Windows/Unix Interop: HA NFS on Windows Server 2003 - Page 2
Mapping Active Directory Users to Unix Users
Perform mapping between Active Directory and Unix user and group accounts without introducing forest schema changes or setting up Windows domain controllers as NIS Servers. This can be accomplished by installing User Name Mapping (UNM) service on a Windows 2003 Server R2 computer, which is responsible for associating corresponding accounts across both platforms. It extracts them from its Active Directory domain and either an NIS server or local copies of Unix user and group files (etc/passwd and etc/group, respectively). With the default configuration, the NFS component searches for mapping information on the local host. For this to work properly, both UNM and NFS must reside on the same system. This is not a requirement, however.
It is possible to set up a centralized pool of identically configured servers. You can easily replicate their content with Backup Maps... and Restore Maps... menu commands in the UNM node of Microsoft Services for NFS administrative console. These servers leverage a DNS round-robin mechanism to load balance mapping-related network traffic, which not only offers the benefit of redundancy but also leads to improved performance. This involves generating a DNS alias record that references individual IP addresses of Windows servers with identically configured UNM components and pointing to it each NFS server.
In addition, since, by default, the UNM service accepts only local requests, you must modify content of the .maphost file (located by default in the %windir%msnfs folder on the UNM server), by creating an access list specifying remote computers that are either denied or allowed access. The file contains detailed description of the access list syntax. Mappings between Unix and Windows accounts with matching names (referred to as simple) are automatic, once enabled. In case of different naming conventions across platforms, you have an option of defining advanced mappings. This capability also comes in handy if you must introduce many-to-one associations, in situations where several Windows users need to share the same Unix UID.
Mapping Local Windows Server SAM database Users to Unix Accounts
Perform mapping between local Windows Server SAM database (rather than Active Directory domain) and Unix accounts. This approach requires Services for NFS Authentication component (part of Windows Services for Unix, included in both Windows 2003 Server R2 and the downloadable version) and the User Name Mapping service operating locally on the server hosting NFS shares. This way, local Windows accounts can be associated with their equivalents in a remote NIS database or local copies of Unix password and group files. Similar to the second option, you can employ simple or advanced mappings with a one-to-one or many-to-one relationship between Windows and Unix platforms. Since both UNM and NFS reside on the same computer, no modifications to .maphosts file are needed. This arrangement is not relevant within the context of this article because it is not suitable for clustered installations due to its dependency on local Windows accounts.
Once you have selected the authentication mechanism that best suits your needs, you are ready to review characteristics and implementation of Windows-based Network File System. This will be the focus of our next article, which will present basic features of Microsoft Services for NSF (included in the Windows 2003 Server R2) as well as step through its installation and configuration process on a Windows server cluster.
Article courtesy of ServerWatch