EMC Unity Family Security Configuration Manual page 25

- A Windows user must be mapped to a UNIX user.
- A UNIX user must be mapped to a Windows user in order to build the Windows credential when the user is accessing a file system that has a Windows access policy.
In storage system OE version 3.1, two new properties are associated to the NAS server:
- The default UNIX user.
- The default Windows user.
When a Windows user is not mapped, the user identifier (UID) and primary group
identifier (GID) of the default UNIX user are used in the Windows credential. Similarly
when a UNIX user is not mapped, the Windows credential of the default Windows user
is used.
Note: If the default UNIX user is not set in the UNIX Directory Services (UDS), SMB access is denied. If the default Windows user is not found in the Windows DC or the LGDB, NFS access on a file system that has a Windows access policy is denied.
UNIX credential for NFS requests
The UNIX credential is always embedded in each request; however, the credential is
limited to 16 extra groups. The NAS server extended-unix-cred property provides the
ability to build a credential with more than 16 groups. If this property is set, the active
UDS is queried with the UID to get the primary GID and all the group GIDs to which it
belongs. If the UID is not found in the UDS, the UNIX credential embedded in the
request is used.
UNIX credential for SMB requests
In order to connect, a Windows credential must first be built for an SMB user at session setup time. The UID of the user is included in the Windows credential. When accessing a file system with a UNIX access policy, the UID of the user is used to query the UDS to build the UNIX credential, similar to building an extended credential for NFS.
Windows credential for SMB requests
The Windows credential for SMB needs to be built only once at the session setup
request time when the user connects.
When using Kerberos authentication, the credential of the user is included in the
Kerberos ticket of the session setup request, unlike when using NTLM. Other
information is queried from the Windows DC or the LGDB. For Kerberos the list of
extra group SIDs is taken from the Kerberos ticket and the list of extra local group
SIDs and the list of privileges are taken from the LGDB. For NTLM the list of extra
group SIDs is taken from the Windows DC and the list of extra local group SIDs and
the list of privileges are taken from the LGDB.
Additionally, the corresponding UID is also retrieved from the user mapping
component. Since the primary group SID is not used for access checking, the UNIX
primary GID is used instead.
Windows credential for NFS requests
The Windows credential is only built/retrieved when a user is accessing a file system
that has a Windows access policy. The UID is extracted from the NFS request. There
is a global Windows credential cache to help avoid building the credential on each NFS
request with an associated retention time. If the Windows credential is found in this
cache, no other action is required. If the credential is not found, an attempt is made to
map the UID to an SID using the user mapping component. If a mapping is found the
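The credential-building rules of the sections "UNIX credential for NFS requests" and "Windows credential for NFS requests" above, modelled as an added example (not code from the manual or the Unity product): the 16-extra-group limit of the embedded credential versus the extended-unix-cred lookup, and the cache / UID-to-SID mapping / default-Windows-user order with its deny case. All directory data, SIDs and the NasServer class are constructed assumptions; the cache retention time is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory data (hypothetical, not from the manual).
UDS = {                       # UNIX Directory Services: uid -> (primary gid, all gids)
    1001: (100, [100, 200, 300]),
    1002: (100, [100] + list(range(500, 520))),   # 20 extra groups, above the NFS limit
}
UID_TO_SID = {1001: "S-1-5-21-1-1-1-1105"}          # user mapping component: uid -> SID
WINDOWS_USERS = {"nfs-default": "S-1-5-21-1-1-1-1200"}  # DC/LGDB account lookup by name
WINDOWS_GROUPS = {"S-1-5-21-1-1-1-1105": ["S-1-5-21-1-1-1-513"],
                  "S-1-5-21-1-1-1-1200": ["S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-1201"]}
NFS_MAX_EXTRA_GROUPS = 16     # limit of the credential embedded in each NFS request

@dataclass
class NasServer:
    extended_unix_cred: bool = False
    default_windows_user: Optional[str] = None
    windows_cred_cache: dict = field(default_factory=dict)   # retention time not modelled

def build_unix_cred_nfs(nas: NasServer, uid: int, embedded_gids: list) -> dict:
    """UNIX credential for an NFS request. With extended-unix-cred set, the UDS is
    queried for the full group list; otherwise (or if the UID is unknown to the UDS)
    the credential embedded in the request is used, capped at 16 extra groups."""
    if nas.extended_unix_cred and uid in UDS:
        primary_gid, all_gids = UDS[uid]
        return {"uid": uid, "gid": primary_gid, "groups": list(all_gids)}
    primary_gid, extra = embedded_gids[0], embedded_gids[1:]
    return {"uid": uid, "gid": primary_gid,
            "groups": [primary_gid] + extra[:NFS_MAX_EXTRA_GROUPS]}

def build_windows_cred_nfs(nas: NasServer, uid: int, access_policy: str) -> Optional[dict]:
    """Windows credential for an NFS request, needed only for a Windows access policy.
    Order: cache, then UID->SID mapping, then the default Windows user; access is
    denied when neither a mapping nor the default user can be resolved."""
    if access_policy != "windows":
        return None
    if uid in nas.windows_cred_cache:
        return nas.windows_cred_cache[uid]
    sid = UID_TO_SID.get(uid)
    if sid is None:                              # unmapped UNIX user
        sid = WINDOWS_USERS.get(nas.default_windows_user or "")
        if sid is None:
            raise PermissionError("NFS access denied: default Windows user not found in DC/LGDB")
    # Assumption: group SIDs come from the DC lookup as for SMB (the manual page is cut off here).
    cred = {"sid": sid, "groups": WINDOWS_GROUPS.get(sid, [])}
    nas.windows_cred_cache[uid] = cred
    return cred
```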