Skip to content

Accessing data on network share over CIFS/SMB

Windows

Mapped network drives in Windows (for example, Z:) are created per-user and per-session. Because the Resilio Active Everywhere Agent runs as a Windows service, it does not have access to user-mapped drives and cannot use mapped drives regardless of which account the service runs under.

For network storage, the Agent must be configured to use a UNC path (for example, \\server\share\path). If that UNC path requires authentication, the Agent must be provided valid SMB credentials (via the service logon account and/or stored credentials as applicable). Otherwise, access will fail because the Agent will not be able to authenticate against the SMB server.

This is a Windows OS limitation which can be bypassed using the following three methods:

  • Changing the user account running the Agent to one that has access to the share, and accessing it with an UNC path.
  • Mapping a network drive manually using the PSEXEC tool.
  • Mapping a network drive automatically using a Run Script Job.

This way implies running the Agent service as a user account which name and password matches the one configured on the SMB/CIFS server. Therefore, the Agent will automatically login to the SMB/CIFS server upon the first attempt to access the files.

New user permissions

If you plan the Agent to also access local files, don't forget to grant new user permissions to relevant folders.

To configure the Agent or the Management Console running as a different user account:

  1. Find username or create a user on your SMB/CIFS server that you'll use for access.
  2. Create a user with the same name and same password on a host running the Agent. You can skip this step if the user you are going to use is a domain user and the computer is part of the domain. 360009579299

  3. Grant full access permissions to the C:\ProgramData\Resilio\Connect Agent folder (or the C:\ProgramData\Resilio\Connect Server folder in case of the Management Console Agent):

    1. Right-click the C:\ProgramData\Resilio\Connect Agent folder and select Properties.

      Agent Folder Context Menu

    2. In the Security tab, click Advanced.

      Agent Folder Properties

    3. In the Advanced Security Settings for Connect Agent window, click Add.

      Advanced Security Settings

    4. In the Permission Entry for Connect Agent window, click Select a principal.

      Select Principal

    5. Enter the name of the previously created user account, then click Check Names.

      Check Names

    6. Click OK.

    7. Select Full control, then click OK.

      Full Control

  4. Run the Agent service under a newly created user account:

    1. On the host running the Agent/Management Console service, open Services.

    2. Locate and right-click the Resilio Connect Agent Service/Resilio Connect Management Console service, then select Properties.

      Resilio Agent Service Context Menu

    3. In the Log On tab, select This account and provide the login credentials to the previously created user account.

      Log On This Account

    4. Click OK to to acknowledge that the account has been granted the Log On As A Service right.

  5. Restart the agent service so it will run under the new user account.

    Tip

    Initial start as a new user may take longer than usual as the operating system must create a new registry hive and new user home directory structure.

Error is expected

The Management Console will display the The Agent cannot decrypt its settings files error which is expected on a change of user account running the Agent service. Approve such an Agent if it requires approval, then restart it one more time to clear the error.

Using the PSEXEC utility allows you to login directly to the system session and manage network resources. This is done locally, and will also allow but not reveal the network share credentials to Management Console Administrators.

  1. Make sure that the Agent is running under the "Local System" account:

    1. Open Services, find Resilio Connect Agent Service.
    2. Right-click and select Properties > Log on.

    3. Check that either the Local System account radio button is selected or This account contains NT AUTHORITY\System or Local System or any other localized username that indicates that the user name is the Local System. Note that the Local System account always has an empty password.

      360002167900

  2. Open the command line with the elevated privileges (Run as Administrator).

    360002260639

  3. Download Sysinternals set of tools , unpack them in a directory, then navigate your Admin command line to the same directory.

  4. In the Admin command line, run the command psexec -i -s cmd.exe. This will open a new command prompt, running from the System account name. Verify that by running the whoami command. The output should be nt authority\system
    360002167920

  5. Run the command net use <drive_letter>: \\<yourservername>\<foldername> <password> /user:<username> /persistent:yes for each drive that needs to be mapped, replacing the drive letter, network path, username, and path accordingly. 360002167940

  6. The mapped drive is going to be visible to all users in your system, though will always show up as "Disconnected" in Explorer.

Disconnect network drive

To disconnect network drive, you'll need to repeat step #2..4 and run the following command in System user command prompt: 

net use <drive_letter>: /delete

The script you place in a Run Script Job gets executed by the Agent, runs in the same system session as the Agent, and therefore accesses the network resource with the proper credentials making it visible to the Agent.

Network share credentials

This method requires the Management Console administrator to have the credentials to access the network share. If this is not possible, there's a different way to accomplish this.

To make sure the network share is accessible to the Agent:

  1. Create a new Run Script Job. 360009577719

  2. Make sure that you only add the Agents that need to access the specified network share. The actual directory is not important (though you should make sure that you pick one that exists on target machine).

  3. Copy the following script and make sure that you select CMD in RUN AS selector:

    net use \\ /persistent:yes /user:`

    360009577799

  4. Save the job and run it. Once the job completes, open the log, and verify that the operation was successful, otherwise the error code will help you to understand why net use command has failed.

    360009578339

Unmapping drive

If you no longer want the Agent to access the network drive, follow the same steps, but this time place a different script in step 3:

net use \\<yourservername>\ /DELETE

Linux

Synchronizing SMB share on a Linux Agent
To synchronize an SMB share mounted on a Linux machine, make sure to use the nolease,actimeo=0 options when mounting the share to avoid potential issues when files in the SMB share are modified from a third-party host.

Warning

If you don't use these options, you may observe incorrect behavior on the Linux system running the Agent, when files in the SMB share are renamed from a third-party host (not participating in the Job). The Agent won't be able to process the name change correctly and will add the renamed file as a new one and misreport the file count.

Linux shares exposed over Samba and accessed using SMB or Samba
In a scenario, where data stored on a Linux system is exposed over Samba, with Agents running on Windows accessing data over SMB, or Agents running on Linux accessing the data over Samba, you may observe issues if the same data is accessed and modified from a third-party host that's outside your Resilio Active Everywhere deployment. This is caused by the caching mechanism on the protocol level.