Likewise Open Installation and Administration Guide - Purple Rage

More documents

Recommendations

Info

4. In the GPMC, run the group policy modeling tool to pinpoint the offending policy and then modify the policy to grant the correct level of user right to the computer or user. For more information, see Group Policy Modeling. In the following screen shot, for example, the cause of the problem is that the deny-access-to-this-computer-from-the-network default domain policy contains the domain computers group. 9.4.7. Fix Selective Authentication in a Trusted Domain When you turn on selective authentication for a trusted domain, Likewise can fail to look up users in the trusted domain because the machine account is not allowed to authenticate with the domain controllers in the trusted domain. Here's how to grant the machine account access to the trusted domain: 1. In the domain the computer is joined to, create a global group and add the computer's machine account to the group. 2. In the trusted domain, in Active Directory Users and Computers, select the Domain Controllers container and open Properties. 3. On the Security tab, click Advanced, click Add, enter the global group, and then click OK. 4. In the Permission Entry box, under Apply onto, select Computer objects. Under Permissions, find Allowed to Authenticate and enable it. Click OK and then click Apply in the Advanced Security Settings box. 5. If you have already joined the Likewise client computer to the domain, restart the Likewise authentication service: /opt/likewise/bin/lwsm restart lsass 9.5. Cache 9.5.1. Clear the Authentication Cache There are certain conditions under which you might need to clear the cache so that a user's ID is recognized on a target computer. By default, the user's ID is cached for 4 hours. If you change a user's UID for a Likewise cell with Likewise Enterprise, during the 4 hours after you change the UID you must clear the cache on a target computer in the cell before the user can log on. If you do not clear the cache after changing the UID, the computer will find the old UID until the cache expires. There are three Likewise Enterprise group policies that can affect the cache time:
The Cache Expiration Time, which stores UID-SID mappings, user/group enumeration lists, getgrnam() and getpwnam(), and so forth. Its default expiration time is 4 hours. The ID Mapping Cache Expiration Time, which caches the mapping tables for SIDs, UIDs, and GIDs. Its default is 1 hour. This policy applies only to Likewise Enterprise 4.1 or earlier. The ID Mapping Negative Cache Expiration Time, which stores failed SID-UID-GID lookups to prevent an overload of resolution requests. Its default is 5 minutes. This policy applies only to Likewise Enterprise 4.1 or earlier. Tip: While you are deploying and testing Likewise, set the cache expiration time of the Likewise agent's cache to a short period of time, such as 1 minute. Clear the Cache on a Unix or Linux Computer To delete all the users and groups from the Likewise AD provider cache on a Linux or Unix computer, execute the following command with superuser privileges: /opt/likewise/bin/lw-ad-cache --delete-all You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting. Here's an example: [root@rhel5d bin]# ./lw-ad-cache --enum-users TotalNumUsersFound: 0 [root@rhel5d bin]# ssh likewisedemo.com\\hab@localhost Password: Last login: Tue Aug 11 15:30:05 2009 from rhel5d.likewisedemo.com [LIKEWISEDEMO\hab@rhel5d ~]$ exit logout Connection to localhost closed. [root@rhel5d bin]# ./lw-ad-cache --enum-users User info (Level-0): ==================== Name: LIKEWISEDEMO\hab Uid: 593495196 Gid: 593494529 Gecos: Shell: /bin/bash Home dir: /home/LIKEWISEDEMO/hab TotalNumUsersFound: 1 [root@rhel5d bin]# To view the command's syntax and arguments, execute the following command: /opt/likewise/bin/lw-ad-cache --help Clear the Cache on a Mac OS X Computer On a Mac OS X