Security in NAS vs. Windows 2000. Windows 2000 uses NTFS-v5 Discretionary Access Control List (DACL) and ACE. I believe that most NAS use SAMBA and CIFS that use another file access control mechanism. They do not work well together. You will notice this by managing DACL within Windows 2000 on a file share service by a Linux server running Samba. You will be able to set-up some access rights but try to review them once setup and you will see that you have lost the information on the DACL. This is because there is a conversion during the process.
If we need the security to be maintained like in Windows 2000, what would be the NAS solution? Also, Windows 2000 in native mode uses the Keberos v-5 authentication mechanisms. If NTLM option is turn off on the Windows 2000 infrastructure, the impact will be that you can authenticate to the NAS if it is based on LAN Manager (NTLM v1).
The only vendor that I'm aware of that support mapping to the hard locks of CIFS is VERITAS with their ServPoint NAS. VERITAS has told me that they have added SAMBA extensions to allow this type of lock mapping. You should also look at using Windows Services for Unix which may be able to give he locking you desire. You can find it at: http://www.microsoft.com/windows2000/sfu/
Regarding turning off NT LANanager, here are two Microsoft articles with long answers. http://www.microsoft.com/windows2000/techinfo/howitworks/sec urity/kerberos.asp and http://www.microsoft.com/TechNet/prodtechnol/windows2000serv /maintain/opsguide/secadmog.asp
Evaluator Group, Inc.
Editor's note: Do you agree with this expert's response? If you have more to share, post it in our Storage Networking discussion forum.
This was first published in March 2002