Network Folders with NTFS Permissions
- If you need to use Network Folders and preserve NTFS permissions, it is strongly recommended to run FileCloud on Windows Servers instead of Linux.
- If you are running FileCloud on Linux and want to preserve NTFS Permissions, a Windows Server running the FileCloud Helper Service is required (See more information)
- Starting with FileCloud 15.0, it is recommended to install and use Memcache to improve performance when using network folders with NTFS permissions
Many organizations have Windows based Network Folders that are shared with employees. The permissions on these Network Folders are managed using NTFS rights setup for various users and groups (usually from Active Directory). FileCloud can use the same NTFS permissions on the Network Folders for user authorization and access to these resources.
To setup a network Folder with NTFS permissions:
- Step 1: please set permissions type to "NTFS"
- Step 2: Click on Manage Users or Manage Groups and add users to the share as needed. For example, you might want to give EVERYONE group access to the Network Folder. In this case even if the user has been given access to the share, they will only be able to view the share if they have NTFS permissions enabled.
- Step 3: If you are running FileCloud on Linux, you might need to optionally configure and install the FIleCloud helper service
Additional Information and Troubleshooting
- When user membership in a AD group is modified, that change is not propagated immediately and is cached by Windows. See http://support.microsoft.com/kb/871159 for more information. As a result, if you change a user group membership, it might not be picked up NTFS helper immediately. It might take some time ranging from 10 minutes to several hours before the change is picked up. If you need the changes to be picked up immediately, you can restart the helper service.
- Make sure that don't have a local machine account name as the domain user account. This will cause problems.
- If you get authzinitializecontextfromsid errors, make sure the account running the Helper service has full permissions to look up user accounts, Also make sure the user account name is not the same as the computer name, use a different name.
How share permissions and NTFS permissions work together
When sharing a network folder, it is important that the Share Permissions for the network share are setup with the right permissions for all the users. If you are setting up NTFS permissions in the folders, make sure to allow full control in the Share Permissions dialog.
From Microsoft's Documentation at (http://windows.microsoft.com/en-us/windows-vista/share-files-and-folders-over-the-network-from-windows-vista-inside-out)
The implementation of share permissions and NTFS permissions is confusingly similar, but it’s important to recognize that these are two separate levels of access control. Only connections that successfully pass through both gates are granted access.
Share permissions control network access to a particular resource. Share permissions do not affect users who log on locally. You set share permissions in the Advanced Sharing dialog box, which you access from the Sharing tab of a folder’s properties dialog box.
NTFS permissions apply to folders and files on an NTFS-formatted drive. They provide extremely granular control over an object. For each user to whom you want to grant access, you can specify exactly what they’re allowed to do: run programs, view folder contents, create new files, change existing files, and so on. You set NTFS permissions on the Security tab of the properties dialog box for a folder or file.
It’s important to recognize that the two types of permissions are combined in the most restrictive way. If, for example, a user is granted Read permission on the network share, it doesn’t matter whether or not the account has Full Control NTFS permissions on the same folder; the user gets only Read access when connecting over the network.
NTFS Network Folders with Access Based Enumeration
When using Network Folders with NTFS permissions, it is possible to automatically hide folders that users don't have access by enabling Access Based Enumeration (ABE) settings.
To enable ABE, go to Admin Portal->Settings->Storage->Network Storage tab and enable the "Enable Access Based Enumeration for NTFS" checkbox. This will enable ABE globally.
To disable or enable ABE only for specific network folders you can open up the specific Network Folder Properties dialog. Admin Portal->Network Folders, click on "Edit" for a network folder.
Select "Global Policy" to use the global setting, or use the "NO" or "YES" options to disable or enable ABE only for this network share.
NTFS permission checks reads the tokenGroupsGlobalAndUniversal attribute of the SID specified in the call to determine the current user's group memberships. To simplify granting accounts permission to query a user's group information, add accounts that need the ability to look up group information to the Windows Authorization Access Group. Please make sure to add the Windows Authorization Access Group to the FileCloud Account Group that you have created.
Improving performance of NTFS Network Folders
In general, extracting NTFS permissions for folders and files can add additional processing latency. To improve performance, you can enable caching of NTFS permissions.
This speeds up lookup of NTFS permissions by caching the permissions once accessed once in the memcache server. For this caching to work, memcache server needs to be installed and running. By default, note that once permissions are cached, they are stored till memcache is restarted. So if you are changing any NTFS Permissions and want FileCloud to pick up the new permissions, make sure to restart the memcache service.