Likewise Open Installation and Administration Guide

This section skips system requirements and information about pre-configuring clients to cut to the chase: Installing Likewise Open on a Linux computer, connecting it to an Active Directory domain, and logging on with your domain credentials. (Jump to install on Unix or install on Mac OS X.)

Before you deploy Likewise Open in anything other than a test environment, however, you should read the overview of the agent, the chapter on installing the agent, the chapter on joining a domain, and the chapter on configuring the Likewise services.

Step 1: Download Likewise Open

Go to http://www.likewise.com/download/. After you register, right-click the download link for your platform on the Likewise Open Download page and then save the installer to the desktop of your Linux computer. For versions of Linux running glibc 2.2 or earlier, see Install the Agent on Linux with glibc 2.2 or Earlier.

Step 2: Install Likewise Open on Linux

You install Likewise Open by using a shell script that contains a self-extracting executable -- an SFX installer with a file name that ends in sh. Example: LikewiseIdentityServiceEnterprise-6.0.0.3499-linux-i386-rpm.sh.

Step 3: Join Active Directory

After the wizard finishes installing Likewise Open, the user interface for joining a domain appears. If it does not appear, see Join Active Directory with the Command Line.

To join a computer to a domain, you must use the root account and you must have the user name and password of an Active Directory account that has privileges to join computers to the domain.

After you join a domain for the first time, you must restart the computer before you can log on.

To solve problems, see Troubleshooting Domain-Join Problems or run this command at the command line: domainjoin-cli --help

Step 4: Log On with AD Credentials

After you join a domain and restart your Linux computer, you can log on interactively or from the text login prompt with your Active Directory credentials in the following form: DOMAIN\username. If you set a default domain, just use your Active Directory username.

To troubleshoot issues, see Solve Logon Problems on Linux.

This section shows you how to quickly modify two common Likewise settings -- the default domain and the shell -- by running the following lwconfig command-line tool as root:

/opt/likewise/bin/lwconfig

To view the settings you can change with lwconfig, execute the following command:

/opt/likewise/bin/lwconfig --list

The syntax to change the value of a setting is as follows, where setting is replaced by the Likewise option that you want to change and value by the new value that you want to set:

/opt/likewise/bin/lwconfig setting value

Here's an example of how to use lwconfig to change the AssumeDefaultDomain setting:

[root@rhel5d bin]# ./lwconfig --detail AssumeDefaultDomain 
Name: AssumeDefaultDomain
Description: Apply domain name prefix to account name at logon
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.

[root@rhel5d bin]# ./lwconfig AssumeDefaultDomain true 

[root@rhel5d bin]# ./lwconfig --show AssumeDefaultDomain 
boolean
true
local policy

Here's another example. To set the shell for a domain account, run lwconfig as root with the LoginShellTemplate setting followed by the path and shell that you want:

[root@rhel5d bin]# /opt/likewise/bin/lwconfig LoginShellTemplate /bin/ksh

For more information, see Set the Home Directory and Shell for Domain Users and the section on lwconfig.

You can give your Active Directory account local administrative rights to execute commands with superuser privileges and perform tasks as a superuser.

On Ubuntu, you can simply add your domain account to the admin group in the /etc/group file by entering a line like the following as root:

admin:x:115:LIKEWISEDEMO\kathy

On other Linux systems, you can add an entry for your Active Directory group to your sudoers file -- typically, /etc/sudoers -- by editing the file with the visudo command as root. Editing the sudoers file, however, is recommended only for advanced users, because an improperly configured sudoers file could lock out administrators, mess up the privileges of important accounts, or undermine the system's security.

Example entry of an AD user account:

% LIKEWISEDEMO\\domain^admins ALL=(ALL) ALL

Note: The example assumes that you are a member of the Active Directory domain administrators group.

For information about how to format your sudoers file, see your computer's man page for sudo.

With Likewise Open 6.0 or later, you can seamlessly upgrade from Likewise Open 5, preserving your local configuration and maintaining your Active Directory state. Simply install Likewise Open 6.0 or later while Likewise Open 5.3 or earlier is running and the computer is joined to a domain. It is unnecessary to leave the domain and uninstall the old version before you install the latest verison. After installation, you will still be connected to your domain.

Likewise Open 6 preserves the changes you made to your local Likewise configuration. When you upgrade, a utility in Likewise Open 6 converts the configuration files from versions 5.0, 5.1, 5.2, and 5.3 into registry files and loads the files into the registry. The registry files that capture the old configuration are stored in /tmp/lw-upgrade; the original configuration files in /etc/likewise are removed.

Although the latest Ubuntu release makes the likewise-open package available through the apt-get install command, the Likewise Open 6 installer does not support upgrading from the package. Before you upgrade from the version available through Ubuntu, it is recommended that you leave the domain, uninstall the domain join GUI package (likewise-open-gui), and uninstall the likewise-open package.

Important: If you plan to upgrade from a 4.x or earlier version of Likewise Open to Likewise Open 6.0 or later, please first contact Likewise Technical Support at support@likewise.com. At this time, it is recommended that you do not attempt to upgrade to a 6.x version from a 4.x version without assistance from Likewise support.

The Likewise agent is installed on a Linux, Unix, or Mac OS X computer to connect it to Microsoft Active Directory and to authenticate users with their domain credentials. The agent integrates with the core operating system to implement the mapping for any application, such as the logon process (/bin/login), that uses the name service (NSS) or pluggable authentication module (PAM). As such, the agent acts as a Kerberos 5 client for authentication and as an LDAP client for authorization. In Likewise Enterprise, the agent also retrieves group policy objects to securely update local configurations, such as the sudo file.

The Likewise agent is also known as the Likewise client and the Likewise identity service.

Likewise Open

The Likewise Open agent comprises the following daemons:

Likewise Enterprise

Likewise Enterprise includes all the daemons that are in Likewise Open. The following additional daemons are in Likewise Enterprise to apply group policies, handle smart cards, and monitor security events:

The Likewise Input-Output Service

The lwiod daemon multiplexes input and output by using SMB1 or SMB2. The daemon's plugin-based architecture includes several drivers, the most significant of which is coded as rdr -- the redirector.

The redirector multiplexes CIFS/SMB connections to remote systems. For instance, when two different processes on a local Linux computer need to perform input-output operations on a remote system by using CIFS/SMB, with either the same identity or different identities, the preferred method is to use the APIs in the lwio client library, which routes the calls through the redirector. In this example, the redirector maintains a single connection to the remote system and multiplexes the traffic from each client by using multiplex IDs.

The input-output service plays a key role in the Likewise architecture because Likewise makes heavy use of DCE/RPC, short for Distributed Computing Environment/Remote Procedure Calls. DCE/RPC, in turn, uses SMB: Thus, the DCE-RPC client libraries use the Likewise input-output client library, which in turn makes calls to lwiod with Unix domain sockets.

When you join a domain, for example, Likewise uses DCE-RPC calls to establish the machine password. The Likewise authentication daemon periodically refreshes the machine password by using DCE-RPC calls. Authentication of users and groups in Active Directory takes place with Kerberos, not RPC. ( View a data-flow diagram that shows how systems interact when you join a domain.)

In addition, when a joined computer starts up, the Likewise authentication daemon enumerates Active Directory trusts by using DCE-RPC calls that go through the redirector. With one-way trusts, the authentication daemon uses RPC to look up domain users, groups, and security identifiers. With two-way trusts, lookup takes place through LDAP, not RPC.

Because the authentication daemon registers trusts only when it starts up, you should restart lsassd with the Likewise Service Manager after you modify a trust relationship.

The Likewise group policy agent also uses the input-output client library and the redirector when it copies files from the sysvol share of a domain controller.

To troubleshoot remote procedure calls that go through the input-output service and its redirector, use a Wireshark trace or a TCP dump to capture the network traffic. Wireshark, a free open-source packet analyzer, is recommended.

To troubleshoot connection problems with the redirector, set the log level of lwiod to debug:

/opt/likewise/bin/lwio-set-log-level debug

PAM Options

Likewise uses three standard PAM options – try_first_pass, use_first_pass, and use_authtok -- and adds three non-standard options to the PAM configuration on some systems: unknown_ok, remember_chpass, and set_default_repository. The unknown_ok option allows local users to continue down the stack (first line succeeds but second line fails) while blocking domain users who do not meet group membership requirements. On AIX systems, which have both PAM and LAM modules, the remember_chpass prevents the AIX computer from trying to change the password twice and prompting the user twice. On Solaris systems, the set_default_repository option is used to make sure password changes work as expected.

Managing the Likewise Daemons

The Likewise Service Manager lets you track and troubleshoot all the Likewise services with a single command-line utility. You can, for example, check the status of the services, view their dependencies, and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the right order. In addition, you can use the service manager to set the logging destination and the log level.

To list status of the services, run the following command with superuser privileges at the command line:

/opt/likewise/bin/lwsm list

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm list
lwreg       running (standalone: 1920)
dcerpc      running (standalone: 2544)
eventlog    running (standalone: 2589)
lsass       running (standalone: 2202)
lwio        running (standalone: 2191)
netlogon    running (standalone: 2181)
npfs        running (io: 2191)
rdr         running (io: 2191)

After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with super-user privileges. This example refreshes the lsass service:

/opt/likewise/bin/lwsm refresh lsass

Configuration information for the daemons is stored in the Likewise registry, which you can access and modify by using the registry shell or by executing registry commands at the command line. The registry shell is at /opt/likewise/bin/lwregshell. For more information, see Configuring the Likewise Services with the Registry.

The agent includes a number of libraries in /opt/likewise/lib.

The agent uses the following ports for outbound traffic.

View a data-flow diagram that shows how systems interact when you join a domain.

To maintain the current state and to improve performance, the Likewise authentication service (lsass) caches information about users and groups in memory. You can, however, change the cache to store the information in a SQLite database; for more information, see the chapter on configuring Likewise with the registry.

The Likewise site affinity service, netlogon, caches information about the optimal domain controller and global catalog in the Likewise registry.

The following files are in /var/lib/likewise/db:

Since the default UIDs that Likewise generates are large, the entries made by the operating system in the lastlog file when AD users log in make the file appear to increase to a large size. This is normal and should not cause concern. The lastlog file (typically /var/log/lastlog) is a sparse file that uses the UID and GID of the users as disk addresses to store the last login information. Because it is a sparse file, the actual amount of storage used by it is minimal.

With Likewise Open, you can manage the following settings for your cache by editing the Likewise registry. See Cache Settings in the lsass Branch.

With Likewise Enterprise, you can manage the settings with group policies; see the Group Policy Adminstration Guide.

Additional information about a computer's Active Directory domain name, machine account, site affinity, domain controllers, forest, the computer's join state, and so forth is stored in the Likewise registry. Here's an example of the kind of information that is stored under the Pstore key and the netlogon key:

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\LIKEWISEDEMO.COM\Pstore]
"ClientModifyTimestamp"=dword:4b86d9c6
"CreationTimestamp"=dword:4b86d9c6
"DomainDnsName"="LIKEWISEDEMO.COM"
"DomainName"="LIKEWISEDEMO"
"DomainSID"="S-1-5-21-3190566242-1409930201-3490955248"
"HostDnsDomain"="likewisedemo.com"
"HostName"="RHEL5D"
"MachineAccount"="RHEL5D$"
"SchannelType"=dword:00000002

[HKEY_THIS_MACHINE\Services\netlogon\cachedb\likewisedemo.com-0]
"DcInfo-ClientSiteName"="Default-First-Site-Name"
"DcInfo-DCSiteName"="Default-First-Site-Name"
"DcInfo-DnsForestName"="likewisedemo.com"
"DcInfo-DomainControllerAddress"="192.168.92.20"
"DcInfo-DomainControllerAddressType"=dword:00000017
"DcInfo-DomainControllerName"="w2k3-r2.likewisedemo.com"
"DcInfo-DomainGUID"=hex:71,c1,9e,b5,18,35,f3,45,ba,15,05,95,fb,5b,62,e3
"DcInfo-Flags"=dword:000003fd
"DcInfo-FullyQualifiedDomainName"="likewisedemo.com"
"DcInfo-LMToken"=dword:0000ffff
"DcInfo-NetBIOSDomainName"="LIKEWISEDEMO"
"DcInfo-NetBIOSHostName"="W2K3-R2"
"DcInfo-NTToken"=dword:0000ffff
"DcInfo-PingTime"=dword:00000006
"DcInfo-UserName"=""
"DcInfo-Version"=dword:00000005
"DnsDomainName"="likewisedemo.com"
"IsBackoffToWritableDc"=dword:00000000
"LastDiscovered"=hex:c5,d9,86,4b,00,00,00,00
"LastPinged"=hex:1b,fe,86,4b,00,00,00,00
"QueryType"=dword:00000000
"SiteName"=""

For the Likewise agent to communicate over Kerberos with the domain controller, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. (For more information, see http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Clock-Skew.html.)

The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the domain controller's Kerberos key distribution center that determines the maximum clock skew. Since changing the maximum clock skew in a client's krb5.conf file does not affect the clock skew tolerance of the domain controller, the change will not allow a client outside the domain controller's tolerance to communicate with it.

The clock skew value that is set in the /etc/likewise/krb5.conf file of Linux, Unix, and Mac OS X computers is useful only when the computer is functioning as a server for other clients. In such cases, you can use a Likewise Enterprise group policy to change the maximum tolerance; for more information, see Set the Maximum Tolerance for Kerberos Clock Skew in the Likewise Group Policy Administration Guide.

The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew are discarded. When the server receives an authentication request within the clock skew, it checks the replay cache to make sure the request is not a replay attack.

If you set the system time on your computer with a Network Time Protocol (NTP) server, the time value of the NTP server and the time value of the domain controller could exceed the maximum skew. As a result, you will be unable to log on your computer.

If you use an NTP server with a cron job, there will be two processes trying to synchronize the computer's time -- causing a conflict that will change the computer's clock back and forth between the time of the two sources.

Likewise recommends that you configure your domain controller to get its time from the NTP server and configure the domain controller's clients to get their time from the domain controller.

The Likewise authentication daemon -- lsassd -- manages site affinity for domain controllers and global catalogs and caches the information with netlogond. When a computer is joined to Active Directory, netlogond determines the optimum domain controller and caches the information. If the primary domain controller goes down, lassd automatically detects the failure and switches to another domain controller and another global catalog within a minute.

However, if another global catalog is unavailable within the forest, the Likewise agent will be unable to find the Unix and Linux information of users and groups. The Likewise agent must have access to the global catalog to function. Therefore, it is a recommended that each forest has redundant domain controllers and redundant global catalogs.

In Likewise Open, a UID and GID are generated by hashing the user or group's security identifier, or SID, from Active Directory. With Likewise Open, you do not need to make any changes to Active Directory. A UID and GID stays the same across host machines. With Likewise Open, you cannot set UIDs and GIDs for Linux and Unix in Active Directory; using AD to set and manage UIDs and GIDs is a feature of Likewise Enterprise or the Likewise UID-GID management tool.

If your Active Directory relative identifiers, or RIDs, are a number greater than 524,287, the Likewise Open algorithm that generates UIDs and GIDs can result in UID-GID collisions among users and groups. In such cases, it is recommended that you use Likewise Enterprise or the Likewise UID-GID management tool.

The Likewise Open algorithm is the same in 4.1 and 5.0, and if you are running 4.1 on one computer and 5.0 or later on another, each user and group should have the same UID and GID on both machines.

Note: If you have UIDs and GIDs defined in Active Directory, Likewise Open will not use those UIDs and GIDs.

