• UNIX - UNIX security is used for both NFS and SMB.
• Windows - Windows security is used for both NFS and SMB.
• Native - Uses the security that is native to the protocol: UNIX for NFS or Windows for SMB.
The UNIX access policy secures file-level access using UNIX security. It uses a UNIX credential for all protocols and enforces only the mode bits for all protocols. When a file-level request arrives through SMB, the NAS server builds a UNIX credential for the SMB user from the enabled UNIX Directory Service (UDS) and checks the mode bits with it; access is granted or denied on the mode bits alone. Windows ACLs are ignored, even for user access through SMB, so an ACL that grants an SMB user full control has no effect under this policy.
The Windows access policy secures file-level access using Windows security. It uses a Windows credential for all protocols and enforces only the SMB ACL for all protocols. When a file-level request arrives through NFS, the NAS server builds a Windows credential for the NFS user from the domain controller (DC) and the local group database (LGDB) and checks the SMB ACL with it; access is granted or denied on the ACL alone. UNIX mode bits are ignored, even for user access through NFS.
The Native access policy secures file-level access using the security that is native to each protocol: a UNIX credential for NFS and a Windows credential for SMB, enforcing only the mode bits for NFS and only the SMB ACL for SMB. When a file-level NFS request is processed, the UNIX credential associated with the request is used to check the mode bits and access is granted or denied on that basis. When a file-level SMB request is processed, the Windows credential associated with the request is used to check the SMB ACL and access is granted or denied on that basis. There is no synchronization between the mode bits and the SMB discretionary access control list (DACL): they are independent, so the same file can be accessible through one protocol and not through the other.
For FTP, whether Windows or UNIX authentication is used depends on the format of the user name. If Windows authentication is used, FTP access control is similar to that for SMB; otherwise it is similar to that for NFS. FTP and SFTP clients are authenticated when they connect to the server on the storage processor (SP). The authentication is an SMB authentication when the user name has the form domain\user or user@domain, and a UNIX authentication for any other user-name format. SMB authentication is performed by the Windows DC of the domain defined in the VDM. UNIX authentication is performed by the NAS server (VDM) against the encrypted password stored in a remote LDAP server, a remote NIS server, or the local password file of the VDM.
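The three access policies and the FTP user-name rule above, as an added worked example that is not from this guide or from EMC: a small Python model in which one file carries both UNIX mode bits and an SMB DACL, and the policy (plus, for Native, the protocol) decides which of the two is consulted. The user names, SIDs, uids, mode bits and the simplified single-mask ACE format are assumptions made for the example.

```python
"""Model of the Unity access policies and FTP authentication selection. Added
example, not EMC/Unity code: all users, SIDs, uids, modes and ACLs are made up."""
import re
from dataclasses import dataclass

READ, WRITE = 4, 2   # rwx-style bits, reused as a simplified ACE access mask
ALICE_SID, GROUP_SID = 'S-1-5-21-1-2-3-1105', 'S-1-5-21-1-2-3-513'

@dataclass(frozen=True)
class UnixCred:          # uid plus primary and supplementary gids
    uid: int
    gids: frozenset

@dataclass(frozen=True)
class WindowsCred:       # user SID plus group SIDs (from the DC or the LGDB)
    sids: frozenset

@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool
    mask: int

@dataclass(frozen=True)
class File:
    owner_uid: int
    owner_gid: int
    mode: int            # e.g. 0o640
    dacl: tuple          # ACEs in canonical order (explicit deny before allow)

def check_mode_bits(cred: UnixCred, f: File, want: int) -> bool:
    """Owner/group/other mode-bit check with a UNIX credential."""
    if cred.uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif f.owner_gid in cred.gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return want & bits == want

def check_dacl(cred: WindowsCred, f: File, want: int) -> bool:
    """Simplified Windows DACL walk: an allow ACE removes the rights it grants
    from the request; a deny ACE matching an outstanding right denies."""
    remaining = want
    for ace in f.dacl:
        if ace.sid not in cred.sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
    return remaining == 0          # an empty DACL grants nothing

def check_access(policy: str, protocol: str, f: File, want: int,
                 unix_cred: UnixCred, win_cred: WindowsCred) -> bool:
    """The policy ('UNIX', 'Windows', 'Native') and, for Native only, the
    protocol ('NFS', 'SMB') decide which credential and store are consulted."""
    if policy == 'UNIX':
        return check_mode_bits(unix_cred, f, want)  # DACL ignored, even for SMB
    if policy == 'Windows':
        return check_dacl(win_cred, f, want)        # mode bits ignored, even for NFS
    if policy == 'Native' and protocol == 'NFS':
        return check_mode_bits(unix_cred, f, want)
    if policy == 'Native' and protocol == 'SMB':
        return check_dacl(win_cred, f, want)
    raise ValueError(f'unknown policy/protocol: {policy}/{protocol}')

# FTP/SFTP: domain\user or user@domain selects Windows (SMB-style)
# authentication; any other user-name format selects UNIX authentication.
_WINDOWS_NAME = re.compile(r'^[^\\@]+\\[^\\@]+$|^[^\\@]+@[^\\@]+$')

def ftp_auth_type(username: str) -> str:
    return 'Windows' if _WINDOWS_NAME.match(username) else 'UNIX'

def demo() -> dict:
    """File owned by uid 1001/gid 100, mode 0640, DACL granting read+write to
    alice, whose UNIX mapping is uid 2002 in gid 100. Returns
    {(policy, protocol): (can_read, can_write)}."""
    f = File(1001, 100, 0o640, (Ace(ALICE_SID, True, READ | WRITE),))
    alice_unix = UnixCred(uid=2002, gids=frozenset({100}))
    alice_win = WindowsCred(sids=frozenset({ALICE_SID, GROUP_SID}))
    return {(policy, proto): tuple(
                check_access(policy, proto, f, right, alice_unix, alice_win)
                for right in (READ, WRITE))
            for policy in ('UNIX', 'Windows', 'Native')
            for proto in ('NFS', 'SMB')}

def deny_ace_demo() -> tuple:
    """A deny-write ACE on alice's group precedes her allow ACE: (read, write)."""
    f = File(1001, 100, 0o777, (Ace(GROUP_SID, False, WRITE),
                                Ace(ALICE_SID, True, READ | WRITE)))
    alice_win = WindowsCred(sids=frozenset({ALICE_SID, GROUP_SID}))
    return (check_dacl(alice_win, f, READ), check_dacl(alice_win, f, WRITE))

if __name__ == '__main__':
    for (policy, proto), (r, w) in sorted(demo().items()):
        print(f'{policy:8s} policy, {proto} request: read={r} write={w}')
    print('deny ACE (read, write):', deny_ace_demo())
```

Running it shows the asymmetry that matters in practice: under the UNIX policy an SMB user who has read and write in the DACL is still denied write, because only the mode bits of her mapped UNIX identity count; under the Windows policy the same user gets write through NFS even though the mode bits would refuse it; under Native the answer flips with the protocol. The DACL walk is deliberately simplified (one rwx-style mask, canonical deny-before-allow order); a real NTFS evaluation uses full access masks and inheritance flags.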
Credentials for file level security
To enforce file-level security, the storage system must build a credential that is associated with the SMB or NFS request being handled. There are two kinds of credential, Windows and UNIX. In most cases both are built by the NAS server. The only exceptions are:
• a Windows credential for an SMB connection that was authenticated with Kerberos (the credential is derived from the Kerberos ticket the client presents rather than rebuilt by the NAS server);
• a UNIX credential for an NFS request when the extended credential option is disabled (the uid and gids carried in the NFS request are used as they are, with no directory lookup).
A persistent credential cache is used for the following:
• Windows credentials built for access through NFS.
• UNIX credentials for access through NFS when the extended credential option is enabled.
There is one cache instance for each NAS server.
Granting access to unmapped users
Multiprotocol requires the following:
Access Control
24 EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide