hamzabenmehidi-1364 asked hamzabenmehidi-1364 answered

Azure File Share NTFS access denied

Hello,
I have a storage account where I'm Owner and SMB Elevated Contributor; the storage account is linked correctly to our Active Directory.

I mapped a file share (let's call it poc1) to my Windows client machine using AD credentials (with the role that is SMB Elevated Contributor & Owner). I can copy/paste files using Windows Explorer (GUI) and modify NTFS rules on files (GUI) with no problem. I can also modify NTFS rules on the whole share (so far everything OK). When I try to copy files to that share using robocopy I get an access denied: impossible to copy NTFS on destination. I tried to do a Get-Acl/Set-Acl on the destination and I also get an access denied.

I ran the command in both normal and elevated prompts; my account is an admin account so I'm using the same user for both (no issue on mapping).
When using robocopy, the file is copied to the destination but not its ACL. When I check the share security (GUI) I see that inheritance is disabled, but each time I try to enable it, it switches back automatically to disabled. This is insane (tried rebooting the computer, tried from different VMs).

azure-files

Can you share the robocopy command you are running? See here for an example command: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-migration-robocopy#phase-4-robocopy

0 Votes 0 ·

Robocopy "c:\test" "w:\" /copyall /v

"W:\" is the mapped file share in this case. I also tried with the UNC.

Result of the command:

PS C:\windows\system32> robocopy "c:\test\" "w:\" /copyall /v

it keeps giving me
ERROR 5 (0x00000005) Copie de la sécurité NTFS dans le fichier de destination c:\test\copytest.txt
Access denied.

(Sorry, the error message is in French.)

Thanks for the help.


0 Votes 0 ·

I actually got this to work by changing how I mapped the Azure File Share drive. I went into the Azure Portal, navigated to the share and clicked Connect. It gave me the option of using AD or Storage Key authentication. I selected the storage key option; I haven't tried the AD one yet. It gave me a script to use to map the drive. When I used that script instead of the net use command I had been using, I was able to copy NTFS permissions over with the robocopy command.

0 Votes 0 ·
hamzabenmehidi-1364 answered

After reaching support, I ended up having a definitive answer to this problem; below is the support answer:


It is a common scenario to robocopy files between file servers. Unfortunately, this scenario is broken using AD Authentication for Azure Files.
Whenever a request to add a file comes in to Azure Files, if the request is over a Kerberos (authenticated via AD) session, an access check happens to see if the caller has permissions to add a file under the parent directory of the file.
For example, if a user is using robocopy with "/sec", when robocopy transfers a file to the destination, the following access checks occur:
1. Does the AD user executing robocopy have the permission to add a file or directory under the file's parent?
   a. This checks if FILE_ADD_FILE permission is granted to the user in the file's parent directory.
2. Does the AD user executing robocopy have the permission to set an ACL on the file?
   a. This checks if the user has WRITE_DAC permission to the file.
3. Does the AD user executing robocopy have the permission to set the owner on the file?
   a. This checks if the user has WRITE_OWNER permission to the file.

Unfortunately, with check #3, there is currently no AD user that has "Take Ownership" permission on the file share and can set the owner. So if robocopy requires setting the owner, it will fail with access denied.



The only workaround is to map the folder using the Access Key (mapping the file share as a "super admin"), and then everything works just fine.
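
The workaround described in this answer, written out as an added example (not the portal-generated script and not code from any poster): remap the share with the storage account key, rerun the copy, and confirm that the owner and ACL arrived. `<storage-account>` and `<storage-account-key>` are placeholders; the share `poc1`, drive `W:`, source `C:\test`, file `copytest.txt` and `/COPY:DATSO` are taken from the thread.

```powershell
# Added example. Placeholders: <storage-account>, <storage-account-key>.
$account = '<storage-account>'
$key     = '<storage-account-key>'   # assumption: supplied from a secret store, not hard-coded
$fqdn    = "$account.file.core.windows.net"
$share   = "\\$fqdn\poc1"

# Windows keeps one identity per SMB server, so drop the AD (Kerberos) mapping first.
net use W: /delete /y 2>$null

# Azure Files over SMB needs outbound TCP 445.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is not reachable"
}

# Cache the storage key as the credential for this server, then map the share with it.
cmd.exe /C "cmdkey /add:`"$fqdn`" /user:`"localhost\$account`" /pass:`"$key`""
New-PSDrive -Name W -PSProvider FileSystem -Root $share -Persist -Scope Global | Out-Null

# Copy data, attributes, timestamps, security (ACL) and owner; auditing info is left out.
robocopy 'C:\test' 'W:\' /COPY:DATSO /V
$rc = $LASTEXITCODE                  # robocopy exit codes are bit flags; 8 and above mean failures
if ($rc -ge 8) { Write-Error "robocopy reported failures (exit code $rc)" }

# Check that the owner and ACL were written on the destination file.
Get-Acl 'W:\copytest.txt' | Format-List Owner, AccessToString

# The key grants full control of the share regardless of NTFS ACLs:
# remove the mapping and the cached credential once the copy is verified.
Remove-PSDrive -Name W
cmdkey /delete:$fqdn
```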

deherman-MSFT answered

@hamzabenmehidi-1364

You are using /copyall, which is the equivalent of /COPY:DATSOU. Auditing information can't be stored in an Azure file share, so I suspect this might be causing the issue. Please try your command with /COPY:DATSO to see if it resolves your issue. I also recommend reviewing the other options we have suggested in our documentation.

Hope this helps! If this doesn't resolve your issue please let me know and we can work with you more closely.



Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

hamzabenmehidi-1364 answered GreenfieldBrian-2652 commented

@deherman-MSFT I tried with /COPY:DATSO, same issue. The files get copied but not the NTFS (robocopy gives me the same NTFS error with the access denied). Tried in standard and elevated PowerShell.
I'm still able to modify the NTFS ACL of the file via the GUI (which is normal as I theoretically have the right to do so). The issue is very weird as everything seems correct from the Azure side and the right side. Can you please take a closer look to help me detect the issue?
