Re: Using EFS with Network Shares and SFU 3.5




"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:eySgT7aDHHA.4832@xxxxxxxxxxxxxxxxxxxxxxx
Hello all,

Our site is running in an environment that is required to support both
Windows and *nix clients. To help support our clients, we have a central
Windows 2K3 SP1 file server that also has the NFS server component from
Services For Unix 3.5 installed and running on it. The idea is that our
users can access their home directory, regardless of the OS they are
using. This setup hasn't presented any problems, but today I was doing
some testing with EFS on the file server and I found some inconsistencies
when I access an encrypted file over a network share via Windows Explorer
versus accessing the same file from a Linux client that has my home
directory mounted from the Windows file server via NFS.

On my Windows XP client, I can access my home directory on the file server
and encrypt a file. This file is then inaccessible to other network users
via Windows Explorer as I would expect. However, if I log into a Linux
client that has my home directory mounted via NFS, "su" to another user
(same user that couldn't access the file via Windows Explorer - _not_ the
root user), this user can then open that same encrypted file (using vi)
that was previously inaccessible when going through Windows Explorer. If
this file was actually encrypted, I would have expected to see a bunch of
gobbledygook.

I have read that EFS encrypted files are transmitted over the network in
the clear and maybe this is a result of that behavior, but I would have
expected that the file server check the requesting user's credentials before
allowing access to the file? Along those lines, it may be a result of the
file server being delegated, a topic that I must admit I don't understand
that well. In any event, I'm hoping someone can tell me whether or not I
have a (mis)configuration problem or if this is expected behavior?


I am not familiar with the specifics of your scenario. However, I did
want to point out that, if the network access is not being made with the
credentials to which you have su'd, but the base account, then what you
experience would be pretty much what one would expect.
As tests, can you access this if logged in directly as the account that
you had su'd to? What are the NTFS permissions allowing on the
file (both accounts? only the base account?). Can you place an audit
on the files used for testing in order to see what credentials the server
is seeing sent? The delegation only allows use of the credentials that
are received, so it comes down to how the network access is done.
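
The audit test suggested in the reply above, as an added example that is not part of the original thread: once object-access auditing is enabled on the test file, this script groups the exported audit records by file and lists the account the server recorded for each open. It assumes a plain-text export with the "Object Name", "Primary User Name" and "Client User Name" field labels of Windows Server 2003 object-access events; the sample records, domain, account and file names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: two object-access records from a plain-text export.
# Server, domain, account and file names are invented for illustration.
SAMPLE_EXPORT = r"""
Object Open:
    Object Name: D:\home\alice\efs-test.txt
    Primary User Name: FILESRV$
    Primary Domain: EXAMPLE
    Client User Name: alice
    Client Domain: EXAMPLE

Object Open:
    Object Name: D:\home\alice\efs-test.txt
    Primary User Name: bob
    Primary Domain: EXAMPLE
    Client User Name: -
    Client Domain: -
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_records(text):
    """Split the export on blank lines and return one field dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Object Name" in fields:
            records.append(fields)
    return records

def seen_account(rec):
    """Account the server acted as: the impersonated client if set, else the primary."""
    kind = "Client" if rec.get("Client User Name", "-") not in ("", "-") else "Primary"
    return rec[f"{kind} Domain"] + "\\" + rec[f"{kind} User Name"]

def accounts_by_file(text):
    """Map each audited file to the sorted list of accounts that opened it."""
    seen = defaultdict(set)
    for rec in parse_records(text):
        seen[rec["Object Name"]].add(seen_account(rec))
    return {path: sorted(accts) for path, accts in seen.items()}

if __name__ == "__main__":
    print(accounts_by_file(SAMPLE_EXPORT))
```

If the account listed for the NFS access is the base account rather than the one su'd to, the server never saw the second user's credentials, which is the case the reply describes.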