HP NetStorage 6000 Manual

File sharing security
File Sharing Security
on the
hp surestore
netstorage 6000
White Paper
Copyright © 2000 Hewlett-Packard Company
All Rights Reserved
Page 1 of 28


Summary of Contents for HP NetStorage 6000

  • Page 1: File Sharing Security on the hp surestore netstorage 6000 White Paper...
  • Page 2: Table Of Contents

    Restricting User Access (page 5); Restricting Host Access (page 6); Considerations for the HP NetStorage 6000 (page 6); 2.4.1 Trusted Hosts (page 6); 2.4.2...
  • Page 3: Table of Contents (continued)

    Windows File Accessed by UNIX Clients (page 26); File Format Details (page 27); HP NetStorage 6000 Files - passwd, group, users.map, group.map (page 27); UNIX Files - passwd.nis and group.nis (page 28); Acronyms (page 28)...
  • Page 4: Introduction

    This feature allows files to be safely accessed through both protocols. On a network of UNIX clients, the HP NetStorage 6000 provides a native interface to the files on the NAS device through the Network File System (NFS). The NFS protocol is the native file serving protocol of UNIX networks and integrates seamlessly with the established features of UNIX security and file locking.
  • Page 5: Restricting User Access

    To address this security weakness, a second mechanism may be employed that restricts host access to remote resources...
  • Page 6: Restricting Host Access

    2.4.1 Trusted Hosts All UNIX clients that mount file systems on the HP NetStorage 6000 use the UID and GID of their account when accessing files. A special case is the root user (UID = 0). In UNIX, the root user is a Super User, with full access to all files and directories in the file system.
  • Page 7: The /etc Directory

    HP NetStorage 6000. 2.4.2 The /etc Directory It is necessary to maintain a number of system files on the HP NetStorage 6000 in an accessible place for administrative purposes. Some of the more common files found in this directory are as follows:...
  • Page 8: Security On Windows Networks

    This security mode is most appropriate in client-server based networks. User Level Security is the default security mode of Windows NT and Windows 2000...
  • Page 9: Share Level Security

    On NT networks, the network-wide user accounts are managed through NT domains. The architecture of NT domains is discussed in the next section...
  • Page 10: NT Domains

    Each circle in the diagram represents a different NT domain. Domains X, Y and Z are configured as resource domains. Domain A is configured as an account domain. The...
  • Page 11 The domain that trusts another domain has an arrow pointed at the domain it trusts. [Figure 2. Multiple Master Domain Model; diagram labels: Account Domains, Trust Relationships, Resource Domains]...
  • Page 12: User Authentication

    2) If the account is not a local account, then the request is passed on to the NetLogon service, which in turn passes it along to the domain controller where the computer's own machine account resides (domain A)...
  • Page 13: Password Maintenance And Encryption

    Even though it is not feasible to decrypt plaintext-equivalent passwords, they can be used to obtain authentication on a server...
  • Page 14: Security Descriptors

    Discretionary ACLs and one for System ACLs. The Discretionary ACEs are AccessAllowed and AccessDenied. They explicitly grant or deny access to a user or group of users. SystemAudit is a System ACE...
  • Page 15 In addition, there must not exist any entry that specifically denies reading or writing to the user. Otherwise, the user will be denied access to the file...
  • Page 16: Considerations For The HP NetStorage 6000

    For administrators with special needs, the default UID and GID of zero may be changed for a given share. The telnet interface of the HP NetStorage 6000 allows the user to specify the UID and the GID to be used for a particular share.
  • Page 17: DOS Attributes

    SMB protocol have both UNIX and Windows security attributes and are classified as NT objects. Since the native file system used by the HP NetStorage 6000 is a UNIX file system, any Windows objects that are created will have both UNIX and NT security attributes associated with them. It is possible for a Windows user to modify a UNIX object's security attributes.
  • Page 18: File Sharing Configuration

    UNIX security policies, and a choice of mapping strategies that are selected. Each of these aspects controls and refines the access that users will or will not have to the files stored on the HP NetStorage 6000. Each of these topic areas is covered in the discussion below.
  • Page 19: Mapping Strategies

    If mapping is desired it can be selected for users and/or groups. Recall from the previous discussion that the HP NetStorage 6000 file system uses a UNIX style file system. Therefore, it is necessary to identify all users with a UID and GID value.
  • Page 20: User Mapping

    5.2.1 User Mapping There are two ways that an HP NetStorage 6000 user can obtain a UID. In the first case, the user has a UNIX account and the administrator has elected to do some type of mapping - either by user logon name or full name mapping.
  • Page 21: Mapping Files

    UNIX files. group.nis: UNIX group name, GID, members of group, in text format. Consulted if group mapping is enabled and the NT client has not previously been assigned a GID...
  • Page 22: Establishing A Windows Client

    UID and GID with numbers greater than or equal to 60001. The user's credentials are checked each time the user logs into the HP NetStorage 6000. The user must have the same NT domain and user name to be considered the same.
  • Page 23 UNIX client where the NT Windows full name matches the contents of the UNIX comment field, which is frequently used for the user's full name. If the HP NetStorage 6000 is able to find a match in the passwd.nis file, then the UID and GID that will be associated with this Windows client will be that UID and GID...
  • Page 24: Establishing A UNIX Client

    NIS server information, since the HP NetStorage 6000 did not perform user authentication or account name resolution. When a UNIX client attaches to the HP NetStorage 6000, it has a UID and GID that have been previously assigned to it by its UNIX administrator. Since there is no need to assign these values, the purpose of obtaining UNIX user information is to synthesize ACL information that can be displayed to Windows clients or to map UNIX clients to Windows clients.
  • Page 25: UNIX File Accessed By Windows Clients

    The Windows user can use a tool like Windows Explorer to map a network drive and store the file on the HP NetStorage 6000. When the Windows client examines the Windows file permissions, they will find that they are shown as the owner of the file. In addition, they will see that the group Everyone has Full Access permissions. As the owner, the user can modify the permissions to either grant or prohibit access to users and groups as they see fit.
  • Page 26: Windows File Accessed By UNIX Clients

    Client assumptions: Windows client created the file and is the owner of the file. As a Windows client, the user has stored the file on the HP NetStorage 6000. Client has accessed the HP NetStorage 6000 as a Windows client...
  • Page 27: File Format Details

    Marketing group will be able to access this file according to the permissions that have been granted by the creator or owner of the file.
    8 File Format Details
    8.1 HP NetStorage 6000 Files - passwd, group, users.map, group.map
    Passwd: <NT domain/logon name>:*:<UID>:<GID>:<comment>:
    Group: <NT domain/logon name>:*:<GID>...
  • Page 28: UNIX Files - passwd.nis And group.nis

    Acronyms: Network Basic Input/Output System; Network File System; Network Information Services; New Technology; Primary Domain Controller; Relative Identifier; Security Account Manager; Security Descriptor; Security Identifier; Server Message Block; User IDentifier. References...

This manual is also suitable for:

Surestore netstorage 6000