d/dcerpcd restart

Stop: /sbin/init.d/dcerpcd stop

Start: /sbin/init.d/dcerpcd start

On Mac OS X

On a Mac, use the following stop and start commands (you cannot use the restart command on a Mac):

sudo launchctl stop com.likewisesoftware.dcerpcd

sudo launchctl start com.likewisesoftware.dcerpcd

The netlogond daemon determines the optimal domain controller and global catalog and caches the data. For more information and a list of start-order dependencies, see About the Likewise Agent.

On Linux and Unix

You can restart the Likewise network logon daemon by executing the following command at the shell prompt:

/sbin/service netlogond restart

or

/etc/init.d/netlogond restart

To stop the daemon, type this command:

/sbin/service netlogond stop

To start the daemon, type this command:

/sbin/service netlogond start

Note: On Unix systems, the location of the daemon may vary.

On HP-UX

Restart: /sbin/init.d/netlogond restart

Stop: /sbin/init.d/netlogond stop

Start: /sbin/init.d/netlogond start

On Mac OS X

On a Mac, use the following stop and start commands (you cannot use the restart command on a Mac):

sudo launchctl stop com.likewisesoftware.netlogond

sudo launchctl start com.likewisesoftware.netlogond

The Likewise input-output service  -- lwiod -- communicates over SMB with SMB servers; authentication is with Kerberos 5. For a list of start-order dependencies, see About the Likewise Agent.

On Linux and Unix

You can restart the input-output service by executing the following command at the shell prompt:

/sbin/service lwiod restart

or

/etc/init.d/lwiod restart

To stop the daemon, type this command:

/sbin/service lwiod stop

To start the daemon, type this command:

/sbin/service lwiod start

Note: On Unix systems, the location of the daemon may vary.

On HP-UX

Restart: /sbin/init.d/lwiod restart

Stop: /sbin/init.d/lwiod stop

Start: /sbin/init.d/lwiod start

On Mac OS X

On a Mac, use the following stop and start commands (you cannot use the restart command on a Mac):

sudo launchctl stop com.likewisesoftware.lwiod

sudo launchctl start com.likewisesoftware.lwiod

The authentication daemon handles authentication, authorization, caching, and idmap lookups. When you restart the authentication daemon (lsassd), you should also restart the lwiod daemon. For more information and a list of inter-daemon dependencies, see About the Likewise Agent.

On Linux and Unix

You can restart the Likewise authentication daemon by executing the following command at the shell prompt:

/sbin/service lsassd restart

or

/etc/init.d/lsassd restart

To stop the daemon, type this command:

/sbin/service lsassd stop

To start the daemon, type this command:

/sbin/service lsassd start

Note: On Unix systems, the location of the daemon may vary.

On HP-UX

Restart: /sbin/init.d/lsassd restart

Stop: /sbin/init.d/lsassd stop

Start: /sbin/init.d/lsassd start

On Mac OS X

On a Mac, use the following stop and start commands (you cannot use the restart command on a Mac):

sudo launchctl stop com.likewisesoftware.lsassd

sudo launchctl start com.likewisesoftware.lsassd

Symptom: A local directory is in the home directory path and the home directory path does not match the path specified in Active Directory or in /etc/password.

Example: /home/local/DOMAIN/USER instead of /home/DOMAIN/USER

The shell might also be different from what is set in Active Directory -- for example, /bin/ksh instead of /bin/bash.

Problem: The computer is not in a Likewise cell in Active Directory.

Solution: Make sure the computer is in a Likewise cell. For more information, see Associate a Cell with an OU or a Domain, or create a default cell.

A default cell handles mapping for computers that are not in an OU with an associated cell. The default cell can contain the mapping information for all your Linux and Unix computers. For instance, a Linux or Unix computer can be a member of an OU that does not have a cell associated with it. In such a case, the home directory and shell settings are obtained from the nearest parent cell, or the default cell. If there is no parent cell and no default cell, the computer will not receive its shell and home directory paths from Active Directory.

