NetApp – CIFS


A qtree can be exported over NFS, shared over CIFS, or both. Any volume that will hold CIFS qtrees should have a hidden share created for the whole volume. This lets you manage all CIFS qtrees in that volume from your workstation: open the main volume share and set security and share permissions for the qtrees in that volume.

For the filer to serve CIFS shares, it must be registered in Active Directory. Create a machine account for the filer in the desired domain, and join the domain by entering domain administrator credentials when prompted.

CIFS Set up:

Before proceeding, make sure the time on the filer matches the time of AD, because Kerberos authentication fails when the clocks are too far apart. Set it using "date -u 201004301331" (30-Apr-2010 @ 13:31).

netapp1> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use “?” for help at any prompt and Ctrl-C to exit without committing changes.


Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]:
A filer can be configured for multiprotocol access, or as an NTFS-only
filer. Since multiple protocols are currently licensed on this filer,
we recommend that you configure this filer as a multiprotocol filer


(1) Multiprotocol filer
(2) NTFS-only filer


Selection (1-2)? [1]:
CIFS requires local /etc/passwd and /etc/group files and default files
will be created. The default passwd file contains entries for ‘root’,
‘pcuser’, and ‘nobody’.
Enter the password for the root user []:
Retype the password:
The default name for this CIFS server is ‘netapp1’.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.


(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer’s local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication


Selection (1-4)? [1]:
What is the name of the Active Directory domain? [ADDOAMAIN]: ADDOMAIN
In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the ADDOMAIN  domain.


Enter the name of the Windows user [Administrator@ADDOMAIN]: domainadmin
Password for domainadmin:
CIFS – Logged in as domainadmin@ADDOMAIN.
The user that you specified has permission to create the filer’s
machine account in many (260) containers. Please choose the method
that you want to use to specify the container that will hold this
account.


(1) Choose from the entire list
(2) Choose from a subset of containers by specifying a search filter


Selection (1-2)? [1]:


(1) OU=Servers,OU=LON,OU=Office Management
(2) OU=Service Accounts,OU=Users,OU=LON,OU=Office Management
(3) OU=Privileged Accounts,OU=Users,OU=LON,OU=Office Management
(4) OU=Users,OU=LDF,OU=LON,OU=Resources
(5) OU=Users,OU=UDF,OU=LON,OU=Resources
(6) OU=Users,OU=HR,OU=LON,OU=Resources
(7) OU=Users,OU=BO,OU=LON,OU=Resources
(8) OU=Users,OU=IBD,OU=LON,OU=Resources
(9) OU=Service Accounts,OU=LDF,OU=LON,OU=Resources
(10) OU=Service Accounts,OU=UDF,OU=LON,OU=Resources
(11) OU=Service Accounts,OU=HR,OU=LON,OU=Resources
(12) OU=Service Accounts,OU=BO,OU=LON,OU=Resources
(13) OU=Service Accounts,OU=IBD,OU=LON,OU=Resources
(14) OU=Groups,OU=LDF,OU=LON,OU=Resources
(15) OU=Groups,OU=UDF,OU=LON,OU=Resources
(16) OU=Groups,OU=HR,OU=LON,OU=Resources
(17) OU=Groups,OU=BO,OU=LON,OU=Resources
(18) OU=Groups,OU=IBD,OU=LON,OU=Resources
(19) OU=Printers,OU=LDF,OU=LON,OU=Resources
(20) OU=Printers,OU=UDF,OU=LON,OU=Resources
(n) see next 20

Selection (1-261, n)? [n]: 1
CIFS – Starting SMB protocol…
It is highly recommended that you create the local administrator
account (netapp1\administrator) for this filer. This account
allows access to CIFS from Windows when domain controllers are not
accessible.
Do you want to create the netapp1\administrator account? [y]:
Enter the new password for netapp1\administrator:

Retype the password:

Currently the user “netapp1\administrator” and members of the
group “EUROPE\Domain Admins” have permission to administer CIFS on
this filer. You may specify an additional user or group to be added to
the filer’s “BUILTIN\Administrators” group, thus giving them
administrative privileges as well.
Would you like to specify a user or group that can administer CIFS? [n]:
Welcome to the ADDOMAIN (EUROPE) Active Directory(R) domain.

CIFS local server is running.
netapp1>

To create a CIFS share from the CLI:

1. Create the volume and then the qtree

2. Create a share on the volume and set up its security, so that all the directories (qtrees) underneath in that volume can be seen through it
netapp1> cifs shares -add adm_testvol$ /vol/testvol
The share name ‘adm_testvol$’ will not be accessible by some MS-DOS workstations
netapp1> cifs access -delete adm_testvol$ everyone
1 share(s) have been successfully modified
netapp1> cifs access adm_testvol$ Administrators "full control"
1 share(s) have been successfully modified

3. Change the qtree security style to NTFS
netapp1> qtree security /vol/testvol/testqtree ntfs
qtree: Changing the security style of qtree /vol/testvol/testqtree will
change the visibility of existing Windows security descriptors (a.k.a. ACLs).
This may affect the disk space usage values in the quota data base.
Turn quotas off and then on to recompute disk space usage.

4. Create a share on the qtree and set up its security
netapp1> cifs shares -add testqtree$ /vol/testvol/testqtree
The share name ‘testqtree$’ will not be accessible by some MS-DOS workstations

5. Change the access privileges of the share
netapp1> cifs access testqtree$ everyone change
1 share(s) have been successfully modified
netapp1> cifs access testqtree$ Administrators "full control"
1 share(s) have been successfully modified
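
A way to check the result of steps 2 to 5 across a filer, as an added example that is not part of the original post: it parses saved `cifs shares` output and flags volume-root shares that are not hidden or that grant everyone access, plus any other share left at everyone / Full Control. The output layout, the sample text and the share names adm_data$ and projects are assumptions constructed for this example.

```python
import re
# Constructed sample of saved `cifs shares` output (assumed layout; not from the page).
SAMPLE = """\
Name         Mount Point                       Description
----         -----------                       -----------
adm_testvol$ /vol/testvol
\t\t\tBUILTIN\\Administrators / Full Control
testqtree$   /vol/testvol/testqtree
\t\t\teveryone / Change
\t\t\tBUILTIN\\Administrators / Full Control
adm_data$    /vol/data
\t\t\teveryone / Full Control
projects     /vol/testvol/projects
\t\t\teveryone / Full Control
"""
VOLUME_ROOT = re.compile(r"^/vol/[^/]+/?$")   # /vol/<volume> with no qtree below it

def parse_shares(text):
    """Return {share: {"path": str, "acl": [(principal, access), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "----")):
            continue                              # blank line or table header
        if line[0].isspace():                     # indented line: ACL entry
            if current and " / " in line.strip():
                shares[current]["acl"].append(tuple(line.strip().rsplit(" / ", 1)))
            continue
        fields = line.split(None, 2)              # name, mount point, description
        if len(fields) >= 2:
            current = fields[0]
            shares[current] = {"path": fields[1], "acl": []}
    return shares

def audit(shares):
    """Flag shares that deviate from the layout built in steps 2 to 5."""
    findings = []
    for name, info in sorted(shares.items()):
        is_root = bool(VOLUME_ROOT.match(info["path"]))
        if is_root and not name.endswith("$"):
            findings.append((name, "volume-root share is not hidden"))
        for who, access in info["acl"]:
            if who.lower() == "everyone" and is_root:
                findings.append((name, f"volume-root share grants everyone / {access}"))
            elif who.lower() == "everyone" and access.lower() == "full control":
                findings.append((name, "share left at everyone / Full Control"))
    return findings

if __name__ == "__main__":
    print(audit(parse_shares(SAMPLE)))
```

The testqtree$ share is not flagged, because everyone / Change is what step 5 sets on a qtree share.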

Home Directory and /etc/cifs_homedir.cfg:

The /etc/cifs_homedir.cfg file contains the paths to home directories for users who access them using CIFS. If two paths are listed for a single user, priority is given to the path that appears first in the list.

To check the home directory for a user:
netapp1> cifs homedir showuser testuser
User name CIFS homedir path
————————————————–
testuser /vol/homes_1/testuser
netapp1>

CIFS on Vfiler:

Before you can run cifs shares commands on a vfiler running on a physical filer, you have to switch to the context of the vfiler from the physical filer.
netapp1> priv set advanced
netapp1*> vfiler context test_vfiler
test_vfiler@netapp1*>


sanaswati