แชร์ผ่าน


Configuring User Name Mapping - Part 1

Configuring User Name Mapping - Part 1

On this page, I have put some information about how you can configure User Name Mapping. It doesn't have the complete step-by-step kind of touch to it since that article was all about getting Server for NFS to work.

To do justice to User Name Mapping, I am beginning a series of posts which discusses different UNIX environments and how they can be used with User Name Mapping to allow Windows systems to interoperate with UNIX environment and help migrating data from UNIX systems to Windows. This post, again, will not have step-by-step guide to configure User Name Mapping. That's something to follow in the next posts.

A typical UNIX environment may use local files (/etc/passwd and /etc/group) to manage authentication and manage access. In addition to local files, a UNIX system can also make use of NIS and LDAP to authenticate users centrally. Having centralized authentication make more sense if people need to access data on NFS servers – more so because all NFS cares about is UIDs and GIDs to allow access to data.

If an environment doesn't have centralized control on user and group accounts, it presents many challenges when it comes to security and managing unique UIDs and GIDs across all UNIX systems. NIS and LDAP reduce this overhead and provide easy to manage repository of user and group accounts. They also provide mechanisms such as netgroups to further strengthen security on NFS shares.

If your environment doesn't use NIS or LDAP for authentication and if your users and groups are scattered on different UNIX systems having their own user and group naming conventions and the UIDs and GIDs are duplicated between them – you really need to make a lot of changes before you can reap the benefits of UNIX interoperability components shipped with Windows and Services for UNIX 3.5 product.

To start with – you would need to ensure that your users and group have unique UIDs and GIDs and there are no conflicts across all systems.
You, of course, need to ensure that the user and group names are unique too.

Most difficult part is to plan and change UIDs and GIDs on UNIX systems. It’s not easy but you follow some simple steps to get it done sooner than later -

    1. Allocate a range of UIDs and GIDs for each of your UNIX system. This range needs to be calculated based on the number of users and groups created on them.
    2. Changing the UIDs and GIDs can be done quickly using the awk command. A simple awk script can scan the /etc/passwd and /etc/group files and change the UIDs and GIDs based on the range you allocated in first step.
    3. Changing UIDs and GIDs will immediately result in access being revoked on the local and remote file system resources since it’s based on UIDs and GIDs and not names of the users and groups. However, you can run a find command with the right syntax to search for the files and directories owned by a user’s old UID and change it to the new UID. Same applies for groups.
      It becomes really easy if you can put together a script which searches and changes UIDs and GIDs on files and folders simultaneously when changing the UIDs and GIDs in /etc/passwd and /etc/group files.
    4. Depending upon how it worked earlier, you might also have to look for accounts which belong to same users and groups on different UNIX systems and match their UIDs and GIDs so that they have same values on all of those systems.
    5. Last and most important part is to now combine /etc/passwd and /etc/group files from all of the systems and form a single master database.
      You can very well use this database to implement a centralized authentication using NIS. Check back later on this blog to look for the steps to do that.

For now, you need to move this master database to the server running the User Name Mapping service and use it configure appropriate user and group mappings.

On the other hand, things become really easy if you have NIS or LDAP already running in your environment – User Name Mapping can directly connect to your NIS servers and fetch the details to create mappings for user and group accounts.

Server for NFS and Client for NFS which ship with Windows Server 2003 R2 and Windows Vista can also talk to your RFC2307-compliant LDAP store to fetch the UID and GID information directly. This will also be featured in Windows Server 2008. It also helps you eliminate User Name Mapping service from your setup and stop worrying about mapping users and groups manually when adding new accounts (if you are not making good use of Simple Mappings).

Comments

  • Anonymous
    July 19, 2007
    I'm trying to setup a schema for having unmapped users have access to a NFS share on windows2003 through an existing mapped group. The scenario is as follow’s: I have group in unix called unixClients which is mapped to windowsClients I created a user called unixunmapped which is not mapped but is a member of the unixClients group The purpose for this is so that I can create as many users that belong to the unixClients group as I want without having to manually create a mapped 1:1 user relationship and have my NFS share work.

  • Anonymous
    July 30, 2007
    Hi David, You also need to map users since mapping just the groups doesn't work as expected with User Name Mapping. User Name Mapping does authentication before NFS request can get through and unless you map user accounts, this authentication doesn't take place. To avoid manual mapping of user accounts, you can make use of Simple maps in UNM configuration which maps Windows and UNIX users having same login names in both the worlds automatically. I'm sorry there was a lot of spamming happening on this blog so your comment went unnoticed till now.

  • Anonymous
    October 18, 2007
    > Server for NFS and Client for NFS which ship with Windows Server 2003 R2 and Windows Vista can also talk to your RFC2307-compliant LDAP store to fetch the UID and GID information directly I am looking at a w2k3 r2 server and see no way to use an LDAP server for looking up UID/GID information.  Where is it configured?

  • Anonymous
    October 18, 2007
    Open the Microsoft Services for NFS MMC snap-in, right click on the top of the hierarchy (on Microsoft Services for NFS) in the MMC snap-in and select Properties. Under the General Settings, you should see this option.

  • Anonymous
    October 23, 2007
    Ok,  Opening up the Properties on Microsoft Services for NFS, I see 2 options. User Name Mapping Server: (Currently set to localhost) and A checkbox for Active Directory Lookup.   A screenshot: http://webusers.physics.uiuc.edu/~ajw/sfu.png This is w2k3 R2 SP2.  Is there something extra that needs to be installed?

  • Anonymous
    October 23, 2007
    The comment has been removed

  • Anonymous
    October 23, 2007
    Ah, I see.  By RFC2307 LDAP server you meant an AD  server with RFC2307 schema enabled.    It's not possible to use a different LDAP server?

  • Anonymous
    October 23, 2007
    It should work with any RFC2307 compliant LDAP Directory. However, no documentation. Maybe, you can confirm :) If you need any help, please send me a mail and I can help you with whatever infomation I may have in this regard.

  • Anonymous
    April 15, 2008
    All (well, almost) about Client for NFS - Configuration and Performance I was looking at the referrals

  • Anonymous
    April 18, 2008
    Configuring User Name Mapping - Part 2 (Simple Mapping) Continuing the discussion from Configuring User