The NetApp security model is that each file/directory has exactly one type of security style: Unix or NT. When accessing the file from the native security side (i.e. NT accessing a file with ACLs), native security rules apply. When accessing from the other side (i.e. NFS accessing a file with an ACL), we must first map the user into an NT user. Once we do that we can use normal ACL rules. Normally we just convert the UID into a user name and then look up the user name in the filer's domain (or in a list of trusted domains). It is possible to override this default mapping using the mapping file described below. These are used when the names are different on the two sides (e.g. Administrator on NT and root on UNIX).
This is a more detailed article on the security model http://now.netapp.com/NOW/knowledge/docs/olio/guides/53_troubleshooting/conc... .shtml
Here are two articles that will allow you to diagnose security problems:
http://now.netapp.com/NOW/knowledge/docs/olio/guides/53_troubleshooting/ts2.... l
http://now.netapp.com/NOW/knowledge/docs/olio/guides/53_troubleshooting/ts1.... l
The console commands wcc and cifs security -s can help in understanding how the mapping operates.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mailto: hawleyr@netapp.com
US Mail: Network Appliance Inc., 495 East Java Drive, Sunnyvale, CA 94089
Phone: 408-822-6661
FAX: 408-822-4521
-----Original Message----- From: Bruce Sterling Woodcock [mailto:sirbruce@ix.netcom.com] Sent: Monday, May 29, 2000 5:06 PM To: Michael van Elst Cc: toasters@mathworks.com Subject: Re: NT + Unix access rights
----- Original Message ----- From: "Michael van Elst" mlelstv@xlink.net To: "Bruce Sterling Woodcock" sirbruce@ix.netcom.com Cc: "Michael van Elst" mlelstv@xlink.net; toasters@mathworks.com Sent: Monday, May 29, 2000 4:30 PM Subject: Re: NT + Unix access rights
On Mon, May 29, 2000 at 10:14:10AM -0700, Bruce Sterling Woodcock wrote:
The usermap maps the UNIX 'root' account to the NT 'Administrator' account. The NT 'Administrator' account is mapped to an unprivileged UNIX account different from the file owner.
Can someone explain this? I don't follow.
The software release 5.3 has the feature to map accounts independently for the UNIX side and the NT side. I.e. the usermap file has the lines:
    Administrator <= root
    Administrator => ntadmin
where ntadmin is an unprivileged account and root is the regular privileged account.
Is the mapping only for access, or only for ownership?
I understand that if root creates a file, and you look at it from NT, it will be owned by Administrator (with the mapping given above). But when Administrator tries to access it, he'll be mapped to ntadmin, which doesn't have access??
Bruce
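The rule in the reply at the top (a name is translated through the usermap only when a request crosses security styles) and the two usermap lines Michael quotes, modelled as an added example; this is not code from the thread or from NetApp. The usermap syntax it accepts (=>, <=, == with first match winning) and the tiny file model are assumptions made for the example.

```python
# Added example, not from the thread or from NetApp: a toy model of the
# filer's cross-style name mapping. Assumed usermap syntax per line:
# "ntname OP unixname", where "=>" maps NT->UNIX only, "<=" maps UNIX->NT
# only and "==" maps both ways; the first matching line wins.

USERMAP = """
# constructed sample: the two lines quoted in the thread
Administrator <= root
Administrator => ntadmin
"""

def parse_usermap(text):
    """Return (nt_to_unix, unix_to_nt) dicts built from usermap text."""
    nt_to_unix, unix_to_nt = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("=>", "<=", "=="):
            raise ValueError(f"malformed usermap line: {raw!r}")
        nt, op, unix = parts
        if op != "<=":                           # "=>" or "==": NT -> UNIX
            nt_to_unix.setdefault(nt, unix)
        if op != "=>":                           # "<=" or "==": UNIX -> NT
            unix_to_nt.setdefault(unix, nt)
    return nt_to_unix, unix_to_nt

NT_TO_UNIX, UNIX_TO_NT = parse_usermap(USERMAP)

def effective_user(style, side, user):
    """Name the access check sees. style/side are "unix" or "nt"; mapping
    happens only when the requesting side differs from the file's style."""
    if side == style:                            # native access: untouched
        return user
    if side == "unix":                           # NFS request, NT-style file
        return UNIX_TO_NT.get(user, user)        # default: same name
    return NT_TO_UNIX.get(user, user)            # CIFS request, UNIX-style file

def can_read(file, side, user):
    """file = {"style": "unix"|"nt", "owner": name, "readers": set(names)}."""
    who = effective_user(file["style"], side, user)
    return who == file["owner"] or who in file["readers"]

if __name__ == "__main__":
    # Bruce's scenario: root-owned UNIX-style file, then Administrator via CIFS.
    f = {"style": "unix", "owner": "root", "readers": set()}
    print(can_read(f, "unix", "root"), can_read(f, "nt", "Administrator"))
```

On the UNIX-style file Administrator is mapped to ntadmin and is refused, while on an NT-style file Administrator is native and never goes through the map, which is the asymmetry the thread is about.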