Admin and Access to AD Joined SMB File Share


I have an AD joined storage gateway with an SMB File Share. I am having a few issues that I think all add up to something. First, Only Admins have access to files in the gateway. Regular users cannot access files. I tried to Update the ACLs for regular users but they all just showed as SID so I don't know what changes I would be making. I can't tell what the SID belongs to, so I am at a bit of a loss. (I tried using a lookup by the SID in the command line and returned zero results) Because it's a Windows ACL I tried adding a user to the ACL but I got an Access Denied error. I tried to add the user to Admin just for testing (this will only be in place for 1-2 weeks) and it cleared my admin users and I can no longer access the Share via SMB and I cannot add Admins.

How can I fix my File Share without deleting a re-creating it?

asked 22 days ago57 views
1 Answer

When a File Share is created with AD authentication, the default user permission, groups is everyone. Any user with the UNC path to do the mapping will succeed as long as the user is a part of the same AD as that of the Gateway. When you check the NTFS permissions of the share mapped to a windows machine the default is Everyone Full Control.

File Share access permissions take precedence over Windows NTFS permissions. When Allowed and Denied Users and Groups lists is configured at the file share, then Windows ACLs will not grant any access that overrides those lists. The Allowed and Denied Users and Groups lists are evaluated before ACLs, and control which users can mount or access the file share. If any users or groups are placed on the Allowed list, the list is considered active, and only those users can mount the file share.

That said, I would suggest to check the File share access settings using the AWS Storage Gateway console and navigating to the File share or using the API DescribeSMBFileShares to see if you have any Allowed and Denied Users/Groups list configured. If so, clear the list and save the settings. Once the Share is back in "Available" state, try mapping the share and access it using a Domain user from the same AD the gateway belongs to.

Additional Ref:


If the above suggestion did not address the issue, please open a case with AWS support for further investigation. Thank You.

answered 17 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions