
Configuring User Name Mapping - Part 3 (Advanced Mapping)

Published 24 January 08 11:20 PM | sfu 


Simply said - when you map Windows users and groups manually to their UNIX counterparts, it's called Advanced Mapping.

From the last post on User Name Mapping, you may be aware that Simple Mapping automatically creates maps for all users and groups that have the same names in your Windows and UNIX environments. It is possible that you aren't lucky enough to have the same user and group names in both environments. Sometimes you also want tighter control over this and may not want every user and group mapped automatically.

Advanced mappings can be used in such cases. They are easy to configure - turn off Simple Maps in the User Name Mapping configuration and create the maps manually. You can read this page to see how it is done in a Windows Server 2003 R2 environment.

In Services for UNIX 3.x environments, you can do this by using the Services for UNIX Administration console. Select User Name Mapping in the left pane, define the UNIX data source and click on Apply -

To proceed further, click on Mappings in the right pane. You can now click on Show User Mappings or Show Group Mappings depending on what you want to do -

Now you can display the users/groups on both the Windows and UNIX sides. Select the objects in both lists and click on Add. You're done.


Comments

# Geoff Kransdorf said on March 3, 2008 8:32 PM:

We're using this, and it works fine for UIDs, but it doesn't seem to work at all for groups.  Here is an example:

Lets take a Unix Directory

drwxrwxr-x   unixuser1 unixgroup1       ./test

Lets map WINuser1 to unixuser2

An AD group which WINuser1 is a member of is mapped to unixgroup1 in advanced mappings.  For good measure, unixuser2 is also in unixgroup1 on Unix (his default group is unixgroup2).

If ./test is set to 777, then WINuser1 can write to it.  It correctly shows the file ownership as unixuser2:unixgroup2.  Otherwise, it ignores both the implicit Unix group membership and also the explicit group mapping.  So if ./test is set to 775, then WINuser1 cannot write to it.

This is a serious problem.  I don't mind having to map users and groups individually, but if I can't use group permissions at all (only user permissions), then it's impossible to set up security properly for mapped users.

What is the workaround?

# sfu said on March 3, 2008 8:38 PM:

I guess I will need a network trace capturing the success and failure you get along with mapadmin list -all output.

Drop me a mail using the Email link above so that I can share my email ID with you.

- Ashish

# Geoffrey Kransdorf said on March 5, 2008 12:09 AM:

We are using files on our SFU NFS gateway server for passwd and group.  After discussion with Ashish, I added the Unix user id to the groups within the "groups" text file on the gateway and that made it work as expected.  I'm still not sure how the Windows to Unix group mapping works though, especially if a Windows user ID is in an AD group but their mapped Unix user ID is not in the corresponding Unix group.

Thanks

Geoff
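The advanced-mapping procedure in the post and the permission problem Geoff reports above come together in one added Python model (example code written for this page, not code from the original post or from Services for UNIX). The model assumes what the thread's outcome suggests: the user map selects which UNIX account a Windows user becomes, and the gid list used for the classic owner/group/other check is then taken from the server's own group file for that account, so a Windows-group-to-UNIX-group map on its own does not put the mapped user into the UNIX group. All names, uids, gids and file contents are constructed to mirror the scenario (WINuser1 mapped to unixuser2, ./test owned by unixuser1:unixgroup1) and are not from the page.

```python
import stat
from dataclasses import dataclass

# Constructed passwd-format data modelled on the comment thread.
# Names and numeric ids are made up; they are not from the page.
PASSWD_FILE = """\
unixuser1:x:1001:2001::/home/unixuser1:/bin/sh
unixuser2:x:1002:2002::/home/unixuser2:/bin/sh
"""

# Group file as it stood when access failed: unixuser2 is not listed in unixgroup1.
GROUP_FILE_BEFORE = """\
unixgroup1:x:2001:unixuser1
unixgroup2:x:2002:
"""

# Group file after the fix described in the thread: unixuser2 added to unixgroup1.
GROUP_FILE_AFTER = """\
unixgroup1:x:2001:unixuser1,unixuser2
unixgroup2:x:2002:
"""

# Advanced (manual) user map, Windows name -> UNIX name (hypothetical names).
USER_MAP = {"WINuser1": "unixuser2"}


def parse_passwd(text):
    """Return {name: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Return {name: (gid, {member names})} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


@dataclass(frozen=True)
class UnixCreds:
    uid: int
    gids: frozenset  # primary gid plus supplementary gids from the group file


def resolve_creds(win_user, user_map, passwd, groups):
    """Model (assumption): the user map picks the UNIX account, and the
    group list is whatever the server's group file says about that account."""
    unix_name = user_map[win_user]
    uid, primary_gid = passwd[unix_name]
    gids = {primary_gid}
    for gid, members in groups.values():
        if unix_name in members:
            gids.add(gid)
    return UnixCreds(uid, frozenset(gids))


def can_write(creds, owner_uid, owner_gid, mode):
    """Classic UNIX owner/group/other evaluation of the write bit."""
    if creds.uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in creds.gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def winuser_can_write_test_dir(group_file_text, mode):
    """Can WINuser1 write to ./test (owned unixuser1:unixgroup1) with this group file?"""
    passwd = parse_passwd(PASSWD_FILE)
    groups = parse_group(group_file_text)
    creds = resolve_creds("WINuser1", USER_MAP, passwd, groups)
    owner_uid, _ = passwd["unixuser1"]
    owner_gid, _ = groups["unixgroup1"]
    return can_write(creds, owner_uid, owner_gid, mode)


if __name__ == "__main__":
    for label, text in (("before fix", GROUP_FILE_BEFORE), ("after fix", GROUP_FILE_AFTER)):
        for mode in (0o777, 0o775):
            verdict = "allowed" if winuser_can_write_test_dir(text, mode) else "denied"
            print(f"{label}: mode {mode:o} -> write {verdict}")
```

With the "before" group file the model reproduces the thread: 777 works only because the other-write bit is set, and 775 is denied because unixuser2 carries no gid 2001. Adding unixuser2 to unixgroup1 in the group file is what changes the 775 result, which is why checking the gateway's group file (not just the mapping list) is the first thing to verify when group permissions misbehave for mapped users.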

# Services for UNIX - Interoperability said on April 15, 2008 2:24 PM:

All (well, almost) about Client for NFS - Configuration and Performance I was looking at the referrals