In Likewise Enterprise, you can specify the UIDs and GIDs that you want, including setting multiple UID and GID values for a given user based on OU membership by using Likewise cells. (Likewise cells, available only in Likewise Enterprise, provide a method for mapping Active Directory users and groups to UIDs and GIDs.) You can also set Likewise Enterprise to automatically generate UID and GID values sequentially.

Both Likewise Open and Likewise Enterprise cache credentials so users can log on when the computer is disconnected from the network or Active Directory is unavailable.

The Likewise agent supports the following Active Directory trusts:

There is information on the types of trusts at http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx.

Notes on Trusts

The following list contains general information about working with trusts.

Trusts and Cells in Likewise Enterprise

In Likewise Enterprise, a cell contains Unix settings, such as a UID and a GID, for an Active Directory user. When an AD user logs on a Likewise client, Likewise Enterprise searches Active Directory for the user's cell information -- and must find it to operate properly. Thus, your AD topology and your trust relationships may dictate where to locate a cell in Active Directory so that your Likewise clients can access their Unix settings.

With a default cell, Likewise searches for a user or group's attributes in the default cell of the domain where the user or group resides. In a multi-domain topology, a default cell must exist in the domain where user and group objects reside in addition to the default cell that exists in the domain to which Unix, Linux, and Mac computers are joined. In a multi-domain topology, then, be sure to create a default cell in each domain.

Ideally, Unix information is stored on the user object in default cell schema mode. If the client computer does not have the access rights to read and write the information to the user object, as in an external one-way trust, the Unix information cannot be stored on the user object. It can, however, be stored locally in a named cell, that is, a cell associated with an organizational unit.

Since a named cell can be linked to the default cell, you can store Unix information on the user object in default cell schema mode when possible, and otherwise in a named cell that represents the external user. For information about cells, see the chapter on planning your Likewise Enterprise installation and deployment.

Likewise includes a tool to install the files necessary to use Samba with Likewise. Located in /opt/likewise/bin, the tool is named samba-interop-install. The Likewise Samba Guide describes how to use the tool to integrate Samba 3.0.25, 3.2.X, or 3.5.X with Likewise Enterprise 6 or Likewise Open 6.

Likewise Open and Likewise Enterprise run on a broad range of Unix, Mac OS X, and Linux platforms. Likewise frequently adds new vendors and distributions to the list of supported platforms.

Before you attempt to join an Active Directory domain, make sure the /etc/nsswitch.conf file contains the following line:

hosts: files dns

The hosts line can contain additional information, but it must include the dns entry, and it is recommended that the dns entry appear after the files entry.

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

When you use Likewise with Multicast DNS 4 (mDNS4) and have a domain in your environment that ends in .local, you must place the dns entry before the mdns4_minimal entry and before the mdns4 entry:

hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

The default setting for many Linux systems is to list the mdns4 entries before the dns entry -- a configuration that leaves Likewise unable to find the domain.

Important: For Likewise to process changes to your nsswitch.conf file, you must restart the Likewise input-output service (lwiod) and the authentication service (lsassd). Running the following command as root restarts both services:

/opt/likewise/bin/lwsm restart lwio

For Likewise to work correctly, the nsswitch.conf file must be readable by user, group, and world.

For more information on configuring nsswitch, see the man page for nsswitch.conf.

Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve SRV records for your domain.

Example:

[root@rhel5d Desktop]# cat /etc/resolv.conf

search likewisedemo.com
nameserver 192.168.100.132

For more information on resolv.conf, see your operating system's man page.

The Likewise agent requires several firewall ports to be open for outbound traffic. For a list of the required ports, see Make Sure Outbound Ports Are Open.

On AIX 5.2 and 5.3, you may need to extend the size of certain partitions to complete the installation successfully.

To do so, use IBM's chfs command to change the partition sizes -- for example:

# chfs -a size=+200M /opt

This command increases the size of the opt partition by 200 megabytes, which should be sufficient for a successful installation.

By default, IBM AIX is not configured to support long user and group names, which might present a conflict when you try to log on with a long Active Directory username. On AIX 5.3 and AIX 6.1, the symptom is that group names, when enumerated through the groups command, are truncated.

To increase the max username length on AIX 5.3, use the following syntax:

# chdev - l sys0 -a max_logname=MaxUserNameLength+1

Example:

# chdev - l sys0 -a max_logname=255

This command allocates 254 characters for the user and 1 for the terminating null.

The safest value that you can set max_logname to is 255.

You must reboot for the changes to take effect:

# shutdown - Fr

Note: AIX 5.2 does not support increasing the maximum user name length.  

Members of the Likewise support staff might use a shell script to check the health of a Linux or Unix computer on which you plan to install the Likewise agent. The script helps identify potential system configuration issues before you install the agent and attempt to join a Linux or Unix computer to Active Directory.

With Likewise Open, the script is unavailable, but you can manually check your computer against the list in the table below.

The name of the script is healthchk.sh. To execute it, copy the script to the Unix or  Linux computer that you want to check, and then execute the following command from the shell prompt: likewise-health-check.sh

The script outputs the results of its scan to /tmp/healthchk.out.

The following table lists each item the script checks, describes the item, and suggests action to correct the issue.

You must install the Likewise agent -- the identity service that authenticates users -- on each Linux, Unix, or Mac OS X computer that you want to connect to Active Directory. To obtain the installer or to view a list of supported platforms, see www.likewise.com. The Likewise Open installation package can be downloaded for free at http://www.likewise.com/products/likewise_open/. If you are using Likewise Enterprise, make sure you install the Likewise Enterprise version of the agent.

Important: Before you install the agent, it is recommended that you upgrade your system with the latest security patches. Patch requirements for Unix systems are listed below.

The procedure for installing the Likewise Open agent or the Likewise Enterprise agent depends on the operating system of your target computer or virtual machine. Each procedure is documented in a separate section of this chapter.

You also have the option of installing the agent in unattended mode; see Install the Agent on Linux in Unattended or Text Mode and Install the Agent on a Mac in Unattended Mode.

Checking Your Linux Kernel Release Number

To determine the release number of the kernel on your Linux machine, run the following command:

uname -r

For the Linux machine to be supported by Likewise, the kernel release number must be 2.6 or later.

Package Management Commands

For an overview of commands such as rpm and dpkg that can help you manage Likewise on Linux and Unix platforms, see Package Management Commands.

This section lists requirements for installing and running the Likewise agent. Requirements for the Likewise Management Console, which is part of Likewise Enterprise and the UID-GID module, are detailed in the chapter on installing the console. Likewise Open does not include the Likewise Management Console.

Before you install the Likewise agent, make sure that the following environmental variables are not set: LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH, LD_PRELOAD. Setting any of these environmental variables violates best practices for managing Unix and Linux computers because it causes Likewise to use non-Likewise libraries for its services. For more information on best practices, see http://linuxmafia.com/faq/Admin/ld-lib-path.html. Likewise does not support installations that use these environmental variables. If joining the domain fails with an error message that one of these environmental variables is set, stop all the Likewise daemons, clear the environmental variable, make sure it is not automatically set when the computer restarts, and then try to join the domain again.

If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the Likewise library path (/opt/likewise/lib or /opt/likewise/lib64) before any other path -- but keep in mind that doing so may result in side effects for your other programs, as they will now use Likewise libraries for their services.

Patch Requirements

It is recommended that you apply the latest patches for your operating system before you install Likewise. Known patch requirements are listed below.

Sun Solaris

All Solaris versions require the md5sum utility, which can be found on the companion CD.

Sun Solaris 10 requires update 5 or later. The Solaris 10 05/08 (or later) patch bundle is available at http://sunsolve.sun.com/. Solaris 10_x86 requires the patch for nscd, either patch ID number 138047-02 or the patch that supercedes it, number 138264-02. This patch available for SPARC as patch 138046.

Solaris 8 Sparc should be fully patched according to Sun's recommendations. Likewise depends on the latest patch for libuuid. On Sparc systems, the patch for libuuid is 115831. Sun patch 110934-28 for Solaris 5.8 is also required for Solaris 8.

Solaris 8 Intel systems also require the latest patch for libuuid: 115832-01. Sun patches 110403-06 and 110935-26 are also required. Patch 110403-06 must be installed before you install patch 110935-26.

Solaris 9 requires Sun patch 113713-28 for Solaris 5.9.

OpenSolaris is compatible with Likewise without any patches.

HP-UX

Secure Shell: For all HP-UX platforms, it is recommended that a recent version of HP's Secure Shell be installed. Likewise recommends that you use HP-UX Secure Shell A.05.00.014 or later.

Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable Authentication Module, or PAM, which Likewise requires to allow domain users to execute sudo commands with super-user credentials. It is recommended that you download sudo from the HP-UX Porting Center and make sure that you use the with-pam configuration option when you build it.

HP-UX 11iv1 requires the following patches: PHCO_36229, PHSS_35381, PHKL_34805, PHCO_31923, PHCO_31903, and PHKL_29243. Although these patches may be superceded by subsequent patches, these patches represent the minimum patch level for proper operation.

Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, you must download and install the latest KRB5-Client libraries from the HP Software Depot. (By default, HP-UX 11.31 includes the libraries.)

Other Requirements for the Agent

AIX

On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.

Secure Shell

To properly process logon events with Likewise, your SSH server or client must support the UsePam yes option. For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software

Telnet, rsh, rcp, rlogin, and other programs that uses PAM for processing authentication requests are compatible with Likewise.

Networking Requirements

Each Unix, Linux, or Mac computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:

In addition, several ports must be open; see Make Sure Outbound Ports Are Open.

Disk Space Requirements

The Likewise agent requires 100 MB of disk space in the /opt mount point. The agent also creates configuration files in /etc/likewise and offline logon information in /var/lib/likewise. In addition, the Likewise Enterprise agent caches group policy objects in /var/cache/likewise.  

Memory and CPU Requirements

The agent consists of several daemons that typically use between 9 MB and 14 MB of RAM. Memory utilization of the authentication daemon on a 300-user mail server is typically 7 MB; the other daemons require between 500 KB and 2 MB each. CPU utilization on a 2.0 gigahertz single-core processor under heavy load with authentication requests is about 2 percent. For a description of the Likewise daemons, see About the Likewise Agent.

Clock Skew Requirements

For the Likewise agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default. For more information on time synchronization, see About the Likewise Agent.

You install the Likewise Enterprise agent by using a shell script that contains a self-extracting executable. The file name of the SFX installer ends in sh. Example: LikewiseEnterprise-6.1.0.3499-linux-i386-rpm.sh.

The examples shown are for Linux RPM-based platforms. For other Linux and Unix platforms -- such as Debian, HP-UX, AIX, and Solaris -- simply substitute the right installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.

Install the Agent on Linux or Unix with the Shell Script

Perform the following procedure with the root account. To view information about the installer or to view a list of command-line options, run the following command: ./LikewiseEnterprise-6.1.0.3499-linux-i386-rpm.sh --help

After the wizard finishes, the user interface for joining a domain appears. To suppress it, you can run the installer with its --dont-join argument.

You can install the agent in unattended mode by using the install command:

./LikewiseEnterprise-6.1.0.67-linux-i386-rpm.sh install

You install the Likewise Open agent or the Likewise Enterprise agent on Sun Solaris, HP-UX, and IBM AIX by using a shell script that contains a self-extracting executable -- an SFX installer with a file name that ends in sh. Example: LikewiseEnterprise-6.1.0.70-solaris-sparc-pkg.sh.

The examples shown below are for Solaris Sparc systems. For other Unix platforms, simply substitute the right installer. The installer's name includes the product name, version and build numbers, operating system, computer type, and platform type.

Note: The name of a Unix installer for Likewise Enterprise on installation media might be truncated to an eight-character file name with an extension. For example, l3499sus.sh is the truncated version of LikewiseEnterprise-6.1.0.3499-solaris-sparc-pkg.sh.

Perform the following procedure with the root account.

To install the Likewise agent on a computer running Mac OS X, you must have administrative privileges on the Mac. Likewise supports Mac OS X 10.4 or later.

The Likewise command-line tools can remotely deploy the shell version of the Likewise agent to multiple Mac OS X computers, and you can automate the installation of the agent by using the installation command in unattended mode.

The commands in this procedure require administrative privileges.

Important: For Intel-based Macs, use the i386 version of the .dmg installer; for example: LikewiseEnterprise-6.1.0.3628-i386.dmg. For Macs that do not have Intel chips, use the powerpc version of the .dmg installer; for example: LikewiseEnterprise-6.1.0.3628-powerpc.dmg

The procedure below assumes you are installing the agent on an i386 Mac; if you are installing on a powerpc, replace the i386 installer with the powerpc installer.

Solaris Zones are a virtualization technology created by Sun Microsystems to consolidate servers. Primarily used to isolate an application, Solaris Zones act as isolated virtual servers running on a single operating system, making each application in a collection of applications seem as though it is running on its own server. A Solaris Container combines system resource controls with the virtual isolation provided by zones.

Every zone server contains a global zone that retains visibility and control in any installed non-global zones. By default, the non-global zones share certain directories, including /usr, which are mounted read-only. The shared directories are writable only for the global zone.

By default, installing Likewise in the global zone results in it being installed in all the non-global zones. You can, however, control the target of the installation by using the following options of the SFX installer:

./LikewiseEnterprise-6.1.0.97-solaris-i386-pkg.sh --help
...
--all-zones           (Solaris) Install to all zones (default)
--current-zone        (Solaris) Install only to current zone

After a new child zone is installed, booted, and configured, you must run the following command as root to complete the installation:

/opt/likewise/bin/postinstall.sh

You cannot join zones to Active Directory as a group. Each zone, including the global zone, must be joined to the domain independently of the other zones.

Caveats

There are some caveats when using Likewise with Solaris Zones:

1. When you join a non-global zone to AD, you will receive an error as Likewise attempts to synchronize the Solaris clock with AD. The error occurs because the root user of the non-global zone does not have root access to the underlying global system and thus cannot set the system clock. If the clocks are within the 5-minute clock skew permitted by Kerberos, the error will not be an issue. Otherwise, you can resolve the issue by manually setting the clock in the global zone to match AD or by joining the global zone to AD before joining the non-global zone.

2. Some group policies may log PAM errors in the non-global zones even though they function as expected. The cron group policy is one example:

Wed Nov 7 16:26:02 PST 2009 Running Cronjob 1 (sh)
Nov 7 16:26:01 zone01 last message repeated 1 time
Nov 7 16:27:00 zone01 cron[19781]: pam_lsass(cron): request failed

Depending on the group policy, these errors may result from file access permissions, attempts to write to read-only directories, or both.

3. By default, Solaris displays auth.notice syslog messages on the system console. Some versions of Likewise generate significant authentication traffic on this facility-priority level, which may lead to an undesirable amount of chatter on the console or clutter on the screen.

To redirect the traffic to a file instead of displaying it on the console, edit your /etc/syslog.conf file as follows:

Change this:

*.err;kern.notice;auth.notice /dev/sysmsg

To this:

*.err;kern.notice /dev/sysmsg

auth.notice /var/adm/authlog

Important: Make sure that you use tabs, not spaces, to separate the facility.priority information (on the left) from the action field (on the right). Using spaces will cue syslog to ignore the entire line.

Before you upgrade your operating system, you must leave the domain, uninstall the domain join GUI, and uninstall the agent. Then, make sure you are using the correct agent for the new version of your operating system, install it, and rejoin the domain.

If, for example, you plan to upgrade your operating system from Mac OS X 10.5 (Leopard) to Mac OS X 10.6 (Snow Leopard), you must first leave the domain and uninstall the current agent. Then, after upgrading your operating system, install the correct agent for the new version of the operating system and join the domain again. See Uninstall the Agent on a Mac.