See Also

Set the Default Home Directory

Set the Default Login Shell

SUSE Linux Enterprise Desktop 11 includes Likewise Enterprise. When a user gains access to SLED 11 through Nomad -- a remote desktop using RDP protocol with session management -- the default home directory specified in /lib/security/pam_lsass.so is ignored. To correct this issue, change /etc/pam.d/xrdp-sesman to include the following line:

session sufficient /lib/security/pam_lsass.so

SUSE Linux Enterprise Desktop 11 includes Likewise Enterprise. Novell has issued a PAM update (pam-config-0.68-1.22) for SLED 11 that modifies the common-session-pc file to include the following entry:

session optional pam_gnome_keyring.so auto_start_if=gdm

Because the PAM update makes a backup of the file and replaces it with the modified version, the changes that Likewise had made to the file are no longer present, which blocks new AD users from logging on. The following error messages may appear:

Could not update ICEauthority file /home/john/.ICEauthority
There is a problem with the configuration server.
(/user/lib/gconf/2/gconf-sanity-check-2 exited with status 256)

Solution: Open the backed up version of the common-session-pc file, add the following line to it, and then use it to overwrite the new version of the common-session-pc file:

session optional        pam_gnome_keyring.so    auto_start_if=gdm

By default, the configuration file for PAM system authentication – /etc/pam.d/system-auth -- on Red Hat Enterprise Linux 5 and CentOS 5 contains the following line, which blocks a user with a UID value less than or equal to 500 from logging on a computer running the Likewise agent.

auth  requisite  pam_succeed_if.so uid >= 500 quiet

Solution: Either delete the line from /etc/pam.d/system-auth or modify it to allow users with UIDs lower than 500:

auth  requisite  pam_succeed_if.so uid >= 50 quiet

For more information on the PAM test of account characteristics, see http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_succeed_if.html.

When you update AIX, the authentication of users, groups, and computers might fail because the AIX upgrade process overwrites changes that Likewise makes to system files. Specifically, upgrading AIX to version 6.1tl3 overwrites /lib/security/methods.cfg, so you must manually add the following code to the last lines of the file after you finish upgrading:

LSASS: 
   program = /usr/lib/security/LSASS

The following resources can help troubleshoot time synchronization and other Kerberos issues:

The Likewise Service Manager lets you track and troubleshoot all the Likewise services with a single command-line utility. You can, for example, check the status of the services and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the appropriate order. In addition, you can use the service manager to set the logging destination and the log level.

To list status of the services, run the following command with superuser privileges at the command line:

/opt/likewise/bin/lwsm list

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm list
lwreg       running (standalone: 1920)
dcerpc      running (standalone: 2544)
eventlog    running (standalone: 2589)
lsass       running (standalone: 2202)
lwio        running (standalone: 2191)
netlogon    running (standalone: 2181)
npfs        running (io: 2191)
pvfs        stopped
rdr         running (io: 2191)
srv         stopped
srvsvc      stopped

To restart the lsass service, run the following command with superuser privileges:

/opt/likewise/bin/lwsm restart lsass

After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with super-user privileges. This example refreshes the lsass service.

/opt/likewise/bin/lwsm refresh lsass

To view information about the lsass service, including its dependencies, run the following command:

/opt/likewise/bin/lwsm info lsass

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm info lsass
Service: lsass
Description: Likewise Security and Authentication Subsystem
Type: executable
Autostart: no
Path: /opt/likewise/sbin/lsassd
Arguments: '/opt/likewise/sbin/lsassd' '--syslog'
Dependencies: netlogon lwio lwreg rdr npfs

To view all the service manager's commands and arguments, execute the following command:

/opt/likewise/bin/lwsm --help

You can access and modify the Likewise registry by using the registry shell -- lwregshell. The shell works in a way that is similar to BASH. You can view a list of the commands that you can execute in the shell by entering help:

/opt/likewise/bin/lwregshell
\> help

You can also manage the registry by executing the registry's commands from the command line. For more information, see Configuring the Likewise Services with the Registry.

Executing the following command exports the contents of the Likewise registry to the editor specified by your EDITOR environment variable. You can use the lw-edit-reg command to quickly view the contents of the registry and make changes to the settings. Then, you can launch the registry shell and import the modified file so that your changes take effect.

/opt/likewise/bin/lw-edit-reg

If you have not set a default editor, the script searches for an available editor in the following order: gedit, vi, friends, emacs. On platforms without gedit, an error may occur. You can correct the error by setting the EDITOR environment variable to an available editor, such as vi:

export EDITOR=vi

You can set the Likewise log level from the shell prompt by executing the following command. Replace level with one of the four available logging levels: error, warning, info, verbose.

/opt/likewise/bin/lw-set-log-level level

Example: /opt/likewise/bin/lw-set-log-level warning

The configuration for the Likewise authentication daemon in the registry is modified to include the level you specified in the command.

You can also set the logon level by editing an entry for the lsass service in the registry; see the chapter on configuring Likewise with the registry.

