Skip to content

Accessing data on network share over CIFS/SMB

Windows

All network shares in Windows are specifically connected for the current user's session. By default, the Resilio Active Everywhere Agent runs as a service in system session as the "Local SYSTEM" or "Local Service" user. As a result, the Agent is unable to see any mapped network drives that are normally seen by the current user account. Additionally, when accessing the UNC path, the Agent tries to supply the credentials of the "Local SYSTEM" or "Local Service" to the SMB server and gets rejected.
This is a Windows OS limitation which can be bypassed using the following three methods:

  • Changing the user account running the Agent to one that has access to the share and accessing it with UNC path
  • Mapping a network drive manually using the PSEXEC tool
  • Mapping a network drive automatically using a script job

This way implies running Agent as a user account which name and password matches the one configured on SMB/CIFS server. Therefore, Agent will automatically login to SMB/CIFS server upon first attempt to reach files.

New user permissions

If you plan the Agent to also access local files, don't forget to grant new user permissions to relevant directories.

To configure agent running as a different user account:

  1. Find username or create a user on your SMB/CIFS server that you'll use for access.
  2. Create a user with the same name and same password on a computer running agent. You can skip this step is the user you are going to use is a domain user and the computer is part of the domain. 360009579299

  3. Open permissions of the folder C:\ProgramData\Resilio\Connect Agent (or C:\ProgramData\Resilio\Connect Server for Management Console Agent) and add new user with full access there.

    360009567960

    360009580239

    360009580279

    360009580339

    360009580599

    And click okay until you close the folder properties dialog.

  4. Open Services, find "Resilio Connect Agent Service" service (Resilio Connect Server if you apply it for Management Console Agent) and open it's properties, "Log on" tab. Enter your user name and its credentials.

    360009567220

    Once you click OK, windows may give you a notice that this user is granted a permission to run as service.

  5. Restart the agent service so it will run under new user account. First start as a new user may take a while as Windows will create a new registry hive and new user home directory structure.

Error is expected

The Management Console will display the The Agent cannot decrypt its settings files error which is expected on a change of user account running the Agent service. Approve such an Agent if it requires approval, then restart it one more time to clear the error.

Using the PSEXEC utility allows you to login directly to the system session and manage network resources. This is done locally, and will also allow but not reveal the network share credentials to Management Console Administrators.

  1. Make sure that the Agent is running under the "Local System" account:

    1. Open Services, find Resilio Connect Agent Service.
    2. Right-click and select Properties > Log on.

    3. Check that either the Local System account radio button is selected or This account contains NT AUTHORITY\System or Local System or any other localized username that indicates that the user name is the Local System. Note that the Local System account always has an empty password.

      360002167900

  2. Open the command line with the elevated privileges (Run as Administrator).

    360002260639

  3. Download Sysinternals set of tools , unpack them in a directory, then navigate your Admin command line to the same directory.

  4. In the Admin command line, run the command psexec -i -s cmd.exe. This will open a new command prompt, running from the System account name. Verify that by running the whoami command. The output should be nt authority\system
    360002167920

  5. Run the command net use <drive_letter>: \\<yourservername>\<foldername> <password> /user:<username> /persistent:yes for each drive that needs to be mapped, replacing the drive letter, network path, username, and path accordingly. 360002167940

  6. The mapped drive is going to be visible to all users in your system, though will always show up as "Disconnected" in Explorer.

Disconnect network drive

To disconnect network drive, you'll need to repeat step #2..4 and run the following command in System user command prompt: 

net use <drive_letter>: /delete

The script you place in a Script Job gets executed by the Agent, runs in the same system session as the Agent, and therefore accesses the network resource with the proper credentials making it visible to the Agent.

Network share credentials

This method requires the Management Console Admin to have the credentials to access the network share. If this is not possible, there's a different way to accomplish this.

To make sure the network share is accessible to the Agent:

  1. Create a new Run Script Job. 360009577719

  2. Make sure that you only add the Agents that need to access the specified network share. The actual directory is not important (though you should make sure that you pick one that exists on target machine).

  3. Copy the following script and make sure that you select CMD in RUN AS selector:

    net use \\ /persistent:yes /user:`

    360009577799

  4. Save the job and run it. Once the job completes, open the log, and verify that the operation was successful, otherwise the error code will help you to understand why net use command has failed.

    360009578339

Unmapping drive

If you no longer want the Agent to access the network drive, follow the same steps, but this time place a different script in step 3:

net use \\<yourservername>\ /DELETE

Linux

Synchronizing SMB share on a Linux Agent
To synchronize an SMB share mounted on a Linux machine, make sure to use the nolease,actimeo=0 options when mounting the share to avoid potential issues when files in the SMB share are modified from a third-party host.

Warning

If you don't use these options, you may observe incorrect behavior on the Linux system running the Agent, when files in the SMB share are renamed from a third-party host (not participating in the Job). The Agent won't be able to process the name change correctly and will add the renamed file as a new one and misreport the file count.

Linux shares exposed over Samba and accessed using SMB or Samba
In a scenario, where data stored on a Linux system is exposed over Samba, with Agents running on Windows accessing data over SMB, or Agents running on Linux accessing the data over Samba, you may observe issues if the same data is accessed and modified from a third-party host that's outside your Resilio Active Everywhere deployment. This is caused by the caching mechanism on the protocol level.