Nutanix Files SMB Share默认权限

  • 2019年7月25日
  • 2回答
  • 3802的浏览量
proyoung
排名
Userlevel 2
徽章 +1
文件目前支持smb2.0、smb2.1、smb3.0协议。对于SMB 3.0,务必注意以下几点
文件已经开始支持SMB 3.0的一些特性,如SMB3签名(3.2.0以后)和SMB3加密支持将随即将发布的版本而来。
我们没有任何支持SMB 1.0协议的计划,因为出于安全原因,微软甚至不再支持该协议

Nutanix Files为新创建的SMB共享分配默认权限。Nutanix文件有三个默认(BUILTIN)组:

管理员,
用户,
备份操作符。

内装式\管理员组包括\域管理员和其他的一样文件服务器管理员你可以从Prism或CLI中指定。
内装式\用户组包含\域用户。
内装式\备份operator组默认为空,但可以包括从Prism或CLI指定的任何备份管理员。

分配给Administrators和Users组的默认权限取决于共享类型。

代码: 
标准的共享
内装式\管理员:允许FullControl
内装式\用户:允许FullControl

分布式共享
内装式\管理员:允许FullControl
内置\用户:允许读取和执行,同步



您可以根据环境的需要修改或删除这些默认权限。您可以使用微软管理控制台(MMC)等来管理文件共享及其权限。

让我们通过一个例子来理解
共有2股:GENERAL(非分布式)和HOME(分布式)

代码: 
share.list
股票名称:smb_gp
文件服务器名称:demofs
分享类型:一般

股票名称:smb_demo
文件服务器名称:demofs
分享类型:回家


共享路径:- \\demofs\smb_demo\tld

代码: 
文件服务器= demofs
smb_demo =家分享
TLD =第一个根级目录
filesuser1 =用户目录
smb_gp =总份额
用户:afsadmin(管理员权限)filesuser1(域用户)


有两个用户帐户,让我们看看他们的组成员身份

代码: 
> Get-ADPrincipalGroupMembership afsadmin | select Name

的名字
----
域用户
管理员
管理员模式
企业管理员
域管理员


> Get-ADPrincipalGroupMembership filesuser1 | select Name

的名字
----
域用户
Minerva_User



让我们先验证Home Share。

代码: 
> get-acl \\demofs\smb_demo | select owner, group, accessstring | fl


老板:内装式\管理员
用户组:内装式\
AccessToString: CREATOR OWNER允许完全控制
内装式\管理员允许FullControl
内置\用户允许读取和执行,同步


> get-acl \\demofs\smb_demo\tld | select owner, group, accessstring | fl


老板:AFSLAB \ afsadmin
组:AFSLAB\域用户
accessstostring: AFSLAB\afsadmin允许完全控制
创建者所有者允许完全控制
内装式\管理员允许FullControl
内置\用户允许读取和执行,同步



> get-acl \\demofs\smb_demo\tld\filesuser1 | select owner, group, accessstring | fl


老板:AFSLAB \ afsadmin
组:AFSLAB\域用户
accessstostring: AFSLAB\afsadmin允许完全控制
创建者所有者允许完全控制
内装式\管理员允许FullControl
内置\用户允许读取和执行,同步



所以"filesuser1"是一个域用户,具有ReadAndExecute权限,默认对"filesuser1"用户目录名具有同步权限。但是,该用户不能在用户文件夹tld中创建文件。

管理所有这些的最简单的方法是MMC,在那里您可以更改权限。



让我们看看一个名为smb_gp的通用共享,它适用于相同的用户。你可以注意到BUILTIN\用户拥有完全的控制权。

代码: 
> get-acl \\demofs\smb_gp | select owner, group, accessstring | fl


老板:内装式\管理员
用户组:内装式\
AccessToString: CREATOR OWNER允许完全控制
内装式\管理员允许FullControl
内装式\用户允许FullControl
1)附件
\nFiles has started supporting some of SMB 3.0 Features like SMB3 Signing ( 3.2.0 onward) and SMB3 Encryption support is coming with coming releases.
\nWe do not have any plans to support the SMB 1.0 protocol, given that this is no longer even supported by Microsoft for security reasons
\n
\nNutanix Files assigns default permissions for newly created SMB shares. There are three default (BUILTIN) groups for Nutanix Files:
\n
\nAdministrators,
\nUsers,
\nBackup Operators.
\n
\nThe BUILTIN\\Administrators<\/b> group includes \\Domain Admins<\/b>, as well as any file server admins<\/b> you specify from Prism or the CLI.
\nThe BUILTIN\\Users<\/b> group contains \\Domain<\/b> Users.
\nThe BUILTIN\\Backup<\/b> Operators group is empty by default but can include any backup admins you specify from Prism or the CLI.
\n
\nThe default permissions assigned to the Administrators and Users groups depend on the share type.<\/b>
\n
\n
code:<\/b>
Standard share
BUILTIN\\Administrators: Allow FullControl
BUILTIN\\Users: Allow FullControl

