Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 19



UNIX security model
When the UNIX policy is selected, any attempt to change file-level security from the SMB protocol, such as a change to an access control
list (ACL), is ignored. UNIX access rights are the mode bits or the NFSv4 ACL of a file system object. Mode bits are represented by a bit
string in which each bit grants one access mode or privilege to the user owning the file, to the group associated with the file system
object, or to all other users. UNIX mode bits are written as three concatenated rwx (read, write, and execute) triplets, one for each category
of users (user, group, other). An ACL is a list of users and groups of users through which access to, and denial of, services is controlled.
Windows security model
The Windows security model is based primarily on object rights, which involve the use of a security descriptor (SD) and its ACL. When
the SMB policy is selected, changes to the mode bits from the NFS protocol are ignored.
Access to a file system object is based on whether permissions have been set to Allow or Deny through the security descriptor.
The SD describes the owner of the object and the group SIDs for the object, along with its ACLs. An ACL is part of the security descriptor
of each object. Each ACL contains access control entries (ACEs). Each ACE, in turn, contains a single SID that identifies a user, group, or
computer and a list of rights that are allowed or denied for that SID.
File systems access in a multiprotocol environment
File access is provided through NAS servers. A NAS server contains a set of file systems where data is stored. The NAS server provides
access to this data for NFS and SMB file protocols by sharing file systems through SMB shares and NFS shares. The NAS server mode
for multiprotocol sharing allows the sharing of the same data between SMB and NFS. Because the multiprotocol sharing mode provides
simultaneous SMB and NFS access to a file system, the mapping of Windows users to UNIX users and defining the security rules to use
(mode bits, ACL, and user credentials) must be considered and configured properly for multiprotocol sharing.
NOTE:
For information about configuring and managing NAS servers with regards to multiprotocol sharing, user
mapping, access policies, and user credentials, refer to the PowerStore Manager online help.
User mapping
In a multiprotocol context, a Windows user always needs to be matched to a UNIX user. A UNIX user, however, has to be mapped to a
Windows user only when the access policy is Windows. This matching is necessary so that file system security can be enforced even when
it is not native to the protocol being used. The following components are involved in user mapping:
• UNIX Directory Services, local files, or both
• Windows resolvers
• Secure mapping (secmap): a cache that contains all mappings between SIDs and UIDs or GIDs used by a NAS server
• ntxmap
NOTE:
User mapping does not affect the users or groups that are local to the SMB server.
UNIX Directory Services and local files
UNIX Directory Services (UDSs) and local files are used to do the following:
• Return the corresponding UNIX account name for a particular user identifier (UID).
• Return the corresponding UID and primary group identifier (GID) for a particular UNIX account name.
The supported services are:
• LDAP
• NIS
• Local files
• None (the only possible mapping is through the default user)
When multiprotocol sharing is enabled, the NAS server must have a UDS enabled, local files enabled, or both. The Unix directory service
property of the NAS server determines which of them is used for user mapping.
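The two security models and the mapping steps described above, as an added simulation that is not PowerStore code and does not come from this guide. It maps an SMB caller's SID to a UID and GID through a constructed directory lookup with a secmap-style cache, maps an NFS caller's UID back to a SID only when the access policy is Windows, evaluates either the rwx mode bits or the security descriptor's ACEs according to that policy, and shows that an ACL edit over SMB is ignored under the UNIX policy and a chmod over NFS is ignored under the Windows policy. Every name, SID, UID, table and the default user are constructed; the default-user fallback, the Deny-first ACE ordering and the first-matching-ACE rule are simplifying assumptions of this example, not documented PowerStore behaviour.

```python
# Added simulation, not PowerStore code: SID/UID mapping plus policy-dependent access checks.
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed UNIX Directory Service content (LDAP, NIS or local files): name -> (uid, gid).
UDS_BY_NAME = {"alice": (1001, 100), "bob": (1002, 100), "nobody": (65534, 65534)}
UDS_BY_UID = {uid: name for name, (uid, _gid) in UDS_BY_NAME.items()}
# Constructed Windows resolver content: SID -> account name (mallory has no UNIX account).
WIN_RESOLVER = {"S-1-5-21-1-2-3-1001": "alice", "S-1-5-21-1-2-3-1002": "bob",
                "S-1-5-21-1-2-3-9999": "mallory"}
SID_BY_NAME = {name: sid for sid, name in WIN_RESOLVER.items()}
DEFAULT_UNIX_USER = "nobody"  # assumed default user for SIDs that cannot be mapped

class SecMap:  # cache of SID -> (uid, gid) so the directory is consulted once per SID
    def __init__(self):
        self.cache = {}
    def sid_to_unix(self, sid):
        if sid not in self.cache:  # miss: SID -> name -> (uid, gid), else the default user
            self.cache[sid] = UDS_BY_NAME.get(WIN_RESOLVER.get(sid)) or UDS_BY_NAME[DEFAULT_UNIX_USER]
        return self.cache[sid]

def uid_to_sid(uid):  # reverse mapping; needed only when the access policy is Windows
    return SID_BY_NAME.get(UDS_BY_UID.get(uid))

def parse_mode(rwx):
    """'rwxr-x---' -> 0o750: three rwx triplets for user, group and other."""
    if len(rwx) != 9 or any(ch not in ("-", "rwx"[i % 3]) for i, ch in enumerate(rwx)):
        raise ValueError(f"not a mode string: {rwx!r}")
    return sum(1 << (8 - i) for i, ch in enumerate(rwx) if ch != "-")

def unix_allows(mode, owner_uid, owner_gid, uid, gid, want):
    """Select the user, group or other triplet, then test one of r, w, x."""
    shift = 6 if uid == owner_uid else 3 if gid == owner_gid else 0
    return bool((mode >> shift) & {"r": 4, "w": 2, "x": 1}[want])

# allow: True for an Allow entry, False for a Deny entry; rights: subset of {"r", "w", "x"}
ACE = namedtuple("ACE", "sid allow rights")

@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    dacl: list = field(default_factory=list)  # ACEs in canonical order, Deny entries first

def windows_allows(sd, sids, want):
    """First ACE naming a caller SID and the requested right decides; Deny first means Deny wins."""
    for ace in sd.dacl:
        if ace.sid in sids and want in ace.rights:
            return ace.allow
    return False  # no matching ACE: nothing was granted

@dataclass
class FileObject:
    access_policy: str  # "UNIX" or "Windows"
    owner_uid: int
    owner_gid: int
    mode: int
    sd: SecurityDescriptor = None
    secmap: SecMap = field(default_factory=SecMap)

    def set_mode_from_nfs(self, rwx):
        if self.access_policy == "Windows":
            return False  # chmod over NFS is ignored under the Windows policy
        self.mode = parse_mode(rwx)
        return True
    def set_acl_from_smb(self, dacl):
        if self.access_policy == "UNIX":
            return False  # ACL edits over SMB are ignored under the UNIX policy
        self.sd.dacl = list(dacl)
        return True
    def check_smb(self, sid, want):
        uid, gid = self.secmap.sid_to_unix(sid)  # a Windows user is always mapped to a UNIX one
        if self.access_policy == "UNIX":
            return unix_allows(self.mode, self.owner_uid, self.owner_gid, uid, gid, want)
        return windows_allows(self.sd, {sid}, want)
    def check_nfs(self, uid, gid, want):
        if self.access_policy == "UNIX":
            return unix_allows(self.mode, self.owner_uid, self.owner_gid, uid, gid, want)
        sid = uid_to_sid(uid)  # UNIX -> Windows mapping happens only under the Windows policy
        return sid is not None and windows_allows(self.sd, {sid}, want)

def demo():  # same owner and DACL under both policies; the policy decides which side is enforced
    alice, bob, mallory = (SID_BY_NAME[n] for n in ("alice", "bob", "mallory"))
    dacl = [ACE(bob, False, frozenset("w")), ACE(alice, True, frozenset("rwx")),
            ACE(bob, True, frozenset("rwx"))]
    unix_file = FileObject("UNIX", 1001, 100, parse_mode("rwxr-x---"))
    win_file = FileObject("Windows", 1001, 100, parse_mode("rwxrwxrwx"),
                          SecurityDescriptor(alice, "S-1-5-21-1-2-3-513", dacl))
    return {
        "bob_smb_read_unix": unix_file.check_smb(bob, "r"),          # group triplet is r-x
        "bob_smb_write_unix": unix_file.check_smb(bob, "w"),
        "mallory_smb_read_unix": unix_file.check_smb(mallory, "r"),  # default user, other triplet
        "smb_acl_edit_applied_unix": unix_file.set_acl_from_smb([]),
        "bob_nfs_read_windows": win_file.check_nfs(1002, 100, "r"),
        "bob_nfs_write_windows": win_file.check_nfs(1002, 100, "w"),  # Deny ACE wins
        "nfs_chmod_applied_windows": win_file.set_mode_from_nfs("rwx------"),
        "unmapped_uid_nfs_windows": win_file.check_nfs(4242, 4242, "r"),
    }
```

Running demo() shows the practical consequences of the two policies: under the UNIX policy bob, a member of the owning group, can read but not write because the group triplet is r-x, and an SMB client that tries to add an ACE gets no effect; under the Windows policy the same file denies bob's write over NFS because his UID maps to a SID that a Deny ACE names, and a chmod over NFS is silently dropped. The mallory case is the one to watch in a real deployment: a SID with no UNIX account falls through to the default user, so whatever the "other" triplet grants becomes reachable from any resolvable Windows identity. A UID with no Windows counterpart gets nothing under the Windows policy, which is why the guide requires a UDS or local files to be configured before multiprotocol sharing is enabled.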
Authentication and access
19