Microsoft KB Archive/262984

= Configuring Server for NFS File Security Permissions =

Article ID: 262984

Article Last Modified on 10/31/2006


APPLIES TO


 * Microsoft Windows Services for UNIX 2.0 Standard Edition




This article was previously published under Q262984



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article describes registry settings that you can use to configure file security permissions for the Windows Services for UNIX 2.0 Server for NFS component. These registry entries affect how file permissions are approximated between Microsoft Windows NT/Microsoft Windows 2000 and UNIX. For additional information about how file permissions are approximated, click the article number below to view the article in the Microsoft Knowledge Base:

262965 How UNIX Permissions are Approximated by Server for NFS



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

How to Change the Parameter in Use
To change the parameters listed in this article, use the following steps:

1. Start Registry Editor (Regedt32.exe).
2. Locate the appropriate value under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping

3. In the right pane, double-click the value, modify the data, and then click OK.
4. Quit Registry Editor.
5. Restart Server for NFS.

Group Full Control
<pre class="fixed_text">Value:    GroupFullControl
Type:     DWORD
Default:  0 (Off)
Function: Determines how the Access Control Entry is created for a
          file's group when an NFS client changes permissions to
          Read, Write, Execute.</pre>

By default, when an NFS client changes the file permissions of a file's group to Read, Write, Execute (rwx), Server for NFS creates an Access Control Entry (ACE) of Special Access: Read, Write, and Execute. By setting this value to 1, Server for NFS creates an ACE for the group of Full Control.

World Full Control
<pre class="fixed_text">Value:    WorldFullControl
Type:     DWORD
Default:  0
Function: Determines how the Access Control Entry is created for the
          built-in Everyone group when an NFS client changes
          permissions for all others.</pre>

By default, when an NFS client changes the file permissions of all others to Read, Write, and Execute (rwx), Server for NFS creates an Access Control Entry (ACE) of Special Access: Read, Write, and Execute. By setting this value to 1, Server for NFS creates an ACE for the Everyone group of Full Control.

Implicit Permissions
<pre class="fixed_text">Value:    ImplicitPermissions
Type:     DWORD
Default:  0
Function: Controls how Server for NFS reports permissions for the NFS
          owner.</pre>

By default, if no Access Control Entry exists for the owner of a file, no access is reported for the NFS owner. Setting this value to 1 aggregates the permissions granted to groups of which the NFS owner is a member, including the Everyone group, and reports those permissions for the owner of the file. This is useful when file permissions are not granted to individual user accounts but to group accounts.

Inhibit Group Deny ACE
<pre class="fixed_text">Value:    InhibitGroupDenyAce
Type:     DWORD
Default:  0
Function: Determines how the Access Control Entry is created when the
          NFS file mode is set to zero (no permissions).</pre>

By default, if the NFS file mode is set to zero (no permissions), Server for NFS creates an Access Control Entry (ACE) for the group of No Access. No Access overrides all other ACEs and may prevent the owner from accessing the file (if the owner is a member of that group) even though the owner has been granted specific permissions.

Inhibit Owner Deny ACE
<pre class="fixed_text">Value:    InhibitOwnerDenyACE
Type:     DWORD
Default:  0
Function: Determines how the Access Control Entry is created when the
          NFS file mode is set to zero (no permissions).</pre>

By default, if the NFS file mode is set to zero (no permissions) for the owner of the file, Server for NFS creates an Access Control Entry (ACE) for the owner of No Access. No Access overrides all other ACEs and may prevent the owner from accessing the file even though the owner may and should have permissions granted by virtue of group membership.

Inhibit Directory Inheritance
<pre class="fixed_text">Value:    InhibitDirectoryInheritance
Type:     DWORD
Default:  0
Function: Determines whether Server for NFS will generate inheritance
          Access Control Entries on directories it creates or
          modifies.</pre>

NTFS folders not only use ACEs to control their own access, but also contain Access Control Entries (ACEs) known as Inheritance ACEs. Inheritance ACEs are placed by default on files and folders that are created within that folder. By default, Server for NFS creates Inheritance ACEs for folders that it creates. Setting the registry parameter to 1 disables the creation of these Inheritance ACEs. Note that you should do this only if you are also using Augment DACLs (see the description later in this article). Otherwise, folders that are created by Server for NFS will contain no Inheritance ACEs, and files created in these folders will have no ACEs and will be inaccessible to everyone.

Augment DACLs
<pre class="fixed_text">Value:    AugmentDACL
Type:     DWORD
Default:  0
Function: Dictates how Server for NFS handles existing Discretionary
          Access Control List entries.</pre>

By default, Server for NFS strips any existing Discretionary Access Control List (DACL) entries and adds three: one for the file owner, one for the primary group of the file, and one for the built-in Everyone group. If you change the value to 1, Server for NFS keeps any DACL entries that do not pertain to file owner, file group, and Everyone. Enabling this feature facilitates the sharing of common files with NFS clients and Common Internet File System (CIFS) clients.
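The following is an added example, not part of the original article and not Microsoft code. It reviews a Regedit text export of the Mapping key offline and flags the combinations described above, most importantly InhibitDirectoryInheritance enabled without AugmentDACL. Assumptions: the export has already been decoded to text, an absent value means its documented default of 0, and the function names and finding wording are illustrative.

```python
import re

# Key and value names are the ones listed in this article; a value that is
# absent from the export is treated as its documented default of 0.
MAPPING_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping"
VALUES = ["GroupFullControl", "WorldFullControl", "ImplicitPermissions",
          "InhibitGroupDenyAce", "InhibitOwnerDenyACE",
          "InhibitDirectoryInheritance", "AugmentDACL"]

def parse_mapping(reg_text):
    """Return {value name: int} for the Mapping key of a regedit text export."""
    settings = {name: 0 for name in VALUES}
    canonical = {name.lower(): name for name in VALUES}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == MAPPING_KEY.lower()  # names are case-insensitive
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if in_key and m and m.group(1).lower() in canonical:
            settings[canonical[m.group(1).lower()]] = int(m.group(2), 16)
    return settings

def review(settings):
    """Return findings for the combinations this article describes."""
    findings = []
    if settings["InhibitDirectoryInheritance"] == 1 and settings["AugmentDACL"] != 1:
        findings.append("InhibitDirectoryInheritance=1 without AugmentDACL=1: files "
                        "created in new folders get no ACEs and are inaccessible")
    if settings["WorldFullControl"] == 1:
        findings.append("WorldFullControl=1: rwx for others becomes Full Control for Everyone")
    if settings["GroupFullControl"] == 1:
        findings.append("GroupFullControl=1: rwx for group becomes Full Control for the group")
    if settings["AugmentDACL"] != 1:
        findings.append("AugmentDACL=0: existing DACL entries are stripped and replaced")
    return findings

# Constructed sample export, not taken from a real server.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server for NFS\CurrentVersion\Mapping]
"WorldFullControl"=dword:00000001
"InhibitDirectoryInheritance"=dword:00000001
'''

if __name__ == "__main__":
    for finding in review(parse_mapping(SAMPLE)):
        print(finding)
```
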


© Microsoft Corporation. All rights reserved.