Unix Attributes Tab and nisprop.dll

A number of the readers of my article describing integration between Linux and Active Directory on Windows Server 2003 R2 have inquired about the need to install Server for NIS on a domain controller.  Even though we don’t necessarily need NIS for this process (although we will need NIS if we are going to use NFS and automounts), installing the Server for NIS also makes available the “UNIX Attributes” tab in the Active Directory Users and Computers console.  You’ll need some sort of access to the attributes in Active Directory (unixHomeDirectory, gidNumber, uid, uidNumber, gecos, loginShell) in order to set them so that Linux and UNIX systems can utilize the information in those attributes, so installing Server for NIS in order to get the “UNIX Attributes” tab makes sense.

It’s not the “UNIX Attributes” tab that’s important; it’s access to those attributes in Active Directory.  You could just as well use ADSI Edit, LDP, or programmatically edit the attributes via VBScript or an LDIF import file.  It doesn’t matter.  All that matters is that you have the ability to set and modify the values in the UNIX-related attributes.

One common workaround that has been mentioned is just registering the nisprop.dll file, using a command like this:

regsvr32 c:\windows\idmu\common\nisprop.dll

Normally, this trick would work well.  I used this trick, for example, to make Active Directory Users and Computers available to help desk personnel without having to install all the administrative tools (just copy down dsadmin.dll and register it).  Not this time, though.

As Andy Loggia pointed out to me (first in the comments, and again later in a separate e-mail message), registering nisprop.dll requires Schema Admin privileges.  At first, I didn’t believe him, but he’s absolutely right.  When you register nisprop.dll, a change needs to be made in the Configuration naming context of Active Directory—and making that change requires Schema Admin privileges.

Specifically, registering nisprop.dll adds the CLSID of nisprop.dll to the AdminPropertyPages attribute of the user-display and group-display objects in this location in Active Directory:

CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=example,DC=net

(The “CN=409” would change if you are running a language other than English.)  I verified this myself on my own instance of Active Directory in the lab and Andy is absolutely correct.  Good work, Andy!

If you are working on Linux-AD integration in your shop, then just keep in mind that at some point during the process you’ll probably need to have Schema Admin privileges.  Certainly while you are extending the schema (if it’s not already extended, which you can check using ADSI Edit), then when you install Server for NIS or register nisprop.dll.  Alternately, if you don’t want the “UNIX Attributes” tab in Active Directory Users and Computers, you can use tools such as LDP, ADSI Edit, LDIF import files, or scripts to populate and edit the values in the UNIX-related attributes.  Populating these values is necessary for the process to work correctly, but the method by which the attributes are populated is up to you.
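Before asking for Schema Admin rights, it helps to know which of the two prerequisites is actually missing. The following PowerShell script is an added example, not code from the original post: it checks that the UNIX attributes exist in the schema and that the CLSID(s) regsvr32 registered for nisprop.dll on the local machine appear in adminPropertyPages under CN=409. It assumes a domain-joined Windows host with read access to the Schema and Configuration naming contexts; it uses only ADSI/.NET classes, so no AD PowerShell module is required.

```powershell
# Added example (not from the original post). Read-only: verifies the two
# prerequisites the post describes without changing anything in AD or the registry.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value

# (1) Schema check: each attribute the post lists must exist as an attributeSchema object.
$unixAttrs = 'uid', 'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell', 'gecos'
foreach ($attr in $unixAttrs) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    $state = if ($searcher.FindOne()) { 'present' } else { 'MISSING (schema not extended)' }
    Write-Host ('schema  {0,-18} {1}' -f $attr, $state)
}

# (2) Find the CLSID(s) whose in-process server is nisprop.dll. regsvr32 writes
#     HKCR\CLSID\{clsid}\InprocServer32 with the DLL path as the default value,
#     so the CLSID is read from the registry rather than hard-coded here.
$clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'nisprop\.dll') { $_.PSChildName }
    }
if (-not $clsids) {
    Write-Warning 'No CLSID points at nisprop.dll; regsvr32 has not been run on this machine.'
}

# (3) Compare against the English display specifiers. Each adminPropertyPages
#     value looks like "<order>,{CLSID}", so match on the CLSID part only.
foreach ($ds in 'user-Display', 'group-Display') {
    $dn    = "CN=$ds,CN=409,CN=DisplaySpecifiers,$configNc"
    $pages = @(([ADSI]"LDAP://$dn").adminPropertyPages)
    Write-Host $dn
    foreach ($clsid in $clsids) {
        $listed = $pages | Where-Object { $_ -match [regex]::Escape($clsid) }
        $state  = if ($listed) { 'listed in adminPropertyPages' } else { 'NOT listed' }
        Write-Host ('  {0}  {1}' -f $clsid, $state)
    }
}
```

A machine where step (2) finds a CLSID but step (3) reports it as not listed is the case the post describes: regsvr32 ran locally but could not write the Configuration naming context, typically because the account lacked Schema Admin rights.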


  1. Jason Sjobeck

    Excellent blog, excellent information, really saving me loads and loads of time as we wade through the cross-platform integration work. It is funny, some things, like Kerberos, were fall off your stool easy to setup, while others, like this, are tricky, and will never work until little specific reqs are met. Thanks again. One suggestion, how about a URL to where one can acquire the needed DLL (nisprop.dll).

  2. slowe

    Jason,

    I’m glad you’re finding the site helpful. Unfortunately, I can’t post a URL to get nisprop.dll as that is part of the Windows operating system and distributing that software would be illegal. You’ll have to go through Microsoft to get the bits you need.

    Scott

  3. Jason Sjobeck

    (all following done as “administrator”) I downloaded SFU 3.5 from ms’s site & extracted that entire thing, and the “nisprop.dll” is in there. I didn’t want to install the entire thing right off, sort of get my toes wet, then wade in a bit further next week. I created a folder inside WINNT named “idmu” then “common” inside of that, and then copied “nisprop.dll” from the unzipped archive to that folder, and then used your command above to register the DLL, which succeeded. I waited a minute, then opened my user account but no UNIX Attributes tab. Ideas? Thanks in advance for the advice. Jason

  4. slowe

    Jason,

    With versions of Windows prior to Windows Server 2003 R2, you have to use SFU. However, in those cases, more than just registering nisprop.dll is required. You must also extend the schema to include the UNIX attributes that nisprop.dll exposes. Make sure your schema has already been extended. If you are using Windows Server 2003 R2, then your schema should already be extended and SFU is NOT necessary. Otherwise, you’ll need to extend the schema using SFU and then register nisprop.dll.

    Hope this helps,
    Scott

  5. Jason Sjobeck

    Scott,

    Thanks. If you wouldn’t mind my bothering you just a bit more on this specific issue, I think I’m getting there. If I do not want to install all of SFU, what piece of it, or what step can I take using its pieces, to extend the schema so that the “UNIX Attributes” tab appears & works? I do have the Support Tools installed already & have used them a few times so know my way around them, if that is my route.

    Thanks again.

  6. slowe

    Jason,

    I am reasonably sure that if you just attempt to install the “Server for NIS” component of SFU, it will extend the schema and register the nisprop.dll file to enable the “UNIX Attributes” tab. For basic AD-Linux integration, that part alone should be sufficient.

    Scott

  7. Scott Péron

    Actually, to add the “UNIX Attributes” tab, you can also install the “Identity Management for Unix” portion of the “Windows Server 2003 R2 Administration Tools Pack” (available in both x86 and x64 flavours). This can be especially useful on Windows XP machines where the “Windows Server 2003 Service Pack 1 Administration Tools Pack” has already been installed, and you want to add the “UNIX Attributes” to your “Active Directory Users and Computers”.

    As an extra note, this combination also works for the Windows Server 2003 SP1 + SFU 3.5 - not just for Windows Server 2003 R2.

  8. DLL File Girl

    Brilliant Article,

    We have been working on this for the last few weeks and were actually considering outside help at this moment. This may have saved us some $. Much appreciated article.

    Thank You!
    Tracy Schelts
    NC Tech Support Team

  9. Davar Ansari

    Jason,

    I am using Windows 2003 w SP3 ADS with Windows 2003 Functional Level. I have extended the schema using SFU by installing ‘Server for NIS’ component. I can see the UNIX attributes tab on this DC but not on other DCs, whereas this being a schema extension should be visible on all DCs. Anyways, I installed ‘Server for NIS’ on other DCs as well and I can see the UNIX Attributes tab. Now, my problem is I can’t get the UNIX Attributes tab while accessing ADUC from a client side console :( even running as a domain admin.

    Please help!

    Thanks & Regards,
    Davar Ansari

  10. slowe

    Well, I’m not Jason but perhaps I can help…. ;-)

    There are two pieces to this. First, the schema has to be extended. If you’re running R2, then the schema is already there. If you’re not, then you’ll need to extend the schema. Installing the “Server for NIS” component extends the schema (if necessary) and adds the necessary pieces for nisprop.dll so that the UNIX Attributes tab will show up.

    HOWEVER, even if the schema has already been extended, you must still install “Server for NIS” (or register nisprop.dll) on EVERY domain controller and client from which you would like the UNIX Attributes tab to be visible. Just having the schema extended isn’t all…each instance of ADUC also needs nisprop.dll in order to display that tab.

    Hope that helps!

  11. Davar Ansari

    Hi Slowe,

    Sorry for the mistake-in-identity :P

    I have got my other DCs to show up the UNIX attributes tab by installing “Server for NIS” on each one of them. Now my ID manager uses the ADUC console that we get by installing the Adminpak.msi; I have registered the nisprop.dll on his machine but he still can’t see the UNIX attributes tab :(

    Thanks for the help!

    Regards,
    Davar Ansari

  12. Mel

    I found that adding Server for NIS wasn’t enough to bring the Unix Attributes tab on my fresh Win2k3-R2. I also had to add the Identity Management for Unix before it would appear.

  13. Jan Tiedemann

    This worked for me !

    - Extend the schema with SFU 3.5 sfusch.exe /x (only for W2K3 prior to R2).
    - Then copy the nisprop.dll to the system32 dir on a Domain Controller
    - Register the DLL with regsvr32 nisprop.dll. This will add two different CLSIDs of nisprop.dll to the AdminPropertyPages attribute of the user-display and group-display objects in this location in Active Directory: cn=409,CN=DisplaySpecifiers,CN=Configuration,DC=example,DC=net

    And now the UNIX Attribute TAB will be available in dsa.msc !

  14. asif

    “I found that adding Server for NIS wasn’t enough to bring the Unix Attributes tab on my fresh Win2k3-R2. I also had to add the Identity Management for Unix before it would appear.”

    You MUST first put the nisprop.dll in your “windows\system32” dir, then run “regsvr32.exe nisprop.dll” from that dir.

    Then it will show up correctly without installing anything else.

  15. Jason

    asif in posting 14 is right on. If you have Server 2003 R2 schema, you don’t need to install any of the SFU 3.5 stuff. Just place nisprop.dll in windows\system32 and register it using “regsvr32.exe nisprop.dll” from that directory.

    In our case we have all Windows Server 2003 SP2 DCs but had previously extended the schema to R2 and this procedure above works just dandy.

  16. slowe

    Jason, Asif,

    I believe that you are both correct; however, I also believe that Schema Admins privileges are required in order for it to work properly. If you have direct experience otherwise, please let me know. Thanks!

  17. jon

    Hello,

    Do you know how Server for NIS actually functions, what kind of framework it uses to access the information in Active Directory?

    It seems like it would not use LDAP, but does it use ADSI or some other method?

  18. slowe

    Jon,

    I would guess it uses ADSI or equivalent Win32 API calls to access Active Directory, but as I’m not a programmer I wouldn’t know for certain.

  19. Philip

    I have been able to get AD authentication working for my Linux boxes thanks to your blog. I can administer the UNIX Attributes from the DC; however, that’s the problem. I can only administer these attributes from the DC.

    I have installed the Admin Pack on my Windows XP workstation and IDMU. I can view and update attributes on the various tabs. The UNIX Attributes tab appears in the snap-in; however, when I click on the tab, there is a split second delay before it displays an error message titled “Primary Group Missing.” I click OK on the dialog box and it displays the tab with bogus information populated in the UID, Login Shell, and Home Directory. Primary Group is blank. When I view the same user on the DC, everything is populated correctly.

    Any ideas why my XP workstation cannot retrieve these attributes?

    Any help would be appreciated.
    Phil

  20. Josh Cook

    OK, I’ve got the attributes tabs in my schema, everything LOOKS fine.

    But.. no changes save. If I go in to a group and set its unix attributes, and hit apply and ok, and go back in.. *poof* all gone, same for users and computers.. doesn’t matter.. no changes are saved.

    Any ideas?

  21. Povl H. Pedersen

    You can install IDMU.EXE from the SUPPORT folder of Windows 2003R2, and you will get the tabs to edit the unix attributes. Works fine on XP as well.

    But, I cannot modify any attributes, because there is no NIS domain. So it requires registering the NIS domain in AD in some way.

    My first attempt at locating the information failed; I will give it another shot using Wireshark to look at LDAP queries.