Netapp CIFS

Uploaded by

chida Bandihal

Stopping and Restarting CIFS

• To terminate CIFS service (a complete shutdown) where all CIFS sessions are ended:
  system> cifs terminate [-t minutes]
  – To stop a cifs terminate command if you have set a duration, press Control-C
• To restart CIFS service after terminating:
  system> cifs restart
  – Or reconfigure CIFS services (will start automatically):
  system> cifs setup

© 2010 NetApp, Inc. All rights reserved.

STOPPING AND RESTARTING CIFS

6 - 36 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Workgroups
© 2010 NetApp, Inc. This material is intended for training use only. Not authorized for reproduction purpose.

NetApp University - Do Not Distribute


CLI: Stopping and Restarting CIFS

• As an example, stop and restart CIFS services on the storage system called “system”:
system> cifs terminate
CIFS local server is shutting down...
CIFS local server has shut down...

system> cifs restart
CIFS local server is running.
GMT[nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.


CLI: STOPPING AND RESTARTING CIFS



Module Summary


MODULE SUMMARY



Module Summary

In this module, you should have learned to:
• License CIFS on a storage system
• Join a storage system to a Windows workgroup environment using the cifs setup command
• Observe the results of cifs setup
• Manage newly created configuration files for the CIFS workgroup environment


MODULE SUMMARY



Exercise
Module 6: CIFS Workgroups
Estimated Time: 30 minutes

EXERCISE
Please refer to your Exercise Guide for more instruction.



Check Your Understanding

• In cifs setup, what are the two security style choices for which a storage system can be configured?
• During the initial questions in cifs setup, for which root user can you enter a password?
• What are the three default share volumes created as a result of cifs setup?
• What is the name of the NetBIOS alias file?


CHECK YOUR UNDERSTANDING



CIFS Shares and
Sessions
Module 7
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode

CIFS SHARES AND SESSIONS



Module Objectives

By the end of this module, you should be able to:


• Display all shares available on the storage system
• List the default shares
• Configure a client machine to access any share
• Identify the CIFS sessions established by accessing a share on the storage system
• Add, modify, and delete shares


MODULE OBJECTIVES



Share Administration

• Shares may be managed by way of:
  – The command-line interface
  – NetApp® System Manager
  – Microsoft® Management Console (MMC)
    • Computer Management
• Share administration includes:
  – Display shares
  – Add shares
  – Provide access to shares
  – Remove shares


SHARE ADMINISTRATION



Displaying Shares


DISPLAYING SHARES



CLI: Displaying CIFS Shares

• As a result of setting up the CIFS service, default shares are created
• To display all shares: cifs shares
• Example:

system> cifs shares
Name                     Mount Point        Description
----                     -----------        -----------
ETC$                     /etc               Remote Administration
    BUILTIN\Administrators / Full Control
HOME                     /vol/vol0/home     Default Share
    everyone / Full Control
C$                       /                  Remote Administration
    BUILTIN\Administrators / Full Control


CLI: DISPLAYING CIFS SHARES



System Manager: Displaying CIFS Shares

(Screenshot: the System Manager Shares view, with callouts for Shares, Default Shares, and Exports.)


SYSTEM MANAGER: DISPLAYING CIFS SHARES



MMC: Displaying Storage System Shares

Connect to the storage system by right-clicking, and then selecting “Connect to another computer…”
You are now interacting with the storage system.

NOTE: You must log in with a user account that is defined in the BUILTIN\Administrators group

MMC: DISPLAYING STORAGE SYSTEM SHARES


To display storage system shares, first connect to the storage system by right-clicking and then selecting
“Connect to another computer…”. Click the Shares folder in the console tree. The three default
shares (C$, ETC$, and HOME) display, as does the hidden IPC$ share.
The IPC$ share is an inter-process communications mechanism for temporary connections between clients
and servers. It is primarily used to administer network servers remotely. This share enables the
communication between the Windows® Computer Management GUI and the storage system.



Accessing Shares


ACCESSING SHARES



Accessing a Share

• After the share has been created, it may be accessed from Windows by:
  – Microsoft’s net use command
    C:\> net use e: \\toaster\jdoe /user:marketing\jdoe
  – Using the run dialog
  – Mapping a drive from the GUI


ACCESSING A SHARE



Run Dialog


RUN DIALOG
On a Windows workstation using the Windows “run line,” access the C$ share on the storage system
“system” by performing the following steps:
• On the Windows desktop, click the Start menu and choose Run. The Run window appears.
• In the Open text box, type \\storage_system_name\C$ (\\system\C$). Note: The storage system name can
be the name or IP address. Click the OK button, and then the Connect To window appears.
• In the Connect To window, type the user name administrator and the password, and then click the OK
button. The \\system\C$ window appears with the share access to C$ that displays the “etc” and “home”
folders.



Mapping a Drive to a Share

(Screenshot: the Map Network Drive dialog with the folder \\10.254.134.35\C$... entered.)


MAPPING A DRIVE TO A SHARE


On a Windows workstation, map a network drive letter to a share by performing the following steps:
• Open Windows Explorer and go to Tools > Map Network Drive. The Map Network Drive window
appears.
• In the Drive list box, select any unused letter. In the example, the letter K is selected.
• In the Folder list box, type \\storage_system\C$. Note: The storage system name can be the name or IP
address.
• Click the Finish button. The Map Network Drive attempts to connect to the storage system and share.
• When the Connect to window appears, in the User name text box, type administrator and in the
Password text box, type the administrator’s password.
• Click the OK button.



Mapping a Drive to a Share (Cont.)


MAPPING A DRIVE TO A SHARE (CONT.)


(The following continues the mapping of a network drive letter to a share.)
• The mapped network drive letter (K is shown in this example) displays the mapping to the C$ share. Both
the etc and home folders are in the C$ share.



Encoding

• CIFS uses Unicode for its encoding
• If a volume is exclusively being accessed by CIFS, consider:
  system> vol options vol create_ucode on
  system> vol options vol convert_ucode on
• If the ucode options are not set, Data ONTAP® will transparently convert a non-Unicode directory when first accessed by CIFS
  – Time consuming
  – If read-only (that is, Snapshot™ copy), then access is refused


ENCODING
The CIFS protocol requires the Unicode encoding method. Unicode is an industry standard allowing
computers to consistently represent text in most of the world’s writing systems. Unicode provides a unique
number for every character regardless of the language. See www.unicode.org for more information.
If a volume is exclusively being accessed by CIFS or NFS v4 or later, then consider setting the
create_ucode and convert_ucode volume options. The create_ucode option forces newly created
directories to be Unicode directories for both NFS and CIFS. By default it is set to off, in which case all
directories are created in a non-Unicode format and the first CIFS access converts them to the Unicode
format. The convert_ucode on option forces all directories to be converted to the Unicode format when
accessed from both NFS and CIFS. By default, this option is set to off.
Unicode is not the default on a storage system because Unicode directories take up more space and are slower
on some workloads.



Sessions


SESSIONS



CIFS Sessions

• A client establishes a session with a storage system upon the first share access
  – Access is based on user authentication and share access rules
• Display a CIFS session status by using these methods:
  – CLI: cifs sessions command
  – NetApp System Manager
  – Windows Computer Management: MMC > System Tools > Shared Folders > Sessions


CIFS SESSIONS
A client user establishes a session with a storage system upon the first share access. Access is based on user
authentication and share access rules. The authentication method is defined by the environment into which the
storage system is added.
You can display a CIFS session status by using these methods:
• CLI cifs sessions command
• NetApp System Manager
• Windows Computer Management GUI > System Tools > Shared Folders > Sessions



cifs sessions Command

With the cifs sessions command, you can display the following types of session information:
• A summary of session information, including the number of open shares and files opened by user
  system> cifs sessions
• Share and file information about a specified connected user or all connected users, including shares and files opened
  system> cifs sessions [username|IPaddress|host]
  system> cifs sessions * [all connected users]
• Security information
  system> cifs sessions -s


CIFS SESSIONS COMMAND


With the cifs sessions command, you can display the following types of session information:
• A summary of session information, including storage system information and the number of open shares
and files opened by each connected user:
  – cifs sessions
• Share and file information about a specified connected user or all connected users, including:
  – The names of shares opened by a specified connected user or all connected users
  – The access levels of opened files
  – cifs sessions user_name | IP_address | workstation_name
  – cifs sessions * [all connected users]
• Security information about a specified connected user or all connected users, including the UNIX® user
ID (UID) and a list of UNIX groups and Windows groups to which the user belongs:
  – cifs sessions -s user_name | IP_address | workstation_name
  – cifs sessions -s [all connected users]
NOTE: The number of open shares shown in the session information includes the hidden IPC$ share.
The cifs sessions command can be used as a “status” command even when there is no session.
Example 1 is a storage system in a Windows workgroup. The storage system uses local user authentication.
system> cifs sessions
Server Registers as 'system' in workgroup 'WORKGROUP1'
Root volume language is not set. Use vol lang.
Using Local Users authentication
Comment: This is a Windows workgroup server
===================================================
PC IP(PC Name) (user) #shares #files



Example 2 is a storage system in a Windows 2000 Server domain. The storage system uses the domain
controller for authentication.
system> cifs sessions
Server Registers as 'system' in Windows 2000 domain 'DEVELOPMENT'
Root volume language is not set. Use vol lang.
Selected domain controller \\DEVDC01 for authentication
Comment: This is a Windows 2000 member server
====================================================
PC IP(PC Name) (user) #shares #files
Options:
• The -t option displays the total count of CIFS sessions, open shares, and open files.
• If you include the user argument, the command displays information about the specified user, along with
the names and access level of files that user has opened. If you use * as the specified user, the command
lists all users.
• Specifying the -c option with a user argument will display the names of open directories and the number
of active change notify requests against the directory.
• The -s option displays security information for a specified connected user. If you do not specify a user or
workstation name, the command displays security information for all users.
Here are examples using the machine_name and machine_IP_address arguments:
system> cifs sessions 192.168.228.4
users shares/files opened
TORTOLA (nt-domain\danw - root)
HOME
system> cifs sessions tortola
users shares/files opened
TORTOLA (nt-domain\danw - root)
HOME
Here is an example using the -t option:
system> cifs sessions -t
Using domain authentication. Domain type is Windows NT.
Root volume language is not set. Use vol lang.
Number of WINS servers: 2
CIFS sessions: 1
CIFS open shares: 1
CIFS open files: 3
CIFS sessions using security signatures: 0



cifs sessions Example

• The following example of the cifs sessions command shows a session with a storage system in a Windows domain

system> cifs sessions
Server Registers as 'system' in workgroup 'WORKGROUP'
Root volume language is not set. Use vol lang.
Using Local Users authentication
====================================================
PC IP(PC Name) (user) #shares #files
10.254.134.40() (system\administrator - root)  1  0


CIFS SESSIONS EXAMPLE


The following example of the cifs sessions command shows a session with a storage system in a Windows
workgroup.
The PC IP address 10.254.134.40 is the Windows workstation WIN.
The system\administrator user is the local administrator account on the storage system.
The user mapping for this account is root.
One share is currently being accessed.



CLI: cifs sessions Security Information
system> cifs sessions -s
users
Security Information
10.254.134.40() (system\administrator - root)
***************
UNIX uid = 0
user is a member of group daemon (1)
user is a member of group daemon (1)

NT membership
system\administrator
BUILTIN\Administrators
User is also a member of Everyone, Network Users,
Authenticated Users
***************


CLI: CIFS SESSIONS SECURITY INFORMATION


The following example of the cifs sessions -s command shows security information for a user with a
session with a storage system in a Windows workgroup.
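As an added example (not part of the NetApp course material), the following Python script parses a constructed cifs sessions -s listing in the format shown above and reports which sessions are mapped to the UNIX root user (uid 0), as the local administrator account is here; the record field names are this script's own assumptions.

```python
"""Parse Data ONTAP 7-Mode `cifs sessions -s` output and report which
sessions are mapped to the UNIX root user (uid 0)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the `cifs sessions -s` listing in the text.
SAMPLE_OUTPUT = """\
users
                        Security Information
10.254.134.40() (system\\administrator - root)
***************
UNIX uid = 0
user is a member of group daemon (1)
user is a member of group daemon (1)

NT membership
system\\administrator
BUILTIN\\Administrators
User is also a member of Everyone, Network Users,
Authenticated Users
***************
"""

# Session header: "<PC IP>(<PC name>) (<Windows user> - <mapped UNIX user>)"
SESSION_RE = re.compile(
    r"^(?P<ip>\S+)\((?P<pc>[^)]*)\)\s+\((?P<user>.+?) - (?P<unix_user>.+?)\)$")
UID_RE = re.compile(r"^UNIX uid = (?P<uid>\d+)$")
GROUP_RE = re.compile(r"^user is a member of group (?P<name>\S+) \((?P<gid>\d+)\)$")


@dataclass
class SessionSecurity:
    ip: str
    pc_name: str
    windows_user: str
    unix_user: str
    uid: Optional[int] = None
    unix_groups: List[Tuple[str, int]] = field(default_factory=list)
    nt_groups: List[str] = field(default_factory=list)


def parse_cifs_sessions_s(text: str) -> List[SessionSecurity]:
    """Walk the listing line by line; each session header starts a new record
    and the lines that follow fill in its UNIX and NT membership."""
    sessions: List[SessionSecurity] = []
    in_nt_membership = False
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append(SessionSecurity(m["ip"], m["pc"], m["user"], m["unix_user"]))
            in_nt_membership = False
            continue
        if not sessions:
            continue  # "users" / "Security Information" header lines
        current = sessions[-1]
        if line.startswith("***"):  # separator around each session's details
            in_nt_membership = False
            continue
        m = UID_RE.match(line)
        if m:
            current.uid = int(m["uid"])
            continue
        m = GROUP_RE.match(line)
        if m:
            current.unix_groups.append((m["name"], int(m["gid"])))
            continue
        if line == "NT membership":
            in_nt_membership = True
            continue
        if line.startswith("User is also a member of"):
            in_nt_membership = False  # implicit identities (Everyone, ...) follow
            continue
        if in_nt_membership and line:
            current.nt_groups.append(line)
    return sessions


def root_mapped_sessions(sessions: List[SessionSecurity]) -> List[Tuple[str, str]]:
    """Return (client IP, Windows user) for every session whose credential maps
    to root, i.e. every client currently holding root-level UNIX access."""
    return [(s.ip, s.windows_user) for s in sessions
            if s.uid == 0 or s.unix_user == "root"]


if __name__ == "__main__":
    for ip, user in root_mapped_sessions(parse_cifs_sessions_s(SAMPLE_OUTPUT)):
        print(f"{ip}: {user} is mapped to root")
```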



NetApp System Manager: CIFS Sessions

(Screenshot: the System Manager Current Sessions view; callouts point to the local storage system’s administrator account and to the highlighted session’s access volume.)


NETAPP SYSTEM MANAGER: CIFS SESSIONS



MMC: CIFS Sessions

GUI connected to the storage system
List and terminate all the current sessions except the session that Computer Management uses


MMC: CIFS SESSIONS


With the Computer Management GUI, click the System Tools > Shared Folders > Sessions folders to display
the CIFS sessions.
In this example, the local administrator has a session with the storage system DEV270-1, which is in a
Windows workgroup.
• The name of the administrator’s computer is 10.254.134.40
• The number of Open Files is 3
• This account is not a Guest account



Broadcasting a Message
• To display a message on Windows users’ sessions:
  system> cifs broadcast [workstation| -v volname] “message”
  – You can inform users about pending terminations or other important events
• The Messenger service on the Windows workstation must be enabled
  1. On your Windows workstation, go to: Start > Programs > Administrative Tools > Services > Messenger
  2. If the Messenger service is disabled, start the service

NOTE: The Messenger service is not available on Microsoft Windows Server 2008 R2 and therefore the cifs broadcast command is not available

BROADCASTING A MESSAGE
To display a message on Windows users’ workstations, use the following command:
cifs broadcast {workstation | -v volname} “message”
You can inform users about pending terminations or other important events.
The Messenger service on the Windows workstation must be enabled. NOTE: It is disabled by default for
security reasons.
To enable the Messenger service on your Windows workstation:
• Go to Start > Programs > Administrative Tools > Services > Messenger.
• If the Messenger service is disabled, start the service. (The default is disabled.)



Broadcasting a Message Example

• Example of broadcasting a message from a storage system:
  system> cifs broadcast -v flexvol1 "The shutdown will start in 10 minutes."
• The following message displays on the Windows workstation:


BROADCASTING A MESSAGE EXAMPLE


The following is an example of broadcasting a message using the volume option from a storage system:
system> cifs broadcast -v flexvol1 "The shutdown will start in 10 minutes."
The message “The shutdown will start in 10 minutes” is broadcast to all users that have sessions on
the volume named flexvol1.



Terminating Sessions

(Diagram: cifs terminate [-t time] [host]. “cifs terminate Host1” ends only the sessions of Host1; “cifs terminate” with no host ends the sessions of Host1, Host2, Host3, and Host4.)


TERMINATING SESSIONS
The cifs terminate command stops the CIFS service. If a single host is named, all CIFS sessions opened
by that host are terminated. If a host is not specified, all CIFS sessions are terminated and the CIFS service is
shut down.
If you run the cifs terminate command without specifying a time until shutdown and there are users with
open files, you are prompted to enter the number of minutes to delay before terminating. If the CIFS service is
terminated immediately on a host that has one or more files open, users will not be able to save changes. You
can use the -t option to warn users of an impending service shutdown. If you execute cifs terminate
from rsh, you must supply the -t option.

EXAMPLE                           RESULT
cifs terminate -t 10 gloriaswan   Terminates a session in 10 minutes for the host gloriaswan.
                                  Alerts are sent periodically to the affected host(s).
cifs terminate -t 0               Terminates all CIFS sessions immediately for all clients.
cifs restart                      Reconnects the storage appliance to the domain controller and
                                  restarts CIFS service.



Creating and Deleting
Shares


CREATING AND DELETING SHARES



Default Shares

• As you recall, three default share definitions are created upon completion of cifs setup:
  – C$
  – ETC$
  – HOME
• But you can create new shares…


DEFAULT SHARES



Creating a Share

• When you create a share, you must provide:
  – Complete path name
  – Name of the share
  – Optionally, a description of the share
• Data ONTAP CLI also allows:
  – Group membership for files in the share
  – Support for wide symbolic links
  – Disabling or enabling of virus scanning when files in the share are first opened
• MMC also allows permissions for the share


CREATING A SHARE
When you create a share, you must provide these items:
• The complete path name of an existing volume or directory to be shared
• The name of the share entered by users when they connect to the share
• Optionally, a description of the share
When creating a share from the Data ONTAP command-line interface, you can specify a variety of share
properties, including group membership for files in the share, support for wide symbolic links, and disabling
of virus scanning when files in the share are first opened. Virus scanning occurs when files are opened,
renamed, and closed after being modified.
Microsoft interfaces additionally allow the administrator to set permissions as the share is created.



Creating a Share (Cont.)

• Additional properties can be set or modified after creating a share:
  – Maximum number of users who can simultaneously access the share
    • If not specified, the limit is defined by the storage system’s memory
  – Share-level access control list (ACL)


CREATING A SHARE (CONT.)


After you have created a share, you can specify these share properties:
• Maximum number of users who can simultaneously access the share
  – If you do not specify a number, the number of users is limited by storage system memory
• Share-level access control list (ACL)



CLI: Preparing to Create a Share

• You can create shares for folders, qtrees, or volumes
• For example:
  – To prepare for creating a share on a qtree, first create the following resources:
    • An aggregate (aggr1)
    • A flexible volume (flexvol1) on aggr1
    • A qtree (datatree1) on flexvol1

NOTE: This path example will be used throughout this module


CLI: PREPARING TO CREATE A SHARE


You can create shares for volumes or directories including qtrees.
For example, to prepare for creating a share on a qtree, first create the following resources:
• An aggregate (aggr1)
• A flexible volume (flexvol1) on aggr1
• A qtree (datatree1) on flexvol1



CLI: Adding a Share

• As an example, add a share called datatree1 (for the qtree datatree1)
system> cifs shares -add datatree1 /vol/flexvol1/datatree1 -comment "Qtree for Windows Users"
The share name 'datatree1' will not be accessible by some MS-DOS workstations
Are you sure you want to use this share name? [n]: y

Name         Mount Point               Description
----         -----------               -----------
datatree1    /vol/flexvol1/datatree1   Qtree for Windows Users
    everyone / Full Control

Default access control (discussed later)


CLI: ADDING A SHARE


For example, on a storage system, add a share called datatree1 (for the qtree datatree1).
system> cifs shares -add datatree1 /vol/flexvol1/datatree1 -comment "Qtree for Windows Users"
The share name 'datatree1' will not be accessible by some MS-DOS workstations
Are you sure you want to use this share name? [n]: y
system> cifs shares datatree1
Name         Mount Point               Description
----         -----------               -----------
datatree1    /vol/flexvol1/datatree1   Qtree for Windows Users
    everyone / Full Control
The default access control is full control for everyone.
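As an added example (not part of the NetApp course material), the following Python script parses a constructed cifs shares listing in the format shown above and flags every share whose ACL grants everyone Full Control, the default that cifs shares -add applies when no ACL is given; it assumes the ACL lines are indented beneath their share line, as the storage system prints them.

```python
"""Audit a Data ONTAP 7-Mode `cifs shares` listing for shares that grant
everyone Full Control (the default access control cifs shares -add applies)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, modelled on the listings in the text. ACL entries are
# assumed to be indented beneath their share line, as the storage system
# prints them (the slide extraction flattened that indentation).
SAMPLE_OUTPUT = """\
Name         Mount Point               Description
----         -----------               -----------
ETC$         /etc                      Remote Administration
             BUILTIN\\Administrators / Full Control
HOME         /vol/vol0/home            Default Share
             everyone / Full Control
C$           /                         Remote Administration
             BUILTIN\\Administrators / Full Control
datatree1    /vol/flexvol1/datatree1   Qtree for Windows Users
             everyone / Full Control
"""

# The three shares cifs setup creates, per the text.
DEFAULT_SHARES = {"C$", "ETC$", "HOME"}


@dataclass
class Share:
    name: str
    mount_point: str
    description: str
    acl: List[Tuple[str, str]] = field(default_factory=list)  # (principal, access)


def parse_cifs_shares(text: str) -> List[Share]:
    """Parse `cifs shares` output into Share objects with their ACL entries."""
    shares: List[Share] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "----")):
            continue  # blank or column-header line
        if line[0].isspace():
            # Indented line: an ACL entry "<principal> / <access level>"
            principal, sep, access = line.strip().partition(" / ")
            if sep and shares:
                shares[-1].acl.append((principal, access))
            continue
        # Share line: name, mount point, then the free-text description
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[1].startswith("/"):
            continue  # defensive: not a share line
        description = parts[2].strip() if len(parts) > 2 else ""
        shares.append(Share(parts[0], parts[1], description))
    return shares


def audit_everyone_full_control(shares: List[Share]) -> List[Tuple[str, bool]]:
    """Return (share name, is_default_share) for each share whose ACL gives
    'everyone' Full Control; user-created shares in this list still carry
    the default access control and need a share-level ACL of their own."""
    findings = []
    for share in shares:
        if any(p.lower() == "everyone" and a.lower() == "full control"
               for p, a in share.acl):
            findings.append((share.name, share.name in DEFAULT_SHARES))
    return findings


if __name__ == "__main__":
    for name, is_default in audit_everyone_full_control(parse_cifs_shares(SAMPLE_OUTPUT)):
        kind = "default share" if is_default else "user-created share"
        print(f"{name}: everyone has Full Control ({kind})")
```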



NetApp System Manager: Adding a Share

(Screenshot: in System Manager, select Shares/Exports and follow the wizard…)


NETAPP SYSTEM MANAGER: ADDING A SHARE



MMC: Adding a Share

(Screenshot: in the console tree, right-click Shares and choose New Share...; the path always begins with C:\vol\)


MMC: ADDING A SHARE


As an example with the Windows Computer Management GUI, add a new share called datatree1 (for the
qtree datatree1) on volume flexvol1 by performing the following steps:
• In the console tree, right-click the Shares folder and choose New Share…. The Welcome to the Share a
Folder Wizard appears.
• Click the Next button to start the wizard, and the Folder path page displays with the Computer name text
box showing your storage system name or IP address.
• In the Folder path text box, type the path C:\vol\flexvol1\datatree1 for the datatree1 share, and click the
Next button.



MMC: Adding a Share (Cont.)

Choose New Share...

Click the Customize button.


MMC: ADDING A SHARE (CONT.)


(The following continues the adding of a CIFS share.)
ƒ On the “Name, Description, and Settings” page, in the Share name text box, enter datatree1.
ƒ In the Description text box, type Qtree for Windows Users, and then click the Next button.
ƒ In the “Permissions” page, mark the Use custom share and folder permissions radio button, and then
click the Customize button.

7 - 33 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


MMC: Adding a Share (Cont.)


MMC: ADDING A SHARE (CONT.)


(The following continues the adding of a CIFS share.)
ƒ In the Customize Permissions window, mark the check boxes for Full Control, Change, and Read, and
click the OK button.
ƒ In the Permissions page, click the Finish button.
ƒ You receive a message stating that sharing was successful.
ƒ Click the Close button to close the wizard.

7 - 34 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


CLI: Deleting a Share

ƒ As an example, delete the share called datatree1
system> cifs shares -delete datatree1
system> cifs shares
Name Mount Point Description
---- ----------- -----------
ETC$ /etc Remote Administration
BUILTIN\Administrators / Full Control
HOME /vol/vol0/home Default Share
everyone / Full Control
C$ / Remote Administration
BUILTIN\Administrators / Full Control

NOTE: The share datatree1 is deleted, not the underlying volume, qtree, or directory


CLI: DELETING A SHARE


For example, delete the share called datatree1:
system> cifs shares -delete datatree1
system> cifs shares
Name Mount Point Description
---- ----------- -----------
ETC$ /etc Remote Administration
BUILTIN\Administrators / Full Control
HOME /vol/vol0/home Default Share
everyone / Full Control
C$ / Remote Administration
BUILTIN\Administrators / Full Control
NOTE: The share datatree1 is deleted.

7 - 35 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


NetApp System Manager: Deleting a Share

Select the share and click Stop Sharing


NETAPP SYSTEM MANAGER: DELETING A SHARE

7 - 36 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


MMC: Deleting a Share

Right-click datatree1 share

Choose Stop Sharing

Click the Yes button to confirm stop sharing datatree1


MMC: DELETING A SHARE


As an example with the Windows Computer Management GUI, delete the share called datatree1 by
performing the following steps:
ƒ In the Computer Management window, right-click the datatree1 share and choose Stop Sharing.
ƒ In the Shared Folders window, when it asks if you are sure that you wish to stop sharing datatree1, click
the Yes button.

7 - 37 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


Module Summary


MODULE SUMMARY

7 - 38 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


Module Summary

In this module, you should have learned to:


ƒ Display all shares available on the storage
system
ƒ List the default shares
ƒ Configure a client machine to access any
share
ƒ Identify the CIFS sessions established by
accessing a share on the storage system
ƒ Add, modify, and delete shares


MODULE SUMMARY

7 - 39 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


Exercise
Module 7: CIFS Shares and
Sessions
Estimated Time: 15 minutes

EXERCISE
Please refer to your Exercise Guide for more instruction.

7 - 40 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


Check Your Understanding

ƒ For which storage objects can you create shares?
ƒ What are three methods to manage CIFS shares?
ƒ What command would you use to view the connected CIFS users?


CHECK YOUR UNDERSTANDING

7 - 41 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Shares and Sessions


CIFS Access
Control
Module 8
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode

CIFS ACCESS CONTROL

8-1 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Module Objectives

By the end of this module, you should be able to:


ƒ Create and manage local users for a storage system
ƒ Identify how to create a local group and make a local
user a member of that group
ƒ Use the command-line interface, NetApp® System
Manager or Microsoft® tools to add, delete, and modify
access permissions of shares
ƒ Use Microsoft tools to add, delete, and modify access
permissions of files and folders


MODULE OBJECTIVES

8-2 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local Users


LOCAL USERS

8-3 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local Users

Local users are:


ƒ Accounts that are authenticated locally
ƒ Associated with groups on the storage system
ƒ Created and managed using the useradmin
command or a text editor
ƒ Saved in /etc/registry or /etc/passwd


LOCAL USERS
On the storage system, the domain administrators group and the local administrator account are part of the
BUILTIN\Administrators group. They can do the following:
ƒ Provide a text editor to edit configuration files. Data ONTAP® does not include an editor.
ƒ Provide the ability to administer a storage system and hence have access to the root file system (C$ and
ETC$).
ƒ Modify the share access for C$ and ETC$ to grant additional users access.
ƒ The local administrator can set up local users on the storage system with the useradmin user add
command.

8-4 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Purpose of Local Users

Two main reasons for local user authentication:


1. Provides local administrators the ability to
configure the storage system
– Discussed in the Data ONTAP 8.0 7-Mode
Administration course
2. Provides local client users access to the
resources on the storage system for all
environments
– Windows® workgroup
– Non-Windows workgroup
– Windows domain

NOTE: You can create a maximum of 96 local user accounts



PURPOSE OF LOCAL USERS


Reasons for local user accounts include the following:
ƒ Windows workgroup
– You must create local user accounts so that the storage system can authenticate local users.
ƒ Non-Windows workgroup (UNIX mode)
– Do not create local user accounts because the storage system authenticates users with the UNIX password
(/etc/passwd) database.
ƒ Windows domain
– The storage system can authenticate users (with the local user accounts) who try to connect to the storage
system from an untrusted domain.
– Local users can access the storage system when the domain controller is down or not available for domain
authentication.
NOTE: You can create a maximum of 96 local user accounts.

8-5 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Purpose of Local Users (Cont.)

When the CIFS server is configured for:


ƒ Windows workgroup
– You must create local user accounts so that the
storage system can authenticate users
– Use the useradmin command
– User accounts are stored in /etc/registry
ƒ Non-Windows workgroup (UNIX mode)
– You must create local UNIX users
– Use the passwd command
– User accounts are stored in /etc/passwd and
/etc/shadow

PURPOSE OF LOCAL USERS (CONT.)

8-6 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Purpose of Local Users (Cont.)

When the CIFS server is configured for:


ƒ Windows domain
– Storage system can authenticate users (with the
local user accounts) who try to connect to the
storage system from an untrusted domain
– Local users can access the storage system
when the domain controller is down or not
available for domain authentication
– Use the useradmin command
– User accounts are stored in /etc/registry


PURPOSE OF LOCAL USERS (CONT.)

8-7 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local Administrator

As you recall, during cifs setup, the local administrator account may be created:

It is highly recommended that you create the local
administrator account: (system\administrator) for
this filer. This account allows access to CIFS
from Windows when domain controllers are not
accessible.

Do you want to create the system\administrator account? [y]:

Enter the new password for system\administrator:
Retype the password:


LOCAL ADMINISTRATOR

8-8 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local User Definitions

List the local users on the storage system

system> useradmin user list
Name: root
Info: Default system administrator.
Rid: 0
Groups:

Name: administrator
Info: Built-in account for administering the filer
Rid: 500
Groups: Administrators

Callout for root: This is the storage system root user account


LOCAL USER DEFINITIONS


A local administrator is added to the user list if the response during cifs setup was to create a local
administrator account for the storage system. Be sure to set an appropriate password for the administrator
account.

8-9 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Administrating Local Users

ƒ Local users
– Must provide a unique name
– Associate user to a group
– Created only by way of the command-line
interface’s useradmin command when the
storage system is set to CIFS workgroup
authentication


ADMINISTRATING LOCAL USERS

8 - 10 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local User Management

ƒ Manage local users fully by using the command-line interface useradmin command
ƒ To add a new local user:
system> useradmin user add user -g group
ƒ To modify a local user:
system> useradmin user modify user -g group
ƒ To list user information:
system> useradmin user list user
ƒ To delete a local user:
system> useradmin user delete user


LOCAL USER MANAGEMENT

8 - 11 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


CLI: Adding a New Local User

ƒ As an example, add a local user called Jane to the predefined Guests group

NOTE: User names are not case sensitive

system> useradmin user add jane -g Guests
New password:
Retype new password:
user <jane> added.
system> Mon Jul 31 01:13:18 GMT [useradmin.added.deleted:info]: The user 'jane' has been added.

Callout: Password is typed but not displayed


CLI: ADDING A NEW LOCAL USER


As an example, add a local user called Jane to the predefined Guests group.
NOTE: User names are not case sensitive.
system> useradmin user add jane -g Guests
New password:
Retype new password:
User <jane> added.
system> Mon Jul 31 01:13:18 GMT [useradmin.added.deleted:info]: The user 'jane' has been added.
NOTE: The password is typed but not displayed.

8 - 12 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


CLI: Adding a New Local User (Cont.)

ƒ In the example, verify that the local user Jane has been added to the predefined Guests group

system> useradmin user list jane
Name: jane
Info:
Rid: 131075
Groups: Guests
Full Name:
Allowed Capabilities:
Password min/max age in days: 0/4294967295
Status: enabled


CLI: ADDING A NEW LOCAL USER (CONT.)


In the example, verify that the local user Jane has been added to the predefined Guests group.
system> useradmin user list jane
Name: jane
Info:
Rid: 131075
Groups: Guests
Allowed Capabilities:
Password min/max age in days: 0/4294967295
Status: enabled
NOTE: Jane has no allowed capabilities in the Guests group, but she can log in and be authenticated.

8 - 13 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local Groups


LOCAL GROUPS

8 - 14 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Local Groups

ƒ Local groups
– Contain local and domain users
– Created only by way of the command-line
interface’s useradmin command when the
storage system is set to CIFS workgroup
authentication


LOCAL GROUPS
MMC tools have some capabilities that are discussed in the next module, because they are available only when
the storage system is using CIFS domain authentication.

8 - 15 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


CLI: Group Management
ƒ Manage local groups by using the command-line
interface command useradmin
– To add a new group:
system> useradmin group add group -r role
– To modify an existing group:
system> useradmin group modify group -g newName
– To list group information:
system> useradmin group list group
– To delete a group:
system> useradmin group delete group


CLI: GROUP MANAGEMENT

8 - 16 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


CLI: Local Groups
ƒ As an example, add a local group called Helpers with the predefined admin role
system> useradmin group add Helpers -r admin
Group <Helpers> added.
system> Mon Jul 31 02:02:43 GMT [useradmin.added.deleted:info]: The group 'Helpers' has been added.
system> useradmin group list Helpers
Name: Helpers
Info:
Rid: 131076
Roles: admin
Allowed Capabilities: login-*, cli-*, api-*, security-*


CLI: LOCAL GROUPS


As an example, add a local group called Helpers with the predefined admin role and verify the results.
system> useradmin group add Helpers -r admin
Group <Helpers> added.
system> Mon Jul 31 02:02:43 GMT [useradmin.added.deleted:info]: The group 'Helpers' has been added.
system> useradmin group list Helpers
Name: Helpers
Info:
Rid: 131076
Roles: admin
Allowed Capabilities: login-*,cli-*,api-*,security-*
NOTE: The admin role has full capabilities.
When groups are created, they are placed in the lclgroups.cfg file. Normally, this file is for administrative
reference only; it is not used to reload groups into the system memory. However, sometimes you need Data
ONTAP to reload this file, for example, when you migrate a storage system. Do not edit this file without
direction from Technical Support.

8 - 17 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Share Permissions


SHARE PERMISSIONS

8 - 18 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Permissions

ƒ Permissions can be set at:


– Share level
– Folder or file level
ƒ Both permission levels must be satisfied to
gain access to the resource


PERMISSIONS

8 - 19 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Share Permissions

ƒ Share permissions can be managed by:


– Command-line interface: cifs access
command
– NetApp System Manager
– MMC such as Computer Management
ƒ Windows share permissions are the following:
– Read-only
– Full control
– Change
ƒ If all the permissions are denied, then there is
no access

SHARE PERMISSIONS

8 - 20 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


cifs access Command
ƒ The command-line interface cifs access command
sets or modifies the share-level ACL to share definitions
– To modify a share access:
cifs access <share> [-g] [user_rights]
– To delete an ACL entry for a user on a share:
cifs access -delete <share> [-g] [user]
ƒ The -g option specifies that the user is the name of a
UNIX group; use this command when you have:
– A UNIX group and a UNIX user or an NT user or
group with the same name


CIFS ACCESS COMMAND


The command-line interface cifs access command sets or modifies the share-level access control list (ACL) to
share definitions.
ƒ To modify a share access:
cifs access <sharename> [-g] [user_rights]
ƒ To delete an ACL entry for a user on a share:
cifs access -delete <sharename> [-g] [user]
The -g option specifies that the user is the name of a UNIX group. Use this command when you have a UNIX
group and a UNIX user or an NT user or group with the same name.

8 - 21 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


CLI: Setting and Deleting Share Access
ƒ As an example, on the datatree1 share, set the share access for the friends group to Full Control and delete the Everyone access
system> cifs access datatree1 friends Full Control
1 share(s) have been successfully modified

system> cifs access -delete datatree1 everyone
1 share(s) have been successfully modified

system> cifs shares datatree1
Name Mount Point Description
---- ----------- -----------
datatree1 /vol/flexvol1/datatree1 Windows Qtree
system\friends / Full Control

NOTE: This is the storage system local administrator


CLI: SETTING AND DELETING SHARE ACCESS
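As an added example (not NetApp's code and not part of the course), the following Python script parses the `cifs shares` listing format shown in this module, evaluates a user's share-level right, flags shares still carrying the default everyone / Full Control entry, and intersects the share-level right with the NTFS-level right, since both levels must be satisfied. The sample listing and the principal names (the friends group, the user jane) are constructed for the demonstration.

```python
"""Audit Data ONTAP 7-Mode share-level ACLs from `cifs shares` output.

Added example, not NetApp code. The listing below is constructed in the
format this module shows; the friends group and the user jane are made up.
"""
import re

# Constructed sample of `cifs shares` output (same layout as the course slides).
SAMPLE_CIFS_SHARES = """\
Name         Mount Point                  Description
----         -----------                  -----------
ETC$         /etc                         Remote Administration
                BUILTIN\\Administrators / Full Control
HOME         /vol/vol0/home               Default Share
                everyone / Full Control
C$           /                            Remote Administration
                BUILTIN\\Administrators / Full Control
datatree1    /vol/flexvol1/datatree1      Qtree for Windows Users
                system\\friends / Full Control
                everyone / Read
"""

# Windows share permissions from least to most privileged.
RIGHTS_ORDER = ["No Access", "Read", "Change", "Full Control"]

# An ACL entry: "<principal> / <right>", listed under its share.
ACL_RE = re.compile(r"^\s*(\S+)\s+/\s+(No Access|Read|Change|Full Control)\s*$")
# A share header: "<name> <mount point starting with /> <description>".
SHARE_RE = re.compile(r"^(\S+)\s+(/\S*)\s*(.*)$")


def parse_cifs_shares(text):
    """Return {share: {"mount_point", "description", "acl": {principal: right}}}.
    Principals are lowercased because Windows names are case-insensitive."""
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "----")):
            continue
        acl = ACL_RE.match(line)          # test ACL lines first: an unindented
        if acl and current is not None:   # "everyone / Read" also fits SHARE_RE
            shares[current]["acl"][acl.group(1).lower()] = acl.group(2)
            continue
        hdr = SHARE_RE.match(line)
        if hdr:
            current = hdr.group(1)
            shares[current] = {"mount_point": hdr.group(2),
                               "description": hdr.group(3).strip(), "acl": {}}
    return shares


def share_access(share, principals):
    """Share-level right for a user whose identity is the set `principals`
    (user name, group names, and always 'everyone'). The most privileged
    matching entry wins, but a 'No Access' entry for any principal denies
    everything, and no matching entry at all means no access."""
    names = {p.lower() for p in principals}
    granted = [right for who, right in share["acl"].items() if who in names]
    if not granted or "No Access" in granted:
        return "No Access"
    return max(granted, key=RIGHTS_ORDER.index)


def effective_access(share_right, ntfs_right):
    """Both levels must be satisfied, so the effective right is the lesser of
    the share-level right and the NTFS folder/file right (NTFS rights mapped
    onto the same coarse scale: Modify -> Change, Read & Execute -> Read)."""
    return min(share_right, ntfs_right, key=RIGHTS_ORDER.index)


def audit_everyone_full_control(shares):
    """Shares still carrying the default ACL (everyone / Full Control)."""
    return sorted(n for n, s in shares.items()
                  if s["acl"].get("everyone") == "Full Control")


if __name__ == "__main__":
    shares = parse_cifs_shares(SAMPLE_CIFS_SHARES)
    for name, s in shares.items():
        print(f"{name:<10} {s['mount_point']:<25} {s['acl']}")
    print("default everyone/Full Control still on:", audit_everyone_full_control(shares))
    jane = {"system\\jane", "everyone"}
    print("jane on datatree1 (share level):", share_access(shares["datatree1"], jane))
    print("jane on datatree1 with NTFS Modify:",
          effective_access(share_access(shares["datatree1"], jane), "Change"))
```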

8 - 22 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


System Manager: Setting Share Access

Select the share and right-click or click Edit

Click the Share Permissions tab

Click the Add button to add Windows users or groups to the share

Click the Local button to add Data ONTAP users or groups


SYSTEM MANAGER: SETTING SHARE ACCESS

8 - 23 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


System Manager: Deleting Share Access

Select everyone

Click the Remove button

Click the OK or Apply button to commit the changes


SYSTEM MANAGER: DELETING SHARE ACCESS

8 - 24 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


MMC: Setting and Deleting Share Access

Connect to storage system

Right-click datatree1 share

Choose Properties

Click the Share Permissions tab


MMC: SETTING AND DELETING SHARE ACCESS


As an example with Windows Computer Management GUI, on the datatree1 share, set the share access for the
administrator to Full Control and delete the Everyone access by performing the following steps:
ƒ Right-click the datatree1 share and choose Properties.
ƒ In the datatree1 Properties window, the General tab appears displaying the share name, folder path, and
description for the datatree1 share. Click the Share Permissions tab.

8 - 25 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


MMC: Managing Share Access (Cont.)

Location of users or groups

Click the Add button

Type Friends


MMC: MANAGING SHARE ACCESS (CONT.)


(The following continues the setting and deleting of share access.)
ƒ In the Share Permissions tab, click the Add button. The Select Users, Computers, or Groups window
appears.
ƒ In the Enter the object names to select text box, type friends group and click the OK button. The
datatree1 Properties window appears, displaying the new share access for the friends group.

8 - 26 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


MMC: Managing Share Access (Cont.)

Select Everyone
Full control (defaults to Read only)

Click the Remove button

Click the OK or Apply button to commit the changes


MMC: MANAGING SHARE ACCESS (CONT.)


(The following continues the setting and deleting of share access.)
ƒ In the datatree1 Properties window, select Everyone and click the Remove button to delete share access
for Everyone.
ƒ The datatree1 Properties window displays that the Everyone share access is deleted.

8 - 27 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


File Permissions


FILE PERMISSIONS

8 - 28 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Folder and File Permissions

ƒ A storage system stores the NTFS file-level


permissions for folders and files
– Managed only from a Windows client or GPOs
ƒ Standard Windows GUI tools display and set
permissions
ƒ Manage permissions as you would an NTFS
file system on a Windows workstation or
server


FOLDER AND FILE PERMISSIONS


A storage system stores the NTFS file-level permissions for folders and files. They can be managed from a
Windows client only or Group Policy Objects (GPOs).
Standard Windows GUI tools display and set permissions. Manage permissions as you would an NTFS file
system on a Windows workstation or server.

8 - 29 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


File Permissions of a Mapped Drive

Right-click and choose Properties


FILE PERMISSIONS OF A MAPPED DRIVE


To display the file permissions, perform the following steps:
ƒ From a mapped network drive, right-click the file.
ƒ Choose Properties from the shortcut menu.

8 - 30 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Security Tab

Click the Security tab

NOTE: Grayed out permission is inherited from parent folders

The Everyone system group has full control for permissions,
including Modify, Read & Execute, Read, Write, and Special Permissions


SECURITY TAB
ƒ In the file Properties window, click the Security tab.
ƒ Note the group and user names and the permissions for the group or user.
ƒ Click the OK button.
In this example, the Everyone system group has full control for permissions including Modify, Read &
Execute, Read, Write, and Special Permissions.

8 - 31 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Access-Based
Enumeration


ACCESS-BASED ENUMERATION

8 - 32 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Access-Based Enumeration
ƒ Share permissions conventionally allow users to view
shared folders or files regardless of whether the users
have access to them
– Causes security risk
ƒ Administrators can protect sensitive information using
the Access-Based Enumeration (ABE) option
cifs shares -change share
[-accessbasedenum | -noaccessbasedenum]
– May be set with -add switch when creating shares
– No ABE is the default


ACCESS-BASED ENUMERATION
Conventional share properties allow you to specify which users (individually or in groups) have permission to
view or modify shared resources. However, they do not allow you to control whether shared folders or files
are visible to users who do not have permission to access them. This could pose problems, if the names of
shared folders or files describe sensitive information, such as the names of customers or new products under
development.
Access-Based Enumeration (ABE) extends share properties to include the enumeration of shared resources.
When ABE is enabled on a CIFS share, users who do not have permission to access a shared folder or file
underneath it (whether through individual or group permission restrictions) do not see that shared resource
displayed in their environment. ABE therefore enables you to filter the display of shared resources based on
user access rights.
ABE for a CIFS share on a NetApp storage system can be managed by the cifs shares option
[-accessbasedenum | -noaccessbasedenum].

8 - 33 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Access-Based Enumeration (Cont.)

Without ABE

With ABE


ACCESS-BASED ENUMERATION (CONT.)


The two figures illustrate how ABE affects the Data ONTAP directory listing. In the first figure, all the
folders under the share “customer data” are visible to the user, even though the user does not have access to
some of the folders containing sensitive information. In the bottom figure, after enabling ABE on this share,
users can see only the folders to which they have access.
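As an added example, not the course's own code, the following Python simulates what ABE changes in the listing of the "customer data" share described above: with ABE off every folder name is enumerated, with ABE on only readable folders are, and direct access is decided by the ACL either way. The folder names and the simplified read-permission sets are constructed.

```python
"""Access-Based Enumeration (ABE) simulated on the 'customer data' share.

Added example, not NetApp code. Folder names and the simplified read
permissions are constructed; each ACL is reduced to the set of principals
allowed to read that folder.
"""

# Constructed: folder -> principals (lowercase) holding NTFS read permission.
CUSTOMER_DATA = {
    "acme-merger": {"domain\\legal"},
    "widgets-2010": {"domain\\sales", "domain\\legal"},
    "public-pricelist": {"everyone"},
}


def can_read(folder_acl, principals):
    """NTFS-level check: any of the user's principals is granted read."""
    return bool(folder_acl & {p.lower() for p in principals})


def list_share(entries, principals, abe_enabled):
    """Directory listing as a client sees it. With ABE off (the default),
    every name is enumerated regardless of access; with ABE on, only the
    folders the user can read are returned."""
    if not abe_enabled:
        return sorted(entries)
    return sorted(name for name, acl in entries.items() if can_read(acl, principals))


def open_folder(entries, name, principals):
    """Direct access by name is decided by the ACL alone: ABE changes
    visibility, not rights, so a hidden folder is still denied and a
    visible one is still allowed."""
    if name not in entries:
        raise FileNotFoundError(name)
    if not can_read(entries[name], principals):
        raise PermissionError(name)
    return entries[name]


def name_leakage(entries, principals):
    """Folder names the user learns from a listing without ABE even though
    the folder itself is off limits: exactly what ABE suppresses."""
    without = set(list_share(entries, principals, abe_enabled=False))
    with_abe = set(list_share(entries, principals, abe_enabled=True))
    return sorted(without - with_abe)


if __name__ == "__main__":
    sales_user = {"domain\\bob", "domain\\sales", "everyone"}
    print("without ABE:", list_share(CUSTOMER_DATA, sales_user, abe_enabled=False))
    print("with ABE:   ", list_share(CUSTOMER_DATA, sales_user, abe_enabled=True))
    print("names leaked without ABE:", name_leakage(CUSTOMER_DATA, sales_user))
    try:
        open_folder(CUSTOMER_DATA, "acme-merger", sales_user)
    except PermissionError as err:
        print("direct access still denied:", err)
```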

8 - 34 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Module Summary


MODULE SUMMARY

8 - 35 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Module Summary

In this module, you should have learned to:


ƒ Create and manage local users for a storage system
ƒ Identify how to create a local group and make a local
user a member of that group
ƒ Use the command-line interface, NetApp System
Manager or Microsoft tools to add, delete, and modify
access permissions of shares
ƒ Use Microsoft tools to add, delete, and modify access
permissions of files and folders


MODULE SUMMARY

8 - 36 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: CIFS Access Control


Exercise
Module 8: CIFS Access Control
Estimated Time: 30 minutes

EXERCISE
Please refer to your Exercise Guide for more instruction.



Check Your Understanding

ƒ What is the purpose of a local administrator account on a storage system, and why does cifs setup recommend creating one?
ƒ What does it mean when a storage system is configured for multiprotocol access?
ƒ What command adds local users and groups to the storage system?



CIFS Domains
Module 9
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode



Module Objectives

By the end of this module, you should be able to:

ƒ Terminate the CIFS service to prepare for CIFS domain configuration
ƒ Reconfigure the CIFS service for a Windows® domain
ƒ Identify the resulting files
ƒ Create domain users and add the domain users to a local storage system group
ƒ Set up Preferred Domain Controllers (DCs)



Reconfiguring CIFS Using cifs setup


Reconfiguring CIFS

ƒ To reconfigure CIFS on a storage system:
  1. Disconnect users and stop CIFS service:
     cifs terminate
  2. Reconfigure CIFS service:
     cifs setup
  ƒ CIFS server restarts with the new configuration
ƒ Next we will investigate reconfiguring a storage system for an Active Directory domain

RECONFIGURING CIFS
To reconfigure CIFS on a storage system:
ƒ Disconnect users and stop CIFS service:
– cifs terminate
ƒ Reconfigure CIFS service:
– cifs setup
The storage system automatically attempts to restart the CIFS service with the new CIFS configuration.



CLI cifs setup: AD

(1) Active Directory domain authentication
    (Active Directory domains only)
(2) Windows NT 4 domain authentication
    (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]:

CLI CIFS SETUP: AD


This is an example of the administrator configuring the storage system for an Active Directory (AD) domain.



CLI cifs setup: AD (Cont.)
What is the name of the Active Directory domain? []: development.netappu.com

In Active Directory-based domains, it is essential that the filer's time match the domain's internal time so that the Kerberos-based authentication system works correctly.
If the time difference between the filer and the domain controllers is more than 5 minutes, CIFS authentication will fail. Time services currently are not configured on this filer.

Would you like to configure time services? [y]:

CLI CIFS SETUP: AD (CONT.)


AD uses a time-based key mechanism. It is important for the domain controller and the storage system to be
in sync by five (5) minutes or less.



CLI cifs setup: AD (Cont.)
CIFS Setup will configure basic time services. To continue, you must specify one or more time servers. Specify values as a comma or space separated list of server names or IPv4 addresses. In Active Directory-based domains, you can also specify the fully qualified domain name of the domain being joined (for example: "DEVELOPMENT.NETAPPU.COM") and time services will use those domain controllers as time servers.

Enter the time server host(s) and/or address(es) [DEVELOPMENT.NETAPPU.COM]: 10.254.134.2

NOTE: The IP address is for the domain controller or a time server

Would you like to specify additional time servers? [n]:

Wed Jun 21 16:28:22 GMT [rc:ALERT]: timed: time daemon started

CLI CIFS SETUP: AD (CONT.)


The IP address is for the domain controller or a time server. It is best to enter the IP address of the main (root) domain controller for the domain.
The timed daemon allows the storage system to synchronize its time with external resources.
You need to configure the following:
ƒ options timed.max_skew 30m
ƒ options timed.proto ntp
ƒ options timed.sched hourly
ƒ options timed.servers [server_ip_or_name,…]
ƒ options timed.enable on
ƒ options timed.log on



CLI cifs setup: AD (Cont.)
In order to create an Active Directory machine account for the filer, you must supply the name and password of a Windows account with sufficient privileges to add computers to the DEVELOPMENT.NETAPPU.COM domain.

Enter the name of the Windows user [[email protected]]:

[This Windows user is the domain administrator or any other account with privileges to add computer accounts to the domain.]

Password for [email protected]:

CIFS - Logged in as [email protected].

CLI CIFS SETUP: AD (CONT.)


This Windows user is the domain account administrator that has privileges to join (add) the storage system to
the domain controller.



CLI cifs setup: AD (Cont.)
The user that you specified has permission to create the filer's machine account in several (4) containers. Please choose where you would like this account to be created.
(1) CN=computers
(2) OU=Domain Controllers
(3) OU=Additional_OU
(4) OU=sub_Additional_OU,OU=Additional_OU
(5) None of the above
Selection (1-5)? [1]: 1

NOTE: CN means common name

The storage system is being registered in Active Directory as a computer under the default OU

CLI CIFS SETUP: AD (CONT.)


The container list displays Organizational Units (OUs) in which you have permission to create computer
accounts. The list reflects your AD domain structure and may contain customized OUs.



CLI cifs setup: AD (Cont.)
Wed Jun 21 16:29:23 GMT [wafl.quota.sec.change:notice]: security style for /vol/vol0/ changed from unix to ntfs

CIFS - Starting SMB protocol...

It is highly recommended that you create the local administrator account (system\administrator) for this filer. This account allows access to CIFS from Windows when domain controllers are not accessible.

Do you want to create the system\administrator account? [y]:

Enter the new password for system\administrator:

Retype the password:

CLI CIFS SETUP: AD (CONT.)


The local administrator account has privileges to administer CIFS on the storage system even if the domain controller is down. The local administrator can set up local users on the storage system with the useradmin user add command.



CLI cifs setup: AD (Cont.)
Currently, the user "system\administrator" and members of the group "DEVELOPMENT\Domain Admins" have permission to administer CIFS on this filer. You may specify an additional user or group to be added to the filer's "BUILTIN\Administrators" group, thus giving them administrative privileges as well.
Would you like to specify a user or group that can administer CIFS? [n]:

Wed Jun 21 16:30:18 GMT [nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
Welcome to the DEVELOPMENT.NETAPPU.COM (DEVELOPMENT) Active Directory(R) domain.
CIFS local server is running.


Reconfiguring CIFS Using NetApp System Manager


System Manager: CIFS Setup

[Screenshot. Callout: prior to setting up CIFS, verify DNS.]


System Manager: CIFS Setup (Cont.)

[Screenshot. Callout: to configure CIFS.]


System Manager: CIFS Setup (Cont.)

[Screenshots of the CIFS setup wizard pages; these slides carry no text.]


System Manager: CIFS Setup (Cont.)

[Screenshot. Callout: CIFS services configuration.]




Results

Additional files created in domain environment:
ƒ /etc/filersid.cfg
  – Contains the storage system SID
ƒ /etc/cifssec.cfg
  – Contains the Windows domain SID

NOTE: These files are not readable; do not edit the files

RESULTS
The /etc/filersid.cfg file is created in a domain environment and contains the storage system security ID
(SID).
The /etc/cifssec.cfg file contains the Windows domain controller account information.
NOTE: These files are not readable; do not edit the files.



lclgroups.cfg Changes
ƒ Domain administrators are added to lclgroups.cfg:
system> rdfile /etc/lclgroups.cfg
[ "Replicators" 552 ( "not supported" ) ]
[ "Backup Operators" 551 ( "Members can bypass file security to backup files" ) ]
[ "Power Users" 547 ( "Members that can share directories" ) ]
[ "Guests" 546 ("Users granted Guest Access") ]
[ "Users" 545 ( "Ordinary Users" ) ]
[ "Administrators" 544 ( "Members can fully administer the filer" ) ]
S-1-5-21-265246955-68147109-1151652928-500
S-1-5-21-3723512375-496415379-1150184651-512

Callouts: the SID ending in -500 is the Local Administrator; the SID ending in -512 is the Domain Admins group.

ƒ Remember to use cifs lookup to resolve SIDs

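The listing above is the place to look when auditing who can fully administer the storage system, and the SIDs can be read without `cifs lookup` once you know that the last sub-authority (the RID) is a well-known value. The following is an added example, not NetApp code: it parses the `rdfile /etc/lclgroups.cfg` text shown on the slide (header lines wrapped across two lines included), attaches member SIDs to the group they follow, and labels each member as local or domain by comparing its SID prefix with the storage system's own SID. The `WELL_KNOWN_RIDS` table and the function names are this example's own; the sample text is the slide's listing.

```python
"""Parse a Data ONTAP /etc/lclgroups.cfg listing and decode member SIDs.

Added example, not NetApp code. The sample text is the listing shown on
the slide; the function names and the well-known RID table are this
example's own. Use it to answer "who can fully administer the storage
system?" from the file contents alone.
"""
import re

# Well-known relative identifiers (RIDs): the last sub-authority of a SID.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in account)",
    512: "Domain Admins (domain group)",
    519: "Enterprise Admins (domain group)",
    544: "Administrators (BUILTIN alias)",
}

GROUP_RE = re.compile(r'^\[\s*"([^"]+)"\s+(\d+)\s*\(\s*"([^"]*)"\s*\)\s*\]$')
SID_RE = re.compile(r'^S-1-\d+(?:-\d+)+$')


def parse_lclgroups(text):
    """Return a list of {name, rid, description, members} dicts.

    Group header lines may be wrapped onto two lines in the slide text, so
    lines are joined until a closing ']' is seen. Bare SID lines belong to
    the most recently seen group.
    """
    groups = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending or line.startswith("["):
            pending = (pending + " " + line) if pending else line
            if not pending.endswith("]"):
                continue            # header continues on the next line
            m = GROUP_RE.match(pending)
            pending = ""
            if not m:
                raise ValueError(f"unparsable group line: {raw!r}")
            groups.append({"name": m.group(1), "rid": int(m.group(2)),
                           "description": m.group(3), "members": []})
        elif SID_RE.match(line):
            if not groups:
                raise ValueError("member SID before any group header")
            groups[-1]["members"].append(line)
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return groups


def split_sid(sid):
    """Split a SID into (issuing-domain prefix, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def describe_member(sid, filer_sid_prefix):
    """Label a member SID: local vs domain, plus its well-known RID name."""
    prefix, rid = split_sid(sid)
    origin = "local" if prefix == filer_sid_prefix else "domain"
    return f"{origin}: {WELL_KNOWN_RIDS.get(rid, f'RID {rid}')}"


def admin_members(groups, filer_sid_prefix):
    """Members of the Administrators alias (RID 544), described."""
    for g in groups:
        if g["rid"] == 544:
            return [describe_member(s, filer_sid_prefix) for s in g["members"]]
    return []


# Sample input: the rdfile output shown on the slide.
SAMPLE = '''
[ "Replicators" 552 ( "not supported" ) ]
[ "Backup Operators" 551 ( "Members can bypass
file security to backup files" ) ]
[ "Power Users" 547 ( "Members that can share
directories" ) ]
[ "Guests" 546 ("Users granted Guest Access") ]
[ "Users" 545 ( "Ordinary Users" ) ]
[ "Administrators" 544 ( "Members can fully
administer the filer" ) ]
S-1-5-21-265246955-68147109-1151652928-500
S-1-5-21-3723512375-496415379-1150184651-512
'''

# The storage system's own SID (what /etc/filersid.cfg records) is the
# prefix of the RID-500 entry; taken from the sample listing here.
FILER_SID = "S-1-5-21-265246955-68147109-1151652928"

if __name__ == "__main__":
    for line in admin_members(parse_lclgroups(SAMPLE), FILER_SID):
        print(line)
```

Any SID in the Administrators group whose prefix is neither the storage system's own SID nor the joined domain's SID (the one in /etc/cifssec.cfg) is worth a second look, since it means a principal from a third SID space can fully administer the filer.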


Domain-Specific Commands

After configuring the storage system for a domain environment, do the following:
ƒ Display your domain information:
  – cifs domaininfo
ƒ Test the storage system connection using NetBIOS over TCP/IP if used:
  – When CIFS has been successfully started and is operational:
    ƒ cifs testdc
  – When the CIFS subsystem is not running:
    ƒ cifs testdc [WINSsvrIPaddress] domainname [storage_sys_name]



CLI: cifs domaininfo Command

ƒ Example output from the cifs domaininfo command:
system> cifs domaininfo
NetBios Domain: DEVELOPMENT
Windows 2000 Domain Name: Development.netappu.com
Type: Windows 2000
Filer AD Site: none



CLI: cifs domaininfo Command (Cont.)

ƒ Example output from the cifs domaininfo command (cont.):

Current Connected DCs: \\WIN2K3
Total DC addresses found: 2
Preferred Addresses: None
Favored Addresses: None
Other Addresses: 10.0.0.5 WIN2K3 PDC

Connected AD LDAP Server: \\win2k3.netapp.com
Preferred Addresses: None
Favored Addresses: None
Other Addresses: 10.0.0.5 win2k3.netapp.com
                 10.0.0.6 win2k3-2.netapp.com



CLI: cifs testdc Command
ƒ The following example is output from the cifs testdc command on a storage system in a domain
system> cifs testdc
Using Established configuration
B Mode = Uses broadcast
Current Mode of NBT is B Mode for name registration and Netbios scope "" resolution
Registered names...
system < 0> Broadcast
system < 3> Broadcast
system <20> Broadcast
GRUMPY < 0> Broadcast
GRUMPY < 3> Broadcast
GRUMPY <20> Broadcast
HAPPY < 0> Broadcast
HAPPY < 3> Broadcast
HAPPY <20> Broadcast

Callout: the three names registered for each host (suffixes < 0>, < 3>, <20>) correspond to the Workstation, Server, and Messenger services, respectively.

CLI: CIFS TESTDC COMMAND


For more information about NetBIOS over TCP/IP, see chapter 11 of TCP/IP Fundamentals for Microsoft® Windows: www.microsoft.com/downloads/details.aspx?familyid=c76296fd-61c9-4079-a0bb-582bca4a846f&displaylang=en.



CLI: cifs testdc Command (Cont.)
Output from the cifs testdc command (cont.):
SNEEZY < 0> Broadcast
SNEEZY < 3> Broadcast
SNEEZY <20> Broadcast
DEVELOPMENT < 0> Broadcast

Testing all Primary Domain Controllers
found 1 unique addresses
found PDC WIN2K3 at 10.0.0.5

Testing all Domain Controllers
found 1 unique addresses
found DC WIN2K3 at 10.0.0.5





Preferred DCs
ƒ Microsoft Active Directory members use a mechanism called "site awareness" to discover their closest domain controllers within AD
ƒ A site is a physical, geographical, or subnet boundary of the network
ƒ Storage system administrators accept the default and have cifs.site_awareness.enable turned on
ƒ Storage system administrators can override this default mechanism by setting preferences for other domain controllers
system> options cifs.site_awareness.enable off

PREFERRED DCS
Site awareness, also called site discovery, is the process of automatically discovering the preferred domain
controller. By default, a storage system is configured with cifs.site_awareness.enable turned on. A
storage administrator can override this default mechanism by turning the cifs.site_awareness.enable
option to off and setting preferred domain controllers using the cifs prefdc command.



Configuring prefdc List

The cifs prefdc command configures and displays CIFS preferred domain controller information
ƒ To display the preferred domain controller list:
system> cifs prefdc print [domain]
ƒ To add a preferred domain controller list:
system> cifs prefdc add domain address [address]
ƒ To delete a preferred domain controller list:
system> cifs prefdc delete domain
ƒ Example:
system> cifs prefdc print
No preferred domain controllers configured.
Domain controllers will be automatically discovered.

CONFIGURING PREFDC LIST


The cifs prefdc command configures and displays CIFS preferred domain controller information.
To display the preferred domain controller list:
ƒ cifs prefdc print [domain]
To add a preferred domain controller list:
ƒ cifs prefdc add domain address [address…]
To delete a preferred domain controller list:
ƒ cifs prefdc delete domain
In the following example, there are no preferred domain controllers configured and domain controllers will be
automatically discovered.
system> cifs prefdc print
No preferred Domain Controllers configured.
DCs will be automatically discovered.



DC Ping Ordering

[Figure: domain controllers ranked from best to worst: Preferred (specified by the admin), Favored (determined by DC ping ordering), Other.]

DC PING ORDERING
Most Windows server environments have multiple domain controllers. A NetApp® storage system contacts a
domain controller in the following order:
ƒ Preferred: Any domain controller(s) configured as preferred with the cifs prefdc command
ƒ Favored: Any domain controller(s) that is determined by site awareness rules to be readily accessible
ƒ Other: Any other domain controller(s) that is reachable
NOTE: DC ping occurs every time the CIFS service starts, every time cifs prefdc is executed, and every
four hours.

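To make the interaction between the `cifs prefdc` list and the preferred/favored/other ordering concrete, here is an added example that is not NetApp code. `PrefDcTable` is a stand-in for what `cifs prefdc add`, `delete` and `print` record on the storage system, and `order_dcs` applies the contact order described above to a constructed set of discovered domain controllers. Two points are this example's assumptions, labelled in the comments: that `prefdc add` replaces the list for a domain, and that "favored" means a DC in the storage system's own AD site when site awareness is on. The DC names, addresses and site names are constructed.

```python
"""Preferred-DC configuration and DC contact ordering, modelled in Python.

Added example, not NetApp code. It mimics what `cifs prefdc add/delete/
print` records and how the ordering in the notes (preferred, then favored,
then other) is applied to the set of discovered domain controllers. The DC
names, addresses and site data are constructed.
"""


class PrefDcTable:
    """In-memory stand-in for the storage system's preferred-DC list."""

    def __init__(self):
        self._table = {}   # domain (upper-cased) -> ordered list of addresses

    def add(self, domain, *addresses):
        # `cifs prefdc add domain address [address...]`. Assumption of this
        # example: the new list replaces any existing list for the domain,
        # and the order given is the order of preference.
        if not addresses:
            raise ValueError("at least one address is required")
        self._table[domain.upper()] = list(dict.fromkeys(addresses))

    def delete(self, domain):
        # `cifs prefdc delete domain`
        self._table.pop(domain.upper(), None)

    def print_(self, domain=None):
        """Return the text `cifs prefdc print [domain]` would show."""
        items = self._table if domain is None else {
            k: v for k, v in self._table.items() if k == domain.upper()}
        if not items:
            return ("No preferred Domain Controllers configured.\n"
                    "DCs will be automatically discovered.")
        return "\n".join(f"{d}: {' '.join(a)}" for d, a in sorted(items.items()))

    def preferred(self, domain):
        return list(self._table.get(domain.upper(), []))


def order_dcs(domain, discovered, prefs, site_awareness_on, own_site):
    """Order discovered DCs the way DC ping ordering does.

    discovered: list of (address, name, site) tuples for one domain.
    Tiers: preferred (admin-configured) > favored > other. Assumption of
    this example: "favored" is a DC in the storage system's own AD site,
    which only applies while cifs.site_awareness.enable is on. Preferred
    DCs keep the admin's order; other tiers keep discovery order.
    """
    pref = prefs.preferred(domain)

    def tier(dc):
        address, _name, site = dc
        if address in pref:
            return 0
        if site_awareness_on and site == own_site:
            return 1
        return 2

    return sorted(discovered,
                  key=lambda dc: (tier(dc), pref.index(dc[0]) if dc[0] in pref else 0))


# Constructed discovery result for the DEVELOPMENT domain.
DISCOVERED = [
    ("10.0.0.5", "WIN2K3", "HQ"),
    ("10.0.0.6", "WIN2K3-2", "HQ"),
    ("10.1.0.5", "BRANCH-DC", "BRANCH"),
]


def demo():
    """Show the contact order before and after configuring a preferred DC."""
    prefs = PrefDcTable()
    before = [dc[1] for dc in order_dcs("DEVELOPMENT", DISCOVERED, prefs, True, "HQ")]
    prefs.add("development", "10.1.0.5")
    after = [dc[1] for dc in order_dcs("DEVELOPMENT", DISCOVERED, prefs, True, "HQ")]
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note that turning site awareness off removes the favored tier entirely, so without a preferred list the storage system falls back to discovery order; that is why the notes pair the `cifs.site_awareness.enable off` step with configuring `cifs prefdc`.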


Domain Users



Domain User

ƒ Domain user is:
  – Created in a domain
  – Authenticated by the domain
  – Created with the Active Directory Users and Computers tool

DOMAIN USER
A domain user is a non-local user who belongs to a Windows domain and is authenticated by the domain.
This type of user also can be placed into storage system groups to grant them capabilities on the storage
system. On the Windows workstation, you can create a domain user with the Active Directory Users and
Computers tool. The Windows Active Directory Users and Computers tool allows management of users,
groups, organizational units, and all other Active Directory objects. You can administer and publish
information in the directory.



W2k8R2: Remote Administration Tools
ƒ Within Windows Server 2008 R2, administrators must add the Remote Administration Tools to remotely administer Active Directory
  – Same as the AdminPack for Windows Server 2003

NOTE: Reboot required



Creating a Domain User

[Screenshot. Callout: right-click the Users folder and select New.]

CREATING A DOMAIN USER


To create a domain user with the Active Directory Users and Computers Tool, perform the following steps:
1. To open the tool from your Windows workstation, go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers.
2. To add a new domain user, right-click the Users folder and choose New > User.
3. In the New Object – User window, type the name of the user in the First name, Last name, and Full name
text boxes.
In this example, user_jdoe (for Jane Doe) is typed in the First name text box and repeated in the Full name
text box.
4. In the User logon name text box, type the user logon of user_jdoe to add the domain user Jane Doe.
5. Click the Next button.
6. In the password window, type the password for Jane Doe and confirm the password.
7. Mark the Password never expires check box for this example.
8. Click the Next button.
9. Click the Finish button to complete adding user_jdoe to the domain.



Local User Authentication
When the storage system is using CIFS Domain
authentication:
ƒ Local user authentication is still possible
ƒ Additional MMC functionality is available
– Users:
ƒ Displays a current list of local users only
ƒ Cannot create, delete, or view properties of local users
ƒ Cannot administer passwords
– Groups:
ƒ Can display, create, and delete a group, and add or delete
users in the group
ƒ Cannot add or modify roles (and hence, capabilities) for the
group



Adding Domain Users to Groups

Assign a Windows domain user to a custom or predefined local group
ƒ CLI: useradmin domainuser
  – Syntax
system> useradmin domainuser add user -g group | Administrators | "Backup Operators" | Guests | "Power Users" | Users
  – To add an existing Windows domain user to a group:
system> useradmin domainuser add user -g group
  – To list Windows domain users in a group:
system> useradmin domainuser list -g group
ƒ Computer Management (MMC)



MMC: Groups

[Screenshot. Callouts: right-click the Groups folder; choose New Group...; type the Group name; click the Add button to add members.]

MMC: GROUPS
As an example with the Windows Computer Management GUI, in the Groups folder, add a new group
Helpers2 and add local user Jane to the group by performing the following steps:
1. Go to System Tools > Local Users and Groups > Groups.
2. Right-click the Groups folder and choose New Group.
3. In the New Groups window, in the Group name text box, type the group name Helpers2.
4. Click the Add button to add members to the new group.



MMC: Groups (Cont.)

[Screenshot. Callouts: type the domain user; click the Create button, and then click the Close button.]

MMC: GROUPS (CONT.)


(The following continues the adding of a new local group.)
5. In the Select User, Computers, or Groups window, add the domain user.
6. Click the OK button. The New Group window displays the domain user as a member of a local storage
system group.
7. In the New Group window, click the Create button, and then click the Close button.



MMC: Groups (Cont.)

[Screenshot. Callout: note that the new group Helpers2 has been added.]

MMC: GROUPS (CONT.)


(The following continues the adding of a new local group.)
8. Note that in the Computer Management GUI, the new group Helpers2 has been added.





Module Summary

In this module, you should have learned to:

ƒ Terminate the CIFS service to prepare for CIFS domain configuration
ƒ Reconfigure the CIFS service for a Windows domain
ƒ Identify the resulting files
ƒ Create domain users and add the domain users to a local storage system group
ƒ Set up Preferred Domain Controllers (DCs)



Exercise
Module 9: CIFS Domains
Estimated Time: 60 minutes

EXERCISE
Please refer to your Exercise Guide for more instruction.



Check Your Understanding

ƒ For which objects can you create shares?
ƒ What are three methods used to manage CIFS shares?
ƒ CIFS Kerberos-based authentication fails if the time difference between the storage system and the domain controller is more than how many minutes?
ƒ Which command or commands allow you to configure the preferred domain controllers?



NAS Multiprotocol
Module 10
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode



Module Objectives

By the end of this module, you should be able to:

ƒ Determine and verify user mappings for CIFS users accessing UNIX® and MIXED volumes and qtrees
ƒ Determine and verify user mappings for UNIX users accessing NTFS and MIXED volumes and qtrees





Multiprotocol

ƒ Volumes and qtrees can have either:
  – NTFS-style ACL permissions
  – UNIX-style permissions
ƒ Having UNIX-style permissions does not prevent Windows® (CIFS) users from accessing a volume or qtree if multiprotocol is correctly configured
ƒ Having NTFS-style ACL permissions does not prevent UNIX (NFS) users from accessing a volume or qtree if multiprotocol is correctly configured

MULTIPROTOCOL
The following describes the three qtree security styles:
ƒ NTFS
  – For CIFS clients, security is handled using Windows NTFS ACLs.
  – For NFS clients, the NFS username is mapped to a Windows username, which is then associated with a Windows security identifier (SID) and its groups. These mapped credentials are used to determine file access based on the NTFS ACL.
ƒ UNIX
  – Just like UNIX, files and directories have UNIX permissions.
  – For CIFS clients, the Windows username is mapped to a UNIX username. This mapped account is then used to determine file access based on the UNIX security.
ƒ Mixed
  – Both NTFS and UNIX security are allowed. A file or directory can have either NTFS ACLs or UNIX permissions.
  – For NTFS ACLs and NFS clients, the NFS username is mapped to a Windows username and its associated groups. These mapped credentials are used to determine file access based on the NTFS ACL.
  – For UNIX permissions and CIFS clients, the Windows username is mapped to an NFS user. These mapped credentials are used to determine file access based on the UNIX security.
  – The default file security style is the style most recently used to set permissions on that file.

10 - 4 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Security Style Interaction

For a Windows user to access:
ƒ An NTFS-style volume or qtree
– Windows user is tested against NTFS-style ACLs
ƒ A UNIX-style volume or qtree
– Windows user must be mapped to a UNIX user (and associated UNIX group)

[Diagram: Windows host -> Windows user ID -> (mapped to) UNIX user; NTFS and UNIX security styles]


SECURITY STYLE INTERACTION


NOTE: There is always a user mapping (UNIX user -> NTFS user) whether the chosen security style is
NTFS or multiprotocol. Even when a Windows client user is accessing data through an NTFS qtree on a
storage system with NTFS security style, a user mapping occurs for the Windows client user. Both NTFS and
UNIX users are always mapped.

10 - 5 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Windows-to-UNIX User Resolution

[Diagram: A Windows user's credentials arrive at the storage system. Domain authentication: the storage system passes the credentials to the Windows domain controller, which returns Windows authenticated or Unauthenticated. Workgroup authentication: the storage system authenticates by /etc/registry, returning Windows authenticated or Unauthenticated.]


WINDOWS-TO-UNIX USER RESOLUTION


When a CIFS user attempts to access a volume or qtree that has UNIX permissions, the user is authenticated
with the method by which the CIFS server has previously been configured. If the storage system has been
configured for domain authentication, the storage system passes the credentials to the domain controller for
proper authentication. The credentials are either authenticated or not. If the storage system has been
configured for workgroup authentication, then the storage system will authenticate the user by way of the
/etc/registry.

10 - 6 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Windows-to-UNIX User Resolution (Cont.)

[Flowchart: Windows authenticated user -> check mapping in /etc/usermap.cfg (Domain\user => UNIX name). If a mapping exists, try the mapped user; if no mapping, try the Windows user name; if mapped to ‘ ’, invalid user. Verify the UNIX user by /etc/passwd, NIS or LDAP; if not verified, check wafl.default_unix_user. Outcomes: User accepted, Unauthenticated user, Invalid user.]


WINDOWS-TO-UNIX USER RESOLUTION (CONT.)


A Windows authenticated user then is looked up in the /etc/usermap.cfg file. Three possibilities are available.
The user may be mapped to a UNIX user, not mapped at all, or mapped to an empty string. If the user is
mapped, then the mapped UNIX user is passed to verification. If the user is not mapped, then the
authenticated CIFS user’s name is tried for UNIX verification with all letters lowercased. If the user is
mapped to an empty string “ ”, then the user is invalid.

VERIFICATION
The storage system attempts to verify a UNIX user by employing the mechanisms listed in the
/etc/nsswitch.conf file: /etc/passwd, NIS, and/or LDAP. If verification is
unsuccessful, then the option wafl.default_unix_user is tried as a generic user account. A typical
default UNIX user is “pcuser” with UID=65534 and GID=65534, which is stored in the /etc/passwd file by
default. If verification is successful, the CIFS user is properly associated with a UNIX account. If verification
is unsuccessful, the CIFS user is invalid.

WINDOWS ADMINISTRATOR
The Windows Administrator user is a special case. The administrator is mapped to the UNIX user name
“root” with UID=0 and GID= if the wafl.nt_admin_priv_map_to_root option is set “on.”

10 - 7 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Windows-to-UNIX User Resolution (Cont.)

[Flowchart: Unauthenticated or invalid user -> Is a guest account configured (options cifs.guest_account)? Yes: try the guest user and verify the UNIX user by /etc/passwd, NIS or LDAP; the guest user is accepted or rejected. No: Unauthenticated or Invalid user rejected.]


WINDOWS-TO-UNIX USER RESOLUTION (CONT.)


Unauthenticated or invalid users may still be allowed access to the resource if the cifs.guest_account
option is configured. NOTE: A guest account is not configured by default, unlike in the Windows operating
system. It must be set explicitly.
The guest account is then passed to the storage system for UNIX verification by the mechanisms specified in
the /etc/nsswitch.conf file.

10 - 8 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


UNIX User Access to Files
ƒ For a UNIX user to access:
– A UNIX-security style volume or qtree
ƒ The UNIX user is tested against the UNIX file permissions
– An NTFS-security style volume or qtree:
ƒ The UNIX user and group must be mapped to a Windows user (and associated Windows groups)

[Diagram: UNIX host -> UNIX user -> (mapped to) Windows user ID; UNIX and NTFS security styles]


UNIX USER ACCESS TO FILES


This section explains the default mechanism (/etc/usermap.cfg) for mapping UNIX user names to Windows
accounts. This mapping can also be accomplished by using LDAP, Active Directory, or NIS servers as
described in www.netapp.com/library/tr/3458.pdf.

10 - 9 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


UNIX-to-Windows User Resolution

[Diagram: A UNIX client (# cd /mnt/home; # ls) sends its UID and GID to the storage system, which resolves the UID to a UNIX user name by /etc/passwd, NIS, or LDAP. Outcomes: UID to UNIX user name successful, or UID to UNIX user name failed.]

NOTE: UNIX UID (and GID) were assigned at user login when user name and password were authenticated


UNIX-TO-WINDOWS USER RESOLUTION


For the sake of this example, we are assuming that NFS v2 or v3 is being used. When an NFS user attempts to
access a volume or qtree that has NTFS ACLs, the user’s UID is passed from the client to the storage system,
where the storage system attempts to resolve the user’s name by the normal UNIX methods as defined in
/etc/nsswitch.conf.

10 - 10 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


UNIX-to-Windows User Resolution (Cont.)

[Flowchart: UID to UNIX user name successful -> look for the mapped Windows user in /etc/usermap.cfg (Domain\user <= UNIX name). If a mapping exists, try the mapped user; if no mapping, try the UNIX user name; if mapped to ‘ ’, invalid user. Verify the Windows user by the local storage system or the domain; if not verified, check wafl.default_nt_user. Outcomes: User accepted, Unauthenticated user, Invalid user.]


UNIX-TO-WINDOWS USER RESOLUTION (CONT.)


A valid user name is then looked up in the /etc/usermap.cfg file. Three possibilities are available. The user
may be mapped to a Windows user, not mapped at all, or mapped to an empty string. If the user is mapped,
then the mapped Windows user is passed to verification. If the user is not mapped, then the UNIX user’s
name is tried for CIFS verification. If the user is mapped to an empty string “ ”, then the user is automatically
invalid.

VERIFICATION
The storage system will attempt to verify a Windows user by using the mechanism as configured by the CIFS
server. These mechanisms are either using the local accounts defined in the /etc/registry or passing
verification to a domain controller. If verification is unsuccessful, then the option wafl.default_nt_user
is tried as a generic user account. There is no default setting for this value, so it must be configured. If
verification is successful, the NFS user is properly associated with a Windows account. If verification is
unsuccessful, the NFS user is invalid.

10 - 11 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


UNIX-to-Windows User Resolution (Cont.)

[Flowchart: UID to UNIX user name failed -> unauthenticated or invalid user -> Invalid user rejected.]


UNIX-TO-WINDOWS USER RESOLUTION (CONT.)


Unlike in the Windows-to-UNIX resolution, there is no guest user account for NFS users. If the user is
invalid, the user is rejected.
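The two resolution flows described on the preceding pages (Windows-to-UNIX with its default user and guest fallbacks, and UNIX-to-Windows with no guest), modelled end to end as an added example; this is not NetApp code. The /etc/usermap.cfg parser is simplified (no wildcards or IP qualifiers), and the account tables, option values and user names are constructed for the example.

```python
"""Windows-to-UNIX and UNIX-to-Windows user resolution, modelled in Python.
Added example, not NetApp code: the /etc/usermap.cfg parser is simplified
(no wildcards or IP qualifiers); /etc/passwd, NIS or LDAP and the CIFS server
(/etc/registry or a domain controller) are in-memory tables built below."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Constructed sample /etc/usermap.cfg. Entry forms as on the slides:
#   Domain\user => UNIX name   Windows-to-UNIX only
#   Domain\user <= UNIX name   UNIX-to-Windows only
#   Domain\user == UNIX name   both directions; a user mapped to "" is invalid
SAMPLE_USERMAP_CFG = """\
DEVELOPMENT\\jsmith       =>  jsmith
DEVELOPMENT\\contractor   =>  ""
DEVELOPMENT\\backupsvc    <=  backup
ENG\\alice                ==  alice
"""


def parse_usermap(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (win_to_unix, unix_to_win); Windows keys are lowercased because
    Windows account names are case-insensitive."""
    win_to_unix: Dict[str, str] = {}
    unix_to_win: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2:                       # no direction given: both ways
            parts.insert(1, "==")
        if len(parts) != 3 or parts[1] not in ("==", "=>", "<="):
            continue                              # blank or malformed entry: ignored
        win, direction, unix = parts[0].strip('"'), parts[1], parts[2].strip('"')
        if direction in ("==", "=>"):
            win_to_unix[win.lower()] = unix
        if direction in ("==", "<="):
            unix_to_win[unix] = win
    return win_to_unix, unix_to_win


@dataclass
class StorageSystem:
    cifs_domain: str
    unix_accounts: Dict[str, int]               # /etc/passwd, NIS or LDAP: name -> UID
    windows_accounts: Set[str]                  # /etc/registry or DC: lowercase "domain\\user"
    default_unix_user: Optional[str] = "pcuser" # wafl.default_unix_user
    default_nt_user: Optional[str] = None       # wafl.default_nt_user has no default
    guest_account: Optional[str] = None         # cifs.guest_account is not set by default
    nt_admin_priv_map_to_root: bool = True      # wafl.nt_admin_priv_map_to_root, "on" here


def windows_to_unix(sys_: StorageSystem, win_to_unix: Dict[str, str],
                    domain_user: str, authenticated: bool) -> Tuple[str, Optional[str]]:
    """Windows-to-UNIX flow: (outcome, unix_name), outcome accepted/guest/rejected."""
    if authenticated:
        user = domain_user.rsplit("\\", 1)[-1]
        if user.lower() == "administrator" and sys_.nt_admin_priv_map_to_root:
            return "accepted", "root"             # Windows Administrator is a special case
        mapped = win_to_unix.get(domain_user.lower())
        if mapped is None:
            candidate = user.lower()              # no mapping: try the Windows name lowercased
        else:
            candidate = mapped or None            # "" means the user is invalid
        if candidate is not None:
            if candidate in sys_.unix_accounts:
                return "accepted", candidate
            if sys_.default_unix_user in sys_.unix_accounts:
                return "accepted", sys_.default_unix_user   # generic account fallback
    if sys_.guest_account and sys_.guest_account in sys_.unix_accounts:
        return "guest", sys_.guest_account        # unauthenticated or invalid, guest configured
    return "rejected", None


def unix_to_windows(sys_: StorageSystem, unix_to_win: Dict[str, str],
                    uid: int) -> Tuple[str, Optional[str]]:
    """UNIX-to-Windows flow for NFS v2/v3: only the UID arrives in the request."""
    unix_name = {u: n for n, u in sys_.unix_accounts.items()}.get(uid)
    if unix_name is None:
        return "rejected", None                   # UID to UNIX user name failed
    mapped = unix_to_win.get(unix_name)
    if mapped == "":
        return "rejected", None                   # invalid user; NFS has no guest account
    candidate = mapped or f"{sys_.cifs_domain}\\{unix_name}"   # no mapping: try the UNIX name
    if candidate.lower() in sys_.windows_accounts:
        return "accepted", candidate
    if sys_.default_nt_user and sys_.default_nt_user.lower() in sys_.windows_accounts:
        return "accepted", sys_.default_nt_user   # generic account; must be configured
    return "rejected", None


# Constructed sample system: local UNIX accounts and accounts known to the CIFS server.
SAMPLE_SYSTEM = StorageSystem(
    cifs_domain="DEVELOPMENT",
    unix_accounts={"root": 0, "pcuser": 65534, "jsmith": 1001, "alice": 1002, "backup": 1003},
    windows_accounts={"development\\administrator", "development\\jsmith",
                      "development\\backupsvc", "eng\\alice", "development\\nfsdefault"},
)
# The same system with cifs.guest_account and wafl.default_nt_user configured.
GUEST_SYSTEM = replace(SAMPLE_SYSTEM, guest_account="pcuser",
                       default_nt_user="DEVELOPMENT\\nfsdefault")
WIN_TO_UNIX, UNIX_TO_WIN = parse_usermap(SAMPLE_USERMAP_CFG)
```

Note that an unmapped Windows name that is not a UNIX account lands on the generic pcuser account, so several Windows users can share one UNIX identity; the empty-string mapping is the way to refuse a Windows account outright.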

10 - 12 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Security Styles

Security Style | Hosts that can change Security/Permissions | CIFS Client Access Determined by | NFS Client Access Determined by
unix  | NFS clients          | UNIX permissions (Windows user names mapped to UNIX account) | UNIX permissions
mixed | NFS and CIFS clients | Depends on the last client to set security settings (permissions) | Depends on the last client to set security settings (permissions)
ntfs  | CIFS clients         | Windows NTFS ACLs | Windows NTFS ACLs (UNIX user names mapped to Windows account)

SECURITY STYLES
NOTE: A CIFS user can access the file without disrupting UNIX permissions by using one of the following
techniques:
ƒ Prior to Data ONTAP® 7.2, the CIFS user must have a Windows add-on from the NOW™ site called the
SecureShare®.
ƒ With Data ONTAP 7.2 and later, the CIFS user can manage security directly with
cifs.preserve_unix_security.
For more information, please see the CIFS Administration on Data ONTAP courses.

10 - 13 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Setting Security Styles

ƒ To set a security style for a volume:
system> qtree security /vol/vol0 ntfs
ƒ To set a security style for a qtree:
system> qtree security /vol/vol0/q1 ntfs
ƒ Changing a security style resets all security
permissions within a volume or qtree to default
– NTFS: Everyone has read-write access
– UNIX: user, group, and world have rwx
drwxrwxrwx 2 root root 4096 cifs_tree1


SETTING SECURITY STYLES

10 - 14 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Verify Mappings

ƒ A Windows-to-UNIX user mapping is kept as
part of the CIFS session credential
– A fresh Windows-to-UNIX user mapping is
required only when a new CIFS session is
established for a user
– Use the cifs session -s command to verify
the mapping


VERIFY MAPPINGS

10 - 15 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Multiprotocol Options

ƒ A CIFS user can access the file without
disrupting UNIX permissions
ƒ A CIFS user might then attempt to set security
restrictions on a file or folder
– Prior to Data ONTAP 7.2, the CIFS user must
have an add-on from the NOW site called the
SecureShare file locking system
– Data ONTAP 7.2 and later, the CIFS user can
manage security directly with
cifs.preserve_unix_security


MULTIPROTOCOL OPTIONS

10 - 16 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Preserving UNIX Permissions

ƒ The cifs.preserve_unix_security
option preserves UNIX permissions as files
are edited and saved by Windows
applications that perform the following steps:
1. Read the security properties of the file.
2. Create a new temporary file.
3. Apply those properties to the temporary file.
4. Rename temporary file with original file name.
ƒ Windows clients that perform a security query
receive a constructed ACL that exactly
represents the UNIX permissions


PRESERVING UNIX PERMISSIONS


Enabling the cifs.preserve_unix_security option preserves UNIX permissions as files are edited and
saved by Windows applications that perform the following steps:
ƒ Read the security properties of the file.
ƒ Create a new temporary file.
ƒ Apply those properties to the temporary file.
ƒ Give the temporary file the original file name.
Windows clients that perform a security query receive a constructed ACL that exactly represents the UNIX
permissions.

10 - 17 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Preserving UNIX Permissions (Cont.)

ƒ The cifs.preserve_unix_security option
allows manipulation of UNIX permissions by
using the Security tab on a Windows client
– When enabled, UNIX qtrees appear as NTFS
volumes
– The default for this option is “off”

NOTE: You cannot change the owner and group from the Windows
Security tab


PRESERVING UNIX PERMISSIONS (CONT.)


Enabling the cifs.preserve_unix_security option also allows you to manipulate the UNIX
permissions by using the Security tab on a Windows client, or using any application that can query and set
Windows ACLs.
When enabled, UNIX qtrees appear as NTFS volumes. The default for this option is off.
NOTE: You cannot change the owner and group from the Windows Security tab.

10 - 18 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


File Permissions with Mapped UNIX User

UNIX credentials are used
when evaluating access
requests by comparing
Windows credentials against
the file or folder’s permissions


FILE PERMISSIONS WITH MAPPED UNIX USER


In this example, a Windows user is accessing a UNIX file. The Security tab in the file Properties window
displays the user’s mapped UNIX credentials.
The UNIX credentials are used when evaluating the user’s access requests by comparing the user’s credentials
against the file or folder’s UNIX access permissions.

10 - 19 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


WAFL Credential
Cache


10 - 20 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


WAFL Credential Cache
ƒ The WAFL® Credential Cache (WCC)
– Caches user mappings for the UNIX UIDs and GIDs
to Windows SIDs for users and groups
– Use the wcc command to manage the cache
ƒ The wcc –u unixname command
– Displays the Windows user mappings for the UNIX
account
ƒ The wcc –s ntname command
– Displays the UNIX user mappings for the Windows
account
ƒ Timeout value for WCC
– options wafl.wcc_minutes_valid 20 (20 is the default value)

WAFL CREDENTIAL CACHE


The WAFL Credential Cache (WCC) contains the cached user mappings for the UNIX user identities (UIDs
and GIDs) to Windows identities (SIDs for users and groups). After a UNIX-to-Windows user mapping is
performed (including group membership), the results are stored in the WCC.
A Windows-to-UNIX user mapping is not stored in the WCC, but instead is kept as part of the CIFS session
credential. A fresh Windows-to-UNIX user mapping is required only when a new CIFS session is established
for a user.
The wcc command does not look in the WCC, but performs a current user mapping operation and displays the
results. This command is useful for troubleshooting user mapping issues.
The wcc –s ntname command, where ntname can be a Windows user name or SID, displays the current
user mappings for the Windows account.

10 - 21 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


wcc Command (root)
system> wcc -u root
(NT - UNIX) account name(s):(system\administrator - root)
***************
UNIX uid = 0
user is a member of group daemon (1)
user is a member of group daemon (1)

NT membership
system\administrator
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************


WCC COMMAND (ROOT)

10 - 22 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


wcc Command (Local Administrator)
system> wcc -s administrator
(NT - UNIX) account name(s):(DEVSLU10-F1\administrator - pcuser)
***************
UNIX uid = 65534

NT membership
DEVSLU10-F1\administrator
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************


WCC COMMAND (LOCAL ADMINISTRATOR)


The following example displays the user mapping for a local administrator.
system> wcc -s administrator
(NT - UNIX) account name(s): (system\administrator - pcuser)
***************
UNIX uid = 65534
NT membership
system\administrator
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************

10 - 23 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


wcc Command (Domain Administrator)
system> wcc -s development\administrator
(NT - UNIX) account name(s): (DEVELOPMENT\Administrator - pcuser)
***************
UNIX uid = 65534
NT membership
DEVELOPMENT\Administrator
DEVELOPMENT\Group Policy Creator Owners
DEVELOPMENT\Domain Users
DEVELOPMENT\Domain Admins
DEVELOPMENT\Enterprise Admins
DEVELOPMENT\Schema Admins
DEVELOPMENT\Debugger Users
BUILTIN\Users
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************


WCC COMMAND (DOMAIN ADMINISTRATOR)


The following example displays the user mapping for a domain administrator.
system> wcc -s Development\administrator
(NT - UNIX) account name(s): (DEVELOPMENT\Administrator - pcuser)
***************
UNIX uid = 65534
NT membership
DEVELOPMENT\Administrator
DEVELOPMENT\Group Policy Creator Owners
DEVELOPMENT\Domain Users
DEVELOPMENT\Domain Admins
DEVELOPMENT\Enterprise Admins
DEVELOPMENT\Schema Admins
DEVELOPMENT\Debugger Users
BUILTIN\Users
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************
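The wcc records on this and the preceding pages, parsed and checked as an added example that is not NetApp code. The capture is constructed in the record format the slides show for wcc -u and wcc -s (the jsmith record is invented), and the two checks report what a storage administrator would review first: Windows accounts that resolve to UID 0, and several Windows accounts collapsing onto one generic UNIX account.

```python
"""Parse wcc output records and flag mappings worth reviewing.
Added example, not NetApp code. The capture is constructed in the record
format the slides show for wcc -u and wcc -s (the jsmith record is invented).
Findings: Windows accounts resolving to UID 0, and several Windows accounts
collapsing onto one generic UNIX account such as pcuser."""
import re
from typing import Dict, List

SAMPLE_WCC_CAPTURE = r"""
system> wcc -u root
(NT - UNIX) account name(s):(system\administrator - root)
***************
UNIX uid = 0
user is a member of group daemon (1)

NT membership
system\administrator
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************
system> wcc -s development\administrator
(NT - UNIX) account name(s): (DEVELOPMENT\Administrator - pcuser)
***************
UNIX uid = 65534
NT membership
DEVELOPMENT\Administrator
DEVELOPMENT\Domain Admins
BUILTIN\Administrators
User is also a member of Everyone, Network Users, Authenticated Users
***************
system> wcc -s jsmith
(NT - UNIX) account name(s): (DEVELOPMENT\jsmith - pcuser)
***************
UNIX uid = 65534
NT membership
DEVELOPMENT\jsmith
DEVELOPMENT\Domain Users
User is also a member of Everyone, Network Users, Authenticated Users
***************
"""

ACCOUNT_RE = re.compile(r"\(NT - UNIX\) account name\(s\):\s*\((?P<nt>.+?) - (?P<unix>.+?)\)")
UID_RE = re.compile(r"UNIX uid = (\d+)")
UNIX_GROUP_RE = re.compile(r"user is a member of group (\S+) \((\d+)\)")
ALSO_PREFIX = "User is also a member of "


def parse_wcc(capture: str) -> List[Dict]:
    """Split a capture into records, one per 'system> wcc' prompt."""
    records: List[Dict] = []
    rec, in_nt = None, False
    for line in capture.splitlines():
        line = line.strip()
        if line.startswith("system> wcc"):
            rec = {"command": line[len("system> "):], "nt_name": None, "unix_name": None,
                   "uid": None, "unix_groups": [], "nt_groups": [], "also": []}
            records.append(rec)
            in_nt = False
        elif rec is None or not line or line.startswith("***"):
            continue
        elif m := ACCOUNT_RE.search(line):
            rec["nt_name"], rec["unix_name"] = m.group("nt"), m.group("unix")
        elif m := UID_RE.match(line):
            rec["uid"] = int(m.group(1))
        elif m := UNIX_GROUP_RE.match(line):
            rec["unix_groups"].append((m.group(1), int(m.group(2))))
        elif line == "NT membership":
            in_nt = True
        elif line.startswith(ALSO_PREFIX):
            rec["also"] = [g.strip() for g in line[len(ALSO_PREFIX):].split(",")]
            in_nt = False
        elif in_nt:
            rec["nt_groups"].append(line)
    return records


def root_mappings(records: List[Dict]) -> List[str]:
    """Windows accounts whose mapped UNIX identity is UID 0."""
    return [r["nt_name"] for r in records if r["uid"] == 0]


def shared_unix_identities(records: List[Dict]) -> Dict[str, List[str]]:
    """UNIX accounts that more than one Windows account resolves to."""
    by_unix: Dict[str, List[str]] = {}
    for r in records:
        by_unix.setdefault(r["unix_name"], []).append(r["nt_name"])
    return {u: sorted(names) for u, names in by_unix.items() if len(names) > 1}


RECORDS = parse_wcc(SAMPLE_WCC_CAPTURE)

if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['command']}: {r['nt_name']} -> {r['unix_name']} (uid {r['uid']})")
    print("uid 0 mappings:", root_mappings(RECORDS))
    print("shared UNIX identities:", shared_unix_identities(RECORDS))
```

Because wcc performs a live mapping rather than reading the cache, a capture taken after changing /etc/usermap.cfg or the wafl.default_unix_user option reflects the new resolution immediately.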

10 - 24 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Module Summary


MODULE SUMMARY

10 - 25 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Module Summary

In this module, you should have learned to:


ƒ Determine and verify user mappings for CIFS
users accessing UNIX and MIXED volumes
and qtrees
ƒ Determine and verify user mappings for UNIX
users accessing NTFS and MIXED volumes
and qtrees


MODULE SUMMARY

10 - 26 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Exercise
Module 10: NAS Multiprotocol
Estimated Time: 30 minutes

PLEASE REFER TO YOUR EXERCISE GUIDE FOR MORE INSTRUCTION.

10 - 27 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


Check Your Understanding

ƒ A UNIX user cannot ever access a file with a
Windows ACL but a Windows user can access
a file with UNIX permissions. True or false?
ƒ Windows users are only associated and
resolved to a UNIX user if the Windows user is
attempting to access a file with UNIX
permissions. True or false?
ƒ Which file is used to associate Windows users
and UNIX users?
ƒ Which command allows administrators to
display a cached UNIX user’s mapping to a
given Windows user?

CHECK YOUR UNDERSTANDING

10 - 28 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Multiprotocol


NAS
Troubleshooting
Module 11
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode

NAS TROUBLESHOOTING

11 - 1 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


Module Objectives

By the end of this module, you should be able to:


ƒ Locate options and configuration files that can be
misconfigured on the storage system
ƒ Test for Domain Name System (DNS) resolution on
both the storage system and the client
ƒ Use client-side tools to test the client configuration
ƒ Use storage system and client tools to isolate network
system blockages
ƒ Recognize typical error messages and list commands
to identify the source of the error messages


MODULE OBJECTIVES

11 - 2 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


Troubleshooting Overview

ƒ Initial Configuration: License NFS or CIFS -> Configure NFS or CIFS -> Export or Share Resources -> Mount or Map Resources
ƒ Problems arise on:
– Storage systems
– Clients
– The network
– Infrastructure support
ƒ DNS servers
ƒ NIS servers
ƒ LDAP servers

TROUBLESHOOTING OVERVIEW

11 - 3 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


NFS Troubleshooting:
Storage System


NFS TROUBLESHOOTING: STORAGE SYSTEM

11 - 4 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


NFS Storage System Configuration

ƒ Verify NFS service
– NFS licensed
– NFS properly configured
– Interfaces properly configured
ƒ Verify exports
– exportfs -v
– /etc/exports


NFS STORAGE SYSTEM CONFIGURATION

11 - 5 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


NFS Troubleshooting:
Client


NFS TROUBLESHOOTING: CLIENT

11 - 6 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


Client Troubleshooting Tools

ƒ ping, dig, host, getent
ƒ ypwhich, ypcat, domainname
ƒ showmount –e|-a
ƒ /etc/init.d/autofs start|stop
ƒ nfsstat –m
ƒ Check:
– /etc/nsswitch.conf
– /etc/vfstab or /etc/fstab
– /etc/resolv.conf
– /etc/mtab


CLIENT TROUBLESHOOTING TOOLS


dig (domain information groper) is used to gather information from the Domain Name System (DNS)
servers.
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses
and vice versa.
getent gets a list of entries from the administrative databases, for example:
ƒ # getent passwd or
ƒ # getent hosts v210-inst
ypwhich returns the name of the NIS server that supplies the NIS name services to the NIS client.
ypcat mapname prints the values of all keys from the NIS database specified by mapname.
domainname shows or sets the system NIS domain name.
showmount queries the mount daemon on a remote host for information about the state of the NFS server on
that machine.
autofs controls the operation of the automount daemons.
nfsstat displays statistical information about the NFS and remote procedure call interfaces to the kernel.
Verify:
ƒ nsswitch.conf is using the name services that you think it is
ƒ vfstab or fstab, as appropriate, is controlling the mounts as intended
ƒ resolv.conf points to valid name servers
ƒ mtab shows the mount parameters you expect

11 - 7 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


UNIX Networking Configuration Files

Main network settings and their file locations

Setting                     | HP-UX                    | Solaris                         | SUSE Linux                    | Red Hat Linux
IP Mapping                  | /etc/hosts               | /etc/hosts or /etc/inet/ipnodes | /etc/sysconfig/network/config | /etc/hosts
DNS Domain and Name Servers | /etc/resolv.conf         | /etc/resolv.conf                | /etc/resolv.conf              | /etc/resolv.conf
Interface’s Network Address | /etc/rc.config.d/netconf | /etc/hostname                   | /etc/hosts                    | network-scripts/ifcfg-interfacename
Hostname                    | /etc/rc.config.d/netconf | /etc/nodename                   | /etc/HOSTNAME                 | /etc/sysconfig/network
Default Route               | /etc/rc.config.d/netconf | /etc/defaultrouter              | /etc/sysconfig/network/routes | network-scripts/ifcfg-interfacename


UNIX NETWORKING CONFIGURATION FILES


To automatically configure networking at boot time in UNIX®, you need to:
ƒ Set up the networking hardware
ƒ Configure name resolution
ƒ Activate the machine’s NIC
ƒ Specify any routing settings
ƒ IP address and netmask
At boot time, the system executes a number of startup script files. You usually specify network settings in
these files to ensure a standard automatic configuration of the system.
Different versions of UNIX use different files to initialize the settings for networking properties such as
interfaces, domain names, and IP address mappings.
For a cross-referenced list of tasks mapped to the commands for various Linux or UNIX systems see:
http://bhami.com/rosetta.html.

11 - 8 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


Mount Process

ƒ Client resolves name to IP
ƒ Remote procedure calls
– Ports must be open on clients and storage
systems (verify with rpcinfo)
ƒ portmap TCP 111
ƒ nfsd TCP 2049
ƒ mountd TCP 4046
ƒ Storage system looks at exports in memory
– Who can access this path?
– Performs reverse name lookup
– Grants or denies access
– From the client, showmount -e

MOUNT PROCESS
The mount command verifies that the mountpoint is a full pathname and then passes arguments and options to
/usr/lib/fs/nfs/mount, which takes control of the process as follows:
ƒ mount opens /etc/mnttab and verifies that the file system is not already mounted.
ƒ mount parses the argument storage system:/vol/volname/path into the host (storage system) and the remote
directory /vol/volname/path.
ƒ mount calls the storage system’s rpcbind to get the port number of the storage system’s mountd.
ƒ mount calls the storage system’s mountd daemon and passes it /vol/volname/path, requesting that it send a
file handle for that path.
ƒ The storage system’s mountd daemon handles the client’s mount request. If the directory
/vol/volname/path is available to the client, the mountd daemon does an NFS_GETFH system call on
/vol/volname/path to get the file handle, and then sends it to the client’s mount process.
ƒ /usr/lib/fs/nfs/mount does a regular mount system call with the file handle and the mountpoint directory.
ƒ The client kernel looks up the given mountpoint directory. If OK, it binds the file handle to the hierarchy
in a mount record.
ƒ The client kernel looks up the directory /vol/volname/path on the storage system.
ƒ The client kernel does a statvfs call to the storage system NFS server nfsd.
ƒ The mount system call.
ƒ mount opens /etc/mnttab and adds an appropriate entry to the end with the mounted file system and
mountpoint directory information.

11 - 9 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: NAS Troubleshooting


Mounting Options

ƒ UNIX clients can mount either:
– Soft
ƒ Clients try to mount the export a few times and then
return an error
– Hard
ƒ Clients will continue to send out mount requests
indefinitely until the server responds
ƒ An example of a hard mount with reasonable
defaults:
mount –o rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr…


MOUNTING OPTIONS
The following options are used for NFS mounts:
ƒ Hard or soft: specifies whether the program using a file over an NFS connection should stop and wait for
the server to come back online if the host serving the exported file system is unavailable (hard), or whether it
should report an error (soft).
If hard is specified, the user cannot terminate the process waiting for the NFS communication to resume
unless the intr option is also specified. Clients that have mounted file systems with the hard option continue
to send mount requests indefinitely until the server responds. If soft is specified, the user can set an
additional timeo=<value> option, where <value> specifies the number of seconds to pass before the error
is reported.
Mount Option Examples
On older Linux® systems, if you do not specify any mount options, the Linux mount command (or the
automounter) automatically chooses these defaults:
mount -o rw,fg,vers=2,udp,rsize=4096,wsize=4096,hard,intr,timeo=7,retrans=5
These default settings are designed to make NFS work right out of the box in most environments. Almost
every NFS server supports NFS v2 over UDP. rsize and wsize are relatively small because some network
environments fragment large UDP packets, which hurts performance if fragments can be lost. The remote
procedure call retransmit timeout is set to 0.7 seconds by default to accommodate slow servers and networks.
The example on the slide shows reasonable mount options. The bg option causes the mount attempts to run in
the background. In fact, on many newer Linux distributions, these are the default mount options.
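As an added example (not part of the course material), the following Python checker layers a -o string on top of the older-Linux defaults quoted above and reports the effective hard/soft, intr, transport and timeout settings, flagging the behaviours the notes describe (hard without intr, soft, UDP, foreground mount). The option names come from this page; timeo is interpreted in tenths of a second, which is how the notes arrive at 0.7 s for timeo=7.

```python
# Added example: normalize an NFS "-o" option string against the client defaults
# quoted in the course notes and report the effective hard/soft/intr/transport/timeout.

# Defaults the notes give for older Linux clients when no -o options are passed.
OLD_LINUX_DEFAULTS = "rw,fg,vers=2,udp,rsize=4096,wsize=4096,hard,intr,timeo=7,retrans=5"

# The slide's "hard mount with reasonable defaults" example.
SLIDE_EXAMPLE = "rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr"

# Mutually exclusive option pairs: the one given later on the command line wins.
EXCLUSIVE = [("hard", "soft"), ("tcp", "udp"), ("fg", "bg"), ("rw", "ro"), ("intr", "nointr")]


def apply_options(opts, opt_string):
    """Apply a comma-separated option string to opts, resolving exclusive pairs."""
    for tok in opt_string.split(","):
        tok = tok.strip()
        if not tok:
            continue
        key, _, val = tok.partition("=")
        opts[key] = val if val else True
        for a, b in EXCLUSIVE:
            if key == a:
                opts.pop(b, None)
            elif key == b:
                opts.pop(a, None)
    return opts


def effective_options(opt_string, defaults=OLD_LINUX_DEFAULTS):
    """Client defaults first, then the user's -o string layered on top."""
    return apply_options(apply_options({}, defaults), opt_string)


def review(opt_string, defaults=OLD_LINUX_DEFAULTS):
    """Return the effective options plus findings about the behaviours the notes describe."""
    opts = effective_options(opt_string, defaults)
    # timeo is in tenths of a second: the default timeo=7 is the 0.7 s the notes mention.
    timeo_seconds = int(opts.get("timeo", 7)) / 10.0
    retrans = int(opts.get("retrans", 5))
    findings = []
    if "hard" in opts and "intr" not in opts:
        findings.append("hard without intr: a process waiting on an unavailable server cannot be interrupted")
    if "soft" in opts:
        findings.append("soft: applications see I/O errors after %d retransmits at %.1f s each"
                        % (retrans, timeo_seconds))
    if "udp" in opts:
        findings.append("udp: unacknowledged transport; rsize/wsize %s/%s stay small to limit fragment loss"
                        % (opts.get("rsize"), opts.get("wsize")))
    if "fg" in opts:
        findings.append("fg: the mount blocks the caller until the server answers; bg retries in the background")
    return {"options": opts, "timeo_seconds": timeo_seconds, "retrans": retrans, "findings": findings}


if __name__ == "__main__":
    for label, opt in (("old-Linux defaults", ""), ("slide example", SLIDE_EXAMPLE), ("soft mount", "soft,nointr")):
        result = review(opt)
        print(label, result["options"], result["findings"])
```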



Problem: Stale NFS File Handle

Error code 70: Stale file handle

ƒ What would you do?
ƒ Resolution tips:
– Check connectivity to the storage system (server)
– Check the mountpoint
– Check the client vfstab or fstab, as relevant
– Check showmount -e filerx from the client
– Check exportfs from the command line of the storage system
– Check the storage system /etc/exports file

PROBLEM: STALE NFS FILE HANDLE


Sample Error Messages - NFS Error 70
The probable cause of this problem is that a file or directory that was opened by an NFS client was either
removed or replaced on the NFS file server. To determine possible cause(s) of stale file handles after an NFS
server reboot, check for the following:
ƒ Remove “qtree security” lines in the /etc/rc file, if they exist. Qtree security entries are not required, and
if you manually change a qtree security to NFS or MIXED, and a reboot causes the security to become
NT file system (NTFS) again, stale file handles may occur.
ƒ Check for IP address changes. Did existing mounts work through all interfaces? Did machines with the
failed existing mounts have working mounts to other mountpoints?
ƒ Check if the exportfs list changed. It is possible to make command-line additions through exportfs for a
qtree to have its own mountpoint, but not add the entry to the /etc/exports file making the change
persistent.
Possible Solution
For this scenario, there is currently a workaround:
If you experience a stale file handle while editing a file, write the file to a local file system instead. Try
remounting the file system. If problems persist, consult your NFS client support to determine if you should
shut down the NFS client processes that access stale file handles or, as a last resort, reboot the NFS client.
If the stale file handle number = 20, an opened file or directory has been destroyed or re-created. You can
resolve the problem by unmounting and remounting the file system.



Problem: No Space Left on Disk

No space left on disk error

ƒ What would you do?
ƒ Resolution tips:
– Check df for available disk space
– Check for Snapshot™ copy overruns
– Check quota report for exceeded quotas


PROBLEM: NO SPACE LEFT ON DISK



CIFS Troubleshooting:
Storage System


CIFS TROUBLESHOOTING: STORAGE SYSTEM



CIFS Troubleshooting Checklist

ƒ Verify the following:
– CIFS service is licensed on the storage system
– What CIFS configuration are you working with?
ƒ Windows® workgroup
ƒ Non-Windows workgroup
ƒ Windows domain


CIFS TROUBLESHOOTING CHECKLIST



Problem: DC Connectivity

ƒ Problem: Communication from storage system to domain controller fails or trust across multiple domains fails
– Perform the following steps:
a) system> cifs domaininfo
– This provides information about the domain and known domain controllers
– If you receive an error and want more verbose output, then go to Step b)


PROBLEM: DC CONNECTIVITY
ƒ Potential Issue: “Communication from storage system to domain controller fails or trust across multiple
domains fails.”
ƒ Perform the following steps:
ƒ a) system> cifs domaininfo
This provides information about domain and known domain controllers.
If you receive an error and want a more verbose output, then go to Step b).



Problem: DC Connectivity (Cont.)
b) Set the following option on:
system> options cifs.trace_dc_connection on
– When this option is on, the storage system logs all DC address discovery and connection activities
c) system> cifs resetdc
– This command tells the storage system to disconnect from the domain controller and then establish a new
CIFS connection with the DC (the steps are logged when the cifs.trace_dc_connection option is on)
d) Check the trace output on the console or the logged output in the /etc/messages file to find the problem


PROBLEM: DC CONNECTIVITY (CONT.)


ƒ b) Set the following option on:
system> options cifs.trace_dc_connection on
When this option is on, the storage system logs all DC address discovery and connection activities.
ƒ c) system> cifs resetdc
This command tells the storage system to disconnect from the domain controller and then establish a new
CIFS connection with the DC. (The steps are logged when the cifs.trace_dc_connection option is on.)
ƒ d) Check the trace output on the console or the logged output in the /etc/messages file to find the problem.
The following is sample output from running the cifs resetdc command with the
cifs.trace_dc_connection option set on.
system> options cifs.trace_dc_connection on
system> cifs resetdc



CIFS Troubleshooting:
Client


CIFS TROUBLESHOOTING: CLIENT



Client Troubleshooting

ƒ Most Windows client troubleshooting involves either:
– Network communication issues (discussed later)
– Infrastructure issues (discussed later)
ƒ Other issues might also arise within Windows, for which the following tracing tools and debuggers can be used:
– Windows user and kernel debuggers (windbg)
– Time Traveling Tracing
– ETW Tracing
– Windows Resource Kit and Sysinternals

CLIENT TROUBLESHOOTING
Windows user/kernel debuggers (windbg) are the most common debuggers in use for customer issues.
Time traveling tracing can identify hard-to-find issues. It traces a program's flow, and the trace is then
analyzed internally at Microsoft®. This tool is currently available only through Microsoft's support.
Event Tracing for Windows (ETW) provides a mechanism to monitor, log, and troubleshoot SMB.
Sysinternals and the Windows Resource Kit are available at http://technet.microsoft.com.
There is an excellent presentation by Hongwei Sun, a Microsoft Escalation Engineer, given at the
2009 File Sharing Windows Protocols Plug-fest. The presentation can be found at:
http://channel9.msdn.com/posts/Darryl/Troubleshooting-Windows-SMBSMB2-Issues/.



Problem: Client Communication

ƒ Potential Issue: “Network failed or is slow.”
– Check the following:
system> ifstat
system> netdiag
system> ping
C:\> tracert
ƒ Potential Issue: Firewall prevents communications between storage system and DC
– If using SMB over TCP/IP
ƒ Windows 2000 Server and later
– Requires TCP port 445


PROBLEM: CLIENT COMMUNICATION


In a domain environment, a Windows client user requests user session authentication with the storage system.
Potential Issue: “Network failed or is slow.”
Check the following:
ƒ system> ifstat
The ifstat command displays statistics about packets received and sent on all or a specified network
interface.
ƒ system> netdiag
The netdiag command analyzes the statistics continuously gathered by the network protocol code,
performs various tests (if required), displays the results of the analysis, and suggests remedial actions if
problems are encountered.
ƒ system> ping
The ping command sends ICMP ECHO_REQUEST packets to a network host to elicit an ICMP
ECHO_RESPONSE from the specified host or gateway.
ƒ C:\> tracert
The Windows tracert command displays the route a network packet takes and the number of hops
required for the packet to reach its destination.



Problem: Network Connectivity

ƒ Problem: Windows client cannot ‘find’ the storage system
– If using DNS, try pinging the storage system by name
C:\> ping system_name
– Have routes been configured correctly?


PROBLEM: NETWORK CONNECTIVITY



NAS Troubleshooting:
Network


NAS TROUBLESHOOTING: NETWORK



Network

ƒ The “cleaner” the better
– Matched parameters all the way through
– Not saturated (no Quality of Service in Ethernet)
– Auto versus half or full duplex
ƒ Use TCP instead of UDP
– TCP is acknowledged
– UDP is not acknowledged
ƒ Are there firewalls (network or client) in the way?
– Remember remote procedure call ports should not be blocked

NETWORK
Data ONTAP® 7.2.1 and later introduced a new multi-threaded mount process. Clients that are still mounting
the file systems from the storage system using UDP cannot benefit from the new multi-threaded mount
processing. UDP requests still use single-threaded operations. Clients mounting with TCP benefit greatly
from this enhancement.



Packet Traces
ƒ Overview
– Data ONTAP utility for packet capture
– Captures data for further analysis by support personnel
ƒ Syntax
– pktt start <if>|all [-d dir] [-m pklen] [-b bsize] [-i ipaddr -i …]
ƒ Starts packet tracing
– pktt dump [<if>|all [-d dir]] | [<if> [-f file]]
ƒ Writes data from memory to file (disk)
– pktt stop <if>|all
ƒ Stops packet tracing
ƒ Optional commands
– pktt pause <if>|all
– pktt status [<if>|all] [-v]
– pktt delete [filename.trc]+
– pktt list

PACKET TRACES

PKTT DUMP
The dump subcommand causes the contents of the packet trace buffer to be written to a file. If the “-d dir”
option is used, the file is written to that directory; otherwise it is written to the root directory of the
root volume. The file name always has the extension .trc and the contents are in “tcpdump” format. If a file
by that name already exists, it is overwritten.

PKTT STOP
This causes all tracing to stop on the named interface or all interfaces. If any unwritten data is in the trace
buffer, it is flushed to disk. If you have not dumped the trace data, and you were not tracing to a disk file,
the trace data is lost. This action is not confirmed, so be careful when using this command.

PKTT STATUS
This can be used to display the buffer and file status of an existing trace. Using pktt status -v gives
you full tracing status for all interfaces.



Reading Packet Traces

ƒ Pktt trace saved in tcpdump format
– Reference www.tcpdump.org
ƒ Use a tcpdump-compliant program to review the packet trace, such as Wireshark (www.wireshark.org/)
ƒ Alternatively, convert the pktt trace to Netmon-compliant format using the “capconv” utility
– Reference http://now.netapp.com/NOW/download/tools/capconv/
– Then use a Netmon-compliant packet analyzer such as Windows Netmon


READING PACKET TRACES
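Added example, not from the course or from NetApp: a minimal reader for the tcpdump (pcap) file format that pktt dump writes, used to triage a trace by NAS service port (111 rpcbind, 2049 NFS, 445 SMB over TCP) before opening it in Wireshark. The trace bytes are constructed inline so the example runs offline; with a real trace you would read the .trc file instead.

```python
# Added example: minimal reader for the tcpdump/pcap format that "pktt dump" writes,
# used here to triage a trace by NAS service port before opening it in Wireshark.
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
NAS_PORTS = {111: "rpcbind", 445: "SMB over TCP", 2049: "NFS"}


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet II / IPv4 / TCP frame (checksums left zero; test data only)."""
    eth = bytes.fromhex("000c29112233") + bytes.fromhex("00a098445566") + struct.pack("!H", 0x0800)
    # 20-byte TCP header: data offset 5 words, flags PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames, endian="<"):
    """Constructed pcap file: 24-byte global header, then 16-byte record headers + frames."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(endian + "IIII", 1000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts_sec, frame) for every record; detects the writer's byte order from the magic."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a tcpdump/pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:      # truncated final record (trace stopped mid-write)
            break
        off += incl_len
        yield ts_sec, frame


def decode_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + data_off:]


def summarize(data):
    """Count TCP frames per NAS service (either direction); everything else is 'other'."""
    counts = {}
    for _, frame in parse_pcap(data):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        _, _, sport, dport, _ = decoded
        service = NAS_PORTS.get(dport) or NAS_PORTS.get(sport) or "other"
        counts[service] = counts.get(service, 0) + 1
    return counts


# Constructed sample trace: an SMB exchange, an NFS request, an rpcbind lookup and one HTTP frame.
SAMPLE_TRACE = build_pcap([
    build_frame("10.0.0.5", "10.0.0.10", 51000, 445, b"\xfeSMB"),
    build_frame("10.0.0.10", "10.0.0.5", 445, 51000, b"\xfeSMB"),
    build_frame("10.0.0.7", "10.0.0.10", 43000, 2049),
    build_frame("10.0.0.7", "10.0.0.10", 43001, 111),
    build_frame("10.0.0.7", "10.0.0.10", 43002, 80),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))   # {'SMB over TCP': 2, 'NFS': 1, 'rpcbind': 1, 'other': 1}
```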



NAS Troubleshooting:
Infrastructure Support


NAS TROUBLESHOOTING: INFRASTRUCTURE SUPPORT



Problem: Hostname-to-IP Resolution

ƒ Cannot resolve hostnames to IP addresses
– Look at:
ƒ nsswitch.conf
ƒ hosts file
ƒ resolv.conf
ƒ On the storage system, DNS or NIS options
ƒ Changing the order of DNS or NIS servers
ƒ Consider circumventing DNS or NIS by temporarily entering hosts into the hosts file
– Remember:
ƒ Data ONTAP caches NIS maps in slave mode
ƒ Data ONTAP caches DNS

PROBLEM: HOSTNAME-TO-IP RESOLUTION


Name resolution is critical to a working NFS system. Make sure both the storage system and the host can
resolve names, and that they get the same results.
The nsswitch.conf file is the place to start when troubleshooting name-resolution issues. Make sure that you
are using the name services you intend to be using. If that file is correct, move to the services listed: files =
/etc/hosts, DNS = /etc/resolv.conf, NIS = domainname and ypwhich, for starters.
Remember, there are several options in Data ONTAP used to configure and manage DNS:
ƒ dns.cache.enable enables or disables DNS name resolution caching.
ƒ dns.domainname is the storage system's DNS domain name.
ƒ dns.enable enables or disables DNS name resolution.
ƒ dns.update.enable dynamically updates the storage system's ‘A’ record (CIFS).
ƒ dns.update.ttl is the time-to-live for a dynamically inserted ‘A’ record.
One troubleshooting method when managing name-resolution problems is to enter hostnames or addresses in
the /etc/hosts file of the storage system or host, thereby eliminating external name resolution services. This is
not a fix, but a workaround to assist in fault isolation.
Remember that NIS maps in slave mode are cached, as is DNS. You can flush the DNS cache at any time
by entering the dns flush command.



Module Summary


MODULE SUMMARY



Module Summary

In this module, you should have learned to:
ƒ Locate options and configuration files that can be misconfigured on the storage system
ƒ Test for Domain Name System (DNS) resolution on both the storage system and the client
ƒ Use client-side tools to test the client configuration
ƒ Use storage system and client tools to isolate network system blockages
ƒ Recognize typical error messages and list commands to identify the source of the error messages


MODULE SUMMARY



Exercise
Module 11: NAS Troubleshooting
Estimated Time: 0 minutes

EXERCISE
Please refer to your Exercise Guide for more instruction.



Check Your Understanding

ƒ When troubleshooting a NAS protocol on the storage system, what is one of the first steps you should take
to verify that the appropriate service is available?
ƒ How do you configure the order of the hostname-to-IP resolution mechanism on the storage system?
ƒ Which command is used to capture network packet traces on the storage system?
ƒ What third-party application can be used to read the native packet traces created on the storage system?

CHECK YOUR UNDERSTANDING



SAN Overview
Module 12
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode

SAN OVERVIEW

12 - 1 Accelerated NCDA Boot Camp Data ONTAP 8.0 7-Mode: SAN Overview
© 2010 NetApp, Inc. This material is intended for training use only. Not authorized for reproduction purpose.

NetApp University - Do Not Distribute


Module Objectives

By the end of this module, you should be able to:
ƒ Describe the differences between network-attached storage (NAS) and storage area network (SAN)
ƒ List the methods to implement a SAN environment
ƒ Define logical unit number, initiator, and target
ƒ Describe ports, worldwide node names, and worldwide port names
ƒ List the basic steps to implement a SAN


MODULE OBJECTIVES



SAN Introduction


SAN INTRODUCTION



SAN Versus NAS

[Figure: a NetApp® FAS serving both NAS (NFS and CIFS over the corporate LAN) and SAN (iSCSI, FCoE, and FC)]

SAN VERSUS NAS


Operating systems and applications request data either at the block level or the file level. Network-attached
storage (NAS) provides file-level access to data on a storage system. Access is by way of a network, using
Data ONTAP® services such as CIFS and NFS. Storage area networks (SANs) provide block-level access to
data on a storage system. SAN solutions can be any mixture of iSCSI or Fibre Channel (FC) protocols. When
both SAN and NAS storage are present on the same storage system, it is referred to as “unified storage.”



SCSI

ƒ SAN uses the Small Computer System Interface (SCSI) protocol over a distance
ƒ SCSI features:
– Block-level access
– Efficiency
– Lower overhead
– Resiliency


SCSI
Small Computer System Interface (SCSI) is a set of standards that define commands, protocols, and interfaces
used to transmit data. SCSI allows low-level “block” access to data in units of 512-byte blocks. This is highly
efficient and has low overhead compared to NAS or “file” level access. SCSI has a high level of resiliency
that makes it perfect for an enterprise-level protocol.



SCSI on Host and Controller
[Figure: on the host, Application, File System, SCSI Driver and SCSI Adapter, with direct-attached devices and a Fibre Channel connection; on the controller, SAN Services and WAFL® with direct-attached storage]

SCSI ON HOST AND CONTROLLER


Traditionally, storage is attached to a local machine. SCSI is used for transmitting data between a host and
peripheral devices either through SCSI adapters or other adapters that communicate using SCSI commands.



Logical Unit
[Figure: host stack (Application, File System, SCSI Driver) with direct-attached devices; controller stack (SAN Services, WAFL). Callouts: "The logical unit is accessed by a Logical Unit Number (LUN)" and "The virtual disk LUN is a single file on the server"]

LOGICAL UNIT



Terms


TERMS



Initiator and Target
[Figure: the host (Application, File System, SCSI Driver) is the initiator; the controller (SAN Services, WAFL) is the target and presents the LUN]

INITIATOR AND TARGET


Initiators, including Windows® and UNIX®-type hosts, are consumers or clients within a SCSI relationship.
Targets, including NetApp controllers and storage arrays, present data as logical units and are the servers
within a SCSI relationship.



SAN Types
ƒ A SAN may be implemented using either:
– Fibre Channel (FC)
ƒ Referred to as FC SAN
ƒ Uses Fibre Channel Protocol to communicate
Physical | Data | FC Frame | SCSI
ƒ Uses Fibre Channel over Ethernet (FCoE) to communicate
Ethernet | FCoE | FC Frame | SCSI
– Internet Protocol (IP)
ƒ Referred to as IP SAN
ƒ Uses Internet SCSI (iSCSI) to communicate
Ethernet | IP | TCP | iSCSI | SCSI


SAN TYPES
LUNs on a NetApp storage system can be accessed through either a Fibre Channel fabric (FC SAN) using
Fibre Channel Protocol or an Ethernet network using the Fibre Channel over Ethernet (FCoE) or Internet
SCSI (iSCSI) protocols. In all cases, the transport (FC, FCoE, or iSCSI) carries encapsulated SCSI
commands; the transport is only the data delivery mechanism.
iSCSI is an IETF standard found here: www.ietf.org/rfc/rfc3720.txt?number=3720.



Ports

[Figure: initiator stack (Application, File System, SCSI Driver) with TCP/IP and iSCSI drivers on an Ethernet port for the IP SAN, or an FC driver on a Fibre Channel port or Converged Network Adapter (CNA) for the FC SAN; target stack (TCP/IP, iSCSI and FC drivers, SAN Services, WAFL) presenting the LUN]

PORTS
Data is communicated over ports. In an IP SAN, the data is communicated by way of Ethernet ports. In an FC
SAN, the data is communicated over Fibre Channel ports.



Node and Port Names in Fibre Channel

[Figure: initiator (Application, File System, SCSI Driver) with Worldwide Node Name (WWNN) 20:00:00:2b:34:26:a6:56 and Worldwide Port Name (WWPN) 21:00:00:2b:34:26:a6:56; target (SAN Services, WAFL, LUN) with WWNN 50:0a:09:80:86:f7:c7:86 and WWPN 50:0a:09:81:86:f7:c7:86]

NODE AND PORT NAMES IN FIBRE CHANNEL


In FC SAN, a worldwide node name (WWNN) describes a machine while a worldwide port name (WWPN)
describes a physical port attached to that machine.
The FC specification for the naming of nodes and ports on those nodes can be fairly complicated. Each device
is given a globally unique WWNN and an associated WWPN for each port on the node. WWNNs and
WWPNs are 64-bit names made up of 16 hexadecimal digits grouped together in twos with a colon separating
each pair (for example, 21:00:00:2b:34:26:a6:54).
The first number in the address defines what the other numbers in the address represent, according to the FC
specification. The first number is generally a 1, 2, or 5. In the example of QLogic® initiator host bus adapters
(HBAs), the first number is generally a 2. For Emulex® initiator HBAs, the first number is generally a 1.
Finally, a NetApp storage system is assigned with a 5.



Node and Portals in iSCSI

[Figure: initiator (Application, File System, SCSI Driver) with iSCSI node name iqn.1999-04.com.a:host and a local network connection as its portal; target (SAN Services, WAFL, LUN) with node name iqn.1998-02.com.netapp:ss1 and a Target Portal Group (TPG). Labels: Worldwide Node Name (WWNN), Portals]

NODE AND PORTALS IN ISCSI


In IP SAN, the worldwide node name (WWNN) describes a machine while the portal describes a physical
port. Each iSCSI node must have a node name. There are two possible node name formats.

IQN-TYPE DESIGNATOR
The iSCSI Qualified Name or IQN node name is conventionally “iqn.yyyy-mm.backward_naming_authority:
unique_device_name.” This is the most popular node name format and is the default used by a NetApp
storage system. The components of the logical name are the following:
ƒ Type designator, IQN, followed by a period (.)
ƒ The date when the naming authority acquired the domain name, followed by a period
ƒ The name of the naming authority, written in reverse domain order, optionally followed by a colon (:)
ƒ A unique device name

EUI-TYPE DESIGNATOR
The Extended Unique Identifier or EUI node name is “eui.nnnnnnnnnnnnnnnn.” The components of the
logical name are the following:
ƒ The type designator itself, “eui,” followed by a period (.)
ƒ Sixteen hexadecimal digits
Example: “eui.123456789ABCDEF0”
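Added example (not NetApp code) covering both the FC names on the previous page and the iSCSI IQN/EUI formats above: it validates a WWNN/WWPN, reads the leading NAA digit (1, 2 or 5) the notes describe, extracts the vendor OUI from the position that NAA type places it in, and splits an iSCSI node name into its IQN or EUI components. The OUI positions per NAA type follow the T11 Fibre Channel name formats and are not stated on the slide; the sample names are the ones shown in the figures.

```python
# Added example: parse the FC and iSCSI node/port name formats the notes describe.
import re

# Leading NAA (Name Address Authority) digit of a WWNN/WWPN, as discussed in the notes.
NAA_TYPES = {1: "IEEE 48-bit address", 2: "IEEE extended", 5: "IEEE registered"}

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
IQN_RE = re.compile(r"^iqn\.(\d{4})-(\d{2})\.([a-z0-9][a-z0-9.-]*)(?::(.+))?$", re.IGNORECASE)
EUI_RE = re.compile(r"^eui\.([0-9a-f]{16})$", re.IGNORECASE)


def parse_wwn(name):
    """Validate a 64-bit WWNN/WWPN and report its NAA type and, where defined, the vendor OUI."""
    if not WWN_RE.match(name):
        raise ValueError("WWN must be 8 colon-separated hex byte pairs: %r" % name)
    digits = name.replace(":", "").lower()
    naa = int(digits[0], 16)
    if naa in (1, 2):
        # NAA 1: 12 reserved bits, NAA 2: 12 vendor bits, then the 48-bit IEEE address (OUI first).
        oui = digits[4:10]
    elif naa == 5:
        # NAA 5: the 24-bit OUI follows the NAA digit directly, then 36 vendor-specific bits.
        oui = digits[1:7]
    else:
        oui = None
    return {"naa": naa, "naa_type": NAA_TYPES.get(naa, "other"), "oui": oui,
            "name": ":".join(digits[i:i + 2] for i in range(0, 16, 2))}


def parse_iscsi_name(name):
    """Split an iSCSI node name into its IQN or EUI components."""
    m = IQN_RE.match(name)
    if m:
        year, month, authority, device = m.groups()
        if not 1 <= int(month) <= 12:
            raise ValueError("IQN month out of range: %r" % name)
        return {"type": "iqn", "date": "%s-%s" % (year, month),
                "naming_authority": authority.lower(), "device": device}
    m = EUI_RE.match(name)
    if m:
        return {"type": "eui", "identifier": m.group(1).lower()}
    raise ValueError("not an iqn. or eui. node name: %r" % name)


def is_valid_iscsi_name(name):
    """True when the name parses as a well-formed IQN or EUI node name."""
    try:
        parse_iscsi_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Names from the slides: a QLogic-style initiator (NAA 2) and a NetApp target (NAA 5).
    for wwn in ("20:00:00:2b:34:26:a6:56", "21:00:00:2b:34:26:a6:56", "50:0a:09:80:86:f7:c7:86"):
        print(wwn, parse_wwn(wwn))
    for node in ("iqn.1998-02.com.netapp:ss1", "iqn.1999-04.com.a:host", "eui.123456789ABCDEF0"):
        print(node, parse_iscsi_name(node))
```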



Connectivity Between Initiator and Target

[Figure: initiator (Application, File System, SCSI Driver) and target (SAN Services, WAFL, LUN), either directly connected or connected through a switch]

CONNECTIVITY BETWEEN INITIATOR AND TARGET

