Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 22
[Figure 2. Process used to resolve a UID to an SID mapping]

Access policies for NFS, SMB, and FTP

In a multiprotocol environment, the storage system uses file system access policies to manage user access control of its file systems. There are two kinds of security, UNIX and Windows.

For UNIX security authentication, the credential is built from the UNIX Directory Services (UDS), except for non-secure NFS access, where the credential is provided by the host client. User rights are determined from the mode bits and NFSv4 ACL. The user and group identifiers (UID and GID, respectively) are used for identification. There are no privileges associated with UNIX security.

For Windows security authentication, the credential is built from the Windows Domain Controller (DC) and Local Group Database (LGDB) of the SMB server. User rights are determined from the SMB ACLs. The security identifier (SID) is used for identification. There are privileges associated with Windows security, such as TakeOwnership, Backup, and Restore, that are granted by the LGDB or group policy object (GPO) of the SMB server.

The following table describes the access policies that define what security is used by which protocols:

Access policy: Native (default)
• Each protocol manages access with its native security.
• Security for NFS shares uses the UNIX credential associated with the request to check the NFSv3 UNIX mode bits or NFSv4 ACL. The access is then granted or denied.
• Security for SMB shares uses the Windows credential associated with the request to check the SMB ACL. The access is then granted or denied.
• NFSv3 UNIX mode bits and NFSv4 ACL permission changes are synchronized to each other.
• There is no synchronization between the UNIX and Windows permissions.

Access policy: Windows
• Secures file level access for Windows and UNIX using Windows security.
• Uses a Windows credential to check the SMB ACL.
• Permissions for newly created files are determined by an SMB ACL conversion. SMB ACL permission changes are synchronized to the NFSv3 UNIX mode bits or NFSv4 ACL.
• NFSv3 mode bits and NFSv4 ACL permission changes are denied.

Access policy: UNIX
• Secures file level access for Windows and UNIX using UNIX security.
• Upon request for SMB access, the UNIX credential built from the local files or UDS is used to check the NFSv3 mode bits or NFSv4 ACL for permissions.
• Permissions for newly created files are determined by the UMASK.
• NFSv3 UNIX mode bits or NFSv4 ACL permission changes are synchronized to the SMB ACL.
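As a review aid for the table above, the following added example (not Dell code and not part of the guide) works out which credential and permission store each protocol is checked against under a given access policy, then lists the points to review per file system. The `FileSystem` record, its field names and the sample inventory are hypothetical and constructed for illustration; they are not a PowerStore API schema.

```python
from typing import NamedTuple

class FileSystem(NamedTuple):      # hypothetical inventory record
    name: str
    policy: str                    # "native", "windows" or "unix"
    protocols: frozenset           # subset of {"nfs", "smb"}
    secure_nfs: bool = True        # False = non-secure NFS access

def enforcement(policy, protocol):
    """Return (credential used, permission store checked) per the table."""
    if policy == "windows" or (policy == "native" and protocol == "smb"):
        return ("Windows credential (DC + LGDB)", "SMB ACL")
    if policy in ("unix", "native"):
        return ("UNIX credential (local files or UDS)", "mode bits / NFSv4 ACL")
    raise ValueError(f"unknown access policy: {policy}")

def audit(fs):
    """List the review points that follow from the policy and protocols."""
    notes = []
    # More than one store in use means two independent permission sets.
    stores = {enforcement(fs.policy, p)[1] for p in fs.protocols}
    if len(stores) > 1:
        notes.append("native: UNIX and Windows permissions are not "
                     "synchronized; review both")
    if fs.policy == "windows" and "nfs" in fs.protocols:
        notes.append("windows: NFS users are checked with a Windows "
                     "credential; NFS permission changes are denied")
    if fs.policy == "unix" and "smb" in fs.protocols:
        notes.append("unix: SMB access is checked against mode bits / "
                     "NFSv4 ACL; new files get permissions from the UMASK")
    # The guide states the host-supplied credential for UNIX security only.
    if "nfs" in fs.protocols and not fs.secure_nfs and fs.policy != "windows":
        notes.append("non-secure NFS: the UNIX credential is provided by "
                     "the host client")
    return notes

INVENTORY = [  # constructed sample data
    FileSystem("projects", "native", frozenset({"nfs", "smb"}), secure_nfs=False),
    FileSystem("finance", "windows", frozenset({"nfs", "smb"})),
    FileSystem("builds", "unix", frozenset({"smb"})),
    FileSystem("home", "native", frozenset({"smb"})),
]

if __name__ == "__main__":
    for fs in INVENTORY:
        for note in audit(fs) or ["no multiprotocol review points"]:
            print(f"{fs.name}: {note}")
```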