File Gateway Share with valid_user_list Groups


Hello, when trying to limit an Active Directory share to some user groups, it doesn't work. My tests:

  • limit access to a single user DOMAIN\user --> OK
  • limit access to a single group DOMAIN\group --> KO: when the valid_user_list parameter is set, an authentication popup is launched during share access.

It's like File Gateway can't validate my user's group membership.

File Gateway is domain integrated; AD domain level is 2016; SMB ACLs are disabled.

Any ideas?

Thanks for your help

Best regards

Maximus
asked 4 months ago, 142 views
2 Answers
Accepted Answer

Hello,

Groups must be prefixed with the @ character. Acceptable formats include: DOMAIN\User1, user1, @group1, and @DOMAIN\group1.

Try updating accordingly and test.

Ref - https://docs.aws.amazon.com/filegateway/latest/files3/enable-ad-settings.html

Thank you

Harshi
answered 4 months ago
  • I tried with the @ prefix, but on the Builtin Administrators domain group (in my lab). This group doesn't work; custom groups work fine ;) Problem solved! Thanks for your help Harshi


When a file share is created, the default user permission/group is Everyone. Any user with the UNC path to do the mapping will succeed as long as the user is part of the same AD as the gateway. When you check the NTFS permissions of the share mapped on a Windows machine, the default is Everyone Full Control.

File share access permissions take precedence over Windows NTFS permissions. When the Allowed and Denied Users and Groups lists are configured on the file share, Windows ACLs will not grant any access that overrides those lists. The Allowed and Denied Users and Groups lists are evaluated before ACLs and control which users can mount or access the file share. If any users or groups are placed on the Allowed list, the list is considered active, and only those users can mount the file share.

The behavior you experienced is expected (a popup asking for a valid user's password) if the user trying to access the share is not in the valid user/group list configured on the file share.

To further explain, for example, you have two users, User1 and User2. If User1 is added as an allowed user through the file share access settings in the Storage Gateway console, and User2 tries to map/access the file share, it will not succeed even if the NTFS permissions grant Everyone Full Control.

For User2 to map/access the share successfully, it will be prompted to enter User1's password to mount the share. Otherwise, User2 either needs to be allowed as a valid user on the file share, or a domain group that User2 is part of needs to be allowed, for it to mount the share successfully.

Additional Ref:

  1. https://docs.aws.amazon.com/filegateway/latest/files3/using-smb-fileshare.html
  2. https://docs.aws.amazon.com/filegateway/latest/files3/edit-file-share-access-smb.html

Thank You

Harshi
answered 4 months ago
  • Hello Harshi, thanks for your answer. I want to control my share access using the Allowed and Denied Users and Groups lists. NTFS permissions are open. Without any list, my user can access. Configuring an allow list with a wrong user, access is blocked --> OK. Configuring an allow list with a good user, access is granted --> OK. Configuring an allow list with an AD group (my test user is a member of this group), access is blocked --> KO. I tried typing the group as DOMAIN\group or as the group name only, without success. Is there any additional configuration for using groups? How can I troubleshoot this?

    Thank you
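The two answers above state the rules the file share applies (groups carry an `@` prefix; a non-empty allow list restricts mounting to its members; the lists are checked before NTFS ACLs). The following is an added example, not AWS code and not part of this thread: a small offline model of that decision, which reproduces why `DOMAIN\group` without `@` blocks a group member, plus a helper that rewrites such entries and builds the kwargs for `update_smb_file_share`. The domain `CORP`, the users, the group `storage-admins` and the file share ARN are constructed sample data; the assumption that a deny-list match wins over an allow-list match is noted in the code.

```python
"""
Offline model of SMB file share allow/deny list evaluation on a Storage
Gateway file share.  Added illustration, not AWS code: the service's exact
matching is not published, so only the rules stated in the thread are encoded.
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A domain user as the gateway sees it after authentication."""
    name: str                                   # e.g. "CORP\\alice"
    groups: set = field(default_factory=set)    # AD groups the user belongs to


def _split(entry: str):
    """'DOMAIN\\name' -> (domain, name); 'name' -> (None, name); case-insensitive."""
    entry = entry.strip().lower()
    if "\\" in entry:
        domain, name = entry.split("\\", 1)
        return domain, name
    return None, entry


def _same(a, b) -> bool:
    """Compare (domain, name) pairs; an entry without a domain matches any domain."""
    if a[1] != b[1]:
        return False
    return a[0] is None or b[0] is None or a[0] == b[0]


def entry_matches(entry: str, p: Principal) -> bool:
    """One list entry names this principal: '@...' is a group, anything else a user.
    This is why 'CORP\\storage-admins' (no '@') is compared against the user name
    and never matches a member of that group."""
    if entry.startswith("@"):
        wanted = _split(entry[1:])
        return any(_same(wanted, _split(g)) for g in p.groups)
    return _same(_split(entry), _split(p.name))


def can_mount(p: Principal, valid_user_list, invalid_user_list=()) -> bool:
    """Mount decision made before any NTFS ACL is consulted.
    Assumption: a deny-list hit overrides the allow list.  An empty allow list
    means everyone in the domain may mount (the thread's default behaviour)."""
    if any(entry_matches(e, p) for e in invalid_user_list):
        return False
    if valid_user_list:
        return any(entry_matches(e, p) for e in valid_user_list)
    return True


def fix_group_entries(entries, known_groups):
    """Rewrite entries that name a known AD group but lack the '@' prefix.
    Returns (fixed_entries, warnings) so the change can be reviewed before applying."""
    groups = [_split(g) for g in known_groups]
    fixed, warnings = [], []
    for e in entries:
        if not e.startswith("@") and any(_same(_split(e), g) for g in groups):
            fixed.append("@" + e)
            warnings.append(f"{e!r} is a group; rewrote it as {'@' + e!r}")
        else:
            fixed.append(e)
    return fixed, warnings


def update_smb_file_share_request(file_share_arn, valid, invalid=()):
    """Build the kwargs for boto3's storagegateway.update_smb_file_share().
    The call itself is left to the caller (it needs credentials and a real ARN)."""
    return {
        "FileShareARN": file_share_arn,
        "ValidUserList": list(valid),
        "InvalidUserList": list(invalid),
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from any real environment.
    alice = Principal("CORP\\alice", {"CORP\\storage-admins", "CORP\\Domain Users"})
    wrong = ["CORP\\storage-admins"]                 # the form from the question
    fixed, warnings = fix_group_entries(wrong, ["CORP\\storage-admins"])
    print("before:", can_mount(alice, wrong), "after:", can_mount(alice, fixed))
    for w in warnings:
        print("warning:", w)
    print(update_smb_file_share_request(
        "arn:aws:storagegateway:eu-west-1:123456789012:share/share-EXAMPLE", fixed))
```

Run it as a pre-flight check on the list you intend to push: any entry that names a group but lacks the `@` prefix is reported before the share configuration is changed, and `can_mount` shows the resulting decision for a given user and group set.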