When Likewise joins a computer to an Active Directory domain, it uses the hostname of the computer to create the name of the computer object in Active Directory. From the hostname, the Likewise domain join tool attempts to derive a fully qualified domain name. By default, the Likewise domain join tool creates the Linux and Unix machine accounts in the default Computers container in Active Directory.

You can, however, choose to pre-create machine accounts in Active Directory before you join your computers to the domain. When you join a computer to a domain, Likewise associates the computer with the pre-existing machine account when Likewise can find it. To locate the machine account, Likewise first looks for a machine account with a DNS hostname that matches the hostname of the computer. If the DNS hostname is not set, Likewise then looks for the name of a machine account that matches the computer's hostname, but only when the computer's hostname is 15 characters or less. Therefore, when the hostname of your computer is more than 15 characters, you should set the DNS hostname for the machine account to ensure that the correct machine account is found. If no match is found, Likewise creates a machine account.

The location of the domain join command-line utility is as follows:

/opt/likewise/bin/domainjoin-cli

After you join a domain for the first time, you must restart the computer before you can log on. If you cannot restart the computer, you must restart each service or daemon that looks up users or groups through the standard nsswitch interface, which includes most services that authenticate users, groups, or computers. You must, for instance, restart the services that use Kerberos, such as sshd.

For Linux computers, there is an optional graphical version of the Likewise domain join tool. It is installed on Linux platforms that are running GTK+ version 2.6 or later. For more information, see Join a Linux Computer to Active Directory with the GUI.

Important: On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on for the first time with your Active Directory domain credentials. For more information, see With NetworkManager, Use a Wired Connection to Join a Domain.

Privileges and Permissions

To join a computer to a domain, you must have the user name and password of an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join. Instructions on how to delegate rights to join a computer to a domain are at http://support.microsoft.com/kb/932455. The level of privileges that you need is set by Microsoft Active Directory and is typically the same as performing the corresponding action on a Windows computer. For more information on Active Directory privileges, permissions, and security groups, see the following references on the Microsoft Technet web site: Active Directory Privileges, Active Directory Object Permissions, Active Directory Users, Computers, and Groups, Securing Active Directory Administrative Groups and Accounts.

Removing a Computer from a Domain

You can remove a computer from the domain either by removing the computer's account from Active Directory Users and Computers or by running the domain join tool on the Unix, Linux, or Mac OS X computer that you want to remove; see Leave a Domain.

Creation of Local Accounts

After you join a domain, Likewise creates two local user accounts in the following form: machine-name\Administrator and machine-name\Guest. The administrator account is disabled until you enable it by running the lw-mod-user command with the root account. You will be prompted to reset the password the first time you use the account.

You can view information about these accounts by executing the following command:

/opt/likewise/bin/lw-enum-users

Example output:

User info (Level-2):
====================
Name:                       NISHI-01\Administrator
UPN:                        Administrator@NISHI-01
Generated UPN:              YES
Uid:                        1500
Gid:                        1544
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /
LMHash length:              0
NTHash length:              0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           TRUE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314


User info (Level-2):
====================
Name:                       NISHI-01\Guest
UPN:                        Guest@NISHI-01
Generated UPN:              YES
Uid:                        1501
Gid:                        1546
Gecos:                      <null>
Shell:                      /bin/sh
Home dir:                   /tmp
LMHash length:              0
NTHash length:              0
Local User:                 YES
Account disabled:           TRUE
Account Expired:            FALSE
Account Locked:             TRUE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: YES
User can change password:   NO
Days till password expires: -149314

On Linux, Unix, and Mac OS X computers, the location of the domain join command-line utility is as follows:

 /opt/likewise/bin/domainjoin-cli

Important: To run the command-line utility, you must use a root account. To join a computer to a domain, you must have the user name and password of an Active Directory account that has privileges to join computers to the domain and the full name of the domain that you want to join. Instructions on how to delegate rights to join a computer to a domain are at http://support.microsoft.com/kb/932455. After you join a domain for the first time, you must restart the computer before you can log on with your domain account.

When you join a domain by using the command-line utility, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the FQDN in the /etc/hosts file. You can also join a domain without changing the /etc/hosts file; see Join Active Directory Without Changing /etc/hosts.

Before Joining a Domain

To join a domain, the computer's name server must be able to find the domain and the computer must be able to reach the domain controller. You can make sure the name server can find the domain by running this command:

nslookup  domainName

You can verify that your computer can reach the domain controller by pinging it:

ping  domainName

If either of these tests fails, see Check System Health Before Installing the Agent and Solve Domain-Join Problems.

Join a Linux or Unix Computer to Active Directory

Execute the following command as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join likewisedemo.com Administrator

Tip: On Ubuntu, execute the sudo su - command before you run the domainjoin-cli command.

Join a Mac Computer to Active Directory

Using sudo, execute the following command in Terminal, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

sudo /opt/likewise/bin/domainjoin-cli join domainName joinAccount

Example: sudo /opt/likewise/bin/domainjoin-cli join likewisedemo.com Administrator

The terminal prompts you for two passwords: The first is for a user account on the Mac that has administrative privileges; the second is for the account in Active Directory that you specified in the join command.

Join a Linux or Unix Computer to an Organizational Unit

Execute the following command as root, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join --ou organizationalUnitName domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join --ou Engineering likewisedemo.com Administrator

Join a Linux or Unix Computer to a Nested Organizational Unit

Execute the following command as root, replacing path with the AD path to the OU from the top down, with each node separated by a forward slash (/). In addition, replace organizationalUnitName with the name of the organizational unit that you want to join. Replace domainName with the FQDN of the domain and joinAccount with the user name of an AD account that has privileges to join computers to the target OU:

/opt/likewise/bin/domainjoin-cli join --ou path/organizationalUnitName domainName joinAccount

Here's an example of how to join a deeply nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

The domainjoin-cli command-line interface includes the following options:

Basic Commands

The domain join command-line interface includes the following basic commands:

Advanced Commands

The command-line interface includes advanced commands that you can use to preview the stages of joining or leaving a domain, find out which configurations are required for your system, view information about a module that will be changed, configure a module such as nsswitch, and enable or disable a module. The advanced commands provide a potent tool for troubleshooting issues while configuring a Linux or Unix computer to interoperate with Active Directory.

View a data-flow diagram that shows how systems interact when you join a domain.

Preview the Stages of the Domain Join for Your Computer

To preview the domain, DNS name, and configuration stages that will be used to join a computer to a domain, execute the following command at the command line:

domainjoin-cli join --preview  domainName

Example: domainjoin-cli join --preview likewisedemo.com

Here's an example of the results, which can vary by computer:

[root@rhel4d bin]# domainjoin-cli join --preview likewisedemo.com
Joining to AD Domain:   likewisedemo.com
With Computer DNS Name: rhel4d.likewisedemo.com

The following stages are currently configured to be run during the domain join:
join           - join computer to AD
krb5           - configure krb5.conf
nsswitch       - enable/disable Likewise nsswitch module
start          - start daemons
pam            - configure pam.d/pam.conf
ssh            - configure ssh and sshd

Check Required Configurations

To see a full listing of the modules that apply to your operating system, including those modules that will not be run, execute either the following join or leave command:

domainjoin-cli join --advanced --preview  domainName

domainjoin-cli leave --advanced --preview  domainName

Example: domainjoin-cli join --advanced --preview likewisedemo.com

The result varies by computer:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview likewisedemo.com
Joining to AD Domain:   likewisedemo.com
With Computer DNS Name: rhel4d.likewisedemo.com
    [F] stop           - stop daemons
    [F] hostname       - set computer hostname
    [F] firewall       - open ports to DC
    [F] keytab         - initialize kerberos keytab
[X] [N] join           - join computer to AD
[X] [N] krb5           - configure krb5.conf
[X] [N] nsswitch       - enable/disable Likewise nsswitch module
[X] [N] start          - start daemons
    [F] gdm            - fix gdm presession script for spaces in usernames
[X] [N] pam            - configure pam.d/pam.conf
[X] [S] ssh            - configure ssh and sshd

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
                            requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

View Details about a Module

The Likewise domain join tool includes the following modules -- the components and services that the tool must configure before it can join a computer to a domain:

As the previous section illustrated, you can see the modules that must be configured on your computer by executing the following command:

domainjoin-cli join --advanced --preview  domainName

You can further bore down into the details of the changes that a module will make by using either the following join or leave command:

domainjoin-cli join --details  module domainName  joinAccount

domainjoin-cli leave --details  module domainName  joinAccount

Example: domainjoin-cli join --details nsswitch likewisedemo.com Administrator

The result varies depending on your system's configuration:

domainjoin-cli join --details nsswitch likewisedemo.com Administrator
[X] [N] nsswitch          - enable/disable Likewise nsswitch module

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
                            requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

Details for 'enable/disable Likewise nsswitch module':
The following steps are required and can be performed automatically:
    * Edit nsswitch apparmor profile to allow libraries in the /opt/likewise/lib
        and /opt/likewise/lib64 directories
    * List lwidentity module in /usr/lib/security/methods.cfg (AIX only)
    * Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or
        /etc/netsvc.conf

If any changes are performed, then the following services must be restarted:
    * GDM
    * XDM
    * Cron
    * Dbus
    * Nscd

Turn On or Turn Off Domain Join Modules

You can explicitly enable or disable a module when you join or leave a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

Note: If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

The following command, with either join or leave, can be used to disable a module:

domainjoin-cli join --disable module domainName accountName
domainjoin-cli leave --disable module domainName accountName

Example: domainjoin-cli join --disable pam likewisedemo.com Administrator

To enable a module, execute the following command at the command line:

domainjoin-cli join --enable module domainName accountName

Example: domainjoin-cli join --enable pam likewisedemo.com Administrator

Configuration and Debugging Commands

The domainjoin-cli tool includes commands for debugging the domain-join process and for configuring or preconfiguring a module. You can, for example, run the configure command to preconfigure a system before you join a domain -- a useful strategy when you are deploying Likewise in a virtual environment and you need to preconfigure the nsswitch, ssh, or PAM module of the target computers to avoid having to restart them after they are added to the domain. Here's an example with nsswitch:

domainjoin-cli configure --enable nsswitch

The following commands, viewable by running domainjoin-cli --help-internal, are available:

    fixfqdn
    configure { --enable | --disable } pam [--testprefix <dir>]
    configure { --enable | --disable } nsswitch [--testprefix <dir>]
    configure { --enable | --disable } ssh [--testprefix <dir>]
    configure { --enable | --disable } [--testprefix <dir>] 
               [--long <longdomain>] [--short <shortdomain>] krb5
    configure { --enable | --disable } firewall [--testprefix <dir>]
    configure { --enable | --disable } eventfwdd
    configure { --enable | --disable } reapsysld
    get_os_type
    get_arch
    get_distro
    get_distro_version
    raise_error <error code | error name | 0xhex error code>

When you join a computer to a domain by using the Likewise domain join tool, Likewise uses the hostname of the computer to derive a fully qualified domain name (FQDN) and automatically sets the computer’s FQDN in the /etc/hosts file.

To join a Linux computer to the domain without changing the /etc/hosts file, execute the following command as root, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join --disable hostname domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join --disable hostname likewisedemo.com Administrator

After you join a domain for the first time, you must restart the computer before you can log on.

If the Computer Fails to Join the Domain

Make sure the computer's FQDN is correct in /etc/hosts. For the computer to process tickets in compliance with the Kerberos protocol and to function properly when it uses cached credentials in offline mode or when its DNS server is offline, there must be a correct FQDN in /etc/hosts. For more information on GSS-API requirements, see RFC 2743.

You can determine the fully qualified domain name of a computer running Linux, Unix, or Mac OS X by executing the following command:

ping -c 1 `hostname`

When you execute this command, the computer looks up the primary host entry for its hostname. In most cases, this means that it looks for its hostname in /etc/hosts, returning the first FQDN name on the same line. So, for the hostname qaserver, here's an example of a correct entry in /etc/hosts:

10.100.10.10 qaserver.corpqa.likewise.com qaserver

If, however, the entry in /etc/hosts incorrectly lists the hostname (or anything else) before the FQDN, the computer's FQDN becomes, using the malformed example below, qaserver:

10.100.10.10 qaserver qaserver.corpqa.likewise.com

If the host entry cannot be found in /etc/hosts, the computer looks for the results in DNS instead. This means that the computer must have a correct A record in DNS. If the DNS information is wrong and you cannot correct it, add an entry to /etc/hosts.

A graphical user interface for joining a domain is included when you install the Likewise agent.

Important: To join a computer to a domain, you must have the user name and password of a user who has privileges to join computers to a domain and the full name of the domain that you want to join.

After you join a domain for the first time, you must restart the computer before you can log on.

To join a computer running Mac OS X 10.4 or later to an Active Directory domain, you must have administrative privileges on the Mac and privileges on the Active Directory domain that allow you to join a computer.

With Likewise Enterprise, the domain join utility includes a tool to migrate a Mac user's profile from a local user account to the home directory specified for the user in Active Directory; see Migrate a User Profile on a Mac.

dscl . -delete /Computers
dscl /Search -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController
dscl /Search -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController

If you have write privileges only for an organizational unit in Active Directory, you can still use Likewise. Your AD rights to create objects in an OU allow you to join Linux and Unix computers to the OU even though you do not have Active Directory Domain Administrator or Enterprise Administrator privileges. (See Delegate Control to Create Container Objects.)

There are additional limitations to this approach:

Join a Linux Computer to an Organizational Unit

To join a computer to a domain, you must have the user name and password of an account that has privileges to join computers to the OU and the full name of the domain that you want to join. The OU path is from the top OU down to the OU that you want.

As root, execute the following command, replacing organizationalUnitName with the path and name of the organizational unit that you want to join, domainName with the FQDN of the domain, and joinAccount with the user name of an account that has privileges to join computers to the domain:

/opt/likewise/bin/domainjoin-cli join -- ou organizationalUnitName domainName joinAccount

Example: /opt/likewise/bin/domainjoin-cli join -- ou Engineering likewisedemo.com Administrator

Example of how to join a nested OU:

domainjoin-cli join --ou topLevelOU/middleLevelOU/LowerLevelOU/TargetOU likewisedemo.com Administrator

After you join a domain for the first time, you must restart the computer before you can log on.

To rename a computer that has been joined to Active Directory, you must first leave the domain. You can then rename the computer by using the domain join command-line interface. After you rename the computer, you must rejoin it to the domain. Renaming a joined computer requires the user name and password of a user with privileges to join a computer to a domain.

Important: Do not change the name of a Linux, Unix, or Mac computer by using the hostname command because some distributions do not permanently apply the changes.

Rename a Computer by Using the Command-Line Tool

The following procedure removes a Unix or Linux computer from the domain, renames the computer, and then rejoins it to the domain.

Rename a Computer by Using the Domain Join Tool GUI

When Likewise adds a computer to a domain, it modifies some system files. The files that are modified depend on the platform, the distribution, and the system's configuration. The following files might be modified.

To see a listing of the changes that joining a domain will make to your operating system, execute the following join command:

domainjoin-cli join --advanced --preview domainName

Note: Not all the following files are present on all computers.

As an example, the following table lists the files that are modified for the default configuration of the operating system of a few selected platforms.

On Linux computers running NetworkManager -- which is often used for wireless connections -- you must make sure before you join a domain that the computer has a non-wireless network connection and that the non-wireless connection is configured to start when the networking cable is plugged in. You must continue to use the non-wireless network connection during the post-join process of restarting your computer and logging on with your Active Directory domain credentials.

After you have joined the domain and logged on for the first time with your AD domain credentials by using a non-wireless connection, you can then revert to using your wireless connection because your AD logon credentials are cached. (You will not, however, be notified when your AD password is set to expire until you either run a sudo command or log on by using a non-wireless connection.)

