Data ONTAP® 8.1 Cluster-Mode File Access and Protocols Management Guide

NetApp, Inc.
495 East Java Drive
Sunnyvale, CA 94089 USA
Telephone: +1 (408) 822-6000
Fax: +1 (408) 822-4501
Support telephone: +1 (888) 4-NETAPP
Documentation comments: [email protected]
Information Web: http://www.netapp.com

Part number: 215-06503_A0
January 2012


Contents

Introduction to file access management ..................................................... 9
File protocols that Data ONTAP supports .................................................................. 9

How Data ONTAP controls access to files ................................................................. 9

Authentication-based restrictions .................................................................... 9

File-based restrictions ..................................................................................... 9

Modifying protocols for Vservers ............................................................................. 10

File access using NFS ................................................................................. 13
NFS concepts ............................................................................................................. 13

About Data ONTAP support of NFSv4 .................................................................... 13

Limitations of Data ONTAP support for NFSv4 ...................................................... 14

Data ONTAP support for NFSv4.1 ........................................................................... 14

Data ONTAP support for parallel NFS ..................................................................... 15

Supported NFS versions and clients .......................................................................... 15

Setting up file access using NFS ................................................................ 17
Creating an NFS server ............................................................................................. 17

Export policies ........................................................................................................... 17

Export policy and rule concepts .................................................................... 18

Export policies and nested junctions ............................................................. 18

Creating an export policy .............................................................................. 18

Adding a rule to an export policy .................................................................. 19

Setting an export rule's index number ........................................................... 21

NFS and Kerberos ..................................................................................................... 22

NFS clients that support Kerberos v5 security services ................................ 22

Creating a Kerberos realm configuration ...................................................... 23

Creating an NFS Kerberos configuration ...................................................... 24

Name mappings ......................................................................................................... 24

Name mapping concepts ............................................................................... 24

Name mapping conversion rules ................................................................... 25

Creating a name mapping .............................................................................. 26

Configuring the default user ...................................................................................... 27

Configuring local UNIX users and groups ................................................................ 27

Creating a local UNIX user ........................................................................... 28

Table of Contents | 3


Loading local UNIX users from a URI ......................................................... 28

Creating a local UNIX group ........................................................................ 29

Loading local UNIX groups from a URI ...................................................... 30

Adding a user to a local UNIX group ........................................................... 30

Loading netgroups into a Vserver ................................................................. 31

Creating a NIS domain configuration ....................................................................... 32

Using LDAP services ................................................................................................ 32

Creating an LDAP client configuration .................................................................... 33

Creating an LDAP configuration .............................................................................. 34

Managing file access using NFS ................................................................ 35
Use of hard mounts ................................................................................................... 35

Commands for managing NFS servers ...................................................................... 35

Commands for managing name mappings ................................................................ 35

Commands for managing local UNIX users ............................................................. 36

Commands for managing local UNIX groups ........................................................... 36

Verifying the status of netgroup definitions .............................................................. 37

Commands for managing NIS domain configurations .............................................. 38

Commands for managing LDAP client configurations ............................................. 38

Commands for managing LDAP configurations ....................................................... 38

Commands for managing LDAP client schema templates ........................................ 39

How the access cache works ..................................................................................... 39

Displaying information about NFS Kerberos configurations ................................... 40

Modifying an NFS Kerberos configuration .............................................................. 41

Commands for managing Kerberos realm configurations ........................................ 41

Commands for managing export policies .................................................................. 42

Commands for managing export rules ...................................................................... 42

Locks ......................................................................................................................... 42

About file locking between protocols ........................................................... 43

About read-only bits ...................................................................................... 43

Displaying information about locks .............................................................. 44

Breaking locks ............................................................................................... 44

Enabling or disabling NFSv2 .................................................................................... 45

Enabling or disabling NFSv3 .................................................................................... 45

Enabling or disabling NFSv4 .................................................................................... 46

Enabling or disabling NFSv4.1 ................................................................................. 46

Enabling or disabling parallel NFS ........................................................................... 46


Specifying the user ID domain for NFSv4 ................................................................ 47

Modifying the NFSv4.1 server implementation ID .................................................. 47

Managing NFSv4 ACLs ............................................................................................ 48

Benefits of enabling NFSv4 ACLs ................................................................ 48

Compatibility between NFSv4 ACLs and Windows (NTFS) ACLs ............ 48

How NFSv4 ACLs work ............................................................................... 48

Enabling or disabling modification of NFSv4 ACLs .................................... 50

How Data ONTAP uses NFSv4 ACLs to determine whether it can delete a file .............. 50

Enabling or disabling NFSv4 ACLs .............................................................. 50

Managing NFSv4 file delegations ............................................................................. 51

How NFSv4 file delegations work ................................................................ 51

Enabling or disabling NFSv4 read file delegations ....................................... 52

Enabling or disabling NFSv4 write file delegations ..................................... 52

Configuring NFSv4 file and record locking .............................................................. 53

About NFSv4 file and record locking ........................................................... 53

Specifying the NFSv4 locking lease period .................................................. 54

Specifying the NFSv4 locking grace period ................................................. 54

How NFSv4 referrals work ....................................................................................... 54

Enabling or disabling NFSv4 referrals ...................................................................... 55

Displaying NFS statistics .......................................................................................... 56

Support for VMware vStorage over NFS .................................................................. 56

Enabling or disabling vStorage support ........................................................ 56

Displaying information about vStorage ........................................................ 57

Enabling or disabling rquota support ........................................................................ 57

File access using CIFS ................................................................................ 59
CIFS concepts ........................................................................................................... 59

Supported CIFS clients and domain controllers ........................................................ 59

Unsupported Windows features ................................................................................ 59

Setting up file access using CIFS ............................................................... 61
Creating a CIFS server .............................................................................................. 61

Share naming conventions ........................................................................................ 61

CIFS home directory concepts .................................................................................. 61

Adding a home directory search path ........................................................................ 63

Considerations when creating a share ....................................................................... 63

Creating a CIFS share ............................................................................................... 64


About share-level ACLs ............................................................................................ 66

Creating a CIFS share access control list .................................................................. 66

Adding preferred domain controllers ........................................................................ 67

About Kerberos authentication .................................................................................. 67

Export policies ........................................................................................................... 68

Export policy and rule concepts .................................................................... 68

Creating an export policy .............................................................................. 68

Adding a rule to an export policy .................................................................. 69

Setting an export rule's index number ........................................................... 71

Name mappings ......................................................................................................... 72

Name mapping concepts ............................................................................... 72

Name mapping conversion rules ................................................................... 73

Creating a name mapping .............................................................................. 74

Configuring the default user ...................................................................................... 75

Configuring local UNIX users and groups ................................................................ 75

Creating a local UNIX user ........................................................................... 75

Loading local UNIX users from a URI ......................................................... 76

Creating a local UNIX group ........................................................................ 77

Loading local UNIX groups from a URI ...................................................... 77

Adding a user to a local UNIX group ........................................................... 78

Loading netgroups into a Vserver ................................................................. 78

Creating a NIS domain configuration ....................................................................... 79

Using LDAP services ................................................................................................ 80

Creating an LDAP client configuration .................................................................... 80

Creating an LDAP configuration .............................................................................. 81

How CIFS clients can access UNIX symbolic links ................................................. 82

Creating symbolic link mappings for CIFS ............................................................... 83

Managing file access using CIFS ............................................................... 85
Commands for managing CIFS servers .................................................................... 85

Commands for managing name mappings ................................................................ 85

Commands for managing local UNIX users ............................................................. 86

Commands for managing local UNIX groups ........................................................... 86

Verifying the status of netgroup definitions .............................................................. 86

Commands for managing NIS domain configurations .............................................. 87

Commands for managing LDAP configurations ....................................................... 88

Commands for managing LDAP client configurations ............................................. 88


Commands for managing LDAP client schema templates ........................................ 88

Displaying information about discovered servers ..................................................... 89

Commands for managing preferred domain controllers ........................................... 90

Displaying information about NetBIOS over TCP connections ............................... 90

Displaying CIFS statistics ......................................................................................... 90

Displaying information about CIFS security settings ............................................... 91

Modifying CIFS security settings ............................................................................. 91

Locks ......................................................................................................................... 92

About file locking between protocols ........................................................... 92

About read-only bits ...................................................................................... 92

Displaying information about locks .............................................................. 93

Breaking locks ............................................................................................... 93

Improving client performance with oplocks ............................................................. 94

Write cache data loss considerations when using oplocks ............................ 94

How CIFS metadata caching works .......................................................................... 95

Enabling the CIFS metadata cache ............................................................................ 95

Configuring the lifetime for CIFS metadata cache entries ........................................ 95

Commands for managing CIFS shares ...................................................................... 96

Commands for managing CIFS share access control lists ........................................ 96

Commands for managing search paths ...................................................................... 96

Commands for managing CIFS group policies ......................................................... 97

Commands for managing export policies .................................................................. 97

Commands for managing export rules ...................................................................... 98

Configuring SMB on your storage system ................................................................ 98

Support for the SMB 1.0 protocol ................................................................. 98

Support for the SMB 2.0 protocol ................................................................. 98

Support for the SMB 2.1 protocol ................................................................. 99

Enabling or disabling the SMB 2.0 protocol ................................................. 99

Changing or resetting the domain account password .............................................. 100

Commands for managing symbolic link mappings ................................................. 100

File sharing between NFS and CIFS ....................................................... 101
CIFS file access from NFS clients .......................................................................... 101

About NFS and CIFS file naming ........................................................................... 101

Characters a file name can use .................................................................... 101

Case-sensitivity of a file name .................................................................... 102

How Data ONTAP creates file names ......................................................... 102


Preservation of UNIX permissions ......................................................................... 102

Glossary ..................................................................................................... 105
Copyright information ............................................................................. 111
Trademark information ........................................................................... 113
How to send your comments .................................................................... 115
Index ........................................................................................................... 117


Introduction to file access management

Through Data ONTAP, you can manage access to files of different protocols.

File protocols that Data ONTAP supports

Data ONTAP supports file access using the NFS and CIFS protocols.

This means clients can access all files on a Vserver regardless of what protocol they are connecting with or what type of authentication they require.

How Data ONTAP controls access to files

Data ONTAP controls access to files according to the authentication-based and file-based restrictions that you specify.

To properly manage file access control, Data ONTAP must communicate with external services such as NIS, LDAP, and Active Directory servers. Configuring a storage system for file access using CIFS or NFS requires setting up the appropriate services depending on your environment in Data ONTAP.

Note: The communication with external services usually happens over the data LIF of the Vserver. In some situations, communication over the data LIF might fail or must be made on a node that does not host data LIFs for the Vserver. In this case, the storage system attempts to use node and cluster management LIFs instead. For these reasons, you must ensure that the Vserver has a data LIF properly configured to reach all required external services, and that all management LIFs in the cluster can reach these external services as well.

Authentication-based restrictions

With authentication-based restrictions, you can specify which client machines and which users can connect to the Vserver.

Data ONTAP supports Kerberos authentication from both UNIX and Windows servers.

File-based restrictions

With file-based restrictions, you can specify which users can access which files.

When a user creates a file, Data ONTAP generates a list of access permissions for the file. While the form of the permissions list varies with each protocol, it always includes common permissions, such as reading and writing permissions.

When a user tries to access a file, Data ONTAP uses the permissions list to determine whether to grant access. Data ONTAP grants or denies access according to the operation that the user is performing, such as reading or writing, and the following factors:


• User account
• User groups or netgroups
• Client protocol
• Client IP address
• File type

As part of the verification process, Data ONTAP maps host names to IP addresses using the lookup service you specify—Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), Domain Name Service (DNS), or local storage system information.

Modifying protocols for Vservers

Before you can configure and use NFS or CIFS on Vservers, you must enable the protocol. This is typically done during Vserver setup, but if you did not enable the protocol during setup, you can enable it later by using the vserver modify command.

Steps

1. Check which protocols are currently enabled for a Vserver by entering the following command:

vserver show -vserver vserver_name -fields allowed-protocols

2. Modify the list of enabled protocols for a Vserver by entering the following command:

vserver modify -vserver vserver_name -allowed-protocols protocol_name[,protocol_name,...]

You must enter the complete list of protocols you want to be enabled on the Vserver, including the protocols that are already enabled. Any protocol not specified with the command is automatically disabled and moved to the disallowed protocol list.

You can also use the Vserver setup wizard to modify protocols for Vservers by using the vserver setup command.

See the man page for each command for more information.

3. Confirm that the allowed protocol list was updated correctly by entering the following command:

vserver show -vserver vserver_name -fields allowed-protocols

Examples

The following command displays which protocols are currently enabled on a Vserver named vs1.

vs1::> vserver show -vserver vs1 -fields allowed-protocols
vserver allowed-protocols
------- -----------------
vs1     nfs

The following command adds CIFS to the list of enabled protocols on a Vserver named vs1.

vs1::> vserver modify -vserver vs1 -allowed-protocols nfs,cifs
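The caveat in step 2 is easy to get wrong in automation: a modify command that names only the protocol being added disables everything else. The helper below is an added example (not part of the NetApp guide) that reads the current list from the vserver show output layout printed above and emits a vserver modify command carrying the complete list. The sample output text is constructed, and the treatment of "-" as an empty field is an assumption of the example.

```python
# Added example, not from the NetApp guide: keep the -allowed-protocols list
# complete when enabling an additional protocol on a Vserver. Any protocol
# omitted from "vserver modify ... -allowed-protocols" is disabled, so the
# list passed must be: currently enabled protocols + additions - removals.
from typing import Iterable, List, Optional

# Constructed sample of "vserver show -vserver ... -fields allowed-protocols"
# output in the layout the guide prints (header, dashed rule, one row per Vserver).
SAMPLE_SHOW_OUTPUT = """\
vserver allowed-protocols
------- -----------------
vs1     nfs
vs2     nfs,cifs
"""


def parse_allowed_protocols(show_output: str, vserver: str) -> List[str]:
    """Return the allowed-protocols list for one Vserver from show output.

    The column is a comma-separated list; an empty field is assumed to be
    printed as "-" (assumption of this example, not stated in the guide).
    """
    for line in show_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == vserver:
            raw = parts[1]
            return [] if raw == "-" else [p for p in raw.split(",") if p]
    raise LookupError(f"Vserver {vserver!r} not present in show output")


def complete_protocol_list(current: Iterable[str], add: Iterable[str] = (),
                           remove: Iterable[str] = ()) -> List[str]:
    """Compute the full list to pass to -allowed-protocols.

    The order of already-enabled protocols is preserved, additions are
    appended once, and anything in `remove` is dropped. Names are compared
    in lower case because that is how the CLI prints them.
    """
    dropped = {p.lower() for p in remove}
    wanted: List[str] = []
    for p in list(current) + list(add):
        p = p.lower()
        if p not in dropped and p not in wanted:
            wanted.append(p)
    return wanted


def build_modify_command(vserver: str, protocols: List[str]) -> str:
    """Render the vserver modify command with the complete protocol list.

    Refuses an empty list, since that command would disable every protocol
    on the Vserver (a guard added by this example).
    """
    if not protocols:
        raise ValueError("protocol list is empty; this would disable all protocols")
    return f"vserver modify -vserver {vserver} -allowed-protocols {','.join(protocols)}"


def plan_enable(show_output: str, vserver: str, protocol: str) -> Optional[str]:
    """Return the modify command needed to enable `protocol`, or None when it
    is already enabled so the caller can skip a no-op change."""
    current = parse_allowed_protocols(show_output, vserver)
    if protocol.lower() in current:
        return None
    return build_modify_command(vserver, complete_protocol_list(current, add=[protocol]))


if __name__ == "__main__":
    print(plan_enable(SAMPLE_SHOW_OUTPUT, "vs1", "cifs"))
    # -> vserver modify -vserver vs1 -allowed-protocols nfs,cifs
```

Run the printed command, then repeat the vserver show query from step 3 to confirm that both the previously enabled and the newly added protocols are listed.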


File access using NFS

You can export and unexport file system paths on your storage system, making them available or unavailable, respectively, for mounting by NFS clients.

NFS concepts

NFS clients can access your storage system using the NFS protocol provided Data ONTAP can properly authenticate the user.

When an NFS client connects to the Vserver, Data ONTAP obtains the UNIX credentials for the user by checking different name services, depending on the name services configuration of the Vserver. The options are local UNIX accounts, NIS domains, and LDAP domains. You must configure at least one of them so Data ONTAP can successfully authorize the user. You can specify multiple name services and the order in which they are searched.

In a pure NFS environment with UNIX volume security styles, this configuration is sufficient to authenticate a user connecting from an NFS client and provide the proper file access.

If you are using mixed or NTFS volume security styles, Data ONTAP must obtain a CIFS user name for the UNIX user for authentication with a Windows domain controller. This can happen either by mapping individual users using local UNIX accounts or LDAP domains, or by using a default CIFS user instead. You can specify for the Vserver which name services are searched in which order, or specify a default CIFS user.

About Data ONTAP support of NFSv4

Data ONTAP supports all the mandatory functionality in NFSv4 except the SPKM3 and LIPKEY security mechanisms.

This functionality consists of the following:

COMPOUND: Allows a client to request multiple file operations in a single remote procedure call (RPC) request.

File delegation: Allows the server to delegate file control to some types of clients for read and write access.

Pseudo-fs: Used by NFSv4 servers to determine mount points on the storage system. There is no mount protocol in NFSv4.

Locking: Lease-based. There are no separate Network Lock Manager (NLM) or Network Status Monitor (NSM) protocols in NFSv4.

Data ONTAP also supports the NFSv4.1 protocol.


For more information about the NFSv4 and NFSv4.1 protocols, see the NFSv4 RFC 3050 and the NFSv4.1 RFC 5661.

Limitations of Data ONTAP support for NFSv4

You should be aware of several limitations of Data ONTAP support for NFSv4.

• The SPKM3 and LIPKEY security mechanisms are not supported.
• The delegation feature is not supported by every client type.
• Names with non-ASCII characters on volumes other than UTF8 volumes are rejected by the storage system.
• All file handles are persistent; the server does not give volatile file handles.
• Migration and replication are not supported.
• NFSv4 clients are not supported with read-only load-sharing mirrors.
  Data ONTAP routes NFSv4 clients to the source of the load-sharing mirror for direct read and write access.
• Named attributes are not supported.
• All recommended attributes are supported, except for the following:
  • archive
  • hidden
  • homogeneous
  • mimetype
  • quota_avail_hard
  • quota_avail_soft
  • quota_used
  • system
  • time_backup

Note: Although it does not support the quota* attributes, Data ONTAP does support user and group quotas through the RQUOTA side band protocol.

Data ONTAP support for NFSv4.1

Data ONTAP supports the NFSv4.1 protocol to allow access for NFSv4.1 clients.

By default NFSv4.1 is disabled. You can enable it by specifying the -v4.1 option and setting it to enabled when creating an NFS server on a Vserver. You must also enable NFSv4.0 support to be able to enable NFSv4.1 support.

Data ONTAP does not support NFSv4.1 directory and file level delegations.


Data ONTAP support for parallel NFS

Data ONTAP supports parallel NFS (pNFS). The pNFS protocol offers performance improvements by giving clients direct access to the data of a set of files distributed across multiple nodes of a Cluster-Mode cluster. It helps clients locate the optimal path to a volume.

Supported NFS versions and clients

Before you can use NFS in your network, you need to know which NFS versions and clients Data ONTAP supports.

For the latest information on which NFS versions and clients Data ONTAP supports, see the UNIX File Services (NFS) Compatibility Matrix and the NetApp Interoperability Matrix Tool on support.netapp.com/NOW/products/interoperability.


Setting up file access using NFS

You must complete a number of steps to allow clients access to files on a Vserver using NFS.

Creating an NFS server

The NFS server is necessary to provide NFS clients with access to a Vserver. You can use the vserver nfs create command to create an NFS server.

Before you begin

Ensure that the cluster administrator has created the Vserver, installed an NFS license, and created the necessary interfaces. The cluster administrator might also want to configure an NTP server for the Vserver. See the Data ONTAP Cluster-Mode Vserver Administrator Capabilities Overview Guide for more information.

Before creating an NFS server, you might want to configure a NIS domain for the Vserver. If not, the NFS server uses local-users and local-groups.

Step

1. Use the vserver nfs create command to create an NFS server.

Example

The following command creates an NFS server on a Vserver named vs1. Default values are used for all parameters and no default Windows users are specified.

Note: The -rpcsec-ctx-high and -rpcsec-ctx-idle options are available in advanced mode only.

vs1::> vserver nfs create -vserver vs1 -access true -rpcsec-ctx-high 0 -rpcsec-ctx-idle 0 -v2-enable true -v3-enable true -udp-enable true -tcp-enable true

Export policies

You can use export policies to restrict access to volumes to specific clients.


Export policy and rule conceptsExport policies enable you to restrict access to volumes to clients that match specific IP addressesand specific authentication types. Clients cannot access data on a Vserver until you create an exportpolicy and export rules.

Each volume is associated with exactly one export policy. Each export policy is identified by aunique name and a unique numeric ID. A Data ONTAP cluster can contain up to 1,024 exportpolicies. Each Vserver has at least one export policy called default, which contains no rules. Thisexport policy cannot be deleted, although it can be renamed or modified. Each volume on a Vserverby default is associated with the default export policy.

Export policies consist of individual export rules. An export policy can contain a large number ofrules (approximately 4,000). Each rule specifies access permissions to volumes for one or moreclients. The clients can be specified by hostname, IP address, or netgroup.

Rules are processed in the order in which they appear in the export policy. The rule order is dictated by the rule index number. You can reorder export rules in a policy by modifying the rule index number.

The rule also specifies the authentication types that are required for both read-only and read-write operations. To have any access to a volume, matching clients must authenticate with the authentication type specified by the read-only rule. To have write access to the volume, matching clients must authenticate with the authentication type specified by the read-write rule. If a client makes an access request that is not permitted by the applicable export policy, the request fails with a permission-denied message. If a client IP address does not match any rule in the volume's export policy, then access is denied. If an export policy is empty, then all accesses are implicitly denied.

Export rules can use host entries from a netgroup.

You can modify an export policy dynamically on a running Data ONTAP system.

Export policies and nested junctions

If export policies are set up so that a less restrictive policy is set on a nested junction but a more restrictive policy is set on a higher level junction, access to the lower level junction might fail.

You should ensure that higher level junctions have less restrictive export policies than lower level junctions.

Creating an export policy

Before creating export rules, you must create an export policy to hold them. You can use the vserver export-policy create command to create an export policy.

Step

1. To create an export policy, enter the following command:


vserver export-policy create -vserver virtual_server_name -policyname policy_name

-vserver virtual_server_name specifies the Vserver name.

-policyname policy_name specifies the name of the new export policy.

Example

The following command creates an export policy named rs1 on a Vserver named vs1.

vs1::> vserver export-policy create -vserver vs1 -policyname rs1

After you finish

After you create the policy, add rules to it by using the vserver export-policy rule create command.

Adding a rule to an export policy

You can use the vserver export-policy rule create command to create an export rule for an export policy. This enables you to define client access to data.

Before you begin

Before you create export rules, you must have created an export policy to add the export rules to.

Step

1. To create an export rule, enter the following command:

vserver export-policy rule create -vserver virtual_server_name -policyname policy_name -ruleindex integer -protocol {any|nfs2|nfs3|nfs|cifs|nfs4|flexcache},... -clientmatch text -rorule {any|none|never|krb5|ntlm|sys},... -rwrule {any|none|never|krb5|ntlm|sys},... -anon user_ID -superuser {any|none|never|krb5|ntlm|sys},... -allow-suid {true|false} -allow-dev {true|false}

-vserver virtual_server_name specifies the Vserver name.

-policyname policy_name specifies the name of the existing export policy to add the rule to.

-ruleindex integer specifies the index number for the rule. Rules are evaluated according to their order in the list of index numbers; rules with lower index numbers are evaluated first. For example, the rule with index number 1 is evaluated before the rule with index number 2.

-protocol {any|nfs2|nfs3|nfs|cifs|nfs4|flexcache} specifies the access protocol. You can specify a comma-separated list of multiple access protocols for an export rule. If you specify the protocol as any, do not specify any other protocols in the list. If you do not specify an access protocol, the default value of any is used.


-clientmatch text specifies the client to which the rule applies. You can specify the match in any of the following formats:

• As a host name; for instance, host1

• As an IPv4 address; for instance, 10.1.12.24

• As an IPv4 address with a subnet mask expressed as a number of bits; for instance, 10.1.12.10/4

• As an IPv4 address with a network mask; for instance, 10.1.16.0/255.255.255.0

• As a netgroup, with the netgroup name preceded by the @ character; for instance, @netgroup

• As a domain name preceded by the "." character; for instance, .example.com

Note: Entering an IP address range, such as 10.1.12.10-10.1.12.70, is not allowed. Entries in this format are interpreted as a text string and treated as a host name.

-rorule {any|none|never|krb5|ntlm|sys} specifies one or more security types for read-only access.

-rwrule {any|none|never|krb5|ntlm|sys} specifies one or more security types for read-write access.

You can specify a comma-separated list of multiple security types for a rule. If you specify the security type as any or never, do not specify any other security types. Choose from the following valid security types:

• any

A matching client can access the volume regardless of security type.

• none

A matching client can access the volume as an anonymous user if it uses any security type not already listed. For instance, a read-only rule that specifies the security types ntlm and none provides read-only access to clients that use NTLM and anonymous read-only access to clients that use other security types.

Note: If a read-write rule is specified only as none, then only unauthenticated clients can write to the volume. If you want to make the volume writable by any user, specify a security type of any.

• never

A matching client cannot access the volume regardless of security type.

• krb5

A matching client can access the volume if it is authenticated by Kerberos 5.

• ntlm

A matching client can access the volume if it is authenticated by CIFS NTLM.

• sys

A matching client can access the volume if it is authenticated by NFS AUTH_SYS.

-anon user_ID specifies a UNIX user ID or user name that is mapped to client requests that arrive with a user ID of 0 (zero), which is typically associated with the user name root. The default value is 65534, which is typically associated with the user name nobody. The following notes apply to the use of this parameter:

• To disable access by any client with a user ID of 0, you must specify a value of 65535.

• To provide a client with a user ID of 0 with access to files and directories owned by the user ID 0, but no special access to files and directories not owned by the user ID 0, specify the anonymous user as 0 (zero) and superuser access as never.

• If you specify a value of 0 for the anonymous user, you must also specify a value for superuser access. Conversely, do not specify a value for superuser access unless you specify a value of 0 for the anonymous user.

-superuser {any|none|never|krb5|ntlm|sys} specifies the security type or types for superuser access if you have specified a value of 0 for the anonymous user.

-allow-suid {true|false} specifies whether to allow access to set user ID (suid) and set group ID (sgid). The default is true.

-allow-dev {true|false} specifies whether to allow creation of devices. The default is true.

Example

The following command creates an export rule on a Vserver named vs1 in an export policy named rs1. The rule has the index number 1. The rule matches all clients. The rule enables all NFS access. It enables read-only access by all clients and requires Kerberos authentication for read-write access. Clients with the UNIX user ID 0 (zero) are mapped to user ID 65534 (which typically maps to the user name nobody). The rule enables suid and sgid access but does not enable the creation of devices.

vs1::> vserver export-policy rule create -vserver vs1 -policyname rs1 -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule krb5 -anon 65534 -allow-suid true -allow-dev false
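The evaluation behaviour described for -ruleindex, -clientmatch, -rorule/-rwrule and -anon can be exercised in a small simulation. This is an added example, not Data ONTAP code; the host, domain and netgroup lookups are constructed tables standing in for DNS and NIS.

```python
"""Simulate Data ONTAP export-rule evaluation for one volume's export policy.

Added example, not Data ONTAP code.  It models the behaviour described in the
rule-creation step above: the -clientmatch formats, evaluation in -ruleindex
order (the first rule whose clientmatch fits the client decides), the
-rorule/-rwrule security types and the -anon handling of UID 0.  Host name,
domain and netgroup resolution come from constructed lookup tables, not DNS
or NIS.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed resolution data standing in for reverse DNS and NIS netgroups.
HOSTS = {"10.1.12.24": "host1.example.com", "10.1.12.99": "build7.lab.example.org"}
NETGROUPS = {"@trusted": {"10.1.12.24"}}


@dataclass(order=True)
class ExportRule:
    ruleindex: int                                  # lower index is evaluated first
    clientmatch: str = field(compare=False)
    rorule: tuple = field(compare=False, default=("any",))
    rwrule: tuple = field(compare=False, default=("any",))
    anon: int = field(compare=False, default=65534)


def client_matches(clientmatch: str, client_ip: str) -> bool:
    """Return True if client_ip satisfies one -clientmatch entry."""
    ip = ipaddress.IPv4Address(client_ip)
    host = HOSTS.get(client_ip, "")
    if clientmatch.startswith("@"):                 # @netgroup
        return client_ip in NETGROUPS.get(clientmatch, set())
    if clientmatch.startswith("."):                 # .domain suffix
        return host.endswith(clientmatch)
    if "/" in clientmatch:                          # a.b.c.d/bits or a.b.c.d/netmask
        try:
            return ip in ipaddress.IPv4Network(clientmatch, strict=False)
        except ValueError:
            return False
    try:                                            # bare IPv4 address
        return ip == ipaddress.IPv4Address(clientmatch)
    except ValueError:
        pass
    # Anything else, including a "10.1.12.10-10.1.12.70" range, is treated as
    # a host name, which is why such a range never matches by address.
    return clientmatch in (host, host.split(".")[0])


def sec_access(rule_types: tuple, sectype: str) -> str:
    """Evaluate one -rorule/-rwrule list for the client's security type.

    Returns 'allow', 'anon' (access only as the anonymous user, via the none
    type) or 'deny'.
    """
    if "never" in rule_types:
        return "deny"
    if "any" in rule_types or sectype in rule_types:
        return "allow"
    if "none" in rule_types:                        # any type not already listed
        return "anon"
    return "deny"


def evaluate(policy: list, client_ip: str, sectype: str, uid: int) -> dict:
    """Return {'read': bool, 'write': bool, 'uid': effective UID or None}.

    An empty policy, or a client matching no rule, is denied.
    """
    denied = {"read": False, "write": False, "uid": None}
    for rule in sorted(policy):                     # -ruleindex order
        if not client_matches(rule.clientmatch, client_ip):
            continue
        ro = sec_access(rule.rorule, sectype)
        if ro == "deny":                            # no read access means no access at all
            return denied
        rw = sec_access(rule.rwrule, sectype)
        eff_uid = uid
        if uid == 0:
            if rule.anon == 65535:                  # -anon 65535 disables UID 0 entirely
                return denied
            eff_uid = rule.anon                     # UID 0 is squashed to the anonymous user
        if ro == "anon":
            eff_uid = rule.anon                     # the none type grants anonymous access
        return {"read": True, "write": rw != "deny", "uid": eff_uid}
    return denied


# The rule from the example above: every client, read-only for any security
# type, Kerberos required for writes, UID 0 mapped to 65534.
PAGE_POLICY = [ExportRule(1, "0.0.0.0/0", ("any",), ("krb5",), 65534)]

if __name__ == "__main__":
    print(evaluate(PAGE_POLICY, "10.1.12.24", "sys", 1001))   # read only, as 1001
    print(evaluate(PAGE_POLICY, "10.1.12.24", "krb5", 0))     # read/write, as 65534
```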

Setting an export rule's index number

You can use the vserver export-policy rule setindex command to manually set an existing export rule's index number. This enables you to rearrange the order in which Data ONTAP processes export rules.

About this task

If the new index number is already in use, the command inserts the rule at the specified spot and reorders the list accordingly.

Step

1. To modify the index number of a specified export rule, enter the following command:


vserver export-policy rule setindex -vserver virtual_server_name -policyname policy_name -ruleindex integer -newruleindex integer

-vserver virtual_server_name specifies the Vserver name.

-policyname policy_name specifies the policy name.

-ruleindex integer specifies the current index number of the export rule.

-newruleindex integer specifies the new index number of the export rule.

Example

The following command changes the index number of an export rule at index number 3 to index number 2 in an export policy named rs1 on a Vserver named vs1.

vs1::> vserver export-policy rule setindex -vserver vs1 -policyname rs1 -ruleindex 3 -newruleindex 2

NFS and Kerberos

Kerberos can be used to provide authentication between Vservers and NFS clients.

Kerberos is a network authentication protocol developed at the Massachusetts Institute of Technology. Kerberos uses encryption keys to provide authentication for client/server applications. Authentication provides verification of a user's or process's identity to a server. In the Data ONTAP environment, Kerberos is used to provide authentication between Vservers and NFS and CIFS clients. For more information about Kerberos, see web.mit.edu/kerberos/www/.

Related information

web.mit.edu/kerberos/www/

NFS clients that support Kerberos v5 security services

Before using Kerberos v5 security services with an NFS client, you should make sure the NFS client supports RFC1964 and RFC2203.

The list of NFS clients that support Kerberos v5 security includes widely used NFS clients that have been tested either in the production laboratory or at interoperability test events, such as Connectathon (www.connectathon.org).

For more information, see the UNIX File Services (NFS) Compatibility Matrix on support.netapp.com/NOW/products/interoperability.


Creating a Kerberos realm configuration

If you want to use Kerberos authentication for client access, you must first configure the Vserver to use an existing Kerberos realm. You can use the vserver services kerberos-realm create command to configure a Vserver to use a Kerberos realm.

Before you begin

The Kerberos realm must already exist and be available to the Vserver.

The cluster administrator should have configured NTP on the storage system to avoid authentication issues. Time differences between a client and server (clock skew) are a common cause of authentication failures.

Step

1. Use the vserver services kerberos-realm create command to configure a Vserver to use a Kerberos realm.

Examples

The following command creates a Kerberos realm configuration that uses a Microsoft Active Directory server as the KDC server. The Kerberos configuration is named AUTH. The Kerberos realm is AUTH.EXAMPLE.COM. The Active Directory server is named ad-1 and its IP address is 10.10.8.14. The permitted clock skew is 300 seconds (the default). The IP address of the KDC server is 10.10.8.14, and its port number is 88 (the default). The encryption type is Data Encryption Standard (DES). The comment is "Microsoft Kerberos config".

vs1::> vserver services kerberos-realm create -configname AUTH -realm AUTH.EXAMPLE.COM -adserver-name ad-1 -adserver-ip 10.10.8.14 -clock-skew 300 -kdc-ip 10.10.8.14 -kdc-port 88 -kdc-vendor Microsoft -comment "Microsoft Kerberos config"

The following command creates a Kerberos realm configuration that uses a UNIX server as the KDC server. The Kerberos configuration is named SECURE. The Kerberos realm is SECURITY.EXAMPLE.COM. The permitted clock skew is 15 seconds and the Active Directory server and IP address are SUSAN and 10.10.3.1, respectively. The IP address of the KDC server is 10.10.9.1, and its port number is 88. The KDC vendor is Other to indicate a UNIX vendor. The IP address of the administrative server is 10.10.9.1, and its port number is 749 (the default). The IP address of the password server is 10.10.9.1, and its port number is 464 (the default). The encryption type is DES. The comment is "UNIX Kerberos config".

vs1::> vserver services kerberos-realm create -configname SECURE -realm SECURITY.EXAMPLE.COM -clock-skew 300 -adserver-name SUSAN -adserver-ip 10.10.3.1 -kdc-ip 10.10.9.1 -kdc-port 88 -kdc-vendor Other -adminserver-ip 10.10.9.1 -adminserver-port 749 -passwordserver-ip 10.10.9.1 -passwordserver-port 464 -comment "UNIX Kerberos config"

Creating an NFS Kerberos configuration

You can use the vserver nfs kerberos-config modify command to enable Kerberos and create a Kerberos configuration for a Vserver. This enables the Vserver to use Kerberos security services for NFS.

Step

1. Enter the following command:

vserver nfs kerberos-config modify -vserver vserver_name -lif logical_interface -kerberos {enable|disable} -spn service_principal_name -admin-username user_name -admin-password password -keytab-uri keytab_URI

See the man page for the command for more information.

Name mappings

Data ONTAP uses name mapping to map CIFS identities to UNIX identities, Kerberos identities to UNIX identities, and UNIX identities to CIFS identities. It needs this information to obtain user credentials and provide proper file access regardless of whether users are connecting from an NFS client or a CIFS client.

Name mapping is usually required because of the multiprotocol nature of Data ONTAP, which supports CIFS and NFS access to the same files, as well as NTFS and UNIX security styles on volumes.

There are two exceptions where you do not have to use name mapping:

• You configure a pure UNIX environment and do not plan to use CIFS access or NTFS security style on volumes.

• You configure the default user to be used instead.

Name mapping concepts

Data ONTAP goes through a number of steps when attempting to map user names. They include checking the local name mapping database and LDAP, trying the user name, and using the default user if configured.

When Data ONTAP has to obtain a UNIX name for a Windows user, it first checks the local name mapping database and/or LDAP for an existing mapping. If no mapping is found, it checks whether the lowercase Windows user name is a valid user name in the UNIX domain. If this does not work, it uses the default UNIX user provided it is configured. If the default UNIX user is not configured and it cannot obtain a mapping this way either, it returns an error.

When Data ONTAP has to obtain a Windows name for a UNIX user, it first checks the local name mapping database and/or LDAP for an existing mapping. If Data ONTAP does not find a mapping, it tries to find a Windows account that matches the UNIX name in the CIFS domain. If this does not work, it uses the default CIFS user, provided it is configured. If the default CIFS user is not configured and it cannot obtain a mapping this way either, it returns an error.

Note: You can modify the order of checking the local name mapping database or LDAP first by modifying the order of services defined by the -nm-switch for the Vserver.

Name mapping conversion rules

A Data ONTAP system keeps a set of conversion rules for each Vserver. Each rule consists of two pieces: a pattern and a replacement. Conversions start at the beginning of the appropriate list and perform a substitution based on the first matching rule. The pattern is a UNIX-style regular expression. The replacement is a string containing escape sequences representing subexpressions from the pattern, as in the UNIX sed program.

Regular expressions are case-insensitive when mapping from Windows to UNIX. However, they are case-sensitive for Kerberos-to-UNIX and UNIX-to-Windows mappings.

As an example, the following rule converts the CIFS user named jones in the domain named ENG into the UNIX user named jones.

Pattern Replacement

ENG\\jones jones

Note that the backslash is a special character in regular expressions and must be escaped with another backslash.

The caret (^), underscore (_), and ampersand (&) characters can be used as prefixes for digits in replacement patterns. These characters specify uppercase, lowercase, and initial-case transformations, respectively. For instance:

• If the initial pattern is (.+) and the replacement pattern is \1, then the string jOe is mapped to jOe (no change).

• If the initial pattern is (.+) and the replacement pattern is \_1, then the string jOe is mapped to joe.

• If the initial pattern is (.+) and the replacement pattern is \^1, then the string jOe is mapped to JOE.

• If the initial pattern is (.+) and the replacement pattern is \&1, then the string jOe is mapped to Joe.

If the character following a backslash-underscore (\_), backslash-caret (\^), or backslash-ampersand (\&) sequence is not a digit, then the character following the backslash is used verbatim.

The following example converts any Windows user in the CIFS domain named ENG into a UNIX user with the same name in NIS.

Pattern Replacement

ENG\\(.+) \1


The double backslash (\\) matches a single backslash. The parentheses denote a subexpression but do not match any characters themselves. The period matches any single character. The asterisk matches zero or more of the previous expression. In this example, you are matching ENG\ followed by one or more of any character. In the replacement, \1 refers to whatever the first subexpression matched. Assuming the CIFS user ENG\jones, the replacement evaluates to jones; that is, the portion of the name following ENG\.

Note: If you are using the CLI, you must delimit all regular expressions with double quotation marks ("). For instance, to enter the regular expression (.+) in the CLI, type "(.+)" at the command prompt. Quotation marks are not required in the Web UI.

For further information about regular expressions, see your UNIX system administration documentation, the online UNIX documentation for sed or regex, or Mastering Regular Expressions, published by O'Reilly and Associates.
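The conversion-rule semantics above (first matching rule in position order, sed-style \N substitution, the \^, \_ and \& case prefixes, and per-direction case sensitivity) as an added Python example; it is not Data ONTAP's own implementation, and it assumes a pattern must match the whole name, as the ENG\\jones example implies.

```python
r"""Apply Data ONTAP-style name-mapping conversion rules.

Added example, not Data ONTAP code.  It implements the semantics described
above: rules are tried in position order and the first matching pattern wins,
patterns are regular expressions, replacements use \N with the optional
\^ (uppercase), \_ (lowercase) and \& (initial-case) prefixes, and win-unix
matching is case-insensitive while krb-unix and unix-win are case-sensitive.
Assumption: a pattern must match the whole name, as the ENG\\jones example
implies.
"""
import re

CASE_TRANSFORMS = {
    "^": str.upper,          # \^1 on jOe -> JOE
    "_": str.lower,          # \_1 on jOe -> joe
    "&": str.capitalize,     # \&1 on jOe -> Joe
}


def expand_replacement(replacement: str, match) -> str:
    r"""Expand \N, \^N, \_N and \&N escapes against a regex match object.

    A backslash followed by anything else yields the next character
    verbatim, so the replacement "ENG\\John" produces ENG\John.
    """
    out, i = [], 0
    while i < len(replacement):
        ch = replacement[i]
        if ch != "\\" or i + 1 == len(replacement):
            out.append(ch)
            i += 1
            continue
        nxt = replacement[i + 1]
        if nxt.isdigit():                                   # \N
            out.append(match.group(int(nxt)) or "")
            i += 2
        elif (nxt in CASE_TRANSFORMS and i + 2 < len(replacement)
              and replacement[i + 2].isdigit()):           # \^N, \_N, \&N
            group = match.group(int(replacement[i + 2])) or ""
            out.append(CASE_TRANSFORMS[nxt](group))
            i += 3
        else:                                               # not a digit: verbatim
            out.append(nxt)
            i += 2
    return "".join(out)


def map_name(rules: dict, direction: str, name: str):
    """Map name through the ordered (pattern, replacement) list for direction.

    Returns the mapped name, or None when no rule matches; Data ONTAP would
    then continue with the other lookups described above (such as the
    default user).
    """
    flags = re.IGNORECASE if direction == "win-unix" else 0
    for pattern, replacement in rules.get(direction, []):
        m = re.fullmatch(pattern, name, flags)
        if m:
            return expand_replacement(replacement, m)
    return None


# Constructed rule set: the two win-unix rules from the text and the unix-win
# mapping from the name-mapping create example.
RULES = {
    "win-unix": [(r"ENG\\jones", "jones"), (r"ENG\\(.+)", r"\1")],
    "unix-win": [("johnd", r"ENG\\John")],
}

if __name__ == "__main__":
    print(map_name(RULES, "win-unix", r"eng\Smith"))   # Smith
    print(map_name(RULES, "unix-win", "johnd"))        # ENG\John
```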

Creating a name mapping

You can use the vserver name-mapping create command to create a name mapping. Data ONTAP supports up to 1024 name mappings for each direction.

Step

1. To create a name mapping, enter the following command:

vserver name-mapping create -vserver virtual_server_name -direction {krb-unix|win-unix|unix-win} -position integer -pattern text -replacement text

-vserver virtual_server_name specifies the Vserver name.

-direction {krb-unix|win-unix|unix-win} specifies the mapping direction.

-position integer specifies the desired position in the priority list of a new mapping.

-pattern text specifies the pattern to be matched, up to 256 characters in length.

-replacement text specifies the replacement pattern, up to 256 characters in length.

When Windows-to-UNIX mappings are created, any CIFS clients that have open connections to the Data ONTAP system at the time the new mappings are created must log out and log back in to see the new mappings.

Examples

The following command creates a name mapping on a Vserver named vs1. The mapping is a mapping from UNIX to Windows at position 1 in the priority list. The mapping maps the UNIX user johnd to the Windows user ENG\John.


vs1::> vserver name-mapping create -vserver vs1 -direction unix-win -position 1 -pattern johnd -replacement "ENG\\John"

The following command creates another name mapping on a Vserver named vs1. The mapping is a mapping from Windows to UNIX at position 1 in the priority list. The mapping maps every CIFS user in the domain ENG to users in the NIS domain associated with the Vserver.

vs1::> vserver name-mapping create -vserver vs1 -direction win-unix -position 1 -pattern "ENG\\(.+)" -replacement "\1"

Configuring the default user

You can configure a default user to use if all other mapping attempts fail for a user, or if you do not want to map individual users between UNIX and Windows. Alternatively, if you want authentication of non-mapped users to fail, you should not configure a default user.

About this task

For CIFS authentication, if you do not want to map each Windows user to an individual UNIX user, you can instead specify a default UNIX user.

For NFS authentication, if you do not want to map each UNIX user to an individual Windows user, you can instead specify a default Windows user.

Step

1. Perform one of the following actions:

If you want to... Enter the following command...

Configure the default UNIX user vserver cifs options modify -default-unix-user user_name

Configure the default Windows user vserver nfs modify -default-win-user user_name

Configuring local UNIX users and groups

You can use local UNIX users and groups for authentication and name mappings.


Creating a local UNIX user

You can use the vserver services unix-user create command to create local UNIX users. A local UNIX user is a UNIX user that you create on a Vserver as a UNIX name services option and that is used in the processing of name mappings.

Step

1. To create a local UNIX user, enter the following command:

vserver services unix-user create -vserver virtual_server_name -user user_name -id integer -primary-gid integer -full-name full_name

-vserver virtual_server_name specifies the Vserver name.

-user user_name specifies the user name.

-id integer specifies the user ID.

-primary-gid integer specifies the primary group ID.

-full-name full_name specifies the full name of the user.

Example

The following command creates a local UNIX user named bettyb on a Vserver named vs1. The user has the ID 123 and the primary group ID 100. The user's full name is "Elizabeth Boop".

node::> vserver services unix-user create -vserver vs1 -user bettyb -id 123 -primary-gid 100 -full-name "Elizabeth Boop"

Loading local UNIX users from a URI

You can use the vserver services unix-user load-from-uri command to load one or more local UNIX users into a Vserver from a uniform resource identifier (URI).

About this task

The URI must contain user information in the UNIX /etc/passwd format:

user_name: password: user_ID: group_ID: full_name

The command discards the value of the password field and of the fields after the full_name field (home_directory and shell).

Step

1. To load one or more local UNIX users into a Vserver from a URI, enter the following command:


vserver services unix-user load-from-uri -vserver virtual_server_name -uri {ftp|http}://uri -overwrite {true|false}

-vserver virtual_server_name specifies the Vserver name.

-uri {ftp|http}://uri specifies the URI to load from.

-overwrite {true|false} specifies whether to overwrite entries. The default is false.

Example

The following command loads user information from the URI ftp://ftp.example.com/passwd into a Vserver named vs1. Existing users on the Vserver are not overwritten by information from the URI.

node::> vserver services unix-user load-from-uri -vserver vs1 -uri ftp://ftp.example.com/passwd -overwrite false

Creating a local UNIX group

You can use the vserver services unix-group create command to create UNIX groups that are local to a Vserver. Local UNIX groups are used with local UNIX users.

Step

1. To create a local UNIX group, enter the following command:

vserver services unix-group create -vserver virtual_server_name -name group_name -id integer

-vserver virtual_server_name specifies the Vserver name.

-name group_name specifies the group name.

-id integer specifies the group ID.

Example

The following command creates a local group named eng on a Vserver named vs1. The group has the ID 101.


vs1::> vserver services unix-group create -vserver vs1 -name eng -id 101

Loading local UNIX groups from a URI

You can use the vserver services unix-group load-from-uri command to load one or more local UNIX groups into a Vserver from a uniform resource identifier (URI).

About this task

The URI must contain group information in the UNIX /etc/group format:

group_name: password: group_ID: comma_separated_list_of_users

The command discards the value of the password field.

Step

1. To load one or more local UNIX groups into a Vserver from a URI, enter the following command:

vserver services unix-group load-from-uri -vserver virtual_server_name -uri {ftp|http}://uri -overwrite {true|false}

-vserver virtual_server_name specifies the Vserver name.

-uri {ftp|http}://uri specifies the URI to load from.

-overwrite {true|false} specifies whether to overwrite entries. The default is false.

Example

The following command loads group information from the URI ftp://ftp.example.com/group into a Vserver named vs1. Existing groups on the Vserver are not overwritten by information from the URI.

vs1::> vserver services unix-group load-from-uri -vserver vs1 -uri ftp://ftp.example.com/group -overwrite false
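The two load-from-uri input formats described above (/etc/passwd for users, /etc/group for groups), parsed and merged with the -overwrite semantics, as an added example that is not Data ONTAP code. The sample entries are constructed, and the handling of malformed lines is an assumption, since the text does not describe it.

```python
"""Parse the /etc/passwd and /etc/group formats accepted by
vserver services unix-user|unix-group load-from-uri and merge the entries
into a Vserver's local tables with -overwrite semantics.

Added example, not Data ONTAP code.  As described above, the password field
is discarded, as are the home-directory and shell fields of passwd entries.
How Data ONTAP reports malformed lines is not documented here, so this parser
raises ValueError with the line number (an assumption).
"""


def parse_passwd(text: str) -> dict:
    """Return {user_name: {"id", "primary_gid", "full_name"}}."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"passwd line {lineno}: expected at least 5 fields, got {len(fields)}")
        # Fields 6 and 7 (home_directory, shell) are dropped along with the password.
        name, _password, uid, gid, full_name = fields[:5]
        users[name] = {"id": int(uid), "primary_gid": int(gid), "full_name": full_name}
    return users


def parse_group(text: str) -> dict:
    """Return {group_name: {"id", "users"}}; the password field is discarded."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(fields)}")
        name, _password, gid, members = fields[:4]
        groups[name] = {"id": int(gid), "users": [u for u in members.split(",") if u]}
    return groups


def merge(existing: dict, loaded: dict, overwrite: bool = False) -> dict:
    """Apply -overwrite: with false (the default) existing entries are kept;
    with true, entries from the URI replace same-named existing ones."""
    merged = dict(existing)
    for name, entry in loaded.items():
        if name in merged and not overwrite:
            continue
        merged[name] = entry
    return merged


# Constructed sample data in the two formats (not real directory content).
SAMPLE_PASSWD = """\
bettyb:x:123:100:Elizabeth Boop:/home/bettyb:/bin/sh
max:x:124:101:Max Example:/home/max:/bin/bash
"""
SAMPLE_GROUP = """\
eng:x:101:max,bettyb
qa:x:102:
"""

if __name__ == "__main__":
    print(parse_passwd(SAMPLE_PASSWD))
    print(parse_group(SAMPLE_GROUP))
```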

Adding a user to a local UNIX group

You can use the vserver services unix-group adduser command to add a user to a UNIX group that is local to a Vserver.

Step

1. To add a user to a local UNIX group, enter the following command:

vserver services unix-group adduser -vserver virtual_server_name -name group_name -username user_name

-vserver virtual_server_name specifies the Vserver name.


-name group_name specifies the name of the UNIX group to add the user to.

-username user_name specifies the user name of the user to add to the group.

Example

The following command adds a user named max to a local UNIX group named eng on a Vserver named vs1.

vs1::> vserver services unix-group adduser -vserver vs1 -name eng -username max

Loading netgroups into a Vserver

You can use the vserver services netgroup load-from-uri command to load netgroups into a Vserver from a uniform resource identifier (URI).

About this task

You should run this command only one time on any given cluster.

Step

1. To load netgroups into a Vserver from an FTP or HTTP URI, enter the following command:

vserver services netgroup load-from-uri -vserver virtual_server_name -uri {ftp|http}://uri

-vserver virtual_server_name specifies the Vserver name.

-uri {ftp|http}://uri specifies the URI to load from.

The netgroup definitions are automatically propagated to all of the nodes in the cluster.

Example

The following command loads netgroup definitions into a Vserver named vs1 from the HTTP URL http://intranet/downloads/corp-netgroup.


vs1::> vserver services netgroup load-from-uri -vserver vs1 -uri http://intranet/downloads/corp-netgroup

Creating a NIS domain configuration

If you specified NIS as a name service option during Vserver setup, you must create a NIS domain configuration for the Vserver. You can use the vserver services nis-domain create command to create a NIS domain configuration.

About this task

You can create multiple NIS domains. However, you can only use one that is set to active.

Step

1. Use the vserver services nis-domain create command to create a NIS domain configuration.

Example

The following command creates a NIS domain configuration for a NIS domain called nisdomain on Vserver vs1 with a NIS server at IP address 192.0.2.180 and makes it active.

vs1::> vserver services nis-domain create -vserver vs1 -domain nisdomain -active true -servers 192.0.2.180

Using LDAP services

Data ONTAP supports LDAP for user authentication, file access authorization, user lookup and mapping services between NFS and CIFS. If the Vserver is set up to use LDAP as a name service using the -ns-switch ldap option or for name mapping using the -nm-switch ldap option, you should create an LDAP configuration for it.

About this task

An LDAP server enables you to centrally maintain user information.

If you store your user database on an LDAP server, you can configure your Vserver to look up user information in the LDAP database. For example, on your LDAP server, you can store logins and passwords for administrative users of the console and the rsh, telnet, http, https, and ssh protocols, making it possible for you to centrally manage them.


Creating an LDAP client configuration

You can use the vserver services ldap client create command to create an LDAP client configuration. You must set up an LDAP client first to be able to use LDAP services.

Step

1. To create an LDAP client configuration, enter the following command:

vserver services ldap client create -client-config client_config_name {-servers LDAP_server_list | -ad-domain ad_domain -preferred-ad-servers preferred_ad_server_list -bind-as-cifs-server {true|false}} -schema schema -port port -query-timeout integer -min-bind-level {anonymous|simple|sasl} -bind-dn LDAP_DN -bind-password password -base-dn LDAP_DN -base-scope {base|onelevel|subtree}

-client-config client_config_name specifies the name of the new LDAP client configuration.

-servers LDAP_server_list specifies one or more LDAP servers by IP address in a comma-delimited list.

-ad-domain ad_domain specifies the AD domain.

-preferred-ad-servers preferred_ad_server_list specifies one or more preferred Active Directory servers by IP address in a comma-delimited list.

-bind-as-cifs-server {true|false} specifies whether to bind using the Vserver's CIFS credentials. The default is false.

-schema schema specifies the schema template to use. You can either use one of the two default schemas, AD-SFU or RFC-2307, or create your own schema by copying a default schema (they are both read-only) and modifying the copy.

-port port specifies the LDAP server port. The default is 389.

-query-timeout integer specifies the query timeout in seconds. The allowed range is 0-10 seconds. The default is 3 seconds.

-min-bind-level {anonymous|simple|sasl} specifies the minimum bind authentication level. The default is anonymous.

-bind-dn LDAP_DN specifies the Bind user. For Active Directory servers, specify the user in the account (DOMAIN\user) or principal ([email protected]) form. Otherwise, specify the user in distinguished name (CN=user,DC=domain,DC=com) form.

-bind-password password specifies the Bind password.

-base-dn LDAP_DN specifies the base DN. The default is "" (none).


-base-scope {base|onelevel|subtree} specifies the base search scope. The default is subtree.

Creating an LDAP configuration

To associate an LDAP client configuration with a Vserver, you must create an LDAP configuration and set its -client-config parameter to the name of the LDAP client. You can use the vserver services ldap create command to configure a Vserver to use an LDAP client.

Before you begin

An LDAP domain must already exist within the network and must be accessible to the Vserver's cluster.

An LDAP client configuration must exist on the Vserver.

Step

1. To create an LDAP configuration, enter the following command:

vserver services ldap create -vserver virtual_server_name -client-config client_config_name -client-enabled {true|false}

-vserver virtual_server_name specifies the Vserver name.

-client-config client_config_name specifies the client configuration name.

-client-enabled {true|false} specifies whether the LDAP client is enabled. The default is true.


Managing file access using NFS

After you have enabled NFS on a Vserver and configured it, there are a number of tasks you might want to perform to manage file access using NFS.

Use of hard mounts

When troubleshooting mounting problems, you need to be sure that you are using the correct mount type. NFS supports two mount types: soft mounts and hard mounts. You should use only hard mounts for reliability reasons.

You should not use soft mounts, especially when there is a possibility of frequent NFS timeouts. Race conditions can occur as a result of these timeouts, which can lead to data corruption.

Commands for managing NFS servers

There are specific Data ONTAP commands for managing NFS servers.

If you want to... Use this command...

Create an NFS server vserver nfs create

Display NFS servers vserver nfs show

Modify an NFS server vserver nfs modify

Delete an NFS server vserver nfs delete

See the man page for each command for more information.

Commands for managing name mappings

There are specific Data ONTAP commands for managing name mappings.

If you want to... Use this command...

Create a name mapping vserver name-mapping create

Insert a name mapping at a specific position vserver name-mapping insert

Display name mappings vserver name-mapping show

Exchange the position of two name mappings vserver name-mapping swap


Modify a name mapping vserver name-mapping modify

Delete a name mapping vserver name-mapping delete

See the man page for each command for more information.

Commands for managing local UNIX users

There are specific Data ONTAP commands for managing local UNIX users.

If you want to... Use this command...

Create a local UNIX user vserver services unix-user create

Display local UNIX users vserver services unix-user show

Modify a local UNIX user vserver services unix-user modify

Delete a local UNIX user vserver services unix-user delete

See the man page for each command for more information.

Commands for managing local UNIX groups

There are specific Data ONTAP commands for managing local UNIX groups.

If you want to... Use this command...

Add a user to a local UNIX group vserver services unix-group adduser

Create a local UNIX group vserver services unix-group create

Display local UNIX groups vserver services unix-group show

Modify a local UNIX group vserver services unix-group modify

Delete a user from a local UNIX group vserver services unix-group deluser

Delete a local UNIX group vserver services unix-group delete

See the man page for each command for more information.


Verifying the status of netgroup definitions

After loading netgroups into a Vserver, you can use the vserver services netgroup status command to verify the status of netgroup definitions. This enables you to determine whether netgroup definitions are consistent on all of the nodes that back a Vserver.

Step

1. To verify the status of netgroup definitions, enter the following command:

vserver services netgroup status

The command is available only at the advanced privilege level and higher. It displays the following information:

• Vserver name
• Node name
• Load time for netgroup definitions
• Hash value of the netgroup definitions

You can display additional information in a more detailed view. See the reference page for the command for details.

Example

The following command displays netgroup status for all Vservers.

vs1::> set -privilege advanced

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you wish to continue? (y or n): y

vs1::*> vserver services netgroup status
Virtual
Server    Node            Load Time           Hash Value
--------- --------------- ------------------- --------------------------------
vs1       node1           9/20/2006 16:04:53  e6cb38ec1396a280c0d2b77e3a84eda2
          node2           9/20/2006 16:06:26  e6cb38ec1396a280c0d2b77e3a84eda2
          node3           9/20/2006 16:08:08  e6cb38ec1396a280c0d2b77e3a84eda2
          node4           9/20/2006 16:11:33  e6cb38ec1396a280c0d2b77e3a84eda2
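The point of this command is that every node backing a Vserver should report the same hash; a node with a different value is serving different netgroup definitions, which silently changes who the export rules let in. The following is an added example (not NetApp code) that parses output in the layout shown above and flags any Vserver whose nodes disagree. The sample output is constructed and its hash values are made up.

```python
"""Consistency check for 'vserver services netgroup status' output.

Added example, not NetApp code. It parses the tabular output the guide shows
and flags any Vserver whose nodes report different netgroup hash values, which
is exactly the inconsistency the command exists to reveal.
"""
import re
from collections import defaultdict

# Constructed sample in the CLI's layout (hash values are made up). vs2's node3
# deliberately carries a different hash.
SAMPLE_OUTPUT = """\
Virtual
Server    Node            Load Time           Hash Value
--------- --------------- ------------------- --------------------------------
vs1       node1           9/20/2006 16:04:53  e6cb38ec1396a280c0d2b77e3a84eda2
          node2           9/20/2006 16:06:26  e6cb38ec1396a280c0d2b77e3a84eda2
vs2       node1           9/20/2006 16:12:00  0123456789abcdef0123456789abcdef
          node3           9/20/2006 16:13:41  fedcba9876543210fedcba9876543210
"""

# One data row: optional Vserver cell (blank on continuation rows), node name,
# load time, and a 32-hex-digit hash.
ROW = re.compile(
    r"^(?P<vserver>\S*)\s+(?P<node>\S+)\s+"
    r"(?P<load_time>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<hash>[0-9a-f]{32})\s*$"
)


def parse_status(text):
    """Return {vserver: {node: (load_time, hash)}}."""
    rows = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator and blank lines carry no data
        if m.group("vserver"):
            current = m.group("vserver")
        if current is None:
            raise ValueError("node row before any Vserver name: %r" % line)
        rows[current][m.group("node")] = (m.group("load_time"), m.group("hash"))
    return dict(rows)


def find_inconsistent(status):
    """Return {vserver: {hash: [nodes]}} for Vservers whose nodes disagree."""
    bad = {}
    for vserver, nodes in status.items():
        by_hash = defaultdict(list)
        for node, (_, digest) in sorted(nodes.items()):
            by_hash[digest].append(node)
        if len(by_hash) > 1:
            bad[vserver] = dict(by_hash)
    return bad


if __name__ == "__main__":
    for vserver, groups in find_inconsistent(parse_status(SAMPLE_OUTPUT)).items():
        print("netgroup definitions differ on", vserver)
        for digest, nodes in groups.items():
            print("  %s: %s" % (digest, ", ".join(nodes)))
```

Run against real output (for example, captured over SSH) the same parser applies; the regex deliberately rejects the header and separator rows rather than relying on skipping a fixed number of lines, so a changed banner does not break it.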

Commands for managing NIS domain configurations

There are specific Data ONTAP commands for managing NIS domain configurations.

If you want to... Use this command...

Create a NIS domain configuration vserver services nis-domain create

Display NIS domain configurations vserver services nis-domain show

Modify a NIS domain configuration vserver services nis-domain modify

Delete a NIS domain configuration vserver services nis-domain delete

See the man page for each command for more information.

Commands for managing LDAP client configurations

There are specific Data ONTAP commands for managing LDAP client configurations.

If you want to... Use this command...

Create an LDAP client configuration vserver services ldap client create

Display LDAP client configurations vserver services ldap client show

Modify an LDAP client configuration vserver services ldap client modify

Delete an LDAP client configuration vserver services ldap client delete

See the man page for each command for more information.

Commands for managing LDAP configurations

There are specific Data ONTAP commands for managing LDAP configurations.

If you want to... Use this command...

Create an LDAP configuration vserver services ldap create

Display LDAP configurations vserver services ldap show

Modify an LDAP configuration vserver services ldap modify


Delete an LDAP configuration vserver services ldap delete

See the man page for each command for more information.

Commands for managing LDAP client schema templates

There are specific Data ONTAP commands for managing LDAP client schema templates.

Note: The vserver services ldap client schema copy, modify, and delete commands are only available at the advanced privilege level and higher.

If you want to... Use this command...

Copy an existing LDAP schema template vserver services ldap client schema copy

Display LDAP schema templates vserver services ldap client schema show

Modify an LDAP schema template vserver services ldap client schema modify

Delete an LDAP schema template vserver services ldap client schema delete

See the man page for each command for more information.

How the access cache works

The Data ONTAP access cache reduces the likelihood of having to perform a reverse DNS lookup or parse netgroups when granting or denying an NFS client access to a volume. This results in performance improvements due to less time used for DNS lookups.

Whenever an NFS client attempts to access a volume, Data ONTAP must determine whether to grant or deny access. Except in the most simple cases (for example, when a volume is exported with just the ro or rw option), Data ONTAP grants or denies access according to a value in the access cache that corresponds to the following things:

• The volume
• The NFS client's IP address, access type, and security type

This value might not exist in the access cache entry if Data ONTAP has not made a previous access determination for this particular NFS client-volume combination. In this case, Data ONTAP grants or denies access according to the result of a comparison between the following things:

• The NFS client's IP address (or host name, if necessary), access type, and security type
• The volume export rules

Data ONTAP then stores the result of this comparison in the access cache for five minutes.
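The operational consequence of the five-minute retention is that a tightened export rule does not take effect for a client-volume combination that was recently decided. The following model is an added example, not NetApp code: it keys the cache exactly as described above (volume, client IP, access type, security type), keeps each decision for 300 seconds, and shows a rule change being masked until the entry expires. The export-rule evaluation (ordered rules, first client match wins) is an assumed simplification for illustration.

```python
"""Model of the Data ONTAP NFS access cache described above.

Added example, not NetApp code. The export-rule evaluation is a deliberate
simplification (ordered rules, first client match wins, assumed here); the
point is the cache key and the five-minute retention of a decision.
"""
import ipaddress
import time

CACHE_TTL_SECONDS = 300  # the guide: results are kept for five minutes


class ExportPolicy:
    """Ordered export rules: clientmatch (CIDR) plus the security types
    allowed for read-only and read-write access."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, client_ip, access_type, security_type):
        ip = ipaddress.ip_address(client_ip)
        for rule in self.rules:
            if ip in ipaddress.ip_network(rule["clientmatch"]):
                allowed = rule["rwrule"] if access_type == "rw" else rule["rorule"]
                return security_type in allowed
        return False  # no matching rule: deny


class AccessCache:
    def __init__(self, policies, clock=time.monotonic, ttl=CACHE_TTL_SECONDS):
        self._policies = policies  # volume -> ExportPolicy
        self._clock = clock
        self._ttl = ttl
        self._entries = {}  # (volume, ip, access, sec) -> (decision, stored_at)
        self.rule_evaluations = 0  # how often the rules had to be consulted

    def check(self, volume, client_ip, access_type, security_type):
        key = (volume, client_ip, access_type, security_type)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]  # cached decision, rules not consulted
        self.rule_evaluations += 1
        decision = self._policies[volume].evaluate(client_ip, access_type, security_type)
        self._entries[key] = (decision, now)
        return decision


class FakeClock:
    """Injectable clock so the expiry can be demonstrated without waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through: miss, hit, rule change masked by the cache, expiry."""
    clock = FakeClock()
    policy = ExportPolicy([
        {"clientmatch": "10.0.0.0/24", "rorule": {"sys", "krb5"}, "rwrule": {"krb5"}},
    ])
    cache = AccessCache({"vol1": policy}, clock=clock)
    first = cache.check("vol1", "10.0.0.5", "rw", "krb5")   # miss: evaluated, True
    second = cache.check("vol1", "10.0.0.5", "rw", "krb5")  # hit, no evaluation
    policy.rules.clear()                                    # admin removes the rule
    stale = cache.check("vol1", "10.0.0.5", "rw", "krb5")   # still True: cached
    clock.advance(CACHE_TTL_SECONDS)
    fresh = cache.check("vol1", "10.0.0.5", "rw", "krb5")   # re-evaluated: False
    return first, second, stale, fresh, cache.rule_evaluations
```

Note that the cache key includes the security type, so a client that was denied with sys can still be granted with krb5 without waiting for the earlier entry to expire; each combination is decided and cached on its own.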

Displaying information about NFS Kerberos configurations

You can use the vserver nfs kerberos-config show command to display information about NFS Kerberos configurations. This enables you to determine how NFS Kerberos is configured.

Step

1. To display information about NFS Kerberos configurations, enter the following command:

vserver nfs kerberos-config show

The command displays the following information:

• Virtual server name
• Logical interface name
• Logical interface IP address
• Whether Kerberos is enabled or disabled
• Kerberos SPN
• Numeric ID of the configuration

You can display additional information in a more detailed view. See the reference page for the command for details.

Example

The following command displays detailed information about an NFS Kerberos configuration:

vs1::> vserver nfs kerberos-config show -vserver vs1 -lif datalif1

           Virtual Server: vs1
        Logical Interface: datalif1
               Ip Address: 172.19.4.1
         Kerberos Enabled: Disabled
   Service Principal Name: nfs/[email protected]

Modifying an NFS Kerberos configuration

You can use the vserver nfs kerberos-config modify command to modify a Kerberos configuration for NFS. This enables you to enable or disable the NFS-enabled Vserver to use Kerberos authentication.

Step

1. Use the vserver nfs kerberos-config modify command to modify an NFS Kerberos configuration.

Examples

The following command enables an NFS Kerberos configuration on a Vserver named vs1 and a logical interface named datalif1. The SPN is nfs/[email protected] and the keytab file to be loaded is at the URL ftp://ftp.example.com/keytab.

vs1::> vserver nfs kerberos-config modify -vserver vs1 -lif datalif1 -kerberos enable -spn nfs/[email protected] -admin-username admin -keytab-uri ftp://ftp.example.com/keytab

Data ONTAP then prompts the user for the password for the admin-user. The admin-user should have permission on the KDC to add the principal to the principal's database.

The following command disables the NFS Kerberos configuration that was created in the previous example.

vs1::> vserver nfs kerberos-config modify -vserver vs1 -lif datalif1 -kerberos disable

Commands for managing Kerberos realm configurations

There are specific Data ONTAP commands for managing Kerberos realm configurations.

If you want to... Use this command...

Create a Kerberos realm configuration vserver services kerberos-realm create

Display Kerberos realm configurations vserver services kerberos-realm show

Modify Kerberos realm configurations vserver services kerberos-realm modify

Delete a Kerberos realm configuration vserver services kerberos-realm delete

See the man page for each command for more information.

Commands for managing export policies

There are specific Data ONTAP commands for managing export policies.

If you want to... Use this command...

Display information about export policies vserver export-policy show

Rename an export policy vserver export-policy rename

Copy an export policy vserver export-policy copy

Delete an export policy vserver export-policy delete

See the man page for each command for more information.

Commands for managing export rules

There are specific Data ONTAP commands for managing export rules.

If you want to... Use this command...

Create an export rule vserver export-policy rule create

Display information about export rules vserver export-policy rule show

Modify an export rule vserver export-policy rule modify

Delete an export rule vserver export-policy rule delete

See the man page for each command for more information.

Locks

You can display information about a Vserver's current locks as a first step to determining why a client cannot access a volume or file.

About file locking between protocols

File locking is a method used by client applications to prevent a user from accessing a file previously opened by another user. How Data ONTAP locks files depends on the protocol of the client.

If the client is an NFS client, locks are advisory; if the client is a CIFS client, locks are mandatory.

Because of differences between the NFS and CIFS file locks, some attempts by an NFS client to access a file opened by a CIFS application fail.

The following occurs when an NFS client attempts to access a file locked by a CIFS application:

• In mixed or NTFS volumes, file manipulation operations, such as rm, rmdir, and mv, can cause the NFS application to fail.

• NFS read and write operations are denied by CIFS deny-read and deny-write open modes, respectively.

• NFS write operations fail when the written range of the file is locked with an exclusive CIFS bytelock.

About read-only bits

The read-only bit is a binary digit, which holds a value of 0 or 1, that is set on a file-by-file basis to reflect whether a file is writable (disabled) or read-only (enabled).

CIFS clients that use MS-DOS and Windows can set a per-file read-only bit. NFS clients do not set a per-file read-only bit, because NFS clients do not have any protocol operations that use a per-file read-only bit.

Data ONTAP can set a read-only bit on a file when a CIFS client that uses MS-DOS or Windows creates that file. Data ONTAP can also set a read-only bit when a file is shared between NFS clients and CIFS clients. Some software, when used by NFS clients and CIFS clients, requires the read-only bit to be enabled.

For Data ONTAP to keep the appropriate read and write permissions on a file shared between NFS clients and CIFS clients, it treats the read-only bit according to the following rules:

• NFS treats any file with the read-only bit enabled as if it has no write permission bits enabled.
• If an NFS client disables all write permission bits and at least one of those bits had previously been enabled, Data ONTAP enables the read-only bit for that file.
• If an NFS client enables any write permission bit, Data ONTAP disables the read-only bit for that file.
• If the read-only bit for a file is enabled and an NFS client attempts to discover permissions for the file, the permission bits for the file are not sent to the NFS client; instead, Data ONTAP sends the permission bits to the NFS client with the write permission bits masked.
• If the read-only bit for a file is enabled and a CIFS client disables the read-only bit, Data ONTAP enables the owner's write permission bit for the file.
• Files with the read-only bit enabled are writable only by root.

Note: Changes to file permissions take effect immediately on CIFS clients, but might not take effect immediately on NFS clients if the NFS client enables attribute caching.
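The rules above interact in ways that are easy to get wrong when diagnosing "permission denied" on a file shared between Windows and UNIX users: a chmod that removes the last write bit quietly sets the read-only bit, and an NFS stat then shows 0444 even though the stored mode still carries write bits. The following is an added example, not NetApp code, that models those rules on one file; group membership is ignored (owner and "other" only), which is an assumed simplification.

```python
"""Model of the read-only-bit rules listed above.

Added example, not NetApp code. It tracks a file's UNIX mode bits together
with the CIFS read-only bit and applies the guide's rules for NFS chmod,
NFS permission discovery, and a CIFS client clearing the bit. Group
membership is ignored (owner and "other" only), an assumed simplification.
"""
import stat

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH  # 0o222


class SharedFile:
    def __init__(self, mode, owner_uid, read_only=False):
        self.mode = mode & 0o777
        self.owner_uid = owner_uid
        self.read_only = read_only

    def nfs_chmod(self, new_mode):
        """An NFS client changes the mode bits."""
        new_mode &= 0o777
        had_write = bool(self.mode & WRITE_BITS)
        wants_write = bool(new_mode & WRITE_BITS)
        self.mode = new_mode
        if wants_write:
            # Rule: enabling any write bit disables the read-only bit.
            self.read_only = False
        elif had_write:
            # Rule: disabling all write bits, when at least one was enabled,
            # enables the read-only bit.
            self.read_only = True

    def nfs_visible_mode(self):
        """What an NFS client sees when it discovers permissions."""
        # Rule: with the read-only bit enabled, the write bits are masked.
        return self.mode & ~WRITE_BITS if self.read_only else self.mode

    def cifs_set_read_only(self, enabled):
        """A CIFS client sets or clears the per-file read-only bit."""
        if self.read_only and not enabled:
            # Rule: clearing the bit from CIFS enables the owner's write bit.
            self.mode |= stat.S_IWUSR
        self.read_only = enabled

    def nfs_can_write(self, uid):
        """Would an NFS write by uid be permitted?"""
        if self.read_only:
            return uid == 0  # Rule: read-only files are writable only by root
        if uid == 0:
            return True
        if uid == self.owner_uid:
            return bool(self.mode & stat.S_IWUSR)
        return bool(self.mode & stat.S_IWOTH)
```

The case worth noticing is the second rule's precondition: a file that was already 0444 and is chmod'ed to 0444 again does not acquire the read-only bit, because no write bit was previously enabled.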

Displaying information about locks

You can use the vserver locks show command to display the current file locks. If a file lock held by a client is impeding access by other clients, displaying the current locks is the first step in resolving the issue.

Step

1. To display information about locks, enter the following command:

vserver locks show

The command displays the following information:

• Vserver name
• Volume name
• Path of the locked object
• Logical interface name
• Protocol by which the lock was established
• Type of lock
• Client

Note: The client IP address cannot be displayed for locks established through NFSv4 or NFSv4.1.

By default, the command displays information about all locks. You can use command parameters to display information about locks for a specific Vserver or to filter the command's output by other criteria. See the man page for the command for more information.

Breaking locks

You can use the vserver locks break command to break locks. This enables you to correct issues where a file lock prevents client access to files.

About this task

Examples of scenarios in which you might need to break locks include debugging applications or resolving networking problems.

Step

1. To break locks, enter the following command:

vserver locks break -vserver virtual_server_name -volume volume_name -path path -lif lif

-vserver virtual_server_name specifies the Vserver name.


-volume volume_name specifies the volume name.

-path path specifies the path.

-lif lif specifies the logical interface.

See the man page for the command for more information.

The command is available only at the advanced privilege level and higher.

Enabling or disabling NFSv2

You can enable or disable NFSv2 by modifying the -v2 option. This allows file access for clients using the NFSv2 protocol. By default, NFSv2 is disabled.

Before you begin

This option is only available at the advanced privilege level or higher.

Step

1. Perform one of the following actions:

If you want to... Then...

Enable NFSv2 Enter the following command:

vserver nfs modify -vserver vserver_name -v2 enabled

Disable NFSv2 Enter the following command:

vserver nfs modify -vserver vserver_name -v2 disabled

Enabling or disabling NFSv3

You can enable or disable NFSv3 by modifying the -v3 option. This allows file access for clients using the NFSv3 protocol. By default, NFSv3 is enabled.

Step

1. Perform one of the following actions:

If you want to... Enter the following command...

Enable NFSv3 vserver nfs modify -vserver vserver_name -v3 enabled

Disable NFSv3 vserver nfs modify -vserver vserver_name -v3 disabled

Enabling or disabling NFSv4

You can enable or disable NFSv4 by modifying the -v4.0 option. This allows file access for clients using the NFSv4 protocol. By default, NFSv4 is disabled.

Step

1. Perform one of the following actions:

If you want to... Enter the following command...

Enable NFSv4 vserver nfs modify -vserver vserver_name -v4.0 enabled

Disable NFSv4 vserver nfs modify -vserver vserver_name -v4.0 disabled

Enabling or disabling NFSv4.1

You can enable or disable NFSv4.1 by modifying the -v4.1 option. This allows file access for clients using the NFSv4.1 protocol. By default, NFSv4.1 is disabled.

Before you begin

NFSv4 must be enabled.

Step

1. Perform one of the following actions:

If you want to... Enter the following command...

Enable NFSv4.1 vserver nfs modify -vserver vserver_name -v4.1 enabled

Disable NFSv4.1 vserver nfs modify -vserver vserver_name -v4.1 disabled

Enabling or disabling parallel NFS

To enable or disable parallel NFS (pNFS), you can modify the -v4.1-pnfs option. By default, pNFS is enabled.

Before you begin

NFSv4.0 and NFSv4.1 support is required to be able to use pNFS.


Step

1. Perform one of the following actions:

If you want to... Enter the command...

Enable pNFS vserver nfs modify -vserver vserver_name -v4.1-pnfs enabled

Disable pNFS vserver nfs modify -vserver vserver_name -v4.1-pnfs disabled

Specifying the user ID domain for NFSv4

To specify the user ID domain, you can set the -v4-id-domain option.

About this task

The domain that Data ONTAP uses for NFSv4 user ID mapping by default is the NIS domain, if one is set. If an NIS domain is not set, the DNS domain is used. You might need to set the user ID domain if, for example, you have multiple user ID domains.

Step

1. Enter the following command:

vserver nfs modify -vserver vserver_name -v4-id-domain NIS_domain_name

Modifying the NFSv4.1 server implementation ID

You can modify the server implementation ID default values. Changing the default values can be useful, for example, when gathering usage statistics or troubleshooting interoperability issues. For more information, see RFC 5661.

Before you begin

These options are only available at the advanced privilege level or higher.

About this task

The NFSv4.1 protocol includes a server implementation ID that documents the server domain, name, and date. By default, the server domain is netapp.com, the name is the Data ONTAP build string, and the date is the build date.

Step

1. Perform one of the following actions:

If you want to modify the implementation ID... Enter this command...

Domain vserver nfs modify -v4.1-implementation-domain domain

Name vserver nfs modify -v4.1-implementation-name name

Date vserver nfs modify -v4.1-implementation-date date

Managing NFSv4 ACLs

You can enable, disable, set, modify, and view NFSv4 access control lists (ACLs).

Benefits of enabling NFSv4 ACLs

There are many benefits to enabling NFSv4 ACLs.

The benefits of enabling NFSv4 ACLs include the following:

• Finer-grained control of user access for files and directories
• Better NFS security
• Improved interoperability with CIFS
• Removal of the NFS limitation of 16 groups per user

Compatibility between NFSv4 ACLs and Windows (NTFS) ACLs

NFSv4 ACLs are different from Windows file-level ACLs (NTFS ACLs), but Data ONTAP can map NFSv4 ACLs to Windows ACLs for viewing on Windows platforms.

Permissions displayed to NFS clients for files that have Windows ACLs are "display" permissions, and the permissions used for checking file access are those of the Windows ACL.

Note: Data ONTAP does not support POSIX ACLs.

How NFSv4 ACLs work

A client using NFSv4 ACLs can set and view ACLs on files and directories on the system. When a new file or subdirectory is created in a directory that has an ACL, the new file or subdirectory inherits all ACL Entries (ACEs) in the ACL that have been tagged with the appropriate inheritance flags.

For access checking, CIFS users are mapped to UNIX users. The mapped UNIX user and that user's group membership are checked against the ACL.

If a file or directory has an ACL, that ACL is used to control access no matter what protocol (NFSv2, NFSv3, NFSv4, or CIFS) is used to access the file or directory, and is used even if NFSv4 is no longer enabled on the system.

Files and directories inherit ACEs from NFSv4 ACLs on parent directories (possibly with appropriate modifications) as long as the ACEs have been tagged with the appropriate inheritance flags.

Note: The maximum number of ACEs is 400.

When a file or directory is created as the result of an NFSv4 request, the ACL on the resulting file or directory depends on whether the file creation request includes an ACL or only standard UNIX file access permissions, and whether the parent directory has an ACL:

• If the request includes an ACL, that ACL is used.

• If the request includes only standard UNIX file access permissions, but the parent directory has an ACL, the ACEs in the parent directory's ACL are inherited by the new file or directory as long as the ACEs have been tagged with the appropriate inheritance flags.

Note: A parent ACL is inherited even if -v4.0-acl is set to off.

• If the request includes only standard UNIX file access permissions, and the parent directory does not have an ACL, the client file mode is used to set standard UNIX file access permissions.

• If the request includes only standard UNIX file access permissions, and the parent directory has a non-inheritable ACL, a default ACL based on the mode bits passed into the request is set on the new object.
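The four creation rules above decide which ACL a new object actually carries, and in practice the surprising case is the second one: inheritance happens even when -v4.0-acl is off, so an inheritable DENY ACE placed on a directory years ago still lands on every new file. The following is an added example, not NetApp code, that encodes the rules together with the 400-ACE limit. The inheritance-flag handling is a simplified reading of RFC 3530 and is an assumption: child directories keep the inherit flags, child files receive effective ACEs with no inherit flags, INHERIT_ONLY is cleared on the child, and NO_PROPAGATE stops further inheritance.

```python
"""Which NFSv4 ACL a newly created file or directory receives.

Added example, not NetApp code. It encodes the four creation rules listed
above plus the 400-ACE limit. Inheritance-flag handling is a simplified
reading of RFC 3530 (assumed here): child directories keep the inherit
flags, child files get effective ACEs with no inherit flags, INHERIT_ONLY
is cleared on the child and NO_PROPAGATE stops further inheritance.
"""
from dataclasses import dataclass

MAX_ACES = 400  # the guide's stated maximum


# Inheritance flags, abbreviated: f FILE_INHERIT, d DIRECTORY_INHERIT,
# i INHERIT_ONLY, n NO_PROPAGATE_INHERIT.
@dataclass(frozen=True)
class ACE:
    who: str          # OWNER@, GROUP@, EVERYONE@, user:name, group:name
    access: str       # "ALLOW" or "DENY"
    mask: str         # rwx-style summary of the access mask
    flags: frozenset = frozenset()


def inheritable_aces(parent_acl, new_is_dir):
    """ACEs a new child takes from its parent's ACL (rule 2)."""
    out = []
    for ace in parent_acl:
        if new_is_dir and "d" in ace.flags:
            flags = set(ace.flags) - {"i"}      # now effective on the child
            if "n" in flags:
                flags -= {"f", "d", "n"}        # inherited, but propagates no further
            out.append(ACE(ace.who, ace.access, ace.mask, frozenset(flags)))
        elif not new_is_dir and "f" in ace.flags:
            out.append(ACE(ace.who, ace.access, ace.mask, frozenset()))
    return out


def _rwx(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def mode_to_default_acl(mode):
    """Default ACL derived from the request's mode bits (rule 4)."""
    return [
        ACE("OWNER@", "ALLOW", _rwx(mode >> 6 & 7)),
        ACE("GROUP@", "ALLOW", _rwx(mode >> 3 & 7)),
        ACE("EVERYONE@", "ALLOW", _rwx(mode & 7)),
    ]


def acl_on_create(request_acl, request_mode, parent_acl, new_is_dir):
    """Return the new object's ACL, or None when only mode bits apply."""
    if request_acl is not None:
        acl = list(request_acl)                         # rule 1: request carries an ACL
    elif parent_acl is None:
        return None                                     # rule 3: mode bits only, no ACL
    else:
        acl = inheritable_aces(parent_acl, new_is_dir)  # rule 2: inherit tagged ACEs
        if not acl:
            acl = mode_to_default_acl(request_mode)     # rule 4: non-inheritable parent ACL
    if len(acl) > MAX_ACES:
        raise ValueError("ACL exceeds %d ACEs" % MAX_ACES)
    return acl
```

Because ACLs are order-sensitive, the inherited list preserves the parent's ACE order; a DENY that precedes an ALLOW in the parent keeps that position on the child.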

The security semantics of a volume are determined by its security style and its ACL (NFSv4 or NTFS):

For a volume with UNIX security style:

• NFSv4 ACLs and mode bits are effective.
• NTFS ACLs are not effective.
• Windows clients cannot set attributes.

For a volume with NTFS security style:

• NFSv4 ACLs are not effective.
• NTFS ACLs and mode bits are effective.
• UNIX clients cannot set attributes.

For a volume with mixed security style:

• NFSv4 ACLs and mode bits are effective.
• NTFS ACLs are effective.
• Both Windows and UNIX clients can set attributes.

Note: Files and directories in a volume can have either an NFSv4 ACL or an NTFS ACL, but not both. Data ONTAP remaps one type to the other, as necessary.

Enabling or disabling modification of NFSv4 ACLs

The default behavior of NFSv4 is to drop the ACL of a file or directory in response to a chmod command. Data ONTAP offers the option -v4-acl-preserve to retain the existing NFSv4 ACL and modify it to reflect the mode bit change.

About this task

This option is enabled by default when NFSv4.1 is enabled. You can disable this option to return the default behavior. This option is available only at the advanced privilege level and higher.

Step

1. Perform one of the following actions:

If you want to... Enter the following command...

Enable retention and modification of existing NFSv4 ACLs (default) vserver nfs modify -vserver vserver_name -v4-acl-preserve enabled

Disable retention, drop NFSv4 ACLs when changing mode bits vserver nfs modify -vserver vserver_name -v4-acl-preserve disabled

How Data ONTAP uses NFSv4 ACLs to determine whether it can delete a file

To determine whether it can delete a file, Data ONTAP uses a combination of the file's DELETE bit, and the containing directory's DELETE_CHILD bit. For more information, see the NFS 4.1 RFC 5661.

Enabling or disabling NFSv4 ACLs

To enable or disable NFSv4 ACLs, you can modify the -v4.0-acl option. This option is disabled by default.

About this task

The -v4.0-acl option controls the setting and viewing of NFSv4 ACLs; it does not control enforcement of these ACLs for access checking. For more information, see the na_options(1) man page.

Step

1. Perform one of the following actions:


If you want to... Then...

Enable NFSv4 ACLs Enter the following command:

vserver nfs modify -vserver vserver_name -v4.0-acl enabled

Disable NFSv4 ACLs Enter the following command:

vserver nfs modify -vserver vserver_name -v4.0-acl disabled

Managing NFSv4 file delegations

You can enable and disable NFSv4 file delegations and retrieve NFSv4 file delegation statistics.

How NFSv4 file delegations work

Data ONTAP supports read and write file delegations in accordance with RFC 3530.

As specified in RFC 3530, when an NFSv4 client opens a file, Data ONTAP can delegate further handling of opening and writing requests to the opening client. There are two types of file delegations: read and write. A read file delegation allows a client to handle requests to open a file for reading that do not deny read access to others. A write file delegation allows the client to handle all open requests.

Delegation works on files within any style of qtree, whether or not opportunistic locks (oplocks) have been enabled.

Delegation of file operations to a client can be recalled when the lease expires, or when the storage system receives the following requests from another client:

• Write to file, open file for writing, or open file for "deny read"
• Change file attributes
• Rename file
• Delete file

When a lease expires, the delegation state is revoked and all of the associated states are marked "soft." This means that if the storage system receives a conflicting lock request for this same file from another client before the lease has been renewed by the client previously holding the delegation, the conflicting lock is granted. If there is no conflicting lock and the client holding the delegation renews the lease, the soft locks are changed to hard locks and are not removed in the case of a conflicting access. However, the delegation is not granted again upon a lease renewal.

When the server reboots, the delegation state is lost. Clients can reclaim the delegation state upon reconnection instead of going through the entire delegation request process again. When a client holding a read delegation reboots, all delegation state information is flushed from the storage system cache upon reconnection. The client must issue a delegation request to establish a new delegation.
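The soft/hard transition above is what decides who wins when a delegation holder goes quiet and another client shows up. The following is an added example, not NetApp code: a small state machine for one file and one delegation holder that applies the paragraph's rules (lease expiry revokes the delegation and softens the locks; a conflicting request while soft is granted; a timely renewal hardens the locks but never restores the delegation). Times are plain seconds and the lease length is a parameter.

```python
"""State machine for a delegation under lease expiry, as described above.

Added example, not NetApp code. One file, one delegation holder: when the
lease expires the delegation is revoked and the holder's locks turn "soft";
a conflicting request while soft wins, a timely renewal hardens the locks
but does not restore the delegation. Times are plain seconds.
"""


class DelegatedFile:
    def __init__(self, holder, granted_at, lease_seconds):
        self.holder = holder
        self.lease_seconds = lease_seconds
        self.lease_expires = granted_at + lease_seconds
        self.delegation = True     # holder currently owns the delegation
        self.locks = "hard"        # "hard", "soft" or None (lost)

    def _expire_if_due(self, now):
        if self.delegation and now >= self.lease_expires:
            self.delegation = False   # delegation state revoked
            self.locks = "soft"       # associated state marked soft

    def renew(self, now):
        """The holder renews its lease, explicitly or via any operation.

        Returns whether the holder still owns the delegation afterwards."""
        self._expire_if_due(now)
        self.lease_expires = now + self.lease_seconds
        if self.locks == "soft":
            self.locks = "hard"       # renewed before any conflict: locks kept
        return self.delegation        # False once expired: not granted again

    def conflicting_request(self, now):
        """Another client writes, renames, deletes or changes attributes.

        Returns what the server does with that request."""
        self._expire_if_due(now)
        if self.delegation:
            return "recall"           # server recalls the delegation first
        if self.locks == "soft":
            self.locks = None         # soft locks give way to the newcomer
            return "granted"
        if self.locks == "hard":
            return "denied"           # hard locks survive conflicting access
        return "granted"              # nothing left to conflict with
```

What the model leaves out is the general lease rule that expired, never-renewed state is eventually released; that is the subject of the file and record locking section further on, so this block only covers the delegation-specific soft/hard behaviour.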

Enabling or disabling NFSv4 read file delegations

To enable or disable NFSv4 read file delegations, you can modify the -v4.0-read-delegation option. By default, this option is disabled. By enabling read file delegations, you can eliminate much of the message overhead associated with the opening and closing of files.

About this task

The disadvantage of enabling read file delegations is that the server and its clients must recover delegations after the server reboots or restarts, a client reboots or restarts, or a network partition occurs.

Step

1. Perform one of the following actions:

If you want to... Then...

Enable read file delegations Enter the following command:

vserver nfs modify -vserver vserver_name -v4.0-read-delegation enabled

Disable read file delegations Enter the following command:

vserver nfs modify -vserver vserver_name -v4.0-read-delegation disabled

Result

The file delegation options take effect as soon as they are changed. There is no need to reboot or restart NFS.

Enabling or disabling NFSv4 write file delegations

To enable or disable write file delegations, you can modify the -v4.0-write-delegation option. By default, this option is disabled. By enabling write file delegations, you can eliminate much of the message overhead associated with file and record locking in addition to opening and closing of files.

About this task

The disadvantage of enabling write file delegations is that the server and its clients must perform additional tasks to recover delegations after the server reboots or restarts, a client reboots or restarts, or a network partition occurs.

Step

1. Perform one of the following actions:


If you want to... Then...

Enable write file delegations Enter the following command:

vserver nfs modify -vserver vserver_name -v4.0-write-delegation enabled

Disable write file delegations Enter the following command:

vserver nfs modify -vserver vserver_name -v4.0-write-delegation disabled

Result

The file delegation options take effect as soon as they are changed. There is no need to reboot or restart NFS.

Configuring NFSv4 file and record locking

You can configure NFSv4 file and record locking by specifying the locking lease period and grace period.

About NFSv4 file and record locking

For NFSv4 clients, Data ONTAP supports the NFSv4 file-locking mechanism, maintaining the state of all file locks under a lease-based model.

In accordance with RFC 3530, Data ONTAP "defines a single lease period for all state held by an NFS client. If the client does not renew its lease within the defined period, all state associated with the client's lease may be released by the server." The client can renew its lease explicitly or implicitly by performing an operation, such as reading a file.

Furthermore, Data ONTAP defines a grace period, which is a period of special processing in which clients attempt to reclaim their locking state during a server recovery.

Term Definition (see RFC 3530)

Lease The time period in which Data ONTAP irrevocably grants a lock to a client.

Grace period The time period in which clients attempt to reclaim their locking state from Data ONTAP during server recovery.

Lock Refers to both record (byte-range) locks as well as file (share) locks unless specifically stated otherwise.

Data ONTAP maintains a maximum of 512K file-locking states for each node in the cluster. Data ONTAP does not maintain a maximum for each single client.

Specifying the NFSv4 locking lease period

To specify the NFSv4 locking lease period (that is, the time period in which Data ONTAP irrevocably grants a lock to a client), you can modify the -v4-lease-seconds option.

About this task

By default, this option is set to 30. The minimum value for this option is 10. The maximum value for this option is the locking grace period, which you can set with the -v4-grace-seconds option.

As specified in RFC 3530, "short leases are good for fast server recovery," whereas "longer leases are kinder and gentler to large internet servers handling very large numbers of clients."

The option is available only at the advanced privilege level and higher.

Step

1. Enter the following command:

vserver nfs modify -vserver vserver_name -v4-lease-seconds number_of_seconds

Specifying the NFSv4 locking grace period

To specify the NFSv4 locking grace period (that is, the time period in which clients attempt to reclaim their locking state from Data ONTAP during server recovery), you can modify the -v4-grace-seconds option.

About this task

By default, this option is set to 45.

The option is available only at the advanced privilege level and higher.

Step

1. Enter the following command:

vserver nfs modify -vserver vserver_name -v4-grace-seconds number_of_seconds

How NFSv4 referrals work

When you enable NFSv4 referrals, Data ONTAP provides intra-vserver referrals to NFSv4 clients. Intra-vserver referral is when a cluster node receiving the NFSv4 request refers the NFSv4 client to another LIF on the Vserver.

The NFSv4 client should access the path that got the referral at the target LIF from that point onwards. The original cluster node gives such a referral when it determines that there exists a LIF in the Vserver that is resident on the cluster node on which the data volume resides, thereby allowing the clients faster access to the data and avoiding extra cluster communication.

Support for NFSv4 referrals is not uniformly available in all NFSv4 clients. In an environment where not all clients support this feature, you should not enable referrals. If the feature is enabled and a client that does not support it gets a referral from the server, the client is unable to access the volume and experiences failures.

See RFC 3530 for more details on referrals.

Enabling or disabling NFSv4 referrals

You can enable NFSv4 referrals by enabling the options -v4-fsid-change and -v4.0-referrals or -v4.1-referrals.

Before you begin

The option to enable referrals is only available at the advanced privilege level.

You must enable FSID change when enabling referrals.

Steps

1. Enter the following command to enable showing FSID change:

vserver nfs modify -vserver vserver_name -v4-fsid-change enabled

2. Perform one of the following actions:

If you want to...            Enter the command...

Enable NFSv4 referrals       vserver nfs modify -vserver vserver_name -v4.0-referrals enabled

Disable NFSv4 referrals      vserver nfs modify -vserver vserver_name -v4.0-referrals disabled

Enable NFSv4.1 referrals     vserver nfs modify -vserver vserver_name -v4.1-referrals enabled

Disable NFSv4.1 referrals    vserver nfs modify -vserver vserver_name -v4.1-referrals disabled

Displaying NFS statistics

You can display NFS statistics for the storage system to monitor performance and diagnose issues.

Step

1. Perform one of the following actions:

If you want to display...    Then...

NFSv3 statistics             Enter the following command: statistics nfs show-v3

NFSv4 statistics             Enter the following command: statistics nfs show-v4

Support for VMware vStorage over NFS

Data ONTAP supports certain VMware vStorage APIs for Array Integration (VAAI) features in an NFS environment.

The following features are supported:

Copy offload        Enables an ESXi host to copy virtual machines or virtual machine disks directly between the source and destination data store location without involving the host. This conserves ESXi host CPU cycles and network bandwidth.

Space reservation   Guarantees storage space for a virtual machine disk file (VMDK) by reserving space for it.

Note the following limitations when using VMware vStorage over NFS:

• Migrating a LIF is not supported when the LIF is used for VMware vStorage.

Enabling or disabling vStorage support

You can enable or disable VMware vStorage over NFS support by using the vserver nfs modify command. By default, vStorage support over NFS is disabled.

Step

1. Perform one of the following actions:

If you want to...           Enter the following command...

Enable vStorage support     vserver nfs modify -vserver vserver_name -vstorage enabled

Disable vStorage support    vserver nfs modify -vserver vserver_name -vstorage disabled

Displaying information about vStorage

You can display vStorage support status for a Vserver by using the vserver nfs show command.

Step

1. To display vStorage support status for a Vserver, enter the following command:

vserver nfs show -vserver vserver_name -instance

Enabling or disabling rquota support

Data ONTAP supports the remote quota protocol version 1 (rquota v1). The rquota protocol enables NFS clients to obtain quota information for users and groups from a remote machine. You can enable rquota per Vserver by using the vserver nfs modify command.

About this task

By default, rquota is disabled.

Step

1. Perform one of the following actions:

If you want to...                     Enter the following command...

Enable rquota support for a Vserver   vserver nfs modify -vserver vserver_name -rquota enable

Disable rquota support for a Vserver  vserver nfs modify -vserver vserver_name -rquota disable

For more information about quotas, see the Data ONTAP Cluster-Mode Logical Storage Management Guide.

File access using CIFS

You can enable and configure a CIFS server to let CIFS clients access files on your storage system.

CIFS concepts

CIFS clients can access files on a Vserver using the CIFS protocol, provided Data ONTAP can properly authenticate the user.

When a CIFS client connects to a Vserver, Data ONTAP authenticates the user with a Windows domain controller. Data ONTAP uses two methods to obtain the domain controllers to use for authentication:

• It queries DNS servers in the domain that the Vserver is configured to use for domain controller information.

• It queries a list of preferred domain controllers you can optionally specify.

Next, Data ONTAP must obtain UNIX credentials for the user. It does this by using mapping rules on the Vserver or an LDAP server, or by using a default UNIX user instead. You can specify for a Vserver which mapping services are searched in which order, or specify a default UNIX user.

Data ONTAP then checks different name services for UNIX credentials for the user, depending on the name services configuration of a Vserver. The options are local UNIX accounts, NIS domains, and LDAP domains. You must configure at least one of them so Data ONTAP can successfully authorize the user. You can specify multiple name services and the order in which they are searched.

Supported CIFS clients and domain controllers

Before you can use CIFS with your Vserver, you need to know which CIFS clients and domain controllers Data ONTAP supports.

For the latest information on which CIFS clients and domain controllers Data ONTAP supports, see the CIFS (Windows File Services) Compatibility Matrix and the NetApp Interoperability Matrix Tool on support.netapp.com/NOW/products/interoperability.

Unsupported Windows features

Before you use CIFS in your network, you need to be aware of certain Windows features that Data ONTAP does not support.

Data ONTAP does not support the following Windows features:

• Encrypted File System (EFS)
• Logging of NT File System (NTFS) events in the change journal
• Microsoft File Replication Service (FRS)
• Microsoft Windows Indexing Service
• Remote storage through Hierarchical Storage Management (HSM)
• Local users and groups
• Quota management from Windows clients
• Windows quota semantics
• The LMHOSTS file
• NT File System (NTFS) native compression

Setting up file access using CIFS

You must complete a number of steps to allow clients access to files on a Vserver using CIFS.

Creating a CIFS server

A CIFS server is necessary to provide CIFS clients with access to a Vserver. You can use the vserver cifs create command to create a CIFS server.

Before you begin

You need to be sure that the cluster administrator has created a Vserver, installed a CIFS license, and created the necessary interfaces. The cluster administrator might also want to configure an NTP server for the Vserver. See the Data ONTAP Cluster-Mode Vserver Administrator Capabilities Overview Guide for more information.

Step

1. Use the vserver cifs create command to create a CIFS server.

Example

The following command creates a CIFS server CIFSSERVER1 on Vserver vs1 and joins the CIFS server to the cifs.lab.example.com domain.

vs1::> vserver cifs create -vserver vs1 -name CIFSSERVER1 -domain cifs.lab.example.com

Share naming conventions

Share naming conventions for Data ONTAP are the same as for Windows.

For example, share names ending with the $ character are hidden shares, and certain share names, such as ADMIN$ and IPC$, are reserved.

Share names are not case-sensitive.

CIFS home directory concepts

The Data ONTAP CIFS home directory feature enables you to configure a share that maps to different directories based on the user that connects to it and a set of variables. Instead of having to create separate shares for each user, you can configure a single share with a few home directory parameters to define a user's relationship between an entry point (the share) and their home directory (a directory on the Vserver).

There are four variables that determine how a user is mapped to a directory:

Share name    This is the name of the share that you create that the user connects to. It can be static (for example: home), dynamic (for example: %w), or a combination of the two. You must set the homedirectory property for this share.

The share name can use the following dynamic names:

• %w (the user's Windows user name)
• %d (the user's Windows domain name)

Share path    This is the relative path, defined by the share and therefore associated with one of the share names, that is appended to each search path to generate the user's entire home directory path from the root of the Vserver. It can be static (for example: home), dynamic (for example: %w), or a combination of the two.

Search path   This is the absolute path from the root of a Vserver that you specify to tell Data ONTAP where to search for home directories. You specify one or more search paths by using the vserver cifs home-directory search-path add command. If you specify multiple search paths, Data ONTAP tries them in the order specified until it finds a valid path.

Directory     This is the user's actual home directory that you create for the user. It is usually the user's name. You must create it in one of the directories defined by the search paths.

As an example, consider the following setup:

• User: John Smith
• User domain: acme
• User name: jsmith
• Vserver name: vs1
• Home directory share name #1: home - share path: %w
• Home directory share name #2: %w - share path: %d/%w
• Search path #1: /vol/aggr0home/home
• Search path #2: /vol/aggr1home/home
• Search path #3: /vol/aggr2home/home
• Home directory: /vol/aggr1home/home/jsmith

Scenario 1: The user connects to \\vs1\home. This matches the first home directory share name and generates the relative path jsmith. Data ONTAP now searches for a directory named jsmith by checking each search path in order:

• /vol/aggr0home/home/jsmith does not exist; moving on to search path #2.
• /vol/aggr1home/home/jsmith does exist, therefore search path #3 is not checked; the user is now connected to his home directory.

Scenario 2: The user connects to \\vs1\jsmith. This matches the second home directory share name and generates the relative path acme/jsmith. Data ONTAP now searches for a directory named acme/jsmith by checking each search path in order:

• /vol/aggr0home/home/acme/jsmith does not exist; moving on to search path #2.
• /vol/aggr1home/home/acme/jsmith does not exist; moving on to search path #3.
• /vol/aggr2home/home/acme/jsmith does not exist; the home directory does not exist, therefore the connection fails.
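The two scenarios above, worked through in code as an added example (not NetApp code): the share name and share path are expanded with %w and %d and the search paths are tried in order. The set of existing directories is constructed to stand in for the Vserver's namespace.

```python
"""CIFS home directory resolution, modelled on the lookup described above.

Added example, not NetApp code: it expands the %w and %d variables in the
share name and share path, then walks the configured search paths in order.
The set of existing directories is constructed and stands in for the
Vserver's namespace.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class HomeDirShare:
    """One share carrying the homedirectory property."""
    share_name: str  # static ("home"), dynamic ("%w") or a mix
    share_path: str  # relative path appended to each search path


def expand(template: str, user: str, domain: str) -> str:
    """Substitute the two dynamic variables the feature supports."""
    return template.replace("%w", user).replace("%d", domain)


def resolve_home_directory(
    requested_share: str,
    user: str,
    domain: str,
    shares: List[HomeDirShare],
    search_paths: List[str],
    existing_dirs: FrozenSet[str],
) -> Optional[str]:
    """Return the absolute home directory path, or None if the connection fails.

    Share names are compared case-insensitively (share names are not
    case-sensitive); directory paths are compared exactly.
    """
    # Step 1: find the share whose expanded name matches the share requested.
    relative_path = None
    for share in shares:
        if expand(share.share_name, user, domain).lower() == requested_share.lower():
            relative_path = expand(share.share_path, user, domain)
            break
    if relative_path is None:
        return None  # no home directory share with that name

    # Step 2: try each search path in the configured order; the first hit wins
    # and the remaining search paths are not checked.
    for base in search_paths:
        candidate = f"{base.rstrip('/')}/{relative_path}"
        if candidate in existing_dirs:
            return candidate
    return None  # directory absent from every search path: the connection fails


# Constructed setup mirroring the scenario in the text.
SHARES = [
    HomeDirShare(share_name="home", share_path="%w"),
    HomeDirShare(share_name="%w", share_path="%d/%w"),
]
SEARCH_PATHS = [
    "/vol/aggr0home/home",
    "/vol/aggr1home/home",
    "/vol/aggr2home/home",
]
EXISTING_DIRS = frozenset({"/vol/aggr1home/home/jsmith"})


def scenario(share: str) -> Optional[str]:
    """Resolve user jsmith in domain acme connecting to share <share> on vs1."""
    return resolve_home_directory(share, "jsmith", "acme", SHARES, SEARCH_PATHS, EXISTING_DIRS)


if __name__ == "__main__":
    print("\\\\vs1\\home   ->", scenario("home"))    # /vol/aggr1home/home/jsmith
    print("\\\\vs1\\jsmith ->", scenario("jsmith"))  # None: acme/jsmith not found
```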

Adding a home directory search path

If you want to use the CIFS home directory feature, you must add at least one home directory search path. You can add a home directory search path by using the vserver cifs home-directory search-path add command.

Step

1. Use the vserver cifs home-directory search-path add command to add a home directory search path.

The following example adds the path /home1 to the CIFS home directory configuration on Vserver vs1.

vs1::> vserver cifs home-directory search-path add -vserver vs1 -path /home1

Considerations when creating a share

There are certain guidelines you should take into consideration when creating CIFS shares.

A CIFS share is a named access point in a volume that enables CIFS clients to view, browse, and manipulate files on a file server. The name of each share must be unique for the Vserver.

Note: You must not use spaces or Unicode characters in CIFS share names. You can use alphanumeric characters and the following special characters: ".", "!", "@", "#", "$", "%", "&", "(", ")", ",", "_", "'", "{", "}", "~", and "-".

The maximum length of a share name is 256 characters.

A share is tied to the CIFS configuration of its Vserver and is deleted if either the Vserver or the CIFS configuration with which it is associated is removed from the system.

When you create a share, you must provide all of the following information:

• The complete path in a volume to the CIFS share, beginning with the junction path of the volume
• The name of the share entered by users when they connect to the share

Note: You can select from a list of access rights, or enter specific access rights for each user or a group of users.

When you create a share, you can optionally specify a description for the share. The share description appears in the Comment field when you browse the shares on the network.

If you create the share from the Data ONTAP command line, you can also specify the following share properties:

• Support for widelinks in the share
• The umask value for the share
• Whether the share is a home directory share
• Whether the share supports opportunistic locks
• Whether the share is browsable
• Whether the share shows Snapshot copies
• Whether the share supports change notification
• Whether metadata caching is enabled for the share

Note: You can change these properties at any time after you create a share.

When you create a CIFS share, Data ONTAP creates a default ACL for the share with full control permissions. To manage CIFS share access control lists, use the vserver cifs share access-control command family.

Creating a CIFS share

You must first create a CIFS share before you can share data on a Vserver with CIFS clients. You can use the vserver cifs share create command to create a CIFS share.

Step

1. To create a CIFS share on a Vserver, enter the following command:

vserver cifs share create -vserver virtual_server_name -share-name share_name -path path -share-properties share_property,... -symlink-properties share_symlink_property,... -file-umask octal_integer -dir-umask octal_integer -comment text -attribute-cache-ttl

-vserver virtual_server_name specifies the CIFS-enabled Vserver on which to create the share.

-share-name share_name specifies the name of the new CIFS share.

-path path specifies the directory path to the CIFS share. This path must exist. A directory path name can be up to 255 characters long. If there is a space in the path name, the entire string must be quoted (for example, "/new volume/mount here").

-share-properties share_property specifies an optional list of properties for the share. The list can include one or more of the following:

• homedirectory
  The Data ONTAP CIFS home directory feature allows you to configure a share that maps to different directories based on the user that connects to it and a set of variables. Instead of having to create separate shares for each user, you can configure a single share with a few home directory parameters to define a user's relationship between an entry point (the share) and their home directory (a directory on the Vserver).

• oplocks
  This specifies that the share uses opportunistic locks, also known as client-side caching. Opportunistic locks are enabled on shares by default; however, some applications do not work well when opportunistic locks are enabled. In particular, database applications such as Microsoft Access are vulnerable to corruption when opportunistic locks are enabled. An advantage of shares is that a single path can be shared multiple times, with each share having different properties. For instance, if a path named /dept/finance contains both a database and other types of files, you can create two shares to it, one with opportunistic locks disabled for safe database access and one with opportunistic locks enabled for client-side caching.

• browsable
  This specifies that the share can be browsed by Windows clients. This is the default initial property for all shares.

• showsnapshot
  This specifies that Snapshot copies can be viewed and traversed by clients.

• changenotify
  This specifies that the share supports ChangeNotify requests.

• attributecache
  This property enables file attribute caching on the CIFS share in order to provide faster access to attributes.

-symlink-properties share_symlink_property specifies how UNIX symbolic links (symlinks) are presented to CIFS clients. Possible values include enabled for read-write access, read_only for read-only access, and hide to prevent CIFS clients from seeing symlinks.

-file-umask octal_integer specifies the default UNIX umask for new files created on the share. If not specified, the umask defaults to 022.

-dir-umask octal_integer specifies the default UNIX umask for new directories created on the share. If not specified, the umask defaults to 000.

Note: Accessing an existing directory or file through multiple CIFS shares that have different values for the file umask and directory umask parameters returns consistent permissions and access rights. For instance, assume you have a share named share1 that has a file umask of 000 and a share named share2 that has a file umask of 022, and that these shares overlap (that is, can access the same directories). If you create a file named \\server\share1\abc, the umask for that file is 000. If you create a file named \\server\share2\123, the umask for that file is 022.

-comment text specifies a text description of the share. The description can be up to 255 characters long. If there is a space in the description, the entire string must be quoted (for example, "This is engineering's share.").

-attribute-cache-ttl specifies the lifetime for the attribute cache share property, which you specify as the value of the -share-properties parameter.

Example

The following command creates a CIFS share named SHARE1 on a Vserver named vs1. Its directory path is /u/eng. Opportunistic locks and browsability are specified on the share, and the UNIX umask is explicitly set as 022 on files and 000 on directories.

vs1::> vserver cifs share create -vserver vs1 -share-name SHARE1 -path /u/eng -share-properties browsable,oplocks -file-umask 022 -dir-umask 000

About share-level ACLs

When a CIFS user tries to access a share, Data ONTAP always checks the share-level ACL to determine whether access should be granted, regardless of the security style of the qtree containing the share.

A share-level ACL (access control list) consists of a list of access control entries (ACEs). Each ACE contains a user or group name and a set of permissions that determines user or group access to the share.

A share-level ACL only restricts access to files in the share; it never grants more access than the file-level ACLs.

Creating a CIFS share access control list

You can use the vserver cifs share access-control create command to create an access control list for a CIFS share. This enables you to control the level of access to a share for users and groups.

Step

1. Use the vserver cifs share access-control create command to create an access control list for a CIFS share.

The following command gives Change permissions to the group salesteam for the share sales on a Vserver named vs1.

vs1::> vserver cifs share access-control create -vserver vs1 -share sales -user-or-group salesteam -permission Change

Adding preferred domain controllers

Data ONTAP automatically discovers domain controllers through DNS. Optionally, you can use the vserver cifs domain preferred-dc add command to add one or more domain controllers to the list of preferred domain controllers for a specific domain.

Step

1. To add to the list of preferred domain controllers, enter the following command:

vserver cifs domain preferred-dc add -vserver virtual_server_name -domain domain_name -preferred-dc IP_address,...

-vserver virtual_server_name specifies the Vserver name.

-domain domain_name specifies the fully qualified Active Directory name of the CIFS domain.

-preferred-dc IP_address,... specifies one or more IP addresses of the preferred domain controllers, as a comma-delimited list, in order of preference.

Example

The following command adds domain controllers 172.17.102.25 and 172.17.102.24 to the list of preferred domain controllers that the CIFS server on Vserver vs1 uses to manage external access to the cifs.lab.example.com domain.

vs1::> vserver cifs domain preferred-dc add -vserver vs1 -domain cifs.lab.example.com -preferred-dc 172.17.102.25,172.17.102.24

About Kerberos authentication

With Kerberos authentication, upon connection to your storage system, the client negotiates the highest possible security level. However, if the client is unable to use Kerberos authentication, Microsoft NTLM or NTLM V2 is used to authenticate with the CIFS server.

Export policies

You can use export policies to restrict access to volumes to specific clients.

Export policy and rule concepts

Export policies enable you to restrict access to volumes to clients that match specific IP addresses and specific authentication types. Clients cannot access data on a Vserver until you create an export policy and export rules.

Each volume is associated with exactly one export policy. Each export policy is identified by a unique name and a unique numeric ID. A Data ONTAP cluster can contain up to 1,024 export policies. Each Vserver has at least one export policy called default, which contains no rules. This export policy cannot be deleted, although it can be renamed or modified. Each volume on a Vserver by default is associated with the default export policy.

Export policies consist of individual export rules. An export policy can contain a large number of rules (approximately 4,000). Each rule specifies access permissions to volumes for one or more clients. The clients can be specified by hostname, IP address, or netgroup.

Rules are processed in the order in which they appear in the export policy. The rule order is dictated by the rule index number. You can reorder export rules in a policy by modifying the rule index number.

The rule also specifies the authentication types that are required for both read-only and read-write operations. To have any access to a volume, matching clients must authenticate with the authentication type specified by the read-only rule. To have write access to the volume, matching clients must authenticate with the authentication type specified by the read-write rule. If a client makes an access request that is not permitted by the applicable export policy, the request fails with a permission-denied message. If a client IP address does not match any rule in the volume's export policy, then access is denied. If an export policy is empty, then all accesses are implicitly denied.

Export rules can use host entries from a netgroup.

You can modify an export policy dynamically on a running Data ONTAP system.

Creating an export policy

Before creating export rules, you must create an export policy to hold them. You can use the vserver export-policy create command to create an export policy.

Step

1. To create an export policy, enter the following command:

vserver export-policy create -vserver virtual_server_name -policyname policy_name

-vserver virtual_server_name specifies the Vserver name.

-policyname policy_name specifies the name of the new export policy.

Example

The following command creates an export policy named rs1 on a Vserver named vs1.

vs1::> vserver export-policy create -vserver vs1 -policyname rs1

After you finish

After you create the policy, add rules to it by using the vserver export-policy rule create command.

Adding a rule to an export policy

You can use the vserver export-policy rule create command to create an export rule for an export policy. This enables you to define client access to data.

Before you begin

Before you create export rules, you must have created an export policy to add the export rules to.

Step

1. To create an export rule, enter the following command:

vserver export-policy rule create -vserver virtual_server_name -policyname policy_name -ruleindex integer -protocol {any|nfs2|nfs3|nfs|cifs|nfs4|flexcache},... -clientmatch text -rorule {any|none|never|krb5|ntlm|sys},... -rwrule {any|none|never|krb5|ntlm|sys},... -anon user_ID -superuser {any|none|never|krb5|ntlm|sys},... -allow-suid {true|false} -allow-dev {true|false}

-vserver virtual_server_name specifies the Vserver name.

-policyname policy_name specifies the name of the existing export policy to add the rule to.

-ruleindex integer specifies the index number for the rule. Rules are evaluated according to their order in the list of index numbers; rules with lower index numbers are evaluated first. For example, the rule with index number 1 is evaluated before the rule with index number 2.

-protocol {any|nfs2|nfs3|nfs|cifs|nfs4|flexcache} specifies the access protocol. You can specify a comma-separated list of multiple access protocols for an export rule. If you specify the protocol as any, do not specify any other protocols in the list. If you do not specify an access protocol, the default value of any is used.

-clientmatch text specifies the client to which the rule applies. You can specify the match in any of the following formats:

• As a host name; for instance, host1
• As an IPv4 address; for instance, 10.1.12.24
• As an IPv4 address with a subnet mask expressed as a number of bits; for instance, 10.1.12.10/4
• As an IPv4 address with a network mask; for instance, 10.1.16.0/255.255.255.0
• As a netgroup, with the netgroup name preceded by the @ character; for instance, @netgroup
• As a domain name preceded by the "." character; for instance, .example.com

Note: Entering an IP address range, such as 10.1.12.10-10.1.12.70, is not allowed. Entries in this format are interpreted as a text string and treated as a host name.

-rorule {any|none|never|krb5|ntlm|sys} specifies one or more security types for read-only access.

-rwrule {any|none|never|krb5|ntlm|sys} specifies one or more security types for read-write access.

You can specify a comma-separated list of multiple security types for a rule. If you specify the security type as any or never, do not specify any other security types. Choose from the following valid security types:

• any
  A matching client can access the volume regardless of security type.

• none
  A matching client can access the volume as an anonymous user if it uses any security type not already listed. For instance, a read-only rule that specifies the security types ntlm and none provides read-only access to clients that use NTLM and anonymous read-only access to clients that use other security types.

  Note: If a read-write rule is specified only as none, then only unauthenticated clients can write to the volume. If you want to make the volume writable by any user, specify a security type of any.

• never
  A matching client cannot access the volume regardless of security type.

• krb5
  A matching client can access the volume if it is authenticated by Kerberos 5.

• ntlm
  A matching client can access the volume if it is authenticated by CIFS NTLM.

• sys
  A matching client can access the volume if it is authenticated by NFS AUTH_SYS.

-anon user_ID specifies a UNIX user ID or user name that is mapped to client requests that arrive with a user ID of 0 (zero), which is typically associated with the user name root. The default value is 65534, which is typically associated with the user name nobody. The following notes apply to the use of this parameter:

• To disable access by any client with a user ID of 0, you must specify a value of 65535.

• To provide a client with a user ID of 0 with access to files and directories owned by the user ID 0, but no special access to files and directories not owned by the user ID 0, specify the anonymous user as 0 (zero) and superuser access as never.

• If you specify a value of 0 for the anonymous user, you must also specify a value for superuser access. Conversely, do not specify a value for superuser access unless you specify a value of 0 for the anonymous user.

-superuser {any|none|never|krb5|ntlm|sys} specifies the security type or types for superuser access if you have specified a value of 0 for the anonymous user.

-allow-suid {true|false} specifies whether to allow access to set user ID (suid) and set group ID (sgid). The default is true.

-allow-dev {true|false} specifies whether to allow creation of devices. The default is true.

Example

The following command creates an export rule on a Vserver named vs1 in an export policy named rs1. The rule has the index number 1. The rule matches all clients. The rule enables all NFS access. It enables read-only access by all clients and requires Kerberos authentication for read-write access. Clients with the UNIX user ID 0 (zero) are mapped to user ID 65534 (which typically maps to the user name nobody). The rule enables suid and sgid access but does not enable the creation of devices.

vs1::> vserver export-policy rule create -vserver vs1 -policyname rs1 -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule krb5 -anon 65534 -allow-suid true -allow-dev false
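The rule evaluation described in the export policy concepts and in the -clientmatch, -rorule, -rwrule and -anon parameters above, as an added example (not NetApp code). The reverse DNS and netgroup tables, the second rule in the constructed policy and its index values are assumptions; superuser and suid/dev handling are file-level concerns and are left out.

```python
"""Export-policy rule evaluation, modelled on the behaviour described above.

Added example, not NetApp code. It reproduces the documented semantics:
rules are tried in -ruleindex order and the first -clientmatch hit decides,
-rorule and -rwrule security types gate read and write access, -anon remaps
UID 0 (65535 denies it), and an empty policy or an unmatched client is
denied. The DNS and netgroup lookups are constructed tables.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for reverse DNS and netgroup membership.
REVERSE_DNS: Dict[str, str] = {"10.1.12.24": "host1.example.com"}
NETGROUPS: Dict[str, Set[str]] = {"trusted": {"10.1.12.24", "10.1.12.25"}}


@dataclass(frozen=True)
class ExportRule:
    ruleindex: int
    clientmatch: str
    rorule: Tuple[str, ...] = ("any",)
    rwrule: Tuple[str, ...] = ("any",)
    anon: int = 65534  # UID substituted for requests arriving as UID 0


def client_matches(spec: str, client_ip: str) -> bool:
    """Apply one -clientmatch value in each of the documented formats."""
    addr = ipaddress.ip_address(client_ip)
    fqdn = REVERSE_DNS.get(client_ip, "")
    if spec.startswith("@"):                       # @netgroup
        return client_ip in NETGROUPS.get(spec[1:], set())
    if spec.startswith("."):                       # .example.com domain suffix
        return fqdn.endswith(spec)
    if "/" in spec:                                # a.b.c.d/bits or a.b.c.d/mask
        return addr in ipaddress.ip_network(spec, strict=False)
    try:
        return addr == ipaddress.ip_address(spec)  # single IPv4 address
    except ValueError:
        # Anything else, including a "10.1.12.10-10.1.12.70" style range, is
        # treated as a host name, so a range never matches an address.
        return fqdn != "" and spec in (fqdn, fqdn.split(".")[0])


def _decide(sectypes: Tuple[str, ...], client_sec: str) -> Optional[str]:
    """Return 'auth' (access as the client's identity), 'anon', or None (denied)."""
    if not sectypes or "never" in sectypes:
        return None
    if "any" in sectypes or client_sec in sectypes:
        return "auth"
    if "none" in sectypes:
        return "anon"  # an unlisted security type falls through to anonymous
    return None


def evaluate(policy: List[ExportRule], client_ip: str, client_sec: str,
             uid: int, write: bool = False) -> Tuple[str, Optional[int]]:
    """Return (access, effective_uid); access is 'deny', 'ro' or 'rw'."""
    if not policy:
        return ("deny", None)  # empty policy: everything implicitly denied
    for rule in sorted(policy, key=lambda r: r.ruleindex):
        if not client_matches(rule.clientmatch, client_ip):
            continue  # only the first matching rule is consulted
        ro = _decide(rule.rorule, client_sec)
        if ro is None:
            return ("deny", None)  # the read-only rule gates all access
        rw = _decide(rule.rwrule, client_sec) if write else None
        if write and rw is None:
            return ("deny", None)
        if uid == 0 and rule.anon == 65535:
            return ("deny", None)  # -anon 65535 disables UID 0 entirely
        anonymous = uid == 0 or ro == "anon" or rw == "anon"
        return ("rw" if write else "ro", rule.anon if anonymous else uid)
    return ("deny", None)  # no rule matched the client address


# Constructed policy: a "never" rule for one host placed ahead of the rule
# from the example above, which matches every client.
RS1: List[ExportRule] = [
    ExportRule(ruleindex=1, clientmatch="10.1.12.99", rorule=("never",), rwrule=("never",)),
    ExportRule(ruleindex=2, clientmatch="0.0.0.0/0", rorule=("any",), rwrule=("krb5",), anon=65534),
]

if __name__ == "__main__":
    print(evaluate(RS1, "10.1.12.24", "sys", 1000))              # ('ro', 1000)
    print(evaluate(RS1, "10.1.12.24", "sys", 1000, write=True))  # ('deny', None)
    print(evaluate(RS1, "10.1.12.24", "krb5", 0, write=True))    # ('rw', 65534)
    print(evaluate(RS1, "10.1.12.99", "krb5", 1000))             # ('deny', None)
```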

Setting an export rule's index number

You can use the vserver export-policy rule setindex command to manually set an existing export rule's index number. This enables you to rearrange the order in which Data ONTAP processes export rules.

About this task

If the new index number is already in use, the command inserts the rule at the specified spot and reorders the list accordingly.

Step

1. To modify the index number of a specified export rule, enter the following command:

vserver export-policy rule setindex -vserver virtual_server_name -policyname policy_name -ruleindex integer -newruleindex integer

-vserver virtual_server_name specifies the Vserver name.

-policyname policy_name specifies the policy name.

-ruleindex integer specifies the current index number of the export rule.

-newruleindex integer specifies the new index number of the export rule.

Example

The following command changes the index number of an export rule at index number 3 to index number 2 in an export policy named rs1 on a Vserver named vs1.

vs1::> vserver export-policy rule setindex -vserver vs1 -policyname rs1 -ruleindex 3 -newruleindex 2
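As an added example (not Data ONTAP code), the following Python model shows why the index order that setindex rearranges matters: the first rule whose -clientmatch covers the client decides access, so moving a rule changes the outcome. Python's ipaddress module stands in for ONTAP's client matching; the renumbering after a move and checking rorule before rwrule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Data ONTAP code: a model of how the index order of export
# rules decides access, and of what `vserver export-policy rule setindex`
# changes. The fields mirror the rule create example above. "First matching
# clientmatch rule decides", "rw requires ro" and the renumbering after a move
# are assumptions about the model, not statements from the page.


@dataclass
class ExportRule:
    index: int
    clientmatch: str         # CIDR, as in -clientmatch 0.0.0.0/0
    rorule: str              # -rorule: any, never or a flavor such as sys, krb5
    rwrule: str              # -rwrule: same values
    anon: int = 65534        # -anon: UID that client UID 0 is mapped to
    allow_suid: bool = True  # -allow-suid
    allow_dev: bool = True   # -allow-dev


def _flavor_ok(rule_value, auth):
    """'any' admits every flavor; 'never' admits none; else exact match."""
    return rule_value == "any" or rule_value == auth


def evaluate(rules, client_ip, auth, uid):
    """Describe the access the first matching rule grants to a client at
    client_ip using security flavor auth ("sys", "krb5", ...) and presenting
    UNIX UID uid. Returns None when no rule matches (no access)."""
    ip = ipaddress.ip_address(client_ip)
    for r in sorted(rules, key=lambda r: r.index):
        if ip not in ipaddress.ip_network(r.clientmatch, strict=False):
            continue
        ro = _flavor_ok(r.rorule, auth)
        rw = ro and _flavor_ok(r.rwrule, auth)
        return {
            "index": r.index,
            "ro": ro,
            "rw": rw,
            "effective_uid": r.anon if uid == 0 else uid,
            "suid": r.allow_suid,
            "dev": r.allow_dev,
        }
    return None


def set_index(rules, ruleindex, newruleindex):
    """Model setindex: move the rule at ruleindex so that it occupies
    newruleindex, shifting the rules in between and renumbering 1..n."""
    ordered = sorted(rules, key=lambda r: r.index)
    moving = next(r for r in ordered if r.index == ruleindex)
    ordered.remove(moving)
    ordered.insert(newruleindex - 1, moving)
    for i, r in enumerate(ordered, start=1):
        r.index = i
    return ordered


# Constructed policy: the permissive catch-all at index 1 shadows the stricter
# rule for the engineering subnet at index 2 until setindex swaps them.
POLICY = [
    ExportRule(1, "0.0.0.0/0", "any", "krb5", anon=65534, allow_dev=False),
    ExportRule(2, "10.10.0.0/16", "sys", "sys", anon=65534, allow_suid=False),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.1.5", "sys", 0))        # rule 1: ro only
    print(evaluate(set_index(POLICY, 2, 1), "10.10.1.5", "sys", 0))  # rule 1: rw
```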

Name mappings

Data ONTAP uses name mapping to map CIFS identities to UNIX identities, Kerberos identities to UNIX identities, and UNIX identities to CIFS identities. It needs this information to obtain user credentials and provide proper file access regardless of whether users are connecting from an NFS client or a CIFS client.

Name mapping is usually required because Data ONTAP is multiprotocol: it supports CIFS and NFS access to the same files, as well as NTFS and UNIX security styles on volumes.

There are two exceptions where you do not have to use name mapping:

• You configure a pure UNIX environment and do not plan to use CIFS access or NTFS security style on volumes.

• You configure the default user to be used instead.

Name mapping concepts

Data ONTAP goes through a number of steps when attempting to map user names. They include checking the local name mapping database and LDAP, trying the user name, and using the default user if configured.

When Data ONTAP has to obtain a UNIX name for a Windows user, it first checks the local name mapping database and/or LDAP for an existing mapping. If no mapping is found, it checks whether the lowercase Windows user name is a valid user name in the UNIX domain. If this does not work, it uses the default UNIX user provided it is configured. If the default UNIX user is not configured and it cannot obtain a mapping this way either, it returns an error.

When Data ONTAP has to obtain a Windows name for a UNIX user, it first checks the local name mapping database and/or LDAP for an existing mapping. If Data ONTAP does not find a mapping, it tries to find a Windows account that matches the UNIX name in the CIFS domain. If this does not work, it uses the default CIFS user, provided it is configured. If the default CIFS user is not configured and it cannot obtain a mapping this way either, it returns an error.

72 | Data ONTAP 8.1 Cluster-Mode File Access and Protocols Management Guide


Note: You can modify the order of checking the local name mapping database or LDAP first by modifying the order of services defined by the -nm-switch for the Vserver.

Name mapping conversion rules

A Data ONTAP system keeps a set of conversion rules for each Vserver. Each rule consists of two pieces: a pattern and a replacement. Conversions start at the beginning of the appropriate list and perform a substitution based on the first matching rule. The pattern is a UNIX-style regular expression. The replacement is a string containing escape sequences representing subexpressions from the pattern, as in the UNIX sed program.

Regular expressions are case-insensitive when mapping from Windows to UNIX. However, they are case-sensitive for Kerberos-to-UNIX and UNIX-to-Windows mappings.

As an example, the following rule converts the CIFS user named jones in the domain named ENG into the UNIX user named jones.

Pattern       Replacement
ENG\\jones    jones

Note that the backslash is a special character in regular expressions and must be escaped with another backslash.

The caret (^), underscore (_), and ampersand (&) characters can be used as prefixes for digits in replacement patterns. These characters specify uppercase, lowercase, and initial-case transformations, respectively. For instance:

• If the initial pattern is (.+) and the replacement pattern is \1, then the string jOe is mapped to jOe (no change).

• If the initial pattern is (.+) and the replacement pattern is \_1, then the string jOe is mapped to joe.

• If the initial pattern is (.+) and the replacement pattern is \^1, then the string jOe is mapped to JOE.

• If the initial pattern is (.+) and the replacement pattern is \&1, then the string jOe is mapped to Joe.

If the character following a backslash-underscore (\_), backslash-caret (\^), or backslash-ampersand (\&) sequence is not a digit, then the character following the backslash is used verbatim.

The following example converts any Windows user in the CIFS domain named ENG into a UNIX user with the same name in NIS.

Pattern       Replacement
ENG\\(.+)     \1

The double backslash (\\) matches a single backslash. The parentheses denote a subexpression but do not match any characters themselves. The period matches any single character. The plus sign matches one or more occurrences of the previous expression (an asterisk would match zero or more). In this example, you are matching ENG\ followed by one or more of any character. In the replacement, \1 refers to whatever the first subexpression matched. Assuming the CIFS user ENG\jones, the replacement evaluates to jones; that is, the portion of the name following ENG\.

Note: If you are using the CLI, you must delimit all regular expressions with double quotation marks ("). For instance, to enter the regular expression (.+) in the CLI, type "(.+)" at the command prompt. Quotation marks are not required in the Web UI.

For further information about regular expressions, see your UNIX system administration documentation, the online UNIX documentation for sed or regex, or Mastering Regular Expressions, published by O'Reilly and Associates.

Creating a name mapping

You can use the vserver name-mapping create command to create a name mapping. Data ONTAP supports up to 1024 name mappings for each direction.

Step

1. To create a name mapping, enter the following command:

vserver name-mapping create -vserver virtual_server_name -direction {krb-unix|win-unix|unix-win} -position integer -pattern text -replacement text

-vserver virtual_server_name specifies the Vserver name.

-direction {krb-unix|win-unix|unix-win} specifies the mapping direction.

-position integer specifies the desired position in the priority list of a new mapping.

-pattern text specifies the pattern to be matched, up to 256 characters in length.

-replacement text specifies the replacement pattern, up to 256 characters in length.

When Windows-to-UNIX mappings are created, any CIFS clients that have open connections to the Data ONTAP system at the time the new mappings are created must log out and log back in to see the new mappings.

Examples

The following command creates a name mapping on a Vserver named vs1. The mapping is a mapping from UNIX to Windows at position 1 in the priority list. The mapping maps the UNIX user johnd to the Windows user ENG\John.

vs1::> vserver name-mapping create -vserver vs1 -direction unix-win -position 1 -pattern johnd -replacement "ENG\\John"

The following command creates another name mapping on a Vserver named vs1. The mapping is a mapping from Windows to UNIX at position 1 in the priority list. The mapping maps every CIFS user in the domain ENG to users in the NIS domain associated with the Vserver.


vs1::> vserver name-mapping create -vserver vs1 -direction win-unix -position 1 -pattern "ENG\\(.+)" -replacement "\1"

Configuring the default user

You can configure a default user to use if all other mapping attempts fail for a user, or if you do not want to map individual users between UNIX and Windows. Alternatively, if you want authentication of non-mapped users to fail, you should not configure a default user.

About this task

For CIFS authentication, if you do not want to map each Windows user to an individual UNIX user, you can instead specify a default UNIX user.

For NFS authentication, if you do not want to map each UNIX user to an individual Windows user, you can instead specify a default Windows user.

Step

1. Perform one of the following actions:

If you want to...                     Enter the following command...
Configure the default UNIX user       vserver cifs options modify -default-unix-user user_name
Configure the default Windows user    vserver nfs modify -default-win-user user_name
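Added example code, not Data ONTAP's own: a Python model of the conversion rules described above (sed-style replacement with the \N, \_N, \^N and \&N escapes and first-match priority), of the case-insensitive win-unix matching, and of the Windows-to-UNIX lookup order that ends at the default UNIX user. Python's re module stands in for the ONTAP regular-expression engine; that a pattern must match the whole name, and that the DOMAIN\ prefix is stripped before the lowercase user-name check, are assumptions.

```python
import re

# Added example, not Data ONTAP code: a model of the name-mapping conversion
# rules and the Windows-to-UNIX lookup order described on this page. Python's
# re module stands in for the ONTAP regex engine, and a pattern is assumed to
# have to match the whole name (both assumptions).


def expand_replacement(repl, match):
    r"""Expand a sed-style replacement string against a regex match.

    \N inserts subexpression N; \_N lowercases it, \^N uppercases it and
    \&N gives it initial case. A backslash followed by anything else (or by
    _, ^ or & and then a non-digit) yields the following character verbatim.
    """
    out, i = [], 0
    while i < len(repl):
        ch = repl[i]
        if ch != "\\" or i + 1 >= len(repl):
            out.append(ch)
            i += 1
            continue
        nxt = repl[i + 1]
        if nxt in "_^&" and i + 2 < len(repl) and repl[i + 2].isdigit():
            group = match.group(int(repl[i + 2])) or ""
            if nxt == "_":
                out.append(group.lower())
            elif nxt == "^":
                out.append(group.upper())
            else:                      # initial case: jOe -> Joe
                out.append(group[:1].upper() + group[1:].lower())
            i += 3
        elif nxt.isdigit():
            out.append(match.group(int(nxt)) or "")
            i += 2
        else:
            out.append(nxt)            # verbatim, so "\\" yields one backslash
            i += 2
    return "".join(out)


def apply_rules(rules, direction, name):
    """Substitute using the first matching rule in priority order.

    rules: ordered (pattern, replacement) pairs for one direction.
    Matching is case-insensitive for win-unix only, as the page states.
    Returns None when no rule matches.
    """
    flags = re.IGNORECASE if direction == "win-unix" else 0
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name, flags)
        if m:
            return expand_replacement(replacement, m)
    return None


def map_windows_to_unix(win_name, rules, unix_users, default_unix_user=None):
    r"""Windows-to-UNIX lookup order: explicit mapping, then the lowercase
    user name if it is a UNIX user, then the default UNIX user, else an
    error. Stripping the DOMAIN\ prefix before the lowercase check is an
    assumption of this model."""
    mapped = apply_rules(rules, "win-unix", win_name)
    if mapped is not None:
        return mapped
    short = win_name.split("\\")[-1].lower()
    if short in unix_users:
        return short
    if default_unix_user is not None:
        return default_unix_user
    raise LookupError("no UNIX identity for " + win_name)


# Constructed sample rules in priority order (position 1 first). The specific
# ENG\admin rule must precede the catch-all, or the catch-all shadows it.
WIN_UNIX_RULES = [(r"ENG\\admin", "root"), (r"ENG\\(.+)", r"\1")]
UNIX_WIN_RULES = [("johnd", r"ENG\\John"), ("(.+)", r"ENG\\\&1")]

if __name__ == "__main__":
    print(apply_rules(WIN_UNIX_RULES, "win-unix", r"eng\Jones"))       # Jones
    print(apply_rules(UNIX_WIN_RULES, "unix-win", "johnd"))            # ENG\John
    print(apply_rules(UNIX_WIN_RULES, "unix-win", "maRy"))             # ENG\Mary
    print(map_windows_to_unix(r"ENG\ghost", [], {"jones"}, "pcuser"))  # pcuser
```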

Configuring local UNIX users and groups

You can use local UNIX users and groups for authentication and name mappings.

Creating a local UNIX user

You can use the vserver services unix-user create command to create local UNIX users. A local UNIX user is a UNIX user you create on a Vserver as a UNIX name services option and to be used in the processing of name mappings.

Step

1. To create a local UNIX user, enter the following command:

vserver services unix-user create -vserver virtual_server_name -user user_name -id integer -primary-gid integer -full-name full_name


-vserver virtual_server_name specifies the Vserver name.

-user user_name specifies the user name.

-id integer specifies the user ID.

-primary-gid integer specifies the primary group ID.

-full-name full_name specifies the full name of the user.

Example

The following command creates a local UNIX user named bettyb on a Vserver named vs1. The user has the ID 123 and the primary group ID 100. The user's full name is "Elizabeth Boop".

node::> vserver services unix-user create -vserver vs1 -user bettyb -id 123 -primary-gid 100 -full-name "Elizabeth Boop"

Loading local UNIX users from a URI

You can use the vserver services unix-user load-from-uri command to load one or more local UNIX users into a Vserver from a uniform resource identifier (URI).

About this task

The URI must contain user information in the UNIX /etc/passwd format:

user_name:password:user_ID:group_ID:full_name

The command discards the value of the password field and of the fields after the full_name field (home_directory and shell).

Step

1. To load one or more local UNIX users into a Vserver from a URI, enter the following command:

vserver services unix-user load-from-uri -vserver virtual_server_name -uri {ftp|http}://uri -overwrite {true|false}

-vserver virtual_server_name specifies the Vserver name.

-uri {ftp|http}://uri specifies the URI to load from.

-overwrite {true|false} specifies whether to overwrite entries. The default is false.

Example

The following command loads user information from the URI ftp://ftp.example.com/passwd into a Vserver named vs1. Existing users on the Vserver are not overwritten by information from the URI.


node::> vserver services unix-user load-from-uri -vserver vs1 -uri ftp://ftp.example.com/passwd -overwrite false

Creating a local UNIX group

You can use the vserver services unix-group create command to create UNIX groups that are local to a Vserver. Local UNIX groups are used with local UNIX users.

Step

1. To create a local UNIX group, enter the following command:

vserver services unix-group create -vserver virtual_server_name -name group_name -id integer

-vserver virtual_server_name specifies the Vserver name.

-name group_name specifies the group name.

-id integer specifies the group ID.

Example

The following command creates a local group named eng on a Vserver named vs1. The group has the ID 101.

vs1::> vserver services unix-group create -vserver vs1 -name eng -id 101

Loading local UNIX groups from a URI

You can use the vserver services unix-group load-from-uri command to load one or more local UNIX groups into a Vserver from a uniform resource identifier (URI).

About this task

The URI must contain group information in the UNIX /etc/group format:

group_name:password:group_ID:comma_separated_list_of_users

The command discards the value of the password field.

Step

1. To load one or more local UNIX groups into a Vserver from a URI, enter the following command:

vserver services unix-group load-from-uri -vserver virtual_server_name -uri {ftp|http}://uri -overwrite {true|false}

-vserver virtual_server_name specifies the Vserver name.


-uri {ftp|http}://uri specifies the URI to load from.

-overwrite {true|false} specifies whether to overwrite entries. The default is false.

Example

The following command loads group information from the URI ftp://ftp.example.com/group into a Vserver named vs1. Existing groups on the Vserver are not overwritten by information from the URI.

vs1::> vserver services unix-group load-from-uri -vserver vs1 -uri ftp://ftp.example.com/group -overwrite false
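Added example code, not the Data ONTAP implementation: parsers for the /etc/passwd and /etc/group records that the unix-user and unix-group load-from-uri commands above consume, keeping only the fields the page says the commands keep, plus a model of the -overwrite flag. The merge semantics are an assumption of the model, and the sample records are constructed.

```python
# Added example, not the Data ONTAP implementation: parsers for the
# /etc/passwd and /etc/group records consumed by the unix-user and unix-group
# load-from-uri commands, keeping only the fields the commands keep, and a
# model of the -overwrite flag (the merge semantics are an assumption).


def parse_passwd(text):
    """Return {user_name: (user_ID, group_ID, full_name)}.

    The password field and any fields after full_name (home_directory and
    shell) are discarded, as the unix-user load-from-uri command discards
    them. Because of that, the file fetched over ftp or http never needs to
    carry real password hashes; a placeholder such as "x" or "*" suffices.
    """
    users = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"passwd line {lineno}: expected at least 5 fields")
        name, _password, uid, gid, full_name = fields[:5]
        users[name] = (int(uid), int(gid), full_name)
    return users


def parse_group(text):
    """Return {group_name: (group_ID, [members])}; the password field is
    discarded, as the unix-group load-from-uri command discards it."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields")
        name, _password, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def merge(existing, loaded, overwrite=False):
    """Combine entries already on the Vserver with loaded ones. With
    overwrite=False (the command's default) an existing entry keeps its
    definition; with overwrite=True the loaded entry replaces it."""
    result = dict(existing)
    for name, entry in loaded.items():
        if name in result and not overwrite:
            continue
        result[name] = entry
    return result


# Constructed sample records in the two formats shown above.
SAMPLE_PASSWD = """\
bettyb:x:123:100:Elizabeth Boop:/home/bettyb:/bin/sh
max:*:124:101:Max Example
"""
SAMPLE_GROUP = """\
eng:x:101:max,bettyb
ops:x:102:
"""

if __name__ == "__main__":
    print(parse_passwd(SAMPLE_PASSWD))
    print(parse_group(SAMPLE_GROUP))
```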

Adding a user to a local UNIX group

You can use the vserver services unix-group adduser command to add a user to a UNIX group that is local to a Vserver.

Step

1. To add a user to a local UNIX group, enter the following command:

vserver services unix-group adduser -vserver virtual_server_name -name group_name -username user_name

-vserver virtual_server_name specifies the Vserver name.

-name group_name specifies the name of the UNIX group to add the user to.

-username user_name specifies the user name of the user to add to the group.

Example

The following command adds a user named max to a local UNIX group named eng on a Vserver named vs1.

vs1::> vserver services unix-group adduser -vserver vs1 -name eng -username max

Loading netgroups into a Vserver

You can use the vserver services netgroup load-from-uri command to load netgroups into a Vserver from a uniform resource identifier (URI).

About this task

You should run this command only one time on any given cluster.


Step

1. To load netgroups into a Vserver from an FTP or HTTP URI, enter the following command:

vserver services netgroup load-from-uri -vserver virtual_server_name -uri {ftp|http}://uri

-vserver virtual_server_name specifies the Vserver name.

-uri {ftp|http}://uri specifies the URI to load from.

The netgroup definitions are automatically propagated to all of the nodes in the cluster.

Example

The following command loads netgroup definitions into a Vserver named vs1 from the HTTP URL http://intranet/downloads/corp-netgroup.

vs1::> vserver services netgroup load-from-uri -vserver vs1 -uri http://intranet/downloads/corp-netgroup

Creating a NIS domain configuration

If you specified NIS as a name service option during Vserver setup, you must create a NIS domain configuration for the Vserver. You can use the vserver services nis-domain create command to create a NIS domain configuration.

About this task

You can create multiple NIS domains. However, you can only use one that is set to active.

Step

1. Use the vserver services nis-domain create command to create a NIS domain configuration.

Example

The following command creates a NIS domain configuration for a NIS domain called nisdomain on Vserver vs1 with a NIS server at IP address 192.0.2.180 and makes it active.


vs1::> vserver services nis-domain create -vserver vs1 -domain nisdomain -active true -servers 192.0.2.180

Using LDAP services

Data ONTAP supports LDAP for user authentication, file access authorization, user lookup and mapping services between NFS and CIFS. If the Vserver is set up to use LDAP as a name service using the -ns-switch ldap option or for name mapping using the -nm-switch ldap option, you should create an LDAP configuration for it.

About this task

An LDAP server enables you to centrally maintain user information.

If you store your user database on an LDAP server, you can configure your Vserver to look up user information in the LDAP database. For example, on your LDAP server, you can store logins and passwords for administrative users of the console and the rsh, telnet, http, https, and ssh protocols, making it possible for you to centrally manage them.

Creating an LDAP client configuration

You can use the vserver services ldap client create command to create an LDAP client configuration. You must set up an LDAP client first to be able to use LDAP services.

Step

1. To create an LDAP client configuration, enter the following command:

vserver services ldap client create -client-config client_config_name {-servers LDAP_server_list | -ad-domain ad_domain -preferred-ad-servers preferred_ad_server_list -bind-as-cifs-server {true|false}} -schema schema -port port -query-timeout integer -min-bind-level {anonymous|simple|sasl} -bind-dn LDAP_DN -bind-password password -base-dn LDAP_DN -base-scope {base|onelevel|subtree}

-client-config client_config_name specifies the name of the new LDAP client configuration.

-servers LDAP_server_list specifies one or more LDAP servers by IP address in a comma-delimited list.

-ad-domain ad_domain specifies the AD domain.

-preferred-ad-servers preferred_ad_server_list specifies one or more preferred Active Directory servers by IP address in a comma-delimited list.


-bind-as-cifs-server {true|false} specifies whether to bind using the Vserver's CIFS credentials. The default is false.

-schema schema specifies the schema template to use. You can either use one of the two default schemas, AD-SFU or RFC-2307, or create your own schema by copying a default schema (they are both read-only) and modifying the copy.

-port port specifies the LDAP server port. The default is 389.

-query-timeout integer specifies the query timeout in seconds. The allowed range is 0-10 seconds. The default is 3 seconds.

-min-bind-level {anonymous|simple|sasl} specifies the minimum bind authentication level. The default is anonymous.

-bind-dn LDAP_DN specifies the Bind user. For Active Directory servers, specify the user in the account (DOMAIN\user) or principal (user@domain.com) form. Otherwise, specify the user in distinguished name (CN=user,DC=domain,DC=com) form.

-bind-password password specifies the Bind password.

-base-dn LDAP_DN specifies the base DN. The default is "" (none).

-base-scope {base|onelevel|subtree} specifies the base search scope. The default is subtree.

Creating an LDAP configuration

To associate an LDAP client configuration with a Vserver, you must create an LDAP configuration and set its -client-config parameter to the name of the LDAP client. You can use the vserver services ldap create command to configure a Vserver to use an LDAP client.

Before you begin

An LDAP domain must already exist within the network and must be accessible to the Vserver's cluster.

An LDAP client configuration must exist on the Vserver.

Step

1. To create an LDAP configuration, enter the following command:

vserver services ldap create -vserver virtual_server_name -client-config client_config_name -client-enabled {true|false}

-vserver virtual_server_name specifies the Vserver name.

-client-config client_config_name specifies the client configuration name.


-client-enabled {true|false} specifies whether the LDAP client is enabled. The default is true.

How CIFS clients can access UNIX symbolic links

You must understand certain concepts about how Data ONTAP enables you to manage symbolic links. This is important to provide access to CIFS users connecting to the storage system.

A symbolic link is a file created in a UNIX environment that contains a reference to another file or directory. If a client accesses a symbolic link, it is redirected to the target file or directory that the symbolic link refers to.

Data ONTAP provides CIFS clients the ability to follow UNIX symbolic links on the storage system. This feature is optional and you can configure it on a per-share basis with one of the following three options:

• Enabled with read/write access

• Enabled with read-only access

• Disabled by hiding symbolic links from CIFS clients

There are two types of symbolic links:

Relative
A relative symbolic link contains a reference to the file or directory relative to its parent directory. Therefore the path of the file it is referring to should not begin with a slash (/). A relative symbolic link always refers to a file or directory within the same file system. If you enable symbolic links on a share, relative symbolic links work without further configuration.

Absolute
An absolute symbolic link contains a reference to a file or directory in the form of an absolute path. Therefore the path of the file it is referring to should begin with a slash (/). It is treated as an absolute path location of the file from the root of the file system. An absolute symbolic link can refer to a file or directory within or outside of the file system of the symbolic link. If the target is not in the same local file system, the symbolic link is called a widelink. If you enable symbolic links on a share, absolute symbolic links do not work right away. You must first create a mapping between the UNIX path of the symbolic link to the destination CIFS path. When creating absolute symbolic link mappings, you specify whether it is a local or widelink. If you create an absolute symbolic link to a file or directory outside of the local share but set the locality to local, Data ONTAP disallows access to the target.

Note that if a client attempts to delete a local symbolic link (absolute or relative), only the symbolic link is deleted, not the target file or directory. However, if a client attempts to delete a widelink, it might delete the actual target file or directory that the widelink refers to. Data ONTAP does not have control over this since the client can explicitly open the target file or directory outside the storage system and delete it.


Creating symbolic link mappings for CIFS

You can use the vserver cifs symlink create command to create mappings of UNIX symbolic links for CIFS users.

Step

1. To create symbolic link mappings for CIFS, enter the following command:

vserver cifs symlink create -vserver virtual_server_name -unix-path path -share-name share_name -cifs-path path -cifs-server server_name -locality {local|widelink}

-vserver virtual_server_name specifies the Vserver name.

-unix-path path specifies the UNIX path.

-share-name share_name specifies the name of the CIFS share to map.

-cifs-path path specifies the CIFS path.

-cifs-server server_name specifies the CIFS server name. The CIFS server name can be specified as a DNS name (for example, mynetwork.cifs.server.com), IP address, or NetBIOS name. The NetBIOS name can be determined by using the vserver cifs domain show command. The default value is "" (none).

-locality {local|widelink} specifies whether to create a local or wide symbolic link. A local symbolic link maps to the local CIFS share, and a wide symbolic link maps to any CIFS share on the network. The default value is local.

Example

The following command creates a symbolic link mapping on a Vserver named vs1. It has the UNIX path /src/, the CIFS share name SOURCE, the CIFS path /mycompany/source/, the CIFS server IP address 123.123.123.123, and is a widelink.

vs1::> vserver cifs symlink create -vserver vs1 -unix-path /src/ -share-name SOURCE -cifs-path "/mycompany/source/" -cifs-server 123.123.123.123 -locality widelink


Managing file access using CIFS

After you have enabled CIFS on a Vserver and configured it, there are a number of tasks you might want to perform to manage file access using CIFS.

Commands for managing CIFS servers

There are specific Data ONTAP commands for managing CIFS servers.

If you want to...         Use this command...
Create a CIFS server      vserver cifs create
Display CIFS servers      vserver cifs show
Modify a CIFS server      vserver cifs modify
Delete a CIFS server      vserver cifs delete

See the man page for each command for more information.

Commands for managing name mappings

There are specific Data ONTAP commands for managing name mappings.

If you want to...                               Use this command...
Create a name mapping                           vserver name-mapping create
Insert a name mapping at a specific position    vserver name-mapping insert
Display name mappings                           vserver name-mapping show
Exchange the position of two name mappings      vserver name-mapping swap
Modify a name mapping                           vserver name-mapping modify
Delete a name mapping                           vserver name-mapping delete

See the man page for each command for more information.


Commands for managing local UNIX users

There are specific Data ONTAP commands for managing local UNIX users.

If you want to...             Use this command...
Create a local UNIX user      vserver services unix-user create
Display local UNIX users      vserver services unix-user show
Modify a local UNIX user      vserver services unix-user modify
Delete a local UNIX user      vserver services unix-user delete

See the man page for each command for more information.

Commands for managing local UNIX groups

There are specific Data ONTAP commands for managing local UNIX groups.

If you want to...                          Use this command...
Add a user to a local UNIX group           vserver services unix-group adduser
Create a local UNIX group                  vserver services unix-group create
Display local UNIX groups                  vserver services unix-group show
Modify a local UNIX group                  vserver services unix-group modify
Delete a user from a local UNIX group      vserver services unix-group deluser
Delete a local UNIX group                  vserver services unix-group delete

See the man page for each command for more information.

Verifying the status of netgroup definitions

After loading netgroups into a Vserver, you can use the vserver services netgroup status command to verify the status of netgroup definitions. This enables you to determine whether netgroup definitions are consistent on all of the nodes that back a Vserver.

Step

1. To verify the status of netgroup definitions, enter the following command:


vserver services netgroup status

The command is available only at the advanced privilege level and higher. It displays the following information:

• Vserver name

• Node name

• Load time for netgroup definitions

• Hash value of the netgroup definitions

You can display additional information in a more detailed view. See the reference page for the command for details.

Example

The following command displays netgroup status for all Vservers.

vs1::> set -privilege advanced

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you wish to continue? (y or n): y

vs1::*> vserver services netgroup status
Virtual
Server    Node            Load Time           Hash Value
--------- --------------- ------------------- --------------------------------
vs1       node1           9/20/2006 16:04:53  e6cb38ec1396a280c0d2b77e3a84eda2
          node2           9/20/2006 16:06:26  e6cb38ec1396a280c0d2b77e3a84eda2
          node3           9/20/2006 16:08:08  e6cb38ec1396a280c0d2b77e3a84eda2
          node4           9/20/2006 16:11:33  e6cb38ec1396a280c0d2b77e3a84eda2

Commands for managing NIS domain configurations

There are specific Data ONTAP commands for managing NIS domain configurations.

If you want to...                      Use this command...
Create a NIS domain configuration      vserver services nis-domain create
Display NIS domain configurations      vserver services nis-domain show
Modify a NIS domain configuration      vserver services nis-domain modify
Delete a NIS domain configuration      vserver services nis-domain delete

See the man page for each command for more information.

Commands for managing LDAP configurations

There are specific Data ONTAP commands for managing LDAP configurations.

If you want to...                 Use this command...
Create an LDAP configuration      vserver services ldap create
Display LDAP configurations       vserver services ldap show
Modify an LDAP configuration      vserver services ldap modify
Delete an LDAP configuration      vserver services ldap delete

See the man page for each command for more information.

Commands for managing LDAP client configurations

There are specific Data ONTAP commands for managing LDAP client configurations.

If you want to...                        Use this command...
Create an LDAP client configuration      vserver services ldap client create
Display LDAP client configurations       vserver services ldap client show
Modify an LDAP client configuration      vserver services ldap client modify
Delete an LDAP client configuration      vserver services ldap client delete

See the man page for each command for more information.

Commands for managing LDAP client schema templates

There are specific Data ONTAP commands for managing LDAP client schema templates.

Note: The vserver services ldap client schema copy, modify, and delete commands are only available at the advanced privilege level and higher.


If you want to...                          Use this command...
Copy an existing LDAP schema template      vserver services ldap client schema copy
Display LDAP schema templates              vserver services ldap client schema show
Modify an LDAP schema template             vserver services ldap client schema modify
Delete an LDAP schema template             vserver services ldap client schema delete

See the man page for each command for more information.

Displaying information about discovered servers

You can use the vserver cifs domain discovered-servers show command to display all or a subset of the information related to discovered servers.

Step

1. To display all or a subset of the information related to discovered servers, enter the following command:

vserver cifs domain discovered-servers show

By default, the command displays the following information about discovered servers:

• Node name

• Vserver name

• CIFS domain name

• Server type

• Preference

• Domain controller name

• Domain controller address

• Status

You can display additional information in a more detailed view. See the reference page for the command for details.


Commands for managing preferred domain controllers

There are specific Data ONTAP commands for managing preferred domain controllers.

If you want to...                       Use this command...
Add a preferred domain controller       vserver cifs domain preferred-dc add
Display preferred domain controllers    vserver cifs domain preferred-dc show
Remove a preferred domain controller    vserver cifs domain preferred-dc remove

See the man page for each command for more information.

Displaying information about NetBIOS over TCP connections

You can use the vserver cifs nbtstat command to display information about NetBIOS over TCP (NBT) connections. This can be useful when troubleshooting NetBIOS related issues.

Step

1. Use the vserver cifs nbtstat command to display information about NetBIOS over TCP connections.

See the man page for the command for more information.

Displaying CIFS statistics

You can use the statistics show command to display various CIFS statistics. This enables you to monitor performance and diagnose issues.

Step

1. Perform one of the following actions:

If you want to display CIFS statistics for...    Enter the following command...
Both SMB1 and SMB2                               statistics show -object cifs
SMB1                                             statistics show -object smb1
SMB2                                             statistics show -object smb2
The CIFS subsystem of the node                   statistics show -object nblade_cifs

See the man page for more information.

Displaying information about CIFS security settings

You can use the vserver cifs security show command to display information about CIFS security settings.

Step

1. To display information about CIFS security settings, enter the following command:

vserver cifs security show

To customize the output, you can specify one or more optional parameters. For more information, see the Data ONTAP Cluster-Mode Administration Reference.

Modifying CIFS security settings

You can use the vserver cifs security modify command to modify CIFS security settings.

Step

1. To modify CIFS security settings, enter the following command:

vserver cifs security modify -vserver virtual_server_name -kerberos-clock-skew integer_in_minutes -kerberos-ticket-age integer_in_hours -kerberos-renew-age integer_in_days

-vserver virtual_server_name specifies the Vserver name.

-kerberos-clock-skew integer_in_minutes specifies the maximum allowed Kerberos clock skew time in minutes. The default setting is five minutes.

-kerberos-ticket-age integer_in_hours specifies the Kerberos ticket lifetime in hours. The default is ten hours.

-kerberos-renew-age integer_in_days specifies the maximum number of ticket renewal days. The default is seven days.


Locks

You can display information about a Vserver's current locks as a first step to determining why a client cannot access a volume or file.

About file locking between protocols

File locking is a method used by client applications to prevent a user from accessing a file previously opened by another user. How Data ONTAP locks files depends on the protocol of the client.

If the client is an NFS client, locks are advisory; if the client is a CIFS client, locks are mandatory.

Because of differences between the NFS and CIFS file locks, some attempts by an NFS client to access a file opened by a CIFS application fail.

The following occurs when an NFS client attempts to access a file locked by a CIFS application:

• In mixed or NTFS volumes, file manipulation operations, such as rm, rmdir, and mv, can cause the NFS application to fail.

• NFS read and write operations are denied by CIFS deny-read and deny-write open modes, respectively.

• NFS write operations fail when the written range of the file is locked with an exclusive CIFS byte lock.
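The last two rules above, as an added example that is not part of this guide or of Data ONTAP: a small Python model that decides whether an NFS read or write at a byte range is denied by a CIFS open's deny-read/deny-write mode or by an exclusive CIFS byte lock. The CifsOpen class, the nfs_op_allowed function and the sample opens are constructed for illustration.

```python
"""Model of the cross-protocol lock rules for NFS access to CIFS-opened files.

Added example, not Data ONTAP code. NFS locks are advisory, so only CIFS
state (share-deny modes and exclusive byte-range locks) can deny an NFS
operation here.
"""
from dataclasses import dataclass, field


@dataclass
class CifsOpen:
    """One CIFS open handle: who holds it, its deny modes, and its byte locks."""
    owner: str
    deny_read: bool = False
    deny_write: bool = False
    # byte-range locks held through this handle: (offset, length, exclusive)
    byte_locks: list = field(default_factory=list)


def _overlaps(off_a, len_a, off_b, len_b):
    """True when the half-open ranges [off_a, off_a+len_a) and [off_b, off_b+len_b) intersect."""
    return off_a < off_b + len_b and off_b < off_a + len_a


def nfs_op_allowed(op, offset, length, opens):
    """Return (allowed, reason) for an NFS 'read' or 'write' of length bytes at offset.

    - a CIFS deny-read open denies NFS reads; a deny-write open denies NFS writes
    - an exclusive CIFS byte lock overlapping the range denies NFS writes
    Reads are not affected by byte locks in the rules the guide lists.
    """
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    for o in opens:
        if op == "read" and o.deny_read:
            return False, f"denied by deny-read open held by {o.owner}"
        if op == "write" and o.deny_write:
            return False, f"denied by deny-write open held by {o.owner}"
        if op == "write":
            for lock_off, lock_len, exclusive in o.byte_locks:
                if exclusive and _overlaps(offset, length, lock_off, lock_len):
                    return False, f"range locked exclusively by {o.owner}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one app holds a deny-write open, another an exclusive lock at 100..149.
    opens = [CifsOpen("word.exe", deny_write=True),
             CifsOpen("db.exe", byte_locks=[(100, 50, True)])]
    for op, off, ln in (("read", 0, 10), ("write", 0, 10), ("write", 120, 10)):
        print(op, off, ln, nfs_op_allowed(op, off, ln, opens))
```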

About read-only bits

The read-only bit is a binary digit, which holds a value of 0 or 1, that is set on a file-by-file basis to reflect whether a file is writable (disabled) or read-only (enabled).

CIFS clients that use MS-DOS and Windows can set a per-file read-only bit. NFS clients do not set a per-file read-only bit, because NFS clients do not have any protocol operations that use a per-file read-only bit.

Data ONTAP can set a read-only bit on a file when a CIFS client that uses MS-DOS or Windows creates that file. Data ONTAP can also set a read-only bit when a file is shared between NFS clients and CIFS clients. Some software, when used by NFS clients and CIFS clients, requires the read-only bit to be enabled.

For Data ONTAP to keep the appropriate read and write permissions on a file shared between NFS clients and CIFS clients, it treats the read-only bit according to the following rules:

• NFS treats any file with the read-only bit enabled as if it has no write permission bits enabled.

• If an NFS client disables all write permission bits and at least one of those bits had previously been enabled, Data ONTAP enables the read-only bit for that file.

• If an NFS client enables any write permission bit, Data ONTAP disables the read-only bit for that file.


• If the read-only bit for a file is enabled and an NFS client attempts to discover permissions for the file, the permission bits for the file are not sent to the NFS client; instead, Data ONTAP sends the permission bits to the NFS client with the write permission bits masked.

• If the read-only bit for a file is enabled and a CIFS client disables the read-only bit, Data ONTAP enables the owner’s write permission bit for the file.

• Files with the read-only bit enabled are writable only by root.

Note: Changes to file permissions take effect immediately on CIFS clients, but might not take effect immediately on NFS clients if the NFS client enables attribute caching.
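The read-only bit rules listed above, as an added example that is not part of this guide or of Data ONTAP: a Python model that applies them to one file's UNIX mode bits and read-only bit, covering an NFS chmod, a CIFS client clearing the bit, the masked mode an NFS client is shown, and the root-only write rule. The SharedFile class and its method names are constructed.

```python
"""Model of how the read-only bit and UNIX write bits interact on a shared file.

Added example, not Data ONTAP code. It implements the rules the guide lists
for files shared between NFS clients and CIFS clients.
"""
import stat

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH  # 0o222


class SharedFile:
    """UNIX mode bits plus the MS-DOS/Windows read-only bit of one file."""

    def __init__(self, mode, read_only=False):
        self.mode = mode & 0o7777
        self.read_only = read_only

    def nfs_visible_mode(self):
        """Mode reported to an NFS client: write bits are masked while read-only is set."""
        if self.read_only:
            return self.mode & ~WRITE_BITS
        return self.mode

    def nfs_chmod(self, new_mode):
        """An NFS client changes the permission bits (for example with chmod)."""
        had_write = bool(self.mode & WRITE_BITS)
        new_mode &= 0o7777
        if new_mode & WRITE_BITS:
            # Enabling any write bit disables the read-only bit.
            self.read_only = False
        elif had_write:
            # All write bits cleared, and at least one was set before: enable read-only.
            self.read_only = True
        self.mode = new_mode

    def cifs_set_read_only(self, enabled):
        """A CIFS client sets or clears the read-only attribute."""
        if self.read_only and not enabled:
            # Clearing the bit re-enables the owner's write permission.
            self.mode |= stat.S_IWUSR
        self.read_only = enabled

    def nfs_can_write(self, uid, file_uid, in_file_group):
        """Whether an NFS user may write: a read-only file is writable only by root."""
        if self.read_only:
            return uid == 0
        if uid == 0:
            return True
        if uid == file_uid:
            return bool(self.mode & stat.S_IWUSR)
        if in_file_group:
            return bool(self.mode & stat.S_IWGRP)
        return bool(self.mode & stat.S_IWOTH)


if __name__ == "__main__":
    # Constructed walk-through: NFS chmod 444 sets the bit, a CIFS client clears it.
    f = SharedFile(0o644)
    f.nfs_chmod(0o444)
    print(f"after chmod 444: read_only={f.read_only} visible={oct(f.nfs_visible_mode())}")
    f.cifs_set_read_only(False)
    print(f"after CIFS clears read-only: mode={oct(f.mode)} read_only={f.read_only}")
```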

Displaying information about locks

You can use the vserver locks show command to display the current file locks. If a file lock held by a client is impeding access by other clients, displaying the current locks is the first step in resolving the issue.

Step

1. To display information about locks, enter the following command:

vserver locks show

The command displays the following information:

• Vserver name
• Volume name
• Path of the locked object
• Logical interface name
• Protocol by which the lock was established
• Type of lock
• Client

Note: The client IP address cannot be displayed for locks established through NFSv4 or NFSv4.1.

By default, the command displays information about all locks. You can use command parameters to display information about locks for a specific Vserver or to filter the command's output by other criteria. See the man page for the command for more information.

Breaking locks

You can use the vserver locks break command to break locks. This enables you to correct issues where a file lock prevents client access to files.

About this task

Examples of scenarios in which you might need to break locks include debugging applications or resolving networking problems.


Step

1. To break locks, enter the following command:

vserver locks break -vserver virtual_server_name -volume volume_name -path path -lif lif

-vserver virtual_server_name specifies the Vserver name.

-volume volume_name specifies the volume name.

-path path specifies the path.

-lif lif specifies the logical interface.

See the man page for the command for more information.

The command is available only at the advanced privilege level and higher.

Improving client performance with oplocks

Oplocks (opportunistic locks) enable a CIFS client in certain file-sharing scenarios to perform client-side caching of read-ahead, write-behind, and lock information. A client can then read from or write to a file without regularly reminding the server that it needs access to the file in question. This improves performance by reducing network traffic.

Write cache data loss considerations when using oplocks

Under some circumstances, if a process has an exclusive oplock on a file and a second process attempts to open the file, the first process must invalidate cached data and flush writes and locks. The client must then relinquish the oplock and access to the file. If there is a network failure during this flush, cached write data might be lost.

Data loss possibilities: Any application that has write-cached data can lose that data under the following set of circumstances:

• It has an exclusive oplock on the file.
• It is told to either break that oplock or close the file.
• During the process of flushing the write cache, the network or target system generates an error.

Error handling and write completion: The cache itself does not have any error handling—the applications do. When the application makes a write to the cache, the write is always completed. If the cache, in turn, makes a write to the target system over a network, it must assume that the write is completed because if it does not, the data is lost.


How CIFS metadata caching works

When enabled, the CIFS metadata cache stores path and file attribute data for a limited amount of time. This can improve CIFS performance for common workloads.

The CIFS protocol can be very communication intensive. For certain tasks, it creates a significant amount of traffic that can include multiple identical queries for path and file metadata. The Data ONTAP CIFS metadata cache feature improves performance by reducing the amount of redundant queries by fetching information from the cache instead.

Note: While unlikely, it is possible that the metadata cache might serve stale information to CIFS clients. If your environment cannot afford this risk, you should not enable this feature.

Enabling the CIFS metadata cache

You can enable the CIFS metadata cache feature for individual shares to improve CIFS performance. By default, this feature is disabled.

Step

1. To enable CIFS metadata caching for a share, enter the following command:

vserver cifs share modify -share-name share_name -share-properties attributecache

Configuring the lifetime for CIFS metadata cache entries

You can configure the lifetime for CIFS metadata cache entries by modifying the -attribute-cache-ttl option of a share. This allows you to optimize the CIFS metadata cache performance in your environment. The default is 10 seconds.

Before you begin

You must have enabled the CIFS metadata cache feature.

Step

1. To configure the lifetime of CIFS metadata cache entries, enter the following command:

vserver cifs share modify -share-name share_name -attribute-cache-ttl ttl_in_seconds


Commands for managing CIFS shares

There are specific Data ONTAP commands for managing CIFS shares.

If you want to...          Use this command...
Create a CIFS share        vserver cifs share create
Display CIFS shares        vserver cifs share show
Modify a CIFS share        vserver cifs share modify
Delete a CIFS share        vserver cifs share delete

See the man page for each command for more information.

Commands for managing CIFS share access control lists

There are specific Data ONTAP commands for managing CIFS share access control lists (ACLs).

If you want to...     Use this command...
Create a new ACL      vserver cifs share access-control create
Display ACLs          vserver cifs share access-control show
Modify an ACL         vserver cifs share access-control modify
Delete an ACL         vserver cifs share access-control delete

Commands for managing search paths

There are specific Data ONTAP commands for managing search paths for CIFS home directory configurations.

If you want to...               Use this command...
Add a search path               vserver cifs home-directory search-path add
Display search paths            vserver cifs home-directory search-path show
Change the search path order    vserver cifs home-directory search-path reorder
Remove a search path            vserver cifs home-directory search-path remove

See the man page for each command for more information.

Commands for managing CIFS group policies

There are specific Data ONTAP commands to manage CIFS group policies.

If you want to...                                              Use this command...
Enable a group policy configuration                            vserver cifs group-policy modify -status enabled
Disable a group policy configuration                           vserver cifs group-policy modify -status disabled
Display the status of group policies                           vserver cifs group-policy show
Display information about applied group policy settings        vserver cifs group-policy show-applied
Display information about defined group policy configurations  vserver cifs group-policy show-defined
Update a group policy configuration                            vserver cifs group-policy update

See the man page for each command for more information.

Commands for managing export policies

There are specific Data ONTAP commands for managing export policies.

If you want to...                           Use this command...
Display information about export policies   vserver export-policy show
Rename an export policy                     vserver export-policy rename
Copy an export policy                       vserver export-policy copy
Delete an export policy                     vserver export-policy delete

See the man page for each command for more information.

Commands for managing export rules

There are specific Data ONTAP commands for managing export rules.

If you want to...                         Use this command...
Create an export rule                     vserver export-policy rule create
Display information about export rules    vserver export-policy rule show
Modify an export rule                     vserver export-policy rule modify
Delete an export rule                     vserver export-policy rule delete

See the man page for each command for more information.

Configuring SMB on your storage system

In addition to the CIFS protocol, Data ONTAP supports the Server Message Block (SMB) 1.0 protocol and SMB 2.0.

Support for the SMB 1.0 protocol

Data ONTAP supports the SMB 1.0 protocol, which extends CIFS with security, file, and disk-management features.

Support for the SMB 2.0 protocol

In addition to the SMB 1.0 protocol, Data ONTAP supports the SMB 2.0 protocol, which provides several enhancements.

The SMB 2.0 protocol is a major revision of the SMB 1.0 protocol in that it uses completely different packet formats.

Note: Data ONTAP does not support symbolic links, which are an optional feature of the SMB 2.0 protocol.

If the SMB 2.0 protocol is disabled on the storage system, communication between the SMB 2.0 client and the storage system falls back to the SMB 1.0 protocol (assuming that the SMB 2.0 client includes the SMB 1.0 dialect in its negotiate request).


For more information, see the SMB 2.0 protocol specification.

Support for the SMB 2.1 protocol

The SMB 2.1 protocol provides several minor enhancements to the SMB 2.0 protocol. Data ONTAP supports most of the SMB 2.1 protocol features. Support for SMB 2.1 is enabled automatically when you enable the SMB 2.0 protocol on the storage system.

Support for SMB 2.1 is part of the SMB 2.0 implementation in Data ONTAP and does not require separate configuration.

Data ONTAP does not support the following SMB 2.1 features:

• Large MTU
• Resilient handles
• Branch Cache

For more information, see the SMB 2.1 protocol specification.

Enabling or disabling the SMB 2.0 protocol

You can enable or disable the SMB 2.0 protocol by using the -smb2-enabled option. This allows clients to connect to the storage system using the SMB 2.0 protocol. By default, this option is set to on.

About this task

This option is available at the advanced privilege level.

Step

1. Perform one of the following actions:

If you want the SMB 2.0 protocol to be...   Enter the command...
Enabled                                     vserver cifs options modify -vserver vserver_name -smb2-enabled true
Disabled                                    vserver cifs options modify -vserver vserver_name -smb2-enabled false


Changing or resetting the domain account password

The CIFS server on a Vserver has an Active Directory domain account. You can change the password for this account for good security practices, or reset it if the password is lost.

Step

1. Perform one of the following actions:

If you...                                        Use the command...
Know the password and want to change it          vserver cifs password-change
Do not know the password and want to reset it    vserver cifs password-reset

See the man page for each command for more information.

Commands for managing symbolic link mappings

There are specific Data ONTAP commands for managing symbolic link mappings.

If you want to...                                    Use this command...
Create a symbolic link mapping                       vserver cifs symlink create
Display information about symbolic link mappings     vserver cifs symlink show
Modify a symbolic link mapping                       vserver cifs symlink modify
Delete a symbolic link mapping                       vserver cifs symlink delete

See the man page for each command for more information.


File sharing between NFS and CIFS

Data ONTAP allows NFS clients to access CIFS files and CIFS clients to access NFS files. This eliminates the need to have the same data stored on two separate CIFS and NFS servers to provide access to the same data through both protocols.

To allow NFS and CIFS client access, you must set up both an NFS server and a CIFS server on the Vserver. You must also configure name mappings or the default users.

CIFS file access from NFS clients

Data ONTAP uses Windows NT File System (NTFS) security semantics to determine whether a UNIX user, on an NFS client, has access to a file in a mixed or NTFS qtree.

Data ONTAP does this by converting the user’s UNIX User ID (UID) into a CIFS credential, then using the CIFS credential to verify that the user has access rights to the file. A CIFS credential consists of a primary Security Identifier (SID), usually the user’s Windows user name, and one or more group SIDs that correspond to Windows groups of which the user is a member.

The time Data ONTAP takes converting the UNIX UID into a CIFS credential can be from tens of milliseconds to hundreds of milliseconds because the process involves contacting a domain controller. Data ONTAP maps the UID to the CIFS credential and enters the mapping in a credential cache to reduce the verification time caused by the conversion.

About NFS and CIFS file naming

File naming conventions depend on both the network clients’ operating systems and the file-sharing protocols.

The operating system and the file-sharing protocols determine the following:

• Length of a file name
• Characters a file name can use
• Case-sensitivity of a file name

Characters a file name can use

If you are sharing a file between clients on different operating systems, you should use characters that are valid in both operating systems.

For example, if you use UNIX to create a file, don’t use a colon (:) in the file name because the colon is not allowed in MS-DOS file names. Because restrictions on valid characters vary from one operating system to another, see the documentation for your client operating system for more information about prohibited characters.


Case-sensitivity of a file name

File names are case-sensitive for NFS clients and case-insensitive but case-preserving for CIFS clients.

For example, if a CIFS client creates Spec.txt, both CIFS and NFS clients display the file name as Spec.txt. However, if a CIFS user later tries to create spec.txt, the name is not allowed because, to the CIFS client, that name currently exists. If an NFS user later creates a file named spec.txt, NFS and CIFS clients display the file name differently, as follows:

• On NFS clients, you see both file names as they were created, Spec.txt and spec.txt, because file names are case-sensitive.

• On CIFS clients, you see Spec.txt and Spec~1.txt. Data ONTAP creates the Spec~1.txt file name to differentiate the two files.

How Data ONTAP creates file names

Data ONTAP creates and maintains two file names for files in any directory that has access from a CIFS client: the original long name and a file name in 8.3 format.

For file names that exceed the eight character name or the three character extension limit, Data ONTAP generates an 8.3-format file name as follows:

• It truncates the original file name to six characters, if the file name exceeds six characters.

• It appends a tilde (~) and a number, one through five, to file names that are no longer unique after being truncated. If it runs out of numbers because there are more than five similar names, it creates a unique file name that bears no relation to the original file name.

• It truncates the file name extension to three characters.

Example: If an NFS client creates a file named specifications.html, the 8.3 format file name created by Data ONTAP is specif~1.htm. If this name already exists, Data ONTAP uses a different number at the end of the file name. For example, if the NFS client creates another file named specifications_new.html, the 8.3 format of specifications_new.html is specif~2.htm.
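The naming rules in the two sections above (case-insensitive CIFS names and 8.3 name generation), as an added example that is not part of this guide or of Data ONTAP's implementation: a Python model of a directory that keeps the case-sensitive names NFS clients see and derives the name CIFS clients see, reproducing the Spec.txt / Spec~1.txt and specif~1.htm / specif~2.htm cases and the overflow past five similar names. The Directory class, its method names and the fallback naming scheme for the overflow case are constructed; the guide does not specify what the unrelated unique name looks like.

```python
"""Model of NFS-visible and CIFS-visible file names in one directory.

Added example, not Data ONTAP code. It follows the rules the guide states:
NFS names are case-sensitive, CIFS names are case-insensitive but
case-preserving, and names beyond the 8.3 limits (or colliding
case-insensitively) get a generated ~N name.
"""
import itertools


def _split(name):
    """Split 'base.ext' on the last dot; a name without a dot has no extension."""
    if "." in name:
        base, _, ext = name.rpartition(".")
        return base, ext
    return name, ""


def needs_short_name(name):
    """True when the base exceeds eight characters or the extension exceeds three."""
    base, ext = _split(name)
    return len(base) > 8 or len(ext) > 3


def eight_dot_three(name, taken):
    """Derive an 8.3 name: base cut to six characters, ~1..~5 appended, extension cut to three.

    'taken' holds the lower-cased names already visible to CIFS clients.
    As in the guide's example, the first name in a series gets ~1.
    """
    base, ext = _split(name)
    stem = base[:6]
    suffix = f".{ext[:3]}" if ext else ""
    for n in range(1, 6):
        candidate = f"{stem}~{n}{suffix}"
        if candidate.lower() not in taken:
            return candidate
    # More than five similar names: a unique name unrelated to the original.
    # This X-prefixed counter scheme is constructed for the example only.
    for i in itertools.count(1):
        candidate = f"X{i:07d}{suffix}"
        if candidate.lower() not in taken:
            return candidate


class Directory:
    """Directory with a case-sensitive NFS view and a case-insensitive CIFS view."""

    def __init__(self):
        self._files = []  # (original name, CIFS-visible name) in creation order

    def _cifs_taken(self):
        return {cifs.lower() for _, cifs in self._files}

    def can_create(self, name, via):
        """NFS rejects only an exact duplicate; CIFS also rejects a case-insensitive match."""
        if any(orig == name for orig, _ in self._files):
            return False
        if via == "cifs" and name.lower() in self._cifs_taken():
            return False
        return True

    def create(self, name, via):
        """Create a file from an 'nfs' or 'cifs' client and return its CIFS-visible name."""
        if via not in ("nfs", "cifs"):
            raise ValueError(f"unknown client protocol {via!r}")
        if not self.can_create(name, via):
            raise FileExistsError(name)
        taken = self._cifs_taken()
        if needs_short_name(name) or name.lower() in taken:
            cifs_name = eight_dot_three(name, taken)
        else:
            cifs_name = name
        self._files.append((name, cifs_name))
        return cifs_name

    def nfs_view(self):
        return [orig for orig, _ in self._files]

    def cifs_view(self):
        return [cifs for _, cifs in self._files]


if __name__ == "__main__":
    d = Directory()
    d.create("Spec.txt", "cifs")
    d.create("spec.txt", "nfs")              # CIFS could not create this name
    d.create("specifications.html", "nfs")
    d.create("specifications_new.html", "nfs")
    print("NFS view: ", d.nfs_view())
    print("CIFS view:", d.cifs_view())
```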

Preservation of UNIX permissions

Data ONTAP preserves UNIX permissions when files are edited and saved by Windows applications.

When applications on Windows clients edit and save files, they read the security properties of the file, create a new temporary file, apply those properties to the temporary file, and then give the temporary file the original file name.

When Windows clients perform a query for the security properties, they receive a constructed ACL that exactly represents the UNIX permissions. The sole purpose of this constructed ACL is to preserve the file's UNIX permissions as files are updated by Windows applications to ensure the resulting files have the exact same UNIX permissions. Data ONTAP does not set any NTFS ACLs using the constructed ACL.

This feature also enables you to manipulate the UNIX permissions of files using the Security tab on Windows clients or using applications that can query and set Windows ACLs.


Glossary

To understand the file access and protocols management concepts in this document, you might need to know how certain terms are used.

A

ACL Access control list. A list that contains the users' or groups' access rights to each share.

adapter A SCSI card, network card, hot-swap adapter, serial adapter, or VGA adapter that plugs into an expansion slot. Sometimes called expansion card.

address resolution The procedure for determining an address corresponding to the address of a LAN or WAN destination.

agent A process that gathers status and diagnostic information and forwards it to network management stations, for example, SNMP agent.

appliance A device that performs a single, well-defined function and is simple to install and operate, for example, a NetCache appliance or NetApp storage system.

ATM Asynchronous Transfer Mode. A network technology that combines the features of cell-switching and multiplexing to offer reliable and efficient network services. ATM provides an interface between devices such as workstations and routers, and the network.

AutoSupport A storage system daemon that triggers email messages from the customer site to technical support or another specified email recipient when there is a potential storage system problem.

B

big-endian A binary data format for storage and transmission in which the most significant byte comes first.

C

CIFS Common Internet File System. A protocol for networking PCs.

client A workstation or PC in a client-server architecture; that is, a computer system or process that requests services from and accepts the responses of another computer system or process.

cluster monitor The software that administers the relationship of nodes in a cluster.

community A logical relationship between an SNMP agent and one or more SNMP managers. A community is identified by name, and all members of the community have the same access privileges.


console The physical or virtual terminal that is used to monitor and control a storage system.

Copy-On-Write (COW) The technique for creating Snapshot copies without consuming excess disk space.

D

degraded mode The operating mode of a storage system when a disk in the RAID group fails or the batteries on the NVRAM card are low.

disk ID number The number assigned by the storage system to each disk when it probes the disks at startup.

disk shelf A shelf that contains disk drives and is attached to a storage system.

E

Ethernet adapter An Ethernet interface card.

expansion card A SCSI card, NVRAM card, network card, hot-swap card, or console card that plugs into a storage system expansion slot. Sometimes called an adapter.

expansion slot The slots on the storage system board into which you insert expansion cards.

F

FDDI adapter A Fiber Distributed Data Interface (FDDI) interface card.

FDDI-fiber An FDDI adapter that supports a fiber-optic cable.

FDDI-TP An FDDI adapter that supports a twisted-pair cable.

G

GID See Group ID (GID).

Group ID (GID) The number used by UNIX systems to identify groups.

H

heartbeat A repeating signal transmitted from one storage system to the other that indicates that the storage system is in operation. Heartbeat information is also stored on disk.

hot spare disk A disk installed in the storage system that can be used to substitute for a failed disk. Before the disk failure, the hot spare disk is not part of the RAID disk array.

hot swap The process of adding, removing, or replacing a disk while the storage system is running.

hot swap adapter An expansion card that makes it possible to add or remove a hard disk with minimal interruption to file system activity.

I


inode A data structure containing information about files on a storage system and in a UNIX file system.

interrupt switch A switch on some storage system front panels used for debugging purposes.

L

LAN Emulation (LANE) The architecture, protocols, and services that create an Emulated LAN using ATM as an underlying network topology. LANE enables ATM-connected end systems to communicate with other LAN-based systems.

local storage system The system you are logged in to.

M

magic directory A directory that can be accessed by name but does not show up in a directory listing. The .snapshot directories, except for the one at the mount point or at the root of the share, are magic directories.

mail host The client host responsible for sending automatic email to technical support when certain storage system events occur.

Maintenance mode An option when booting a storage system from a system boot disk. Maintenance mode provides special commands for troubleshooting hardware and configuration.

MIB Management Information Base. ASCII files that describe the information that the SNMP agent sends to network management stations.

MIME Multipurpose Internet Mail Extensions. A specification that defines the mechanisms for specifying and describing the format of Internet message bodies. An HTTP response containing the MIME Content-Type header allows the HTTP client to invoke the application that is appropriate for the data received.

MultiStore In Data ONTAP 7-Mode, an optional software product that enables you to partition the storage and network resources of a single storage system so that it appears as multiple storage systems on the network.

N

NDMP Network Data Management Protocol. A protocol that allows storage systems to communicate with backup applications and provides capabilities for controlling the robotics of multiple tape backup devices.

network adapter An Ethernet, FDDI, or ATM card.

network management station See NMS.


NMS Network Management Station. A host on a network that uses third-party network management application (SNMP manager) to process status and diagnostic information about a storage system.

null user The Windows NT machine account used by applications to access remote data.

NVRAM cache Nonvolatile RAM in a storage system, used for logging incoming write data and NFS requests. Improves system performance and prevents loss of data in case of a storage system or power failure.

NVRAM card An adapter that contains the storage system’s NVRAM cache.

NVRAM mirror A synchronously updated copy of the contents of the storage system NVRAM (nonvolatile random access memory) kept on the partner storage system.

P

panic A serious error condition causing the storage system or V-Series system to halt. Similar to a software crash in the Windows system environment.

parity disk The disk on which parity information is stored for a RAID4 disk drive array. In RAID groups using RAID-DP protection, two parity disks store the parity and double-parity information. Used to reconstruct data in failed disk blocks or on a failed disk.

PCI Peripheral Component Interconnect. The bus architecture used in newer storage system models.

POST Power-on self-tests. The tests run by a storage system after the power is turned on.

PVC Permanent Virtual Circuit. A link with a static route defined in advance, usually by manual setup.

Q

qtree A special subdirectory of the root of a volume that acts as a virtual subvolume with special attributes.

R

RAID Redundant Array of Independent Disks. A technique that protects against disk failure by computing parity information based on the contents of all the disks in an array. Storage systems use either RAID4, which stores all parity information on a single disk, or RAID-DP, which stores all parity information on two disks.

RAID disk scrubbing The process in which a system reads each disk in the RAID group and tries to fix media errors by rewriting the data to another disk area.

S


SCSI adapter An expansion card that supports SCSI disk drives and tape drives.

SCSI address The full address of a disk, consisting of the disk’s SCSI adapter number and the disk’s SCSI ID, such as 9a.1.

SCSI ID The number of a disk drive on a SCSI chain (0 to 6).

serial adapter An expansion card for attaching a terminal as the console on some storage system models.

serial console An ASCII or ANSI terminal attached to a storage system’s serial port. Used to monitor and manage storage system operations.

share A directory or directory structure that has been made available to network users and can be mapped to a drive letter on a CIFS client. Also known as a CIFS share.

SID Security identifier used by the Windows operating system.

Snapshot copy An online, read-only copy of an entire file system that protects against accidental deletions or modifications of files without duplicating file contents. Snapshot copies enable users to restore files and to back up the storage system to tape while the storage system is in use.

SVC Switched Virtual Circuit. A connection established through signaling. The user defines the endpoints when the call is initiated.

system board A printed circuit board that contains a storage system’s CPU, expansion bus slots, and system memory.

T

trap An asynchronous, unsolicited message sent by an SNMP agent to an SNMP manager indicating that an event has occurred on the storage system.

tree quota A type of disk quota that restricts the disk usage of a directory created by the quota qtree command. Different from user and group quotas that restrict disk usage by files with a given UID or GID.

U

UID User identification number.

Unicode A 16-bit character set standard. It was designed and is maintained by the nonprofit consortium Unicode Inc.

V

VCI Virtual Channel Identifier. A unique numerical tag defined by a 16-bit field in the ATM cell header that identifies a virtual channel over which the cell is to travel.

VGA adapter An expansion card for attaching a VGA terminal as the console.


volume
• For Data ONTAP, a logical entity that holds user data that is accessible through one or more of the supported access protocols, including Network File System (NFS), Common Internet File System (CIFS), HyperText Transfer Protocol (HTTP), Fibre Channel (FC), and Internet SCSI (iSCSI). V-Series treats an IBM volume as a disk.
• For IBM, the area on the storage array that is available for a V-Series system or non V-Series host to read data from or write data to. The V-Series documentation uses the term array LUN to describe this area.

VPI Virtual Path Identifier. An eight-bit field in the ATM cell header that indicates the virtual path over which the cell should be routed.

W

WAFL Write Anywhere File Layout. A file system designed for the storage system to optimize write performance.

WINS Windows Internet Name Service.


Copyright information

Copyright © 1994–2012 NetApp, Inc. All rights reserved. Printed in the U.S.A.

No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in anelectronic retrieval system—without prior written permission of the copyright owner.

Software derived from copyrighted NetApp material is subject to the following license anddisclaimer:

THIS SOFTWARE IS PROVIDED BY NETAPP "AS IS" AND WITHOUT ANY EXPRESS ORIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE,WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL NETAPP BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIALDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTEGOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHERIN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IFADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

NetApp reserves the right to change any products described herein at any time, and without notice. NetApp assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by NetApp. The use or purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of NetApp.

The product described in this manual may be protected by one or more U.S.A. patents, foreign patents, or pending applications.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7103 (October 1988) and FAR 52-227-19 (June 1987).


Trademark information

NetApp, the NetApp logo, Network Appliance, the Network Appliance logo, Akorri, ApplianceWatch, ASUP, AutoSupport, BalancePoint, BalancePoint Predictor, Bycast, Campaign Express, ComplianceClock, Cryptainer, CryptoShred, Data ONTAP, DataFabric, DataFort, Decru, Decru DataFort, DenseStak, Engenio, Engenio logo, E-Stack, FAServer, FastStak, FilerView, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexSuite, FlexVol, FPolicy, GetSuccessful, gFiler, Go further, faster, Imagine Virtually Anything, Lifetime Key Management, LockVault, Manage ONTAP, MetroCluster, MultiStore, NearStore, NetCache, NOW (NetApp on the Web), Onaro, OnCommand, ONTAPI, OpenKey, PerformanceStak, RAID-DP, ReplicatorX, SANscreen, SANshare, SANtricity, SecureAdmin, SecureShare, Select, Service Builder, Shadow Tape, Simplicity, Simulate ONTAP, SnapCopy, SnapDirector, SnapDrive, SnapFilter, SnapLock, SnapManager, SnapMigrator, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapSuite, SnapValidator, SnapVault, StorageGRID, StoreVault, the StoreVault logo, SyncMirror, Tech OnTap, The evolution of storage, Topio, vFiler, VFM, Virtual File Manager, VPolicy, WAFL, Web Filer, and XBB are trademarks or registered trademarks of NetApp, Inc. in the United States, other countries, or both.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. A complete and current list of other IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.

Apple is a registered trademark and QuickTime is a trademark of Apple, Inc. in the U.S.A. and/or other countries. Microsoft is a registered trademark and Windows Media is a trademark of Microsoft Corporation in the U.S.A. and/or other countries. RealAudio, RealNetworks, RealPlayer, RealSystem, RealText, and RealVideo are registered trademarks and RealMedia, RealProxy, and SureStream are trademarks of RealNetworks, Inc. in the U.S.A. and/or other countries.

All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such.

NetApp, Inc. is a licensee of the CompactFlash and CF Logo trademarks.

NetApp, Inc. NetCache is certified RealSystem compatible.


How to send your comments

You can help us to improve the quality of our documentation by sending us your feedback.

Your feedback is important in helping us to provide the most accurate and high-quality information. If you have suggestions for improving this document, send us your comments by e-mail to [email protected]. To help us direct your comments to the correct division, include in the subject line the product name, version, and operating system.

You can also contact us in the following ways:

• NetApp, Inc., 495 East Java Drive, Sunnyvale, CA 94089
• Telephone: +1 (408) 822-6000
• Fax: +1 (408) 822-4501
• Support Telephone: +1 (888) 4-NETAPP


Index

A

absolute
  symbolic links 82

access cache
  explained 39

access control lists
  CIFS, managing 96

access control lists (ACLs)
  compatibility between NFSv4 and NTFS 48
  NFSv4 48
  NFSv4, benefits of enabling 48
  NFSv4, enabling or disabling 50
  NFSv4, managing 48
  share-level, defined 66

ACLs
  NFSv4, modifying 50

ACLs (access control lists)
  compatibility between NFSv4 and NTFS 48
  NFSv4 48
  NFSv4, benefits of enabling 48
  NFSv4, enabling or disabling 50
  NFSv4, managing 48
  share-level, defined 66

adding
  CIFS preferred domain controllers 67
  home directory search paths 63
  preferred domain controllers 90
  rules to export policies 19, 69
  search paths 96
  users to local UNIX groups 30, 78

authentication
  Kerberos 22, 67

authentication-based
  restrictions 9

B

breaking
  locks 44, 93

C

caching
  CIFS metadata 95

case-sensitivity
  of file names 102

CIFS
  access control lists, creating 66
  access control lists, managing 96
  adding preferred domain controllers 67
  concepts 59
  creating CIFS shares 64
  creating servers 61
  creating symbolic link mappings 83
  file access 59
  file locking 43, 92
  file names 101
  file sharing with NFS 101
  files, accessing from NFS clients 101
  home directory concepts 61
  managing file access 85
  metadata cache, configuring 95
  metadata cache, enabling or disabling 95
  metadata, caching 95
  modifying protocols for Vservers 10
  read-only bits 43, 92
  security settings, displaying 91
  security settings, modifying 91
  setting up file access 61
  shares considerations 63
  statistics, displaying 90
  supported clients 59
  supported domain controllers 59

CIFS group policies
  managing 97

CIFS servers
  managing 85

CIFS shares
  managing 96

clients
  CIFS, supported 59

configuring
  CIFS metadata cache 95
  default users 27, 75
  local UNIX users and groups 27, 75
  NIS domains 38, 87

copying
  export policies 42, 97

creating


  CIFS servers 61, 85
  CIFS share access control lists 66
  CIFS shares 64, 96
  export policies 18, 68
  export rules 42, 98
  file names 102
  Kerberos realm configurations 23, 41
  LDAP client configurations 33, 38, 80, 88
  LDAP client schema templates 39, 88
  LDAP configurations 34, 38, 81, 88
  local UNIX groups 29, 36, 77, 86
  local UNIX users 28, 36, 75, 86
  name mappings 26, 74
  NFS servers 17
  NIS domain configuration 32, 79
  NIS domains 38, 87
  symbolic link mappings 100
  symbolic link mappings for CIFS 83

D

default users
  configuring 27, 75

deleting
  CIFS servers 85
  CIFS shares 96
  export policies 42, 97
  export rules 42, 98
  Kerberos realm configurations 41
  LDAP client configurations 38, 88
  LDAP client schema templates 39, 88
  LDAP configurations 38, 88
  local UNIX groups 36, 86
  local UNIX users 36, 86
  name mappings 35, 85
  NFS servers 35
  NIS domains 38, 87
  symbolic link mappings 100
  users from local UNIX groups 36, 86

disabling
  CIFS group policies 97
  NFSv2 45
  NFSv3 45
  NFSv4 46
  NFSv4.1 46
  parallel NFS 46
  pNFS 46
  referrals 55
  rquota 57
  SMB 2.0 99
  vStorage 56

displaying
  CIFS group policies 97
  CIFS servers 85
  CIFS shares 96
  CIFS statistics 90
  export policies 42, 97
  export rules 42, 98
  information about CIFS security settings 91
  information about discovered servers 89
  information about locks 44, 93
  information about vStorage 57
  Kerberos realm configurations 41
  LDAP client configurations 38, 88
  LDAP client schema templates 39, 88
  LDAP configurations 38, 88
  local UNIX groups 36, 86
  local UNIX users 36, 86
  name mappings 35, 85
  NetBIOS over TCP information 90
  NFS Kerberos configurations, information about 40
  NFS servers 35
  NFS statistics 56
  NIS domains 38, 87
  preferred domain controllers 90
  search paths 96
  symbolic link mappings 100

domain controllers
  adding preferred 67
  CIFS, supported 59
  preferred, managing 90

E

enabling
  CIFS group policies 97
  CIFS metadata cache 95
  NFSv2 45
  NFSv3 45
  NFSv4 46
  NFSv4.1 46
  parallel NFS 46
  pNFS 46
  referrals 55
  rquota 57
  SMB 2.0 99
  vStorage 56

exchanging
  name mappings 35, 85

export policies


  adding rules 19, 69
  concepts 18, 68
  creating 18, 68
  managing 42, 97
  nested junctions 18
  setting index numbers for rules 21, 71
  using 17, 68

export rules
  managing 42, 98

F

file access
  CIFS, managing 85
  CIFS, setting up 61
  control 9
  introduction 9
  NFS, managing 35
  NFS, setting up 17
  using NFS 13

file and record locking, NFSv4 53

file delegations
  NFSv4 51
  NFSv4, managing 51

file locking
  explained 43, 92

file names
  case-sensitivity 102
  creating 102
  for NFS and CIFS 101
  valid characters 101

file sharing
  between NFS and CIFS 101

file-based
  restrictions 9

G

glossary 105

groups
  local, UNIX, configuring 27, 75
  UNIX, adding users to local 30, 78
  UNIX, creating local 29, 77
  UNIX, loading local from URIs 30, 77

H

hard mounts 35

home directories
  adding search paths 63
  CIFS, concepts 61

I

inserting
  name mappings 35, 85

K

Kerberos
  authentication 22, 67
  configuration, creating 24
  creating realm configurations 23
  displaying configuration information for NFS 40
  enabling 24
  modifying configuration for NFS servers 41
  NFS clients supporting v5 security services 22
  realms, managing 41

L

LDAP
  commands for managing 38, 88
  commands for managing client configurations 38, 88
  commands for managing client schema templates 39, 88
  creating client configurations 33, 80
  creating configurations 34, 81
  using 32, 80

lifetime
  CIFS metadata cache, configuring 95

limitations
  of Data ONTAP support for NFSv4 14

links
  symbolic 82

loading
  local UNIX groups from URIs 30, 77
  local UNIX users from URIs 28, 76

locking grace period
  NFSv4, specifying 54

locking lease period
  NFSv4, specifying 54

locks
  breaking 44, 93
  displaying information about 44, 93
  using 42, 92


M

managing
  CIFS group policies 97
  CIFS servers 85
  CIFS shares 96
  export policies 42, 97
  export rules 42, 98
  Kerberos realm configurations 41
  LDAP client configurations 38, 88
  LDAP client schema templates 39, 88
  LDAP configurations 38, 88
  local UNIX groups 36, 86
  local UNIX users 36, 86
  name mappings 35, 85
  NFS servers 35
  preferred domain controllers 90
  symbolic link mappings 100

metadata
  CIFS, caching 95

metadata cache
  CIFS, configuring 95

modifying
  CIFS security settings 91
  CIFS servers 85
  CIFS shares 96
  export rule index numbers 21, 71
  export rules 42, 98
  Kerberos realm configurations 41
  LDAP client configurations 38, 88
  LDAP client schema templates 39, 88
  LDAP configurations 38, 88
  local UNIX groups 36, 86
  local UNIX users 36, 86
  name mapping patterns 35, 85
  NFS Kerberos configuration 41
  NFS servers 35
  NFSv4 ACLs 50
  NIS domains 38, 87
  protocols for Vservers 10
  server implementation ID 47
  symbolic link mappings 100

mounts 35

N

name mapping
  explained 24, 72

name mappings

  conversion rules 25, 73
  creating 26, 74
  managing 35, 85

NetBIOS
  over TCP, displaying information 90

netgroups
  loading from URIs 31, 78
  verifying status of definitions 37, 86

NFS
  benefits of enabling v4 ACLs 48
  clients supporting Kerberos v5 security services 22
  clients, accessing CIFS files 101
  compatibility between v4 and NTFS ACLs 48
  concepts 13
  displaying statistics 56
  enabling or disabling v2 45
  enabling or disabling v3 45
  enabling or disabling v4 46
  enabling or disabling v4 ACLs 50
  enabling or disabling v4 write file delegations 52
  enabling or disabling v4.1 46
  file access 13
  file and record locking, v4 53
  file locking 43, 92
  file names 101
  file sharing with CIFS 101
  Kerberos configuration, displaying information about 40
  Kerberos configuration, modifying 41
  managing file access 35
  managing v4 ACLs 48
  modifying protocols for Vservers 10
  parallel 15
  read-only bits 43, 92
  setting up file access 17
  specifying user ID domain for v4 47
  supported clients 15
  v4 ACLs 48
  v4 support 13
  v4, determining file deletion 50
  v4, enabling or disabling read file delegations 52
  v4, file delegations 51
  v4, limitations of Data ONTAP support 14
  v4, managing file delegations 51
  v4, specifying locking grace period 54
  v4, specifying locking lease period 54
  v4.1 14
  v4.1 support 13

NFS servers
  creating 17


  managing 35

NFSv4
  ACLs, modifying 50
  referrals 54

NIS domain
  configuring 38, 87
  creating 32, 38, 79, 87
  deleting 38, 87
  displaying 38, 87
  modifying 38, 87

NTFS
  ACLs, compatibility with NFSv4 48

O

oplocks
  improving client performance with 94
  write cache data loss considerations 94

P

parallel NFS
  enabling or disabling 46

passwords
  changing 100
  resetting 100

performance
  client, improving with oplocks 94

permissions
  preservation of 102

pNFS
  enabling or disabling 46

preferred domain controllers
  adding 67

protocols
  modifying for Vservers 10
  supported 9

R

read file delegations
  NFSv4, enabling or disabling 52

read-only bits
  explained 43, 92

referrals
  enabling or disabling 55
  NFSv4 54

relative
  symbolic links 82

removing
  preferred domain controllers 90
  search paths 96

renaming
  export policies 42, 97

reordering
  search paths 96

restrictions
  authentication-based 9
  file-based 9

rquota
  enabling or disabling 57

S

search paths
  adding 96
  displaying 96
  for home directories, adding 63
  removing 96
  reordering 96

security settings
  CIFS, displaying 91
  CIFS, modifying 91

server implementation ID
  modifying 47

servers
  discovered, displaying information about 89

shares
  CIFS, considerations 63
  CIFS, creating 64
  managing 96
  naming conventions 61

SMB
  configuring 98
  support for v1.0 98
  support for v2.0 98
  support for v2.1 99
  v2.0, enabling or disabling 99

soft mounts 35

statistics
  CIFS, displaying 90
  NFS, displaying 56

supported protocols 9

symbolic link mappings
  managing 100

symbolic links
  creating mappings for CIFS 83

U

UNIX
  adding users to local groups 30, 78


  configuring local users and groups 27, 75
  creating local groups 29, 77
  creating local users 28, 75
  loading local groups from URIs 30, 77
  loading local users from URIs 28, 76
  managing local groups 36, 86
  managing local users 36, 86
  security properties 102

unsupported features
  Windows 59

updating
  CIFS group policies 97

URIs
  loading local UNIX groups from 30, 77
  loading local UNIX users from 28, 76
  loading netgroups from 31, 78

user ID domain
  specifying for NFSv4 47

users
  adding to local UNIX groups 30, 78
  local, UNIX, configuring 27, 75
  UNIX, creating local 28, 75
  UNIX, loading local from URIs 28, 76

V

verifying
  status of netgroup definitions 37, 86

Vservers
  adding CIFS preferred domain controllers 67
  CIFS, creating 61
  creating CIFS shares 64
  loading netgroups into 31, 78
  modifying protocols 10
  NIS domain configuration, creating 32, 79

vStorage
  displaying information about 57
  enabling or disabling 56

W

widelinks 82

Windows
  unsupported features 59

write cache
  data loss considerations when using oplocks 94

write file delegations
  enabling or disabling, NFSv4 52
