If an Active Directory (AD) user logs into Cerberus using sAMAccountName or UPN and password, Cerberus queries the domain controller for the user and impersonates their NTFS permissions. User impersonation means that all file access and file operations carried out by that AD user are done as if it were the actual AD user logged into the machine and carrying out those operations.
For native Cerberus users, there is no impersonation going on. The Cerberus FTP Server Windows Service performs file access operations under whatever account is running the service. Legacy Cerberus releases up until 12.3.0 ran under the Local System account by default. This means that directories and files are created under and owned by the Local System account whenever native Cerberus users perform file operations.
Problems can occur because AD users usually do not have permission to delete files or directories created under the Local System account. This problem is common when mixing AD users and native users.
One solution is to run the Cerberus FTP Server Windows Service under an account other than Local System, for example a domain user account.
There are two things to be aware of when changing the underlying service account:
1) The existing Cerberus settings files were created under the Local System account, so switching the Cerberus Windows Service to another account will probably mean that the service cannot overwrite the existing settings files managed by the Local System account. This will lead to errors when the service tries to save any settings or user changes. The problem is relatively easy to fix: adjust the ownership of the Cerberus settings directory and all subdirectories and files to the new account running the service. The settings files on Windows Vista, Windows 2008 and above are all in:
C:\ProgramData\Cerberus LLC\Cerberus FTP Server
2) You will need to ensure you grant full access permissions over any data folders that Cerberus users are accessing.
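The two adjustments above, scripted as an added example (not Cerberus's own tooling). The account name, service name and data folder are placeholders, and it assumes an elevated prompt with the service's logon account already changed.

```powershell
#Requires -RunAsAdministrator
# Added example. Values marked "placeholder" are assumptions; replace them before running.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-cerberus',   # placeholder: new service account
    [string]$ServiceName    = 'CerberusServiceName',    # placeholder: look up in services.msc
    [string]$SettingsDir    = 'C:\ProgramData\Cerberus LLC\Cerberus FTP Server',
    [string[]]$DataFolders  = @('D:\FtpData')           # placeholder: folders Cerberus users access
)
$ErrorActionPreference = 'Stop'

# Run icacls and turn a non-zero exit code into a terminating error.
function Invoke-Icacls {
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($args -join ' ')" }
}

# Resolve the account to a SID first, so a typo fails before any ACL is touched.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

foreach ($path in @($SettingsDir) + $DataFolders) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) { throw "Missing folder: $path" }
}

Stop-Service -Name $ServiceName      # no settings writes while ACLs change
try {
    # Item 1: hand ownership of the settings tree to the new account (/T recurses).
    Invoke-Icacls $SettingsDir '/setowner' $ServiceAccount '/T' '/Q'
    # Ownership alone does not confer write access, so also add an inheritable grant.
    Invoke-Icacls $SettingsDir '/grant' "${ServiceAccount}:(OI)(CI)F" '/Q'

    # Item 2: full access on each data folder, inherited by files and subfolders.
    foreach ($folder in $DataFolders) {
        Invoke-Icacls $folder '/grant' "${ServiceAccount}:(OI)(CI)F" '/Q'
    }

    # Confirm the owner change took effect by comparing SIDs, not display names.
    $owner = (Get-Acl -LiteralPath $SettingsDir).GetOwner(
        [System.Security.Principal.SecurityIdentifier])
    if ($owner.Value -ne $sid.Value) { throw "Owner of $SettingsDir is still $owner" }
}
finally {
    Start-Service -Name $ServiceName
}
```

Children that have inheritance disabled will not pick up the inheritable grant; `icacls <folder> /T` lists the resulting ACLs so those can be found.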