If, instead, you attempt to use a wireless connection when you join the domain, you will be unable to log on your computer with AD domain credentials after your computer restarts.

Here's why: NetworkManager is composed of a daemon that runs at startup and a user-mode application that runs only after you log on. NetworkManager is typically configured to auto-start wired network connections when they are plugged in and wireless connections when they are detected. The problem is that the wireless network is not detected until the user-mode application starts -- which occurs only after you have logged on.

Information about NetworkManager is available at http://projects.gnome.org/NetworkManager/.

Likewise includes the following logon options:

Important: When you log on from the command line, you must use a slash to escape the slash character, making the logon form DOMAIN//username.

To use UPN names, you must raise your Active Directory forest functional level to Windows Server 2003, but raising the forest functional level to Windows Server 2003 will exclude Windows 2000 domain controllers from the domain. For more information, see About Schema Mode and Non-Schema Mode.

When you log on a Linux, Unix, or Mac OS X computer by using your domain credentials, Likewise uses the Kerberos protocol to connect to Active Directory's key distribution center, or KDC, to establish a key and to request a Kerberos ticket granting ticket (TGT). The TGT lets you log on to other computers joined to Active Directory or applications provisioned with a service principal name and be automatically authenticated with Kerberos and authorized for access through Active Directory.

After logon, Likewise stores the password in memory and securely backs it up on disk. You can, however, configure Likewise to store logon information in a SQLite database, but it is not the default method. The password is used to refresh the user's Kerberos TGT and to provide NTLM-based single sign-on through the Likewise GSSAPI library. In addition, the NTLM verifier hash -- a hash of the NTLM hash -- is stored to disk to handle offline logons by comparing the password with the cached credentials.

Likewise stores an NTLM hash and LM hash only for accounts in Likewise's local provider. The hashes are used to authenticate users over CIFS. Since Likewise does not support offline logons for domain users over CIFS, it does not store the LM hash for domain users.

See Also

About Single Sign-On

Configure Putty for Windows-Based SSO

Log On and Verify Your Kerberos Tickets

After the Likewise agent has been installed and the Linux or Unix computer has been joined to a domain, you can log on with your Active Directory credentials, either from the command line or interactively through the system console. After you join a domain for the first time, you must reboot your computer before you can log on interactively through the console.

You can log on with SSH by executing the ssh command at the shell prompt in the following format:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

To troubleshoot a problem with a user who cannot log on a to Linux or Unix computer with SSH from Windows, perform the following series of diagnostic tests sequentially.

To troubleshoot problems logging on a Linux computer with Active Directory credentials after you joined the computer to a domain, perform the following series of diagnostic tests sequentially with a root account. The tests can also be used to troubleshoot logon problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

Make Sure You Are Joined to the Domain

Execute the following command:

/opt/likewise/bin/domainjoin-cli query

If you are not joined, see Join Active Directory with the Command Line.

Check Whether You Are Using a Valid Logon Form

When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username. Example: likewisedemo.com\hoenstiv.

When logging on from the command line, you must escape the slash character with a slash character, making the logon form DOMAIN\\username. Example: likewisedemo.com\\hoenstiv.

To view a list of logon options, see About Logging On.

Clear the Cache

You might need to clear the cache to ensure that the client computer recognizes the user's ID. See Clear the Authentication Cache.

Destroy the Kerberos Cache

Clear the Likewise Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command with the user account that you are troubleshooting:

/opt/likewise/bin/kdestroy

Check the Status of the Likewise Authentication Daemon

Check the status of the authentication daemon on a Unix or Linux computer running the Likewise Agent by executing the following command as the root user:

/opt/likewise/bin/lwsm status lsass

lsassd is stopped

lsassd (pid 1783) is running...

Check Communication between the Likewise Daemon and AD

Verify that the Likewise daemon can exchange data with AD by executing this command:

/opt/likewise/bin/lw-get-dc-name FullDomainName

Example: /opt/likewise/bin/lw-get-dc-name likewisedemo.com

Verify that Likewise Can Find a User in AD

Verify that the Likewise agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:

/opt/likewise/bin/lw-find-user-by-name domainName\\ADuserName

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hab

Make Sure the AD Authentication Provider Is Running

Likewise includes two authentication providers:

If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:

/opt/likewise/bin/lw-get-status

A healthy result should look like this:

LSA Server Status:
Agent version: 5.0.0
Uptime:        2 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
        Status:   Online
        Mode:     Local system
[Authentication provider: lsa-activedirectory-provider]
        Status:   Online
        Mode:     Un-provisioned
        Domain:   likewisedemo.com
        Forest:   likewisedemo.com
        Site:     Default-First-Site-Name

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication daemon.

If the result looks like the line below, check the status of the Likewise daemons to make sure they are running.

Failed to query status from LSA service.
The LSASS server is not responding.

Run the id Command to Check the User

Run the following id command to check whether nsswitch is properly configured to handle AD user account information:

id DOMAIN\\username

Example: id likewisedemo\\kathy

If the command does not show information for the user, check whether the /etc/nsswitch.conf file is properly configured for passwd and group: Both entries should include the lsass parameter.

If /etc/nsswitch.conf is properly configured, the Likewise name service libraries might be missing or misplaced. It is also possible that the LD_PRELOAD or LD_LIBRARY_PATH variables are defined without including the Likewise libraries.

Switch User to Check PAM

Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:

su DOMAIN\\username

Example: su likewisedemo\\hoenstiv

Test SSH

Check whether you can log on with SSH by executing the following command:

ssh DOMAIN\\username@localhost

Example: ssh likewisedemo.com\\hoenstiv@localhost

Run the Authentication Daemon in Debug Mode

To troubleshoot the lookup of a user or group ID, you can set the Likewise authentication daemon to run in debug mode and show the log in the console by executing this command:

/opt/likewise/sbin/lsassd --loglevel debug

Check Nsswitch.Conf

Make sure /etc/nsswitch.conf is configured correctly to work with Likewise. For more information, see Configuring Clients Before Agent Installation.

On HP-UX, Escape Special Characters at the Console

When you log on to the console on some versions of HP-UX, such as 11.23, you might need to escape special characters, such as @ and #, by preceding them with a slash (\). For more information, see your HP-UX documentation.

Additional Diagnostic Tools

There are additional command-line utilities that you can use to troubleshoot logon problems in the following directory:

 /opt/likewise/bin

See Also

Resolve an AD Alias Conflict with a Local Account

Here are the top 10 reasons that an attempt to join a domain fails:

See Also

Generate a Domain-Join Log

To troubleshoot problems with joining a Linux computer to a domain, perform the following series of diagnostic tests sequentially on the Linux computer with a root account. The tests can also be used to troubleshoot domain-join problems on a Unix or Mac OS X computer; however, the syntax of the commands on Unix and Mac might be slightly different.

The procedures in this topic assume that you have already checked whether the problem falls under the Top 10 Reasons Domain Join Fails. It is also recommended that you generate a domain-join log.

Verify that the Name Server Can Find the Domain

Run the following command as root:

nslookup YourADrootDomain.com

Make Sure the Client Can Reach the Domain Controller

You can verify that your computer can reach the domain controller by pinging it:

ping YourDomainName

Verify that Outbound Ports Are Open

Run the following command as root:

domainjoin-cli join --details firewall likewisedemo.com

The results of the command show whether you must open any ports.

For a list of ports that must be open on the client, see Make Sure Outbound Ports Are Open.

Check DNS Connectivity

The computer might be using the wrong DNS server or none at all. Make sure the nameserver entry in /etc/resolv.conf contains the IP address of a DNS server that can resolve the name of the domain you are trying to join. The IP address is likely to be that of one of your domain controllers.

Make Sure nsswitch.conf Is Configured to Check DNS for Host Names

The /etc/nsswitch.conf file must contain the following line. (On AIX, the file is /etc/netsvc.conf.)

hosts: files dns

Computers running Solaris, in particular, may not contain this line in nsswitch.conf until you add it.

Generate a Domain-Join Log

To log information about your attempt to join a domain, you can use the command-line utility's log option with the join command. The log option captures information about the attempt to join the domain on the screen or in a file.

After you generate a log, review it for information that might help solve the problem.

Ensure that DNS Queries Are Not Using the Wrong Network Interface Card

If the computer is multi-homed, the DNS queries might be going out the wrong network interface card. Temporarily disable all the NICs except for the card on the same subnet as your domain controller or DNS server and then test DNS lookups to the AD domain. If this works, re-enable all the NICs and edit the local or network routing tables so that the AD domain controllers are accessible from the host.

Determine Whether the DNS Server Is Configured to Return SRV Records

Your DNS server must be set to return SRV records so the domain controller can be located. It is common for non-Windows (bind) DNS servers to not be configured to return SRV records.

Diagnose it by executing the following command:

nslookup -q=srv _ldap._tcp. ADdomainToJoin.com

Make Sure that the Global Catalog Is Accessible

The global catalog for Active Directory must be accessible. A global catalog in a different zone might not show up in DNS. Diagnose it by executing the following command:

nslookup -q=srv _ldap._tcp.gc._msdcs. ADrootDomain.com

From the list of IP addresses in the results, choose one or more addresses and test whether they are accessible on Port 3268 by using telnet.

telnet 192.168.100.20 3268

Trying 192.168.100.20... Connected to sales-dc.likewisedemo.com (192.168.100.20). Escape character is '^]'. Press the Enter key to close the connection: Connection closed by foreign host.  

Verify that the Client Can Connect to the Domain on Port 123

The following test checks whether the client can connect to the domain controller on Port 123 and whether the Network Time Protocol (NTP) service is running on the domain controller. For the client to join the domain, NTP -- the Windows time service -- must be running on the domain controller.

On a Linux computer, run the following command as root:

ntpdate -d -u  DC_hostname 

Example: ntpdate -d -u sales-dc

For more information, see Diagnose NTP on Port 123.

In addition, check the logs on the domain controller for errors from the source named w32tm, which is the Windows time service.

An inaccessible trust can block you from successfully joining a domain. If you know that there are inaccessible trusts in your Active Directory network, you can set Likewise to ignore all the trusts before you try to join a domain. To do so, use the lwconfig tool to modify the values of the DomainManagerIgnoreAllTrusts setting.

First, list the available trust settings:

/opt/likewise/bin/lwconfig --list | grep -i trust

The results will look something like this. The setting at issue is DomainManagerIgnoreAllTrusts.

DomainManagerIgnoreAllTrusts
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList

Second, list the details of the DomainManagerIgnoreAllTrusts setting to see the values it accepts:

[root@rhel5d bin]# ./lwconfig --details DomainManagerIgnoreAllTrusts
Name: DomainManagerIgnoreAllTrusts
Description: When true, ignore all trusts during domain enumeration.
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.

Third, change the setting to true so that Likewise will ignore trusts when you try to join a domain.

[root@rhel5d bin]# ./lwconfig DomainManagerIgnoreAllTrusts true

Finally, check to make sure the change took effect:

[root@rhel5d bin]# ./lwconfig --show DomainManagerIgnoreAllTrusts
boolean
true
local policy

Now try to join the domain again. If successful, keep in mind that only users and groups who are in the local domain will be able to log on the computer.

In the example output above that shows the setting's current values, local policy is listed -- meaning that the policy is managed locally through lwconfig because a Likewise Enterprise group policy is not managing the setting. Typically, with Likewise Enterprise, you would manage the DomainManagerIgnoreAllTrusts policy by using the corresponding group policy, but you cannot apply group policies to the computer until after it is added to the domain. The corresponding Likewise group policy is named Lsass: Ignore all trusts during domain enumeration. For more information on the domain manager group policies to set whitelists and blacklists for trusts, see the Group Policy Administration Guide.

For information on the arguments of lwconfig, run the following command:

/opt/likewise/bin/lwconfig --help

This section lists solutions to common errors that can occur when you try to join a domain.

Warning: A resumable error occurred while processing a module.
Even though the configuration of 'krb5' was executed, the configuration did not
fully complete. Please contact Likewise support.

Error: chkconfig failed [code 0x00080019]

When you use the Likewise domain-join utility to join a Linux or Unix client to a domain, the utility might be unable to contact the domain controller on Port 123 with UDP. The Likewise agent requires that Port 123 be open on the client so that it can receive NTP data from the domain controller. In addition, the time service must be running on the domain controller.

You can diagnose NTP connectivity by executing the following command as root at the shell prompt of your Linux machine:

ntpdate -d -u DC_hostname 

Example: ntpdate -d -u sales-dc

If all is well, the result should look like this:

[root@rhel44id ~]# ntpdate -d -u sales-dc
2 May 14:19:20 ntpdate[20232]: ntpdate 4.2.0a@1.1190-r Thu Apr 20 11:28:37 EDT 2006 (1)
Looking for host sales-dc and service ntp
host found : sales-dc.likewisedemo.com
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
receive(192.168.100.20)
transmit(192.168.100.20)
server 192.168.100.20, port 123
stratum 1, precision -6, leap 00, trust 000
refid [LOCL], delay 0.04173, dispersion 0.00182
transmitted 4, in filter 4
reference time:    cbc5d3b8.b7439581  Fri, May  2 2008 10:54:00.715
originate timestamp: cbc603d8.df333333  Fri, May  2 2008 14:19:20.871
transmit timestamp:  cbc603d8.dda43782  Fri, May  2 2008 14:19:20.865
filter delay:  0.04207  0.04173  0.04335  0.04178
 0.00000  0.00000  0.00000  0.00000
filter offset: 0.009522 0.008734 0.007347 0.005818
 0.000000 0.000000 0.000000 0.000000
delay 0.04173, dispersion 0.00182
offset 0.008734
2 May 14:19:20 ntpdate[20232]: adjust time server 192.168.100.20 offset 0.008734 sec

Output When There Is No NTP Service

If the domain controller is not running NTP on Port 123, the command returns a response such as no server suitable for synchronization found, as in the following output:

5 May 16:00:41 ntpdate[8557]: ntpdate 4.2.0a@1.1190-r Thu Apr 20 11:28:37 EDT 2006 (1)
Looking for host RHEL44ID and service ntp
host found : rhel44id.likewisedemo.com
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
transmit(127.0.0.1)
127.0.0.1: Server dropped: no data
server 127.0.0.1, port 123
stratum 0, precision 0, leap 00, trust 000
refid [127.0.0.1], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Wed, Feb  6 2036 22:28:16.000
originate timestamp: 00000000.00000000  Wed, Feb  6 2036 22:28:16.000
transmit timestamp:  cbca101c.914a2b9d  Mon, May  5 2008 16:00:44.567
filter delay:  0.00000  0.00000  0.00000  0.00000
 0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
 0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000
5 May 16:00:45 ntpdate[8557]: no server suitable for synchronization found

The Apache web server locks the keytab file, which can block an attempt to join a domain. If the computer is running Apache, stop Apache, join the domain, and then restart Apache.

To quickly change an end-user setting for the Likewise agent, you can run the lwconfig command-line tool as root:

/opt/likewise/bin/lwconfig

The syntax to change the value of a setting is as follows, where setting is replaced by the registry entry that you want to change and value by the new value that you want to set:

/opt/likewise/bin/lwconfig setting value

Here's an example of how to use lwconfig to change the AssumeDefaultDomain setting:

[root@rhel5d bin]# ./lwconfig --detail AssumeDefaultDomain 
Name: AssumeDefaultDomain
Description: Apply domain name prefix to account name at logon
Type: boolean
Current Value: false
Accepted Values: true, false
Current Value is determined by local policy.

