File sharing

When files are created and accessed from a Windows® client, all the security features of Windows are available and enforced. When files are created and accessed from UNIX®-based clients, all the security features of UNIX are available and enforced. When files created by a UNIX-based client are accessed by a Windows client, access is controlled using only the semantics and permissions of "other." Similarly, when files created by a Windows-based client are accessed by a UNIX-based client, access is controlled using only the semantics and permissions of "everyone."

Restriction: After a directory, folder or file is created from a particular client type (UNIX or Windows), its security settings cannot be changed to another client type.

File sharing in the SAN File System is classified as either homogenous or heterogeneous. File sharing is positioned primarily for homogenous environments. The ability to share files heterogeneously is recommended for read-only—that is, create files on one platform, and provide read-only access on the other platform. Therefore, set up filesets such that they have a primary allegiance to a single operating system. This means, for example, that certain filesets have files created in them only by Windows-based clients, and other filesets have files created in them only by UNIX-based clients.

Homogenous file sharing

In a homogenous environment (for example, either all UNIX-based or all Windows-based clients), SAN File System provides access and semantics that are customized for the operating system running on the client machines. When files are created and accessed from only Windows-based clients, all the security features of Windows are available and enforced. When files are created and accessed from only UNIX-based clients, all the security features of UNIX are available and enforced.

In homogenous file sharing, the permissions are all of one type and are managed within the Windows or UNIX domain as appropriate. Therefore, permissions propagate to all the sharing clients. Full support is provided for UNIX and Windows standard file access permissions; however, UNIX extended ACLs are currently not supported.

In order to facilitate homogenous file sharing, you need UIDs and GIDs (UNIX) or SIDs (Windows) to be consistent in your operating system domains. For example, a uid number 2000 on one UNIX-based system must correspond to the same user with uid 2000 on every other UNIX-based system — and similarly for SIDs (security IDs) with Windows. To facilitate this, a common ID management system is required for each domain (Windows and UNIX), for example, Active Directory for Windows and Network Information Services (NIS) for UNIX, or LDAP, or manual synchronization of ID files. This ensures that permissions granted on one client map directly to other clients.

Heterogeneous file sharing

In a heterogeneous environment (for example, both UNIX-based and Windows-based clients), there is a restricted form of access. When files created on a UNIX-based client are accessed by a Windows-based client, access is controlled using only the semantics and permissions of the "Other" permission bits in UNIX. Similarly, when files created on a Windows-based client are accessed on a UNIX-based client, access is controlled using only the semantics and permissions of the "Everyone" user group in Windows.

Because the specific permissions do not match exactly between the two operating systems, translation is required. The following table shows the mapping of permissions types between UNIX and Windows. The permissions or ownership can only be changed from the client machine (that is, Windows or UNIX) where the file or directory was created.

Windows permission                UNIX permission
                                  Read    Write         Execute
Traverse Folder/Execute File                            X
List Folder/Read Data             X
Read Attributes                           X
Read Extended Attributes
Create Files/Write Data                   X
Create Folders/Append Data                X (parent)
Write Attributes                          X
Write Extended Attributes                 X
Delete Subfolders and Files               X (parent)
Delete                                    X (parent)
Read Permissions
Change Permissions
Take Ownership
Synchronize                               X

For files created on a UNIX-based system, SAN File System stores the actual uid/gid numbers and shares them across all UNIX-based clients, but they all appear as SID S-1-0-0 on Windows. For files created on Windows, SAN File System stores the actual SID and shares it across Windows clients, but they all appear as 999999/999999 on UNIX. UIDs, GIDs, and SIDs are all mapped by the client to user, group, or owner according to whatever scheme is in use on the client.
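The following Python script is an added example, not part of the IBM documentation: it applies the mapping table above to compute which Windows rights every Windows client obtains on a UNIX-created file (only the file's, or for "(parent)" rows the directory's, "other" bits count), and flags files whose "other" write bit hands write-type rights to all Windows users. The paths and modes in SAMPLE are constructed for illustration.

```python
import stat

# From the page's table: Windows permission -> (UNIX bit, checked on the parent directory).
# Rows with no X in the table (Read Extended Attributes, Read Permissions,
# Change Permissions, Take Ownership) have no UNIX equivalent and are omitted.
WINDOWS_FROM_UNIX = {
    "Traverse Folder/Execute File": ("x", False),
    "List Folder/Read Data": ("r", False),
    "Read Attributes": ("w", False),
    "Create Files/Write Data": ("w", False),
    "Create Folders/Append Data": ("w", True),
    "Write Attributes": ("w", False),
    "Write Extended Attributes": ("w", False),
    "Delete Subfolders and Files": ("w", True),
    "Delete": ("w", True),
    "Synchronize": ("w", False),
}

# Only the "other" class is consulted for a Windows client, per the text.
OTHER_BITS = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}


def windows_rights_from_unix(mode, parent_mode):
    """Windows rights any Windows client gets on a UNIX-created file.
    Parent-scoped rows (Create Folders, Delete, ...) use the directory's bits."""
    granted = []
    for right, (bit, on_parent) in WINDOWS_FROM_UNIX.items():
        source = parent_mode if on_parent else mode
        if source & OTHER_BITS[bit]:
            granted.append(right)
    return granted


def audit_world_writable(entries):
    """Return (path, rights) for UNIX-created files whose "other" write bit, on the
    file or its directory, grants write/create/delete rights to every Windows user."""
    findings = []
    for path, mode, parent_mode in entries:
        rights = windows_rights_from_unix(mode, parent_mode)
        exposed = [r for r in rights if r.startswith(("Create", "Delete", "Write"))]
        if exposed:
            findings.append((path, exposed))
    return findings


# Constructed sample listing (hypothetical paths): (path, file mode, parent dir mode).
SAMPLE = [
    ("/sanfs/unixset/report.txt", 0o644, 0o755),   # other r--, parent other r-x
    ("/sanfs/unixset/shared.log", 0o666, 0o777),   # other rw-, parent other rwx
    ("/sanfs/unixset/private.key", 0o600, 0o700),  # other ---, parent other ---
]

if __name__ == "__main__":
    for path, mode, parent in SAMPLE:
        print(path, windows_rights_from_unix(mode, parent))
    print(audit_world_writable(SAMPLE))
```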


(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.