Extend Microsoft Group Policy to UNIX, Linux and Mac

Microsoft Active Directory Group Policy Overview

Group Policy is a Windows policy deployment infrastructure built around Microsoft’s Active Directory. It is used to deliver and apply policy settings to groups of users and computers in Active Directory. Every Windows machine joined to Active Directory runs a Group Policy agent. The agent loads and runs multiple client-side extensions (CSEs), each responsible for reading a specific category of Group Policy settings from the directory and writing them to the local store where they take effect.

Diagram: Group Policy

How Group Policy Works with UNIX and Linux

Likewise Enterprise Group Policy works much like Windows Group Policy. When a Linux computer has been “joined” to Active Directory, a Likewise Enterprise Group Policy agent runs in the background on that computer. The agent determines the list of Group Policy objects that apply to the system, and Likewise Software has implemented a set of client-side extensions for Linux-specific policies. These Linux-specific policies have no effect on Windows computers because the corresponding client-side extensions do not exist there.

UNIX and Linux Group Policies

Likewise Enterprise adds support for configuring UNIX and Linux system settings via Group Policy. The following UNIX and Linux Policies can be used to manage and administer computers.

  • Script Policy

    The Script Policy allows you to specify a text-based script file to be executed on the UNIX or Linux system. The script is copied to the local machine at the next Group Policy refresh interval and run immediately, as the root user. The script runs every time the system reboots and on the first refresh interval after the policy is changed. Because it runs as root on every computer the GPO is linked to, treat the GPO as a root-level code path: restrict who can edit it, and write the script so that it is safe to run repeatedly, since it will execute again on every reboot.

  • Cron Policy

    The Cron Policy allows you to specify crontab and /etc/cron.d files. Each entry runs a command at a regularly scheduled interval and consists of the following fields:

    • minute (0-59)
    • hour (0-23)
    • day of the month (1-31)
    • month of the year (1-12)
    • day of the week (0-6 with 0=Sunday)
    • Command to run

    Certain UNIX distributions only support crontab and do not support /etc/cron.d files. Note also that an /etc/cron.d entry carries one extra field, the user account the command runs as, between the day-of-week field and the command; a file written in one format but deployed as the other will not run as intended. Please refer to your UNIX documentation for more information.

  • Sudo Policy

    The Sudo Policy allows you to specify a sudo configuration file that is copied to the local machine and replaces the current sudoers file. Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments. Sudoers files can reference local users and groups or users and groups that reside in Active Directory. Because the policy replaces the whole file, check the candidate file with visudo -c -f <file> before publishing it: sudo refuses to run at all when its configuration contains a syntax error, so a bad policy file removes administrative access on every computer it reaches.

  • Automount Policy

    The Automount Policy allows you to specify directories that are mounted automatically when they are accessed. Automounts are useful for NFS and Samba shares and for boot mounts/partitions.
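A Cron Policy file is pushed to every computer the GPO reaches, so it is worth checking the entries before publishing them. The following is an added example, not Likewise Enterprise code: a small validator for the two file formats the Cron Policy accepts, assuming the usual Vixie cron layout (five time fields plus a command in a crontab, with a user field inserted before the command in /etc/cron.d). It checks the field ranges listed above, accepts ranges, lists, steps and month/day names, and shows what goes wrong when a cron.d file is parsed as a crontab: the user name is silently swallowed into the command.

```python
"""Validate crontab / /etc/cron.d entries before publishing them through a Cron Policy.

Added example, not Likewise Enterprise code. It assumes the usual Vixie cron
formats: a crontab line is five time fields followed by a command, while an
/etc/cron.d line has a user name between the time fields and the command.
"""

MONTHS = {m: i + 1 for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split())}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
# (label, low, high, symbolic names) for the five time fields, in crontab order.
TIME_FIELDS = [
    ("minute", 0, 59, {}),
    ("hour", 0, 23, {}),
    ("day of month", 1, 31, {}),
    ("month", 1, 12, MONTHS),
    ("day of week", 0, 7, DAYS),  # 7 is accepted as a second spelling of Sunday
]
SHORTCUTS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
             "@daily", "@midnight", "@hourly"}


def _value(token, names):
    """Convert a numeric or symbolic value ('5', 'fri') to an int, or raise ValueError."""
    if token.isdigit():
        return int(token)
    if token.lower() in names:
        return names[token.lower()]
    raise ValueError(token)


def check_field(value, label, low, high, names):
    """Return None if one time field is well formed, otherwise a description of the fault.

    Accepts '*', single values, ranges (1-5, mon-fri), lists (1,15) and steps (*/15).
    """
    for item in value.split(","):
        base, _, step = item.partition("/")
        if step and (not step.isdigit() or int(step) == 0):
            return f"{label}: invalid step '{step}'"
        if base == "*":
            continue
        lo, _, hi = base.partition("-")
        try:
            lo_n, hi_n = _value(lo, names), _value(hi or lo, names)
        except ValueError:
            return f"{label}: unrecognised value '{base}'"
        if not (low <= lo_n <= hi_n <= high):
            return f"{label}: '{base}' is outside {low}-{high}"
    return None


def parse_entry(line, cron_d=False):
    """Parse one line of a crontab (cron_d=False) or /etc/cron.d file (cron_d=True).

    Returns None for blank, comment and environment lines, a dict for a valid
    entry, and raises ValueError with the reason for an invalid one.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "=" in line.split()[0]:  # environment assignment such as MAILTO=root
        return None
    ntime = 1 if line.startswith("@") else 5
    nfields = ntime + (1 if cron_d else 0)
    parts = line.split(None, nfields)
    if len(parts) < nfields + 1:
        raise ValueError(f"expected {nfields} fields before the command")
    if ntime == 1:
        if parts[0] not in SHORTCUTS:
            raise ValueError(f"unknown shortcut '{parts[0]}'")
    else:
        for value, (label, low, high, names) in zip(parts, TIME_FIELDS):
            fault = check_field(value, label, low, high, names)
            if fault:
                raise ValueError(fault)
    return {
        "schedule": " ".join(parts[:ntime]),
        "user": parts[ntime] if cron_d else None,  # a crontab entry runs as the crontab's owner
        "command": parts[nfields],
    }


def validate(text, cron_d=False):
    """Validate a whole file; return (line number, reason) for every bad line."""
    faults = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parse_entry(line, cron_d)
        except ValueError as exc:
            faults.append((lineno, str(exc)))
    return faults


# Constructed sample of an /etc/cron.d file as it might be pushed by a Cron Policy.
SAMPLE_CRON_D = """\
# nightly backup and index refresh (sample policy file, not a real deployment)
MAILTO=root
0 2 * * mon-fri root /usr/local/sbin/backup.sh
*/15 * * * * root /usr/bin/updatedb
60 3 * * * root /usr/local/sbin/rotate-logs.sh
"""

if __name__ == "__main__":
    for lineno, reason in validate(SAMPLE_CRON_D, cron_d=True):
        print(f"line {lineno}: {reason}")  # line 5: minute: '60' is outside 0-59
```

Run the sample through validate(SAMPLE_CRON_D, cron_d=False) and it reports the same single fault, but parse_entry() now returns "root /usr/local/sbin/backup.sh" as the command of line 3: a cron.d file deployed as a crontab is syntactically fine and simply tries to execute a program called root. The validator is deliberately strict about the format it is told to expect so that this mismatch is caught before the policy refresh interval does it for you.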

Security Policies

Likewise Enterprise allows you to enforce a subset of the Windows Security Policies on a UNIX or Linux computer. The following settings can be enabled under Computer Configuration > Windows Settings > Security Settings. These settings apply to local system accounts when enabled.

  • Maximum Password Age

    This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

  • Minimum Password Age

    This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

    The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

  • Minimum Password Length

    This security setting determines the least number of characters that a password for a user account may contain. You can set a value between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

    Certain UNIX and Linux distributions enforce a minimum password length of 5 characters regardless of this setting, so a policy value below 5 has no effect there. Whether and how this policy is enforced may depend on the specific distribution of Linux or UNIX you are running.

  • Password Complexity

    This security setting determines whether passwords must meet complexity requirements.

    If this policy is enabled, passwords must meet the following minimum requirements:

    • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
    • Be at least six characters in length
    • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)

    Complexity requirements are enforced when passwords are changed or created.

  • Log on Locally (Allow Log on Locally)

    This logon right determines which users can log on to this computer, whether interactively at the console or through remote logon services such as telnet or SSH.

    The Log on Locally policy allows you to select the users or groups who can access the system. Users and groups must also be granted access to the Likewise Cell that contains the computer object. By default, all UNIX and Linux computers are joined to the Default Cell, and all members of the Domain Users group are allowed access to the Default Cell.

    This policy can also be used to enforce log on rules for local users and groups.
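The password settings above carry two kinds of rule: constraints on the settings themselves (the age ranges and the requirement that the minimum age be less than the maximum unless passwords never expire) and the Password Complexity rule applied to each new password. The following is an added example, not Likewise Enterprise code, that encodes both so a policy combination and a candidate password can be checked offline. The delimiter set used to split the full name (comma, period, dash, underscore, space, pound sign, tab) and the "three or more characters" token threshold are the ones Windows documents for this check; how the agent applies them on UNIX is an assumption here.

```python
"""Check Group Policy password settings and candidate passwords against the rules
for Maximum/Minimum Password Age, Minimum Password Length and Password Complexity.

Added example, not Likewise Enterprise code. The full-name delimiter set and the
three-character token threshold follow the Windows description of the
complexity check and are assumed to be what the UNIX agent enforces as well.
"""
import re


def policy_faults(max_age, min_age, min_length):
    """Return the reasons a combination of settings is invalid (empty list = valid)."""
    faults = []
    if not 0 <= max_age <= 999:
        faults.append("Maximum Password Age must be 0 (never expires) or 1-999 days")
    if not 0 <= min_age <= 998:
        faults.append("Minimum Password Age must be 0-998 days")
    if max_age != 0 and min_age >= max_age:  # only constrained when passwords expire
        faults.append("Minimum Password Age must be less than Maximum Password Age")
    if not 0 <= min_length <= 14:
        faults.append("Minimum Password Length must be 0-14 characters")
    return faults


NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")


def name_tokens(account_name, full_name):
    """Parts of the user's names that a password must not contain (case-insensitive).

    The whole account name counts when it is at least three characters; the full
    name is split on the delimiters and every part of three or more characters
    counts, so parts of one or two characters are ignored ("exceed two characters").
    """
    tokens = set()
    if len(account_name) >= 3:
        tokens.add(account_name.lower())
    for part in NAME_DELIMITERS.split(full_name):
        if len(part) >= 3:
            tokens.add(part.lower())
    return tokens


def complexity_faults(password, account_name="", full_name=""):
    """Return every way the password fails the Password Complexity rule."""
    faults = []
    lowered = password.lower()
    for token in sorted(name_tokens(account_name, full_name)):
        if token in lowered:
            faults.append(f"contains name part '{token}'")
    if len(password) < 6:
        faults.append("shorter than 6 characters")
    categories = [
        any("A" <= c <= "Z" for c in password),  # English uppercase
        any("a" <= c <= "z" for c in password),  # English lowercase
        any("0" <= c <= "9" for c in password),  # base 10 digits
        any(not c.isalnum() for c in password),  # neither letter nor digit, e.g. ! $ # %
    ]
    if sum(categories) < 3:
        faults.append("uses fewer than 3 of the 4 character categories")
    return faults


def password_faults(password, account_name, full_name, min_length, complexity=True):
    """Everything that would block a password change under the given policy."""
    faults = []
    if len(password) < min_length:
        faults.append(f"shorter than the policy minimum of {min_length} characters")
    if complexity:
        faults.extend(complexity_faults(password, account_name, full_name))
    return faults


if __name__ == "__main__":
    # Constructed inputs for illustration, not real accounts.
    print(policy_faults(30, 30, 8))      # ['Minimum Password Age must be less than Maximum Password Age']
    print(complexity_faults("Smith2024!", "jsmith", "John Smith"))  # ["contains name part 'smith'"]
```

Note that the complexity rule's own six-character floor is independent of the Minimum Password Length setting: a policy of 0 (no password required) combined with complexity enabled still rejects anything shorter than six characters, and the distribution floor of five characters mentioned above applies on top of both.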