[root@rhel5d bin]# ./lwconfig AssumeDefaultDomain true 

[root@rhel5d bin]# ./lwconfig --show AssumeDefaultDomain 
boolean
true
local policy

To view the settings that you can change with lwconfig, execute the following command:

/opt/likewise/bin/lwconfig --list

You can also import and apply a number of settings with a single command by using the --file option combined with a text file that contains the settings that you want to change followed by the values that you want to set. Each setting-value pair must be on a single line. For example, the contents of my flat file, named newRegistryValuesFile and saved to the desktop of my Red Hat computer, looks like this:

AssumeDefaultDomain true
RequireMembershipOf "likewisedemo\\support" "likewisedemo\\domain^admins"
HomeDirPrefix /home/ludwig
LoginShellTemplate /bash/sh

To import the file and automatically change the settings listed in the file to the new values, I would execute the following command as root:

/opt/likewise/bin/lwconfig --file /root/Desktop/newRegistryValuesFile

You can add domain users to your local groups on a Linux, Unix, and Mac OS X computer by placing an entry for the user or group in the /etc/group file. Adding an entry for an Active Directory user to your local groups can give the user local administrative rights. The entries must adhere to the following rules:

So, for users and groups without an alias, the form of an entry is as follows:

root:x:0:LIKEWISEDEMO\kristeva

For users and groups with an alias, the form of an entry is as follows:

root:x:0:kris

In /etc/group, the slash character separating the domain name from the account name does not typically need to be escaped.

Tip: On Ubuntu, you can give a domain user administrative privileges by adding the user to the admin group as follows:

admin:x:119:LIKEWISEDEMO\bakhtin

On a Mac OS X computer, you can AD users to a local group with Apple's directory service command-line utility: dscl. In dscl, go to the /Local/Default/Groups directory and then add users to a group by using the append command.

When you add Active Directory entries to your sudoers file -- typically, /etc/sudoers --  you must adhere to at least the following rules:

So, for users and groups without an alias, the form of an entry in the sudoers file is as follows:

DOMAIN\\username

DOMAIN\\groupname

Example entry of a group:

% LIKEWISEDEMO\\LinuxFullAdmins ALL=(ALL) ALL

Example entry of a user with an alias:

kyle ALL=(ALL) ALL

For more information about how to format your sudoers file, see your computer's man page for sudo.

Check a User's Canonical Name on Linux

To determine the canonical name of a Likewise user on Linux, execute the following command, replacing the domain and user in the example with your domain and user:

getent passwd likewisedemo.com\\hab

LIKEWISEDEMO\hab:x:593495196:593494529: Jurgen Habermas:/home/local/ LIKEWISEDEMO/ hab:/bin/ sh

In the results, the user's Likewise canonical name is the first field.

Although Likewise searches a number of common locations for your sudoers file, on some platforms Likewise might not find it. In such cases, you can specify the location of your sudoers file by adding the following line to the Sudo GP Extension section of /etc/likewise/grouppolicy.conf:

SudoersSearchPath = /your/search/path

Example: SudoersSearchPath = "/opt/sfw/etc";

Here's an example in the context of the /etc/likewise/grouppolicy.conf file:

[{20D139DE-D892-419f-96E5-0C3A997CB9C4}]
Name = "Likewise Enterprise Sudo GP Extension";
DllName = "liblwisudo.so";
EnableAsynchronousProcessing = 0;
NoBackgroundPolicy = 0;
NoGPOListChanges = 1;
NoMachinePolicy = 0;
NoSlowLink = 1;
NoUserPolicy = 1;
PerUserLocalSettings = 0;
ProcessGroupPolicy = "ProcessSudoGroupPolicy";
ResetGroupPolicy = "ResetSudoGroupPolicy";
RequireSuccessfulRegistry = 1;
SudoersSearchPath = "/opt/sfw/etc";

On AIX, you can set up audit classes to monitor the activities of users who log on with their Active Directory credentials. The file named /etc/likewise/auditclasses.sample is a template that you can use to set up audit classes for AD users.

To set up an audit class, make a copy of the file, name it /etc/likewise/auditclasses, and then edit the file to specify the audit classes that you want.

After you set up audit classes for a user, the auditing will take place the next time the user logs in.

The sample Likewise auditclasses file looks like this:

#
# Sample auditclasses file.
#
# A line with no label specifies the default audit classes for
# users that are not explicitly listed:
#
general, files
#
# A line starting with a username specifies the audit classes for
# that AD user.  The username must be specified as the "canonical"
# name for the user: either "DOMAIN\username" or just "username"
# if "--assumeDefaultDomain yes" was passed to domainjoin-cli
# with "--userDomainPrefix DOMAIN".  In Likewise Enterprise, if
# the user has an alias specified in the cell the alias name must
# be used here.
# 
DOMAIN\user1: general, files, tcpip
user2: general, cron
#
# A line starting with an @ specifies the audit classes for members
# of an AD group.  These classes are added to the audit classes
# for the user (or the default, if the user is not listed here).
# Whether to specify "DOMAIN\groupname" or just "groupname" follows
# the same rules as for users.
#
@DOMAIN\mail_users: mail
group2: cron

For information on AIX audit classes, see the IBM documentation for your version of AIX.

Logging can help identify and solve problems. There are debug logs for the following services in Likewise Open and Likewise Enterprise:

In addition, the following services are part of Likewise Enteprise only -- they are not relevant to troubleshooting problems with Likewise Open:

The log messages are processed by syslog, typically through the daemon facility. Although the path and file name of the log vary by platform, they typically appear in a subdirectory of /var/log. Remember that when you change the log level of a Likewise service to debug, you must also add the following line to /etc/syslog.conf, save it, and then restart the syslog service by running service syslog restart at the command line:

*.debug /tmp/debug.log

Alternatively, you can use the logfile option to specify a location and name for the log file, as the procedure to generate an authentication debug log illustrates.

Log levels can be changed both temporarily and permanently. The following log levels are available for most Likewise services: debug, error, warning, info, verbose, and trace. The default is error. To troubleshoot, it is recommended that you change the level to debug. To conserve disk space, it is recommended that you set the log level back to error when you finish troubleshooting.

To temporarily change the log level, you can execute a command for the command line or you can stop the service and then start it up again, specifying the log level you want in the start command. To permanently change the log level, you must modify the service's entry in the Likewise registry.

Instantly Change the Authentication Service's Log Level from the Command Line

You can quickly set the Likewise log level for the Likewise authentication daemon by executing the following command and replacing level with one of the available logging levels: error, warning, info, verbose, debug, trace.

Changing the log level on the fly is useful to isolate and capture information when a command or operation fails. If, for example, you run a command and it fails, you can change the log level and then run the command again to get information about the failure.

/opt/likewise/bin/lw-set-log-level newLevel

Example: /opt/likewise/bin/lw-set-log-level debug

When you change the log level with the lw-set-log-level command, the log level is changed only until the service or the computer restarts. You can use the following command to view the current log level of the authentication service:

/opt/likewise/bin/lw-set-log-level

Syslog messages are logged through the daemon facility. The default setting is error.

Instantly Change the Log Level for Other Services

In /opt/likewise/bin, there are commands to change the log level of several other services:

Change the Log Level to Debug Until the Service Restarts

The following example demonstrates how to change the log level to debug to help troubleshoot a Likewise service. The change is temporary: The service returns to the level specified in the registry when the service restarts. Although this example changes the log level for the site affinity service (netlogon), which detects the optimal domain controller and global catalog, you can use this method to change the log level for the following Likewise daemons: eventlogd, lsassd, lwiod, netlogond, gpagentd, reapsysld, eventfwdd. (See the topics on how to change the log level for the authentication service (lsass) or the group policy agent (gpagentd).)

Permanently Change the Log Level by Editing the Registry

The following example demonstrates how to change the log level to debug by modifying a daemon's arguments in the Likewise registry. You can modify the log level in the registry if you want to permanently change a daemon's log level or log file destination: The log level that you set persists after you restart the service or the computer.

Although the example permanently changes the log level for the authentication service, you can use this method to change the log level and log file location for the following Likewise daemons: eventlogd, lsassd, lwiod, netlogond, gpagentd, reapsysld, eventfwdd.

In the registry, the default setting for lsass looks like this, viewed here by using the registry shell's ls command combined with the path to the lsass key:

/opt/likewise/bin/lwregshell ls '[HKEY_THIS_MACHINE\Services\lsass]'
[HKEY_THIS_MACHINE\Services\lsass]
"Arguments"="/opt/likewise/sbin/lsassd --syslog"
"Autostart"=dword:00000001
"Dependencies"="netlogon lwio lwreg rdr npfs"
"Description"="Likewise Security and Authentication Subsystem"
"Environment"=""
"FdLimit"=dword:00000400
"Path"="/opt/likewise/sbin/lsassd"
"Type"=dword:00000001

Notice that the default is logging target is syslog. You can change the value by executing the registry shell's set_value command from the command line, like this:

/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass]' Arguments "/opt/likewise/sbin/lsassd --logfile /tmp/lsasslog.txt --loglevel debug"

The value of Arguments has been updated to the specified value:

/opt/likewise/bin/lwregshell ls '[HKEY_THIS_MACHINE\Services\lsass]'
[HKEY_THIS_MACHINE\\Services\lsass]
  "Arguments"    REG_SZ          "/opt/likewise/sbin/lsassd --logfile /tmp/lsasslog.txt --loglevel debug"
  "Autostart"    REG_DWORD       0x00000001 (1)
  "Dependencies" REG_SZ          "netlogon lwio lwreg rdr npfs"
  "Description"  REG_SZ          "Likewise Security and Authentication Subsystem"
  "Environment"  REG_SZ          ""
  "FdLimit"      REG_DWORD       0x00000400 (1024)
  "Path"         REG_SZ          "/opt/likewise/sbin/lsassd"
  "Type"         REG_DWORD       0x00000001 (1)

After you modify a registry setting for a Likewise service, you must refresh the corresponding service with the Likewise Service Manager for the changes to take effect.

Note: Permanently changing the log level to info, debug or verbose will likely result in issues with disk space over time.

/opt/likewise/bin/lwconfig --details PAMLogLevel
Name: PAMLogLevel
Description: Configure PAM lsass logging detail level
Type: string
Current Value: "disabled"
Acceptable Value: "disabled"
Acceptable Value: "error"
Acceptable Value: "warning"
Acceptable Value: "info"
Acceptable Value: "verbose"
Current Value is determined by local policy.

/opt/likewise/bin/lwconfig --show PAMLogLevel
string
error
local policy

sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo killall DirectoryService

tcpdump -s0 -wnetwork.pcap

sudo rm /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo killall DirectoryService

/opt/likewise/bin/lwsm stop gpagent
/opt/likewise/sbin/gpagentd --loglevel debug --logfile /tmp/gpagentd.log --start-as-daemon

tcpdump: listening on eth0
28 packets received by filter
0 packets dropped by kernel

The following resources can help troubleshoot time synchronization and other Kerberos issues:

KRB ERROR BAD OPTION

_kerberos._tcp.green.likewisedemo.com 0 100 389 ad2.bluesky.likewisedemo.com
_kerberos._udp.green.likewisedemo.com 0 100 389 ad2.bluesky.likewisedemo.com

[domain_realm]
.bluesky.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM
bluesky.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM

.green.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM
green.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM

[domain_realm]
.bluesky.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM
bluesky.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM
.green.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM
green.likewisedemo.com = BLUESKY.LIKEWISEDEMO.COM

search likewisedemo.com
nameserver 127.0.0.1

For instructions on how to generate a PAM debug log, see the section on Logging.

The Likewise Service Manager lets you track and troubleshoot all the Likewise services with a single command-line utility. You can, for instance, check the status of the services and start or stop them. The service manager is the preferred method for restarting a service because it automatically identifies a service's dependencies and restarts them in the right order. In addition, you can use the service manager to set the logging destination and the log level.

To list the status of the services, run the following command with superuser privileges at the command line:

/opt/likewise/bin/lwsm list

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm list
lwreg       running (standalone: 1920)
dcerpc      running (standalone: 2544)
eventlog    running (standalone: 2589)
lsass       running (standalone: 2202)
lwio        running (standalone: 2191)
netlogon    running (standalone: 2181)
npfs        running (io: 2191)
pvfs        stopped
rdr         running (io: 2191)
srv         stopped
srvsvc      stopped

To restart the lsass service, run the following command with superuser privileges:

/opt/likewise/bin/lwsm restart lsass

After you change a setting in the registry, you must use the service manager to force the service to begin using the new configuration by executing the following command with super-user privileges. This example refreshes the lsass service:

/opt/likewise/bin/lwsm refresh lsass

To view information about the lsass service, including its dependencies, run the following command:

/opt/likewise/bin/lwsm info lsass

Example:

[root@rhel5d bin]# /opt/likewise/bin/lwsm info lsass
Service: lsass
Description: Likewise Security and Authentication Subsystem
Type: executable
Autostart: no
Path: /opt/likewise/sbin/lsassd
Arguments: '/opt/likewise/sbin/lsassd' '--syslog'
Dependencies: netlogon lwio lwreg rdr npfs

To view all the service manager's commands and arguments, run the following command:

/opt/likewise/bin/lwsm --help

To quickly change an end-user setting in the registry for the Likewise agent, you can run the lwconfig command-line tool as root:

/opt/likewise/bin/lwconfig

For more information, see Modify Settings with the lwconfig Tool.

You can access and modify the Likewise registry by using the registry shell -- lwregshell. The shell works in a way that is similar to BASH. You can view a list of the commands that you can execute in the shell by entering help:

/opt/likewise/bin/lwregshell
\> help

You can also manage the registry by executing the registry's commands from the command line. For more information, see Configuring the Likewise Services with the Registry.

Executing the following command exports the contents of the Likewise registry to the editor specified by your EDITOR environment variable. You can use the lw-edit-reg command to quickly view the contents of the registry and make changes to the settings. Then, you can launch the registry shell and import the modified file so that your changes take effect.

/opt/likewise/bin/lw-edit-reg

If you have not set a default editor, the script searches for an available editor in the following order: gedit, vi, friends, emacs. On platforms without gedit, an error may occur. You can correct the error by setting the EDITOR environment variable to an available editor, such as vi:

export EDITOR=vi

You can set the Likewise log level for the Likewise authentication daemon by executing the following command and replacing level with one of the available logging levels: error, warning, info, verbose, debug, trace.

/opt/likewise/bin/lw-set-log-level level

Example: /opt/likewise/bin/lw-set-log-level debug

The log level is changed only until the authentication service (lsass) or the computer restarts. Syslog messages are logged through the daemon facility. The default setting is error.

After you change the hostname of a computer, you must also change the name in the Likewise local provider database so that the local Likewise accounts use the correct prefix. To do so, execute the following command as root, replacing hostName with the name that you want:

/opt/likewise/bin/lw-set-machine-name hostName

On a Unix or Linux computer that is joined to an Active Directory domain, you can check a domain user's or group's information by either name or ID. These commands can verify that the client can locate the user or group in Active Directory.

