Configuring Server for NFS File Security Permissions (262984)



The information in this article applies to:

  • Microsoft Windows Services for UNIX 2.0

This article was previously published under Q262984
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article describes registry settings that you can use to configure file security permissions for the Windows Services for UNIX 2.0 Server for NFS component. These registry entries affect how file permissions are approximated between Microsoft Windows NT/Microsoft Windows 2000 and UNIX. For additional information about how file permissions are approximated, click the article number below to view the article in the Microsoft Knowledge Base:

262965 How UNIX Permissions are Approximated by Server for NFS

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

How to Change the Parameter in Use

To change the parameters listed in this article, use the following steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the appropriate value under the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping

  3. In the right pane, double-click the value, modify the data, and then click OK.
  4. Quit Registry Editor.
  5. Restart Server for NFS.

Registry Parameter Descriptions

Group Full Control

Value:     GroupFullControl
Type:      DWORD
Default:   0 (Off)
Function:  Determines how the Access Control Entry is created for a
           file's group when an NFS client changes permissions to
           Read, Write, Execute.
				
By default, when an NFS client changes the file permissions of a file's group to Read, Write, Execute (rwx), Server for NFS creates an Access Control Entry (ACE) of Special Access: Read, Write, and Execute. If you set this value to 1, Server for NFS creates an ACE for the group of Full Control.

World Full Control

Value:     WorldFullControl
Type:      DWORD
Default:   0
Function:  Determines how the Access Control Entry is created for the
           built-in Everyone group when an NFS client changes
           permissions for all others.
				
By default, when an NFS client changes the file permissions of all others to Read, Write, and Execute (rwx), Server for NFS creates an Access Control Entry (ACE) of Special Access: Read, Write, and Execute. If you set this value to 1, Server for NFS creates an ACE for the Everyone group of Full Control.

Implicit Permissions

Value:     ImplicitPermissions
Type:      DWORD
Default:   0
Function:  Controls how Server for NFS reports permissions for the NFS
           owner.
				
By default, if no Access Control Entry exists for the owner of a file, no access is reported for the NFS owner. Setting this value to 1 aggregates the permissions granted to groups of which the NFS owner is a member, including the Everyone group, and reports those permissions for the owner of the file. This is useful when file permissions are not granted to individual user accounts but to group accounts.

Inhibit Group Deny ACE

Value:     InhibitGroupDenyAce
Type:      DWORD
Default:   0
Function:  Determines how the Access Control Entry is created when the
           NFS file mode is set to zero (no permissions).
				
By default, if the NFS file mode is set to zero (no permissions), Server for NFS creates an Access Control Entry (ACE) for the group of No Access. No Access overrides all other ACEs and may prevent the owner from accessing the file (if the owner is a member of that group) even though the owner has been granted specific permissions.

Inhibit Owner Deny ACE

Value:     InhibitOwnerDenyACE
Type:      DWORD
Default:   0
Function:  Determines how the Access Control Entry is created when the
           NFS file mode is set to zero (no permissions).
				
By default, if the NFS file mode is set to zero (no permissions) for the owner of the file, Server for NFS creates an Access Control Entry (ACE) for the owner of No Access. No Access overrides all other ACEs and may prevent the owner from accessing the file even though the owner may and should have permissions granted by virtue of group membership.

Inhibit Directory Inheritance

Value:     InhibitDirectoryInheritance
Type:      DWORD
Default:   0
Function:  Determines whether Server for NFS will generate inheritance
           Access Control Entries on directories it creates or
           modifies.
				
NTFS folders use Access Control Entries (ACEs) not only to control access to themselves; they also contain ACEs known as Inheritance ACEs. Inheritance ACEs are placed by default on files and folders that are created within that folder. By default, Server for NFS creates Inheritance ACEs for folders that it creates. Setting the registry parameter to 1 disables the creation of these Inheritance ACEs. Note that you should do this only if you are also using Augment DACLs (see the description later in this article). Otherwise, folders that are created by Server for NFS will contain no Inheritance ACEs, and files created in these folders will have no ACEs and will be inaccessible to everyone.

Augment DACLs

Value:     AugmentDACL
Type:      DWORD
Default:   0
Function:  Dictates how Server for NFS handles existing Discretionary
           Access Control List entries.
				
By default, Server for NFS strips any existing Discretionary Access Control List (DACL) entries and adds three: one for the file owner, one for the primary group of the file, and one for the built-in Everyone group. If you change the value to 1, Server for NFS keeps any DACL entries that do not pertain to file owner, file group, and Everyone. Enabling this feature facilitates the sharing of common files with NFS clients and Common Internet File System (CIFS) clients.
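
The following PowerShell audit is an added example, not part of the original article or of Services for UNIX. It checks the seven Mapping values described above for the combination the Inhibit Directory Inheritance section warns about and for the two Full Control settings. The function names, finding texts, and sample data are assumptions made for illustration.

```powershell
# Added example. Key path and value names are from the article; function names,
# finding texts and the sample data are assumptions made for illustration.
$MappingKey = 'HKLM:\Software\Microsoft\Server for NFS\CurrentVersion\Mapping'
$ValueNames = 'GroupFullControl', 'WorldFullControl', 'ImplicitPermissions',
              'InhibitGroupDenyAce', 'InhibitOwnerDenyACE',
              'InhibitDirectoryInheritance', 'AugmentDACL'

function Get-NfsMappingSettings {
    # Read whichever of the seven values exist under the Mapping key.
    $result = @{}
    if (Test-Path $MappingKey) {
        $props = Get-ItemProperty -Path $MappingKey
        foreach ($name in $ValueNames) {
            if ($null -ne $props.$name) { $result[$name] = $props.$name }
        }
    }
    return $result
}

function Test-NfsMappingSettings {
    param([hashtable]$Settings)   # value name -> DWORD data
    # Every value in the article defaults to 0, so treat a missing value as 0.
    $s = @{}
    foreach ($name in $ValueNames) {
        $s[$name] = if ($Settings.ContainsKey($name)) { [int]$Settings[$name] } else { 0 }
    }
    $findings = @()
    if ($s.InhibitDirectoryInheritance -eq 1 -and $s.AugmentDACL -ne 1) {
        $findings += 'InhibitDirectoryInheritance=1 without AugmentDACL=1: files created in folders made by Server for NFS have no ACEs and are inaccessible to everyone'
    }
    if ($s.WorldFullControl -eq 1) {
        $findings += 'WorldFullControl=1: rwx for all others creates a Full Control ACE for the Everyone group'
    }
    if ($s.GroupFullControl -eq 1) {
        $findings += 'GroupFullControl=1: rwx for the group creates a Full Control ACE for the group'
    }
    return $findings
}

# Constructed sample data, not read from a real server.
$sample = @{ InhibitDirectoryInheritance = 1; AugmentDACL = 0; WorldFullControl = 1 }
Test-NfsMappingSettings -Settings $sample | ForEach-Object { "FINDING: $_" }

# On a server running Server for NFS, audit the live values instead:
# Test-NfsMappingSettings -Settings (Get-NfsMappingSettings)
```

After changing a flagged value, restart Server for NFS as in step 5 of the procedure above.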

Modification Type: Major
Last Reviewed: 6/11/2002
Keywords: kbinfo kbUNIXService w2000sfu KB262984