Reference Guide
1. secmap is searched for the UID. If the UID is found, the SID mapping is resolved.
2. If the UID is not found in secmap, the UNIX name related to the UID must be found.
   a. The UDS (NIS server, LDAP server, or local files) is searched using the UID. If the UID is found, the related UNIX name is the user name.
   b. If the UID is not found in the UDS but there is a default Windows account, the UID is mapped to the SID of the default Windows account.
3. If the default Windows account information is not used, the UNIX name is translated into a Windows name. The ntxmap is used for this purpose.
   a. If the UNIX name is found in ntxmap, the entry is used as the Windows name.
   b. If the UNIX name is not found in ntxmap, the UNIX name is used as the Windows name.
4. The Windows DC or the local group database is searched using the Windows name.
   a. If the Windows name is found, the SID mapping is resolved.
   b. If the Windows name contains a period, and the part of the name following the last period (.) matches an SMB server name, the local group database of that SMB server is searched to resolve the SID mapping.
   c. If the Windows name is not found but there is a default Windows account, the SID is mapped to that of the default Windows account.
   d. If the SID is not resolvable, access is denied.
If the mapping is found, it is added to the persistent secmap database. If the mapping is not found, the failed mapping is also added to the persistent secmap database, so the lookup is not repeated.
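The resolution order above, modelled as an added example (not the storage system's own code). The lookup tables, the UIDs, the SIDs and the SMB server name are constructed sample data; it is also assumed that an SMB server's local group database is keyed by the part of the Windows name before the last period, and that a cached failure is represented as None.

```python
# Constructed sample directories standing in for the real UDS, ntxmap, DC and LGDBs.
UDS = {1001: "alice", 1002: "bob", 1003: "carol", 1004: "svc.nas01"}  # NIS/LDAP/local files
NTXMAP = {"alice": "ALICE_W"}                           # UNIX name -> Windows name overrides
DC = {"ALICE_W": "S-1-5-21-1-1-1-1001", "bob": "S-1-5-21-1-1-1-1002"}  # domain controller
SMB_SERVERS = {"nas01": {"svc": "S-1-5-21-2-2-2-500"}}  # per-server local group databases (assumed keying)


def resolve_uid_to_sid(uid, secmap, default_sid=None):
    """Return the SID for a UID, or None when the UID is unresolvable (access denied).

    secmap is the persistent cache; both successful and failed mappings are stored in it.
    default_sid is the SID of the default Windows account, or None if none is configured.
    """
    # Step 1: secmap. A cached failure (None) is returned without re-querying anything.
    if uid in secmap:
        return secmap[uid]

    # Step 2: UID -> UNIX name via the UDS.
    unix_name = UDS.get(uid)
    if unix_name is None:
        # 2b: fall back to the default Windows account, otherwise the mapping fails.
        secmap[uid] = default_sid
        return default_sid

    # Step 3: UNIX name -> Windows name via ntxmap, defaulting to the same name.
    win_name = NTXMAP.get(unix_name, unix_name)

    # Step 4a: domain controller.
    sid = DC.get(win_name)

    # Step 4b: "name.server" where the suffix names an SMB server -> that server's local group DB.
    if sid is None and "." in win_name:
        local_name, server = win_name.rsplit(".", 1)
        sid = SMB_SERVERS.get(server, {}).get(local_name)

    # Step 4c: default Windows account; 4d: still None means unresolvable (access denied).
    if sid is None:
        sid = default_sid

    secmap[uid] = sid  # persist the result, including failures
    return sid


if __name__ == "__main__":
    cache = {}
    for uid in (1001, 1002, 1003, 1004, 7777):
        print(uid, "->", resolve_uid_to_sid(uid, cache) or "unresolvable (access denied)")
```

Re-running a UID after a failure returns the cached None without consulting the UDS or DC again, which is why stale failed entries in secmap can keep denying access after a directory fix.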
The following diagram illustrates the process used to resolve a UID to an SID mapping:
[Figure 2 (flowchart): UID -> secmap -> SID. Decision nodes, in order: In secmap? / In local files or UDS? (yields UNIX name) / In ntxmap? (otherwise Windows name = UNIX name) / In domain controller? / In local group database? / Default Windows account? Each "Yes" path ends in a SID; the final "No" path ends in Unresolvable UID, Access Denied.]
Figure 2. Process used to resolve a UID to an SID mapping
Access policies for NFS, SMB, and FTP
In a multiprotocol environment, the storage system uses file system access policies to manage user access control of its file systems. There are two kinds of security: UNIX and Windows.

For UNIX security authentication, the credential is built from the UNIX Directory Services (UDS), except for non-secure NFS access, where the credential is supplied by the client host. User rights are determined from the mode bits and the NFSv4 ACL. The user and group identifiers (UID and GID, respectively) are used for identification. There are no privileges associated with UNIX security.

For Windows security authentication, the credential is built from the Windows Domain Controller (DC) and the Local Group Database (LGDB) of the SMB server. User rights are determined from the SMB ACLs. The security identifier (SID) is used for identification. There are privileges associated with Windows security, such as TakeOwnership, Backup, and Restore, that are granted by the LGDB or a group policy object (GPO) of the SMB server.
Authentication and access