Find a User by Name

Execute the following command, replacing domain\\username with the full domain user name or the single domain user name of the user that you want to check:

/opt/likewise/bin/lw-find-user-by-name domain\\username

Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hab

You can optionally specify the level of detail of information that is returned. Example:

/opt/likewise/bin/lw-find-user-by-name --level 2 likewisedemo\\hab
User info (Level-2):
====================
Name:                       LIKEWISEDEMO\hab
UPN:                         hab@likewisedemo.com
Uid:                        593495196
Gid:                        593494529
Gecos:                      Jurgen Habermas
Shell:                      /bin/sh
Home dir:                   /home/LIKEWISEDEMO/hab
LMHash length:              0
NTHash length:              0
Local User:                 NO
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     TRUE
Password Expired:           FALSE
Prompt for password change: YES

For more information, execute the following command:

/opt/likewise/bin/lw-find-user-by-name --help

Find a User by UID

To find a user by UID, execute the following command, replacing UID with the user's ID:

 /opt/likewise/bin/lw-find-user-by-id UID

Example:

/opt/likewise/bin/lw-find-user-by-id 593495196

Find a Group by Name

 /opt/likewise/bin/lw-find-group-by-name domain\\username

Example:

/opt/likewise/bin/lw-find-group-by-name likewisedemo.com\\dnsadmins

Find a Group by ID

 /opt/likewise/bin/lw-find-group-by-id GID

Example:

[root@rhel4d bin]# /opt/likewise/bin/lw-find-group-by-id 593494534
Group info (Level-0):
====================
Name:     LIKEWISEDEMO\schema^admins
Gid:      593494534
SID:      S-1-5-21-382349973-3885793314-468868962-518

Tip: To view this command's options, type the following command:

/opt/likewise/bin/lw-find-group-by-id --help

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can find a user in Active Directory by his or her security identifier (SID). To find a user by SID, execute the following command as root, replacing SID with the user's security identifier:

 /opt/likewise/bin/lw-find-by-sid SID

Example:

[root@rhel4d bin]# /opt/likewise/bin/lw-find-by-sid S-1-5-21-382349973-3885793314-468868962-1180
User info (Level-0):
====================
Name:      LIKEWISEDEMO\hab
SID:      S-1-5-21-382349973-3885793314-468868962-1180
Uid:      593495196
Gid:      593494529
Gecos:     Jurgen Habermas
Shell:    /bin/ sh
Home dir: /home/ LIKEWISEDEMO/ hab

Tip: To view the command's options, type the following command:

/opt/likewise/bin/lw-find-by-sid --help

To find the groups that a user is a member of, execute the following command followed by either the user's name or UID:

/opt/likewise/bin/lw-list-groups-for-user

Example: /opt/likewise/bin/lw-list-groups-for-user 593495196

Here's the command and its result for the user likewisedemo\\hab:

[root@rhel5d bin]# ./lw-list-groups-for-user likewisedemo\\hab
Number of groups found for user 'likewisedemo\hab' : 2
Group[1 of 2] name = LIKEWISEDEMO\enterprise^admins (gid = 593494535)
Group[2 of 2] name = LIKEWISEDEMO\domain^users (gid = 593494529)

Tip: To view this command's options, type the following command:

/opt/likewise/bin/lw-list-groups-for-user --help

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can enumerate the groups in Active Directory and view their members, GIDs, and SIDs:

 /opt/likewise/bin/lw-enum-groups --level 1

The Likewise agent enumerates groups in the primary domain. Groups in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

Tip: To view the command's options, type the following command:

/opt/likewise/bin/lw-enum-groups --help

On a Linux, Unix, or Mac OS X computer that is joined to a domain, you can enumerate the users in Active Directory and view their members, GIDs, and SIDs:

 /opt/likewise/bin/lw-enum-users

The Likewise agent enumerates users in the primary domain. Users in trusted domains and linked cells are not enumerated. NSS membership settings in the registry do not affect the result of the command.

Tip: To view the command's options, type the following command:

/opt/likewise/bin/lw-enum-users --help

To view full information about the users, include the level option when you execute the command:

/opt/likewise/bin/lw-enum-users --level 2

Example result for a one-user batch:

User info (Level-2):
====================
Name:                       LIKEWISEDEMO\sduval
UPN:                        SDUVAL@LIKEWISEDEMO.COM
Generated UPN:              NO
Uid:                        593495151
Gid:                        593494529
Gecos:                      Shelley Duval
Shell:                      /bin/sh
Home dir:                   /home/LIKEWISEDEMO/sduval
LMHash length:              0
NTHash length:              0
Local User:                 NO
Account disabled:           FALSE
Account Expired:            FALSE
Account Locked:             FALSE
Password never expires:     FALSE
Password Expired:           FALSE
Prompt for password change: NO

Likewise includes two authentication providers:

If the AD provider is offline, you will be unable to log on with your AD credentials. To check the status of the authentication providers, execute the following command as root:

 /opt/likewise/bin/lw-get-status

A healthy result should look like this:

LSA Server Status:
Agent version: 5.4.0
Uptime:        22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
        Status:   Online
        Mode:     Local system
[Authentication provider: lsa-activedirectory-provider]
        Status:   Online
        Mode:     Un-provisioned
        Domain:   likewisedemo.com
        Forest:   likewisedemo.com
        Site:     Default-First-Site-Name

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication daemon.

If the result looks like the line below, check the status of the Likewise daemons to make sure they are running.

Failed to query status from LSA service.  The LSASS server is not responding.

To check the status of the daemons, run the following command as root:

/opt/likewise/bin/lwsm list

This command retrieves the Active Directory domain to which the computer is connected. The command's location is as follows:

/opt/likewise/bin/lw-lsa ad-get-machine account

This command lists the domain controllers for a target domain. You can delimit the list in several ways, including by site. The command's location is as follows:

/opt/likewise/bin/lw-get-dc-list

Example usage:

[root@rhel5d bin]# ./lw-get-dc-list likewisedemo.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.likewisedemo.com', Address = '192.168.100.132'

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-get-dc-list --help

This command displays the name of the current domain controller for the domain you specify. The command can help you select a domain controller. The command's location is as follows:

/opt/likewise/bin/lw-get-dc-name DomainName

To select a domain controller, run the following command as root until the domain controller you want is displayed. Replace DomainName with the name of your domain:

/opt/likewise/bin/lw-get-dc-name DomainName --force

This command displays the time of the current domain controller for the domain that you specify. The command can help you determine whether there is a Kerberos time-skew error between a Likewise client and a domain controller. The command's location is as follows:

/opt/likewise/bin/lw-get-dc-time

Example:

[root@rhel5d bin]# ./lw-get-dc-time likewisedemo.com
DC TIME: 2009-09-08 14:54:18 PDT

This command displays the logging status of the Likewise authentication service. The location of the command is as follows:

/opt/likewise/bin/lw-get-log-info

Example output:

[root@rhel5d bin]# ./lw-get-log-info 
Current log settings:
=================
LSA Server is logging to syslog
Maximum allowed log level: error

This command displays local security events from the Likewise event log. For information about using the log, see Monitoring Events. The location of the command is as follows:

/opt/likewise/bin/lw-get-metrics

Example output:

[root@rhel5d bin]# ./lw-get-metrics 
Failed authentications:       3
Failed user lookups by name:  34
Failed user lookups by id:    0
Failed group lookups by name: 0
Failed group lookups by id:   0
Failed session opens:         32
Failed session closures:      33
Failed password changes:      0
Unauthorized access attempts: 0

To view the command's options, execute the following command:

/opt/likewise/bin/lw-get-metrics --help

You can print out the machine account name, machine account password, SID, and other information by running the following command as root.

/opt/likewise/bin/lw-lsa ad-get-machine account domainDNSName

Example: /opt/likewise/bin/lw-lsa ad-get-machine account likewisedemo.com

After you change a setting in the registry for the Likewise agent, you must force the agent to load the change by executing the following command with super-user privileges:

 /opt/likewise/bin/lw-refresh-configuration

This command turns on trace markers in the messages logged by the lwiod and lsassd daemons. You can use the command to obtain more debugging information than that provided by the log level for debugging.

/opt/likewise/bin/lw-lsa trace-info

Example usage:

/opt/likewise/bin/lw-lsa trace-info --set user-group-queries:0,authentication:1 --get user-group-administration

To view this command's options, type the following command:

/opt/likewise/bin/lw-lsa trace-info --help

This command registers an IP address for the computer in DNS. The command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.

/opt/likewise/bin/lw-update-dns

Here's an example of how to use it to register an IP address:

/opt/likewise/bin/lw-update-dns --ipaddress 192.168.100.4 --fqdn corp.likewisedemo.com

If your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the command once with multiple instances of the ipaddress option:

/opt/likewise/bin/lw-update-dns --fqdn corp.likewisedemo.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7 --ipaddress 192.168.100.9

To troubleshoot, you can add the loglevel option with the debug parameter to the command:

/opt/likewise/bin/lw-update-dns --loglevel debug --fqdn corp.likewisedemo.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7

For more information on the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-update-dns --help

This command manages the Likewise cache for Active Directory users and groups on Linux and Unix computers. The command's location is as follows:

/opt/likewise/bin/lw-ad-cache

You can use the command to clear the cache. The command's arguments can delete from the cache a user, a group, or all users and groups. The following example demonstrates how to delete all the users and groups from the cache:

/opt/likewise/bin/lw-ad-cache --delete-all

Tip: To reclaim disk space from SQLite after you clear the cache when you are using the non-default SQLite caching option, execute the following command as root, replacing fqdn with your fully qualified domain name:

/opt/likewise/bin/sqlite3 /var/lib/likewise/db/lsass-adcache.db.fqdn vacuum

You can also use the lw-ad-cache command to enumerate users in the cache, which may be helpful in troubleshooting. Example:

[root@rhel5d bin]# ./lw-ad-cache --enum-users
TotalNumUsersFound:      0
[root@rhel5d bin]# ssh likewisedemo.com\\hab@localhost
Password: 
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.likewisedemo.com
[LIKEWISEDEMO\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./lw-ad-cache --enum-users
User info (Level-0):
====================
Name:     LIKEWISEDEMO\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/LIKEWISEDEMO/hab
TotalNumUsersFound:      1
[root@rhel5d bin]# 

To view all the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ad-cache --help

Clear the Cache on a Mac OS X Computer

On a Mac OS X computer, clear the cache by running the following command with superuser privileges in Terminal:

dscacheutil -flushcache

domainjoin-cli is the command-line utility for joining or leaving a domain. For instructions on how to use it, see Join Active Directory with the Command Line.

This command is the Likewise NIS ypcat function for group passwd and netgroup maps.

/opt/likewise/bin/lw-ypcat

Example usage:

/opt/likewise/bin/lw-ypcat -d likewisedemo.com -k map-name

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ypcat --help

This command is the Likewise NIS ypmatch function for group passwd and netgroup maps.

/opt/likewise/bin/lw-ypmatch

Example usage:

/opt/likewise/bin/lw-ypmatch -d likewisedemo.com -k key-name map-name

To view the command's syntax and arguments, execute the following command:

/opt/likewise/bin/lw-ypmatch --help

Likewise Enterprise includes a tool to modify objects in Active Directory from the command line of a Linux, Unix, or Mac OS X computer. Located at /opt/likewise/bin/lw-adtool, the tool has two interrelated functions:

You can view a list of these two categories by executing the following command:

/opt/likewise/bin/lw-adtool --help -a

Here's what the ouput of the command looks like:

[root@rhel5d bin]# ./lw-adtool --help -a

  List of Actions

  Generic Active Directory actions:
  --------------------------------

  add-to-group - add a domain user/group to a security group.
  delete-object - delete an object.
  disable-user - disable a user account in Active Directory.
  enable-user - enable a user account in Active Directory.
  lookup-object - retrieve object attributes.
  move-object - move/rename an object.
  new-computer - create a new computer object.
  new-group - create a new global security group.
  new-ou - create a new organizational unit.
  new-user - create a new user account.
  remove-from-group - remove a user/group from a security group.
  reset-user-password - reset user's password.
  search-computer - search for computer objects, print DNs.
  search-group - search for group objects, print DNs.
  search-object - search for any type of objects using LDAP filter.
  search-ou - search for organizational units, print DNs
  search-user - search for users, print DNs.

  Likewise cell management actions:
  --------------------------------

  add-to-cell - add user/group to a Likewise cell.
  delete-cell - delete a Likewise cell.
  edit-cell - modify Likewise cell properties.
  edit-cell-group - modify properties of a cell's group.
  edit-cell-user - modify properties of a cell's user.
  link-cell - link Likewise cells.
  lookup-cell - retrieve Likewise cell properties.
  lookup-cell-group - retrieve properties of cell's group.
  lookup-cell-user - retrieve properties of cell's user.
  new-cell - create a new Likewise cell.
  remove-from-cell - remove user/group from a Likewise cell.
  search-cells - search for Likewise cells.
  unlink-cell - unlink Likewise cells.

To get information about the options for each action, use the following syntax:

/opt/likewise/bin/lw-adtool --help -a <ACTION>

Here's an example with the information that is returned:

/opt/likewise/bin/lw-adtool --help -a new-user

Usage: lw-adtool [OPTIONS] (-a |--action) new-user <ARGUMENTS>

new-user - create a new user account.

Acceptable arguments ([X] - required):

      --dn=STRING                    DN/RDN of the parent container/OU containing the
                                     user. (use '-' for stdin input)
      --cn=STRING                    Common name (CN) of the new user. (use '-' for
                                     stdin input)
      --logon-name=STRING            Logon name of the new user.  (use '-' for stdin
                                     input) [X]
      --pre-win-2000-name=STRING     Pre Windows-2000 logon name.
      --first-name=STRING            First name of the new user.
      --last-name=STRING             Last name of the new user.
      --description=STRING           Description of the user.
      --password=STRING              User's password. (use '-' for stdin input)
      --no-password-expires          The password never expires. If omitted - user
                                     must change password on next logon.
      --account-enabled              User account will be enabled. By default it is
                                     disabled on creation

Notes on Using the Tool

Privileges: When you run the tool, you must use an Active Directory account with privileges that allow you to perform the command's action. The level of privileges that you need is set by Microsoft Active Directory and is typically the same as performing the corresponding action in Microsoft Active Directory Users and Computers. For example, to add a user to a security group, you must be a member of a security group, such as the enterprise administrators security group, that has privileges to perform the action.

For more information on Active Directory privileges, permissions, and security groups, see the following references on the Microsoft Technet web site: Active Directory Privileges, Active Directory object permissions, Active Directory Users, Computers, and Groups, Securing Active Directory Administrative Groups and Accounts.

Options There are short and long options. You separate arguments from options with either space or equal sign. If you are not sure about the results of an action you want to execute, run it in read-only mode first (-r). Also it can be useful to set log level to TRACE (-l 5) to see all the execution steps the tool is taking. Authentication SSO by default if the machine is domain-joined. Otherwise, KRB5 via a cached ticket, keytab file, or name/password (unless secure authentication is turned-off (--no-sec)) Name resolution In most cases you can reference objects by FQDN, RDN, UPN, or just names that make sense for a specific action. Use “-“ if you want the tool to read values from stdin. This allows you to combine commands via pipes, e.g. search and lookup actions. Multi-forest support You can reference object from a name context (forest) different from the one you are currently connected to, provided that there is a proper trust relation between them. In this way, for instance, you can add a user that lives in one forest to a cell defined in another forest.

Creating a New Cell: When you create a new cell, the tool adds the default primary group (domain users) to the cell. If you are adding a user to the cell and the user has a primary group different from the default group, which is an atypical case, you must add the primary group to the cell, too. The tool does not do it automatically.

Adding Users or Groups Across Domains: If you are adding a user or group to a cell, and the user or group is in a domain different from the one hosting the cell, you must use an account that has write permissions in the cell domain and at least read permissions in the domain hosting the user or group. If, for example, you want to add a user such as CORP\kathy, whose primary group is, say, domain users, to a cell in a domain named CORPQA, two conditions must be met: First, you must be authenticated to the CORPQA domain as a user with administrative rights in the CORPQA domain; second, your user account must exist in the CORP domain with at least read permissions for the CORP domain. Further: Since in this example the primary group of CORP\kathy is CORP\domain users, you must add CORP\domain users to the cell in the CORPQA domain, too.

