Configuring User Name Mapping - Part 1

On this page, I have put some information about how you can configure User Name Mapping. It doesn't have the complete step-by-step kind of touch to it since that article was all about getting Server for NFS to work.

To do justice to User Name Mapping, I am beginning a series of posts which discusses different UNIX environments and how they can be used with User Name Mapping to allow Windows systems to interoperate with UNIX environment and help migrating data from UNIX systems to Windows. This post, again, will not have step-by-step guide to configure User Name Mapping. That's something to follow in the next posts.

A typical UNIX environment may use local files (/etc/passwd and /etc/group) to manage authentication and manage access. In addition to local files, a UNIX system can also make use of NIS and LDAP to authenticate users centrally. Having centralized authentication make more sense if people need to access data on NFS servers – more so because all NFS cares about is UIDs and GIDs to allow access to data.

If an environment doesn't have centralized control on user and group accounts, it presents many challenges when it comes to security and managing unique UIDs and GIDs across all UNIX systems. NIS and LDAP reduce this overhead and provide easy to manage repository of user and group accounts. They also provide mechanisms such as netgroups to further strengthen security on NFS shares.

If your environment doesn't use NIS or LDAP for authentication and if your users and groups are scattered on different UNIX systems having their own user and group naming conventions and the UIDs and GIDs are duplicated between them – you really need to make a lot of changes before you can reap the benefits of UNIX interoperability components shipped with Windows and Services for UNIX 3.5 product.

To start with – you would need to ensure that your users and group have unique UIDs and GIDs and there are no conflicts across all systems.
You, of course, need to ensure that the user and group names are unique too.

Most difficult part is to plan and change UIDs and GIDs on UNIX systems. It’s not easy but you follow some simple steps to get it done sooner than later -

    1. Allocate a range of UIDs and GIDs for each of your UNIX system. This range needs to be calculated based on the number of users and groups created on them.
    2. Changing the UIDs and GIDs can be done quickly using the awk command. A simple awk script can scan the /etc/passwd and /etc/group files and change the UIDs and GIDs based on the range you allocated in first step.
    3. Changing UIDs and GIDs will immediately result in access being revoked on the local and remote file system resources since it’s based on UIDs and GIDs and not names of the users and groups. However, you can run a find command with the right syntax to search for the files and directories owned by a user’s old UID and change it to the new UID. Same applies for groups.
      It becomes really easy if you can put together a script which searches and changes UIDs and GIDs on files and folders simultaneously when changing the UIDs and GIDs in /etc/passwd and /etc/group files.
    4. Depending upon how it worked earlier, you might also have to look for accounts which belong to same users and groups on different UNIX systems and match their UIDs and GIDs so that they have same values on all of those systems.
    5. Last and most important part is to now combine /etc/passwd and /etc/group files from all of the systems and form a single master database.
      You can very well use this database to implement a centralized authentication using NIS. Check back later on this blog to look for the steps to do that.

For now, you need to move this master database to the server running the User Name Mapping service and use it configure appropriate user and group mappings.

On the other hand, things become really easy if you have NIS or LDAP already running in your environment – User Name Mapping can directly connect to your NIS servers and fetch the details to create mappings for user and group accounts.

Server for NFS and Client for NFS which ship with Windows Server 2003 R2 and Windows Vista can also talk to your RFC2307-compliant LDAP store to fetch the UID and GID information directly. This will also be featured in Windows Server 2008. It also helps you eliminate User Name Mapping service from your setup and stop worrying about mapping users and groups manually when adding new accounts (if you are not making good use of Simple Mappings).