Configure NFS Account Mapping Using AD LDS

Applies To: Windows Server 2008, Windows Storage Server 2008 R2

When AD LDS is configured as the mapping source for Services for NFS, the selected AD LDS instance is the repository used to store mapping information between Windows and UNIX user and group accounts. NFS account mapping using AD LDS is compliant with RFC 2307, "An Approach for Using LDAP as a Network Information Service." In this method, Services for NFS uses LDAP queries to locate the Windows user and group accounts in AD LDS that are mapped to the UNIX user and group accounts trying to access the NFS share.

This method is appropriate in instances when any of the following are true:

  • You do not have an existing AD DS infrastructure and do not plan to deploy an AD DS infrastructure.

  • The computers running Services for NFS are unable to access the AD DS infrastructure.

  • UNIX UIDs and GIDs need to be mapped to specific user accounts.

If any of these assumptions are incorrect, then use a different method for NFS account mapping as described in the "NFS Account Mapping Methods" section.

Overview of NFS Account Mapping Using AD LDS

As illustrated in the following figure, NFS account mapping between a UNIX account and its corresponding Windows account is performed by setting the:

  • uidNumber attribute for the desired Windows user object in AD LDS to the UNIX UID.

  • gidNumber attribute for user and group objects in AD LDS to the UNIX GID.

Note

The AD LDS schema is extended to include the uidNumber and gidNumber attributes as a part of configuring AD LDS to support NFS account mapping.

As shown in the previous figure, the user name in the passwd file on the UNIX computer does not have to match the SamAccountName attribute of the user object in AD LDS; matching is done on the values of the UID and the uidNumber attribute of the user object. Similarly, the group name in the group file on the UNIX computer does not have to match the SamAccountName attribute of the group object in AD LDS; matching is done on the values of the GID and the gidNumber attribute of the group object.

Note

You can replicate AD LDS instances to provide fault tolerance and load balancing. For more information, see the AD LDS Replication Step-by-Step Guide.

The process used by Services for NFS to perform identity mapping using AD LDS is as follows:

  1. A UNIX computer running an NFS client requests access to an NFS share on a computer running Server for NFS.

    The access request includes the UID and GID of the user initiating the access request.

  2. Services for NFS sends an LDAP query to AD LDS for a:

    • User object that has a uidNumber attribute that matches the UID provided.

    • Group object that has a gidNumber attribute that matches the GID provided.

  3. Services for NFS grants access to the file resources in the NFS shared directory:

    • Based on the credentials returned from the LDAP query.

    • If the NTFS permissions allow access to that user.

Because NFS is a stateless protocol, each subsequent access uses the same process.
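The three-step lookup above, as an added example that is not part of the original page: an in-memory stand-in for the AD LDS entries replaces a real LDAP query, and a small dictionary stands in for the NTFS ACL on the exported directory. The entries, account names and ACL are constructed; the example also shows what happens when a UID is unmapped or is claimed by more than one user object.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for AD LDS entries after the schema extension; only the
# attributes that NFS mapping uses are shown. No real LDAP connection is made.
AD_LDS = [
    {"objectClass": "user",  "sAMAccountName": "jsmith", "uidNumber": 1001, "gidNumber": 500},
    {"objectClass": "user",  "sAMAccountName": "mlee",   "uidNumber": 1002, "gidNumber": 500},
    {"objectClass": "user",  "sAMAccountName": "svc_a",  "uidNumber": 2000, "gidNumber": 600},
    {"objectClass": "user",  "sAMAccountName": "svc_b",  "uidNumber": 2000, "gidNumber": 600},
    {"objectClass": "group", "sAMAccountName": "engineers", "gidNumber": 500},
    {"objectClass": "group", "sAMAccountName": "ops",       "gidNumber": 600},
]

@dataclass
class Mapping:
    user: Optional[str]   # Windows account whose uidNumber matched, else None
    group: Optional[str]  # Windows group whose gidNumber matched, else None
    reason: str

def ldap_search(entries: List[dict], object_class: str, attr: str, value: int) -> List[dict]:
    """Stand-in for the LDAP filter (&(objectClass=<class>)(<attr>=<value>))."""
    return [e for e in entries if e["objectClass"] == object_class and e.get(attr) == value]

def resolve(entries: List[dict], uid: int, gid: int) -> Mapping:
    """Steps 1-2 of the process: look up the request's UID and GID in AD LDS."""
    users = ldap_search(entries, "user", "uidNumber", uid)
    groups = ldap_search(entries, "group", "gidNumber", gid)
    if len(users) != 1:
        # No match, or two Windows accounts claim the same UID: do not guess.
        return Mapping(None, None, f"uidNumber={uid} matched {len(users)} user objects")
    group = groups[0]["sAMAccountName"] if len(groups) == 1 else None
    return Mapping(users[0]["sAMAccountName"], group, "mapped")

def grant(entries: List[dict], ntfs_acl: dict, uid: int, gid: int, right: str) -> bool:
    """Step 3: access is granted only if the mapping succeeded AND the NTFS ACL
    allows the requested right for the mapped user or the mapped group."""
    m = resolve(entries, uid, gid)
    if m.user is None:
        return False
    allowed = set(ntfs_acl.get(m.user, ())) | set(ntfs_acl.get(m.group, ()))
    return right in allowed

# Constructed NTFS ACL for the exported directory: principal -> rights.
SHARE_ACL = {"engineers": {"read"}, "jsmith": {"read", "write"}}

if __name__ == "__main__":
    print(resolve(AD_LDS, 1001, 500))                     # mapped to jsmith / engineers
    print(grant(AD_LDS, SHARE_ACL, 1002, 500, "write"))   # False: mlee only has read via engineers
```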

Install and Configure Services for NFS to Use AD LDS for Account Mapping

The process for installing and configuring Services for NFS to use AD LDS as the identity mapping source is as follows:

  1. Ensure at least one AD LDS instance is properly installed by completing the following steps:

    1. Install the AD LDS server role on a computer that can be accessed by Services for NFS. For more information about how to perform this step, see Step 1: Install the AD LDS Server Role.

    2. Create a new AD LDS instance to be used for storing NFS account mapping to be used by Services for NFS. For more information about how to perform this step, see Step 2: Create a New AD LDS Instance.

    3. Extend the AD LDS schema to support user account mapping for Services for NFS. For more information about how to perform this step, see Step 3: Extend the AD LDS Schema to Support NFS User Mapping.

    4. Configure the AD LDS instance created in step 2 as the default instance name for AD LDS. For more information about how to perform this step, see Step 4: Set a Default Instance Name for AD LDS Instances.

    5. Add the uidNumber and gidNumber object attributes to the user and group objects in the AD LDS schema as described in Step 5: Update the Active Directory Schema.

    You can automate these steps by running the scripts described in the "OEM or Customer side (Phase1)" section in Description of scripts to use to simplify user account mapping between a UNIX client and a Windows-based server.

  2. Identify the UNIX passwd and group files that contain the UIDs and GIDs for the user and group accounts that will be used to access shares exported by Server for NFS.

Note

The UIDs and GIDs could also come from a NIS service. See the configuration of the UNIX environment to determine the appropriate source for UIDs and GIDs.

  3. Install the Services for NFS role service on the target computer.

    For more information about how to perform this step:

  4. Grant the computers running Services for NFS access to the AD LDS instance. For more information about how to perform this step from a command line using Dsacls.exe, see Step 7: Authorize Appropriate Access to the AD LDS Namespace Object.

  5. Configure the AD LDS instance to be used by Services for NFS for performing identity lookup. For more information about how to perform this step from a command line using Nfsadmin.exe, see Step 8: Configure the Mapping Source.

  6. Configure the remaining Services for NFS settings based on the requirements of your organization. For more information about how to perform this step, see Configuring Server for NFS.

  7. Secure the computer running Services for NFS based on the requirements of your organization. For more information about how to perform this step, see Securing Server for NFS.

  8. Populate the gidNumber object attribute for group objects in AD LDS using one of the following methods:

  9. Populate the uidNumber and gidNumber object attributes for user objects in AD LDS using one of the following methods:
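One way to prepare the population of uidNumber and gidNumber from the passwd and group files identified earlier, as an added example that is not from the page or from the Microsoft scripts it references: parse the UNIX files, refuse to emit a mapping for any UID shared by more than one account (such a UID would match more than one user object in the AD LDS lookup), and write LDIF modify records that can be imported into AD LDS. The sample file contents, the object names and the BASE_DN container are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of the UNIX passwd and group files identified in step 2.
PASSWD = """jsmith:x:1001:500:J Smith:/home/jsmith:/bin/bash
mlee:x:1002:500:M Lee:/home/mlee:/bin/sh
svc:x:1002:500:service account:/home/svc:/bin/false
"""
GROUP = """engineers:x:500:jsmith,mlee
ops:x:600:
"""
# Assumed container of the AD LDS user and group objects; adjust to your instance.
BASE_DN = "OU=NFS,DC=example,DC=local"

def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """name -> (uid, gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid = line.split(":")[:4]
            users[name] = (int(uid), int(gid))
    return users

def parse_group(text: str) -> Dict[str, int]:
    """name -> gid from group-format lines."""
    return {l.split(":")[0]: int(l.split(":")[2]) for l in text.splitlines() if l}

def duplicate_uids(users: Dict[str, Tuple[int, int]]) -> List[int]:
    """UIDs held by more than one account; the uidNumber lookup in AD LDS would
    return more than one user object, so these must be resolved before mapping."""
    counts = Counter(uid for uid, _ in users.values())
    return sorted(uid for uid, n in counts.items() if n > 1)

def modify_record(dn: str, attrs: Dict[str, int]) -> str:
    """One LDIF changetype: modify record replacing the given attributes."""
    body = "".join(f"replace: {a}\n{a}: {v}\n-\n" for a, v in attrs.items())
    return f"dn: {dn}\nchangetype: modify\n{body}\n"

def build_ldif(passwd_text: str, group_text: str, base_dn: str = BASE_DN) -> Tuple[str, List[str]]:
    """Return (LDIF text, account names skipped because their UID is not unique)."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    bad = set(duplicate_uids(users))
    out, skipped = [], []
    for name, (uid, gid) in users.items():
        if uid in bad:
            skipped.append(name)
            continue
        out.append(modify_record(f"CN={name},{base_dn}", {"uidNumber": uid, "gidNumber": gid}))
    for name, gid in groups.items():
        out.append(modify_record(f"CN={name},{base_dn}", {"gidNumber": gid}))
    return "".join(out), skipped
```

The records assume the user and group objects already exist under BASE_DN with a CN equal to the UNIX name; if your AD LDS naming differs, change only the DN construction in build_ldif.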

You can also synchronize identity information between UNIX and AD LDS by using:

Manage NFS Account Mapping Using AD LDS

After you have installed and configured Services for NFS to use AD LDS as the identity mapping source, there are ongoing management tasks that need to be performed.

The following table lists the NFS user account mapping related management tasks to be performed when using AD LDS as the identity mapping source.

Table 8. NFS User Account Mapping Tasks for AD LDS

Task

Instructions to perform it

View user account mapping for an individual user.

View user account mapping for multiple users.

Add or modify a user account mapping for an individual user.

Add or modify user account mappings for a specific set of users.

Remove the user account mapping for an individual user.

Remove the user account mapping for multiple users.

The following table lists the NFS group account mapping related management tasks to be performed when using AD LDS as the identity mapping source.

Table 9. NFS Group Account Mapping Tasks for AD LDS

Task

Instructions to perform it

View group account mapping for an individual group.

View group account mapping for multiple groups.

Add or modify a group account mapping for an individual group.

Add or modify group account mappings for a specific set of groups.

Remove the group account mapping for an individual group.

Remove the group account mapping for multiple groups.

The following table lists the resource management tasks to be performed on the Server for NFS, when using AD LDS as the identity mapping source.

Table 10. Server for NFS Resource Management Tasks

Task

Instructions to perform it

Provision an NFS share.

"Provision an NFS Share" in NFS Account Mapping Task Reference.

Manage users and group access to an NFS share.

"Manage User and Group Access to an NFS Share" in NFS Account Mapping Task Reference.

View users and group access to an NFS share.

"View User and Group Access to an NFS Share" in NFS Account Mapping Task Reference.