Our vBulletin migration is complete.
Welcome vBulletin users! All content and user information from the Micro Focus Forums (vBulletin) site has been migrated to this site. READ MORE.
vodobaas Absent Member.
Absent Member.
1586 views

Netfolder Proxy user not working as documented?

Hello,

We are using EDIR For LDAP. Part of our EDIR tree is synced to AD for File shares. I defined netfolder on an AD file server. I created a service account to use as the "Net Folder Proxy User." I gave Full Control file rights on the AD server folder structure to the proxy user service account.

I defined a net folder to a share from the AD server to which the Proxy service account had full control.

The proxy user test when defining the netfolder server reports success.

I gave access rights to 3 users:
an edir user who is synced to AD and is an AD Domain admin - "ADadmin"
an edir user who has no AD presence or security - "EdironlyUser"
a local filr user - "LocalFilrUser"

There is a word doc in the net folder

All the users can see the netfolder & word doc inside
all the users can view the details of the word doc
all the users can view the HTML view of the word doc
the filradmin & ADadmin can download the word doc
When the EDIRonlyUser & LocalFilrUser download a doc and open it, this as the content of the word doc :

File error: Cannot execute [getContentLength] on the resource [70000\The quick brown fox jumps over the lazy dog.doc] - Access is denied

There is also a sample PDF file in the net folder.
The ADAdmin & Filr admin can download the file properly.
The Edironly & localfilr users get broken PDFs.

I even went so far as to grant Everyone full control file access to the ADserver file structure hoping that would make this work.

Thanks for any insights,

Frank

Fdiaz
0 Likes
5 Replies
jmarton2 Absent Member.
Absent Member.

Re: Netfolder Proxy user not working as documented?

vodobaas wrote:

> an edir user who has no AD presence or security - "EdironlyUser"
> a local filr user - "LocalFilrUser"


These two users would never be able to access the NF. The user has to
exist in the LDAP source. Now, an AD user could share a file from a
Windows server with one of these two users and that should work fine
through the proxy user's rights. But the proxy user won't ever come
into play for direct access.

> All the users can see the netfolder & word doc inside
> all the users can view the details of the word doc
> all the users can view the HTML view of the word doc
> the filradmin & ADadmin can download the word doc
> When the EDIRonlyUser & LocalFilrUser download a doc and open it, this
> as the content of the word doc :


Honestly this behavior isn't what I expected as the EidronlyUser and
LocalFilrUser shouldn't ever even seen the NF. Are you sure those
users don't exist in AD at all?

--
Your world is on the move. http://www.novell.com/mobility/
We know what your world looks like. http://www.novell.com/yourworld/

Joe Marton Emeritus Knowledge Partner
0 Likes
vodobaas Absent Member.
Absent Member.

Re: Netfolder Proxy user not working as documented?

The LDAP source for our filr deployment is Edir. The NETfolder is on an AD file server. The Proxy user is an AD user account with file rights to the AD folder structure.

Yes I am sure the edironly and local filr users don't exist in AD. I created them for testing - one in a dev portion of our Edir tree, and the local filr user is named "localFilrUser" and only exists in the filr system.

Am I misunderstanding the documentation? I thought the whole point of the proxy user was to allow those without native rights to access files on network files structures?

Section 5.1.2
Purpose of the Net Folder Server Proxy User
The Net Folder Server proxy user is used to read, write, create, and delete files on your corporate OES or Windows servers on behalf of users who do not have native rights to the files, but have been granted rights via a Share in Filr.
For example, User A has native Read and Write access to a file on an OES server, and User B does not have any native access to that file. User A shares the file with User B in Filr and grants User B Read access. User B can now view the file within Filr because the Net Folder Server proxy user is giving User B the ability to read it, because of the Share. If User B tries to access the same file directly from the OES server, he does not have sufficient rights.
Users with native rights to files do not use the Net Folder Server proxy user.

Fdiaz
0 Likes
jmarton2 Absent Member.
Absent Member.

Re: Netfolder Proxy user not working as documented?

vodobaas wrote:

> The LDAP source for our filr deployment is Edir. The NETfolder is on
> an AD file server. The Proxy user is an AD user account with file
> rights to the AD folder structure.
>
> Yes I am sure the edironly and local filr users don't exist in AD. I
> created them for testing - one in a dev portion of our Edir tree, and
> the local filr user is named "localFilrUser" and only exists in the
> filr system.


I'm honestly not sure how the edironly and local filr users are able to
access the AD NetFolder then.

> Am I misunderstanding the documentation? I thought the whole point of
> the proxy user was to allow those without native rights to access
> files on network files structures?


This is only when *sharing* files. If I share a file with you the
proxy user is used which means it doesn't matter if you have native
file system access. However, just to be assigned to a NF directly and
access it you must have filesystem rights (and also share rights if
it's a Windows server) as Filr will authenticate to the backend file
server as the actual Filr user. The proxy user is not used.

--
Your world is on the move. http://www.novell.com/mobility/
We know what your world looks like. http://www.novell.com/yourworld/

Joe Marton Emeritus Knowledge Partner
0 Likes
vodobaas Absent Member.
Absent Member.

Re: Netfolder Proxy user not working as documented?

Thanks for continuing the dialogue.

So is there any way to grant net folder access to network resources for users who do not have an identity in the network (i.e. local filr users or OpenID users)?

Judging by the answers so far, my guess is no.

The only way to share with an non-network user is by sharing an individual file in the desktop client?

With the anomalies we are experiencing, should I open an SR or is there no documented way to share a netfolder to a non-network user?

Thanks again

Fdiaz
0 Likes
jmarton2 Absent Member.
Absent Member.

Re: Netfolder Proxy user not working as documented?

vodobaas wrote:

> So is there any way to grant net folder access to network resources
> for users who do not have an identity in the network (i.e. local filr
> users or OpenID users)?
>
> Judging by the answers so far, my guess is no.


Your guess is correct--at least for now. This is one thing we're
investigating though. In the meantime, users who exist in the
particular LDAP source for that server can always share files in the NF
with non-LDAP users.

> With the anomalies we are experiencing, should I open an SR or is
> there no documented way to share a netfolder to a non-network user?


What you've described so far seems in line with current Filr design.

--
Your world is on the move. http://www.novell.com/mobility/
We know what your world looks like. http://www.novell.com/yourworld/

Joe Marton Emeritus Knowledge Partner
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.