Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1013072.1
Update Date: 2009-05-04
Keywords:

Solution Type  Technical Instruction Sure

Solution  1013072.1 :   Sun StorageTek[TM] 5000 Series NAS: Limitations of CIFS/NFS Group Credential Mapping  


Related Items
  • Sun Storage 5210 NAS Appliance
  • Sun Storage 5220 NAS Appliance
  • Sun Storage 5310 NAS Appliance
  • Sun Storage 5320 NAS Gateway/Cluster System
  • Sun Storage 5320 NAS Appliance
  • Sun Storage 5310 NAS Gateway System
Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

Previously Published As
217909


Description
In both Windows and UNIX(R), a user can be a member of many groups. However, in order to accurately represent security and safely share files between the two environments, only a single primary group is mapped from each environment.


Steps to Follow
For UNIX users, the primary group is defined for each user in the passwd file (or in NIS, NIS+ or LDAP). This is well-known and frequently used.
For Windows users, the primary groups are found in User Manager or Active Directory Users and Computers. Windows primary groups are most often left at the default settings. These are "Domain Admins" for administrative users, and "Domain Users" for everyone else.

In this case, it usually works out best to assign Windows primary groups according to the existing UNIX primary groups. The easiest way to do this is with the "Map by Primary GID" policy. This policy pulls the existing primary group assignment from the configured UNIX passwd lookup service, uses it for all file operations, and ignores Windows primary group membership. It is also possible to create new Windows primary group assignments by hand to match up with existing UNIX groups.

Another important thing to understand is that each platform is aware only of the primary group on the other platform. For example, a UNIX user accessing a Windows-created file will recognize only the primary group of the owner of the file. Any other group membership in the Access Control List is ignored.
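To see which users depend on group memberships that are not carried across the mapping, the following added example (not part of the original Sun document and not appliance code) models the single-primary-group rule described above over passwd- and group-format text. The sample data is constructed, and the function names are hypothetical.

```python
# Added example: sample data below is constructed, in passwd/group file format.
PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:200:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:x:1004:999:Dave:/home/dave:/bin/sh
"""
GROUP = """\
staff:x:100:
eng:x:200:alice,bob
finance:x:300:alice,carol
"""


def _records(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields


def mapping_report(passwd_text, group_text):
    """Per user: the one primary group that is mapped, and the groups that are not."""
    names, members = {}, {}
    for name, _pw, gid, userlist in (f[:4] for f in _records(group_text, 4)):
        if gid.isdigit():
            names[int(gid)] = name
            members[int(gid)] = {u for u in userlist.split(",") if u}
    report = {}
    for fields in _records(passwd_text, 4):
        user, gid = fields[0], fields[3]
        if not gid.isdigit():
            continue  # malformed primary GID; skip the record
        primary = int(gid)
        ignored = sorted(names[g] for g, m in members.items()
                         if user in m and g != primary)
        # A primary GID with no group entry is reported by number only.
        report[user] = {"mapped": names.get(primary, str(primary)),
                        "ignored": ignored}
    return report


if __name__ == "__main__":
    for user, r in mapping_report(PASSWD, GROUP).items():
        flag = "REVIEW" if r["ignored"] else "ok"
        print(f"{user:8} mapped={r['mapped']:8} ignored={','.join(r['ignored']) or '-'} {flag}")
```

Users flagged REVIEW hold secondary group memberships that the mapping does not represent, so shares that rely on those groups for access control should be checked before being exposed over both protocols.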

NOTE: Members of the Domain Admins group are always mapped to root and cannot own files with their individual user account. Files owned by Domain Admins members are always owned by the local group "Administrators".



Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5210 NAS Appliance

Internal Comments
This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

[email protected]
The Knowledge Queue for this article is KNO-STO-NAS.

NAS, audited, CIFS, NFS, Credential Mapping, group mapping
Previously Published As
90647

Change History
Date: 2007-09-21
User Name: 95826
Action: Approved
Comment: - fixed typo
- verified metadata
- changed review date to 2008-09-19
- checked for TM - 1 added
- checked audience : contract
Publishing
Version: 3
Date: 2007-09-21
User Name: 95826
Action: Accept
Comment:
Version: 0

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.