HP 9000 Networking: Advanced Server/9000 Administrator's Guide > Chapter 1 Administering Advanced Server at the Command Prompt

Using mapuname Across Subnets and Domains

This procedure guides you through configuring an Advanced Server/9000 installation in which AS/U users are mapped to HP-UX users on remote systems that belong to separate domains. Following it lets you coordinate all of the components needed to use mapuname across routers and between domains, which simplifies the task.

Configuration Scenarios

There are 5 different network layout scenarios that are applicable:
1. Inter-domain, remote subnets
2. Inter-domain, local subnet
3. Local domain, remote subnets
4. Local domain, local subnet
5. Local system

This procedure will address scenario 1. Scenarios 2 through 5 are increasingly simple, so once scenario 1 is understood, the others will be easily understood.

Strategy

This procedure will use the Master Accounts Domain model (MAD). There will be an Accounts domain, where all of the user accounts and security will be defined. There will also be a Resource domain, where information resources are kept. The users in the Accounts domain will access files in the Resource domain. They will have access to the Resource domain through a trust relationship. Using mapuname and keepunixgroups=yes, you will be able to create files on the Resource domain that will have the user and group attributes of local Resource system HP-UX users.

Components

Here is a list of the components and concepts that will be used in the procedure:

Component            Account domain              Resource domain
------------------------------------------------------------------------------------
Domains              Account Domain              Resource Domain
Domain Names         Account.DOM                 Resource.DOM
Server Name (PDCs)   Account.PDC                 Resource.PDC
Clients              Computer Name: Acclient
                     User Name: ASUuser
                     LMHOSTS entry on Acclient
UNIX user                                        hpuxuser
UNIX group                                       hpuxgrp
AS/U Local Group                                 Localgrp
Trusts               Trusted Domain              Trusting Domain
Shares                                           Sharename: resource
                                                 Share Directory: /home/lanman/resource
                                                 Permissions for Localgrp on Resource share
HP-UX commands                                   mapuname
lanman.ini                                       keepunixgroups=yes
Name Cache           Cache entries               Cache entries

Mapuname Procedure

Pre-requisites

Account.DOM and Resource.DOM should be configured on separate subnets. In this example there will be only one server per domain: the PDCs are Account.PDC and Resource.PDC, respectively.

The NT client is a member of Account.DOM. The client computer name is Acclient, with the user ASUuser configured in the Account.DOM domain security database. Acclient is on the local Account.DOM subnet.

On the Resource.PDC AS/U server, the HP-UX user hpuxuser is defined (in /etc/passwd). hpuxuser is a member of the hpuxgrp group (in /etc/group). The sub-directory /home/lanman/resource exists and is shared via the Resource share.

Server administration for this procedure is accomplished with the NT Server Tools. The administration of trusts and local groups (necessary for this configuration) can also be done with the AS/U command line net commands.

NOTE: Ignore steps 2 and 7 in the following procedure if using WINS and all machines are using the same WINS database.

Step #1

Edit the Resource.PDC lanman.ini parameter so that newly created files retain HP-UX group ownership:

srvconfig -s hpparms,keepunixgroups=yes

The server must be stopped and re-started for this to take effect:

net stop server
net start server

Step #2

Each AS/U PDC and domain name must be added to the other's Name Cache. This allows the PDCs from the different domains to communicate over the router (the router segments the LAN). The PDCs need access to each other for the trust relationship that will be invoked later. Also, the domain names must be entered. On Account.PDC:

nbutil -a Resource.PDC -A 18.123.456.78 -V
nbutil -a Resource.DOM -A 18.123.456.78 -D

On Resource.PDC:

nbutil -a Account.PDC -A 10.987.654.32 -V
nbutil -a Account.DOM -A 10.987.654.32 -D

To display the Name Cache contents, type:

nbutil -p

The Account.PDC Name Cache should look like this:

Cache has 4 entries
Name          Type          Remote Address  Life [sec]
--------------------------------------------------------
RESOURCE.PDC  <20> UNIQUE   18.123.456.78   -1
RESOURCE.PDC  <00> UNIQUE   18.123.456.78   -1
RESOURCE.DOM  <1C> GROUP    18.123.456.78   -1
RESOURCE.DOM  <00> GROUP    18.123.456.78   -1

The Resource.PDC Name Cache should look like this:

Cache has 4 entries
Name          Type          Remote Address  Life [sec]
--------------------------------------------------------
ACCOUNT.PDC   <20> UNIQUE   10.987.654.32   -1
ACCOUNT.PDC   <00> UNIQUE   10.987.654.32   -1
ACCOUNT.DOM   <1C> GROUP    10.987.654.32   -1
ACCOUNT.DOM   <00> GROUP    10.987.654.32   -1
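As an added check, not part of the HP guide, the following shell script verifies a Name Cache listing of the shape nbutil -p prints against the four entries Step 2 requires: the remote PDC as <20> and <00> UNIQUE and the remote domain as <1C> and <00> GROUP, all at the expected address. The listing embedded in the script is constructed from the Account.PDC output above and uses the guide's placeholder addresses; the function name check_name_cache and the second, incomplete listing are this example's own. In practice you would feed the real output of nbutil -p into the function instead of the constant.

```shell
#!/bin/sh
# Added example (not from the HP guide): confirm that a Name Cache listing
# contains every entry Step 2 expects before attempting the trust in Step 3.

# check_name_cache LISTING REMOTE_PDC REMOTE_DOMAIN REMOTE_IP
# Returns 0 when PDC <20>/<00> UNIQUE and DOMAIN <1C>/<00> GROUP entries all
# resolve to REMOTE_IP, 1 otherwise; prints one line per expected entry.
check_name_cache() {
    cache="$1"
    # nbutil -p prints names in upper case whatever case was given to nbutil -a
    pdc=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    dom=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    ip="$4"
    rc=0
    for spec in "$pdc <20> UNIQUE" "$pdc <00> UNIQUE" "$dom <1C> GROUP" "$dom <00> GROUP"; do
        set -- $spec   # split the spec into name, NetBIOS suffix and type
        # whole-field comparison, so RESOURCE.PDC2 or a stale address cannot pass
        if printf '%s\n' "$cache" | awk -v n="$1" -v s="$2" -v t="$3" -v a="$ip" \
                '$1 == n && $2 == s && $3 == t && $4 == a { found = 1 }
                 END { exit found ? 0 : 1 }'; then
            echo "ok:      $1 $2 $3 -> $ip"
        else
            echo "MISSING: $1 $2 $3 -> $ip"
            rc=1
        fi
    done
    return $rc
}

# Constructed from the Account.PDC listing in the guide (placeholder addresses).
ACCOUNT_PDC_CACHE='Cache has 4 entries
Name          Type          Remote Address  Life [sec]
--------------------------------------------------------
RESOURCE.PDC  <20> UNIQUE   18.123.456.78   -1
RESOURCE.PDC  <00> UNIQUE   18.123.456.78   -1
RESOURCE.DOM  <1C> GROUP    18.123.456.78   -1
RESOURCE.DOM  <00> GROUP    18.123.456.78   -1'

# Constructed: the same cache with the domain <1C> entry missing, which is what
# a forgotten "nbutil -a Resource.DOM ... -D" leaves behind.
PARTIAL_CACHE='Cache has 3 entries
Name          Type          Remote Address  Life [sec]
--------------------------------------------------------
RESOURCE.PDC  <20> UNIQUE   18.123.456.78   -1
RESOURCE.PDC  <00> UNIQUE   18.123.456.78   -1
RESOURCE.DOM  <00> GROUP    18.123.456.78   -1'

echo "== complete cache =="
check_name_cache "$ACCOUNT_PDC_CACHE" Resource.PDC Resource.DOM 18.123.456.78
echo "== partial cache =="
check_name_cache "$PARTIAL_CACHE" Resource.PDC Resource.DOM 18.123.456.78 \
    || echo "add the missing entries with nbutil -a before continuing"
```

The function compares every field of each entry rather than grepping for the name, so a cached entry for the right name at a wrong or outdated address is reported as missing; that is the case that otherwise surfaces later as a trust that cannot be created.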

Step #3

Now that the PDCs can communicate, a trust relationship can be created. The trust will be granted from Resource.DOM (the TRUSTING domain). This requires that Account.DOM (the TRUSTED domain) will permit the trust.

From the NT administrator for Account.DOM:

click on Administrative Tools
click on User Manager
click on Policies
click on Trust Relationships

Under "Permitted to Trust this Domain", add Resource.DOM

From the NT administrator for Resource.DOM

click on Administrative Tools
click on User Manager
click on Policies
click on Trust Relationships

Under "Trusted Domains", add Account.DOM

The trust is now established between the 2 domains.

Step #4

The just-created trust is of little use at this point, because no users from Account.DOM have permissions in Resource.DOM yet. In this step we add a Local Group to Resource.DOM and add users from Account.DOM to it.

From the NT administrator for Resource.DOM

click on Administrative Tools
click on User Manager
click on Users
click on New Local Group
add "Localgrp", enter a description, click on Add
under "List Names From" choose Account.DOM
From the "Names" list choose ASUuser, click on Add
click on OK

The local group "Localgrp" is now created in the Resource.DOM with ASUuser as a member of the group.

Step #5

Now localgrp must be given permission to access the Resource share subdirectory.

From the NT administrator for Resource.DOM

click on Main
click on File Manager
click on Disk
click on Connect Network Drive
in the Path box, enter "\\RESOURCE.PDC\RESOURCE", click OK (the Resource share will be displayed)
click on Security
click on Permissions
click on Replace Permissions on Subdirectories
click on Add
click on localgrp
click on Add
in the Type of Access window choose "Full Control"
click on OK
click on OK

Step #6

On Resource.PDC, at the AS/U command line prompt, map the HP-UX user hpuxuser to the ASUuser in the Account.DOM domain:

mapuname -a Account.DOM:ASUuser hpuxuser

Check the mapping by typing at the HP-UX prompt:

mapuname

It should look like this:

Builtin:Backup Operators      lmxadmin
ACCOUNT.DOM:ASUuser           hpuxuser    <***********mapping!!!!
Builtin:Print Operators       lmxadmin
Builtin:Administrators        lmxadmin
:SYSTEM                       root
Builtin:Account Operators     lmxadmin
account.dom:Domain Admins
account.dom:Guest             lmxguest
account.dom:Domain Guests     lmxguest
Builtin:Guests                lmxguest
Builtin:Server Operators      lmxadmin
account.dom:Administrator     lmxadmin
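The listing above is what you read by eye; as an added example, not part of the HP guide, the shell script below does the same two checks a reviewer of this step would make on a mapuname listing: it confirms that the expected domain user resolves to the intended HP-UX user, and it reports any NT account other than the server's own :SYSTEM entry that is mapped to a uid 0 HP-UX account, since files such a user creates on the share arrive root-owned. The mapuname listing and /etc/passwd lines in the script are constructed from the guide's example (the passwd uids are invented sample values); the functions find_mapping and root_mapped, and the extra "tempadmin" entry used to show a hit, are this example's own. The script assumes each mapuname line has the form "NT account  HP-UX user", with the HP-UX user as the last field.

```shell
#!/bin/sh
# Added example (not from the HP guide): audit a mapuname listing.

# find_mapping LISTING NT_ACCOUNT
# Prints the HP-UX user mapped to NT_ACCOUNT (case-insensitive, as the
# listing mixes ACCOUNT.DOM and account.dom); returns 1 if no entry exists.
find_mapping() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 {
            user = $NF                       # HP-UX user is the last field
            nt = $1                          # NT name may contain spaces
            for (i = 2; i < NF; i++) nt = nt " " $i
            if (tolower(nt) == tolower(want)) { print user; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# root_mapped LISTING PASSWD_TEXT
# Prints every NT account mapped to an HP-UX account whose uid is 0, except
# the built-in ":SYSTEM" entry the server itself uses; returns 1 if any found.
root_mapped() {
    printf '%s\n' "$1" | PASSWD="$2" awk '
        BEGIN {
            # collect every uid-0 account name, not just the literal "root"
            n = split(ENVIRON["PASSWD"], lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[3] == "0") uid0[f[1]] = 1
            }
        }
        NF >= 2 && $1 != ":SYSTEM" && ($NF in uid0) {
            nt = $1
            for (i = 2; i < NF; i++) nt = nt " " $i
            print nt " -> " $NF
            hit = 1
        }
        END { exit hit ? 1 : 0 }'
}

# Constructed from the mapuname listing in the guide (two-column entries only).
MAPUNAME_SAMPLE='Builtin:Backup Operators      lmxadmin
ACCOUNT.DOM:ASUuser           hpuxuser
Builtin:Print Operators       lmxadmin
Builtin:Administrators        lmxadmin
:SYSTEM                       root
Builtin:Account Operators     lmxadmin
account.dom:Guest             lmxguest
account.dom:Domain Guests     lmxguest
Builtin:Guests                lmxguest
Builtin:Server Operators      lmxadmin
account.dom:Administrator     lmxadmin'

# Constructed: the same listing plus a hypothetical domain user mapped to root.
MAPUNAME_BAD="$MAPUNAME_SAMPLE
ACCOUNT.DOM:tempadmin         root"

# Constructed /etc/passwd excerpt; uids are sample values, not from the guide.
PASSWD_SAMPLE='root:x:0:0:root:/:/sbin/sh
hpuxuser:x:201:100:HP-UX user:/home/hpuxuser:/usr/bin/sh
lmxadmin:x:202:101:AS/U admin:/home/lanman:/usr/bin/sh
lmxguest:x:203:102:AS/U guest:/home/lanman:/usr/bin/sh'

if user=$(find_mapping "$MAPUNAME_SAMPLE" "Account.DOM:ASUuser"); then
    echo "Account.DOM:ASUuser is mapped to $user"
else
    echo "Account.DOM:ASUuser is not mapped; re-run mapuname -a"
fi
echo "== uid-0 mappings in the guide's listing (none expected) =="
root_mapped "$MAPUNAME_SAMPLE" "$PASSWD_SAMPLE" || echo "review the mappings above"
echo "== uid-0 mappings in the constructed listing =="
root_mapped "$MAPUNAME_BAD" "$PASSWD_SAMPLE" || echo "review the mappings above"
```

On a live server, replace the constants with the real output: mapuname for the listing and the contents of /etc/passwd for the uid lookup. The uid-0 check looks up the uid rather than matching the name "root", so a second uid 0 account under another name is still reported.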

Step #7

The client within the Account.DOM domain needs access to the Resource.PDC server, where the Resource share is located; that server is across a router on a remote subnet. To provide it, add the following line to the NT client's LMHOSTS file:

18.123.456.78 Resource.PDC #PRE #DOM:Resource.DOM

Summary

Step #1: Allow newly created files to retain UNIX groups
Step #2: Allow PDCs and domains to communicate over the router
Step #3: Set up a trust between domains to allow inter-domain permissions
Step #4: Create a local group and add the remote domain user to it
Step #5: Give permissions to the local group
Step #6: Map the remote AS/U user to the local HP-UX user
Step #7: Add the Resource.PDC IP address to the client LMHOSTS file

Test

On the NT client, log on to the Account.DOM as ASUuser. Under File Manager, connect the network drive to \\resource.pdc\resource. Minimize the File Manager, and use Notepad under Accessories to create a new file. Add some text, then save the file to the Network Drive \\resource.pdc\resource. On the HP-UX Resource.PDC server, list the file that you created, and observe that the owner and group are hpuxuser and hpuxgrp.

-rw-rw-r-- 1 hpuxuser hpuxgrp 27 Jun 28 14:12 testfile

© 1997 Hewlett-Packard Development Company, L.P.