Академический Документы
Профессиональный Документы
Культура Документы
Abstract
This paper provides an overview of how CIFS (Common Internet File System) and NetApp storage
technologies interoperate. The users benefit from the added features provides by NetApp for CIFS
such as Storage Level Access Guard, NetApp Snapshot, and fsecurity which provide faster CIFS
ACL (Access Control Listing) updates, as well as Windows Server consolidation while maintaining
high availability with NetApp’s Active Active configuration. These features take advantage of the
robust storage management capabilities offered by NetApp storage.
This document is a collaborative effort to produce a consolidated working document, combining the
many years of experience and insight of NetApp Technical Reports into one comprehensive
document to be used with NetApp’s Demonstration Facility (NDF). The document may be used in
conjunction with the NDF following each chapter and selecting one of over thirty hands-on demos, or
following the last Appendix and setting up a similar environment to be able to go through each of the
chapters to learn a better understanding of how NetApp’s storage leverages CIFS beyond a file
sharing and authoring protocol.
TABLE OF CONTENTS
1 HANDS ON EXERCISES ........................................................................................................................... 6
1.1 DEMO SETUP ............................................................................................................................................. 6
1.2 AVAILABLE BATCH FILES ................................................................................................................................ 7
2 NETAPP MICROSOFT RELATIONSHIP ...................................................................................................... 8
2.1 OVERVIEW ................................................................................................................................................. 8
2.1.1 Microsoft Gold Partnership ............................................................................................................. 8
2.1.2 Microsoft Core Protocol Program ................................................................................................... 8
2.1.3 Microsoft TAM ................................................................................................................................ 9
2.1.4 Support and Escalation with NetApp and Microsoft....................................................................... 9
2.1.5 Compatibility Matrix ....................................................................................................................... 9
2.2 NETAPP TECHNICAL REPORT REFERENCE ............................................................................................... 9
2.3 ASSUMPTIONS .......................................................................................................................................... 10
3 CIFS SETUP .......................................................................................................................................... 11
3.1 OVERVIEW ............................................................................................................................................... 11
3.2 NETAPP CIFS VERSUS A WINDOWS SERVER ................................................................................................... 12
3.3 BEST PRACTICES ........................................................................................................................................ 13
3.3.1 Create Both a Host (“A” Record) and Reverse Lookup Name in DNS ............................................ 13
3.3.2 CIFS with Microsoft Windows Internet Naming Service ............................................................... 15
3.3.3 Site Awareness .............................................................................................................................. 15
3.3.4 Network Time Protocol (NTP) ....................................................................................................... 15
3.3.5 Create a New Active Directory OU to Manage the NetApp Storage Objects ................................ 16
3.3.6 Mixed and Native Mode Domains ................................................................................................ 17
3.3.7 NIS Group Lookup ......................................................................................................................... 17
3.3.8 Creating a CIFS Share .................................................................................................................... 18
3.3.9 NetApp Snapshot and SnapRestore .............................................................................................. 19
3.3.10 What You Can Do with Snapshot Copies ....................................................................................... 19
3.4 DEMO ..................................................................................................................................................... 20
3.4.1 CIFS Shares .................................................................................................................................... 20
3.4.2 Join Active Directory from NetApp Storage as a Windows Member Server ................................. 21
3.4.3 Verifying Successful CIFS Installation ............................................................................................ 23
3.4.4 NetApp Storage Windows (NetBIOS) Name ................................................................................. 24
3.4.5 Manage the CIFS Shares from the CLI and Microsoft Management Console ............................... 25
3.4.6 Qtree Implementation .................................................................................................................. 26
3.4.7 Create Users’ Home Directories .................................................................................................... 28
3.5 NETAPP TECHNICAL REPORT REFERENCE ............................................................................................. 32
4 SECURITY ............................................................................................................................................ 34
4.1 OVERVIEW ............................................................................................................................................... 34
4.1.1 Infrastructure Security .................................................................................................................. 34
4.1.2 File‐Level Security ......................................................................................................................... 35
4.1.1 Communication Security ............................................................................................................... 36
4.1.2 File Policy (FPolicy) ........................................................................................................................ 38
4.1.3 Role‐Based Access Control (RBAC) ................................................................................................ 38
4.2 MANAGING CIFS SECURITY WITH GROUPS (LOCAL AND GLOBAL) ..................................................................... 39
4.2.1 Domain Local Groups .................................................................................................................... 40
4.2.2 Global Groups ............................................................................................................................... 40
4.2.3 Universal Groups ........................................................................................................................... 40
2 CIFS – Demo.NetApp.com
4.2.4 Built‐In (Nondomain) Local Groups ............................................................................................... 41
4.2.4.1 Built‐In Local Groups on NetApp Storage ................................................................................................. 41
4.2.4.2 Guidelines for Creating Local Groups ....................................................................................................... 41
4.2.5 Local NetApp Storage Groups ....................................................................................................... 42
4.2.6 Multiple Protocol Access ............................................................................................................... 45
4.2.6.1 Effects of Changing an NTFS‐Only Storage System to a Multiprotocol System ........................................ 45
4.2.6.2 Effects of Changing a Multiprotocol Storage System to an NTFS‐Only System ........................................ 45
4.2.6.3 Effects of Changing the Storage System's Domain ................................................................................... 46
4.2.7 Security Group Recommendations ................................................................................................ 46
4.3 CIFS FILE SECURITY, AND USER MAPPING ...................................................................................................... 46
4.3.1 Antivirus Management ................................................................................................................. 48
4.3.2 Auditing ........................................................................................................................................ 49
4.3.3 Access‐Based Enumeration ........................................................................................................... 50
4.3.4 Secure Configuration of Data ONTAP ........................................................................................... 51
4.4 BEST PRACTICES ........................................................................................................................................ 51
4.4.1 Using FPolicy ................................................................................................................................. 51
File Screening Overview ................................................................................................................................ 52
4.4.2 Antivirus Scanning Best Practices ................................................................................................. 53
4.4.3 Cross‐Protocol File Access (CIFS and NFS) ..................................................................................... 53
4.4.4 CIFS Auditing ................................................................................................................................. 54
4.4.5 Converting Qtree Security Styles ................................................................................................... 54
4.4.6 NetApp Operations Manager: Report on Security, Performance, and Trends .............................. 55
4.4.7 Access‐Based Enumerations Limitations ....................................................................................... 55
4.5 DEMO ..................................................................................................................................................... 56
4.5.1 File Screening with FPolicy ............................................................................................................ 56
4.5.2 Storage‐Level Access Guard .......................................................................................................... 57
4.5.3 Useradmin CLI (Role Based Access Control) .................................................................................. 62
4.5.4 Antivirus Scanning ........................................................................................................................ 63
4.5.5 Live‐View Auditing ........................................................................................................................ 67
4.5.6 Access‐Based Enumeration (ABE) ................................................................................................. 71
4.5.7 Configuring SSH and SSL ............................................................................................................... 74
4.6 NETAPP TECHNICAL REPORT REFERENCE ............................................................................................. 79
5 FILE SYSTEM RESOURCE MANAGER ..................................................................................................... 81
5.1 OVERVIEW ............................................................................................................................................... 81
5.1.1 Quota Management ..................................................................................................................... 81
5.2 BEST PRACTICES ........................................................................................................................................ 81
5.2.1 Quota ............................................................................................................................................ 81
5.3 DEMO ..................................................................................................................................................... 82
5.3.1 Native Quota Configuration .......................................................................................................... 82
5.3.2 Quota Management using Northern Storage Suite ...................................................................... 86
5.3.3 Quota Management using NTP Software ..................................................................................... 89
5.4 NETAPP TECHNICAL REPORT REFERENCE ............................................................................................. 91
6 INTEGRATION WITH WINDOWS SERVICES ........................................................................................... 92
6.1 OVERVIEW ............................................................................................................................................... 92
6.2 BEST PRACTICES ........................................................................................................................................ 92
6.2.1 Configuring Offline Folders ........................................................................................................... 92
6.2.2 Configuring Folder Redirection (Symbolic Links) ........................................................................... 93
6.2.3 Group Policy Objects (GPOs) ......................................................................................................... 94
6.2.4 Managing User Roaming Profiles ................................................................................................. 95
6.3 DEMO ..................................................................................................................................................... 98
6.3.1 Group Policy Object Security Configuration .................................................................................. 98
4 CIFS – Demo.NetApp.com
APPENDIX D: CIFS NETAPP SIZING GUIDELINE ........................................................................................... 157
GENERAL NETAPP STORAGE SPECIFICATIONS ............................................................................................................ 158
BACKEND SIZING INFORMATION ............................................................................................................................. 160
CUSTOM SIZER SPECIFIC INFORMATION ................................................................................................................... 160
CIFS HOME DIRECTORY SPECIFIC INFORMATION ....................................................................................................... 160
APPENDIX E: CIFS RESOURCE LIMITS ......................................................................................................... 163
APPENDIX F: USING NOVELL’S EDIRECTORY FOR LDAP AUTHENTICATION ................................................. 165
APPENDIX G: COMMONLY USED ADMINISTRATIVE INTERFACES FOR DATA ONTAP ................................... 171
ADMINISTRATIVE APPLICATIONS FOR DATA ONTAP ................................................................................................... 171
NETAPP JAVA SHELL ............................................................................................................................................ 172
APPENDIX H: SUPPORTED GPO’S .............................................................................................................. 173
SUMMARY OF GPO FEATURES ............................................................................................................................... 173
APPENDIX I: CIFS PERFORMANCE COUNTERS ............................................................................................ 175
CIFS COUNTERS FOR PERFMON ................................................................................................................ 175
CIFS OPERATIONS ............................................................................................................................................... 176
CIFS STATISTICS .................................................................................................................................................. 179
CIFS DOMAIN .................................................................................................................................................... 182
VSCAN STATISTICS ............................................................................................................................................... 182
VSCAN SERVER STATISTICS .................................................................................................................................... 184
SMB SIGNING STATISTICS ..................................................................................................................................... 185
CONCLUSION ............................................................................................................................................ 187
The batch files are located on both the Windows 2003 Server (SERVER), and the Vista
workstation (CLIENT) at: C:\CIFSDEMO\Scripts
NOTE: The objective of each batch file allows you to jump to the finished exercise to show or
review what has been performed. The recommendation, as time permits, is to go throught the
exercises following the hands-on guide without using the batch files – this will enhance your
learning.
Preinstalled Software:
Vista: Sun™ Java v.1.5.0.04
Windows 2003: Sun™ Java v.1.5.0.04
DNS – both forward and reverse zones
Active Directory: demo.netapp.com
TimeSync Daemon (using Tardis200nt.exe)
OU=NetApp Storage created to place NetApp storage objects
OU=ldapusers created for user testing
NOTE: Unless otherwise stated in the hands-on demo, always use demo\administrator to log onto
SERVER (W2003), W2008 or CLIENT (Vista).
The batch files are meant to be run once, i.e. If you run CIFSJOIN.BAT in one secton, you do not
need to rerun the same batch file in another section. The batch files follow the order of the
document. If you wish to either rerun a batch file, or move to a section prior to the current section
you have completed, you will need to reset the virtual environment to the state before any scripts
where executed.
2.1 OVERVIEW
The TAM will open a case and track it through to resolution inside of Microsoft. This same
process is in place for cases opened by NetApp Customer Support. In conjunction with an OEM
Premier Support Agreement, NetApp is able to open a support case for NetApp or on behalf of a
customer with Microsoft and utilize the OEM TAM to track the case to resolution.
The primary focus of the Microsoft OEM TAM is on technical problem resolution between
Microsoft and NetApp, not between Microsoft and the customer
2.3 ASSUMPTIONS
This paper assumes that you are knowledgeable at the administrative level with Microsoft
Windows 2003 Server and Windows Server 2003 products and their features.
This paper also assumes that you are knowledgeable about NetApp storage system
administration. For detailed information about storage system administration, refer to the NetApp
Data ONTAP administration guides available at http://now.netapp.com.
Data ONTAP version 7.3.0, released July 24, 2008, is the version used in this document.
3.1 OVERVIEW
NetApp storage systems are commonly used to store an organization’s personal home directories
for a variety of compelling reasons. One significant benefit of having the CIFS home directories
on NetApp storage system is that it eases the administration of the storage system by creating
only one share that resolves the location of all the users’ home directories. Users are offered a
dynamic share with their matching directory name. From the CIFS client perspective, the home
directory works the same way as any other share to which the user can connect. Each user can
see and connect only to his or her home directory, not the home directories for other users.
Compared to the traditional method, in which administrators have to create one share per user,
the NetApp home directories feature uses fewer system resources and therefore improves overall
system performance.
CIFS Setup
The CIFS setup command invokes a utility that prompts you for information such as
authentication type, lookup services to be used, and so forth. In addition to performing initial CIFS
configuration, the CIFS setup command enables you to perform the following tasks:
• Assign or remove Windows Internet Naming Service (WINS) servers.
• Enter the storage system Active Directory site information, if it is not already configured.
• Join the storage system to a domain, change domains, or choose an alternate
authentication method.
• Automatically generate /etc/passwd and /etc/group files when NIS or LDAP is enabled.
To learn about using the CIFS setup program for initial CIFS configuration, including a list of the
information you need when running CIFS setup, refer to the Data ONTAP Software Setup Guide.
CIFS Authentication
Data ONTAP CIFS services support four styles of user authentication.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT® 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows workgroup authentication using the NetApp storage's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
3.3.1 Create Both a Host (“A” Record) and Reverse Lookup Name in
DNS
NetApp storage systems query Domain Name Service (DNS) servers to locate domain
controllers. Because the Active Directory service relies on DNS to resolve names and services to
IP addresses, the DNS servers that are used with storage systems in an Active Directory
environment must support service location (SRV) resource records (per RFC 2782). If DNS is not
enabled or is not configured correctly, Data ONTAP will not be able to find the service records it
needs to locate DCs, KDCs, LDAP servers, and KPASSWD servers, and so will not be able to
join the AD domain.
Note: DNS servers that support dynamic updates (per RFC 2136) are recommended by Microsoft
so that important changes to SRV records about domain controllers are automatically updated
and available to clients immediately.
Since DNS is so important to Active Directory you may want to determine if DNS has been
properly set up in the AD domain. Open the Microsoft DNS console. Verify that you have a DNS
domain with the same name as your corresponding Active Directory domain. See that within it
you have the four SRV record folders (child domains) (_msdcs/, _sites/, _tcp/ and _udp/).
1.
