Operating System

User Name Mapping Service
White Paper

Abstract

The User Name Mapping service is a component of Microsoft® Windows® 2000 Services for UNIX. It is used by the Services for UNIX NFS components (Server for NFS, Client for NFS, and Gateway for NFS), and by Remote Shell Service (rshsvc), to map UNIX-based network user names to Windows-based network user names and vice versa. This white paper describes the architecture, requirements, and features of the User Name Mapping service.

© 2000 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Microsoft, Active Directory, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
0300

Contents

Introduction
Overview of User Name Mapping
  User Name Issues in Mixed Network Environments
  Objectives of User Name Mapping
Architecture of User Name Mapping
  Benefits of User Name Mapping
Requirements for User Name Mapping
  Introduction to NFS (UNIX) and Windows Authentication
Features of User Name Mapping
  Central Mapping Server
  Mapping Between UNIX and Windows Users
  Supports Both NIS and PCNFS
  Auto-Refresh of UNIX and Windows User Names
  Mapping Multiple Windows Users to One UNIX User
  Squashing
  Group Mappings
  Administration Mechanisms
NFS Components and User Name Mapping
  Server for NFS and User Name Mapping
  Client for NFS and User Name Mapping
  Gateway for NFS and User Name Mapping
Summary
  For More Information

Introduction

As Microsoft Windows NT® and Windows 2000 have added features, reliability, availability, and scalability, many businesses have integrated Windows-based computers into their traditional UNIX-based enterprise networks. Such heterogeneous networks are now commonplace in enterprises.

The Windows and UNIX operating systems use different mechanisms for user identification, authentication, and resource access control. In a heterogeneous network, users have separate accounts in the UNIX and Windows networks. Because Windows and UNIX user identifiers and user names are stored and used differently, there is no association between the two sets of accounts even though the people behind them are the same.

The User Name Mapping service, a component of Services for UNIX, maps Windows-based network user names to UNIX-based network user names and vice versa. It associates the user names in the two networks for users who have different identities in Windows-based and UNIX-based domains. All Services for UNIX Network File System (NFS) components, namely Server for NFS, Client for NFS, and Gateway for NFS, use User Name Mapping for NFS authentication and access.
In an enterprise, all Services for UNIX NFS component installations can use one central User Name Mapping server to obtain consistent identification and authentication across the network. User Name Mapping makes it easy to administer access to NFS resources between UNIX-based and Windows-based networks. Similarly, Remote Shell Service, included with Services for UNIX, uses User Name Mapping to map the UNIX user name carried in an rsh request to a Windows user name, and executes the request in that user's context.

This paper describes the goals, architecture, and functionality of User Name Mapping.

Server for NIS – migration and management of NIS 1

Overview of User Name Mapping

User Name Issues in Mixed Network Environments

Cross-domain file sharing such as NFS has to cope with separate name spaces that use different user names or identities and different authentication mechanisms. This applies to Client for NFS, Server for NFS, and Gateway for NFS alike.

User Identification in NFS

By default, the NFS protocol uses UNIX user identification for access control [1]. Consequently, a Windows-based NFS server has to identify the requesting user from the NFS request based solely on the standard NFS identification the request carries: a user identifier (UID) and a group identifier (GID). Because Windows-based computers and domains do not use UIDs and GIDs for identification, a mapping is needed from the UIDs and GIDs contained in NFS requests to Windows user names. In the other direction, a Windows-based NFS client must map the requesting Windows user's name to a UID/GID before sending an NFS request, and an NFS gateway must translate Windows user names to UNIX UIDs and GIDs when it forwards file system requests to NFS servers.

Note: User Name Mapping is not a password synchronization mechanism. It stores mappings between Windows names and UNIX UIDs or GIDs; it does not validate passwords during mapping.
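To make concrete what "UID and GID contained in the NFS request" means, and why a standard NFS server has to trust them (footnote 1 below), here is an added example that is not part of the white paper or of Services for UNIX. It encodes and decodes the AUTH_SYS (also called AUTH_UNIX) credential that rides in the RPC header of every standard NFS call, following the XDR layout in the ONC RPC specification (RFC 5531): a stamp, the client machine name, a UID, a GID, and up to 16 supplementary GIDs, wrapped in an opaque_auth structure with flavor 1. The machine name, addresses, and the permitted-client set are constructed; the UIDs 1090 and 1223 are the ones from table 1 of this paper.

```python
import struct

AUTH_SYS = 1        # flavor number of AUTH_UNIX / AUTH_SYS in the RPC header
MAX_GIDS = 16       # XDR bound on the supplementary group list
MAX_BODY = 400      # XDR bound on the opaque credential body


def _xdr_string(b):
    """XDR variable-length opaque/string: 4-byte length, data, NUL pad to a multiple of 4."""
    return struct.pack(">I", len(b)) + b + b"\0" * ((-len(b)) % 4)


def encode_auth_sys(stamp, machinename, uid, gid, gids=()):
    """Build opaque_auth {flavor=AUTH_SYS, body} exactly as an NFS client would.
    Negative ids (the paper's anonymous -2/-1) wrap to their uint32 wire form."""
    gids = list(gids)
    if len(gids) > MAX_GIDS:
        raise ValueError("at most %d supplementary gids" % MAX_GIDS)
    body = struct.pack(">I", stamp & 0xFFFFFFFF)
    body += _xdr_string(machinename.encode("ascii"))
    body += struct.pack(">II", uid & 0xFFFFFFFF, gid & 0xFFFFFFFF)
    body += struct.pack(">I", len(gids))
    body += b"".join(struct.pack(">I", g & 0xFFFFFFFF) for g in gids)
    if len(body) > MAX_BODY:
        raise ValueError("credential body exceeds %d bytes" % MAX_BODY)
    return struct.pack(">I", AUTH_SYS) + _xdr_string(body)


def decode_auth_sys(cred):
    """Parse the credential as the server sees it and return its fields.
    Nothing here can verify that uid/gid are genuine: they are whatever the client wrote."""
    flavor, blen = struct.unpack_from(">II", cred, 0)
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential (flavor %d)" % flavor)
    if blen > MAX_BODY or 8 + blen > len(cred):
        raise ValueError("bad credential length")
    body = cred[8:8 + blen]
    stamp, nlen = struct.unpack_from(">II", body, 0)
    if 8 + nlen > blen:
        raise ValueError("bad machinename length")
    name = body[8:8 + nlen].decode("ascii")
    off = 8 + nlen + ((-nlen) % 4)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    if ngids > MAX_GIDS or off + 4 * ngids > len(body):
        raise ValueError("bad gids length")
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid, "gids": gids}


def accept_request(client_addr, cred, allowed_clients):
    """Server-side gate modelled on footnote 1: the only check a standard NFS server
    has is whether the sending host is on its permitted list; the UID/GID in the
    credential are then taken on trust.  Returns (uid, gid) the server will act as."""
    if client_addr not in allowed_clients:
        raise PermissionError("host %s is not permitted to use this export" % client_addr)
    fields = decode_auth_sys(cred)
    return fields["uid"], fields["gid"]


if __name__ == "__main__":
    cred = encode_auth_sys(0x3B9ACA00, "wsclient", 1090, 201, [201, 100])  # constructed
    print(decode_auth_sys(cred))
    print(accept_request("10.0.0.5", cred, {"10.0.0.5"}))
```

The point the decoder makes is the one the paper relies on: a Windows-based NFS server receives a bare UID/GID, so the mapping it applies (and the list of hosts it accepts requests from) is all that stands between the asserted identity and the file system. The same encoder, given 1223 instead of 1090, produces an equally valid credential for a different user.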
Administrative problem

The approach taken by many administrators of mixed networks is to create a mapping on each computer that provides NFS services and therefore needs cross-platform identification. Maintaining these mappings on every such computer or server is error-prone and time-consuming: they must be kept correct in the face of routine account additions, deletions, and changes such as password changes. With multiple servers in the network, the task is daunting.

Consistency across the network

Administrators have to create user name mappings on every computer running an NFS server or gateway in their heterogeneous network. Windows-based NFS clients also need a way to map Windows user names to UID/GID, so they need the mapping as well. These mappings must be kept synchronized in order to provide consistent identification for all clients and servers, which is difficult when different administrators are responsible for different computers.

[1] In standard NFS, remote UNIX NFS servers do not authenticate users. They rely on the authentication performed by the requesting client computer.

If the mappings are not kept synchronized on all computers in the domain, access to files on some NFS servers, or from some Windows-based NFS clients, may be incorrect. For example, if two Windows computers running NFS client software have different mappings, the same user requesting NFS resources from the two computers will send different UID/GIDs in the NFS requests. If two Windows-based NFS servers have different mappings, they may resolve requests carrying the same UID/GID in the context of different Windows users. Similarly, users get different permissions to files when the files are accessed through different NFS gateways.
Multiple authentications

Once logged on, Windows users accessing Windows resources, and UNIX users accessing UNIX resources, are identified and authorized transparently; they authenticate only once for local or remote resource access. Access to UNIX network resources by Windows users, or vice versa, is not transparent: users have to authenticate again on the computer or network from which they are accessing the resource. Network users, however, want transparent authentication and a single logon. For example, Windows users accessing NFS files on UNIX networks have to authenticate again, using their UNIX user name and password, even though they have already authenticated with their Windows domain credentials. Traditional Windows-based NFS clients ask users to authenticate to the UNIX NFS network before accessing UNIX resources; without that, a user who is authenticated with Windows is still denied access to the NFS servers in the network.

Objectives of User Name Mapping

Microsoft designed User Name Mapping to overcome the difficulties described above. In particular, the objectives are the following:

- Provide Windows users access to their UNIX-based NFS resources with single sign-on. Users do not have to remember two sets of user names and passwords, or sign on separately to the two operating systems.
- Share a single set of user name mappings across the network. Multiple instances of Client for NFS, Server for NFS, and Gateway for NFS should be able to use just one set of mappings, giving users consistent access from any computer with any of the NFS products.
- Ease the administrative task of maintaining maps on all Windows computers providing NFS services or Remote Shell Service.
Architecture of User Name Mapping

User Name Mapping creates mappings between Windows and UNIX user names. These mappings are maintained as a table, as shown in table 1.

Table 1. User name mappings between Windows and UNIX user names.

Windows user name   Windows domain   UNIX user name   UNIX domain   UID/GID
JohnDoe             Indwindows       Johnd            Indunix       1090/201
Maryjane            Indwindows       Maryj            Indunix       1223/201

Figure 1, below, depicts how User Name Mapping is used in the network. All Services for UNIX components can be configured to use a specified User Name Mapping server. Once configured, computers running NFS components get their mappings from that server.

- Client for NFS uses User Name Mapping to map an authenticated Windows-based network user to the corresponding UNIX-based network user, and obtains the UID and GID to place in NFS requests to the NFS server.
- Server for NFS uses User Name Mapping to map the UNIX UID in an NFS request to the corresponding Windows user, and determines access permissions using the mapped Windows user's identity and credentials.
- Gateway for NFS maps the Windows credentials of each gateway request to the corresponding UNIX UID and GID before forwarding the request to the NFS server.

User Name Mapping takes Windows user names from a Windows-based domain and UNIX user names from either Network Information Service (NIS) or Personal Computer NFS (PCNFS) servers [2]. It allows administrators to create mappings between Windows user names and UNIX user names, and serves those mappings to requesting computers.

Benefits of User Name Mapping

The following sections describe the features and benefits of User Name Mapping for mixed Windows-based and UNIX-based network environments.

Central mapping server

User Name Mapping can be deployed on a single node in the organization, and all Client for NFS, Gateway for NFS, and Server for NFS computers can use that server for mapping.
For Windows-based NFS users using Client for NFS or Gateway for NFS, access from any Windows-based computer can be provided with a single authentication. Access from every machine sends the same UNIX identification (UID and GID) to NFS servers, resulting in consistent access.

[2] In Services for UNIX v. 2.0, User Name Mapping supports only Windows-based PCNFS servers.

A central mapping server reduces the cost of administering a heterogeneous network. All Windows-based NFS servers share one consistent mapping, so every UNIX NFS user gets identical file access on all of them.

Little disruption to the UNIX network

User Name Mapping can obtain UNIX user names from a UNIX NIS server or from an NIS+ server running in yp-compatible mode. It can also obtain UNIX user names from Services for UNIX PCNFS servers. Introducing User Name Mapping and other Windows-based NFS components into the network therefore causes minimal disruption, and need not change the existing UNIX authentication.

Allows simple and advanced mapping

User Name Mapping can easily map users whose user names are the same in the Windows-based and UNIX-based networks. With simple mapping, users with identical user names in the UNIX and Windows networks are mapped automatically, with no administrator intervention. Users with different user names can also be mapped, using the Advanced options of User Name Mapping. Mappings can be created without changing existing user names in either the UNIX-based or the Windows-based domain. Simple mapping makes creating default mappings for users with identical names in the two domains a very easy task; advanced mapping lets a user who has different names in the two networks have those names mapped to each other, giving consistent and correct file access.
Supports multiple Windows-based and NIS-based domains

User Name Mapping can establish advanced mappings between a user name from any NIS domain and a user name from any Windows-based domain, so one mapping server can be shared by multiple domains. User Name Mapping maps users irrespective of the domains in which their accounts were created: if NFS file sharing allows users from different domains to access files, they can all be mapped on the same mapping server. This is particularly useful for roaming users.

Maps users and groups

The User Name Mapping service can map group names as well as user names between the two name spaces. This allows Windows-based NFS file servers to provide the same semantics as UNIX NFS servers: with group mappings, access to UNIX NFS resources through the group permission bits on a file is honored for Windows-based users.

Refreshes NIS, PCNFS, and Windows user names periodically

User Name Mapping periodically refreshes Windows-based and UNIX-based user names from Windows-based domain controllers and from NIS servers or PCNFS servers, respectively. Whenever a user is added to or deleted from a UNIX or Windows domain, a mapping can be added or deleted in User Name Mapping automatically. If a user is added to both the Windows domain and the UNIX NIS domain with identical user names, simple mapping creates a mapping between the two user names automatically; if the user is deleted from one of the two domains, the mapping is deleted automatically. The key advantage is that an addition, deletion, or change to users in the UNIX and Windows name spaces does not require administrative intervention: adding or removing a user account automatically enables or disables that user's NFS access.
Provides command line, graphical, and remote administration capability

User name maps can be created, maintained, and managed using either a graphical user interface (GUI) or command line utilities. Both are capable of administering remote mapping servers, which simplifies administration of user name mappings: maps can be added, deleted, and changed, and problems diagnosed, on local as well as remote mapping servers.

Supports backup and restoration of mappings

User Name Mapping can save already-created mappings to a file, or load them from a file to populate a mapping server. This is particularly useful for backing up the mappings to cope with failures of User Name Mapping servers.

Allows mapping of multiple Windows users to one UNIX user

User Name Mapping can map multiple Windows user names to a single UNIX user name. This is useful when there is no one-to-one correspondence between UNIX and Windows users: many Windows users can be mapped onto a few UNIX users, for example when access to a UNIX-based file server has to be granted according to different classes of access privilege. This reduces the administrative work of creating and managing rights and permissions.

Security

User Name Mapping ensures that only members of the Administrators group can perform administrative tasks. A rogue user therefore cannot set arbitrary mappings on the User Name Mapping server and thereby obtain unauthorized access to NFS resources. Note that this protects the mapping table itself; as footnote 1 explains, a standard NFS request still carries a UID/GID asserted by the client computer, so Server for NFS also depends on its list of permitted client computers.

Authenticates UNIX user names and passwords

User Name Mapping can authenticate a UNIX user name and password using the UNIX password encryption algorithm and return the corresponding UNIX identification. It uses the UNIX user name and password information from NIS or PCNFS files to authenticate the user. This is useful where a Windows user requires access to UNIX resources using a UNIX account to which the user is not mapped.
Requirements for User Name Mapping

Introduction to NFS (UNIX) and Windows Authentication

In standard NFS implementations [3], no authentication is performed to gain access to NFS resources. The NFS file server depends on the authentication performed by the client computer, and uses the standard UNIX identification mechanism (UID and GID) to identify the user. Access control is determined by the native file system, which on UNIX means the file's permission bits. In addition, the NFS server restricts read or write access using a list of client computers and the access permitted to each.

In contrast, Windows users who access remote Windows shares are identified by their security identifier (SID) rather than by a UID. Each computer authenticates the user; once the user is authenticated, the user's SID determines the access the user gets to resources.

Different Identification and Authentication Schemes

When a user logs on to a Windows-based computer, the user is identified by a Windows security identifier (SID). To access NFS resources, the user needs to acquire a UNIX identification consisting of a UID and a GID, which requires authenticating with the UNIX-based network using either a PCNFS server or an NIS server. The same problem exists in the reverse direction: when a user logs on to a UNIX-based computer, the user is assigned only a UID and GID, and needs a way to obtain the SID that identifies that user to Windows-based computers when accessing files on a Windows computer.

User Name Mapping addresses the problem of identification for Windows users in a UNIX-based network and for UNIX users in a Windows-based network. It also authenticates Windows users accessing NFS resources in the UNIX-based network using a UNIX user name and password.
User Name Mapping not only maps the Windows user to the UNIX user but also provides the UID and GID, relying on Windows authentication and the maps. In the other direction, it only maps the UNIX UID and GID to a Windows-based user; it cannot provide a Windows SID [4].

[3] In the case of secure NFS or Kerberos-based NFS, authentication is explicit.

[4] Server for NFS uses the User Name Mapping server for UID- and GID-to-Windows-user-name mapping. It obtains a SID for file access control by using a separate component called Server for NFS Authentication, which is installed as a Windows sub-authentication package.

Features of User Name Mapping

Central Mapping Server

Other Windows-based NFS servers and NFS gateways require local mappings to map Windows users to UNIX users and vice versa, and other Windows-based NFS clients require users to authenticate with NIS or PCNFS servers. In contrast, User Name Mapping can be deployed as a central server: it is installed on one server and all Services for UNIX NFS components can use it.

A central User Name Mapping server is also useful for setting central policies. Users can be mapped centrally to reflect enterprise policy. For example, if a Windows-based user is allowed only read-only access to some files, you can map that user to a UNIX-based user who has read-only permission on those same files; access from any NFS client then identifies the Windows user as the mapped UNIX user.

With a single, central mapping server common to the enterprise, the administrative cost of mappings is reduced considerably. The traditional setup of a user name mapping per NFS server or NFS gateway is expensive because the effort of creating and managing the mappings is replicated on each machine; administering maps on one central server is far less costly.
Mapping Between UNIX and Windows Users

Simple mapping maps users that have the same user name in the separate Windows-based and UNIX-based name spaces. When enabled, simple mapping automatically maps users with identical user names between the two name spaces. Administrators associate a Windows domain with a UNIX NIS domain or a PCNFS server for simple mapping.

Figure 1. Mapping user names in a UNIX NIS domain and a Windows domain with simple mapping.

Simple mapping provides an easy way to configure a large number of users. Most users in a network have identical user names in the Windows-based and UNIX-based networks, and such users can be mapped with simple mapping.

Advanced mapping allows administrators to create explicit mappings between any Windows-based user name and any UNIX-based user name. Advanced mapping provides the following features:

- It maps users that belong to domains other than the Windows-based and UNIX-based domains that are paired for simple mapping, including users from other domains that need access to NFS resources. In figure 2, UNIX users from the NIS domain maths are mapped in addition to the NIS domain ind-unix-dev that is used for simple mapping.
- It overrides a mapping created by simple mapping by explicitly associating a Windows-based user with a user of a different name in the UNIX name space (and vice versa). Figure 2 shows user yench explicitly associated with UNIX user tdshy, overriding the simple mapping that would associate yench in the Windows-based domain with yench in the UNIX-based domain.
- It maps users that do not have the same user name in Windows and UNIX. Some users have different user names for historical or administrative reasons; these can be mapped so that both names refer to the same actual user. In the following example, a user has two separate user names in the Windows-based and UNIX-based domains, john and johnaz.
With advanced mapping, such user names can be mapped to each other.
- It maps users that should not have access to NFS resources. These users are mapped to the unassigned (unmapped) user, resulting in no access. This is shown for users i-malrao and sjahn, which are explicitly left unassigned.
- It maps multiple Windows-based users to a single UNIX-based user. This is used when a small set of UNIX-based users represents classes of access to NFS resources. In figure 2, both Windows users john and peterj are mapped to the same UNIX user johnaz. One of these users is marked as the primary mapping, which means that mapping UNIX user johnaz back to a Windows user yields john (not peterj).

Figure 2. Advanced mappings (the examples described above).

When a User Name Mapping client sends a request to resolve a mapping by providing a Windows or UNIX user name, the mapping server uses the following algorithm:

1. If an advanced mapping is set for the user, it returns the advanced mapping. A Windows user name may be associated with only one UNIX user name, which is returned for that Windows user. A UNIX user, on the other hand, may be associated with several Windows users; if a UNIX user name is associated with a number of Windows user names, the one marked as primary is returned.
2. If a Windows user name or a UNIX user name is explicitly associated with the unmapped user, User Name Mapping returns that the user is unmapped. This is especially useful to override users who would otherwise be mapped by default through simple mapping, and for assigning an anonymous UID or GID.
3. If there is no explicit mapping for the user, it looks for an implicit mapping in which the Windows and UNIX user names are the same. If it finds one, it returns it.
4. If there is no mapping for the user, either implicit or explicit, it returns that the user is unmapped.
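The four resolution steps above, together with the primary-mapping rule for many-to-one mappings and the anonymous identity (UID -2, GID -1) that the Squashing section below describes for unmapped users, can be exercised on a small mapping table. The following is an added example written for this page; it is not code from User Name Mapping itself. The passwd lines, the Windows domain vivekntest, and all UIDs except 137 are constructed; the user names follow figure 2. One behaviour is an assumption and is marked as such in the code: a Windows user that has an advanced mapping is not also returned as the implicit reverse mapping of the same-named UNIX user.

```python
from dataclasses import dataclass, field

# Anonymous identity handed out for unmapped users (the -2/-1 of the Squashing section).
ANON_UID, ANON_GID = -2, -1


def parse_passwd(text):
    """passwd-format lines (NIS map or PCNFS passwd file) -> {name: (uid, gid)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed passwd entry: %r" % line)
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


@dataclass
class MappingServer:
    windows_users: set            # "DOMAIN\\name", as refreshed from the domain controller
    unix_users: dict              # "nisdomain:name" -> (uid, gid), as refreshed from NIS/PCNFS
    simple_domains: dict          # Windows domain -> NIS domain paired for simple mapping
    advanced: dict = field(default_factory=dict)      # Windows name -> UNIX key; None = explicitly unmapped
    unmapped_unix: set = field(default_factory=set)   # UNIX keys explicitly mapped to the unmapped Windows user
    primary: dict = field(default_factory=dict)       # UNIX key -> the single Windows name returned for it

    def add_advanced(self, win, unix, primary=False):
        """Explicit mapping; unix=None squashes the Windows user."""
        self.advanced[win] = unix
        if unix is not None and (primary or unix not in self.primary):
            self.primary[unix] = win  # first mapping, or the flagged one, is primary

    def resolve_windows(self, win):
        """Steps 1-4 for a Windows name -> UNIX key, or None when unmapped."""
        if win in self.advanced:                # steps 1-2: advanced mapping, or explicit unmapped
            return self.advanced[win]
        dom, _, name = win.partition("\\")
        key = "%s:%s" % (self.simple_domains.get(dom), name)
        if win in self.windows_users and key in self.unix_users:
            return key                          # step 3: same name in the paired domains
        return None                             # step 4

    def credentials_for(self, win):
        """UID/GID that Client for NFS places in the NFS request for this user."""
        key = self.resolve_windows(win)
        return self.unix_users[key] if key else (ANON_UID, ANON_GID)

    def resolve_unix(self, key):
        """Steps 1-4 for a UNIX user -> Windows name, or None when unmapped."""
        if key in self.primary:                 # step 1: primary wins when several map here
            return self.primary[key]
        if key in self.unmapped_unix:           # step 2
            return None
        nis, _, name = key.partition(":")
        for dom, paired in self.simple_domains.items():   # step 3
            win = "%s\\%s" % (dom, name)
            # Assumption: a Windows user that already has an advanced mapping does not also
            # get the implicit reverse mapping (the advanced mapping overrides the simple one).
            if paired == nis and win in self.windows_users and win not in self.advanced:
                return win
        return None                             # step 4

    def resolve_uid(self, uid):
        """What Server for NFS does with the UID carried in an incoming request."""
        for key, (u, _) in self.unix_users.items():
            win = self.resolve_unix(key) if u == uid else None
            if win:
                return win
        return None


# Constructed sample data using the names of figure 2; UIDs other than 137 are made up.
NIS_IND_UNIX_DEV = """
yench:x:1001:200:Y Ench:/home/yench:/bin/sh
tdshy:x:1002:200:T Dshy:/home/tdshy:/bin/sh
johnaz:x:137:200:John:/home/johnaz:/bin/sh
maryj:x:1223:201:Mary J:/home/maryj:/bin/sh
sjahn:x:1003:200:S Jahn:/home/sjahn:/bin/sh
"""
NIS_MATHS = "ghosh:x:2001:300:Ghosh:/home/ghosh:/bin/sh\n"


def build_example():
    unix = {"ind-unix-dev:" + n: v for n, v in parse_passwd(NIS_IND_UNIX_DEV).items()}
    unix.update({"maths:" + n: v for n, v in parse_passwd(NIS_MATHS).items()})
    wins = {"vivekntest\\" + n for n in
            ("yench", "john", "peterj", "maryj", "sjahn", "i-malrao", "ghosh")}
    srv = MappingServer(wins, unix, {"vivekntest": "ind-unix-dev"})
    srv.add_advanced("vivekntest\\yench", "ind-unix-dev:tdshy")            # overrides same-name mapping
    srv.add_advanced("vivekntest\\john", "ind-unix-dev:johnaz", primary=True)
    srv.add_advanced("vivekntest\\peterj", "ind-unix-dev:johnaz")         # many Windows users -> one UNIX user
    srv.add_advanced("vivekntest\\ghosh", "maths:ghosh")                  # user from another NIS domain
    srv.add_advanced("vivekntest\\i-malrao", None)                        # explicitly unmapped
    srv.add_advanced("vivekntest\\sjahn", None)
    return srv


if __name__ == "__main__":
    s = build_example()
    for w in ("vivekntest\\john", "vivekntest\\peterj", "vivekntest\\sjahn"):
        print(w, "->", s.credentials_for(w))
    print("UID 137 ->", s.resolve_uid(137))
```

Running it shows both john and peterj being issued UID 137/GID 200, UID 137 resolving back to vivekntest\john only, and sjahn receiving the anonymous -2/-1 despite having the same name in both domains.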
With this resolution order, an advanced mapping overrides the simple mapping between Windows users and UNIX users.

Supports Both NIS and PCNFS

User Name Mapping can obtain UNIX user names from both NIS and PCNFS [5]. If the UNIX-based network uses NIS, the existing infrastructure can remain unchanged when User Name Mapping is introduced, and the UNIX-based network continues to operate as before.

Auto-Refresh of UNIX and Windows User Names

User Name Mapping periodically refreshes Windows and UNIX user names from a domain controller and from an NIS server or a PCNFS server, respectively. Any changes to the name spaces, such as the addition or deletion of users, are reflected in the mappings automatically. Figure 1 shows a refresh interval of 24 hours: all user names and the resulting maps are updated every 24 hours, so any user added to the organization has a mapping, and the appropriate NFS access, within 24 hours. Administrators can change this interval to suit their requirements. The same latency applies to deletions: a user removed from one domain keeps a simple mapping until the next refresh, so where prompt revocation matters, shorten the interval or refresh the user names manually with the administration tools.

Mapping Multiple Windows Users to One UNIX User

The mapping server allows multiple Windows users to be mapped to one UNIX user, and to receive the access privileges of the UNIX user to whom they are mapped: NFS requests from any of these Windows users are sent with the UID and GID of that UNIX user. This is useful when there are fewer user accounts in UNIX, perhaps representing different classes of database access, and administrators want to associate a number of Windows users with those UNIX users.

[5] In this version, User Name Mapping supports only Windows-based PCNFS servers. The PCNFS files, namely passwd and group, must be accessible to User Name Mapping.
For example, in figure 2 both john and peterj are associated with UNIX user johnaz. NFS requests from a Client for NFS on behalf of either john or peterj carry UID 137. Conversely, NFS requests with UID 137 arriving at Server for NFS are resolved in the context of vivekntest\john, the primary mapping of johnaz.

Squashing

User Name Mapping supports mapping users to unmapped users, whether a UNIX user is mapped to the Windows unmapped user or a Windows user to the UNIX unmapped user. For a Windows user who is mapped to the unmapped user, an authentication request results in an anonymous UID and GID, typically -2 and -1 respectively, being used on behalf of the user in NFS requests. Similarly, any file created by such a Windows user on Server for NFS is reported as owned by a user with UID -2 and GID -1. Conversely, for a UNIX user who is mapped to the Windows unmapped user, any files created by that user are owned by the Windows Anonymous user, and NFS requests from that user are resolved in the context of the Windows Anonymous user; typically, only files that grant access to Everyone are accessible to such a UNIX user via NFS.

This feature is useful to override a mapping created inadvertently by simple mapping, avoiding the association of different people who happen to have identical user names in the Windows and UNIX networks. Mapping a user to the unmapped user is also useful to ensure that some users are given only anonymous NFS access privileges.

Group Mappings

In addition to user name mappings, User Name Mapping also maps Windows-based group names to UNIX-based group names (and vice versa). When mapping a Windows user to a UNIX user, the GID of the mapped UNIX user is provided in the NFS request, giving the Windows user the appropriate access according to the group permission bits on the UNIX files.
When mapping a UNIX user to a Windows user for Server for NFS, User Name Mapping maps the GID to a Windows group using the group mappings. Access to a file on a Windows-based NFS server is thus determined by the Windows user name and by the ACLs for the mapped Windows group.

Administration Mechanisms

User Name Mapping provides both a command line tool and a Microsoft Management Console (MMC)-based GUI tool for managing the User Name Mapping server and the mappings themselves. The two tools provide the following functions:

- Start and stop the User Name Mapping server.
- Create, delete, and modify mappings, both simple and advanced.
- Set the interval at which simple mappings are refreshed.
- Download UNIX and Windows user names from the Windows domain controller and the NIS master server, and update the simple mappings.
- Map multiple Windows users to a single UNIX user.
- Mark one of several Windows-to-UNIX user mappings as the primary mapping.
- List and view user name mappings: all mappings, only the advanced mappings, or only the simple mappings.
- Back up and restore user mappings.

In addition, the administrative tools allow you to administer local or remote User Name Mapping servers.

NFS Components and User Name Mapping

Server for NFS and User Name Mapping

Server for NFS uses User Name Mapping to map the UNIX UIDs included in NFS requests to Windows user names. The Windows user name identifies the user making the file system request. Server for NFS then uses the Server for NFS Authentication component [6] to authenticate to Windows and gain file access. Figure 3 shows the sequence of events when Server for NFS fulfills an NFS request from a UNIX-based NFS client.

[Figure 3 shows the User Name Mapping server, Server for NFS, and the domain controller on the Windows-based network, and the NFS client on the UNIX network, with the numbered steps below.]

Figure 3. Flow of events

1.
Server for NFS periodically downloads [7] the user name mappings from the User Name Mapping server and stores them locally.
2. Server for NFS receives an NFS request with the UID/GID embedded in it.
3. Server for NFS maps the UID/GID to the corresponding Windows-based user name using the mapping data provided by the User Name Mapping server.
4. Server for NFS authenticates the Windows-based user using the Server for NFS Authentication package, which typically runs on the domain controller of that domain. If the mapped user is a local account, it uses the Server for NFS Authentication package installed locally.
5. Server for NFS accesses the files by impersonating the mapped Windows user, using that user's credentials, and returns the data to the requesting NFS client.
6. Server for NFS periodically downloads the entire set of maps in order to translate ACLs into UNIX UIDs/GIDs to return to NFS clients. This is necessary for NFS calls that must return file attributes, such as GETATTR.

[6] This component is installed as a Windows sub-authentication package.

[7] Maps are downloaded only if they have changed since the last download.

Client for NFS and User Name Mapping

Client for NFS allows access to NFS resources using either the Windows credentials of the user or UNIX credentials.

[Figure 4 shows the User Name Mapping server and Client for NFS on the Windows-based network and the NFS server on the UNIX network, with the mount and NFS request steps below.]

Figure 4. Flow of events

1. The user asks Client for NFS to map an NFS share or to access an NFS share, providing the credentials used in the Windows network.
2. If the request is on behalf of the current Windows user, Client for NFS sends the Windows credentials to the User Name Mapping server, which maps them to the UNIX user name and returns the UID/GID.
If the request is on behalf of another user, Client for NFS first authenticates that user using the usual Windows authentication mechanism and then provides the resulting credentials to User Name Mapping.
3. Client for NFS stores the returned UID/GID and mounts the NFS share.
4. For subsequent NFS calls on the same share, Client for NFS sends the requests to the NFS server using the previously returned UID/GID.
5. The NFS server returns the data for the requesting UID/GID.

This is the flow for access to NFS resources from a Windows-based user interface such as Microsoft Internet Explorer, through the net command, or through the mount command.

When NFS resources are accessed with UNIX credentials, the flow of events differs slightly:

1. The user requests Client for NFS to map an NFS share or to access an NFS share.
2. Client for NFS sends the UNIX user name and the encrypted UNIX password to the User Name Mapping server.
3. User Name Mapping authenticates the UNIX user name and password against the data from either PCNFS or NIS and returns the UID/GID to the NFS client.
4. Client for NFS stores the returned UID/GID and mounts the NFS share.
5. For subsequent NFS calls on the same share, Client for NFS sends the requests to the NFS server using the previously returned UID/GID.

Access to NFS resources with UNIX credentials is requested through the mount command. The user mounts the NFS share with a command such as "mount * \\server\share -u:user -p:passwd", where user is a UNIX user name and passwd is that user's UNIX password. A password supplied this way forms part of the command line and can be read by anyone able to inspect that process's command line on the machine.

Gateway for NFS and User Name Mapping

The interaction between Gateway for NFS and User Name Mapping is very similar to the interaction between Client for NFS and User Name Mapping. Requests from Windows 95-, Windows 98-, Windows NT-, or Windows 2000-based clients that have no NFS client of their own are handled by Gateway for NFS.

Flow of events

1. Gateway for NFS mounts the UNIX shares using the root account and exports the mapped drives as Windows shares.
2. The user requests Gateway for NFS to access an NFS share that Gateway for NFS has mapped. The Windows-based request is sent using Windows credentials.
3. Gateway for NFS sends the Windows credentials to the User Name Mapping server, which maps them to the UNIX user name and returns the UID/GID.
4. Gateway for NFS stores the returned UID/GID, associating it with the gateway request.
5. For subsequent NFS calls on the same share, Gateway for NFS sends the requests to the NFS server using the previously returned UID/GID.

Because the gateway itself mounts the shares as root, per-user access control on the UNIX side rests entirely on the UID/GID that the mapping returns for each request.

Summary

The User Name Mapping service, a component of Services for UNIX, provides the functionality of mapping Microsoft® Windows®-based network user names to UNIX-based network user names and vice versa. This is a means to associate user names in two networks for users who have different identities in Windows-based and UNIX-based domains. This white paper described these benefits of the User Name Mapping service:

- The service can be deployed on a single node in the organization, and all Client for NFS, Gateway for NFS, and Server for NFS computers can use that server for mapping. A central mapping server reduces the cost of administering a heterogeneous network.
- The service can obtain UNIX user names from a UNIX NIS server or from an NIS+ server running in yp-compatible mode. It can also obtain UNIX user names from Services for UNIX PCNFS servers. Introducing User Name Mapping and the other Windows-based NFS components into the network therefore causes minimal disruption.
- It allows simple and advanced mappings. With simple mappings, creating default mappings for users who have identical names in the two domains is a very easy task.
With advanced mappings, a user who has different names in the two networks can have the two names mapped to each other, giving consistent and correct file access.
- Supports multiple Windows-based and UNIX-based domains. This allows the mapping server to be shared between multiple domains; User Name Mapping can map users irrespective of the domains in which the user names were created.
- Maps users and groups. The service allows Windows-based NFS file servers to provide the same semantics as UNIX NFS servers. With group mappings, access to UNIX NFS resources through the group permission bits on a file is honored for Windows-based users.
- Refreshes NIS, PCNFS, and Windows user names periodically. The key advantage of this feature is that adding, deleting, or changing users in the UNIX and Windows name spaces does not require administrative intervention.
- Provides command-line, graphical, and remote administration, which keeps the administration of user name mappings simple.
- Supports backup and restoration of mappings.
- Allows mapping of multiple Windows users to one UNIX user. This reduces the administrative work of creating and managing rights and permissions.
- Ensures that only members of the Administrators group can perform administrative tasks.
- Authenticates a UNIX user name and password using the UNIX password encryption algorithm and returns the corresponding UNIX identification. This is useful where a Windows user requires access to UNIX resources through a UNIX account to which that user is not mapped.

For More Information

For the latest information on Windows 2000 Server, check out our Web site at http://www.microsoft.com/windows2000 and the Windows 2000/NT Forum at http://computingcentral.msn.com/topics/windowsnt.
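The lookups that the Server for NFS, Client for NFS, and Gateway for NFS flows described above depend on, as an added illustration in Python (this is not Microsoft code and does not use the mapping server's own storage format or API): a small model of a User Name Mapping table built from a constructed Windows domain account list and constructed NIS passwd and group maps. It derives simple mappings from identical account names, holds advanced mappings in which several Windows users share one UNIX user with one of them marked primary, answers the forward lookup (Windows user to UID/GID) used by Client for NFS and Gateway for NFS and the reverse lookups (UID to Windows user, GID to Windows group) used by Server for NFS, and re-derives the simple mappings on refresh while keeping the advanced ones. The account names and maps, the rule that advanced mappings take precedence over simple ones, and the representation of the primary mapping as the first list entry are assumptions made for this example.

```python
# Added illustration of User Name Mapping lookups; not Microsoft code.
# The account lists and NIS maps below are constructed for the example.
from typing import Dict, List, Optional, Tuple

WINDOWS_USERS = ["CORP\\alice", "CORP\\bob", "CORP\\bob-admin", "CORP\\svc_backup"]
WINDOWS_GROUPS = ["CORP\\users", "CORP\\Domain Admins"]
NIS_PASSWD = (
    "alice:x:1001:100:Alice:/home/alice:/bin/sh\n"
    "bob:x:1002:100:Bob:/home/bob:/bin/sh\n"
    "backup:x:2000:200:Backup:/var/backup:/bin/false\n"
)
NIS_GROUP = "users:x:100:alice,bob\nbackup:x:200:\n"

UnixId = Tuple[int, int]  # (uid, gid)


def parse_passwd(text: str) -> Dict[str, UnixId]:
    """UNIX user name -> (uid, gid) from passwd-format map lines."""
    users: Dict[str, UnixId] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text: str) -> Dict[int, str]:
    """gid -> UNIX group name from group-format map lines."""
    groups: Dict[int, str] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            groups[int(f[2])] = f[0]
    return groups


def account_name(windows_name: str) -> str:
    """Bare account name without the DOMAIN\\ prefix; simple mappings compare these."""
    return windows_name.rsplit("\\", 1)[-1]


class UserNameMapping:
    """Simple mappings are derived from the name sources. Advanced mappings are
    explicit and may map several Windows users onto one UNIX user; the first
    entry in the list is the primary mapping (assumed representation)."""

    def __init__(self, windows_users, windows_groups, passwd_text, group_text):
        self.advanced: Dict[str, List[str]] = {}  # unix user -> Windows users
        self.refresh(windows_users, windows_groups, passwd_text, group_text)

    def refresh(self, windows_users, windows_groups, passwd_text, group_text):
        """Rebuild simple user and group mappings from fresh name sources.
        Advanced mappings survive a refresh."""
        self.unix_users = parse_passwd(passwd_text)
        self.unix_groups = parse_group(group_text)
        unix_group_names = set(self.unix_groups.values())
        self.simple: Dict[str, str] = {}         # unix user -> Windows user
        for w in windows_users:
            if account_name(w) in self.unix_users:
                self.simple[account_name(w)] = w
        self.simple_groups: Dict[str, str] = {}  # unix group -> Windows group
        for g in windows_groups:
            if account_name(g) in unix_group_names:
                self.simple_groups[account_name(g)] = g

    def add_advanced(self, windows_user: str, unix_user: str, primary: bool = False):
        """Explicit mapping; marking it primary makes it the reverse-lookup answer."""
        if unix_user not in self.unix_users:
            raise KeyError("unknown UNIX user: " + unix_user)
        entries = self.advanced.setdefault(unix_user, [])
        if windows_user in entries:
            entries.remove(windows_user)
        if primary:
            entries.insert(0, windows_user)
        else:
            entries.append(windows_user)

    def windows_to_unix(self, windows_user: str) -> Optional[UnixId]:
        """Client for NFS / Gateway for NFS step: Windows credentials -> (uid, gid).
        Advanced mappings take precedence over simple ones (assumption)."""
        for unix_user, wins in self.advanced.items():
            if windows_user in wins:
                return self.unix_users[unix_user]
        for unix_user, w in self.simple.items():
            if w == windows_user:
                return self.unix_users[unix_user]
        return None

    def unix_to_windows(self, uid: int) -> Optional[str]:
        """Server for NFS step 3: UID from the NFS request -> Windows user.
        For a many-to-one advanced mapping the primary mapping is returned.
        None means unmapped; the caller applies its own squashing policy."""
        for unix_user, (u, _gid) in self.unix_users.items():
            if u == uid:
                if unix_user in self.advanced:
                    return self.advanced[unix_user][0]
                return self.simple.get(unix_user)
        return None

    def gid_to_windows_group(self, gid: int) -> Optional[str]:
        """Group mapping used when group ACL entries are evaluated for a request."""
        name = self.unix_groups.get(gid)
        return self.simple_groups.get(name) if name else None


if __name__ == "__main__":
    m = UserNameMapping(WINDOWS_USERS, WINDOWS_GROUPS, NIS_PASSWD, NIS_GROUP)
    m.add_advanced("CORP\\svc_backup", "backup", primary=True)
    m.add_advanced("CORP\\bob-admin", "backup")
    print(m.windows_to_unix("CORP\\bob-admin"), m.unix_to_windows(2000),
          m.gid_to_windows_group(100))
```

An unmapped UID comes back as None rather than as a guessed identity; what Server for NFS does with such a request is its squashing policy, which the example deliberately leaves to the caller. The refresh keeps explicit advanced mappings while rebuilding the simple ones, which is the behaviour that lets additions and deletions in either name space take effect without administrative intervention.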