Enabling NFS symlink traversal for SMB clients


Summary

VAST SMB supports traversing NFS-created symbolic links. However, by default, most Windows clients do not have the remote SMB symbolic link capability enabled.

Enabling on a Local Windows Client

You will need local Administrator privileges on a Windows client to perform this change.

Open a CMD prompt (start -> run -> cmd.exe)

Type the following to verify what is enabled:

C:\>fsutil behavior query symlinkevaluation
Local to local symbolic links are enabled.
Local to remote symbolic links are enabled.
Remote to local symbolic links are disabled.
Remote to remote symbolic links are disabled

In the above output, you can see that both types of remote symbolic links are disabled. To enable them:

C:\>fsutil behavior set SymlinkEvaluation R2R:1 R2L:1

Then re-run the query command, and all will show as enabled. You can now successfully traverse NFS symbolic links from this SMB client!
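The query, set and re-check steps above as one PowerShell script, added here as an example and not part of the original article: it parses the fsutil query output and enables only the R2R and R2L classes that are currently off, leaving the local classes untouched. The $Apply toggle and the function name are hypothetical, and the parser assumes the English fsutil output shown above.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
$Apply = $false   # hypothetical toggle: $true changes the setting, $false only reports

function Get-SymlinkEvaluation {
    # Turns "Remote to local symbolic links are disabled." into R2L = $false, and so on.
    # Assumption: English fsutil output, as shown in the article.
    $state = [ordered]@{}
    foreach ($line in (& fsutil.exe behavior query SymlinkEvaluation)) {
        if ($line -match '^(Local|Remote) to (local|remote) symbolic links are (enabled|disabled)') {
            $key = ($Matches[1].Substring(0, 1) + '2' + $Matches[2].Substring(0, 1)).ToUpper()
            $state[$key] = ($Matches[3] -eq 'enabled')
        }
    }
    return $state
}

$before = Get-SymlinkEvaluation
if ($before.Count -ne 4) { throw 'Could not parse fsutil output (non-English Windows?)' }

# Only the two remote classes are needed to follow NFS-created links on an SMB share.
$needed  = 'R2R', 'R2L'
$missing = @($needed | Where-Object { -not $before[$_] })

if ($missing.Count -eq 0) {
    Write-Output 'R2R and R2L are already enabled; nothing to do.'
} elseif (-not $Apply) {
    Write-Output ("Disabled: {0}. Set `$Apply = `$true to enable." -f ($missing -join ', '))
} else {
    # Same command as in the article, limited to the classes that are off.
    $fsutilArgs = @('behavior', 'set', 'SymlinkEvaluation') + ($missing | ForEach-Object { "${_}:1" })
    & fsutil.exe @fsutilArgs
    if ($LASTEXITCODE -ne 0) { throw "fsutil failed with exit code $LASTEXITCODE (not elevated?)" }

    # Re-run the query, as the article instructs, and fail loudly if nothing changed.
    $after = Get-SymlinkEvaluation
    $still = @($needed | Where-Object { -not $after[$_] })
    if ($still.Count -gt 0) { throw "Still disabled after change: $($still -join ', ')" }
    Write-Output 'R2R and R2L are now enabled.'
}
```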

You can also enable this domain-wide through a Group Policy Object (GPO).

To enable symbolic link evaluation via the Group Policy Management Console/MMC:

  1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) → Group Policy Management.

  2. In the left pane, navigate to Forest: <forest_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.

The screenshot illustrates the Group Policy Management console, showing options to manage Default Domain Policy under a specific domain in an Active Directory structure. The security filtering section is set to apply settings only to 'Authenticated Users'.

Group Policy MGMT

  3. In the Group Policy Management Editor, navigate to Computer Configuration → Policies → Administrative Templates: Policy definitions → System → Filesystem.

  4. In the Filesystem configuration, double-click the Selectively allow the evaluation of a symbolic link setting.

The Group Policy Management Editor is shown with the "Administrative Templates: Policy definition" expanded, focusing on options related to NTFS settings such as disabling delete notifications and selectively allowing symbolic link evaluation.

Group Policy, edit symbolic link

  5. In the dialog that opens, select Enabled, then check all types of symbolic link evaluation under Options.

The settings in this configuration window allow administrators to selectively enable or disable the evaluation of various types of symbolic links, including local-to-local and remote-to-remote targets, to mitigate potential vulnerabilities in applications on Windows Vista and subsequent versions.

Selectively allow the evaluation of a symbolic link

  6. Navigate to Start → Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.

The image shows an Administrator Command Prompt running on Windows 7, where the command `gpupdate /force` has been executed successfully to update both User and Computer policies as indicated by the message "User Policy update has completed successfully" and "Computer Policy update completed successfully."

Force GPupdate