Nutanix文件SMB共享默认许可

Proyoung
秩
UserLevel 2
徽章 +1
文件当前支持SMB 2.0和SMB 2.1,SMB 3.0协议。对于SMB 3.0,重要的是要注意
文件已开始支持一些SMB 3.0功能,例如SMB3签名(3.2.0)和SMB3加密支持即将发布。
我们没有任何支持SMB 1.0协议的计划,鉴于出于安全原因,Microsoft不再支持这一点

Nutanix文件分配了新创建的SMB共享的默认权限。Nutanix文件有三个默认组(内置)组:

管理员,
用户,
备份操作员。

内置\管理员小组包括\域名,以及任何文件服务器管理员您可以从棱镜或CLI中指定。
内置\用户组包含\领域用户。
内置\备份默认情况下,操作员组为空,但可以包括您从Prism或CLI指定的任何备份管理员。

分配给管理员和用户组的默认权限取决于共享类型。

代码: 
标准分享
内置\管理员:允许FullControl
内置\用户:允许FullControl

分布式共享
内置\管理员:允许FullControl
内置\用户:允许readandexecute,同步



您可以根据需要修改或删除这些默认权限。您可以使用微软管理控制台(MMC),因此要管理文件共享及其权限。

让我们尝试以示例来理解这一点
有2股普通(非分布)和房屋(分布式)

代码: 
share.list
共享名称:SMB_GP
文件服务器名称:Demofs
共享类型:一般

共享名称:SMB_DEMO
文件服务器名称:Demofs
分享类型:家


共享路径: - \\ demofs \ smb_demo \ tld

代码: 
文件服务器= demofs
smb_demo =家共享
tld =第一个根级目录
filesuser1 =用户目录
smb_gp =一般共享
用户:afsadmin(admin特权)filesuser1(域用户)


有两个用户帐户,让我们看一下他们的小组成员资格

代码: 
> Get-AdprincipalGroupMembership Afsadmin |选择名称

姓名
------
域用户
管理员
模式管理人
企业管理员
域名


> get-adprincipalGroupMembership filesuser1 |选择名称

姓名
------
域用户
Minerva_user



让我们先验证房屋分享。

代码: 
> get-acl \\ demofs \ smb_demo |选择所有者,组,AccessTostring |佛罗里达州


所有者:内置\管理员
组:内置\用户
AccessTostring:创建者所有者允许FullControl
内置\管理员允许FullControl
内置\用户允许readandexecute,同步


> get-acl \\ demofs \ smb_demo \ tld |选择所有者,组,AccessTostring |佛罗里达州


所有者:afslab \ afsadmin
组:AFSLAB \域用户
AccessToString:AFSLAB \ AFSADMIN允许FullControl
创建者所有者允许FullControl
内置\管理员允许FullControl
内置\用户允许readandexecute,同步



> get-acl \\ demofs \ smb_demo \ tld \ filesuser1 |选择所有者,组,AccessTostring |佛罗里达州


所有者:afslab \ afsadmin
组:AFSLAB \域用户
AccessToString:AFSLAB \ AFSADMIN允许FullControl
创建者所有者允许FullControl
内置\管理员允许FullControl
内置\用户允许readandexecute,同步



因此,“ filesuser1”是一个域用户,默认情况下已readAndExecute,默认对用户目录名称“ filesuser1”同步权限。但是,此用户无法在用户文件夹名称TLD中创建文件。

管理所有这些的最简单方法是MMC,您可以在其中更改权限。



让我们看一下名为SMB_GP和同一用户的一般共享。您可以注意到内置\用户具有完全控制。

代码: 
> get-acl \\ demofs \ smb_gp |选择所有者,组,AccessTostring |佛罗里达州


所有者:内置\管理员
组:内置\用户
AccessTostring:创建者所有者允许FullControl
内置\管理员允许FullControl
内置\用户允许FullControl
1个附件
\nFiles has started supporting some of SMB 3.0 Features like SMB3 Signing ( 3.2.0 onward) and SMB3 Encryption support is coming with coming releases.
\nWe do not have any plans to support the SMB 1.0 protocol, given that this is no longer even supported by Microsoft for security reasons
\n
\nNutanix Files assigns default permissions for newly created SMB shares. There are three default (BUILTIN) groups for Nutanix Files:
\n
\nAdministrators,
\nUsers,
\nBackup Operators.
\n
\nThe BUILTIN\\Administrators<\/b> group includes \\Domain Admins<\/b>, as well as any file server admins<\/b> you specify from Prism or the CLI.
\nThe BUILTIN\\Users<\/b> group contains \\Domain<\/b> Users.
\nThe BUILTIN\\Backup<\/b> Operators group is empty by default but can include any backup admins you specify from Prism or the CLI.
\n
\nThe default permissions assigned to the Administrators and Users groups depend on the share type.<\/b>
\n
\n
code:<\/b>
Standard share
BUILTIN\\Administrators: Allow FullControl
BUILTIN\\Users: Allow FullControl

Distributed share
BUILTIN\\Administrators: Allow FullControl
BUILTIN\\Users: Allow ReadAndExecute, Synchronize
<\/pre><\/div>
\n
\n
\nYou can modify or remove these default permissions as needed for your environment. You can use  Microsoft Management Console<\/b><\/a> (MMC), and so onto manage the file shares and their permissions. 
\n
\nLet\u2019s try to understand this by an example <\/b>
\nThere are 2 shares GENERAL (Non-distributed) and HOME (distributed)
\n
\n
code:<\/b>
 share.list
Share name: smb_gp
File server name: demofs
Share type: GENERAL

