MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000

The User Name Mapping Server, a component of SFU, provides the functionality of mapping Windows-based network user names to UNIX-based network user names and vice versa. This is a means to associate user names in two networks for users who have different identities in Windows-based and UNIX-based domains.

All SFU NFS components—Server for NFS, Client for NFS, and Gateway for NFS—use User Name Mapping For NFS Authentication And Access. In an enterprise, all SFU NFS component installations can use a Central User Name Mapping to have consistent identification and authentication across the network. User Name Mapping makes it easy to administer access to NFS resources between UNIX-based and Windows-based networks. Similarly, Remote Shell Service, which is included with SFU, also uses User Name Mapping to map UNIX user names to Windows user names through remote shell (rsh) requests and executes them under the right context.

After this lesson, you will be able to

• List three benefits of using the User Name Mapping Service
• Describe the advantage of using a central mapping server
• Distinguish between simple and advanced mapping
• Install Username Mapping Server

Estimated lesson time: 15 minutes

Benefits of User Name Mapping Service

User Name Mapping service provides the following benefits:

• This service can be deployed on a single node in the organization and all Client for NFS, Gateway for NFS, and Server for NFS computers can access this server for mapping. A central mapping server reduces the cost of administration and results in a lower cost of administering a heterogeneous network.
• This service can obtain UNIX user names from a UNIX NIS or an NIS+ server working in yp-compatible mode. It can also obtain UNIX user names from Service for UNIX PCNFS servers. This causes minimal disruption in introducing User Name Mapping and other Windows-based NFS components into the network.
• Allows simple and advanced mapping. With support for simple mappings, creating default mappings for those users with identical names in two domains is a very easy task. With the support for advanced mapping, if a user has different names in two networks, the two names can be mapped to provide consistent and correct file access.
• Supports multiple Windows-based and UNIX-based domains. This allows the mapping server to be shared between multiple domains. Further, User Name Mapping can map users irrespective of the domains in which the user names were created.
• Maps users and groups. The service allows Windows-based NFS file servers to provide the same semantics as provided by UNIX NFS servers. With group mappings, access to UNIX NFS resources using the group permission bits on a file is honored for Windows-based users.
• Refreshes NIS, PCNFS, and Windows user names periodically. The key advantage of this feature is that an addition, a deletion, or a change to users in UNIX and Windows name spaces does not require administrative intervention.
• Provides command-line, graphical, and remote administration capability. This allows simplicity in administration of User Name Mappings.
• Supports backup and restoration of mappings.
• Allows mapping of multiple Windows users to one UNIX user. This reduces the administrative tasks of creating and managing rights and permissions.
• User Name Mapping ensures that only members of the Administrator's group can perform administrative tasks.
• User Name Mapping authenticates a UNIX user name and password using a UNIX cryptography algorithm and provides UNIX identification. This is useful where the Windows user requires access to UNIX resources using a UNIX account to which the user is not mapped.

NOTE

In particular, Microsoft's objectives for the User Mapping Server do the following:

• Provide Windows users access to their UNIX-based NFS resources with single sign-on. The users do not have to remember two sets of user names and passwords or sign on separately to the two operating systems.
• Share a single set of User Name Mappings across the network. Multiple instances of Client for NFS, Server for NFS, and Gateway for NFS should be able to use just one set of mappings. This should allow consistent access for users while using any of the NFS products from any computer.
• Ease the administrative task of maintaining maps on all Windows computers providing NFS services or Remote Shell Service.

Central Mapping Server

Other Windows-based NFS servers or NFS gateways require local mappings to map Windows users to UNIX users and vice versa. Windows-based NFS clients require users to authenticate with NIS or PCNFS servers.

User name mapping can be deployed as a central server. It can be installed on one server and all SFU NFS components can use it.

Having a central user name mapping server is also useful to set up central policies. Users may be mapped centrally to reflect the enterprise policies. For example, if a Windows-based user is allowed read-only access to some files, you can map that user to a UNIX-based user with read-only permissions on those same files. Access from any NFS client results in the Windows user being identified as the mapped UNIX user.

