Authenticating User Access; Indicating The Computer To Use For The NFS User Mapping Server - HP StorageWorks S1000 - NAS Administration Manual


Authenticating User Access

NFS export access is granted or denied to clients based on client name or IP address. The
server determines whether a specific client machine has access to an NFS export. No user
logon to the NFS server takes place when a file system is exported by the NFS server.
Permission to read or write to the export is granted to specific client machines. For example, if
client machine M1 is granted access to an export but client M2 is not, user jdoe can access the
export from M1 but not from M2.
Permissions are granted on a per-export basis; each export has its own permissions,
independent of other exports on the system. For example, file system a can be exported to
allow only the Accounting department access, and file system m can be exported allowing
only the Management department access. If a user in Management needs access to the
Accounting information, the a export permissions can be modified to let that one user's client
machine have access. This modification does not affect other client access to the same export,
nor does it allow the Management user or client access to other exports.
After the client machine has permission to the export, the user logon affects file access. The
client machine presents the UNIX user ID (UID) and group ID (GID) to the server. When the
computer accesses a file, the user logon is compared against the typical UNIX permissions of
user, group, and other, and typical UNIX access is applied.
Note: User credentials are not questioned or verified by the NFS server. The server accepts the
presented credentials as valid and correct.
If the NFS server does not have a corresponding UID or GID, or if the administrator has set
other conditions to filter out the user, a process called squashing takes effect. Squashing is the
conversion of an unknown or filtered user to an anonymous user. This anonymous user has
very restricted permissions on the system. Squashing helps administrators manage access to
their exports by allowing them to restrict access to certain individuals or groups and to squash
all others down to restricted (or no) access. Squashing enables the administrator to allow
permissions instead of denying access to all the individuals who are not supposed to have
access. See "NFS User and Group Mappings" later in this chapter for specific information
about creating and maintaining mappings.

Indicating the Computer to Use for the NFS User Mapping Server

During the processes of starting and installing the NAS 1000s, the name localhost is assigned
by default to the computer. It is assumed that the NAS 1000s is the computer that will be used
for user name mapping.
If there are other mapping servers and a machine other than the localhost that will store user
name mappings, the name of that computer must be indicated, as detailed below:
1. Use Terminal Services to access the NAS Management Console, click File Sharing,
Services for UNIX. Click Server for NFS. Figure 57 is an example of the Server for NFS
user interface.
2. In the Computer name box of the user-mapping screen, type the name of the computer
designated for user mapping and authentication.
3. Localhost is the computer name assigned by default on the NAS 1000s. To control user
mapping from a different computer, enter the name of that computer.

NAS 1000s Administration Guide, UNIX File System Management
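
The access decision described under "Authenticating User Access" (per-export client check, then mapping and squashing, then UNIX permission bits) can be modelled as follows. This is an added example, not code from the HP manual or from Server for NFS; the class and function names, the sample UIDs and GIDs, and the anonymous ID value of -2 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ANON_UID = ANON_GID = -2  # assumed anonymous IDs; the real values are set by the administrator

@dataclass
class Export:
    clients: set                                      # machines allowed to use this export
    mapped_uids: set                                  # UIDs the mapping server knows (hypothetical model)
    filtered_uids: set = field(default_factory=set)   # UIDs the administrator squashes

@dataclass
class FileEntry:
    owner: int
    group: int
    mode: int                                         # UNIX permission bits, e.g. 0o640

def effective_ids(export, uid, gid):
    """Return the IDs the server acts on. The presented IDs are accepted, never verified."""
    if uid not in export.mapped_uids or uid in export.filtered_uids:
        return ANON_UID, ANON_GID                     # squashing to the anonymous user
    return uid, gid

def can_read(export, client, uid, gid, entry):
    if client not in export.clients:                  # 1. per-export machine check
        return False
    uid, gid = effective_ids(export, uid, gid)        # 2. mapping and squashing
    if uid == entry.owner:                            # 3. user, group, other
        return bool(entry.mode & 0o400)
    if gid == entry.group:
        return bool(entry.mode & 0o040)
    return bool(entry.mode & 0o004)

# Constructed sample data: export "a" for Accounting, reachable only from M1.
EXPORT_A = Export(clients={"M1"}, mapped_uids={1001, 1002})
LEDGER = FileEntry(owner=1001, group=200, mode=0o640)   # jdoe's private file
NOTICE = FileEntry(owner=1001, group=200, mode=0o644)   # world-readable file

def demo():
    return {
        "jdoe from M1": can_read(EXPORT_A, "M1", 1001, 200, LEDGER),
        "jdoe from M2": can_read(EXPORT_A, "M2", 1001, 200, LEDGER),
        "unmapped UID, private file": can_read(EXPORT_A, "M1", 4242, 200, LEDGER),
        "unmapped UID, public file": can_read(EXPORT_A, "M1", 4242, 200, NOTICE),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Because step 2 works only from the UID and GID the client presents, the per-export client list in step 1 is the control that decides which machines are trusted to report user identities.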