Share name: smb_demo
File server name: demofs
Share type: HOME
<\/pre><\/div>
\n
\nShare Path :- \\\\demofs\\smb_demo\\tld<\/b>
\n
\n
code:<\/b>
File Server = demofs 
smb_demo= Home Share
tld = first root level directory 
filesuser1=user directory 
smb_gp= GENERAL Share
Users : afsadmin ( admin privileges) filesuser1 (domain user) 
<\/pre><\/div>
\n
\nThere are two user accounts, let\u2019s look at their group membership
\n
\n
code:<\/b>
> Get-ADPrincipalGroupMembership afsadmin | select Name

Name
----
Domain Users
Administrators
Schema Admins
Enterprise Admins
Domain Admins


> Get-ADPrincipalGroupMembership filesuser1 | select Name

Name
----
Domain Users
Minerva_User
<\/pre><\/div>
\n
\n
\nLet\u2019s validate Home Share first. <\/b>
\n
\n
code:<\/b>
> get-acl \\\\demofs\\smb_demo | select owner, group, accesstostring | fl


Owner          : BUILTIN\\Administrators
Group          : BUILTIN\\Users
AccessToString : CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  ReadAndExecute, Synchronize


> get-acl \\\\demofs\\smb_demo\\tld | select owner, group, accesstostring | fl


Owner          : AFSLAB\\afsadmin
Group          : AFSLAB\\Domain Users
AccessToString : AFSLAB\\afsadmin Allow  FullControl
                 CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  ReadAndExecute, Synchronize



> get-acl \\\\demofs\\smb_demo\\tld\\filesuser1 | select owner, group, accesstostring | fl


Owner          : AFSLAB\\afsadmin
Group          : AFSLAB\\Domain Users
AccessToString : AFSLAB\\afsadmin Allow  FullControl
                 CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  ReadAndExecute, Synchronize

<\/pre><\/div>
\n
\nSo \"filesuser1\" is a domain user who has ReadAndExecute, Synchronize permission by default on user directory names \"filesuser1\". However, this user can't create a file in user folder name tld. 
\n
\nEasiest way to manage all this is MMC from where you can change the permissions. 
\n
\n
<\/a><\/p>
\n
\nLet's take a look at a general share named smb_gp and for same users. You can notice that BUILTIN\\Users have full control. 
\n
\n
code:<\/b>
> get-acl \\\\demofs\\smb_gp | select owner, group, accesstostring | fl


Owner          : BUILTIN\\Administrators
Group          : BUILTIN\\Users
AccessToString : CREATOR OWNER Allow  FullControl
                 BUILTIN\\Administrators Allow  FullControl
                 BUILTIN\\Users Allow  FullControl
<\/pre><\/div>","quoteUsername":"proyoung","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
            
           

          

         

         

          

         

        

        

         

          该主题已关闭以供评论

        

        

         

          
2个答复

          
         

         

          

           

            
             

              戴维
             

             

           

           

            

             UserLevel 2

           

           

            徽章
            +5
           

          

          

           
          

          

           是否有任何PowerShell/ACLI/NCLI命令可以设置共享权限(最好是远程?)

           
SET-ACL/GET-ACL仅操纵NTFS ACE/ACL在我的测试中不共享权限...

          

           
           
\n
\nSet-ACL\/Get-ACL only manipulate NTFS ACE\/ACLs not Share Permissions in my testing...","quoteUsername":"DavidN","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
            
           

           

          

         

         

          

           

            
             

              

               j

             

             

           

           

            

             UserLevel 4

           

           

            徽章
            +12
           

          

          

           
          

          

           
谢谢你
             @proyoung。这篇文章帮助我弄清楚如何每股更改每个用户的权限。我发现的其他信息在这里:https://portal.nutanix.com/page/documents/details?targetid = acropolis-file-services-guide-v20:acr-file-file-file-share-assign-permisign-permission-permission-t.html不如您的帖子那么详细。

           

           
有人知道分配许可的步骤是否有所改善?在Nutanix中创建共享似乎是不寻常的和断开的,然后必须打开Windows MMC控制台才能配置用户级别的权限,甚至需要通过CMDLine进行操作。

           
本来可以期望能够从棱镜/棱镜中央控制台内完成所有这些。

           

           

           

          

          

           
           
Thank You @proyoung<\/user-mention>\u00a0.\u00a0 This post is what helped me figure out how to change permissions per user per share.\u00a0 Only other info I found was here:\u00a0https:\/\/portal.nutanix.com\/page\/documents\/details?targetId=Acropolis-File-Services-Guide-v20:acr-file-share-assign-permission-t.html<\/a>\u00a0which isn\u2019t as detailed as your post.<\/p>
\u00a0<\/p>
Does anyone know whether the steps for assigning permissions has improved?\u00a0 Seems unusual and disconnected to create the share in Nutanix then have to open a Windows MMC console to configure the user level permissions or even need to do it via a cmdline.<\/p>
Would have expected to be able to do all this from within Prism\/Prism Central console.<\/p>
\u00a0<\/p>
\u00a0<\/p>
\u00a0<\/p>","quoteUsername":"j_seet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">
Baidu