In part 1, we set up the SME appliance with a Microsoft DFS Storage Provider. Today we will continue the setup, enabling AD user authentication, corporate shares, department shares, and home directories for each user.
Prerequisites
This article assumes you followed along in Part 1 and met the prerequisites there, in addition you’ll need a few more shares configured on your fileserver, and a few users and groups configured in Active Directory.
Delegate Authentication
Last week we finished by showing how to add a default share for the organization. This is the first step when setting up the appliance.
Now that this is done, we can start with user configuration. The first thing to do is to enable Active Directory users to authenticate to SME.
To achieve this, complete the following steps:
Log into the webgui with an organizational admin account and select Auth Systems.
Under “Add Auth System” you will have to fill in details about your Active Directory setup. I select LDAP as my connector this time. You will have to fill out the fields with values that fit your environment. I will share mine to get you started, but please don’t blindly copy / paste, some of the values will have to be adjusted to fit your environment. I Will leave some options out of the below table, the options I leave out are left to their default values.
| Auth System | LDAP |
| Auth System Name: | “SME AD” Note: Friendly name. |
| LDAP Server host or IP: | “sme.com” Note: with AD DNS, provides round robin access to my domain controllers. |
| LDAP Server Port | 389 |
| Connection Encryption | None |
| Base DN | “CN=Users,DC=sme,DC=com” Note: Only look under Users , don’t search all of AD |
| Administrator User DN: | “CN=LDAP Bind,OU=Service Accounts,DC=sme,DC=com” |
| Administrator User Password: | Password |
| Update user roles/groups on login: | Checked Note: If you plan to use AD groups to define your roles, this should be checked to reflect changes in AD over time. |
| User Object Class: | “person” Note: A way to limit the LDAP query, object class in AD is person (or organizationalPerson) |
| Login Field: | sAMAccountName |
| Unique User Attribute: | userPrincipalName |
| User Name Field: | displayName |
| Group (Role) Id Field: | cn |
| Group (Role) Object Class: | group |
| Role Name Field: | name |
Once you have filled in the values matching your environment, click “Test Settings”. A popup might give you an error, if this happens, address the error and try again. When the popup announces: “Settings are OK.” Go ahead and click “Add Auth System”.
Import Roles
Once we are configured to use Active Directory, let’s go ahead and import the Active Directory groups that we plan to use for the SME Authorization.
To do this, select “Roles” from the Organization dropdown.
On the roles page, select to import remote roles by clicking on “Choose what roles to import”.
On the “import roles page”, you can enter a filter, and select “Get roles”. The AD groups I am interested in end with “_USERS” so putting that filter in makes it easy.
I will simply import all groups that matched my filter.
Import Users
Once the groups are imported, let us populate them with users. Same thing here, go to the Users section in the Organization dropdown.
Select import users from a remote source, click on “Choose what users to import”.
Once you click get users, you will get a listing of all your users in your Active Directory. You could also put in a filter here, but for a large AD environment it is sometimes not enough, however there are more filter settings for users in the LDAP setup page that you can explore if this is the case for you.
Note how you can see the AD group membership for each user, you could also add the user to local roles here. We will use these roles later for department drives.
I select my two users for this demo and click “Import selected users”.
Verify LDAP
Let’s verify that users can log in. Simply logout, and back in again with one of the AD accounts. Note here how the user login by default is “sAMAccountName”@”orgname”.
My SME organization is called sme.com so I will log in as “erik@sme.com”. You can of course change this if you want to log in with email address, or only with the short username. Contact me if you want to know more
Once logged in to my homepage, I select the File Manager.
I only see “MyDFS files”, the company wide share we set up in Part 1. What about my home drive?
Configure home directories
First we have to ensure that users are allowed to map their personal storage provider.
Log back into the appliance as an admin user for your organization and select “Options” in the Organization menu.
On the first page, towards the bottom, locate “Private User Clouds”, and ensure:
“Org members can add private clouds:” is set to “YES”. Also verify that CIFS is selected as an option in “Provider types to add as private clouds:” just below that.
Note above how this configuration would allow each user to add an additional private cloud to their account. They could, for example, attach a Google Apps account here.
Once you have saved your changes, select “Auth systems” from the “Organization” menu.
Click the little pencil to edit your LDAP connector.
At the bottom, select “CIFS” from the dropdown below “Auto-Config Provider (Optional)”.
3 new fields appear:
CIFS provider name: Is the name the end user will see in his or her File Manager.
CIFS shared folder: The UNC for the share. Note the variable {USERLOGIN} here.
CIFS user login: If you need a prefix or suffix for the username to authenticate properly to the fileserver, you can enter it here.
Save your settings.
BTW, I know we could have done this while configuring the LDAP connector for Authentication, but I wanted this Home folder section as a separate section.
Now log back in again as a test user, you should see a “Home Dir” share appear in your File Manager. All users will have this share with the same name, but it will be pointing to their personal user share.
Adding department specific shares
To demonstrate department share based on AD group membership, I have added two shares to my DFS namespace, one called ENG and one called HR.
I will separate these, so members of the ENG_USERS AD group get the ENG share mounted and similarly members of HR_USERS get the HR share.
To get started, as an admin user, go to your Dashboard and select “Add a Cloud Provider, select Primary and CIFS:”
On the following page, fill in your connection specific details. My values:
Name your Cloud: Engineering share
CIFS username: cifs.service
CIFS password: Password!
CIFS shared folder: //sme.com/SMEStorage/ENG
I do the same for the HR share:
Name your Cloud: HR share
CIFS username: cifs.service
CIFS password: Password!
CIFS shared folder: //sme.com/SMEStorage/HR
At this point the File Manger for the admin user looks like this:
Note how the admin user does not have a home directory.
Convert the two new folders to shared team folders from the right-click context menu. (Check part 1 if you cannot remember) Once they are converted to team folders, from the Organization menu select “Shared Team Folders”. If you cannot see them here, go back to the File Manager and ensure you have made them shared folders.
My snapshot below:
As you can see, there is “No access” to these folders by default. Grant Permissions to the ENG folder for the Engineering group, and HR folder for the HR group by doing the following:
This screenshot showed the process for the engineering share. Repeat the process for the HR share.
If you recall from the “import users” section, user Erik is a member of the ENG_USERS group in AD and Peter is a member of HR_USERS. Let us log in and see how their File Manager differs.
First Erik:
You can see the Engineering share but not HR, what if we switch and log in as Peter?
Let’s try:
User Peter only has access to and can only see HR share. He can see his Home folder and they can both see My DFS files that was set up in part 1. What a relief!
I hope you found this walk through interesting and that I might have sparked some ideas of how SME can help breathe life into that old CIFS / DFS infrastructure, and remember it doesn’t matter if you access it from Web, Windows, Mac, Linux, iOS or Android. Across all platforms the same permissions, views, audit logs and even file locking are honored. Reach out if you have any questions or request for a specific article in the future.
by 
