Introduction to Services for UNIX
This white paper describes the objectives and features of Microsoft Windows Services for UNIX 3.0. Services for UNIX consists of a number of components that bridge the gap between Windows-based and UNIX-based computers running in the same network. It is targeted primarily at system administrators and programmers who have to use both systems. The areas Services for UNIX focuses on are file sharing, remote access and administration, password synchronization, common directory management, and a common set of utilities and a shell. Services for UNIX 3.0 also provides a way to migrate UNIX scripts and applications conforming to POSIX standards to Windows-based computers.
Businesses have significant investments and skills in both UNIX-based and Windows-based applications, databases, and business processes, so there is a need for comprehensive integration between these two environments. As Windows is fast becoming the enterprise platform of choice, businesses are looking for a way to preserve existing investments in code and user knowledge and, at the same time, make the most of the new opportunities presented by migrating applications to Windows.
Administrators are looking for solutions to integrate a heterogeneous network and share information seamlessly between their Windows and UNIX systems. Users require the ability to work across a collection of networked computers running different operating systems without having to know which system they are using. Equally important is that the cost of administration should be minimized. Microsoft Services for UNIX 3.0 delivers the protocol support, interoperability tools, scripting and execution environment, and administrative framework to make this as simple as possible.
Objectives of Services for UNIX
The primary objective of Services for UNIX is to provide integrated tools that bridge the gap between UNIX and Windows for users and administrators alike. This should help create a logical enterprise network where resources are shared seamlessly and access control is determined by enterprise policies instead of the platform.
The design goals for Services for UNIX are:
Seamless sharing of data between Windows and UNIX hosts in a network
Remote command-line access to both Windows-based computers and UNIX-based computers
Make all POSIX interfaces available on Windows
Scripting: UNIX shells and the full suite of UNIX command-line tools and utilities
Heterogeneous network administration including common directory management and user password synchronization
Ease of installation and deployment in the enterprise
Simplicity of administration and management for all Services for UNIX components
This white paper describes the features and benefits of Windows Services for UNIX in typical deployment scenarios. It is intended for system and network administrators, software programmers, and other technical professionals seeking seamless UNIX and Windows interoperability for their heterogeneous environments.
Features of Services for UNIX
Services for UNIX Addresses Interoperability Requirements
Services for UNIX is designed to integrate networks that have UNIX- and Windows-based computers easily and seamlessly. This section first describes the issues that these mixed environments face and then explains the features of Services for UNIX that address them.
To create a seamless logical network, users should be able to share resources regardless of where they are located. In an enterprise, access to resources should be governed primarily by corporate policies and not by whether the resources are Windows-based or UNIX-based; it should be independent of implementation technologies. Users can then access applications and databases residing anywhere in the network, and resources become accessible to users of either UNIX-based or Windows-based computers.
Differences in Windows and UNIX Environments
Authentication mechanisms, file access protocols, conventions, and procedures differ between UNIX and Windows. However, the tasks that users need to perform are similar in nature. Services for UNIX provides protocol support, administrative tools, and utilities to bridge these differences.
Multiple Authentications and Separate Identities
UNIX- and Windows-based operating systems use different directories and access control mechanisms. In a logical enterprise network, users should be able to use a single sign-on mechanism to access resources on both systems. Because the authentication mechanisms differ, users end up with different user names and passwords on each system. Having different identities and separate passwords is problematic for users and administrators and is contrary to running a single logical network.
With the use of different directories on UNIX- and Windows-based networks, even if a user has accounts on both systems, he is represented as a different user in two systems. Access to resources on UNIX from a Windows-based computer, or vice versa, requires separate authentication. Consequently, the network is split into separate islands of Windows and UNIX domains, creating an artificial barrier dividing the single enterprise network.
Differences in Development Environments
Many applications that were previously available only on UNIX-based computers are now available on Windows-based computers. With increasing demand, existing UNIX applications are being ported to Windows, and new high-end workstation applications are being developed on Windows.
Many software programmers who are traditionally UNIX programmers are now developing applications for Windows-based computers. These users expect a UNIX-like environment on Windows, which makes their transition easier. UNIX users need a shell and a collection of command-line UNIX utilities that they use for day-to-day software development tasks: tools such as grep, find, ps, and tar, and the scripting abilities of the shell to combine them into more complex tools. A familiar environment on Windows reduces the cost of learning a new set of tools and helps UNIX programmers stay efficient when they switch to Windows software development.
System administration tools and mechanisms on Windows and UNIX differ significantly from each other. UNIX system administrators typically use command-line tools and shell scripts to manage systems. Windows, on the other hand, relies primarily on graphical tools supplemented by command-line scripts run through Windows Script Host (WSH).
With such differences between Windows and UNIX, administration and management of heterogeneous enterprise networks becomes a challenge.
Familiar management tools
The cost of running heterogeneous networks increases with the significant learning curve required for administrators to administer two different networks. Administrators of a heterogeneous network need similar mechanisms and tools to administer both Windows- and UNIX-based computers. Such tools should allow remote administration as well as automation of repetitive administration tasks.
Differences in directory services
In addition to differences in UNIX and Windows administration mechanisms, another significant administration issue is the difference in directories. The UNIX and Windows operating systems use different directories to store their users, groups, and other network objects. Managing two directories separately and keeping them in synchronization is a time-consuming burden on administrators.
Although most users and directory objects in the two networks are the same, users must be added, deleted, and managed in two directories separately. Whenever a user joins the organization, that user must be added to both networks differently. This duplicates the work and increases the cost of user and directory management. In addition, there is a danger of leaving the two directories inconsistent with each other, which may lead to access and authentication problems.
Needs of Windows-based network administrators
Windows-based network administrators can benefit from scripting and command-line tools to simplify their routine system management tasks. GUI-based tools help a novice user discover features and become productive quickly. Command-line tools and scripts, however, are better suited to automating repetitive tasks and help more experienced users increase their productivity.
Features of Services for UNIX
Services for UNIX provides a single comprehensive package to meet the interoperability requirements described above. Services for UNIX implements the following features:
File sharing between UNIX- and Windows-based operating systems using Network File System (NFS); Services for UNIX provides NFS client, NFS server, and NFS gateway functionality.
Remote command-line access between Windows- and UNIX-based computers, or between two Windows-based computers, using the Telnet client and server and Remote Shell.
Full support for POSIX standard interfaces provided by the Interix subsystem
Korn Shell, C Shell, and over 350 commonly used UNIX commands and utilities.
Common network administration by providing NIS server functionality using Microsoft Windows 2000 Active Directory® directory service.
Password synchronization between Windows and UNIX.
Installation using Microsoft Windows Installer.
Administration of Services for UNIX components and services using Microsoft Management Console (MMC).
Management of Services for UNIX components using Windows Management Instrumentation (WMI).
Services for UNIX can be installed on Microsoft Windows NT®–based or Windows 2000–based computers and can interoperate with a variety of UNIX-based computers, specifically: Solaris (2.7 and above); HP-UX (10.20 and above); IBM AIX (4.3 and above); Linux (Red Hat 6.2 and above).
File Sharing Between UNIX and Windows through NFS
Services for UNIX provides file sharing through NFS components installed on Windows-based computers. It provides three different components: Server for NFS, Client for NFS, and Gateway for NFS. It provides NFS file access using Windows authentication and a Services for UNIX feature called User Name Mapping.
Server for NFS
Server for NFS is an NFS server implemented on a Windows-based server. It allows UNIX-based NFS clients to access files on Windows-based computers the same way files on other UNIX NFS servers are accessed. For UNIX-based NFS users, this process is completely transparent. File-level access is determined by the user's UID or GID as well as by Windows access control lists (ACLs). Server for NFS supports NFS on all Windows-based file systems including FAT, CDFS, and NTFS; because only NTFS stores ACLs, per-user access control on NFS-shared files is possible only on NTFS volumes.
NFS versions 2 and 3 support: Server for NFS allows UNIX and other NFS clients to access files stored on Windows-based file servers using NFS protocol. Server for NFS provides complete support for the NFS version 2 and 3 protocols. It supports NFS file locking specified by the Network Lock Manager (NLM) protocol.
Simple sharing: Server for NFS provides an easy way to share directories and set NFS access permissions on Windows-based computers. A directory can be shared using the NFS Sharing tab accessible from the context menu for the directory. Directories may also be shared using the nfsshare command. NFS access permissions can be restricted to read, read/write, or root for individual computers or for a group of computers.
Access control and authentication: Server for NFS integrates UNIX and Windows access control mechanisms in a natural manner. The UNIX UID and GID carried in an NFS request are mapped to a corresponding Windows user, and file access is performed in the security context of that mapped user, so the Windows ACLs on the files are enforced for the UNIX user just as they are for a Windows user. This gives users file access that is consistent with their UID and privileges on a UNIX-based computer. The UID-to-Windows-user mapping is provided by a Services for UNIX component called User Name Mapping; authentication of the NFS requests themselves is provided by a separate component called Server for NFS Authentication. Access may be provided to both local users and domain users. Note that in NFS versions 2 and 3 the UID and GID in a request are asserted by the client host rather than proven to the server, so the mapping is only as trustworthy as the hosts permitted to reach the share: restrict read/write and especially root permission to known hosts, and leave UIDs that should have no Windows identity unmapped or explicitly squashed.
Simple administration: Server for NFS provides both graphical and command-line tools for administering Server for NFS. Administration tools provide easy options for configuring server settings and for logging all activities related to NFS access. It also allows monitoring and reclaiming of NFS locks. In this version, a new "Server Settings" tab is included in the MMC Snap-in that allows the administrator to control an additional range of configuration settings.
Client for NFS
Client for NFS allows Windows-based computers to access files and directories that are stored on UNIX-based NFS file servers. It provides access to UNIX NFS shares similarly to the way access to Windows file shares is provided natively on Windows. Client for NFS supports NFS versions 2 and 3, and has the following features:
Simple access mechanism. For the user, accessing NFS shares is no different from accessing any other Windows share. Access to NFS shares is provided using the same familiar mechanisms. Users may browse NFS servers in the NFS network and access NFS shares by either mapping them to a drive letter or by using UNC names. NFS files may also be accessed using the net or mount commands.
Authentication. Access to NFS shares is provided with the help of another Services for UNIX component, the User Name Mapping service. This allows access to NFS shares with single sign-on, in other words, using Windows authentication without providing a UNIX user name and password. This makes NFS access completely transparent as far as the user is concerned. NFS requests are sent using the UID and GID of the mapped user, so the Windows-based user gets the access privileges of the mapped UNIX user on the NFS share. Users who have accounts on both UNIX and Windows get the same privileges whether they access files from a UNIX NFS client or from a Windows NFS client.
Performance tuning. Administrators may tune performance characteristics of the NFS mount using administration tools for Client for NFS. They can set or change characteristics of the NFS mounts such as the read/write buffer size, or soft vs. hard mount. It also provides a tool called Autotune that helps detect optimum read/write buffer sizes for connecting to a particular NFS share.
Gateway for NFS
Gateway for NFS allows access to NFS shares from computers that do not have NFS client software installed. This is useful for Windows-based computers without Client for NFS. Gateway for NFS acts as a gateway between the Windows-based network and the UNIX-based network.
Gateway for NFS mounts NFS shares and exports them as Windows shares. Windows-based computers access NFS shares using Windows-based networking using the share exported by the Gateway for NFS.
Gateway for NFS also uses the User Name Mapping service to map Windows-based credentials to UNIX UIDs and GIDs before forwarding file access requests to NFS servers. Each gateway request is attributed to the individual user who made it, and that user's Windows user name is mapped to the corresponding UNIX user before the request is forwarded to the NFS server. This ensures that clients reaching NFS servers through the gateway, without NFS client software of their own, get the same privileges they would get from a UNIX NFS client. Since access to Gateway for NFS shares is provided using Windows-based networking, these requests are authenticated using Windows-based credentials.
Administrators can export NFS shares as Windows shares using a simple tool that lets the administrator specify the NFS server and the Windows-based share name under which the NFS share should be exported.
User Name Mapping
The User Name Mapping service is a component of Services for UNIX that maps Windows user names to UNIX user names and vice versa. It is a means of associating user names or identities in Windows- and UNIX-based domains. The NFS components listed above use User Name Mapping to bridge the gap between Windows authentication and the UNIX UID or GID that is part of every NFS request. It maps an authenticated Windows user's credentials to a UID and GID; with this, Client for NFS or Gateway for NFS allows Windows users access to NFS resources without explicit UNIX authentication. Server for NFS uses the same mapping to grant access privileges to NFS requests originating from UNIX-based computers, which carry only UNIX identification [1].
User Name Mapping can be run as a central server in the enterprise network. This simplifies administration, since mappings need to be maintained on only one server. If all Windows-based NFS components use the central User Name Mapping server, users get consistent access to NFS resources from anywhere in the network. User Name Mapping also provides the following features:
Support for NIS or PCNFS. User Name Mapping retrieves UNIX user names from a UNIX NIS-based domain or using PCNFS files. With support for NIS, User Name Mapping can be used with very little disruption to the rest of the NIS infrastructure. For Windows users, it obtains user names from the Windows-based domain controllers. It also periodically refreshes user names from both UNIX and Windows domains.
Support for simple and advanced mappings. User Name Mapping can be configured to map, by default, Windows and UNIX users who have the same user names in the Windows-based domain and in NIS domain or PCNFS. In addition, administrators can map users who have different user names in Windows and UNIX domains, and they can map multiple Windows user names to the same UNIX user name.
Squashing support. User Name Mapping supports the ability to squash Windows or UNIX users, in other words, to map them to the unmapped (anonymous) user. This is useful to override users who would otherwise be mapped automatically by simple mapping, and for users who should be explicitly treated as anonymous.
Groups mapping. User Name Mapping also maps groups between Windows and UNIX. Through this feature, UNIX-based NFS users can also get group-based file access.
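The following is an added example and is not code from Services for UNIX. It models, in Python, how the two mechanisms described above combine when Server for NFS receives a request: the per-host export permissions (read, read/write, root) described under Server for NFS, and the User Name Mapping rules just listed (simple mapping by identical name, advanced mapping for differing names, squashing, and group mapping), followed by a Windows-style ACL check in the context of the mapped identity. All account names, UIDs, host names and the ACL are constructed for illustration; the anonymous identity's name and the treatment of UID 0 from a host without root permission (root squash) are assumptions, not documented Server for NFS behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed display name for the unmapped (anonymous) Windows identity.
ANONYMOUS = "ANONYMOUS LOGON"


@dataclass
class UnixAccount:
    name: str
    uid: int
    gid: int


@dataclass
class UserNameMapping:
    """Model of the User Name Mapping rules described in the white paper."""
    unix_by_uid: dict[int, UnixAccount]     # as read from NIS or PCNFS files
    windows_users: set[str]                 # as obtained from the domain controller
    advanced: dict[int, str] = field(default_factory=dict)  # UID -> Windows user
    squashed: set[int] = field(default_factory=set)         # UIDs forced to anonymous
    groups: dict[int, str] = field(default_factory=dict)    # GID -> Windows group
    simple_mapping: bool = True             # map identical names automatically

    def map_uid(self, uid: int) -> str:
        if uid in self.squashed:            # an explicit squash overrides any mapping
            return ANONYMOUS
        if uid in self.advanced:            # explicit mapping for differing names
            return self.advanced[uid]
        acct = self.unix_by_uid.get(uid)
        if self.simple_mapping and acct is not None and acct.name in self.windows_users:
            return acct.name
        return ANONYMOUS                    # unknown or unmapped UID


@dataclass
class NfsExport:
    """Per-host permissions as set with the NFS Sharing tab or nfsshare."""
    rw_hosts: set[str]
    ro_hosts: set[str]
    root_hosts: set[str]                    # hosts whose UID 0 is honoured

    def host_mode(self, host: str) -> str | None:
        if host in self.rw_hosts:
            return "rw"
        if host in self.ro_hosts:
            return "ro"
        return None


def resolve_identity(export: NfsExport, mapping: UserNameMapping,
                     host: str, uid: int, gid: int) -> tuple[str, set[str]]:
    """Windows user and groups for the AUTH_SYS uid/gid asserted by `host`."""
    # Assumption: UID 0 from a host without root permission is treated as
    # anonymous, as NFS servers conventionally do (root squash).
    if uid == 0 and host not in export.root_hosts:
        return ANONYMOUS, set()
    user = mapping.map_uid(uid)
    if user == ANONYMOUS:
        return user, set()
    group = mapping.groups.get(gid)
    return user, ({group} if group else set())


def authorize(export: NfsExport, mapping: UserNameMapping, acl: dict[str, set[str]],
              host: str, uid: int, gid: int, op: str) -> tuple[bool, str, str]:
    """Decide a 'read' or 'write' request against one sample file.

    `acl` is a simplified Windows ACL: user or group name -> granted operations.
    Returns (allowed, reason, effective Windows user).
    """
    mode = export.host_mode(host)
    if mode is None:
        return False, "host not permitted on export", ANONYMOUS
    if op == "write" and mode == "ro":
        return False, "export is read-only for this host", ANONYMOUS
    user, groups = resolve_identity(export, mapping, host, uid, gid)
    granted = set(acl.get(user, set()))
    for g in groups:
        granted |= acl.get(g, set())
    if op in granted:
        return True, "granted by Windows ACL", user
    return False, "denied by Windows ACL", user


# Constructed sample data: accounts, hosts and ACL exist only for this example.
MAPPING = UserNameMapping(
    unix_by_uid={0: UnixAccount("root", 0, 0), 1001: UnixAccount("alice", 1001, 100),
                 1002: UnixAccount("bob", 1002, 100), 1003: UnixAccount("carol", 1003, 100),
                 2000: UnixAccount("nfssvc", 2000, 2000)},
    windows_users={"alice", "bob", "carol", "Administrator", "svc_nfs"},
    advanced={0: "Administrator", 2000: "svc_nfs"},   # names differ between domains
    squashed={1002},                                  # bob is explicitly anonymous
    groups={100: "Domain Users", 0: "Administrators"},
)
EXPORT = NfsExport(rw_hosts={"ux1", "adminbox"}, ro_hosts={"ux2"}, root_hosts={"adminbox"})
ACL = {"alice": {"read", "write"}, "Domain Users": {"read"},
       "Administrator": {"read", "write"}, "svc_nfs": {"read"}}

if __name__ == "__main__":
    for host, uid, gid, op in [("ux1", 1001, 100, "write"), ("ux2", 1001, 100, "write"),
                               ("ux1", 0, 0, "write"), ("adminbox", 0, 0, "write"),
                               ("ux1", 1002, 100, "read"), ("ux1", 1003, 100, "read"),
                               ("ux1", 1003, 100, "write"), ("ux1", 5555, 100, "read")]:
        print(host, uid, op, authorize(EXPORT, MAPPING, ACL, host, uid, gid, op))
```

The two layers are deliberately separate: the export grants or refuses the host, and the ACL grants or refuses the mapped identity. A UID 0 request from a host without root permission, a squashed UID, and an unknown UID all collapse to the anonymous identity, which holds no ACL entries here and is therefore refused even on a read/write export; carol, who has no ACL entry of her own, gets read access only through the mapped Domain Users group.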
Remote Access through Telnet
Services for UNIX provides a telnet server and telnet client for Windows. Telnet is a TCP/IP-based protocol that allows remote terminals to be connected to a computer. Together, the telnet client and server provide a way to access and administer Windows-based computers remotely.
With telnet server for Windows, UNIX users can connect to Windows computers for executing programs or administering the computer. This allows administrators to administer Windows computers without leaving their desktop.
Telnet server supports the NTLM authentication scheme, which allows the Services for UNIX telnet client and other telnet clients that support NTLM to log on without sending a password over the network. Note that NTLM protects only the logon exchange: the telnet session itself, including every command typed and its output, is transmitted in cleartext, and clients that do not support NTLM send the password in the clear as well. Telnet server supports two modes of operation, console mode and stream mode. Console mode is needed to run screen-oriented programs such as vi. Stream mode operates similarly to a UNIX dumb terminal and is not suitable for programs such as vi. Telnet server supports a new terminal type called VTNT that gives access to the complete functionality of the Windows command console.
Telnet server supports auditing of telnet-related activities, monitoring of telnet sessions, and sending messages to connected telnet sessions. Telnet server also allows a user's applications to keep running after the user disconnects.
With Telnet client for Windows, Windows users can connect to a remote UNIX- or Windows-based computer and execute programs remotely. Telnet client supports a variety of terminal emulations including VT100, ANSI, and VTNT. It also supports authentication using NTLM.
Telnet client provides features to log the entire telnet session to a file. It also supports a variety of options that are applicable to connecting to telnet servers.
Common Network Administration Using Server for NIS
Services for UNIX implements Server for Network Information Service (NIS), which provides NIS server functionality based on Windows 2000 Active Directory. Server for NIS installed on a Windows 2000 Server domain controller can be used as the master NIS server to administer a UNIX NIS domain. Server for NIS implements the NIS version 2 protocol. It supports both UNIX-based NIS subordinate (slave) servers and UNIX-based NIS clients.
Server for NIS stores NIS objects in Active Directory. Further, it integrates UNIX users, groups, and hosts with their Windows-based equivalents, so UNIX users and groups can be administered the same way Windows users and groups are. NIS data can be managed using Active Directory tools such as the Active Directory Users and Computers snap-in. Any user who is common to both the UNIX and Windows networks can be represented once in Active Directory. This creates a common name space, reducing the administrative overhead of managing two separate name spaces and directories. Using Server for NIS also has the following benefits:
Use of Active Directory to store NIS data. Active Directory has the advantages of security, data replication, and schema-based data storage and access. Through Active Directory, NIS data may be accessed using ADSI or LDAP in addition to the NIS protocol.
Migration of NIS domains to Server for NIS. Server for NIS allows administrators to migrate NIS domains or maps and merge them with existing NIS domains. This allows an existing NIS server running on UNIX to be migrated to a Windows 2000-based computer.
Supports yppasswdd and user password synchronization. Server for NIS keeps Windows and UNIX passwords in synchronization. Whenever a user's Windows-based password is changed, the corresponding UNIX password is also changed. At the same time, it supports yppasswd, which allows UNIX users to change their passwords from UNIX-based client computers. However, when a UNIX password is changed, the Windows password is not changed.
Password Synchronization
Services for UNIX version 2 added two-way password synchronization, which allows Windows-to-UNIX password synchronization and vice versa. Password Synchronization can synchronize both local passwords and domain passwords. For domain passwords, Password Synchronization must be installed on the Windows NT or Windows 2000-based domain controllers.
Password change requests are sent only to those computers selected by administrators. For UNIX-to-Windows synchronization the list of hosts is specified in a configuration file; for Windows-to-UNIX synchronization it is specified using the administration tools.
Administrators can specify the users whose passwords should be synchronized, or those whose passwords should not be synchronized; password change requests are sent or accepted only for the specified users. Password change requests sent over the wire are encrypted using the Triple-DES algorithm. This protects the new password only in transit: it does not replace restricting which hosts may send or receive change requests, and the encryption key configured on the participating hosts must be protected as carefully as the passwords it carries.
POSIX Support through the Interix Subsystem
Services for UNIX version 3.0 includes the Interix subsystem, a complete POSIX runtime environment implemented as an environment subsystem on the Windows NT kernel, alongside the Win32 subsystem rather than layered on top of it. The Interix subsystem implements more than 1900 programmatic interfaces consistent with the ISO/IEC 9945-1 (ANSI/IEEE Std 1003.1) POSIX specification. This enables the migration of existing applications that use system calls conforming to the POSIX standards.
The source code of such applications needs to be recompiled on Windows using the SDK tools that are included with the product. The resulting application runs natively on Windows.
UNIX Shells and Utilities
This version of Services for UNIX includes the Korn shell, the C shell, and over 350 UNIX utilities. These utilities provide the full range of tools that UNIX users are familiar with and ease the task of migrating programmers and system administrators from UNIX-based computers to Windows. Utilities that help administrators with repetitive tasks include ps, kill, and top for process management, and du and df for monitoring disk usage and available space.
Administrators also use command-line utilities for a variety of other purposes; for example, they use cut and grep to filter and process data. Developers and administrators also use utilities such as find, grep, and diff to process files.
Support of Microsoft Technologies
Services for UNIX supports a number of Microsoft technologies. The tools described in this section help Services for UNIX take advantage of the technologies available in the Windows NT, Windows 2000 and newer Windows operating systems such as Windows XP.
Installation Using Microsoft Windows Installer
Services for UNIX is installed using Microsoft Windows Installer, which is included with the Windows Operating System. It provides features for a variety of setup-related functions such as installation, removal of installation, adding and removing features, or repairing the existing installation.
Administration Using Microsoft Management Console (MMC)
Services for UNIX features are administered using MMC, which is a framework for hosting administrative consoles. This allows administrative consoles to be created for delegation, for controlling specific services, or for remote management.
Windows Management Instrumentation (WMI) Support
Services for UNIX supports Windows Management Instrumentation (WMI). WMI architecture lets administrators manage a variety of services across the enterprise. It provides a consistent view of various services, which are accessible through the WMI application programming interface (API).
Summary
This white paper described the features and benefits of Windows Services for UNIX and the environments in which it is useful. Services for UNIX is designed to provide a comprehensive set of tools to help bridge the gap between UNIX-based computers and Windows-based computers for users and administrators. This helps create a logical enterprise network where resources are shared seamlessly and access control is determined by enterprise policies instead of the platform.
In summary, this paper discussed the following features and benefits of Services for UNIX:
Seamless sharing of data between two networks
Remote command-line access from a Windows-based computer to another UNIX-based or Windows-based computer
Running UNIX applications natively on Windows
Scripting: UNIX shells and command-line tools and utilities
Heterogeneous network administration including common directory management and user password synchronization
Ease of installation
Simplicity of administration and management of Services for UNIX components
For the latest information, see the Services for UNIX site at http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx.
For the latest information on Windows 2000 Server, check out our website at http://www.microsoft.com/windows2000.
[1] User Name Mapping does not authenticate UNIX NFS requests sent to Server for NFS. Server for NFS uses the Server for NFS Authentication component to authenticate NFS requests from UNIX clients.