The default setting is error.

On a Unix or Linux computer that is joined to the Active Directory domain, you can check a domain user's or group's information by either name or ID. These commands can verify that the client can locate the user or group in Active Directory.

Find a User by Name

Execute the following command, replacing domain\\ username with the full domain user name or the single domain user name of the user that you want to check:

/opt/likewise/bin/lw-find-user-by-name domain\\username

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hoenstiv

You can optionally specify the level of detail of information that is returned. Example:

/opt/likewise/bin/lw-find-user-by-name --level 2 likewisedemo\\hab

User info (Level-2):

====================

Name:                       LIKEWISEDEMO\hab

UPN:                         hab@likewisedemo.com

Uid:                        593495196

Gid:                        593494529

Gecos:                      Jurgen Habermas

Shell:                      /bin/sh

Home dir:                   /home/LIKEWISEDEMO/hab

LMHash length:              0

NTHash length:              0

Local User:                 NO

Account disabled:           FALSE

Account Expired:            FALSE

Account Locked:             FALSE

Password never expires:     TRUE

Password Expired:           FALSE

Prompt for password change: YES

For more information, execute the following command:

/opt/likewise/bin/lw-find-user-by-name --help

Find a User by UID

To find a user by UID, execute the following command, replacing UID with the user's ID:

 /opt/likewise/bin/lw-find-user-by-id UID

Example:

/opt/likewise/bin/lw-find-user-by-id 593495196

Find a Group by Name

 /opt/likewise/bin/lw-find-group-by-name domain\\username

Example:

/opt/likewise/bin/lw-find-group-by-name likewisedemo.com\\dnsadmins

Find a Group by ID

 /opt/likewise/bin/lw-find-group-by-id GID

Example:

[root@rhel4d bin]# /opt/likewise/bin/lw-find-group-by-id 593494534

Group info (Level-0):

====================

Name:     LIKEWISEDEMO\schema^admins

Gid:      593494534

SID:     S-1-5-21-382349973-3885793314-468868962-518

Tip: To view this command's options, type the following command:

/opt/likewise/bin/lw-find-group-by-id --help

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can find a user in Active Directory by his or her security identifier (SID). To find a user by SID, execute the following command as root, replacing SID with the user's security identifier:

 /opt/likewise/bin/lw-find-by-sid SID

Example:

[root@rhel4d bin]# /opt/likewise/bin/lw-find-by-sid S-1-5-21-382349973-3885793314-468868962-1180

User info (Level-0):

====================

Name:      LIKEWISEDEMO\hab

SID:      S-1-5-21-382349973-3885793314-468868962-1180

Uid:      593495196

Gid:      593494529

Gecos:     Jurgen Habermas

Shell:    /bin/ sh

Home dir: /home/ LIKEWISEDEMO/ hab

Tip: To view the command's options, type the following command:

/opt/likewise/bin/lw-find-by-sid --help

To find the groups that a user is a member of, execute the following command followed by either the user's name or UID:

/opt/likewise/bin/lw-list-groups-for-user

Example: /opt/likewise/bin/lw-list-groups-for-user 593495196

Here's the command and its result for the user likewisedemo\\hab:

[root@rhel5d bin]# ./lw-list-groups-for-user likewisedemo\\hab
Number of groups found for user 'likewisedemo\hab' : 2
Group[1 of 2] name = LIKEWISEDEMO\enterprise^admins (gid = 593494535)
Group[2 of 2] name = LIKEWISEDEMO\domain^users (gid = 593494529)

Tip: To view this command's options, type the following command:

/opt/likewise/bin/lw-list-groups-for-user --help

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can enumerate the groups in Active Directory and view their members, GIDs, and SIDs:

 /opt/likewise/bin/lw-enum-groups --level 1

The Likewise agent enumerates groups in the primary domain. Groups in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

Tip: To view the command's options, type the following command:

/opt/likewise/bin/lw-enum-groups --help

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can enumerate the users in Active Directory and view their members, GIDs, and SIDs:

 /opt/likewise/bin/lw-enum-users

The Likewise agent enumerates users in the primary domain. Users in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

Tip: To view the command's options, type the following command:

/opt/likewise/bin/lw-enum-users --help

To view full information about the users, include the level option when you execute the command:

/opt/likewise/bin/lw-enum-users --level 2

Example result for a one-user batch:

User info (Level-2):

