Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Editing SMB settings for a gateway

Gateway-level SMB settings let you configure the security strategy, Active Directory authentication, guest access, local group permissions, and file share visibility for the SMB file shares on a gateway.

To edit gateway-level SMB settings
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose Gateways, then choose the gateway for which you want to edit SMB settings.

  3. From the Actions dropdown menu, choose Edit SMB settings, then choose the settings you want to edit.

This section contains the following topics, which provide additional information and procedures related to configuring each of the individual SMB settings for your gateway.

Set a security level for your gateway

By using an S3 File Gateway, you can specify a security level for your gateway. The security level sets whether the gateway requires Server Message Block (SMB) signing or SMB encryption, or whether you want to allow SMB version 1.

To configure security level
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose Gateways, then choose the gateway for which you want to edit SMB settings.

  3. From the Actions drop-down menu, choose Edit SMB settings, then choose SMB security settings.

  4. For Security level, choose one of the following:

    Note

    For information about configuring this setting using the Amazon API, see UpdateSMBSecurityStrategy in the Amazon Storage Gateway API Reference.

    A higher security strategy level can affect performance of the gateway.

    • Mandatory encryption – If you choose this option, S3 File Gateway only allows connections from SMBv3 clients that use 256-bit AES encryption algorithms. 128-bit algorithms are not allowed. This option is recommended for environments that handle sensitive data. It works with SMB clients on Microsoft Windows 8, Windows Server 2012, or later.

    • Enforce encryption – If you choose this option, S3 File Gateway only allows connections from SMBv3 clients that have encryption turned on. Both 256-bit and 128-bit algorithms are allowed. This option is recommended for environments that handle sensitive data. It works with SMB clients on Microsoft Windows 8, Windows Server 2012, or later.

    • Enforce signing – If you choose this option, S3 File Gateway only allows connections from SMBv2 or SMBv3 clients that have signing turned on. This option works with SMB clients on Microsoft Windows Vista, Windows Server 2008, or later.

    • Client negotiated – If you choose this option, requests are established based on what is negotiated by the client. This option is recommended when you want to maximize compatibility across different clients in your environment.

    Note

    For gateways activated before June 20, 2019, the default security level is Client negotiated.

    For gateways activated on June 20, 2019 and later, the default security level is Enforce encryption.

  5. Choose Save.
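The four security levels above are easiest to compare as a single admission rule: what a client negotiated (SMB dialect, signing, encryption, cipher strength) either satisfies the configured level or the connection is refused. The following Python model is an added example, not Storage Gateway code; it encodes the rules exactly as the page states them, adds the activation-date default from the Note, and includes a small audit helper so you can check which of your clients would be locked out before raising the level. The `SMBSecurityStrategy` string values are the ones accepted by the UpdateSMBSecurityStrategy API; the mapping from console label to API value is this example's reading of the API reference and is not quoted from this page. The client list at the bottom is constructed sample data.

```python
"""Model of the SMB security levels for an S3 File Gateway (added example)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class SecurityLevel(Enum):
    # Console label -> SMBSecurityStrategy value of the UpdateSMBSecurityStrategy
    # API (assumed mapping; the API values exist, the pairing is this example's).
    MANDATORY_ENCRYPTION = "MandatoryEncryptionNoAes128"  # SMBv3 + 256-bit AES only
    ENFORCE_ENCRYPTION = "MandatoryEncryption"            # SMBv3 + 128- or 256-bit AES
    ENFORCE_SIGNING = "MandatorySigning"                  # SMBv2/v3 with signing
    CLIENT_NEGOTIATED = "ClientSpecified"                 # whatever the client negotiates


@dataclass(frozen=True)
class SmbConnection:
    """What a client negotiated. dialect is the major SMB version (1, 2 or 3)."""
    client: str
    dialect: int
    signed: bool
    encrypted: bool
    cipher_bits: int = 0  # 0 when not encrypted, otherwise 128 or 256


def is_allowed(level: SecurityLevel, conn: SmbConnection) -> bool:
    """Apply the rule for the given security level to one connection."""
    if level is SecurityLevel.MANDATORY_ENCRYPTION:
        # Only SMBv3 clients using 256-bit AES; 128-bit algorithms are refused.
        return conn.dialect == 3 and conn.encrypted and conn.cipher_bits == 256
    if level is SecurityLevel.ENFORCE_ENCRYPTION:
        # Only SMBv3 clients with encryption on; 128- and 256-bit both accepted.
        return conn.dialect == 3 and conn.encrypted and conn.cipher_bits in (128, 256)
    if level is SecurityLevel.ENFORCE_SIGNING:
        # SMBv2 or SMBv3 clients with signing on; SMBv1 is refused.
        return conn.dialect in (2, 3) and conn.signed
    # Client negotiated: accept what the client negotiated, including SMBv1.
    return True


def default_security_level(activated_on: date) -> SecurityLevel:
    """Default level by gateway activation date, per the Note above."""
    cutover = date(2019, 6, 20)
    if activated_on < cutover:
        return SecurityLevel.CLIENT_NEGOTIATED
    return SecurityLevel.ENFORCE_ENCRYPTION


def locked_out(level: SecurityLevel, conns) -> list:
    """Names of clients that would be refused at the given level (audit helper)."""
    return sorted(c.client for c in conns if not is_allowed(level, c))


# Constructed sample of what an inventory of current client sessions might look like.
SAMPLE_CLIENTS = [
    SmbConnection("legacy-scanner", dialect=1, signed=False, encrypted=False),
    SmbConnection("win2008-app", dialect=2, signed=True, encrypted=False),
    SmbConnection("win10-desktop", dialect=3, signed=True, encrypted=True, cipher_bits=128),
    SmbConnection("win2022-fileserver", dialect=3, signed=True, encrypted=True, cipher_bits=256),
]

if __name__ == "__main__":
    for level in SecurityLevel:
        print(f"{level.name:22} ({level.value}): locked out -> {locked_out(level, SAMPLE_CLIENTS)}")
```

Running the block prints, for each level, the constructed clients that would no longer connect; raising the level to Mandatory encryption, for example, refuses three of the four sample clients, which is the performance-versus-compatibility trade-off the Note above refers to.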

Use Active Directory to authenticate users

To use your corporate Active Directory or Amazon Managed Microsoft AD for user authenticated access to your SMB file share, edit the SMB settings for your gateway with your Microsoft AD domain credentials. Doing this allows your gateway to join your Active Directory domain and allows members of the domain to access the SMB file share.

Note

Using Amazon Directory Service, you can create a hosted Active Directory domain service in the Amazon Web Services Cloud.

To use Amazon Managed Microsoft AD with an Amazon EC2 gateway, you must create the Amazon EC2 instance in the same VPC as the Amazon Managed Microsoft AD, add the _workspaceMembers security group to the Amazon EC2 instance, and join the AD domain using the Admin credentials from the Amazon Managed Microsoft AD.

For more information about Amazon Managed Microsoft AD, see the Amazon Directory Service Administration Guide.

For more information about Amazon EC2, see the Amazon Elastic Compute Cloud Documentation.

Anyone who can provide the correct password gets guest access to the SMB file share.

You can also activate access control lists (ACLs) on your SMB file share. For information about how to activate ACLs, see Using Windows ACLs to limit SMB file share access.

To turn on Active Directory authentication
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose Gateways, then choose the gateway for which you want to edit SMB settings.

  3. From the Actions drop-down menu, choose Edit SMB settings, then choose Active Directory settings.

  4. For Domain name, enter the name of the Active Directory domain you want your gateway to join.

    Note

    Active Directory status shows Detached when a gateway has never joined a domain.

    Your Active Directory service account must have the requisite permissions. For more information, see Active Directory service account permission requirements.

    Joining a domain creates an Active Directory computer account in the default computers container (which is not an OU), using the gateway's Gateway ID as the account name (for example, SGW-1234ADE). It is not possible to customize the name of this account.

    If your Active Directory environment requires that you pre-stage accounts to facilitate the join domain process, you will need to create this account ahead of time.

    If your Active Directory environment has a designated OU for new computer objects, you must specify that OU when joining the domain.

    If your gateway can't join the Active Directory domain by name, try joining with the directory's IP address by using the JoinDomain API operation.

  5. For Domain user and Domain password, enter the credentials for the Active Directory service account that the gateway will use to join the domain.

  6. (Optional) For Organization unit (OU), enter the designated OU that your Active Directory uses for new computer objects.

  7. (Optional) For Domain controller(s) (DC), enter the name of one or more DCs through which your gateway will connect to Active Directory. You can enter multiple DCs as a comma-separated list. You can leave this field blank to allow DNS to automatically select a DC.

  8. Choose Save changes.

To limit file share access to specific AD users and groups
  1. In the Storage Gateway console, choose the file share that you want to limit access to.

  2. From the Actions drop-down menu, choose Edit file share access settings.

  3. In the User and group file share access section, choose your settings.

    For Allowed users and groups, choose Add allowed user or Add allowed group and enter an AD user or group that you want to allow file share access. Repeat this process to allow as many users and groups as necessary.

    For Denied users and groups, choose Add denied user or Add denied group and enter an AD user or group that you want to deny file share access. Repeat this process to deny as many users and groups as necessary.

    Note

    The User and group file share access section appears only if Active Directory is selected.

    Groups must be prefixed with the @ character. Acceptable formats include: DOMAIN\User1, user1, @group1, and @DOMAIN\group1.

    If you configure Allowed and Denied Users and Groups lists, then Windows ACLs will not grant any access that overrides those lists.

    The Allowed and Denied Users and Groups lists are evaluated before ACLs, and control which users can mount or access the file share. If any users or groups are placed on the Allowed list, the list is considered active, and only those users can mount the file share.

    After a user has mounted a file share, ACLs then provide more granular protection that controls which specific files or folders the user can access. For more information, see Activating Windows ACLs on a new SMB file share.

  4. When you finish adding your entries, choose Save.
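The Note above describes an evaluation order that is worth seeing end to end: the Allowed and Denied lists decide whether a user can mount the share at all, and only then do Windows ACLs apply. The following Python is an added example, not Storage Gateway code. It parses entries in the four formats the page lists (DOMAIN\User1, user1, @group1, @DOMAIN\group1) and applies the stated rules: a non-empty Allowed list is active and only its members can mount. Two points the page does not specify are handled as labelled assumptions: an entry without a DOMAIN\ prefix is treated as matching that user or group name in any domain, and a Denied entry wins when a principal appears on both lists. The sessions at the bottom are constructed sample data.

```python
"""Mount authorization from Allowed/Denied users and groups (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    domain: Optional[str]  # None when the entry carries no DOMAIN\ prefix
    is_group: bool


def parse_entry(entry: str) -> Principal:
    """Parse DOMAIN\\User1, user1, @group1 or @DOMAIN\\group1 (groups start with @)."""
    text = entry.strip()
    is_group = text.startswith("@")
    if is_group:
        text = text[1:]
    domain, sep, name = text.rpartition("\\")
    if not name:
        raise ValueError(f"empty principal name in entry {entry!r}")
    # Windows names are case-insensitive, so normalize for comparison.
    return Principal(name.lower(), domain.lower() if sep else None, is_group)


@dataclass(frozen=True)
class Session:
    """An authenticated SMB session: the user and the groups in its token."""
    domain: str
    user: str
    groups: FrozenSet[Tuple[str, str]]  # (domain, group) pairs


def _matches(p: Principal, s: Session) -> bool:
    # Assumption: an entry with no domain matches the name in any domain.
    if p.is_group:
        return any(p.name == g.lower() and (p.domain is None or p.domain == d.lower())
                   for d, g in s.groups)
    return p.name == s.user.lower() and (p.domain is None or p.domain == s.domain.lower())


def can_mount(session: Session, allowed, denied) -> bool:
    """Decide whether the session may mount the share; ACLs apply only afterwards."""
    allow = [parse_entry(e) for e in allowed]
    deny = [parse_entry(e) for e in denied]
    if any(_matches(p, session) for p in deny):
        return False  # assumption: a Denied entry wins over an Allowed entry
    if allow:
        # A non-empty Allowed list is active: only listed users and groups can mount.
        return any(_matches(p, session) for p in allow)
    return True  # no Allowed list: any authenticated domain user may mount


# Constructed sample configuration and sessions.
ALLOWED = ["@CORP\\engineering", "corp\\alice"]
DENIED = ["corp\\contractor1", "@guests"]
SAMPLE_SESSIONS = {
    "alice": Session("CORP", "alice", frozenset()),
    "bob": Session("CORP", "bob", frozenset({("corp", "engineering")})),
    "contractor1": Session("CORP", "contractor1", frozenset({("corp", "engineering")})),
    "carol": Session("CORP", "carol", frozenset({("corp", "finance")})),
    "dave": Session("CORP", "dave", frozenset({("corp", "engineering"), ("corp", "guests")})),
}

if __name__ == "__main__":
    for who, sess in SAMPLE_SESSIONS.items():
        print(f"{who:12} can mount: {can_mount(sess, ALLOWED, DENIED)}")
```

With the sample lists, alice and bob can mount, carol cannot because the Allowed list is active and she is not on it, and contractor1 and dave are refused by the Denied list even though both are members of the allowed engineering group. This is the point of the Note: these lists gate the mount, and no ACL on a file or folder can grant access to a user who is refused here.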

Provide guest access to your file share

You can configure your S3 File Gateway to allow guest access for any user that is able to provide the correct guest account username and password. If you want this to be the only method by which users can access your file gateway, then you do not need to join the gateway to a Microsoft Active Directory domain. You can also use this guest access method to create file shares on an S3 File Gateway that is a member of an Active Directory domain.

When you configure a file share to use the Guest Access authentication method, the guest access username is smbguest. Before you can create a file share using guest access, you need to change the default password for the smbguest user.

You can use the following procedure to change the password for the guest user smbguest.

To change the guest access password
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose Gateways from the navigation pane on the left side of the console page, and then choose the Name of the gateway for which you want to provide guest access.

  3. From the Actions drop-down menu, choose Edit SMB settings, and then choose Guest access settings.

  4. For Guest password, enter the guest access password you want to set, and then choose Save changes.

Configure local groups for your gateway

Local Group settings allow you to grant Active Directory users or groups special permissions for the SMB file shares on your gateway.

You can use Local Group settings to assign Gateway Admin permissions. Gateway Admins can use the Shared Folders Microsoft Management Console snap-in to force-close files that are open and locked.

Note

You must add at least one Gateway Admin user or group before you can join your gateway to an Active Directory domain.

To assign Gateway Admins
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose Gateways, then choose the gateway for which you want to edit SMB settings.

  3. From the Actions drop-down menu, choose Edit SMB settings, then choose Local Group settings.

  4. In the Local Group settings section, choose your settings. This section appears only for file shares that use Active Directory.

    For Gateway Admins, add Active Directory users and groups that you want to grant local Gateway Admin permissions. Add one user or group per line, including the domain name. For example, corp\Domain Admins. To create additional lines, choose Add new Gateway Admin.

    Note

    Editing Gateway Admins disconnects and reconnects all SMB file shares.

  5. Choose Save changes, then choose Proceed to acknowledge the warning message that appears.

Set file share visibility

File share visibility controls whether the shares on a gateway are visible when listing shares to users.

To set file share visibility
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose Gateways, then choose the gateway for which you want to edit SMB settings.

  3. From the Actions drop-down menu, choose Edit SMB settings, then choose File share visibility settings.

  4. For Visibility status, select the check box to have the shares on this gateway appear when listing shares to users. Keep the check box cleared to have the shares on this gateway not appear when listing shares to users.