Services for UNIX - Interoperability : Active Directory Lookup

Getting AD Lookup to work without UNIX Attributes tab

Ashish — Thu, 16 Jul 2009 20:03:00 GMT

Getting AD Lookup to work without UNIX Attributes tab The previous post talks about how to get the UNIX Attributes tab to work without installing IdMU components. In this post, I would like to talk about what attributes the NFS components expect to be...(read more)

Using UNIX Attributes tab without installing IdMU

Ashish — Mon, 13 Jul 2009 22:11:00 GMT

Using UNIX Attributes tab without installing IdMU Starting with the Windows Server 2003 R2 release, Microsoft has made it clear that the AD Lookup feature would be the preferred direction to go for identity mapping between Windows and *nix when it comes...(read more)

AD Lookup with ADAM/ADLDS

Ashish — Sat, 11 Jul 2009 01:17:00 GMT

AD Lookup with ADAM/ADLDS With removal of UNM in Vista/W2K8, it became really problematic to map users in non-AD environments to use with Vista/LH NFS Servers and Clients. For client, a workaround was discovered which was essentially a registry tweak...(read more)

Limitation with Active Directory Lookup feature in Microsoft Services for NFS

Ashish — Tue, 16 Dec 2008 01:25:00 GMT

Limitation with Active Directory Lookup feature in Microsoft Services for NFS The Active Directory Lookup feature that was introduced with Windows Server 2003 R2. This feature greatly simplifies the UNIX identity information management but has its own...(read more)

Set up Services for Network File System in Windows Server 2008

Ashish — Tue, 16 Dec 2008 01:03:00 GMT

Set up Services for Network File System in Windows Server 2008 The Microsoft Services for NFS continues to be the part of the operating system in Windows Server 2008 and seems we will see more improvements when Windows Server 2008 R2 is released. In Windows...(read more)

UNIX Interoperability and Windows Vista

Ashish — Tue, 01 May 2007 19:44:00 GMT

UNIX Interoperability and Windows Vista

There was SFU 3.5 Interoperability components. It got ported to Windows Server 2003 R2. And now we have similar interop components packaged with Windows Vista too. Windows Vista Ultimate and Enterprise editions include the Client for NFS and Subsystem for UNIX-based Applications (SUA). These Vista editions are targeted towards power users and large enterprise customers who are more likely to be benefitted from these components. However, none of the server components from SFU product line (namely Server for NFS, User Name Mapping, Server for NIS, Password Synchronization etc) are included with Vista.

You can install these components using the Programs and Features in Control Panel and then using the Turn Windows Features on or off -

Installing SUA adds only the subsystem and a program group - Subsystem for UNIX-based Applications. You need to download the utilities and SDK separately. The newly-added program group has a link to the Utilities and SDK download page.

New additions are SVR-5 Korn shell and over 150 utilities (which are found in the /svr-5 directory) and a Visual Studio Debugger add-in. This release also enables development and porting of custom UNIX applications using the Windows OCI (Oracle Call Interface) and Windows ODBC libraries which are collectively referred to as Mixed Mode.

Shanmugam, Program Manager with Microsoft maintains a blog about SFU, SUA and IDMU. You read more about these components in his blog.

Installing Client for NFS adds a Services for Network File System (NFS) MMC Snap-in to manage the Client for NFS configuration. The noticeable difference from R2 (apart from the GUI itself) is that you have two check-boxes to selectively enable User Name Mapping and/or Active Directory lookup for the UNIX identity mapping information -

Another difference is that now you can use the GUI to instruct the Client for NFS to use (or not to) reserved ports. This was otherwise done by tweaking a registry key (HKLM\software\Microsoft\Client for NFS\CurrentVersion\Default\UseReservedPorts) in previous releases -

Client for NFS in Windows Vista and Windows Server 2003 R2 supports RFC2307 attributes so it can also fetch UIDs/GIDs etc from any LDAP store which is RFC2307 compliant. I have tested this feature with Active Directory and this really is a cool addition to this component.

Active Directory Lookup? Or, User Name Mapping? Or Both?

Ashish — Fri, 13 Apr 2007 22:54:00 GMT

Active Directory Lookup? Or, User Name Mapping? Or Both?

User Name Mapping in Windows Server 2003 R2 and Services for UNIX allows you map UNIX user and group accounts to their Windows counterparts (both local and domain accounts). This service is used by Server for NFS and Client for NFS (also by Windows Remote Shell Service in SFU 3.5).

UNIX uses UIDs and GIDs to identify user and group account while Windows uses SIDs. User Name Mapping provides a mechanism for Windows to correctly authenticate users and groups who access Windows NFS shares from UNIX clients or UNIX NFS shares from Windows clients.

This page talks more about why User Name Mapping is required. And, this link explains how NFS authentication works in Service for UNIX and Windows Server 2003 R2.

User Name Mapping is the only way Services for UNIX components can map UNIX UIDs/GIDs to Windows SIDs (and vice versa) but starting with Windows Server 2003 R2 and Windows Vista, Server for NFS and Client for NFS can also use Active Directory Lookup feature to query this information directly from AD. It adds another level of integration with Active Directory and Server for NIS for these components and can help you do away with User Name Mapping and therefore, reducing administrative overhead.

Note: User Name Mapping in R2 is the final release of this component. It’ll not be supported in future releases of Services for NFS.

If you have tried configuring Server or Client for NFS in R2, you might have noticed that you can use Active Directory Lookup and User Name Mapping at the same time.

Why? Don't they do the same thing? Why would I use them both at the same time?

Active Directory Lookup and User Name Mapping - both allow you to map Windows SIDs to UIDs and GIDs (and vice versa). However, there's big difference - User Name Mapping allows you to do advanced mappings where you can map users who have different login names on Windows and UNIX systems. It also allows you to map multiple Windows accounts to a single UNIX account to simplify NFS access.

If you have populated UNIX attributes for all of your user and group accounts in Active Directory, you should use Active Directory Lookup. But, if you still depend on the passwd and group files or UNIX-based NIS servers to determine UIDs and GIDs for user and group accounts, you are good to go with User Name Mapping.

Using both of them makes sense in a situation where you have a mix of Windows accounts with their UNIX attributes saved in AD and still have a need to map with UNIX sources for some of the accounts.

Using them both can also help you slowly move over to Active Directory for storing UNIX attributes.

Word of caution - if you think using both of them is necessary for your setup, take care that you don’t have accounts in AD with one set of UNIX attributes and then also map those same accounts to another set of UNIX attributes using User Name Mapping. That can lead to confusion while you determine effective permissions.

Important: A memory leak in the Lsass.exe process forces Lsass.exe process to use more memory than expected. This can result in domain controllers becoming unresponsive over time and may need a reboot. This problem can be fixed by installing hot fix 931307. Windows Server 2003 Service Pack 2 includes this fix so if you are already on Service Pack 2, you are safe.