Concepts on multiple user mapping

We get a lot of questions about mapping multiple users between Windows and UNIX accounts. I have tried to list those questions and their answers in this blog post:

  1. How does multiple user name mapping work?

<Answer> A Windows-based account can be mapped to only a single UNIX-based account, but a single UNIX-based account can be mapped to multiple Windows-based accounts. The support document below describes this in more detail: https://support.microsoft.com/kb/269736

  2. What is a primary mapping?

<Answer> The primary mapping comes into play when a UNIX account or group is mapped to multiple Windows accounts or groups. In this scenario, one of the UNIX-to-Windows mappings is designated as primary. By default, the first mapping that is created is automatically designated as the primary mapping.

For example, suppose NFS shares are configured on a UNIX box and accessed from a Windows client. In this scenario, the ownership information for a file flows according to the primary user mapping that has been set.

  3. What is the recommended scenario for using multiple user\group mappings?

<Answer> Multiple user\group mapping is recommended in the scenario where NFS shares are hosted on a UNIX NFS server and are accessed from Windows NFS clients (i.e. the “Client for NFS” component).

For example: there is an NFS share on the UNIX box with directories owned by “UnixuserA”. On the Windows side, multiple users will access the NFS share, so we map all of those Windows users to UnixuserA. Now, based on the permissions set on the NFS share for UnixuserA, all the mapped Windows users get the same permissions.

However, this is not recommended in the scenario where Windows hosts the NFS shares (i.e. the “Server for NFS” component) and UNIX NFS clients access the files. Since multiple Windows users are mapped to a single UNIX user, the permission flow can become confusing. Also, because of the way user name mapping works, in the case of duplicate IDs only the primary mapping prevails.
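To make the asymmetry in questions 1 to 3 concrete, here is a small PowerShell model of the mapping rules as stated above. It is an added example and not the User Name Mapping service or any Microsoft code; the function names, the two hashtables and the CONTOSO sample accounts are assumptions constructed for illustration.

```powershell
# Added example (not part of the original post): a model of the mapping rules
# from questions 1 to 3. It is not the User Name Mapping service; the function
# names and the sample accounts below are constructed for illustration.

$script:WinToUnix = @{}   # Windows account -> its single UNIX account
$script:UnixToWin = @{}   # UNIX account -> list of Windows accounts; index 0 is the primary

function Add-NameMapping {
    param([Parameter(Mandatory)][string]$WindowsUser,
          [Parameter(Mandatory)][string]$UnixUser)
    # Rule from question 1: a Windows account maps to at most one UNIX account
    if ($script:WinToUnix.ContainsKey($WindowsUser)) {
        throw "$WindowsUser is already mapped to $($script:WinToUnix[$WindowsUser])"
    }
    $script:WinToUnix[$WindowsUser] = $UnixUser
    # A UNIX account may collect many Windows accounts; the first one added is the primary
    if (-not $script:UnixToWin.ContainsKey($UnixUser)) {
        $script:UnixToWin[$UnixUser] = [System.Collections.Generic.List[string]]::new()
    }
    $script:UnixToWin[$UnixUser].Add($WindowsUser)
}

function Set-PrimaryMapping {
    param([Parameter(Mandatory)][string]$WindowsUser,
          [Parameter(Mandatory)][string]$UnixUser)
    $list = $script:UnixToWin[$UnixUser]
    if (-not $list -or -not $list.Contains($WindowsUser)) {
        throw "No mapping $WindowsUser -> $UnixUser exists"
    }
    [void]$list.Remove($WindowsUser)
    $list.Insert(0, $WindowsUser)   # move the chosen mapping to the primary slot
}

function Resolve-WindowsToUnix {
    # Client for NFS direction: the Windows caller acts as this UNIX identity
    param([Parameter(Mandatory)][string]$WindowsUser)
    return $script:WinToUnix[$WindowsUser]
}

function Resolve-UnixToWindows {
    # Server for NFS direction: a UID on the wire becomes exactly one Windows
    # identity, and with duplicates only the primary mapping prevails
    param([Parameter(Mandatory)][string]$UnixUser)
    $list = $script:UnixToWin[$UnixUser]
    if ($list) { return $list[0] }
}

# Constructed sample data: two Windows users share one UNIX identity
Add-NameMapping -WindowsUser 'CONTOSO\alice' -UnixUser 'UnixuserA'
Add-NameMapping -WindowsUser 'CONTOSO\bob'   -UnixUser 'UnixuserA'

Resolve-WindowsToUnix 'CONTOSO\bob'     # bob gets UnixuserA's rights on the UNIX share
Resolve-UnixToWindows 'UnixuserA'       # the primary mapping, i.e. the first one created
Set-PrimaryMapping -WindowsUser 'CONTOSO\bob' -UnixUser 'UnixuserA'
Resolve-UnixToWindows 'UnixuserA'       # now the reassigned primary
try { Add-NameMapping -WindowsUser 'CONTOSO\bob' -UnixUser 'UnixuserB' }
catch { Write-Warning $_ }              # rejected: bob already has a UNIX mapping
```

The two resolve functions show why the many-to-one direction is comfortable for Client for NFS (every mapped Windows user simply inherits UnixuserA's permissions) but lossy for Server for NFS: a file owned by UnixuserA can only be reported as belonging to whichever Windows account currently holds the primary slot, regardless of which Windows user actually created it.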

  4. What can be done for the “Server for NFS” scenario?

<Answer> In the case of Server for NFS, where the subfolders and files under the NFS share would be owned by multiple Windows users, we can use the following setting:

Map a single Windows user to a single UNIX user. On the parent NFS share, make this mapped Windows user the owner (though this is not a prerequisite) and grant that user the required permissions. Then open the advanced security settings and, under the “Apply to” column, select the option that says “This folder, subfolders and files”.

Along with this, you need to check one more registry setting, KeepInheritance, under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping

This value should be set to 1.
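The following PowerShell script puts the Server for NFS recommendation above into a repeatable check: it verifies (and, if needed, sets) the KeepInheritance value at the registry path quoted in the post, and applies an inheritable ACE for the mapped Windows user on the share root with the “This folder, subfolders and files” scope. It is an added example rather than code from the original post; the share path, the CONTOSO\nfsowner account and the Modify right are placeholders to replace with your own values, and the registry path and value name are the ones the post gives.

```powershell
# Added example (not from the original post): check and apply the Server for NFS
# settings described in question 4. $ShareRoot, $MappedUser and the Modify right
# are placeholders; the registry path and value name come from the post.
$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Server for NFS\CurrentVersion\Mapping'
$ShareRoot  = 'D:\NfsShares\projects'   # placeholder: root folder of the NFS share
$MappedUser = 'CONTOSO\nfsowner'        # placeholder: the single mapped Windows user

function Test-KeepInheritance {
    param([string]$Key = $MappingKey)
    $value = (Get-ItemProperty -Path $Key -Name KeepInheritance -ErrorAction SilentlyContinue).KeepInheritance
    if ($value -eq 1) { return $true }
    Write-Warning "KeepInheritance is '$value' under $Key; the post requires 1"
    return $false
}

function Set-KeepInheritance {
    param([string]$Key = $MappingKey)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name KeepInheritance -Value 1 -Type DWord
}

function Grant-ShareRootAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $acl = Get-Acl -Path $Path
    # "This folder, subfolders and files" = ContainerInherit + ObjectInherit, no propagation flags
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    # Ownership is optional per the post; it is set here so new files default to the mapped user
    $acl.SetOwner([System.Security.Principal.NTAccount]$Account)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ShareRootAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $acl = Get-Acl -Path $Path
    $ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oi = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    # Look for an Allow ACE for the account that flows to both subfolders and files
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.InheritanceFlags -band $ci) -and
        ($_.InheritanceFlags -band $oi)
    }
    return [bool]$ace
}

# Run the checks; each step is idempotent so the script can be re-run after changes
if (-not (Test-KeepInheritance)) { Set-KeepInheritance }
Grant-ShareRootAccess -Path $ShareRoot -Account $MappedUser
if (-not (Test-ShareRootAccess -Path $ShareRoot -Account $MappedUser)) {
    Write-Warning "Inheritable ACE for $MappedUser not found on $ShareRoot"
}
```

Run it from an elevated PowerShell session on the Server for NFS host, since both the registry write and Set-Acl (particularly the SetOwner call) require administrative rights. Test-ShareRootAccess is deliberately separate from Grant-ShareRootAccess so it can be used on its own as an audit step.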

More information on managing NTFS permissions on an NFS share can be found in the blog post below: https://blogs.technet.com/b/sfu/archive/2009/08/27/how-nfs-access-works-over-ntfs-permissions.aspx