Many organizations' IT infrastructures are a mix of Windows, UNIX, and mainframe computers. Platform and application integration inevitably includes integrating core UNIX and Windows security services such as account management (i.e., the management of security principals' identities and attributes, and possibly their privileges) and authentication (i.e., the verification of security principals' identities). Late last year, Microsoft released Windows Services for UNIX (SFU) 3.0, a software suite that facilitates the integration of Windows and UNIX. SFU offers three features that help integrate Windows and UNIX security: Server for Network Information Service (NIS), User Name Mapping, and Password Synchronization.
Server for NIS
Server for NIS is an SFU service that lets Windows Server 2003 and Windows 2000 Server domain controllers (DCs) act as NIS master servers. NIS, which Sun Microsystems released in 1985, was one of the first UNIX-based distributed naming services and is still in use today despite its data-model, replication, and security deficiencies. (The NIS data model can't be extended easily and NIS can't use incremental replication, but NIS's biggest deficiency is its complete lack of security. NIS doesn't authenticate clients or servers, transmits map data, including the password map with its crypt(3) hashes, in the clear, and NIS updates can be spoofed.)
You typically install Server for NIS on all the DCs in your Windows domain. As part of the installation process, SFU extends the Active Directory (AD) schema to store NIS-specific user and group data and to provide a single point of administration for Windows and UNIX authentication and authorization. You can define the UNIX data in AD manually, or you can use SFU's nis2ad.exe command-line utility or GUI-based Migration Wizard to pull over all the data from an existing UNIX NIS server.
A Server for NIS DC can receive NIS query requests from UNIX NIS clients, translate those requests into AD queries, and return the data in NIS format to the NIS clients. The Server for NIS DC also uses the AD replication model to replicate updated data to other Windows DCs and uses the NIS yppush protocol to replicate updated data to UNIX NIS servers, as Figure 1 shows.
SFU supports two client-side Pluggable Authentication Module (PAM) options, the pam_unix module and the pam_sso module, so that UNIX clients can use AD-stored credentials to authenticate against both Windows and UNIX systems. PAM technology lets UNIX applications take advantage of different authentication methods. The pam_unix module is UNIX's default PAM module and supports a local or NIS-based repository for crypt(3) hash-based authentication, password updates, and account management. The pam_sso module, which is a special Microsoft PAM module that provides SFU-based password synchronization between Windows and UNIX systems, supports crypt(3) hash-based authentication and password updates. The pam_sso module uses Triple Data Encryption Standard (3DES) to secure exchanges between the module's host (i.e., the UNIX client) and the Server for NIS DC but, unlike the pam_unix module, can't let the host authenticate against a UNIX NIS server.
User Name Mapping
The User Name Mapping service provides centralized user management for both UNIX and Windows environments, letting UNIX and Windows applications retrieve the correct credentials automatically from a central location. User Name Mapping provides Windows-to-UNIX and UNIX-to-Windows credential mapping to the following SFU UNIX applications: Microsoft Interix, Client for NFS, Gateway for NFS, Server for NFS, and the Remote Shell Service.
User Name Mapping supports simple and advanced username mappings, or maps, as Microsoft calls them. You use simple maps to define one-to-one (1:1) mappings for users or groups that have the same name in UNIX and Windows; you use advanced maps to define 1:1 mappings for users or groups that have different names in UNIX and Windows or to define many-to-one mappings. (A many-to-one mapping can be useful when many UNIX accounts need the same level of access to a Windows-based resource. You can map all the accounts to one Windows account and use that account to set access controls for the resource.)
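The following is an added example, not SFU code, that models how simple maps, advanced 1:1 maps, and many-to-one advanced maps resolve in each direction. The domain name, account names, and the `UserNameMap` class are constructed for illustration; it also makes visible a caveat the description above implies but does not spell out: a many-to-one map cannot be reversed uniquely, so every UNIX identity behind it shows up as the same Windows account in Windows-side access control and audit records.

```python
"""Model of SFU User Name Mapping semantics (added example, not Microsoft code)."""
from collections import defaultdict
from typing import Dict, List, Optional


class UserNameMap:
    """Holds simple and advanced maps and resolves names in both directions."""

    def __init__(self) -> None:
        # UNIX name -> Windows principal (always 1:1 in this direction).
        self._unix_to_win: Dict[str, str] = {}
        # Windows principal -> all UNIX names mapped to it (1 or many).
        self._win_to_unix: Dict[str, List[str]] = defaultdict(list)

    def add_simple(self, domain: str, name: str) -> None:
        """Simple map: same account name on both sides, 1:1."""
        self._add(f"{domain}\\{name}", name)

    def add_advanced(self, win_principal: str, unix_name: str) -> None:
        """Advanced map: differing names (1:1) or several UNIX names to one Windows account."""
        self._add(win_principal, unix_name)

    def _add(self, win_principal: str, unix_name: str) -> None:
        # A UNIX account may point at only one Windows account; refuse a conflicting map
        # rather than silently overwriting an existing access decision.
        existing = self._unix_to_win.get(unix_name)
        if existing is not None and existing != win_principal:
            raise ValueError(f"{unix_name} is already mapped to {existing}")
        if existing is None:
            self._unix_to_win[unix_name] = win_principal
            self._win_to_unix[win_principal].append(unix_name)

    def windows_for(self, unix_name: str) -> Optional[str]:
        """UNIX -> Windows: the account whose ACL entries govern the UNIX user's access."""
        return self._unix_to_win.get(unix_name)

    def unix_for(self, win_principal: str) -> List[str]:
        """Windows -> UNIX: all UNIX names behind the account (more than one for many-to-one)."""
        return list(self._win_to_unix.get(win_principal, []))

    def is_many_to_one(self, win_principal: str) -> bool:
        """True when the Windows account cannot be traced back to a single UNIX identity."""
        return len(self._win_to_unix.get(win_principal, [])) > 1


def build_example_map() -> UserNameMap:
    """Constructed sample: one simple map, one advanced 1:1 map, one many-to-one map."""
    m = UserNameMap()
    m.add_simple("CORP", "alice")                        # CORP\alice   <-> alice
    m.add_advanced("CORP\\bsmith", "bob")                # CORP\bsmith  <-> bob
    m.add_advanced("CORP\\svc-dbaccess", "dbadmin1")     # two UNIX admins share
    m.add_advanced("CORP\\svc-dbaccess", "dbadmin2")     # one Windows account
    return m


def audit_many_to_one(m: UserNameMap) -> List[str]:
    """List Windows accounts that collapse several UNIX identities (accountability review)."""
    return sorted(p for p in m._win_to_unix if m.is_many_to_one(p))


if __name__ == "__main__":
    m = build_example_map()
    print("dbadmin2 ->", m.windows_for("dbadmin2"))
    print("CORP\\svc-dbaccess ->", m.unix_for("CORP\\svc-dbaccess"))
    print("many-to-one accounts:", audit_many_to_one(m))
```

`audit_many_to_one` is the check worth running periodically: each account it lists is one where a Windows-side event log entry can no longer tell you which UNIX user acted.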
User Name Mapping doesn't use AD as a repository for mapping data, so you can install it on any Windows Server 2003, Windows XP, Win2K, or Windows NT 4.0 system, regardless of whether that system has access to AD. The service can access UNIX user and group information from any Server for NIS DC, any Windows client running Personal Computer NFS (PCNFS), any UNIX NIS server, or any UNIX client running the PCNFS daemon (PCNFSD). PCNFS is a simple service that lets a user submit his or her username and password, compares the password with the password in the service's local password file, and, if the passwords match, returns the requested UNIX authorization information (i.e., user identifiers, or UIDs, and group identifiers, or GIDs).
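The PCNFS exchange just described, as an added example that is not pcnfsd or SFU code: a username and password come in, the password is checked against the local password file, and on success the UID, primary GID, and supplementary GIDs go back. The passwd and group lines are constructed, and because the classic DES crypt(3) routine is not in the Python standard library, the stored hash format (`$demo$...`) and the `demo_hash`/`verify_password` pair are a stand-in for crypt(3); the lookup and response logic is the point. Two details a practitioner would want are included: locked or hashless entries never authenticate, and an unknown user and a wrong password produce the same response so the service does not confirm which usernames exist.

```python
"""Model of PCNFSD-style password check and UID/GID lookup (added example)."""
import hashlib
import hmac
from typing import Dict, List, NamedTuple, Optional


def demo_hash(password: str, salt: str, rounds: int = 20000) -> str:
    """Stand-in for crypt(3): salted PBKDF2-SHA256 in a crypt-like '$demo$' field."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"$demo${rounds}${salt}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Compare a candidate password with a stored field; locked/empty fields never match."""
    if not stored.startswith("$demo$"):
        return False  # '', '*', '!', 'x' or an unknown scheme: refuse, never accept
    try:
        _, _, rounds, salt, digest = stored.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(calc.hex(), digest)


class PasswdEntry(NamedTuple):
    name: str
    hash: str
    uid: int
    gid: int
    home: str


class AuthResult(NamedTuple):
    ok: bool
    uid: int
    gid: int
    gids: List[int]
    home: str


FAILED = AuthResult(False, -1, -1, [], "")

# Constructed sample password file, passwd(5) layout: name:hash:uid:gid:gecos:home:shell
PASSWD_LINES = [
    f"alice:{demo_hash('correct horse', '7a1c9e2f')}:1001:100:Alice:/home/alice:/bin/sh",
    f"bob:{demo_hash('battery staple', '0d4b66aa')}:1002:100:Bob:/home/bob:/bin/sh",
    "svc-backup:*:1003:200:Locked service account:/var/backup:/sbin/nologin",
]
# Constructed sample group file, group(5) layout: name:hash:gid:member,member
GROUP_LINES = [
    "users:x:100:",
    "ops:x:200:alice,bob",
    "dba:x:300:alice",
]
# Hash used to burn the same work on unknown users as on known ones.
DUMMY_HASH = demo_hash("not-a-real-password", "ffffffff")


def parse_passwd(lines: List[str]) -> Dict[str, PasswdEntry]:
    entries = {}
    for line in lines:
        name, pw, uid, gid, _gecos, home, _shell = line.split(":")
        entries[name] = PasswdEntry(name, pw, int(uid), int(gid), home)
    return entries


def supplementary_gids(name: str, lines: List[str]) -> List[int]:
    gids = []
    for line in lines:
        _gname, _pw, gid, members = line.split(":")
        if name in [m for m in members.split(",") if m]:
            gids.append(int(gid))
    return gids


def pcnfs_auth(name: str, password: str) -> AuthResult:
    """Answer a PCNFS authentication request from the local passwd/group data."""
    users = parse_passwd(PASSWD_LINES)
    entry: Optional[PasswdEntry] = users.get(name)
    if entry is None:
        verify_password(password, DUMMY_HASH)  # equalize timing; result ignored
        return FAILED
    if not verify_password(password, entry.hash):
        return FAILED
    gids = [entry.gid] + [g for g in supplementary_gids(name, GROUP_LINES) if g != entry.gid]
    return AuthResult(True, entry.uid, entry.gid, gids, entry.home)


if __name__ == "__main__":
    print(pcnfs_auth("alice", "correct horse"))
    print(pcnfs_auth("svc-backup", "anything"))
```

Note what this model does not do: nothing protects the password between the client and the daemon. The page's statement that the password is "submitted" and compared locally is exactly why PCNFS belongs on trusted networks only.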