Manage dual-protocol access

Last reviewed 2023-04-05 UTC

You can create volumes of the CVS-Performance service type using NFS (NFSv3 or NFSv4.1) or SMB3, or you can create dual-protocol (NFSv3 and SMB, or NFSv4.1 and SMB) volumes, which combine aspects of both NFS and SMB volumes. This section covers considerations for enabling user access across the two authentication methods. For more information, see Create an NFS volume and Create an SMB volume.

Before you create a dual-protocol volume, you must enable billing and APIs and set up private service access; otherwise, the volume creation process fails.

AD requirements

  • Follow the instructions in Manage Active Directory connections to connect to Microsoft Active Directory.

  • Create a pcuser account in your Active Directory (AD) and make sure that the account is enabled. This account serves as the default user: it is used to map UNIX users that access a dual-protocol volume configured with NTFS-style security. You must populate its POSIX attributes with valid values (uid=pcuser, uidNumber=65534, gidNumber=65534). You can set any secure password; the password isn't used in the mapping process. The pcuser account is used only when the accessing user has no account in AD. If a user has an AD account with the POSIX attributes set, that account is used for authentication and is not mapped to the pcuser account.

    For more information, see NFS default local UNIX users and groups.

  • Create a reverse lookup zone on the DNS server and then add a pointer (PTR) record of the AD host machine in that reverse lookup zone. Otherwise, the dual-protocol volume creation fails.

  • Dual-protocol volumes support connections to Active Directory domain servers only.

  • Make sure that your users have valid POSIX attributes in Active Directory. For more information, see Manage LDAP POSIX attributes.
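The following PowerShell script is an added example, not code from this page or from the Cloud Volumes Service documentation. It checks the AD requirements listed above (an enabled pcuser with uid=pcuser, uidNumber=65534 and gidNumber=65534; a PTR record for the AD host; enabled users carrying POSIX attributes) and reports anything that would make volume creation or user mapping fail. It assumes the RSAT ActiveDirectory module is installed in a domain-joined session, and `$AdHostIp` is a placeholder for your AD host's IP address.

```powershell
# Added example: verify the Active Directory prerequisites for a dual-protocol volume.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

$AdHostIp = '192.0.2.10'   # placeholder: IP address of the AD host that needs a PTR record
$problems = @()

# 1. pcuser must exist, be enabled, and carry uid=pcuser, uidNumber=65534, gidNumber=65534.
$pcuser = Get-ADUser -Filter "sAMAccountName -eq 'pcuser'" -Properties uid, uidNumber, gidNumber, Enabled
if (-not $pcuser) {
    $problems += 'pcuser account not found in AD'
} else {
    if (-not $pcuser.Enabled)                 { $problems += 'pcuser account is disabled' }
    # uid is multi-valued in the AD schema, so test membership rather than equality.
    if (@($pcuser.uid) -notcontains 'pcuser') { $problems += "pcuser uid is '$($pcuser.uid)', expected 'pcuser'" }
    if ($pcuser.uidNumber -ne 65534)          { $problems += "pcuser uidNumber is '$($pcuser.uidNumber)', expected 65534" }
    if ($pcuser.gidNumber -ne 65534)          { $problems += "pcuser gidNumber is '$($pcuser.gidNumber)', expected 65534" }
}

# 2. The AD host needs a PTR record in a reverse lookup zone; without it, volume creation fails.
$ptr = Resolve-DnsName -Name $AdHostIp -Type PTR -ErrorAction SilentlyContinue
if (-not $ptr) { $problems += "No PTR record found for $AdHostIp" }

# 3. Enabled users that will access the volume need valid POSIX attributes (uidNumber and gidNumber).
#    Add -SearchBase with the OU of your volume users to keep service accounts out of the report.
$missing = Get-ADUser -Filter 'Enabled -eq $true' -Properties uidNumber, gidNumber |
    Where-Object { -not $_.uidNumber -or -not $_.gidNumber }
foreach ($u in $missing) {
    $problems += "User $($u.SamAccountName) is missing uidNumber or gidNumber"
}

if ($problems.Count -eq 0) {
    Write-Output 'All dual-protocol AD prerequisites look satisfied.'
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```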

NFS requirements

A dual-protocol volume can use NFSv3 or NFSv4.1.

  • Make sure that the NFS client is up to date and running the latest updates for the operating system.

  • Dual-protocol volumes don't support setting or getting Windows ACLs through extended attributes from NFS clients.

  • NFS clients can't change permissions on volumes with the NTFS security style. Use a Windows client to change the NTFS ACL; the permissions set there are also enforced for NFS clients.

  • Windows clients can't change permissions on dual-protocol volumes with the UNIX security style. Use an NFS client to change the permissions (with chmod or nfs4_setfacl); the permissions set there are also enforced for SMB clients.

    The following table describes the security styles and their effects:

    Security style | Clients that can modify permissions | Permissions that clients can use | Resulting effective security style | Clients that can access files
    ---------------|-------------------------------------|--------------------------------------------|------------------------------------|------------------------------
    UNIX           | NFS                                 | NFSv3, NFSv4.1 mode bits, or NFSv4 ACLs    | UNIX                               | NFS and SMB
    NTFS           | SMB                                 | NTFS ACLs                                  | NTFS                               | NFS and SMB

Mapping considerations

The direction in which name mapping occurs (Windows to UNIX, or UNIX to Windows) depends on which protocol is used and which security style is applied to a volume. Protocol access is subject to user identity, the volume's security style, and the file permissions of the accessed file. Windows clients always require Windows-to-UNIX name mapping. Conversely, NFS clients only need to use UNIX-to-Windows name mapping if the NTFS security style is in use.

The following table describes the name mapping directions based on protocol, security style, and permissions:

Protocol | Security style | Permissions applied                               | Name mapping direction
---------|----------------|---------------------------------------------------|-----------------------
SMB      | UNIX           | UNIX (mode bits or NFSv4.x ACLs)                  | Windows to UNIX
SMB      | NTFS           | NTFS ACLs (based on Windows SID accessing share)  | None
NFS      | UNIX           | UNIX (mode bits or NFSv4.x ACLs)                  | None
NFS      | NTFS           | NTFS ACLs (based on mapped Windows user SID)      | UNIX to Windows

Open the Active Directory Attribute Editor

On Windows, you can manage attributes with the Attribute Editor in the Active Directory Users and Computers MMC snap-in.

You open the Attribute Editor as follows:

  1. Select Start, go to Windows Administrative Tools, and select Active Directory Users and Computers.

    The Active Directory Users and Computers window opens.

  2. Select the domain name that you want to view, and then expand the contents.

  3. In the Active Directory Users and Computers View menu, select Advanced Features.

  4. In the left pane, double-click Users.

  5. In the list of users, double-click a user to see its Attribute Editor tab.