Windows/Unix Interop: HA NFS on Windows Server 2003 - Page 2

By Marcin Policht | Posted Oct 26, 2007
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Mapping Active Directory Users to Unix Users

Perform mapping between Active Directory and Unix user and group accounts without introducing forest schema changes or setting up Windows domain controllers as NIS Servers. This can be accomplished by installing User Name Mapping (UNM) service on a Windows 2003 Server R2 computer, which is responsible for associating corresponding accounts across both platforms. It extracts them from its Active Directory domain and either an NIS server or local copies of Unix user and group files (etc/passwd and etc/group, respectively). With the default configuration, the NFS component searches for mapping information on the local host. For this to work properly, both UNM and NFS must reside on the same system. This is not a requirement, however.

It is possible to set up a centralized pool of identically configured servers. You can easily replicate their content with Backup Maps... and Restore Maps... menu commands in the UNM node of Microsoft Services for NFS administrative console. These servers leverage a DNS round-robin mechanism to load balance mapping-related network traffic, which not only offers the benefit of redundancy but also leads to improved performance. This involves generating a DNS alias record that references individual IP addresses of Windows servers with identically configured UNM components and pointing to it each NFS server.

In addition, since, by default, the UNM service accepts only local requests, you must modify content of the .maphost file (located by default in the %windir%msnfs folder on the UNM server), by creating an access list specifying remote computers that are either denied or allowed access. The file contains detailed description of the access list syntax. Mappings between Unix and Windows accounts with matching names (referred to as simple) are automatic, once enabled. In case of different naming conventions across platforms, you have an option of defining advanced mappings. This capability also comes in handy if you must introduce many-to-one associations, in situations where several Windows users need to share the same Unix UID.

This approach might necessitate extra maintenance activities. For example, when relying on password and group files to generate mappings, you will need to keep them synchronized between Unix and Windows UNM servers. With multiple, identical installations of UNM component (in redundant arrangements based on DNS round-robin), you not only have more file copies to deal with, but also must ensure mappings on all of them remain consistent. This might be somehow simplified by applying updates on each server via batch files running MAPADMIN command, which is capable of generating new user and group maps from the command line.

Mapping Local Windows Server SAM database Users to Unix Accounts

Perform mapping between local Windows Server SAM database (rather than Active Directory domain) and Unix accounts. This approach requires Services for NFS Authentication component (part of Windows Services for Unix, included in both Windows 2003 Server R2 and the downloadable version) and the User Name Mapping service operating locally on the server hosting NFS shares. This way, local Windows accounts can be associated with their equivalents in a remote NIS database or local copies of Unix password and group files. Similar to the second option, you can employ simple or advanced mappings with a one-to-one or many-to-one relationship between Windows and Unix platforms. Since both UNM and NFS reside on the same computer, no modifications to .maphosts file are needed. This arrangement is not relevant within the context of this article because it is not suitable for clustered installations due to its dependency on local Windows accounts.

Once you have selected the authentication mechanism that best suits your needs, you are ready to review characteristics and implementation of Windows-based Network File System. This will be the focus of our next article, which will present basic features of Microsoft Services for NSF (included in the Windows 2003 Server R2) as well as step through its installation and configuration process on a Windows server cluster.

Article courtesy of ServerWatch

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter