By default, VAST Cluster supports a predefined privileged SMB client user and grants backup and restore privilege to the built-in Active Directory Backup Operators group. The privileged user and group are designed to enable backup, restore, and fixing of permissions and ownership of files and directories in emergency situations. The privileged user can read, write, delete, and change permissions on any file that is exposed using an SMB-enabled view, regardless of what the underlying filesystem permissions allow.
The privileged user and group are supported on each tenant that is connected to an SMB-allowed Active Directory domain. Settings pertaining to the user and group are configured in the tenant configuration.
The SMB privileged user is predefined with the user name 'vastadmin'. This user is supported when added to the Active Directory domain to which the cluster is joined. The user can have any SID. You can optionally disable the user or change the user name.
The SMB privileged group is a group whose members can bypass file security to back up and restore files and directories that are exposed by SMB-enabled views. You can optionally disable the group, customize the group SID, and change its access level.
Note
By default, the SMB privileged group SID is that of the standard built-in Backup Operators group, which can be found in any Active Directory domain. There is a known issue that SMB privileges are not effective for members of the default built-in Backup Operators group. However, when you configure a custom SID for the SMB privileged group, the privileges do take effect for that group.
Important
Changes to these features are not guaranteed to take effect for established share mounts. Any changes you make to the privileged user and group apply after the relevant users remount SMB shares on clients.
The table below describes the default configuration and the modifications you can make to suit security preferences. These settings are per tenant.
| Privileged User/Group | Default Configuration | Configuration Options |
|---|---|---|
| SMB privileged user | | |
| SMB privileged group | | |
The following privileges are granted to the SMB privileged user and group:
| Privilege | Description | Granted to SMB Privileged User (if enabled) | Granted to SMB Privileged Group (if enabled) |
|---|---|---|---|
| SE_BACKUP_NAME | Back up files and directories. | Yes | Yes |
| SE_RESTORE_NAME | Restore files and directories. | Yes | If full access is enabled |
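Because these principals bypass file security on every SMB-enabled view, it is worth reviewing which Active Directory accounts currently map to them. The following PowerShell audit is an added example, not part of the VAST documentation. It assumes the ActiveDirectory (RSAT) module, that the privileged user is matched on its sAMAccountName, and the well-known SID S-1-5-32-551 for the built-in Backup Operators group. The function and parameter names are hypothetical.

```powershell
# Added example: list the AD principals that map to the SMB privileged user and group.
# Assumes the ActiveDirectory (RSAT) module and read access to the joined domain.
# Function and parameter names are illustrative, not VAST's.
Import-Module ActiveDirectory

function Get-SmbPrivilegedPrincipal {
    param(
        # Default name from the page; pass the tenant's custom name if it was changed.
        [string]$UserName = 'vastadmin',
        # Well-known SID of the built-in Backup Operators group; pass the
        # tenant's custom group SID if one is configured.
        [string]$GroupSid = 'S-1-5-32-551'
    )

    # The page states the user can have any SID, so look it up by name
    # (assumption: the name corresponds to sAMAccountName).
    $props = 'Enabled', 'whenCreated', 'PasswordLastSet', 'LastLogonDate'
    Get-ADUser -Filter "SamAccountName -eq '$UserName'" -Properties $props |
        ForEach-Object {
            [pscustomobject]@{
                Source          = 'PrivilegedUser'
                SamAccountName  = $_.SamAccountName
                SID             = $_.SID.Value
                Enabled         = $_.Enabled
                Created         = $_.whenCreated
                PasswordLastSet = $_.PasswordLastSet
                LastLogonDate   = $_.LastLogonDate
            }
        }

    # Expand nested groups so indirect members are listed too.
    Get-ADGroupMember -Identity $GroupSid -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Source         = 'PrivilegedGroup'
                SamAccountName = $_.SamAccountName
                SID            = $_.SID.Value
                ObjectClass    = $_.objectClass
            }
        }
}

Get-SmbPrivilegedPrincipal | Format-List
```

An unexpected account with the privileged user name, or group members who have no backup role, are the findings to follow up, either by disabling the feature or by narrowing it in the tenant configuration.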
See Modifying Tenants.
To modify SMB security settings via the VAST CLI, use the tenant modify command.