15.2 Using File System Trustees and Rights

Dynamic Storage Technology requires that file system access control for data be managed by using the OES Trustee Model for file system trustees and trustee rights.

For all NCP volumes (NSS and NCP on Linux POSIX volumes), the trustee information is obtained at volume mount time from the ._NETWARE/.trustee_database.xml file. When trustee changes are made, this trustee database file is updated. Because this file is located on the volume, it follows the volume from node to node as it moves around the cluster.

NCP trustee information is synchronized with the NSS file system. When an NCP user makes a trustee change, the NCP Server informs NSS of the change. When NSS changes a trustee assignment, it generates an event that the NCP Server listens for so NCP can keep up to date on NSS changes. When DST is involved, events from the secondary NSS volume are also noted, and trustee changes are also synchronized with it.

IMPORTANT:For NCP volumes, ensure that the Inherit POSIX Permissions option is disabled (the default setting). When this setting is disabled, the local Linux environment access is restricted to the root user and the file owner or creator, which is the most secure configuration. For information, see Configuring Inherit POSIX Permissions for an NCP Volume in the OES 23.4: NCP Server for Linux Administration Guide.

Rights and trustee management across multiple file systems should all be managed with the NCP tools. There are rights model mapping problems with using a POSIX rights model on NCP volumes, and vice versa.

All the Active Directory users can now access the data on DST volumes via CIFS. To manage the rights of the Active Directory trustees on the DST volumes, you can use OES File Access Rights Management (NFARM) utility or rights utility. For more information, see OES File Access Rights Management (NFARM) and rights in the OES 23.4: NSS File System Administration Guide for Linux.