Automating Commands with a Service Account: To run the tool under a service account, such as a cron job, avoid using krb5 tickets for authentication, especially those cached by the Likewise authentication service in the /tmp directory. The tickets may expire and the tool will not renew them. Instead, it is recommended that you create an entry for the service account in a keytab file and use the keytab file for authentication.

Working with a Default Cell: The tool uses the default cell only when the value of the dn parameter is the root naming context, such as when you use an expression like --dn DC=corp,DC=likewise,DC=com to represent corp.likewise.com.

Options

To view the tool's options and to see examples of how to use them, execute the following command:

/opt/likewise/bin/lw-adtool --help

[root@rhel5d bin]# ./lw-adtool --help
Usage: lw-adtool [OPTIONS] <ACTION> [ACTION_ARGUMENTS]

HELP OPTIONS
  -u, --usage                   Display brief usage message
  -?, --help                    Show this message, help on all actions (-a), or help
                                on a specific action (-a <ACTION>).
  -v, --version                 Print program version and exit.

COMMON OPTIONS
  -l, --log-level=LOG_LEVEL     Acceptable values: 1 (error), 2(warning), 3(info),
                                4(verbose) 5 (trace) (Default: warning).
  -q, --quiet                   Suppress printing to stdout. Just set the return code.
                                print-dn option makes an exception.
  -t, --print-dn                Print DNs of the objects to be looked up, modified or
                                searched for.
  -r, --read-only               Do not actually modify directory objects when
                                executing actions.

CONNECTION OPTIONS
  -s, --server=STRING           Active Directory server to connect to.
  -d, --domain=STRING           Domain to connect to.
  -p, --port=INT                TCP port number
  -m, --non-schema              Turn off schema mode

AUTHENTICATION OPTIONS
  -n, --logon-as=STRING         User name or UPN.
  -x, --passwd=STRING           Password for authentication. (use '-' for stdin input)
  -k, --keytab=STRING           Full path of keytab file, e.g. /etc/krb5.keytab
  -c, --krb5cc=STRING           Full path of krb5 ticket cache file, e.g.
                                /tmp/krb5cc_foo@likewisedemo.com
  -z, --no-sec                  Turns off secure authentication. Simple bind will be
                                used. Use with caution!

ACTION
  -a, --action[=<ACTION>]       Action to execute. Type '--help -a' for a list of
                                actions, or '--help -a <ACTION>' for information on a
                                specific action.

Try '--help -a' for a list of actions.

Examples

In some of the examples below, the command is broken into two lines and the line break is marked by a back slash (\). In such cases, the back slash is not part of the command.

Create OU in a root naming context:
lw-adtool -a new-ou --dn OU=TestOu

Create OU in DC=department,DC=company,DC=com:
lw-adtool -a new-ou --dn OU=TestOu,DC=department,DC=company,DC=com

Create Likewise cell in OU TestOU setting the default login shell property to /bin/ksh:
lw-adtool -a new-ou --dn OU=TestOu --default-login-shell=/bin/ksh

Create a new account for user TestUser in OU=Users,OU=TestOu:
lw-adtool -a new-user --dn OU=Users,OU=TestOu --cn=TestUserCN --logon-name=TestUser --password=$PASSWD

Enable the user account:
lw-adtool -a enable-user --name=TestUser

Reset user's password reading the password from TestUser.pwd file:
cat TestUser.pwd | lw-adtool -a reset-user-password --name=TestUser --password=- --no-password-expires

Create a new group in OU=Groups,OU=TestOu:
lw-adtool -a new-group --dn OU=Groups,OU=TestOu --pre-win-2000-name=TestGrooup --name=TestGroup

Look up "description" attribute of an OU specified by name with a wildcard:
lw-adtool -a search-ou --name='*RootOu' -t | lw-adtool -a lookup-object --dn=- --attr=description

Look up "unixHomeDirectory" attribute of a user with samAccountName TestUser:
lw-adtool -a search-user --name TestUser -t | lw-adtool -a lookup-object --dn=- --attr=unixHomeDirectory

Look up "userAccountControl" attribute of a user with CN TestUserCN:
lw-adtool -a search-user --name CN=TestUserCN -t | lw-adtool -a lookup-object --dn=- --attr=userAccountControl

Look up all attributes of an AD object using filter-based search:
lw-adtool -a search-object --filter '(&(objectClass=person)(displayName=TestUser))' -t | lw-adtool -a lookup-object

Add user TestUser to group TestGroup:
lw-adtool -a add-to-group --user TestUser --to-group=TestGroup

Add group TestGroup2 to group TestGroup:
lw-adtool -a add-to-group --group TestGroup2 --to-group=TestGroup

Remove user TestUser from group TestGroup:
lw-adtool -a remove-from-group --user TestUser --from-group=TestGroup

Rename AD object OU=OldName and move it to a new location:
lw-adtool -a move-object --from OU=OldName,DC=department,DC=company,DC=com \
--to OU=NewName,OU=TestOU,DC=department,DC=company,DC=com

Add group TestGroup to Likewise cell in TestOU:
lw-adtool -a add-to-cell --dn OU=TestOU,DC=department,DC=company,DC=com --group=TestGroup

Remove user TestUser from Likewise cell in TestOU:
lw-adtool -a remove-from-cell --dn OU=TestOU,DC=department,DC=company,DC=com --user=TestUser

Search for cells in a specific location:
lw-adtool -a search-cells --search-base OU=department,DC=country,DC=company,DC=com

Link cell in OU=TestOU1 to the default cell in DC=country:
lw-adtool -a link-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com \
--target-dn DC=country,DC=company,DC=com

Unlink cell in OU=TestOU1 from the default cell in DC=country:
lw-adtool -a unlink-cell --source-dn OU=TestOU1,DC=department,DC=company,DC=com \
--target-dn DC=country,DC=company,DC=com

Change the default login shell property of Likewise cell in TestOU:
lw-adtool -a edit-cell --dn OU=TestOU --default-login-shell=/bin/csh

Find cells linked to Likewise cell in OU=TestOU,DC=department,DC=company,DC=com:
lw-adtool -a lookup-cell --dn OU=TestOU --linked-cells

Look up login shell property of user TestUser in cell created in TestOU:
lw-adtool -a lookup-cell-user --dn OU=TestOU --user TestUser --login-shell

Change login shell property of user TestUser in cell created in TestOU:
lw-adtool -a edit-cell-user --dn OU=TestOU --user TestUser --login-shell=/usr/bin/ksh

Delete a cell object and all its children if any (--force):
lw-adtool -a delete-object --dn OU=TestOU --force

Search for Likewise cells in root naming context containing user TestUser:
lw-adtool -a search-cells --user TestUser

The commands prefaced with lwio are included as part of the Likewise-CIFS technology preview. These commands are not covered under your support contract.

[root@rhel5d bin]# ./lwio-get-log-info 
Current log settings:
=================
SMB Server is logging to syslog
Maximum allowed log level: error

The Likewise local authentication provider for local users and groups includes a full local authentication database. With functionality similar to the local SAM authentication database on every Windows computer, the local authentication provider lets you create, modify, and delete local users and groups on Linux, Unix, and Mac OS X computers by using the following commands.

To execute the commands that modify local accounts, you must use either the root account or an account that has membership in the local administrators group. The account can be an Active Directory account if you manually add it to the local administrators group. For example, you could add the Domain Administrators security group from Active Directory to the local administrators group, and then use an account with membership in the Domain Administrators security group to execute the commands.

Likewise includes several command-line utilities for working with Kerberos. It is recommended that you use these Kerberos utilities, located in /opt/likewise/bin, to manage those aspects of Kerberos authentication that are associated with Likewise. For complete instructions on how to use the Kerberos commands, see the man page for the command.

-sh-3.00$ /opt/likewise/bin/klist
Ticket cache: FILE:/tmp/krb5cc_593495191
Default principal: hoenstiv@LIKEWISEDEMO.COM
Valid starting     Expires            Service principal
07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/LIKEWISEDEMO.COM@LIKEWISEDEMO.COM
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.LIKEWISEDEMO.COM@
        renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.LIKEWISEDEMO.COM@LIKEWISEDEMO.COM
        renew until 07/23/08 04:07:23
07/22/08 16:06:40  07/23/08 02:06:39  RHEL4D$@LIKEWISEDEMO.COM
        renew until 07/23/08 04:07:23

/opt/likewise/bin/ktutil 
ktutil:  addent -password -p nonexistent@nonexistent -k 1 -e RC4-HMAC
Password for nonexistent@nonexistent: 
ktutil:  wkt /var/OtherPlace/etc/krb5.keytab
ktutil:  quit

The commands and scripts listed in this section are not for end users. It is recommended that you do not use them.

This section covers the command-line tools that are on a Windows computer running Likewise Enterprise. The commands are in C:\Program Files\Likewise\Enterprise.

C:\Program Files\Likewise\Enterprise>lwopt
lwopt - configures local Windows options for Likewise
Usage:  lwopt OPTIONS
OPTIONS:
   --status           Show current configuration status
   --narrowsearch     Only search the default cell on the local domain
   --widesearch       Search the default cell across all domains and
                      two-way forest trusts
   --sequential       Use sequential IDs instead of hased IDs
   --hashed           Use hashed IDs
   --foreignaliases   Allow the use of aliases for users and groups
                      from other domains.
   --noforeignaliases Disallow the use of aliases for users and groups
                      from other domains.
   --usegc            Use the Global Catalog to speed up searches (default)
   --ignoregc         Do not use the Global Catalog to speed up searches
   --startUID=#       Sets the initial UID number for a cell (if --sequential)
   --startGID=#       Sets the initial GID number for a cell (if --sequential)
   --minID=#          Sets minimum UID and GID number configurable through
                      the UI
   --cell=LDAPPATH    Identifies the cell whose initial IDs (if --sequential)
                      Example: LDAP://somedc/ou=anou,dc=somecom,dc=com
   --enableloginnames  Sets the default login names to all the users enabled
                       in all the cells.
   --disableloginnames Disable the enable default login names option to all
                       users enabled in all the cells.
   --help              Displays this usage information
If the --startUID or --startGID options are set, the --cell option must also
be set.

The Likewise Event Log records and categorizes information about authentication transactions, authorization requests, network events, and other security events on Linux, Unix, and Mac OS X computers. Monitoring events such as failed logon attempts and failed sudo attempts can help prevent unauthorized access to commands, applications, and sensitive resources.

The events are stored in a SQLite database, which is included when you install the Likewise agent. The database is at /var/lib/likewise/db/lwi_events.db and its libraries are at /opt/likewise/lib/. For viewing and modifying the database, Likewise includes a command-line utility at /opt/likewise/bin/sqlite3. For information about SQLite and instructions on how to use the command-line utility, see http://www.sqlite.org/.

The event log records the following events: daemon initializations, successful logins, failed logins, denied sudo attempts, the application of new group policy objects, offline-online transitions and other network connectivity events, and a periodic heartbeat that identifies whether the computer is active.

Likewise includes methods by which you can specify which user and group accounts have read or write access permissions to the event log. The typical methods for setting permissions are the local Likewise configuration registry and Likewise Enterprise group policy objects administered from Active Directory. You can filter events in the event log and you can decide which event categories to log.

Event logging is turned off by default. You can turn on event logging by editing the registry or by using a group policy. Then, you can configure the options for the log in the registry or manage them with the corresponding group policies. Keep in mind that group policies are available only with Likewise Enterprise; Likewise Open does not apply group policies.

After you modify the settings in the registry, you must restart the event log daemon with the root account for the changes to take effect:

/opt/likewise/bin/lwsm refresh eventlogd

For information about managing the event log with the registry, see the chapter on configuring the Likewise agent with the registry. For information about managing the event log with group policies, see the chapter on Likewise group policies.

On a Linux, Unix, or Mac OS X computer, you view the local Likewise Event Log by using the eventlog command-line utility with the root account:

/opt/likewise/bin/lw-eventlog-cli

To view the command's arguments, execute the following command:

/opt/likewise/bin/lw-eventlog-cli -h

You can gain access to the event log by using either localhost or the virtual loopback interface of the computer, which is typically assigned to the address 127.0.0.1.

To view a summary of events, execute the following command with the root account:

/opt/likewise/bin/lw-eventlog-cli -s - localhost

Example output:

========================================
Event Record: (392/396) (392 total)
========================================
Event Record ID......... 392
Event Table Category.... System
Event Type.............. Information
Event Date.............. 2010-02-16
Event Time.............. 07:37:58 AM
Event Source............ Likewise LSASS
Event Category.......... Service
Event Source ID......... 1004
Event User.............. SYSTEM
Event Computer.......... glennc-mbp
Event Description....... Likewise authentication service provider configuration settings have been reloaded.

     Authentication provider:           lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs):       2592000
     Cache entry expiry (secs):         14400
     Space replacement character:       '^'
     Domain separator character:        '\'
     Enable event log:                  true
     Logon membership requirements:     
        CORP\GLENNC-MBP_Users
        CORP\EnterpriseTeam
     Log network connection events:     false
     Create K5Login file:               true
     Create home directory:             true
     Sign and seal LDAP traffic:        false
     Assume default domain:             false
     Sync system time:                  true
     Refresh user credentials:          true
     Machine password sync lifetime:    2592000
     Default Shell:                     /bin/sh
     Default home directory prefix:     /Users
     Home directory template:           %H/local/%D/%U
     Umask:                             18
     Skeleton directory:                System/Library/User Template/Non_localized, /System/Library/User Template/English.lproj
     Cell support:                      Invalid
     Trim user membership:              true
     NSS group members from cache only: false
     NSS user members from cache only:  false
     NSS enumeration enabled:           true
     Domain Manager check domain online (secs):          300
     Domain Manager unknown domain cache timeout (secs): 3600

========================================

Or, with the following command, you can view the event log in table format:

/opt/likewise/bin/lw-eventlog-cli -t - localhost

Example:

[root@rhel5d bin]# su likewisedemo\\hab
[LIKEWISEDEMO\hab@rhel5d bin]$ sudo blah
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
sudo: 2 incorrect password attempts
[LIKEWISEDEMO\hab@rhel5d bin]$ exit
[root@rhel5d bin]# /opt/likewise/bin/lw-eventlog-cli -t - localhost
Id:| Type          | Time        | Source         | Category     | Event | User
83 | Information   | 02:11:29 PM | Likewise LSASS | Service      | 1004  | SYSTEM
84 | Success Audit | 02:13:07 PM | Likewise LSASS | Login/Logoff | 1201  | LIKEWISEDEMO\hab
85 | Failure Audit | 02:13:30 PM | Likewise LSASS | Login/Logoff | 1205  | LIKEWISEDEMO\hab
86 | Failure Audit | 02:13:33 PM | Likewise LSASS | Login/Logoff | 1205  | LIKEWISEDEMO\hab
87 | Failure Audit | 02:13:39 PM | Likewise LSASS | Login/Logoff | 1205  | LIKEWISEDEMO\hab
88 | Success Audit | 02:14:57 PM | Likewise LSASS | Login/Logoff | 1220  | LIKEWISEDEMO\hab
[root@rhel5d bin]#

You can also use SQL filters to query the event log by event type, source ID, and a variety of other field names. Example:

[root@rhel5d bin]# /opt/likewise/bin/lw-eventlog-cli -s "(EventType = 'Failure Audit') AND (EventSourceId = 1205)" localhost
Event Record: (1/3) (1 total)
========================================
Event Record ID......... 85
Event Table Category.... Security
Event Type.............. Failure Audit
Event Date.............. 2009-07-29
Event Time.............. 02:13:30 PM
Event Source............ Likewise LSASS
Event Category.......... Login/Logoff
Event Source ID......... 1205
Event User.............. LIKEWISEDEMO\hab
Event Computer.......... rhel5d
Event Description....... Logon Failure:

     Authentication provider: lsa-activedirectory-provider

     Reason:                  Unknown username or bad password
     User Name:               LIKEWISEDEMO\hab
     Login phase:             User authenticate
Event Data.............. Error: The password is incorrect for the given username [error code: 32789]
========================================

The Event Type field is typically one of the following:

SUCCESS_AUDIT_EVENT_TYPE    "Success Audit"
FAILURE_AUDIT_EVENT_TYPE    "Failure Audit"
INFORMATION_EVENT_TYPE      "Information"
WARNING_EVENT_TYPE          "Warning"
ERROR_EVENT_TYPE            "Error"

The Event Source is typically one of the following values: Likewise LSASS, Likewise GPAGENT, Likewise DomainJoin, Likewise NETLOGON, System Log.

