
SMB Protocol

Connector name

  • nrcifs for Active Directory DN

  • nrsmb for Legacy Active Directory (Connector Pack 4.5 or earlier)

Connector type

Executable

Type (UI field value)

  • SMB Protocol for Active Directory DN

  • SMB Protocol for Legacy Active Directory (Connector Pack 4.5 or earlier)

Target system versions supported / tested

In most scenarios, these connectors are used alongside an Active Directory connector to manage network resources. However, they can also perform operations the Active Directory connector cannot. For example, you can use the SMB protocol to target the server where users’ home directories are located, so that a home directory is also created whenever a new user account is created.

Connector status / support

Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

Upgrade notes

Caution

The nrsmb connector is shipped with Connector Pack 4.5 or earlier; as of version 4.6.0 this connector is no longer available.

The nrcifs connector for Active Directory DN is available in Connector Pack 4.0 or newer.

Bravura Security Fabric uses network resource connectors to:

  • Update ACLs for shares and folders

  • Create, delete, and rename folders on an Active Directory server

  • Create, delete, and modify shares; for example, share and unshare existing folders, or modify shares

See also:

Active Directory DN for information about setting up and targeting network resources on an Active Directory DN server.

Supported operations

The SMB protocol network resource connectors support the following operations on a network resource target system using the SMB Protocol:

  • nrcreate – create a shared folder

  • nrdelete – delete or unshare a shared folder

  • nrmove – rename or move a shared folder

  • nrupdate – update access rights for a shared folder

These operations must be added by a request rewrite plugin. The network resource target system stores the credentials, configures the account attributes used when operating on folders/shares, and sets the target system address to the domain that is used to look up SID/account information.

Targeting Network Resources

For each Active Directory DN or Legacy Active Directory server, add a target (Manage the system > Resources > Target systems):

  • Type is one of the following, listed under Network Resource:

    • SMB Protocol for Active Directory DN

    • SMB Protocol for Legacy Active Directory (4.5 or earlier)

  • Address for:

    • Active Directory DN uses options listed in the table below.

    • Legacy Active Directory uses only the Domain or domain controller and Connection over SSL settings.

  • Administrator ID and Password are the credentials used to contact the Active Directory domain and update folders/shares on the file servers.

Table 1. SMB Protocol for Active Directory DN address configuration

Each entry below gives the option name, its description, and its configuration key. Options marked with an asterisk (*) are required.

Domain or domain controller *

The DNS domain name, the domain controller’s FQDN, a custom DNS name to target, or an IP address; for example:

globaldomain.example.com or

\\mydomaincontroller.example.com or

\\mydomaincontroller or

\\customdnsname

Use the IP address only if DNS does not resolve; otherwise avoid using the IP address of the domain controller and specify the DNS domain name or the FQDN instead.

A custom DNS name should only be used if absolutely necessary. (key: server)

Connection over SSL

Select to enforce SSL connections.

(key: ssl)

Custom LDAP search expression for filtering users

Restrict user listing by using LDAP search filters.

(key: userFilter)

Custom LDAP search expression for filtering groups

Restrict group listing by using LDAP search filters.

(key: groupFilter)

OUs to list users from

List only those users who exist in one or more containers.

(key: listOUs)

Groups to list users from

List only those users who exist in one or more groups.

(key: listGroups)

OUs to list groups from

List only those groups that exist in one or more containers.

(key: listGroupOUs)

Groups to list member groups from

List only those groups that exist in one or more groups.

(key: listGroupGroups)

OUs to list computers from

List only those computer objects that exist in one or more containers.

(key: listComputerOUs)

Groups to list computers from

List only those computer objects that exist in one or more groups.

(key: listComputerGroups)

OUs to exclude from listing

Exclude certain OUs to further restrict listing.

(key: excludeOUs)

List nested groups

Recursively list all users and computers contained within the groups specified by the "Groups to list ... from" options.

(key: listNestedGrps)

List members for nested groups

Recursively list users’ group membership for groups contained within groups specified by the Groups to list users from option.

(key: listNestedNOSGrps)

Abort listing when an invalid group is encountered

Return failure when a group list includes an invalid group.

(key: listFailOnNonExistentGrp)

Abort listing when an invalid OU is encountered

Return failure when an OU list includes an invalid OU.

(key: listFailOnNonExistentOU)

When listing group members and managers, list groups as their individual user members

Depending on the version of Bravura Security Fabric you have installed, you may need to list groups and group managers in flattened form if nested groups are not supported. Bravura Security Fabric versions 9.0.1 or earlier do not support nested groups.

(key: listFlatGroups)

List entire forest

List objects outside the domain specified in the Domain or domain controller target address option.

(key: listForest)

Delete users with sub objects

Delete users with leaf objects. In some environments, Active Directory accounts will have a leaf object created, for example Exchange with ActiveSync. By default these users will not be deleted.

(key: deleteSubs)

Create an OU when creating user if it does not already exist

If enabled, when an account is being created and a non-existent OU is specified, the OU is created instead of an error being returned.

(key: createOU)

List deleted users on supported systems

Choose whether to list only regular users (default), only deleted users, or both. Deleted users are listed in NT4 format. Active Directory moves deleted accounts to a "recycle bin"; if this option is enabled in Bravura Security Fabric, these accounts are restored.

(key: listDeleted)

Name format

Use NT4 format or fully qualified domain name (FQDN).

(key: nameFormat)

Group Name format

Use NT4 format or fully qualified domain name (FQDN).

(key: groupNameFormat)

Attribute specifying group owners

The attribute name that specifies the owner or list of owners for a group. The default value is managedBy.

When set to a single valued attribute such as managedBy, the Target system supports multiple owners on groups target system option should be unchecked. Only one group owner is supported in this case.

A multi-valued attribute may also be specified in order to support multiple group owners. In this case, the Target system supports multiple owners on groups target system option should be checked.

(key: grpowner_attr)

Persistent list search wait time (in seconds)

The interval, in seconds, that the connector waits between searches for changes in the native target.

The default value is 7,200 seconds (2 hours).

If this value is set too small for a large native target, the connector may not be able to retrieve all changes in the native target. Setting the value too small also imposes excess load on related services, which drags down system performance.

(key: persistentSearchWait)

Disable recursive searches of members in domain groups to improve nr performance

Recursively traverse all groups contained within groups when checking permissions in the network resources sub-folder operation. Turning this option on makes permission checking more precise, but it has a performance impact.

Default is false.

(key: nrIsMemberOfDomainGroupRecursive)

Note

The option Disable recursive searches of members in domain groups to improve nr performance was added in Connector Pack 4.6.0.

Account attributes for shared folders

The following account attributes exist for creating and updating shared folders:

  • ntfs-sddl An SDDL (Security Descriptor Definition Language) string representing the ACL to set on the newly created folder. This attribute can be used to perform "copy" or "replace" operations: the SID of the modeluid is replaced with the SID of the account in the SDDL string. This attribute can also be used to set the ACL directly, and can be ignored if the other ntfs- attributes are preferred.

    When part of the sddl string contains %ACCT_SID%, it will be replaced by the SID of the Active Directory account ID or the value of the pseudo-attribute _acctSID.

  • ntfs-dacl A multi-valued attribute where each value represents one modification to the ACL of the folder. Each value uses the "bare" KVGroup syntax to express the modification, in one of the following formats:

    • {grant=<sid|acct>;mask={<perm>;<perm>;};flags={<flag>;<flag>;};[replace;]}

    • {deny=<sid|acct>;mask={<perm>;<perm>;};flags={<flag>;<flag>;};[replace;]}

    • {remove=<sid|acct>;[granted;|denied;]}

    Where:

    • <sid|acct> is the SID or account to which to apply the access.

    • <perm> is a permission mask with one of the following values:

      Simple permissions:

      • N – No access

      • F – Full access

      • M – Modify access

      • RX – Read and execute access

      • R – Read-only access

      • W – Write-only access

      • D – Delete access

      Fine-grained permissions:

      • DE – Delete

      • RC – Read control

      • WDAC – Write DAC

      • WO – Write owner

      • S – Synchronize

      • AS – Access system security

      • MA – Maximum allowed

      • GR – Generic read

      • GW – Generic write

      • GE – Generic execute

      • GA – Generic all

      • RD – Read data/list directory

      • WD – Write data/add file

      • AD – Append data/add sub-directory

      • REA – Read extended attributes

      • WEA – Write extended attributes

      • X – Execute/traverse

      • DC – Delete child

      • RA – Read attributes

      • WA – Write attributes

    • <flag> is one of the following:

      • OI – Object inherit

      • CI – Container inherit

      • IO – Inherit only

      • NP – Don’t propagate inherit

    • replace – Replace the specified permissions, rather than modify individual permissions.

    • granted – Remove granted permissions

    • denied – Remove denied permissions

  • ntfs-owner The SID or account name of the group or account which should be the owner for this folder.

  • ntfs-group The SID or group name for the group which should be the primary group for this folder. This is only used for POSIX sub-systems.

  • inherit Controls inheritance behavior for ACLs on the folder. It can be configured to use one of the following values:

    • E – enable inheritance. This is valid for both create and update.

    • D – disable inheritance and copy ACEs (only valid for update)

    • R – remove all inherited ACEs (only valid for update)

    • N – no inheritance (only valid for create)

    Use of ntfs-sddl in conjunction with ntfs-dacl, ntfs-owner, ntfs-group or inherit is not permitted because the ntfs-sddl string contains all of the information in the other attributes.

  • propagate Controls permission propagation when updating folder ownership. It can be configured to use one of the following values:

    • S – If ACLs are specified, they are propagated based on inheritance rules.

    • R – If ACLs are specified, all child objects have their ACLs replaced with the specified ones.

    • E – If ACLs are specified, all inherited ACLs are replaced, but explicit ones are left.

    • N – Only set permissions on the object itself.

    R is the default value if nothing is specified. For ownership, S, R and E will cause the ownership to be set on all child objects. The attribute is ignored for create since there will not be child objects.

  • share-sddl An SDDL (Security Descriptor Definition Language) string representing the ACL to set on the newly created share. This attribute can be used to perform copy/replace operations: the SID of the modeluid is replaced with the SID of the account in the SDDL string. This attribute can also be used to set the ACL directly, and can be ignored if the share-dacl attribute is preferred.

    When part of the sddl string contains %ACCT_SID%, it will be replaced by the SID of the Active Directory account ID or the value of the pseudo-attribute _acctSID.

  • share-dacl A multi-valued attribute where each value represents one modification to the ACL of the share. Each value uses the "bare" KVGroup syntax to express the modification, in one of the following formats:

    • {grant=<sid|acct>;mask={<perm>;<perm>;};[replace;]}

    • {deny=<sid|acct>;mask={<perm>;<perm>;};[replace;]}

    • {remove=<sid|acct>;[granted;|denied;]}

    This is a simplified version of the ntfs-dacl attribute. The following <perm> mappings are equivalent to the share UI perms:

    • Full – F;

    • Read – RX;

    • Read and Write – RX;W;D

    Use of share-sddl in conjunction with share-dacl is not permitted because the share-sddl string contains all of the information in the share-dacl attribute.

  • share-comment The comment to be specified for the share.

  • share-path The local file system path to which the share applies.

  • share-max-uses The maximum number of connections to the share at any one time. Use the value of -1 for unlimited.

  • _acctSID Pseudo-attribute used to transfer the "objectSid" value from Active Directory.

  • _acctSAM Pseudo-attribute used to transfer the "sAMAccountName" value from Active Directory.
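As an added example (not Bravura Security’s own code), the following Python validator exercises the attribute formats described above: it parses "bare" KVGroup ntfs-dacl and share-dacl values against the documented permission and flag sets, expands %ACCT_SID% in an ntfs-sddl or share-sddl value, and reports the attribute combinations the text says are not permitted. The parser is a reading of the templates shown above, not the connector’s own KVGroup implementation, and the SIDs and account names in it are constructed placeholders.

```python
"""Validator for the SMB network-resource attribute formats (added example)."""
import re

SIMPLE_PERMS = {"N", "F", "M", "RX", "R", "W", "D"}
FINE_PERMS = {"DE", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
              "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}
# Share UI permission names and the documented share-dacl mask equivalents
SHARE_UI_MASKS = {"Full": ["F"], "Read": ["RX"], "Read and Write": ["RX", "W", "D"]}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def _parse_group(s, i):
    """Parse a {...} group starting at s[i]. Returns (key->value map, bare tokens,
    index after the closing brace). A nested {a;b;} value becomes a list of its
    bare tokens; a scalar value stays a string. The ';' after a nested group is
    optional, so both documented grant templates parse."""
    if s[i] != "{":
        raise ValueError("expected '{' at offset %d" % i)
    i += 1
    kv, bare = {}, []
    while i < len(s):
        if s[i] == "}":
            return kv, bare, i + 1
        j = i
        while j < len(s) and s[j] not in ";={}":
            j += 1
        if j >= len(s):
            break
        tok = s[i:j]
        if s[j] == "=":
            if j + 1 < len(s) and s[j + 1] == "{":
                _, sub_bare, j = _parse_group(s, j + 1)
                kv[tok] = sub_bare
            else:
                k = j + 1
                while k < len(s) and s[k] not in ";}":
                    k += 1
                kv[tok] = s[j + 1:k]
                j = k
            if j < len(s) and s[j] == ";":
                j += 1
        elif s[j] == "{":
            raise ValueError("unexpected '{' at offset %d" % j)
        else:  # bare token ended by ';' or '}'
            if tok:
                bare.append(tok)
            if s[j] == ";":
                j += 1
        i = j
    raise ValueError("unterminated KVGroup")


def parse_dacl_entry(value, kind="ntfs"):
    """Validate one ntfs-dacl (kind="ntfs") or share-dacl (kind="share") value and
    return a normalized dict. Raises ValueError for anything outside the format."""
    s = value.strip()
    kv, bare, end = _parse_group(s, 0)
    if end != len(s):
        raise ValueError("trailing data after group")
    ops = [k for k in ("grant", "deny", "remove") if k in kv]
    if len(ops) != 1:
        raise ValueError("exactly one of grant/deny/remove is required")
    op = ops[0]
    trustee = kv[op]
    if not isinstance(trustee, str) or not trustee:
        raise ValueError("trustee must be a SID or account name")
    entry = {"op": op, "trustee": trustee,
             "trustee_is_sid": bool(SID_RE.fullmatch(trustee))}
    if op == "remove":  # {remove=<sid|acct>;[granted;|denied;]}
        scope = [t for t in bare if t in ("granted", "denied")]
        if len(scope) > 1 or len(scope) != len(bare):
            raise ValueError("remove accepts only an optional granted/denied")
        entry["scope"] = scope[0] if scope else "all"
        return entry
    mask = kv.get("mask")
    if not isinstance(mask, list) or not mask:
        raise ValueError("mask={...} with at least one permission is required")
    bad = [p for p in mask if p not in SIMPLE_PERMS | FINE_PERMS]
    if bad:
        raise ValueError("unknown permission(s): " + ", ".join(bad))
    flags = kv.get("flags", [])
    if kind == "share" and flags:
        raise ValueError("share-dacl values do not carry inheritance flags")
    if not isinstance(flags, list) or any(f not in INHERIT_FLAGS for f in flags):
        raise ValueError("flags must be a {..} group of OI/CI/IO/NP")
    extra = [t for t in bare if t != "replace"]
    if extra:
        raise ValueError("unexpected token(s): " + ", ".join(extra))
    entry.update(mask=list(mask), flags=list(flags), replace="replace" in bare)
    return entry


def expand_sddl(sddl, acct_sid):
    """Substitute %ACCT_SID% (the _acctSID pseudo-attribute) into an SDDL value.
    The SID is validated first so a bad value cannot yield a malformed descriptor."""
    if not SID_RE.fullmatch(acct_sid):
        raise ValueError("not a SID: %r" % acct_sid)
    return sddl.replace("%ACCT_SID%", acct_sid)


def attribute_conflicts(attrs):
    """Return the attributes that may not be combined with the ones present:
    ntfs-sddl excludes ntfs-dacl/ntfs-owner/ntfs-group/inherit; share-sddl
    excludes share-dacl."""
    conflicts = []
    if "ntfs-sddl" in attrs:
        conflicts += [a for a in ("ntfs-dacl", "ntfs-owner", "ntfs-group", "inherit")
                      if a in attrs]
    if "share-sddl" in attrs and "share-dacl" in attrs:
        conflicts.append("share-dacl")
    return conflicts


if __name__ == "__main__":
    # Constructed sample values; the SID and account names are placeholders.
    for v in ["{grant=S-1-5-21-100-200-300-1001;mask={M;};flags={OI;CI;};replace;}",
              "{deny=EXAMPLE\\svc-backup;mask={WDAC;WO;};flags={IO;};}",
              "{remove=EXAMPLE\\olduser;granted;}"]:
        print(parse_dacl_entry(v))
    print(parse_dacl_entry("{grant=S-1-5-21-100-200-300-1001;mask={RX;W;D;}}", kind="share"))
    print(expand_sddl("D:PAI(A;OICI;FA;;;%ACCT_SID%)", "S-1-5-21-100-200-300-1001"))
    print(attribute_conflicts({"ntfs-sddl": "D:(A;;FA;;;SY)", "inherit": "E"}))
```

Running a request’s ntfs-dacl and share-dacl values through parse_dacl_entry before the plugin submits them catches a mistyped permission code or a share entry carrying NTFS inheritance flags at rewrite time rather than as a connector failure, and attribute_conflicts enforces the two exclusivity rules stated above for the sddl attributes.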

See Account attributes for more information about configuring account attributes.