Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 23

Credentials for file level security, Granting access to unmapped users

Access policy / Description (table continued)
• SMB ACL permission changes are allowed in order to avoid causing disruption, but these permissions are not maintained.

For FTP, authentication with Windows or UNIX depends on the user name format that is used when authenticating to the NAS server. If Windows authentication is used, FTP access control is similar to that for SMB; otherwise, authentication is similar to that for NFS. FTP and SFTP clients are authenticated when they connect to the NAS server. This can be an SMB authentication (when the format of the user name is domain\user or user@domain) or a UNIX authentication (for the other formats of a single user name). The SMB authentication is performed by the Windows DC of the domain defined in the NAS server. The UNIX authentication is performed by the NAS server according to the encrypted password stored in either a remote LDAP server, a remote NIS server, or the local password file of the NAS server.

Credentials for file level security

To enforce file-level security, the storage system must build a credential that is associated with the SMB or NFS request being handled. There are two kinds of credentials, Windows and UNIX. UNIX and Windows credentials are built by the NAS server for the following use cases:
• To build a UNIX credential with more than 16 groups for an NFS request. The extended credential property of the NAS server must be set to provide this ability.
• To build a UNIX credential for an SMB request when the access policy for the file system is UNIX.
• To build a Windows credential for an SMB request.
• To build a Windows credential for an NFS request when the access policy for the file system is Windows.

NOTE: For an NFS request when the extended credential property is not set, the UNIX credential from the NFS request is used. When using Kerberos authentication for an SMB request, the Windows credential of the domain user is included in the Kerberos ticket of the session setup request.

A persistent credential cache is used for the following:
• Windows credentials built for access to a file system having a Windows access policy.
• UNIX credentials for access through NFS if the extended credential option is enabled.
There is one cache instance for each NAS server.

Granting access to unmapped users

Multiprotocol requires the following:
• A Windows user must be mapped to a UNIX user.
• A UNIX user must be mapped to a Windows user in order to build the Windows credential when the user is accessing a file system that has a Windows access policy.

Two properties are associated with the NAS server with regard to unmapped users:
• The default UNIX user.
• The default Windows user.

When an unmapped Windows user attempts to connect to a multiprotocol file system and the default UNIX user account is configured for the NAS server, the user identifier (UID) and primary group identifier (GID) of the default UNIX user are used in the Windows credential. Similarly, when an unmapped UNIX user attempts to connect to a multiprotocol file system and the default Windows user account is configured for the NAS server, the Windows credential of the default Windows user is used.

NOTE: If the default UNIX user is not set in the UNIX Directory Services (UDS), SMB access is denied for unmapped users. If the default Windows user is not found in the Windows DC or the LGDB, NFS access on a file system that has a Windows access policy is denied for unmapped users.

NOTE: The default UNIX user can be a valid existing UNIX account name or follow the new format @uid=xxxx,gid=yyyy@, where xxxx and yyyy are the decimal numerical values of the UID and the primary GID, respectively, and can be configured on the system through PowerStore Manager.

Authentication and access 23
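The unmapped-user rules above, modelled as an added example (this is not Dell's code; the `uds` and `dc_users` dictionaries are stand-ins for UDS and Windows DC / LGDB lookups, and the SID value is constructed). It accepts the default UNIX user either as an account name or in the `@uid=xxxx,gid=yyyy@` format, and returns no credential in the cases the guide says are denied.

```python
import re
from typing import Dict, Optional, Tuple

# Literal format from the guide: @uid=xxxx,gid=yyyy@ with decimal UID and GID.
DEFAULT_UNIX_USER_RE = re.compile(r"^@uid=(\d+),gid=(\d+)@$")


def resolve_default_unix_user(value: Optional[str],
                              uds: Dict[str, Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    """Return (uid, gid) of the NAS server's default UNIX user, or None.

    `value` is either an existing UNIX account name, looked up in `uds`
    (an assumed dict name -> (uid, gid) standing in for the UNIX Directory
    Services), or the literal @uid=xxxx,gid=yyyy@ form. None means the
    default UNIX user is not set / not resolvable in UDS.
    """
    if not value:
        return None
    m = DEFAULT_UNIX_USER_RE.match(value)
    if m:
        return int(m.group(1)), int(m.group(2))
    return uds.get(value)


def smb_credential_for_unmapped_windows_user(default_unix_user: Optional[str],
                                             uds: Dict[str, Tuple[int, int]]) -> Optional[dict]:
    """Windows credential for an unmapped Windows user over SMB.

    The UID/GID of the default UNIX user are placed in the Windows
    credential; if that user cannot be resolved, SMB access is denied (None).
    """
    ids = resolve_default_unix_user(default_unix_user, uds)
    if ids is None:
        return None
    uid, gid = ids
    return {"type": "windows", "uid": uid, "gid": gid}


def nfs_credential_for_unmapped_unix_user(default_windows_user: Optional[str],
                                          dc_users: Dict[str, str],
                                          access_policy: str) -> Optional[dict]:
    """Credential for an unmapped UNIX user over NFS.

    A Windows credential is only required when the file system has a
    Windows access policy; otherwise the UNIX credential from the NFS
    request is used. If the default Windows user is not found in the
    DC / LGDB (here: the assumed `dc_users` dict name -> SID), deny (None).
    """
    if access_policy != "Windows":
        return {"type": "unix"}
    if not default_windows_user or default_windows_user not in dc_users:
        return None
    return {"type": "windows", "sid": dc_users[default_windows_user]}
```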

