Differences
This shows you the differences between two versions of the page.
cloudappliance:cifs [2020_06_18 09:27] – [Overview] jim | cloudappliance:cifs [2023_06_05 05:53] – [Guidelines and Notices] dan | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | # CIFS/SMB Connector (Multi User) | + | # SMB/CIFS Connector (Multiuser) |
- | == Last updated on June 15, 2020 == | + | == Last updated on June 5, 2023 == |
//(New in 1906.07 - Appliance Only)// | //(New in 1906.07 - Appliance Only)// | ||
- | For the single-user | + | For the single-user SMB/CIFS connector [[cloudappliance/cifs-single|click here]]. |
===== Overview ===== | ===== Overview ===== | ||
- | The CIFS/SMB connector provides end-users with access to their data stored within the CIFS/SMB shares via the Enterprise File Fabric and its' | + | The CIFS/SMB connector provides end-users with access to their data stored within the CIFS/SMB shares via the Enterprise File Fabric and its multiple channels of access, including web, desktop, and mobile. This can be done with CIFS shares |
The connector binds Identity and Access Management from the Enterprise File Fabric (integrated via Active Directory / LDAP integration) with the permissions of the underlying file shares to provide users with secure access into the SMB storage, whilst ensuring that users only see and access data that they have permissions to from the underlying shares. | The connector binds Identity and Access Management from the Enterprise File Fabric (integrated via Active Directory / LDAP integration) with the permissions of the underlying file shares to provide users with secure access into the SMB storage, whilst ensuring that users only see and access data that they have permissions to from the underlying shares. | ||
Your existing administrators will continue to manage and maintain file share permissions directly from the SMB file shares. Furthermore, | Your existing administrators will continue to manage and maintain file share permissions directly from the SMB file shares. Furthermore, | ||
+ | |||
+ | The multi-user connector was added in v1906.07 of the File Fabric and is only available in the appliance version. Further enhancements and updates have been added to the multi-user connector in the 1906.08 service pack release. This should be considered the current pre-requisite service pack to deploy the connector. | ||
===== Prerequisites ===== | ===== Prerequisites ===== | ||
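Review bot: the paragraph added at the end of the Overview calls the 1906.08 service pack "the current pre-requisite service pack", while the Prerequisites list right after it still reads "Version 1906.07 or higher"; state the minimum version once and make both places agree. The new side also mixes "Multiuser" in the title, "multi-user" in the added paragraph, and "CIFS/SMB" in the Overview text under an "SMB/CIFS" title, so pick one spelling and one order.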
Line 17: | Line 19: | ||
Enterprise File Fabric (EFF) requirements: | Enterprise File Fabric (EFF) requirements: | ||
* Version 1906.07 or higher | * Version 1906.07 or higher | ||
- | * Organization | + | * Organization |
* Organization connected to your Active Directory via the LDAP Auth Connector. | * Organization connected to your Active Directory via the LDAP Auth Connector. | ||
* AD Administrative account | * AD Administrative account | ||
Line 33: | Line 35: | ||
* **Name** — This will be the friendly name of the provider. Your users will see this inside of their accounts. | * **Name** — This will be the friendly name of the provider. Your users will see this inside of their accounts. | ||
- | * **Username** - The provider will index the storage using an identity that can access the entire storage estate, normally the Administrator user. This field accepts the Username, and should include the domain, for example " | + | * **Username** - The provider will index the storage using an identity that can access the entire storage estate, normally the Administrator user. This field accepts the Username, and should include the domain, for example, " |
* **Password** - This is the password for the account used in the **Username** field. | * **Password** - This is the password for the account used in the **Username** field. | ||
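Review bot: the Username bullet is touched here only to add a comma, and it still describes the indexing identity as "normally the Administrator user". Since the stated requirement is an identity that can access the entire storage estate, consider rewording this to recommend a dedicated service account that has that access, because the password for this account is stored in the provider configuration.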
Line 41: | Line 43: | ||
/ / | / / | ||
- | * **Protocol version** - This is used to control the SMB protocol version that is used. As of writing, **3.0** is the most secure and most recommended | + | * **Protocol version** - This is used to control the SMB protocol version that is used. It is recommended to use SMB version |
* **Use SMBClient for Listing** - Using the smbclient can have performance benefits and is recommended. | * **Use SMBClient for Listing** - Using the smbclient can have performance benefits and is recommended. | ||
* **Binding LDAP** - A prerequisite noted for this connector is an already established Active Directory connection via LDAP. This should be the same AD domain that is integrated with your SMB share. You should select this Enterprise File Fabric Authentication System from the list. | * **Binding LDAP** - A prerequisite noted for this connector is an already established Active Directory connection via LDAP. This should be the same AD domain that is integrated with your SMB share. You should select this Enterprise File Fabric Authentication System from the list. | ||
+ | |||
+ | <WRAP center round important 100%> | ||
+ | If you have not already configured at least one LDAP authentication system for the organization then it is possible to complete the provider configuration without specifying an authentication system for the provider. | ||
+ | </ | ||
Before proceeding with the next step, it is advisable to review the number of threads that will be used for the Synchronization. Increasing the thread count can improve the rate at which the storage is indexed. For details on increasing that, [[provider-synchronization|please see this guide]]. | Before proceeding with the next step, it is advisable to review the number of threads that will be used for the Synchronization. Increasing the thread count can improve the rate at which the storage is indexed. For details on increasing that, [[provider-synchronization|please see this guide]]. | ||
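Review bot: the new "important" box, as visible here, says only that the provider configuration can be completed without specifying an authentication system, and stops there. The Overview says the connector relies on the LDAP binding to make sure users only see data they have permissions to, so the box should say what users can or cannot access while no authentication system is bound and what the administrator has to do afterwards to bind one.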
Line 57: | Line 64: | ||
You can monitor the Provider Sync from the Provider Information screen. | You can monitor the Provider Sync from the Provider Information screen. | ||
- | Once the Synchronization has been completed, you should open the **Dashboard** and set the **Real-time refresh** option | + | Once the Synchronization has been completed, you should open the **Provider Settings** page from the **Dashboard** and set the provider' |
+ | \\ | ||
+ | {{ :: | ||
+ | \\ | ||
+ | If this option is not present on your Dashboard, then it may need to be enabled from the **appladmin**' | ||
The SMB connector automatically establishes itself as a [[organisationcloud/ | The SMB connector automatically establishes itself as a [[organisationcloud/ | ||
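Review bot: the added sentence "If this option is not present on your Dashboard" no longer matches the rewritten step before it, which now sends the reader to the Provider Settings page opened from the Dashboard. Name the same page in both sentences so it is clear where the option is expected to appear.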
Line 64: | Line 75: | ||
If you need to add multiple SMB shares, this can be done by repeating the above steps. | If you need to add multiple SMB shares, this can be done by repeating the above steps. | ||
+ | |||
+ | ==== Ports ==== | ||
+ | Both the Single User connector and the Multi User connector work with SMB systems that use port 445 or port 139. smbclient will also work over either port. | ||
===== Guidelines and Notices ===== | ===== Guidelines and Notices ===== | ||
+ | <WRAP center round info 100%> | ||
+ | Starting with v2106, companies who use SAML as an authentication mechanism can use SAML with the SMB Multi-user | ||
+ | </ | ||
+ | |||
+ | <WRAP center round tip 100%> | ||
+ | Because this connector imports and applies access permissions in a way that prevents direct control in the File Fabric, some of the File Fabric' | ||
+ | </ | ||
* By design, this connector cannot be added by individual org members to create personal providers as it involves creating a Shared Team Folder for the organization' | * By design, this connector cannot be added by individual org members to create personal providers as it involves creating a Shared Team Folder for the organization' | ||
* For each SMB provider that you add, you will find a shared team folder created in the root of the Organization account. The File Fabric reads the permissions for the file shares, whether you are mounting the root of a file share, or if you are mounting a sub-path of the share. Where DFS is fronting the shares, all users will have access to the DFS root, and the shares within the DFS server will have permissions applied accordingly. | * For each SMB provider that you add, you will find a shared team folder created in the root of the Organization account. The File Fabric reads the permissions for the file shares, whether you are mounting the root of a file share, or if you are mounting a sub-path of the share. Where DFS is fronting the shares, all users will have access to the DFS root, and the shares within the DFS server will have permissions applied accordingly. | ||
+ | * The top level of an Mulit User SMB share is a Shared Team Folder. | ||
* Often versioning and trash should be disabled, as the SMB file system will handle these capabilities natively. | * Often versioning and trash should be disabled, as the SMB file system will handle these capabilities natively. | ||
* To prevent overloading your LDAP server with repeat requests, caching of user groups and SIDs is done within the EFF. The default cache expiration time is 300 seconds. This can be tuned using the following configuration parameter: | * To prevent overloading your LDAP server with repeat requests, caching of user groups and SIDs is done within the EFF. The default cache expiration time is 300 seconds. This can be tuned using the following configuration parameter: | ||
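Review bot: the new bullet "The top level of an Mulit User SMB share is a Shared Team Folder." has two typos ("an Mulit User" should be "a Multi User") and repeats what the bullet before it already says about a shared team folder being created for each SMB provider; fix the spelling or fold it into that bullet. In the new Ports section, say that 445 and 139 are TCP ports and that the connection runs from the File Fabric appliance to the SMB server, so a firewall rule can be written from this page alone.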
Line 81: | Line 103: | ||
var $cifs_passwd = ' | var $cifs_passwd = ' | ||
``` | ``` | ||
- | * If a user receives the message " | ||
* It is recommended on the first setup to add this connector using your Organization Admin account, and not a ' | * It is recommended on the first setup to add this connector using your Organization Admin account, and not a ' | ||
+ | * If a user receives the message " | ||
- | For guidance in adding, modifying, or deleting configuration parameters, [[appliance/ | + | * You must add this connector using the Organization Administrator account, not a ' |
+ | * The baseDN that you specify for LDAP searches must be high enough in the tree to encompass both all of your users and all of your shares. | ||
+ | * If the password of a user who is using the File Fabric' | ||
+ | * Share names configured in the File Fabric must match the corresponding names on the storage exactly, including case. If the cases differ then you will experience errors when adding the provider. | ||
+ | |||
+ | * When a folder is being configured as the root of a share, the full folder path configured in the File Fabric must match the path on the storage exactly, including case. If there are differences in case then the File Fabric will not be able to fetch and use the storage' | ||
+ | |||
+ | * When a user's permissions to access a folder are changed on the storage, that change will not be reflected in File Fabric' | ||
+ | |||
+ | For guidance in adding, modifying, or deleting configuration parameters, [[appliance/ |
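Review bot: the added bullet "You must add this connector using the Organization Administrator account" sits two lines below the unchanged bullet "It is recommended on the first setup to add this connector using your Organization Admin account", so the page now states the same rule as both a recommendation and a requirement. Delete the older bullet or reword it to match. The two added bullets on exact case matching (share names, and the folder path used as a share root) could be merged into one, and the empty "+" lines between the last bullets break the list.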