Configuring User Name Mapping – Part 3 (Advanced Mapping)

Simply put: when you map Windows users and groups to their UNIX counterparts by hand, one pair at a time, that is called Advanced Mapping.


From the last post on User Name Mapping, you may recall that Simple Mapping automatically creates maps for all users and groups that have the same names in your Windows and UNIX environments. You may not be lucky enough to have identical user and group names on both sides, and sometimes you will want tighter control and will not want every user and group mapped automatically.


Advanced mappings cover such cases. They are easy to configure: turn off Simple Maps in the User Name Mapping configuration and create the maps manually. You can read this page to see how it is done in a Windows Server 2003 R2 environment.


In Services for UNIX 3.x environments, you can do this from the Services for UNIX Administration console. Select User Name Mapping in the left pane, define the UNIX data source and click Apply:



To proceed further, click Mappings in the right pane, then click Show User Mappings or Show Group Mappings depending on what you want to do:



Now you can list the users (or groups) on both the Windows and UNIX sides. Select the matching objects in the two lists and click Add. You're done. One caveat, from the comments below: a group map does not by itself make the mapped UNIX user a member of that UNIX group. If the UNIX user is not also listed in the group in your UNIX group data (the group file, in the case reported below), group permissions on the NFS side will not apply to the mapped Windows user.
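The same advanced maps built from the command line with mapadmin, followed by a check of the UNIX-side group membership that the comments below show is required before group permissions take effect. This is an added example, not code from the original post; the domain, user, group and file names are hypothetical, and the mapadmin switches follow the tool's built-in help (run mapadmin with no arguments to confirm them on your version).

```powershell
# Added example (not from the original post). All names and paths are hypothetical.
# Run on the User Name Mapping server as an administrator.

# 1. Turn off simple maps so that only the maps you define are in effect.
mapadmin config -i no

# 2. Map a Windows user and a Windows group to their UNIX counterparts.
#    Windows names are DOMAIN\name; give the UNIX names in the form the
#    console shows for your data source (NIS domain or passwd/group files).
mapadmin add -wu CONTOSO\WINuser1 -uu unixuser2 -setprimary
mapadmin add -wg CONTOSO\WINgroup1 -ug unixgroup1 -setprimary

# 3. Confirm what the service actually holds before testing from a client.
mapadmin list -advanced

# 4. The group map above does not put unixuser2 into unixgroup1 for NFS access
#    checks; that membership has to come from the UNIX passwd/group data the
#    gateway reads. This function checks those files directly.
function Find-ColonRecord {
    param([string]$Path, [string]$Name)
    foreach ($line in Get-Content $Path) {
        if (-not $line -or $line.StartsWith('#')) { continue }
        $fields = $line.Split(':')
        if ($fields[0] -eq $Name) { return ,$fields }
    }
    return $null
}

function Test-UnixGroupMembership {
    param(
        [Parameter(Mandatory)][string]$PasswdFile,
        [Parameter(Mandatory)][string]$GroupFile,
        [Parameter(Mandatory)][string]$UnixUser,
        [Parameter(Mandatory)][string]$UnixGroup
    )
    # passwd line: name:passwd:uid:gid:gecos:home:shell
    $pw = Find-ColonRecord -Path $PasswdFile -Name $UnixUser
    if (-not $pw) { throw "UNIX user '$UnixUser' not found in $PasswdFile" }
    $primaryGid = [int]$pw[3]

    # group line: name:passwd:gid:member1,member2,...
    $gr = Find-ColonRecord -Path $GroupFile -Name $UnixGroup
    if (-not $gr) { throw "UNIX group '$UnixGroup' not found in $GroupFile" }
    $gid = [int]$gr[2]
    $members = @()
    if ($gr.Count -gt 3 -and $gr[3]) {
        $members = $gr[3].Split(',') | ForEach-Object { $_.Trim() }
    }

    $isPrimary = ($primaryGid -eq $gid)
    $isSupplementary = ($members -contains $UnixUser)

    [pscustomobject]@{
        UnixUser        = $UnixUser
        UnixGroup       = $UnixGroup
        PrimaryGroup    = $isPrimary
        Supplementary   = $isSupplementary
        EffectiveMember = ($isPrimary -or $isSupplementary)
    }
}

# Check the files the gateway was configured with (paths hypothetical).
# EffectiveMember = False reproduces the failure described in the comments:
# WINuser1 maps to unixuser2, but unixuser2 is not in unixgroup1, so a
# 775 directory owned by unixgroup1 denies the write.
Test-UnixGroupMembership -PasswdFile 'C:\SFU\passwd' -GroupFile 'C:\SFU\group' `
                         -UnixUser 'unixuser2' -UnixGroup 'unixgroup1'
```

If EffectiveMember comes back False, add the UNIX user to the group in the group file (or in NIS, if that is your data source) and re-test from the client; mapadmin list -all will not show this, because it only reports the maps themselves.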

Comments (4)

  1. Geoff Kransdorf says:

    We’re using this, and it works fine for UIDs, but it doesn’t seem to work at all for groups.  Here is an example:

    Let's take a Unix directory

    drwxrwxr-x   unixuser1 unixgroup1       ./test

    Let's map WINuser1 to unixuser2

    An AD group which WINuser1 is a member of is mapped to unixgroup1 in advanced mappings.  For good measure, unixuser2 is also in unixgroup1 on Unix (his default group is unixgroup2).

    If ./test is set to 777, then WINuser1 can write to it.  It correctly shows the file ownership as unixuser2:unixgroup2.  Otherwise, it ignores both the implicit Unix group membership and also the explicit group mapping.  So if ./test is set to 775, then WINuser1 cannot write to it.

    This is a serious problem.  I don't mind having to map users and groups individually, but if I can't use group permissions at all (only user permissions), then it's impossible to set up security properly for mapped users.

    What is the workaround?

  2. sfu says:

    I guess I will need a network trace capturing the success and failure you get along with mapadmin list -all output.

    Drop me a mail using the Email link above so that I can share my email ID with you.

    – Ashish

  3. Geoffrey Kransdorf says:

    We are using files on our SFU NFS gateway server for passwd and group.  After discussion with Ashish, I added the Unix user id to the groups within the "groups" text file on the gateway and that made it work as expected.  I'm still not sure how the Windows to Unix group mapping works though, especially if a Windows user ID is in an AD group but their mapped Unix user ID is not in the corresponding Unix group.

    Thanks

    Geoff

  4. All (well, almost) about Client for NFS – Configuration and Performance I was looking at the referrals