
HP Netstorage 6000



HP C4473A Surestore Netstorage 6000, 4x36 144 GB Raw Capacity
Summary: HP SureStore NetStorage 6000 is a Net

Details
Brand: Compaq
Part Numbers: C4473A, c4473a



User reviews and opinions


Comments to date: 8. Page 1 of 1. Average Rating:
Cathal 10:22pm on Saturday, October 9th, 2010 
The bottom door thing hopefully was a one time thing. Makes me wonder what else may have gone by unnoticed. I was trying to hold off on writing this until I purchased photoshop.
Pole 7:54am on Monday, August 30th, 2010 
Pure Junk I purchased the HP dv6 Pavilion laptop mainly for its video transfer capabilities. It worked fine for 10 months. very happy My desktop was over 10 years old it was time for a change.
mikebot 1:30pm on Wednesday, July 21st, 2010 
HP PAVILION 2112SA Pros This laptop is excellent for entertainment Cool design Superb processor 2. HP Pavilion Dv6 2112-sa Notebook Great looking Laptop, very quick delivery by amazon.
limberger 5:56am on Tuesday, July 20th, 2010 
[...] Comfortable Keyboard, Fast, Long Battery Life, Quality Display. Beautiful Laptop, powerful and nice design. Comfortable Keyboard, Fast, Powerful
mightyupsetter 4:54pm on Saturday, June 26th, 2010 
About two and a half years ago, I bought an HP notebook computer with the money I received from the government stimulus program. My personal experience was great with this. I gave this a 4-5 because of the heating issues and outdated hardware inside of a 2010 system.
pitr 1:02pm on Wednesday, June 2nd, 2010 
NEVER BUY HP. They will con you out of your hard earned money and give you some low-end POS hardware that they call a laptop. A great computer for business and artistic pu...  It is highly light weight, perfect for traveling. It has great memory for the price. I found this on the clearance table at Best B...  Good Sound for a laptop. Large HD, 6GB of Ram & Windows 7 64 bit BEST BUY.
mailman 12:41am on Monday, April 5th, 2010 
Great all-around notebook. It is the fastest notebook I ever have. It has a large hard-drive. No need to buy external HD for regular notebook user. The Hp pavilion notebook is great. The battery life is the best part. It last so long without freezing up. My old laptop kept freezing after a while.
VDataP 11:34am on Monday, March 22nd, 2010 
Shop carefully and do your homework.  Nice performance, sturdy design, great speakers and adequate USB ports. Came with 6 GB RAM with Windows 7.


 

2.3 Restricting Host Access
Since NFS servers do not distinguish between computers that are part of a secure network infrastructure (complete with NIS centralized administration), and computers that exist outside of the sphere of administrator control, a mechanism is needed to protect servers from unauthorized access. In typical UNIX installations, NFS mount points on servers are listed in the /etc/exports file. The mount points listed in the /etc/exports file may also contain restrictions on the clients that can mount the file system. This mechanism can be used to supply added protection to resources on NFS servers.
2.4 Considerations for the HP NetStorage 6000
The HP NetStorage 6000 utilizes an internal file system that is native to UNIX environments. As such, it has UNIX security mechanisms built in that may be leveraged when serving files over the NFS protocol. All resources stored on the file system contain the security metadata noted in the previous sections.

The HP NetStorage 6000 does not support the concept of the /etc/exports file for managing mount points. Instead, the NAS device automatically creates a single mount point at the root of all volumes created on the system. Since the NAS device is specifically designed to share files, the exporting of mount points has been automated.

The root directory of each mount point on the HP NetStorage 6000 is given special permissions to facilitate appropriate access to users. The owner and group of this directory are root (UID = 0, GID = 0), and the permissions are read, write, and execute to owner, group and other (rwxrwxrwx). One consequence of this setting is that all users can delete any file in the root of the mount point. Therefore, administrators are encouraged to avoid storing files in the root of the mount point.

The group assignment to files created in a file volume on UNIX can be performed in a variety of ways. On the HP NetStorage 6000, when a new file is created, the group assignment is inherited from the directory where the file is created. For example, if the group owner for directory /acct/usr is accountants (GID = 501), then all files created in that directory will be assigned a group owner of accountants (GID = 501).

2.4.1 Trusted Hosts

All UNIX clients that mount file systems on the HP NetStorage 6000 use the UID and GID of their account when accessing files. A special case is the root user (UID = 0). In UNIX, the root user is a Super User, with full access to all files and directories in the file system. Due to the extensive rights provided to the root user, and the extensive damage that can be done by a malicious root user, the HP NetStorage 6000 does not trust root users by default. Clients that attach with root privilege are given access as user nobody (UID = 60001), with no special rights or privileges.

The administrator can override this default behavior by declaring a particular client to be a Trusted Host. A root user mounting an HP NetStorage 6000 file system from a client that is a Trusted Host will be given root privilege (UID = 0) to the file system. This feature allows administration of the file system by a root user while, at the same time, protecting the file system from other root users that should not have privileged access to the HP NetStorage 6000 file systems.
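The behaviour described in sections 2.4 and 2.4.1, modelled as an added example (not HP's code): root squashing for untrusted hosts, group inheritance from the parent directory, and the delete exposure in a rwxrwxrwx mount root. The class and function names, the host names, the user IDs for alice and bob, and the GID used for nobody are assumptions.

```python
from dataclasses import dataclass, field

NOBODY_UID = 60001   # from the page: untrusted root is served as user nobody
NOBODY_GID = 60001   # assumption: the page gives only the UID for nobody
R, W, X = 4, 2, 1    # permission bits inside one rwx triplet


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int


@dataclass
class Node:
    uid: int
    gid: int
    mode: int                                      # e.g. 0o777
    children: dict = field(default_factory=dict)   # name -> Node (directories)


def effective_cred(client_host, cred, trusted_hosts):
    """Root is honoured only when the request comes from a Trusted Host."""
    if cred.uid == 0 and client_host not in trusted_hosts:
        return Cred(NOBODY_UID, NOBODY_GID)
    return cred


def permitted(node, cred, want):
    """Classic UNIX check: pick the owner, group or other triplet."""
    if cred.uid == 0:
        return True
    if cred.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif cred.gid == node.gid:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def create(directory, name, cred, mode=0o644):
    """New files take the caller's UID but the directory's GID (section 2.4)."""
    if not permitted(directory, cred, W | X):
        raise PermissionError(name)
    node = Node(uid=cred.uid, gid=directory.gid, mode=mode)
    directory.children[name] = node
    return node


def unlink(directory, name, cred):
    """Deleting needs write+execute on the directory, not on the file itself."""
    if not permitted(directory, cred, W | X):
        return False
    del directory.children[name]
    return True


def demo():
    trusted = {"adminhost"}                          # constructed host name
    mount_root = Node(uid=0, gid=0, mode=0o777)      # as the page describes it
    acct_usr = Node(uid=1001, gid=501, mode=0o775)   # /acct/usr, group accountants
    alice, bob = Cred(1001, 100), Cred(1002, 502)    # constructed users
    out = {}

    create(mount_root, "report.txt", alice)
    out["bob_deletes_in_mount_root"] = unlink(mount_root, "report.txt", bob)

    ledger = create(acct_usr, "ledger", alice)
    out["inherited_gid"] = ledger.gid
    out["bob_deletes_in_subdir"] = unlink(acct_usr, "ledger", bob)

    squashed = effective_cred("workstation7", Cred(0, 0), trusted)
    out["untrusted_root_uid"] = squashed.uid
    out["untrusted_root_deletes"] = unlink(acct_usr, "ledger", squashed)

    admin = effective_cred("adminhost", Cred(0, 0), trusted)
    out["trusted_root_deletes"] = unlink(acct_usr, "ledger", admin)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows why files belong in owned subdirectories rather than the mount root: the same unrelated user who can delete report.txt from the root is refused in /acct/usr.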


The following sections explain these security modes in more detail.

3.2 Share Level Security

Share Level security is the simplest SMB security mode to use, but offers the least security. In this mode, each share may be protected by a password. When the server administrator defines a new share, a password is specified to protect the share from unauthorized access. When a user first accesses the share, the user is prompted for the password. Once the password is entered and verified, the user has full access to all files on the share. Share Level security is the default security mode for Windows for Workgroups and Windows 95.

Share Level security may be implemented to allow both Read/Write access and Read Only access to shares. Each share may be protected by one Read/Write password and one Read Only password. The access allowed on the share (Read/Write or Read Only) is dictated by the password entered by the user.

This mechanism is sufficient in small networking environments. However, in large environments, the model breaks down. If a different password is used to protect each share, and if many shares are defined on a network, then managing and remembering all those passwords becomes extremely difficult. In addition, the granularity of protection extends only to the share. Any user that has access to the share has access to all of the files in the share. There is no way to limit access to individual files within a share.

In most cases, when a user enters a password to access a share, the client system creates a session with the server that may extend beyond the expected interval. For example, if a user accesses a share via Network Neighborhood (providing the correct password), closes the Explorer window, and then returns to the share at a later time, the user may not be prompted again for the password, since the original session is still active. In addition, the client system may cache the password, and submit it again automatically on behalf of the user when a session is ended and a new one is activated with the same share. To summarize, users should not expect to have to enter the password to a share more than once in a typical Windows session.

3.3 User Level Security

User Level Security offers superior flexibility and ease of use on networks with a significant number of users and/or resources. In this mode, each user is provided a logon account to a computer or network. The user only has to remember the credentials for this one account, instead of numerous passwords for network shares. Resources can be protected with a much finer granularity. Not only can shares be protected, but directories and individual files may be protected as well. Also, each resource may be protected on a user-by-user basis, which allows almost infinite permutations of access restrictions for users and groups of users. User Level Security is the default security mode of Windows NT systems.

The user accounts may be either local machine accounts for access to a single computer, or they may be accounts that apply to all computers attached to the network. If a computer is attached to a network, then local machine accounts are of little value, since the user of that account may only access resources on that computer, and not any other computer on the network. On the other hand, network wide accounts allow users to access resources on other computers on the network. In addition, these accounts allow the user to logon to any computer on the network. On NT networks, the network wide user accounts are managed through NT domains. The architecture of NT domains is discussed in the next section.


Under User Level security, each computer on the network is responsible for authenticating users before the user is allowed to access the resources on that computer. Once a user is authenticated on a computer, a session is established with the user. Thus, the user will not need to be authenticated again during that session. This not only applies to users accessing machines directly (interactive logon), but also to users accessing resources on remote servers (remote, or network logon).

Interactive logon is a very common experience for most users. Every time a Windows NT computer boots, a user must logon to the system before gaining access to any resource. The user is prompted to press Ctrl-Alt-Del and then enter a name, password and NT Domain name at the console of the local computer. Once the user is authenticated with these credentials, the user is allowed access to the resources of the computer.

Remote logon is not as obvious to most users. When a user attempts to access files on a remote computer (such as through Network Neighborhood, or by mapping a network drive to a drive letter), the remote computer must first authenticate the user before allowing access, even though the user has already logged onto the local system. Unlike the interactive logon, remote logon usually occurs automatically, without user interaction. The local computer will offer the account name and password from the interactive logon as credentials to logon to the remote computer.

3.3.1 NT Domains

NT Domains provide the means of authenticating users on a network, both for interactive logon and for remote logon. In addition, NT Domains are used to group together and manage resources on a network. An NT Domain is defined by one or more NT servers acting in the role of a Domain Controller. The NT Domain must have one and only one server configured as the Primary Domain Controller (PDC). All other Domain Controllers in the domain must be Backup Domain Controllers (BDC). All Domain Controllers store a current copy of the Security Accounts Manager (SAM) database, and use this database to authenticate users. The domain administrator manages the SAM database from the Primary Domain Controller. Backup Domain Controllers manage a read-only version of the SAM database, replicated from the PDC. The purpose of having multiple Domain Controllers in a domain is for redundancy and load balancing.

One important aspect of NT Domains is the concept of Trust relationships. One NT Domain may be configured to Trust another NT Domain, so that the first domain trusts the members of another domain. Trust relationships are one way. Domain A can be configured to trust Domain B, but the reverse would not be true. When Domain A trusts Domain B, then the user accounts on Domain B are given access to resources on Domain A, just as though the user accounts existed on Domain A.

The concept of the Trust allows the administration of the user accounts and the network resources to be distributed among multiple NT Domains. One common architecture is to allocate all resources in one or more resource domains and allocate all user accounts on one or more account domains. There is nothing special about these domains other than how the administrator has used them to manage user and resource accounts. The domains are then linked together by having the resource domains Trust the account domains.

A common architecture is to have one or more domains configured as resource domains, and one domain configured as the account domain. All of the resource domains are then configured to trust the account domain. In NT literature, this architecture is known as the Master Domain model. Figure 1 shows a diagram of the trust relationships in the master domain model. Each circle in the diagram represents a different NT domain. Domains X, Y and Z are configured as resource domains. Domain A is configured as an account domain. The

3.3.3 Password Maintenance and Encryption
The following discussion of passwords pertains to Windows NT 4.0. The Windows 2000 encryption mechanisms are not presented here, except to note that Windows 2000 is backward compatible with the Windows NT 4.0 mechanisms described here.

User records are stored in the security accounts manager (SAM) database. Each user has two passwords with which it is associated: the LAN Manager (Lan Man 1.2) compatible password and the Windows NT (NT LM 0.12) password. Each password is stored doubly encrypted in the SAM database. The first encryption is a one-way function (OWF) version of the clear text, generally considered to be non-decryptable. The second encryption is an encryption of the user's relative ID (RID). The second encryption is decryptable by anyone who has access to the double-encrypted password, the user's RID, and the algorithm. The second encryption is used for obfuscation purposes.

The LAN Manager compatible password is based on the original equipment manufacturer (OEM) character set, not case sensitive (enforced by upper casing before encryption), and up to 14 characters long. The OWF version (called the LAN Manager OWF or ESTD version) of the password is computed by encrypting a constant with the clear text password using DES encryption. The LAN Manager OWF password is 16 bytes long. The first 7 bytes of the clear text password are used to compute the first 8 bytes of the LAN Manager OWF password. The second 7 bytes of the clear text password are used to compute the second 8 bytes of the LAN Manager OWF password.

The Windows NT password is based on the Unicode character set, is case sensitive, and can be up to 128 characters long. The OWF version (called the Windows NT OWF password) is computed using the RSA MD-4 encryption algorithm, which computes a 16-byte "digest" of a variable length string of clear text password bytes. The purpose of maintaining both versions of a password is to ensure compatibility with all clients on the network.

In no instance is the password of any user account stored as plaintext; it is always encrypted by the OWF first. It is important to note, however, that the encrypted passwords are almost as valuable as the plaintext passwords, and are even commonly referred to as plaintext equivalents. Even though it is not feasible to decrypt plaintext equivalent passwords, they can be used to obtain authentication on a server.


When a client attempts to logon to a server on a network (known as remote logon or network logon), the client is given a 16-byte challenge (or "nonce"). If the client is a LAN Manager client, the client computes a 24-byte challenge response by encrypting the 16-byte challenge with the 16-byte LAN Manager OWF password. This is the algorithm used by LAN Manager. The LAN Manager client passes this "LAN Manager Challenge Response" to the server.

If the client is a Windows NT client, the client computes a LAN Manager Challenge Response, just as above. In addition, the Windows NT client computes a "Windows NT Challenge Response" by using the identical algorithm but using the 16-byte Windows NT OWF password instead of the LAN Manager OWF password. The Windows NT client then passes both the LAN Manager Challenge Response and the Windows NT Challenge Response to the server.

In either case, the server authenticates the user by passing this response to its Domain Controller, which will either process the request or pass the request on to another Domain that it has a trust relationship with, depending on the Domain of the user account. The response includes the following information: the domain name, the user name, the original challenge, the LAN Manager Challenge Response, and the optional Windows NT Challenge Response.

To authenticate the response, the Domain Controller queries the OWF passwords from SAM, computes the appropriate Challenge Response using the OWF password from SAM and the passed in Challenge, and then compares the computed challenge response to the one passed in. The Windows NT OWF password will be used to authenticate wherever possible. In cases where the Windows NT OWF password is missing from either the SAM or the response, the LAN Manager password will be used instead. This allows for backward compatibility.

3.3.4 Security Descriptors
Windows NT, in conjunction with the NT File System (NTFS), is designed to support restricted access to any object (i.e. files or directories) on the File System. Every file and directory stored on the system contains a small amount of administrative information (often referred to as metadata) which includes the security information associated with the object. This information is known as the Security Descriptor, and contains the following main attributes:

- Owner SID: The owner's security ID.
- Group SID: The security ID of the primary group for the object (used only by POSIX).
- Discretionary Access Control List (DACL): Specifies who has what access to an object.
- System Access Control List (SACL): Controls the auditing messages the system will generate. System ACLs are controlled by the administrators.

This security mechanism protects the object from unauthorized access, regardless of whether the user attempts to access the object on the local machine, or over the network from a client system. The Discretionary Access Control List (DACL) is by far the most common form of access control list, and is often abbreviated simply as the ACL of an object.

An Access Control List is made up of a header and zero or more access control entry (ACE) structures. These entries specify access or auditing permissions to that object for one user or group. There are three ACE types: two for Discretionary ACLs and one for System ACLs. The Discretionary ACEs are AccessAllowed and AccessDenied. They explicitly grant or deny access to a user or group of users. SystemAudit is a System ACE that is used to keep a log of security events (such as who accesses which files) and to generate and log security audit messages.

Each ACE contains a security ID and an access mask. The SID identifies the user or group to be associated with the entry, and the access mask defines the type of access allowed or denied. The access mask varies for different object types. In general, they include Standard types, Specific types, and Generic types. The Standard types are defined as follows:

- SYNCHRONIZE: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
- WRITE_OWNER: The right to change the owner in the object's security descriptor.
- WRITE_DAC: The right to modify the DACL in the object's security descriptor.
- READ_CONTROL: The right to read the information in the object's security descriptor, not including the information in the SACL.
- DELETE: The right to delete the object.

Specific types include access options that apply specifically to an object type. Each object type can have up to 16 specific access types. For example, Windows NT files have the following specific access types:

- ReadData
- WriteData
- AppendData
- ReadEA (Extended Attribute)
- WriteEA (Extended Attribute)
- Execute
- ReadAttributes
- WriteAttributes

The granting of access rights to a particular user for a particular object is known as the security policy. Each request to access an object contains a set of desired access rights. These desired access rights are checked against the access control information defined in the object's security descriptor to determine whether access should be granted or denied. There are two algorithms used to validate access to an object:

1) The first algorithm determines the maximum access allowed to the object. A grant-access mask and a deny-access mask are constructed based on the entries in the DACL.
2) The second algorithm is used to determine the specific access allowed, based on the user's access token.

The main task of these algorithms is to examine each ACE in the DACL. If the SID in the ACE matches a SID in the user's access token, the ACE is processed further to determine the access allowed. If any requested access type is specifically denied to the user in one of the entries, then access to the object is denied. If ALL of the requested access types are specifically granted after examining the ACEs in the DACL, then the user is granted access to the object. Otherwise, access is denied.

For example, if a user wants to access a file for reading and writing, then the ACEs in the DACL must contain one or more entries that specifically allow both reading and writing to the user. In addition, there must not exist any entry that specifically denies reading or writing to the user. Otherwise, the user will be denied access to the file.


Note: If the object has no DACL, also known as a NULL DACL, the object has no protection and access is granted to everyone. On the other hand, if the object has a DACL with no entries in it (termed an empty DACL), no accesses are specifically granted, so access is implicitly denied to everyone. In all cases, the owner of an object can modify the permissions of the object, regardless of the status of the DACL.
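The access validation described above, including the NULL DACL and empty DACL cases, written out as an added example (not code from HP or Microsoft). It follows the page's description of the two algorithms; the class names and the SIDs are constructed for illustration, and the mask values are the Windows SDK constants for the access types the page names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Standard access types named on the page.
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000
# Two of the file-specific access types named on the page.
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002

ALLOWED, DENIED = "AccessAllowed", "AccessDenied"   # the two discretionary ACE types


@dataclass(frozen=True)
class Ace:
    kind: str    # ALLOWED or DENIED
    sid: str     # user or group the entry applies to
    mask: int    # access types granted or denied


@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[Tuple[Ace, ...]]   # None = NULL DACL, () = empty DACL


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: Tuple[str, ...] = ()


def grant_and_deny_masks(dacl, token):
    """First algorithm: fold every ACE matching a SID in the token into two masks."""
    sids = {token.user_sid, *token.group_sids}
    grant = deny = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == DENIED:
            deny |= ace.mask
        elif ace.kind == ALLOWED:
            grant |= ace.mask
    return grant, deny


def maximum_allowed(sd, token):
    """Everything granted and not denied; only meaningful when a DACL is present."""
    grant, deny = grant_and_deny_masks(sd.dacl or (), token)
    return grant & ~deny


def access_check(sd, token, desired):
    """Second algorithm: decide one specific request."""
    # The owner can always change the permissions, whatever the DACL says.
    if token.user_sid == sd.owner_sid:
        desired &= ~WRITE_DAC
    if desired == 0:
        return True
    if sd.dacl is None:          # NULL DACL: no protection, access for everyone
        return True
    grant, deny = grant_and_deny_masks(sd.dacl, token)
    if desired & deny:           # any requested type explicitly denied
        return False
    return desired & ~grant == 0  # every requested type explicitly granted


# Constructed SIDs for the demonstration.
ALICE = "S-1-5-21-1-2-3-1001"
BOB = "S-1-5-21-1-2-3-1002"
CAROL = "S-1-5-21-1-2-3-1003"
STAFF = "S-1-5-21-1-2-3-2001"

BOB_TOKEN = Token(BOB, (STAFF,))
CAROL_TOKEN = Token(CAROL, (STAFF,))
ALICE_TOKEN = Token(ALICE)

NULL_DACL_SD = SecurityDescriptor(ALICE, None)
EMPTY_DACL_SD = SecurityDescriptor(ALICE, ())
MIXED_SD = SecurityDescriptor(ALICE, (
    Ace(DENIED, BOB, FILE_WRITE_DATA),
    Ace(ALLOWED, STAFF, FILE_READ_DATA | FILE_WRITE_DATA),
))

if __name__ == "__main__":
    rw = FILE_READ_DATA | FILE_WRITE_DATA
    print("NULL DACL, bob rw+delete:", access_check(NULL_DACL_SD, BOB_TOKEN, rw | DELETE))
    print("empty DACL, bob read:    ", access_check(EMPTY_DACL_SD, BOB_TOKEN, FILE_READ_DATA))
    print("empty DACL, owner DAC:   ", access_check(EMPTY_DACL_SD, ALICE_TOKEN, WRITE_DAC))
    print("mixed, bob read:         ", access_check(MIXED_SD, BOB_TOKEN, FILE_READ_DATA))
    print("mixed, bob rw:           ", access_check(MIXED_SD, BOB_TOKEN, rw))
    print("mixed, carol rw:         ", access_check(MIXED_SD, CAROL_TOKEN, rw))
```

When auditing a file server, the two cases to look for are therefore a missing DACL (wide open) and a group grant that an individual deny entry was expected to override.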
3.4 Considerations for the HP NetStorage 6000

3.4.1 Share Level Security

By default, the HP NetStorage 6000 accepts encrypted passwords for verification. In these cases, Windows NT (also known as NT LM 0.12) password encryption is used. The HP NetStorage 6000 will also accept plaintext passwords from older clients, for backward compatibility.

Since the native file system on the HP NetStorage 6000 is UNIX based, all files must have a UID and GID associated with them. However, since Share Level security does not support the concept of users or groups, a single UID and GID is assigned to each share, such that all files created in the share from Windows clients will be assigned the UID and GID of the share. When shares are managed through the web based administration tool, shares are automatically assigned a UID and GID of zero (UID = 0, GID = 0). Since a UID of zero effectively gives the share user root privileges, it is up to the administrator to ensure that the Windows shares are created in such places so as not to expose sensitive system files, or the resources of other UNIX users.

For administrators with special needs, the default UID and GID of zero may be changed for a given share. The telnet interface of the HP NetStorage 6000 allows the user to specify the UID and the GID to be used for a particular share. In this case, ALL directories and files created in the share will be assigned the UID and GID specified by the administrator.
3.4.2 User Level Security
The HP NetStorage 6000 fully supports the security model of Windows NT systems. This includes the assignment and enforcement of Security Descriptors to objects on the file system, as well as the authentication of users attempting to access resources.

The CIFS protocol is documented in a public specification. The NetLogon service is not. NetLogon is a proprietary Microsoft service that is used for establishing secure communications with a domain controller, and providing pass-through authentication, as needed. Since a public specification for providing the same service as NetLogon does not exist, the HP NetStorage 6000 must emulate the features of NetLogon where necessary.

The HP NetStorage 6000 does not logon to the domain with a machine account. Thus, it is not a trusted member of the domain. However, it can still advertise its resources through the domain that it is associated with (the resource domain). The HP NetStorage 6000 is designed to authenticate users under the NT LM 0.12 or the Lan Man 1.2 dialects of SMB. The HP NetStorage 6000 simply forwards these requests to an NT domain controller for authentication. The server is not designed to authenticate user accounts that are maintained locally.


The HP NetStorage 6000 is designed to authenticate users directly with the appropriate NT account domain. It does not pass authentication requests through its own resource domain. This allows the HP NetStorage 6000 to participate on networks where the user accounts are separated from the NT resources (Master Domain model), as well as on networks where user accounts and resources are contained in a single domain. However, on networks designed around the Multiple Master Domain model, the HP NetStorage 6000 may be configured to authenticate users through only one of the account domains.

The HP NetStorage 6000 can discover an appropriate domain controller to communicate with, given the NT domain name. This allows the server to connect to any available domain controller within a domain.

The HP NetStorage 6000 can obtain and store Security Descriptor information (ACLs) for its files. This is accomplished through a user account logon to the resource domain. The user account information is provided by the administrator when the system is configured for user level security.

3.4.3 DOS attributes

The DOS attributes are integrated with the file system and may be viewed, set or cleared via Windows applications or utilities. The behavior associated with these attributes is detailed below:

- archive: Whenever a file is modified, locally, via NFS or SMB, this attribute is set. The archive attribute may be used for operations such as network backup via NT systems.
- hidden: If a file is created via NFS whose name begins with ".", this attribute will be set. It is otherwise ignored by the system.
- read-only: If this attribute is set on a file, it will have the effect of making the file read-only regardless of the UNIX or NT permissions.
- system: This attribute is ignored by the system.

4 Security on Mixed (UNIX/Windows) Networks

4.1 General Overview

The HP NetStorage 6000 works in a heterogeneous environment and supports file sharing between Windows and UNIX clients using the CIFS/SMB or NFS file access protocols respectively. In order to understand file sharing in a heterogeneous environment it is necessary to understand the file system that the HP NetStorage 6000 uses, how clients or users are identified in each protocol and how users can be mapped.

The HP NetStorage 6000 utilizes a UNIX file system. Objects that are created with the NFS protocol and stored on the HP NetStorage 6000 will have UNIX security attributes and are classified as UNIX objects. Objects that are created via the SMB protocol have both UNIX and Windows security attributes and are classified as NT objects. Since the native file system used by the HP NetStorage 6000 is a UNIX file system, any Windows objects that are created will have both UNIX and NT security attributes associated with them.

It is possible for a Windows user to modify a UNIX object's security attributes. After this modification, however, the object will be considered an NT object. As a security policy, it is not possible to modify the security attributes on a Windows object via UNIX (chmod or chown commands) and have the object become a UNIX object, since this could potentially weaken the access control that protects these objects.

In order for clients to share files across Windows and UNIX protocols, it is necessary to establish their credential equivalence in each protocol. With this equivalence established, clients can access the files without regard to their current working environment as the owner, member of a group, or as part of the Everyone or Other account. A Windows client is identified by NT domain name, user name and the RID (relative ID) that is part of the unique security descriptor supplied by the NT domain controller. UNIX clients are identified by their UID and GID values whether they are part of a NIS administered server or not.

As described in the previous sections, the Windows and UNIX operating systems use different methods for authentication, user identification, and controlling access to resources through permissions. If users are going to be recognized as the owner of a file in both Windows and UNIX, it will be necessary to "map" or create equivalence between users in each environment. It will also be necessary to obtain information from each user that will allow file permissions and access controls to be displayed in a manner that is consistent with each protocol. All of this is accomplished using a series of map files that hold client information that will allow the identification and translation of user credentials from one protocol to another.

Before discussing mapping strategies and the mechanisms used to map clients, note that mapping is only used when NT clients access UNIX file objects. Because the HP NetStorage 6000 uses a UNIX file system as its native file system, UNIX file objects and NT objects have UNIX security attributes associated with them. Therefore, whenever a UNIX client accesses these objects the HP NetStorage 6000 does not need to consult any mapping strategy to determine permissions. It is only when an NT client tries to access UNIX objects that the mapping strategy is employed or necessary.

File access and sharing is determined on several different levels including file volume creation, Windows and UNIX security policies, and the choice of mapping strategies that are selected. Each of these aspects controls and refines the access that users will or will not have to the files stored on the HP NetStorage 6000. Each of these topic areas will be covered in the discussion below.

Copyright 2000 Hewlett-Packard Company. All Rights Reserved.

5 File Sharing Configuration
File sharing considerations begin with the file allocation storage that is established when file volumes are created with UNIX and/or Windows permissions. The administrator will need to consider the overall availability and amount of storage resources needed for each of the protocols.
5.1 File Volume Permissions
Before files can be shared in a heterogeneous environment the administrator must establish file sharing policies which will allow both Windows and UNIX clients to gain access to files that are located on the HP NetStorage 6000. When file volumes are created the administrator selects the access that will be available for this volume by selecting Windows clients only, UNIX clients only, or both Windows and UNIX clients. The choices that the administrator makes on one volume will not affect the choices that can be made on other volumes. An example is shown below:

File Volume Name | File Volume Access | Password Restrictions
Finance | Windows only; no UNIX access | Read access only
Marketing | Windows & UNIX access | Read & write access for Windows; Read access for UNIX
Procurement | Windows & UNIX access | No passwords
Research & Development | UNIX access only | Read and write access

In this example, clients using either a Windows or UNIX protocol can access Marketing and Procurement files. When clients attempt to mount or access files for the Marketing group they will be challenged for the appropriate password. In the case of files that belong to the Finance group UNIX users will be unable to mount this volume. Similarly Windows users will be unable to see or access the Research and Development file volume since it is only available to UNIX clients.

5.2 Mapping Strategies

Mapping strategies are a means for defining users and groups that have both a Windows and UNIX identity. Mapping is the mechanism that is used to determine whether a user should be granted file access rights in a different protocol. Recall that the two operating systems use two different methods for securing file objects. By establishing either user or group equivalence, the proper access controls can be in place while providing users with greater flexibility in their work. If mapping is desired it can be selected for users and/or groups.

Recall from the previous discussion that the HP NetStorage 6000 file system uses a UNIX style file system. Therefore, it is necessary to identify all users with a UID and GID value. Since the Windows protocol does not use UID or GID values, and instead associates a unique security descriptor with each client, it is necessary to create or associate a UID and GID number with each Windows user. Assigning UID and GID values is done based upon the mapping strategy that the user selected. The four possible methods are as follows:

User Mapping
  No mapping (default) - no association between UNIX and NT accounts. A unique UNIX UID will be assigned to all Windows users. If the Windows client has previously accessed the HP NetStorage 6000 the UID value that they were previously assigned will be saved in the passwd file. If no entry for this client is found in the passwd file, they will be given a UID value that is one larger than the largest UID value found in this search.
  Username mapping - users have equivalent UNIX and NT credentials if the user name is the same in the NT domain and UNIX account.
  Full name mapping - users have equivalent UNIX and NT credentials if the NT domain full name matches the UNIX comment field for the UNIX account.

Group Mapping
  No mapping (default) - no association between UNIX and NT groups
  Group name mapping - groups have equivalent UNIX and NT credentials if the primary group name associated with an NT account is the same as a group defined for UNIX accounts.

5.2.1 User Mapping

There are two ways that a HP NetStorage 6000 user can obtain a UID. In the first case, the user has a UNIX account and the administrator has elected to do some type of mapping - either by user logon name or full name mapping. If the Windows client is matched to a UNIX account then the UID associated with the UNIX account will be assigned to them. Otherwise, the HP NetStorage 6000 will assign a UID number that will be associated with their NT domain, logon name and full name fields. Once the user has a UID assigned to them, then any further activities on the server will have this unique UID associated with the file or directory metadata. The HP NetStorage 6000 assigns UID values beginning with number 60001. This number was chosen so as to not conflict with typical UNIX installations that don't have or use numbers greater than 60000. The HP NetStorage 6000 administrator provides information about their UNIX clients automatically by enabling the NIS server. Where this is enabled, the NIS server database will be automatically downloaded and refreshed on a periodic basis. If this feature is not enabled, or the UNIX administrator is not using a NIS server to manage their UNIX accounts, they will need to manually edit and manage the mapping files that are used to associate UNIX and Windows accounts. For user mapping the passwd.nis file is used.

5.2.2 Group Mapping

In a manner consistent with user mapping, group mapping assigns a unique GID for Windows clients. The HP NetStorage 6000 will attempt to map the Windows client's primary group with a known UNIX group. If there is no match then the HP NetStorage 6000 will assign a GID beginning with number 60001. Once the group number is assigned this number will be part of the metadata that is associated with the user's files and directories. In a similar manner to user mapping, the administrator provides UNIX group information by enabling the automatic download of the NIS server data. For group mapping the group.nis file contains information about UNIX groups along with their associated GID and members. If the NIS server is not enabled or used, then the administrator must manually edit and manage this file.

6 Mapping Clients

User mapping is used to create an equivalence relationship between a UNIX user and an NT user in which both sets of credentials are deemed to have equivalent rights on the system. Since the underlying file system used by the HP NetStorage 6000 is a UNIX system it is really only necessary to map NT users to a UNIX domain. Each time a Windows user logs in to the system, the mapping files are checked to determine the user's UNIX credentials. The passwd file and users.map file are searched to determine whether the Windows client had previously been assigned a UNIX UID value. The user's NT domain name and user name are used in this search. If a match is found, the UNIX UID is taken from the matching entry. If there is no match, then one of the four mechanisms described below is used to determine the user's UNIX UID. The mechanism to be used is controlled via the user mapping policy setting.

The mapping that occurs between clients is done using several files that must be maintained if file security and user credentials are to be established and maintained. For example, the NIS database files will refresh automatically every 5 minutes. However, the passwd and group files are maintained using the HP NetStorage 6000 GUI interface.

6.1 Mapping Files

The following table shows the files that are employed for assigning UID, GID values and creating the association between clients.

File Name: passwd
File Information: NT domain, user logon, UID, GID and comments. If the user resides only in the local HP NetStorage 6000 domain, the default NT domain that is assigned is the local hostname.
Purpose: Assign a UNIX style UID to an NT client if they do not have a UNIX account.

File Name: group
File Information: NT domain, user logon, GID. If the user resides only in the local HP NetStorage 6000 domain, the default NT domain that is assigned is the local hostname.
Purpose: Assign a UNIX style GID to an NT client's primary group.

File Name: passwd.nis
File Information: UNIX logon name, encrypted password, UID, and GID
Purpose: If user mapping is enabled and the NT client has not previously been assigned a UID and GID value, this file is consulted to match on either username or full name values depending upon the mapping strategy that is employed. This file is also used to generate an ACL display list for Windows users for UNIX files.

File Name: group.nis
File Information: UNIX group name, GID, members of group in text format.
Purpose: If group mapping is enabled and the NT client has not previously been assigned a GID value, this file is consulted to match the NT primary group with a UNIX group name. This file is also used to generate an ACL display list for Windows users for UNIX files.

The files that contain the association between the clients in Windows and UNIX are the following.

File Name: Users.map
File Information: UNIX username, UID, NT username, NT domain, NT relative ID (RID)
Purpose: Provides UNIX users with an identity that can be used to display ACL data for Windows users. For Windows users the RID and assigned UID and GID values can be translated.

File Name: Group.map
File Information: UNIX groupname, GID, primary NT group name, NT domain, NT relative ID (RID)
Purpose: Provides UNIX users with an identity that can be used to display ACL data for Windows users. For Windows users the RID and assigned UID and GID values can be translated.

A discussion about how these files are accessed and used follows.
6.2 Establishing a Windows Client
Each time an NT user logs into the HP NetStorage 6000 the mapping files are checked to determine whether the user has previously established UNIX credentials or whether it will be necessary to assign UID and GID values. The users.map file is consulted to determine if an equivalency already exists between the NT client and a UNIX account with a UID and GID value. If there is no match in the map file, the passwd file is scanned to see if the NT client has previously accessed the server and been assigned a local UNIX UID and GID value. If no mapping has been selected and if both of these checks fail, then the NT client will be added to the local passwd file and assigned a UID and GID with numbers greater than or equal to 60001. The user's credentials are checked each time the user logs into the HP NetStorage 6000. The user must have the same NT domain and user name to be considered the same.

Copyright 2000 Hewlett-Packard Company All Rights Reserved

7 Examples

7.1 Client with both UNIX and Windows Account
If there are clients that have both UNIX and Windows accounts they can easily access their files regardless of their current environment. The client has the following information:

Windows
  User name: msullivan
  NT domain: Empire
UNIX
  User name: msullivan

HP NetStorage 6000 configuration assumptions:
  Administrator has established file volume permission so that both UNIX and Windows clients can access the file.
  NIS server administration is used and enabled so that the passwd.nis file is populated with UNIX user account information
  Administrator has selected user name mapping

Client assumptions:
  Windows client created the file and is the owner of the file.
  As a Windows client the user has stored the file on the HP NetStorage 6000
  Client is accessing HP NetStorage 6000 as a Windows client for the first time
  Windows logon name matches UNIX logon name

Files Scanned or Read:
  passwd - no relevant entry. The client has never accessed the HP NetStorage 6000 so they don't have an auto-assigned number or a UNIX UID value.
  Passwd.nis file is scanned and a match is made between the UNIX logon name and the NT logon name. The UNIX account UID is assigned to this Windows client. A mapping is created.

Files Written:
  Users.map file has a new entry that contains information about the NT domain and UNIX accounts that have now been matched.

The Windows user can use a tool like Windows Explorer to map a network drive and store the file on the HP NetStorage 6000. When the Windows client examines the Windows file permissions they will find that they are shown as the owner of the file. In addition they will see the group Everyone has Full Access permissions. As the owner the user can modify the permissions to either grant or prohibit access to users and groups as they see fit.
7.2 UNIX File Accessed by Windows Clients
For this example a UNIX client has created a file and UNIX and Windows clients will access it. The client has the following information:

Windows
  User name: msullivan
  Full name: Mike Sullivan
  NT domain: Empire
UNIX
  User name: msullivan
  Comment: Mike Sullivan

HP NetStorage 6000 configuration assumptions:
  Administrator has established file volume permissions so that both UNIX and Windows clients can access the file.
  NIS server administration is used and enabled so that the passwd.nis file is populated with UNIX user account information

8 File Format Details

8.1 HP NetStorage 6000 Files - passwd, group, users.map, group.map
Passwd: <NT domain/logon name>:*:<UID>:<GID>:<comment>:
Group: <NT domain/logon name>:*:<GID>
Users.map: <UNIX-username>:<UID>:<NT-username>:<domain>:<rid>
Group.map: <UNIX-groupname>:<GID>:<NT-groupname>:<domain>:<RID>

8.2 UNIX Files - passwd.nis and group.nis
passwd.nis: <user name>:<encrypted password>:<UID>:<GID>:<comment fields>:<home directory>:<shell>
group.nis: <group name>:<encrypted password>:<GID>:<group members separated by commas>
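
The lookup order from sections 6 and 6.2, modelled in Python against the file formats listed in this section. This is an added example, not HP's code: the class and function names, the sample records, the literal "/" between NT domain and logon name in passwd keys, and exact (case-sensitive) name matching are all assumptions.

```python
# Added example: a model of the NT-to-UNIX UID lookup order (sections 6, 6.2).
# All records below are constructed samples in the section 8 formats.
FIRST_AUTO_UID = 60001  # first auto-assigned UID, per section 5.2.1

USERS_MAP = """\
jdoe:1204:jdoe:Empire:1013
"""
PASSWD = """\
Empire/guest1:*:60001:60001:Guest One:
"""
PASSWD_NIS = """\
msullivan:x:1500:100:Mike Sullivan:/home/msullivan:/bin/sh
jdoe:x:1204:100:Jane Doe:/home/jdoe:/bin/sh
"""


def rows(text, nfields):
    """Split colon-delimited records, skipping blank or short lines."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= nfields:
            out.append(parts)
    return out


class Mapper:
    """Hypothetical in-memory model of the appliance's map files."""

    def __init__(self, users_map, passwd, passwd_nis, policy="none"):
        if policy not in ("none", "username", "fullname"):
            raise ValueError(f"unknown user mapping policy: {policy}")
        self.policy = policy
        # users.map: <UNIX-username>:<UID>:<NT-username>:<domain>:<rid>
        self.users_map = {(r[3], r[2]): int(r[1]) for r in rows(users_map, 5)}
        # passwd: <NT domain/logon name>:*:<UID>:<GID>:<comment>:
        self.passwd = {r[0]: int(r[2]) for r in rows(passwd, 4)}
        # passwd.nis: <user>:<password>:<UID>:<GID>:<comment>:<home>:<shell>
        self.nis = rows(passwd_nis, 5)

    def resolve(self, domain, logon, full_name=""):
        """Return (uid, source) for an NT login and record any new entry."""
        key = (domain, logon)
        # 1. An existing equivalence in users.map wins.
        if key in self.users_map:
            return self.users_map[key], "users.map"
        # 2. A UID assigned locally on an earlier login is reused.
        local = f"{domain}/{logon}"
        if local in self.passwd:
            return self.passwd[local], "passwd"
        # 3. With a mapping policy selected, try to match a UNIX account.
        if self.policy != "none":
            for r in self.nis:
                if self.policy == "username":
                    hit = r[0] == logon
                else:
                    hit = bool(full_name) and r[4] == full_name
                if hit:
                    uid = int(r[2])
                    self.users_map[key] = uid  # "a mapping is created"
                    return uid, "passwd.nis"
        # 4. Otherwise assign one more than the largest local UID (>= 60001).
        uid = max([FIRST_AUTO_UID - 1, *self.passwd.values()]) + 1
        self.passwd[local] = uid
        return uid, "auto-assigned"


def policy_change_demo():
    """First login under 'no mapping', second after switching to username mapping."""
    m = Mapper(USERS_MAP, PASSWD, PASSWD_NIS, policy="none")
    first = m.resolve("Empire", "msullivan")
    m.policy = "username"
    second = m.resolve("Empire", "msullivan")
    return first, second


if __name__ == "__main__":
    m = Mapper(USERS_MAP, PASSWD, PASSWD_NIS, policy="username")
    for logon in ("jdoe", "guest1", "msullivan", "newbie"):
        print(logon, m.resolve("Empire", logon))
    print(policy_change_demo())
```

In this model a user first seen under "no mapping" keeps the auto-assigned UID after the policy is switched to username mapping, because the local passwd entry is found before passwd.nis is ever consulted.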

9 Acronyms

ACL - Access Control List
CIFS - Common Internet File System
IP - Internet Protocol
DACL - Discretionary Access Control List
DC - Domain Controller
DNS - Domain Name System
GID - Group Identifier
MAC - Machine Access Control
NAS - Network Attached Storage
NetBIOS - Network Basic Input/Output System
NFS - Network File System
NIS - Network Information Services
NT - New Technology
PDC - Primary Domain Controller
RID - Relative Identifier
SAM - Security Account Manager
SD - Security Descriptor
SID - Security Identifier
SMB - Server Message Block
UID - User IDentifier

Release Notes
The following late-breaking information supplements the HP SureStore NetStorage User's Guide and online help. If information in the User's Guide conflicts with information presented here, the information in this file should be considered correct.

OS Upgrade

OS Version: After upgrading from the original version of the OS (build 81) to version 3.3.x.x you cannot go back to the original version without risking data corruption. If your file volumes are very large, the upgrade process may take considerable time to complete. The progress of the upgrade can be seen on the HP NetStorage 6000 LCD display located on the front panel of the unit.
Administrative Password Challenge for Internet Explorer 5.5: When upgrading from software build 81 to version 3.3.x.x, you may be challenged for an administrative password whether or not you set one previously. In order to correct this problem, you need to:
  Clear your local cache
  Circumvent the web proxy cache
To clear your local cache and circumvent the web proxy cache:
1. Open Internet Explorer.
2. Select Tools > Internet Options.
3. Under the General Tab, in the Temporary Internet Files section, click Delete Files.
4. In the confirmation dialog box, click OK. You may optionally choose to delete your off-line content stored locally at this time.
5. Under the Content Tab, in the Certificates section, select Publishers.
6. Select every occurrence of Hewlett-Packard or Hewlett-Packard Company, if any exist, and click Remove.
7. Click OK.
If you use a proxy server:
8. Under the Connections Tab, select LAN Settings.
9. In the Proxy Server section, check the box to Bypass proxy server for local addresses and click OK.
10. Click OK again to close the Internet Options dialog box.
11. In order for your settings to take effect, you must shut down Internet Explorer and restart it.
Administrative Passwords: When upgrading from software build 81 to version 3.3.x.x, the administrative password is lost. The administrator must input the password again after the upgrade.
Share Level Security Passwords: In software build 81, share level security passwords were not case-sensitive. In software version 3.3.x.x, share level security passwords are case-sensitive. For example, JaneD561 and janed561 would not be recognized as the same password.

General

Administrative GUI Access: Access the administrative GUI pages directly through the HP NetStorage 6000 address (either IP or name) rather than attempting to access through an IIS server that is redirecting to the HP NetStorage 6000. Occasionally this hangs the device and it is necessary to reboot to access it again.
Renaming extended File Volumes: The HP NetStorage 6000 does not allow extended File Volumes (volumes that have been extended across two partitions) to be renamed.
Context-sensitive help: The HP TopTools help button is not context-sensitive to the HP NetStorage 6000 page you are viewing. Press the ? button in the upper right corner of the page to view context-sensitive help.
IP address: If DHCP is enabled, but fails, the HP NetStorage 6000 may revert back to a previously assigned static IP address. This may lead to some confusion as the NetStorage web interface indicates that DHCP is enabled (which it actually still is), even though it failed and the IP address was not DHCP generated.

Front panel Ready message: The front panel LCD displays Ready prior to the HP NetStorage 6000 actually being accessible. You should wait until the LCD displays the System Name and CPU Load before trying to access files.
Backup - single file restore: When doing a single file restore the name of the file being restored is NOT case sensitive. As an NFS client, when you restore a file that contains the same characters, you will get a restore of all the files. For example, a file named GoodDoc, GOODDOC, or gooddoc will all be restored as a single file restore operation.
Spanned tapes in backup: When a single file spans two tapes during a backup operation it is possible that the ACL information for this file may be corrupted. The data integrity of the file is however, never in jeopardy. To restore the ACL an administrator or root can take ownership of the file and set the appropriate permissions.
NIC port order: The PCI bus is scanned from right to left (as viewed from the front of the HP NetStorage 6000). NIC cards would, therefore, be expected to be discovered in the same order. However, single port NICs are always discovered before dual port NIC cards and may, therefore, cause confusion regarding the mapping of physical ports to port numbers. In general, scanning from right to left (as viewed from the front of the HP NetStorage 6000), the first single port NIC is Port 1. For dual port NICs, the bottom port is numbered logically lower than the upper port.
Dual-port NIC card: Computer Associates Unicenter TNG Framework may have problems properly detecting and classifying an HP NetStorage 6000 box that is using a dual-port NIC card. If this problem occurs, one port is properly identified under Network_Storage > HP_Storage and an icon is displayed in the Unicenter TNG 2-D Map. The other port is classified under Interface > IP_Interface and does not have an icon associated with it. All traps associated with the HP NetStorage 6000 are sent to the Unicenter TNG Event Console Log. If using a dual-port NIC card, it is recommended that the Unicenter TNG Event Console Log is used to manage the HP NetStorage device rather than the Unicenter TNG 2-D map.
Multi-NIC connectivity: Connectivity issues may arise on a multi-NIC HP NetStorage 6000 if a client is running Windows 95/98 or NT Service Pack 5 and trying to access the NetStorage 6000 by its IP address. Possible workarounds include upgrading the client to NT Service Pack 6 or accessing the NetStorage 6000 by its system name instead of its IP address.
Host file management: The NetStorage web interface does not allow a host to be added to the local host file if the host is already present in the host.nis file. A work around is to bypass the web interface and manually add the host entry to the local host file.

File Security: NT Security Descriptors display the wrong owner information if the domain\administrator takes ownership of the file. Instead of displaying the owner as domain\administrator, XXXXX\administrator displays (where XXXXX is the HP NetStorage system name).
File Security: A domain\administrator account that has no rights to a file can still change the permissions on the file without first taking ownership of it.
File Security: If the system is a member of a Windows 2000 domain (configured in mixed mode), with trust relationships to other domains, then taking ownership of files may not work as expected. Domain users on NT 4.0 workstations will not be able to take ownership of files stored on the NetStorage 6000. On NT 4.0 workstations, only domain administrators will be able to take ownership of such files. On Windows 2000 workstations, this limitation does not exist, although the user may see an erroneous message box stating the contrary.
User mapping strategy: An NT to UNIX user mapping strategy (no user mapping, user name mapping or full name mapping) should be chosen prior to giving end users access to the HP NetStorage 6000. Based on the mapping strategy selected, the system adds entries to the user map files (even if no user mapping is selected). Changes to mapping after users have already attached or created files may result in users not having expected ownership of previously generated files or expected mapping not taking place on newly generated files.
Workstations with login restrictions: In cases where an administrator has established workstation login restrictions (for example where a user is restricted to logging into one workstation and one workstation only) they will be challenged for a password and will be unable to access the NetStorage 6000. The administrator should remove login restrictions to prevent this problem.
Removing a user or group: Entries in the user map file are not automatically removed when a user is no longer in the passwd.nis file. Entries in the map file must be manually deleted. Entries in the group map file are not automatically removed when a group is no longer in the group.nis file. Entries in the group map file must be manually deleted.
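
Because map entries outlive the accounts they point to, a periodic comparison of users.map against passwd.nis (and group.map against group.nis) shows which entries need manual deletion. The following is an added example, not an HP tool: the function names, the finding labels and the sample records are constructed, and it assumes that IDs of 60001 and above are auto-assigned entries with no NIS counterpart.

```python
# Added example: audit a map file against the matching NIS file.
# Works for users.map/passwd.nis and group.map/group.nis, since both pairs
# keep the UNIX name in field 1 and the numeric ID in field 2 (map) or 3 (NIS).
AUTO_ID_START = 60001  # assumption: IDs from here up were auto-assigned

# Constructed sample data.
USERS_MAP_SAMPLE = """\
msullivan:1500:msullivan:Empire:1021
jdoe:1204:jdoe:Empire:1013
akhan:1310:akhan:Empire:1044
tmp1:60001:tmp1:Empire:1050
broken-line
"""
PASSWD_NIS_SAMPLE = """\
msullivan:x:1500:100:Mike Sullivan:/home/msullivan:/bin/sh
akhan:x:1377:100:A Khan:/home/akhan:/bin/sh
bnew:x:1204:100:B New:/home/bnew:/bin/sh
"""


def load_nis_ids(nis_text):
    """Map UNIX name -> numeric ID from passwd.nis or group.nis text."""
    ids = {}
    for line in nis_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 3 and f[2].isdigit():
            ids[f[0]] = int(f[2])
    return ids


def audit_map(map_text, nis_text):
    """Return (line number, finding, NT identity or raw line, detail) tuples."""
    nis_ids = load_nis_ids(nis_text)
    owner_of = {uid: name for name, uid in nis_ids.items()}
    findings = []
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        f = line.split(":")
        if len(f) != 5 or not f[1].isdigit():
            findings.append((lineno, "malformed", line, ""))
            continue
        unix_name, unix_id = f[0], int(f[1])
        who = f"{f[3]}\\{f[2]}"  # NT domain\name
        if unix_id >= AUTO_ID_START:
            continue  # auto-assigned entry, not expected in NIS
        if unix_name in nis_ids:
            if nis_ids[unix_name] != unix_id:
                # The UNIX account still exists but now has a different ID.
                findings.append((lineno, "id-mismatch", who, str(nis_ids[unix_name])))
        elif unix_id in owner_of:
            # Account is gone and its ID now belongs to someone else.
            findings.append((lineno, "orphaned-id-reused", who, owner_of[unix_id]))
        else:
            findings.append((lineno, "orphaned", who, ""))
    return findings


if __name__ == "__main__":
    for finding in audit_map(USERS_MAP_SAMPLE, PASSWD_NIS_SAMPLE):
        print(finding)
```

The "orphaned-id-reused" finding is the one to act on first: the stale entry still ties the NT account to an ID that a different UNIX account now holds.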

After Backup, file volumes disappear: After restoring files from a backup tape the browser may contain stale or incorrect information about the file volumes. Selecting Storage > File Volumes shows that no file volumes are configured. Either click the Refresh button on the browser for the correct file volume information to appear, or close the browser window and open another one.
E-mail Notifications: The URL pointing to the failed device always uses the host name instead of the IP address, even if the host name is not resolvable via DNS. In such cases, clicking on the URL causes unpredictable behavior.
System log online help: The online help for the system log references specific notes for Redhat Linux 6.1. This note should include Redhat Linux 6.x and 7.0.
Shared resources: There is a known issue with reusing a share point name after deleting a shared directory from a client OS (as opposed to removing it from the NetStorage 6000 web management user interface). The share name cannot be used again since the NetStorage 6000 retains this name and will indicate that the name is still being used. The only way to remove the name is through the telnet interface. For example, if a share point is created in the web management interface for directory \vol1\SharedDocs, called SharedDocs, and this directory is then deleted from a Windows NT client (not using the web management interface), the share name SharedDocs cannot be used again as a share point name.
Partition Size Limit: The HP NetStorage 6000 has a limit of 256GB (262144 MB) per partition.
File Volume Size Limit: You must select 262144MB or less when formatting partitions into file volumes. To create a file volume that is greater than this, simply use the Expand File Volume feature to distribute space across multiple partitions.
DLT Autoloader 818: This device has a maximum native capacity of 320GB, and a compressed capacity between 480GB and 640GB, depending on compression efficiency. On an HP NetStorage 6000 that is fully loaded with 73GB drives, it is possible that the stored data will exceed the storage capacity of the tape device. In such situations, split the data into at least two sets, and back up each data set separately.

Drive Rebuild Time: When rebuilding drives, it may take a long time to initialize a logical drive (RAID set) containing 73GB drives. The rebuild time is dramatically affected by how much the logical drive is being used for file serving operations at the time of initialization. This also applies to logical drives that have failed over to a hot spare, and to the rebuild of a replaced drive.
Reboots after Drive Changes: When drives are removed, added, or replaced while the system is powered down, it is normal for the device to execute two boot sequences when it is powered on. This is required to synchronize the RAID controller with the new drive configuration.
IBM Tivoli NetView: This management application is no longer supported.

General Browser Issues

Performance: After changing NIC parameters and clicking Apply, the browser may appear to hang while the operation completes. The delay in the system responding is a function of the number of NIC ports and changes requested.
Performance: Browsing the directory tree, and deleting directories from within the configuration interface can take a long time, depending on the number of files and directories stored on the system. During such operations, the web browser may appear to hang.
Security warnings: Denying additional privileges to Hewlett-Packard in a security warning window in Netscape generates additional security warning windows. Granting privileges in one of the succeeding windows does not actually grant the privileges needed. You must grant privileges on the first security warning window.

Internet Explorer Issues

Error on exit: Some versions of Internet Explorer may generate the following application error on exit:
The instruction at "(some address)" referenced memory at "(some other address)." The memory could not be "(read or written)."
This does not cause any problems managing the HP NetStorage 6000, but is a nuisance. Try upgrading to the latest version of Internet Explorer to solve this.
Viewing multiple devices: You may not be able to view pages from two or more HP NetStorage 6000s at the same time with some versions of Internet Explorer. Additionally, you may not be able to view pages from two or more web-manageable devices that have similar user interfaces. Upgrading to the latest version of Internet Explorer may solve this.
Netscape Navigator Issues
Netscape Navigator ver. 6.0: The NetStorage 6000 web management user interface does not support Netscape Navigator ver 6.0. Use a previous version of Netscape or Internet Explorer to view the management GUI.
Java applets: The NetStorage 6000 interface is a web-based utility that makes extensive use of Java applets. In some versions of Netscape, Java applets are known to fail to execute on occasion. If some portion of the management interface fails to function, re-launch the browser to reload the applets.

Index search: If you are on a UNIX system and using Netscape as your browser, the search field in the index of the online help may not display correctly. You can use the scroll bar to locate the entry you are looking for.
Resizing browser window: On UNIX systems using Netscape, resizing the browser window may cause the entire management interface to reload. When this happens, the browser may not advance past the Loading HP NetStorage 6000. page. If this happens, press the browser's Reload button.
Event log scrolling: On UNIX systems using Netscape, the Status > Event Log page may not show a scroll bar. Click in the event log area and use an arrow key; the scroll bar should then appear.
Browser loading: On UNIX systems using Netscape, the browser window may not advance past the Loading HP NetStorage 6000. page when you press Reload. If this happens, press Reload again.

 
