HP ProLiant ML310 G3 Storage Server Administration Guide (WSS R2 version, March 2006)
Share considera
tions
Planning the content, size, and distribution of shares on the storage ser ver can improve performance,
manageability, and ease of use.
The content of shares should be carefully chosen to avoid two common pitfalls: either having too many
shares of a very specific nature, or of having very few shares of a generic nature. For example, shares for
general use are easier to set up in the beginning, but can cause problems later. Frequently, a better
approach is to create separate shares with a specific purpose or group of users in mind. However,
creating too many shares also has its drawbacks. For example, if it is sufficient to create a single share
for user home directories, create a “homes” share rather than creating separate shares for each user.
By keeping the number of shares and other resources low, the performance of the storage server is
optimized. For example, instead of sharing out each individual user’s home directory as its own share,
share out th
e top-level directory and let the users map personal drives to their own subdirectory.
Defining Access Control Lists
TheAccessControlList(ACL)containstheinformationthatdictateswhichusersandgroupshaveaccess
to a share, as well as the type of access that is permitted. Each share on an NTFS file system has one
ACL with multiple associated user permissions. For example, an ACL can define that User1 has read
and write access to a share, User2 has read only access, and User3 has no access to the share. The
ACL also includes group access information that applies to every user in a configured group. ACLs are
also referred to as permissions.
Integrating local file system security into Windows domain environments
ACLs include properties specific to users and groups from a particular workgroup server or domain
enviro nment. In a multidomain environment, user and group permissions from several domains can apply
to files stored o n the same device. Users and groups local to the storage server ca n be given access
permissions to shares m anag ed by the device. The domain name of the storage server supplies the
context in which the user or group is understood. Permission configuration depends on the network and
domain infrastructure where the server resides.
File-s
haring protocols (except NFS) supply a user and group context for all connections over the network.
(NFS s
upplies a machine-based context.) When new files are created by those users or m a chines, the
appropriate ACLs are applied.
Configuration tools provide the ability to share permissions out to clients. These shared permissions are
propagated into a file system ACL, and when new files are created over the network, the user creating the
file becomes the file owner. In cases where a specific subdirectory of a share has different permissions
from
the share itself, the NTFS permissions on the subdirectory apply instead. This method results in a
hierarchical security m o del where the network protocol permissions and the file permissions work together
to provide appropriate security for shares on the device.
NOTE:
Share permissions and file-level permissions are implemented separately. It is p ossible for files on a
file s
ystem to have different permissions from those applied to a share. When this situation occurs, the
file-level permissions override the share permissions.
Comparing administrative (hidden) and standard sha res
CIFS supports both administrative shares and standard shares.
• Adm inistrative shares are shares with a last character of $. Administrative shares are not included
in the list of sha res when a client browses for available shares on a CIFS server.
• Standard shares are shares that do not end in a $ character. Standard shares are listed whenever
a CIFS client browses for available shares on a CIFS server .
82
File server management