To adjust the DNS settings:
FAS1> options dns.domainname demo.netapp.com
FAS1> options dns.enable on
FAS1*> priv set advanced
FAS1*> rm /etc/rc
FAS1*> wrfile -a /etc/rc hostname FAS1
FAS1*> wrfile -a /etc/rc ifconfig ns0 `hostname`-ns0
FAS1*> wrfile -a /etc/rc route add default 192.168.10.1 1
FAS1*> wrfile -a /etc/rc routed on
FAS1*> wrfile -a /etc/rc options dns.domainname demo.netapp.com
FAS1*> wrfile -a /etc/rc options dns.enable on
FAS1*> wrfile -a /etc/rc options nis.enable off
FAS1*> rm /etc/resolv.conf
FAS1*> wrfile -a /etc/resolv.conf nameserver 192.168.10.101
FAS1*> wrfile -a /etc/resolv.conf nameserver 192.168.10.102
FAS1*> priv set
To check the configuration of DNS from the NetApp storage, from the CLI, type:
2.
FAS1> dns info, or
Use getXXbyYY to verify forward and reverse lookups from the NetApp storage.
FAS1> priv set advanced
FAS1*> getXXbyYY gethostbyaddr_r 192.168.10.100
FAS1*> getXXbyYY gethostbyname_r W2003
Note: Customers may use the “Priv Set Advanced” or “Priv Set Diag” command when instructed
to do so by NetApp Technical Support or NetApp Professional Services. Otherwise, the
advanced command set is not supported for a customers use in a production environment.
To configure NetApp storage for NTP time synchronization, from a CLI session, issue the
following commands:
1.
FAS1> Options timed.log off
FAS1> Options timed.max_skew 5m
FAS1> Options timed.min_skew 0
FAS1> Options timed.protontp
FAS1> Options timed.sched hourly
FAS1> Options timed.servers W2003
(For this lab, ‘W2003’ is the NTP Source)
FAS1> Options timed.window 0s
FAS1> Options timed.enable on
Refer to the Data ONTAP system maintenance for detailed information on “timed” or from the
console, type: “man na_rdate” for detailed instructions.
To temporarily adjust the date and time with an NTP server, type:
2.
FAS1> rdate W2003
Due to the limitations imposed by Windows 2000 Server mixed mode, your organization should
consider going to native mode (2000 or 2003). There are many reasons to stay in mixed mode
before going directly to native. One important reason is that during your migration to AD, the
mixed mode provides the functionality that lets Windows NT 4 BDCs continue to offer domain
services. Because Windows 2000 Server mixed mode allows a domain controller to emulate a
PDC, mixed mode enables you to deploy a Windows Server 2000 or 2003 Active Directory
domain controller in a Windows NT 4 domain or in a new domain. For example, you might want to
upgrade your existing Windows NT 4 DCs to Windows Server 2003 over some period of time.
Then, when all DCs have been upgraded, you have the option of switching to native mode at your
convenience. Since each DC continues to interoperate with the others, you can take your time
with the upgrade and follow a methodical implementation plan.
You can store up to 255 Snapshot copies at one time on each volume, and up to 200 Snapshot
copies for each aggregate.
You can specify the percentage of disk space that Snapshot copies can occupy. The default
setting is 20% of the total (both used and unused) space on the disk. For a full explanation of how
Snapshot copies consume disk space, see Understanding Snapshot disk consumption.
Snapshot files carry the same permissions and inode numbers as the original files, keeping the
integrity of the security system intact. Inodes are data structures that hold information (including
permissions information) about files on the storage system. There is an inode for each file, and a
file is uniquely identified by the file system on which it resides and its inode number on that
system.
CIFS and NFS volume Snapshot copies enable end users to do the following:
• Recover older versions or sets of files that were accidentally changed or deleted
• Restore their own files without needing a system administrator to restore files from
tape
For a complete listing of NetApp Snapshot and SnapRestore® functions, refer to Chapter 2,
Snapshot management in the NetApp Data Protection Online Backup and Recovery Guide.
Listing Shares
To list all shares and their access control lists, use the command “CIFS shares” with no
arguments. To list a single share and its access control list, use the command “CIFS shares
sharename” where sharename is the name of the share.
Sharename Name of the new share; clients use this name to access the
share
Path Full path name of the directory on the NetApp storage that
corresponds to the root of the new share
-f Suppress confirmation dialogs, if any.
Description of the new share. CIFS clients see this
description when browsing the NetApp storage's shares. If
-comment description the description includes spaces, it must be enclosed in
double quotation marks. If you do not specify a description,
the description is blank.
Maximum number of simultaneous connections to the new
-maxusersuserlimit share. userlimit must be a positive integer. If you do not
specify a number, the NetApp storage does not impose a
limit on the number of connections to the share.
Name of the group to which files to be created in the share
-forcegroupgroupname belong. The groupname is the name of a group in the UNIX
group database.
Allow clients to follow symbolic links to destinations on this
- NetApp storage but outside of the current share. Do not
nosymlink_strict_security check that the client is authenticated to the symbolic link's
destination.
Allow clients to follow absolute symbolic links outside of this
share, subject to Windows NT security. This feature requires
-widelink an entry in the /etc/symlink.translations file and it requires
that the client supports Microsoft's Distributed File System
(DFS).
File mode creation mask for shares in qtrees with UNIX or
-umask mask set mixed security styles. The mask is an octal value which
determines the initial permissions setting of a newly created
file.
-novscan Do not perform a virus scan when clients open files on this
share.
First, make sure the domain controllers are not hidden, use the following command on each
Windows 200x Server:
SERVER> net config server /hidden:no
The following checklist provides the steps that should be followed to install NetApp storage into
an Active Directory domain. It’s outside the scope of this paper to explain each step in detail.
However, information and guidance on joining NetApp storage to an Active Directory domain are
in the guide “Best Practices for File Installation in an Active Directory Domain.”
Verify AD join with NetApp CIFS. To verify that CIFS setup has successfully joined the NetApp
storage to your Active Directory domain, type the following on the NetApp storage command line:
FAS1> cifs domaininfo, or
FAS1> cifs sessions, or
FAS1> priv set advanced
FAS1*> registry walk auth
FAS1*> priv set
You should see the following items in the output listed below:
• A successful registration into a Windows 2000 domain,
including the domain name
• A list of Windows Internet Naming Service servers (if
defined)
• A currently selected domain controller for Kerberos
authentication
Note: The “successful registration into a Windows 2000 domain” tag does not change if the
domain controller is Windows 2003 or 2008.
Note: You can enter up to 200 NetBIOS aliases in the file, using either ASCII or Unicode
characters. Each name can be no longer than 15 characters. If you are installing a NetApp
cluster, the host name must be unique for each NetApp storage in the cluster.
If you need to add a NetBIOS alias to the NetApp storage:
1. Edit /etc/cifs_nbalias.cfg
2. If CIFS is already running on the NetApp storage, map a drive to \\FAS1\C$ to
\etc\cifs_nbalias.cfg, otherwise
Follow the steps to create a new cifs_nbalias.cfg file:
a. FAS1> priv set advanced
b. FAS1*> java netapp.cmds.jsh
c. FAS1*> rdfile /etc/cifs_nbalias.cfg
d. FAS1*> cp /etc/cifs_nbalias.cfg
/etc/cifs_nbalias.cfg.original
e. FAS1*> wrfile /etc/cifs_nbalias.cfg
<Add one NetBIOS name per line>
FOOBAR
Note: When creating a name for the NetApp storage in an Active Directory domain the NetBIOS
name you select will be appended with the DNS name.
3.4.5 Manage the CIFS Shares from the CLI and Microsoft
Management Console
A Microsoft Windows administrator can create and manage a share on a storage system by using
the Microsoft Computer and Users Microsoft Management Console snap-in or by using the CLI
command ‘useradmin’ covered in section 4.2.5.
Creating a Qtree
To create a qtree, complete the following step.
FAS1> qtree create path
path is the path name of the qtree. If path does not begin with a slash (/), the qtree is created in
the root volume.
Note: If you want to create the qtree in a volume other than the root volume, include the volume in
the name.
The following steps will create the aggregate, volumes and shares which will be used for the
users home directories. These steps are included in the SHARESETUP.BAT file, and are
included here for your reference.
If the CIFS.home_dir_namestyle option is domain, you can create home directories by editing the
/etc/CIFS_homedir.cfg, creating the directories, and setting the permissions on the directories.
Steps
1. From the Windows machine, map a drive to the NetApp storage C$ share, i.e.
2. We will create a home directory for both Wilma and Fred in the HOMEDIR volume
3. The folders for Wilma and Fred need to be created in the HOMEDIR volume.
/vol/HOMEDIR/%u%
This will make Fred Flintstone the owner of the /vol/HOMEDIR/Fred directory and Wilma
Flintstone the owner of the /vol/HOMEDIR/Wilma directory.
4. Load the new CIFS homedir configuration into the storage system.
5. Make sure that the CIFS homedir domain name style is working by entering the following
command:
Additonal Options
FAS1> options cifs.home_dirs_public_for_admins (default: on)
Allows Administrator to access other’s home directories
4.1 OVERVIEW
NetApp storage is designed to be capable of operating in both UNIX and CIFS networking
environments. One of the goals of the storage design is to allow pure UNIX and pure CIFS sites
to work transparently in "native" mode without the worry of other client types. Whenever possible,
using only native security for NetApp storage clients results in an easier administration job.
However, many sites have a need for multiprotocol support, which often introduces the need for
both client types to be able to access the same files.
The NetApp approach is to simultaneously support multiple security models. One concept that is
common to all security models is the notion of a user, which makes that an intuitive choice for
bridging the different models. When a user wants to access a file which has "nonnative" security
the user's mapped identity is used to validate the access.
User security on NetApp storage is divided into three categories.
The security style used for client communication can be set at a volume or qtree level. Most
administrators will choose to designate specific sections of a NetApp storage volume as an NTFS
qtree, a UNIX qtree, or a mixed qtree. (A qtree is simply a designated subtree within a NetApp
storage volume.) Placing similar types of data in separate qtrees, volumes, or flexible volumes
will make security configuration simpler. The security style determines what permissions are
applied to files and directories in that qtree, volume, or flexible volume. For any given file or
directory, one (and only one) security style is in effect at a time.
• The NTFS security style is based on ACLs. To a Windows client, this security model
behaves exactly like an NTFS file system on a Windows file server and is more natural
for Windows users.
• The UNIX security style is based on UNIX permissions. To an NFS client, this security
model behaves exactly like a UNIX NFS server and is more natural for UNIX users. It
should be noted that the default security type set on a new volume or qtree is UNIX by
default. The default security style on newly created volumes can be changed by setting
the following NetApp storage option:
FAS1> options wafl.default_security_style unix
Kerberos Communication
The Kerberos server, or Kerberos Key Distribution Center (KDC) service, stores and retrieves
information about security principles in the Active Directory. Unlike the NTLM model, Active
Directory clients that want to establish a session with another computer, such as a storage system,
contact a KDC directly to obtain their session credentials.
Using Kerberos, clients (users) contact the KDC service that runs on Windows 2000, Windows
2003, or Windows 2008 domain controllers. The client asks for the admission to the TGT (Ticket
Granting Ticket) for the domain. This is an authentication service exchange between the Kerberos
SSP and the KDC on the user’s domain (KRB_AS_REQ and KRB_AS_REP). The result is a TGT
that the client can use to request session keys to services.
The client uses the TGT to ask for admission to the NetApp storage system’s domain. This is a
TGS exchange between the Kerberos SSP on the computer and the KDC for the computer’s
account domain. The result is a session ticket that the client can present when requesting access
to the system services on the computer. Clients then pass the authenticator and encrypted session
ticket to the storage system.
SSH Communication
Secure Shell is a security protocol for logging into a remote server. SSH provides an encrypted
session for transferring files and executing server programs. Also serving as a secure
client/server connection for applications such as database access and e-mail, SSH allows SSH
clients to log into the NetApp storage without being prompted for a password, which is useful for
running scripts and scheduled jobs.
The “cli” option grants the specified role the ability to execute one or more Data ONTAP
command line interface (CLI) commands.
• cli-* grants the specified role the capability to execute all supported CLI commands.
• cli-cmd* gives the specified role the capability to execute all commands associated with
the CLI command cmd.
Note: Users with CLI capability also require at least one login capability to execute CLI
commands.
Note: Groups created in Active Directory should be global groups most of the time, especially for
user accounts.
Again, best practice dictates not creating local groups and just using the defaults. With respect to
the NetApp storage you can use its local administrator group to add other members of the domain
to it for administration purposes or for applications that require nondomain authentication
(SnapDrive®, SnapManager® for Exchange, and so on). When a Windows NT workstation or
standalone server or NetApp storage becomes a member of a domain, that domain's primary
global groups (the users group and the administrators group) are automatically added to the local
groups of the computer or NetApp storage that joins the domain. This is done by design but is not
necessary.
Local users and groups is an important security feature because you can limit the ability of users
and groups to perform certain actions by assigning them rights and permissions. For instance,
you might want to authorize a user to perform certain actions on a computer, such as backing up
files and folders. You could place a global group of users with backup duties inside the default
local “Backup Operators” group on the NetApp storage. This would give that set of users the right
to back up and restore files on the local system regardless of the permissions on the individual
files.
“user add” and “user modify” are used to add and modify administrative users. The user
name can be up to 32 characters long. The user name can contain any alphanumeric character, a
space, or a punctuation character that is not one of:" * + , / : ; < = > ? [ ].
The -g requirement for add specifies which groups contain this user. A user inherits all the
privileges of the groups he is in. This option completely replaces this user's current groups with
the new ones.
The -c option specifies a comment about the user. Comments about the user should be no longer
than 128 characters and should not contain the character “:” (colon).
When you add a user, you will be prompted to create the user's password and then verify it. A
password is case-sensitive and defaults with the following restrictions:
• It must be at least 8 characters long (default, but can be changed).
• It must contain at least two alphabetic characters.*
• It must contain at least one digit.*
* If the setting of the security.passwd.rules.enable option is off, then the restrictions will not be
enforced.
Capabilities
There are four categories of capabilities: login-*, cli-*, api-*, and security-*.
The “*” character is used similar to a wildcard, with a couple of restrictions: It must be used at the
end of the capability. It must be used alone or in conjunction with one of the categories. If used
with cli-, It must be used with the full name of the CLI command.
The login-* category includes logging in using login_telnet, login-console, login-rsh, login-ssh, and
login-http-admin.
The cli-* category includes all of the commands that can be run after a user is logged in with
telnet, console, rsh, or ssh. The format for this is cli-<command>*, which means allow all the
commands and subcommands. (cli-<command> just means the command and NO
subcommands.) The capability for a specific command, like exportfs, would have the following
syntax: cli-exportfs* This means allow command line accesses to the exportfs command and all
of its subcommands. cli-export* might look valid but is NOT allowed.
The api-* type includes all of the Data ONTAP API calls. These commands are only available
using login-httpadmin, so in general, any api-* command must also include this login. The format
for this is api-<ontap-api-command> which means allow a specific command/subcommand. Here,
it is possible to list only subcommands, like api-system-get-info or a command and its
subcommands, like api-systemget-*, or even api-system-*.
