Operating System
User Name Mapping Service
White Paper
Abstract
The User Name Mapping service is a component of Microsoft® Windows® 2000 Services for UNIX.
It is used by Server for NFS, Client for NFS, and Gateway for NFS, as well as by Remote Shell
Service (rshsvc), to map UNIX-based network user names to Windows-based network user names and
vice versa. This white paper describes the architecture, requirements, and features of the User
Name Mapping service.
© 2000 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current
view of Microsoft Corporation on the issues discussed as of the date
of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Microsoft, Active Directory, Windows, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Other product and company names mentioned herein may be the
trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
0300
Contents
Introduction ..... 1
Overview of User Name Mapping ..... 2
    User Name Issues in Mixed Network Environments ..... 2
    Objectives of User Name Mapping ..... 3
Architecture of User Name Mapping ..... 4
    Benefits of User Name Mapping ..... 4
Requirements for User Name Mapping ..... 8
    Introduction to NFS (UNIX) and Windows Authentication ..... 8
Features of User Name Mapping ..... 9
    Central Mapping Server ..... 9
    Mapping Between UNIX and Windows Users ..... 9
    Supports Both NIS and PCNFS ..... 12
    Auto-Refresh of UNIX and Windows User Names ..... 12
    Mapping Multiple Windows Users to One UNIX User ..... 12
    Squashing ..... 13
    Group Mappings ..... 13
    Administration Mechanisms ..... 14
NFS Components and User Name Mapping ..... 15
    Server for NFS and User Name Mapping ..... 15
    Client for NFS and User Name Mapping ..... 16
    Gateway for NFS and User Name Mapping ..... 17
Summary ..... 18
    For More Information ..... 18
Introduction
As Microsoft Windows NT® and Windows 2000 have added features, reliability, availability, and
scalability, a number of businesses have integrated Windows-based computers into their traditional
UNIX-based enterprise networks. These heterogeneous networks are becoming commonplace in enterprises.

The Windows and UNIX operating systems use different mechanisms for user identification,
authentication, and resource access control. In a heterogeneous network, users have separate
accounts in the UNIX and Windows networks. Since Windows and UNIX user identifiers and user names
are stored and used differently, there is no association between the two sets of accounts even
though the people behind them are the same.

The User Name Mapping service, a component of Services for UNIX, maps Windows-based network user
names to UNIX-based network user names and vice versa. It is a means to associate the user names
in the two networks for users who have different identities in Windows-based and UNIX-based domains.

All Services for UNIX Network File System (NFS) components (Server for NFS, Client for NFS, and
Gateway for NFS) use User Name Mapping for NFS authentication and access. In an enterprise, all
Services for UNIX NFS component installations can use one central User Name Mapping server to
obtain consistent identification and authentication across the network, which makes it easy to
administer access to NFS resources between UNIX-based and Windows-based networks. Similarly,
Remote Shell Service, included with Services for UNIX, uses User Name Mapping to map the UNIX user
name in an rsh request to a Windows user name and executes the request in that user's context.
This paper describes the goals, architecture, and functionality of User Name Mapping.
Server for NIS – migration and management of NIS
1
Overview of User Name
Mapping
User Name Issues in Mixed Network Environments
Cross-domain file sharing such as NFS has to cope with separate name spaces that use different
user names or identities and different authentication mechanisms. This applies equally to Client
for NFS, Server for NFS, and Gateway for NFS.
User Identification in NFS
By default, the NFS protocol uses UNIX user identification for access control [1].
Consequently, Windows-based NFS servers have to identify the requesting users solely from the
standard NFS identification in the request, which consists of a User Identification (UID) and a
Group Identification (GID). Since Windows-based computers and domains do not use UIDs and GIDs
for identification, a mapping is needed from the UIDs and GIDs contained in NFS requests to
Windows user names. Windows-based NFS clients need to map the requesting Windows user's name to
a UID/GID before sending an NFS request. Similarly, an NFS gateway needs to translate Windows
user names to UNIX UIDs and GIDs when forwarding file system requests to NFS servers.
Note: User Name Mapping is not a password synchronization mechanism.
User Name Mapping stores mappings between Windows names and UNIX
UIDs or GIDs, but it does not validate passwords during mapping.
Administrative problem
The approach taken by many administrators of mixed networks is to create a mapping on each
computer that provides NFS services and therefore needs cross-platform identification.
Maintaining these mappings on every such computer or server is problematic and time-consuming:
the mappings must be kept correct in the face of routine account additions, deletions, and
changes such as password changes. With multiple servers in the network, this task is daunting.
Consistency across the network
Administrators have to create user name mappings on all computers running NFS servers or
gateways in their heterogeneous network. Windows-based NFS clients likewise need a way to map
Windows user names to UID/GID and therefore also need the mapping. These mappings must be kept
in synchronization in order to provide consistent identification for all clients and servers,
which becomes difficult when different administrators manage these computers.
[1] In standard NFS, remote UNIX NFS servers do not authenticate users. They rely on the
authentication performed by the requesting client computer.
If the mappings are not kept in synchronization on all computers in the domain, access to files
on some NFS servers or from some Windows-based NFS clients may be incorrect. For example, if two
Windows computers with NFS client software have different mappings, the same user requesting NFS
resources from the two computers will cause different UID/GIDs to be included in the NFS
requests. If two Windows-based NFS servers have differing mappings, the same UID/GID may be
resolved to different Windows users on the two servers. Similarly, users will get different
permissions to files when they are accessed via different NFS gateways.
Multiple authentications
Once logged on, Windows users accessing Windows resources, or UNIX users accessing UNIX
resources, get user identification and authorization transparently; they need to authenticate
only once for local or remote resource access. Access to UNIX network resources by Windows users,
or vice versa, is not transparent, however: users have to authenticate themselves again to the
computer or network from which they are accessing the resource. Network users want transparent
authentication and a single logon.
For example, Windows users accessing NFS files on UNIX networks have to
authenticate again, using their UNIX user name and password, even though
they have previously authenticated themselves using their Windows domain
credentials.
Traditional Windows-based NFS clients have adopted the approach of asking
the users to authenticate to the UNIX NFS network prior to accessing UNIX
resources. Without that, even though a user is authenticated with Windows, the
user is still denied access to NFS servers in the network.
Objectives of User Name Mapping
Microsoft designed User Name Mapping to overcome the difficulties described
above. In particular, Microsoft's objectives are to do the following:
• Provide Windows users access to their UNIX-based NFS resources with single sign-on. Users do
  not have to remember two sets of user names and passwords, or sign on separately to the two
  operating systems.
• Share a single set of user name mappings across the network. Multiple instances of Client for
  NFS, Server for NFS, and Gateway for NFS should be able to use just one set of mappings,
  allowing consistent access for users from any of the NFS products on any computer.
• Ease the administrative task of maintaining maps on all Windows computers providing NFS
  services or Remote Shell Service.
Architecture of User
Name Mapping
User Name Mapping creates mappings between Windows and UNIX user names. These mappings are
maintained as a table, as shown in table 1.
Table 1. User name mappings between Windows and UNIX user names.

Windows user name   Windows domain   UNIX user name   UNIX domain   UID/GID
JohnDoe             Indwindows       Johnd            Indunix       1090/201
Maryjane            Indwindows       Maryj            Indunix       1223/201
Figure 1, below, depicts how User Name Mapping is used in the network. All
Services for UNIX components can be configured to use a specified User
Name Mapping server. Once configured, computers running NFS components
get their mapping from the specified server. Client for NFS uses User Name
Mapping to map an authenticated Windows-based network user to a
corresponding UNIX-based network user, and obtains the UID or GID to use in
an NFS request to NFS server. Server for NFS uses the User Name Mapping
to map a UNIX UID from an NFS request to a corresponding Windows user and
determines the access permissions using the mapped Windows users’
identification and credentials. Similarly, Gateway for NFS maps the Windows
credentials of each gateway request to a corresponding UNIX UID or GID
before forwarding it to the NFS server.
User Name Mapping uses Windows user names from a Windows-based domain and UNIX user names from
either Network Information Service (NIS) or Personal Computer NFS (PCNFS) servers [2]. It allows
administrators to create mappings between Windows user names and UNIX user names and provides
them to requesting computers.
Benefits of User Name Mapping
The following section describes the features and benefits of User Name
Mapping for mixed Windows-based and UNIX-based network environments.
Central mapping server
User Name Mapping can be deployed on a single node in the organization and
all Client for NFS, Gateway for NFS, and Server for NFS computers can access
this server for mapping.
For Windows-based NFS users using Client for NFS or Gateway for NFS,
access from any Windows-based computer can be provided using single
authentication. Access from all machines will send the same UNIX identification
(UID or GID) to NFS servers, resulting in consistent access.
[2] In Services for UNIX 2.0, User Name Mapping supports only Windows-based PCNFS servers.
A central mapping server reduces the cost of administering a heterogeneous network.
All Windows-based NFS servers have a consistent mapping resulting in
identical file access for all UNIX NFS users.
Little disruption to UNIX network
User Name Mapping can obtain UNIX user names from a UNIX NIS server or from an NIS+ server
running in yp-compatibility mode. It can also obtain UNIX user names from Services for UNIX
PCNFS servers.
This causes minimal disruption in introducing User Name Mapping and other
Windows-based NFS components into the network. Introducing User Name
Mapping need not change the existing UNIX authentication.
Allows simple and advanced mapping
User Name Mapping can easily map users whose user names are the same in the Windows-based and
UNIX-based networks. With simple mapping, users with identical user names in the UNIX and Windows
networks are mapped automatically without administrator intervention. Users with different user
names can also be mapped, using the Advanced options of User Name Mapping.
User Name Mappings may be created without making changes to the existing
user names in either UNIX-based or Windows-based domains.
With support for simple mappings, creating default mappings for those users
with identical names in two domains is a very easy task. With the support for
advanced mapping, if a user has different names in two networks, the two
names can be mapped to provide consistent and correct file access.
Supports multiple Windows-based and NIS-based domains
User Name Mapping can establish advanced mappings between user names
from any NIS domains to a user name from any Windows-based domain.
This allows the mapping server to be shared between multiple domains.
Further, User Name Mapping can map users irrespective of the domains in
which the user names were created. If NFS file sharing allows users from
different domains to access files, they may be mapped using the mapping
server. This feature is particularly useful for roaming users.
Maps users and groups
The User Name Mapping service includes the capability to map user names as
well as group names between the two name spaces.
The service allows Windows-based NFS file servers to provide the same
semantics as provided by UNIX NFS servers. With group mappings,
access to UNIX NFS resources using the group permission bits on a file is
honored for Windows-based users.
Refreshes NIS, PCNFS, and Windows user names periodically
User Name Mapping periodically refreshes Windows-based and UNIX-based user names from
Windows-based domain controllers and from NIS servers or PCNFS servers, respectively. Whenever a
user is added to or deleted from either the UNIX or the Windows domain, a mapping can be added or
deleted in User Name Mapping automatically. If a user is added to both the Windows and the UNIX
NIS domain with identical user names, simple mapping creates a mapping between these two user
names automatically. Similarly, if a user is deleted from one of the two domains, the mapping is
deleted automatically.
The key advantage of this feature is that an addition, a deletion, or a change to users in the
UNIX and Windows name spaces does not require administrative intervention. Adding or removing a
user account automatically enables or disables that user's NFS access.
Provides command line, graphical and remote administration capability
The user name maps can be created, maintained, and managed using
graphical user interface (GUI) or command line utilities. Both utilities are
capable of administering remote mapping servers.
This allows simplicity in administration of user name mappings. It allows
addition, deletion, and changes to maps as well as diagnosis of problems for
local as well remote mapping servers.
Supports backup and restoration of mappings
User Name Mapping can save already-created mappings to a file or load them
from a file and populate the mapping server.
This feature is particularly useful to back up the mappings to address failures of
User Name Mapping servers.
Allows mapping of multiple Windows users to one UNIX user
User Name Mapping has the facility to map multiple Windows user names to a
single UNIX user name.
This is useful when there is no one-to-one correspondence between UNIX and
Windows users. It allows Windows users to be mapped to a few UNIX users.
This is useful when access to a UNIX-based file server has to be provided
according to different classes of access privileges. This reduces the
administrative tasks of creating and managing rights and permissions.
Security
User Name Mapping ensures that only members of the Administrators group can perform
administrative tasks. Consequently, a rogue user cannot set arbitrary mappings on the User Name
Mapping server and thereby grant unauthorized access to NFS resources.
Note that this protects the mapping data itself. As footnote 1 explains, a standard NFS server
still accepts the UID and GID that the client places in the request, so the list of client
computers permitted to use an export remains the control over which computers may assert those
identities.
Authenticates UNIX user names and passwords
User Name Mapping can authenticate a UNIX user name and password by checking the password
against the UNIX password hash held in the NIS or PCNFS passwd data, using the UNIX
password-hashing algorithm, and then returns the UNIX identification (UID and GID). This is
useful where a Windows user requires access to UNIX resources using a UNIX account to which the
user is not mapped.
Requirements for User
Name Mapping
Introduction to NFS (UNIX) and Windows Authentication
In standard NFS implementations [3], authentication is not used to gain access to NFS resources.
The NFS file server depends upon the authentication performed by the client computer. It then
uses the standard UNIX identification mechanism (UID and GID) to identify a user. Access control
is determined by the native file system, which in the case of UNIX means file-based permission
bits. In addition, the NFS server restricts read or write access to files using a list of client
computers and their permitted access.
In contrast, Windows users that access remote Windows shares are identified by their security
identifier (SID) rather than by a UID. Each computer authenticates the user, and once the user is
authenticated the user's SID determines the access that the user gets to resources.
Different Identification and Authentication Schemes
When a user logs on to a Windows-based computer, he is identified with a
Windows Security Identifier (SID). For the user to access NFS resources,
he/she needs to acquire UNIX identification consisting of a UID and a GID. This
requires the user to be authenticated with the UNIX-based network using either
a PCNFS server or an NIS server. The same problem exists in the reverse
direction; in other words, when a user logs on to a UNIX-based computer the
user is allocated only a UID and GID. The user needs a way to obtain the SID
that rightfully identifies that user to Windows-based computers while accessing
files from the Windows computer.
User Name Mapping addresses the problem of identification for Windows users
in a UNIX-based network and for UNIX users in a Windows-based network. It
also authenticates Windows users accessing NFS resources in the UNIX-based
network using UNIX username and password. User Name Mapping not only
maps the Windows user to the UNIX user but also provides the UID and GID by
relying on Windows authentication and the maps. On the other hand, it only
maps the UNIX UID and GID to a Windows-based user; it is unable to provide a Windows SID [4].
[3] In the case of secure NFS or Kerberos-based NFS, authentication is explicit.
[4] Server for NFS uses the User Name Mapping server for UID- and GID-to-Windows user name
mapping. It obtains a SID for file access control by using a separate component called Server for
NFS Authentication, which is installed as a Windows sub-authentication package.
Features of User Name
Mapping
Central Mapping Server
Other Windows-based NFS servers and NFS gateways require local mappings to map Windows users to
UNIX users and vice versa, and other Windows-based NFS clients require users to authenticate with
NIS or PCNFS servers.
In contrast, User Name Mapping can be deployed as a central server. It can be
installed on one server and all Services for UNIX NFS components can use it.
Having a central User Name Mapping server is also useful to set up central
policies. Users may be mapped centrally to reflect the enterprise policies. For
example, if a Windows-based user is allowed read-only access to some files,
you can map that user to a UNIX-based user with read-only permissions on
those same files. Access from any NFS client will result in Windows user being
identified as the mapped UNIX user.
With a single, central mapping server common to the enterprise, the
administrative cost of mappings is reduced considerably. The traditional setup
of user name mapping per NFS server or NFS gateway is expensive, because
the effort of creating and managing the mappings are replicated on each
machine. Administering maps on just one central server is far less costly
compared to the previous solution.
Mapping Between UNIX and Windows Users
Simple mapping allows the mapping of users with the same user names in the
separate Windows-based and UNIX-based name spaces. When enabled,
simple mapping maps users with identical user names between two name
spaces. Administrators can associate a Windows domain to a UNIX NIS
domain or a PCNFS server for simple mapping.
Figure 1. Mapping user names in UNIX NIS domain and Windows domain with Simple
mapping
Simple mapping provides an easy way to configure a large number of users. Most users in the
network have identical user names in the Windows-based and UNIX-based networks, and such users
can be mapped using simple mapping.
Advanced mapping allows administrators to create explicit mappings between
any Windows-based user name and a UNIX-based user name.
Advanced mapping provides the following features:
• It maps users that belong to domains other than the Windows-based and UNIX-based domains
  associated for simple mapping. This includes users from other domains that need access to NFS
  resources. In figure 2, UNIX users from an NIS domain called maths have been mapped in addition
  to the NIS domain ind-unix-dev used for simple mapping.
• It overrides a mapping created by simple mapping by explicitly associating a Windows-based user
  with a user of a different name in the UNIX name space (and vice versa). Figure 2 shows that
  Windows user yench is explicitly associated with UNIX user tdshy, overriding the simple mapping
  that would associate yench with yench across the Windows-based and UNIX-based domains.
• It maps users whose user names differ between Windows and UNIX. Some users have different user
  names for historic or administrative reasons; these can be mapped so that both names refer to
  the same actual person. In figure 2, one user has the two user names john (Windows) and johnaz
  (UNIX); with advanced mapping the two names are mapped to each other.
• It maps users that should not have access to NFS resources. These users are mapped to
  unassigned (unmapped) users, resulting in no access. Figure 2 shows this for users i-malrao and
  sjahn, which are explicitly unassigned.
• It maps multiple Windows-based users to a single UNIX-based user. This is used when a small set
  of UNIX-based users represents classes of access to NFS resources. Figure 2 shows both Windows
  users john and peterj mapped to the same UNIX user johnaz. One of them is marked as the primary
  mapping, which denotes that for UNIX user johnaz the reverse mapping to a Windows user yields
  john (not peterj).
Figure 2.
When a User Name Mapping client sends a request to resolve a mapping for a given Windows or UNIX
user name, the mapping server uses the following algorithm:
1. If an advanced mapping is set for the user, it returns that advanced mapping. A Windows user
   name may be associated with only one UNIX user name, which is returned for a Windows user. A
   UNIX user name, on the other hand, may be associated with several Windows user names; in that
   case the one marked as primary is returned.
2. If a Windows user name or a UNIX user name is explicitly associated with an unmapped user,
   User Name Mapping returns that the user is unmapped. This is especially useful to override
   users who would otherwise be mapped by default through simple mapping, and for assigning an
   anonymous UID or GID.
3. If no explicit mapping exists for the user, it looks for an implicit mapping in which the
   Windows and UNIX user names are the same. If it finds one, it returns it.
4. If there is no mapping for the user, either implicit or explicit, it returns that the user is
   unmapped.
With this sequence an advanced mapping always overrides the simple mapping between Windows users
and UNIX users.
Supports Both NIS and PCNFS
User Name Mapping supports obtaining UNIX user names from both NIS and PCNFS [5]. If the
UNIX-based network uses NIS, the existing infrastructure can remain unchanged when User Name
Mapping is introduced, and the UNIX-based network continues to operate as before.
Auto-Refresh of UNIX and Windows User Names
User Name Mapping periodically refreshes Windows and UNIX user names
from a domain controller and an NIS server or a PCNFS server, respectively.
Any changes to name spaces, such as the addition or deletion of users, are
reflected in the mappings automatically. This ensures that any changes to the
name spaces are reflected correctly in the mappings. Figure 1 shows the
refresh interval of 24 hours. All user names and the resulting maps are updated at 24-hour
intervals, so any user added to the organization will have a mapping, and the appropriate NFS
access, within 24 hours.
Administrators can modify this interval to suit their requirements.
Mapping Multiple Windows Users to One UNIX User
The mapping server allows mapping multiple Windows users to one UNIX user, so that they receive
the access privileges of the UNIX user to whom they are mapped. NFS requests from any of these
Windows users are sent with the UID and GID of that UNIX user. This is useful when there are
fewer user accounts in UNIX, which may represent different classes of database access, and
administrators want to associate a number of Windows users with such UNIX users.
For example, in figure 2 both john and peterj are associated with UNIX user johnaz. NFS requests
from a Client for NFS on behalf of either john or peterj will carry UID 137. In the other
direction, NFS requests with UID 137 arriving at Server for NFS will be resolved in the context
of vivekntest\john, the primary mapping for johnaz.

[5] In this version, User Name Mapping supports only Windows-based PCNFS servers. The PCNFS
files, namely passwd and group, must be accessible to User Name Mapping.
Squashing
User Name Mapping supports mapping users to unmapped users, whether mapping a UNIX user to the
Windows unmapped user or a Windows user to the UNIX unmapped user.
For a Windows user who is mapped to the unmapped user, an authentication request results in an
anonymous UID and GID, typically -2 and -1 respectively, being used on behalf of that user in NFS
requests. Similarly, any file created by such a Windows user on Server for NFS is reported as
owned by a user with UID -2 and GID -1. In the other direction, for a UNIX user who is mapped to
the Windows unmapped user, any files created by such a user are marked as owned by the Windows
Anonymous user, and NFS requests from that UNIX user are resolved in the context of the Windows
Anonymous user. Typically, only files that grant permissions to Everyone will be accessible to
such a UNIX user via NFS.
This feature is useful to override a mapping that was created inadvertently by simple mapping: it
avoids associating two different people who happen to have identical user names in the Windows
and UNIX networks. Mapping a user to an unmapped user is also useful to ensure that some users
receive only anonymous NFS access privileges.
Group Mappings
In addition to user name mappings, User Name Mapping also maps Windowsbased group names to UNIX-based group names (and vice versa).
When mapping a Windows user to a UNIX user, the GID of the mapped UNIX
user is provided in the NFS request. This allows the appropriate access for the
Windows user according to group permission bits on the UNIX files. While
mapping the UNIX user to a Windows user for Server for NFS, User Name
Mapping maps the GID to a Windows group using the group mappings. Thus
access to the file on a Windows-based NFS server is determined by the
Windows user name and the ACLs for the mapped Windows group.
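The resolution order of the preceding sections, the squashing rules, and the GID handling of the group mappings can be followed in code. The block below is an added example written for this page; it is not code from Services for UNIX. The Windows domain vivekntest, the NIS domain ind-unix-dev, the user names, UID 137 and the overrides are taken from figure 2 and the text where the paper gives them; everything else (the other UIDs, GID 201, the maths domain with user euler, the group mapping to vivekntest\dev, the ANONYMOUS label, and treating Windows names as case-insensitive) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANON_UID, ANON_GID = -2, -1        # anonymous UID/GID the paper gives for squashed users
WINDOWS_ANONYMOUS = "ANONYMOUS"    # stands in for the Windows Anonymous user (label assumed)

# Constructed passwd-format data for NIS domain "ind-unix-dev": names follow figure 2 and
# johnaz has UID 137 as in the text; the other UIDs and GID 201 are invented.
PASSWD_IND_UNIX_DEV = """\
yench:x:101:201:Yen Ch:/home/yench:/bin/sh
tdshy:x:102:201:T D Shy:/home/tdshy:/bin/sh
johnaz:x:137:201:John A:/home/johnaz:/bin/sh
sjahn:x:140:201:S Jahn:/home/sjahn:/bin/sh
annak:x:150:201:Anna K:/home/annak:/bin/sh
"""
# Constructed second NIS domain, "maths", reachable only through an advanced mapping.
PASSWD_MATHS = "euler:x:500:300:L Euler:/home/euler:/bin/sh\n"

def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """name -> (uid, gid) from passwd-format lines; blank and comment lines are skipped."""
    users: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users

@dataclass(frozen=True)
class Advanced:
    """Explicit mapping; unix_user None squashes the Windows user, win_user None squashes the UNIX user."""
    win_domain: str
    win_user: Optional[str]
    nis_domain: str
    unix_user: Optional[str]
    primary: bool = False    # which Windows user a many-to-one UNIX user resolves back to

class MappingServer:
    def __init__(self, simple_domains, windows_users, unix_users, advanced, group_maps):
        self.simple_domains = simple_domains    # Windows domain -> NIS domain paired for simple mapping
        # Windows names are case-insensitive, so they are stored lower-cased; UNIX names are not.
        self.windows_users = {d.lower(): {u.lower() for u in us} for d, us in windows_users.items()}
        self.unix_users = unix_users            # NIS domain -> {name: (uid, gid)}
        self.advanced = advanced                # list of Advanced
        self.group_maps = group_maps            # (NIS domain, gid) -> "DOMAIN\\group"

    def windows_to_unix(self, win_domain: str, win_user: str):
        """Client/Gateway for NFS direction: (nis_domain, unix_user, uid, gid) or the anonymous identity."""
        dom, name = win_domain.lower(), win_user.lower()
        # Steps 1 and 2: an explicit entry wins, including an explicit "unmapped" (squash).
        for m in self.advanced:
            if m.win_user is not None and (m.win_domain.lower(), m.win_user.lower()) == (dom, name):
                if m.unix_user is None:
                    return (None, None, ANON_UID, ANON_GID)
                return (m.nis_domain, m.unix_user) + self.unix_users[m.nis_domain][m.unix_user]
        # Step 3: simple mapping, the same name in the Windows domain and its paired NIS domain.
        nis_domain = self.simple_domains.get(dom)
        if nis_domain and name in self.windows_users.get(dom, set()) and name in self.unix_users.get(nis_domain, {}):
            return (nis_domain, name) + self.unix_users[nis_domain][name]
        # Step 4: no mapping at all; the NFS request goes out as the anonymous user.
        return (None, None, ANON_UID, ANON_GID)

    def unix_to_windows(self, nis_domain: str, uid: int) -> str:
        """Server for NFS direction: UID from an NFS request -> "DOMAIN\\user" or the Windows Anonymous user."""
        names = [n for n, (u, _g) in self.unix_users.get(nis_domain, {}).items() if u == uid]
        if not names:
            return WINDOWS_ANONYMOUS
        unix_user = names[0]
        explicit = [m for m in self.advanced if (m.nis_domain, m.unix_user) == (nis_domain, unix_user)]
        if any(m.win_user is None for m in explicit):
            return WINDOWS_ANONYMOUS             # UNIX user explicitly squashed
        if explicit:                             # many-to-one: the primary Windows user is returned
            chosen = next((m for m in explicit if m.primary), explicit[0])
            return f"{chosen.win_domain}\\{chosen.win_user}"
        for win_domain, paired in self.simple_domains.items():
            if paired == nis_domain and unix_user in self.windows_users.get(win_domain, set()):
                return f"{win_domain}\\{unix_user}"
        return WINDOWS_ANONYMOUS

    def gid_to_windows_group(self, nis_domain: str, gid: int) -> Optional[str]:
        """Group mapping Server for NFS uses to evaluate the ACL entries of the mapped group."""
        return self.group_maps.get((nis_domain, gid))

def demo_server() -> MappingServer:
    """The mappings of figure 2 as the text describes them, plus constructed extras."""
    return MappingServer(
        simple_domains={"vivekntest": "ind-unix-dev"},
        windows_users={"vivekntest": {"yench", "john", "peterj", "i-malrao", "sjahn", "annak", "leonhard"}},
        unix_users={"ind-unix-dev": parse_passwd(PASSWD_IND_UNIX_DEV), "maths": parse_passwd(PASSWD_MATHS)},
        advanced=[
            Advanced("vivekntest", "yench", "ind-unix-dev", "tdshy"),               # overrides yench <-> yench
            Advanced("vivekntest", "john", "ind-unix-dev", "johnaz", primary=True),
            Advanced("vivekntest", "peterj", "ind-unix-dev", "johnaz"),             # many-to-one
            Advanced("vivekntest", "i-malrao", "ind-unix-dev", None),               # Windows users squashed
            Advanced("vivekntest", "sjahn", "ind-unix-dev", None),
            Advanced("vivekntest", None, "ind-unix-dev", "sjahn"),                  # and the UNIX side of sjahn
            Advanced("vivekntest", "leonhard", "maths", "euler"),                   # other NIS domain (constructed)
        ],
        group_maps={("ind-unix-dev", 201): "vivekntest\\dev"},                      # constructed group mapping
    )
```

Two points the model makes visible: the reverse lookup for a UNIX user shared by several Windows users is only deterministic because one mapping is marked primary, and squashing the Windows side of a name does not by itself squash the UNIX side, so both entries are needed when a UNIX account must never be resolved to a Windows user.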
Administration Mechanisms
User Name Mapping provides both a command line and a Microsoft
Management Console (MMC)-based GUI tool for managing the User Name
Mapping server as well as the mappings themselves. These two tools provide
the following functions:
• Start and stop the User Name Mapping server.
• Create, delete, and modify both simple and advanced mappings.
• Set the interval at which simple mappings are refreshed periodically, and download UNIX and
  Windows user names from the Windows domain controller and the NIS master server to update the
  simple mappings.
• Map multiple Windows users to a single UNIX user, and mark one of those Windows-to-UNIX user
  mappings as the primary mapping.
• List and view user name mappings: all mappings, only the advanced mappings, or only the simple
  mappings.
• Back up and restore user mappings.
In addition, the administrative tools allow you to administer local or remote User Name Mapping
servers.
NFS Components and
User Name Mapping
Server for NFS and User Name Mapping
Server for NFS uses User Name Mapping to map the UNIX UIDs included in NFS requests to Windows
user names. The Windows user name identifies the user for the file system request. Server for NFS
then uses the Server for NFS Authentication component to authenticate [6] to Windows and gain
file access. Figure 3 shows the sequence of events while Server for NFS fulfills an NFS request
from a UNIX-based NFS client.
Figure 3. Server for NFS request flow (diagram not reproduced): User Name Mapping server, Server
for NFS, and Domain Controller on the Windows-based network; NFS client on the UNIX network; the
arrows are labelled 0, 1, 3, and 4.
Flow of events
1. Server for NFS periodically downloads⁷ the user name mappings from the
User Name Mapping server. These mappings are stored by Server for NFS.
2. Server for NFS receives the NFS request with the UID/GID embedded in it.
3. Server for NFS maps the UID/GID to the corresponding Windows-based user
name using the mapping data provided by the User Name Mapping server.
4. Server for NFS authenticates the Windows-based user using the Server for
NFS authentication package, typically running on the domain controller of
that domain. If the mapped user is local, it uses Server for NFS
authentication installed locally.
5. Server for NFS accesses the files by impersonating the mapped Windows user,
using the credentials of that user, and returns the data to the requesting
NFS client.
6. Server for NFS downloads the entire set of maps periodically to translate
ACLs into UNIX UIDs/GIDs to return to NFS clients. This is necessary for NFS
calls that must return file attributes, such as getFileAttributes.
⁶ This component is installed as a Windows sub-authentication package during Server for NFS authentication.
⁷ Maps are downloaded only if they have changed since the last download.
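As an added example (not code from this white paper or from Services for UNIX), the following Python models steps 2, 3 and 6 of this flow: it decodes the credential in which an NFS client embeds its UID/GID, assuming the standard RPC AUTH_SYS (AUTH_UNIX) encoding of RFC 5531, and resolves it against a mapping table in both directions. The mapping table, account names and credential contents are constructed sample values.

```python
import struct
from typing import Optional

# Constructed sample map standing in for the user maps that Server for NFS
# downloads from the User Name Mapping server (hypothetical values).
USER_MAP = {               # UNIX UID -> Windows user
    1001: "CORP\\alice",   # simple mapping: login "alice" in both networks
    1002: "CORP\\jsmith",  # advanced mapping: UNIX "john" -> Windows "jsmith"
}

def parse_auth_sys(body: bytes) -> dict:
    """Decode the XDR-encoded AUTH_SYS (AUTH_UNIX) credential body that carries
    the UID/GID inside an NFS request (RFC 5531): stamp, machinename<255>,
    uid, gid, gids<16>. All fields are big-endian 32-bit quantities."""
    off = 0
    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from(">I", body, off)
        off += 4
        return v
    stamp = u32()
    name_len = u32()
    machine = body[off:off + name_len].decode("ascii")
    off += (name_len + 3) & ~3          # XDR pads opaque data to a 4-byte boundary
    uid, gid = u32(), u32()
    gids = [u32() for _ in range(u32())]
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def build_auth_sys(stamp: int, machine: str, uid: int, gid: int, gids: list) -> bytes:
    """Encode an AUTH_SYS credential body; used here to construct sample input."""
    name = machine.encode("ascii")
    pad = b"\0" * (-len(name) % 4)
    return (struct.pack(">II", stamp, len(name)) + name + pad
            + struct.pack(">II", uid, gid)
            + struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids))

def map_request_to_windows(body: bytes) -> Optional[str]:
    """Step 3 of the flow: resolve the request's UID to the Windows user that
    Server for NFS impersonates in step 5, or None when no mapping exists."""
    return USER_MAP.get(parse_auth_sys(body)["uid"])

def map_windows_to_unix(name: str) -> Optional[int]:
    """Step 6 (reverse direction): Windows owner name -> UNIX UID for file
    attributes. Windows account names compare case-insensitively."""
    for uid, win in USER_MAP.items():
        if win.lower() == name.lower():
            return uid
    return None
```

The reverse lookup is the same direction Client for NFS and Gateway for NFS need when they resolve Windows credentials to a UID/GID before mounting a share.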
Client for NFS and User Name Mapping
Client for NFS allows access to NFS resources using either the user's Windows
credentials or UNIX credentials.
Figure 4. Flow of events (diagram: User Name Mapping server and Client for NFS
on the Windows-based network; NFS server on the UNIX network; steps 0 to 4,
with step 2 the mount and step 3 the NFS request)
1. The user requests Client for NFS to map or access an NFS share, providing
the credentials used in the Windows network.
2. If the request is on behalf of the current Windows user, Client for NFS
sends the Windows credentials to the User Name Mapping server, which maps the
Windows credentials to the UNIX user name and returns the UID/GID. If the
request is on behalf of another user, Client for NFS also authenticates that
user using the usual Windows authentication mechanism and provides the
resulting credentials to User Name Mapping.
3. Client for NFS stores the returned UID/GID and mounts the NFS share.
4. For subsequent NFS calls for the same NFS share, Client for NFS sends the
request to the NFS server using the previously returned UID/GID.
5. The NFS server sends the data for the requesting UID/GID.
This is true for access to NFS resources from a Windows-based user interface
such as Microsoft Internet Explorer, via the net command, or via the mount
command. When NFS resources are accessed using UNIX credentials, the flow of
events is slightly different, as follows:
1. The user requests Client for NFS to map or access an NFS share.
2. Client for NFS sends the UNIX user name and encrypted UNIX password to the
User Name Mapping server.
3. User Name Mapping uses the data from either PCNFS or NIS to authenticate
the UNIX user name and password and returns the UID/GID to the NFS client.
4. Client for NFS stores the returned UID/GID and mounts the NFS share.
5. For subsequent NFS calls for the same NFS share, Client for NFS sends the
NFS request to the NFS server using the previously returned UID/GID.
Access to NFS resources using UNIX credentials is provided through a mount
command. The user mounts the NFS share using a command such as:
"mount * \\server\share -u:user -p:passwd"
where the user name is a UNIX user name and passwd is the UNIX password.
Gateway for NFS and User Name Mapping
The interaction between Gateway for NFS and User Name Mapping is very similar
to the interaction between Client for NFS and User Name Mapping. Requests from
Windows 95-, Windows 98-, Windows NT-, or Windows 2000-based clients without
NFS clients are handled by Gateway for NFS.
Flow of events
1. Gateway for NFS mounts UNIX shares using the root account and exports the
mapped drives as Windows shares.
2. The user requests Gateway for NFS to access the NFS share mapped by Gateway
for NFS. The Windows-based request is sent using Windows credentials.
3. Gateway for NFS sends the Windows credentials to the User Name Mapping
server, which maps the Windows credentials to the UNIX user name and returns
the UID/GID.
4. Gateway for NFS stores the returned UID/GID by associating the given
gateway request with the UID/GID.
5. For subsequent NFS calls for the same NFS share, Gateway for NFS sends the
NFS request to the NFS server using the previously returned UID/GID.
Summary
The User Name Mapping service, a component of Services for UNIX, provides
the functionality of mapping Microsoft® Windows®-based network user names
to UNIX-based network user names and vice versa. This is a means to
associate user names in two networks for users who have different identities in
Windows-based and UNIX-based domains.
This white paper described these benefits of the User Name Mapping service:
• This service can be deployed on a single node in the organization, and all
Client for NFS, Gateway for NFS, and Server for NFS computers can access this
server for mapping. A central mapping server lowers the cost of administering
a heterogeneous network.
• This service can obtain UNIX user names from a UNIX NIS or an NIS+ server
working in yp-compatible mode. It can also obtain UNIX user names from
Services for UNIX PCNFS servers. This causes minimal disruption when
introducing User Name Mapping and other Windows-based NFS components into the
network.
• Allows simple and advanced mapping. With support for simple mappings,
creating default mappings for users with identical names in two domains is
easy. With support for advanced mapping, if a user has different names in two
networks, the two names can be mapped to provide consistent and correct file
access.
• Supports multiple Windows-based and UNIX-based domains. This allows the
mapping server to be shared between multiple domains. Further, User Name
Mapping can map users irrespective of the domains in which the user names
were created.
• Maps users and groups. The service allows Windows-based NFS file servers to
provide the same semantics as UNIX NFS servers. With group mappings, access to
UNIX NFS resources using the group permission bits on a file is honored for
Windows-based users.
• Refreshes NIS, PCNFS, and Windows user names periodically. The key advantage
of this feature is that an addition, a deletion, or a change to users in the
UNIX and Windows name spaces does not require administrative intervention.
• Provides command-line, graphical, and remote administration capability.
This simplifies administration of user name mappings.
• Supports backup and restoration of mappings.
• Allows mapping of multiple Windows users to one UNIX user. This reduces the
administrative tasks of creating and managing rights and permissions.
• User Name Mapping ensures that only members of the Administrators group can
perform administrative tasks.
• User Name Mapping authenticates a UNIX user name and password using a UNIX
cryptography algorithm and provides UNIX identification. This is useful where
the Windows user requires access to UNIX resources using a UNIX account to
which the user is not mapped.
For More Information
For the latest information on Windows 2000 Server, check out our Web site at
http://www.microsoft.com/windows2000 and the Windows 2000/NT Forum at
http://computingcentral.msn.com/topics/windowsnt.