SMB/CIFS File System Security
CloudFS file system security is compatible with and adheres to the Microsoft SMB/CIFS architecture. Files and directories can have user permissions or group permissions known as Active Directory security ACLs.
The security ACL information is made available via Microsoft Active Directory network queries between the client, the Active Directory forest, and the node. This relationship is established and initiated during the client login to the node.
The node is designed to participate in Microsoft Active Directory Enterprise Forest topologies and therefore does not support an SMB workgroup‐only authentication model (an SMB network with no Active Directory Domain node).
An internal DNS server should be accessible to the node during the Active Directory join process. The node will try to understand the Active Directory topology during the join process and locate many Active Directory servers within the domain. These servers will be used as potential candidates during the join process.
The process of joining a node to an Active Directory domain will populate key domain security ACLs within the default BUILTIN groups. This facilitates global read‐write SMB/CIFS file sharing access throughout the Panzura unified namespace for each node in CloudFS (such as ..\cloudfs\cc1, ..\cloudfs\cc2, ..\cloudfs\cc3).
By default, the Active Directory groups 'Domain Admins' and 'Domain Users' are members of the Active Directory BUILTIN groups. If additional domain ACL security is needed, these can be modified after successfully joining the Active Directory domain.
For SMB, the node needs to join the AD domain that enforces the RBAC policies. Enabling a storage device to join the AD domain can be delegated to any user with this privilege. Panzura has found that in most cases, AD administrators tend to manage the devices that can join the AD domain. For this reason, AD administrator credentials are required during initial setup of a node.
WebUI Authentication Using Active Directory
If the node has joined an Active Directory domain, you can set up your AD domain node to allow authentication to the Panzura node using Active Directory credentials without additional setup in the Panzura node. To use this feature, add the following two groups to the AD domain node: priv_panzura_admins and priv_panzura_users.
Set the group scope to Global and group type to Security.
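As an added example (not Panzura's own tooling), the following PowerShell creates the two groups named above with the required Global scope and Security type, checks an already existing group for the same settings, and adds members. It assumes the RSAT ActiveDirectory module is available and that the OU path and member names are placeholders to replace.

```powershell
# Added example, not part of the Panzura documentation or product.
# Assumptions: RSAT ActiveDirectory module installed, session runs as an
# account permitted to create groups, OU path and member names are placeholders.
Import-Module ActiveDirectory

$ouPath = 'OU=Panzura,DC=example,DC=com'          # placeholder OU
$groups = @{
    'priv_panzura_admins' = @('alice.admin')     # placeholder members
    'priv_panzura_users'  = @('bob.user')
}

foreach ($name in $groups.Keys) {
    # -Filter returns nothing (no error) when the group does not exist yet
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        New-ADGroup -Name $name -SamAccountName $name `
            -GroupScope Global -GroupCategory Security `
            -Path $ouPath -Description 'Panzura node WebUI access'
        $group = Get-ADGroup -Identity $name
    }
    # The documentation requires scope Global and type Security; flag a
    # pre-existing group that was created with different settings.
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$name is $($group.GroupCategory)/$($group.GroupScope); expected Security/Global"
    }
    Add-ADGroupMember -Identity $name -Members $groups[$name]
}
```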
Users assigned to either of these groups can then log in to the Panzura node using their AD credentials. Both of the following user name formats are accepted:
To join the Active Directory domain that you configured, navigate to the node WebUI Configuration > Active Directory > Active Directory Configuration. Enter the required AD information and click Configuration > Active Directory > Join Active Directory Domain. Enter your Domain Administrator credentials and click the Join button. The page displays the name of the domain node (if configured) and the current Active Directory domain status.
If you are joining an Active Directory Read Only Domain Controller, see Adding a Read Only Domain Controller.
To remove the node from an Active Directory Domain, navigate to Configuration > Active Directory > Join Active Directory Domain, enter your Domain Administrator credentials, and click the Detach button.
Active Directory Configuration

| Field | Description |
|---|---|
| AD Domain Name | Enter the Active Directory domain name and click Save. |
| Domain NETBIOS | Enter the user name of the NetBIOS domain. |
| Domain Controller (optional) | Enter the name of the preferred domain controller on your network. To see a list of available nodes, click the entry field. As a best practice, leave this field as is ("Any"). This optional setting allows you to choose a preferred domain node; however, configuring it pins the Active Directory server selection, so an alternate Active Directory server will not be used when the pinned Active Directory server goes offline. |

Join Active Directory Domain

Click the button to join the domain. The status is displayed above the button. If the node is joined to the domain, you can click Detach to leave the domain.

When joining or detaching from the domain, you are prompted to enter the Domain Administrator username and password.