Network Folders with NTFS permissions [Staging]
- If you need to use Network Folders and preserve NTFS permissions, it is strongly recommended to run FileCloud on Windows Server instead of Linux.
- If you are running FileCloud on Linux and want to preserve NTFS permissions, a Windows Server running the FileCloud Helper Service is required.
- Starting with FileCloud 15.0, it is recommended to install and use Memcache to improve performance when using network folders with NTFS permissions.
Many organizations have Windows-based Network Folders that are shared with employees. The permissions on these Network Folders are managed using NTFS rights set up for various users and groups (usually from Active Directory). FileCloud can use the same NTFS permissions on the Network Folders for user authorization and access to these resources.
To set up a Network Folder with NTFS permissions:
- Step 1: Set the permissions type to NTFS.
- Step 2: Click on Manage Users or Manage Groups and add users to the share as needed. For example, you might want to give the EVERYONE group access to the Network Folder. In this case, even if a user has been given access to the share, they will only be able to view the share if they also have NTFS permissions on it.
- Step 3: If you are running FileCloud on Linux, you might also need to install and configure the FileCloud Helper Service.
Additional Information and Troubleshooting
- When a user's membership in an AD group is modified, that change is not propagated immediately; it is cached by Windows. As a result, if you change a user's group membership, it might not be picked up by the NTFS helper immediately. It might take anywhere from 10 minutes to several hours before the change is picked up. If you need the change to be picked up immediately, restart the Helper service.
- Make sure that you do not use a local machine account name as the domain user account name. This will cause problems.
- If you get AuthzInitializeContextFromSid errors, make sure the account running the Helper service has full permissions to look up user accounts. Also make sure the user account name is not the same as the computer name; use a different name.
NTFS special permissions
When sharing a network folder with special permissions, ensure that the options below are enabled. With these options enabled, the user is still limited to the folders or sub-folders the administrator allows; they only grant FileCloud the ability to read and display the information it needs for that specific user.
NTFS permissions include both standard and special permissions. Standard permissions on a folder are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Standard file permissions are the same, with the exception of List Folder Contents. Special permissions are considerably more granular.
See the Microsoft documentation: https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx
Use qualified names in multi-domain AD networks
Most organizations that have more than one domain have a legitimate need for users to access shared resources that are located in a different domain.
- Controlling this access requires that users in one domain can also be authenticated and authorized to use resources in another domain.
- To provide authentication and authorization capabilities between clients and servers in different domains, there must be a trust between the two domains.
- Trusts are the underlying technology by which secured Active Directory communications occur and are an integral security component of the Windows Server network architecture.
For example, in an organization called MyCompany, there are two internal domains: domainA and domainB.
Active Directory communications between domainA and domainB occur through a trust.
- USER1 is authenticated in domainA.
- There is a shared, NTFS-permissions-based LAN folder on domainA.
- Suppose FileCloud is installed on domainB and USER1 wants to log on and access the shared folder on domainA. FileCloud then needs to verify the NTFS permissions using a fully qualified user name, which looks like USER1@domainA instead of just USER1.
A fully qualified user name is required in this case to correctly look up a user who is not in the domain that FileCloud is running on.
To configure FileCloud Server to use qualified user names:
- On the FileCloud server, navigate to the following directory: c:\xampp\htdocs\config
- Open the following file for editing: cloudconfig.php
- Add the following line:
define("TONIDO_USE_QUALIFIEDNAMES_FOR_NTFS", 1);
- Save and close the file.
NTFS Network Folders with Access Based Enumeration
When using Network Folders with NTFS permissions, it is possible to automatically hide folders that users do not have access to by enabling Access Based Enumeration (ABE).
To enable ABE, go to Admin Portal->Settings->Storage->Network Storage tab and enable the "Enable Access Based Enumeration for NTFS" checkbox. This enables ABE globally.
To disable or enable ABE only for specific network folders, open the Network Folder Properties dialog: go to Admin Portal->Network Folders and click on "Edit" for the network folder.
Select "Global Policy" to use the global setting, or use the "NO" or "YES" options to disable or enable ABE only for this network share.
The NTFS permission check reads the tokenGroupsGlobalAndUniversal attribute of the SID specified in the call to determine the current user's group memberships. To simplify granting accounts permission to query a user's group information, add the accounts that need to look up group information to the Windows Authorization Access Group. Make sure to add the Windows Authorization Access Group to the FileCloud Account Group that you have created.
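The following PowerShell script is an added diagnostic for the group lookup described above and for the qualified-name and Helper-service troubleshooting notes earlier on this page; it is not FileCloud's own code. It assumes it runs on the Windows host that runs the FileCloud Helper Service, under the service account, and the user name and domain name it takes are placeholders (use the DNS name of the user's domain).

```powershell
# Added diagnostic script; it is not FileCloud's own code. Run it on the Windows host that
# runs the FileCloud Helper Service, under the account that service uses, so it repeats the
# lookups the NTFS permission check performs. The user and domain names are placeholders;
# pass the DNS name of the domain the user belongs to (the trusted domain in the example above).
param([string]$QualifiedUser = 'USER1@domainA.mycompany.local')

$user, $domain = $QualifiedUser.Split('@')
if (-not $domain) { throw "Use a qualified name of the form USER@domain so the lookup targets the right domain." }

# Troubleshooting note: the service account must not carry the same name as the computer.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sam = $me.Name.Split('\')[-1]
if ($sam -ieq $env:COMPUTERNAME) {
    Write-Warning "Running as '$sam', which is also this computer's name; use a differently named account."
}

# Bind to the user's own domain (not the one FileCloud runs in) and find the account by sAMAccountName.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$user' was not found in domain '$domain'." }

# tokenGroupsGlobalAndUniversal is a constructed attribute, so it has to be requested explicitly.
$entry = $hit.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
$rawSids = @($entry.Properties['tokenGroupsGlobalAndUniversal'])

if ($rawSids.Count -eq 0) {
    # Every domain user is at least in Domain Users (a global group), so an empty answer means the
    # calling account lacks the read permission that 'Windows Authorization Access Group' grants.
    Write-Warning "No group SIDs returned for $QualifiedUser. Add '$($me.Name)' to 'Windows Authorization Access Group'."
    return
}

# Resolve each SID to a name; these are the groups that NTFS ACEs are matched against for this user.
"Global/universal group memberships for $QualifiedUser as seen by '$($me.Name)':"
foreach ($raw in $rawSids) {
    $sid = [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(could not resolve; check the trust between the domains)' }
    '{0,-48} {1}' -f $sid.Value, $name
}
```

Because Windows caches group membership (see the troubleshooting notes), a group you just changed may not appear in the output until the cache expires or the Helper service is restarted.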
Improving performance of NTFS Network Folders
In general, extracting NTFS permissions for folders and files adds processing latency. To improve performance, you can enable caching of NTFS permissions.
This speeds up the lookup of NTFS permissions by storing each permission in the memcache server the first time it is accessed. For this caching to work, the memcache server needs to be installed and running. Note that, by default, once permissions are cached they are kept until memcache is restarted. So if you change any NTFS permissions and want FileCloud to pick up the new permissions, make sure to restart the memcache service.