312 The IBM TotalStorage NAS Gateway 500 Integration Guide
11.1 CIFS concepts
There are two requirements for granting a Windows user access to a CIFS
Map the user to a NAS file access user. This allows the NAS Gateway 500 to
handle file permissions and access rights.
Authenticate the user to prove that the user is allowed access.
Windows users accessing CIFS shares on the NAS Gateway 500 must be
mapped to a NAS file access user. If the Windows and NAS file access user
names are identical, the user is mapped automatically. When the user names do
not match, a NAS administrator must define a user mapping so that the NAS
Gateway 500 can authenticate and handle the Windows user.
To access shares on the CIFS server, a Windows user must be authenticated.
The CIFS server can handle authentication in two ways: pass-through and local.
The authentication method is selected during initial configuration in the CIFS
Pass-through authentication is commonly used in Microsoft Active Directory or
Windows NT Domain environments. The authentication request is passed off to
an Active Directory Server (ADS) or Primary/Backup Domain Controller
(PDC/BDC), which checks the password.
Local authentication is used if an ADS or PDC/BDC is not available. All password
authentication is handled by the NAS Gateway 500. Passwords may be
encrypted or plain text:
Plain text passwords are insecure, but require little administrative overhead.
CIFS requests are authenticated against the standard system user registry.
The password is compared against the associated NAS file access user’s
Encrypted passwords are more secure, but require the NAS administrator to
define a CIFS user for each NAS file access user account that is used to
access CIFS files. The CIFS user essentially stores an encrypted CIFS
password for a NAS file access user.
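The following audit sketch is an added example, not code from the guide or from the NAS Gateway 500 itself. It applies the two requirements above (user mapping, then authentication) to an inventory and reports which Windows users would be refused or would authenticate with plain text passwords. The `CifsInventory` structure, the mode names, and the finding codes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical inventory of one gateway's CIFS setup (all names are assumptions).
@dataclass
class CifsInventory:
    nas_users: set                  # NAS file access user names
    user_map: dict                  # admin-defined mappings: Windows name -> NAS user
    auth_mode: str                  # "pass-through", "local-plain" or "local-encrypted"
    cifs_users: set = field(default_factory=set)  # NAS users that have a CIFS user defined


def resolve_nas_user(inv, windows_user):
    """Return the NAS file access user a Windows user maps to, or None."""
    if windows_user in inv.nas_users:        # identical names map automatically
        return windows_user
    target = inv.user_map.get(windows_user)  # otherwise an explicit mapping is needed
    return target if target in inv.nas_users else None  # ignore stale mappings


def audit(inv, windows_users):
    """Map each problematic Windows user to a finding code; clean users are omitted."""
    findings = {}
    for user in windows_users:
        nas_user = resolve_nas_user(inv, user)
        if nas_user is None:
            findings[user] = "unmapped"
        elif inv.auth_mode == "local-encrypted" and nas_user not in inv.cifs_users:
            findings[user] = "no-cifs-user"
        elif inv.auth_mode == "local-plain":
            findings[user] = "plain-text-password"
    return findings


# Constructed sample data, not taken from a real system.
SAMPLE = CifsInventory(
    nas_users={"alice", "bob"},
    user_map={"Robert.Smith": "bob", "carol.w": "carolw"},  # "carolw" does not exist
    auth_mode="local-encrypted",
    cifs_users={"alice"},
)
WINDOWS_USERS = ["alice", "Robert.Smith", "dave", "carol.w"]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, WINDOWS_USERS).items():
        print(f"{user}: {finding}")
```

In the sample, Robert.Smith is correctly mapped to bob but still cannot log in under encrypted local authentication, because no CIFS user has been defined for bob.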