CloudFS and Active Directory

SMB/CIFS File System Security

CloudFS file system security is compatible with and adheres to the Microsoft SMB/CIFS architecture. Files and directories can have user permissions or group permissions known as Active Directory security ACLs.

The security ACL information is made available through Microsoft Active Directory network queries between the client, the Active Directory forest, and the filer. This relationship is initiated when the client logs in to the filer.

Joining a Microsoft Active Directory Domain

The filer is designed to participate in Microsoft Active Directory Enterprise Forest topologies and therefore does not support an SMB workgroup‐only authentication model (an SMB network with no Active Directory Domain Controller).

An internal DNS server must be accessible to the filer during the Active Directory join process. During the join, the filer discovers the Active Directory topology through DNS and locates the Active Directory servers within the domain. These servers are used as candidates during the join process.

The process of joining a filer to an Active Directory domain will populate key domain security ACLs within the default BUILTIN groups. This facilitates global read‐write SMB/CIFS file sharing access throughout the Panzura unified namespace for each node in CloudFS (such as ..\cloudfs\cc1, ..\cloudfs\cc2, ..\cloudfs\cc3).

By default, the Active Directory groups 'Domain Admins' and 'Domain Users' are members of the Active Directory BUILTIN groups. If additional domain ACL security is needed, these can be modified after successfully joining the Active Directory domain.

For SMB, the filer needs to join the AD domain that enforces the RBAC policies. Enabling a storage device to join the AD domain can be delegated to any user with this privilege. Panzura has found that in most cases, AD administrators tend to manage the devices that can join the AD domain. For this reason, AD administrator credentials are required during initial setup of a filer.

WebUI Authentication Using Active Directory

If the filer has joined an Active Directory domain, you can set up your AD domain controller to allow authentication to the Panzura filer using Active Directory credentials without additional setup in the Panzura filer. To use this feature, add the following two groups to the AD domain: priv_panzura_admins and priv_panzura_users.

Set the group scope to Global and group type to Security.

Users assigned to either of these groups can then log in to the Panzura filer using their AD credentials. Both of the following user name formats are accepted:

username@domainname

domainname\username
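The two groups described above, created with the required Global scope and Security category and then verified, followed by a DNS check of the domain controllers the filer will discover during the join. This is an added PowerShell example, not Panzura's code; it assumes the ActiveDirectory RSAT module, a Domain Admin session, and placeholder values for the domain name and OU path.

```powershell
# Added example (not Panzura's code). Assumes the ActiveDirectory RSAT module
# and a session with rights to create groups. Domain and OU are placeholders.
Import-Module ActiveDirectory

$Domain = 'example.com'                      # placeholder domain name
$OuPath = 'OU=Panzura,DC=example,DC=com'     # placeholder OU; must already exist
$Groups = 'priv_panzura_admins', 'priv_panzura_users'

# Create each group only if it does not already exist.
foreach ($name in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -Server $Domain)) {
        New-ADGroup -Name $name `
                    -SamAccountName $name `
                    -GroupScope Global `
                    -GroupCategory Security `
                    -Path $OuPath `
                    -Server $Domain `
                    -Description 'Panzura filer WebUI access'
    }
}

# Verify scope and category: a Domain Local or Distribution group does not
# satisfy the requirement stated in the documentation.
foreach ($name in $Groups) {
    $g = Get-ADGroup -Identity $name -Server $Domain
    if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
        Write-Warning "$name is $($g.GroupScope)/$($g.GroupCategory); expected Global/Security"
    } else {
        Write-Output "$name OK (Global, Security)"
    }
}

# Pre-join check: the filer locates domain controllers through DNS SRV records,
# so confirm the internal DNS the filer uses advertises more than one DC.
# Pinning the optional Domain Controller field to one of them removes that fallback.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget
Write-Output ("Domain controllers advertised in DNS: " + ($dcs -join ', '))
if (@($dcs).Count -lt 2) {
    Write-Warning 'Only one DC found in DNS; a pinned DC would have no fallback.'
}
```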

To join the Active Directory domain that you configured, navigate to the filer WebUI Configuration > Active Directory > Active Directory Configuration. Enter the required AD information and click Configuration > Active Directory > Join Active Directory Domain. Enter your Domain Administrator credentials and click the Join button. The page displays the name of the domain controller (if configured) and the current Active Directory domain status.

If you are joining an Active Directory Read Only Domain Controller, see Adding a Read Only Domain Controller.

To remove the filer from an Active Directory Domain, navigate to Configuration > Active Directory > Join Active Directory Domain, enter your Domain Administrator credentials, and click the Detach button. 

AD Setting and Description

Active Directory Configuration

AD Domain Name: Enter the Active Directory domain name and click Save.

Domain NETBIOS: Enter the NetBIOS name of the domain.

Domain Controller (optional): Enter the name of the preferred domain controller on your network.

Example: ad2.panzura.com

To see a list of available domain controllers, click the entry field. As a best practice, leave this field as is ("Any").

This optional setting allows you to choose a preferred domain controller. However, configuring this optional field pins the Active Directory server selection. As a result, an alternate Active Directory server will not be used when the pinned Active Directory server goes offline.

Join Active Directory Domain

Join: Click the button to join the domain. The status is displayed above the button. If the filer is joined to the domain, you can click Detach to leave the domain.

When joining or detaching from the domain, you are prompted to enter the Domain Administrator username and password.