Beruflich Dokumente
Kultur Dokumente
and Linux ®
Integration:
Hands-on Solutions for a
Mixed Environment
Jeremy Moskowitz
Thomas Boutell
Upgrading to R2
For the purposes of this book, we’re going to assume you already have Windows 2003 servers
and domain controllers, but will be making an upgrade (of at least one domain controller) to
R2. The installation of R2 from scratch isn’t something we’ll cover in depth here.
We’re not going to talk much about loading a fresh Windows 2003 with R2
from scratch. If you get a Windows 2003 with R2 CD set, the first CD-ROM
(Windows 2003) will eventually prompt you for “Disc 2,” meaning the R2 disc.
Just follow the prompts, and you’ve got a fresh Windows 2003 with R2 ready
to go.
2 Web Appendix Windows 2003 / R2 Updated Procedures
If you have trouble getting R2 to load (i.e., it won’t accept your keycode)
you can try loading the first disc of the R2 set directly over your existing
Windows 2003 installation. Then, it should accept your second disc—
because you’ve “upgraded” to R2 using disc 1.
However, it should be noted that there are basically two upgrading scenarios:
1. Upgrading a domain where SFU is not already installed
2. Upgrading a domain where SFU is already installed
These are two separate scenarios. If you have not already completed the exercises in the printed
book, you might want to first upgrade your domain to R2, then work through the exercises here.
However, in both scenarios, some steps to upgrade the domain are the same, and we’ll per-
form those first.
FIGURE A.1 In order to upgrade Windows 2003 to R2, the schema must be upgraded.
FIGURE A.2 Once you press C to continue, your schema will be upgraded to the R2 schema.
Upgrading to R2 3
Once performed, you can then run the R2Auto.exe on the root of the R2 CD-ROM and select
to “Continue Windows Server 2003 R2 Setup.” At this point, you may be instructed that you
have a service pack installed (and continuing will prevent any possibility of uninstalling it). Select
Yes when you agree to that. When you do, you’ll be at the “R2 Setup Wizard.” The wizard is self-
explanatory.
Once completed, you’ll be able to continue to load R2 components on the particular server
you want via the “Add/Remove Windows Components” found in Add/Remove Programs
in Control Panel. At this point we have to first ask ourselves whether or not SFU 3.5 was
previously installed on this server.
When prompted, select Yes. When you do, you’ll get a brief note that the save was successful,
as seen in Figure A.4.
FIGURE A.4 Your SFU 3.5 configuration will be waiting for you when you upgrade to R2.
Click OK to close the message and cancel out of the Windows Components Wizard.
Next, you’ll need to uninstall SFU 3.5. You’ll do this inside the Add or Remove Programs
window in the Change or Remove Programs section as seen in the Figure A.5. Simply locate the
Microsoft Windows Services for UNIX entry and click Remove.
FIGURE A.5 You need to remove SFU 3.5 before you upgrade to R2.
While SFU 3.5 is being removed, you may be told that your NFS mounts are being discon-
nected. Upon completion, you’ll be asked to reboot and will need to do so.
Once logged back in as Administrator, you’re ready to add the IMU components. Click
Start Control Panel Add or Remove Programs. Select Windows Components.
Locate and check Active Directory Services Identity Management for UNIX and click OK.
This adds three components: Server for NIS, Password Synchronization, and their correspond-
ing Administrative tools.
Additionally, locate and check Other Network File and Print Services and ensure that
Microsoft Services for NFS Server for NFS and all other components are selected (except
Client for NFS) as seen in Figure A.6.
Click OK at each screen to return to the Windows Components. Then, click Next to finish
loading the new Windows Components from R2.
Finally, when finished, you’ll likely be prompted to restart the server. Go ahead and
do so.
Windows 2003 / R2 Authentication Services 5
FIGURE A.6 Ensure all components (except Client for NFS) are selected
FIGURE A.7 Ensure that the “Server for NIS” is started and set to Automatic.
Windows 2003 / R2 Authentication Services 7
Additionally, before proceeding, also make sure that two other services are also set to auto-
matic and started at this point: Server for NFS and User Name Mapping. One of these services
(Server for NFS) can be seen in the screen shot in Figure A.7, but the other (User Name Map-
ping) cannot.
FIGURE A.8 You can start IMU from the Start menu
Remember what we said about the relationship to accounts in Active Directory and their NIS
account counterparts (which are also stored in Active Directory): they’re almost like two sepa-
rate accounts that need to be synchronized with each other.
Once the tools are loaded, we’ll perform two steps: one is changing how long synchroniza-
tion between Active Directory account information and the NIS account information occurs,
and also turning on the actual password synchronization feature. This is accomplished in the
next two sections.
For our purposes, we’ll change this value from 1 day to 5 minutes. With the Microsoft Identity
Management for UNIX console open, right-click over the Server for NIS branch and select
properties. In the General tab, change the time from 1 day to 5 minutes as seen in Figure A.9.
FIGURE A.9 Change the Active Directory to NIS update from 1 day to 5 minutes.
was issued from, say, a Linux machine to the NIS server running on Windows, the password
hash was always exposed.
