You can create volumes of the CVS-Performance service type using NFS (NFSv3 or NFSv4.1) or SMB3, or you can create dual-protocol (NFSv3 and SMB, or NFSv4.1 and SMB) volumes, which combine aspects of both NFS and SMB volumes. This section covers considerations for enabling user access across the two authentication methods. For more information, see Create an NFS volume and Create an SMB volume.
Before you create a dual-protocol volume, you must enable billing and APIs and set up private service access; otherwise, the volume creation process fails.
AD requirements
Follow the instructions in Manage Active Directory connections to connect to Microsoft Active Directory.
Create a pcuser account in your Active Directory (AD) and make sure that the account is enabled. This account serves as the default user. It is used to map UNIX users for accessing a dual-protocol volume configured with NTFS-style security. You must populate the POSIX attributes with valid values (uid=pcuser, uidNumber=65534, gidNumber=65534). You can set any secure password. It isn't used for the mapping process. The pcuser account is used only when no user is present in the AD. If a user has an account in the AD with the POSIX attributes set, then that account is used for authentication. It doesn't map to the pcuser account. For more information, see NFS default local UNIX users and groups.
Create a reverse lookup zone on the DNS server and then add a pointer (PTR) record of the AD host machine in that reverse lookup zone. Otherwise, the dual-protocol volume creation fails.
Dual-protocol volumes support connections to Active Directory domain servers only.
Make sure that your users have valid POSIX attributes in Active Directory. For more information, see Manage LDAP POSIX attributes.
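The AD requirements above can be checked before you create the volume. The following PowerShell is an added example, not part of the vendor documentation; it assumes the ActiveDirectory (RSAT) and DnsClient modules on a domain-joined Windows host, and the function names are hypothetical.

```powershell
# Added example: preflight check for the AD requirements listed on this page.
# Assumption: run on a domain-joined host with the ActiveDirectory module installed.
Import-Module ActiveDirectory

function Test-PcUserAccount {
    # The default mapping account must exist, be enabled, and carry the
    # POSIX attribute values this page specifies.
    $expected = [ordered]@{ uid = 'pcuser'; uidNumber = 65534; gidNumber = 65534 }
    try {
        $u = Get-ADUser -Identity 'pcuser' -Properties uid, uidNumber, gidNumber -ErrorAction Stop
    } catch {
        return 'pcuser account not found in AD'
    }
    if (-not $u.Enabled) { 'pcuser account is disabled' }
    foreach ($attr in $expected.Keys) {
        $actual = $u.$attr | Select-Object -First 1   # uid is multi-valued in AD
        if ("$actual" -ne "$($expected[$attr])") {
            "$attr is '$actual', expected '$($expected[$attr])'"
        }
    }
}

function Test-AdHostPtrRecord {
    # Volume creation fails without a PTR record for the AD host machine.
    param([string]$Address = (Get-ADDomainController).IPv4Address)
    $ptr = Resolve-DnsName -Name $Address -Type PTR -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' }
    if (-not $ptr) { "no PTR record found for AD host $Address" }
}

function Get-UsersMissingPosixAttributes {
    # Users need valid POSIX attributes; list enabled accounts that lack them.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties uidNumber, gidNumber |
        Where-Object { $null -eq $_.uidNumber -or $null -eq $_.gidNumber } |
        Select-Object -ExpandProperty SamAccountName
}

# Collect all findings; empty lists mean the requirement is met.
[pscustomobject]@{
    PcUserProblems    = @(Test-PcUserAccount)
    PtrProblems       = @(Test-AdHostPtrRecord)
    UsersMissingPosix = @(Get-UsersMissingPosixAttributes)
} | Format-List
```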
NFS requirements
NFSv3 or NFSv4.1 versions can be used by a dual-protocol volume.
Make sure that the NFS client is up to date and running the latest updates for the operating system.
Dual-protocol volumes don't support the Windows ACLs extended attributes set and get from NFS clients.
NFS clients can't change permissions for the NTFS security style. You can use a Windows client to change the NTFS ACL. The permissions set is also enforced for NFS clients.
Windows clients can't change permissions for UNIX-style dual-protocol volumes. You can use an NFS client to change the permissions (with chmod or nfs4_setfacl). The permissions set is also enforced for SMB clients.
The following table describes the security styles and their effects:
Security style | Clients that can modify permissions | Permissions that clients can use | Resulting effective security style | Clients that can access files |
---|---|---|---|---|
UNIX | NFS | NFSv3, NFSv4.1 mode bits, or NFSv4 ACLs | UNIX | NFS and SMB |
NTFS | SMB | NTFS ACLs | NTFS | NFS and SMB |
Mapping considerations
The direction in which name mapping occurs (Windows to UNIX, or UNIX to Windows) depends on which protocol is used and which security style is applied to a volume. Protocol access is subject to user identity, the volume's security style, and the file permissions of the accessed file. Windows clients always require Windows-to-UNIX name mapping. Conversely, NFS clients only need to use UNIX-to-Windows name mapping if the NTFS security style is in use.
The following table describes the name mapping directions based on protocol, security style, and permissions:
Protocol | Security style | Permissions applied | Name mapping direction |
---|---|---|---|
SMB | UNIX | UNIX (mode bits or NFSv4.x ACLs) | Windows to UNIX |
SMB | NTFS | NTFS ACLs (based on Windows SID accessing share) | None |
NFS | UNIX | UNIX (mode bits or NFSv4.x ACLs) | None |
NFS | NTFS | NTFS ACLs (based on mapped Windows user SID) | UNIX to Windows |
Open the Active Directory Attribute Editor
On Windows, you can manage attributes with the Attribute Editor in the Active Directory Users and Computers MMC snap-in.
You open the Attribute Editor as follows:
Select Start, go to Windows Administrative Tools, and select Active Directory Users and Computers.
The Active Directory Users and Computers window opens.
Select the domain name that you want to view, and then expand the contents.
In the Active Directory Users and Computers View menu, select Advanced Features.
In the left pane, double-click Users.
In the list of users, double-click a user to see its Attribute Editor tab.