Nutanix Files SMB Share Default Permission

  • 25 July 2019
  • 2 replies
  • 6080 views

Userlevel 3
Badge +1
Files currently supports SMB 2.0 and SMB 2.1, SMB 3.0 protocol. For SMB 3.0, it is important to note that
Files has started supporting some of SMB 3.0 Features like SMB3 Signing ( 3.2.0 onward) and SMB3 Encryption support is coming with coming releases.
We do not have any plans to support the SMB 1.0 protocol, given that this is no longer even supported by Microsoft for security reasons

Nutanix Files assigns default permissions for newly created SMB shares. There are three default (BUILTIN) groups for Nutanix Files:

Administrators,
Users,
Backup Operators.

The BUILTIN\Administrators group includes \Domain Admins, as well as any file server admins you specify from Prism or the CLI.
The BUILTIN\Users group contains \Domain Users.
The BUILTIN\Backup Operators group is empty by default but can include any backup admins you specify from Prism or the CLI.

The default permissions assigned to the Administrators and Users groups depend on the share type.

code:
Standard share
BUILTIN\Administrators: Allow FullControl
BUILTIN\Users: Allow FullControl

Distributed share
BUILTIN\Administrators: Allow FullControl
BUILTIN\Users: Allow ReadAndExecute, Synchronize



You can modify or remove these default permissions as needed for your environment. You can use Microsoft Management Console (MMC), and so onto manage the file shares and their permissions.

Let’s try to understand this by an example
There are 2 shares GENERAL (Non-distributed) and HOME (distributed)

code:
 share.list
Share name: smb_gp
File server name: demofs
Share type: GENERAL

Share name: smb_demo
File server name: demofs
Share type: HOME


Share Path :- \\demofs\smb_demo\tld

code:
File Server = demofs 
smb_demo= Home Share
tld = first root level directory
filesuser1=user directory
smb_gp= GENERAL Share
Users : afsadmin ( admin privileges) filesuser1 (domain user)


There are two user accounts, let’s look at their group membership

code:
> Get-ADPrincipalGroupMembership afsadmin | select Name

Name
----
Domain Users
Administrators
Schema Admins
Enterprise Admins
Domain Admins


> Get-ADPrincipalGroupMembership filesuser1 | select Name

Name
----
Domain Users
Minerva_User



Let’s validate Home Share first.

code:
> get-acl \\demofs\smb_demo | select owner, group, accesstostring | fl


Owner : BUILTIN\Administrators
Group : BUILTIN\Users
AccessToString : CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize


> get-acl \\demofs\smb_demo\tld | select owner, group, accesstostring | fl


Owner : AFSLAB\afsadmin
Group : AFSLAB\Domain Users
AccessToString : AFSLAB\afsadmin Allow FullControl
CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize



> get-acl \\demofs\smb_demo\tld\filesuser1 | select owner, group, accesstostring | fl


Owner : AFSLAB\afsadmin
Group : AFSLAB\Domain Users
AccessToString : AFSLAB\afsadmin Allow FullControl
CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize



So "filesuser1" is a domain user who has ReadAndExecute, Synchronize permission by default on user directory names "filesuser1". However, this user can't create a file in user folder name tld.

Easiest way to manage all this is MMC from where you can change the permissions.



Let's take a look at a general share named smb_gp and for same users. You can notice that BUILTIN\Users have full control.

code:
> get-acl \\demofs\smb_gp | select owner, group, accesstostring | fl


Owner : BUILTIN\Administrators
Group : BUILTIN\Users
AccessToString : CREATOR OWNER Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow FullControl

This topic has been closed for comments

2 replies

Userlevel 3
Badge +6
Are there any Powershell/ACLI/NCLI commands to set Share Permissions (preferably remotely?)

Set-ACL/Get-ACL only manipulate NTFS ACE/ACLs not Share Permissions in my testing...
Userlevel 4
Badge +12

Thank You @proyoung .  This post is what helped me figure out how to change permissions per user per share.  Only other info I found was here: https://portal.nutanix.com/page/documents/details?targetId=Acropolis-File-Services-Guide-v20:acr-file-share-assign-permission-t.html which isn’t as detailed as your post.

 

Does anyone know whether the steps for assigning permissions has improved?  Seems unusual and disconnected to create the share in Nutanix then have to open a Windows MMC console to configure the user level permissions or even need to do it via a cmdline.

Would have expected to be able to do all this from within Prism/Prism Central console.