Understanding Solaris User Account Management
The corporate data center landscape is changing. While a few years ago mainframe computers and UNIX servers dominated the data center, Windows NT servers are now becoming major players. It is now common to see Windows NT servers and UNIX servers side by side, providing services to the same population of users.
One of your most common tasks as a system administrator is managing user accounts. While the concept of user accounts is shared between Windows NT and UNIX operating systems such as the Solaris operating environment, the implementation differs. Even though you may be comfortable managing user accounts in one environment, you may not be so comfortable in a different environment.
The purpose of this chapter is to provide insight into how user accounts are managed in Solaris software so that you can effectively manage user accounts in both environments. The intent is not to provide a comprehensive text on Solaris system administration techniques, but rather to draw comparisons between Solaris software and Windows NT, highlighting the differences.
Evolution of Network Operating Systems
The concept of a user account has changed over time. With the advent of networked computing, users now access services provided by several computers during the course of a day, not just the computer they initially log on to. The way Solaris software and Windows NT handle network logons differs in some respects. Since some of these differences are the result of how the two operating environments evolved, it is worthwhile to look back at the evolution of network computing.
Early UNIX Computers
UNIX has its roots as a multiuser operating system with users connecting to a UNIX server via ASCII terminals. In this environment, users have accounts established on the server they are attached to. The purpose of the account is to grant the user permission to read and write files and to execute programs. Since local area networking had not yet come onto the scene, users only required access to the computer they were directly attached to. Therefore, all the user account information was kept on the local server.
With the introduction of TCP/IP networking, accessing data and executing programs on remote computers became possible. However, to use the TCP/IP telnet (remote login) and ftp (remote file copying) services on a remote system, users were required to have an account on that system. Because entering an account name and password on every remote access is inconvenient, Solaris software provided the BSD "r" commands (rlogin, rsh, and rcp), which allow users coming from trusted systems, listed in /etc/hosts.equiv or in a user's ~/.rhosts file, to log in to, run programs on, and copy files to and from a remote system without supplying a user account name and password each time. Note that this trust is host-based: the server accepts the client's claimed host name and user name in place of a password, which is why these services are normally disabled today. Even with them, a user account still had to be maintained on the remote system, which created administration headaches.
With the introduction of UNIX workstations, which replaced the character-based multiuser systems, remote access to other computers became the norm rather than the exception. To facilitate file sharing, which was cumbersome using ftp, Sun developed the Network File System (NFS) and the Network Information Service (NIS, originally called Yellow Pages). NFS provided transparent file access, while NIS provided a central place to store user account information. Instead of maintaining an account on each local system, the account information (the passwd, group, and related maps) was stored on a central server and consulted by every client.
Early Personal Computers
Unlike UNIX, which was a multiuser operating system, personal computers (PCs), as the name suggests, were standalone systems. Since there was only one user at a time and PC networking had not yet arrived, there was no need to maintain user accounts. This situation changed when PCs began to be networked together.
Microsoft's first entry into the network operating system world was Windows for Workgroups (WFWG). Unlike UNIX, which used telnet and ftp, WFWG employed LAN Manager file sharing (the SMB protocol) as its main protocol. WFWG supported two modes of file sharing: share mode and user mode. In share mode, access was granted per share, protected at most by a password attached to the share itself, so anyone who could reach the share (and knew that password, if one was set) could read or write its files. In user mode, a username and password were required to access shared files. Each computer kept its own list of users and passwords, much like Solaris software did before NIS was created.
Solaris NFS vs. Windows for Workgroups
The difference between how NFS access is controlled in the Solaris operating environment and how file share access is controlled with WFWG has more to do with the file system structure than with the network protocol. WFWG uses the DOS FAT file system, which has no notion of file ownership or access rights. In contrast, each file or directory accessed via NFS has an owner, a group, and permission bits that can be set.
Because no access rights are kept in the file system itself, the only control WFWG has is at the share level: it maintains a list of users who may connect to a file share. NFS generally does not maintain a list of users at all. The export (the share command in Solaris) decides which hosts may mount a file system and whether they get read-write or read-only access, and after that the underlying file system's ownership and permission bits decide what each user may do. The share-level versus user-level distinction therefore does not exist in NFS: the export is a share-level control, and the file permissions dictate what can be accessed and by whom. One caveat for the administrator: with the default NFS authentication flavor (AUTH_SYS), the server trusts the user and group IDs presented by the client, so those file permissions are only as trustworthy as the hosts allowed to mount the export. For that reason a client's root user is normally mapped to an unprivileged "nobody" ID unless the export explicitly grants that host root access.
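The two access models just described, as an added illustration written for this chapter (it is not code from the original text or from Sun): a small Python model in which a WFWG-style share grants access from its user list alone, while an NFS-style export first checks the client host against the export's read-write, read-only, and root host lists (the counterparts of the rw=, ro=, and root= options of the Solaris share command) and only then evaluates the file's owner, group, and mode bits against the UID and GIDs the client asserts. All hosts, user names, UIDs, files, and the "nobody" UID below are constructed sample data.

```python
"""Model of share-level (WFWG) versus file-permission (NFS) access control.

Added illustration for this chapter, not code from the original text.
Hosts, users, UIDs, and files are constructed sample data.
"""
from dataclasses import dataclass, field


# --- WFWG "user mode": the share's user list is the only control that exists.
@dataclass
class WfwgShare:
    name: str
    allowed_users: set

    def can_access(self, user: str) -> bool:
        # FAT keeps no ownership, so once past the share list every file is reachable.
        return user in self.allowed_users


# --- NFS: the export gates which hosts may mount; mode bits decide the rest.
@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits, e.g. 0o640


@dataclass
class NfsExport:
    path: str
    rw_hosts: set
    ro_hosts: set = field(default_factory=set)
    root_hosts: set = field(default_factory=set)  # hosts whose uid 0 is honoured
    anon_uid: int = 60001  # constructed "nobody" UID used for squashed root

    def mount_mode(self, host: str):
        if host in self.rw_hosts:
            return "rw"
        if host in self.ro_hosts:
            return "ro"
        return None  # host is not in the export list and cannot mount


def unix_permits(f: File, uid: int, gids: set, want: str) -> bool:
    """Classic owner/group/other check: exactly one class applies to a caller."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return True  # local root bypasses mode bits; that is why root is squashed
    if uid == f.owner_uid:
        shift = 6
    elif f.group_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def nfs_permits(export: NfsExport, host: str, uid: int, gids: set,
                f: File, want: str) -> bool:
    mode = export.mount_mode(host)
    if mode is None:
        return False  # not exported to this host at all
    if want == "w" and mode == "ro":
        return False  # read-only export
    # AUTH_SYS: the server believes the uid/gids the client sends, except that
    # uid 0 is mapped to anon_uid unless the host was granted root access.
    if uid == 0 and host not in export.root_hosts:
        uid, gids = export.anon_uid, {export.anon_uid}
    return unix_permits(f, uid, gids, want)


# Constructed scenario: alice (uid 1001) and bob (uid 1002) share group 10.
SHARE = WfwgShare("PUBLIC", {"alice", "bob"})
EXPORT = NfsExport("/export/home", rw_hosts={"ws1"}, ro_hosts={"ws2"})
REPORT = File(owner_uid=1001, group_gid=10, mode=0o640)  # alice's file


def demo() -> dict:
    return {
        "wfwg_bob": SHARE.can_access("bob"),        # share list is the whole check
        "wfwg_carol": SHARE.can_access("carol"),    # not on the list
        "nfs_alice_ws1_w": nfs_permits(EXPORT, "ws1", 1001, {10}, REPORT, "w"),  # owner
        "nfs_bob_ws1_w": nfs_permits(EXPORT, "ws1", 1002, {10}, REPORT, "w"),    # group is r only
        "nfs_bob_ws1_r": nfs_permits(EXPORT, "ws1", 1002, {10}, REPORT, "r"),
        "nfs_alice_ws2_w": nfs_permits(EXPORT, "ws2", 1001, {10}, REPORT, "w"),  # ro export
        "nfs_alice_ws3_r": nfs_permits(EXPORT, "ws3", 1001, {10}, REPORT, "r"),  # not exported
        "nfs_root_ws1_r": nfs_permits(EXPORT, "ws1", 0, {0}, REPORT, "r"),       # squashed root
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'allowed' if allowed else 'denied'}")
```

Note what the model does not check: the nfs_permits call for "alice" would succeed just as well if a root user on ws1 simply sent uid 1001, because nothing in AUTH_SYS ties the asserted UID to a password. That is why, in the Solaris model, restricting the export's host lists is the real boundary and the file permissions are only meaningful behind it.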
WFWG networking has the concept of browsing, while NFS does not. In WFWG networking, workgroups exist for browsing purposes: only the file shares of computers in your own workgroup appear in, for example, the output of net view. Solaris software has no notion of a workgroup and no browsing; both were perceived as an unnecessary use of network bandwidth. (A client can still ask a specific server what it exports with showmount -e hostname, but nothing announces shares across the network.)