Files has started supporting some SMB 3.0 features, such as SMB3 signing (3.2.0 onward); SMB3 encryption support is coming in upcoming releases.
We do not have any plans to support the SMB 1.0 protocol, given that it is no longer supported even by Microsoft for security reasons.
Nutanix Files assigns default permissions for newly created SMB shares. There are three default (BUILTIN) groups for Nutanix Files:
Administrators,
Users,
Backup Operators.
The BUILTIN\Administrators group includes \Domain Admins, as well as any file server admins you specify from Prism or the CLI.
The BUILTIN\Users group contains \Domain Users.
The BUILTIN\Backup Operators group is empty by default but can include any backup admins you specify from Prism or the CLI.
The default permissions assigned to the Administrators and Users groups depend on the share type.
Standard share
BUILTIN\Administrators: Allow FullControl
BUILTIN\Users: Allow FullControl
Distributed share
BUILTIN\Administrators: Allow FullControl
BUILTIN\Users: Allow ReadAndExecute, Synchronize
You can modify or remove these default permissions as needed for your environment. You can use Microsoft Management Console (MMC), and so on, to manage the file shares and their permissions.
Let’s try to understand this with an example.
There are two shares: GENERAL (non-distributed) and HOME (distributed).
share.list
Share name: smb_gp
File server name: demofs
Share type: GENERAL
Share name: smb_demo
File server name: demofs
Share type: HOME
Share path: \\demofs\smb_demo\tld
demofs = file server
smb_demo = HOME share
tld = first root-level directory
filesuser1 = user directory
smb_gp = GENERAL share
Users: afsadmin (admin privileges), filesuser1 (domain user)
There are two user accounts; let’s look at their group membership.
> Get-ADPrincipalGroupMembership afsadmin | select Name
Name
----
Domain Users
Administrators
Schema Admins
Enterprise Admins
Domain Admins
> Get-ADPrincipalGroupMembership filesuser1 | select Name
Name
----
Domain Users
Minerva_User
Let’s validate Home Share first.
> get-acl \\demofs\smb_demo | select owner, group, accesstostring | fl
Owner : BUILTIN\Administrators
Group : BUILTIN\Users
AccessToString : CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
> get-acl \\demofs\smb_demo\tld | select owner, group, accesstostring | fl
Owner : AFSLAB\afsadmin
Group : AFSLAB\Domain Users
AccessToString : AFSLAB\afsadmin Allow FullControl
CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
> get-acl \\demofs\smb_demo\tld\filesuser1 | select owner, group, accesstostring | fl
Owner : AFSLAB\afsadmin
Group : AFSLAB\Domain Users
AccessToString : AFSLAB\afsadmin Allow FullControl
CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
So "filesuser1" is a domain user who, by default, has ReadAndExecute, Synchronize permission on the user directory named "filesuser1". However, this user can't create a file in the user folder named tld.
The easiest way to manage all this is MMC, from which you can change the permissions.
Let's take a look at a general share named smb_gp for the same users. Notice that BUILTIN\Users has full control.
> get-acl \\demofs\smb_gp | select owner, group, accesstostring | fl
Owner : BUILTIN\Administrators
Group : BUILTIN\Users
AccessToString : CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow FullControl
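Because BUILTIN\Users contains Domain Users, the FullControl default on a standard share is the entry worth auditing. The following is an added example, not Nutanix code or part of the original post: a PowerShell check that flags Allow entries granting write-capable rights to BUILTIN\Users. The names Find-BroadWriteAccess and $WriteMask are hypothetical, the sample ACLs are constructed to mirror the Get-Acl output above, and it assumes PowerShell on Windows.

```powershell
# Added example, not Nutanix code. Find-BroadWriteAccess and $WriteMask are hypothetical names.
# Rights that let a principal create, change or delete content, or rewrite the ACL.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-BroadWriteAccess {
    param(
        # Get-Acl output, or any object exposing Path and Access
        [Parameter(Mandatory, ValueFromPipeline)] $Acl,
        # On Nutanix Files, BUILTIN\Users contains Domain Users
        [string[]] $Principal = @('BUILTIN\Users')
    )
    process {
        foreach ($ace in $Acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
            # Keep only the bits of this ACE that overlap the write-capable mask
            $granted = $ace.FileSystemRights -band $WriteMask
            if ([int]$granted -ne 0) {
                [pscustomobject]@{
                    Path      = $Acl.Path
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed sample input mirroring the share-root ACLs shown on this page (runs offline).
$rule = {
    param($id, $rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, 'Allow')
}
$sample = @(
    [pscustomobject]@{ Path = '\\demofs\smb_gp'; Access = @(
        (& $rule 'BUILTIN\Administrators' 'FullControl'),
        (& $rule 'BUILTIN\Users' 'FullControl')) },
    [pscustomobject]@{ Path = '\\demofs\smb_demo'; Access = @(
        (& $rule 'BUILTIN\Administrators' 'FullControl'),
        (& $rule 'BUILTIN\Users' 'ReadAndExecute, Synchronize')) }
)

# Only the GENERAL share is reported; the HOME share grants BUILTIN\Users read-only rights.
$sample | Find-BroadWriteAccess | Format-Table -AutoSize

# Live use against the file server:
# Get-Acl \\demofs\smb_gp, \\demofs\smb_demo | Find-BroadWriteAccess
```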