Table of Contents
Advertisement
Authentication
NFS export access is granted or denied to clients based on client name or IP
address. The server determines whether or not a specific client machine has
access to an NFS export. No user logon to the NFS server takes place when a
file system is exported by the NFS server. Permission to read or write to the
export is granted to specific client machines. For example, if client machine
M1 is granted access to an export but client M2 is not, user jdoe can access the
export from M1 but not from M2.
The permissions are on a per-export basis. That means that each export has its
own permissions, independent of other exports on the system. For example,
file system a can be exported to allow only the Accounting department access,
and file system m can be exported allowing only the Management department
access. If a user in Management needs access to the Accounting information,
the a export permissions can be modified to let that one user's client machine
have access. This modification does not affect other client access to the same
export, nor does it allow the Management user or client access to other
exports.
After the client machine has permission to the export, the user logon affects
file access. The client machine presents the UNIX user's user ID (UID) and
group ID (GID) to the server. When the computer accesses a file, the user
logon is compared against the typical UNIX permissions of "user," "group,"
and "other," and typical UNIX access is applied.
NOTE: User credentials are not questioned or verified by the NFS server. The server
accepts the presented credentials as valid and correct.
If the NFS server does not have a corresponding UID or GID, or if the
administrator has set other conditions to filter out the user, a process called
"squashing" takes effect. Squashing is the conversion of an unknown or
filtered user to an "anonymous" user. This anonymous user has very restricted
permissions on the system. Squashing helps administrators manage access to
their exports by allowing them to restrict access to certain individuals or
groups and to squash all others down to restricted (or no) access. Squashing
enables the administrator to allow permissions instead of denying access to all
the individuals who are not supposed to have access. See the section titled
"User Name Mapping" later in this chapter for more details.
Integrating UNIX into Windows NT 4-5
Advertisement
Chapters
Table of Contents
Troubleshooting
