Likewise Software cell technology for easy migration of existing Linux/UNIX information

Replacing Network Information Services (NIS)

Traditional Linux and UNIX organizations have long recognized the need for a centralized service to store usernames and group names across an organization. One of the earlier efforts at a centralized identity store was the Network Information Service (NIS). NIS allows systems administrators to provision a central server that holds the /etc/passwd and /etc/group files. All cooperating UNIX machines consult the NIS server whenever a user logs into them. Although NIS provides centralized storage of user accounts, many companies find it useful or necessary to run multiple NIS servers.

In spite of some early success, the use of NIS is declining. NIS has security weaknesses that are considered unacceptable by modern standards. Additionally, Microsoft Windows does not support NIS and, as such, it cannot be used for all authentication purposes.

Solutions that aim to replace NIS (for example, Likewise Enterprise) must provide better security, support for multiple operating systems and an easy migration path from one or more NIS servers. Additionally, because multiple NIS servers can result in a single user being mapped to multiple user and group IDs, any NIS replacement must also be able to support this one-to-many mapping.

Diagram: Cell Technology

Likewise Cell Technology

Likewise Enterprise solves this one-to-many ID mapping for a user by defining the notion of a Cell. A Likewise Cell is a grouping of Linux/UNIX computers where an Active Directory user will be mapped to a specific UNIX profile. Likewise Enterprise associates Cells with AD organizational units (OUs). Linux/UNIX computers that are joined to a particular OU that is associated with a Cell are said to be members of the Cell.

Creating a Cell

To associate a Likewise Enterprise Cell with an Active Directory organizational unit, the AD administrator downloads and installs the Likewise Enterprise Management Tools. These tools add a set of extensions to the Active Directory Users and Computers snap-in. When the administrator selects the target organizational unit object and clicks Properties, a new property page, Likewise Settings, is available. The administrator then clicks the button labeled "Enable OU for Cell Access". Once this is done, a Likewise Cell is created and associated with the target organizational unit.

Adding a Linux/UNIX Computer to the Cell

In order for a Linux/UNIX computer to participate in the AD-to-UNIX-profile mapping specified by a Cell, the computer must be joined to the AD OU with which the Cell is associated. This OU can be specified during the join process, or it can be specified in Windows by using the Active Directory Users and Computers snap-in to create the computer account in, or move it to, the appropriate OU.

Allowing an AD User to Access a Linux/UNIX Computer in a Cell

Before an AD user can access a Linux/UNIX computer, the user must be enabled in the Cell to which the computer belongs. Again, the Likewise Settings property page in Active Directory Users and Computers is used to do this. When the administrator enables an AD user for a Cell, the administrator provides the required UNIX settings for the user (a User ID, a primary Group ID, etc.). These settings apply only when the user accesses a computer in that specific Cell. From this point, when the selected user logs into any Linux or UNIX computer contained within the target organizational unit, he or she is assigned the specific properties that were set for this user within the Cell.

Migrating NIS Servers to Likewise Enterprise

Likewise Software provides a migration tool to facilitate the migration of user accounts from NIS to Likewise Enterprise. This tool can import NIS maps and associate Linux/UNIX users with existing AD user accounts. The migration tool can automatically create Likewise Enterprise Cells to contain the ID mapping information previously stored in the NIS server.
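To make the per-Cell mapping described in the two sections above concrete, here is an added example (not Likewise's code or tool) that models how passwd-style maps from two NIS domains, in which the same login carries different IDs, become one Cell per AD OU, and how a computer's OU then selects the UNIX profile a user receives. The NIS entries, domain names and OU distinguished names are constructed sample data, and the resolver returns None for a user who is not enabled in the computer's Cell.

```python
from dataclasses import dataclass

# Constructed sample NIS passwd maps from two NIS domains. Note that "alice"
# has a different UID/GID, home and shell in each domain: the one-to-many
# mapping problem a NIS replacement has to preserve.
NIS_PASSWD = {
    "nis-eng": ["alice:x:1001:100:Alice:/home/alice:/bin/bash",
                "bob:x:1002:100:Bob:/home/bob:/bin/bash"],
    "nis-ops": ["alice:x:5001:500:Alice:/export/home/alice:/bin/ksh"],
}

# Constructed mapping of NIS domain -> AD OU for which a Cell is created.
CELL_FOR_DOMAIN = {
    "nis-eng": "OU=Engineering,DC=example,DC=com",
    "nis-ops": "OU=Operations,DC=example,DC=com",
}

@dataclass(frozen=True)
class UnixProfile:
    uid: int
    gid: int
    home: str
    shell: str

def parse_passwd_line(line):
    """Parse one passwd-style NIS map entry into (login, UnixProfile)."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd entry: {line!r}")
    login, _pw, uid, gid, _gecos, home, shell = fields
    return login, UnixProfile(int(uid), int(gid), home, shell)

def build_cells(nis_maps, cell_for_domain):
    """Return {cell_ou: {login: UnixProfile}}, one Cell per NIS domain."""
    cells = {}
    for domain, lines in nis_maps.items():
        cell = cells.setdefault(cell_for_domain[domain], {})
        for line in lines:
            login, profile = parse_passwd_line(line)
            cell[login] = profile
    return cells

def resolve(cells, computer_ou, login):
    """UNIX profile a user gets on a computer joined to computer_ou, or
    None when the user is not enabled in that computer's Cell."""
    return cells.get(computer_ou, {}).get(login)
```

Running resolve for "alice" against the Engineering and Operations OUs yields UID 1001 and UID 5001 respectively, while "bob", who was never enabled in the Operations Cell, resolves to None there.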

Other Uses for Likewise Enterprise Cells

Although Cells are useful for migrating NIS server maps to Likewise Enterprise, there are other valuable uses for Cells, too. A Cell is, essentially, a custom mapping of an AD user to a set of UNIX attributes. Cells are useful any time we want to vary a user's UNIX attributes according to which machine he or she is connecting to. For example, Cells can be used to give users different primary and secondary group memberships on different machines. This can serve as a basis for "role-based access control": a user can be configured to be part of the oracleadmins group in one Cell but not in another.
