Understanding Server for NFS security

Server for NFS security is a combination of Windows security and the security protocols that protect network file system (NFS) shares. Both Windows security and NFS security control access to files by individual users, based on the account with which the user logs on. In addition, NFS security controls access to shared directories by specific client computers. Server for NFS enforces both types of access control.

The first time an NFS client computer sends a file-access request to Server for NFS, Server for NFS checks whether the client computer is allowed the requested access. If not, Server for NFS returns an error message. For information on how to control client access to Server for NFS shares, see To add clients and groups to the shared directory permissions list and To configure access for a client computer or group.

If the client computer is allowed access, Server for NFS tries to determine whether the user on whose behalf the request is being made is allowed the requested access. The first step in this process is to determine whether the user has a Windows account. The account can either be a local account on the Windows computer running Server for NFS, or it can be a Windows domain account. To make this determination, Server for NFS passes to the server running User Name Mapping the user's user identifier (UID) and group identifiers (GIDs). These are obtained from the NFS client. (If the request is anonymous and Server for NFS is configured to allow anonymous access, Server for NFS supplies the anonymous UID and GID instead.) If the UID corresponds to a Windows account in the User Name Mapping database, and if any of the GIDs match a Windows group, User Name Mapping returns the user name and domain name of the account and the group names to Server for NFS.

In the next step, Server for NFS logs the user on by passing the domain name and user name to Server for NFS Authentication, either on the local computer or a domain controller, depending on the type of account it is. Server for NFS Authentication returns the user's security credentials to Server for NFS.

Once Server for NFS has obtained these credentials, it uses them when it requests file access on behalf of the user. When the server receives a request from Server for NFS for access to a file, the server checks the discretionary access control list (DACL) in the file's security descriptor to determine whether the specified user and the groups to which the user belongs are permitted the requested access. If access is permitted, the server allows Server for NFS to read or write the contents of the file on behalf of the NFS client. If access is not permitted, the server returns an error to Server for NFS, which in turn sends an error message to the NFS client.

When a client connection is inactive for 10 minutes, Server for NFS forces the user to be reauthenticated. To learn how to change this interval or disable this feature, see To configure how often authentication is renewed.
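
The sequence of checks described above, sketched as an added Python model; it is not part of the original documentation and not Microsoft's implementation. The host names, accounts, anonymous IDs, and the refusal of an unmapped UID are assumptions made for the example.

```python
# Simplified model of the checks described above. All names and data are
# constructed for illustration; this is not Microsoft's implementation.
REAUTH_IDLE = 10 * 60                      # seconds; default interval from the text
CLIENTS = {"unixhost1": {"read", "write"}, "unixhost2": {"read"}}  # share permission list
UID_MAP = {1001: "EXAMPLE\\alice", 1002: "EXAMPLE\\bob"}           # User Name Mapping
GID_MAP = {200: "EXAMPLE\\Engineers"}
ANON = (65534, 65534)                      # constructed anonymous UID/GID
ALLOW_ANON = False
# Ordered ACEs: (type, principal, rights). Deny entries come first.
DACL = [("deny", "EXAMPLE\\bob", {"write"}),
        ("allow", "EXAMPLE\\Engineers", {"read", "write"})]

class NfsServerModel:
    def __init__(self):
        self.sessions = {}                 # (client, uid) -> (principals, last_seen)
        self.logons = 0                    # number of authentication round trips

    def _authenticate(self, uid, gids):
        """User Name Mapping lookup followed by logon; returns principals or None."""
        user = UID_MAP.get(uid)
        if user is None:
            return None                    # assumption: an unmapped UID is refused
        self.logons += 1
        return {user} | {GID_MAP[g] for g in gids if g in GID_MAP}

    def request(self, client, uid, gids, right, now):
        # 1. Client check against the share's permission list.
        if right not in CLIENTS.get(client, set()):
            return "denied: client"
        # 2. Anonymous requests use the anonymous UID/GID, if that is allowed.
        if uid is None:
            if not ALLOW_ANON:
                return "denied: anonymous"
            uid, gids = ANON[0], [ANON[1]]
        # 3. Reuse cached credentials unless the connection idled too long.
        cached = self.sessions.get((client, uid))
        if cached and now - cached[1] < REAUTH_IDLE:
            principals = cached[0]
        else:
            principals = self._authenticate(uid, gids)
            if principals is None:
                return "denied: no mapping"
        self.sessions[(client, uid)] = (principals, now)
        # 4. DACL check: the first ACE naming a principal and the right decides.
        for kind, who, rights in DACL:
            if who in principals and right in rights:
                return "granted" if kind == "allow" else "denied: dacl"
        return "denied: dacl"              # no matching ACE means no access
```

The model shows that a request can fail at three separate points (client list, user mapping, DACL), which is worth keeping in mind when diagnosing an access error reported by an NFS client.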

For additional information about the security descriptor, DACL, and how Server for NFS supports UNIX security, see the other topics covered in this section and Understanding Windows and UNIX file system security.

This section covers: