SMB Share with NTFS and Encrypting File System (EFS) Options

thehammer86 (Cadet) · Joined Jun 11, 2020
Hi,

I am wondering if the community could help me out in determining why my Windows domain-joined users cannot copy EFS files to an SMB share on an Active Directory joined FreeNAS 11.2 U9 server. Is it due to:

1) I am missing some critical configuration steps to implement the feature?

or

2) It is a limitation of FreeNAS and/or the Samba version at this time?

I have attached a number of screenshots that display how the process is supposed to work. I seem to be able to copy EFS files to a public share on a local PC. Other non-authorized users can see the EFS files but they cannot read them (as expected).

I was also able to successfully set up a remote Windows Server 2019 share to allow my users to copy EFS files by following the guide at:

Enable a remote server for file encryption: Public Key; Security Services | Microsoft Docs

I then followed the same settings in the link above for my Active Directory joined FreeNAS server but I do not seem to be able to copy over EFS files without dropping the encryption.

I know there are other third-party methods of encrypting files at the user level as well as encrypting the entire pool in FreeNAS at the server level.

However, I am looking to get the above scenario working if possible.

Thoughts everyone?
 

Attachments

  • EFS-001-Local PC.png
  • EFS-002-Local PC.png
  • EFS-003-Local PC.png
  • EFS-004-Local PC.png
  • EFS-005-Local PC-Public Folder.png
  • EFS-006-CLOUD2-WindowsServer2019-SMB Share.png
  • EFS-007-Active Directory Settings for CLOUD2.png
  • EFS-008-CLOUD2-WindowsServer2019-SMB Share.png
  • EFS-009-FreeNAS-Active Directory Settings for CLOUD5-SMB Share.png
  • EFS-010-FreeNAS-CLOUD5- SMB Share.png

Samuel Tai (Moderator) · Joined Apr 24, 2020
I suspect Samba isn't capable of EFS. However, this Microsoft Technet article suggests several things to try:

Remote EFS Operations in a File Share Environment
Remote EFS operations on files stored on network file shares are possible in Windows 2000 or later domain environments only. Domain users can remotely encrypt or decrypt files, but this capability is not enabled by default. The following are requirements for successful remote EFS operations in a file share environment:

  1. The files to be encrypted must be available to the user through a network share. Normal share-level security applies.
  2. The user must have Write or Modify permissions to encrypt or decrypt a file.
  3. The user must have either a local profile on the computer where EFS operations will occur or a roaming profile. If the user does not have a local profile on the remote computer or a roaming profile, EFS creates a local profile for the user on the remote computer.
    If the remote computer is a server in a cluster, the user must have a roaming profile.
  4. To encrypt a file, the user must have a valid EFS certificate. If EFS cannot locate a pre-existing certificate, EFS contacts a trusted enterprise certification authority for a certificate. If no trusted enterprise certification authorities are known, a self-signed certificate is created and used. The certificate and keys are stored in the user’s profile on the remote computer or in the user’s roaming profile if available.
    Note: To verify a certificate’s authenticity, a certification authority signs the certificates that it issues with its private key. EFS creates and uses a self-signed certificate if no file encryption certificate is available from a certification authority. A self-signed certificate indicates that the issuer and subject in the certificate are identical, and that no certification authority has signed the certificate.
  5. To decrypt a file, the user’s profile must contain the private key associated with the public key used to encrypt the file encryption key (FEK).
  6. EFS must impersonate the user to obtain access to the necessary public or private key. This requires the following:
    1. The computer must be a domain member in a domain that uses Kerberos authentication because impersonation relies on Kerberos authentication and delegation.
    2. The computer must be trusted for delegation.
    3. The user must be logged on with a domain account that can be delegated.
      Note: Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select "Trusted for delegation". To allow a user account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the "The account is sensitive and cannot be delegated" check box. Do not select "The account is trusted for delegation". This property is not used with EFS.
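An added audit script (not from this thread or the Microsoft article) that checks, from the user's workstation, the requirements quoted above against the original poster's setup and reports whether a file copied to the share kept its EFS flag. Assumed names: domain user `jdoe`, file server computer account `CLOUD5`, and a file already copied to `\\CLOUD5\efs-share\secret.docx`; it needs the RSAT ActiveDirectory module and must run as the user being checked.

```powershell
# Added example, not code from the thread: audits the remote-EFS requirements
# for one user and one file server. Assumed names: user 'jdoe', file server
# 'CLOUD5' (the FreeNAS box), file '\\CLOUD5\efs-share\secret.docx'.
# Needs the RSAT ActiveDirectory module; run as the user whose EFS key is checked.
param(
    [string]$User   = 'jdoe',
    [string]$Server = 'CLOUD5',
    [string]$File   = '\\CLOUD5\efs-share\secret.docx'
)
Import-Module ActiveDirectory
$checks = [ordered]@{}

# Req. 6.2: the file server's computer account is trusted for delegation.
$computer = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
$checks['Server trusted for delegation']    = [bool]$computer.TrustedForDelegation

# Req. 6.3: the user is not flagged "sensitive and cannot be delegated".
$adUser = Get-ADUser -Identity $User -Properties AccountNotDelegated
$checks['User account can be delegated']    = -not $adUser.AccountNotDelegated

# Req. 4/5: an EFS certificate (EKU OID 1.3.6.1.4.1.311.10.3.4) with its private
# key exists in the current user's personal store, i.e. in the user's profile.
$efsEku  = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku)
}
$checks['EFS certificate with private key'] = [bool]$efsCert
$checks['EFS certificate is self-signed']   = [bool]($efsCert | Where-Object { $_.Subject -eq $_.Issuer })

# Req. 2: an Allow ACE granting Write (part of Modify) to the user or one of the
# groups in the user's token. SIDs are compared as strings to avoid type mismatches.
$tokenSids = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value) + $adUser.SID.Value
$acl = Get-Acl -Path (Split-Path $File -Parent)
$canWrite = $acl.Access | Where-Object {
    $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0) -and
    ($tokenSids -contains $sid)
}
$checks['Write/Modify permission on share'] = [bool]$canWrite

# Outcome: did the copy keep the EFS attribute, or was encryption dropped in transit?
$attrs = (Get-Item -LiteralPath $File).Attributes
$checks['Copied file still EFS-encrypted']  = $attrs.HasFlag([IO.FileAttributes]::Encrypted)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

"Trusted for delegation" on the computer account is unconstrained Kerberos delegation, which lets that server impersonate any connecting user to any service, so weigh that exposure before enabling it on a file server.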