With the password hash known, it’s a lot easier for an attacker to perform a “dictionary
attack” and get the password. Once the attacker has the password, they have the Active Direc-
tory credentials they need to masquerade as that user!
R2 provides two options (where SFU 3.5 only had one):
Option 1: Whenever the Active Directory password is changed, also update the UNIX NIS
password table.
Option 2: Whenever the Active Directory password is changed, don’t update the UNIX NIS
password table.
SFU 3.5 only allowed for option 1. This basically meant the password was always available
and susceptible to prying eyes if they were dedicated enough to acquiring it. The fact that it was
hashed added a layer of security, but it wasn’t much.
Windows 2003 / R2 Authentication Services 9
Now in R2, you can choose not to shuttle the password into the NIS passwd tables. This
adds an additional layer of security by keeping it from being updated in such a public way and
thus less susceptible to prying eyes.
And, this is the default. If you want to seriously consider using Active Directory as your NIS
server, you’ll likely want to turn this on (even though that makes your Active Directory less
secure). To adjust for this, you need to specifically turn on the password synchronization for
accounts that are NIS enabled.
Start by opening up the Identity Management for UNIX console, if it’s not already open, with
Start All Programs Identity Management for UNIX Microsoft Identity Management for
UNIX. Once open, right-click over the words “Password Synchronization” and select Properties.
FIGURE A.10 Be sure to click “Enable Windows to NIS (AC) Password Sync.”
When you click the check box you’ll be asked to scan all domain controllers to ensure they
are using Windows 2003 / SP1. If you do not have SP1 on all your domain controllers, be sure
to do so before continuing in production.
Once performed, click Apply, then OK to finish.
From this point, you’ll jump to Chapter 3, “How to UNIX-Enable your Active Directory
Users and Groups,” page 167 of the book. In my examples here, I’ve created an account called
“nurse4” with a UID of 24601 and who is a member of the “nurses” group, with a GID of
10000 and a password of p@ssw0rd.
You can now check the NIS servers accounts using the command
You can see the output of the command seen in Figure A.11.
FIGURE A.11 The NIS server should dump its database as output with a ypcat command.
Sometimes, I have found that the password hash did not change, but it
worked anyway. I can only suspect this is a bug in the “yp” stack from R2.
This also happened in SFU 3.5.
Microsoft has an excellent document about how to embrace UNIX NIS servers
into the mix, say, as slave (subordinate) servers. It’s in an online-only docu-
ment entitled “Best Practices for Server for NIS” and can be found at http://
tinyurl.com/r7slh.
Windows 2003 / R2 Authentication Services 11
At this point, you could possibly retire UNIX NIS servers, as you’re now using Active Direc-
tory to pretend to be NIS. However, don’t forget to touch your Linux machines and tell them
where the new NIS server is. We have an example on how to do this in Chapter 3 of the book.
TABLE A.1 Original SFU names and new R2 names for corresponding
attributes
msSFU30UidNumber uidNumber
msSFU30GidNumber gidNumber
msSFU30Gecos gecos
msSFU30HomeDirectory unixHomeDirectory
msSFU30LoginShell loginShell
msSFU30ShadowLastChange shadowLastChange
msSFU30ShadowMin shadowMin
msSFU30ShadowMax shadowMax
12 Web Appendix Windows 2003 / R2 Updated Procedures
TABLE A.1 Original SFU names and new R2 names for corresponding
attributes (continued)
msSFU30ShadowWarning shadowWarning
msSFU30ShadowInactive shadowInactive
msSFU30ShadowExpire shadowExpire
msSFU30ShadowFlag shadowFlag
msSFU30MemberUid memberUid
msSFU30MemberNisNetgroup memberNisNetgroup
msSFU30NetgroupDetail nisNetgroupTriple
msSFU30IpServicePort ipServicePort
msSFU30IpServiceProtocol ipServiceProtocol
msSFU30IpProtocolNumber ipProtocolNumber
msSFU30OncRpcNumber oncRpcNumber
msSFU30IpHostNumber ipHostNumber
msSFU30IpNetworkNumber ipNetworkNumber
msSFU30IpNetmaskNumber ipNetmaskNumber
msSFU30MacAddress macAddress
msSFU30BootParameter bootParameter
msSFU30BootFile bootFile
msSFU30NisMapName nisMapName
msSFU30NisMapEntry nisMapEntry
msSFU30Password userPassword
TABLE A.1 Original SFU names and new R2 names for corresponding
attributes (continued)
msSFU30PosixAccount posixAccount
msSFU30ShadowAccount shadowAccount
msSFU30PosixGroup group
msSFU30IpService ipService
msSFU30IpProtocol ipProtocol
msSFU30OncRpc oncRpc
msSFU30IpHost ipHost
msSFU30IpNetwork ipNetwork
msSFU30NisNetgroup nisNetgroup
msSFU30NisMap nisMap
msSFU30NisObject nisObject
msSFU30Ieee802Device ieee802Device
msSFU30BootableDevice bootableDevice
14 Web Appendix Windows 2003 / R2 Updated Procedures
TABLE A.1 Original SFU names and new R2 names for corresponding
attributes (continued)
Note: Wherever the R2 Name is blank, it means that the SFU Name is being
used in the R2 schema as there was no RFC 2307 equivalent to these.
Reviewing /etc/ldap.conf
In Chapter 3, we talked about how to get Linux clients to authenticate directly to Active Direc-
tory using the SFU 3.5 schema. Using the SFU 3.5 schema, we told /etc/ldap.conf what to
look for inside an Active Directory when we used the SFU 3.5 schema.
Now, with only some slight changes, we can make that same Linux client talk to Active
Directory—using the new R2 schema. All we need to do is to tell the Linux client’s /etc/
ldap.conf what RFC 2307 attributes to use—which is what R2 uses—and we’re in business.
Listing A.1 is the listing you will substitute in place of Listing 3.1 on page 178 of the book.
Listing A.1: /etc/ldap.conf for LDAP authentication against Active Directory with R2
(RFC 2307) updates
# Here, we'll use unencryupted LDAP port 389. ("ldap")
uri ldap://windc1.ad.corp.com
base dc=ad,dc=corp,dc=com
binddn cn=dirsearch,cn=Users,dc=ad,dc=corp,dc=com
bindpw p@ssw0rd
nss_base_passwd dc=ad,dc=corp,dc=com
nss_base_shadow dc=ad,dc=corp,dc=com
nss_base_group dc=ad,dc=corp,dc=com
The first portions of the listing don’t change. Again, in the first portion, we’re providing the
pieces required to “touch” Active Directory: the Active Directory “dirsearch” account and where
in Active Directory to start our searches. None of that changes. The only things that do change are
the attributes—the SFU 3.5 attributes that are being dumped for the R2/RFC 2307 attributes.
The rest of the authentication story pretty much stays the same. Be sure to follow the direc-
tions in the rest of Chapter 3 to complete the story, especially the part on how to create home
directories on the fly as users log in.
The second box, labeled “NIS server name (optional)” is not optional. Yes, you read that
right—it’s not optional. Put in either the IP address or the name of your Windows NIS
server, or enter in localhost as seen in Figure A.12.
The third box requests the “Windows domain.” This should be automatically populated.
FIGURE A.12 Ensure that you put in the word “localhost” in the NIS Server Name
(optional) field—which is not optional. Also be sure to put your NIS domain in lowercase.
local host
Click OK to close each of the windows to return back to the Microsoft Services for NFS con-
sole. Now, to verify Simple Maps are working, right-click over the words “User Maps” and
check the checkbox labeled “Show Simple Maps.” Then, click F5 while “User Maps” is high-
lighted to see the map of any Active Directory user and their UNIX-enabled counterpart as seen
in Figure A.13.
FIGURE A.13 Ensure that you see the Active Directory (Windows User) and the UNIX
users in the simple map.
Final Thoughts 17
If this fails to work, it’s likely because you omitted the entry for “NIS server
name (optional).” Again, this isn’t optional.
Once you’ve performed User Name Mapping successfully, you’re ready to use Windows NFS
in precisely the same way as we performed in the book. You can create unified Windows and
UNIX home drives, for instance by following our guidance in the book.
Note that in R2, there is no more NFS gateway. That is, you cannot use a single
R2 system to arbitrate incoming SMB requests from Windows XP machines
and have them locate NFS mounts.
Final Thoughts
R2 is nice because it takes the most used components and puts them right into the operating sys-
tem. It also extends the schema with RFC 2307, which means Microsoft’s implementation of
storing UNIX accounts in Active Directory is now “standards compliant.”
Even with all that good news, SFU 3.5 might still be useful in some cases, even though R2 is
available. Specifically, the NFS client for Windows XP is only found in SFU 3.5, and also, it should
be noted that it is built into the “business edition” versions of Windows Vista. And, the NFS Gate-
way isn’t part of R2. So, if you need to set up an NFS gateway on a Windows 2003 (not with R2)
or, say a Windows 2000 Server—SFU 3.5 is the only game in town. So, you can still download it
at http://tinyurl.com/24pys. It is supported by Microsoft Product Support (PSS) via paid
support until 2009.
The programmers out there might want to get their hands on the “R2 Utilities and SDK for
UNIX-based Applications.” This pack of goodies has the following components:
Base Utilities
SVR-5 Utilities
Base SDK
GNU SDK
GNU Utilities
UNIX Perl
Visual Studio Debugger Add-in
You can track that down here
http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall
.mspx (shortened to http://tinyurl.com/q7eps)
18 Web Appendix Windows 2003 / R2 Updated Procedures
Additionally, you may be interested in seeing some “live motion” about these new R2
features. I found two resources to help you out.
http://www.microsoft.com/technet/community/events/windows2003srvR2/add-52
.mspx (shortened to http://tinyurl.com/la4p8)
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=77 (short-
ened to http://tinyurl.com/nvmdb)