• If ACLs already exist on the storage system root directory (/etc) and on files in the /etc
directory, the ACLs remain unchanged. Otherwise, these ACLs are created such that the
BUILTIN\Administrators group has full control; any in the /etc/http directory are assigned
"Everyone Read.”
• ACLs on other files and directories remain unchanged.
• The security style of all volumes, except read-only volumes, is changed to NTFS.
• If the /etc directory is a qtree, its security style is changed to NTFS.
• Security style for all other qtrees remains unchanged.
If you have only a single domain structure, obviously you would simply use global groups (maybe
domain local) and not necessarily universal groups.
In general, object permissions should be assigned to domain local groups, whereas user and
computer accounts should be placed in global groups. Then these global groups can be (not
necessarily) placed or nested in domain local groups to gain access to network resources. Note,
however, that in order to place the global group in a domain local group, you will need to be
running a native mode domain.
Ordinarily, if you are going to use domain local groups, you will use the built-in defaults and
maybe create new ones if your environment requires it. The default ones should satisfy most of
your requirements. One example might be a global group of users that have higher security
requirements. You would add this global group to the domain local “Administrators” group.
UID to CIFS Cred (NFS Request for File with NTFS-Style Security)
Lookup numeric UID in /etc/passwd or NIS
yielding UNAME
Lookup UNAME in /etc/usermap.cfg
yielding NTDOMAIN and NTNAME
If NTNAME is null ("")
access is denied
Note that in the last lookup step NTDOMAIN might be wildcarded, in which case NTNAME is
looked for in all trusted domains (or in the domains listed in the CIFS.search_domains).
As can be seen, the default actions are adequate in many situations. However, there are
situations where it is useful to be able to customize the mapping process with entries in the
usermap.cfg file. Examples of this are where the user names are not the same in both client
types, or where access must be controlled based on the client's IP address, or where the default
domain mapping is not adequate.
Basic Usage
The usermap file consists of a series of entries that specify a pattern to match and a replacement
to use when a match is found. Entries in the usermap.cfg file are one per line with this basic
syntax:
NT_account direction UNIX_account
The "NT_account" is the name of a Windows NT domain account, "direction" is either:
"==" meaning bidirectional mapping
"<=" meaning mapping from UNIX to Windows NT only
"=>" meaning mapping from Windows NT to UNIX only
or blank, which is the same as "=="
"UNIX_account" is the name of an entry found in the UNIX password database. "*" can be used
to indicate wildcard entries. The pattern matches are done in the order they appear in the file.
Here are some simple example entries:
These examples show several different ways the usermap.cfg file can be used to customize
the mapping process. For a full description of all the details of setting up the
/etc/usermap.cfg file, including restricting access based on client's IP address.
Note that it is possible to set up maps that result in confusing, but technically correct, behavior.
To avoid that, you should try to follow these guidelines:
• Keep user names identical for both clients whenever possible. That avoids having to
create individual entries in the map file.
• Mapping Windows NT user "Tom S" to UNIX user "tjs" and UNIX user "tjs" to Windows
NT user "bill" will confuse everyone mightily. Avoid such maps.
• It is usually inadvisable to use IP qualifiers to map users differently. For example, if UNIX
user "tjs" from UHOST1 maps to Windows NT user "Tom S" but "tjs" coming from
UHOST2 maps to Windows NT user "Smith" things can get very confusing. Stick with
using IP qualifiers to restrict access only.
NetApp integrates with third-party products for auditing support including Symantec™, NIE, and
Varonis.
The following types of events are logged and displayed when auditing is enabled:
• Network logon
• Unsuccessful network logon
• Network logoff
• Windows file access
• UNIX file access
• Unsuccessful file access
• Lost record event
• Clear audit log event
NFS Auditing
NFS auditing refers to auditing access events for files and directories only from UNIX clients that
access data on the storage system using the NFS protocol.
CIFS must be licensed and enabled on the storage system before enabling NFS auditing. Event
auditing is turned off by default. To identify events for auditing, you must enable individual options
and enable auditing.
Refer to Section 4 of Auditing Quick Start Guide at http://media.netapp.com/documents/tr-
3595.pdf for detailed information.
CIFS Auditing
CIFS must be licensed and enabled on the storage system before enabling CIFS auditing.
The cifs audit save command saves the audit records stored internally by CIFS to a Windows NT
OS–formatted file readable by the Windows NT Event Viewer application. The name of the file to
which records are saved is specified by the cifs.audit.saveas option. If the file exists, it
will not be overwritten unless the -f option is specified to force the save.
Data ONTAP has many security-related options that should be properly set in a secure storage
environment. Many of these options allow compliance with corporate security policies. NetApp
strongly recommends that you use secure administration methods for Data ONTAP and that you
disable any unsecure administrative protocols.
Client access to a secure storage system is vitally important. NetApp recommends the use of
secure authentication and authorization in addition to the various protocol-dependent methods of
secure data transfer.
You use file screening policies to specify files or directories with restrictions to be placed on them.
Upon receiving a file operation request (such as open, write, create, or rename), Data ONTAP
checks its file screening policies before permitting the operation.
• You can enable or disable file screening by setting the fpolicy.enable option to on or off,
respectively.
• You can create a file policy using the fpolicy create command.
• You can enable a specific file policy using the fpolicy enable command.
• You can disable a specific file policy using the fpolicy disable command.
• You can delete a file policy using the fpolicy destroy command.
• You can display information for a specific file policy or all file policies by entering the
appropriate command.
• You can use the fpolicy options command to require files to be screened before they can
be accessed.
• You can enable the file policy with Data ONTAP default lists or you can specify lists of file
extensions to include or exclude.
The file policy specifies which files to screen using a list of file extensions to include for screening
or to exclude from screening. From the command line, you can display or change the list of
included and excluded file extensions.
The file policy can optionally specify a list of volumes on the storage system in which screening
will take place or which will be excluded from screening. From the command line, you can display
or change the list of included and excluded volumes.
You can manage file screening servers by displaying file screening server status, designating
secondary file screening servers, disabling the connection to a file screening server, and enabling
native file blocking.
• The UNIX security style is based on UNIX permissions. To an NFS client, this security
model behaves exactly like a UNIX NFS server and is more natural for UNIX users. It
should be noted that the default security type set on a new volume or qtree is UNIX by
default. The default security style on newly created volumes can be changed by setting the
following NetApp storage option:
FAS1> options wafl.default_security_style unix
• The mixed security style is determined on a file-by-file basis (not qtree). Files created by
Windows users get Windows NT ACLs, and files created by UNIX users get UNIX
permissions. A file's security style may be changed from one style to another by NFS set
attribute (i.e., chown, chmod) or Windows NT set ACL (i.e., Security tab in Explorer)
requests, assuming that the requestor has the appropriate permissions. This style is ideal
System administrators should determine the dominant security style for a given qtree (or volume)
using the following scenarios:
1. If a qtree (or volume) will be predominantly accessed by NFS clients, select the UNIX
security style. Windows clients will still have access to this qtree/volume using the user
mapping process for Windows NT to UNIX.
2. If a qtree (or volume) will be predominantly accessed by Windows clients, select the
NTFS security style. UNIX clients will still have access to this qtree/volume using the user
mapping process for UNIX to Windows NT.
3. If a volume or qtree is to be accessed by both NFS and Windows clients and each of the
clients need full control over file access security, select the mixed style.
• Users who are administrators will be able to see every file and folder in a share even with
ABE enabled and even when they have Deny ACE on these items.
• ABE does not apply to users who can log on interactively to the server, regardless of
whether they are administrators or not. This means ABE isn't really suitable for Terminal
Services environments.
ABE is built into Windows Vista and 2008 Server platforms and is enabled by default and needs
absolutely no configuration on those platforms. Therefore, a folder shared on a Vista machine will
only show its contents to users who have permissions to access items within it.
File Screening
Enabling Native File Blocking
HANDS-ON EXERCISE: File Screening
4.
SERVER> net use T: \\FAS1\DATA
SERVER> Copy C:\CIFSDEMO\MP3\*.* T:\
You can use the FPolicy options command to designate a list of secondary servers to be used
when the primary file screening server is unavailable.
This command configures a set of IP addresses. Any FPolicy server connecting from one of these
IP addresses is classified by the storage system as a secondary server. Any FPolicy server not
classified as a secondary is considered a primary server. The storage system never uses any
secondary server as long as a primary server is available. If all primary servers are unavailable,
the storage system uses any secondary servers connected to the storage system, until a primary
server becomes available again.
For CIFS share level reporting, use "cifs shares."
For file level reporting, use "fsecurity show" (requires Data ONTAP 7.2.2 or above).
BEHAVIOR
• Storage-Level Access Guard security applies to all files and/or directories in a
storage object, but is not inherited or propagated by them. If you view the security
settings on a file or directory, you do not see the Storage-Level Access Guard
security. It’s applied at the storage object level and stored in the metadata, used to
determine the effective permissions.
• Volumes and qtrees are independent storage objects; Storage-Level Access Guard
permissions are not inherited from a volume to any qtrees underneath.
• Access to a file or directory in Data ONTAP is determined by the combined effect of
both the native permissions applied to files and/or directories and the Storage-Level
Access Guard permissions set on qtrees and/or volumes. For CIFS/NFS client
access, three levels of security checks are performed to determine effective
permissions. The checks are performed in this order:
1) Storage-Level Access Guard permissions
2) CIFS share or NFS export-level permissions
3) NTFS file/folder access control lists (ACLs) or UNIX mode bits
CONFIGURATION
HANDS-ON EXERCISE: Storage-Level Access Guard
VISTA> logoff
10) Map Pebbles’ to the Data volume
SERVER> From the desktop, double click on the DEMO.MSC shortcut.
This will allow you to remotely connect to the VISTA workstation.
On the left colume of the MSC, expand ‘Remote Desktop’. Double-
click on ‘Connect as Pebbles’
Once connect, click start, run, cmd.
VISTA> net use t: \\FAS1\data
11) Create a text file at the root of the DATA volume
12) VISTA> Logoff Pebbles
13) Map Wilma to the Data volume
14) SERVER> From the desktop, double click on the DEMO.MSC shortcut.
This will allow you to remotely connect to the VISTA workstation.
15) On the left colume of the MSC, expand ‘Remote Desktop’. Double-
click on ‘Connect as Wilma’
16) Once connect, click start, run, cmd.
17) VISTA> net use t: \\FAS1\data
18) Have Wilma open the text file Pebbles’ created – you should be successful. Now, have
Wilma create a new text file – you should have no success.
19) VISTA> Logoff Wilma
20) To display the Storage Level Access Guard permissions:
FAS1> fsecurity show /vol/DATA
21) To remove an active fsecurity Storage-Level Access Guard policy, type:
FAS1> fsecurity cancel <all> or <Job #>
Benefit: No more dependency on managing the folder based ACLs from a client side. Data
ONTAP has the built in tool now called “fsecurity.” Also gives additional layer of security called
Storage-Level Access Guard.
Unix security:
uid: 0 (root)
gid: 0 (daemon)
mode: 0777 (rwxrwxrwx)
Notes:
• Storage-Level Access Guard Security descriptor must be removed before a qtree can
be deleted.
• Volume root is qtree id 0; Storage-Level Access Guard is not inherited from volume
root to other qtrees.
• “Secedit.exe”: A Windows client application for constructing security settings for the
“fsecurity apply” command, provided on an as-needed basis to customers from
http://now.netapp.com/NOW/download/tools/secedit/.
This creates two roles, one which can rsh into the NetApp storage and run the help command,
and another which is allowed to log in using any login method and run any snmp command. The
"snmp_admins" group is allowed to log into the NetApp storage and run the help command using
telnet, rsh, etc, and run snmp commands. The user "Dino" inherits these capabilities from the
group.
3.
FAS1> useradmin user modify Dino -g "Guests"
FAS1> useradmin user list Dino
The scanner registers with the Storage Appliance. At the NetApp console each time the Windows
machine reboots, you will see a message similar to:
[vscan.server.connecting.successful:info]: CIFS: Vscan server \\W2003
registered with the storage unit successfully.
Troubleshooting: If you do not see a message similar to this, on the Windows Server, click
Program -> Network Associates -> VirusScan Console. Right click “Network Appliance AV
Scanner” and select enable.
For this exercise, you will not see the message as the Telnet session to the NetApp storage
closes each time the Windows machine reboots.
If VirusScan is running and configured correctly, when you try to save the file, VirusScan will
detect the virus. If VirusScan is not running, start it and scan the directory that contains
EICAR.COM. When your software scans this file, it will report finding the EICAR test file.
• If the file is written to, the file could contain a virus, for this reason, the file is again
scanned when closed.
• If the scanner is updated, updated DAT files contain new viruses to check for. In this case
if the Storage Appliance receives an RPC from the scanner that it has been updated, the
Storage Appliance will remove the OK flag for all files.
VSCAN commands
• vscan help
Print list of vscan commands.
• vscan extensions
Displays the current list of extensions to scan and not to scan.
VSCAN on/off
The vscan on/off will enable and disable the vscan option.
Caution: If you turn vscan on, and there are no scanners registered with the NetApp storage,
NetApp storage will not allow access to the file(s) that have the listed extension(s) unless the
mandatory_scan is set to off.
VSCAN options
FAS1> vscan options
vscan options timeout: 10 sec
vscan options abort_timeout: 10000 sec
vscan options mandatory_scan: on
vscan options client_msgbox: off
Timeout displays the current virus scan timeout value in seconds. This value determines how long
the Storage Appliance will wait for the scanning client to perform a virus scan request. The
timeout value may be reset to a default value provided by NetApp. It is also possible to set the
timeout.
Mandatory_scan displays the current setting for the mandatory_scan option. If set to "on,” then
access to files will be denied if a virus scan cannot be performed, for example, because no
scanners are available. If this option is set to "off" then access to files is allowed if it is not
possible to scan the file. NetApp Professional Services recommends customers set this to off.
VSCAN scanners
Logon/logoff events
FAS1> options cifs.audit.logon_events.enable on
Timestamp extension:
FAS1> options cifs.audit.autosave.file.extension timestamp
Format: base name of event file YYYYMMDDHHMMSS.evt
Static Display
To view the external event log (.evt file) saved on the storage system, complete the following
steps:
1. SERVER> Start Event Viewer from Administrative Tools or from Microsoft Management
Console.
2. From the Action menu, select Open Log File. Select the event log file saved on the
storage system.
Note: Do not try to open the event log by selecting Select Computer from the Log menu and
double-clicking the storage system name. If you do, Event Viewer displays the error message
"The RPC server is unavailable," because Data ONTAP does not communicate with Event
Viewer with RPC calls unless Live View is enabled.
The EVT2TXT Converter tool converts a standard Microsoft type event (.evt) file to a text (.txt) file
format. This tool is available from the NOW site:
http://now.netapp.com/NOW/download/tools/evt2text.
The tool has also been copied to C:\CIFSDEMO\EVT2TEXT for your convenience. Refer to the
C:\CIFSDEMO\EVT2TEXT\README.txt file for details on how to use the tool.
Note: The ABEUI.msi package, which can be downloaded from Microsoft’s Web site must first be
installed on all Windows 2003 servers prior to R2, which will use the abecmd tool, as well as all
DFS servers.
First of all, you must set up your regular file shares as you normally would. You must set the
permissions on the share, and the NTFS permissions on the file system. Take note of the NTFS
permissions - you will need these later. These will indicate who gets to see the share once the
configuration is complete.
4. We have two users which were previously created in Active Directory, Fred and Wilma.
SSH Setup
HANDS-ON EXERCISE: SSH Setup
Either perform the follow steps, or to automate
Prerequisite: CIFSRUN.BAT the task, execute: SSHSETUP.BAT. Then,
proceed to step #10
Performed from W2003
1.
FAS1> secureadmin setup ssh
SSH server supports both ssh 1.x and ssh 2.0 protocols.
SSH server needs two RSA keys to support ssh1.x protocol. The host key is generated and
saved to file /etc/sshd/ssh_host_key during setup. The server key is regenerated every
hour when SSH server is running.
SSH server needs a RSA host key and a DSA host key to support ssh 2.0 protocol.
SSH Setup will now ask you for the sizes of the host and server keys.
Note: Accept the defaults when it comes to selecting key size.
For SSH1.0 protocol, key sizes must be between 384 and 2048 bits.
For SSH2.0 protocol, key sizes must be between 768 and 2048 bits.
The size of the host and server keys must differ by at least 128 bits.
Please enter the size of host key for ssh1.x protocol [768] :
Please enter the size of server key for ssh1.x protocol [512] :
Please enter the size of host keys for ssh2.0 protocol [768] :
Is this correct? [yes]
FAS1> Wed Oct 25 05:59:56 GMT [rc:info]: SSH Setup: SSH Setup is done.
Host keys are stored in /etc/sshd/ssh_host_key,
/etc/sshd/ssh_host_rsa_key and /etc/sshd/ssh_host_dsa_key.
Make sure your host is able to send commands to the NetApp storage. RSH is the easiest
method.
a. Add your host and user name to the /etc/hosts.equiv file
For example, if we wanted to allow the Administrator using the host: W2003,
FAS1> priv set advanced
FAS1*> wrfile –a /etc/hosts.equiv W2003 Administrator
FAS1*> priv set
or
b. Use the option rsh –l to specify the user and password for RSH access
If it works, you are ready to configure SSH, otherwise refer to the NetApp storage console for the
error message, and take appropriate steps as described in the Troubleshooting section of this
document.
Do not forget to remove the hosts.equiv entry once you have tested, and switch:
FAS1> options httpd.admin.hostsequiv.enable off
Configure SSH
Using an Internet search engine such as Google, download both plink.exe and puttygen.exe for
testing. (Both of these tools have been downloaded and placed in the folder
C:\CIFSDEMO\plink.)
The first time you use plink, you will be asked if you agree with the license, select Y for yes.
Here you can see the NetApp storage has accepted the connection and is now prompting for a
password.
Next, generate keys by using puttygen.exe. Be sure you DO NOT enter a passphrase when
generating the keys.
4. SERVER> C:\CIFSDEMO\plink\puttygen.exe
5. Select SSH-2 RSA radio button.
6. Accept the 1024 default for key size; the key size on the host does not have to match that
of the NetApp storage, but it does need to be larger.
7. Click Generate and you will be prompted to move your mouse in the key area.
8. Once the Keys have been generated, select save public key and save private key. Save
them to the directory C:\CIFSDEMO\plink.
Public key name = rsa_pub_key
Private key name = rsa_priv_key.ppk
Create an authorized_keys file. As a general rule the authorized_keys file is very sensitive; it
does not want any line breaks. Do not edit this file with notepad; instead use wordpad or textpad.
When you open the public key file generated by puttygen it will look like this.
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070119"
AAAAB3NzaC1yc2EAAAABJQAAAIEAyQ8pESW3f2dRNNtnioOTPD0dyTVfW1TcIrFY
1aC/qMHH2AK9A5Kjd9dUBq7YudjakUiwZKvB7rucg7FaMbOZDqf/HvqdJf3Zem99
LaolDWBpGJRNqe8zmdWWnU/SXV9weWjsx6W+JeT9Urhfp/hbgidI8D6HxyJO/028
1Yro2XM=
---- END SSH2 PUBLIC KEY ----
You need to strip all line breaks and extra text from this file to look like this. Note: After “ssh-rsa”
there should be a space and then the key.
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAyQ8pESW3f2dRNNtnioOTPD0dyTVfW1TcIrFY1aC/qMH
H2AK9A5Kjd9dUBq7YudjakUiwZKvB7rucg7FaMbOZDqf/HvqdJf3Zem99LaolDWBpGJRNqe
8zmdWWnU/SXV9weWjsx6W+JeT9Urhfp/hbgidI8D6HxyJO/0281Yro2XM=
Notice that ssh-rsa is appended to the beginning of the file. Save this file as authorized_keys; do
not overwrite the original public key.
If you are doing this from a Windows host you will not be able to create the .ssh folder. Instead,
create /etc/sshd/root/ssh.
Copy the authorized_keys file into this directory; once copied use the mv command on the
NetApp storage to rename the ssh directory:
FAS1> priv set advanced
FAS1*> mv /etc/sshd/<username>/ssh /etc/sshd/<username>/.ssh
FAS1*> priv set
SERVER> c:\CIFSDEMO\plink\plink.exe -v –i
c:\CIFSDEMO\plink\rsa_priv_key.ppk root@FAS1 ?
The first time you use plink, you will be asked if you agree with the license, select Y for yes.
The -v flag is used to give a verbose output regarding the connection negotiation. This can be
removed from future commands once you are satisfied; it is a useful flag when trying to
troubleshoot the connection.
http://now.netapp.com/NOW/knowledge/docs/olio/guides/avmatrix.shtml
(Requires NOW account)
LDAP
http://media.netapp.com/documents/tr-3458.pdf
Unified Windows and UNIX Authentication Using Microsoft Active Directory Kerberos – May 2006
http://media.netapp.com/documents/tr-3457.pdf
5.1 OVERVIEW
This chapter provides practical guidelines for implementing quotas on NetApp storage. The
chapter outlines deploying native Data ONTAP quotas. The advantage of native quota
management is it is works in a multiprotocol environment. Usage can be tracked irregardless if a
UNIX user manipulates data or a Windows user manipulates data.
5.2.1 Quota
Value of using third-party quota manage software to manage NetApp storage quotas:
The NetApp storage quota management functionality has the current limitations:
• Only one quota (hard or soft) is allowed to be place at the volume root.
• Only one threshold message allowed which is not customizable.
NetApp quotas can only be placed on qtrees, volumes and users; and you’re limited in the
amount of thresholds and reporting you can perform.
NTP and NSS software allows for as many volumes, share or directory level quotas as you
desire.
With third-party tools:
• Quotas may be overlapping; (example: you can place a 100GB limit on the volume root
and then 100MB user home directory limits on all subfolders)
• You’re allowed as many thresholds as you want; you can notify the user at 75%, 80%,
85%, 90%, 95% 100%; Overdraft, etc…
• Both third-party tools have a report module which can generate canned or custom reports
(example: You may run a Usage by User report to determine how much space your users
are consuming.)
5.3 DEMO
With no arguments, the quota command indicates the quota status (on, off, disabled, and so on)
for each volume. This form of the command is deprecated - use the quota status command
instead. The following list describes how to use the various quota commands:
FAS1> quota on <volume>
Activates quotas in the specified volume based on the contents of /etc/quotas. When quotas are
first turned on, NetApp storage scans the file system to determine current file and space usage
for each user and group with a quota. This might take several minutes during which quotas are
This adjusts currently active quotas in the specified volume to reflect changes in the /etc/quotas
file. For instance, if you edit an entry in /etc/quotas to increase a user's quota, quota resize will
cause the change to take effect. The volume name may be omitted if the system has only one
volume. quota resize can be used only when quotas are already on. Because it does not rescan
the file system to compute usage, quota resize is faster than turning quotas off and then on again.
quota resize will apply all updated entries in /etc/quotas; however, it will generally ignore newly
added entries. A newly added entry will only take effect if the corresponding user or group has an
active quota as a result of updating a file subject to default quotas.
FAS1> quota allow volume
Prints the quota status (on, off, disabled, and so on) for the specified volume. If no volume name
is specified, the quota status for all volumes in the system is printed.
FAS1> quota report
Prints the current file and space consumption for each user or group with a quota and for each
qtree. With a path argument, quota report displays information about all quotas that apply to the
file. Space consumption and disk limits are rounded up and reported in multiples of 4 Kbytes.
The formatting options are defined as:
-q
If this option is given, the quota target's ID is displayed in a numeric form. No lookup of
the name associated with the target ID is done. For UNIX user IDs and group IDs, the ID
is displayed as a number. For Windows IDs, the textual form of the SID is displayed.
-s
If this option is given, the soft limit values are printed in the output along with the hard
limits.
-v
If this option is given, the name of the vFiler controller is included in the quota report
output. It is only valid if MultiStore® is licensed.
-u
If a quota target consists of multiple IDs, the first ID is listed on the first line of the quota
report for that entry. The other IDs are listed on the lines following the first line, one ID
per line. Each ID is followed by its original quota specifier, if any. Without this option, only
one ID is displayed for quota targets with multiple IDs.
-x
If a quota target consists of multiple IDs, all IDs are listed on the first line of the quota
report for that entry. They are listed as a comma separated list. Each column of the report
output will be separated by a tab character. The threshold column will also be included.
quota logmsg
Allows the user to specify a time interval for a volume during which quota messages for
that volume will be disabled. With no arguments, the quota logmsg command displays
the current interval settings.
This will be for a user’s volume called DATA, allowing quotas to have a soft limit of 150MB for
each user, and a hard limit of 175MB per user.
You can use the Quota report function to report on individual users, groups or volumes.
Support Qtree quota and user quota (soft and hard limit).
Enhanced quota notification and reporting in available in NetApp Operations Manager.
** System Manager is the replacement for FilerView. Currently, System Manager 1.0 runs in a
Windows environment only. This includes:
Windows XP, Windows Vista, Windows 2003, and Windows 2008
System Manager implements an MMC plug-in so it depends on MMC 3.0 and .NET 2.0.
The System Manager software will:
• Discover unprovisioned NetApp storage using SNMP
• Perform basic controller setup (DNS, NIS, Networking, AutoSupport, SNMP, Security,
Date/Time/Time Zone)
Install this on the Windows 2003 Server. Modifications must be made to install on Windows
2008, which are outside the scope of this lab.
Installation
1. If you have not already installed the Microsoft SQL Server Desktop Edition for VFM, install
MSDE now with the following switches:
SERVER> C:\CIFSDEMO\Northern\MSDE\setup SECURITYMODE=SQL
SAPWD=netapp1
Note: A reboot IS required before proceeding with the installation of Northern Software.
2. Following the reboot, login and on the tool bar (bottom right side of desktop), right click SQL
Server Agent. Select “Open SQL Server Service Manager.” Under Services, select “SQL
Server Agent.” Click Start. Check Auto-start service when OS starts. Close the dialogue.
3. Execute Northern Software Suite setup:
SERVER> C:\CIFSDEMO\Northern\setup
4. At the “Welcome to the Northern Storage Suite” dialogue, click Next
5. Choose Evaluation Installation, click Next
6. Choose NAS Evaluation, click Next
7. On the License Agreement dialogue, click Yes
8. On the Choose Destination Location, click Next
Configuration
1. Start NSS by clicking Start -> All Programs -> NORTHERN -> Storage Suite -> Northern
Storage Suite
2. If prompted to accept the “Northern Certified Software, choose Install.
3. Click Config (Top right), Host Management (Left side, third menu item)
4. Click Add, Next, and select NetApp Managed Host
Note: There is a bug in this version of the software – you will need to click NetApp Managed
Host, then click on EMC, and then back to NetApp Managed Host – this is to enable the Next
button, otherwise the Next button is not selectable.
5. Select the Host where NSS is installed (W2003). (This is NOT the NetApp storage)
6. Select Northern Storage Report, click Next x2
7. On the properties of the Scan Dialogue, select to repeat the scan every 5 minutes. Click Next
x3, followed by Finish.
Note: In a production environment, you would normally set the scan to be at a higher level
than this. In a lab environment we want to ensure the changes we make can be reported
upon much sooner.
8. On the top right, click the left square. (It should read Home: Dashboard under the square
when you move the mouse over the square.)
9. Click User Interaction (left side)
10. Under Status, click Change Server
11. Select the server where NSS is installed (DEMO -> W2003)
12. On the top right, click the middle (orange square) It should read Quota under the square
when you move the mouse over the square.
13. On the left panel, click File System Quotas
14. Under the middle pane, expand the NT Servers list and select the NetApp storage (FAS1).
Right click and select ‘Add NetApp Filer’
15. A NetApp Configuration Wizard will begin, click Next
16. A dialogue will open, asking which Quota Server server – use the default of W2003, click
Next
17. A dialogue will open, asking Do you wish to add additional Filers, click Next
18. A dialogue will open, asking the type of connection. Use HTTP user name: root, password:
netapp1, click Next, Finish, then Close
Installation
1. SERVER> C:\CIFSDEMO\NTP\setup.exe
2. Choose Yes to install Smart Policy Manager
3. On the Welcome to NTP, click Next
4. Check, “I accept the terms of the license agreement,” click Next
5. Accept the default location, click Next
6. Accept the default features, click Next
7. For the service account, use:
Service: DEMO\Administrator
Password: netapp1
Confirm: netapp1
8. Accept the default location for the Smart Policy Database, click Next
9. Choose, First Time Installation, click Next
10. Organization Info:
Organization: NDF
Location: San-Diego <- Do not change this name, as it matches the AD site.
11. On the Start copying file dialogue, click Next
12. Uncheck, “Yes, I want to view the readme file,” click Finish
13. On the Welcome to the NTP Software Installation, click Next
14. Check, “I accept the terms of the license agreement,” click Next
15. Accept the default Destination Location, click Next
16. Accept the default features, click Next
17. User Information:
Company Name: NDF
Check Install Evaluation Version, click Next
18. On the Account Type, choose “Specify an account to use,” click Next
19. Service account, use:
Configuration
1. SERVER> All Programs -> NTP Software QFS for NAS -> NTP Software QFS for NAS
Admin
2. Maximize Quota & File Sentinal dialogue
3. Expand San-Diego, fas1, Quota & File Sentinal
4. Right click Disk Quota Policies, select New -> Folder Policy using Shares
5. New Quota Share Policy:
a. Policy Name: Books Quota
b. Description: Historical Data
6. Click the Quota Tab
a. Absolute Quota limit of 50 MB
b. Under Quota Limit Properties, enable Deny Write, select 100%
7. Click the Shares Tab
a. Click Add, type BOOKS
b. Click OK
8. Map Wilma to the BOOKS share
SERVER> From the desktop, double click on the DEMO.MSC shortcut.