computer, clear the cache by running the following command with superuser privileges in Terminal: dscacheutil -flushcache 9.5.2. Clear a Corrupted SQLite Cache To clear the cache when Likewise is caching credentials in its SQLite database and the entries in the cache are corrupted, use the following procedure for your type of operating system. Clear the Cache on a Linux Computer 1. Stop the Likewise authentication daemon by executing the following command as root: /opt/likewise/bin/lwsm lsass stop 2. Clear the AD-provider cache and the local-provider cache by removing the following two files: rm -f /var/lib/likewise/db/lsass-adcache.db rm -f /var/lib/likewise/db/lsass-local.db Important: Do not delete the other .db files in the /var/lib/likewise/db directory. 3. Start the Likewise authentication daemon: /opt/likewise/bin/lwsm lsass start Clear the Cache on a Mac 1. In Terminal, stop the Likewise authentication daemon by executing the following command as sudo: /opt/likewise/bin/lwsm lsass stop 2. Clear the AD-provider cache and the local-provider cache by removing the following two files: sudo rm -f /var/lib/likewise/db/lsass-adcache.db sudo rm -f /var/lib/likewise/db/lsass-local.db Important: Do not delete the other .db files in the /var/lib/likewise/db directory. 3. Restart the Likewise authentication daemon:
Page 1 and 2: Likewise Open Installation and Admi
Page 3 and 4: 10.29.1. lw-add-user: Add a Local U
Page 5 and 6: 2. To avoid typing the domain prefi
Page 7 and 8: opt/likewise/sbin/lsassd The Likewi
Page 9 and 10: Additional information about a comp
Page 11 and 12: The hosts line can contain addition
Page 13 and 14: Active Directory. DNS query results
Page 15 and 16: logon information in /var/lib/likew
Page 17 and 18: ./LikewiseEnterprise-6.1.0.97-solar
Page 19 and 20: Before Joining a Domain To join a d
Page 21 and 22: start Starts daemons after configur
Page 23 and 24: 1. In Finder, click Applications. I
Page 25 and 26: 6. In the Domain to join box, enter
Page 27 and 28: Windows Server 2003 will exclude Wi
Page 29 and 30: LSA Server Status: Agent version: 5
Page 31 and 32: Computers running Solaris, in parti
Page 33 and 34: eceive(192.168.100.20) transmit(192
Page 35 and 36: Although Likewise searches a number
Page 37 and 38: opt/likewise/bin/lwsm --help 9.1.2.
Page 39 and 40: The netlogond daemon detects the op
Page 41 and 42: Allow Access to Account Attributes
Page 43: Deny access to this computer from t
Page 47 and 48: 9.6.2. Fix KRB Error During SSO in
Page 49 and 50: To troubleshoot logon failures on a
Page 51 and 52: eventlog running (standalone: 2589)
Page 53 and 54: Tip: To view the command's options,
Page 55 and 56: 10.17. lw-get-metrics This command
Page 57 and 58: This command displays the UUID of t
Page 59 and 60: Create Likewise cell in OU TestOU s
Page 61 and 62: opt/likewise/bin/lw-del-group --hel
Page 63 and 64: [--exec-prefix] Kerberos installed
Page 65 and 66: Event Table Category.... System Eve
Page 67 and 68: ===================================
Page 69 and 70: Table of Contents 13.1. About Singl
Page 71 and 72: host names. Configure PuTTY 1. In t
Page 73 and 74: Valid starting Expires Service prin
Page 75 and 76: Allow from 127.0.0.0/255.0.0.0 ::1/
Page 77 and 78: 7. Return to the Security tab for I
Page 79 and 80: Chapter 14. Configuring the Likewis
Page 81 and 82: "Path"="/opt/likewise/lib/libsrv.sy
Page 83 and 84: set_value AssumeDefaultDomain 1 5.
Page 85 and 86: Example with the value set to 1, or
Page 87 and 88: You must use the default user name
Page 89 and 90: [HKEY_THIS_MACHINE\Services\lsass\P
Page 91 and 92: 14.8. Cache Settings in the lsass B
Page 93 and 94: [HKEY_THIS_MACHINE\Services\eventlo
Page 95 and 96:
Value Entries CLdapMaximumConnectio
Page 97:
Problem: All Active Directory Users
show all

Likewise Open Installation and Administration Guide - Purple Rage

Create successful ePaper yourself

Delete template?

Save as template?