Tech Note 0031

NAS Authentication

How authenticated Network Attached Storage interacts with ExpeDat/SyncDat servers

Some Network Attached Storage systems may enforce their own authentication and access controls which may restrict access by an ExpeDat or SyncDat server.  Some operating systems restrict the ability of server software to access authenticated network attached storage.  Some operating systems may also limit NAS mounts on a per-user basis, requiring special settings for access by multiple users.

This note is about configuring the ExpeDat or SyncDat server, servedat, to work with authenticated Network Attached Storage systems.  It requires familiarity with servedat's access control mechanisms.

Windows

For an authenticated NAS mount, Windows requires that access be performed by a system-authenticated user with the same username and password as the NAS mount.  This means that even though a NAS path may be mounted, servedat will be prevented from accessing it unless the credentials being used by servedat exactly match those of the NAS.  There are three ways to accomplish this.

The easiest is if the Windows system and the NAS system both share the same Active Directory domain.  Enabling SysAuth will then allow credentials to be passed through servedat to the NAS.  If the authentication used by the NAS system is independent of the one used by Windows, then you must create matching accounts in both Windows and the NAS.

Using Active Directory requires that you enable the SysAuth option in servedat and manage those users with Active Directory.  By default, such users may attempt to access any path in the host system.  To limit the accessible paths, use RestrictHome and AllowPath.

If you must use servedat's private authentication mechanism with network attached storage, then either the authentication on the NAS must be disabled or you must change the properties of the servedat Windows service to run as a user account with access to the NAS.  Disabling the extra layer of NAS authentication is the simplest option.  Running the servedat service as a particular user may allow AuthFile users to access the NAS, but it may also disable SysAuth functionality.

Microsoft's recommended solution is to have the NAS share the same Active Directory domain as the Windows system.

macOS

Network file systems in macOS are typically mounted on a per-user basis.  This means that a given mount path will have the credentials and access rights of only the one user who created the mount.  If multiple users are logged in to the system, they may have multiple mounts of the same NAS, each with different credentials.

For servedat users to access files and folders on a macOS NAS mount, the mount must have "Sharing & Permissions" enabled for "everyone".

Unix / NFS

Unix systems using NFS mounts handle user credentials by passing through numeric user and group ids.  System-authenticated users (SysAuth) inherit the id numbers of their system account.  For private authentication users (AuthFile), you may specify which UID and GID to use in the AuthFile itself.
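
Because the NFS server sees only those numbers, it is worth checking what a given UID and GID can actually reach on the mount before assigning them to an AuthFile user.  The following is an added example, not part of the original tech note or of ExpeDat itself: a Python check that evaluates classic POSIX mode bits for a numeric UID/GID along a path.  The function names and the sample tree are assumptions made for illustration, and the check cannot see server-side settings such as ACLs or root squashing.

```python
import os
import tempfile

def mode_bits_access(st, uid, gids):
    """Subset of 'rwx' that classic POSIX mode bits grant to uid/gids.

    uid 0 is not special-cased: NFS exports commonly squash root server-side.
    """
    # Owner bits take precedence over group bits, group over other.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    bits = (st.st_mode >> shift) & 0o7
    return {c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}

def check_path(path, uid, gids, mount_root):
    """Return (access, blocked_at) for uid/gids at path under mount_root.

    Every directory from mount_root down must grant search (x); the first
    one that does not is returned as blocked_at with an empty access set.
    """
    path, mount_root = os.path.realpath(path), os.path.realpath(mount_root)
    if os.path.commonpath([path, mount_root]) != mount_root:
        raise ValueError("path is outside mount_root")
    rel = os.path.relpath(path, mount_root)
    current = mount_root
    for part in ([] if rel == "." else rel.split(os.sep)):
        if "x" not in mode_bits_access(os.stat(current), uid, gids):
            return set(), current
        current = os.path.join(current, part)
    return mode_bits_access(os.stat(current), uid, gids), None

def build_sample_tree():
    """Constructed stand-in for an NFS mount: root 0755, proj 0750, data.bin 0640."""
    root = os.path.realpath(tempfile.mkdtemp())
    proj = os.path.join(root, "proj")
    data = os.path.join(proj, "data.bin")
    os.mkdir(proj)
    open(data, "w").close()
    for p, mode in ((root, 0o755), (proj, 0o750), (data, 0o640)):
        os.chmod(p, mode)
    return root, proj, data

if __name__ == "__main__":
    root, proj, data = build_sample_tree()
    st = os.stat(data)
    # Hypothetical ids an AuthFile entry might assign: owner, group peer, stranger.
    for uid, gid in ((st.st_uid, st.st_gid), (st.st_uid + 1, st.st_gid),
                     (st.st_uid + 1, st.st_gid + 1)):
        print(uid, gid, check_path(data, uid, {gid}, root))
```

Run it on the servedat host against the real mount point and the UID/GID you intend to assign; a non-empty blocked_at names the directory whose permissions stop that id.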

Tech Note History

Mar 07 2014    First Post