The Server Components
To achieve NIS integration with AD, you must install SFU on a Windows 2003 or Win2K DC. On the DC, navigate to the extracted SFU 3.5 files and run setup.exe. Select a Custom installation to review the various installable services. This server will function as the SFU network-services server, so choose to install only the network-interoperability services: Gateway for NFS, Server for NIS, Password Synchronization, User Name Mapping, and Server for NFS Authentication. (When you later install the client workstation, you'll point to this DC for the NIS and User Name Mapping services.)
After you select which components to install, the system will prompt you for information about the User Name Mapping service. This system will be the only User Name Mapping server, so select Local User Name Mapping Server. (In larger environments, you can install User Name Mapping on multiple computers, in a pool of servers, or on a Windows cluster.) The User Name Mapping service supports pulling user and group account data from either NIS or UNIX-style password and group text files. Because you're configuring NIS, when prompted, select to use NIS instead of Password and group files. Doing so causes the User Name Mapping service to query the NIS server instead of searching text files for user account information. Next, specify the Windows domain name and type the name of an existing NIS domain, which will be the name that your UNIX clients use. Essentially, you're importing the NIS data into AD so that you can use Windows-based, centrally managed tools to manage it. If you have an existing NIS domain hosted on UNIX servers, you can enter that domain name here; otherwise, leave the NIS Domain name blank and choose to create a new master NIS server, which I show you how to configure in the next section. Remember that installing Server for NIS extends the AD schema for the entire forest, and schema extensions can't be rolled back: the installing account needs Schema Admins membership, and you should rehearse the installation in a test forest before touching production.
To complete the SFU installation, accept or change the default installation location of C:\SFU, then click Next to begin copying files. The process finishes with a system restart. After the installation, open the Microsoft Management Console (MMC) Services for UNIX Administration snap-in by clicking Start, All Programs, Windows Services for UNIX, Services for UNIX Administration. Use this snap-in to configure the remaining services, beginning with the Server for NIS service.
Configuring the SFU NIS Server
Now, let's configure the SFU NIS server. This component lets you centrally manage a domain of UNIX users through AD. Using NIS means you don't have to create individual user accounts on every UNIX system. NIS uses one master server, which owns the maps, and any number of slave servers that receive copies of them. The SFU NIS server must be the master; however, if your organization prefers to run additional NIS servers on UNIX systems, you can configure a UNIX-based NIS server as one of its slaves. Both Windows clients running SFU and UNIX clients can use the SFU NIS server for user authentication. If you're already using NIS (a traditional UNIX service), SFU includes a domain-migration tool to help you migrate an existing NIS domain to an SFU-homed domain. You can then use a Windows computer running SFU to host your NIS environment.
To manage the servers and nodes in your NIS domain, open the Services for UNIX Administration snap-in, expand the Server for NIS node, and click the name of your NIS domain. Here, you can add additional NIS servers to increase your level of redundancy or scalability. When you finish the SFU NIS installation, you'll see the name of the SFU server you installed in the Server for NIS node. Before you can configure User Name Mapping, you'll need to add at least one user account to NIS, which we'll do next. When you add a user account to NIS, it will automatically be available to log in to any UNIX server configured to use the SFU NIS server. You don't have to add user accounts locally on every UNIX server. Also, if you run mostly Windows and use AD, SFU NIS lets you use your AD tools to manage these accounts.
Open the Active Directory Users and Computers snap-in, and bring up the properties of the user for whom you want to enable UNIX access. Click the newly added UNIX Attributes tab, which Figure A shows, and enter the NIS domain, UID, login shell, home directory, and primary group name/GID for the user (for example, the Linux group named users typically corresponds to GID 100). Make sure the UID is unique within the NIS domain and doesn't collide with a local account on any UNIX host that will use it: two accounts that share a UID are indistinguishable to the file system, so one would own the other's files.
Now, log in as root (or another privileged user) to your UNIX host and create the home directory for the new user (e.g., /home/username). Make the directory owned by the user's NIS UID and GID (chown) and readable and writable only by that user (mode 700). This step is important: if the home directory doesn't exist when the NIS user first logs on, the login can fail with no useful error, or succeed and leave the user without a usable home directory.
Now that you have a NIS server configured on the DC, you need to point your UNIX clients to it so that users can use credentials stored in AD to log on to these clients. On each UNIX client, you generally either run ypbind -broadcast or, preferably, edit /etc/yp.conf (domain <nisdomain> server <dc>) and /etc/defaultdomain to name the domain and server explicitly; a broadcast binding accepts whichever server on the segment answers first. Depending on the UNIX variant, you might also need to append +:::::: to /etc/passwd and +::: to /etc/group (and, on glibc-based systems, set the passwd, group, and shadow sources to compat in /etc/nsswitch.conf, or those + entries are ignored). For detailed instructions about how to configure your UNIX variant to use NIS, consult your system documentation. After this configuration, restart the NIS client daemon (ypbind), and you should be able to log in to this UNIX client by using the modified AD user account. Keep in mind that NIS has neither client authentication nor transport encryption: any host that can reach the server can bind to the domain and read its maps with ypcat, so confine NIS traffic to trusted network segments.
If you run into problems authenticating a newly created user, try resetting the user's password in the Active Directory Users and Computers snap-in. Configure your remaining UNIX clients similarly by creating the home directory, and configure the NIS client to point to the Windows SFU NIS domain and server. Also, you'll still be able to use local accounts to log in to your NIS-enabled UNIX workstations.
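The client-side steps above (naming the NIS server, adding the compat entries, creating the home directory, and checking a user before the first login) as one script. This is an added example, not code from the original article or from SFU; the NIS domain corpnis, the server dc1.example.com, the user jdoe and the ROOT prefix are assumptions for illustration. It targets a glibc-based Linux client and must run as root on a real host; ROOT lets you exercise the functions against a scratch directory instead of the live /etc.

```shell
#!/bin/sh
# Added example (not from the original article or from SFU): stage a Linux NIS
# client for an SFU-hosted domain and check a user's entry before the first
# login. Assumed names: NIS domain "corpnis", SFU DC "dc1.example.com", user
# "jdoe". ROOT prefixes every path so the functions can be tried against a
# scratch directory; leave it empty on a real client and run as root.
ROOT="${ROOT:-}"

# Bind to a named server rather than using ypbind -broadcast: a broadcast
# binding accepts whichever host on the segment answers first.
nis_client_config() {
    domain="$1"; server="$2"
    mkdir -p "$ROOT/etc"
    printf 'domain %s server %s\n' "$domain" "$server" > "$ROOT/etc/yp.conf"
    printf '%s\n' "$domain" > "$ROOT/etc/defaultdomain"
}

# glibc honours the +::::::/+::: entries only when nsswitch.conf says "compat".
nsswitch_compat() {
    f="$ROOT/etc/nsswitch.conf"
    mkdir -p "$ROOT/etc"; [ -f "$f" ] || : > "$f"
    { grep -v -E '^(passwd|group|shadow):' "$f" || true
      printf 'passwd: compat\ngroup: compat\nshadow: compat\n'; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Append the NIS compat entries exactly once, and last, so accounts in the
# local files are still found before NIS is consulted.
ensure_compat_entries() {
    mkdir -p "$ROOT/etc"
    grep -q '^+:' "$ROOT/etc/passwd" 2>/dev/null || printf '+::::::\n' >> "$ROOT/etc/passwd"
    grep -q '^+:' "$ROOT/etc/group"  2>/dev/null || printf '+:::\n'    >> "$ROOT/etc/group"
}

# Create the home directory, private to the user and owned by the NIS uid/gid.
prepare_home() {
    uid="$1"; gid="$2"; dir="$ROOT$3"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ "$(id -u)" -eq 0 ] && chown "$uid:$gid" "$dir"   # chown needs root
    return 0
}

# Validate one passwd-format entry (as returned by `ypmatch USER passwd`):
# numeric uid/gid, a login shell, and an existing home directory owned by that
# uid. Prints the reason and returns 1 otherwise; the missing home directory is
# the usual cause of the first-login failure described in the article.
check_nis_entry() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    case "$uid" in ''|*[!0-9]*) echo "bad uid '$uid' for $name"; return 1;; esac
    case "$gid" in ''|*[!0-9]*) echo "bad gid '$gid' for $name"; return 1;; esac
    [ -n "$shell" ] || { echo "no login shell for $name"; return 1; }
    dir="$ROOT$home"
    [ -d "$dir" ] || { echo "home $home missing for $name"; return 1; }
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$uid" ] || { echo "home $home owned by uid $owner, not $uid"; return 1; }
    return 0
}

# On the live client, once ypbind has been (re)started: confirm the binding,
# fetch the user's entry from the SFU server, and run the local checks on it.
verify_user() {
    ypwhich >/dev/null || { echo "not bound to a NIS server"; return 1; }
    entry=$(ypmatch "$1" passwd) || { echo "$1 not in the NIS passwd map"; return 1; }
    check_nis_entry "$entry"
}
```

On a real client, source the script as root and run nis_client_config corpnis dc1.example.com, nsswitch_compat, ensure_compat_entries, then prepare_home with the UID, GID and home directory you entered on the UNIX Attributes tab; restart ypbind and call verify_user jdoe before handing the account over. The owner check in check_nis_entry catches the common mistake of creating the home directory as root without the chown.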
After you set up the NIS server, you'll be able to manage the user attributes of your UNIX systems directly through AD. For example, you can change the Login Shell from /bin/sh to /bin/bash in Active Directory Users and Computers, then simply log out of and back on to a UNIX workstation to get the new shell. However, if your NIS server goes down, ypbind on the clients blocks user and group lookups until it can rebind, so even users who are already logged in can find their sessions hanging; redundant NIS servers are a good idea.