
DiskShare Security and Authentication – Mapping Users and Groups to Maintain File Permissions

DiskShare is a Windows-based NFS server that allows you to share PC directories with UNIX, Linux or any other NFS client.  DiskShare supports Windows NT, Windows 2000 and Windows XP.  Throughout this document, "Windows" is used as a generic term for these supported operating systems.

This document will help you understand DiskShare security and the configuration required to maintain file permissions and privileges between UNIX and Windows.  It takes you through the mechanics of a typical setup using the DiskShare User Manager utility.  A Troubleshooting section and a Common Questions section are included at the end of this document for your reference.

This document is written from a support analyst’s point of view and deals primarily with the information necessary to configure DiskShare in an environment that maintains security between UNIX and Windows.  A basic knowledge of Windows NT, NTFS file permissions, NFS and UNIX permissions is required.

Additional Support Documents are located in the DiskShare\Support subdirectory.  For detailed information regarding DiskShare configuration and user mapping see the DiskShare HELP and the Frequently Asked Questions (FAQ) documents.

DISKSHARE BASICS

DiskShare allows you to map Windows user accounts to UIDs or UNIX/NFS user accounts for the purpose of maintaining security.  DiskShare supports both local and domain user mapping; however, the most common scenario maps UNIX and/or Linux users to Windows domain users.

One of the first caveats Windows brings into the picture is that a group can own a file.  UNIX and NFS have no concept of this: in their case a file is always owned by a user, whereas in Windows a group can be the owner of a file.

DISKSHARE HARD-CODES THE UID/GID FOR DIRECTORIES THAT ARE OWNED BY THE ‘ADMINISTRATORS’ GROUP. When a Windows user who is a member of the ‘Administrators’ group creates or takes ownership of a file or directory, the owner becomes ‘Administrators’.  In this case, DiskShare is designed to return a UID/GID pair of 0,0.  Accordingly, if ‘Administrators’ owns a Windows directory, a simple UNIX command on the exported directory (ls -ld mount_point) will show that the owner is root and the group is root.

If the DiskShare Administrator needs the directory to be owned by an account other than ‘Administrators’, he can log in as ‘root’ on the UNIX client system and execute a ‘chown’ command on the directory.
To have ‘chown’ capabilities or ‘administrator privileges’ on a UNIX client, DiskShare must be configured properly.  The following lists the necessary steps to do so.

  • On the DiskShare machine, you must have exported the directory to the client machine, allowing the client machine to have ‘root’ access.
  • The following user and group mappings must be configured within the DiskShare User/Group Mapping Configuration dialog.
      • UNIX ‘root’ to Windows ‘Administrator’
      • UNIX ‘sys’, or whatever group ‘root’ is a member of, to Windows ‘Administrators’
      • The targeted UNIX account, mapped to its respective Windows account, or the account that you wish to take ownership of the directory.
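The mapping chain above, as an added illustration rather than DiskShare's own code: a small Python model of the owner-to-UID/GID rule (with the hard-coded 0,0 for ‘Administrators’) and of the prerequisites a root ‘chown’ from the client must satisfy. All account names, numeric ids and the names map_owner, can_chown and Export are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed mapping tables, as they would be entered in the DiskShare
# User/Group Mapping Configuration dialog (UNIX name -> Windows name).
USER_MAP = {"root": "Administrator", "bmilton": "bmilton"}
GROUP_MAP = {"sys": "Administrators", "users": "users"}

# Constructed Windows group memberships and UNIX ids for the sample accounts.
WIN_GROUPS = {"Administrator": "Administrators", "bmilton": "users"}
UNIX_UID = {"root": 0, "bmilton": 1001}
UNIX_GID = {"sys": 0, "users": 100}


@dataclass
class Export:
    """Clients that the directory was exported to with 'root' access."""
    root_clients: set = field(default_factory=set)


def map_owner(win_owner: str) -> Optional[Tuple[int, int]]:
    """UID/GID pair reported to NFS clients for a Windows file owner.
    Owner 'Administrators' is hard-coded to (0, 0), so 'ls -ld' shows root:root.
    Unmapped owners return None here; the page does not say what DiskShare does."""
    if win_owner == "Administrators":
        return (0, 0)
    unix_user = next((u for u, w in USER_MAP.items() if w == win_owner), None)
    unix_group = next((g for g, w in GROUP_MAP.items()
                       if w == WIN_GROUPS.get(win_owner)), None)
    if unix_user is None or unix_group is None:
        return None
    return (UNIX_UID[unix_user], UNIX_GID[unix_group])


def can_chown(client: str, uid: int, gid: int, target: str,
              export: Export) -> Tuple[bool, str]:
    """Whether 'chown target dir' issued from `client` as (uid, gid) is honoured.
    All of the prerequisites listed above must hold; the reason names the first miss."""
    if client not in export.root_clients:
        return False, "client was not exported with root access"
    if uid != 0 or USER_MAP.get("root") != "Administrator":
        return False, "caller is not UNIX root mapped to Windows 'Administrator'"
    root_group = next((g for g, i in UNIX_GID.items() if i == gid), None)
    if GROUP_MAP.get(root_group) != "Administrators":
        return False, "root's group is not mapped to Windows 'Administrators'"
    if target not in USER_MAP:
        return False, f"target UNIX account '{target}' has no Windows mapping"
    return True, "ok"
```

Calling map_owner("Administrators") gives (0, 0), which is exactly why ‘ls -ld’ on such a directory reports root:root even though no UNIX root account was involved on the Windows side.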

Another alternative for obtaining ‘super user’ or administrator privileges on the UNIX client would be for the DiskShare Administrator to have a Windows account “Take Ownership” of the directory, provided that the account is not a member of ‘Administrators’.

Clearly, the differences between Windows and UNIX security can be complicated; however, DiskShare allows you to easily map Windows users and groups to the appropriate UNIX (or NFS) users and groups to maintain security between Windows and UNIX.  This concept will become clearer as you proceed through this document.  Below are some generic examples that will help.

EXAMPLE 1:

This example shows how several UNIX logins are able to access files (read and write) within a directory via a group mapping, while all other users (the world) have read access only.

NOTE

If you want to map UNIX entries to Windows *Domain* entities, the DiskShare Authentication module MUST be installed on all Domain Controllers that handle the Domain where the account resides.

In other words, if you want to map to the ‘bmilton’ account that resides in the ‘SSC’ domain, then the DiskShare Authentication module must be installed on all Domain Controllers that handle the ‘SSC’ domain.

To install the Authentication module, run the DiskShare setup and choose a “Custom” installation.  In this dialog, select “DiskShare Authentication” ONLY.  A reboot is not necessary if only the Authentication module is installed.

For more details on mapping domain accounts, see the DS_Authentication.doc support document.

In this example, on the Windows side, a user called ‘bmilton’ was created.  This account is *not* a member of the Windows ‘Administrators’ group; it is a member of the group called ‘users’.

We wish to allow three UNIX users (‘bmilton’, ‘kunderwood’ and ‘debbie’) access to this directory.  These three UNIX users are members of the UNIX group ‘users’.

  • Create the Windows user ‘bmilton’ and remember to make him a member of the Windows group ‘users’.  Create the other users accordingly.
  • Log out and log in as ‘bmilton’.  Create a directory and accept the default permissions.  Figure 1 demonstrates the permissions on a newly created directory.  This dialog is sometimes referred to as the DACL (Discretionary Access Control List).