With a single, central mapping server common to the enterprise, the administrative cost of mappings is considerably reduced. The traditional setup of User Name Mapping per NFS server or NFS gateway is expensive because the effort of creating and managing the mappings are replicated on each machine. Administering maps on just one central server is far less costly compared to the solution used earlier.

Mapping Between UNIX and Windows Users

Simple mapping allows the mapping of users with the same user names in the separate Windows-based and UNIX-based name spaces. When enabled, simple mapping maps users with identical user names between two name spaces. Administrators can associate a Windows domain to a UNIX NIS domain or a PCNFS server for simple mapping. Simple mapping provides an easy way to configure large number of users. Most users in the network have identical user names in both Windows-based network and UNIX-based network. Such users can be mapped using simple mapping.

Advanced mapping allows administrators to create explicit mappings between any Windows-based user name and a UNIX-based user name.

Advanced mapping provides the following features:

• It maps users that belong to domains different from Windows- or UNIX-based domains that are mapped using simple mapping. This includes users from other domains that need access to NFS resources.
• It overrides a mapping created by simple mapping by explicitly associating a Windows-based user to a user with a different user name in the UNIX name space and vice versa.
• It maps users that may not have the same user names in Windows and UNIX. Some users may have different user names due to historical or administrative reasons. These may be mapped so that they refer to the same actual user.
• It maps users that should not have access to NFS resources. These users may be mapped to unassigned users, resulting in no access.
• It maps multiple Windows-based users to a single UNIX-based user. This is used when there is a small set of UNIX-based users that represent a class of access to NFS resources.

When a User Name Mapping client sends a request to resolve a mapping by providing a Windows or UNIX user name, the mapping server uses the following algorithm:

1. If an advanced mapping is set for a user, it provides the advanced mapping. A Windows user name may be associated with only one UNIX user name, which is returned for a Windows user. On the other hand, a UNIX user may be associated with several Windows users. If a UNIX user name is associated with number of Windows user names, the one that is marked as primary is returned.
2. If a Windows user name or a UNIX user name is explicitly associated with an unmapped user, User Name Mapping returns that the user is unmapped. This is especially useful to override users who get mapped by default due to simple mapping. This is also useful for assigning an anonymous UID or GID.
3. If there is no explicit mapping created for the user, it looks for an implicit mapping where Windows and UNIX user names are the same. If it finds such a mapping, it returns it.
4. If there is no mapping—either implicit or explicit—for the user, it returns that the user is unmapped.

With this sequence, an advanced mapping overrides the simple mapping between Windows users and UNIX users.

Installing Username Mapping Server

If you select User Name Mapping Server to map and authenticate your users, you need to install it on any computer that is running Windows NT or Windows 2000 and acting as a mapping server.

Follow these steps to install User Name Mapping Server from Windows:

1. Run Services For UNIX setup.
2. Click Custom Installation.
3. Select User Name Mapping Server, and then select Run It From My Computer.

Administration Mechanisms

User Name Mapping provides both a command-line- and a MMC-based graphical user interface (GUI) tool for managing the User Name Mapping Server as well as the mappings themselves. These two tools provide the following functions:

• Start and stop the User Name Mapping Server.
• Create, delete, and modify mappings, for both simple and advanced mappings.
• Set the refresh interval to refresh simple mappings periodically. Download UNIX and Windows user names from Windows domain controller and NIS master server and update simple mappings.
• Map multiple Windows users to a single UNIX user. Set and mark a primary mapping for one-to-one Windows and UNIX user mapping.
• List and view User Name Mappings; list only the advanced user mappings, or list simple User Name Mappings.
• Restore and back up user mappings.

In addition, Administrative Tools allow you to administer local or remote User Name Mappings.

Lesson Summary

The User Name Mapping Service, a component of SFU, provides the functionality of mapping Microsoft Windows-based network user names to UNIX-based network user names and vice versa. This is a means to associate user names in two networks for users who have different identities in Windows-based and UNIX-based domains.