====================

Name:                       LIKEWISEDEMO\sduval

UPN:                         SDUVAL@LIKEWISEDEMO.COM

Generated UPN:              NO

Uid:                        593495151

Gid:                        593494529

Gecos:                      Shelley Duval

Shell:                      /bin/sh

Home dir:                   /home/LIKEWISEDEMO/sduval

LMHash length:              0

NTHash length:              0

Local User:                 NO

Account disabled:           FALSE

Account Expired:            FALSE

Account Locked:             FALSE

Password never expires:     FALSE

Password Expired:           FALSE

Prompt for password change: NO

Likewise includes two authentication providers:

If the AD provider is offline, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:

 /opt/likewise/bin/lw-get-status

A healthy result should look like this:

LSA Server Status:

Agent version: 5.0.0

Uptime:        2 days 21 hours 16 minutes 29 seconds

[Authentication provider: lsa-local-provider]

        Status:   Online

        Mode:     Local system

[Authentication provider: lsa-activedirectory-provider]

        Status:   Online

        Mode:     Un-provisioned

        Domain:   likewisedemo.com

        Forest:   likewisedemo.com

        Site:     Default-First-Site-Name

[root@rhel4d bin]#

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication daemon.

If the result looks like the line below, check the status of the Likewise daemons to make sure they are running.

Failed to query status from LSA service.  The LSASS server is not responding.

This command retrieves the Active Directory domain to which the computer is connected. The command's location is as follows:

/opt/likewise/bin/lw-get-current-domain

This command lists the domain controllers for a target domain. You can delimit the list in several ways, including by site. The command's location is as follows:

/opt/likewise/bin/lw-get-dc-list

Example usage:

[root@rhel5d bin]# ./lw-get-dc-list likewisedemo.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.likewisedemo.com', Address = '192.168.100.132'

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-get-dc-list --help

/opt/likewise/bin/lw-get-dc-name DomainName

This command displays the time of the current domain controller for the domain that you specify. The command's location is as follows:

/opt/likewise/bin/lw-get-dc-time

Example:

[root@rhel5d bin]# ./lw-get-dc-time likewisedemo.com
DC TIME: 2009-09-08 14:54:18 PDT

This command displays the logging status of the Likewise authentication service. The location of the command is as follows:

/opt/likewise/bin/lw-get-log-info

Example output:

[root@rhel5d bin]# ./lw-get-log-info 
Current log settings:
=================
LSA Server is logging to syslog
Maximum allowed log level: error

This command displays local security events from the Likewise event log. For information about using the log, see Monitoring Events. The location of the command is as follows:

/opt/likewise/bin/lw-get-metrics

Example output:

[root@rhel5d bin]# ./lw-get-metrics 
Failed authentications:       3
Failed user lookups by name:  34
Failed user lookups by id:    0
Failed group lookups by name: 0
Failed group lookups by id:   0
Failed session opens:         32
Failed session closures:      33
Failed password changes:      0
Unauthorized access attempts: 0

To view the command's options, execute the following command:

/opt/likewise/bin/lw-get-metrics --help

You can print out the machine account name, machine account password, SID, and other information by running the following command as root.

/opt/likewise/bin/lw-dump-machine-acct domainDNSName

Example: /opt/likewise/bin/lw-dump-machine-acct likewisedemo.com

The result looks like this:

/opt/likewise/bin/lw-dump-machine-acct likewisedemo.com

DomainSID                = S-1-5-21-382349973-3885793314-468868962

DomainName               = LIKEWISEDEMO

Domain DNS Name          = LIKEWISEDEMO.COM

HostName                 = RHEL5D

Machine Account Name     = RHEL5D$

Machine Account Password = xoiy8X!k/BdfiVUj

After you change a setting in the registry for the Likewise agent, you must force the agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

This command turns on trace markers in the messages logged by the lwiod and lsassd daemons.

/opt/likewise/bin/lw-trace-info

Example usage:

lw-trace-info --set user-group-queries:0,authentication:1 --get user-group-administration

To view this command's options, type the following command:

/opt/likewise/bin/lw-trace-info --help

This command registers an IP address for the computer in DNS. Running this command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.

