The goal of single sign-on, in which users on a network log in once and then have access to multiple resources and environments, is still a long way off. It is common for a regular user to maintain and use three or more separate usernames and associated sets of passwords. Services for Unix goes a long way toward making SSO a reality, however, with its User Name Mapping and Password Synchronization capabilities.

User Name Mapping

User Name Mapping allows specific user accounts in Windows Server 2003 Active Directory to be associated with corresponding Unix user accounts. In addition to mapping identically named user accounts, User Name Mapping allows user accounts with different names in each environment to be associated. This is particularly useful because Unix user accounts are case sensitive and Windows accounts are not. User Name Mapping also supports mapping multiple Windows user accounts to a single Unix user account, which allows, for example, several administrators' Windows Server 2003 Active Directory accounts to be mapped to the Unix root administrator account.

Synchronizing Passwords with IDMU

Going hand in hand with the User Name Mapping service, Password Synchronization allows user accounts that have been mapped to have their passwords updated automatically between the two environments. This functionality, accessible from the IDMU MMC Console as illustrated in Figure 8.6, allows users on either side to change their passwords and have the change reflected on the mapped user account in the opposite platform.

Figure 8.6. Adding a Unix server to synchronize with and from.
As previously mentioned, Password Synchronization must be installed on all domain controllers on the Active Directory side because all the DCs must be able to understand the Unix password requests forwarded to them. In addition, Password Synchronization is only supported out of the box in the following Unix platforms:
All other flavors of Unix require a recompile of the platform, which is made easier by the inclusion of makefiles and SFU source code. SFU R2 also includes the encryption libraries, making it even easier to compile a customized solution.

Adding NIS Users to Active Directory

For users who want their existing NIS servers to continue to provide authentication for Unix and Linux servers, the NIS Migration Wizard is not the best choice. A package of Korn shell scripts downloadable from Microsoft.com makes this process simple. The getusers.ksh script gets a list of all users in a NIS database, including the comment field. This script must be run with an account that has permission to run ypcat passwd. The makeusers.ksh script, which must be run by a user with domain admin privileges, imports these users into Active Directory. The -e flag enables the accounts, because by default they are created in a disabled state. This is a perfect solution for migrations that require the existing NIS servers to remain intact indefinitely.
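The following is an added example, not Microsoft's getusers.ksh or makeusers.ksh, showing the extraction step those scripts perform: it parses passwd-format records (the shape ypcat passwd prints) into login, UID and comment fields, skips system accounts, and additionally flags logins that differ only by case, since Unix treats those as distinct users while Windows does not, so each such pair needs an explicit User Name Mapping entry. The NIS_PASSWD sample data is constructed for the example; on a real NIS client you would pipe ypcat passwd into the awk filter instead.

```shell
#!/bin/sh
# Constructed sample standing in for `ypcat passwd` output (not real NIS data).
NIS_PASSWD='root:x:0:0:Superuser:/root:/bin/sh
daemon:x:1:1:System daemon:/:/sbin/nologin
jsmith:x:1001:100:John Smith,Engineering:/home/jsmith:/bin/ksh
MBrown:x:1002:100:Mary Brown:/home/mbrown:/bin/sh
svc_backup:x:1003:100:Backup service account:/home/svc:/bin/sh
mbrown:x:1004:100:Mike Brown:/home/mbrown2:/bin/sh'

# extract_users [MIN_UID]: print "login,uid,comment" for every account whose UID is
# at least MIN_UID (default 1000), dropping root and other system accounts so they
# are never handed to the Active Directory import step.
extract_users() {
    min_uid="${1:-1000}"
    printf '%s\n' "$NIS_PASSWD" | awk -F: -v min="$min_uid" '
        NF >= 5 && ($3 + 0) >= (min + 0) { printf "%s,%s,%s\n", $1, $3, $5 }'
}

# count_users [MIN_UID]: number of records the import step would receive.
count_users() {
    extract_users "$1" | wc -l | tr -d ' '
}

# case_collisions [MIN_UID]: logins that collapse to the same name once case is
# ignored. Windows would see these as one account, so they need explicit
# per-account entries in User Name Mapping rather than name-based defaults.
case_collisions() {
    extract_users "$1" | cut -d, -f1 | tr 'A-Z' 'a-z' | sort | uniq -d
}

# Stand-alone run: show the extracted records and any case collisions.
extract_users
echo "case collisions: $(case_collisions)"
```

The records from extract_users are what an import script would consume; because the accounts are created disabled unless makeusers.ksh is run with -e, reviewing this list (and the case_collisions output) before the import is the natural place to decide which accounts should be enabled and how the colliding names map.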