Configuring Services for Network File System to Use User Name Mapping Service

Applies To: Windows Server 2003 R2

User Name Mapping service can be used instead of Active Directory Domain Lookup to map UNIX users to Windows users and Windows users to UNIX users. Any version of User Name Mapping service from Windows Services for UNIX 3.0 and later can be used by any version of Windows Services for UNIX or the Services for NFS from Windows Server 2003 R2. Windows Server 2003 R2 includes a version of the User Name Mapping service.

Configuring Services for NFS to use User Name Mapping service

To configure Services for NFS to use User Name Mapping service, follow these steps:

  1. Open the Services for NFS console.

  2. In the left pane, at the top of the tree, right-click Services for NFS.

  3. From the Action menu, click Properties to open the dialog box shown in Figure 7 in the Configuring Services for Network File System to Use Active Directory Domain Lookup section of this white paper.

  4. Enter the name or IP address of the User Name Mapping service.

  5. Click OK.

Note

Configuring Services for NFS to use User Name Mapping service may require that you restart your computer or Services for NFS before the change is enabled.

Domain accounts vs. local accounts

If you are running in a domain environment, you should generally use only domain accounts for your mapping. Local accounts are valid only on the single, local computer on which they are located, so you would need to use multiple User Name Mapping services (one for each local computer) if you intended to access resources on more than one Windows server. Obviously, if you are using Active Directory Domain Lookup, you are required to use domain accounts.

Simple maps

Simple maps are maps between accounts with the exact same name in UNIX and Windows. Keep in mind that although the accounts have the same name and the exact same spelling, they are not the same account. So until you actually create the maps, the accounts will not line up. For the purposes of User Name Mapping service, the account name in Windows is not case sensitive, so Charlie will align with the UNIX account Charlie, charlie, or CHARLIE.

Advanced maps

Advanced maps are used to align accounts that have different names. For example, the Windows user account for Jane H. Doe might be jdoe, but the UNIX account could be jhd. Create an advanced map to align the two accounts. You can also use advanced maps to map users from different Windows domains and explicitly map accounts that would generally be mapped by simple maps.

Authorized hosts

To prevent unauthorized access to the User Name Mapping service, the file .maphosts is used to explicitly specify which computers may access the server. This file is installed when the User Name Mapping service is installed. In Windows Services for UNIX 3.5, the file resides in the %SFUDIR%\Mapper directory, and with Windows Server 2003 R2, the file resides in %WINDIR%\msnfs.

By default, the only computer that can access the User Name Mapping service is the local computer. You need to edit the .maphosts file with a pure ASCII text editor, such as Notepad or gvim, and add the host names or IP addresses of all the hosts that are permitted to access User Name Mapping service. Remember to include any Windows computer on which you have installed Client for NFS or Server for NFS.

During initial setup and configuration of the Server for NFS Authentication, it is a good idea to configure .maphosts to allow all computers to connect to User Name Mapping service. This can be changed after authentication is working correctly. To enable all computers to access User Name Mapping service, type a plus sign (+) on an empty line at the bottom of the file. (For more information about the syntax of entries in .maphosts, see the comments in your .maphosts file.)
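The following PowerShell script is an added example and is not part of this white paper or of Services for NFS; it audits a .maphosts file after the "+" step above so that the wide-open entry does not get left behind once authentication works. It assumes the Windows Server 2003 R2 file location (%WINDIR%\msnfs\.maphosts), that comment lines in the file begin with "#" (check the comments shipped in your own file), and that every other non-blank line is a host name or IP address; the default path and the "#" convention are assumptions, not something this page states.

```powershell
# Added example (not from the white paper): report whether .maphosts still
# contains the "+" wildcard and list the hosts it explicitly permits.
# Assumptions: default path is the Windows Server 2003 R2 location;
# comment lines start with "#"; other non-blank lines name one host each.
# Written for PowerShell 2.0 so it runs on older servers.
function Get-MapHostsPolicy {
    param(
        [string]$Path = (Join-Path $env:WINDIR 'msnfs\.maphosts')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "No .maphosts file found at $Path"
    }
    $allowAll = $false
    $hosts = @()
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }  # blank or comment line
        if ($line -eq '+') { $allowAll = $true; continue }        # wildcard: every computer may connect
        $hosts += $line                                           # explicit host name or IP address
    }
    New-Object PSObject -Property @{
        Path      = $Path
        AllowAll  = $allowAll
        HostCount = $hosts.Count
        Hosts     = $hosts
    }
}

$policy = Get-MapHostsPolicy
if ($policy.AllowAll) {
    Write-Warning ("{0} still contains '+': any computer can query User Name Mapping. " +
                   "Replace it with the Client for NFS and Server for NFS hosts once authentication works.") -f $policy.Path
} else {
    Write-Output ("Permitted hosts ({0}):" -f $policy.HostCount)
    $policy.Hosts | ForEach-Object { Write-Output "  $_" }
}
```

On a Windows Services for UNIX 3.5 computer pass the other location explicitly, for example `Get-MapHostsPolicy -Path (Join-Path $env:SFUDIR 'Mapper\.maphosts')`. The script only reads the file; tightening it is still a manual edit with an ASCII editor, as the section above describes.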

Configure domain authorization

In addition to configuring User Name Mapping service, Server for NFS requires one additional step before UNIX users can be properly authenticated to access shared network resources on Windows servers. This step is needed if any of the Windows domain controllers (DCs) are not running Windows Server 2003, or if your domain is running at less than the Windows Server 2003 domain functional level.

The Server for NFS Authentication must be installed on all Windows 2000 Servers and pre–Windows Server 2003 R2 DCs that have mapped users (available from the Microsoft Download Center: https://go.microsoft.com/fwlink/?linkid=53938).

Verifying installation

The easiest way to verify that the Server for NFS Authentication installation is complete is to check for the presence of the file %WINDIR%\system32\nfssa.dll. Server for NFS Authentication does not install any new service on a computer, and its presence is not easily discovered on the Add/Remove Programs list.

Installing only Server for NFS Authentication

In Windows Services for UNIX 3.0 and 3.5, you can easily install only Server for NFS Authentication by using the command line. This allows for easy scripting across multiple DCs. The command line to silently install Server for NFS Authentication is:

msiexec /I D:\<path>\sfusetup.msi /q addlocal="NFSServerAuth"

D:\<path> is the location of the Windows Services for UNIX 3.5 installation file.

Note that the addlocal parameter:

  • Is case sensitive.

  • Will remove any other components of Windows Services for UNIX 3.0 except Server for NFS Authentication.

If you are installing multiple components from the command line, you must use a comma-separated list within the quotes of the addlocal parameter. For example, to install both Server for NFS and Server for NFS Authentication, use:

msiexec /I D:\sfusetup.msi /q addlocal="NFSServer,NFSServerAuth"

Note

If you are using a version of Windows Services for UNIX that is not the free 3.5 download, you need to add pidkey="key" to this command line, where "key" is the 25-character product key without spaces or hyphens.
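The following PowerShell script is an added example, not part of this white paper or of the Windows Services for UNIX setup; it ties together the "Verifying installation" check (the presence of %WINDIR%\system32\nfssa.dll) and the silent msiexec command line above, so that a list of DCs can be checked and the install command produced only for those that still lack the component. It assumes that the ADMIN$ administrative share on each DC maps to that computer's %WINDIR%, that the DC names, the .msi path and the product key are placeholders you replace, and that the emitted command is run on the DC itself by whatever remote-execution mechanism you already use; the script does not execute msiexec remotely.

```powershell
# Added example (not from the white paper): check each DC for nfssa.dll via
# ADMIN$ and build the silent Server for NFS Authentication install command
# for the DCs that do not have it. Placeholders: $Dcs, $MsiPath, $ProductKey.
# Assumption: \\<dc>\ADMIN$ is that computer's %WINDIR%.
$Dcs        = @('DC1', 'DC2')              # placeholder DC names
$MsiPath    = 'D:\<path>\sfusetup.msi'     # path to sfusetup.msi as seen from the DC
$ProductKey = ''                           # leave empty for the free 3.5 download

function Test-NfsAuthInstalled {
    param([string]$ComputerName)
    # The white paper's verification test: the DLL exists under %WINDIR%\system32
    Test-Path -LiteralPath ("\\{0}\ADMIN`$\system32\nfssa.dll" -f $ComputerName)
}

function Get-NfsAuthInstallCommand {
    param([string]$MsiPath, [string]$ProductKey)
    # addlocal is case sensitive; the value is exactly the component name from the paper
    $cmd = ('msiexec /I "{0}" /q addlocal="NFSServerAuth"' -f $MsiPath)
    if ($ProductKey) {
        $key = $ProductKey -replace '[\s-]', ''   # strip spaces and hyphens, as the note requires
        if ($key.Length -ne 25) {
            throw "Product key must be 25 characters after removing spaces and hyphens (got $($key.Length))"
        }
        $cmd += (' pidkey="{0}"' -f $key)
    }
    $cmd
}

foreach ($dc in $Dcs) {
    if (Test-NfsAuthInstalled -ComputerName $dc) {
        Write-Output ("{0}: Server for NFS Authentication already installed" -f $dc)
    } else {
        Write-Output ("{0}: nfssa.dll missing; run on this DC:" -f $dc)
        Write-Output ("    " + (Get-NfsAuthInstallCommand -MsiPath $MsiPath -ProductKey $ProductKey))
    }
}
```

Because the check reads the DLL through the administrative share, it needs an account that is a local administrator on each DC. The generated command is the one from the section above, with pidkey appended only when a product key is supplied.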

In Windows Server 2003 R2, you can install the Server for NFS Authentication component from CD2. The .inf file is: \CMPNENTS\R2\PACKAGES\NEWBINS\<ARCHITECTURE>\NFSAUTH.INF.

  • <ARCHITECTURE> is replaced by the appropriate folder for your server architecture.

  • The actual DLL that is installed is: \CMPNENTS\R2\NFSSA.DL_.

Note

For information about how to add Windows components by using the Sysocmgr.exe utility, see the Microsoft Support article at https://go.microsoft.com/fwlink/?LinkId=58064.

Licensing

The Microsoft Software License Terms for Windows Services for UNIX 3.0 explicitly allow for Server for NFS Authentication to be installed on all DCs without purchasing additional licenses. This is not a concern for Windows Services for UNIX 3.5, which is available as a free download from the Microsoft Download Center: https://go.microsoft.com/fwlink/?LinkId=54483.