The core of any file server is its file system, and ZFS provides the foundation on which we have built our ubiquitous file sharing and single access control model. ZFS has a rich ACL implementation that is compatible with both Windows and NFSv4 (ZFS only uses ACLs). It understands both UNIX IDs and Windows SIDs, and it is integrated with the identity mapping service: it knows when a UNIX/NIS user and a Windows user are equivalent, and similarly for groups. We have a single access control architecture, regardless of whether you are accessing the system via NFS or SMB/CIFS.

The NFS and SMB protocol services are also integrated with the identity mapping service, and shares are not restricted to UNIX permissions or Windows permissions. All access control is performed by ZFS, the system can always share file systems simultaneously over both protocols, and our model is native access to any share from either protocol.

Modal architectures have unnecessary restrictions, confusing rules, administrative overhead and weird deployments to try to make them work; they exist as a compromise, not because they offer a benefit. Having some shares that only support UNIX permissions, others that only support ACLs and some that support both in a quirky way really doesn't seem like the sort of thing you'd want in a multi-protocol file server. Perhaps because the server has been built on a file system that was designed for UNIX permissions, possibly with ACL support bolted on as an afterthought, or because the protocol services are not truly integrated with the operating system, it may not be capable of supporting a single integrated model.

With a single, integrated sharing and access control model:

- If you connect from Windows or another SMB/CIFS client:
  - The system creates a credential containing both your Windows identity and your UNIX/NIS identity. The credential includes UNIX/NIS IDs and SIDs, and UNIX/NIS groups and Windows groups.
  - If your Windows identity is mapped to an ephemeral ID, files created by you will be owned by your Windows identity (ZFS understands both UNIX IDs and Windows SIDs).
  - If your Windows identity is mapped to a real UNIX/NIS UID, files created by you will be owned by your UNIX/NIS identity.
  - If you access a file that you previously created from UNIX, the system will map your UNIX identity to your Windows identity and recognize that you are the owner. Identity mapping also supports access checking if you are being assessed for access via the ACL.
- If you connect via NFS (typically from a UNIX client):
  - The system creates a credential containing your UNIX/NIS identity (including groups).
  - Files you create will be owned by your UNIX/NIS identity.
  - If you access a file that you previously created from Windows and the file is owned by your UID, no mapping is required. Otherwise the system will map your Windows identity to your UNIX/NIS identity and recognize that you are the owner. Again, mapping is fully supported during ACL processing.

The NFS, SMB/CIFS and ZFS services all work cooperatively to ensure that your UNIX identity and your Windows identity are equivalent when you access the system. This, along with the single ACL-based access control implementation, results in a system that provides that elusive ubiquitous file sharing experience.
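
The ownership rules listed above, as a simplified Python model added here for illustration; it is not ZFS, idmap or SMB server code. The names `IdMap`, `Cred`, `smb_login`, `nfs_login`, `new_file_owner` and `is_owner` are hypothetical, the SIDs are constructed sample values, and the ephemeral ID boundary of 2^31 is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

EPHEMERAL_BASE = 2**31  # assumption: IDs at or above this have no UNIX/NIS account

@dataclass(frozen=True)
class Cred:
    uid: int              # real UNIX/NIS UID, or an ephemeral ID
    sid: Optional[str]    # Windows SID; None for an NFS login

class IdMap:
    """Toy identity mapping service: configured SID-to-UID rules plus ephemeral IDs."""
    def __init__(self, rules):
        self.sid_to_uid = dict(rules)
        self.next_ephemeral = EPHEMERAL_BASE

    def uid_for(self, sid):
        # A SID with no rule is given an ephemeral ID on first use.
        if sid not in self.sid_to_uid:
            self.sid_to_uid[sid] = self.next_ephemeral
            self.next_ephemeral += 1
        return self.sid_to_uid[sid]

def smb_login(idmap, sid):
    # SMB credential carries both the Windows and the UNIX/NIS identity.
    return Cred(uid=idmap.uid_for(sid), sid=sid)

def nfs_login(uid):
    # NFS credential carries only the UNIX/NIS identity.
    return Cred(uid=uid, sid=None)

def new_file_owner(cred):
    """Owner recorded on a file created with this credential."""
    if cred.sid is not None and cred.uid >= EPHEMERAL_BASE:
        return ("sid", cred.sid)   # ephemeral mapping: owned by the Windows identity
    return ("uid", cred.uid)       # real UID (SMB or NFS): owned by the UNIX identity

def is_owner(idmap, cred, owner):
    """Owner check that works from either protocol."""
    kind, value = owner
    if kind == "uid":
        return cred.uid == value   # owned by a UID: no mapping required
    if cred.sid is not None:
        return cred.sid == value   # SMB credential already holds the SID
    # NFS credential, SID-owned file: map the owning SID to a UID and compare.
    return idmap.sid_to_uid.get(value) == cred.uid

if __name__ == "__main__":
    idmap = IdMap({"S-1-5-21-1-2-3-1001": 501})        # constructed rule
    print(new_file_owner(smb_login(idmap, "S-1-5-21-1-2-3-1001")))
    print(new_file_owner(smb_login(idmap, "S-1-5-21-1-2-3-1002")))
```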