Distributed share
BUILTIN\\Administrators: Allow FullControl
BUILTIN\\Users: Allow ReadAndExecute, Synchronize
<\/pre><\/div>
\n
\n
\nYou can modify or remove these default permissions as needed for your environment. You can use  Microsoft Management Console<\/b><\/a> (MMC), and so onto manage the file shares and their permissions. 
\n
\nLet\u2019s try to understand this by an example <\/b>
\nThere are 2 shares GENERAL (Non-distributed) and HOME (distributed)
\n
\n
code:<\/b>
 share.list
Share name: smb_gp
File server name: demofs
Share type: GENERAL

Share name: smb_demo
File server name: demofs
Share type: HOME
<\/pre><\/div>
\n
\nShare Path :- \\\\demofs\\smb_demo\\tld<\/b>
\n
\n
code:<\/b>
File Server = demofs 
smb_demo= Home Share
tld = first root level directory 
filesuser1=user directory 
smb_gp= GENERAL Share
Users : afsadmin ( admin privileges) filesuser1 (domain user) 
<\/pre><\/div>
\n
\nThere are two user accounts, let\u2019s look at their group membership
\n
\n
code:<\/b>
> Get-ADPrincipalGroupMembership afsadmin | select Name

Name
----
Domain Users
Administrators
Schema Admins
Enterprise Admins
Domain Admins


> Get-ADPrincipalGroupMembership filesuser1 | select Name

Name
----
Domain Users
Minerva_User
<\/pre><\/div>
\n
\n
\nLet\u2019s validate Home Share first. <\/b>
\n
\n
code:<\/b>
> get-acl \\\\demofs\\smb_demo | select owner, group, accesstostring | fl


Owner          : BUILTIN\\Administrators
Group          : BUILTIN\\Users
AccessToString : CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  ReadAndExecute, Synchronize


> get-acl \\\\demofs\\smb_demo\\tld | select owner, group, accesstostring | fl


Owner          : AFSLAB\\afsadmin
Group          : AFSLAB\\Domain Users
AccessToString : AFSLAB\\afsadmin Allow  FullControl
                 CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  ReadAndExecute, Synchronize



> get-acl \\\\demofs\\smb_demo\\tld\\filesuser1 | select owner, group, accesstostring | fl


Owner          : AFSLAB\\afsadmin
Group          : AFSLAB\\Domain Users
AccessToString : AFSLAB\\afsadmin Allow  FullControl
                 CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  ReadAndExecute, Synchronize

<\/pre><\/div>
\n
\nSo \"filesuser1\" is a domain user who has ReadAndExecute, Synchronize permission by default on user directory names \"filesuser1\". However, this user can't create a file in user folder name tld. 
\n
\nEasiest way to manage all this is MMC from where you can change the permissions. 
\n
\n
<\/a><\/p>
\n
\nLet's take a look at a general share named smb_gp and for same users. You can notice that BUILTIN\\Users have full control. 
\n
\n
code:<\/b>
> get-acl \\\\demofs\\smb_gp | select owner, group, accesstostring | fl


Owner          : BUILTIN\\Administrators
Group          : BUILTIN\\Users
AccessToString : CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  FullControl
<\/pre><\/div>","quoteUsername":"proyoung","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
            
           

          

         

         

          

         

        

        

         

          
2回答

          
         

         

          

           

            
             

              DavidN
             

             

           

           

            

             Userlevel 2

           

           

            徽章
            + 4
           

          

          

           
          

          

           是否有任何Powershell/ACLI/NCLI命令来设置共享权限(最好是远程?)

           
Set-ACL/Get-ACL只操作NTFS ACE/ acl不共享权限在我的测试…

          

           
           
\n
\nSet-ACL\/Get-ACL only manipulate NTFS ACE\/ACLs not Share Permissions in my testing...","quoteUsername":"DavidN","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
            
           

           

          

         

         

          

           

            
             

              

               J

             

             

           

           

            

             Userlevel 4

           

           

            徽章
            + 12
           

          

          

           
          

          

           
谢谢你!
             @proyoung.这篇文章帮助我弄清楚了如何改变每个用户的共享权限。我在这里找到的其他信息https://portal.nutanix.com/page/documents/details?targetId=Acropolis-File-Services-Guide-v20:acr-file-share-assign-permission-t.html没有你的帖子那么详细。

           

           
是否有人知道分配权限的步骤是否有所改进?在Nutanix中创建共享似乎不寻常和断开连接,然后必须打开Windows MMC控制台来配置用户级别的权限,甚至需要通过cmdline来完成。

           
希望能在Prism/Prism中央控制台中实现所有这些功能。

           

           

           

          

          

           
           
Thank You @proyoung<\/user-mention>\u00a0.\u00a0 This post is what helped me figure out how to change permissions per user per share.\u00a0 Only other info I found was here:\u00a0https:\/\/portal.nutanix.com\/page\/documents\/details?targetId=Acropolis-File-Services-Guide-v20:acr-file-share-assign-permission-t.html<\/a>\u00a0which isn\u2019t as detailed as your post.<\/p>
\u00a0<\/p>
Does anyone know whether the steps for assigning permissions has improved?\u00a0 Seems unusual and disconnected to create the share in Nutanix then have to open a Windows MMC console to configure the user level permissions or even need to do it via a cmdline.<\/p>
Would have expected to be able to do all this from within Prism\/Prism Central console.<\/p>
\u00a0<\/p>
\u00a0<\/p>
\u00a0<\/p>","quoteUsername":"j_seet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
            

           

           

          

         

        

        

         

          
回复
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">
Baidu