Do you have a question or two about SFU, click here to mail me.

Active Directory Lookup? Or, User Name Mapping? Or Both?

Published 13 April 07 08:54 PM | sfu 


User Name Mapping in Windows Server 2003 R2 and Services for UNIX allows you to map UNIX user and group accounts to their Windows counterparts (both local and domain accounts). This service is used by Server for NFS and Client for NFS (and also by the Windows Remote Shell Service in SFU 3.5).

UNIX uses UIDs and GIDs to identify user and group accounts, while Windows uses SIDs. User Name Mapping provides a mechanism for Windows to correctly authenticate users and groups who access Windows NFS shares from UNIX clients or UNIX NFS shares from Windows clients.

This page talks more about why User Name Mapping is required. And, this link explains how NFS authentication works in Services for UNIX and Windows Server 2003 R2.

User Name Mapping is the only way Services for UNIX components can map UNIX UIDs/GIDs to Windows SIDs (and vice versa), but starting with Windows Server 2003 R2 and Windows Vista, Server for NFS and Client for NFS can also use the Active Directory Lookup feature to query this information directly from AD. It adds another level of integration with Active Directory and Server for NIS for these components and can help you do away with User Name Mapping, thereby reducing administrative overhead.

Note: User Name Mapping in R2 is the final release of this component. It will not be supported in future releases of Services for NFS.

If you have tried configuring Server or Client for NFS in R2, you might have noticed that you can use Active Directory Lookup and User Name Mapping at the same time.

Why? Don't they do the same thing? Why would I use them both at the same time?

Active Directory Lookup and User Name Mapping both allow you to map Windows SIDs to UIDs and GIDs (and vice versa). However, there's a big difference: User Name Mapping allows you to do advanced mappings, where you can map users who have different login names on Windows and UNIX systems. It also allows you to map multiple Windows accounts to a single UNIX account to simplify NFS access.

If you have populated UNIX attributes for all of your user and group accounts in Active Directory, you should use Active Directory Lookup. But, if you still depend on the passwd and group files or UNIX-based NIS servers to determine UIDs and GIDs for user and group accounts, you are good to go with User Name Mapping.

Using both of them makes sense in a situation where you have a mix of Windows accounts with their UNIX attributes saved in AD and still have a need to map with UNIX sources for some of the accounts.

Using them both can also help you slowly move over to Active Directory for storing UNIX attributes.

Word of caution - if you think using both of them is necessary for your setup, take care that you don’t have accounts in AD with one set of UNIX attributes and then also map those same accounts to another set of UNIX attributes using User Name Mapping. That can lead to confusion while you determine effective permissions.
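As an added example, not code from this post or from Services for UNIX itself, the following Python script models the situation the caution above describes. It runs over constructed data: a table of accounts whose UNIX attributes are populated in Active Directory (what Active Directory Lookup would answer) and a list of User Name Mapping entries, including an advanced mapping with different login names and a many-to-one mapping. The account names, UIDs and GIDs are invented for illustration; the data-structure shapes are assumptions, not the format of any SFU export. The check reports accounts that resolve to a different UID/GID depending on which source answers, lists the many-to-one mappings, and shows which accounts still depend on User Name Mapping alone (the ones left to migrate into AD).

```python
"""Consistency check between AD UNIX attributes and User Name Mapping entries.

Added example with constructed sample data; it is not part of the original
post and does not read a real AD or a real User Name Mapping server.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UnmEntry:
    """One User Name Mapping entry: Windows account -> UNIX account/UID/GID."""
    windows_account: str  # DOMAIN\user (constructed)
    unix_user: str
    uid: int
    gid: int


# Constructed: accounts whose uidNumber/gidNumber are populated in AD,
# i.e. what Active Directory Lookup would resolve them to.
AD_UNIX_ATTRS = {
    r"CONTOSO\alice": (1001, 100),
    r"CONTOSO\bob": (1002, 100),
    r"CONTOSO\carol": (1003, 200),
}

# Constructed: User Name Mapping entries configured on the same server.
UNM_ENTRIES = [
    UnmEntry(r"CONTOSO\alice", "alice", 1001, 100),        # agrees with AD
    UnmEntry(r"CONTOSO\bob", "robert", 2002, 100),         # different login name AND a UID that disagrees with AD
    UnmEntry(r"CONTOSO\dave", "dave", 1004, 100),          # known only to User Name Mapping
    UnmEntry(r"CONTOSO\svc-backup", "backup", 1010, 300),  # two Windows accounts ...
    UnmEntry(r"CONTOSO\svc-restore", "backup", 1010, 300), # ... mapped to one UNIX account
]


def find_conflicts(ad_attrs, unm_entries):
    """Accounts present in both sources whose (uid, gid) differ between them.

    Returns a list of (windows_account, ad_uid_gid, unm_uid_gid).
    """
    conflicts = []
    for entry in unm_entries:
        in_ad = ad_attrs.get(entry.windows_account)
        if in_ad is not None and in_ad != (entry.uid, entry.gid):
            conflicts.append((entry.windows_account, in_ad, (entry.uid, entry.gid)))
    return conflicts


def many_to_one(unm_entries):
    """UNIX accounts that more than one Windows account is mapped onto."""
    by_unix = defaultdict(list)
    for entry in unm_entries:
        by_unix[entry.unix_user].append(entry.windows_account)
    return {unix: sorted(wins) for unix, wins in by_unix.items() if len(wins) > 1}


def unm_only(ad_attrs, unm_entries):
    """Windows accounts that only User Name Mapping knows about.

    These are the accounts still to be given UNIX attributes in AD before
    User Name Mapping can be retired.
    """
    return sorted({e.windows_account for e in unm_entries if e.windows_account not in ad_attrs})


def main():
    for account, ad_ids, unm_ids in find_conflicts(AD_UNIX_ATTRS, UNM_ENTRIES):
        print(f"CONFLICT {account}: AD says uid/gid {ad_ids}, User Name Mapping says {unm_ids}")
    for unix_user, wins in many_to_one(UNM_ENTRIES).items():
        print(f"MANY-TO-ONE {unix_user} <- {', '.join(wins)}")
    for account in unm_only(AD_UNIX_ATTRS, UNM_ENTRIES):
        print(f"UNM-ONLY {account}: no UNIX attributes in AD yet")


if __name__ == "__main__":
    main()
```

Run as-is it prints one conflict (bob), one many-to-one mapping (backup) and three accounts still served only by User Name Mapping. The conflict line is the case the caution warns about: bob would get UID 1002 from AD Lookup but UID 2002 from User Name Mapping, so the effective permissions on an NFS export depend on which source answered.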

Important: A memory leak in the Lsass.exe process forces the Lsass.exe process to use more memory than expected. This can result in domain controllers becoming unresponsive over time and needing a reboot. This problem can be fixed by installing hotfix 931307. Windows Server 2003 Service Pack 2 includes this fix, so if you are already on Service Pack 2, you are safe.


Comments

# Harri said on August 25, 2007 2:25 PM:

Now here is the question: How can I make use of the NFS client on Windows to mount my $HOME from my Linux PC? Do I have to buy an expensive server license and another expensive PC to run AD for my home office?

# sfu said on August 27, 2007 12:14 PM:

Too little information to say anything. Send me a mail using the link above with details about how this environment is and I should be able to give you some useful hints.

# Dan said on September 9, 2007 4:08 PM:

Hi, great article.

I'm attempting to set up a server running NFS (Microsoft Services for NFS 1.0) to authenticate a set of Linux clients to corresponding domain accounts. I've attempted to turn on Active Directory lookup and populated the "Unix Attributes" area for all AD users I'm trying to authenticate; however, when I do this I'm never able to authenticate users (I always see "permission denied" from the Linux clients).

When I turn on the local User Name Mapping and configure the exact same domain account mapping on the localhost, everything works fine. I can also turn on User Name Mapping on the domain controller and this works fine as well.

Every article I've read so far on the topic makes it sound like AD lookup should just work... I haven't found a good troubleshooting reference yet. Do you have any ideas about where I should look for troubleshooting hints? I'm a bit out of my area of expertise here, so I'm not sure about the best way to debug AD issues like this.

Thanks

Dan

# sfu said on September 10, 2007 10:03 AM:

Dan,

At first, this looks like a permissions issue on the shares but I am not sure.

A network capture can reveal why this is happening.

Use the Email link above to send me a mail and later send me the network capture.

# Services for UNIX - Interoperability said on April 25, 2008 12:33 AM:

How User Name Mapping works? User Name Mapping is the core NFS authentication component in Services for