This will allow you to remotely connect to the VISTA workstation.
On the left colume of the MSC, expand ‘Remote Desktop’. Double-
click on ‘Connect as Wilma’
Once connect, click Start, Run and type CMD.exe
9. VISTA> Net use T: \\FAS1\BOOKS
10. VISTA> Copy C:\CIFSDEMO\McAfee\*.* T:\
6.1 OVERVIEW
NetApp file services solutions simplify the growing complexity and reduce costs of storing and
serving files in organizations by almost 40%. NetApp’s solution integrates with customer’s
existing Active Directory, so they can consolidate with little effort. Migrate and manage their
Windows files with Virtual File Manager with little to no disruption. And take advantage of a wide
portfolio of certified solutions: Offline folders, group policy objects, roaming profiles and more.
The folders that are made available offline are synchronized to the Windows local disk.
Synchronization occurs when network connectivity to a specific storage system share is restored.
To enable the Offline Folders options on a Windows client, in Windows Explorer, select Folder
Options from the Tools menu. To force this feature on a specific file or folder, right-click the
selected network drive or subfolder and select Make Available Offline. For more information, see
the Microsoft TechNet article: “Make a file or folder available offline.”
1. On the Windows server, open the Active Directory Users and Computers tree.
2. Right-click the Organization Unit (OU) that contains the users desired (ldapusers).
Remember a GPO cannot be applied to the default Computers OU.
3. Select the Group Policy tab, and select New.
4. Enter a name for the new GPO, i.e. Folder Redirect
5. Highlight the new GPO and select Edit. This opens the Group Policy Object Editor.
6. Expand User Configuration > Windows Settings > Folder Redirection.
7. Under Folder Redirection, select the folder that you want to redirect, we will use Desktop
for this lab, and then click Properties.
8. Click the Target tab, and then in the Settings box, select Basic - Redirect everyone’s
folder to the same location.
9. Under Target folder location, select Create a folder for each user under the root path.
10. In the Root Path box, type a Universal Naming Convention (UNC) path, For this example
we will use \\FAS1\redirect and then click OK.
11. In the Properties dialog box for the special folder, click OK.
12. Close the Group Policy Editor and the OU Properties dialog box.
The user name and folder name are appended to the UNC path automatically.
Note: If you allow Folder Redirection to create the redirected folders on a specified network, the
folders that are created in this way have proper permissions assigned to them. If you create the
folders manually, you must make sure that permissions are properly assigned.
Testing the Folder Redirect GPO will be performed at the end of this chapter.
GPO support can be easily enabled on a NetApp storage system with the CLI. The option is:
FAS1> options cifs.gpo.enable on | off
Make sure that CIFS is licensed and configured on the storage system and that it is already
associated with an Organizational Unit (OU).
When GPOs have been enabled on a storage system and specified in the Active Directory
domain, startup and shutdown scripts are applied to a group of systems in the following way:
• When CIFS starts on a storage system, it retrieves GPOs from the domain controller--
including startup and shutdown scripts--and runs the retrieved startup scripts. Scripts are
limited to a maximum of 4k.
• The storage system accesses the scripts from the Domain Controller's sysvol directory
and saves these files locally in the /etc/ad directory.
Note: Although the storage system periodically retrieves updates to the startup and shutdown
scripts, startup scripts are not applied until the next time CIFS restarts.
Managing GPOs
To display GPOs that are currently in effect for the storage system and the results of those
GPOs, use the cifs gpresult [ -r | -v | -d] command, which simulates the output of
the Windows 2000, XP, Vista gpresult.exe /force command.
All GPOs are verified every 90 minutes. By default, Data ONTAP queries Active Directory for
changes to GPOs. If the GPO version numbers recorded in Active Directory are higher than those
on the storage system, Data ONTAP retrieves and applies the new GPOs. If the version numbers
are the same, GPOs on the storage system are not updated.
By default, computer Group Policy is updated in the background every 90 minutes, with a random
offset of 0 to 30 minutes. In addition to background updates, Group Policy for the computer is
always updated when the system starts. If you select 0 minutes, the computer tries to update
Group Policy every 7 seconds. However, because updates might interfere with users' work and
increase network traffic, very short update intervals are not appropriate for most installations.
A random offset has been added to the refresh interval to prevent all clients from requesting
Group Policy at the same time. The range of the random offset is from 0 to 1440 minutes (24
hours). The random offset prohibits all of the servers from polling the domain controllers at the
same time.
Security Settings GPOs are refreshed every 16 hours. Data ONTAP retrieves and applies
Security Setting GPOs every 16 hours, whether or not these GPOs have changed.
All GPOs can be updated on demand with a Data ONTAP command ”cifs gpupdate.”
For this example, we will use an existing share on the NetApp storage where user profiles will be
stored. The share is called, “Profile”, and we will use it for Wilma Flintstone.
1. Give all users Full Control permissions to the share (this is the default).
2. Open the Active Directory Users and Computers snap-in and navigate to the OU called,
ldapusers.
3. Right-click on the user Wilma Flintstone, and select Properties from the menu
4. Click the Profile tab.
5. For the Profile Path:, type \\FAS1\Profile\%username%
The variable %username% will automatically create the Profile for the select user(s).
1. A CIFS share has been created for you, as well as two users. In the example we will use:
Share: DATA, located at /vol/DATA
Active Directory User: Wilma, password: netapp1
Active Directory User: Fred, password: netapp1
Organization Unit where the NetApp Storage is located: NetApp Storage
2. On the Windows server, open the Active Directory Users and Computers MMC.
3. Right-click the Organization Unit (OU) NetApp Storage, and select Properties. Remember
a GPO cannot be applied to the default Computers OU.
4. Select the Group Policy tab, and select New.
5. Enter a name for the new GPO, i.e. CIFS DATA access.
6. Highlight the new GPO and select Edit. This opens the Group Policy Object Editor.
7. Expand Computer Configuration > Windows Settings > Security Settings.
8. Right-click File System and select “Add File.” This opens the "Add a file or folder" dialog box.
Note: Do not select the option to browse the local server's drives.
9. In the Folder field, enter the storage system path on which to apply the GPO (/vol/DATA)
and click OK. Result: The Database Security window opens.
10. In the Database Security window, set the permissions you want and click OK. Result: The
Add Object window opens. Add:
Wilma Flintstone, and give full control.
Fred Flintstone, and give the default of read, execute and list permissions.
Click OK
11. In the Add Object dialogue, accept the default settings, and click OK. Result: The Group
Policy Editor displays the new object name.
12. Close the Group Policy Editor and the OU Properties dialog box.
Note: The format of target file or directory names must be recognized by Data ONTAP and must
be in absolute or relative form.
When an absolute pathname is supplied, Data ONTAP applies File System security
settings to the specified target file or files within the target directories. In this example, the
settings are applied to the /home directory in the storage system root volume.
When a relative pathname is supplied (any pathname that does not begin with /vol),
Data ONTAP applies File System security settings to any target file or directory
containing the specified element. This is a convenient way to apply settings to multiple
parallel targets in a single storage system; in this example, the settings are applied to all
vFiler units with /home directories.
In case the NetApp storage belongs to another site, cifs resetdc should correct the site entry.
There should be a rule based on subnets to determine the current site for the NetApp storage. If
the rule does not exist, then a CIFS terminate followed by CIFS setup will give an option to
choose the site for the NetApp storage. The option to choose a site is shown only if there are
multiple sites configured.
When multiple sites are present and the NetApp storage is unable to choose its site based on
rules, then during CIFS setup, it will present the option to choose a site to associate with the
NetApp storage. If there is only one site, and its site name has been changed from the default of:
Default-First-Site. The follow message will be displayed:
[cifs.gpo.processing.ldap:warning]: CIFS GPO LDAP: Filer tries to
search for GPO list. Error code: 32: No such object
On the storage system, enter the following command to retrieve and apply the new GPO:
Note: If you do not explicitly apply the new GPO with the cifs update command, the storage
system applies the new GPO the next time it queries the Active Directory server (that is, within 90
minutes).
None
Displays information about the GPOs currently applicable to the storage system, including
name, version and location.
-r
Displays the results of applying current GPOs to the storage system.
-v
Generates a verbose display, including information about applicable GPOs and the results of
applying them.
-d
Dumps the output from cifs gpresult -v to the file /etc/ad/gpresult_timestamp file.
Map a drive to the data share with the user name Wilma:
By supporting this Policy, administrators will be able to define access permissions on DACLs and
audit settings on SACLs for the file system objects that exist in NetApp storage through Active
Directory.
For Example, on NetApp storage where the customer stores source code for application installs,
they could limit full control to source code administrators and read/execute rights to software
installers. This allows them to give local admin rights to people in order to support the hardware
After you create the file, you may view the contents with the command
Although in Windows Server 2003 R2, the Active Directory schema is already extended with an
RFC2307-compliant schema, the Windows Services for UNIX must still be installed to support the
Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of
UNIX attributes for users, groups and computers.
Since LDAP authentication transmits unencrypted passwords, Windows clients require a registry
edit to enable them to send passwords without encryption. Clients that are not properly
configured to send clear text passwords to the storage system will be denied access and display
an error message similar to the following:
The SMB redirector does not send an unencrypted password unless you add a registry entry to
enable unencrypted passwords.
RESOLUTION
Windows Vista, Windows 2003, Windows XP and Windows 2000 clients
• In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\para
meters, add a REG_DWORD value called EnablePlainTextPassword and set it to 1.
OR
• Run Local Security Policy (under Administrative Tools). Under Security Settings->Local
Policies->Security Options, enable Microsoft network client: Send unencrypted password
to third-party SMB servers (for Windows 2003 and XP) or, Send unencrypted password
to third-party SMB servers (for Windows 2000).
Windows NT clients
• In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\parameters, add
a REG_DWORD value called EnablePlainTextPassword and set it to 1.
Windows 98 clients
• In HKLM\System\CurrentControlSet\Services\VxD\VNETSUP, change
EnablePlainTextPassword to 1.
OR
Note: This step must also occur on all Windows domain controllers used for LDAP
authentication.
NOTE: For NetWare eDirectory LDAP browsing, the Host name will be
BigRed.demo.netapp.com, leave the Base DN blank, and enable Anonymous
bind. For the balance of the settings, use the options specified for AD.
NOTE: The following LDAP settings have been placed in the LDAPWINSCHEMA.BAT. You may
execute the batch file instead of manually typing these commands.
Use “GetXXbyYY” to test that LDAP is functioning correctly on the NetApp storage. The syntax
for getXXbyYY is in the next section.
Once testing is complete, return the NetApp storage back to standard administration with:
FAS1*> priv set
You can authenticate Windows clients through an LDAP server. To enable authentication of
Windows clients only through an LDAP server, complete the following operations.
FAS1> cifs terminate –t 0
FAS1> cifs setup
Specify NIS/LDAP as the authentication method (option 4) to be used for CIFS
clients on the NetApp storage.
Configure for Mixed authentication, and not NTFS.
Any Workgroup name may be used, as LDAP does not use a Workgroup name.
Make sure that all CIFS shares have “mixed” security selected; you cannot use only NTFS with
LDAP authentication. New shares should be created. If you have existing shares which was
used with Active Directory, former users and groups will now be listed as unknown SIDs.
Permissions must be assigned at the share level and file/folder level by Groups. Individual user
names cannot be used with LDAP.
Using Computer Management to add a user, group or change permissions on a NetApp storage
share might fail with "The credentials supplied conflict with an existing set of credentials" or “The
following error occurred while reading the list of shares for Windows clients: Error 5: Access is
denied.”
First make sure you have no existing connections to the NetApp storage
SERVER> Net use * /delete /yes
Next, create a NetApp storage BUILTIN account which will match the name and password of the
account you are using on the Windows machine. I.E. if your Windows account is Administrator
with a password of netapp1, then from the NetApp storage CLI, type:
FAS1> useradmin user list administrator
If you do not already have a local administrator account follow the next two steps to
create one.
FAS1> options security.passwd.rules.minimum 7
FAS1> useradmin user add administrator –n “Local Admin” –g
administrators
Once you press enter, you will be prompted twice for the password you wish to associate to this
account.
Next, to allow the local administrator to connect to NetApp storage default shares, we need to
assign the permission.
FAS1> cifs access c$ builtin\administrator full control
Before Data ONTAP 7, NetApp only supported syntax 1, which implies that Data ONTAP LDAP
search does not search for the embedded group membership.
With Data ONTAP 7 and above, Syntax3 is also supported, which gives Data ONTAP LDAP
feature the following advantage:
When the customer maps uniqueMember to the Windows member attribute, he can effectively
unify Windows and UNIX group membership. This has the large advantage that Windows and
UNIX group membership automatically synchronized.
The customer does not have to keep two membership lists in sync.
A member can be added to a group using the Microsoft Management Console.
You can use nested groups.
Limitations:
Maximum number of UNIX groups is limited to 32 per user.
When setting ldap.rfc2307bis.enable option to “on” for RFC2307bis support, only the first root in
the search string is searched To enable this feature, on the NetApp storage:
FAS1> options ldap.rfc2307bis.enable on
DFS VFM
Client MMC Rich Client
Ease of Use Limited (only slightly better Fully supports drag-and-drop,
than old client, very limited 1-to-many operations
drag-and-drop support)
Integrated Logical-Physical No Yes
Namespace backup/restore No Yes
Must script command line Integrated UI
tools
Automate creation of DFS No Yes
Consolidation Root via wizard
DFS R2 VFM
Open file handling Only when file is closed Yes
Replication style Last-writer wins Master-slave
Replicate to shared cluster No Yes
storage
Graphical View of replication No Yes
topology
Installing DFS
HANDS-ON EXERCISE: DFS
1. From the Windows Server, Click Start, point to Programs, point to Administrative
Tools, and then click Distributed File System.
2. Right-click Distributed File System in the left pane, and click New Root. The Create
New DFS Root wizard appears, then click Next.
3. Make sure that Create a domain DFS root is selected, and then click Next.
4. Select the host domain for the DFS root; in our example, this is demo.netapp.com,
and then click Next.
5. For the Server name, use W2003,demo.netapp.com. Click Next.
6. For the example we will call our DFS root name MASTER, and in the comments field,
type: Demo NetApp Data. Click Next. For the Folder to Share, type: C:\DFSROOT.
Click Next.
7. If the specified folder does not exist, you are asked if you want to create it. Click Yes
to continue.
8. Click Finish to create the DFS root. After the Create New DFS Root wizard has
completed, you are ready to administer your DFS root.
