Linking Windows and UNIX Authentication and Authorization Services
July 31, 2005
Q: Does Microsoft provide tools to link the authentication and authorization services that are used in a Windows Active Directory (AD) environment with the ones that are used in UNIX Network Information Service (NIS) environments?
A: NIS was one of the first UNIX-based distributed naming services. Sun Microsystems developed NIS, which is also referred to as the Yellow Pages. The primary focus of NIS is to make network management easier by providing a central naming service and name-resolution service. NIS also enables UNIX computers to share authentication- and authorization-related information by storing it in the central NIS repository. An NIS repository holds information such as machine names and addresses, user names, network services, and so forth. This collection of information is referred to as the NIS namespace and is stored in binary files known as NIS maps.
Like Windows NT, NIS uses the notion of a domain to provide an administrative grouping of machines. A UNIX host’s NIS domain determines which NIS server the host will query. Within an NIS domain, NIS uses a single-master information-replication model that consists of a master and multiple slave NIS servers. One of the biggest deficiencies of NIS is its lack of security: NIS doesn't authenticate its users, NIS data are transmitted in the clear, and NIS updates can be spoofed. NIS also lacks an easily extensible data structure and an efficient information replication model.
Microsoft provides an NIS-AD integration solution as part of its Services for UNIX (SFU) Windows-UNIX integration suite; the solution is called Server for NIS. You can find more information about SFU here.
Server for NIS allows Windows Server 2003 and Windows 2000 domain controllers (DCs) to act as NIS master servers. During the installation of Server for NIS, SFU extends the AD schema, enabling AD to store NIS-specific data. Figure 1 shows how the AD user and group properties are extended to provide a single point of administration for both Windows and UNIX authentication and authorization data.
Server for NIS lets Windows administrators define both UNIX user and group attributes in AD. Administrators can enter UNIX authentication and authorization attributes manually in AD, or they can import them all at once from an existing UNIX NIS server by using the migration utilities that Server for NIS includes: the command-line nis2ad executable or the GUI-based Migration Wizard.
A Server for NIS-enabled Windows DC can receive NIS query requests from UNIX NIS clients, translate them into AD queries, and return the data to the NIS clients in NIS format. It can also replicate the NIS data to both Windows and UNIX NIS servers.
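As an added illustration of what the preceding paragraphs describe (this is example code written for this page, not code from the article or from Services for UNIX), the following Python builds the two passwd maps a NIS server serves, `passwd.byname` and `passwd.byuid`, from directory records that carry UNIX attributes, and reports the two defects a migration from an existing NIS server most often surfaces: accounts with no UNIX identity at all, and two accounts sharing one UID. The attribute names (`uidNumber`, `gidNumber`, `unixHomeDirectory`, `loginShell`, `gecos`) follow RFC 2307 and are an assumption; the article does not name the attributes that the SFU schema extension adds. The records are constructed sample data.

```python
"""Render NIS passwd maps from directory records with UNIX attributes.

Added example, not part of the original article or of Services for UNIX.
Attribute names follow RFC 2307 and are assumed; the SFU schema attribute
names are not given on the page. All records below are constructed.
"""
from typing import Dict, List, Tuple

# Attributes an account needs before it can appear in a passwd map at all.
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed sample: an export of AD users after the UNIX attributes exist.
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "uidNumber": 1001, "gidNumber": 100,
     "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash",
     "gecos": "Alice Example"},
    {"sAMAccountName": "bob", "uidNumber": 1002, "gidNumber": 100,
     "unixHomeDirectory": "/home/bob", "loginShell": "/bin/sh",
     "gecos": "Bob Example"},
    # Same UID as bob: NIS itself never checks for this, so the exporter must.
    {"sAMAccountName": "carol", "uidNumber": 1002, "gidNumber": 200,
     "unixHomeDirectory": "/home/carol", "loginShell": "/bin/bash",
     "gecos": "Carol Example"},
    # Windows-only account with no UNIX attributes: must not be exported.
    {"sAMAccountName": "svc_backup"},
]


def passwd_line(rec: dict) -> str:
    """Render one record in passwd(5) layout: name:password:uid:gid:gecos:home:shell.

    The password hash is not modelled here; 'x' marks the field as held elsewhere.
    """
    return ":".join([
        rec["sAMAccountName"], "x",
        str(rec["uidNumber"]), str(rec["gidNumber"]),
        rec.get("gecos", ""), rec["unixHomeDirectory"], rec["loginShell"],
    ])


def build_passwd_maps(records) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Return (passwd.byname, passwd.byuid, issues).

    NIS serves the same entries twice, keyed by login name and by numeric UID,
    so a UID shared by two accounts would make passwd.byuid ambiguous. A record
    that collides or lacks UNIX attributes is skipped and reported instead of
    silently overwriting an earlier entry.
    """
    byname: Dict[str, str] = {}
    byuid: Dict[str, str] = {}
    issues: List[str] = []
    for rec in records:
        name = rec.get("sAMAccountName", "<unnamed>")
        missing = [attr for attr in REQUIRED if attr not in rec]
        if missing:
            issues.append(f"{name}: no UNIX identity (missing {', '.join(missing)}); not exported")
            continue
        uid = str(rec["uidNumber"])
        if uid in byuid:
            owner = byuid[uid].split(":", 1)[0]
            issues.append(f"{name}: uidNumber {uid} already used by {owner}; not exported")
            continue
        if name in byname:
            issues.append(f"{name}: duplicate login name; not exported")
            continue
        line = passwd_line(rec)
        byname[name] = line
        byuid[uid] = line
    return byname, byuid, issues


def ypmatch(maps: Dict[str, Dict[str, str]], key: str, mapname: str) -> str:
    """Look up one key in one map, as a NIS client's ypmatch would.

    Raises KeyError when the key is absent from the named map.
    """
    return maps[mapname][key]


if __name__ == "__main__":
    byname, byuid, issues = build_passwd_maps(SAMPLE_RECORDS)
    maps = {"passwd.byname": byname, "passwd.byuid": byuid}
    for entry in byname.values():
        print(entry)
    print(ypmatch(maps, "1001", "passwd.byuid"))
    for issue in issues:
        print("ISSUE:", issue)
```

The two maps hold identical lines under different keys, which is why the exporter refuses a duplicate UID rather than letting the later account win: a client resolving UID 1002 would otherwise get a different answer than a client resolving the login name. Running the module as a script prints the exported entries, one `ypmatch`-style lookup, and the two issues found in the sample.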
Server for NIS also provides password synchronization. If a user’s Windows password is changed in AD, it will be automatically changed in the corresponding UNIX password property of the AD user object. Server for NIS will then automatically replicate the password change to the other Windows NIS servers and the UNIX NIS slave servers.
This automatic password synchronization facilitates user management in a mixed environment. It uses the password-synchronization service included in SFU, which is installed automatically along with Server for NIS. Because AD uses a multi-master directory-replication model, a password change can be initiated on any DC in the domain; the Server for NIS password-synchronization feature therefore requires that, in a Windows domain with several DCs, Server for NIS (together with the password-synchronization service) be installed on every DC.