Windows and UNIX User and Group Identities

Applies To: Windows Server 2003 R2

When a UNIX user requests access to a Windows resource, or when a Windows user requests access to a UNIX resource, the computers need to map the UNIX user to the proper Windows user, or vice versa. Windows Services for UNIX 3.5 uses the User Name Mapping service, which Windows Server 2003 R2 still supports. However, Windows Server 2003 R2 adds direct lookup of the UNIX user ID (UID) and group ID (GID) from Active Directory Domain Services, so no User Name Mapping service is required.

When a UNIX user requests access to a file or folder (an “object”) stored on a Windows Network File System (NFS) shared network resource, the first step is for Windows to map the UNIX user to a Windows user. This is accomplished through Active Directory Domain Lookup or the User Name Mapping service.

The request for access to the Windows object is authenticated against a Windows domain controller by using the security identifier (SID) of the mapped Windows user. (In the special case of using a local Windows account with a local User Name Mapping service, the request is authenticated against the local Windows computer.)

If the mapped Windows user has the appropriate access permissions, the UNIX user who initiated the request is granted access to the object. Conversely, if the mapped Windows user does not have sufficient permission on the object, access is denied to the UNIX user.

The request is not mapped to a Windows user, and the permissions of the anonymous user are used instead, if any of the following is true:

  • The UNIX user does not have a mapped Windows account.

  • The User Name Mapping service cannot be reached.

  • Active Directory Domain Services does not include the UNIX user’s identity data.

When a Windows user tries to access an object stored on a UNIX computer, the same process is used but in reverse.
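The following script is an added example, not part of the original article, that performs the Active Directory lookup step described above from the administrator's side: it resolves a UNIX UID and GID to the domain user and group (and the user's SID) that would be used for the access check, and reports which identities would fall through to anonymous permissions. It assumes the RFC 2307 attributes uidNumber and gidNumber populated by Identity Management for UNIX, a domain-joined computer, and constructed sample UID/GID values.

```powershell
# Added example: audit which UNIX UIDs/GIDs resolve to Active Directory identities.
# Assumes uidNumber/gidNumber are populated in the domain (Identity Management for UNIX).
function Resolve-UnixIdentity {
    param(
        [Parameter(Mandatory=$true)][int]$Uid,
        [Parameter(Mandatory=$true)][int]$Gid
    )
    # Bind to the default naming context of the current domain.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $base    = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

    # Look up the user whose uidNumber matches the UNIX UID.
    $userSearch = New-Object DirectoryServices.DirectorySearcher($base)
    $userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(uidNumber=$Uid))"
    [void]$userSearch.PropertiesToLoad.AddRange(@("sAMAccountName", "objectSid"))
    $user = $userSearch.FindOne()

    # Look up the group whose gidNumber matches the UNIX GID.
    $groupSearch = New-Object DirectoryServices.DirectorySearcher($base)
    $groupSearch.Filter = "(&(objectClass=group)(gidNumber=$Gid))"
    [void]$groupSearch.PropertiesToLoad.AddRange(@("sAMAccountName"))
    $group = $groupSearch.FindOne()

    $props = @{ Uid = $Uid; Gid = $Gid; User = $null; UserSid = $null; Group = $null; Outcome = "" }
    if ($user) {
        $props.User = [string]$user.Properties["samaccountname"][0]
        # objectSid is stored as a byte array; convert it to the SID the access check uses.
        $sid = New-Object Security.Principal.SecurityIdentifier($user.Properties["objectsid"][0], 0)
        $props.UserSid = $sid.Value
        $props.Outcome = "mapped: access is checked against this user's SID"
    } else {
        # No uidNumber match: the request would run with anonymous permissions.
        $props.Outcome = "unmapped: anonymous permissions apply"
    }
    if ($group) { $props.Group = [string]$group.Properties["samaccountname"][0] }
    New-Object PSObject -Property $props | Select-Object Uid, Gid, User, UserSid, Group, Outcome
}

# Constructed sample values, as they might be read from an NFS client's /etc/passwd.
$samples = @(
    @{ Uid = 1001;  Gid = 100   },
    @{ Uid = 1002;  Gid = 100   },
    @{ Uid = 65534; Gid = 65534 }
)
$samples | ForEach-Object { Resolve-UnixIdentity -Uid $_.Uid -Gid $_.Gid } | Format-Table -AutoSize
```

Any row reported as unmapped identifies a UID that would receive only the anonymous user's permissions on the NFS share, which is the condition to investigate before granting the anonymous account anything beyond the minimum.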