Monday, July 7, 2014

Labs: Securing Multi-protocol File Access (NFS/CIFS) on NAS (NetApp) Using Centrify and Windows Security Groups


In the previous post, we discussed how to overcome identity limitations in NAS sharing scenarios.  In heterogeneous environments the main issue is about Identity - the filer is unable to consistently translate the Windows identity to a UNIX identity.  With Centrify Zones and the LDAP Proxy we solved the issue providing a unified identity consistently across Windows, Unix, Linux and Macs.

In Summary, here's what we accomplished:

The LDAP Proxy present's user information for the filer with consistency.  The UNIX information corresponds to what the AD user has in the Centrify Zone.

Now, we can let the NetApp filer do it's magic.  Let's look at a very simple example:

Testing Mixed Share Permissions

Set up the NetApp share
  1. Create a new qtree
    qtree create /vol/vol0/mixed
  2. Change the security model as mixed
    qtree security mixed
  3. Export the newly created qtree
    exportfs -p rw /vol/vol0/mixed
Create a New AD Security Group for the Mixed Share Access
  1. Open ADUC browse to an OU for groups
  2. Select New > Group
  3. Give it a name  (e.g. "Mixed-Share-Access")
  4. Add a test user to the newly created share.
Publish the share in Windows
    1. Open Computer Managemetnt
    2. Connect to your NetApp filer
    3. Navigate to System Tools > Shared folders
    4. Follow the wizard to create your share
    5. In the Share Permissions, remove Everyone and add your previously-created AD Group

Now you have:
  • A CIFS share that is a shared folder protected by a Security Group in AD.  Access is governed by group membership and the permissions on the share.  NTFS permissions will be assigned at file/folder creation based on the user's identity.
  • An NFS share that can be mounted from any Unix, Linux or Mac system;  UNIX file permissions will be assigned at folder/file creation based on the user's identity.  We'll leverage the NETGROUPS option with Centrify-exposed options to accomplish this.
Let's see this in action


As outlined in the latter part of the video, there's definitely improvements that can be implemented:
  • On the NetApp side, Kerberos can be implemented for additional security.  Remember that Centrify already provides "hands-off" Kerberos environment optimized for Microsoft's Kerberos.
  • The AD Group used to control access can be UNIX-enabled, this opens the possibility of leveraging the group's UNIX identity as a group owner on the UNIX side.

Key benefits

  • Process consolidation - now a single AD group can be leveraged to control access.
  • Better Security - there's a better grasp on who has access to what.

No comments:

Post a Comment