Mailing List Archive

NT Domain Authentication and Filer Access
I am new to administering a filer via NT. Our filers have always been
administered from a UNIX host. We are migrating users from a UNIX
environment to a Windows NT/2000 environment. I have a user that has a
domain account and needs access to the filer. Without having to create an
account on the UNIX, where do I indicate validation via NT domain? I have
a people share on my filer with a folder with his employee number as the
folder name. After logging into the domain, he can see the filer listed in
the domain. When he double clicks it, it prompts him for a username and
password. He has tried what he uses to authenticate on the domain and it
does not work. For our UNIX users they have accounts on our UNIX server
and are authenticated that way. Your help is appreciated. Thanks.


JESSICA A. S. FERNANDEZ ESA-FM-ESH
E-mail: jessicaf@lanl.gov TA-16-661-101, MS-C933
Voice: 505-665-8051 FAX: 505-665-9490
Pager: 104-6707
RE: NT Domain Authentication and Filer Access
It sounds like there is an inconsistency between the UNIX login name and the
Windows domain\login name for that user. If they are the same, then odds
are that the user and the filer aren't in the same domain. The joys of
multi-protocol environments. Some of us learned this the hard way...

There are two ways to approach this. The first is to do your best to keep
the UNIX login name (e.g. ctomasi) the same as the domain login
(TGI\CTomasi). Note, case doesn't matter - most of the time.

If, however, the filer is in another domain (assuming full NT trusts are
set up between the domains) you'll need to start tweaking the
/etc/usermap.cfg file on the filer. This is a handy file. Oftentimes it
is used to map "Domain\Administrator" to "root" so you get all your admin
privileges from either world. It can also be used for other things (see
the docs and/or the comments in the file.) In our case, we have lots of
domains which we will hopefully be consolidating into fewer with Win2K
Active Directory, but that's beside the point. We use an entry *\* == * in
the usermap.cfg file to help the filer look in other domains to authenticate
the user. In my case, the filer is part of the Win2K domain "NA", but I'm
"TGI\CTomasi" and my UNIX account is "ctomasi". That entry starts a search
for various PDCs (see CIFS PREFDC for some other helpful info.) Note, this
could take a while to authenticate a user if you have to search a bunch of
domains. The user may perceive this delay when they open a connection to a
CIFS share for the first time on that filer.

The filer is just trying to match the Windows name (credentials) with a
corresponding UNIX account. You may need to help it along if you're dealing
with multiple domains or if the login name doesn't correspond between
Windows and UNIX.

I hope that helps.

--Chuck
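
An added illustration of the name mapping described in the reply above (not part of the original thread and not the filer's own code): a simplified Python model of first-match resolution over usermap.cfg-style entries, plus an audit pass that flags entries mapping to root or accepting any domain. The sample entries, the account TGI\jsmith, the domain OTHER and the functions parse, to_unix and audit are assumptions made for the example.

```python
import fnmatch

# Constructed sample in the style of /etc/usermap.cfg (assumption, not a real config).
SAMPLE = r"""
# Windows name     dir   UNIX name
NA\Administrator   ==    root
TGI\jsmith         =>    john
*\*                ==    *
"""

def split_name(name):
    """Split DOMAIN\\user, lowercased; a bare name is treated as any domain."""
    domain, sep, user = name.lower().rpartition("\\")
    return (domain if sep else "*"), user

def parse(text):
    """Return (windows_pattern, direction, unix_name) for each entry."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()            # simplification: no quoted names
        if len(fields) == 2:             # direction omitted: treat as two-way
            fields.insert(1, "==")
        win, direction, unix = fields
        rules.append((win.lower(), direction, unix))
    return rules

def to_unix(rules, windows_name):
    """Map a Windows name to a UNIX name; the first matching entry wins."""
    domain, user = split_name(windows_name)
    for win, direction, unix in rules:
        if direction == "<=":            # UNIX-to-Windows only, skip
            continue
        pat_domain, pat_user = split_name(win)
        if fnmatch.fnmatchcase(domain, pat_domain) and fnmatch.fnmatchcase(user, pat_user):
            return user if unix == "*" else unix
    return None

def audit(rules):
    """Flag entries worth reviewing: root mappings and any-domain wildcards."""
    findings = []
    for win, direction, unix in rules:
        if direction == "<=":
            continue
        if unix == "root":
            findings.append(f"{win} maps to root")
        if win.startswith("*\\"):
            findings.append(f"{win} accepts users from any domain")
    return findings
```

With the wildcard entry in place, the same login name in any trusted domain resolves to the same UNIX account, so OTHER\CTomasi and TGI\CTomasi both become ctomasi in this model.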

-----Original Message-----
From: Jessica Fernandez
To: toasters@mathworks.com
Sent: 7/18/2002 12:21 PM
Subject: NT Domain Authentication and Filer Access