Configure NFS Account Mapping Using AD DS

Applies To: Windows Server 2008, Windows Storage Server 2008 R2

When Active Directory Domain Services (AD DS) is configured as the mapping source for Services for NFS, the selected AD DS domain is the repository used to store mapping information between Windows and UNIX user and group accounts. NFS account mapping using AD DS is compliant with RFC 2307, "An Approach for Using LDAP as a Network Information Service." In this method, Services for NFS uses LDAP queries to locate the Windows user and group accounts in AD DS that are mapped to the UNIX user and group accounts trying to access the NFS share.

This method is appropriate in instances when all of the following are true:

  • You have an existing AD DS infrastructure or are planning to deploy an AD DS infrastructure.

  • The computer running Services for NFS can access the AD DS infrastructure.

  • UNIX user identifiers (UID) and group identifiers (GID) need to be mapped to specific Windows domain user or group accounts.

If any of these assumptions are incorrect, then use a different method for NFS account mapping as described in the section, “NFS Account Mapping Methods”, in NFS Account Mapping Guide.

Overview of NFS Account Mapping Using AD DS

As illustrated in the following figure, NFS account mapping between a UNIX account and its corresponding Windows account is performed by setting the:

  • uidNumber attribute for the desired Windows user object in AD DS to the UNIX UID.

  • gidNumber attribute for user and group objects in AD DS to the UNIX GID.

Note

The AD DS schema is automatically extended to include the uidNumber and gidNumber attributes if the domain functional level is Windows Server 2008 or if the schema extensions for Windows Server 2008 have been applied.

As shown in the previous figure, the user name in the passwd file on the UNIX computer does not have to match the SamAccountName object attribute of the user object in AD DS, but rather the matching is done based on the values of the UID and the uidNumber attribute of the user object. Similarly, the group name in the group file on the UNIX computer does not have to match the SamAccountName attribute of the group object in AD DS, but rather the matching is done based on the values of the GID and the gidNumber attribute of the group object.

The process used by Services for NFS to perform identity mapping using AD DS is as follows:

  1. A UNIX operating system running an NFS client requests access to an NFS share on a computer running Server for NFS.

    The access request includes the UID and GID of the user initiating the access request.

  2. Server for NFS sends an LDAP query to AD DS for a:

    • User object that has a uidNumber attribute that matches the UID provided.

    • Group object that has a gidNumber attribute that matches the GID provided.

  3. Server for NFS grants access to the file resources in the NFS shared directory:

    • Based on the credentials returned from the LDAP query.

    • If the NTFS permissions for the share allow access to that user.

Because NFS is a stateless protocol, each subsequent access uses the same process.

Install and Configure Services for NFS to Use AD DS for Account Mapping

The process for installing and configuring Services for NFS to use AD DS as the identity mapping source is as follows:

  1. Ensure an AD DS infrastructure is properly installed and can be accessed by Services for NFS.

  2. Ensure the server running Services for NFS is a member of an Active Directory domain.

  3. Identify the UNIX passwd and group files that contain the UIDs and GIDs corresponding to users who need access to shares exported by the Server for NFS.

Note

The UIDs and GIDs could also come from a NIS service. Review the configuration of the UNIX environment to determine the appropriate source for UIDs and GIDs.

  4. Install the Services for NFS role service on the target computer.

    For more information about how to perform this step:

  5. Configure the AD DS domain to be used by Services for NFS for performing identity lookup.

    For more information about how to perform this step:

  6. Configure the remaining Services for NFS settings based on the requirements of your organization.

    For more information about how to perform this step, see Configuring Server for NFS.

  7. Secure the computer running Services for NFS based on the requirements of your organization.

    For more information about how to perform this step, see Securing Server for NFS.

  8. Populate the gidNumber object attribute for group objects in AD DS for:

    • Individual group objects using the Set-ADGroup Windows PowerShell™ cmdlet as described in the "How to Add or Modify NFS Group Mappings for an Individual Group Using the Set-ADGroup Cmdlet" section in NFS Account Mapping Task Reference.

    • Multiple group objects using the Import-CSV and Set-ADGroup Windows PowerShell cmdlets as described in the "How to Add or Modify NFS Group Mappings for a Specific Set of Groups Using a .csv File" section in NFS Account Mapping Task Reference.

    • Individual group objects using the ADSI Edit snap-in as described in the "NFS User and Group Mapping Management Using ADSI Edit" section in NFS Account Mapping Task Reference.

  9. Populate the uidNumber and gidNumber object attributes for user objects in AD DS for:

    • Individual user objects using the Set-ADUser Windows PowerShell cmdlet as described in the "How to Add or Modify NFS User Account Mapping for an Individual User Using the Set-ADUser Cmdlet" section in NFS Account Mapping Task Reference.

    • Multiple user objects using the Import-CSV and Set-ADUser Windows PowerShell cmdlets as described in the "How to Add or Modify NFS User Account Mappings for a Specific Set of Users Using a .csv File" section in NFS Account Mapping Task Reference.

    • Individual user objects using the ADSI Edit snap-in as described in the "NFS User and Group Account Mapping Management Using ADSI Edit" section in NFS Account Mapping Task Reference.
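The following Windows PowerShell script is an added example, not part of this guide or of Services for NFS. It populates gidNumber and uidNumber from constructed passwd and group lines with the Set-ADGroup and Set-ADUser cmdlets named in the steps above, then runs the same uidNumber LDAP lookup that Server for NFS performs (step 2 of the mapping process) and checks that no UID or GID is assigned to more than one object. It assumes the ActiveDirectory module is installed and that, for the sample data only, the UNIX account name equals the sAMAccountName in AD DS (the guide notes this is not required; only the numeric IDs are compared).

```powershell
# Added example (not from the guide). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample lines in passwd(5) and group(5) format. The name field is
# assumed here to match the sAMAccountName so Set-ADUser/Set-ADGroup can find the object.
$passwdLines = @(
    'alice:x:1001:2001:Alice Example:/home/alice:/bin/bash',
    'bob:x:1002:2001:Bob Example:/home/bob:/bin/bash'
)
$groupLines = @(
    'engineering:x:2001:alice,bob'
)

# group(5) field 3 is the GID; -Replace writes the attribute whether or not it already has a value.
foreach ($line in $groupLines) {
    $f = $line -split ':'
    Set-ADGroup -Identity $f[0] -Replace @{ gidNumber = [int]$f[2] }
}

# passwd(5) field 3 is the UID, field 4 is the primary GID.
foreach ($line in $passwdLines) {
    $f = $line -split ':'
    Set-ADUser -Identity $f[0] -Replace @{ uidNumber = [int]$f[2]; gidNumber = [int]$f[3] }
}

# Verification: this is the lookup Server for NFS issues for a request carrying UID 1001.
# Exactly one user object should match; more than one makes the mapping ambiguous.
$hits = @(Get-ADUser -LDAPFilter '(uidNumber=1001)' -Properties uidNumber, gidNumber)
if ($hits.Count -ne 1) {
    Write-Warning "uidNumber 1001 maps to $($hits.Count) user objects; expected exactly 1."
}
$hits | Select-Object SamAccountName, uidNumber, gidNumber

# Hygiene check: report any uidNumber or gidNumber that is assigned to more than one object,
# since a duplicate ID can map an NFS request to an unintended Windows account.
Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
    Group-Object -Property uidNumber |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate uidNumber $($_.Name): $($_.Group.SamAccountName -join ', ')" }

Get-ADGroup -LDAPFilter '(gidNumber=*)' -Properties gidNumber |
    Group-Object -Property gidNumber |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate gidNumber $($_.Name): $($_.Group.SamAccountName -join ', ')" }
```

Run it with an account that can write the uidNumber and gidNumber attributes on the target objects; the duplicate checks can be run on their own, read-only, as a periodic audit.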

You can also synchronize identity information between UNIX and AD DS by using:

Manage NFS Account Mapping Using AD DS

After you have installed and configured Services for NFS to use AD DS as the identity mapping source, there are ongoing management tasks to perform.

The following table lists the NFS user account mapping related management tasks to perform when using AD DS as the identity mapping source.

Table 5. NFS User Account Mapping Tasks for AD DS

Task

Instructions to perform it

View user account mapping for an individual user.

View user account mapping for multiple users.

Add or modify a user account mapping for an individual user.

Add or modify user account mappings for a specific set of users.

Remove the user account mapping for an individual user.

Remove the user account mapping for multiple users.

The following table lists the NFS group account mapping related management tasks to be performed when using AD DS as the identity mapping source.

Table 6. NFS Group Account Mapping Tasks for AD DS

Task

Instructions to perform it

View group account mapping for an individual group.

View group account mapping for multiple groups.

Add or modify a group account mapping for an individual group.

Add or modify group account mappings for a specific set of groups.

Remove the group account mapping for an individual group.

Remove the group account mapping for multiple groups.

The following table lists the resource management tasks to be performed on the Server for NFS when using AD DS as the identity mapping source.

Table 7. Server for NFS Resource Management Tasks

Task

Instructions

Provision an NFS share.

Manage user and group access to an NFS share.

View user and group access to an NFS share.