Active Directory Lookup? Or, User Name Mapping? Or Both?




User Name Mapping in Windows Server 2003 R2 and Services for UNIX allows you to map UNIX user and group accounts to their Windows counterparts (both local and domain accounts). This service is used by Server for NFS and Client for NFS (and also by the Windows Remote Shell Service in SFU 3.5).


UNIX uses UIDs and GIDs to identify user and group accounts, while Windows uses SIDs. User Name Mapping provides a mechanism for Windows to correctly authenticate users and groups who access Windows NFS shares from UNIX clients or UNIX NFS shares from Windows clients.


This page explains in more detail why User Name Mapping is required, and this link explains how NFS authentication works in Services for UNIX and Windows Server 2003 R2.


User Name Mapping was the only way Services for UNIX components could map UNIX UIDs/GIDs to Windows SIDs (and vice versa), but starting with Windows Server 2003 R2 and Windows Vista, Server for NFS and Client for NFS can also use the Active Directory Lookup feature to query this information directly from AD. It adds another level of integration with Active Directory and Server for NIS for these components and can let you do away with User Name Mapping altogether, reducing administrative overhead.


Note: User Name Mapping in R2 is the final release of this component. It will not be supported in future releases of Services for NFS.


If you have tried configuring Server or Client for NFS in R2, you might have noticed that you can use Active Directory Lookup and User Name Mapping at the same time.


Why? Don’t they do the same thing? Why would I use them both at the same time?


Active Directory Lookup and User Name Mapping both allow you to map Windows SIDs to UIDs and GIDs (and vice versa). However, there is a big difference: User Name Mapping allows you to do advanced mappings, where you can map users who have different login names on Windows and UNIX systems. It also allows you to map multiple Windows accounts to a single UNIX account to simplify NFS access.


If you have populated UNIX attributes for all of your user and group accounts in Active Directory, you should use Active Directory Lookup. But if you still depend on the passwd and group files or UNIX-based NIS servers to determine UIDs and GIDs for user and group accounts, you are good to go with User Name Mapping.


Using both of them makes sense in a situation where you have a mix of Windows accounts with their UNIX attributes saved in AD and still have a need to map with UNIX sources for some of the accounts.


Using them both can also help you slowly move over to Active Directory for storing UNIX attributes.


Word of caution: if you think using both of them is necessary for your setup, take care that you don’t have accounts in AD with one set of UNIX attributes and then also map those same accounts to a different set of UNIX attributes using User Name Mapping. That can lead to confusion when you try to determine effective permissions.
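The two situations described above (the many-to-one mappings that only User Name Mapping can express, and the conflicting UNIX identities that the caution warns about) are easy to audit once both sources are exported into a common shape. The following script is an added example written for this post, not code from Services for UNIX or the SFU team. It assumes you have already pulled the uidNumber/gidNumber attributes from AD and the advanced maps from User Name Mapping into the two constructed tables shown; the account names, UIDs and GIDs are sample data, not real values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UnixIdentity:
    """A UNIX identity as both sources express it: numeric uid and primary gid."""
    uid: int
    gid: int


# Constructed sample of AD user accounts. The value is the UNIX identity built from the
# account's uidNumber/gidNumber attributes, or None when those attributes are not populated.
AD_UNIX_ATTRS = {
    "CONTOSO\\alice": UnixIdentity(1001, 100),
    "CONTOSO\\bob": UnixIdentity(1002, 100),
    "CONTOSO\\carol": None,
}

# Constructed sample of User Name Mapping advanced maps:
# (Windows account, UNIX login name, UNIX identity taken from passwd/group or NIS).
UNM_MAPS = [
    ("CONTOSO\\alice", "alice", UnixIdentity(1001, 100)),
    ("CONTOSO\\bob", "robert", UnixIdentity(2002, 100)),   # disagrees with AD's uidNumber 1002
    ("CONTOSO\\carol", "ops", UnixIdentity(3000, 300)),
    ("CONTOSO\\dave", "ops", UnixIdentity(3000, 300)),     # two Windows accounts -> one UNIX account
]


def find_conflicts(ad_attrs, unm_maps):
    """Windows accounts that carry one UNIX identity in AD and a different one in User Name
    Mapping. These are exactly the accounts the post's caution says to avoid, because the
    effective UID/GID on an NFS share then depends on which source answered."""
    conflicts = []
    for win_account, _unix_name, unm_ident in unm_maps:
        ad_ident = ad_attrs.get(win_account)
        if ad_ident is not None and ad_ident != unm_ident:
            conflicts.append((win_account, ad_ident, unm_ident))
    return conflicts


def find_many_to_one(unm_maps):
    """UNIX uids that more than one Windows account maps to. AD Lookup cannot express this
    (a uidNumber lives on one account), so these maps must stay in User Name Mapping."""
    by_uid = defaultdict(list)
    for win_account, _unix_name, unm_ident in unm_maps:
        by_uid[unm_ident.uid].append(win_account)
    return {uid: accounts for uid, accounts in by_uid.items() if len(accounts) > 1}


def find_migration_candidates(ad_attrs, unm_maps):
    """Accounts whose User Name Mapping entry already matches their AD UNIX attributes and
    which are not part of a many-to-one map. Their UNM entries are redundant and can be
    retired first when moving to AD Lookup alone."""
    shared_uids = set(find_many_to_one(unm_maps))
    candidates = []
    for win_account, _unix_name, unm_ident in unm_maps:
        if ad_attrs.get(win_account) == unm_ident and unm_ident.uid not in shared_uids:
            candidates.append(win_account)
    return candidates


if __name__ == "__main__":
    for account, in_ad, in_unm in find_conflicts(AD_UNIX_ATTRS, UNM_MAPS):
        print(f"CONFLICT {account}: AD says uid={in_ad.uid} gid={in_ad.gid}, "
              f"User Name Mapping says uid={in_unm.uid} gid={in_unm.gid}")
    for uid, accounts in find_many_to_one(UNM_MAPS).items():
        print(f"MANY-TO-ONE uid {uid} <- {', '.join(accounts)} (keep in User Name Mapping)")
    for account in find_migration_candidates(AD_UNIX_ATTRS, UNM_MAPS):
        print(f"REDUNDANT {account}: UNM map equals AD attributes, safe to drop after cutover")
```

In a real deployment you would populate the two tables from your AD export and from the User Name Mapping server's advanced maps and rerun the script after each change; any account listed under CONFLICT should be fixed in one source or the other before you rely on effective permissions.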


Important: A memory leak in the Lsass.exe process forces Lsass.exe to use more memory than expected. This can result in domain controllers becoming unresponsive over time and needing a reboot. This problem can be fixed by installing hotfix 931307. Windows Server 2003 Service Pack 2 includes this fix, so if you are already on Service Pack 2, you are safe.



Comments (11)

  1. Harri says:

    Now here is the question: How can I make use of the NFS client on Windows to mount my $HOME from my Linux PC? Do I have to buy an expensive server license and another expensive PC to run AD for my home office?

  2. sfu says:

    Too little information to say anything. Send me a mail using the link above with details about how this environment is and I should be able to give you some useful hints.

  3. Dan says:

    Hi, great article.

    I’m attempting to set up a server running NFS (Microsoft Services for NFS 1.0) to authenticate a set of Linux clients to corresponding domain accounts.  I’ve attempted to turn on Active Directory Lookup and populated the "Unix Attributes" area for all AD users I’m trying to authenticate, however when I do this I’m never able to authenticate users (always see "permission denied" from the Linux clients.)

    When I turn on the local User Name mapping and configure the exact same domain account mapping on the localhost everything works fine.  I can also turn on user name mapping on the domain controller and this works fine as well.

    Every article I’ve read so far on the topic makes it sound like AD lookup should just work… I haven’t found a good troubleshooting reference yet.  Do you have any ideas about where I should look for troubleshooting hints?  I’m a bit out of my area of expertise here so I’m not sure about the best way to debug AD issues like this.

    Thanks

    Dan

  4. sfu says:

    Dan,

    At first, this looks like a permissions issue on the shares but I am not sure.

    A network capture can reveal why is this happening.

    Use the Email link above to send me a mail and later send me the network capture.

  5. How User Name Mapping works? User Name Mapping is the core NFS authentication component in Services for

  6. Yaron says:

    I have an NFS share on Windows 2003, and a UNIX computer.

    How can I map multiple UNIX users to the same Windows user for accessing the NFS share? I’ve read at http://technet.microsoft.com/en-us/library/bb463218.aspx that it’s not possible.

    When I tried, I got an error "user mapping already exists". Perhaps there is another solution like group mapping?

    I don’t use NIS; I use nfsmgmt.msc to get the path of the file that contains the UNIX users and update the UNIX users.

  7. sfu says:

    You can set all of such users’ primary group to one specific group and then map all such users to their Windows counterparts. If it’s an option, you can use anonymous access.

    – Ashish

  8. Finy says:

    Will it be possible for a root user on a Linux box to create many local users (in /etc/passwd) with different UIDs and gain access to an NFS share (with different Windows credentials) held by Windows?

    Does Windows 2008 (maybe AD) authenticate the UNIX user by his password? Or does it just check his UID and map it to a Windows account for authorization?

  9. sfu says:

    Pretty much – yes. The NFS server authenticates the users by their UID/GID (which is true for every NFS server out there) and obtains a token so that they can access the files and folders on the Windows NTFS volumes.

    If you have systems where root access is allowed and you cannot trust the user – make use of the client groups and limit access to the shares only from the machines where it is desired.

    – Ashish

  10. RCMD says:

    Is there a way for Windows 2008 to use the Password and Group files the way that 2003 did?  I can only get it to point to a remote server, but I want to look locally.

  11. sfu says:

    Not really. If this is a DC, you can populate the information in AD and use that. If it’s not a DC, ADLDS/ADAM is an option but I am not sure if you would want to do that.

    The guide is here – http://technet.microsoft.com/en-us/library/dd764497(WS.10).aspx

    – Ashish