How User Name Mapping works?

How User Name Mapping works?

User Name Mapping is the core NFS authentication component in Services for UNIX, Windows Server 2003 R2 and Windows Vista. It bridges the gap presented by difference in user identification methods used by Windows and UNIX systems. It plays equally important role for Server for NFS and Client for NFS both.

When Server for NFS receives NFS access request from a UNIX client, all it gets is UID, GID and a set of auxiliary GIDs (which represents the secondary group memberships of that user in the UNIX world). Server for NFS then typically performs the following actions to authenticate the UNIX user who’s trying to access Windows NFS share –

    • Server for NFS uses User Name Mapping to obtain the corresponding Windows user name or group name.

    • After the user name is obtained, Server for NFS connects to a domain controller (for a domain account), or to local security authority for a local user –

      • The domain controller authenticates the domain account using Kerberos extension called Service-For-User (S4U).

      • Server for NFS Authentication is needed if the user account in question is a local account. Without Server for NFS authentication, the local security authority cannot authenticate the user and access to the UNIX client will be denied.

NFS authentication may not work for domain accounts if you have domain controllers running Window 2000 operating system. S4U extensions is not supported in Windows 2000 and earlier. In such cases, you need to install Server for NFS Authentication on all of your domain controllers to get the NFS authentication to work.

When you use Client for NFS to access a UNIX NFS share, it’s the UNIX NFS Server which authenticates the Windows user at the end. Since Windows users do not have UNIX-style UIDs and GIDs, the Client for NFS gets this information from the User Name Mapping service and uses them to connect to the UNIX NFS Server.

The NFS components included with Windows Server 2003 R2 and Windows Vista have RFC2307 support and can directly fetch the UIDs and GIDs from Active Directory. This post on this same blog talks more about this feature and User Name Mapping. The Active Directory domain, however, needs to be on the R2 schema level for that to work.

Comments (8)

  1. Ibrahim T says:

    I have one simple question, Where do I find the User Name Mapping service in Windows Vista ultimate x64?

    I tried using the windows xp one and everything went well!

    However on vista, without the user name mapping I cant tell vista which uid and gid I have.

    Anyone know anything?

  2. ashisa says:

    Unfortunately, Vista doesn’t have User Name Mapping included. In fact, User Name Mapping will not be there in Windows Server 2008 (LH Server) too.

    However, you can install User Name Mapping on one of your DCs or XP Machines.

    You can also use Active Directory Lookup in Vista but your accounts need to have UNIX information populated in AD.

    if you are not using domain accounts, you are left with using User Name Mapping from SFU 3.5 🙁

  3. ashisa says:

    Anwering an unpublished comment –

    Active Directory Lookup works only when you are on R2 schema level. For the reason that R2 schema is RFC2307 compliant (with minor deviations).

    And, Server for NIS (whether from SFU or R2 IdMU) can only be installed on a Domain Controller and not on member servers.

  4. Ibrahim T says:

    Hmm, yeh I guess I can install User Name Mapping on my XP, but the weird thing is that when I set the IP-address of the XP machine that has UNM installed so that it can get the UID/GIDs from there it doesnt work neither :/

    I dont have the will to install active directory and what not.

    This is only used for a home network really, not enterprise so I dont use domains for my PCs but rather just workgroup.

  5. ashisa says:

    You need to edit the .maphosts file on the Windows XP system and put a "+" or the IP Address of the other systems in it before other systems can fetch the UNM data from it.

  6. Roy Kaldung says:

    During the set up of SFU I recognized that disabled Active Directory Accounts leads to an error during user name mapping. The chown on the NIS/NFS client failed and results in a NULL SID, the chown on a windows host with the korn shell succeeded.

  7. Jim Carroll says:

    I apologize if this is a duplicate, but it’s been a few hours since I posted, and I don’t see the message.

    So I’m trying to get clear on the situation with Vista Ultimate running Client for NFS.

    We are able to mount a remote share with no problems.  We can even get a directory listing with no problems.

    We attempt to read a file, owned by root:wheel with 0755 perms, and we get error 87 (visual studio reports this error as "The parameter is incorrect").

    BUT if we attempt to read another file, owned by another user (not-root) with perms 0755, we are successful.

    From a purely operational perspective, it would appear the Client For NFS was intentionally blocking access to the file based on UID/GID filtering, even though the server allowed the access.  Is this possible?

    Note: We’ve confirmed the error using several other read only programs.  For example ROBOCOPY reports the same ‘The parameter is incorrect’ message when attempting to copy the file.

    It would appear from the discussion above that even though we’re just using the Client for NFS, we are required to run UNM, but that this software is not available for Vista ?!  

    In this particular remote office, we have a fleet of Unix boxes, and a single Vista Ultimate system (not w2k3, no longhorn and no XP).  Does this mean we cannot access NFS shares?

    Assuming UNM is required why are we only restricted from reading files owned by root, but not others?

    FYI, the Unix box is FreeBSD 4.11.  The /etc/exports file reads

    /var -mapall=root -network -mask

    Any guidance you can offer would be appreciated.


    Jim C.

  8. ashisa says:

    I guess capturing the network wil give us an idea why we see this error with root owned files.

    Drop me a mail using the Email link on this blog and then you can send me the network trace.

    – Ashish