Reference Guide

The following table describes the access policies that define what security is used by which protocols:
Access policy    Description

Native (default)
    Each protocol manages access with its native security.
    Security for NFS shares uses the UNIX credential associated with the request to check the NFSv3 UNIX mode bits or NFSv4 ACL. The access is then granted or denied.
    Security for SMB shares uses the Windows credential associated with the request to check the SMB ACL. The access is then granted or denied.
    NFSv3 UNIX mode bits and NFSv4 ACL permission changes are synchronized to each other.
    There is no synchronization between the UNIX and Windows permissions.

Windows
    Secures file level access for Windows and UNIX using Windows security.
    Uses a Windows credential to check the SMB ACL.
    Permissions for newly created files are determined by an SMB ACL conversion. SMB ACL permission changes are synchronized to the NFSv3 UNIX mode bits or NFSv4 ACL.
    NFSv3 mode bits and NFSv4 ACL permission changes are denied.

UNIX
    Secures file level access for Windows and UNIX using UNIX security.
    Upon request for SMB access, the UNIX credential built from the local files or UDS is used to check the NFSv3 mode bits or NFSv4 ACL for permissions.
    Permissions for newly created files are determined by the UMASK.
    NFSv3 UNIX mode bits or NFSv4 ACL permission changes are synchronized to the SMB ACL.
    SMB ACL permission changes are allowed in order to avoid causing disruption, but these permissions are not maintained.

For FTP, authentication with Windows or UNIX depends on the user name format that is used when authenticating to the NAS server. If Windows authentication is used, FTP access control is similar to that for SMB; otherwise, authentication is similar to that for NFS. FTP and SFTP clients are authenticated when they connect to the NAS server. The authentication is either an SMB authentication (when the format of the user name is domain\user or user@domain) or a UNIX authentication (for the other formats of a single user name). SMB authentication is performed by the Windows DC of the domain defined in the NAS server. UNIX authentication is performed by the NAS server according to the encrypted password stored in either a remote LDAP server, a remote NIS server, or in the local password file of the NAS server.

Credentials for file level security
To enforce file-level security, the storage system must build a credential that is associated with the SMB or NFS request being
handled. There are two kinds of credentials, Windows and UNIX. UNIX and Windows credentials are built by the NAS server for
the following use cases:
- To build a UNIX credential with more than 16 groups for an NFS request. The extended credential property of the NAS server must be set to provide this ability.
- To build a UNIX credential for an SMB request when the access policy for the file system is UNIX.
- To build a Windows credential for an SMB request.
- To build a Windows credential for an NFS request when the access policy for the file system is Windows.
NOTE: For an NFS request when the extended credential property is not set, the UNIX credential from the NFS request is used. When using Kerberos authentication for an SMB request, the Windows credential of the domain user is included in the Kerberos ticket of the session setup request.
A persistent credential cache is used for the following:
- Windows credentials built for access to a file system having a Windows access policy.
- UNIX credentials for access through NFS if the extended credential option is enabled.
There is one cache instance for each NAS server.
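
The access-policy table, the credential use cases and the cache list above, written out as a small decision model for reviewing share configurations. This is an added example, not vendor code: the function and field names are assumptions, FTP is covered only by its user name format check, and the Kerberos case in the NOTE is not modeled.

```python
import re
from typing import NamedTuple

UNIX_PERMS = "NFSv3 mode bits / NFSv4 ACL"

class Decision(NamedTuple):
    credential: str     # "Windows" or "UNIX"
    checked: str        # permission store the credential is checked against
    built_by_nas: bool  # False: the UNIX credential in the NFS request is used
    cached: bool        # kept in the NAS server's persistent credential cache

def decide(protocol: str, policy: str, extended_cred: bool = False) -> Decision:
    """Credential used for an SMB or NFS request under a given access policy."""
    if protocol not in ("SMB", "NFS") or policy not in ("Native", "Windows", "UNIX"):
        raise ValueError(f"unsupported combination: {protocol}/{policy}")
    windows = policy == "Windows" or (policy == "Native" and protocol == "SMB")
    credential = "Windows" if windows else "UNIX"
    checked = "SMB ACL" if windows else UNIX_PERMS
    # Only a UNIX credential for NFS without extended credentials comes from the request.
    built = windows or protocol == "SMB" or extended_cred
    # Cached: Windows credentials for Windows-policy file systems, and UNIX
    # credentials for NFS access when extended credentials are enabled.
    cached = (windows and policy == "Windows") or (
        not windows and protocol == "NFS" and extended_cred)
    return Decision(credential, checked, built, cached)

def permission_change(policy: str, via: str) -> str:
    """Outcome of a permission change made through SMB (ACL) or NFS (mode bits/ACL)."""
    outcomes = {
        ("Native", "SMB"): "applied, not synchronized to UNIX permissions",
        ("Native", "NFS"): "applied, not synchronized to Windows permissions",
        ("Windows", "SMB"): "applied, synchronized to " + UNIX_PERMS,
        ("Windows", "NFS"): "denied",
        ("UNIX", "SMB"): "allowed, not maintained",
        ("UNIX", "NFS"): "applied, synchronized to SMB ACL",
    }
    return outcomes[(policy, via)]

def ftp_auth_kind(user: str) -> str:
    """domain\\user or user@domain selects SMB authentication; any other name, UNIX."""
    return "SMB" if re.fullmatch(r"[^\\@]+\\[^\\@]+|[^\\@]+@[^\\@]+", user) else "UNIX"

if __name__ == "__main__":
    for policy in ("Native", "Windows", "UNIX"):
        for proto in ("SMB", "NFS"):
            print(policy, proto, decide(proto, policy), permission_change(policy, proto))
```

The ("UNIX", "SMB") row is the one to watch in a review: an ACL edit made from a Windows client is accepted without error but does not persist as the effective permission.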
Granting access to unmapped users
Multiprotocol requires the following:
- A Windows user must be mapped to a UNIX user.