Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 22

Access policies for NFS, SMB, and FTP




[Figure 2: flowchart of the UID-to-SID resolution process. Decision boxes, in order: In secmap?; In Local Files or UDS? (UNIX Name); In ntxmap? (No: Windows Name = UNIX Name); In Domain Controller? (SID); In Local Group Database? (SID); Default Windows Account? (SID). An unresolvable UID results in Access Denied.]
Figure 2. Process used to resolve a UID to an SID mapping
In a multiprotocol environment, the storage system uses file system access policies to manage user access control of its file systems. There are two kinds of security: UNIX and Windows.

For UNIX security authentication, the credential is built from the UNIX Directory Services (UDS), except for non-secure NFS access, where the credential is provided by the host client. User rights are determined from the mode bits and NFSv4 ACL. The user and group identifiers (UID and GID, respectively) are used for identification. There are no privileges associated with UNIX security.

For Windows security authentication, the credential is built from the Windows Domain Controller (DC) and Local Group Database (LGDB) of the SMB server. User rights are determined from the SMB ACLs. The security identifier (SID) is used for identification. There are privileges associated with Windows security, such as TakeOwnership, Backup, and Restore, which are granted by the LGDB or group policy object (GPO) of the SMB server.
The following table describes the access policies that define what security is used by which protocols:

Access policy: Native (default)
  • Each protocol manages access with its native security.
  • Security for NFS shares uses the UNIX credential associated with the request to check the NFSv3 UNIX mode bits or NFSv4 ACL. The access is then granted or denied.
  • Security for SMB shares uses the Windows credential associated with the request to check the SMB ACL. The access is then granted or denied.
  • NFSv3 UNIX mode bits and NFSv4 ACL permission changes are synchronized to each other.
  • There is no synchronization between the UNIX and Windows permissions.

Access policy: Windows
  • Secures file level access for Windows and UNIX using Windows security.
  • Uses a Windows credential to check the SMB ACL.
  • Permissions for newly created files are determined by an SMB ACL conversion. SMB ACL permission changes are synchronized to the NFSv3 UNIX mode bits or NFSv4 ACL.
  • NFSv3 mode bits and NFSv4 ACL permission changes are denied.

Access policy: UNIX
  • Secures file level access for Windows and UNIX using UNIX security.
  • Upon request for SMB access, the UNIX credential built from the local files or UDS is used to check the NFSv3 mode bits or NFSv4 ACL for permissions.
  • Permissions for newly created files are determined by the UMASK.
  • NFSv3 UNIX mode bits or NFSv4 ACL permission changes are synchronized to the SMB ACL.
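As an added illustration (not from the guide or from Dell's code), the following Python model encodes the credential, permission store and synchronization rules of the table above and shows the consequence of the Native policy's missing cross-protocol synchronization. It assumes a simplified representation in which each ACL is a single octal mode value, and it treats the SMB ACL conversion as a 1:1 copy, which the guide does not define.

```python
from dataclasses import dataclass

@dataclass
class FilePerms:
    """Constructed model: NFSv4 ACL and SMB ACL are each held as one octal mode value."""
    unix_mode: int   # NFSv3 mode bits
    nfsv4_acl: int   # NFSv4 ACL, modelled as mode bits
    smb_acl: int     # SMB ACL, modelled as mode bits

def check_access(policy, protocol, perms, want):
    """(credential kind, store consulted, granted) for a request; `want` is the mode-bit mask needed."""
    if policy == "Windows" or (policy == "Native" and protocol == "SMB"):
        return ("Windows", "smb_acl", perms.smb_acl & want == want)   # Windows credential, SMB ACL
    # UNIX policy for either protocol, or Native policy for NFS: UNIX credential, mode bits/NFSv4 ACL
    return ("UNIX", "unix_mode/nfsv4_acl", perms.unix_mode & want == want)

def change_permissions(policy, protocol, perms, new):
    """Apply a permission change made over `protocol` plus the synchronization the table states.
    Returns the stores updated, [] if denied, None for the case the table does not describe."""
    if protocol == "NFS":
        if policy == "Windows":
            return []                                # NFS-side permission changes are denied
        perms.unix_mode = perms.nfsv4_acl = new      # mode bits and NFSv4 ACL sync to each other
        updated = ["unix_mode", "nfsv4_acl"]
        if policy == "UNIX":                         # Native: no sync to the Windows side
            perms.smb_acl = new
            updated.append("smb_acl")
        return updated
    if policy == "UNIX":
        return None                                  # SMB ACL change under UNIX policy: not specified
    perms.smb_acl = new
    updated = ["smb_acl"]
    if policy == "Windows":                          # conversion assumed 1:1; the guide does not define it
        perms.unix_mode = perms.nfsv4_acl = new
        updated += ["unix_mode", "nfsv4_acl"]
    return updated

def native_drift_example():
    """Native policy: a chmod over NFS leaves the SMB ACL untouched, so one group-read
    request is answered differently depending on the protocol that carries it."""
    perms = FilePerms(0o640, 0o640, 0o640)
    change_permissions("Native", "NFS", perms, 0o600)    # owner removes group read over NFS
    via_nfs = check_access("Native", "NFS", perms, 0o040)[2]
    via_smb = check_access("Native", "SMB", perms, 0o040)[2]
    return via_nfs, via_smb                              # (False, True)

if __name__ == "__main__":
    print(native_drift_example())
```

Auditing for this kind of drift means comparing the UNIX and Windows permission stores of the same file when the Native policy is in use, since neither side is updated by the other.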