Microsoft Services for NFS
110
NAS 1500s and 500s Administration Guide
Accounting information, the A export permissions can be modified to let that one user's client
machine have access. This modification does not affect other client access to the same export,
nor does it allow the Management user or client access to other exports.
After the client machine has permission to the export, the user logon determines file access. The
client machine presents the UNIX user ID (UID) and group ID (GID) to the server. When the
client accesses a file, the presented UID and GID are translated to a Windows user ID and
group ID by the mapping server. The ACLs of the requested file or directory object are then
compared against the mapped Windows user or group to determine whether the access attempt
should be granted.
Note:
User credentials are not questioned or verified by the NFS server. The server accepts the
presented credentials as valid and correct.
If the NFS server has no corresponding UID or GID, or if the administrator has set other
conditions that filter out the user, a process called squashing takes effect. Squashing is the
conversion of an unknown or filtered user to an anonymous user. This anonymous user has
very restricted permissions on the system. Squashing helps administrators manage access to
their exports: they grant access to specific individuals or groups and squash all others down to
restricted (or no) access. In this way the administrator allows permissions for the intended
users rather than having to deny access to every individual who is not supposed to have it.
See “NFS User and Group Mappings” later in this chapter for specific information about
creating and maintaining mappings.
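The access path described above, as an added illustration that is not part of the guide or of Server for NFS itself: the client must first be permitted on the export, the presented UID/GID (accepted without verification) is mapped to a Windows user and group, unknown or filtered UIDs are squashed to an anonymous identity, and only then is the object's ACL consulted. All names, UIDs and the root-squash filter rule are constructed sample values.

```python
from dataclasses import dataclass

# Constructed name for the identity that squashed requests are mapped to.
ANONYMOUS = "ANONYMOUS LOGON"

@dataclass
class Export:
    name: str
    allowed_clients: set   # client machines granted permission to this export

@dataclass
class UserMapping:
    uid_to_user: dict      # UNIX UID -> Windows user (the mapping server's table)
    gid_to_group: dict     # UNIX GID -> Windows group
    filtered_uids: set     # UIDs the administrator chose to filter (squash)

def map_identity(mapping, uid, gid):
    """Translate the presented UID/GID into a Windows user and group.
    The UID is taken as presented (the server does not verify it); an unknown
    or filtered UID is squashed to the anonymous user, which carries no group."""
    if uid in mapping.filtered_uids or uid not in mapping.uid_to_user:
        return ANONYMOUS, ANONYMOUS
    return mapping.uid_to_user[uid], mapping.gid_to_group.get(gid, ANONYMOUS)

def acl_allows(acl, user, group, wanted):
    """acl: list of (principal, set of rights). Grant only if every wanted
    right is allowed to the mapped user or to the mapped group."""
    granted = set()
    for principal, rights in acl:
        if principal in (user, group):
            granted |= rights
    return wanted <= granted

def nfs_access(export, client, mapping, uid, gid, acl, wanted):
    """Full decision: the client must be permitted on the export first; only
    then is the mapped identity compared against the object's ACL."""
    if client not in export.allowed_clients:
        return False
    user, group = map_identity(mapping, uid, gid)
    return acl_allows(acl, user, group, wanted)

# Constructed sample configuration (not taken from the guide).
EXPORT = Export("accounting", {"ws-finance-01"})
MAPPING = UserMapping(
    uid_to_user={1001: r"CORP\alice", 1002: r"CORP\bob"},
    gid_to_group={50: r"CORP\finance"},
    filtered_uids={0},          # assumed filter rule: squash root
)
FILE_ACL = [(r"CORP\alice", {"read", "write"}),
            (r"CORP\finance", {"read"}),
            (ANONYMOUS, set())]  # squashed users get nothing on this object
```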
S4U2 functionality
Windows Server 2003 Active Directory now supports the S4U2Proxy extension to the
Kerberos protocol. This extension allows services in the domain to act on behalf of a user.
Therefore, you do not have to install the Server for NFS Authentication dll on domain
controllers in a Windows Server 2003 domain for Server for NFS to authenticate domain
users. For more information on S4U2Proxy, consult the S4U2Self topic at the following
URL:
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/default.aspx
Note:
The S4U2 functionality does not work until the domain functional level is elevated to Windows
Server 2003.
To elevate the functional level to Windows Server 2003:
1. On the Windows 2003 domain controller, open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to raise functionality, and
then click Raise Domain Functional Level.
3. In Select an available domain functional level, click Windows Server 2003.
4. Click Raise.
NFS Authentication is still the primary user name mapping authentication method used for
domain mappings. If NFS Authentication fails, Server for NFS then tries S4U2. Thus, the NFS
Authentication dll remains the primary method, with S4U2 as the backup method.