S4U2 Functionality - HP ProLiant 300 Series Administration Manual


export is granted to specific client machines. For example, if client machine M1 is granted access to an
export but client M2 is not, user jdoe can access the export from M1 but not from M2.
Permissions are granted on a per-export basis; each export has its own permissions, independent of
other exports on the system. For example, file system a can be exported to allow only the Accounting
department access, and file system m can be exported to allow only the Management department
access. If a user in Management needs access to the Accounting information, the permissions of the a
export can be modified to let that one user's client machine have access. This modification does not
affect other client access to the same export, nor does it allow the Management user or client access to
other exports.
After the client machine has permission to the export, the user logon determines file access. The client
machine presents the UNIX user ID (UID) and group ID (GID) to the server. When the client accesses
a file, the mapping server translates the presented UID and GID into a Windows user ID and group ID.
The ACLs of the file or directory object being requested are then compared against the mapped
Windows login or group ID to determine whether the access attempt should be granted.
NOTE:
User credentials are not questioned or verified by the NFS server. The server accepts the presented
credentials as valid and correct.
If the NFS server does not have a corresponding UID or GID, or if the administrator has set other
conditions to filter out the user, a process called squashing takes effect. Squashing is the conversion of an
unknown or filtered user to an anonymous user. This anonymous user has very restricted permissions on
the system. Squashing helps administrators manage access to their exports by allowing them to restrict
access to certain individuals or groups, and to squash all others down to restricted (or no) access.
Squashing enables the administrator to allow permissions instead of denying access to all the individuals
who are not supposed to have access. See "NFS User and Group Mappings" later in this chapter for
specific information about creating and maintaining mappings.
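The two-stage check described above (client machine permitted on the export, then UID/GID mapped to a Windows identity or squashed to anonymous before the ACL is evaluated) is easy to reason about when written out. The following Python model is an added illustration, not code from HP or from Services for NFS; the export names, client names (M1, M2, M3), UIDs, Windows account names and the "ANONYMOUS LOGON" label are all constructed sample values. It also shows why the NOTE matters: the presented UID is taken at face value, so the per-export client list and squashing are the controls that actually limit who gets in.

```python
"""Model of the NFS export access check: host permission, then identity mapping/squashing, then ACL.
Added example with constructed data; not the product's code."""
from dataclasses import dataclass, field

ANONYMOUS = "ANONYMOUS LOGON"   # identity a squashed request is mapped to (constructed label)


@dataclass
class Export:
    name: str
    allowed_clients: set          # client machines granted access to this export
    uid_map: dict                 # UNIX UID -> Windows account (the mapping server's table)
    gid_map: dict                 # UNIX GID -> Windows group
    squash_uids: set = field(default_factory=set)   # UIDs the administrator filters out (e.g. root)


@dataclass
class FileAcl:
    entries: dict                 # Windows principal -> set of rights such as {"read", "write"}


def map_identity(export, uid, gid):
    """Translate a presented UID/GID. Unknown or filtered UIDs are squashed to anonymous."""
    if uid in export.squash_uids or uid not in export.uid_map:
        return ANONYMOUS, ANONYMOUS
    return export.uid_map[uid], export.gid_map.get(gid, ANONYMOUS)


def check_access(export, client, uid, gid, acl, right):
    """Return (allowed, reason). Note the server never verifies uid/gid; it trusts what the client sent."""
    if client not in export.allowed_clients:
        return False, f"client {client} is not permitted on export {export.name}"
    user, group = map_identity(export, uid, gid)
    for principal in (user, group):
        if right in acl.entries.get(principal, set()):
            return True, f"{right} granted to {principal}"
    return False, f"{right} denied; request mapped to {user} / {group}"


def grant_client(export, client, uid=None, account=None):
    """Administrator change on ONE export: permit a client machine and optionally map one extra UID.
    Returns a new Export so every other export stays untouched."""
    new = Export(export.name, set(export.allowed_clients) | {client},
                 dict(export.uid_map), dict(export.gid_map), set(export.squash_uids))
    if uid is not None:
        new.uid_map[uid] = account
    return new


# Constructed sample exports: "a" for Accounting, "m" for Management; root (UID 0) is squashed on both.
EXPORT_A = Export("a", {"M1"}, {1001: "CORP\\jdoe", 1002: "CORP\\asmith"}, {100: "CORP\\Accounting"}, {0})
EXPORT_M = Export("m", {"M3"}, {2001: "CORP\\mgr"}, {200: "CORP\\Management"}, {0})

# Constructed ACLs on a file in each export.
BUDGET_ACL = FileAcl({"CORP\\jdoe": {"read", "write"}, "CORP\\Accounting": {"read"},
                      "CORP\\mgr": {"read"}, ANONYMOUS: set()})
PLAN_ACL = FileAcl({"CORP\\Management": {"read", "write"}})


def demo():
    """Walk through the scenarios the manual describes; returns name -> allowed."""
    a_after = grant_client(EXPORT_A, "M3", 2001, "CORP\\mgr")   # let one manager's machine into export a
    return {
        "jdoe_from_M1": check_access(EXPORT_A, "M1", 1001, 100, BUDGET_ACL, "write")[0],
        "jdoe_from_M2": check_access(EXPORT_A, "M2", 1001, 100, BUDGET_ACL, "read")[0],   # host not permitted
        "root_from_M1": check_access(EXPORT_A, "M1", 0, 0, BUDGET_ACL, "read")[0],        # filtered -> squashed
        "unknown_uid_from_M1": check_access(EXPORT_A, "M1", 4242, 100, BUDGET_ACL, "read")[0],  # no mapping -> squashed
        "asmith_read_via_group": check_access(EXPORT_A, "M1", 1002, 100, BUDGET_ACL, "read")[0],
        "asmith_write": check_access(EXPORT_A, "M1", 1002, 100, BUDGET_ACL, "write")[0],
        "mgr_on_a_before": check_access(EXPORT_A, "M3", 2001, 200, BUDGET_ACL, "read")[0],
        "mgr_on_a_after": check_access(a_after, "M3", 2001, 200, BUDGET_ACL, "read")[0],
        "jdoe_on_m_unaffected": check_access(EXPORT_M, "M1", 1001, 100, PLAN_ACL, "read")[0],
        "export_a_original_untouched": "M3" not in EXPORT_A.allowed_clients,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30} {'ALLOW' if allowed else 'DENY'}")
```

The model makes the page's ordering explicit: a request from an unlisted client never reaches the mapping step, a filtered or unmapped UID is squashed before the ACL is consulted, and granting one client on export a changes nothing on export m.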

S4U2 functionality

Windows Server 2003 Active Directory now supports the S4U2Proxy extension to the Kerberos
protocol. This extension allows services in the domain to act on behalf of a user. Therefore, in a domain
whose domain controllers all run Windows Server 2003, you do not have to install the Server for NFS
Authentication DLL on the domain controllers for Server for NFS to authenticate domain users. For more
information on S4U2Proxy, consult the S4U2Self topic at the following URL:
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/default.aspx
NOTE:
The S4U2 functionality does not work until the domain functional level is elevated to Windows Server
2003.
To elevate the functional level to Windows Server 2003:
1. On the Windows 2003 domain controller, open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to raise functionality, and then click
Raise Domain Functional Level.
3. In Select an available domain functional level, click Windows Server 2003.
126
Services for NFS/UNIX

This manual is also suitable for:

Proliant 500 series

Table of Contents