At this point, you have an empty DFS root in Active Directory. For this share to be interesting to
users, you need to publish nonlocal shares in the DFS namespace.
Microsoft's VSS works by using three pieces a requester, writer and provider. The requester is
your traditional backup solution. Requesters send collection inquiries to the application you want
to protect. This application must understand the collection inquiry sent to it by the requester and
needs a writer designed to support the application data and data types. The writer is written by
the application developers, not the backup vendor, to assure the most stable and consistent
recoveries.
Enhanced backup using VSS-aware backup software can greatly enhance the quality of your
backups. Backing up the snapshots assures that there are no open file conflicts which can result
in incomplete backups.
Volume Shadow Copy Service supports creation of single point-in-time shadow copies—also
known as snapshots—of single or multiple volumes without impacting production server
performance. Used for managing data, from Direct Attached Storage (DAS) to Storage Area
Networks (SANs), Volume Shadow Copy Service coordinates with business applications, backup
applications, and storage hardware to enable application-aware data management. Volume
Shadow Copy Service also supports backups of open files.
NetApp works with Microsoft’s VSS on both the storage level as well as on the application level.
On the storage level, a LUN is presented to the Windows server, and managed through NetApp’s
SnapDrive software which provides dynamic volume resizing, reporting and integration with
Wndows VSS APIs to be able to create a quiesced Snapshot copy of a volume, no matter of its
size, almost instantaneously.
On the application level, NetApp has several SnapManager products which work with NetApp
SnapDrive and Microsoft’s VSS specific to the application to provide the same level of ease and
time saving. NetApp currently offers:
• SnapManager for Microsoft Exchange
• SnapManager for Microsoft SQL Server
• SnapManager for Microsoft SharePoint®
• SnapManager for Oracle®
• SnapManager for SAP®
• SnapManager for Lotus Domino®
Just as quickly as the Snapshot copy is created, both the SnapManager and the SnapDrive
product provide the ability to rapidly restore the data back to a previous point in time, usually in
just seconds.
If you wish to restore the entire folder, just select a parent folder, or select the properties of the
Share name, allowing you to navigate to the folder to be restored.
This setting turns off the ~snapshot directory from appearing to CIFS and NFS regardless of the
above setting. This is the default behavior.
FAS1> options cifs.showsnapshot off
When you turns off the ability to access Snapshot copies using the previous versions feature, the
volume/share might need to be remounted before these settings come into effect.
FAS1> options cifs.ms_snapshot_mode off
Multiprotocol Namespace
Allow access to a namespace from both NFS and CIFS clients. The administrator can
choose whether to have the CIFS namespace replicate the NFS namespace, or visa
versa. In either case, they are synchronized periodically. For CIFS, manages Windows
DFS and allows the NetApp storage to be configured as a target leaf-node in DFS.
Data Backup
Back up data on NetApp storage that participate in the namespace and backup the
logical structure of the namespace targeting the data.
Reporting
Create and publish reports for groups of storage objects they are interested in.
Understanding how much data and how many files need to be migrated will give you some idea
of how much time will be required to perform the migration. Consider also that it will take a
greater amount of time to migrate a larger number of smaller files than a smaller number of larger
files. Having this information can be useful when planning how much time an administrator will
need to prepare for in the data transfer portion of the migration. The speed and available
bandwidth on the existing network will also limit the amount of data that can be migrated within a
certain time period. Consider using private, out-of-band Gigabit networks or Gigabit crossover
links for data migration purposes. In addition to the time required for migration, other factors that
affect migration administration and complexity are the number of Windows servers to be
consolidated, number of shares, host/share name contention, home directories, and explicitly
mapped network drives from clients and applications.
NetApp recommends using the Microsoft recommended method of assigning rights to file
systems, that is UGLR.
Users belong to ... Global groups, which belong to ... Local groups, which are assigned access to
... Resources.
The problem is that Local groups have a nonglobal SIDs between machines. That is, each
NetApp storage assigns its own local SIDs to local groups in its /etc/lclgroups.cfg on the root
volume. That SID gets moved with the ACL data to the destination, but the destination machine
can't resolve its membership with its local groups.
1) The supported method is using securecopy which will retain the SIDS during migration.
Refer to the HDMNAS Decision Tree Matrix for further information:
http://ps-web.corp.netapp.com/cv/nsdatamigration.htm (Internal)
2) The unsupported method is to copy over filersid.cfg and lclgroups.cfg from the old
NetApp storage to the new and reboot. Both storage units cannot have CIFS running at
the same time due to conflicting SIDs. The advantage here is you can use SnapMirror for
the data migration. The downside is there is a lot more risk if you don’t know what you’re
doing.
One of the most commonly used Microsoft tools for data migration is Microsoft's cacls.exe,
xcacls.exe and the later xcacls.vbs. Using the VBS is significantly faster than using the EXE.
http://support.microsoft.com/kb/318754 (old)
http://support.microsoft.com/kb/825751 (current)
Migration Options:
• Include or exclude subfolders
• Delete orphaned files
• Allow loss of security and alternate file streams
• Selectable criteria for file transfers including inclusion and exclusion lists.
• Configurable retries for failures during transfer of a file
• Threshold for continual failures
• Event Log details
• Script execution before and after replication to provide solutions such as e-mail
notifications, cleanup, zip or unzip files and posting event log entries
• Optional differential replication only transmits blocks of changed data
Best Practices
• Migration does not require Windows DFS namespace, but DFS provides the layer to
allow future storage changes to remain transparent to users.
• Each migration task is run as a thread
o Can speed up migration by combining with Replication
o By default, 20 threads available
• Turn off vscan during bulk migration
• Don’t setup overlapping replication / migration jobs
Installing VFM
1. The account which will be used for VFM requires “Logon as a service” be enabled. This step
has already been performed as a reboot is required to active the change.
2. If you have not already installed the Microsoft SQL Server Desktop Edition from the Northern
Storage Suite lab exercise, install MSDE now with the following switches:
SERVER> C:\CIFSDEMO\Northern\MSDE\setup SECURITYMODE=SQL
SAPWD=netapp1
Note: A reboot IS required before proceeding with the installation of VFM.
3. Following the reboot, login and on the tool bar (bottom right side of desktop), right click SQL
Server Agent. Select “Open SQL Server Service Manager.” Under Services, select “SQL
Server Agent.” Click Start. Check Auto-start service when OS starts. Close the dialogue.
SERVER> C:\CIFSDEMO\VFM\VFMInstall.exe
4. Welcome to the NetApp VFM 6.1.1 Installation Wizard, click Next
5. On the Accept License Agreement dialogue, click, "I accept the license agreement", click
Next
6. On the NetApp VFM 6.1.1 Release Notes dialogue, click Next
7. On the Compnenent Selection dialgoue, accept the default and click Next
8. On the Destination Lcoation dialogue, accpet the default and click Next
9. On the Application Data Storage dialogue, accept the default and click Next
10. Enter the License Information, followed by Next
Serial Number: NETAPP_VFM_DEMO_14_NOT_FOR_PRODUCTION_USE_10232008
License Type: Evaluation
Activation Number: VFME1-1BL06-LV8E7-TNI6A-UYZ2H
Configure VFM
Integration of a NetApp Storage System with a UNIX Based LDAP Server – April 2006
http://media.netapp.com/documents/tr-3464.pdf
8.1 OVERVIEW
Microsoft launched an initiative in 1996 to rename SMB (Server Message Block) to Common
Internet File System (CIFS), and added more features, including support for symbolic links, hard
links, larger file sizes, and an initial attempt at supporting direct connections over TCP port 445
without all the NetBIOS trimmings (a largely experimental effort that required further refinement).
Whenever files are copied between Windows systems, the SMB protocol is used. Version 1 of this
protocol, which is still in use today, was developed 15 years ago and was introduced with
Windows 3.11 for Workgroups. Since the fastest networks in use at the time generally offered a
maximum transfer rate of 10 Mb/s, the protocol has become out of date. Indeed, with Gigabit
Ethernet interfaces now a common feature even on budget motherboards.
With Windows Vista (released in 2006), Microsoft introduced Server Message Block 2.0.
Durable Handles:
Durable Handles are the file handles that persist across SMB 2.0 sessions. They are designed to
prevent data loss caused by short network outages - by absorbing writes cached on the client on
a different SMB 2.0 session. When a client opens a file, it specifies if it needs the file handle to be
durable. If the current connection goes away, the client would try to use the durable handle on a
different connection if it is still valid on the server. The server on it's part issues a durable handle
only if it supports the functionality. Upon session disconnection, the server makes the handles
available for reclaim by the same user on a different a connection.
8.3 DEMO
Microsoft claims that: with its improved TCP stack, just upgrading clients to Windows Vista can
yield throughput and time-to-completion improvements of up to 2.5X over Windows XP. Complete
migration servers to Longhorn, to also take advantage of the enhanced SMB2, can yield
throughput and time-to-completion improvements of up to 3.5X over Windows XP/Windows
Server 2003.
The version of SMB used for file sharing is determined during the SMB session negotiation. If
both the client and server support SMB 2.0, then SMB 2.0 is selected during the initial
negotiation. Otherwise SMB 1.0 preserving backward compatibility. The table below shows the
version of SMB that will be used in different client/server scenarios:
Both SMB 1.0 and 2.0 are enabled by default on Windows Vista and Windows Server 2008. In
some testing and troubleshooting scenarios it might be necessary to disable either SMB 1.0 or
SMB 2.0. However, it should be noted that this is not a recommended practice. To disable SMB
1.0 for Windows Vista or Windows Server 2008 systems that are the “client” systems (accessing
the network resources), run the following commands:
To disable SMB 2.0 for Windows Vista or Windows Server 2008 systems that are
the “client” systems run the following commands:
To enable back SMB 2.0 for Windows Vista or Windows Server 2008 systems that
are the “client” systems run the following commands:
To disable SMB 1.0 on a Windows Vista or Windows Server 2008 system that is acting as the
“server” system (hosting the network resources), a registry modification is required. Navigate to
the HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters key. If there is no
REG_DWORD value named Smb1, you will need to create it. This value does not exist by
default. Once the value is created, set the value to 0 to disable SMB 1.0 or 1 to enable SMB 1.0.
Finally, to disable SMB 2.0 on Windows Vista or Windows Server 2008 systems that are acting as
the “server,” navigate to the registry key listed above. Instead of creating the Smb1
REG_DWORD value, you would create a REG_DWORD value called Smb2. Set the value to 0 to
disable SMB 2.0 and 1 to enable SMB 2.0.
Command
New option "cifs.smb2.enable" to enable/disable this feature. When this option is disabled
NetApp storage will not accept any new SMB 2.0 sessions but the existing sessions will not be
terminated.
New option "cifs.smb2.signing.required" to enforce signing on all SMB 2.0 sessions.
New option "cifs.smb2.client.enable" to enable/disable SMB 2.0 client capability on
NetApp storage. When this option is enabled, NetApp storage initiated connections to Windows
servers will use SMB 2.0 protocol. In case the Windows server does not support SMB 2.0
protocol then NetApp storage will fall back to using SMB. If a session had been established over
SMB 2.0 and later this option is disabled, existing sessions will not be terminated, NetApp storage
will continue to use SMB 2.0 for the existing sessions but no new sessions will attempt to use
SMB 2.0.
New option "cifs.smb2.durable_handle.enable" to enable/disable the durable handle
functionality for SMB 2.0 clients. If this option is enabled, the open files from a client are
preserved when the client gets disconnected from the NetApp storage. These open files can be
reclaimed when the client reconnects to the NetApp storage.
New option "cifs.smb2.durable_handle.timeout" to configure the duration in seconds for
which NetApp storage will preserve the durable handle after a temporary network failure. This
timer has a default value of 16 minutes, but its value could be changed by system policy to any
range between 5 seconds and infinite (4,294,967,295 seconds)
“cifs sessions” command will take a new option, ‘-p’. This option filters the sessions on the
basis of protocol version used. When -p option is used with 'smb' as the argument, only SMB 1.0
sessions are displayed. When -p option is used with 'smb2' as the argument, only SMB 2.0
sessions are displayed. When -p option is not used, both SMB 1.0 and SMB 2.0 sessions are
displayed. The -p option can be used along with -c and -s options
Change the max number of outstanding requests sent by a client without receiving a response.
cifs.smb2.max_credits_granted
• For CIFS AD Domain status (Windows 2000 and later) one should not be using "cifs
testdc" but
FAS1> cifs domaininfo
Manually Editable:
o cifs_nbalias.cfg
o cifs_homedir.cfg
o usermap.cfg
Each of the subcommands must be followed by an interface name or the word "all." A small
exception to this is that "pktt status -v" is equivalent to "pktt status all -v.” The available interface
names can be found using "ifconfig -a" or "pktt status."
pktt start
The "start" subcommand is used to start tracing, (or restart if it has been paused). The
packet trace data is stored in "tcpdump" format in a circular buffer in memory. The flags
that can optionally be supplied are as follows:
-d dir
This specifies the path to an existing directory in which the trace data file will be written.
The file will always have the name "<interface>.trc" where "<interface>" is the interface
name (for example, e4, fa3, and so on). If this option is missing, the trace data will only
be collected in memory, and after the buffer fills, new packets will replace existing
packets. However, it is always possible to dump the contents of the buffer at any time
using the "pktt dump" command. One thing to be aware of when writing trace data to disk
is that if the file system cannot keep up with the network traffic you might not log all
packets. This will show up in the "dropped" counts when looking at status. Along with
this, you should remember that logging all traffic may generate a heavy write load on the
-s size
This allows you to set a maximum size of the trace file. If you don't specify this the file
can grow to 32GB, so set it to a reasonable value if you think there is a chance you might
forget you have left the trace going. This parameter is only useful in conjunction with the
"-d" option. After the maximum size has been reached, packets continue to be logged to
the buffer, but not to disk.
-mpklen
This sets the length at which packets will be truncated. The default is 1500 bytes, which
results in full packets for Ethernet. Note that in 5.3 the default of 1500 is incorrect for
Ethernet. You must override with "-m 1514" to get the full packets. It is sometimes useful
to limit the data stored when every byte of the packet is not critical. However, for many
debugging tasks it is useful to have the entire packet. In the case where the packet size
can be larger than 1500 you might want to specify a larger maximum. However, many of
the decoders refuse to deal with packets larger than 1500 bytes so you should only
specify a larger value if that seems critical to finding the problem.
-bbsize
This sets the buffer size, which may be specified as a number with an optional trailing “k”
or “m” multiplier. The default is 32K, which should be large enough to find "packet of
death" bugs and similar problems. You should use a value of at least 128K when using
the -d option. The value may range from 8K to 128M, but only in the most exceptional
cases would it be necessary to increase the size beyond 1-2M. In cases where the
network is very busy and it is not practical to log all the traffic to disk you might need to
use a larger buffer.
WARNING! Do not specify a value larger than 3MB. You might hang the system console
or cause WAFL to run out of memory.
