Articles in this section

SMB Security Settings

Sara Levy
  • Updated
Follow

By default, VAST Cluster supports a predefined privileged SMB client user and grants backup and restore privilege to the built-in Active Directory backup operators group. The privileged user and group are designed to enable emergency backup, restore, permission and ownership fixing of files and directories in emergency situations. The privileged user can read, write, delete, and change permissions on any file which is exposed using an SMB-enabled view.

The SMB privileged user is predefined with the user name 'vastadmin'. This user is supported when added to the Active Directory domain to which the cluster is joined. The user can have any SID. You can change optionally disable the user or change the user name.

The SMB privileged group is a group the members of which can bypass file security to backup and restore files and directories which are exposed by SMB-enabled views. You can optionally disable the group, customize the group SID and change it's access level.

Note

By default, the SMB privileged group SID is that of the standard built-in Backup Operators group, which can be found in any Active Directory domain. There is a known issue that SMB privileges are not effective for members of the default built-in Backup Operators group. However, when you configure a custom SID for the SMB privileged group, the privileges do take effect for that group.

Important

Changes to these features are not guaranteed to take effect for established share mounts. Any changes you make to the privileged user and group apply after the relevant users remount SMB shares on clients, .

Default Configuration of SMB Privileged User and Group

The table below describes the default configuration and the modifications you can make to suit security preferences.

Privileged User/Group

Default Configuration

Configuration Options

SMB privileged user

  • Enabled

  • User name in Active Directory domain: 'vastadmin'

  • User SID: arbitrary

  • This user can bypass file security and perform any SMB operation on any file or directory accessible via SMB.

  • Disable and enable the SMB privileged user

  • Change the user name

SMB privileged group

  • Enabled

  • Group SID: S-1-5-32-551, the built-in Backup Operators domain group

    Note

    Known issue: the privileges are not effective for this default group.

  • Members of this group can bypass file security to back up and restore files in the cluster file system.

  • Disable and enable the SMB privileged group

  • Change the group SID

  • Reduce privileges from full access control control to read access control
 
Privileges Granted to SMB Privileged User and Group

The following privileges are granted to the SMB privileged user and group:

Privilege

Description

Granted to SMB Privileged User (if enabled)

Granted to SMB Privileged Group (if enabled)

SE_BACKUP_NAME

Back up files and directories.

Yes

Yes

SE_RESTORE_NAME,

Restore files and directories.

Yes

If full access is enabled
 
Modifying SMB Security Settings via the VAST Web UI

  1. From the left navigation menu, select Settings and then Cluster.

  2. Optionally change the settings.

    Use SMB privileged user

    • Enabled (default). The SMB privileged user is enabled.

    • Disabled. The SMB privileged user is disabled.

    Use SMB privileged group

    • Enabled (default). The SMB privileged user group is enabled.

    • Disabled. The SMB privileged user group is disabled.

    SMB privileged group full access

    • Enabled (default). The SMB privileged user group has read and write control access. Members of the group can perform backup and restore operations on all files and directories, without requiring read or write access to the specific files and directories.

    • Disabled. The SMB privileged user group has read control access. Members of the group can perform backup operations on all files and directories without requiring read access to the specific files and directories. They cannot perform restore operations without write access to the specific files and directories.

    Optional SMB privileged user name

    Optional custom user name for the SMB privileged user. If not set, the user name is 'vastadmin'.

    Backup operators domain group

    Specify a custom group SID in order to have a working privileged group with backup operator privileges. If not set, the SMB privileged group is set to the Backup Operators domain group (S-1-5-32-551), which, due to a known issue, does not receive backup operator privileges. 
 
Modifying SMB Security Settings via the VAST CLI

To modify SMB security settings via the VAST CLI, use the cluster modify command.

 
 

Related articles

Comments

0 comments

Article is closed for comments.