By user12612012 on Jun 17, 2011
The core of any file server is its file system, and ZFS provides the foundation on which we have built our ubiquitous file sharing and single access control model. ZFS has a rich, Windows- and NFSv4-compatible ACL implementation (ZFS uses only ACLs), it understands both UNIX IDs and Windows SIDs, and it is integrated with the identity mapping service: it knows when a UNIX/NIS user and a Windows user are equivalent, and similarly for groups. We have a single access control architecture, regardless of whether you are accessing the system via NFS or SMB/CIFS.
The NFS and SMB protocol services are also integrated with the identity mapping service and shares are not restricted to UNIX permissions or Windows permissions. All access control is performed by ZFS, the system can always share file systems simultaneously over both protocols and our model is native access to any share from either protocol.
Modal architectures have unnecessary restrictions, confusing rules, administrative overhead and weird deployments to try to make them work; they exist as a compromise, not because they offer a benefit. Having some shares that only support UNIX permissions, others that only support ACLs and some that support both in a quirky way really doesn't seem like the sort of thing you'd want in a multi-protocol file server. Perhaps because the server has been built on a file system that was designed for UNIX permissions, possibly with ACL support bolted on as an afterthought, or because the protocol services are not truly integrated with the operating system, such a server may not be capable of supporting a single integrated model.
With a single, integrated sharing and access control model:
If you connect from Windows or another SMB/CIFS client:
- The system creates a credential containing both your Windows identity and your UNIX/NIS identity. The credential includes UNIX/NIS IDs and SIDs, and UNIX/NIS groups and Windows groups.
- If your Windows identity is mapped to an ephemeral ID, files created by you will be owned by your Windows identity (ZFS understands both UNIX IDs and Windows SIDs).
- If your Windows identity is mapped to a real UNIX/NIS UID, files created by you will be owned by your UNIX/NIS identity.
- If you access a file that you previously created from UNIX, the system will map your UNIX identity to your Windows identity and recognize that you are the owner. Identity mapping is also applied during access checks, when your identity is evaluated against the ACL.
If you connect via NFS (typically from a UNIX client):
- The system creates a credential containing your UNIX/NIS identity (including groups).
- Files you create will be owned by your UNIX/NIS identity.
- If you access a file that you previously created from Windows and the file is owned by your UID, no mapping is required. Otherwise the system will map your Windows identity to your UNIX/NIS identity and recognize that you are the owner. Again, mapping is fully supported during ACL processing.
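As an added illustration, not code from this post or from the appliance, the following Python toy models the behaviour listed above for both the SMB and NFS cases: a credential built at connect time carries both identity forms, a file's owner is stored as a UID when the creator has a real UNIX identity and as a SID when the mapping is ephemeral, and an NFSv4-style first-match ACL walk matches either form. The mapping tables, the SIDs and UIDs, the ephemeral-ID convention and the ACE layout are all constructed for the example and are not the real implementation's encoding.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mapping tables standing in for the identity mapping service.
UID_TO_SID = {1001: "S-1-5-21-1-1-1-1001"}
GID_TO_SID = {100: "S-1-5-21-1-1-1-513"}
SID_TO_UID = {sid: uid for uid, sid in UID_TO_SID.items()}
SID_TO_GID = {sid: gid for gid, sid in GID_TO_SID.items()}

# Toy convention for ephemeral IDs (an assumption of this example, not the
# appliance's real allocation scheme): UIDs at or above this base are ephemeral.
EPHEMERAL_BASE = 1 << 31
_ephemeral_uids = {}


def ephemeral_uid(sid):
    """Hand out a stable, process-local ephemeral UID for an unmapped SID."""
    if sid not in _ephemeral_uids:
        _ephemeral_uids[sid] = EPHEMERAL_BASE + len(_ephemeral_uids)
    return _ephemeral_uids[sid]


@dataclass(frozen=True)
class Credential:
    uid: int
    sid: Optional[str]   # None only when an NFS user has no Windows mapping
    groups: frozenset    # GIDs and group SIDs, in both forms where a mapping exists

    def identities(self):
        """Every form the caller is known by: mapping happened at connect time."""
        ids = {self.uid} | self.groups
        if self.sid is not None:
            ids.add(self.sid)
        return ids


def _groups(unix_gids=(), win_sids=()):
    out = set()
    for gid in unix_gids:
        out.add(gid)
        if gid in GID_TO_SID:
            out.add(GID_TO_SID[gid])
    for sid in win_sids:
        out.add(sid)
        if sid in SID_TO_GID:
            out.add(SID_TO_GID[sid])
    return frozenset(out)


def cred_from_smb(sid, group_sids=()):
    """SMB connect: Windows identity plus its mapped (or ephemeral) UNIX identity."""
    uid = SID_TO_UID.get(sid)
    if uid is None:
        uid = ephemeral_uid(sid)
    return Credential(uid, sid, _groups(win_sids=group_sids))


def cred_from_nfs(uid, gids=()):
    """NFS connect: UNIX identity plus its Windows identity if one is mapped."""
    return Credential(uid, UID_TO_SID.get(uid), _groups(unix_gids=gids))


READ, WRITE = 1, 2


@dataclass
class File:
    owner: object   # int UID for a real UNIX identity, str SID otherwise
    acl: list       # ordered (who, "allow"|"deny", perm bits); who may be "owner@"


def create_file(cred, acl):
    """Owner is the UNIX UID when the creator has a real one, else the SID."""
    owner = cred.sid if cred.uid >= EPHEMERAL_BASE else cred.uid
    return File(owner=owner, acl=list(acl))


def check_access(cred, f, wanted):
    """NFSv4-style walk: first matching deny on a still-needed bit refuses,
    allows accumulate until every requested bit is granted."""
    ids = cred.identities()
    is_owner = f.owner in ids
    need = wanted
    for who, kind, perms in f.acl:
        if not ((who == "owner@" and is_owner) or who in ids):
            continue
        if kind == "deny" and perms & need:
            return False
        if kind == "allow":
            need &= ~perms
        if need == 0:
            return True
    return need == 0
```

The point to notice is that `check_access` never consults the mapping tables: the credential already holds both identity forms, so a file created over SMB by a mapped user (owner stored as UID 1001) is recognised as owned by the same person over NFS, and a file created by an unmapped Windows user (owner stored as a SID) is still checked with the same ACL walk.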
The NFS, SMB/CIFS and ZFS services all work cooperatively to ensure that your UNIX identity and your Windows identity are equivalent when you access the system. This, along with the single ACL-based access control implementation, results in a system that provides that elusive ubiquitous file sharing experience.