December 01, 1998 12:00 AM

Sharing and Securing Information in Mixed NT-UNIX Environments

Windows IT Pro
InstantDoc ID #4515

When the Keys Don't Fit the Locks
Although security problems can occur when like systems connect (e.g., NT to NT or UNIX to UNIX), the problems increase dramatically when different systems connect. The keys no longer fit the locks; that is, no standard mechanism is available for sharing user information between the two systems. The two obvious problems that result are difficult to overcome. The first problem is the difference in the way each system defines access to particular resources: No simple one-to-one relationship exists between these definitions. The second problem is that each system stores and manages user information differently. Thus, sharing user information between systems is extremely difficult.

NT 5.0 addresses the second problem to some extent with the Kerberos authentication protocol, which provides authentication services from one database. To use Kerberos, clients encrypt passwords, which increases security. Administration is easier because Kerberos provides a central user database for NT and UNIX. Many applications are already Kerberos-aware.

If you provide UNIX resources to NT clients with NFS, your NT machines need an NFS client and must convert from an NT username to a UNIX username. Some connectivity products provide a separate logon program for connecting NT clients to the NFS server. Often, these tools save the separate password on the local machine, providing an invisible connection from the NT computer to the NFS server. Doing so provides a single logon and one-to-one mapping between an NT user and a UNIX user. In addition, some connectivity products support NIS. With NIS, when users log on to an NT computer, the NIS server can automatically authenticate them. Many connectivity products have mapping tables, so multiple users who log on to one NT machine map to the correct UNIX user. With these products, if the UNIX server is running the pcnfsd daemon, NT users might need only to type in their NT username and password. The UNIX server can then log them in, supplying a UID and GID. If the UNIX server is not running the daemon, NT users must manually input a UID and GID.

Although the problem of sharing user information between systems is the same when a UNIX machine provides connectivity via CIFS, the situation can be different. With NFS, a UNIX server almost exclusively provides connectivity service. However, when a UNIX server uses CIFS to provide connectivity, an NT server in the network might provide authentication.

Different connectivity products take different approaches to this situation. For example, SCO OpenServer's Advanced File and Print Server (AFPS) can take over the functions of an NT primary domain controller (PDC) or backup domain controller (BDC). AFPS maintains a complete user database, as you would find on an NT server, and doesn't map users, because it considers NT and UNIX users identical. When users log on to the domain from an NT workstation, the AFPS server authenticates them, even if the AFPS server functions as a BDC.

AFPS has two added advantages. First, AFPS provides server tools that are identical to the tools on an NT machine (e.g., User Manager, Server Manager) and that you can install on clients. AFPS User Manager can create users, just as NT's User Manager can do. Second, when you create users with the OpenServer interface, they automatically become AFPS users. AFPS gives users access to UNIX resources via NFS and to NT resources via CIFS.

Samba can take over many NT PDC functions. For example, Samba can provide authentication services and logon scripts. When you use Samba, you must create users on the local UNIX machine, and Samba does not support NT file ACLs. However, with Samba, you can designate another server (e.g., NT or AFPS) to provide authentication. Samba also accomplishes one-to-one mappings between NT and UNIX users and can map to multiple users and groups of users. For example, from one machine you can map the NT Administrator to the UNIX root user. Doing so gives you root access to all the files on the server. You can also create a group of NT users that need access to one directory and map them to one UNIX user.
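As an added example (not code from the article or from the Samba project), the following Python models how a Samba-style "username map" file resolves an NT logon name, using the two mappings the text describes, and audits which NT names land on root. The map contents and the UNIX group membership are constructed; the format assumptions (unixname = name ..., @group for UNIX group membership, a leading ! to stop at the first match, * as a wildcard) follow the smb.conf(5) description of the username map parameter.

```python
"""Resolve NT logon names through a Samba-style 'username map'."""

# Constructed map file (sample, not from the article): NT Administrator
# maps one-to-one onto root, and every member of one UNIX group maps
# onto a single service account. Quoted multi-word names are not modelled.
USERNAME_MAP = """
# Samba username map (constructed sample)
!root = Administrator admin
!projectsvc = @projecteng
nobody = *
"""

# Constructed UNIX group membership consulted for '@group' patterns.
UNIX_GROUPS = {"projecteng": {"alice", "bob"}}


def parse_map(text):
    """Return (stop, unixname, [patterns]) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue                      # blank or comment line
        stop = line.startswith("!")       # '!' = stop at first match
        unixname, _, rhs = line.lstrip("!").partition("=")
        entries.append((stop, unixname.strip(), rhs.split()))
    return entries


def _matches(pattern, name):
    if pattern == "*":
        return True
    if pattern.startswith("@"):           # UNIX group membership test
        return name in UNIX_GROUPS.get(pattern[1:], set())
    return pattern.lower() == name.lower()  # NT names are case-insensitive


def resolve(nt_name, entries):
    """Apply the map line by line; without '!' a later line can remap again."""
    name = nt_name
    for stop, unixname, patterns in entries:
        if any(_matches(p, name) for p in patterns):
            name = unixname
            if stop:
                break
    return name


def root_mappings(entries):
    """Audit: every NT pattern whose UNIX side is root (full file access)."""
    return sorted(p for _, u, pats in entries if u == "root" for p in pats)
```

The audit function is the part worth keeping in a real deployment: every pattern it returns grants the matching NT logon root's access to all files on the server, so the list should be reviewed whenever the map changes.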

Open the Door
Supporting your users sometimes means giving them access to resources on a different OS, whether NT to UNIX or UNIX to NT. If you've been taking the sledgehammer approach and making copies of all your data for both OSs, you need no longer do so. Now that you know which keys fit your NT and UNIX locks, you can open the door to easier and more effective NT-UNIX administration.

NT-UNIX Connectivity Products
AccessNFS
(NFS and NFS gateway connectivity)
Intergraph Corporation * 800-345-4856
Web: http://www.intergraph.com

Chameleon UNIX Link
(NFS connectivity)
NetManage * 408-973-7171
Web: http://www.manage.com

FacetWin (CIFS connectivity)
FacetCorp * 800-235-9901
Web: http://www.FacetCorp.com

InterDrive (NFS connectivity)
FTP Software * 978-685-4000
Web: http://www.ftp.com

Marathon (NFS connectivity)
Network Computing Devices * 800-800-9599
Web: http://www.ncd.com

NFS Maestro
(NFS and NFS gateway connectivity)
Hummingbird Communications * 416-496-2200
Web: http://www.hummingbird.com

Omni-NFS Gateway for Windows NT
(NFS gateway connectivity)
XLink Technology * 408-263-8201
Web: http://www.xlink.com

Samba (CIFS connectivity)
Web: http://samba.anu.edu.au/samba/

SCO Advanced File and Print Server (CIFS connectivity)
SCO VisionFS (CIFS connectivity)
The Santa Cruz Operation * 831-425-7222
Web: http://www.sco.com

Solstice NFS (NFS connectivity)
Sun Microsystems * 800-786-3463
Web: http://www.sun.com

Reflection NFS Gateway
(NFS gateway connectivity)
WRQ * 800-872-2829
Web: http://www.wrq.com

WinNFS (NFS connectivity)
Network Instruments * 800-526-7919
Web: http://www.netinst.com

Comments
  • Craig Ringer, Apr 14, 2004

    It is not true to say that NetBIOS is required for the use of Samba. Samba works very well with TCP/IP, either using NetBIOS over TCP/IP (implemented in Samba, no OS drivers are required) or "real" CIFS.

    I don't know if Samba even supports raw NetBIOS at all.