Each source defines its own list of Event Source Id values. Here's a list of events categorized by source.

========================================
EventSource = “Likewise LSASS”

LSASS_EVENT_INFO_SERVICE_STARTED                             1000
LSASS_EVENT_ERROR_SERVICE_START_FAILURE                      1001
LSASS_EVENT_INFO_SERVICE_STOPPED                             1002
LSASS_EVENT_ERROR_SERVICE_STOPPED                            1003
LSASS_EVENT_INFO_SERVICE_CONFIGURATION_CHANGED               1004

// Logon events
LSASS_EVENT_SUCCESSFUL_LOGON_AUTHENTICATE                    1200 
LSASS_EVENT_SUCCESSFUL_LOGON_CREATE_SESSION                  1201 
LSASS_EVENT_SUCCESSFUL_LOGON_CHECK_USER                      1203 
LSASS_EVENT_FAILED_LOGON_UNKNOWN_USERNAME_OR_BAD_PASSWORD    1205 
LSASS_EVENT_FAILED_LOGON_TIME_RESTRICTION_VIOLATION          1206 
LSASS_EVENT_FAILED_LOGON_ACCOUNT_DISABLED                    1207 
LSASS_EVENT_FAILED_LOGON_ACCOUNT_EXPIRED                     1208 
LSASS_EVENT_FAILED_LOGON_MACHINE_RESTRICTION_VIOLATION       1209 
LSASS_EVENT_FAILED_LOGON_TYPE_OF_LOGON_NOT_GRANTED           1210 
LSASS_EVENT_FAILED_LOGON_PASSWORD_EXPIRED                    1211 
LSASS_EVENT_FAILED_LOGON_NETLOGON_FAILED                     1212 
LSASS_EVENT_FAILED_LOGON_UNEXPECTED_ERROR                    1213 
LSASS_EVENT_FAILED_LOGON_ACCOUNT_LOCKED                      1214 
LSASS_EVENT_FAILED_LOGON_CHECK_USER                          1215

LSASS_EVENT_LOGON_PHASE_AUTHENTICATE                         1
LSASS_EVENT_LOGON_PHASE_CREATE_SESSION                       2
LSASS_EVENT_LOGON_PHASE_CHECK_USER                           3

// Logoff events
LSASS_EVENT_SUCCESSFUL_LOGOFF                                1220 

// User password change events
LSASS_EVENT_SUCCESSFUL_PASSWORD_CHANGE                       1300 
LSASS_EVENT_FAILED_PASSWORD_CHANGE                           1301 
LSASS_EVENT_SUCCESSFUL_USER_ACCOUNT_KERB_REFRESH             1302
LSASS_EVENT_FAILED_USER_ACCOUNT_KERB_REFRESH                 1303

// Machine password change events
LSASS_EVENT_SUCCESSFUL_MACHINE_ACCOUNT_PASSWORD_UPDATE       1320
LSASS_EVENT_FAILED_MACHINE_ACCOUNT_PASSWORD_UPDATE           1321
LSASS_EVENT_SUCCESSFUL_MACHINE_ACCOUNT_TGT_REFRESH           1322
LSASS_EVENT_FAILED_MACHINE_ACCOUNT_TGT_REFRESH               1323

// Account management events
LSASS_EVENT_ADD_USER_ACCOUNT                                 1400 
LSASS_EVENT_DELETE_USER_ACCOUNT                              1401 
LSASS_EVENT_ADD_GROUP                                        1402 
LSASS_EVENT_DELETE_GROUP                                     1403 

// Lsass provider events
LSASS_EVENT_SUCCESSFUL_PROVIDER_INITIALIZATION               1500
LSASS_EVENT_FAILED_PROVIDER_INITIALIZATION                   1501
LSASS_EVENT_INFO_REQUIRE_MEMBERSHIP_OF_UPDATED               1502
LSASS_EVENT_INFO_AUDITING_CONFIGURATION_ENABLED              1503
LSASS_EVENT_INFO_AUDITING_CONFIGURATION_DISABLED             1504

// Runtime warnings
LSASS_EVENT_WARNING_CONFIGURATION_ID_CONFLICT                1601
LSASS_EVENT_WARNING_CONFIGURATION_ALIAS_CONFLICT             1602

// Network events
LSASS_EVENT_INFO_NETWORK_DOMAIN_ONLINE_TRANSITION            1700
LSASS_EVENT_WARNING_NETWORK_DOMAIN_OFFLINE_TRANSITION        1701


========================================
EventSource = “Likewise DomainJoin”

DOMAINJOIN_EVENT_INFO_JOINED_DOMAIN            1000
DOMAINJOIN_EVENT_ERROR_DOMAIN_JOIN_FAILURE     1001
DOMAINJOIN_EVENT_INFO_LEFT_DOMAIN              1002
DOMAINJOIN_EVENT_ERROR_DOMAIN_LEAVE_FAILURE    1003


========================================
EventSource = “Likewise GPAGENT”

GPAGENT_EVENT_INFO_SERVICE_STARTED                         1000
GPAGENT_EVENT_ERROR_SERVICE_START_FAILURE                  1001
GPAGENT_EVENT_INFO_SERVICE_STOPPED                         1002
GPAGENT_EVENT_ERROR_SERVICE_STOPPED                        1003
GPAGENT_EVENT_INFO_SERVICE_CONFIGURATION_CHANGED           1004

// GPAgent policy update events
GPAGENT_EVENT_POLICY_UPDATED                               1100
GPAGENT_EVENT_POLICY_UPDATE_FAILURE                        1101

// GPAgent policy processing issue events
GPAGENT_EVENT_INFO_POLICY_PROCESSING_ISSUE_RESOLVED        1200
GPAGENT_EVENT_ERROR_POLICY_PROCESSING_ISSUE_ENCOUNTERED    1201


========================================
EventSource = “Likewise NETLOGON”

// Netlogon service events
LWNET_EVENT_INFO_SERVICE_STARTED                             1000
LWNET_EVENT_ERROR_SERVICE_START_FAILURE                      1001
LWNET_EVENT_INFO_SERVICE_STOPPED                             1002
LWNET_EVENT_ERROR_SERVICE_STOPPED                            1003
LWNET_EVENT_INFO_SERVICE_CONFIGURATION_CHANGED               1004


========================================
EventSource = “System Log”

Syslog entries are parsed by the reapsysld daemon 
to create Likewise eventlog entries for the following:

Text console logon failure                                   1
Text console logon success                                   2
SSH logon failure                                            3
SSH logon success                                            4
SUDO bad password                                            5
SUDO access denied                                           6
SUDO success                                                 7
SSH with AD account failure                                  8
SSH with AD account success                                  9
Text console login with AD account failure                   10
Text console login with AD account success                   11

When you leave a domain, Likewise reverses most Likewise-specific settings that were made to a computer's configuration when it was joined to the domain. Likewise also reverses any changes that you manually made to /etc/likewise/lsassd.conf or to the Likewise registry. Changes to the nsswitch module, however, are preserved until you uninstall Likewise, when they are reversed. Before you leave a domain, you can execute the following command to view the changes that will take place:

domainjoin-cli leave --advanced --preview domainName

Example:

[root@rhel4d likewise]# domainjoin-cli leave --advanced --preview likewisedemo.com
Leaving AD Domain:    LIKEWISEDEMO.COM
[X] [S] ssh            - configure ssh and sshd
[X] [N] pam            - configure pam.d/pam.conf
[X] [N] nsswitch       - enable/disable Likewise nsswitch module
[X] [N] stop           - stop daemons
[X] [N] leave          - disable machine account
[X] [N] krb5           - configure krb5.conf
    [F] keytab         - initialize kerberos keytab

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
                            requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

For information on advanced commands for leaving a domain, see Join Active Directory with the Command Line.

The Computer Account in Active Directory

When you leave a domain, the computer's account in Active Directory is not disabled and not deleted. If, however, you include the user name as part of the leave command, the computer's account is disabled but not deleted. You can include the user name as part of the leave command as follows; you will be prompted for the password of the user account:

domainjoin-cli leave  userName

Example: domainjoin-cli leave brsmith

Remove a Linux or Unix Computer from a Domain

Remove a Mac from a Domain

To leave a domain on a Mac OS X computer, you must have administrative privileges on the Mac.

Remove a Mac with the Command Line

Execute the following command with an account that allows you to use sudo:

sudo /opt/likewise/bin/domainjoin-cli leave

On a Linux computer, you can uninstall the domain join GUI from the command line by running the following command as root. The command applies only to Linux computers on which you installed the domain-join GUI as a separate component. In Likewise 6.0 or later, the domain-join GUI is included in the main installation for Linux platforms and cannot be uninstalled separately.

/opt/likewise/setup/djgtk/uninstall

Important: Before uninstalling the agent, you must leave the domain and uninstall the domain-join GUI if you installed it as a separate component. Then execute the uninstall command from a directory other than  likewise so that the uninstall program can delete the likewise directory and all its subdirectories -- for example, execute the command from the root directory.

Uninstall Likewise with the Shell Script on Linux or Unix

If you installed the agent on a Linux or Unix computer by using the shell script, you can uninstall the Likewise agent from the command line by using the same shell script with the uninstall option. (To uninstall the agent, you must use the shell script with the same version and build number that you used to install it.) For example, on a Linux computer running  glibc, change directories to the location of Likewise and then run the following command as root, replacing the name of the script with the version you installed:

./LikewiseOpen-6.0.0.94-linux-oldlibc-i386-rpm.sh uninstall

For information about the script's options and commands, execute the following command:

./LikewiseOpen-6.0.0.8011-linux-i386-rpm.sh help

Uninstall BitRock Installations on Linux or Unix

On a Linux or Unix computer, you can uninstall the Likewise agent from the command line if you originally installed the agent with the BitRock installer, an installer for previous versions of Likewise.

On a Mac OS X computer, you must uninstall the Likewise agent by using Terminal. Before uninstalling the agent, you should leave the domain.

When you log on a Linux, Unix, or Mac OS X computer by using your Active Directory domain credentials, Likewise initializes and maintains a Kerberos ticket granting ticket (TGT). The TGT lets you log on other computers joined to Active Directory or applications provisioned with a service principal name and be automatically authenticated with Kerberos and authorized for access through Active Directory. In a transparent process, the underlying Generic Security Services (GSS) system requests a Kerberos service ticket for the Kerberos-enabled application or server. The result: single sign-on.

To gain access to another computer, you can use various protocols and applications:

How Likewise Makes SSO Happen

Since Microsoft Windows 2000 was released, Active Directory's primary authentication protocol has been Kerberos. When a user logs on to a Windows computer that is joined to a domain, the operating system uses the Kerberos protocol to establish a key and to request a ticket for the user. Active Directory serves as the Kerberos key distribution center, or KDC.

Likewise configures Linux and Unix computers to interact with Active Directory in a similar way. When a user logs on a Linux and Unix computer joined to a domain, Likewise requests a ticket for the user. The ticket can then be used to implement SSO with other applications.

Likewise fosters the use of the highly secure Kerberos 5 protocol by automating its configuration on Linux and Unix computers. To ensure that the Kerberos authentication service is properly configured, Likewise does the following:

Overview of How to Implement SSO with Likewise

When you install Likewise on a Linux, Unix, or Mac OS X computer and join it to Active Directory, Likewise prepares it for single sign-on by creating a keytab for the computer. However, when you use Likewise to implement SSO with other applications or services, you will likely have to configure the application to use GSSAPI and Kerberos 5 authentication and you will likely have to provision each application user for external Kerberos authentication. At the very least, you will have to provision your application with a service principal name in Active Directory. A service principal name, or SPN, is the name with which a client uniquely identifies an instance of a service. Kerberos then uses the SPN to authenticate a service.

Note: Configuring an external application for SSO with Kerberos is beyond the scope of the Likewise documentation; for more information, see the vendor's manual for your application.

The following process outlines the steps for setting up an application or service to use Likewise for single sign-on. For a detailed example of how to configure an application for SSO, see Configure Apache for SSO. For examples of how to create a service account in AD, register an SPN for the service account, and create a keytab for the SPN, see creating a Kerberos service principal and keytab file for SSO on the IBM web site.

If your Active Directory account is not working with SSH, make sure that UsePAM is enabled in sshd_config and make sure that your sshd is linked to the PAM libraries.

1. Determine which sshd is running by executing the following command:

bash-3.2# ps -ef | grep sshd

    root  8199     1  0  Feb  6  ?         0:00 /opt/ssh/sbin/sshd

    root  2987  8199  0  Mar  3  ?         0:04 sshd: root@notty

    root 24864  8199  0 12:16:25 ?         0:00 sshd: root@pts/0

    root  2998  8199  0  Mar  3  ?         0:05 sshd: root@notty

    root 24882 24880  0 12:16:54 pts/0     0:00 grep sshd

2. Either use lsof to find out which conf file it is reading, or start it up with debugging to figure out the default path. Example:

   username@computer:~$ /usr/sbin/sshd -dd -t

   debug2: load_server_config: filename /etc/ssh/sshd_config

   debug2: load_server_config: done config len = 664

   debug2: parse_server_config: config /etc/ssh/sshd_config len 664

   debug1: sshd version OpenSSH_5.1p1 Debian-3ubuntu1

   Could not load host key: /etc/ssh/ssh_host_rsa_key

   Could not load host key: /etc/ssh/ssh_host_dsa_key

3. Verify that UsePAM is enabled in the config file. As a best practice, make a backup copy of the configuration file before you change it.

4. Run ldd on sshd to make sure it links with libpam. Example from an IA64 HP system:

bash-3.2# ldd /opt/ssh/sbin/sshd

        libpam.so.1 =>  /usr/lib/hpux64/libpam.so.1

        libdl.so.1 =>   /usr/lib/hpux64/libdl.so.1

        libnsl.so.1 =>  /usr/lib/hpux64/libnsl.so.1

        libxnet.so.1 => /usr/lib/hpux64/libxnet.so.1

        libsec.so.1 =>  /usr/lib/hpux64/libsec.so.1

        libgssapi_krb5.so =>    /usr/lib/hpux64/libgssapi_krb5.so

        libkrb5.so =>   /usr/lib/hpux64/libkrb5.so

        libpthread.so.1 =>      /usr/lib/hpux64/libpthread.so.1

        libc.so.1 =>    /usr/lib/hpux64/libc.so.1

        libxti.so.1 =>  /usr/lib/hpux64/libxti.so.1

        libxti.so.1 =>  /usr/lib/hpux64/libxti.so.1

        libm.so.1 =>    /usr/lib/hpux64/libm.so.1

        libk5crypto.so =>       /usr/lib/hpux64/libk5crypto.so

        libcom_err.so =>        /usr/lib/hpux64/libcom_err.so

        libk5crypto.so =>       /usr/lib/hpux64/libk5crypto.so