CHAPTER 7

Group, Host, and File Directory Security

This chapter describes the various settings for local groups, hosts, user and group mapping, and file directory security. It includes the following sections:

Note: To configure Windows security, see Configuring Windows Security.


Managing Local Group Privileges

This section provides information about managing privileges for local groups. The following subsections are included:


About Local Groups

The requirements for NAS appliance and gateway-system built-in local groups are different from those of a Windows system. With a network attached storage (NAS) appliance, there are no locally logged on users. All users attach through the network and are authenticated through a domain controller, so there is no need for local groups such as Users or Guests.

Note: Local groups apply only to Common Internet File System (CIFS) networking.

Local groups are primarily used to manage resources and to perform backup-related operations. There are three local groups: administrators, power users, and backup operators.

The system also supports the Authenticated Users and Network built-in groups. All logged on users are automatically made members of both of these internally managed built-in groups. You can add any valid primary or trusted domain user as a member of any built-in local group.


About Configuring Privileges for Local Groups

Privileges provide a secure mechanism to assign task responsibility on a system-wide basis. Each privilege has a well-defined role assigned by the system administrator to a user or a group. On NAS appliances and gateway systems, since there are no local users, privileges are only assigned to groups.

Unlike access rights (which are assigned as permissions on a per-object basis through security descriptors), privileges are independent of objects. Privileges bypass object-based access control lists to allow the holder to perform the assigned role. For example, members of the backup operators group must bypass the normal security checks to back up and restore files they would otherwise not be able to access.

The difference between an access right and a privilege is illustrated in the following definitions:

The privileges are shown in the following table. You can assign any of these privileges to any of the built-in groups. Because you can make any domain user a member of the built-in groups, you can assign these privileges to any domain user.


Privilege                            User Activity Permitted

Back up files and directories        Perform backups without requiring read access permission on the target files and folders.

Restore files and directories        Restore files without requiring write access permission on the target files and folders.

Take ownership of files and folders  Take ownership of an object without requiring take-ownership access permission. Ownership can only be set to those values that the holder may legitimately assign to an object.


The default privileges assigned to the local built-in groups are shown in the following table. Members of the local administrators group can take ownership of any file or folder and members of the Backup Operators can perform backup and restore operations.


Group               Default Privilege

Administrators      Take ownership

Backup operators    Back up and restore

Power users         None



About Ownership Assignment and Groups

By default, the Domain Admins group of the domain that the appliance or gateway system is a member of is a member of the local administrators group. Thus, when a member of the Domain Admins (including the domain administrator) creates or takes ownership of a file or folder, ownership is assigned to the local administrators group. This ensures maximum portability if the system is moved from one domain to another: objects owned by the local administrators group are still accessible to members of the new domain administrator group.

The ownership assignment rules described above are also true for regular users who are members of the local administrators group. If any member of the local administrators group creates or takes ownership of an object, ownership is assigned to the local administrators group rather than the member.

On Windows systems, the domain administrator's membership in the local administrators group can be revoked; in that case, members of the domain administrator group are treated as regular users. On NAS appliances or gateway systems, by contrast, the domain administrator is always a member of the local administrators group. It is not listed as a member of this group, so its membership cannot be revoked. Because there are no local users, and thus no local Windows administrators, the domain administrator group must have administrative control on a NAS appliance or gateway system.


Adding and Removing Group Members and Configuring Privileges

The Configure Groups panel lets you add any domain user to any of the three local groups.

Note: In a cluster configuration, changes made to user groups on one server are propagated immediately to the other server.

To add a group, do the following:

1. From the navigation panel, choose Windows Configuration > Configure Groups.

2. Click Add Group.

3. In the Group field, type the name of the group.

4. In the Comment field, type a description of or comments about the group.

5. Click Apply to save your changes.

To remove a group, do the following:

1. From the navigation panel, choose Windows Configuration > Configure Groups.

2. Select the group you want to remove.

3. Click Remove Group.

4. Click Apply to save your changes.

To add or remove a group member, do the following:

1. From the navigation panel, choose Windows Configuration > Configure Groups.

2. Highlight the group to which you want to add members, or from which you want to remove members.

Existing members for the selected group are listed in the Group Members box.

3. In the Group Members box, highlight the member you want to add or delete, and click the Add or Delete icon.

4. Click Apply to save your changes.

To configure privileges for the group, use the Configure Privileges panel. For more information, see Configuring NT Privileges for Groups.


Configuring NT Privileges for Groups

Follow the steps below to configure NT privileges.

Note: In a cluster configuration, changes made to NT privileges on one server are propagated immediately to the other server.

1. From the navigation panel, choose Windows Configuration > Configure Groups.

2. In the Groups box, select the group for which you want to assign privileges.

3. In the Group Privileges box, select the type of privileges that you want applied to the group.

4. Click Apply to save your changes.


Configuring Hosts

This section provides information about configuring hosts. The following subsections are included:


About Configuring Hosts

The Set Up Local Hosts panel enables you to add, edit, or remove entries from the system host file. The table shows current host information, including host name, host Internet Protocol (IP) address, and whether the host is trusted.


Caution: Exercise caution in granting trusted status to hosts. Trusted hosts have root access to the file system and have read and write access to all files and directories in that file system.


Adding and Editing Hosts

This section provides information about adding and editing hosts. The following subsections are included:

Note: In a cluster configuration, changes made to the host definitions on one server are propagated immediately to the other server.

About Trusted Hosts

The Set Up Local Hosts panel lets you view and edit host information and designate whether a host is trusted. If a Network File System (NFS) client is defined as a trusted host, the root user on that client has root privileges on the NAS appliance or gateway system and can access all files regardless of file permissions.

Adding a Host Manually

Follow these steps to manually add a host to the system configuration:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Set Up Local Hosts.

2. Click Add.

3. Type the name by which the host is known on the system.

The host name must begin with a letter or a digit, and can include up to 63 characters in total, drawn from a-z, A-Z, 0-9, hyphens (-), and periods (.).

4. Type the Internet Protocol (IP) address of the new host.

5. If necessary, select the checkbox to assign the host Trusted status.

A trusted host has root access to the NAS appliance or gateway system.

6. Click Apply to save your changes.

Editing Host Information

To edit host information:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Set Up Local Hosts.

2. Select the host you want to edit, then click Edit.

3. Revise the host name, Internet Protocol (IP) address, and trusted status information as needed. For detailed information about these fields, see Set Up Local Hosts Panel.

4. Click Apply to save your changes.

Removing a Host Mapping for a Host

To remove a host mapping for a particular host:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Set Up Local Hosts.

2. Select the host that you want to remove by clicking on the entry in the host list.

3. Click Remove.

4. Click Apply.


Adding and Editing Host Groups

This section provides information about adding and editing host groups. The following subsections are included:

About Adding and Editing Host Groups

The Set Up Hostgroups panel enables you to monitor and manage the host groups database. Groups and group members can be added to or deleted from this database. Host groups are used to define a collection of hosts that can be used for defining Network File System (NFS) exports. Groups consist of predefined system groups and user-defined groups. The predefined groups include:

Adding a Host Group

To add a host group:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Set Up Local Hosts.

2. Click the Add icon next to the Groups menu to open the Add Hostgroup window.

3. Type the host group name.

The name must begin with a letter of the alphabet (a-z, A-Z), and can include up to 80 alphanumeric characters: a-z, A-Z, 0-9, hyphens (-), and periods (.).

4. Click Apply to save your changes.

Adding a Member to a Host Group

To add a member to a host group:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Set Up Local Hosts.

2. Click the Add icon next to the Group Members menu.

The Add Hostgroup Member window is displayed.

3. Do one of the following:

4. Click Apply to save your changes.


Mapping User and Group Credentials

This section provides information about mapping user and group credentials. The following subsections are included:


About Mapping User and Group Credentials

NAS servers are designed to reside in a multiprotocol environment and provide an integrated model for sharing data between Windows and Unix systems. Although files can be accessed simultaneously from both Windows and Unix systems, there is no industry-standard mechanism to define a user in both Windows and Unix environments. Objects can be created using either environment, but the access control semantics in each environment are vastly different. This section addresses credential mapping. For details about the interaction between user or group credential mapping and the securable objects within the system, refer to Mapping and Securable Objects.

Credential mapping is used to establish an equivalence relationship between a Unix user or group, defined in a local configuration file or Network Information Service (NIS) database, and a Windows domain user or group, defined in a Windows Security Accounts Manager (SAM) database. User and group mapping is the mechanism that establishes credential equivalence on NAS appliances and gateway systems, so that the same data can be accessed from either environment.


About Unix Users and Groups

Unix users and groups are defined in local configuration files (passwd and group) or in a Network Information Service (NIS) database. Each user and group is identified by a 32-bit identifier known, respectively, as a user ID (UID) or a group ID (GID). Most Unix systems use 16-bit identifiers, but this has been extended to 32 bits on NAS appliances and gateway systems to avoid the limitations imposed by the range of a 16-bit number. Although the UID or GID uniquely identifies a user or group within a single Unix domain, there is no mechanism to provide uniqueness across domains. Traditionally, the value zero is assigned to the root user or group. Root is granted almost unlimited access in order to perform administration tasks.


About Windows Users and Groups

Windows users and groups are defined in a Security Account Manager (SAM) database. Each user and group is identified by a security identifier (SID). A SID is a variable length structure that uniquely identifies a user or group both within the local domain and also across all possible Windows domains.

The format of a SID is as follows:


typedef struct _SID_IDENTIFIER_AUTHORITY {
    BYTE Value[6];
} SID_IDENTIFIER_AUTHORITY;

typedef struct _SID {
    BYTE Revision;
    BYTE SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
    DWORD SubAuthority[ANYSIZE_ARRAY];
} SID;

TABLE 7-1 shows how to interpret the fields in the SID structure.


TABLE 7-1 Fields in the SID

Field                 Description

Revision              SID version. The current revision value is 1.

SubAuthorityCount     Number of subauthority entries in the SID. A SID can contain up to 15 subauthority entries.

IdentifierAuthority   6-byte array that identifies the subsystem that issued the SID.

SubAuthority          Array of 32-bit subauthorities that uniquely identifies the security object: domain, user, group, or alias. A domain SID uniquely identifies a domain among all other authority domains. A user, group, or alias SID is a domain SID with the appropriate relative identifier (RID) appended. A RID is a 32-bit identifier similar to a Unix user identifier (UID) or group identifier (GID).


For readability, SIDs are often displayed as a string of the form S-1-5-32-500. This SID has a revision of 1 and an identifier authority of 5, and it contains two subauthorities, 32 and 500. The value 500 is the relative identifier (RID).

Every Windows domain has a unique SID, and every Windows workstation and server designates a local domain named after its host name. Thus every Windows workstation and server has a unique SID. Windows domains that span multiple machines are managed from a primary domain controller (PDC). The PDC provides centralized administration for the domain users and groups, and it defines a unique SID for the entire domain. Therefore, a domain user can be distinguished from a local workstation user by means of the domain part of the user SID.

To integrate with the Windows domain model, each NAS appliance or gateway system also generates a SID to define its local domain. The SID is generated using an algorithm that produces four subauthorities. The first subauthority has the value 4, which represents a nonunique authority. The other three subauthorities are generated using an algorithm that includes the current time and one of the system's MAC addresses to ensure uniqueness. This SID is used to represent both local and Network Information Service (NIS) users by appending the Unix UID or GID to the domain SID, and it is stored in the equivalent of a local SAM database.
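The SID structure and string form described above, worked through in C as an added example (this is not code from the chapter or from the product): it parses and renders the S-R-A-... string, rejects malformed or oversized SIDs, and applies the chapter's rule that Unix root maps to the built-in Administrators SID S-1-5-32-544 while any other UID or GID is appended as the RID of the system's local-domain SID. The local-domain SID used in main() is a constructed sample; the chapter does not give a real one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size counterpart of the chapter's SID typedef: SubAuthorityCount is
   capped at 15 in the text, so ANYSIZE_ARRAY becomes a 15-entry array here. */
#define MAX_SUBAUTH 15
typedef struct {
    uint8_t  revision;
    uint8_t  sub_count;
    uint8_t  authority[6];        /* IdentifierAuthority, 48-bit big-endian */
    uint32_t sub[MAX_SUBAUTH];
} sid_t;

/* Parse "S-1-5-32-500" into a sid_t. Returns 0, or -1 when the prefix is wrong,
   the revision is not 1, a field is empty or out of range, there are more than
   15 subauthorities, or anything trails the last field. */
static int sid_parse(const char *s, sid_t *out)
{
    const char *p = s + 2; char *end; unsigned long long v;
    memset(out, 0, sizeof *out);
    if (strncmp(s, "S-", 2) != 0) return -1;
    v = strtoull(p, &end, 10);                          /* Revision */
    if (end == p || *end != '-' || v != 1) return -1;
    out->revision = 1;
    p = end + 1;
    v = strtoull(p, &end, 10);                          /* IdentifierAuthority */
    if (end == p || v > 0xFFFFFFFFFFFFULL) return -1;
    for (int i = 5; i >= 0; i--) { out->authority[i] = (uint8_t)(v & 0xFF); v >>= 8; }
    while (*end == '-') {                               /* SubAuthority entries */
        if (out->sub_count == MAX_SUBAUTH) return -1;
        p = end + 1;
        v = strtoull(p, &end, 10);
        if (end == p || v > 0xFFFFFFFFULL) return -1;
        out->sub[out->sub_count++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* Render a sid_t in S-R-A-... form. Returns the length, or -1 if buf is too small. */
static int sid_format(const sid_t *sid, char *buf, size_t len)
{
    unsigned long long auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->authority[i];
    int n = snprintf(buf, len, "S-%u-%llu", (unsigned)sid->revision, auth);
    for (int i = 0; i < sid->sub_count && n >= 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - (size_t)n, "-%u", (unsigned)sid->sub[i]);
    return (n >= 0 && (size_t)n < len) ? n : -1;
}

static uint32_t sid_rid(const sid_t *sid)   /* RID = last subauthority; 0 if none */
{
    return sid->sub_count ? sid->sub[sid->sub_count - 1] : 0;
}

/* Map a Unix UID/GID to a SID as the chapter describes: root (0) always becomes
   the built-in Administrators SID S-1-5-32-544; any other ID is appended as the
   RID of the system's local-domain SID. */
static int unix_id_to_sid(const sid_t *local_domain, uint32_t id, sid_t *out)
{
    if (id == 0) return sid_parse("S-1-5-32-544", out);
    if (local_domain->sub_count >= MAX_SUBAUTH) return -1;
    *out = *local_domain;
    out->sub[out->sub_count++] = id;
    return 0;
}

int main(void)
{
    sid_t dom, user; char buf[128];   /* constructed local-domain SID below */
    if (sid_parse("S-1-5-4-1234567890-234567890-345678901", &dom) != 0) return 1;
    if (unix_id_to_sid(&dom, 638, &user) != 0 || sid_format(&user, buf, sizeof buf) < 0) return 1;
    printf("UID 638 -> %s (RID %u)\n", buf, (unsigned)sid_rid(&user));
    return 0;
}
```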


About Credential Mapping

User and group mappings can be defined to ensure that users can access their files from either Windows or Unix systems. This section describes the algorithms used to generate user and group mappings, and the policies applied during the log-in process. The mapping rules used to map Unix users and groups to Windows users and groups are specified through system policy settings, and the specific mappings are held in the system policy database.

Each user mapping describes how a Unix user with a specific user identifier (UID) is mapped to a Windows user in a specific domain with a specific relative identifier (RID). Similarly, each group mapping describes how a Unix group with a specific GID is mapped to a Windows group in a specific domain with a specific RID.

The mapping format is as follows:

<Unix-username>:<UID>:<Windows-username>:<NTDOMAIN>:<RID>
<Unix-groupname>:<GID>:<Windows-groupname>:<NTDOMAIN>:<RID>

Local users and local groups are defined in the local passwd and group files. These files are defined using the following standard Unix format:

<username>:<password>:<UID>:<GID>:<comment>:<home directory>:<shell>
<groupname>:<password>:<GID>:<comma-separated-list-of-usernames>


About User Mapping Policies

This section provides information about user mapping. The following subsections are included:

About User Mapping

User mapping is used to create an equivalence relationship between a Unix user and a Windows user in which both sets of credentials are deemed to have equivalent rights on the system. Although the mapping mechanism supports full bidirectional mapping, there is no need to map Unix users to Windows users for NFS access to the system. This is a result of the policy decision to use the Unix domain as the base mapping domain.

Each time a Windows user logs in to the system, the mapping files are checked to determine the user's Unix credentials. To determine the Windows user's Unix user identifier (UID), the user map is searched for a match on the user's Windows domain name and Windows user name. If a match is found, the Unix UID is taken from the matching entry. If there is no match, the user's Unix UID is determined by the user mapping policy setting.

About User Mapping Policy Settings

There are four user mapping policy settings.

The appropriate group credentials for the Windows user are obtained using the group mapping algorithm. For details, refer to About Group Mapping.

Example: User Mapping Policy

The following example shows a user map that makes the Windows user HOMEBASE\johnm equivalent to the Unix user john and the Windows user HOMEBASE\alanw equivalent to the Unix user amw.

john:638:johnm:HOMEBASE:1031
amw:735:alanw:HOMEBASE:1001


About Group Mapping Policies

This section provides information about group mapping. The following subsections are included:

About Group Mapping

Group mapping is used to create an equivalence relationship between a Unix group and a Windows group. To determine the appropriate Unix group identifier (GID) for a Windows user, the group map is searched using the user's Windows domain name and Windows primary group name. If a match is found, the map entry defines the Unix GID to which the Windows user's group will be mapped. If there is no matching entry in the group map, the Unix GID is determined by the group map policy setting, and a new entry is created in the group map, with the exception of the MAP_UNIXGID policy.

About Group Mapping Policy Settings

There are four group mapping policy settings:

In this case, the group.map file is not consulted. If a GID cannot be determined, the Unix nobody group GID (60001) is used.

The last step is to determine the list of Unix groups to which the user belongs. The group database is searched for occurrences of the Unix user name, as determined through the user mapping procedure. The GID of each group, in which the Unix user name appears, is added to the group list in the user's credentials.

Example: Group Mapping Policy

The following example shows a group map that makes the HOMEBASE\Domain Admins group equivalent to the Unix wheel group and the HOMEBASE\Domain Users group equivalent to the Unix users group.

wheel:800:Domain Admins:HOMEBASE:1005
users:100:Domain Users:HOMEBASE:513
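The log-in resolution described under About User Mapping and About Group Mapping (user map to UID, group map to primary GID, then the group database for the supplementary GID list), as an added C example that is not the product's own code. The map and group-file lines are constructed samples in the chapter's formats; comparing Windows names case-insensitively and falling back to the 60001 nobody GID for an unmapped group are assumptions, and the case of a user with no map entry is left to the configured mapping policy, which this example does not implement.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: Windows names compare case-insensitively (assumption) */

#define NOBODY_GID 60001u    /* the nobody GID the chapter quotes */
#define N(a) (sizeof (a) / sizeof (a)[0])

/* Constructed sample data in the chapter's file formats, not from a real system. */
static const char *USER_MAP[] = {    /* <unix-user>:<UID>:<nt-user>:<NTDOMAIN>:<RID> */
    "john:638:johnm:HOMEBASE:1031",
    "amw:735:alanw:HOMEBASE:1001",
};
static const char *GROUP_MAP[] = {   /* <unix-group>:<GID>:<nt-group>:<NTDOMAIN>:<RID> */
    "wheel:800:Domain Admins:HOMEBASE:1005",
    "users:100:Domain Users:HOMEBASE:513",
};
static const char *GROUP_FILE[] = {  /* <groupname>:<password>:<GID>:<members> */
    "wheel:*:800:john",
    "users:*:100:john,amw",
    "staff:*:200:amw,bob",
};

/* Copy line into buf and split it on ':' into at most max fields; the last
   field keeps any remaining colons. Returns the number of fields found. */
static int split(const char *line, char *buf, size_t buflen, char *f[], int max)
{
    int n = 0;
    snprintf(buf, buflen, "%s", line);
    for (char *p = buf; p && n < max; ) {
        f[n++] = p;
        if ((p = n < max ? strchr(p, ':') : NULL) != NULL) *p++ = '\0';
    }
    return n;
}

/* Search a user or group map for DOMAIN\name; copy the Unix name out and
   return its UID/GID, or -1 when the map has no entry. */
static long map_lookup(const char *map[], size_t n, const char *domain,
                       const char *nt_name, char *unix_name, size_t len)
{
    char buf[256], *f[5];
    for (size_t i = 0; i < n; i++) {
        if (split(map[i], buf, sizeof buf, f, 5) != 5) continue;   /* skip malformed lines */
        if (strcasecmp(f[3], domain) == 0 && strcasecmp(f[2], nt_name) == 0) {
            snprintf(unix_name, len, "%s", f[0]);
            return strtol(f[1], NULL, 10);
        }
    }
    return -1;
}

typedef struct { char user[64]; long uid, gid; unsigned gids[16]; int ngids; } unix_cred;

/* Resolve a Windows log-in as the chapter describes: user map -> UID (-1 if
   unmapped, where the user mapping policy would take over), group map ->
   primary GID (nobody if unmapped), then every group that lists the Unix user. */
static int resolve(const char *domain, const char *nt_user, const char *nt_group, unix_cred *c)
{
    char buf[256], grp[64], *f[4];
    c->ngids = 0;
    c->uid = map_lookup(USER_MAP, N(USER_MAP), domain, nt_user, c->user, sizeof c->user);
    if (c->uid < 0) return -1;
    c->gid = map_lookup(GROUP_MAP, N(GROUP_MAP), domain, nt_group, grp, sizeof grp);
    if (c->gid < 0) c->gid = NOBODY_GID;
    for (size_t i = 0; i < N(GROUP_FILE) && c->ngids < 16; i++) {
        if (split(GROUP_FILE[i], buf, sizeof buf, f, 4) != 4) continue;
        for (char *m = strtok(f[3], ","); m; m = strtok(NULL, ","))   /* member list */
            if (strcmp(m, c->user) == 0) {
                c->gids[c->ngids++] = (unsigned)strtoul(f[2], NULL, 10);
                break;
            }
    }
    return 0;
}
```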

The system default mapping rule is MAP_NONE for both users and groups:

map.users=MAP_NONE
map.groups=MAP_NONE

There is no requirement for the user mapping rule to match the group mapping rule. An example of a possible mapping configuration is shown below. In this example, the user mapping rule is MAP_USERNAME and the group mapping rule is MAP_ID.

map.users=MAP_USERNAME
map.groups=MAP_ID


About Built-In Credential Mapping Policies

This section provides information about built-in credential mapping. The following subsections are included:

About Built-In Credential Mapping

The Unix root identifier, 0 (user identifier (UID) or group identifier (GID)), is always mapped to the local Administrators group. The security identifier (SID) for the local Administrators group is a built-in (predefined) Windows SID: S-1-5-32-544. This mapping conforms to the ownership assigned by Windows to files created by the Domain Administrator. Ownership of such files is always assigned to the built-in local Administrators group to provide domain independence; that is, to avoid losing access to these files in the event that the system is moved from one Windows domain to another. In the Windows permissions display box this SID appears as host-name\Administrators, where host-name is the NAS appliance or gateway-system host name.

Defining the Mapping Policy

To define the mapping policy:

1. From the navigation panel, choose Windows Configuration > Manage SMB/CIFS Mapping > Configure Mapping Policy.

2. Select a user mapping setting from the Windows <--> Unix User Mapping Choice section. For detailed information about these settings, see Configure Mapping Policy Panel.

3. Select a group mapping setting from the Windows <--> Unix Group Mapping Choice section.

4. Click Apply to save your changes.

For more detail about the interaction between user or group credential mapping and the securable objects within the system, see Mapping and Securable Objects.


Mapping Windows Groups and Users to Unix Groups and Users

To map Windows groups and users to Unix groups and users:

1. From the navigation panel, choose Windows Configuration > Manage SMB/CIFS Mapping > Configure Maps.

2. Click Add.

3. In the NT User box, type the following information:

4. In the Unix User box, type the following information:

5. Click Apply to save your changes.

For more information about the interaction between user or group credential mapping and the securable objects within the system, see Mapping and Securable Objects.


Editing a Mapping Between a Windows Group or User and a Unix Group or User

To edit a mapping between a Windows group or user and a Unix group or user:

1. From the navigation panel, choose Windows Configuration > Manage SMB/CIFS Mapping > Configure Maps.

2. Select Users or Groups, depending on the type of mapping that you want to edit.

3. In the table, click the mapping that you want to edit, and click Edit.

The Edit SMB/CIFS Group Map window is displayed.

4. (Optional) In the NT User or the NT Group box, edit the following information:

5. (Optional) In the Unix User or Unix Group box, edit the following information:

6. Click Apply to save your changes.

For more information about the interaction between user or group credential mapping and the securable objects within the system, see Mapping and Securable Objects.


Setting File Directory Security

There are two methods for setting file directory security, described in the following sections:


About Setting File Directory Security in Workgroup Mode

In Workgroup/Secure Share mode, all security is set on the share itself (share-level security) through Web Administrator.

In Workgroup mode, the system behaves as if no authentication has been performed on the client, and requires a password with every share-connection request.

See Creating Static Shares for instructions on setting share-level security while adding a share. See Editing an Existing SMB Share for instructions on setting share-level security while editing shares.


Setting File Directory Security in Domain Mode

You can manage access rights from Windows 2000 or Windows XP only.

Note: When the system is configured in Domain mode, the setting of object permissions is handled the same as object permissions on a standard Windows Domain controller. There is more than one right way to locate servers and map drives in order to set and manage share permissions. Only one example of this process is shown below.

Note: NAS appliances and gateway systems support security on files and directories only, and setting security on a share will pass that security assignment to the underlying directory.

To set file directory security in Domain mode:

1. Open Windows Explorer.

2. Click Tools > Map Network Drive.

3. In the Map Network Drive window, select a drive letter from the Drive drop-down menu.

4. Locate and select the NAS appliance or gateway system.

5. Click OK.

6. In the Windows Explorer window, right-click the system share for which you want to define user-level permissions.

7. Select Properties from the drop-down menu.

8. Select the Security tab in the Properties window.

9. Click the Permissions button.

10. Set the desired permissions.

See your Windows documentation for more information on setting permissions.

11. Click OK.