University of Oregon

Information Services

Likewise Enterprise 5.3

Administrator’s Guide

Last Updated: March 2011 V7.1


Contents

1 - Preface

2 - Definitions
   /opt/likewise
   AD
   Domain
   DuckID
   GPO
   UNIX Attributes
   WGM

3 - Prerequisites
   3.1 - Download the Likewise Enterprise media
   3.2 - Prepare a Windows Admin workstation
   3.3 - Prepare a Mac Admin workstation

4 - Administrative Tasks
   4.1 - Install Likewise Enterprise on a Mac/Linux/Unix host
   4.2 - Pre-create a Mac/Linux/Unix computer object in Active Directory
   4.3 - Join a Mac 10.x computer to the domain using the GUI tools
   4.4 - Join a Mac 10.x computer to the domain using the terminal
   4.5 - Join a Linux computer to the domain using the shell
   4.6 - Remove a Likewise Enterprise client from the domain
   4.7 - Uninstall Likewise Enterprise\Open
   4.8 - Upgrade from Likewise Open to Likewise Enterprise
   4.9 - Check domain membership of a Likewise-installed system
   4.10 - Check Likewise version
   4.11 - Login to a Likewise Enterprise client with domain credentials
   4.12 - Force a group policy refresh (i.e. GPUPDATE /force)
   4.13 - Create a GPO for Likewise clients on a Windows Admin workstation
   4.14 - Mark a GPO for editing on a Mac Admin workstation
   4.15 - Edit a GPO with Workgroup Manager on a Mac Admin workstation
   4.16 - Migrate a local user profile into a domain user profile
   4.17 - Verify an object has UNIX attributes

5 - Mac Policy Examples
   5.1 - Grant admin access to a user or group
   5.2 - Enable Mac firewall
   5.3 - Apply a pre-logon warning message
   5.4 - Show Hard Disks and Connected Servers on Desktop by default
   5.5 - Universal FileVault settings
   5.6 - Configure login options
   5.7 - Configure Energy Saver options

6 - Universal Linux/Unix/Mac Policy Examples
   6.1 - Allow cached logins
   6.1 - Restrict login to a user or group
   6.2 - Grant a domain group sudo access to a Linux host
   6.3 - Deploy Sudoers file
   6.4 - Set Default Login Shell to /bin/bash
   6.5 - Target a specific non-windows platform
   6.6 - Enable Loopback processing on a GPO


1 - Preface

This guide is intended for OU Admins in the consolidated Active Directory domain at the University of Oregon. It covers aspects of non-Windows computer administration through integration with Active Directory using Likewise Enterprise 5.3: specifically, prerequisites, common administrative tasks, and example Mac/Linux/Unix policies.


2 - Definitions

/opt/likewise

/opt/likewise refers to the folder path where the Likewise agent is installed by default. Likewise tools are generally found in /opt/likewise/bin/.

AD

AD refers to the consolidated ad.uoregon.edu Active Directory domain.

Domain

Domain refers to an Active Directory domain in the uoregon.edu forest.

DuckID

DuckID refers to the user’s UO username. This is used throughout the document as <duckid> and should be replaced with the actual username anywhere used. This document also uses ‘adm-<duckid>’ to refer to an OU admin account.

GPO

GPO refers to an Active Directory Group Policy Object.

UNIX Attributes

1. Refers to values for key RFC 2307 attributes on user and group objects. These attributes are a requirement on Users and Groups for use on a Likewise Enterprise client and in Likewise Enterprise policies.

2. Users:

a. To login to a Likewise Enterprise client workstation or to be used in a Likewise Enterprise GPO, a user must have valid uid, uidNumber and gidNumber attributes.

b. All managed user objects have these attributes mapped from the central campus LDAP service.

c. Unmanaged accounts are generally unsupported beyond OU Admin accounts. OU Admin accounts have been populated with the required Unix Attributes.

3. Groups:

a. To be used in a Likewise Enterprise GPO, a group must have a valid gidNumber UNIX attribute.

b. All *.OU.ADMIN groups have been assigned values for gidNumber.

c. Other groups may be provisioned on request by emailing adhelp@ithelp.uoregon.edu.

WGM

WGM refers to Apple’s Workgroup Manager. It can be downloaded at no cost from Apple and is required to inject Apple MCX policies into Active Directory Group Policy Objects.


3 - Prerequisites

3.1 - Download the Likewise Enterprise media

1. Description: This section describes the steps to download the current release of Likewise Enterprise 5.3.

2. Steps:

a. In a web browser, open: http://it.uoregon.edu/systems/services/ad/likewise/licensing

b. This URL is the ‘Likewise Enterprise Licensing, Support and Installers’ page that contains information on purchasing, receiving support, and downloading installation media.

3. Notes:

a. The Likewise Enterprise Licensing, Support and Installers site is only accessible from the UO network. If accessing from off-campus, a VPN connection is required.

3.2 - Prepare a Windows Admin workstation

1. Description: This section details the steps required to set up your Windows XP/7 Admin workstation to manage Likewise Enterprise clients. Note that this differs from configuring a standard AD Admin workstation only in installing the Likewise Enterprise extensions: Likewise Enterprise simply extends the Active Directory Users and Computers and Group Policy Management Console MMCs.

2. Steps:

a. Identify a Windows workstation currently joined to the AD domain to run the AD Administrative tools with the Likewise add-on.

b. Install the Active Directory Users & Computers console:
   i. Windows XP:
      1. Download adminpak.msi from Microsoft:
         a. http://download.microsoft.com/download/c/7/5/c750f1af-8940-44b6-b9eb-d74014e552cd/adminpak.exe
   ii. Windows 7:
      1. Download ‘Remote Server Administration Tools for Windows 7’:
         a. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
      2. Enable the Active Directory Users & Computers console:
         a. Open ‘Control Panel’
         b. Open ‘Programs and Features’
         c. Click ‘Turn Windows Features on or off’
         d. In the ‘Windows Features’ window, expand ‘Remote Server Administration Tools’
         e. Expand ‘Role Administration Tools’
         f. Expand ‘AD DS Tools’
         g. Check ‘Active Directory Administrative Center’
         h. Check ‘AD DS Snap-ins and Command-line Tools’

c. Install the Group Policy Management Console (gpmc.msc):
   i. Windows XP:
      1. Download gpmc.msi from Microsoft:
         a. http://download.microsoft.com/download/a/d/b/adb5177d-01a7-4f04-bfcc-cb7cea8b5bb7/gpmc.msi
   ii. Windows 7:
      1. The ‘Remote Server Administration Tools for Windows 7’ package downloaded in step b also contains the console:
         a. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
      2. Enable the Group Policy Management Console:
         a. Open ‘Control Panel’
         b. Open ‘Programs and Features’
         c. Click ‘Turn Windows Features on or off’
         d. In the ‘Windows Features’ window, browse to ‘Remote Server Administration Tools’ then ‘Feature Administration Tools’
         e. Check ‘Group Policy Management Tools’

d. Install the appropriate Likewise console on your Windows Admin workstation:
   i. Double-click one of the following:
      1. SetupLikewise-<version>.exe - for 32-bit hosts
      2. SetupLikewise64-<version>.exe - for 64-bit hosts
   ii. At the ‘Welcome to Likewise Enterprise’ screen, select ‘Only Basic Management Components’.
   iii. Accept the license agreement.
   iv. Click ‘Next’
   v. Click ‘Start’
   vi. After installation finishes, click ‘Next’.
   vii. At the ‘Installation Complete’ final page, uncheck ‘Run Enterprise Console’ and click ‘Finish’.

3. Notes:

a. IMPORTANT: Likewise Enterprise installs two visible applications:
   i. Enterprise Console: This is not used in our environment. In essence it only links you to other tools and provides information on the current LWE installation status.
   ii. Likewise Cell Manager: This is not generally used in our environment, as we are using the ‘default Cell’ in Schema mode.

3.3 - Prepare a Mac Admin workstation

1. Description: This section details the steps required to set up your Mac 10.6 Admin workstation to manage Likewise Enterprise clients with Workgroup Manager.

2. Steps:

a. Identify a Mac OS workstation to use as an Admin workstation with Apple Workgroup Manager.

b. Follow the steps in section ‘Join a Mac 10.x computer to the domain using the GUI tools’.

c. Install the Mac Server Admin Tools from Apple:
   i. Server Admin Tools 10.6.5: http://support.apple.com/kb/DL1071

d. Login with credentials:
   i. Username: ad\adm-<duckid>
   ii. Password: (your adm-<duckid> password)

3. Notes:

a. If you are unable to login with your adm-<duckid> account, it may not have UNIX attributes. Follow the steps in ‘Verify an object has UNIX attributes’ to confirm. If it does not, submit a ticket to adhelp@ithelp.uoregon.edu to have this enabled.

b. IMPORTANT: Do not attempt to set up Workgroup Manager after installation. Unlike using WGM in an OpenDirectory environment, you will not configure WGM to connect directly to one of the directory servers. The proper steps are covered in more depth in section ‘Edit a GPO with Workgroup Manager on a Mac Admin workstation’.


4 - Administrative Tasks

4.1 - Install Likewise Enterprise on a Mac/Linux/Unix host

1. Description: This section details the process of installing Likewise Enterprise on a Mac/Linux/Unix host.

2. Steps:

a. Follow the steps in ‘Download the Likewise Enterprise media’.

b. Mac:
   i. Run the dmg image. For most modern Mac systems, this will be:
      1. LikewiseEntDpy-5\agents\darwin\x86_64\dmg\LikewiseIdentityServiceEnterprise-5.3.0.7838-OSX10.6-universal.dmg
   ii. From the mounted DMG, double-click LikewiseIdentityServiceEnterprise-5.3.0.7838-OSX10.6-universal.mpkg
   iii. In the ‘Install Likewise Identity Server [Enterprise] 5.3.0’ window, click ‘Continue’.
   iv. Click ‘Continue’.
   v. Click ‘Continue’, then click ‘Agree’.
   vi. Select the installation location and click ‘Continue’.
   vii. Click ‘Install’.

c. Linux/Unix:
   i. Insert the Likewise 5.3 installation media or mount a share containing the installation files, and run install.sh:
      1. CIFS share example:
         a. sudo mkdir /mnt/likewise
         b. sudo mount -t cifs //DEPT-SERVERNAME/SHARE /mnt/likewise -o username=AD\\<duckid>
         c. <Enter user password>
         d. sudo /mnt/likewise/install.sh
      2. CD-ROM example:
         a. sudo /mnt/cdrom/install.sh
   ii. Hit ‘Enter’ to view the License Agreement.
   iii. Continue hitting ‘Enter’ until ‘Do you accept this license [y/n]’ is shown.
   iv. Enter ‘y’, then hit ‘Enter’.
   v. If using a 64-bit OS, enter 1, 2, or 3 at the ‘32-bit Compatibility Libraries’ prompt. ‘Auto’ [1] is the default.
   vi. At the ‘Setup is now ready to begin installing Likewise Identity…’ prompt, select ‘Y’ then hit ‘Enter’.

3. Notes:

a. Mac installation must use the DMG image from the GUI. Command-line installation will simply indicate the requirement to open the DMG.

4.2 - Pre-create a Mac/Linux/Unix computer object in Active Directory

1. Description: This section details the steps to pre-create a computer object in Active Directory. Likewise Enterprise can create the object itself during the join, but pre-creating it in your unit’s Computers OU is the most common method here, and the join procedures in sections 4.3 to 4.5 assume the object already exists and will fail if it does not.

2. Steps:

a. On the Windows Admin workstation, open the Active Directory Users & Computers MMC console:
   i. Start > Run > dsa.msc, or
   ii. Start > Administrative Tools > Active Directory Users and Computers

b. Browse to your unit’s Computers OU:
   i. ad.uoregon.edu\Units\<unit>\Computers

c. Right-click > New > Computer

d. Enter a name for the computer object:
   i. ex: ad.uoregon.edu\Units\IS\Computers\SYS\is-mac-2385fh3

3. Notes:

a. IMPORTANT: The computer name must begin with your department’s prefix (ex: is-mac-2385fh3) and be 15 characters or less.


4.3 - Join a Mac 10.x computer to the domain using the GUI tools

1. Description: This section details the process of joining a Mac computer to the domain with the GUI Likewise Enterprise application.

2. Steps:

a. Follow the steps in ‘Install Likewise Enterprise on a Mac/Linux/Unix host’.

b. Follow the steps in ‘Pre-create a Mac/Linux/Unix computer object in Active Directory’ to create the computer object.

c. Configure the Mac to use this computer name:
   i. From the GUI:
      1. Apple Menu > System Preferences > Sharing > Computer Name
      2. Enter the name from step ‘b’ in the ‘Computer Name’ field.
   ii. From the command line:
      1. sudo scutil --set HostName dept-wks-name.ad.uoregon.edu

d. Open ‘Directory Utility’:
   i. Mac OS 10.6.x:
      1. Open ‘System Preferences’
      2. Open ‘Accounts’
      3. Click ‘Login Options’
      4. Click ‘Join’ to the right of ‘Network Account Server’
      5. Click ‘Open Directory Utility’
   ii. Mac OS 10.5.x:
      1. Open ‘Applications’
      2. Open ‘Utilities’
      3. Open ‘Directory Utility’

e. Double-click ‘Likewise - Active Directory’ to open the ‘Likewise Domain Join’ app.
   i. This will require you to unlock the Directory Utility page and enter admin credentials.

f. Enter the following in the ‘Likewise Domain Join’ app:
   i. Computer name: (confirm this matches the name set in step ‘c’)
   ii. Domain to join: ad.uoregon.edu
   iii. At ‘Specify an Organizational Unit’, leave as ‘Computers container or existing…’
   iv. Click ‘Join’
   v. Enter your adm-<duckid> username and password.

g. Restart the Mac system.

h. Follow the steps in ‘Login to a Likewise Enterprise client with domain credentials’ to test login.

3. Notes:

a. When joining the Mac computer to the domain, enter your adm-<duckid> username (not ad\adm-<duckid>).

b. When logging into the computer with domain credentials, the username entered must be in the format ad\<duckid>. The ‘ad\’ prefix is required.

c. The user used to login must have valid UNIX attributes.

d. In step ‘c’, the GUI method of setting the computer name may not always work as expected. In this case, use ‘scutil’.

e. The default computer name displayed in step ‘f’ may not match the name you set in step ‘b’. This is because Likewise performs a reverse DNS lookup for the workstation’s IP address. If a DNS record is found, Likewise will default to this DNS name. You may either fix the DNS entry or ignore the incorrect DNS entry and change the Computer Name field in the Likewise Domain Join app to the correct name.

f. If the computer object for the Mac workstation has not been pre-created or was misspelled, the domain join operation will fail.

4.4 - Join a Mac 10.x computer to the domain using the terminal

1. Description: This section details the steps to run the Likewise domain join command from the terminal after installation.

2. Steps:

a. Perform steps ‘a’ through ‘c’ from ‘Join a Mac 10.x computer to the domain using the GUI tools’.

b. Run the following from the terminal:
   i. sudo /opt/likewise/bin/domainjoin-cli join ad.uoregon.edu adm-<duckid>

c. Follow the steps in ‘Login to a Likewise Enterprise client with domain credentials’ to test login.

3. Notes:

a. If the computer object has not been pre-created or does not match, the domain join operation will fail.

4.5 - Join a Linux computer to the domain using the shell

1. Description: This section details the steps to install Likewise Enterprise on a supported host and join the domain.

2. Steps:

a. Follow the steps in ‘Install Likewise Enterprise on a Mac/Linux/Unix host’.

b. Follow the steps in ‘Pre-create a Mac/Linux/Unix computer object in Active Directory’ to create the computer object.

c. Configure an appropriate hostname that follows the AD domain naming conventions:
   i. RedHat:
      1. Edit /etc/sysconfig/network
      2. Set HOSTNAME= to the short name of the host (ex: IS-RH-NAME)
      3. Reboot the system

d. sudo /opt/likewise/bin/domainjoin-cli join ad.uoregon.edu adm-<duckid>

e. Enter the adm-<duckid> user password when prompted.

f. Reboot.

g. Follow the steps in ‘Login to a Likewise Enterprise client with domain credentials’ to test login.

3. Notes:

a. If the computer object has not been pre-created or does not match, the domain join operation will fail.
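The naming rule from section 4.2 and the hostname steps from sections 4.3 and 4.5, gathered into one pre-flight script. This is an added example, not a script shipped with Likewise or written by UO Information Services: the department-prefix argument, the dry-run output of join_commands, and the Linux/Darwin branching are assumptions for illustration. set_sysconfig_hostname defaults to RedHat’s /etc/sysconfig/network but takes the file as a parameter so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Pre-flight for joining a UO Linux/Mac host to ad.uoregon.edu.
# Added example, not part of Likewise or of this guide. It checks the
# computer name against the rule in section 4.2 (department prefix, at
# most 15 characters, NetBIOS-safe characters), stages the RedHat hostname
# from section 4.5, and prints (does not run) the join commands from
# sections 4.4/4.5. The prefix argument and the dry-run are assumptions.

AD_DOMAIN="ad.uoregon.edu"

# check_computer_name PREFIX NAME
# Returns 0 if NAME is acceptable for a unit whose prefix is PREFIX,
# otherwise prints the reason on stderr and returns 1.
check_computer_name() {
    prefix=$1; name=$2
    case "$name" in
        "$prefix"-*) ;;
        *) echo "'$name' must start with '$prefix-'" >&2; return 1 ;;
    esac
    if [ "${#name}" -gt 15 ]; then
        echo "'$name' is ${#name} characters; the limit is 15" >&2; return 1
    fi
    case "$name" in
        *[!A-Za-z0-9-]*)
            echo "'$name' contains characters outside A-Z, a-z, 0-9 and '-'" >&2
            return 1 ;;
    esac
    return 0
}

# set_sysconfig_hostname NAME [FILE]
# Replaces (or appends) the HOSTNAME= line in a RedHat-style
# /etc/sysconfig/network file and prints the resulting line. FILE is a
# parameter so the function can be exercised on a scratch copy.
set_sysconfig_hostname() {
    name=$1; file=${2:-/etc/sysconfig/network}
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        grep -v '^HOSTNAME=' "$file" > "$tmp" || true   # grep -v exits 1 when nothing is left
    else
        : > "$tmp"
    fi
    echo "HOSTNAME=$name" >> "$tmp"
    mv "$tmp" "$file"
    grep '^HOSTNAME=' "$file"
}

# join_commands PREFIX NAME ADMIN [OS]
# Validates NAME and prints the commands the OU admin runs next; OS is
# normally taken from uname but can be passed explicitly for testing.
join_commands() {
    prefix=$1; name=$2; admin=$3; os=${4:-$(uname -s)}
    check_computer_name "$prefix" "$name" || return 1
    case "$os" in
        Darwin)
            echo "sudo scutil --set HostName $name.$AD_DOMAIN"
            echo "sudo /opt/likewise/bin/domainjoin-cli join $AD_DOMAIN $admin" ;;
        *)
            echo "# set HOSTNAME=$name in /etc/sysconfig/network and reboot first"
            echo "sudo /opt/likewise/bin/domainjoin-cli join $AD_DOMAIN $admin" ;;
    esac
}
```

Run check_computer_name is is-mac-2385fh3 before creating the object in ADUC; a non-zero exit here is the same mismatch that otherwise shows up only as a failed join (section 4.3, note f).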

4.6 - Remove a Likewise Enterprise client from the domain

1. Description: This section details the steps to remove a domain-joined Likewise Enterprise client from the domain.

2. Steps:

a. Login to the host with the local root / admin account.

b. Leave the domain:
   i. sudo /opt/likewise/bin/domainjoin-cli leave (adm-<duckid>)

3. Notes:

a. The (adm-<duckid>) argument is optional. If you do not provide a username, the computer simply drops out of the domain and its computer object stays enabled in AD. If you enter a username, you will be prompted for credentials, and if that user has sufficient permissions on the computer object in AD, the object will be disabled as well.

4.7 - Uninstall Likewise Enterprise\Open

1. Description: This section details the steps to uninstall Likewise Enterprise from a workstation/server.

2. Steps:

a. Check for domain-joined status by following the steps in ‘Check domain membership of a Likewise-installed system’.

b. If the workstation/server is domain-joined, follow the steps in ‘Remove a Likewise Enterprise client from the domain’.

c. Run the Likewise uninstaller:
   i. Likewise Enterprise 5.3:
      1. Mac OS: sudo /opt/likewise/bin/macuninstall.sh
      2. Other Linux/Unix: sudo /opt/likewise/setup/lwise/uninstall
   ii. Likewise Open 6.0:
      1. Mac OS: sudo /opt/likewise/bin/macuninstall.sh

3. Notes:

a. IMPORTANT: The uninstall process is different on a Mac than on other Linux/Unix systems.

4.8 - Upgrade from Likewise Open to Likewise Enterprise

1. Description: This section details the steps to upgrade an installation of Likewise Open, the free version of Likewise, to Likewise Enterprise.

2. Steps:

a. Login to the host with the local root / admin account.

b. Follow the steps from ‘Uninstall Likewise Enterprise\Open’ to remove the computer from the domain and uninstall Likewise Open.

c. Follow the steps in ‘Join a Linux Computer to the Domain using the Shell’ to install Likewise Enterprise and re-join the domain.

3. Notes:

a. In testing, a complete removal of the Likewise Open client prior to installation of Likewise Enterprise has been the most successful.

4.9 - Check domain membership of a Likewise-installed system

1. Description: This section shows the command to get a host’s current domain status. This can be useful when troubleshooting failed login attempts.

2. Steps:

a. Run the following command: /opt/likewise/bin/lw-get-current-domain

3. Notes:

a. Result indicating the system is domain-joined: ‘Current Domain = AD.UOREGON.EDU’

b. Result indicating the system is not domain-joined: ‘Failed communication with the LWNET Agent. Error code 136 (ERROR_NOT_JOINED)’

4.10 - Check Likewise version

1. Description: This section shows the command to find the Likewise Enterprise/Open version of a host.

2. Steps:

a. cat /opt/likewise/data/VERSION

3. Notes:

a. Example output: VERSION=5.3.0 BUILD=7827 REVISION=51441

4.11 - Login to a Likewise Enterprise client with domain credentials

1. Description: This section provides the steps to login to a Likewise Enterprise client from the console and over SSH.

2. Steps:

a. Console login:
   i. Username: AD\<duckid>
   ii. Password: <duckid password>

b. SSH:
   i. Username: AD\\<duckid>
   ii. Password: <duckid password>

3. Notes:

a. If unable to login to a host through a service with AD\<duckid> (other than direct console login), try entering AD\\<duckid>. When the username is typed into a shell (for example as an ssh argument), the shell consumes one backslash, so the doubled form is what actually delivers ‘AD\<duckid>’ to the host.

4.12 - Force a group policy refresh (i.e. GPUPDATE /force)

1. Description: This section shows the command to force a Likewise Enterprise client to update its set of Group Policies. This is similar to the Windows command ‘gpupdate /force’.

2. Steps:

a. Confirm Likewise Enterprise is installed by navigating to the Likewise installation directory (/opt/likewise).

b. From the terminal, run the following command: sudo /opt/likewise/bin/gporefresh

3. Notes:

a. You must run this command with sudo privilege or as root, or it will fail with the error ‘This program requires super-user privileges Error: Access Denied’.

b. Group Policy will automatically refresh at the default interval of 30 minutes unless otherwise set by GPO.

c. Restarting a computer while plugged into the network will also trigger a GPO refresh on startup.
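The checks in sections 4.9, 4.10 and 4.12 combined into one status helper for a Likewise host. This is an added example, not a Likewise tool or a UO script: the parse_* functions take the command output as text so they can be exercised against captured output on any machine, and lw_status and gp_refresh only call the real binaries when they are present at the guide’s default paths.

```shell
#!/bin/sh
# Status helper for a Likewise 5.3 host, tying together sections 4.9, 4.10
# and 4.12. Added example, not a Likewise tool. The parse_* functions take
# text so they can be checked against captured output without the agent
# installed; lw_status and gp_refresh call the real binaries only when
# they exist at the guide's default paths.

LW_BIN=/opt/likewise/bin
LW_VERSION_FILE=/opt/likewise/data/VERSION

# parse_domain_status TEXT
# TEXT is the output of lw-get-current-domain. Prints "joined <DOMAIN>" or
# "not-joined <code>" and returns 0; prints "unknown" and returns 1 for
# anything else (for example when the agent is not running).
parse_domain_status() {
    case "$1" in
        *"Current Domain = "*)
            printf 'joined %s\n' "${1##*Current Domain = }" ;;
        *ERROR_NOT_JOINED*)
            code=$(printf '%s' "$1" | sed -n 's/.*Error code \([0-9][0-9]*\).*/\1/p')
            printf 'not-joined %s\n' "${code:-unknown}" ;;
        *)  printf 'unknown\n'; return 1 ;;
    esac
}

# parse_version TEXT
# TEXT is the content of /opt/likewise/data/VERSION, either on one line
# (VERSION=5.3.0 BUILD=7827 REVISION=51441) or one key per line.
parse_version() {
    v=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^VERSION=//p')
    b=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^BUILD=//p')
    [ -n "$v" ] || return 1
    printf '%s build %s\n' "$v" "${b:-unknown}"
}

# lw_status: one line for the join state and one for the version.
lw_status() {
    if [ -x "$LW_BIN/lw-get-current-domain" ]; then
        parse_domain_status "$("$LW_BIN/lw-get-current-domain" 2>&1)" || true
    else
        echo "not-installed"
    fi
    if [ -r "$LW_VERSION_FILE" ]; then
        parse_version "$(cat "$LW_VERSION_FILE")" || echo "version unknown"
    fi
}

# gp_refresh: section 4.12 with its two preconditions made explicit, so a
# failure says why instead of the agent's generic 'Access Denied'.
gp_refresh() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "gporefresh needs root: run with sudo" >&2; return 1
    fi
    case "$(lw_status | head -n 1)" in
        joined*) "$LW_BIN/gporefresh" ;;
        *) echo "host is not domain-joined; nothing to refresh" >&2; return 1 ;;
    esac
}
```

lw_status is what to run first when a domain login fails: ‘not-joined 136’ points at section 4.5, ‘unknown’ usually means the agent is stopped, and only a ‘joined’ host is worth a gp_refresh.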

4.13 - Create a GPO for Likewise clients on a Windows Admin workstation

1. Description: This section details the steps to create a GPO from the Windows Admin workstation as well as where to look for Likewise-specific policies.

2. Steps:

a. Follow the steps in ‘Prepare a Windows Admin workstation’ to prepare your Windows Admin workstation.

b. Open the ‘Group Policy Management’ console:
   i. Start Menu > Run > gpmc.msc
   ii. Or, Start > Administrative Tools > Group Policy Management

c. Create a GPO for your unit and link it to the required OU.

d. Name the GPO to include your department prefix, the user/computer target, and the purpose.
   i. E.g. IS-COMP-Linux_Sudoer_Access

e. Edit the GPO.

f. Expand ‘Computer Configuration’ or ‘User Configuration’.

g. Expand ‘Policies’.

h. You will now see a new section named ‘Unix and Linux Settings’.

3. Notes:

a. All Likewise settings are stored under ‘Unix and Linux Settings’.

4.14 - Mark a GPO for editing on a Mac Admin workstation

1. Description: This section details the steps to mark an Active Directory GPO for management by a Mac Admin workstation with Workgroup Manager. Workgroup Manager can only see GPOs that have been marked in this manner, and can only embed User and/or Computer policies if the appropriate switch is set on the User and/or Computer side of the GPO.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Right-click > Edit

c. Expand ‘Computer Configuration’ or ‘User Configuration’

d. Expand ‘Unix and Linux Policies’

e. Expand ‘Mac Settings’

f. Click ‘Workgroup Manager Settings’

g. Double-click ‘Enable Workgroup Manager to configure settings for computers’.

h. Check the box ‘Define this policy setting’.

3. Notes:

a. Workgroup Manager on the Mac Admin workstation is only able to see policies when the ‘Enable Workgroup Manager…’ option is selected from either the ‘Computer Configuration’ or ‘User Configuration’ node.

b. Workgroup Manager can only inject Computer policies into the GPO when the ‘Computer Configuration’ option is enabled. Similarly, User policies may only be injected when the ‘User Configuration’ option is enabled.

c. Once you have published a Mac policy to this GPO, the XML values of the policy will appear in the box ‘Current file content’.

4.15 - Edit a GPO with Workgroup Manager on a Mac Admin workstation

1. Description: This section provides the basic steps to edit a GPO with Workgroup Manager. This assumes the policy has been properly tagged for editing per section ‘Mark a GPO for editing on a Mac Admin workstation’.

2. Steps:

a. Follow the steps in ‘Mark a GPO for editing on a Mac Admin workstation’ to enable a GPO for policy injection.

b. Open Workgroup Manager:
   i. Applications \ Server \ Workgroup Manager
   ii. Ignore the initial popup window ‘Workgroup Manager Connect’.

c. Click the ‘Server’ drop-down, then ‘View Directories’.

d. Click ‘OK’ at the local configuration database warning prompt.

e. Click at the top left where it says ‘Viewing local directory: /Local/Default’; this will pop up several options. Select ‘Other…’ from this list.

f. Select ‘Likewise…irectory’ > Select ‘AD.UOREGON.EDU’. You will see a list of Mac-enabled policies in the 3rd column.

g. Select the policy you wish to edit and click ‘OK’.

h. At the top right, there should be a small picture of a lock. This may show as locked. Click this lock to authenticate against this policy.

i. Enter ad\adm-<duckid> with the appropriate password. If successful, the lock will change to a picture of an opened lock.

3. Notes:

a. There are 4 icons at the top left of the Workgroup Manager window. These correspond to ‘Users’, ‘User Groups’, ‘Computers’ and ‘Computer Groups’. Only the two group icons (for Users and for Computers) are used with Likewise.

b. Depending on the purpose of the policy, click either the ‘User Groups’ or the ‘Computer Groups’ icon. You should see an entry show up for ‘Group of Users managed by GPO’ or ‘Group of Computers managed by GPO’. These ‘groups’ are used by Likewise to apply the GPO settings to any user or computer in the OU that the GPO is attached to.

4.16 - Migrate a local user profile into a domain user profile

1. Description: This section details the steps to migrate an existing local user profile on a Mac workstation or server into a domain user profile. This can simplify the transition of a user to a domain account.

2. Steps:

a. Follow the steps in ‘Join a Mac 10.x computer to the domain using the GUI tools’.

b. Once joined, re-open ‘Directory Utility’.

c. Mac OS 10.6.x:
   i. Open ‘System Preferences’
   ii. Open ‘Accounts’
   iii. Click ‘Login Options’
   iv. Click ‘Join’ to the right of ‘Network Account Server’
   v. Click ‘Open Directory Utility’

d. Mac OS 10.5.x:
   i. Open ‘Applications’
   ii. Open ‘Utilities’
   iii. Open ‘Directory Utility’

e. Double-click ‘Likewise - Active Directory’ to open the ‘Likewise Domain Join’ app.
   i. This will require you to unlock the Directory Utility page and enter admin credentials.

f. Click ‘Migrate’.

g. In the ‘Source - Local Account’ section, click the drop-down list and find the local user account.

h. Enter the DOMAIN\USERNAME of the domain user who should receive this profile (ex: ad\jdoe).

i. Click the button shaped like a check mark.

j. Select ‘Copy Profile’.

k. Click ‘Migrate’.

l. At the ‘Likewise Migrate User Profile’ popup, click ‘Yes’.

3. Notes:

a. This process will take up to several minutes to complete as the local user profile is copied to a new profile for the domain user.

b. The log file for this migration can be found at /tmp/lw-migrate.<source_account_username>.log

c. IMPORTANT: Make sure enough disk space is available on the OS drive to allow the copy operation to complete successfully. The migration wizard does not report a failure of this type, so check free space before starting and review the log afterwards.
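A pre-flight for note c: size the local home directory, compare it with the free space on the volume that will hold the new domain home, and print the path of the wizard’s log from note b. This is an added example, not part of the Likewise migration wizard or of this guide; the 20% safety margin and the /Users default are assumptions, and the optional FREE_KB argument exists only so the failure path can be exercised without a nearly full disk.

```shell
#!/bin/sh
# Pre-flight for the profile migration in section 4.16. Added example, not
# part of the Likewise wizard. The wizard copies the local home directory
# and (note c) does not report a failed copy, so check the space first and
# know where the log is. The 20% safety margin and the /Users default are
# assumptions; the optional FREE_KB argument exists so the check can be
# exercised without a nearly full disk.

# home_size_kb DIR: size of DIR in KiB (du -sk behaves the same on Mac and Linux).
home_size_kb() { du -sk "$1" | cut -f1; }

# free_kb PATH: free KiB on the volume holding PATH (POSIX df output).
free_kb() { df -kP "$1" | awk 'NR==2 {print $4}'; }

# migrate_space_ok SRC_HOME [TARGET_PARENT] [FREE_KB]
# Returns 0 when a copy of SRC_HOME plus a 20% margin fits on the volume
# that will hold the new domain home (TARGET_PARENT, default /Users).
migrate_space_ok() {
    src=$1; target=${2:-/Users}
    need=$(home_size_kb "$src")
    have=${3:-$(free_kb "$target")}
    margin=$((need / 5))
    if [ $((need + margin)) -gt "$have" ]; then
        echo "need $((need + margin)) KiB on $target but only $have KiB free" >&2
        return 1
    fi
    echo "ok: $need KiB to copy, $have KiB free on $target"
}

# migrate_log LOCAL_USER: the wizard's log for a given source account (note b).
migrate_log() { printf '/tmp/lw-migrate.%s.log\n' "$1"; }

# migrate_preflight LOCAL_USER [HOME_DIR]: the whole check for one account.
migrate_preflight() {
    user=$1; home=${2:-/Users/$1}
    [ -d "$home" ] || { echo "no home directory at $home" >&2; return 1; }
    migrate_space_ok "$home" "$(dirname "$home")" || return 1
    echo "after migrating, check $(migrate_log "$user")"
}
```

Run migrate_preflight <local user> on the Mac before step f; if it reports insufficient space, free some up first, because the wizard itself will not tell you the copy was incomplete.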

4.17 - Verify an object has UNIX attributes

1. Description: This section details the steps to check a user or group object for valid UNIX attributes.

2. Steps:

a. From the Windows Admin workstation, open the Active Directory Users and Computers console.

b. Browse to the user or group object in your OU.
   i. Ex: AD\IS\Groups\IS.ALLUSERS

c. Right-click > Properties

d. Select the ‘Likewise Settings’ tab.

e. Check the ‘Cells’ section. If the ‘(Default)’ box is selected, the object should have UNIX attributes specified in the fields beneath.

3. Notes:

a. Managed users should have UNIX attributes automatically populated from the central LDAP service.

b. Unmanaged users will not have UNIX attributes assigned, with the exception of OU Admin accounts.

c. Groups will not have UNIX attributes by default, except for *.OU.ADMIN groups. Others may be requested by sending a request to adhelp@ithelp.uoregon.edu.
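The same check as the ‘Likewise Settings’ tab above, done from a Linux or Mac host against the attribute list in section 2 (uid, uidNumber and gidNumber for users; gidNumber for groups). This is an added example, not a UO or Likewise tool. unix_attrs_ok works on LDIF text so it can be tested with a constructed entry; fetch_ldif is an assumed ldapsearch invocation (GSSAPI with an adm-<duckid> Kerberos ticket, base DN derived from the domain name, ldap-utils installed on the host) and is not taken from the guide.

```shell
#!/bin/sh
# Check that a user or group carries the RFC 2307 values Likewise needs
# (section 2: uid, uidNumber and gidNumber on users; gidNumber on groups)
# from a Linux/Mac host instead of the ADUC tab in section 4.17. Added
# example, not a UO or Likewise tool. unix_attrs_ok works on LDIF text so
# it can be tested offline; fetch_ldif is an assumed ldapsearch invocation
# (GSSAPI with an adm-<duckid> Kerberos ticket, base DN guessed from the
# domain name) that needs the ldap-utils package on the host.

AD_HOST=ad.uoregon.edu
AD_BASE="DC=ad,DC=uoregon,DC=edu"

# ldif_attr LDIF ATTR: first value of ATTR in a single-entry LDIF, or empty.
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# unix_attrs_ok KIND LDIF
# KIND is 'user' or 'group'. Prints "ok" and returns 0, or lists the
# attributes that are missing or non-numeric and returns 1.
unix_attrs_ok() {
    kind=$1; ldif=$2; missing=""
    case "$kind" in
        user)  required="uid uidNumber gidNumber" ;;
        group) required="gidNumber" ;;
        *)     echo "kind must be user or group" >&2; return 2 ;;
    esac
    for a in $required; do
        v=$(ldif_attr "$ldif" "$a")
        if [ -z "$v" ]; then
            missing="$missing $a"
        else
            case "$a" in
                *Number) case "$v" in *[!0-9]*) missing="$missing $a" ;; esac ;;
            esac
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing or invalid:$missing"
        return 1
    fi
    echo "ok"
}

# fetch_ldif KIND SAMACCOUNTNAME: query AD for just the needed attributes.
# Run 'kinit adm-<duckid>@AD.UOREGON.EDU' first.
fetch_ldif() {
    case "$1" in
        user) attrs="uid uidNumber gidNumber" ;;
        *)    attrs="gidNumber" ;;
    esac
    ldapsearch -LLL -H "ldap://$AD_HOST" -Y GSSAPI -b "$AD_BASE" \
        "(sAMAccountName=$2)" $attrs 2>/dev/null
}

# check_object KIND SAMACCOUNTNAME: fetch and check in one step.
check_object() { unix_attrs_ok "$1" "$(fetch_ldif "$1" "$2")"; }
```

check_object user <duckid> before adding someone to a Likewise policy saves a round trip: an account that prints ‘missing or invalid: uidNumber gidNumber’ is exactly the one that will fail to log in (section 4.3, note c) and needs the adhelp request above.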


5 - Mac Policy Examples

5.1 - Grant admin access to a user or group

1. Description: This section details the steps to allow specified users or groups Administrator access to a Mac workstation or server. Without this policy, all domain users are standard users only.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Right-click > Edit

c. Expand ‘Computer Configuration’

d. Expand ‘Unix and Linux Policies’

e. Expand ‘Mac Settings’

f. Click ‘DS Plugin Settings’

g. Double-click ‘Allow administration by’
   i. Add the group you would like to grant local admin access.

h. Double-click ‘Allow admins group local entries’ > Select True.

3. Notes:

a. IMPORTANT: The groups and users selected must have UNIX attributes to function. If you intend to use a group that does not currently have UNIX attributes, contact Systems via the adhelp@ithelp.uoregon.edu RT queue to have this set up.

b. Every member of a group listed here becomes a local administrator on every Mac the GPO applies to, so link the GPO only to the OUs that need it and prefer a small, unit-specific group over a broad one.

5.2 - Enable Mac firewall

1. Description: This section details the steps to enable and configure the Mac firewall.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Right-click > Edit

c. Expand ‘Computer Configuration’

d. Expand ‘Unix and Linux Policies’

e. Expand ‘Mac Settings’

f. Expand ‘Mac System Preferences’

g. Click ‘Firewall’

h. Double-click ‘Use firewall protection’

i. Check ‘Define this policy setting’

j. Select ‘Enabled’

k. (Optional) Enable firewall logging:
   i. Double-click ‘Turn on firewall logging’
   ii. Check ‘Define this policy setting’
   iii. Select ‘Enabled’

l. (Optional) Block UDP traffic:
   i. Double-click ‘Block UDP traffic usage’
   ii. Check ‘Define this policy setting’
   iii. Select ‘Enabled’

m. (Optional) Enable firewall stealth mode:
   i. Double-click ‘Use firewall stealth mode’
   ii. Check ‘Define this policy setting’
   iii. Select ‘Enabled’

n. Click ‘Apply Now’.

o. Any Mac in the OU that the GPO is attached to will receive these settings at the next Group Policy refresh (see ‘Force a group policy refresh’).

3. Notes: N/A
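A client-side check that the policy above actually took effect on a Mac. This is an added example, not part of Likewise or of this guide. On Mac OS X 10.5/10.6 the application firewall state is stored in /Library/Preferences/com.apple.alf.plist under the keys globalstate (0 off, 1 on, 2 block all incoming), loggingenabled and stealthenabled (0/1); alf_check parses ‘defaults read’ output so it can be tested with captured text, and the expected values are arguments so the check matches whichever of the optional settings the GPO enables. The key behind the ‘Block UDP traffic usage’ option is not covered here.

```shell
#!/bin/sh
# Client-side verification for section 5.2: after the GPO applies, confirm
# the application firewall really is on. Added example, not part of
# Likewise. On Mac OS X 10.5/10.6 the firewall state lives in
# /Library/Preferences/com.apple.alf.plist: globalstate (0 off, 1 on,
# 2 block all incoming), loggingenabled and stealthenabled (0/1). alf_check
# parses 'defaults read' output so it can be tested with captured text; the
# expected values are arguments so the check matches whichever options the
# GPO enables. The key behind 'Block UDP traffic usage' is not covered here.

# alf_value TEXT KEY: numeric value of KEY from 'defaults read' output,
# where lines look like '    globalstate = 1;'. Empty if absent.
alf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \([0-9][0-9]*\);.*/\1/p" | head -n 1
}

# alf_check TEXT [WANT_STATE] [WANT_LOGGING] [WANT_STEALTH]
# Compares the three keys with the values the GPO should have set
# (defaults: 1 1 1, i.e. every option from section 5.2 enabled). Prints
# each mismatch and returns 1 if there is any.
alf_check() {
    text=$1; want_state=${2:-1}; want_log=${3:-1}; want_stealth=${4:-1}; rc=0
    for pair in "globalstate:$want_state" "loggingenabled:$want_log" "stealthenabled:$want_stealth"; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(alf_value "$text" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', policy expects $want"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "firewall settings match policy"
    return "$rc"
}

# alf_live_check [WANT_STATE] [WANT_LOGGING] [WANT_STEALTH]
# On the Mac itself: read the live preferences and compare. A mismatch
# right after a change usually means policy has not refreshed yet
# (section 4.12).
alf_live_check() {
    alf_check "$(defaults read /Library/Preferences/com.ap.alf 2>/dev/null | sed 's/com\.ap\./com.apple./')" "$@"
}
```

On a managed Mac, sudo /opt/likewise/bin/gporefresh followed by alf_live_check 1 1 1 (or 1 0 0 if only step j was enabled) is a quick way to prove the GPO is reaching the host rather than trusting the console view.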

5.3 - Apply a pre-logon warning message

1. Description: This section details the steps to apply a pre-logon warning message to users of a workstation or server. A common warning would display ‘Authorized use only’ along with any laws, regulations, and warnings about acceptable use as required. This is a recommended practice for both Windows and Mac hosts.

2. Steps:

a. Follow the steps in ‘Edit a GPO with Workgroup Manager on a Mac Admin workstation’.

b. Select ‘Group of Computers managed by GPO’.

c. At the top of the Workgroup Manager window, click ‘Preferences’. This will show you all of the Computer-related settings you may set in this policy, by category.

d. Select ‘Login’.

e. Select the ‘Window’ tab.

f. Choose ‘Always’ at the top of the new Login settings window.

g. Enter any text into the ‘Message:’ field.

h. Click ‘Apply Now’.

i. Any Mac in the OU that the GPO is attached to will receive this pre-logon message at the next Group Policy refresh.

3. Notes: N/A

5.4 - Show Hard Disks and Connected Servers on Desktop by default

1. Description: This section details the steps to force a Mac workstation or server to show network, external and local drives on the user’s desktop.

2. Steps:

a. Follow the steps in ‘Edit a GPO with Workgroup Manager on a Mac Admin workstation’.

b. Select ‘Group of Computers managed by GPO’.

c. At the top of the Workgroup Manager window, click ‘Preferences’. This will show you all of the Computer-related settings you may set in this policy, by category.

d. Select ‘Finder’.

e. Select the ‘Preferences’ tab.

f. Check ‘Hard Disks’, ‘External Drives’, ‘CDs, DVDs, and iPods’, and ‘Connected Servers’ under ‘Show these items on the Desktop’.

g. Click ‘Apply Now’.

h. Any Mac in the OU that the GPO is attached to will receive these settings at the next Group Policy refresh.

3. Notes: N/A

5.5 - Universal File Vault settings

1. Description: This section provides an example usage of the Likewise file deployment mechanism to control FileVault settings across managed Mac workstations. This should be done with extreme caution and testing.

2. Steps:

a. On a Mac workstation without FileVault set up, set up the master FileVault password you intend to use on every system.

b. Follow the steps in ‘Deploy a File to a Mac workstation’ to deploy:
   i. /Library/Keychains/FileVaultMaster.cer
   ii. /Library/Keychains/FileVaultMaster.keychain

c. Match the ACL settings on each file in the GPO to those set on the Mac.

d. Uncheck ‘Delete when policy is removed’, or these files will be removed from any system that falls out of the scope of the policy.

3. Notes:

a. Be sure to read the following article for more information on this strategy:

http://www.mactech.com/articles/mactech/Vol.24/24.07/2407MacEnterprise-FileVaultintheEnterprisePart1/index.html

b. The FileVaultMaster.keychain created in step ‘a’ holds the master private key, which can unlock every FileVault home protected by this master password. Keep that original on a secured admin system and deploy to clients only a copy of the keychain from which the private key has been removed; the client needs only the certificate to encrypt new homes to the master key.

5.6 - Configure login options

1. Description: This section details the steps to configure login options, such as automatic login, Fast User Switching, the Guest account, and screen saver timeouts.

2. Steps:

a. Follow the steps in ‘Edit a GPO with Workgroup Manager on a Mac Admin workstation’.

b. Select ‘Group of Computers managed by GPO’.

c. At the top of the Workgroup Manager window, click ‘Preferences’. This will show you all of the Computer-related settings you may set in this policy, by category.

d. Select ‘Login’.

e. Select the ‘Options’ tab.

f. Uncheck ‘Enable automatic login’.

g. Uncheck ‘Enable Fast User Switching’.

h. Uncheck ‘Enable Guest Account’.

i. Check ‘Start screen saver after XX minutes’.

j. Enter the number of minutes of inactivity after which the screen saver starts.

k. Click the ‘…’ button to the right of ‘Use module at path:’.

l. Browse to the desired screen saver (/System/Library/Screen Savers/*.saver).

m. Click ‘Apply Now’.

n. Any Mac in the OU that the GPO is attached to will receive these settings.

3. Notes:

a. Mac MCX policies are not as granular as many Windows GPO settings. In this example, you must decide what settings you want to use for *all* options in the ‘Login\Options’ configuration section, as all will be enforced. You cannot leave any of them ‘undefined’ as you would in a GPO (allowing local override).

5.7 - Configure Energy Saver options

1. Description: This section details the steps to apply managed Energy Saver options to Mac workstations. This is typically used to force workstation to sleep and disable displays after a fixed amount of time.

2. Steps:

a. Follow the steps in ‘Edit a GPO with Workgroup Manager on the Mac Admin workstation’.

b. Select ‘Group of Computers managed by GPO’.

c. At the top of the Workgroup Manager window, click ‘Preferences’. This will show you all of the Computer-related settings you may set in this policy by category.

d. Select ‘Energy Saver’.

e. Select Manage: ‘Always’.

f. Select ‘Sleep’ from the ‘Settings’ dropdown list.

g. Select a time for ‘Put the computer to sleep when it is inactive for:’.

h. Select a time for ‘Put the display(s) to sleep when the computer is inactive for:’.

i. Check/Uncheck ‘Put the hard disk(s) to sleep when possible’.

j. Select ‘Options’ from the ‘Settings’ dropdown list.

k. Uncheck ‘Wake when modem detects a ring’.

l. Check ‘Wake for Ethernet network administrator access’.

m. Check/Uncheck ‘Allow power button to sleep the computer’.

n. Check/Uncheck ‘Restart automatically after a power failure’.

o. Click ‘Apply Now’.

p. Any Mac in the OU that the GPO is attached to will now receive these settings.

3. Notes: N/A


6 - Universal Linux/Unix/Mac Policy Examples

6.1 - Allow cached logins

1. Description: This section details the steps to enable cached logins. Cached logins allow a user to log in to a host even when it is offline, as long as a successful login has occurred previously. This is commonly set on workstations and laptops.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Expand ‘Computer Configuration’.

c. Expand ‘Unix and Linux Policies’.

d. Expand ‘Likewise Settings’.

e. Select ‘Logon’.

f. Double-click ‘Allow cached logons (cached_login)’.

g. Check ‘Define this Policy Setting’.

h. Select ‘Authorization and Identification’.

i. Double-click ‘Allow offline logon support’.

j. Check ‘Define this Policy Setting’.

k. Select ‘Enable’.

3. Notes:

a. For this policy to be effective, a user must successfully logon at least one time after this policy is applied to the host.

6.1 - Restrict login to a user or group

1. Description: This section details the steps to restrict login to a workstation or server. Examples of this usage would be to only allow staff from a particular department to log in to a workstation, or to deny login to a server system by anyone other than an admin group/user.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Right-click > Edit.

c. Expand ‘Computer Configuration’.

d. Expand ‘Unix and Linux Policies’.

e. Expand ‘Likewise Settings’.

f. Select ‘Logon’.

g. Double-click ‘Allow logon rights’.

h. Check ‘Define this Policy Setting’.

i. Click the button resembling a pencil.

j. Find the group you would like to grant local logon rights.

k. (Optional): Enter a message to be displayed when logon is denied:

l. Double-click ‘Denied logon rights message Properties’.

m. Check ‘Define this Policy Setting’.

n. Edit text in the ‘Logon error message’ box as required. The default text may work for your purposes.

3. Notes:

a. You may select multiple groups to grant logon rights. These must be entered in a comma separated list, though this is done automatically when searching and selecting a group.

b. *IMPORTANT*: The groups and users selected must have UNIX attributes to function. If you are intending to use a group that does not currently have UNIX attributes, contact Systems via the adhelp@ithelp.uoregon.edu RT queue to have this setup.

6.2 - Grant a domain group sudo access to a Linux host

1. Description: This section details the steps to allow a domain group or user sudo privileges on a Linux host. These steps allow any member of the group specified to perform admin operations.

2. Steps:

a. Follow the steps in “Join a Linux computer to the domain using the shell”.

b. Edit the sudoers file on the Linux system:

i. sudo nano /etc/sudoers

c. Look for the entry:

‘root ALL=(ALL) ALL’ or ‘root ALL=ALL’

d. Directly beneath this, enter the following:

%AD\\GROUPNAME ALL=(ALL) ALL

e. Reboot the system.

f. Log in with a domain user that is a member of the group you added to the sudoers file.

g. Confirm sudo access by running an elevated command.

3. Notes:

a. GROUPNAME must be replaced with a valid domain group. All members of this group will be granted sudo access to the Linux host.

b. The group selected must have valid UNIX attributes.

6.3 - Deploy Sudoers file

1. Description: This section details the steps to deploy a working sudoers file to Linux hosts in order to standardize your sudoers user list across managed servers. You may also create multiple GPOs with different sudoers files as necessary.

2. Steps:

a. Follow the steps in section ‘Grant a domain group sudo access to a Linux host’.

b. Copy the sudoers file from this host to a network location (e.g. \\fileserver\share\sudoers).

c. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

d. Right-click > Edit.

e. Expand ‘Computer Configuration’.

f. Expand ‘Unix and Linux Policies’.

g. Expand ‘Security Settings’.

h. Select ‘SUDO command’.

i. Double-click ‘Define Sudoers file’.

j. Check ‘Define this Policy Setting’.

k. Click ‘Import…’.

l. Browse to the network location (e.g. \\fileserver\share\sudoers) and select the file.

m. Confirm the information imported into the ‘Current file content’ is correct.

n. Click ‘OK’.

3. Notes:

a. The sudoers file should be prepared for each class of host and thoroughly tested before mass deployment to protect against version or platform specific settings.
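Before a sudoers file is imported in step k above (or right after the hand edit in ‘Grant a domain group sudo access to a Linux host’), it is worth checking it mechanically: that the domain group line is present and not commented out, that the root entry the guide tells you to look for survived the edit, and that sudo’s own parser accepts the file. The script below is an added example and is not part of the Likewise guide or the Likewise product. It assumes the entry is written in the guide’s form (‘%AD\\GROUPNAME ALL=(ALL) ALL’, with GROUPNAME a placeholder for a real domain group that has UNIX attributes) and that visudo is installed for the syntax check; the sample file it writes is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not from the Likewise guide: sanity checks to run on a
# sudoers file before importing it into the 'Define Sudoers file' policy.
# Assumes the guide's entry form "%AD\\GROUPNAME ALL=(ALL) ALL" (GROUPNAME
# is a placeholder for a real domain group with UNIX attributes).

# sudoers_grants_group FILE GROUP
# Returns 0 when an active (not commented-out) line grants GROUP the full
# "ALL=(ALL) ALL" privilege, 1 otherwise. GROUP is handed to awk through the
# environment so the backslashes in "AD\\GROUPNAME" need no extra escaping.
sudoers_grants_group() {
    SUDOERS_GROUP="$2" awk '
        /^[ \t]*#/ { next }                                  # comment line, ignore
        ($1 == ("%" ENVIRON["SUDOERS_GROUP"])) && $2 == "ALL=(ALL)" && $3 == "ALL" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# sudoers_root_intact FILE
# Returns 0 when the root entry the guide tells you to look for is still
# present. A deployed file that dropped it would strip root of sudo rights
# on every host receiving the policy.
sudoers_root_intact() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "root" && (($2 == "ALL=(ALL)" && $3 == "ALL") || $2 == "ALL=ALL") { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# validate_sudoers FILE
# Runs sudo's own parser in check-only mode on the candidate file.
# Returns 0 when it parses, 1 on a syntax error, 2 if visudo is not installed.
validate_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1"
}

# write_sample_sudoers FILE
# Writes a constructed sample (not a real host's file) for trying the checks.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers for demonstration
Defaults    env_reset
root    ALL=(ALL) ALL
%AD\\GROUPNAME ALL=(ALL) ALL
# %AD\\OLDGROUP ALL=(ALL) ALL
EOF
}

# Usage: sh sudoers_check.sh /path/to/candidate/sudoers
if [ "${1:-}" ]; then
    f=$1
    sudoers_grants_group "$f" 'AD\\GROUPNAME' && echo "group entry present" || echo "group entry MISSING"
    sudoers_root_intact "$f" && echo "root entry present" || echo "root entry MISSING"
    validate_sudoers "$f"; rc=$?
    case $rc in
        0) echo "visudo: syntax OK" ;;
        1) echo "visudo: syntax ERROR, do not import" ;;
        *) echo "visudo not available, syntax not checked" ;;
    esac
fi
```

The two awk checks compare whole fields rather than grepping for a substring, so a commented-out line (as in the sample’s last line) or a different group with a similar prefix is not mistaken for the entry you intended to deploy.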

6.4 - Set Default Login Shell to /bin/bash

1. Description: This section details the steps required to set the default login shell on a Linux/Unix/Mac host. This is commonly used to set the default shell to /bin/bash as many platforms will default to /bin/sh.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Right-click > Edit.

c. Expand ‘Computer Configuration’.

d. Expand ‘Unix and Linux Policies’.

e. Expand ‘Likewise Settings’.

f. Select ‘Authorization and Identification’.

g. Double-click ‘Login shell template’.

h. Check ‘Define this policy setting’.

i. In the ‘Shell:’ field, enter /bin/bash.

j. Click ‘OK’.

3. Notes:

a. This policy should be put in place *before* a user logs in. If a user has already logged in and has another shell set, you may need to restart the host.


6.5 - Target a specific non-windows platform

1. Description: This section details the steps to target a specific Linux/Unix/Mac platform. This is used to assign policies to only a particular platform, such as Mac OS or Redhat. In conjunction with OU structure, this can be used to define GPO assignment at a granular level.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Expand ‘Computer Configuration’.

c. Expand ‘Unix and Linux Policies’.

d. Select ‘Target Platform Filter’.

e. Double-click ‘Target platforms’.

f. Check ‘Define this policy setting’.

g. Select ‘Select from the List’.

h. Check all platforms to which this policy should apply.

i. Click ‘OK’.

3. Notes: N/A

6.6 - Enable Loopback processing on a GPO

1. Description: This section details the steps required to enable Loopback processing. This feature allows User GPO settings to be attached to Computer GPOs. Settings then merge into or replace the policy settings normally assigned by User GPOs. This is common when creating policies for kiosk stations where an admin intends to override any user GPO settings. Additionally, this is a common method to assign User GPOs in the campus Active Directory environment due to the architecture and IDM integration.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Expand ‘Computer Configuration’.

c. Expand ‘Unix and Linux Policies’.

d. Expand ‘Likewise Settings’.

e. Click ‘Group Policy Agent’.

f. Double-click ‘User policy loopback processing mode’.

g. Check ‘Define this Policy Setting’.

h. Select ‘Replace’ or ‘Merge’ as required.

3. Notes:

a. Standard loopback processing set for Windows workstations will not work on non-windows workstations. You must enable loopback processing for Likewise clients through the ‘Unix and Linux Settings’ node.

b. Merge is the most common setting for loopback processing in our environment. This enables any GPOs assigned to the workstation that contain user-specific settings to overwrite any conflicting settings, but leave others.

c. ‘Replace’ is typically used with kiosk systems that require the user-specific settings to be completely ignored. This setting overwrites any conflicting settings, but also removes any other settings set by any user GPOs.

6.7 - Deploy a File

1. Description: This section details the steps to deploy a file to managed Linux/Unix/Mac hosts. This is targeted at the deployment of small configuration files for applications and should not be used for large file deployment.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Expand ‘Computer Configuration’.

c. Expand ‘Unix and Linux Policies’.

d. Expand ‘File System Settings’.

e. Select ‘Files, Directories and Links’.

f. Double-click ‘Create Directories, Install Files, Configure Links’.

g. Check the ‘Define this policy setting’ box.

h. Click ‘Add…’.

i. Select ‘File’.

j. Browse to the file location.

k. Enter the path the file should be deployed to.

l. Set file ACL values (read/write/execute for User/Group/Other).

m. Select an AD User/Group if desired.

n. Check/Uncheck ‘Delete when policy is removed’ as necessary.

o. Click ‘OK’.

3. Notes:

a. IMPORTANT: This file deployment method is intended for small files. Do not deploy large files using this method as this can directly impact the performance of Active Directory.

b. Deployed files are stored inside the GPO and distributed to clients from there. Unlike a GPO Preferences policy for Windows, the UNC path (e.g. \\server\shared\file.ext) is not used.
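Step l above asks for the file’s read/write/execute flags for User, Group and Other, and step c of ‘Universal File Vault settings’ asks that those values match the reference Mac. The helper below is an added example, not part of the Likewise guide or product: it reads a reference file’s mode, owner and group with either GNU stat (Linux) or BSD stat (Mac OS X), converts the octal mode into the nine flags the policy editor presents, and, after a policy refresh on a client, confirms that the deployed copy has the mode and ownership that were configured (and still exists, which catches the ‘Delete when policy is removed’ case from 5.5 step d). File paths and modes used here are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Likewise guide: read a reference file's
# permissions so the 'Set file ACL values' boxes of the 'Deploy a File'
# policy can be filled in to match, and confirm the deployed copy later.
# Assumes GNU stat (Linux) or BSD stat (Mac OS X) is available.

# file_meta FILE
# Prints "MODE OWNER GROUP", mode as octal permission bits (e.g. 644).
file_meta() {
    if stat -c '%a' / >/dev/null 2>&1; then
        stat -c '%a %U %G' "$1"            # GNU stat (Linux)
    else
        stat -f '%OLp %Su %Sg' "$1"        # BSD stat (Mac OS X), low bits only
    fi
}

# mode_to_rwx MODE
# Converts an octal mode such as 640 (or 0640, or 4755) into the nine
# read/write/execute flags for User/Group/Other, e.g. "rw-r-----".
# Only the last three digits count; setuid/setgid/sticky are not represented.
mode_to_rwx() {
    m=$1
    while [ ${#m} -lt 3 ]; do m="0$m"; done     # pad "7" to "007"
    m=${m#"${m%???}"}                           # keep the last three digits
    out=""
    for d in $(printf '%s\n' "$m" | sed 's/./& /g'); do
        case $d in
            [0-7]) ;;
            *) echo "mode_to_rwx: bad octal digit '$d'" >&2; return 1 ;;
        esac
        [ $(( $d & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( $d & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( $d & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# check_deployed_file FILE MODE OWNER GROUP
# Returns 0 when FILE exists with the given octal mode and ownership,
# 1 otherwise, reporting what differs on stderr. Intended to be run on a
# client after a policy refresh, e.g. on /Library/Keychains/FileVaultMaster.keychain.
check_deployed_file() {
    file=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$file" ]; then
        echo "$file: missing (removed with the policy, or not yet refreshed?)" >&2
        return 1
    fi
    set -- $(file_meta "$file")
    have_mode=$1 have_owner=$2 have_group=$3
    status=0
    # compare via the flag string so 640 and 0640 are treated as equal
    if [ "$(mode_to_rwx "$have_mode")" != "$(mode_to_rwx "$want_mode")" ]; then
        echo "$file: mode is $have_mode ($(mode_to_rwx "$have_mode")), expected $want_mode" >&2
        status=1
    fi
    if [ "$have_owner" != "$want_owner" ] || [ "$have_group" != "$want_group" ]; then
        echo "$file: owner is $have_owner:$have_group, expected $want_owner:$want_group" >&2
        status=1
    fi
    return $status
}

# Usage on the reference host: sh acl_check.sh /path/to/reference/file
if [ "${1:-}" ]; then
    meta=$(file_meta "$1") || exit 1
    set -- $meta
    echo "mode $1 ($(mode_to_rwx "$1"))  owner $2  group $3"
fi
```

On the reference Mac the usage line prints the three pieces of information the policy dialog asks for; on a client, check_deployed_file can be dropped into a post-refresh check to confirm the GPO delivered the file with the ACL you configured rather than the defaults.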

6.8 - Set AD domain as default for user logon

1. Description: This section details the steps to set Likewise-enabled computers to automatically prepend the default domain (AD) to user names at logon.

2. Steps:

a. Follow the steps in ‘Create a GPO for Likewise clients on a Windows Admin workstation’.

b. Expand ‘Computer Configuration’.

c. Expand ‘Unix and Linux Policies’.

d. Expand ‘Likewise Settings’.

e. Select ‘Authorization and Identification’.

f. Double-click ‘Lsassd: Prepend default domain name for AD users and groups’.

g. Check the ‘Define this policy setting’ box.

h. Select ‘Enabled’.

i. Click ‘OK’.

3. Notes:

a. After the next policy refresh, users will be able to log on to a machine affected by this policy with only their DuckID username. Adding ‘AD\’ will no longer be required.
