AWS Storage Gateway User Guide
Using ACLs for SMB File Share Access
Enabling Windows ACLs on a New SMB File Share
Take the following steps to enable Windows ACLs on a new SMB file share.
To enable Windows ACLs when creating a new SMB file share
1. Create a file gateway if you don't already have one. For more information, see Creating a File
Gateway (p. 36).
2. If the gateway is not joined to a domain, add it to a domain. For more information, see Using Active
Directory to Authenticate Users (p. 151).
3. Create an SMB file share. For more information, see Creating a File Share (p. 42).
4. Use the UpdateSMBFileShare API operation to enable options for ACLs as follows:
a. Use the SmbAclEnabled option in the Storage Gateway API to enable Windows ACLs. That is, set
SmbAclEnabled to true.
b. (Optional) Add an admin user to the AdminUsersList, if you want the admin user to have
privileges to update ACLs on all files and folders in the file share.
5. Update the ACLs for the parent folders under the root folder. To do this, use Windows File Explorer
to configure the ACLs on the folders in the SMB file share.
Note
If you configure the ACLs on the root instead of the parent folder under root, the ACL
permissions aren't persisted in Amazon S3.
We recommend setting ACLs at the top-level folder under the root of your file share, instead of
setting ACLs directly at the root of the file share. This approach persists the information as object
metadata in Amazon S3.
6. Enable inheritance as appropriate.
Note
You can enable inheritance for file shares created after May 8, 2019.
If you enable inheritance and update the permissions recursively, Storage Gateway updates all the
objects in the S3 bucket. Depending on the number of objects in the bucket, the update can take a while
to complete.
Enabling Windows ACLs on an Existing SMB File Share
Take the following steps to enable Windows ACLs on an existing SMB file share that has POSIX
permissions.
To enable Windows ACLs on an existing SMB file share
1. Call the UpdateSMBFileShare API operation on an existing SMB file share and set the
SmbAclEnabled option to true.
2. Update the root ACL. To do this, use Windows File Explorer to configure the ACLs on the folders in
the SMB file share.
3. Enable inheritance as appropriate.
Note
We don't recommend setting the ACLs at the root level, because if you do this and delete
your gateway, you need to reset the ACLs again.
If you enable inheritance and update the permissions recursively, Storage Gateway updates all the
objects in the S3 bucket. Depending on the number of objects in the bucket, the update can take a while
to complete.
API Version 2013-06-30
308
To Next Page
Loading...