SMB user authentication
When a client connects to an SMB share, InfiniBox can authenticate the connecting user using either Active Directory or a local SMB user repository.
- When the user is defined in an Active Directory (AD) domain, AD is responsible for authenticating the user.
To support Active Directory domains, the InfiniBox system must be a member of a trusted domain, which means the InfiniBox must have joined the AD domain previously.
See Managing InfiniBox's membership in Active Directory for SMB.
- When the user is defined in the InfiniBox local SMB user repository, InfiniBox is responsible for authenticating the user. The SMB client prompts the user for a username and password, and InfiniBox validates these credentials against its local repository.
For more information, see Managing local SMB users and groups.
SMB user authorization
Upon each request by an authenticated user to access a file on a share, InfiniBox determines whether the user is authorized to access the requested file, and what the user is authorized to do with it.
For each step in the authorization process, InfiniBox compares the settings of the requested file and of all the folders in the file path with the permissions of the user and of all the groups that contain it.
- If the user, or any of its groups, is assigned a Windows privilege level, those privileges override any more restrictive settings. Otherwise, the most restrictive setting applies.
- File access permissions are checked from the shared folder (the internal path of the SMB share) that the file belongs to, through each level of sub-folder, down to the file itself.
- User permissions are checked from the highest-level group that the user belongs to, through each level of nested group, down to the user itself.
1. Windows privilege levels
The Windows privilege level assigned to the user, or to the user's group, in the user repository overrides the permissions that are set on objects.
A user, or a member of a group, that is assigned privileges can perform the tasks that its privilege levels allow.
For the list of supported user privilege levels for local users, see Windows user privilege levels.
For the list of user privilege levels for AD users, refer to https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn221963(v=ws.11).
2. Share permissions
An SMB share can only be accessed by a user, or a member of a group, that has permissions to access the requested share.
The permission options for each user or group on each share are:
- Read Only
- Read Write
- Full Control
- None (no access)
A user can only perform the tasks that its own share-level permission level, or that of any of its groups, allows.
Unless the InfiniBox administrator has modified the permissions of a share, all authenticated users are granted Full Control of the share. Until share permissions are tightened, the share layer therefore restricts nothing, and effective access is determined only by the file attributes and ACLs checked in the following steps. For information about setting share permissions, see Modifying share-level permissions.
3. SMB file attributes
If the attributes of the requested file, or of any folder that contains it, restrict access to the file or its folder, the restriction applies to every user without an overriding privilege, whatever their share or ACL permissions. For example, if the file is in a folder whose Read-only attribute is set, users cannot edit the file.
4. ACL permissions
A user can only perform the tasks allowed by its own permissions, or those of any of its groups, in the ACLs of the requested file and of the folders that contain it.
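The four steps above, combined the way this page describes them (privileges override everything; otherwise the most restrictive layer wins, checked from the share root down to the file, with the user's own entries and its groups' entries pooled), as an added Python model. This is not InfiniBox code: the principal names, the mapping of privilege levels to the rights they bypass, and the sample share and folder tree are all constructed for illustration, and deny ACL entries, which the page does not discuss, are handled the way Windows does (a deny on any of the user's principals removes the right).

```python
"""Model of the SMB authorization order: privileges, share permissions,
file attributes, then ACLs along the path. Added example, not InfiniBox code."""
from dataclasses import dataclass, field

# Rights a request can ask for; "write" stands in for modify/delete here.
READ, WRITE = "read", "write"
ALL = frozenset({READ, WRITE})

# Share-level permission levels named on the page, expanded to rights.
SHARE_LEVELS = {
    "None": frozenset(),
    "Read Only": frozenset({READ}),
    "Read Write": ALL,
    "Full Control": ALL,
}

# Assumed mapping of Windows privilege levels to the rights whose checks
# they bypass (backup operators read, restore operators write).
PRIVILEGE_RIGHTS = {
    "SeBackupPrivilege": frozenset({READ}),
    "SeRestorePrivilege": frozenset({WRITE}),
}


@dataclass
class Node:
    """One folder or file. `acl` maps a principal to (allowed, denied) rights."""
    name: str
    read_only: bool = False            # the Read-only SMB attribute
    acl: dict = field(default_factory=dict)


@dataclass
class Share:
    name: str
    # Page: unless the administrator changes it, every authenticated user has
    # Full Control at the share level; modelled as an "Everyone" entry.
    share_perms: dict = field(default_factory=lambda: {"Everyone": "Full Control"})
    privileges: dict = field(default_factory=dict)   # principal -> privileges


def principals(user, groups):
    """The user itself, its groups, and the implicit Everyone principal."""
    return [user, *groups, "Everyone"]


def acl_rights(node, who):
    """Union of allows across the principals, minus any deny (deny wins)."""
    allowed, denied = set(), set()
    for p in who:
        a, d = node.acl.get(p, (frozenset(), frozenset()))
        allowed |= a
        denied |= d
    return frozenset(allowed - denied)


def effective_rights(share, user, groups, path):
    """Rights the user ends up with on the last node of `path`
    (path runs from the share root down to the requested file)."""
    who = principals(user, groups)
    # Step 1: privileges override every restriction that follows.
    privileged = set()
    for p in who:
        for priv in share.privileges.get(p, ()):
            privileged |= PRIVILEGE_RIGHTS.get(priv, frozenset())
    # Step 2: share permissions, pooled across the user and its groups.
    rights = set()
    for p in who:
        rights |= SHARE_LEVELS[share.share_perms.get(p, "None")]
    # Steps 3 and 4: walk root -> file; each level can only remove rights.
    for node in path:
        if node.read_only:              # attribute applies to everyone
            rights.discard(WRITE)
        rights &= acl_rights(node, who)  # ACL of this folder or file
    return frozenset(rights | privileged)


def is_authorized(share, user, groups, path, op):
    return op in effective_rights(share, user, groups, path)


def build_sample():
    """Constructed sample: default share permissions, a Read-only 'reports'
    folder, ACLs letting 'analysts' read and 'alice' write the file, and a
    'backup-ops' group holding SeBackupPrivilege."""
    root = Node("projects", acl={"Everyone": (ALL, frozenset())})
    reports = Node("reports", read_only=True,
                   acl={"analysts": (frozenset({READ}), frozenset())})
    q1 = Node("q1.xlsx", acl={"analysts": (frozenset({READ}), frozenset()),
                              "alice": (ALL, frozenset())})
    share = Share("projects", privileges={"backup-ops": {"SeBackupPrivilege"}})
    return share, [root, reports, q1]


if __name__ == "__main__":
    share, path = build_sample()
    for user, groups in [("alice", ["analysts"]), ("bob", ["backup-ops"]), ("dave", [])]:
        print(user, sorted(effective_rights(share, user, groups, path)))
```

Running the sample shows the three behaviours the page calls out: alice holds a Full Control ACL entry on the file but still cannot write, because the Read-only attribute on the parent folder strips write for everyone; bob has no ACL entry anywhere below the root, yet reads the file through SeBackupPrivilege; dave, covered only by the default share permission, gets nothing once the folder ACLs are applied. Tightening the share permissions (for example, Everyone to None) then removes access for anyone not explicitly listed, which is the point of step 2.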