Network Folders with NTFS permissions


  • If you need to use Network Folders and preserve NTFS permissions, it is strongly recommended that you run FileCloud on Windows instead of Linux.
  • If you are running FileCloud on Linux and want to preserve NTFS Permissions, a Windows server running the FileCloud Helper service is required.
  • We recommend installing and using Memcache to improve performance when using network folders with NTFS permissions.

Many organizations have Windows-based Network Folders that are shared with employees. The permissions on these Network Folders are managed using NTFS rights assigned to users and groups (usually from Active Directory). FileCloud can evaluate the same NTFS permissions on Network Folders to authorize user access to these resources, so the file server's ACLs remain the single source of truth rather than being duplicated in FileCloud.

To set up a Network Folder with NTFS permissions: 

  1. Set permissions type to NTFS:


  2. Click Manage Users or Manage Groups and add users to the share as needed. For example, you might give the EVERYONE group access to the Network Folder. In this case, even though every user has been granted access to the share in FileCloud, each user can only see and open the files and folders that their NTFS permissions allow; the FileCloud share grant alone does not give access to anything.


  3. If you are running FileCloud on Linux, you must install and configure the FileCloud Helper service on a Windows server, since NTFS permission checks are performed by Windows.

Additional Information and Troubleshooting

  • When a user's membership in an AD group is modified, the change is not propagated immediately; Windows caches group membership. As a result, a change to a user's group membership may not be picked up by the NTFS permission check for anywhere from 10 minutes to several hours. Note that this also applies to removals: a user who is removed from a group keeps the access that group grants until the cache is refreshed. If you need the change to take effect immediately, restart the Helper service.
  • Make sure that the account used as the domain user account is not a local machine account. Local accounts cannot be resolved across the domain and will cause lookup failures.
  • If you get AuthzInitializeContextFromSid errors, make sure the account running the Helper service has sufficient rights to look up user accounts and read their group membership (see the note on the Windows Authorization Access Group below). Also make sure the user account name is not the same as the computer name, because the name will then resolve to the computer account instead of the user.

NTFS special permissions

When sharing a network folder with special permissions, ensure that the options below are enabled. With these options enabled, the user's access remains limited to the folders or subfolders the administrator allows; the options only grant FileCloud the ability to read and display the required information (permission and listing data) for that specific user.

NTFS permissions include both standard and special permissions. Standard permissions on a folder are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Standard file permissions are the same, with the exception of List Folder Contents. Special permissions are considerably more granular.


See Microsoft's documentation at https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx.

Use qualified names in multidomain AD networks

Most organizations that have more than one domain have a legitimate need for users to access shared resources that are located in a different domain.

  • Controlling this access requires that users in one domain can also be authenticated and authorized to use resources in another domain.
  • To provide authentication and authorization capabilities between clients and servers in different domains, there must be a trust between the two domains.
  • Trusts are the underlying technology by which secured Active Directory communications occur and are an integral security component of the Windows Server network architecture.

For example, in an organization called MyCompany, there are two internal domains: domainA and domainB.

  • Active Directory communications between domainA and domainB occur through a trust

  • USER1 is authenticated in domainA
  • There is a shared NTFS permissions based LAN folder on domainA
  • Suppose FileCloud is installed in domainB and USER1 wants to log on and access the shared folder in domainA. To verify NTFS permissions, FileCloud must look the user up with a fully qualified user name such as USER1@domainA (or domainA\USER1) rather than just USER1, because an unqualified name is only resolved in the domain FileCloud itself belongs to.

A fully qualified user name is required in this case to correctly look up the user name that is not in the current domain that FileCloud is running on.

To configure FileCloud Server to use qualified user names:

  1. On the FileCloud server, navigate to the following directory:

    c:\xampp\htdocs\config
  2. Open the following file for editing:

    cloudconfig.php
  3. Add the following line:

    define("TONIDO_USE_QUALIFIEDNAMES_FOR_NTFS", 1);
  4. Save and close the file.
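The following PowerShell diagnostic is an added example and is not FileCloud's or the Helper service's own code. Run it on the Windows host that performs the NTFS checks (the FileCloud server on Windows, or the Helper service host in domainB). It shows why an unqualified name fails for a user from a trusted domain and which qualified forms resolve, then lists the ACEs on the share that name that user. The user, domain and share path are placeholders you must replace.

```powershell
# Added example (not FileCloud code). Placeholders: USER1, domainA and the share path.
param(
    [string]$User   = 'USER1',
    [string]$Domain = 'domainA',
    [string]$Path   = '\\fileserver.domainA.example\Shared'   # placeholder UNC path
)

# Translate an account name to a SID the same way Windows does for an ACL lookup.
# An unqualified name is searched only on the local machine and in the machine's own
# domain; "domain\user" and "user@domain" are routed across the trust to domainA.
function Resolve-AccountSid {
    param([string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Sid = $sid.Value; Resolved = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Name = $Name; Sid = $null;      Resolved = $false; Error = $_.Exception.Message }
    }
}

# Convert an ACE identity (NTAccount or raw SID) to a SID string; $null if it cannot be mapped.
function Get-AceSid {
    param($IdentityReference)
    try {
        $IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

$candidates = @($User, "$Domain\$User", "$User@$Domain")
$results    = $candidates | ForEach-Object { Resolve-AccountSid $_ }

Write-Host "Name resolution from host $env:COMPUTERNAME (domain $env:USERDOMAIN):"
$results | Format-Table -AutoSize

# Only ACEs that name the user directly are shown here; rights the user gets through
# group membership are evaluated by NTFS from the user's token groups, not listed here.
$resolvedSids = $results | Where-Object Resolved | Select-Object -ExpandProperty Sid -Unique
if (-not $resolvedSids) {
    Write-Warning "No form of the name resolved; check the trust between $env:USERDOMAIN and $Domain."
    return
}

Write-Host "ACEs on $Path that reference this user:"
(Get-Acl -Path $Path).Access |
    Where-Object { (Get-AceSid $_.IdentityReference) -in $resolvedSids } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

If the unqualified form fails while the qualified forms resolve to the same SID, the `TONIDO_USE_QUALIFIEDNAMES_FOR_NTFS` setting above is what FileCloud needs; if none of the forms resolve, the problem is the trust or DNS between the domains, not FileCloud.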

 

NTFS Network Folders with Access Based Enumeration

When using Network Folders with NTFS permissions, it is possible to automatically hide folders that users don't have access to by enabling Access Based Enumeration (ABE) settings.

To enable ABE, in the admin portal go to Settings > Storage > Network Storage and check Enable Access Based Enumeration for NTFS. This enables ABE globally.

 


To disable or enable ABE only for specific Network Folders, open the Network Folder Details dialog box for that folder: in the navigation pane, go to Network Folders and click the edit icon for the Network Folder. In Enable ABE (NTFS), select Global Policy to use the global setting, or choose NO or YES to disable or enable ABE for this network share only.


NTFS permission checks read the tokenGroupsGlobalAndUniversal attribute of the user account identified by the SID passed to the check in order to determine that user's group memberships. Reading this attribute for other accounts requires a specific right; the simplest way to grant it is to add the accounts that perform the lookups (the account running the Helper service, or FileCloud on Windows) to the built-in Windows Authorization Access Group. If you run these services under a FileCloud account group that you have created, make sure that group is a member of the Windows Authorization Access Group as well.
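The script below is an added example, not FileCloud's own tooling. Run on a domain-joined Windows host with the ActiveDirectory module (RSAT) installed, it checks whether the account running the Helper service is a member of the Windows Authorization Access Group (identified by its well-known SID), adds it if necessary, and then tries to read tokenGroupsGlobalAndUniversal for a test user. The service account name and test user are placeholders.

```powershell
# Added example (not FileCloud code). Placeholders: svc-filecloud-helper and USER1.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-filecloud-helper'   # placeholder: account the Helper service runs as
$TestUser       = 'USER1'                  # placeholder: any domain user to test the lookup with
$WaagSid        = 'S-1-5-32-560'           # well-known SID of Windows Authorization Access Group

$waag = Get-ADGroup -Identity $WaagSid
$svc  = Get-ADUser  -Identity $ServiceAccount

# Membership may be nested through a group you created for FileCloud accounts, so
# resolve recursively and compare on SID rather than on display name.
$isMember = Get-ADGroupMember -Identity $waag -Recursive |
            Where-Object { $_.SID -eq $svc.SID }

if (-not $isMember) {
    Write-Host "$ServiceAccount is not in $($waag.Name); adding it."
    Add-ADGroupMember -Identity $waag -Members $svc
    # The new membership is only in the service account's token after it logs on again,
    # so the Helper service must be restarted before the lookups start succeeding.
    Write-Warning "Restart the FileCloud Helper service so the new group membership takes effect."
} else {
    Write-Host "$ServiceAccount is already a member of $($waag.Name)."
}

# Read the constructed attribute the NTFS check depends on. To exercise the permission
# exactly as the Helper service does, run this part while logged on as the service account.
try {
    $u      = Get-ADUser -Identity $TestUser -Properties tokenGroupsGlobalAndUniversal
    $groups = $u.tokenGroupsGlobalAndUniversal | ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # keep the raw SID if the name cannot be mapped
    }
    Write-Host "Global and universal groups for ${TestUser}:"
    $groups | Sort-Object | ForEach-Object { "  $_" }
} catch {
    Write-Warning "Could not read tokenGroupsGlobalAndUniversal for ${TestUser}: $($_.Exception.Message)"
    Write-Warning "This is the condition that surfaces as an AuthzInitializeContextFromSid error."
}
```

Note that this only checks the directory side. The share's NTFS ACL still decides what the user may do; the Windows Authorization Access Group merely lets the service account discover which groups the user belongs to so that those ACEs can be evaluated.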

Improving performance of NTFS Network Folders 

In general, extracting NTFS permissions for folders and files adds processing latency. To improve performance, you can enable caching of NTFS permissions.
This speeds up lookup of NTFS permissions by storing each permission set in the memcache server the first time it is read. For this caching to work, the memcache server must be installed and running. Note that once permissions are cached, they are kept until memcache is restarted; FileCloud does not expire them on its own. This also means that a permission change on the file server, including a revocation, is not enforced by FileCloud until the cache is cleared. If you change any NTFS permissions and want FileCloud to pick up the new permissions, restart the memcache service.