-iipaddr [-iipaddr] ?
This allows limited filtering capability. Up to four IP address may be specified, which
causes only traffic to or from any of those IP addresses to be logged. This will prevent
logging of any non-IP (for example, arp/rarp) traffic.
-v
This causes "pktt status -v" information to be displayed as tracing starts.
pktt pause
The "pause" subcommand is used to temporarily stop capturing traffic from one or all interfaces. If
any unwritten data is in the trace buffer it will be flushed to disk. Use "pktt start" without any
options to restart a paused interface.
pktt dump
The "dump" subcommand causes the contents of the packet trace buffer to be written to a file. If
the "-d [dir]" option is used the file will be written to that directory, otherwise it will be written to the
root directory of the root volume. The name of the file is always <interface>.trc and the contents
are in "tcpdump" format. If a file by that name already exists it will be overwritten.
pktt stop
This causes all tracing to stop on the named interface, or all interfaces. If any unwritten data is in
the trace buffer it will be flushed to disk. If you have not dumped the trace data and you were not
tracing to a disk file, the trace data will be lost. This action is not confirmed, so be careful when
using this command.
pktt status
This can be used to display the buffer and file status of an existing trace. Using "pktt status -v" will
give you full tracing status for all interfaces.
Collect pktt data from the appliance. An example of the pktt command usage is:
FAS1> pktt start all -b 128k -d /dir -s max_file_size[k|m] -m
mtu_size -iclient_IP_or_hostname
This will create a packet trace file called interface.trc that is less than or equal to
max_file_size[k|m]. The file will be stored in the directory dir after capturing network data seen
between the appliance and the client interface client_IP_or_hostname.
• Gather:
o pktt filtered for client and DCs (NIS, LDAP)
o FAS1> cifs DOMAININFO <domain>
o FAS1> cifs STAT output
o FAS1> cifs SESSIONS –t
o Size estimate for /etc/lclgroups.cfg
The following commands can help you find the offender, if you didn’t want to log the individual off
with the previous command.
CLIENT> rsh FAS1 -l root:netapp1 netstat -an | findstr "\.22
\.23 "
This gives you the IP address of the machine that is connected over port 22 (ssh) or 23 (telnet).
Once you have the IP address, you can then find out the HOST name by issuing the following
string.
10.1 OVERVIEW
Sizing of CIFS home directories has always been a complex task as there are numerous factors
that need to be considered while carrying out a sizing exercise. There are no industry-standard
workload and benchmarks for CIFS home directory deployments. Work load analysis and
benchmarks have been carried out based on different customers' data.
Active-Active Configuration
An active-active configuration is two storage systems (nodes) whose controllers are connected to
each other either directly or through switches.
You can configure the active-active pair so that they share access to a common set of disks,
subnets, and tape drives, or you can configure them to have two distinct sets of storage, each
owned by one of the controllers.
The nodes are connected to each other through a cluster adapter or an NVRAM adapter, which
allows one node to serve data to the disks of its failed partner node. Each node continually
monitors its partner, mirroring the data for each other’s nonvolatile RAM (NVRAM).
• Fault tolerance
When one node fails or becomes impaired a takeover occurs, and the partner node
continues to serve the failed node’s data.
When you halt one node and allow takeover, the partner node continues to serve data for
the halted node while you upgrade the node you halted.
For more information about nondisruptive software upgrades, see the Data ONTAP
Upgrade Guide.
When you halt one node and allow takeover, the partner node continues to serve data for
the halted node while you replace or repair hardware in the node you halted.
Concurrency % (10, 20, 30, 40, 50, 60, 70, 80, 90 or 100%)
Home Directory Size/User (GB)
Each home directory deployment is unique in the way it has been deployed, users supported, the
number of concurrent users, roaming profiles, disk and network traffic, presence of Citrix
environment, antivirus scanners, use of multiple protocols, and so on. The inherent complexity of
this architecture makes it extremely difficult to size and deploy to the desired levels.
Client-Side Issues
Make sure that the Windows server is optimized for proper network throughput:
1. Set window size - Large window size increases the number of messages that can be in
flight. The maximum window size that is supported on the NetApp storage is 64,240.
Increasing this on both the NetApp storage and clients can dramatically improve
performance for large transfers. Use the following option on the NetApp storage
options cifs.tcp_window_size to 64240. The window size on the client is
controlled by adding the registry value (DWORD)
\\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp
WindowSize and setting it 64240 (0xFAF0 in hex).
2. Consider hardware and OS dependencies - CIFS performance is quite sensitive to client
performance (mostly due to opportunistic locking). Therefore, in general, the faster the
clients are, the better the overall performance. Also, the larger the client memory the
better the performance.
3. Make sure oplocks are turned on for the Windows clients. This is usually turned ON by
default (unless someone explicitly set it off). The registry entry that controls oplocks is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Par
ameters\UseOpportunisticLocking.
1. Oplocks should be enabled: Make sure that cifs.oplocks.enable is ON. (In certain
database environments this cannot be set to ON for other reasons.)
2. Changing the open delta setting. Under certain workloads setting cifs.oplocks.opendelta
to 0 can improve CIFS throughput performance by 3-5%. If setting this value to 0 results
in client disconnects reset it back to 8 (which the default value).
3. If the workload being tested is random in nature set minra to ON. If it is more sequential
set minra to OFF.
4. For workloads that are purely sequential increasing wafl_read_ahead to 18 chunks from
default value of 3 chunks can help (by using "setflag wafl_read_ahead 18").
5. Setting “vol options <volume> no_atime_update ON” can improve CPU
performance if accurate access times are not important.
Common Problems
1. Duplex mismatches: Make sure that the duplex settings match on the NetApp storage,
the switch, and the clients.
2. Redirector breakages: If a very heavy load is placed on the CIFS client, the redirector can
potentially break the session. Certain fixes have gone into recent Data ONTAP releases
that fix this problem but this problem does occur occasionally. If this happens the best
solution is to reduce the load on the client and redistribute this to other clients. One way
to check whether this is happening is to monitor the “current commands” counter under
the redirector object on the client side using Windows NT performance monitor.
Following are some of the other features provided by NetApp storage with CIFS:
• Deleting existing shares
• Changing the settings of existing shares
• CIFS home directories
• For a count of all the shares, use:
FAS1> cifs shares -t
For a complete listing of all CIFS options, from the NetApp storage console, type:
“man na_cifs” or “man na_cifs_access” (The man commands are case-sensitive.)
10.3 DEMO
The following are the steps described to size accurately for the deployment required:
Assumptions:
Degradation on failover: yes
User Type: Medium Concurrency %: 50
Step 3 – Narrow down storage systems that would support the required number and type
of concurrent users
The NetApp CIFS sizer show that the FAS3040c and series beyond support the user
requirements.
FAS3040c:
At 80% CPU utilization, users supported: 6250
At 60% CPU utilization, users supported: (6250*60)/80 = 4687.50
Clearly a FAS3040c can support more than 4635 users with CPU utilization of less than 60%.
This clearly fits the customer's requirements.
Another way to find out which storage appliance would support the requirement would be to
calculate the users supported at 60% utilization by each of the platforms, then compare with the
concurrent users required by the customers and identify which platforms would suit the
customer's needs.
Active/Active Controller Configuration Overview and Best Practices Guidelines – January 2007
HTTP://MEDIA.NETAPP.COM/DOCUMENTS/TR-3450 (Internal)
Step 2
Find out:
CPU utilization
Kahuna utilization
# of concurrent users
Step 4
Step 5
Stop
Note: NetApp’s Operations Manager provides the feature to capture, compare and set optional
settings, on all NetApp Storage.
cifs.audit.enable
When this option is on, CIFS audit events may be generated for file access or for logon and
logoff. For file access events to be generated, the option cifs.audit.file_access_events.enable
must also be selected. For logon and logoff events to be generated, the option
cifs.audit.logon_events.enable must also be selected. This option default is off.
cifs.audit.file_access_events.enable
When both this option and the cifs.audit.enable option are selected, file access events will be
audited when a file is accessed by an account for an operation and the file has a system access
control list (SACL) entry that matches the access. If no SACL entry matches the access, no event
will be generated. The default is on.
cifs.audit.logon_events.enable
When both this option and the cifs.audit.enable option are on, logon and logoff events will be
generated. Logon and logoff events reflect CIFS session connects and disconnects, respectively.
The default is on.
cifs.audit.logsize
Specifies the maximum event log file size. The default is 524288. The minimum is 524288 and
maximum is 68719476736.
cifs.audit.saveas
Specifies the active event log file. The file must be in an existing directory in a network share. The
default log file is /etc/log/adtlog.evt.
cifs.bypass_traverse_checking
When on (the default), directories in the path to a file are not required to have the X (traverse)
permission. This option does not apply in UNIX qtrees.
cifs.guest_account
Enables a user to get access to the NetApp storage provided that either the NetApp storage uses
a domain controller for authentication and the user is not in a trusted domain, or the NetApp
storage uses the /etc/passwd file or the NIS password database for authentication and the user
has no entry in the /etc/passwd file or the NIS password database. If this option is set to the name
of an account in the password database, users logging into the NetApp storage will be assigned
to the guest account if their names are not listed in the password database (when using
/etc/passwd file or NIS) or if the user is not from a trusted domain (when using a domain
controller). The configured user name will be used for the UNIX user ID, group ID, and group set
of the specified account. If the option is a null string, guest access is disabled. The default value
for this option is a null string.
cifs.homedirs_public_for_admin
This specifies whether members of the NetApp storage's Built-in\Administrators group can
connect to the CIFS home directories of other users. If no argument is supplied, the current value
of this option is displayed. If this option is set to on, an administrator can connect to the CIFS
home directory of user username by specifying the share ~username (tilde username). This can
be useful when setting a user profile to map the user's CIFS home directory on the NetApp
storage. Windows 2000 Active Directory does not allow a system administrator to set a user's
cifs.idle_timeout
Specifies the amount of idle time in seconds before the NetApp storage disconnects a session.
An idle session is a session in which a user does not have any files opened on the NetApp
storage. The value of this option ranges from 600 to 4,000,000 (effectively infinite). The default is
1800.
cifs.max_mpx
Controls how many simultaneous operations the NetApp storage reports that it can process. An
operation is each I/O the client believes is pending on the NetApp storage, including outstanding
change notify operations. This value defaults to 50, but there are many situations where this
number needs to be increased (for example, clients such as Windows Terminal Server or IIS
might require that this number be increased to avoid errors and performance delays).
This option is used when responding to client connection requests to tell the client the maximum
number of outstanding requests the server will accept. There are a number of considerations
regarding this option:
The approved values for this parameter are 126, 253, and 1124. The most accurate way to
determine which number to use is to measure the Redirector Current Commands statistic on the
client with Windows NT perfmon and to increase the number until Current Commands does not
hit the negotiated limit. For more information see Microsoft Knowledge Base articles Q191370
and Q232890.
• Use the only approved values as discussed in Microsoft Knowledge Base article
Q232890.
• This value affects allocations in the clients. Use the smallest value necessary for correct
behavior.
Windows Terminal Server or Citrix. These applications multiplex many CIFS sessions on a single
TCP connection. That greatly increases the number of outstanding requests that the client would
like to send. In most cases, we recommend a value of 1124 for cifs.max_mpx when using
Windows Terminal Server or Citrix.
Change Notify requests. Certain applications do many Change Notify requests and each one of
these counts as a pending operation for the client. If the total number of pending Change Notify
requests exceeds the max_mpx value, the applications will either fail or go into a very CPU-
intensive mode, issuing QueryFileInfo requests for all the objects that they would normally
monitor using Change Notify. Applications that typically do this are Visual C++ and IIS.
Determining whether you need to increase max_mpx. If a client has a large number of change
notifications pending and it runs out of max_mpx slots, it can cause application and/or
performance problems. Starting with the Data ONTAP 6.5 release, the number of change
notifications pending can be seen using the -c option with the cifs sessions command.
cifs.nfs_root_ignore_acl
When on, ACLs will not affect root access from NFS. The option defaults to off.
cifs.per_client_stats.enable
Turning this option on causes the NetApp storage to start gathering statistics on a per-client
basis. This allows use of the CIFS top command, as well as the -u and -h options of cifs stat.
Administrators should be aware that there is overhead associated with collecting the per-client
stats. This overhead might noticeably affect NetApp storage performance. If the option is turned
off, any existing per-client statistics are discarded. The value may be changed at any time without
restarting CIFS. The default value of this option is off.
cifs.perm_check_ro_del_ok
Windows NT delete rules do not allow you to delete a file with the DOS read-only bit set.
However, a number of multiprotocol applications require UNIX delete semantics (w-x permissions
in parent directory without regard to the file's permissions). This option controls this behavior. By
default it is off, which yields Windows NT behavior.
cifs.perm_check_use_gid
This option affects security checking for Windows clients of files with UNIX security where the
requester is not the file owner. In all cases Windows client requests are checked against the
share-level ACL, then if the requester is the owner, the "user" permissions are used to determine
the access.
If the requester is not the owner and if perm_check_use_gid is on it means files with UNIX
security are checked using normal UNIX rules, i.e., if the requester is a member of the file's
owning group the "group" permissions are used, otherwise the "other" permissions are used.
If the requester is not the owner and if perm_check_use_gid is off, files with UNIX security style
are checked in a way that works better when controlling access using share-level ACLs. In that
case the requester's desired access is checked against the file's "group" permissions, and the
"other" permissions are ignored. In effect, the "group" permissions are used as if the Windows
client were always a member of the file's owning group, and the "other" permissions are never
used.
The default setting is on for new installations. For existing installations, this has the opposite
effect of the old "PC-mode" installation setting.
If you do not plan to use share-level ACLs to control access to UNIX security style files (for
example, in a UNIX qtree), you might wish to change this setting to on.
cifs.restrict_anonymous.enable
Controls the ability of nonauthenticated sessions to enumerate shares and groups. The default is
off.
cifs.scopeid
NetBIOS scope IDs allow the system administrator to create small workgroups out of a network
by partitioning the NetBIOS name space; only clients with the same NetBIOS scope ID as the
NetApp storage will be able to use the NetApp storage as a CIFS server. The default scope ID is
a null string, but if the NetApp storage is to run in a NetBIOS scope other than the default one, its
scope ID must be set to the scope ID of that scope. The scope ID can be changed only when cifs
is not running.
cifs.search_domains
Specifies a list of domains that trust each other to search for a mapped account. The argument
for the option is a comma-separated list that is searched in order. The default value for this option
is the null string. If this option is set to a null string, all domains are searched. You use this option
to control searches if you used an asterisk for a domain name in the usermap.cfg file.
cifs.show_snapshot
By default this option is FALSE. The snapshot directory ~snapshot is no longer shown at the root
of a share. This is a change in behavior from previous versions. Setting this to TRUE will restore
the old behavior. On Windows NT 4 or Windows 95 clients, the user can access Snapshot copies
by entering \\NetApp storage\share\.Snapshot (or ~Snapshot) in the Start->Run menu. Snapshot
copies can also be accessed lower in the share by providing a path to a lower directory. Snapshot
copies can be accessed through DOS on any system by changing to the ~Snapshot directory.
Note: When this option is TRUE it can confuse programs like FastFind that don't know about
Snapshot copies.
cifs.shutdown_msg_level
Normally a message is broadcast to all clients when cifs is terminating. This option can be set to
control this behavior. The value 0 results in never sending such broadcast messages. The value
1 results in sending broadcast messages only to sessions that have open files. The value 2
causes the messages to be sent to all open connections, which is the default behavior.
cifs.sidcache.enable
By default this option is TRUE. This options controls whether CIFS will cache SID-to-name
translation information that it has received from the domain controllers.
cifs.sidcache.lifetime
By default this option is 1440, which is 24 hours specified in minutes. The option controls how
long a SID-to-name cache entry is used before it becomes stale. The SID-to-name mapping
functions in the NetApp storage will query the appropriate domain controller to update the cached
mapping when it is needed but has become stale. This option is specified in minutes.
cifs.snapshot_file_folding.enable
By default this option is FALSE. This option controls whether CIFS will attempt to “fold” files on
close with previous snapshot versions of themselves to minimize disk usage. Disk space is saved
by sharing unchanged file blocks between the active version of the file, and the version of the file
in the latest Snapshot, if any. The NetApp storage must compare block contents when folding a
file, so there is a performance vs. space utilization tradeoff to consider with this option.
With this option set to off, many standard Windows apps (such as Find in Windows 95 and
Windows NT 4.0) will not operate correctly when a symlink points to a parent directory. This is
because they do not understand symbolic links and will repeatedly loop on them. Users should
use caution when changing this option.
cifs.symlinks.enable
When cifs.symlinks.enable is on (the default), if the object being accessed by a CIFS client is a
symbolic link (whether absolute or relative), the NetApp storage follows the link with the proviso
that the ultimate target turns out to reside within the originating share (thus assuring that the client
has access permission to the target).
cifs.trace_dc_connection
When cifs.trace_dc_connection is on (the default is off), the NetApp storage logs all domain
controller address discovery and connection activities. This can be used to diagnose DC
connection problems on the NetApp storage.
cifs.trace_login
When cifs.trace_login is on (the default is off), the NetApp storage logs all login-related activities.
This can be used to diagnose access problems on the NetApp storage.
cifs.weekly_W2K_password_change
This option affects only NetApp storage installed in Windows 2000 domains. When on, this option
causes the NetApp storage to change its domain password once a week, as is current practice
for the NetApp storage in Windows NT 4 domains. The password change occurs at approximately
1:00 a.m. on Sunday mornings. For Windows 2000 domains with multiple DCs, a password
change might inhibit CIFS connections for a short time while the new password is propagated
among the DCs. The default for this option is off. This option has no effect on NetApp storage
installed in domains earlier than Windows 2000.
cifs.widelink.ttl
When a CIFS client accesses a wide symbolic link (widelink), the NetApp storage returns both a
path referral and a time-to-live value. The CIFS client can cache the widelink path referral for the
time-to-live time period. This option allows the system administrator to set the value which the
NetApp storage returns for time-to-live.
Customer name is a required field. This name will be used to track this request (in combination
with some date information).
This field is primarily for customers who have multiple sites. List the specific site where the
configuration will be installed.
List all SEs, CSEs, and PSEs involved with the sizing/sales/deployment of the sized system.
If you are working with a Field Specialist, list the name here.
This field is intended to help identify individual sizing requests submitted during the sizing
exercise for a particular opportunity/customer. This field becomes part of the "Subject" line of the
email containing the configuration suggested and can help in sorting /arranging /searching for
various configurations.
Describe the customer situation or any information that is potentially useful when reviewing the
inputs or outputs. Describe any unusual configuration or setup requirements. Be creative.
If this sizing is associated with a customer case in any way list the case # here for cross-
reference.
This field allows the sizing to be restricted to a sub-set of all possible platforms. If "Any" is
selected, all platforms will be considered. If one or more platforms are selected, then just those
platforms will be considered as valid configurations.
This field allows the sizing to be limited to a maximum number of heads (or clusters). For
instance, if the customer is specifically interested in only single head cluster solutions, please
select 1 (one) for input. All valid configurations will contain exactly one cluster head.
This field allows the sizing to be started from a minimum number of heads (or clusters). Can be
used if the situation, for some reasons other than sizing considerations, dictates a certain
minimum number of heads or clusters OR can be used simply to explore various "what-if"
scenarios with more heads than the sizer suggests.
Sizing Option
Application Defaults
In this option application's default parameters are changed if "Competitive" Mode is chosen. The
parameters changed are:
This field allows the customer to specify how much headroom (or CPU idle %) is requested under
normal load circumstances. A headroom selection of 30% means that all valid configurations will
have projected maximum CPU utilization of 70% or less. Note that this is approximate and that
many variables can impact the actual deployed CPU utilization. Think of this as a general
approximation of CPU usage, not a hard projection.
This field specifies whether or not NetApp storage clusters should be sized or not. If "No" is
selected, then all valid configurations will be single head NetApp storages (or multiple single head
NetApp storages). If "Yes" is selected, then all valid configurations will be clustered solutions only
(or multiple clustered solutions). Typically, the decision to cluster or not is a customer business
decision based on the availability requirements of the application environment.
If the local cluster option is selected, the customer must decide what expectations exist during a
failover scenario when only one head is operational. There are two choices:
The impact this setting has on sizing is simple: if no degradation is expected, then both heads in
the cluster must operate below 50% CPU utilization during normal mode. The "CPU Headroom"
value selected above then applies to the 50% utilization target.
This value is currently not used in sizing calculations. This field specifies whether or not a
MetroCluster solution is required. If "No" is selected then the sizing occurs based on the NetApp
storage cluster or not setting. If "Yes" is selected, then the sizing occurs for clusters only,
assuming that each cluster pair is split over the metro interface.
If the MetroCluster option is selected, the customer must decide what expectations exist during a
failover scenario when only one head is operational. There are two choices:
The impact this setting has on sizing is simple: if no degradation is expected, then both heads in
the cluster must operate below 50% CPU utilization during normal mode. The "CPU Headroom"
value selected above then applies to the 50% utilization target.
Capacity Reserve is the extra capacity that needs to added during the sizing process for growth
purposes. It is expressed as a % of "Data Size GB (usable)."
Age of System
A simple parameter that takes into account the effect of aging on system behavior. This
parameter controls the expected fragmentation level of the system that is being sized. Be careful
of sizings that are done using this parameter as not all systems that are X% full having the same
level of fragmentation. This should be used only as an indicator of likely performance.
This parameter provides a way to specify a common Volume type for all the workloads. The
meaning of various options are:
• "Per Workload" -- Specify the Vol Type field for each workload individually (thereby
providing a way for different workloads to have different Vol Types).
• "Trad" -- The Vol Type will be traditional volumes for all the workload(s).
• "Flex" -- The Vol Type will be flexible volumes for all the workload(s).
• "Any" -- Sizing will be performed for both "Flex" and "Trad" Vol types for all the
workload(s).
These fields determine the amount of metadata reads and writes generated. They denote the
amount of space actively accessed by the users. The worst case can be the whole file space, or
database size and so on, depending upon the application. Usually, it will be much lower than that.
If you are unable to figure out the active space, use the whole file space (for worst case).
Desired NetApp storage latency for random reads. This is an optional parameter (default value is
20 ms) and should be between 10 ms and 40 ms.
This option lets you size with Virus Scanning Enabled or Disabled. Please refer to the CIFS guide
for more details.
SnapMirror
This option lets you size with SnapMirror Enabled or Disabled. Please refer to the CIFS guide for
more details.
SMB Signing
This option lets you size with SMB Signing Enabled or Disabled. Please refer to the CIFS guide
for more details.
User Type
A user type for this sizing method is categorized as a Light, Medium or Heavy User Type.
Desired # of Users
Concurrency Percentage
This is the percentage of desired users expected to be concurrently using the target deployment.
Number of Servers
This is the number of existing servers from which we extract KB In per second and KB Out per
second information.
Current Platform
This is the current NetApp Platform you have and want to upgrade from.
This is the CPU% observed in the current deployment. This number is not more than 100%.
Memory Utilization
This is an output value that shows the memory utilization that the system is experiencing. If you
have to choose a specific system it is always better to choose one with the lowest memory
utilization.
• Systems with low memory utilization correspond to ones with diskops/host_ops < 1.5.
These systems are highlighted with green color.
• Systems with medium memory utilization correspond to ones with diskops/host_ops >=
1.5 and < 1.75. These systems are highlighted with yellow color.
• Systems with high memory utilization correspond to ones with diskops/host_ops >=
1.75. These systems are highlighted with red color.
This value indicates the memory utilization of the system. It is a number typically between 1 and
2.
• A value of 1 implies that each incoming read operation to the NetApp storage translates
to only one disk read operation. In other words, all the metadata needed for the incoming
read operations to the NetApp storage are already cached in NetApp storage memory.
• A value of 2 indicates that each incoming read operation to the NetApp storage translates
to two disk read operations. First to read the metadata for the data block(s) and then
second to read the actual data block(s). In other words, no metadata caching.
Description
Limit Description
Max Share
The maximum number of open connections to CIFS shares.
Connections
Max Open Files The maximum number of open CIFS file handles.
The maximum number of open locks, including both share and byte-
Max Locks
range locks.
Limits
FAS6000 Series
FAS3000 Series
FAS2000 Series
FAS200 Series
Or
Use iManager to assign the UNIX UID and GID to both the users and groups.
5. On the properties of the eDirectory “LDAP Group – BIGRED”, turn off “Require TLS for
simple binds with password.”
Once you have logged in, to continue with this exercise, from the menu bar, on the bottom far
right, right click the N, select “Novell Login.”
User: admin
Password: netapp1
Click the Advanced button
Tree: NETAPP
Context: USERS.SUNNYVALE.CA
This appendix assumes you are familiar with using Novell’s ConsoleOne, a shortcut for
ConsoleOne has been placed on your desktop.
1. Select LDAP authentication (Option 4), with multimode rather than NTFS.
2. If you have run the LDAPEDIR.BAT, move to step #3, otherwise, Modify the
/etc/nsswitch.conf file to make sure passwd, group and netgroup all say “ldap nis files”:
FAS1> priv set advanced
FAS1*> java netapp.cmds.jsh
FAS1*> cp /etc/nsswitch.conf /etc/nsswitch.conf.original
FAS1*> wrfile /etc/nsswitch.conf
From the Master Replica eDirectory Server (BIGRED), extended the schema with the NetApp
RFC2307 files (rfc2307-usergroup.sch and rfc2307-nis.sch).
NETWARE> dsrepair –a
Select Advanced options menu,
Global schema operations, authenticate with user:
admin.users.sunnyvale.ca, password:netapp1
Select Post NetWare 5 schema update. Respond with Yes, I’m sure. When this
completes press ESC.
Select Optional Schema Enhancements. Respond with Ues, I’m sure. When this
completes press ESC until you are at the main menu.
Select to Run ‘Unattended full repair’, when this complets press ESC until you
exit the DSRepair program.
Ensure both users and the group have been assigned UNIX UID and GID. From
ConsoleOne, select the Login Methods tab, and assign passwords for both users, using
all three options:
NDS Password – used for eDirectory, and is mandatory
Enhanced Password – used for Kerberos key ticket exchange
Simple Password – used for LDAP
For LDAP testing, refer to section 6.3.2.4, getXXbyYY: Advanced Name Resolution Test
Commands.
Once you have success with LDAP communication, configure the NetApp storage CIFS
shares with user or Group access based on eDirectory accounts. For this example,
We will assign the group SysOp full control to the share C$, and change the Default
Security Style from ntfs to mixed.
SERVER> From FilerView, select CIFS -> Configure -> Security, Use Group ID
Permissions, set to “Yes.”
i.e.
SERVER> Net use T: \\FAS1\C$ /user:Betty netapp1
To capture data from NetApp storage, under available servers, type \\FAS1 followed by TAB
which will cause the available counters to update to the specific ones which are supported by
NetApp.
The follow tables listed in this Appendix provides both the available counter names and a
description of what each counter would capture.
CIFS OPERATIONS
set_file_info_ops Set File Information operations (SMB Code = 0x32, SubCode = 0x08).
find_first_ops Begin search for file operations (SMB Code = 0x32, SubCode = 0x01).
total_ops Total number of SMB operations since NetApp storage was started.
dfs_refer_ops Get DFS referral operations (SMB Code = 0x32, SubCode = 0x10).
CIFS STATISTICS
max_fid_tree_cnt High water mark for number of FIDs attached to one tree.
max_search_tree_cnt High water mark for number of searches attached to one tree.
max_core_search_tree_cnt High water mark for number of core searches attached to one tree.
max_open_file_cnt High water mark for number of open files and directories.
no_break_ack_95_cnt Number of Oplock Break ACK before timeout from Win95 clients.
alf_qlength* High water mark for no. of auditing log worker threads.
rpc_qlength* High water mark for no. of SMB RPC worker threads.
CIFS DOMAIN
Total time spent waiting for lsa requests to be used as a base counter
lsa_latency_base
for lsa average latency calculation.
Total time spent waiting for samr requests to be used as a base counter
samr_latency_base
for samr average latency calculation.
VSCAN STATISTICS
scanrequest_timeout_inquiries Count of status RPCs issued for requests which timed out.
scanrequests_noscan No scan for file access that would normally cause a scan.
Counter
Description
Name
Total time spent calculating security signatures for incoming CIFS requests in
time_in
milliseconds.
Total time spent calculating security signatures for outgoing CIFS requests in
time_out
milliseconds.
© 2008 NetApp. All rights reserved. Specifications are subject to change without notice. NetApp,
the NetApp logo, Go further, faster, DataFabric, Data ONTAP, FilerView, FlexVol, MultiStore,
NOW, ONTAPI, RAID-DP, SecureAdmin, SecureShare, SnapDrive, SnapManager, SnapMirror,
SnapRestore, Snapshot, vFiler, VFM, Virtual File Manager, and WAFL are trademarks or
registered trademarks of NetApp, Inc. in the United States and/or other countries. Microsoft,
Windows, Windows NT, and SharePoint are registered trademarks and SQL Server is a
trademark of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. Java and
Sun are trademarks of Sun Microsystems, Inc. Oracle is a registered trademark of Oracle
Corporation. Symantec is a trademark of Symantec Corporation or its affiliates in the U.S. and
other countries. SAP is a registered trademark of SAP AG. UNIX is a registered trademark of The
Open Group. All other brands or products are trademarks or registered trademarks of their
respective holders and should be treated as such.