/opt/likewise/bin/lw-update-dns

Example usage:

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-update-dns --help

This command manages the Likewise cache for Active Directory users and groups on Linux and Unix computers. The command's location is as follows:

/opt/likewise/bin/lw-ad-cache

You can use the command to clear the cache. The command's arguments can delete from the cache a user, a group, or all users and groups. The following example demonstrates how to delete all the users and groups from the cache:

/opt/likewise/bin/lw-ad-cache --delete-all

You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting. Example:

[root@rhel5d bin]# ./lw-ad-cache --enum-users
TotalNumUsersFound:      0
[root@rhel5d bin]# ssh likewisedemo.com\\hab@localhost
Password: 
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.likewisedemo.com
[LIKEWISEDEMO\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./lw-ad-cache --enum-users
User info (Level-0):
====================
Name:     LIKEWISEDEMO\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/LIKEWISEDEMO/hab
TotalNumUsersFound:      1
[root@rhel5d bin]# 

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ad-cache --help

Clear the Cache on a Mac OS X Computer

On a Mac OS X computer, clear the cache by running the following command with superuser privileges in Terminal:

dscacheutil -flushcache

domainjoin-cli is the command-line utility for joining or leaving a domain. For instructions on how to use it, see Join Active Directory with the Command Line.

This command is the Likewise NIS ypcat function for group passwd and netgroup maps.

/opt/likewise/bin/lw-ypcat

Example usage:

/opt/likewise/bin/lw-ypcat -d likewisedemo.com -k map-name

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ypcat --help

This command is the Likewise NIS ypmatch function for group passwd and netgroup maps.

/opt/likewise/bin/lw-ypmatch

Example usage:

/opt/likewise/bin/lw-ypmatch -d likewisedemo.com -k key-name map-name

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ypmatch --help

This command displays the UUID of the user.

/opt/likewise/bin/uuid

Example:

[root@rhel5d bin]# ./uuid
836d9daa-a3b6-11de-885e-000c2961e58e
[root@rhel5d bin]# 

The commands prefaced with lwio are included as part of the Likewise-CIFS technology preview. These commands are not covered under your support contract.

[root@rhel5d bin]# ./lwio-get-log-info 
Current log settings:
=================
SMB Server is logging to syslog
Maximum allowed log level: error

The Likewise local authentication provider for local users and groups includes a full local authentication database. With functionality similar to the local SAM authentication database on every Windows computer, the local authentication provider lets you create, modify, and delete local users and groups on Linux, Unix, and Mac OS X computers by using the following commands.

To execute the commands that modify local accounts, you must use either the root account or an account that has membership in the local administrators group. (The account can be an Active Directory administrators account if you manually add it to the local administrators group. For example, you could add the Domain Administrators security group from Active Directory to the local administrators group, and then use an account with membership in the Domain Administrators security group to execute the commands.)

Likewise includes several command-line utilities for working with Kerberos. It is recommended that you use these Kerberos utilities, located in /opt/likewise/bin, to manage those aspects of Kerberos authentication that are associated with Likewise. For complete instructions on how to use the Kerberos commands, see the man page for the command.

-sh-3.00$ /opt/likewise/bin/klist

Ticket cache: FILE:/tmp/krb5cc_593495191

Default principal: hoenstiv@LIKEWISEDEMO.COM

Valid starting     Expires            Service principal

07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/LIKEWISEDEMO.COM@LIKEWISEDEMO.COM

        renew until 07/23/08 04:07:23

07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.LIKEWISEDEMO.COM@

        renew until 07/23/08 04:07:23

07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.LIKEWISEDEMO.COM@LIKEWISEDEMO.COM

        renew until 07/23/08 04:07:23

07/22/08 16:06:40  07/23/08 02:06:39  RHEL4D$@LIKEWISEDEMO.COM

        renew until 07/23/08 04:07:23

-sh-3.00$

[root@rhel5d bin]# ./krb5-config --all
Version:     Kerberos 5 release 1.7
Vendor:      Massachusetts Institute of Technology
Prefix:      /opt/likewise
Exec_prefix: /opt/likewise

[root@rhel5d bin]# ./krb5-config --help
Usage: ./krb5-config [OPTIONS] [LIBRARIES]
Options:
        [--help]          Help
        [--all]           Display version, vendor, and various values
        [--version]       Version information
        [--vendor]        Vendor information
        [--prefix]        Kerberos installed prefix
        [--exec-prefix]   Kerberos installed exec_prefix
        [--cflags]        Compile time CFLAGS
        [--libs]          List libraries required to link [LIBRARIES]
Libraries:
        krb5              Kerberos 5 application
        gssapi            GSSAPI application with Kerberos 5 bindings
        kadm-client       Kadmin client
        kadm-server       Kadmin server
        kdb               Application that accesses the kerberos database
[root@rhel5d bin]# 

The commands and scripts listed in this section are not for end users. It is recommended that you do not use them.