Dynamic Access Control - EMC Unity Family Security Configuration Manual

Dynamic Access Control

Realm name: The name of the Kerberos realm, which generally contains all upper-
l
case letters.
Entirely configure a UNIX KDC based Kerberos realm.
l
To ensure that a client mounts an NFS export with a specific security, a security
parameter, sec, is provided that indicates which minimal security is allowed. There are
4 kinds of security:
AUTH_SYS: Standard legacy security which does not use Kerberos. The server
l
trust the credential provided by the client
KRB5: Authentication using Kerberos v5
l
KRB5i: Kerberos authentication plus integrity (signing)
l
KRB5p: Kerberos authentication plus integrity plus privacy (encryption)
l
If a NFS client tries to mount an export with a security that is lower than the
configured minimal security, the access will be denied. For example, if minimal access
is KRB5i, any mount using AUTH_SYS or KRB5 will be rejected.
Building a credential
When a user connects to the system, it presents only its principal, user@REALM,
which is extracted from the Kerberos ticket. Unlike AUTH_SYS security, the
credential is not included in the NFS request. From the principal, the user part (before
the @) is extracted and used to lookup the UDS for the corresponding uid. From that
uid, the credential is built by the system using the active UDS, similar to when the
Extended NFS credential is enabled (with the exception that, without Kerberos, the
uid is provided directly by the request).
If the principal is not mapped in the UDS, the configured default UNIX user credential
is used instead. If the default UNIX user is not set, the credential used will be nobody.
Replication
When a NAS server is the target of a replication, there is the possibility to access data
through NFS for backup or disaster recovery. NFS secure cannot be used in these
case since the usage of direct IP addresses is not compatible with Kerberos. Also,
FQDN cannot be used because it could resolve to either the production interfaces on
the source or the local interfaces on the destination.
Dynamic Access Control (DAC) enables administrators to apply access-control
permissions and restrictions on resources based on well-defined rules that can include
the sensitivity of the resources, the job or role of the user, and the configuration of
the device that is used to access these resources.
DAC Claims Based Access Control (CBAC) is a feature of Windows Server 2012 that
allows access control to be defined on the domain controller through a set of Central
Access Policies (CAPs). Each Central Access Policy (identified by its CAPID) has a
number of Central Access Rules (CARs) associated with it. CAPs can be assigned to
Group Policy Objects (GPOs). This is the mechanism used to distribute CAPs to
individual file servers. The CAP that applies to a particular resource (that is, a
directory or file) is determined by the CAPID. When a NAS Server is created with
Windows Shares (SMB), it will pick up the correct CAP and CAR when it joins the
domain.
Each CAR has the following attributes:
Resource Target Expression
l
Access Control

Dynamic Access Control

27