SMB/CIFS Connector (Multiuser)

Last updated on June 5, 2023

(New in 1906.07 - Appliance Only)

For the single-user SMB/CIFS connector click here.

Overview

The CIFS/SMB connector provides end-users with access to their data stored within the CIFS/SMB shares via Access Anywhere and its multiple channels of access, including web, desktop, and mobile. This can be done with CIFS shares that are on-premises, for example NAS, SAN or Windows Filers, where access is required out of the office or for remote working and/or it can be used to provide access to hosted SMB shares such as Azure Files or Amazon FSx.

The connector binds Identity and Access Management from Access Anywhere (integrated via Active Directory / LDAP integration) with the permissions of the underlying file shares to provide users with secure access into the SMB storage, whilst ensuring that users only see and access data that they have permissions to from the underlying shares.

Your existing administrators will continue to manage and maintain file share permissions directly from the SMB file shares. Furthermore, any changes made on the file shares, whether file, folders, or permissions related are reflected immediately within Access Anywhere.

The multi-user connector was added in v1906.07 of Access Anywhere and is only available in the appliance version. Further enhancements and updates have been added to the multi-user connector in the 1906.08 service pack release. This should be considered the current pre-requisite service pack to deploy the connector.

Prerequisites

Access Anywhere (NAA ) requirements:

  • Version 1906.07 or higher
  • Organization Administrator account (not a member with admin role)
  • Organization connected to your Active Directory via the LDAP Auth Connector.
  • AD Administrative account

Adding the SMB Connector

To begin adding the connector, it must first be enabled in your applicable Package from your appladmin account. In the Package options, ensure that the SMB (multi-user) connector is checked for it to be available to the organization.

Next, logging into the Organization Admin account, visit the Dashboard and click the Add new provider button.

From the dropdown list, select SMB (multi-user) and then click Add provider.

On the next screen, you will be presented with the following fields:

  • Name — This will be the friendly name of the provider. Your users will see this inside of their accounts.
  • Username - The provider will index the storage using an identity that can access the entire storage estate, normally the Administrator user. This field accepts the Username, and should include the domain, for example, “AD\Administrator”.
  • Password - This is the password for the account used in the Username field.
  • Share Path - This is the UNC path to the SMB Share. Enter a Unix compatible path, for example:

    / /londoncifs/sharename

  • Protocol version - This is used to control the SMB protocol version that is used. It is recommended to use SMB version 3.0 as the base SMB protocol for the multi-user connector. If you are considering using a different version please contact support.
  • Use SMBClient for Listing - Using the smbclient can have performance benefits and is recommended.
  • Binding LDAP - A prerequisite noted for this connector is an already established Active Directory connection via LDAP. This should be the same AD domain that is integrated with your SMB share. You should select this Access Anywhere Authentication System from the list.

If you have not already configured at least one LDAP authentication system for the organization then it is possible to complete the provider configuration without specifying an authentication system for the provider. In that case organization members may have read access to the provider and its contents.

Before proceeding with the next step, it is advisable to review the number of threads that will be used for the Synchronization. Increasing the thread count can improve the rate at which the storage is indexed. For details on increasing that, please see this guide.

Once completed, click Continue.

At this point, the NAA will connect to the SMB share, and perform a Provider Sync of the storage metadata.

During the phase of Provider Synchronization, the root directory of the provider will be made automatically into a Shared Team Folder, and permissions on this directory and its subdirectories will be set according to the permissions of your underlying storage.

You can monitor the Provider Sync from the Provider Information screen.

Once the Synchronization has been completed, you should open the Provider Settings page from the Dashboard and set the provider's Cloud Refresh to Enabled.

If this option is not present on your Dashboard, then it may need to be enabled from the appladmin's account under Site Functionality.

The SMB connector automatically establishes itself as a Shared Team Folder. The permissions on its directories and subdirectories will be automatically managed by the NAA .

When users next login to the NAA , they will observe a team shared folder at the root of their view, with access to the data stored on the filer.

If you need to add multiple SMB shares, this can be done by repeating the above steps.

Ports

Both the Single User connector and the Multi User connector work with SMB systems that use port 445 or port 139. smbclient will also work over either port.

Guidelines and Notices

Starting with v2106, companies who use SAML as an authentication mechanism can use SAML with the SMB Multi-user and Nasuni Connectors. See this page for more information.

Because this connector imports and applies access permissions in a way that prevents direct control in Access Anywhere, some of Access Anywhere's behaviours may differ from the behavior with other connector types.

  • By design, this connector cannot be added by individual org members to create personal providers as it involves creating a Shared Team Folder for the organization's users.
  • For each SMB provider that you add, you will find a shared team folder created in the root of the Organization account. The Access Anywhere reads the permissions for the file shares, whether you are mounting the root of a file share, or if you are mounting a sub-path of the share. Where DFS is fronting the shares, all users will have access to the DFS root, and the shares within the DFS server will have permissions applied accordingly.
  • The top level of an Mulit User SMB share is a Shared Team Folder. The Access Anywhere does not allow files in Shared Team Folders (including their descendants) to be made public.
  • Often versioning and trash should be disabled, as the SMB file system will handle these capabilities natively.
  • To prevent overloading your LDAP server with repeat requests, caching of user groups and SIDs is done within the NAA . The default cache expiration time is 300 seconds. This can be tuned using the following configuration parameter:

    var $cifsldapcachetime = 300;

  • The NAA will automatically manage specific mount points on the NAA host machine. Operations performed by users, such as opening, editing and sharing are performed on the individual user's mounts. This underpins the security of the connector.
  • It is recommended to have the following configuration option enabled:

    var $cifs_passwd = '1';

  • It is recommended on the first setup to add this connector using your Organization Admin account, and not a 'delegated admin' account.
  • If a user receives the message “Password not found for user. Please re-login”, they are advised to log-out and re-login again. This occurs when shares are added after users have begun authenticating.
  • You must add this connector using the Organization Administrator account, not a 'delegated admin' account.
  • The baseDN that you specify for LDAP searches must be high enough in the tree to encompass both all of your users and all of your shares. Use the domain name as the baseDN or, if you are using another entry at the baseDN, ensure that all groups for your shares are within the baseDN that you select.
  • If the password of a user who is using Access Anywhere's desktop tools to access storage via this connector changes, she must log in via the web to cause the password to be refreshed, preventing mount errors. As of appliance 2106, end-users will be automatically logged out when passwords on Active Directory if the configuration option on the Authentication System is enabled to check for password changes.
  • Share names configured in Access Anywhere must match the corresponding names on the storage exactly, including case. If the cases differ then you will experience errors when adding the provider.
  • When a folder is being configured as the root of a share, the full folder path configured in Access Anywhere must match the path on the storage exactly, including case. If there are differences in case then Access Anywhere will not be able to fetch and use the storage's access control information.
  • When a user's permissions to access a folder are changed on the storage, that change will not be reflected in Access Anywhere's metadata until Access Anywhere has refreshed its view of the folder. This may lead, for example, to brief periods when a user appears to continue to have access to a folder's contents although the user's access has been removed from the storage. The storage's permissions will apply, however, if the user attempts to access the contents of the folder during this brief period.

For guidance in adding, modifying, or deleting configuration parameters, please follow our guide here.