Configure Unmapped UNIX User Access
Applies To: Windows Server 2008, Windows Storage Server 2008 R2
If an NFS share is configured to enable Unmapped UNIX User Access and there is no existing user account mapping available in either AD DS or AD LDS, then Server for NFS automatically generates a custom SID based on the owner and group information of the UNIX user. Files created by this UNIX user are automatically assigned a security descriptor consisting of the generated SIDs.
Unmapped user accounts use custom SIDs generated by the Server for NFS for accessing the NFS share. Unmapped UNIX User Access is a new feature that is only available in Windows Server 2008 R2, Windows Storage Server 2008, and later Windows Server operating systems.
This method is appropriate in instances when you want to:
Grant user access to NFS shares without requiring the administrative overhead of administering NFS account mapping.
Identify the users and groups that own files or that access files, unlike anonymous access.
If any of these assumptions are incorrect, then use a different method for NFS account mapping as described in the previous "NFS" section in this document.
Note
This method can be used alone or in conjunction with mapped user access using AD DS or AD LDS.
Overview of Unmapped UNIX User Access
As illustrated in the following figure, for NFS shares configured to allow Unmapped UNIX User Access, the Server for NFS automatically generates custom SIDs using the UNIX UID, GID, of the user initiating the request. Services for NFS uses these custom SIDs to access the files and folders in NFS shares.
Note
The Windows SIDs generated by Unmapped UNIX User Access are custom SIDs that do not map to known Windows user or group SIDs.
As illustrated in the previous figure, the Unmapped UNIX User Access feature uses the following process in Services for NFS to generate custom SIDs:
The UNIX operating system running an NFS client requests access to an NFS share on a computer running Services for NFS.
The access request includes the UID and GID of the user initiating the access request.
Services for NFS determines that a user account mapping does not exist in AD DS or AD LDS and uses Unmapped UNIX User Access.
Services for NFS generates the owner SID, group SID, mode SID, and UNIX other SID.
For more information about how NFS generates these SIDs, see Appendix A: Product Behavior.
Because NFS is a stateless protocol, each subsequent access uses the same process.
When creating a file or a folder in the NFS share, the Windows security descriptor for the file or folder is set as follows:
The Owner field is set to the custom generated owner SID.
The PrimaryGroup field is set to the custom generated group SID.
The discretionary access control list (DACL) field is generated using the following of Access Control Entries (ACEs):
The built-in SYSTEM account is granted Full Control permissions.
The custom generated owner SID, group SID, and other SID are used to construct a set of grant and deny ACEs that are based on an encoding of the UNIX mode bits.
For more information about how the UNIX mode bits are encoded to create the set of grant and deny ACEs, see Permissions In Microsoft Services for UNIX v3.0.
A deny ACE is created using the custom generated permission mask SID, which directly encodes the UNIX mode for the file.
For more information about UNIX mode, see Permissions In Microsoft Services for UNIX v3.0.
Additional ACEs may be inherited from the parent directory of the file being processed.
For more information about DACLs in Server for NFS, see Understanding DACLs in Server for NFS.
When configuring access to NFS shares using Unmapped UNIX User Access, include these security behaviors:
Granting the execute file permission allows read access to NFS clients. In Windows permissions, a file may have only the execute file permission set, which allows a Server Message Block (SMB) client to run the program in the file but not read the contents of the file. However, an NFS client can read the contents of the file.
NFS clients require the write file permission to delete a file or folder. In Windows permissions, a file may have only the delete permission set, which allows a SMB client to delete a file or folder. However, an NFS client cannot delete a file or folder unless the write permission is also granted.
Enable Services for NFS to Use Unmapped UNIX User Access
Unmapped UNIX User Access is available in Windows Server 2008 R2 and Windows Storage Server 2008 R2. You can enable Unmapped UNIX User Access by using one of the methods described in the "How to enable Unmapped UNIX User Access" section in NFS Account Mapping Task Reference.
Manage Unmapped UNIX User Access
After you have installed and configured Server for NFS to use Unmapped UNIX User Access, you must perform ongoing management tasks. The following table lists the management tasks to perform when using Unmapped UNIX User Access.
Table 11. Management Tasks for Unmapped UNIX User Access
Task |
Instructions to perform it |
Enable Unmapped UNIX User Access on an NFS share. |
"How to Enable Unmapped UNIX User Access" in NFS Account Mapping Task Reference. |
View the configuration of Unmapped UNIX User Access on an NFS share. |
"How to View Unmapped UNIX User Access Configuration" in NFS Account Mapping Task Reference. |
Disable Unmapped UNIX User Access for an NFS share. |
"How to Disable Unmapped UNIX User Access" in NFS Account Mapping Task Reference. |
The following table lists the resource management tasks to be performed on the Server for NFS.
Table 12. Server for NFS Resource Management Tasks
Task |
Instructions to perform it |
Provision an NFS share. |
"Provision an NFS Share" in NFS Account Mapping Task Reference. |
Manage user and group access to an NFS share. |
"Manage User and Group Access to an NFS Share" in NFS Account Mapping Task Reference. |
View user and group access to an NFS share. |
"View User and Group Access to an NFS Share" in NFS Account Mapping Task Reference. |