M100723: Windows Services for UNIX


Implementation notes for Windows Services for UNIX.

The following Services for UNIX (SFU) components are installed:

  • Password Synchronization on every Domain Controller. This is required so that whenever a user changes their password, their UNIX password is also changed.
  • Server for NIS on dc01b.win.mgsft.com. dc01b runs a NIS server to make the passwd and group files available to UNIX servers.

The UNIX Accounts OU

There is an OU in Active Directory, \UNIX Accounts. All UNIX specific accounts and groups are stored here.

The "g_" group prefix

All UNIX groups are prefixed with "g_", e.g. g_lab. UNIX allows a user account and a group account with the same name to exist, but Active Directory does not. As a workaround, UNIX groups have the "g_" prefix in Active Directory, but not in UNIX. So g_lab in Active Directory would correspond to the UNIX group lab.

To achieve this, edit the group in ADSI Edit and change the msSFU30Name attribute, removing the "g_" prefix.

UNIX-Only Accounts

Since a user's UNIX account information is stored in Active Directory, a user must have an Active Directory account to have a UNIX account.

An account which is valid only in UNIX can still be created.

To create such an account, create the account in Active Directory, edit the UNIX Attributes tab to create the UNIX account, and then disable the Active Directory account. Even though the Active Directory account is disabled, the UNIX account will still appear in the NIS passwd file.

The \UNIX Accounts\Users OU lists all accounts which exist in UNIX only.
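The procedure above, as an added PowerShell example (it is not a script from this site): create the Active Directory user in \UNIX Accounts\Users, set the same attributes the UNIX Attributes tab writes, then disable the account. It assumes the domain DN DC=win,DC=mgsft,DC=com (from dc01b.win.mgsft.com), the NIS domain name mgsft.com used on this page, and the SFU 3.x attribute names (msSFU30*). It also refuses a uid that is already assigned anywhere in the domain, since two accounts sharing a uid are the same user on every UNIX host.

```powershell
# Added example, not the site's own script.
# Assumed: domain DN below, OU \UNIX Accounts\Users, NIS domain mgsft.com, SFU 3.x schema.
$DomainDN = 'DC=win,DC=mgsft,DC=com'

# A duplicate uid would make two AD identities the same UNIX user, so check first.
function Test-UidInUse([int]$Uid) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$DomainDN"
    $s.Filter = "(msSFU30UidNumber=$Uid)"
    return ($null -ne $s.FindOne())
}

function New-UnixOnlyAccount {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][int]$Uid,
        [Parameter(Mandatory=$true)][int]$Gid,
        [string]$DisplayName = $SamAccountName,
        [string]$LoginShell  = '/bin/sh',
        [string]$NisDomain   = 'mgsft.com'
    )
    if (Test-UidInUse $Uid) { throw "uid $Uid is already assigned to another account" }

    # 1. Create the Active Directory account.
    $ou   = [ADSI]"LDAP://OU=Users,OU=UNIX Accounts,$DomainDN"
    $user = $ou.Create('user', "CN=$SamAccountName")
    $user.Put('sAMAccountName', $SamAccountName)
    $user.Put('displayName',    $DisplayName)
    $user.SetInfo()

    # 2. Fill in what the UNIX Attributes tab would write.
    $user.Put('msSFU30NisDomain',     $NisDomain)
    $user.Put('msSFU30Name',          $SamAccountName)
    $user.Put('msSFU30UidNumber',     $Uid)
    $user.Put('msSFU30GidNumber',     $Gid)
    $user.Put('msSFU30HomeDirectory', "/home/$SamAccountName")
    $user.Put('msSFU30LoginShell',    $LoginShell)
    $user.Put('msSFU30Gecos',         $DisplayName)
    $user.SetInfo()

    # 3. Disable the Windows side. The account still appears in the NIS passwd map.
    $user.RefreshCache()
    $uac = [int]$user.Properties['userAccountControl'].Value
    $user.Put('userAccountControl', ($uac -bor 0x2))   # 0x2 = ACCOUNTDISABLE
    $user.SetInfo()
    return $user.Path
}
```

Usage: New-UnixOnlyAccount -SamAccountName svc_build -Uid 5001 -Gid 5000 -DisplayName 'Build service' (names constructed for illustration). Run it on dc01b as an account allowed to create users in the OU.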

UNIX Password Synchronization

A staff user's UNIX password is stored in Active Directory. The NIS server on dc01b allows UNIX servers to access this password.

All UNIX servers authenticate staff users using NIS.

However, some services, such as Apache, CVS and Subversion, require a passwd file to be stored locally.

All such passwd files are automatically generated from the accounts in NIS.

The PopulateUNIXAttributes script

There is a script, PopulateUNIXAttributes.wsf which runs regularly on dc01b.

There are some UNIX attributes (detailed below) which are not synchronized with the Windows equivalents. All these attributes start with "msSFU30" and are viewable using ADSI Edit.

PopulateUNIXAttributes.wsf will check all user and group accounts, and update the msSFU30 attributes if they differ from the Windows equivalent.

Refer to the PopulateUNIXAttributes.wsf script on dc01b for more details.

The Auto Populated OU

If you look at the properties of a UNIX-enabled group (on dc01b), there are two tabs where members can be added:

  • Members: Members of the Windows group
  • UNIX Attributes: Members of the UNIX group

The data in these two tabs is NOT synchronized by Active Directory. If you add someone under the Members tab, they are not added to the UNIX group, and vice versa.

Furthermore, the Members tab can contain both users and groups, but the UNIX Attributes tab can only contain users.

To solve this, the PopulateUNIXAttributes script will do the following:

  1. Scan the OU \UNIX Accounts\Groups\Auto Populated for any groups.
  2. Copy all members of the Windows group to the UNIX group, that is, copy the members in the Members tab to the UNIX Attributes tab. Nested Windows groups are expanded so that each user is added individually to the UNIX group.
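An added PowerShell example of the two steps above (not the site's PopulateUNIXAttributes.wsf): for every group in \UNIX Accounts\Groups\Auto Populated it expands the Windows membership, nested groups included, and compares it with the UNIX membership. It assumes the domain DN DC=win,DC=mgsft,DC=com and that SFU 3.x stores UNIX group members as user DNs in the msSFU30PosixMember attribute (an assumption about the schema; adjust $UnixMemberAttr if your version differs). It goes one step beyond the page's copy-only behaviour: it also reports UNIX members who are no longer in the Windows group, since those represent UNIX access the Windows group no longer grants, and with -Apply it removes them.

```powershell
# Added example, not the site's own script.
# Assumed: domain DN below, OU \UNIX Accounts\Groups\Auto Populated, and that UNIX group
# membership lives in msSFU30PosixMember as user DNs (assumption about the SFU 3.x schema).
$DomainDN       = 'DC=win,DC=mgsft,DC=com'
$UnixMemberAttr = 'msSFU30PosixMember'

# Recursively expand a Windows group to the DNs of the user objects it contains.
function Expand-GroupUsers {
    param([System.DirectoryServices.DirectoryEntry]$Group, [hashtable]$Seen = @{})
    foreach ($dn in @($Group.Properties['member'])) {
        $key = ([string]$dn).ToLowerInvariant()
        if ($Seen.ContainsKey($key)) { continue }        # duplicate or nesting loop
        $Seen[$key] = $true
        $m = [ADSI]("LDAP://" + ($dn -replace '/', '\/'))   # '/' must be escaped in an ADSI path
        switch ($m.SchemaClassName) {
            'user'  { [string]$dn }
            'group' { Expand-GroupUsers -Group $m -Seen $Seen }
        }
    }
}

function Sync-AutoPopulatedGroup {
    param([System.DirectoryServices.DirectoryEntry]$Group, [switch]$Apply)
    $wanted  = @(Expand-GroupUsers -Group $Group | Sort-Object -Unique)
    $current = @($Group.Properties[$UnixMemberAttr] | ForEach-Object { [string]$_ })
    $missing = @($wanted  | Where-Object { $current -notcontains $_ })  # Windows member, not yet in UNIX group
    $stale   = @($current | Where-Object { $wanted  -notcontains $_ })  # UNIX member no longer in Windows group
    $cn = [string]$Group.Properties['cn'].Value
    foreach ($dn in $missing) { Write-Host "$cn  + $dn" }
    foreach ($dn in $stale)   { Write-Host "$cn  - $dn" }
    if ($Apply -and ($missing.Count -or $stale.Count)) {
        if ($wanted.Count) { $Group.PutEx(2, $UnixMemberAttr, [object[]]$wanted) }  # 2 = ADS_PROPERTY_UPDATE
        else               { $Group.PutEx(1, $UnixMemberAttr, $null) }             # 1 = ADS_PROPERTY_CLEAR
        $Group.SetInfo()
    }
    return @{ Missing = $missing; Stale = $stale }
}

# Report only; pass -Apply to Sync-AutoPopulatedGroup to write the UNIX membership.
$ou = [ADSI]"LDAP://OU=Auto Populated,OU=Groups,OU=UNIX Accounts,$DomainDN"
foreach ($g in $ou.Children) {
    if ($g.SchemaClassName -eq 'group') { [void](Sync-AutoPopulatedGroup -Group $g) }
}
```

Only the member attribute is expanded; a user whose primary group is one of these groups does not appear in member and so is not copied, which matches how the Members tab displays the group.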

Disabled Staff Accounts

Because disabled accounts still appear in the NIS file, the PopulateUNIXAttributes script will check for disabled staff accounts:

  1. All accounts in the OU \Non-User Accounts\Disabled accounts (former staff)\Users are checked.
  2. Any accounts found in the NIS domain mgsft.com will be moved to the NIS domain disabled.

If a user's NIS domain is set to <none>, their UNIX uid and gid are lost. That is why they are moved to a different domain, in case this information is needed in the future.
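The disabled-account check above, as an added PowerShell example (not the site's script). It assumes the domain DN DC=win,DC=mgsft,DC=com and the NIS domain names mgsft.com and disabled used on this page. Unlike the page's procedure, which only looks in \Non-User Accounts\Disabled accounts (former staff)\Users, it searches the whole domain for accounts that are disabled in Active Directory but still in the live NIS domain, so an account disabled in place is caught too. It skips \UNIX Accounts\Users, because the UNIX-only accounts there are disabled on purpose and must stay in the live NIS domain.

```powershell
# Added example, not the site's own script.
# Assumed: domain DN below; NIS domains mgsft.com (live) and disabled (parked) as on this page.
$DomainDN   = 'DC=win,DC=mgsft,DC=com'
$LiveDomain = 'mgsft.com'
$ParkDomain = 'disabled'
$UnixOnlyOU = "OU=Users,OU=UNIX Accounts,$DomainDN"   # intentionally disabled accounts live here

function Find-DisabledNisAccounts {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$DomainDN"
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 2 is ACCOUNTDISABLE.
    $s.Filter = "(&(objectCategory=person)(objectClass=user)" +
                "(userAccountControl:1.2.840.113556.1.4.803:=2)" +
                "(msSFU30NisDomain=$LiveDomain))"
    $s.PageSize = 1000
    $s.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

function Move-ToParkedNisDomain {
    param([switch]$Apply)
    $moved = @()
    foreach ($u in Find-DisabledNisAccounts) {
        $dn = [string]$u.Properties['distinguishedName'].Value
        if ($dn -like "*,$UnixOnlyOU") { continue }   # UNIX-only accounts are meant to be disabled
        $sam = [string]$u.Properties['sAMAccountName'].Value
        $uid = [string]$u.Properties['msSFU30UidNumber'].Value
        Write-Host ("{0} (uid {1}): {2} -> {3}" -f $sam, $uid, $LiveDomain, $ParkDomain)
        if ($Apply) {
            # Only the NIS domain changes; uid, gid, home and shell stay intact so the
            # account can be audited or restored later. Setting <none> would discard them.
            $u.Put('msSFU30NisDomain', $ParkDomain)
            $u.SetInfo()
        }
        $moved += $sam
    }
    return $moved
}

Move-ToParkedNisDomain   # report only; add -Apply to write the change
```

Run the report first: any account it lists is a disabled Windows user whose entry is still being served in the mgsft.com passwd map.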

Other Attributes

The PopulateUNIXAttributes script will populate the following other SFU attributes:

  • msSFU30Gecos: The GECOS field of a UNIX account is blank by default with SFU. Some UNIX scripts need this information (e.g. add-kb-user when creating staff KB accounts). A user's displayName is copied to the msSFU30Gecos attribute.
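An added PowerShell example (not the site's PopulateUNIXAttributes.wsf) covering the attribute updates described in the "g_" group prefix section, the PopulateUNIXAttributes script section and the msSFU30Gecos entry above: for every UNIX-enabled user it sets msSFU30Name from sAMAccountName and msSFU30Gecos from displayName, and for every UNIX-enabled group it sets msSFU30Name from the group's cn with the "g_" prefix removed. It assumes the domain DN DC=win,DC=mgsft,DC=com and the SFU 3.x attribute names. Because GECOS ends up in passwd files where ':' separates fields and a newline ends a record, it strips those characters from the display name first; the page does not say whether the site's script does this.

```powershell
# Added example, not the site's own script.
# Assumed: domain DN below and SFU 3.x attribute names (msSFU30Name, msSFU30Gecos, msSFU30NisDomain).
$DomainDN = 'DC=win,DC=mgsft,DC=com'

function Get-UnixEnabledObjects([string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$DomainDN"
    $s.Filter = "(&$Filter(msSFU30NisDomain=*))"   # only objects that have UNIX attributes
    $s.PageSize = 1000
    $s.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

# passwd is colon-delimited and line-oriented; a display name containing ':' or a
# newline would otherwise inject extra fields or a whole extra entry into generated files.
function ConvertTo-Gecos([string]$DisplayName) {
    return (($DisplayName -replace '[:\r\n\x00]', ' ').Trim())
}

# Compare one single-valued attribute with its wanted value; write it only with -Apply.
function Set-IfDifferent {
    param([System.DirectoryServices.DirectoryEntry]$Entry, [string]$Attribute, [string]$Wanted, [switch]$Apply)
    $current = [string]$Entry.Properties[$Attribute].Value
    if ($current -ceq $Wanted) { return $false }
    Write-Host ("{0}: {1} '{2}' -> '{3}'" -f $Entry.Path, $Attribute, $current, $Wanted)
    if ($Apply) {
        if ($Wanted) { $Entry.Put($Attribute, $Wanted) } else { $Entry.PutEx(1, $Attribute, $null) }  # 1 = clear
        $Entry.SetInfo()
    }
    return $true
}

function Sync-UnixAttributes([switch]$Apply) {
    $changed = 0
    # Users: UNIX login name follows sAMAccountName, GECOS follows displayName.
    foreach ($u in Get-UnixEnabledObjects '(objectCategory=person)(objectClass=user)') {
        $sam   = [string]$u.Properties['sAMAccountName'].Value
        $gecos = ConvertTo-Gecos ([string]$u.Properties['displayName'].Value)
        if (Set-IfDifferent $u 'msSFU30Name'  $sam   -Apply:$Apply) { $changed++ }
        if (Set-IfDifferent $u 'msSFU30Gecos' $gecos -Apply:$Apply) { $changed++ }
    }
    # Groups: g_lab in Active Directory is the UNIX group lab.
    foreach ($g in Get-UnixEnabledObjects '(objectClass=group)') {
        $cn = [string]$g.Properties['cn'].Value
        $unixName = if ($cn -cmatch '^g_') { $cn.Substring(2) } else { $cn }
        if (Set-IfDifferent $g 'msSFU30Name' $unixName -Apply:$Apply) { $changed++ }
    }
    return $changed
}

Sync-UnixAttributes   # report only; add -Apply to write the changes
```

Run it without -Apply first and read the list: every line is an attribute that Active Directory and NIS currently disagree on.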
