CIFS Hands-On Features for Demo.netapp
NETAPP DEMONSTRATION FACILITY
CIFS Hands-On Features for demo.NetApp.com
Linda Wu, Senior Manager, Product Management, WFS, NetApp
Reena Gupta, Technical Marketing Engineer, WFS, NetApp
Peter Henneberry, Global Systems Engineer, NetApp
November 2008 | TR-3708i

Abstract

This paper provides an overview of how CIFS (Common Internet File System) and NetApp storage technologies interoperate. Users benefit from the added features NetApp provides for CIFS, such as Storage-Level Access Guard, NetApp Snapshot, and fsecurity, which allow faster CIFS ACL (Access Control List) updates, as well as Windows Server consolidation while maintaining high availability with NetApp's Active-Active configuration. These features take advantage of the robust storage management capabilities offered by NetApp storage.

This document is a collaborative effort to produce a consolidated working document, combining the many years of experience and insight of NetApp Technical Reports into one comprehensive document to be used with NetApp's Demonstration Facility (NDF). The document may be used in conjunction with the NDF by following each chapter and selecting one of over thirty hands-on demos, or by following the last Appendix and setting up a similar environment in order to work through each of the chapters and gain a better understanding of how NetApp storage leverages CIFS beyond a file sharing and authoring protocol.

TABLE OF CONTENTS

1 HANDS ON EXERCISES .... 6
  1.1 DEMO SETUP .... 6
  1.2 AVAILABLE BATCH FILES .... 7
2 NETAPP MICROSOFT RELATIONSHIP .... 8
  2.1 OVERVIEW .... 8
    2.1.1 Microsoft Gold Partnership .... 8
    2.1.2 Microsoft Core Protocol Program .... 8
    2.1.3 Microsoft TAM .... 9
    2.1.4 Support and Escalation with NetApp and Microsoft .... 9
    2.1.5 Compatibility Matrix .... 9
  2.2 NETAPP TECHNICAL REPORT REFERENCE .... 9
  2.3 ASSUMPTIONS .... 10
3 CIFS SETUP .... 11
  3.1 OVERVIEW .... 11
  3.2 NETAPP CIFS VERSUS A WINDOWS SERVER .... 12
  3.3 BEST PRACTICES .... 13
    3.3.1 Create Both a Host ("A" Record) and Reverse Lookup Name in DNS .... 13
    3.3.2 CIFS with Microsoft Windows Internet Naming Service .... 15
    3.3.3 Site Awareness .... 15
    3.3.4 Network Time Protocol (NTP) .... 15
    3.3.5 Create a New Active Directory OU to Manage the NetApp Storage Objects .... 16
    3.3.6 Mixed and Native Mode Domains .... 17
    3.3.7 NIS Group Lookup .... 17
    3.3.8 Creating a CIFS Share .... 18
    3.3.9 NetApp Snapshot and SnapRestore .... 19
    3.3.10 What You Can Do with Snapshot Copies .... 19
  3.4 DEMO .... 20
    3.4.1 CIFS Shares .... 20
    3.4.2 Join Active Directory from NetApp Storage as a Windows Member Server .... 21
    3.4.3 Verifying Successful CIFS Installation .... 23
    3.4.4 NetApp Storage Windows (NetBIOS) Name .... 24
    3.4.5 Manage the CIFS Shares from the CLI and Microsoft Management Console .... 25
    3.4.6 Qtree Implementation .... 26
    3.4.7 Create Users' Home Directories .... 28
  3.5 NETAPP TECHNICAL REPORT REFERENCE .... 32
4 SECURITY .... 34
  4.1 OVERVIEW .... 34
    4.1.1 Infrastructure Security .... 34
    4.1.2 File-Level Security .... 35
    4.1.1 Communication Security .... 36
    4.1.2 File Policy (FPolicy) .... 38
    4.1.3 Role-Based Access Control (RBAC) .... 38
  4.2 MANAGING CIFS SECURITY WITH GROUPS (LOCAL AND GLOBAL) .... 39
    4.2.1 Domain Local Groups .... 40
    4.2.2 Global Groups .... 40
    4.2.3 Universal Groups .... 40
    4.2.4 Built-In (Nondomain) Local Groups .... 41
      4.2.4.1 Built-In Local Groups on NetApp Storage .... 41
      4.2.4.2 Guidelines for Creating Local Groups .... 41
    4.2.5 Local NetApp Storage Groups .... 42
    4.2.6 Multiple Protocol Access .... 45
      4.2.6.1 Effects of Changing an NTFS-Only Storage System to a Multiprotocol System .... 45
      4.2.6.2 Effects of Changing a Multiprotocol Storage System to an NTFS-Only System .... 45
      4.2.6.3 Effects of Changing the Storage System's Domain .... 46
    4.2.7 Security Group Recommendations .... 46
  4.3 CIFS FILE SECURITY, AND USER MAPPING .... 46
    4.3.1 Antivirus Management .... 48
    4.3.2 Auditing .... 49
    4.3.3 Access-Based Enumeration .... 50
    4.3.4 Secure Configuration of Data ONTAP .... 51
  4.4 BEST PRACTICES .... 51
    4.4.1 Using FPolicy .... 51
      File Screening Overview .... 52
    4.4.2 Antivirus Scanning Best Practices .... 53
    4.4.3 Cross-Protocol File Access (CIFS and NFS) .... 53
    4.4.4 CIFS Auditing .... 54
    4.4.5 Converting Qtree Security Styles .... 54
    4.4.6 NetApp Operations Manager: Report on Security, Performance, and Trends .... 55
    4.4.7 Access-Based Enumeration Limitations .... 55
  4.5 DEMO .... 56
    4.5.1 File Screening with FPolicy .... 56
    4.5.2 Storage-Level Access Guard .... 57
    4.5.3 Useradmin CLI (Role Based Access Control) .... 62
    4.5.4 Antivirus Scanning .... 63
    4.5.5 Live-View Auditing .... 67
    4.5.6 Access-Based Enumeration (ABE) .... 71
    4.5.7 Configuring SSH and SSL .... 74
  4.6 NETAPP TECHNICAL REPORT REFERENCE .... 79
5 FILE SYSTEM RESOURCE MANAGER .... 81
  5.1 OVERVIEW .... 81
    5.1.1 Quota Management .... 81
  5.2 BEST PRACTICES .... 81
    5.2.1 Quota .... 81
  5.3 DEMO .... 82
    5.3.1 Native Quota Configuration .... 82
    5.3.2 Quota Management using Northern Storage Suite .... 86
    5.3.3 Quota Management using NTP Software .... 89
  5.4 NETAPP TECHNICAL REPORT REFERENCE .... 91
6 INTEGRATION WITH WINDOWS SERVICES .... 92
  6.1 OVERVIEW .... 92
  6.2 BEST PRACTICES .... 92
    6.2.1 Configuring Offline Folders .... 92
    6.2.2 Configuring Folder Redirection (Symbolic Links) .... 93
    6.2.3 Group Policy Objects (GPOs) .... 94
    6.2.4 Managing User Roaming Profiles .... 95
  6.3 DEMO .... 98
    6.3.1 Group Policy Object Security Configuration .... 98

(The remaining table-of-contents entries survive in this copy only as titles; their section numbers within chapter 6 and their page references are not recoverable and are omitted below.)

  6.3 DEMO (continued)
    Integrating with Active Directory LDAP
      Editing the /etc/nsswitch.conf File for LDAP
      Extending the RFC 2307 Schema
      LDAP Authentication Requires Clear Text Passwords
      Testing Windows LDAP
      Manage NetApp Storage Users in LDAP Mode
    Integrating with VSS
    Integrating with DFS
  6.4 NETAPP TECHNICAL REPORT REFERENCE
7 FILE-LEVEL MIGRATION
  7.1 OVERVIEW
    7.1.1 VFM - Enables non-disruptive expansion and consolidation
    7.1.2 Data Migration: Server Consolidation to NetApp Storage
  7.2 BEST PRACTICES
    7.2.1 Migrating Files While Preserving Their ACLs
    7.2.2 Migrating Files with VFM
    7.2.3 Planning Data Migration
    7.2.4 Migrating Data
  7.3 DEMO
  7.4 NETAPP TECHNICAL REPORT REFERENCE
8 FUTURE OF NETAPP CIFS
  8.1 OVERVIEW
    8.1.1 SMB 2 Configuration
    8.1.2 SMB 2 and Diagnostics
  8.2 BEST PRACTICES
  8.3 DEMO
  8.4 NETAPP TECHNICAL REPORT REFERENCE
9 TROUBLESHOOTING AND PACKET TRACES
  9.1 OVERVIEW
    9.1.1 CIFS Configuration Files
    9.1.2 Diagnostic Troubleshooting with PKTrace
  9.2 SLOW CIFS AUTHENTICATION
  9.3 MISCELLANEOUS TROUBLESHOOTING
  9.4 NETAPP TECHNICAL REPORT REFERENCE
10 SIZING AND PERFORMANCE
  10.1 OVERVIEW
    10.1.1 High Availability with NetApp Active-Active Clustering
    10.1.2 CIFS Sizing on NetApp Storage
    10.1.3 Tuning Windows CIFS Performance
    10.1.4 Advanced oplocks Settings
    10.1.5 Options CIFS.oplocks.opendelta
    10.1.6 Options CIFS.max mpx and Citrix
  10.2 BEST PRACTICES
  10.3 DEMO
    10.3.1 NetApp CIFS Sizing Tool Walk-Through
  10.4 NETAPP CIFS SMB VARIABLES
  10.5 SMB2 HIDDEN OPTIONS FOR TWEAKING PERFORMANCE
  NETAPP TECHNICAL REPORT REFERENCE
APPENDIX A: DOMAIN DISCOVERY
APPENDIX B: CIFS SIZING FLOWCHART
APPENDIX C: NETAPP CIFS ADVANCED OPTIONS
APPENDIX D: CIFS NETAPP SIZING GUIDELINE
  GENERAL NETAPP STORAGE SPECIFICATIONS
  BACKEND SIZING INFORMATION
  CIFS HOME DIRECTORY SPECIFIC INFORMATION
  CUSTOM SIZER SPECIFIC INFORMATION
APPENDIX E: CIFS RESOURCE LIMITS
APPENDIX F: USING NOVELL'S EDIRECTORY FOR LDAP AUTHENTICATION
APPENDIX G: COMMONLY USED ADMINISTRATIVE INTERFACES FOR DATA ONTAP
  NETAPP JAVA SHELL
  ADMINISTRATIVE APPLICATIONS FOR DATA ONTAP
APPENDIX H: SUPPORTED GPO'S
  SUMMARY OF GPO FEATURES
APPENDIX I: CIFS PERFORMANCE COUNTERS
  CIFS COUNTERS FOR PERFMON
  CIFS OPERATIONS
  CIFS DOMAIN
  VSCAN STATISTICS
  VSCAN SERVER STATISTICS
  SMB SIGNING STATISTICS
  CIFS STATISTICS
CONCLUSION .... 187

Page 2 of 187 CIFS – Demo.NetApp.com
1 HANDS ON EXERCISES

When you see this:

HANDS-ON EXERCISE: DNS Setup
Prerequisite: <BATCH FILE(s) which must be run before proceeding with the Exercise>
Either perform the following steps, or to automate the task, execute: <BATCH FILE>
Performed from Vista, W2003 or W2008 <which OS platform the work can be performed from>

The batch files are located on both the Windows 2003 Server (SERVER) and the Vista workstation (CLIENT) at:
C:\CIFSDEMO\Scripts

NOTE: The objective of each batch file is to allow you to jump to the finished exercise to show or review what has been performed. The recommendation, as time permits, is to go through the exercises following the hands-on guide without using the batch files; this will enhance your learning.

The batch files follow the order of the document. The batch files are meant to be run once, i.e. if you run CIFSJOIN.BAT in one section, you do not need to rerun the same batch file in another section. If you wish to either rerun a batch file, or move to a section prior to the current section you have completed, you will need to reset the virtual environment to the state before any scripts were executed.

When FAS1> is specified, use: NetApp Storage FAS 2020
When CLIENT> is specified, use: Vista machine
When SERVER> is specified, use: W2003
When NETWARE> is specified, use: BigRed

For the Windows command line interface, use the CMD.EXE tool (Start, Run, CMD).
For the NetApp command line interface, use telnet (Start, Run, Telnet FAS1). A shortcut has been placed on the W2003 desktop.

1.1 DEMO SETUP

Hardware Configuration:

Hardware               Version                      Host name
Windows Vista          Business edition, 32-bit     Vista
Windows 2003 Server    Enterprise, 32-bit           W2003
Windows 2008 Server    Enterprise, 64-bit           W2008
Novell NetWare 6.5     OES                          Bigred (workgroup)
FAS2020                Data ONTAP 7.3               FAS1

DNS domain: demo.netapp.com. Addresses used in the lab: 192.168.10.100, 192.168.10.101, 192.168.10.102 and 192.168.10.35 (the assignment of addresses to hosts is garbled in this copy).

Preinstalled Software:
Vista: Sun Java v1.5.0.04
Windows 2003: DNS (both forward and reverse zones); Active Directory: demo.netapp.com; TimeSync Daemon (using Tardis200nt.exe); OU=NetApp Storage created to place NetApp storage objects; OU=ldapusers created for user testing; Sun Java v1.5.0.04

User            Context                        Group
Administrator   demo.netapp.com\Users\         Domain Admins
Wilma           demo.netapp.com\ldapusers\     Remote Desktop Users
Fred            demo.netapp.com\ldapusers\     Remote Desktop Users
Root            \ (NetApp local account)

The password for all users is: netapp1

NOTE: Unless otherwise stated in the hands-on demo, always use demo\administrator to log onto SERVER (W2003), W2008 or CLIENT (Vista).

Page 6 of 187 CIFS – Demo.NetApp.com

1.2 AVAILABLE BATCH FILES

The batch files listed below follow the exercises in this document (the page references that accompany them in the printed copy are garbled in this copy and are omitted):

Access-Based Enumeration
Antivirus Scanning
CIFS Performance Counters
CIFS Sizing
DFS
DNS Setup
File Screening
GPO
GPO Security
Group Policy Object
Joining Active Directory
LDAP Authentication with Novell's eDirectory
LDAP NSSWITCH
LDAP Permissions
Live-View Auditing
NetBIOS Alias
Network Time Protocol
Northern Storage Suite Quota Management
PKTrace
Quotas
Roaming User Profile
SnapRestore
SSH Setup
SSL Setup
Storage-Level Access Guard
Troubleshooting CIFS
Useradmin Command Line Interface
Users' Home Directories
Verify Successful CIFS Installation
VFM for File Migration

2 NETAPP MICROSOFT RELATIONSHIP

2.1 OVERVIEW

NetApp® storage systems are storage appliances powered by NetApp Data ONTAP® software. Data ONTAP optimizes file service by combining the WAFL® (Write Anywhere File Layout) file system and a microkernel design dedicated to network data access. Storage systems use the Microsoft industry-standard CIFS/SMB protocol and support native implementations of the Lightweight Directory Access Protocol (LDAP) and the Kerberos authentication protocol without requiring any additional software. In Windows file-serving environments, storage systems look and act like Microsoft Windows member servers and can be monitored and administered using native Windows management components while providing highly available file service.

This paper discusses how storage systems can be seamlessly integrated in enterprise-class Windows data centers to utilize services and features such as Active Directory, Volume Shadow Copy Service (VSS), offline file cache, auditing, access-based enumeration, file screening, and CIFS virus protection.

2.1.1 Microsoft Gold Partnership

NetApp is strategically committed to architecting storage solutions that are highly compatible with Microsoft technologies. NetApp storage systems are compatible with Microsoft® Windows® environments, whether operating as network-attached storage (NAS), as a storage area network (SAN), or both. Tight integration of licensed Windows protocols and complete compatibility with Windows OS enhancements as well as Microsoft applications are NetApp development priorities. NetApp storage solutions support many Microsoft storage technologies. This includes support for version 2.0 of the Windows iSCSI software initiator and Microsoft Multipath I/O (MPIO).

• NetApp is a Microsoft Gold Certified Partner. Out of 600,000 Microsoft partners, only 6,000 are Gold Certified.
• All NetApp Internet Small Computer System Interface (iSCSI) and Fibre Channel Protocol (FCP) storage systems with the Windows logo are fully supported by Microsoft.
• NetApp has more iSCSI storage systems with the Windows logo than any other vendor.
• These solutions are backed by a global customer support infrastructure that integrates Microsoft Premier Support.

2.1.2 Microsoft Core Protocol Program

NetApp is a licensee of the Microsoft Core Protocol Program. NetApp licenses Microsoft protocols under the Microsoft Core Protocol Program (www.microsoft.com/about/legal/intellectualproperty/protocols/mcpp.mspx), assuring support and interoperability of our Windows file serving (CIFS) products. NetApp also has access to the Microsoft Interoperability Labs and participates in its Plugfest events to test the Microsoft Core Protocol Program (MCPP) protocol implementations.

Early in 2008, the Microsoft Core Protocol Program began evolving into an open access program. This is part of the Microsoft effort to be more open and to standardize its protocols. For Microsoft Core Protocol Program subscribers this means that submitting a defect or issue is covered, as is receiving priority response to open cases. Customers not in the Microsoft Core Protocol Program will pay per case.

Page 8 of 187 CIFS – Demo.NetApp.com

2.1.3 Microsoft TAM

NetApp solutions deployed within Microsoft environments are supported at various levels on a global 24x7 basis. As part of that support process, NetApp contracts a Microsoft OEM Technical Account Manager (TAM) focused on assuring interoperability between Microsoft and NetApp products. The TAM assists with engineering challenges associated with the compatibility of prerelease product from either Microsoft or NetApp. The primary focus of the Microsoft OEM TAM is on technical problem resolution between Microsoft and NetApp, not between Microsoft and the customer.

2.1.4 Support and Escalation with NetApp and Microsoft

OEM Premier Support Agreement: NetApp and Microsoft have support agreements in place providing seamless 24x7 global support to NetApp customers. This enables NetApp and Microsoft to work closely together to address enterprise customer support needs. In conjunction with an OEM Premier Support Agreement, NetApp is able to open a support case for NetApp, or on behalf of a customer, with Microsoft and utilize the OEM TAM to track the case to resolution. The TAM will open a case and track it through to resolution inside of Microsoft. This same process is in place for cases opened by NetApp Customer Support.

2.1.5 Compatibility Matrix

Functional regression testing is carried out to verify that previously existing NetApp product functionality continues to operate as specified with the new service pack, patch, or operating system. Stress tests are also used to saturate different components of the NetApp product and the service pack. Reliability tests are run on the NetApp platform in order to test the long-term reliability of the product with a new service pack. NetApp has approximately 1,725 test cases defined for functional and stress testing.

ZD Labs Netbench 7.0 is one of several products used by NetApp to confirm improvements, obtain performance numbers, and compare data. It can be run against two targets, for example, NetApp storage and Microsoft Windows 2003 Server. Another industry-standard program used is FSspec 2008. Several other tests include:

1. Populate_data.pl, a script used by the NetApp DPG group to create a CIFS data set with maximum CIFS coverage, including DIRS|FILES|STREAMS|SPARSE|ATTRS operations.
2. Windows API, for testing all the Windows API calls.
3. Custom-built scripts for the regression testing and stress testing in a NetApp test environment.

2.2 NETAPP TECHNICAL REPORT REFERENCE

Microsoft and NetApp Escalation: www.netapp.com/us/solutions/solution-partners/global-alliance/ms-support.html#oem
NetApp and Microsoft partnership: www.netapp.com/us/solutions/solution-partners/global-alliance/microsoft-partnership.html
Configuring and using IOmeter for performance testing in an application environment: www.netapp.com/us/library/technical-reports/tr-3697.html

Page 9 of 187 CIFS – demo.NetApp.com

2.3 ASSUMPTIONS

This paper assumes that you are knowledgeable at the administrative level with Microsoft Windows Server 2003 and Windows Server 2008 products and their features. This paper also assumes that you are knowledgeable about NetApp storage system administration. For detailed information about storage system administration, refer to the NetApp Data ONTAP administration guides available at http://now.netapp.com.

Data ONTAP version 7.3.0, released July 24, 2008, is the version used in this document. Data ONTAP version 7.2.4 and later releases are compatible with Windows Vista clients.

Page 10 of 187 CIFS – Demo.NetApp.com

3 CIFS SETUP

3.1 OVERVIEW

CIFS Setup

The cifs setup command invokes a utility that prompts you for information such as the authentication type; for the full set of prompts, refer to the Data ONTAP Software Setup Guide. In addition, the cifs setup command enables you to perform the following tasks:

• Assign or remove Windows Internet Naming Service (WINS) servers.
• Join the storage system to a domain, change domains, and so forth.
• Enter the storage system Active Directory site information.
• Automatically generate /etc/passwd and /etc/group files when NIS or LDAP is enabled.

With the NetApp home directories feature, users are offered a dynamic share with their matching directory name, not the home directories of other users. Compared to the traditional method, the NetApp home directories feature uses fewer system resources and therefore improves overall system performance.

Page 11 of 187 CIFS – demo.NetApp.com
Each user can see and connect only to his or her home directory. CIFS Authentication Data ONTAP CIFS services support four styles of user authentication.NetApp. (1) Active Directory domain authentication (Active Directory domains only) (2) Windows NT® 4 domain authentication (Windows NT or Active Directory domains) (3) Windows workgroup authentication using the NetApp storage's local user accounts (4) /etc/passwd and/or NIS/LDAP authentication Compatibility with Windows Vista and Windows Server 2008 Data ONTAP 7. or choose an alternate authentication method. lookup services to be used. Windows Server 2008 clients. In addition to performing initial CIFS configuration. the home directory works the same way as any other share to which the user can connect. if it is not already configured. including a list of the information you need when running CIFS setup. and Windows Server 2008 domain controllers. From the CIFS client perspective.1 CIFS SETUP OVERVIEW NetApp storage systems are commonly used to store an organization’s personal home directories for a variety of compelling reasons. in which administrators have to create one share per user. One significant benefit of having the CIFS home directories on NetApp storage system is that it eases the administration of the storage system by creating only one share that resolves the location of all the users’ home directories. To learn about using the CIFS setup program for initial CIFS configuration.3 3. <site>.<fully qualified domain name> Preferred addresses are ordered as specified using the cifs prefdc command. application servers. but must be configured on the NetApp storage to point to the Active Directory NTP source. certificate servers.msdcs<fully qualified domain name> or ldap. Member servers typically function as the following types of servers: file servers.NetApp.msdcs. and then sorted within each of these categories: PREFERRED: IP address list entered using the cifs prefdc command. 
Data ONTAP simultaneously pings all addresses listed in both categories and waits one second for responses. Discovery for its first connection to a domain controller. • • Time synchronization is automatic between Active Directory servers.dc.dc. Prospective domain controller IP addresses are divided into the following three categories. and allow DC to be manually listed in the priority NetApp will use to contact the DC.Default-First-Site-Name. then categorized. and belongs to a domain._tcp. controllers that didn't reply but are located on the local subnet. As defined by Microsoft. or 2008 Server family. A member server is a computer that runs an operating system in the Windows 2000._tcp.com .2 • • NETAPP CIFS VERSUS A WINDOWS SERVER SMB authentication mechanism is the same. NetApp storage functions as a Windows member server for CIFS authentication and administration. from best to worst: Page 12 of 187 CIFS – Demo. Web servers. and all other controllers. DC discovery and ordering are NetApp’s own invention. and cached.<fully qualified domain name> OTHER: IP addresses returned by the DNS SRV record query: ldap. When CIFS is configured to join Active Directory. 2003. Controller connections are then attempted in the following order. FAVORED: IP addresses of servers identified by the following Windows AD site queries: ldap. database servers. in Active Directory server roles. all domain controller addresses are discovered at once. Data ONTAP uses any available domain controllers that appear in the cifs prefdc list._sites. If none of these “preferred” controllers is available._tcp.dc. and remote-access servers._sites. computers that function as servers within a domain can have one of two roles: member server or domain controller. and is not a domain controller.3. just as a Windows member server cannot be a KDC. “Favored” and “Other” categories are sorted according to the fastest response.msdcs. prioritized. 
Addresses are separated into three groups: controllers that replied. firewalls. NetApp CIFS protocols: o o o o • Kerberos NTLM v2 LDAP Not a Windows and Kerberos key distribution center (KDC). KDCs. the DNS servers that are used with storage systems in an Active Directory environment must support service location (SRV) resource records (per RFC 2782). and so will not be able to join the AD domain. Page 13 of 187 CIFS – demo.3.com . Because the Active Directory service relies on DNS to resolve names and services to IP addresses. Data ONTAP will not be able to find the service records it needs to locate DCs.3.NetApp.1 Create Both a Host (“A” Record) and Reverse Lookup Name in DNS NetApp storage systems query Domain Name Service (DNS) servers to locate domain controllers. If DNS is not enabled or is not configured correctly. LDAP servers. Note: DNS servers that support dynamic updates (per RFC 2136) are recommended by Microsoft so that important changes to SRV records about domain controllers are automatically updated and available to clients immediately.3 BEST PRACTICES 3. and KPASSWD servers. Then.enable on FAS1*> wrfile -a /etc/rc options nis.com FAS1*> wrfile -a /etc/rc options dns.com FAS1> options dns.Determining If DNS Is Set Up Properly in AD HANDS-ON EXERCISE: DNS Setup Prerequisite: none Performed from W2003 Either perform the follow steps.netapp. proceed to step #2 Since DNS is so important to Active Directory you may want to determine if DNS has been properly set up in the AD domain. Open the Microsoft DNS console.10.conf nameserver 192.168.netapp.NetApp. 1.168.domainname demo.100 FAS1*> getXXbyYY gethostbyname_r W2003 Page 14 of 187 CIFS – Demo.enable off FAS1*> rm /etc/resolv.enable on FAS1*> priv set advanced FAS1*> rm /etc/rc FAS1*> wrfile -a /etc/rc hostname FAS1 FAS1*> wrfile -a /etc/rc ifconfig ns0 `hostname`-ns0 FAS1*> wrfile -a /etc/rc route add default 192.domainname demo. FAS1> priv set advanced FAS1*> getXXbyYY gethostbyaddr_r 192. 
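The discovery order in section 3.2 is easier to reason about as code. The following is an added example, not code from the paper or from Data ONTAP: it builds the site-aware SRV names used for the FAVORED and OTHER categories (with the leading underscores that RFC 2782 SRV names carry; the paper prints them without) and then orders a constructed set of one-second ping results the way the text describes: PREFERRED exactly as given to cifs prefdc, then each remaining category sorted as repliers fastest-first, silent controllers on the local subnet, and all other silent controllers. Every address, subnet and round-trip time below is constructed, and dropping an address already ranked in a better category is this example's assumption, not something the paper states.

```python
"""Added example (not part of TR-3708i): a model of the domain-controller
ordering described in section 3.2 and the SRV names from section 3.3.1.
All addresses, subnets and probe results below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

PING_TIMEOUT_S = 1.0  # Data ONTAP is described as waiting one second for replies


def srv_query_names(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """SRV names queried for the FAVORED (site) and OTHER (domain-wide) categories.
    The leading underscores follow RFC 2782 naming; the paper prints them without."""
    site_name = site or "Default-First-Site-Name"
    return {
        "FAVORED": f"_ldap._tcp.{site_name}._sites.dc._msdcs.{domain}",
        "OTHER": f"_ldap._tcp.dc._msdcs.{domain}",
    }


@dataclass
class Probe:
    """Result of the one-second ping for one candidate DC address."""
    ip: str
    replied: bool
    rtt_ms: float = float("inf")  # only meaningful when replied is True


def order_category(probes: List[Probe], local_subnet: str) -> List[str]:
    """Sort one category the way the paper describes: repliers fastest-first,
    then silent controllers on the local subnet, then all other silent ones."""
    net = ip_network(local_subnet)
    replied = sorted((p for p in probes if p.replied), key=lambda p: p.rtt_ms)
    silent_local = [p for p in probes if not p.replied and ip_address(p.ip) in net]
    silent_remote = [p for p in probes if not p.replied and ip_address(p.ip) not in net]
    return [p.ip for p in replied + silent_local + silent_remote]


def connection_order(preferred: List[str], favored: List[Probe],
                     other: List[Probe], local_subnet: str) -> List[str]:
    """PREFERRED exactly as given to 'cifs prefdc', then FAVORED, then OTHER.
    Dropping an address already seen in a better category is an assumption of
    this example; the paper does not say how duplicates are handled."""
    ordered: List[str] = []
    candidates = preferred + order_category(favored, local_subnet) + order_category(other, local_subnet)
    for ip in candidates:
        if ip not in ordered:
            ordered.append(ip)
    return ordered


def demo() -> List[str]:
    """Constructed lab: one preferred DC, two site DCs and two remote DCs."""
    favored = [
        Probe("192.0.2.20", True, 3.0),
        Probe("192.0.2.21", False),          # same subnet, no reply within 1 s
        Probe("198.51.100.5", True, 40.0),
        Probe("198.51.100.6", False),        # remote subnet, no reply
    ]
    other = [
        Probe("203.0.113.7", True, 80.0),
        Probe("192.0.2.10", True, 1.0),      # also preferred, so already ranked first
    ]
    return connection_order(["192.0.2.10"], favored, other, "192.0.2.0/24")


if __name__ == "__main__":
    print(srv_query_names("demo.netapp.com", "San-Diego"))
    print(demo())
```

The practical point for a defender is that the cifs prefdc list overrides latency: a slow but trusted controller listed there is tried before any faster controller discovered through DNS, so an unexpected change in that list, or in the SRV records it falls back to, is worth alerting on.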
Note: Customers may use the “priv set advanced” or “priv set diag” command when instructed to do so by NetApp Technical Support or NetApp Professional Services. Otherwise, the advanced command set is not supported for a customer's use in a production environment.

3.3.2 CIFS with Microsoft Windows Internet Naming Service
The CIFS setup utility allows you to make your storage system accessible or inaccessible to systems using the Windows Internet Naming Service by specifying up to four Windows Internet Naming Service servers or by disabling the Windows Internet Naming Service. Once CIFS is running, however, running CIFS setup requires that you halt CIFS. A nondisruptive way to modify Windows Internet Naming Service servers is to enter a comma-separated list of Windows Internet Naming Service servers using the cifs.wins_servers option. To add or change the Windows Internet Naming Service servers from the CLI, issue:
FAS1> options cifs.wins_servers <specify up to four IPv4 WINS servers>
Note that this server list is not additive: if you are adding a third Windows Internet Naming Service server, you must enter all three IP addresses in a comma-separated list. Otherwise, your existing two Windows Internet Naming Service servers are replaced by the server you intended to add.

3.3.3 Site Awareness
Active Directory sites are used to logically represent an underlying physical network. A site is a collection of networks connected at LAN speed. Slower and less reliable wide area networks (WANs) are used between sites (locations) that are too far apart to be connected by LAN. NetApp storage systems are Active Directory site-aware. It is important to place the storage system in the proper Active Directory site so that it uses resources that are physically close to it. To avoid crossing the WAN, storage systems attempt to communicate with a domain controller in the same site instead of selecting a domain controller at a different location.

3.3.4 Network Time Protocol (NTP)
Match the storage system’s time and time zone settings to those on the domain controller. The Kerberos protocol requires that the time settings on the storage system and domain controller be nearly the same.
Caution: If the time settings on the storage system and the domain controller are more than five minutes apart, the CIFS setup fails. Therefore, the best practice is to configure NetApp storage to use an NTP source. Otherwise, if time drifts more than 15 minutes between the NetApp storage and the authenticating DC, users will not be able to connect to their CIFS share(s).

HANDS-ON EXERCISE: Network Time Protocol
Prerequisite: DNSSETUP.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps or, to automate the task, execute NTPTIME.BAT and then proceed to step #2.
1. To configure NetApp storage for NTP time synchronization, from a CLI session, issue the following commands (for this lab, ‘W2003’ is the NTP source):
FAS1> options timed.proto ntp
FAS1> options timed.servers W2003
FAS1> options timed.sched hourly
FAS1> options timed.log off
FAS1> options timed.max_skew 5m
FAS1> options timed.min_skew 0
FAS1> options timed.window 0s
FAS1> options timed.enable on
Refer to the Data ONTAP system maintenance guide for detailed information on “timed”.
2. To temporarily adjust the date and time with an NTP server, type:
FAS1> rdate W2003
From the console, type “man na_rdate” for detailed instructions.

3.3.5 Create a New Active Directory OU to Manage the NetApp Storage Objects
When using the Web CIFS setup wizard (FilerView®), the NetApp storage object will be placed in the “Computer” Active Directory organizational unit (OU). When running the setup from the CLI, you are presented with available OUs in which to place the NetApp storage object. The best practice is to create a new OU in Active Directory: create an OU called NetApp Storage and either create the object in this context or move existing NetApp storage objects to this OU. The reason is twofold:
• Active Directory group policy objects (GPOs) cannot be applied to the Computer OU.
• Microsoft’s GPO best practice guide recommends creating an OU for a dedicated function, in this case for the NetApp storage.
Note: You can also precreate the NetApp object in the desired OU. Refer to section 3.4.2 under “NetApp storage” for a list of the steps. For a detailed explanation of each step, refer to the CIFS administration guide on precreating a NetApp object in Active Directory.

3.3.6 Mixed and Native Mode Domains
The terms mixed and native mode refer to domain functional levels in Windows 2000 Server. In Windows 2003 Server, the terms mixed and native have been superseded by the raise functional level operation. Windows 2000 Server introduced two Active Directory modes, mixed and native, to support different deployment scenarios. Windows 2003 introduced two additional modes, Windows Server 2003 interim and Windows Server 2003 (also known as Windows 2003 Server native). A NetApp device can be joined to and operate within an Active Directory whether in mixed, interim, native, or pure Windows 2003 Server mode.

Windows 2000 Server Modes
Windows 2000 Server mixed mode makes Active Directory function like a Windows NT primary domain controller (PDC), which enables cross-communication and interoperability with Windows NT domains and directly supports Windows legacy clients (Windows 3.x, 95, 98, and Me). These domains can emulate Windows NT or pre-Active Directory domain environments for legacy computers simultaneously with Active Directory. Because Windows 2000 Server mixed mode allows a domain controller to emulate a PDC, mixed mode enables you to deploy a Windows Server 2000 or 2003 Active Directory domain controller in a Windows NT 4 domain or in a new domain. Use Windows 2000 Server mixed mode when one of the following is true:
• You have a mixture of Windows 2000 and Windows 2003 domain controllers as well as Windows NT 4.0 backup domain controllers (BDCs).
• You want to slowly transfer your Windows NT 4 domains to native mode Active Directory (Windows 2000 Server native or Windows 2003 Server).
There are many reasons to stay in mixed mode before going directly to native. One important reason is that during your migration to AD, you might want to upgrade your existing Windows NT 4 DCs to Windows Server 2003 over some period of time. For example, mixed mode provides the functionality that lets Windows NT 4 BDCs continue to offer domain services. Since each DC continues to interoperate with the others, you can take your time with the upgrade and follow a methodical implementation plan. Then, when all DCs have been upgraded, you have the option of switching to native mode at your convenience.
The limitations of Windows 2000 Server mixed mode are:
• No support for universal groups
• No support for group policies (only system policies)
• Active Directory database is limited to 40MB (24,000 accounts vs. 3 to 10 million for AD)
Due to the limitations imposed by Windows 2000 Server mixed mode, your organization should consider going to native mode (2000 or 2003). NetApp recommends that you consider implementing a native design and remain in mixed mode (or interim mode for Windows 2003) only as a stopgap until you can migrate your entire legacy domain.

3.3.7 NIS Group Lookup
If you use Network Information Service (NIS) for group lookup services, disabling NIS group caching can cause severe degradation in performance. Whenever you enable NIS lookups using the nis.enable option, it is strongly recommended that you also enable caching using the nis.group_update.enable option. Failure to enable these two options together could lead to timeouts as CIFS clients attempt authentication. For more information about configuring NIS, see the Network Management Guide.

3.3.8 Creating a CIFS Share
After a CIFS-enabled NetApp storage is configured, the storage is viewable on the Windows network, but no data is shared yet. To share data, a NetApp CIFS share must be created. A CIFS share is a named access point in a volume that enables CIFS clients to view, browse, and manipulate files on NetApp storage. CIFS shares can be created either using the Windows Computer Management Microsoft Management Console or by using the cifs shares command in Data ONTAP. The flexibility to use the Microsoft Management Console allows Windows administrators to use tools they are familiar with. The number of CIFS shares allowed to be created per NetApp storage is based on the system memory and is different for each platform. Check the NOW™ (NetApp on the Web) site for the resource constraint.

When creating a share you must provide the complete path name of an existing folder or qtree to be shared and the name of the share used by users when they connect to the share. In the Path field of the New Share window, be sure to type the complete path name of the folder or qtree, starting with the C:\vol\vol_name prefix. All shares created on the NetApp storage have paths that begin with C: with the actual volume name appended. For instance, a share on /vol/vol3 would have a path specified as C:\vol\vol3; the C: is ignored by the NetApp storage. The directory path name can be up to 255 characters long. If there is a space in the path name, the entire string must be quoted (for example, "/new volume/mount here").

Share naming conventions for Data ONTAP are the same as for Windows. The share name must be unique for the server, and share names are not case-sensitive. Choose share names that reflect the type of data this share will contain or the groups that will have access to it (for example, acct, engr, mktng, HOME, CAD, design, proj). In addition, share names ending with the $ character are hidden shares, and certain share names, such as ADMIN$ and IPC$, are reserved.

To make it easier to create subsequent shares on NetApp storage volumes in the Microsoft Management Console, it is recommended that you create a default “hidden” share at the root of each volume on the NetApp storage so administrators can browse for them and create additional shares from there. Having a hidden share at the root of each volume allows quick and straightforward access to each volume in case any Windows or storage administration is needed. Apart from the three default administrative shares (C$, HOME, ETC$), it is preferable to have default hidden shares that exist at the root of each volume on NetApp storage (for example, C$ for /vol/vol0, D$ for /vol/vol1 …). For organizations that prefer to separate storage administrative duties from general Windows administrative duties, it probably makes sense to map to the root of each volume and add full NTFS permissions for the domain administrators. One example might be setting the permissions on these shares to allow only domain administrators access to the root of each volume in case qtrees need to be changed (security type) or deleted.

Note: By default, machine accounts have access to a newly created share.

The following example creates a CIFS share named SHARE1. Its directory path is /u/eng. UNIX mode bits are explicitly set as 775 on files and 777 on directories.
FAS1> cifs shares -add SHARE1 /u/eng -file_umask 775 -dir_umask 777
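The naming and path rules in section 3.3.8 are the kind of thing an administrator checks by hand before running cifs shares -add; the following is an added example, not code from the paper or from Data ONTAP, that applies those rules (reserved names ADMIN$ and IPC$, case-insensitive uniqueness per server, the $ suffix meaning hidden, the 255-character path limit, quoting of paths with spaces, and dropping the C: prefix the storage ignores) and then composes the command line shown above. The share names and paths used in the tests are constructed; the -file_umask and -dir_umask options are taken from the paper's own example and their semantics are not interpreted here.

```python
"""Added example (not from TR-3708i): checks a proposed CIFS share against the
naming and path rules in section 3.3.8 and builds the matching 'cifs shares -add'
command.  Share names and paths used here are constructed for the demo."""
from typing import Iterable, List, Optional, Tuple

RESERVED_SHARE_NAMES = {"ADMIN$", "IPC$"}  # named as reserved in section 3.3.8
MAX_PATH_LEN = 255                          # directory path limit in section 3.3.8


def normalize_path(path: str) -> str:
    """Turn the MMC form C:\\vol\\vol3 into the storage path /vol/vol3.
    The storage system ignores the C: drive letter, so it is dropped here."""
    p = path.strip()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.replace("\\", "/")


def validate_share(name: str, path: str, existing: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (ok, messages).  Messages starting with 'info:' do not block creation."""
    msgs: List[str] = []
    upper = name.upper()
    if upper in RESERVED_SHARE_NAMES:
        msgs.append(f"error: {name} is a reserved share name")
    # share names are not case-sensitive, so uniqueness is checked case-insensitively
    if upper in {s.upper() for s in existing}:
        msgs.append(f"error: share name {name} already exists on this server")
    if upper.endswith("$"):
        msgs.append("info: name ends with $, so the share is hidden from browsing")
    storage_path = normalize_path(path)
    if len(storage_path) > MAX_PATH_LEN:
        msgs.append(f"error: path is {len(storage_path)} characters, limit is {MAX_PATH_LEN}")
    if " " in storage_path:
        msgs.append("info: path contains a space and must be quoted on the CLI")
    ok = not any(m.startswith("error:") for m in msgs)
    return ok, msgs


def build_cifs_shares_add(name: str, path: str,
                          file_umask: Optional[str] = None,
                          dir_umask: Optional[str] = None) -> str:
    """Compose the command line from section 3.3.8, quoting paths that contain spaces."""
    storage_path = normalize_path(path)
    if " " in storage_path:
        storage_path = f'"{storage_path}"'
    parts = ["cifs shares -add", name, storage_path]
    if file_umask is not None:
        parts += ["-file_umask", file_umask]
    if dir_umask is not None:
        parts += ["-dir_umask", dir_umask]
    return " ".join(parts)


if __name__ == "__main__":
    print(validate_share("eng$", "C:\\vol\\vol3\\eng", ["SHARE1", "C$"]))
    print(build_cifs_shares_add("SHARE1", "/u/eng", "775", "777"))
```

Because the check is case-insensitive and rejects reserved names, it catches the two mistakes the paper's rules are really about: silently shadowing an existing share with a differently cased name, and creating a user share whose name collides with an administrative one.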
3.3.9 NetApp Snapshot and SnapRestore
A Snapshot™ copy is a frozen, read-only image of a traditional volume, a FlexVol® volume, or an aggregate that reflects the state of the file system at the time the Snapshot copy was created. Snapshot copies are your first line of defense for backing up and restoring data. Data ONTAP maintains a configurable Snapshot schedule that creates and deletes Snapshot copies automatically for each volume. Snapshot copies can also be created and deleted manually. The NetApp storage default schedule for each volume Snapshot is: 6 daily, 2 nightly, 1 weekly. You can store up to 255 Snapshot copies at one time on each volume, and up to 200 Snapshot copies for each aggregate. You can specify the percentage of disk space that Snapshot copies can occupy. The default setting is 20% of the total (both used and unused) space on the disk. For a full explanation of how Snapshot copies consume disk space, see Understanding Snapshot disk consumption.

Snapshot files carry the same permissions and inode numbers as the original files, keeping the integrity of the security system intact. Inodes are data structures that hold information (including permissions information) about files on the storage system. There is an inode for each file, and a file is uniquely identified by the file system on which it resides and its inode number on that system.

3.3.10 What You Can Do with Snapshot Copies
Snapshot copies enable system administrators to perform the following tasks:
• Create near-instantaneous backups
• For CIFS and NFS, NetApp quiesces the data before each Snapshot, guaranteeing a consistent recovery point
• Create a clone of a FlexVol volume*
• Replicate the Snapshot to a DR site
* Note: See the Storage Management Guide for information about cloning a FlexVol volume.
CIFS and NFS volume Snapshot copies enable end users to do the following:
• Recover older versions or sets of files that were accidentally changed or deleted
• Restore their own files without needing a system administrator to restore files from tape
For a complete listing of NetApp Snapshot and SnapRestore® functions, refer to Chapter 2, Snapshot management, in the NetApp Data Protection Online Backup and Recovery Guide.

3.4 DEMO

3.4.1 CIFS Shares
cifs shares displays one or more shares, creates a share, deletes a share, edits a specified share, or displays a total summary of the shares.

Listing Shares
To list all shares and their access control lists, use the command “cifs shares” with no arguments. To list a single share and its access control list, use the command “cifs shares sharename”, where sharename is the name of the share.

Creating Shares
To create a new share, use the -add option:
cifs shares -add sharename path [options]
sharename: Name of the new share; clients use this name to access the share.
path: Full path name of the directory on the NetApp storage that corresponds to the root of the new share.
-f: Suppress confirmation dialogs.
-comment description: Description of the new share. CIFS clients see this description when browsing the NetApp storage's shares. If the description includes spaces, it must be enclosed in double quotation marks. If you do not specify a description, the description is blank.
-maxusers userlimit: Maximum number of simultaneous connections to the new share. userlimit must be a positive integer. If you do not specify a number, the NetApp storage does not impose a limit on the number of connections to the share.
-forcegroup groupname: Name of the group to which files to be created in the share belong. The groupname is the name of a group in the UNIX group database.
-nosymlink_strict_security: Do not check that the client is authenticated to the symbolic link's destination.
-widelink: Allow clients to follow absolute symbolic links outside of this share, that is, to destinations on this NetApp storage but outside of the current share. This feature requires an entry in the /etc/symlink.translations file and it requires that the client supports Microsoft's Distributed File System (DFS).
-umask mask: File mode creation mask for shares in qtrees with UNIX or mixed security styles. The mask is an octal value which determines the initial permissions setting of a newly created file, subject to Windows NT security.
-novscan: Do not perform a virus scan when clients open files on this share.
-novscanread: Do not perform a virus scan when clients open files on this share for read access.
-no_caching: Disallow Windows clients from caching any files on this share.
-auto_document_caching: Allow Windows clients to cache user documents on this share, also known as client-side caching. The actual caching behavior depends upon the Windows client.
-auto_program_caching: Allow Windows clients to cache programs on this share. The actual caching behavior depends upon the Windows client.
Oplocks: Specifies that the share uses opportunistic locks. This is the default initial property for all shares.
Browsable: Specifies that the share can be browsed by Windows clients.
Showsnapshot: Specifies that Snapshot copies can be viewed and traversed by clients.

Oplocks are enabled on shares by default. However, some applications do not work well when oplocks are enabled. In particular, database applications such as Microsoft Access are vulnerable to corruption when oplocks are enabled. An advantage of shares is that a single path can be shared multiple times, with each share having different properties. For instance, if a path named /dept/finance contains both a database and other types of files, you can create two shares to it, one with oplocks disabled for safe database access and one with oplocks enabled for client-side caching.

3.4.2 Join Active Directory from NetApp Storage as a Windows Member Server
HANDS-ON EXERCISE: Joining Active Directory
Prerequisite: DNSSETUP.BAT, NTPTIME.BAT
Performed from W2003 or W2008
Either perform the following steps or, to automate the task, execute CIFSJOIN.BAT and then proceed to section 3.4.3 – Verifying Successful CIFS Installation.
It’s outside the scope of this paper to explain each step in detail; however, information and guidance on joining NetApp storage to an Active Directory domain are in the guide “Best Practices for File Installation in an Active Directory Domain.” First, make sure the domain controllers are not hidden. If not, use the following command on each Windows 200x Server:
SERVER> net config server /hidden:no
The following checklist provides the steps that should be followed to install NetApp storage into an Active Directory domain.

From Windows Domain Controller
1. Make sure you have domain administrator privileges in Active Directory.
2. Retrieve the Active Directory domain name. (Click Start, Programs, Administrative Tools, Active Directory Users and Computers.) The domain name is displayed.
3. Retrieve the DNS name server IP address. From the Windows Console, you can type IPCONFIG /ALL. Make sure DNS is configured properly for Active Directory support. You should have both Forward and Reverse Lookup Zones configured, and the NetApp storage host “A” record added.
4. Determine mixed or native mode Active Directory domain style. (Click Start, Programs, Administrative Tools, Active Directory Users and Computers.) Right-click the domain name and select ‘Raise Domain Functional Level’. The GUI will display the current domain functional level and provide the opportunity to raise the level.
5. If using Windows Internet Naming Service (WINS), retrieve the server address(es).
6. Determine which Microsoft sites are defined. (Click Start, Programs, Administrative Tools, Active Directory Sites and Services.) If you use the CIFS Wizard, the default site is used. NetApp storage will determine this automatically, and display found sites to select from during the CLI setup. For this lab, we will use the site: San-Diego
7. Retrieve the NetApp storage account location in AD. Otherwise, precreate the NetApp storage object in the correct OU so that the FilerView CIFS wizard will not place the object in the Computers OU. ‘NetApp storage’ is used for the OU in this document. To precreate the object:
a. In the Active Directory Users and Computers View menu, make sure that the Advanced Features menu item is checked.
b. In the Active Directory tree, locate the OU for your NetApp storage.
c. Right-click, and choose New > Computer.
d. Specify the name of the NetApp storage administrator account to be allowed to "add this computer to the domain."
e. Right-click the computer account you just created and choose Properties from the pop-up menu.
f. Click the Security tab.
g. Select the user or group that will add the NetApp storage to the domain.
h. In the Permissions list, make sure that the following check boxes are enabled: "Change Password" and "Write Public Information."
i. Run cifs setup. At the prompt "Please enter the new hostname," enter the NetApp storage name you specified in step c.

From NetApp Storage
1. Verify the licenses on the NetApp storage: FAS1> license. Verify that both a CIFS and NFS license have been installed. If not, download an evaluation license from the NOW.netapp.com website.
2. Check the version of Data ONTAP and update if necessary: FAS1> version
3. Get the NetApp storage Windows (NetBIOS) name: FAS1> hostname
4. Set time services on the NetApp storage and perform a manual synchronization: FAS1> rdate W2003 (Refer to the steps in the Network Time Protocol section to schedule automatic time synchronization.)
5. Configure DNS on the NetApp storage:
FAS1> options dns.domainname demo.netapp.com
FAS1> options dns.enable on
6. Set options.
7. Run cifs setup: FAS1> cifs setup. Select the option to join Active Directory (option 1). Answer the questions with the information provided in the previous steps. Enter the NetApp storage name (FAS1).

3.4.3 Verifying Successful CIFS Installation
HANDS-ON EXERCISE: Verify Successful CIFS Installation
Prerequisite: CIFSJOIN.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps or, to automate the task, execute: none.
Verify the AD join with NetApp CIFS. To verify that CIFS setup has successfully joined the NetApp storage to your Active Directory domain, type the following on the NetApp storage command line:
FAS1> cifs domaininfo
or FAS1> cifs sessions
or
FAS1> priv set advanced
FAS1*> registry walk auth
FAS1*> priv set
You should see the following items in the output:
• A successful registration into a Windows 2000 domain, including the domain name
• A list of Windows Internet Naming Service servers (if defined)
• A currently selected domain controller for Kerberos authentication
Note: The “successful registration into a Windows 2000 domain” tag does not change if the domain controller is Windows 2003 or 2008.
Note: For additional information, from the CLI issue: FAS1> man na_cifs_setup

3.4.4 NetApp Storage Windows (NetBIOS) Name
It is recommended that you keep the same name of the NetApp storage for both UNIX® and Windows environments for ease of administration. If you are installing a NetApp cluster, the host name must be unique for each NetApp storage in the cluster. NetBIOS aliasing is a feature in Data ONTAP that allows administrators to configure NetApp storage in such a way as to broadcast and register multiple NetBIOS names within a domain. The primary benefit of this feature is that it allows an organization to retain legacy Windows server names after physically retiring the legacy server. This feature can make migrating data an easy process because retaining legacy names within an environment keeps existing desktop shortcuts, links, and embedded paths intact. Use the NetBIOS aliasing option when there are no share name conflicts and you have a small number of Windows servers whose names you still want to retain for client access purposes. NetApp recommends that you eventually create a DFS global namespace to mitigate the use of NetBIOS aliasing. For more information about NetBIOS aliases, see the Data ONTAP File Access and Protocols Management Guide at http://now.netapp.com/NOW/knowledge/docs/ontap/ontap_index.shtml.
Note: You can enter up to 200 NetBIOS aliases in the file, using either ASCII or Unicode characters. Each name can be no longer than 15 characters.
Note: When creating a name for the NetApp storage in an Active Directory domain, the NetBIOS name you select will be appended with the DNS name.

HANDS-ON EXERCISE: NetBIOS Alias
Prerequisite: CIFSRUN.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps or, to automate the task, execute BIOSFOO.BAT and then proceed to step #3.
If you need to add a NetBIOS alias to the NetApp storage:
1. Edit /etc/cifs_nbalias.cfg. If CIFS is already running on the NetApp storage, map a drive to \\FAS1\C$ and edit \etc\cifs_nbalias.cfg; otherwise, follow the steps to create a new cifs_nbalias.cfg file:
a. FAS1> priv set advanced
b. FAS1*> cp /etc/cifs_nbalias.cfg /etc/cifs_nbalias.cfg.original
c. FAS1*> java netapp.cmds.jsh
d. FAS1*> rdfile /etc/cifs_nbalias.cfg
e. FAS1*> wrfile /etc/cifs_nbalias.cfg
<Add one NetBIOS name per line>
FOOBAR
Ctrl+C to end file
A message will display stating: “read: error reading standard input: Interrupted system call”
f. After you create the file, you can view the contents with the command: FAS1*> rdfile /etc/cifs_nbalias.cfg
g. FAS1*> exit
h. FAS1*> priv set
2. FAS1> cifs nbalias load
3. FAS1> cifs nbalias

3.4.5 Manage the CIFS Shares from the CLI and Microsoft Management Console
A Microsoft Windows administrator can create and manage a share on a storage system by using the Microsoft Computer and Users Microsoft Management Console snap-in or by using the CLI command ‘useradmin’ covered in section 4.
Management options available:
a. Create a share on the storage system
b. Create a local group on the storage system
c. Add users to or remove them from a local group
d. Manage the CIFS sessions on the storage system

Connecting Microsoft Management Console to the Storage System
You can connect the Microsoft Management Console to the NetApp storage system using the Microsoft Management Console menu commands.
Steps:
1. On your Windows server, choose Run from the Start menu, then enter the following command: mmc
2. Go to the Microsoft Management Console.
3. On the left panel, select Computer Management.
4. From the Action menu, choose “Connect to another computer.”
5. The Another Computer box appears.
6. Type the name of the storage system or click Browse to browse for the storage system.
7. Click OK.

3.4.6 Qtree Implementation
Within a volume you have the option of creating qtrees to provide another level of logical file systems. In many ways, qtrees are similar to flexible volumes. Only qtrees support quota management. A maximum of 4,995 qtrees are supported per volume. For example, you use NTFS-style security if the members of a project use Windows files and applications. Another project in another qtree can use UNIX files and applications. If another project uses CIFS oplocks, you can set CIFS oplocks to Off on that project qtree. Back up and restore all the project files as a unit.

Creating a Qtree
To create a qtree,
without affecting other projects. In general. For example. Use quotas to limit the disk space and number of files available to a project qtree so that the project does not use up resources that other projects and users need. or groups of users.995 virtually independent file systems. You can create a qtree to assign user. such as one maintaining a database. Page 26 of 187 CIFS – Demo. A maximum of 4. and a third project can use Windows as well as UNIX files. Setting up a qtree for a project provides you with the following capabilities: Set the security style of the project without affecting the security style of other projects. the qtree is created in the root volume. set CIFS oplocks (opportunistic locks) as appropriate to the project.3. Qtrees support a sophisticated file and space quota system that you can use to apply soft or hard space usage limits on individual users. Note: If you want to create the qtree in a volume other than the root volume. However. For example. it can be in another qtree that has oplocks set to On. If path does not begin with a slash (/). they have the following differences: • • • Snapshot copies can be enabled or disabled for individual flexible volumes.4. Using Qtrees for Projects One way to group files is to set up a qtree for a project. If the project uses Windows. include the volume in the name.or workgroup-based soft or hard usage quotas to limit the amount of storage space that a specified user or group of users can use on the qtree to which they have access. Qtrees do not support space reservations or space guarantees. if one project uses a database that requires no CIFS oplocks. FAS1> qtree create path path is the path name of the qtree. complete the following step. but not for individual qtrees. com . Page 27 of 187 CIFS – demo. complete the following step. FAS1> qtree status [-i] [path] The -i option includes the qtree ID number in the display. and SnapMirror® status for all volumes and qtrees on the NetApp storage. 
FAS1> qtree stats [ -z ] [ path ] The -z option clears the counter for the designated qtree. or clears all counters if no qtree is specified. or for a specified volume. oplocks attribute.Determining the Status of Qtrees To find the security style.NetApp. BAT.BAT Performed from W2003 Either perform the follow steps.com .BAT. volumes and shares which will be used for the users home directories. or to automate the task.NetApp.BAT file.3. proceed to step #7 The following steps will create the aggregate. SHARESETUP. FAS1> aggr create CIFSDEMO -t raid_dp 5 FAS1> vol create DATA CIFSDEMO 1g FAS1> vol create HOMEDIR CIFSDEMO 1g FAS1> vol create BOOKS CIFSDEMO 1g FAS1> vol create PROFILE CIFSDEMO 1g FAS1> vol create REDIRECT CIFSDEMO 1g FAS1> snap reserve DATA 0 FAS1> snap reserve HOMEDIR 0 FAS1> snap reserve BOOKS 0 FAS1> snap reserve PROFILE 0 FAS1> snap reserve REDIRECT 0 FAS1> vol options DATA create_ucode on FAS1> vol options HOMEDIR create_ucode on FAS1> vol options BOOKS create_ucode on FAS1> vol options PROFILE create_ucode on FAS1> vol options REDIRECT create_ucode on FAS1> vol options DATA convert_ucode on FAS1> vol options HOMEDIR convert_ucode on FAS1> vol options BOOKS convert_ucode on FAS1> vol options PROFILE convert_ucode on FAS1> vol options REDIRECT convert_ucode on Page 28 of 187 CIFS – Demo. execute: HOMEDIR.7 Create Users’ Home Directories Creating directories in a home directory path (domain-naming style): HANDS-ON EXERCISE: Users’ Home Directories Prerequisite: CIFSRUN. and are included here for your reference.4. Then. These steps are included in the SHARESETUP. 
F" "Everyone:F.com .F" /SPEC B /Q SERVER> cscript C:\CIFSDEMO\xcacls.F" /SPEC B /Q Page 29 of 187 CIFS – demo.NetApp.FAS1> snap sched DATA 0 0 0 FAS1> snap sched HOMEDIR 0 0 0 FAS1> snap sched BOOKS 0 0 0 FAS1> snap sched PROFILE 0 0 0 FAS1> snap sched REDIRECT 0 0 0 FAS1> vol options DATA guarantee none FAS1> vol options HOMEDIR guarantee none FAS1> vol options BOOKS guarantee none FAS1> vol options PROFILE guarantee none FAS1> vol options REDIRECT guarantee none FAS1> cifs shares -add DATA /vol/DATA FAS1> cifs shares -add HOMEDIR /vol/HOMEDIR FAS1> cifs shares -add BOOKS /vol/BOOKS FAS1> cifs shares -add PROFILE /vol/PROFILE FAS1> cifs shares -add REDIRECT /vol/REDIRECT FAS1> options wafl.vbs n:\ /g "demo\Administrator:F.F" "Everyone:F.default_security_style ntfs FAS1> qtree security /vol/DATA mixed FAS1> qtree security /vol/HOMEDIR mixed FAS1> qtree security /vol/BOOKS mixed FAS1> qtree security /vol/PROFILE mixed FAS1> qtree security /vol/REDIRECT mixed SERVER> net use u: \\FAS1\data /persistent:no SERVER> net use v: \\FAS1\homedir SERVER> mkdir u:\TEMPLATES SERVER> mkdir v:\Fred SERVER> mkdir v:\Wilma SERVER> net use u: /delete /yes SERVER> net use v: /delete /yes REM The following section sets the permissions on each share SERVER> cscript C:\CIFSDEMO\xcacls.vbs m:\ /g "demo\Administrator:F. If there is more than one path.exe. For example. CIFS Home Directories work like this The sysadmin specifies one or more paths to be used by the NetApp storage to resolve the location of user CIFS homedirs. then Fred has no CIFS homedir. If the directory /vol/HOMEDIR/Fred exists.com . add: /vol/HOMEDIR/ (We will use a volume called HOMEDIR to store the home directory for each user.SERVER> cscript C:\CIFSDEMO\xcacls. map a drive to the NetApp storage C$ share. i.F" "Everyone:F.F" "Everyone:F. What a CIFS homedir looks like to the user When a user browses to the NetApp storage in a GUI they will see a share with their name on it.cfg. there are a couple of ways to go. 
We will create a home directory for both Wilma and Fred in the HOMEDIR volume Use Notepad.F" /SPEC B /Q SERVER> cscript C:\CIFSDEMO\xcacls.vbs p:\ /g "demo\Administrator:F.e.F" /SPEC B /Q SERVER> cscript C:\CIFSDEMO\xcacls. The CIFS homedir shares are visible only to their users. The folders for Wilma and Fred need to be created in the HOMEDIR volume. Make each user the owner of his or her home directory. user Fred will see a share “Fred”. /vol/HOMEDIR. Now user “Fred” connects to the NetApp storage. you can create home directories by editing the /etc/CIFS_homedir. Suppose there is one path. But that would be time consuming and puts stress on the NetApp storage. The method used by many customers is to make use of the NetApp storage CIFS Home Directory feature. the NetApp storage checks them in sequence and assigns the user CIFS homedir as soon as it finds a match on the directory name. If the CIFS. If it does not exist. Neither of them will see the other's homedir share.F" "Everyone:F. From the Windows machine.NetApp.vbs o:\ /g "demo\Administrator:F.F" /SPEC B /Q Why Use CIFS HOMEDIR: If you are a SysAdmin with a large number of users and you want each of them to have a home directory. User Wilma will see a share called “Wilma”. and edit: T:\etc\CIFS_homedir. SERVER> net use T: \\FAS1\c$ 2.) 3.cfg. If you list out the NetApp storage shares you will not see “Fred” or “Wilma”.home_dir_namestyle option is domain. and setting the permissions on the directories.vbs q:\ /g "demo\Administrator:F. Steps 1. Page 30 of 187 CIFS – Demo. creating the directories. You can create a separate share for each of your users.cfg In the CIFS_homedir. then that is Fred’ homedir. and you will see a drive Z: connected to FAS1\<user name> Log off the Vista machine. For example. This will allow you to remotely connect to the VISTA workstation.com . 3. select “Connect. 4. Testing the home directory mapping with Fred or Wilma SERVER> From the desktop. 
Example of a share named: HOMEDIR on vol0: /vol/HOMEDIR/%u% This will make Fred Flintstone the owner of the /vol/HOMEDIR/Fred directory and Wilma Flintstone the owner of the /vol/HOMEDIR/Wilma directory. In the “User Folder” section. select Properties. When completed.” Assign a drive letter.NetApp. Load the new CIFS homedir configuration into the storage system. Right-click.MSC shortcut. 5. Select the desired user(s). disconnect drive T: SERVER> net use T: /delete /yes 7. On the left colume of the MSC. for example. Doubleclick on either ‘Connect as Fred’ or ‘Connect as Wilma’ Once connect. 4. double click on the DEMO. Select the Profile tab. Active Directory Users and Computers. enter one of the following commands: FAS1> cifs homedir showuser Fred FAS1> cifs homedir showuser Wilma 6. Administrative Tools.home_dirs_public_for_admin described above. You can use the wildcard option.home_dirs_public (hidden option. default: off) Like the cifs. expand ‘Remote Desktop’.home_dirs_public_for_admins (default: on) Allows Administrator to access other’s home directories FAS1> options cifs. Make sure that the CIFS homedir domain name style is working by entering the following command: FAS1> cifs homedir showuser <user_name> For example. but it applies to all users FAS1> options cifs. launch Explorer. Additonal Options FAS1> options cifs. and the path to the users’ home directory.1. Z. 2. SERVER> Select Programs. enter the following command: FAS1> cifs homedir load -f 5.home_dir_namestyle (see the next section) Page 31 of 187 CIFS – demo. use a pair of double quotes ("") as the argument. In most environments it is best to pick the domain and security style (UNIX or NTFS) and set that for the qtree where the users’ home directories reside. Mixed security could be used here. 
Consider using cifs.2 http://now.home_dir_namestyle to specify how the name portion of the path to a user's home directory is determined.netapp.html#c_oc_accs_limits_for_the_FA S6000_series_storage_systems Page 32 of 187 CIFS – Demo. The following options are: • • Set this option to ntname if a user's Windows login name is to be used. • • • 3.cfg.netapp. To set this option to the default value (a null string).com/documents/tr-3367. Set this option to mapped when the user's UNIX name is used.shtml Sizing of CIFS-Based Home Directories – April 2007 http://media. which acts like ntname with the exception that symlinks are followed in any direction. The UNIX name is obtained by mapping the user's Windows login name using the file /etc/usermap. However.Considerations for Heterogeneous Home Directory Environments Data within users’ home directories is generally not shared out for other users’ access. rely on the NetApp storage’s user mapping process to grant permissions to files within the user’s individual home directory.pdf (Internal) File Access and Protocol Management Guide – Data ONTAP 7. The default value for this option is the null string. If any nonnative access is required.netapp.com/NOW/knowledge/docs/olio/guides/ntsp.NetApp.com/NOW/knowledge/docs/ontap/rel724/html/ontap/filesag/accessing/concept/ c_oc_accs_limits_for_the_FAS6000_series_storage_systems. Set this option to domain when the user's name includes both the user's domain and Windows login name separated by a slash.netapp. and the NetApp storage will append a dollar sign to the user's name when enumerating the home directory share name. users must append a dollar sign to their user names when connecting to the NetApp storage.com .pdf CIFS Support Matrix http://now. except for possibly the same owner’s nonnative access. 
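The resolution rules above (search paths tried in order, only the owner seeing their own share, the cifs.home_dirs_public options, and the cifs.home_dir_namestyle styles) as an added Python model. This is example code written for this page, not Data ONTAP's implementation; the directory tree, the user names (Fred, Wilma, Barney, Pebbles), the usermap entry and the assumption that a null namestyle behaves like ntname are all constructed for the example.

```python
"""Added example: model of Data ONTAP CIFS home-directory resolution
(illustrative code for this page, not the storage system's implementation)."""
from dataclasses import dataclass, field


@dataclass
class HomedirConfig:
    search_paths: list                                 # lines of /etc/cifs_homedir.cfg, in order
    namestyle: str = ""                                # cifs.home_dir_namestyle: "", ntname, hidden, domain, mapped
    usermap: dict = field(default_factory=dict)        # Windows login -> UNIX name (stand-in for /etc/usermap.cfg)
    public_for_admins: bool = True                     # cifs.home_dirs_public_for_admins (default on)
    public: bool = False                               # cifs.home_dirs_public (hidden option, default off)
    existing_dirs: set = field(default_factory=set)    # constructed stand-in for the volumes' directories


def name_portion(cfg, domain, user):
    """Name part of the homedir path for the configured style.
    Assumption: the default (null string) behaves like ntname."""
    style = cfg.namestyle or "ntname"
    if style in ("ntname", "hidden"):
        return user
    if style == "domain":
        return f"{domain}/{user}"
    if style == "mapped":
        return cfg.usermap.get(user)                   # None when no UNIX mapping exists
    raise ValueError(f"unknown namestyle {style!r}")


def resolve_homedir(cfg, domain, user):
    """First search path that contains the user's directory, or None (no homedir)."""
    name = name_portion(cfg, domain, user)
    if name is None:
        return None
    for base in cfg.search_paths:
        candidate = base.rstrip("/") + "/" + name
        if candidate in cfg.existing_dirs:
            return candidate
    return None


def share_name(cfg, user):
    """Share name enumerated to the user; the hidden style appends a dollar sign."""
    return user + "$" if cfg.namestyle == "hidden" else user


def connect(cfg, domain, requester, is_admin, requested_share):
    """Path behind \\\\FAS1\\<requested_share> for this requester, or None if denied/absent.
    Only the owner reaches their homedir share, unless cifs.home_dirs_public is on
    or the requester is an administrator and cifs.home_dirs_public_for_admins is on."""
    if cfg.namestyle == "hidden":
        if not requested_share.endswith("$"):
            return None                                # hidden style requires the trailing '$'
        owner = requested_share[:-1]
    else:
        owner = requested_share
    allowed = (owner.lower() == requester.lower()
               or cfg.public
               or (is_admin and cfg.public_for_admins))
    if not allowed:
        return None
    return resolve_homedir(cfg, domain, owner)


def demo():
    """Constructed lab layout: Fred under /vol/HOMEDIR, Wilma under a second search path."""
    cfg = HomedirConfig(
        search_paths=["/vol/HOMEDIR/", "/vol/HOME2"],
        existing_dirs={"/vol/HOMEDIR/Fred", "/vol/HOME2/Wilma", "/vol/HOMEDIR/demo/Barney"},
    )
    results = {
        "fred_own": connect(cfg, "demo", "Fred", False, "Fred"),
        "fred_peeks_wilma": connect(cfg, "demo", "Fred", False, "Wilma"),
        "admin_reads_wilma": connect(cfg, "demo", "Administrator", True, "Wilma"),
        "no_homedir": resolve_homedir(cfg, "demo", "Pebbles"),
    }
    cfg.namestyle = "domain"                           # looks for <domain>/<user> under each path
    results["barney_domain_style"] = resolve_homedir(cfg, "demo", "Barney")
    cfg.namestyle = "hidden"
    results["hidden_share"] = share_name(cfg, "Fred")
    results["hidden_without_dollar"] = connect(cfg, "demo", "Fred", False, "Fred")
    results["hidden_with_dollar"] = connect(cfg, "demo", "Fred", False, "Fred$")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to print each case; the cifs homedir showuser command on the storage system is the real-world equivalent of resolve_homedir.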
3.5 NETAPP TECHNICAL REPORT REFERENCE
NetApp Storage Systems in a Microsoft Windows Environment – June 2008: http://media.netapp.com/documents/tr-3564.pdf
Sizing of CIFS-Based Home Directories – April 2007 (Internal): http://media.netapp.com/documents/tr-3367.pdf
File Access and Protocol Management Guide – Data ONTAP 7.2: http://now.netapp.com
CIFS Support Matrix: http://now.netapp.com/NOW/knowledge/docs/olio/guides/ntsp.shtml
Maximum Number of CIFS Shares per NetApp Storage: http://now.netapp.com/NOW/knowledge/docs/ontap/rel724/html/ontap/filesag/accessing/concept/c_oc_accs_limits_for_the_FAS6000_series_storage_systems.html#c_oc_accs_limits_for_the_FAS6000_series_storage_systems

Data ONTAP Man Pages
You can use the Data ONTAP manual (man) pages to access technical information:
• By entering the following command at the storage system command line: FAS1> man command_or_file_name
• By clicking the manual pages button on the main Data ONTAP navigational page in the FilerView user interface
• By using the Commands: Manual Page Reference, Volumes 1 and 2 (which can be downloaded or ordered through the NOW site)
Note: All Data ONTAP man pages are stored in the storage system in files whose names are prefixed with the string "na_" to distinguish them from client man pages. The prefixed names are used to distinguish storage system man pages from other man pages and sometimes appear in the NAME field of the man page, but the prefixes are not part of the command, file, or service names. They are grouped into sections according to standard UNIX naming conventions.

4 SECURITY
4.1 SECURITY OVERVIEW
NetApp storage is designed to be capable of operating in both UNIX and CIFS networking environments. One of the goals of the storage design is to allow pure UNIX and pure CIFS sites to work transparently in "native" mode without the worry of other client types. Whenever possible, using only native security for NetApp storage clients results in an easier administration job. However, many sites have a need for multiprotocol support, which often introduces the need for both client types to be able to access the same files. The NetApp approach is to simultaneously support multiple security models.
One concept that is common to all security models is the notion of a user, which makes the user an intuitive choice for bridging the different models. When a user wants to access a file that has "nonnative" security, the user's mapped identity is used to validate the access. User security on NetApp storage is divided into three categories.

4.1.1 Infrastructure Security
Security engineering functions to provide preventative actions and solutions to interruptions of business functions resulting from known risks and incidents. The definition of a security disaster, then, is any breach that causes an extended disruption of business functions. A security disaster has a low probability of happening due to the use of layered security measures. Some high-level security requirements are given below:
Performance: Consistent and predictable performance, measured and revealed with the introduction of perimeter or layer security when compared with documented and later measured application response time.
Resiliency: Security solutions shall not change the availability of authorized data delivery. The solution should be resilient if high availability is required. Application performance should be maintained according to SLA during an as-built security component layer outage. Systems should be designed and managed so that in the event of breakdown or compromise the least possible damage and inconvenience is caused.
Scalability: The system should scale as business expands to add new functionality and applications without significant investment, redesign, or downtime.
Accountability: The security solution shall be securely designed, monitored, and audited to protect NetApp’s intellectual property and systems. The security system should secure against random and determined attacks that aim to degrade NetApp communications and applications. All significant system and process events should be traceable to the originator. An independent expert has the ability to verify that the system conforms to the security policy. Systems must be able to record security-related events in a tamper-proof audit log.
Exceptions: Policy exceptions should always have senior management approval and be recorded for the audit trail. During emergency and maintenance, controls must only be bypassed in predetermined and secure ways. Procedures and controls minimize the level of risk during exceptions caused by maintenance or incident management.
Security Automation: Simple, fast, and reliable automatic controls should be used when possible rather than administrator management dependent on human schedule and vigilance.
Layered Defense: Controls should follow defense in depth, layered such that if one layer of control should fail, there is another, different type of control at the next layer that will prevent a security breach. Controls should still be effective even if an opponent knows of their existence and mode of operation.

4.1.2 File-Level Security
Customers are becoming more concerned about the higher threat of intellectual property theft, and much of that threat comes from internal sources that already have some level of access to the systems. Domain administrators (and users that map to root) have traditionally been able to reset security permissions in any way they choose. This potentially gives an administrator the ability to take ownership of a file or directory and remove permission constraints against them, and potentially remove auditing settings as well. Storage administrators would like to have the ability to set a minimum level of security or auditing that cannot be revoked from a client, even by an administrator. NetApp’s new level of security, named Storage-Level Access Guard, is designed to be set on a storage object, currently a qtree or a volume.
With this feature in place, any storage object can contain up to three pieces of security:
• NTFS, UNIX, and NFSv4 security (normal file-level security): applies to the directory representing the storage object; this is the same security that you would otherwise set from the appropriate client.
• Storage-Level Access Guard file security: applies to every file within the storage object, and may only be set using tools provided by NetApp. This will not affect access to or auditing of directories in any way.
• Storage-Level Access Guard directory security: applies to every directory within the storage object, and may only be set using tools provided by NetApp. This will not affect access to or auditing of files in any way.
The fact that there are two Storage-Level Access Guard security descriptors is an internal design detail. They will look like a single security descriptor in the definition file.

The security style used for client communication can be set at a volume or qtree level. Most administrators will choose to designate specific sections of a NetApp storage volume as an NTFS qtree, a UNIX qtree, or a mixed qtree. (A qtree is simply a designated subtree within a NetApp storage volume.) Placing similar types of data in separate qtrees, volumes, or flexible volumes will make security configuration simpler. The security style determines what permissions are applied to files and directories in that qtree, volume, or flexible volume. For any given file or directory, one (and only one) security style is in effect at a time.
• The NTFS security style is based on ACLs. To a Windows client, this security model behaves exactly like an NTFS file system on a Windows file server and is more natural for Windows users.
• The UNIX security style is based on UNIX permissions. To an NFS client, this security model behaves exactly like a UNIX NFS server and is more natural for UNIX users. It should be noted that the default security style set on a new volume or qtree is UNIX. The default security style on newly created volumes can be changed by setting the following NetApp storage option:
FAS1> options wafl.default_security_style unix
• The mixed security style is determined on a file-by-file basis (not per qtree). Files created by Windows users get Windows NT ACLs, and files created by UNIX users get UNIX permissions. A file’s security style may be changed from one style to another by an NFS set-attribute (i.e., chown, chmod) or Windows NT set-ACL (i.e., Security tab in Explorer) request, assuming that the requestor has the appropriate permissions. This style is ideal for users who actively use both Windows and UNIX and want access to both styles of security.

4.1.1 Communication Security
NetApp storage systems can operate in Windows workgroup mode or Windows domain mode. Workgroup authentication allows local Windows client access and does not rely on a domain controller. In domain authentication, the client negotiates the highest possible security level when a connection to the storage system is established. There are two primary levels of security that can be chosen:
• Basic security, based on Windows NT LAN Manager (NTLM) or NTLMv2
• Extended security, using the Windows 2000 Kerberos implementation
By default, Windows Vista, Windows 2003, Windows XP, and Windows 2000 computers that are part of an Active Directory domain try to use Kerberos authentication first and then NTLM-based authentication. Windows NT 4.0, Windows NT 3.x, and Windows 95/98 clients always authenticate using NTLM-based authentication. Data ONTAP includes native implementations of the NTLM and Kerberos protocols and thus provides full support for the Active Directory and legacy authentication methods.

Kerberos Communication
The Kerberos server, or Kerberos Key Distribution Center (KDC) service, stores and retrieves information about security principals in the Active Directory.
Unlike the NTLM model, Active Directory clients that want to establish a session with another computer, such as a storage system, contact a KDC directly to obtain their session credentials. Using Kerberos, clients (users) contact the KDC service that runs on Windows 2000, Windows 2003, or Windows 2008 domain controllers. The client first asks the KDC for a Ticket Granting Ticket (TGT) for the domain. This is an authentication service exchange between the Kerberos SSP and the KDC of the user’s domain (KRB_AS_REQ and KRB_AS_REP). The result is a TGT that the client can use to request session keys to services. The client then uses the TGT to ask for a ticket to the NetApp storage system. This is a TGS exchange between the Kerberos SSP on the client computer and the KDC for the storage system’s account domain. The result is a session ticket that the client can present when requesting access to services on the storage system. Clients then pass the authenticator and the encrypted session ticket to the storage system.

Windows NT LAN Manager Communication
Using NTLM, the NetApp storage system contacts the Windows NT 4.0 or Windows 2000 mixed-mode domain controller to verify a user’s supplied credentials, consisting of the username, the challenge sent to the client, and the response received from the client. The domain controller retrieves the user’s password hash from the Security Account Manager database and uses it to encrypt the challenge. The domain controller then compares that encrypted challenge with the response computed by the client. If these are identical, the NTLM authentication is successful. The domain controller then sends the result back to the storage system, and the storage system allows the user to access the file system based on the access permissions.

Minimum Session Security for NTLM Communication
Session security for NTLM authentication determines which challenge/response authentication protocol is used for net logons. There are five levels to negotiate the challenge/response, set through “options cifs.LMCompatibilityLevel <level>”:
Level 1: accept LM, NTLM, NTLMv2 session security, NTLMv2, Kerberos (default)
Level 2: accept NTLM, NTLMv2 session security, NTLMv2, Kerberos
Level 3: accept NTLMv2 session security, NTLMv2, Kerberos
Level 4: accept NTLMv2, Kerberos
Level 5: accept Kerberos only

SMB Signing Support
Data ONTAP supports Server Message Block (SMB) signing when requested by the client. SMB signing helps to make sure that network traffic between the storage system and the client has not been compromised, by preventing “man in the middle” attacks. SMB signing is disabled by default on the storage system for performance reasons. To enable it, turn the option cifs.signing.enable on; it is the equivalent of the Microsoft network server policy “Digitally sign communications (if client agrees).” It is not possible to configure the storage system to require SMB signing from clients, which would be the equivalent of the Microsoft network server policy “Digitally sign communications (always).”
When SMB signing is enabled on the storage system, all CIFS communications to and from Windows clients incur a significant impact on performance, which affects both the clients and the server (the storage system running Data ONTAP). The performance degradation shows as increased CPU usage on both the client and the server, although the amount of network traffic does not change. Depending on your network and your storage system implementation, the performance impact of SMB signing can vary widely and can be verified only through testing in your network environment. Most Windows clients negotiate SMB signing by default if it is enabled on the server. If you require SMB protection for some of your Windows clients, and if SMB signing is causing performance issues, you can disable SMB signing on any of your Windows clients that do not require protection against replay attacks.

SSH Communication
Secure Shell is a security protocol for logging into a remote server. SSH provides an encrypted session for transferring files and executing server programs. Also serving as a secure client/server connection for applications such as database access and e-mail, SSH allows SSH clients to log into the NetApp storage without being prompted for a password, which is useful for running scripts and scheduled jobs.

LDAP Signing and Sealing Support
Signing Lightweight Directory Access Protocol (LDAP) traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. Sealing is the encryption of all the LDAP traffic. Beginning with Data ONTAP 7, LDAP signing and sealing are supported on NetApp storage systems.
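The challenge/response described above, carried through as an added Python example (not Data ONTAP code). It goes one step beyond the NTLM narrative by using the NTLMv2 computation from MS-NLMP (HMAC-MD5 keyed with the NT hash), so the domain controller verifies with a stored hash only and never sees a password, and it shows why a captured response cannot be replayed against a new challenge, the property that SMB signing extends from the logon to every message. The account, the domain name and the embedded NT hash of the password "password" are constructed inputs.

```python
"""Added example: NTLMv2 logon between client, storage system and domain
controller (illustrative code for this page, not Data ONTAP's implementation)."""
import hashlib
import hmac
import os
import struct
import time

# MD4(UTF-16LE("password")); embedded because hashlib lacks MD4 on many builds.
NT_HASH_OF_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 response key: HMAC-MD5(NT hash, UPPER(user) || domain) over UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_blob(target_info=b""):
    """The 'temp' structure the client appends: version, FILETIME, client nonce, target info."""
    filetime = int((time.time() + 11644473600) * 10_000_000)   # 100 ns units since 1601
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + os.urandom(8) + b"\x00" * 4 + target_info + b"\x00" * 4)


def compute_response(nt_hash, user, domain, server_challenge, blob):
    """NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(key, challenge || blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


class DomainController:
    """Holds the SAM (NT hashes only) and verifies (user, challenge, response) triples."""

    def __init__(self):
        self.sam = {}

    def add_account(self, domain, user, nt_hash):
        self.sam[(domain.upper(), user.upper())] = nt_hash

    def verify(self, domain, user, server_challenge, response):
        nt_hash = self.sam.get((domain.upper(), user.upper()))
        if nt_hash is None or len(response) < 16:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(nt_hash, user, domain),
                            server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)   # constant-time comparison


class StorageSystem:
    """The CIFS server: issues an 8-byte challenge and forwards the response to the DC."""

    def __init__(self, dc):
        self.dc = dc

    def new_challenge(self):
        return os.urandom(8)

    def authenticate(self, domain, user, server_challenge, response):
        return self.dc.verify(domain, user, server_challenge, response)


def logon(filer, domain, user, nt_hash):
    """Full exchange; returns (accepted, challenge, response) so a replay can be attempted."""
    challenge = filer.new_challenge()
    response = compute_response(nt_hash, user, domain, challenge, client_blob())
    return filer.authenticate(domain, user, challenge, response), challenge, response


def demo():
    dc = DomainController()
    dc.add_account("DEMO", "Fred", NT_HASH_OF_PASSWORD)      # Fred's password is "password"
    filer = StorageSystem(dc)
    ok, _challenge, response = logon(filer, "DEMO", "Fred", NT_HASH_OF_PASSWORD)
    wrong, _, _ = logon(filer, "DEMO", "Fred", bytes(16))    # attacker with the wrong hash
    # Replay: a captured response presented against a fresh challenge must fail.
    replayed = filer.authenticate("DEMO", "Fred", filer.new_challenge(), response)
    unknown, _, _ = logon(filer, "DEMO", "Barney", NT_HASH_OF_PASSWORD)
    return {"correct": ok, "wrong_password": wrong, "replay": replayed, "unknown_user": unknown}


if __name__ == "__main__":
    print(demo())
```

The storage system never learns the password or the hash: it only relays the triple, which is exactly what the LMCompatibilityLevel levels above restrict (level 3 and higher refuse the weaker LM and NTLMv1 responses).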
4.1.2 File Policy (FPolicy)
The NetApp FPolicy feature allows you to create file policies that specify file operation permissions according to file type. For example, you can restrict certain file types, such as .jpg and .mpg files, from being stored on the storage system. A file policy determines how the storage system handles requests from individual client systems for operations such as open, rename, create, and delete. The storage system maintains a set of properties for a file policy, including, for example, the policy name and whether that file policy is active. You can set these properties for a file policy using storage system console commands. File screening in Data ONTAP can be enabled in two ways:
• Using third-party file screening software. The file screening software runs on a client that functions as a file screening server. File screening software provides flexible control and filtering of file content.
• Using native file blocking. The file screening software runs natively on the storage system. Native file blocking provides simple denial of restricted file types. Using this method, the Data ONTAP file screening policy is set on the storage system, and specifies the types of files you want to screen.
Note: For optimal performance, it is strongly recommended that the FPolicy server be configured on the same subnet as the storage system.

Job Definition File Format
The job definition file, which is used for providing the Storage-Level Access Guard security descriptors and the paths they apply to, can be in either UTF8 or Unicode file format, representing an entire job with one or more subtasks. The security definition format is defined as follows:
security_type,security_level,propagation_mode,security_target_object_path,security_definition
security_type: 1 = NTFS security
security_level: 0 = file/directory-level security, 1 = storage-level security
propagation_mode: (ignored for storage-level security)

4.1.3 Role-Based Access Control (RBAC)
Role-based access control is a method for managing the set of actions that a user or administrator may perform in a computing environment. For example, only the system administrator should be allowed to add new user accounts to the system. In addition to file access, there are other actions that should be managed for security reasons. From this it becomes clear that the users who access a system fall into at least two categories, or roles: administrators and nonadministrators. Role-based access controls solve this management problem by allowing you to define sets of capabilities (roles) that are not assigned to any particular user. Users are assigned to groups based on their job functions, and each group is granted the set of roles required to perform those functions. The only configuration required for an individual administrator is to make sure that that administrator is a member of the appropriate groups; that administrator will inherit all the correct capabilities because of the group membership and the roles assigned to those groups.
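To see the Storage-Level Access Guard job definition format above in use, an added Python example (not NetApp's fsecurity tool): it parses job lines, then evaluates a file access against both the file's own ACL and the storage-level guard, showing that an administrator who takes ownership and rewrites the file ACL to Everyone:Full still cannot write past the guard. The page does not give the security_definition syntax; the SDDL-like DACL subset, the trustee and rights aliases, the SIDs, the group memberships and the paths are assumptions made for this example, and only the file descriptor (not the separate directory descriptor) is modelled.

```python
"""Added example: parse Storage-Level Access Guard job lines and show the guard
acting as a floor under the object's own ACL (illustrative code for this page)."""
from dataclasses import dataclass

# Assumed SDDL-style aliases; the page does not define the security_definition syntax.
RIGHTS = {"FA": {"read", "write", "delete", "write_dac", "take_owner"},
          "FR": {"read"}, "FW": {"write"}, "SD": {"delete"},
          "WD": {"write_dac"}, "WO": {"take_owner"}}
TRUSTEES = {"BA": "S-1-5-32-544",   # BUILTIN\Administrators
            "SY": "S-1-5-18",       # SYSTEM
            "WD": "S-1-1-0",        # Everyone
            "AU": "S-1-5-11"}       # Authenticated Users


@dataclass
class JobEntry:
    security_type: int       # 1 = NTFS security
    security_level: int      # 0 = file/directory-level, 1 = storage-level (the guard)
    propagation_mode: str    # ignored when security_level == 1
    path: str
    dacl: list               # ordered [(ace_type, trustee_sid, rights), ...]


def parse_dacl(sddl):
    """Turn 'D:(A;;FA;;;BA)(D;;FW;;;WD)' into ordered ACE tuples."""
    if not sddl.startswith("D:"):
        raise ValueError("only a DACL (D:) is modelled")
    aces = []
    for ace in sddl[2:].strip("()").split(")("):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type}")
        aces.append((ace_type, TRUSTEES.get(trustee, trustee), RIGHTS[rights]))
    return aces


def parse_job_line(line):
    """Parse one job line; reject values the format does not define."""
    fields = line.rstrip("\r\n").split(",", 4)
    if len(fields) != 5:
        raise ValueError("expected 5 comma-separated fields")
    stype, level, prop, path, definition = fields
    if int(stype) != 1:
        raise ValueError("security_type must be 1 (NTFS)")
    if int(level) not in (0, 1):
        raise ValueError("security_level must be 0 or 1")
    return JobEntry(int(stype), int(level), prop.strip('"'), path, parse_dacl(definition))


def dacl_allows(dacl, principal_sids, wanted):
    """Windows-style evaluation: walk ACEs in order, the first ACE naming a right for
    one of the caller's SIDs decides that right; every wanted right must be allowed."""
    decided = {}
    for ace_type, sid, rights in dacl:
        if sid not in principal_sids:
            continue
        for right in rights & wanted:
            decided.setdefault(right, ace_type == "A")
    return all(decided.get(right, False) for right in wanted)


def effective_access(file_dacl, job_entries, path, principal_sids, wanted):
    """The guard is a floor: access must pass the object's own ACL and every
    storage-level (level 1) entry whose target contains the object."""
    if not dacl_allows(file_dacl, principal_sids, wanted):
        return False
    for entry in job_entries:
        if entry.security_level == 1 and path.startswith(entry.path.rstrip("/") + "/"):
            if not dacl_allows(entry.dacl, principal_sids, wanted):
                return False
    return True


def demo():
    # Constructed job line: the guard on the finance qtree gives a writers group full
    # control and everyone else read only; nobody else, administrators included, may write.
    writers = "S-1-5-21-1-2-3-1107"
    guard = [parse_job_line(f'1,1,"",/vol/DATA/finance,D:(A;;FA;;;{writers})(A;;FR;;;WD)')]
    admin = {TRUSTEES["BA"], TRUSTEES["WD"], TRUSTEES["AU"], "S-1-5-21-1-2-3-500"}
    writer = {writers, TRUSTEES["WD"], TRUSTEES["AU"]}
    rewritten = parse_dacl("D:(A;;FA;;;WD)")        # admin took ownership, set Everyone:Full
    f = "/vol/DATA/finance/q3.xls"
    return {
        "guard_level": guard[0].security_level,
        "admin_write_acl_only": dacl_allows(rewritten, admin, {"write"}),
        "admin_write_with_guard": effective_access(rewritten, guard, f, admin, {"write"}),
        "admin_read_with_guard": effective_access(rewritten, guard, f, admin, {"read"}),
        "writer_write_with_guard": effective_access(rewritten, guard, f, writer, {"write"}),
        "admin_write_outside_scope": effective_access(rewritten, guard, "/vol/DATA/public/a.txt", admin, {"write"}),
    }


if __name__ == "__main__":
    print(demo())
```

The outside-scope case is the reminder that the guard covers only the qtree or volume named in the job line; data that must be protected has to live under a guarded object.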
it is strongly recommended that the FPolicy server be configured on the same subnet as the storage system.1. Using this method. including. 4. These are the groups you use to grant permissions to resources. Putting It All Together Users are members of groups. For example. naming a group MrktInfo if the people in it are given access to marketing information).In Data ONTAP 7G. and each role grants a set of capabilities. For instance. cli-cmd* gives the specified role the capability to execute all commands associated with the CLI command cmd. you can use the useradmin role add or useradmin role modify commands to define and modify the capabilities of roles that can be assigned to a group. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually.com . They also remove the complexity of giving the same set of privileges again and again to new users when they are inducted into a specific set of rules. It’s also recommended that you give each group a name that describes the group’s function or purpose (for example.2 MANAGING CIFS SECURITY WITH GROUPS (LOCAL AND GLOBAL) Groups are used to organize individual user or computer accounts. Mainly they are used for security purposes. grant the group appropriate permissions to the share. Because users and domain users must be members of groups. if you want to grant users permissions to a network share. and finally create users and domain users. then create groups and assign roles to them. users are added or modified with the useradmin user add or useradmin user modify commands. For example: FAS1> useradmin role add myrole -a cli-vol* This would give a group with the role “myrole” access to all commands in the VOL subset. Note: Users with CLI capability also require at least one login capability to execute CLI commands. Best practices dictate that most of your security administration should be done using groups. 
The groups we are mainly interested in are the “security” groups. The “cli” option grants the specified role the ability to execute one or more Data ONTAP command line interface (CLI) commands. and because groups must be assigned one or more roles. groups have one or more roles. Windows 2000 Server and above provide the following three domain security group types: • • • Domain local groups Global groups Universal groups Page 39 of 187 CIFS – demo. you would create a group. providing them with appropriate group membership.NetApp. and then add the users (or other groups) as members of that group. All configuration for role-based access controls occurs using the useradmin command provided by Data ONTAP. • • cli-* grants the specified role the capability to execute all supported CLI commands. the best sequence for configuration tasks is to create the roles first. In this way Data ONTAP allows you to create flexible security policies that match your organizational needs. They can include only user and other group accounts in the same domain.2. and global groups from any domain. Assigning resources is done by placing global groups within local groups on Windows NT workstations or standalone servers. especially if there is only one Active Directory domain.000-member limit. Universal groups can contain user accounts. Though it is possible to create universal groups in the Active Page 40 of 187 CIFS – Demo. Global groups cannot contain local groups or other global groups and are not assigned to local resources. The benefit of using global groups is that you can. Domain local groups are useful in a multiple domain where you add a global group to a domain local group so you can access resources in another domain: "parent and child domains. which can simplify administration immensely.1 Domain Local Groups Do not confuse this type of group with regular “built-in local groups” (ones that reside locally on a Windows member server or NetApp storage). 
the members in the group can be from any domain (although this is not used much since domain local groups are not visible outside their own domain).2. They are typically used to grant permission to resources in that domain only. Use domain local groups when you want to grant permissions to resources that exist within a specific domain.4. The effect is a blend of the two that gives you the desired security and an easier administration model.2. Note: Groups created in Active Directory should be global groups most of the time. Global groups are most often used to organize users who share similar network access requirements. only native mode." 4. Universal security groups are not available in mixed mode. They can be used to assign permissions to related resources in multiple domains. assign users to a global group. but more importantly allows you to apply “most restrictive” and “most inclusive” nesting strategies to make administering resources easier.2 Global Groups These groups can grant permissions to objects located in many domains.com . There is no limit to the level of nesting that can be applied. on the domain level. universal groups. backup) will drill down only so far. The appealing thing about global groups is that they can be nested (only if your AD domain is in native mode. An example of this is a situation where all members of an organization need access to the same resource such as employee information. The major difference is universal groups can contain user and group accounts from any trusted domain in the forest.NetApp. It is highly recommended that you implement global groups to contain users in a particular domain. Nesting allows a global group to contain other global groups. an administrator can change the domain user global group (for example. and yet most will need access to office phone numbers and e-mail addresses. Using nested groups in Windows 2000 Server or above alleviates the old 5. 
Simply create two global groups with different access rights and members and then nest them. salary grade). especially for user accounts. For environments with multiple domains you would still employ global groups but include them in universal groups. but tracing permissions can become problematic and some applications (for example. and they are visible to all trusted domains as well. In other words.3 Universal Groups Universal groups are similar to global groups. However. Not all members will have authority to view all employee information (for example. 4. however). These groups can reside only inside a single domain (cannot cross domains) and only on domain controllers. and add the entire group to a local group already on a local computer. when a new hire comes in) without having to reset any permissions on a local workstation or server. Global groups are group accounts at the domain level used to organize domain users. This option will be deprecated in a future release when the NetApp storage will always include the above memberships. However. Page 41 of 187 CIFS – demo. you cannot add local users and groups to a global group.2 Guidelines for Creating Local Groups The following are guidelines for creating local user groups and their limitations compared to global user groups: • • Use local groups on computers that do not belong to a domain (for example.Directory with any domain structure. In later versions of Data ONTAP you will be able to add users with the Microsoft Server Manager Microsoft Management Console snap-in. this makes them very inflexible. Members of a local group can be given access to files and resources. Use local groups to assign permissions to resources residing on the computer (or NetApp storage) on which the local group is created. The default is on.2.universal_nested_groups.2. 
the NetApp storage does not include membership in nested groups or membership in universal groups from other domains in the forest.enable on | off When cifs.4 Built-In (Nondomain) Local Groups These groups are not the same as domain local groups. 4.4. You should not create your own local groups on member servers or the NetApp storage.2. Note: A maximum of 97 users are allowed to be defined per NetApp storage. This option is pertinent to all NFS clients accessing a file or directory with Windows security and does not affect CIFS clients. Instead you should employ global groups because they use fewer resources. 4. affecting all new NFS connections thereafter. Use local groups only on the computer on which they are created. Note: All group memberships are retrieved from Active Directory only when (a) user and NetApp storage are in the same domain tree or (b) user's domain tree has a two-way transitive trust with the NetApp storage's domain tree. members of BUILTIN\Power Users can manipulate shares. This restriction was put in place by Microsoft. For example.com .universal_nested_groups. and global groups to local groups. Membership in certain well-known local groups confers special privileges on the NetApp storage. By default the NetApp storage includes membership in nested groups and membership in universal groups from other domains in the forest. it is generally not required or recommended for single domain structures. Using the following option controls this behavior: FAS1> options cifs. To add local users to the NetApp storage.NetApp. but have no other administrative capabilities. 4. global users. a workgroup).enable is off. It will make future migrations and server consolidations more difficult with transferring the proper security (SIDs) of the local group. it is not necessary to restart the CIFS. 
You can add local users.1 Built-In Local Groups on NetApp Storage You can define a local group on the NetApp storage that consists of users or global groups from any trusted domains. Changes to the option take effect immediately.4. you must use the NetApp storage useradmin command. A local group is a collection of user accounts on a computer. The following definitions apply: user An authenticated person who can be placed into one or more groups. This would give that set of users the right to back up and restore files on the local system regardless of the permissions on the individual files. best practice dictates not creating local groups and just using the defaults. you might want to authorize a user to perform certain actions on a computer. These users can only use their administrative capabilities using the ONTAP API RPC interface and cannot login using any other mechanism. domainuser A nonlocal user who belongs to a Windows domain and is authenticated by the domain. Local groups do not appear in the Active Directory service. This prevents you from centralizing group administration. and so on).user. capability The privilege granted to execute commands or take other specified actions. and you must administer them separately for each computer. Local groups cannot belong to any other group. SnapManager® for Exchange.2. Page 42 of 187 CIFS – Demo. You cannot create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory. do not use local groups on computers or NetApp storage that are part of a domain. For each category of access grantee -. role A collection of capabilities.• • • • • Although local groups are available on member servers and NetApp storage.5 Local NetApp Storage Groups The useradmin command is used to control NetApp storage access privileges. 
With respect to the NetApp storage you can use its local administrator group to add other members of the domain to it for administration purposes or for applications that require nondomain authentication (SnapDrive®. which is the reason you went with a domain structure in the first place. group A collection of users and domain users that can be granted one or more roles. that domain's primary global groups (the users group and the administrators group) are automatically added to the local groups of the computer or NetApp storage that joins the domain. such as backing up files and folders. When a Windows NT workstation or standalone server or NetApp storage becomes a member of a domain. Local users and groups is an important security feature because you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. For instance. Again. You can assign permissions to local groups to access only the resources on the computer on which you create the local groups.privileges can be added or listed.com . This is done by design but is not necessary. This type of user can only be put into groups if CIFS has been set up. You could place a global group of users with backup duties inside the default local “Backup Operators” group on the NetApp storage. 4. group and role -.NetApp. . Specifying a user name displays full information about that user. The -c option specifies a comment about the user.api-snmpget-next Page 43 of 187 CIFS – demo.* * If the setting of the security.group2.. Comments about the user should be no longer than 128 characters and should not contain the character “:” (colon).com .USAGE FAS1> useradmin user add login_name [-c comments] -g group1[. FAS1> useradmin user list [login_name ] [-g group_name ] Useradmin user list displays all nonroot users if no user name is provided. The -g requirement for add specifies which groups contain this user.* It must contain at least one digit. a space. / : .group2. 
“user add” and “user modify” are used to add and modify administrative users. The -g requirement for add specifies which groups contain this user. For modify, this option completely replaces this user's current groups with the new ones; this command changes all group membership. A user inherits all the privileges of the groups he is in.

When you add a user, you will be prompted to create the user's password and then verify it. A password is case-sensitive and defaults with the following restrictions:
• It must be at least 8 characters long (default, but can be changed).*
• It must contain at least two alphabetic characters.*
• It must contain at least one digit.*
* If the setting of the security.passwd.rules.enable option is off, then the restrictions will not be enforced.

The user name can be up to 32 characters long. The user name can contain any alphanumeric character, a space, or a punctuation character that is not one of: " * + , / : ; < = > ? [ ]

Comments about the user should be no longer than 128 characters and should not contain the character “:” (colon).

The -g groupname option displays all of the users in a particular group. The user entries will each be printed in list format as follows:

Name: Barney
Info: This is a comment for Barney Rubble
Groups: audit

A single user extended format will be printed as follows:

Name: Barney
Info: This is a comment for Barney Rubble
Groups: audit
Full Name:
Rid: 131343
Allowed Capabilities: login-http-admin,api-snmp-get,api-snmp-get-next

The Info field is the comment (or the Windows NT user description), if any, entered for the user. The Groups field displays all of the groups this user is associated with. The Rid is a unique integer associated with each user. This value is generated automatically by Data ONTAP when the user record is created. The Allowed Capabilities field indicates this user's privileges. Here, "fred" can log in using http and call the API functions snmp-get and snmp-get-next. If a capability is Allowed, then the user can only use this capability.

Capabilities
There are four categories of capabilities: login-*, cli-*, api-*, and security-*.

The login-* category includes logging in using login-telnet, login-console, login-rsh, login-ssh, and login-http-admin.

The cli-* category includes all of the commands that can be run after a user is logged in with telnet, rsh, console, or ssh. The format for this is cli-<command>*. (cli-<command> just means the command and NO subcommands.) The capability for a specific command, like exportfs, would have the following syntax:

cli-exportfs*

This means allow command line accesses to the exportfs command and all of its subcommands.

The api-* type includes all of the Data ONTAP API calls. The format for this is api-<ontap-api-command>, which means allow a specific command/subcommand, like api-system-get-info, or a command and its subcommands, like api-system-get-*, or even api-system-*. These commands are only available using login-http-admin, so in general, any api-* command must also include this login.

The security-* type currently only has a couple of elements:
• security-passwd-change-others, which is used specifically to control if a user can change another user's password without knowing their previous password. By default, only root and members of the Administrators group have this capability.
• security-priv-advanced, which is necessary to run advanced commands that are not used for normal administration. Please talk to a NetApp representative before using advanced commands. By default, only root and members of the Administrators group have this capability.
• security-load-lclgroups, which is necessary to run the useradmin domainuser load command. By default, only root and members of the Administrators group have this capability.

The “*” character is used similar to a wildcard, with a couple of restrictions:
• It must be used at the end of the capability.
• It must be used alone or in conjunction with one of the categories, like cli-*, which means allow all the commands and subcommands.
• If used with cli-, it must be used with the full name of the CLI command. In this case, cli-export* might look valid but is NOT allowed.
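The following is an added example written for this section; it is not Data ONTAP code. It models the useradmin rules stated above so that a reviewer can check a proposed role definition before applying it: users inherit the union of their groups' roles' capabilities, the wildcard is valid only at the end and only after a full CLI command name (so cli-exportfs* is accepted and cli-export* is rejected), a cli- capability is useless without a matching login- capability, api- calls are reachable only through login-http-admin, and the default password rules require 8 characters, two alphabetic characters and one digit. KNOWN_CLI_COMMANDS and the user "fred" are constructed sample data.

```python
"""Model of Data ONTAP 7G useradmin capability rules (illustrative, not NetApp code)."""
from dataclasses import dataclass, field

CATEGORIES = ("login-", "cli-", "api-", "security-")
# Constructed stand-in for the real table of supported CLI commands.
KNOWN_CLI_COMMANDS = {"vol", "exportfs", "cifs", "useradmin", "options"}


def validate_capability(cap: str) -> bool:
    """True if `cap` follows the wildcard rules: '*' alone, or at the end, after a full command name."""
    if cap == "*":
        return True
    if not cap.startswith(CATEGORIES):
        return False
    body = cap.split("-", 1)[1]
    if not body or "*" in body[:-1]:
        return False                                   # '*' only at the very end
    if cap.startswith("cli-") and body != "*":
        name = body[:-1] if body.endswith("*") else body
        return name in KNOWN_CLI_COMMANDS              # cli-export* is NOT allowed
    return True


def cli_allowed(cap: str, command: str) -> bool:
    """Does one cli- capability permit the CLI line `command` (for example 'vol status')?"""
    words = command.split()
    if cap in ("*", "cli-*"):
        return True
    if not cap.startswith("cli-"):
        return False
    body = cap[4:]
    if body.endswith("*"):
        return words[0] == body[:-1]                   # command plus all subcommands
    return words == [body]                             # bare command only, no subcommands


def api_allowed(cap: str, api_call: str) -> bool:
    """Does one api- capability permit the ONTAP API call `api_call`?"""
    if cap == "*":
        return True
    if not cap.startswith("api-"):
        return False
    body = cap[4:]
    return api_call.startswith(body[:-1]) if body.endswith("*") else api_call == body


@dataclass
class Role:
    name: str
    capabilities: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)

    def allowed_capabilities(self) -> set:
        """Union of every capability reachable through group membership."""
        return {c for g in self.groups for r in g.roles for c in r.capabilities}


def can_run_cli(user: User, command: str, login_method: str) -> bool:
    """CLI access needs a login-<method> capability AND a matching cli- capability."""
    caps = user.allowed_capabilities()
    if not any(c in ("*", "login-*", "login-" + login_method) for c in caps):
        return False
    return any(cli_allowed(c, command) for c in caps)


def can_call_api(user: User, api_call: str) -> bool:
    """API calls are only available through login-http-admin."""
    caps = user.allowed_capabilities()
    if not any(c in ("*", "login-*", "login-http-admin") for c in caps):
        return False
    return any(api_allowed(c, api_call) for c in caps)


def password_meets_rules(pw: str, min_len: int = 8, rules_enabled: bool = True) -> bool:
    """Default rules: >= 8 characters, >= 2 alphabetic, >= 1 digit, unless rules are off."""
    if not rules_enabled:                              # security.passwd.rules.enable off
        return True
    return (len(pw) >= min_len
            and sum(c.isalpha() for c in pw) >= 2
            and any(c.isdigit() for c in pw))


def demo_user() -> User:
    """Constructed user mirroring 'useradmin role add myrole -a cli-vol*' plus an ssh login role."""
    myrole = Role("myrole", {"cli-vol*"})
    ssh_login = Role("ssh-login", {"login-ssh"})
    return User("fred", [Group("storage-ops", [myrole]), Group("shell", [ssh_login])])
```

Running can_run_cli(demo_user(), "vol status", "telnet") returns False even though the role grants cli-vol*, which is the point of the note above: a CLI capability without a login capability grants nothing.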
The Full Name field might exist if the user account was added using tools based on Windows. Otherwise, with the api- category it is possible to list only subcommands.

4.2.6 Multiple Protocol Access
Enhanced Multiprotocol Support
• Better support for UNIX permissions management in mixed security environments.
• Allows user to view and set UNIX permissions from the security tab in Windows Explorer, provided the cifs.preserve_unix_security option is enabled on the NetApp storage.
• Replaces the SecureShare® access tool to manage UNIX permission from Windows side.
• UNIX permissions are mapped to hard-coded SIDs (referred to as Perm SIDs).
• Setting separate umasks for directories and files using dir_umask or file_umask with the command cifs shares -add or cifs shares -change.

4.2.6.1 Effects of Changing an NTFS-Only Storage System to a Multiprotocol System
Although you can change the storage system from NTFS-only to multiprotocol using CIFS setup, you can achieve the same effects more easily by simply setting the wafl.default_security_style option to unix. The following list describes the effects of changing an NTFS-only storage system to a multiprotocol system:
• Existing ACLs remain unchanged.
• The security style of all volumes and qtrees remains unchanged.
• The wafl.default_security_style option is set to unix.
• When you create a volume, its default security is unix.

Note: Because the security style of the root volume remains NTFS after you change the storage system to multiprotocol, you might be denied access to the root volume when you connect from UNIX as root. You can gain access if the ACL for the root volume allows full control for the Windows user that maps to root. You can also gain access by setting the cifs.nfs_root_ignore_acl option to on.

4.2.6.2 Effects of Changing a Multiprotocol Storage System to an NTFS-Only System
The following list describes the effects of changing a multiprotocol storage system to an NTFS-only storage system:
• If ACLs already exist on the storage system root directory (/etc) and on files in the /etc directory, the ACLs remain unchanged. Otherwise, these ACLs are created such that the BUILTIN\Administrators group has full control; any in the /etc/http directory are assigned "Everyone Read." ACLs on other files and directories remain unchanged.
• The security style of all volumes, except read-only volumes, is changed to NTFS. If the /etc directory is a qtree, its security style is changed to NTFS. Security style for all other qtrees remains unchanged.
• The wafl.default_security_style option is set to NTFS.
• When you create a volume or qtree, its default security style is NTFS.

4.2.6.3 Effects of Changing the Storage System's Domain
After you change the storage system's domain, Data ONTAP updates the membership of the BUILTIN\Administrators group to reflect the new domain. This change assures that the new domain's Administrators group can manage the storage system even if the new domain is not a trusted domain of the old domain.

4.2.7 Security Group Recommendations
Microsoft recommends the following procedure for granting permissions across multiple domains:
1. Create a global group in each domain, and add the appropriate users as members.
2. Create a universal group and grant the appropriate permissions.
3. Add the global groups as members of the universal group.

Then these global groups can be (not necessarily) placed or nested in domain local groups to gain access to network resources. Note, however, that if you are going to use domain local groups, you will need to be running a native mode domain in order to place the global group in a domain local group. If you have only a single domain structure, obviously you would simply use global groups (maybe domain local) and not necessarily universal groups. In general, object permissions should be assigned to domain local groups, whereas user and computer accounts should be placed in global groups. One example might be a global group of users that have higher security requirements. You would add this global group to the domain local “Administrators” group. Ordinarily, you will use the built-in defaults and maybe create new ones if your environment requires it. The default ones should satisfy most of your requirements.

4.3 CIFS File Security, and User Mapping
The process of creating a CIFS cred from a UID, or a UNIX cred from a Windows account, always involves checking a user mapping file called /etc/usermap.cfg. It is important to note that it is not always necessary to have any entries in the usermap file. The default actions that take place when creating creds are adequate for many (if not most) situations. The user mapping process allows a lot of flexibility, but it also must be used carefully because it is possible to create confusing scenarios. For reference, here are the steps for creating nonnative creds:

UID to CIFS Cred (NFS Request for File with NTFS-Style Security)
Lookup numeric UID in /etc/passwd or NIS yielding UNAME
Lookup UNAME in /etc/usermap.cfg yielding NTDOMAIN and NTNAME
If NTNAME is null ("") access is denied
If UNAME is not matched in usermap.cfg
    If LDAP usermap option is enabled, try LDAP usermapping
    If LDAP usermap option is NOT enabled or LDAP usermapping failed
        set NTNAME equal to UNAME
Lookup NTNAME in NTDOMAIN yielding NT_SID + GROUP_MEMBERSHIP_SIDs
If NTNAME not found
    set NTNAME to wafl.default_nt_user

Note that in the last lookup step NTDOMAIN might be wildcarded, in which case NTNAME is looked for in all trusted domains (or in the domains listed in the cifs.search_domains).

NTNAME to UNIX Cred (Performed Whenever CIFS Clients Log In)
Lookup NTDOMAIN+NTNAME in usermap.cfg yielding UNAME
If UNAME is null ("") access is denied
If NTDOMAIN+NTNAME is not matched in usermap.cfg
    set UNAME to lowercased NTNAME
Lookup UNAME in UNIX password database yielding UID + GROUP_IDs
If UNAME not found
    If LDAP usermap option is enabled, try LDAP usermapping
    If LDAP usermap option is NOT enabled or LDAP usermapping failed
        set UID to wafl.default_unix_user
If wafl.nt_priv_map_to_root option is set AND NT_GROUPS includes BUILTIN\Administrator
    set UID to 0 (root)

As can be seen, the default actions are adequate in many situations. However, there are situations where it is useful to be able to customize the mapping process with entries in the usermap.cfg file. Examples of this are where the user names are not the same in both client types, or where the default domain mapping is not adequate, or where access must be controlled based on the client's IP address.

Basic Usage
The usermap file consists of a series of entries that specify a pattern to match and a replacement to use when a match is found. The pattern matches are done in the order they appear in the file. Entries in the usermap.cfg file are one per line with this basic syntax:

NT_account direction UNIX_account

The "NT_account" is the name of a Windows NT domain account. "direction" is either:
"==" meaning bidirectional mapping
"<=" meaning mapping from UNIX to Windows NT only
"=>" meaning mapping from Windows NT to UNIX only
or blank, which is the same as "=="
"UNIX_account" is the name of an entry found in the UNIX password database. "*" can be used to indicate wildcard entries.

Here are some simple example entries:

# Sample usermap.cfg entries
"Bob Garj" == bobg   # NTNAME not same as UNAME
mktg\Roy => nobody   # allow mktg\Roy to login, but no unix privs
                     # assuming unix user 'nobody' exists but has no privs
engr\Tom => ""       # disallow NT login by engr\Tom
uguest <= *          # all unix names not yet matched map to NT user 'uguest'
*\root => ""         # disallow NT logins using the name 'root'
                     # from all domains

These examples show several different ways the usermap.cfg file can be used to customize the mapping process, including restricting access based on client's IP address. Note that it is possible to set up maps that result in confusing, but technically correct, behavior. To avoid that, you should try to follow these guidelines:
• Keep user names identical for both clients whenever possible. That avoids having to create individual entries in the map file.
• Avoid maps that send a name round-trip to a different name. For example, mapping Windows NT user "Tom S" to UNIX user "tjs" and UNIX user "tjs" to Windows NT user "bill" will confuse everyone mightily. Avoid such maps.
• It is usually inadvisable to use IP qualifiers to map users differently. For example, if UNIX user "tjs" from UHOST1 maps to Windows NT user "Tom S" but "tjs" coming from UHOST2 maps to Windows NT user "Smith" things can get very confusing. Stick with using IP qualifiers to restrict access only.

For a full description of all the details of setting up the /etc/usermap.cfg file.

Page 47 of 187 CIFS – demo.NetApp.com

4.3.1 Antivirus Management
CIFS virus protection is a Data ONTAP feature that allows a virus-scanning computer running compliant antivirus applications to provide on-access virus scanning of files on a storage system. On-access virus scanning means that a file is scanned before a CIFS client is allowed to open it. Whenever a file of any of the types that you specify is opened or changed on the storage system, Data ONTAP sends the Windows client a request to scan the file. The Data ONTAP virus-scanning process can scan multiple storage systems from a single Windows client. NetApp has partnered with Symantec, Trend Micro, Sophos, McAfee, and Computer Associates to deliver integrated antivirus solutions. The NetApp antivirus solution uses an authenticated CIFS connection and RPCs to communicate with the antivirus scanning servers. AV Compatibility Matrix on the NOW site: http://now.netapp.com/NOW/knowledge/docs/olio/guides/avmatrix.shtml

Note: From Data ONTAP 7.2 onward, Trend Micro 5.62 and above uses async scanning. CIFS provides a secure,
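The lookup steps and the entry syntax above are enough to implement the mapping and check what a given usermap.cfg actually does before it is deployed. The following is an added example written for this section, not NetApp's implementation: it parses entries of the form NT_account direction UNIX_account, applies them in file order (first match wins), treats "" as deny and "*" as a whole-domain or whole-name wildcard, and then follows the fallback steps (lowercased NTNAME, wafl.default_unix_user, wafl.default_nt_user, wafl.nt_priv_map_to_root). Assumptions: the LDAP usermapping step is left out, Windows names are compared case-insensitively, IP qualifiers are not supported, and PASSWD and DOMAINS are constructed sample data standing in for the UNIX password database and the domain directory.

```python
# Illustrative model of /etc/usermap.cfg processing (added example, not NetApp code).
SAMPLE_USERMAP = r'''# Sample usermap.cfg entries (taken from the text above)
"Bob Garj" == bobg      # NTNAME not same as UNAME
mktg\Roy => nobody      # allow mktg\Roy to login, but no unix privs
engr\Tom => ""          # disallow NT login by engr\Tom
uguest <= *             # all unix names not yet matched map to NT user 'uguest'
*\root => ""            # disallow NT logins using the name 'root' from all domains
'''
# Constructed UNIX password database: uname -> (uid, group ids)
PASSWD = {"bobg": (1001, [100]), "tjs": (1002, [100, 200]),
          "nobody": (65534, [65534]), "pcuser": (65533, [65533])}
# Constructed domain directory: (domain, lowercased name) -> (sid, group names)
DOMAINS = {("mktg", "bob garj"): ("S-1-5-21-1-1001", []),
           ("mktg", "roy"): ("S-1-5-21-1-1002", []),
           ("mktg", "uguest"): ("S-1-5-21-1-1003", []),
           ("engr", "alice"): ("S-1-5-21-2-1004", ["BUILTIN\\Administrators"])}


def _tokens(line):
    """Split one usermap line into tokens, honouring "quoted names" and # comments."""
    toks, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "#":
            break
        if c.isspace():
            i += 1
        elif c == '"':
            j = line.index('"', i + 1)
            toks.append(line[i + 1:j])          # may be the empty string "" (deny)
            i = j + 1
        else:
            j = i
            while j < len(line) and not line[j].isspace():
                j += 1
            toks.append(line[i:j])
            i = j
    return toks


def parse_usermap(text):
    """Return [(nt_domain, nt_name, direction, unix_account)] in file order."""
    entries = []
    for raw in text.splitlines():
        toks = _tokens(raw)
        if not toks:
            continue
        if len(toks) == 2:                       # blank direction means "=="
            nt, direction, unix = toks[0], "==", toks[1]
        elif len(toks) == 3 and toks[1] in ("==", "<=", "=>"):
            nt, direction, unix = toks
        else:
            raise ValueError("bad usermap entry: %r" % raw)
        domain, _, name = nt.rpartition("\\")    # no domain given: any domain
        entries.append((domain or "*", name, direction, unix))
    return entries


def _match(pattern, value):
    return pattern == "*" or pattern.lower() == value.lower()


def nt_to_unix_name(entries, domain, name):
    """NTDOMAIN+NTNAME -> UNAME; None means access denied."""
    for pd, pn, direction, unix in entries:
        if direction in ("==", "=>") and _match(pd, domain) and _match(pn, name):
            return None if unix == "" else unix
    return name.lower()                          # unmatched: lowercased NTNAME


def unix_to_nt_name(entries, uname):
    """UNAME -> (NTDOMAIN, NTNAME); None means access denied."""
    for pd, pn, direction, unix in entries:
        if direction in ("==", "<=") and (unix == "*" or unix == uname):
            return None if pn == "" else (pd, pn)
    return ("*", uname)                          # unmatched: NTNAME equal to UNAME


def _domain_lookup(domain, name):
    for (d, n), (sid, groups) in DOMAINS.items():   # '*' searches all trusted domains
        if _match(domain, d) and n == name.lower():
            return {"domain": d, "name": n, "sid": sid, "groups": groups}
    return None


def unix_cred_for_nt(entries, domain, name, nt_groups=(), default_unix_user="pcuser",
                     nt_priv_map_to_root=False):
    """CIFS login: build the UNIX cred for an NT account (None = access denied)."""
    uname = nt_to_unix_name(entries, domain, name)
    if uname is None:
        return None
    uid, gids = PASSWD.get(uname) or PASSWD.get(default_unix_user) or (None, None)
    if uid is None:
        return None                              # wafl.default_unix_user not usable either
    if nt_priv_map_to_root and "BUILTIN\\Administrators" in nt_groups:
        uid = 0                                  # wafl.nt_priv_map_to_root
    return {"uname": uname, "uid": uid, "gids": gids}


def nt_cred_for_uid(entries, uid, default_nt_user=""):
    """NFS request on an NTFS-style file: build the NT cred for a UID (None = denied)."""
    uname = next((n for n, (u, _) in PASSWD.items() if u == uid), None)
    if uname is None:
        return None
    target = unix_to_nt_name(entries, uname)
    if target is None:
        return None
    hit = _domain_lookup(*target)
    if hit is None and default_nt_user:
        hit = _domain_lookup("*", default_nt_user)   # wafl.default_nt_user
    return hit
```

Because entries are tried in file order, moving "uguest <= *" above the "Bob Garj" line would silently change what bobg maps to; running the sample map through this model is the quickest way to see that kind of ordering mistake before it reaches the storage system.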
authenticated connection and supports byte-range reads. The ability to perform byte-range reads streamlines the scanning process, resulting in quicker file access. The virus-scanning application watches for requests from the storage system. With async scanning, this means the file is committed to the client before the vscan request is over.

4.3.2 Auditing
Event Log and Audit policy settings are applied differently to storage systems than to Windows systems because the underlying logging and auditing technologies are different. Event Log and Audit GPOs are applied to storage systems by mapping and setting corresponding Data ONTAP options. The effect of mapping these options is similar but not identical to Event Log and Audit Policy settings. For more information, see Event Log and Audit Policy Mapping in the Data ONTAP administration manual.

Event auditing is turned off by default. To identify events for auditing, you must enable individual options and enable auditing. The cifs audit save command saves the audit records stored internally by CIFS to a Windows NT OS–formatted file readable by the Windows NT Event Viewer application. The name of the file to which records are saved is specified by the cifs.audit.saveas option. If the file exists, it will not be overwritten unless the -f option is specified to force the save.

NetApp integrates with third-party products for auditing support including Symantec™, NIE, and Varonis. For detailed information, refer to Section 3 and Section 4 of the Auditing Quick Start Guide at http://media.netapp.com/documents/tr-3595.pdf.

Audit/Logging Enhancements in Data ONTAP 7.1 and Above
• Full Support for NFS Audit
• Conversion of evt to txt format
  o EvtToText utility produces text-format output
  o Collapses some events into higher-level events (for example, runs of “read”)
  o Versions based on Windows executable and Linux available
• Streamlined the audit captures, giving auditing precedence over performance in order to capture accurate information.
• Added more Windows event IDs: 517, 560, 563, 567, 612, 624, 630, 635, 637, 638.
• Added account management event auditing for NetApp storage local group and users.

CIFS Auditing
CIFS must be licensed and enabled on the storage system before enabling CIFS auditing. The following types of events are logged and displayed when auditing is enabled:
• Network logon
• Unsuccessful network logon
• Network logoff
• Windows file access
• UNIX file access
• Unsuccessful file access
• Lost record event
• Clear audit log event

NFS Auditing
NFS auditing refers to auditing access events for files and directories only from UNIX clients that access data on the storage system using the NFS protocol. CIFS must be licensed and enabled on the storage system before enabling NFS auditing.

Live View: Real-Time Display of Event Log File
In Data ONTAP 7, a new feature called Live View was added to CIFS auditing. This feature allows the user to use the Microsoft Event Viewer (a Microsoft Management Console snap-in) and connect to a storage system to retrieve the security audit records in real time. When the Live View feature is enabled, the EVT event log file is automatically saved and refreshed every minute, providing a continuous up-to-date view in Event Viewer of the 5,000 most recent audit events. The Live View feature also manages the log file, providing automatic backup to prevent newer events from overwriting older ones. The name of the audit log .evt file now reflects the timestamp of the first record in the file. This allows administrators to quickly locate the .evt file that covers a time period of interest.

If you do not enable Live View, you must manage the EVT event log yourself, either manually or by setting up automatic saving. Therefore Event Viewer can display only the most recently saved version of the log file contents, depending on how you manage the file.

Note: To use the Live View feature, your Windows client must be Windows 2000 or later. For more information on configuring Live View, see Configuring Live View in the Administration guide.

4.3.3 Access-Based Enumeration
Data ONTAP 7.2 and later releases provide storage system support for Access Based Enumeration, a shared resource security feature introduced in Microsoft Windows Server 2003 Service Pack 1. Access-Based Enumeration extends share properties to include the enumeration of shared resources. Conventional share properties allow you to specify which users (individually or in groups) have permission to view or modify shared resources. However, they do not allow you to control whether shared folders or files are visible to users who do not have permission to access them. This could pose problems if the names of shared folders or files describe sensitive information,
users who do not have permission to access a shared folder or file underneath it. 4. This allows administrators to quickly locate the . If you do not enable Live View.2. such as the names of customers or new products under development. 638. Note: This feature required NetApp CIFS to be joined to an Active Directory domain running Windows 2003 SP1 or higher. They also do not see that shared resource displayed in their environment.o o • • Collapses some events into higher-level events (for example. 4. Client access to a secure storage system is vitally important. NetApp strongly recommends that you use secure administration methods for Data ONTAP and that you disable any unsecure administrative protocols.4. Many of these options allow compliance with corporate security policies.4 BEST PRACTICES 4. FPolicy implementation requires a server with file screening software that is supported by Data ONTAP.3.4. • The following limitations apply to FPolicy: • Policies are applied to NFS and CIFS files only. policies will not be applied to files accessed by clients using other protocols.4 Secure Configuration of Data ONTAP Before designing or installing a NetApp storage system. Page 51 of 187 CIFS – demo. This is even more important when the storage system is being put into an existing network environment that was not designed with a storage system in mind.com/partners. you must also have NFS licensed and running. from physical cabling to protocols to current policies.1 Using FPolicy • FPolicy requires CIFS to be licensed and running. You can check for client file screening software on the NetApp Partners Web page at www.netapp. you should perform a complete network assessment. A good network assessment looks at all parts of the proposed storage system. The goal of the assessment is to provide detailed documentation to the design phase of the storage system. If you are using third-party screening software. 
These licenses are required regardless of whether you are using thirdparty screening software or native file blocking. • • • • Interfaces Serves and data Protocols Existing access Secure Storage Design • • • • • Physical access Management access Logical design Protocol considerations Client access Data ONTAP has many security-related options that should be properly set in a secure storage environment.NetApp. File screening server.com . To apply file policies to NFS files. NetApp recommends the use of secure authentication and authorization in addition to the various protocol-dependent methods of secure data transfer. even in NFS-exclusive environments. Data ONTAP checks its file screening policies before permitting the operation.NetApp. Native File Blocking. The enforcement is based solely on the file extension. You can delete a file policy using the fpolicy destroy command. Using CLI. Names for screening policies and policy types can have up to 80 characters. you can display or change the list of included and excluded file extensions. Page 52 of 187 CIFS – Demo. you can display or change the list of included and excluded volumes for screening. From the command line. You can use the fpolicy options command to require files to be screened before they can be accessed.com . File Screening Overview • • • • • • • • File screening operations are set on a specified volume using the “fpolicy vol” command. You can disable a specific file policy using the fpolicy disable command. Works for vFiler storage as well. Simple denial of restricted file types defined by the policies created on the NetApp storage. You can display information for a specific file policy or all file policies by entering the appropriate command. write. • • • • • • • • You can enable or disable file screening by setting the fpolicy. You use file screening policies to specify files or directories with restrictions to be placed on them. 
• You can create and use up to 20 file screening policies at one time.
• You can create a file policy using the fpolicy create command, and you can enable a specific file policy using the fpolicy enable command.
• You can enable the file policy with Data ONTAP default lists, or you can specify lists of file extensions to include or exclude, respectively.
• Upon receiving a file operation request (such as open, write, create, or rename), Data ONTAP checks its file screening policies before permitting the operation.

Native File Blocking
• File screening software runs natively on the NetApp storage.
• The “fpolicy monitor” command is used for setting the list of monitored operations for native file blocking.

Screening by File Extension
The file policy specifies which files to screen using a list of file extensions to include for screening or to exclude from screening.

Screening by Volume
The file policy can optionally specify a list of volumes on the storage system in which screening will take place or which will be excluded from screening. From the command line, you can display or change the list of included and excluded volumes.

Managing File Screening Servers
You can manage file screening servers by displaying file screening server status, designating secondary file screening servers, disabling the connection to a file screening server, and enabling native file blocking.

4.4.2 Antivirus Scanning Best Practices
1. Dedicate the AV scanner server for antivirus scanning and do not use this server for other jobs such as backup.
2. Avoid large AV scanning farms with too many NetApp storage systems served by too many AV scanner servers. Instead, choose a “Pod design.”
3. Connect the AV scanner server to the NetApp storage over the IP address and not the NetApp storage NetBIOS name.
4. Antivirus scanners typically do not require high-end servers. As a rule of thumb, 2GB of RAM and a fast NIC with a 3 GHz Xeon dual processor should work fine. Refer to page 5 of the Antivirus sizing Internal TR-3617i for further details.

4.4.3 Cross-Protocol File Access (CIFS and NFS)
The CIFS security style can be set at a volume or qtree level. (A qtree is simply a designated subtree within a NetApp storage volume or flexible volume.) The security style determines what permissions are applied to files and directories in that qtree. Most administrators will choose to designate specific sections of the NetApp storage volume as an NTFS qtree, a UNIX qtree, or a mixed qtree. Placing similar types of data in separate qtrees, volumes, or flexible volumes will make security configuration simpler. It should be noted that the default security type set on a new volume or qtree is UNIX by default. The default security style on newly created volumes can be changed by setting the following NetApp storage option:

FAS1> options wafl.default_security_style unix

• The NTFS security style is based on ACLs. To a Windows client, this security model behaves exactly like an NTFS file system on a Windows NT file server and is more natural for Windows users.
• The UNIX security style is based on UNIX permissions. To an NFS client, this security model behaves exactly like a UNIX NFS server and is more natural for UNIX users.
• The mixed security style is determined on a file-by-file basis (not qtree). Files created by Windows users get Windows NT ACLs, and files created by UNIX users get UNIX permissions. For any given file or directory, one (and only one) security style is in effect at a time. A file's security style may be changed from one style to another by NFS set attribute (i.e., chown, chmod) or Windows NT set ACL (i.e., Security tab in Explorer) requests, assuming that the requestor has the appropriate permissions. This style is ideal for users who actively use both Windows and UNIX and want access to both styles of security. In this way each client type sees a native view of security for their files.

Which Security Type Should I Select?
The first thing to realize is that, regardless of which security style you choose, both UNIX and Windows clients will have access to the same data. This is a large point of confusion, since most administrators incorrectly assume that “mixed security” must be chosen to allow both UNIX and Windows clients access to data. The security style is the security scheme in effect for a file or directory. It really boils down to who can apply security to a file, not who can access a file (which the permissions on the file control). System administrators should determine the dominant security style for a given qtree (or volume) using the following scenarios:
1. If a qtree (or volume) will be predominantly accessed by Windows clients, select the NTFS security style. UNIX clients will still have access to this qtree/volume using the user mapping process for UNIX to Windows NT.
2. If a qtree (or volume) will be predominantly accessed by NFS clients, select the UNIX security style. Windows clients will still have access to this qtree/volume using the user mapping process for Windows NT to UNIX.
3. If a volume or qtree is to be accessed by both NFS and Windows clients and each of the clients needs full control over file access security, select the mixed style.

In many cases there is no need to support access to the same files from both clients, and in such cases it is not necessary to worry about multiprotocol issues. This can be accomplished on a single NetApp storage by creating separate volumes or qtrees with UNIX or NTFS qtree types, then exporting or sharing those directories to their respective clients.

CIFS Auditing
When you turn on auditing for NetApp storage, a performance hit will occur, as you are turning on an extra feature. Essentially auditing has two distinct sections. One section covers checking the file SACL every time an operation is performed on that file; this section basically determines whether the action on that file performed by a certain user should be audited. If the check finds that this access should be audited, then an entry is placed in the queue. All this is done in WAFL. The second section is the ALF section, which is a daemon that basically collects all the data from the audit queue, adds some extra info, and stores it. The performance impact will be relative to the number/type of events being monitored; therefore turn on only the events you wish to audit rather than every event.

4.4.5 Converting Qtree Security Styles
The security model for any qtree (or volume) can be changed using the qtree command. The syntax is:

qtree security qtree [unix|ntfs|mixed]

When a UNIX qtree is converted to an NTFS qtree, shares are advertised as NTFS instead of FAT. The files themselves are not converted to Windows NT style files, so they still retain their UNIX permissions. Thus Windows NT requests will still be handled as nonnative requests. The owner(s) of these files can now set ACLs on them, converting the files to Windows NT style. A Windows utility such as cacls.exe (Windows 2000 Resource Kit) can do this automatically by allowing ACL editing from within a Windows command shell. This can be useful for scripting large-scale security changes.

If an NTFS or mixed qtree is changed to UNIX, shares are advertised as FAT instead of NTFS, and any Windows NT ACLs in the qtree are simply ignored. The ACLs are not actually deleted, so if the qtree is converted back to NTFS, the ACLs will still be present. The permissions used will revert to a minimally permissive set, such that the allowed permissions will be at least as strict as the ACL. When an NTFS qtree is converted to a UNIX qtree, these files can now have UNIX permissions set on them, converting the files to UNIX-style files. This can be done using the chown command as root to change the existing owner and the chmod command to set UNIX security attributes (rwx) on the file. By virtue of running a chown or chmod on a file, any existing Windows NT ACL on that file is deleted. It might be easier to write a script that runs as root and chowns and chmods each file. Changing the qtree type should not be undertaken lightly, since it has the potential to allow inadvertent changes to the underlying security.

4.4.6 NetApp Operations Manager: Report on Security, Performance, and Trends
NetApp Operations Manager (formerly DataFabric® Manager) delivers comprehensive monitoring and management for NetApp storage. From a central point of control, Operations Manager provides alerts, reports, and configuration tools to keep your storage infrastructure in line with business requirements, for maximum availability and reduced total cost of ownership (TCO). It enables management of multiple systems from a single console, helping reduce manual effort, complexity, and costs.

Operations Manager overview:
• Operations Manager automatically discovers and monitors NetApp storage infrastructure.
• Operations Manager generates infrastructure reports in relation to capacity utilization, data characterization, trending, and storage utilization reports.
• Detailed asset management reports provide information for improved resource and capacity utilization.
• Storage chargeback based on either allocated or used capacity; performance management according to line of business.
• Automated configuration management reduces manual effort and assures adherence to corporate standards.
• Centralized asset management. Also provides detailed performance monitoring.

4.4.7 Access-Based Enumeration Limitations
ABE is built into Windows Vista and 2008 Server platforms, is enabled by default, and needs absolutely no configuration on those platforms: a folder shared on a Vista machine will only show its contents to users who have permissions to access items within it.
• Users who are administrators will be able to see every file and folder in a share even with ABE enabled, and even when they have a Deny ACE on these items.
• ABE does not apply to users who can log on interactively to the server, regardless of whether they are administrators or not. This means ABE isn't really suitable for Terminal Services environments.

4.5 DEMO

4.5.1 File Screening with FPolicy

File Screening: Enabling Native File Blocking

HANDS-ON EXERCISE: File Screening
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute FPBLOCK.BAT. Then, proceed to step #4.

You can enable file screening to use native file blocking.

1. Create a file policy. Example: To create a policy to prevent CIFS users from placing MP3 files on the storage system, enter the following commands:
FAS1> fpolicy create mp3blocker screen
FAS1> fpolicy ext inc set mp3blocker mp3
FAS1> fpolicy options mp3blocker required on

2. Set the operations and protocols monitored by the policy using the fpolicy monitor command. Example: Specify the create option to prevent creation of MP3 files. In addition, to make sure that an MP3 file is not copied onto the storage system with a different extension and renamed, also specify the rename option. Enter the following command:
FAS1> fpolicy monitor set mp3blocker -p cifs,nfs -f create,rename

3. Enable the profile. Make sure that the new policy is enabled; -f forces it because there are no screening servers:
FAS1> fpolicy enable mp3blocker -f

When a user tries to create or rename a file with an MP3 extension, the operation fails. They might see a message indicating that the operation cannot be completed or that access is denied.

4. Try to copy the MP3 files onto the share:
SERVER> net use T: \\FAS1\DATA
SERVER> Copy C:\CIFSDEMO\MP3\*.* T:\
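To make the native file blocking decision concrete, the following Python model is an added illustration (not NetApp code; the class, function and sample file names are constructed here) of a policy like mp3blocker: an include/exclude extension list, the monitored protocols and operations, and the "required" flag. It shows why step 2 monitors rename as well as create: a file created as song.tmp and then renamed to song.mp3 is only caught when rename is monitored.

```python
"""Model of Data ONTAP native file blocking (FPolicy) decisions.

Added illustration, not NetApp code: a policy is a name, an include/exclude
extension list, the monitored operations and protocols, and a 'required' flag
(screen before access is permitted). Enforcement is by file extension only.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def extension_of(path: str) -> str:
    """Return the lower-cased extension of the final path component ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class FilePolicy:
    """One screening policy, mirroring the fpolicy create/ext/monitor/options commands."""
    name: str
    include: Set[str] = field(default_factory=set)     # fpolicy ext inc set <policy> <ext>
    exclude: Set[str] = field(default_factory=set)     # fpolicy ext exc set <policy> <ext>
    protocols: Set[str] = field(default_factory=set)   # fpolicy monitor set <policy> -p ...
    operations: Set[str] = field(default_factory=set)  # fpolicy monitor set <policy> -f ...
    required: bool = False                             # fpolicy options <policy> required on
    enabled: bool = False                              # fpolicy enable <policy> -f

    def screens(self, ext: str) -> bool:
        """Extension matching: an exclusion wins, then the include list applies."""
        if ext in self.exclude:
            return False
        return ext in self.include or "*" in self.include


def decide(policies, protocol: str, operation: str, path: str,
           new_path: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one file operation request.

    Native file blocking has no screening server, so a screened file is simply
    denied when the policy is marked 'required'. For a rename the *target*
    name is what matters: that is how 'song.tmp' -> 'song.mp3' is caught.
    """
    checked = new_path if operation == "rename" and new_path else path
    ext = extension_of(checked)
    for p in policies:
        if not p.enabled or protocol not in p.protocols or operation not in p.operations:
            continue
        if p.screens(ext):
            if p.required:
                return False, f"denied by policy {p.name} ({operation} of .{ext} over {protocol})"
            return True, f"policy {p.name} would screen .{ext} but is not required"
    return True, "no policy matched"


# Policy as built in the exercise: extension mp3, required, create+rename on cifs and nfs.
MP3BLOCKER = FilePolicy("mp3blocker", include={"mp3"}, protocols={"cifs", "nfs"},
                        operations={"create", "rename"}, required=True, enabled=True)

# Same policy monitoring only 'create': the rename bypass below gets through.
CREATE_ONLY = FilePolicy("mp3blocker", include={"mp3"}, protocols={"cifs", "nfs"},
                         operations={"create"}, required=True, enabled=True)


def demo():
    """Walk a copy/rename sequence (constructed file names) through both policies."""
    results = {}
    for label, pol in (("create+rename", MP3BLOCKER), ("create only", CREATE_ONLY)):
        results[label] = {
            "create song.mp3": decide([pol], "cifs", "create", "T:\\song.mp3")[0],
            "create song.tmp": decide([pol], "cifs", "create", "T:\\song.tmp")[0],
            "rename tmp->mp3": decide([pol], "cifs", "rename", "T:\\song.tmp", "T:\\song.mp3")[0],
            "open song.mp3":   decide([pol], "cifs", "open", "T:\\song.mp3")[0],
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        for op, allowed in outcome.items():
            print(f"  {op:18s} {'allowed' if allowed else 'DENIED'}")
```

The "open" row is allowed under both policies because open is not a monitored operation here; only the operations named in fpolicy monitor set are checked.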
SERVER> net use T: /delete /yes

Display the profile:
FAS1> fpolicy show mp3blocker

To undo the FPolicy settings:
FAS1> fpolicy disable mp3blocker
FAS1> fpolicy destroy mp3blocker

Designating Secondary File Screening Servers
You can use the fpolicy options command to designate a list of secondary servers to be used when the primary file screening server is unavailable. Enter the following command:

FAS1> fpolicy options PolicyName secondary_servers IPaddr[,IPaddr...]

This command configures a set of IP addresses. Any FPolicy server connecting from one of these IP addresses is classified by the storage system as a secondary server; any FPolicy server not classified as a secondary is considered a primary server. The storage system never uses any secondary server as long as a primary server is available. If all primary servers are unavailable, the storage system uses any secondary servers connected to the storage system until a primary server becomes available again.

To display the status of the file screening servers for a policy, enter the following command:

FAS1> fpolicy servers show PolicyName

Data ONTAP returns the status of the file screening server(s) for the policy you specified.

4.5.2 Storage-Level Access Guard
Storage-Level Access Guard security provides a third type of security layer for a storage object:
• NTFS, UNIX, and NFSv4 security (native file-level security): Exists on any directory or file that represents a storage object. This is the same security that you can set from a client. Can be managed by CIFS and NFS clients with administrative privileges. For file-level reporting, use "fsecurity show" (requires Data ONTAP 7.2 or above).
• Export (NFS) and share (CIFS) security: Applies to client accesses to a given NFS export or CIFS share. For CIFS share-level reporting, use "cifs shares."
• Storage-Level Access Guard:
  o Applies to all accesses from all protocols to the storage object to which the Storage-Level Access Guard has been applied.
  o Applies to all the files and/or all the directories in a storage object.

BEHAVIOR
• Storage-Level Access Guard security applies to all files and/or directories in a storage object, although settings are maintained separately for files versus directories:
  o Directory security: Applies to every directory in the storage object. Does not affect access to or auditing of files.
  o File security: Applies to every file in the storage object. Does not affect access to or auditing of directories.
• It is designed to be modified by storage administrators only. Storage-level security cannot be revoked from a client, even by a system (Windows or UNIX) administrator.
• Access to a file or directory in Data ONTAP is determined by the combined effect of both the native permissions applied to files and/or directories and the Storage-Level Access Guard permissions set on qtrees and/or volumes. For CIFS/NFS client access, three levels of security checks are performed to determine effective permissions. Storage-Level Access Guard precedes the share/export permission and the Windows ACLs or UNIX mode bits used to determine the effective permissions. The checks are performed in this order:
  1) Storage-Level Access Guard permissions
  2) CIFS share or NFS export-level permissions
  3) NTFS file/folder access control lists (ACLs) or UNIX mode bits
  All accesses must pass all levels of security checks.
• If you view the security settings on a file or directory, you do not see the Storage-Level Access Guard security, even if Storage-Level Access Guard denies access to the object.
• Volumes and qtrees are independent storage objects. Storage-Level Access Guard permissions are not inherited from a volume to any qtrees underneath. Storage-Level Access Guard security applies to the files and directories in the storage object, but it is not inherited or propagated by them.
• Note: At this time, only NTFS style access permissions are supported for Storage-Level Access Guard. It doesn’t apply to an environment that is UNIX only, where CIFS is not enabled, but it can be applied to a UNIX security volume/qtree as well. For a UNIX user to perform a security check on a qtree or volume where Storage-Level Access Guard has been applied, the UNIX user must be mapped to a Windows user in the NetApp system; if a UNIX user does not map to a Windows user in this situation, the NTFS style Storage-Level Access Guard will be ignored.
• Special dispensation for virus scanners and FPolicy servers: exceptional access is allowed to these servers to screen the files and folders.
• It is applied at the storage object level and stored in the metadata.
• Qtree SnapMirror® does not propagate the Storage-Level Access Guard security descriptor with the data replication; volume SnapMirror does. NetApp recommends volume SnapMirror for replicating Storage-Level Access Guard security.
• A qtree cannot be deleted unless Storage-Level Access Guard is removed from it.
• Special dispensation also applies to MultiStore environments for the storage objects owned by the virtual storage systems.
• Storage-Level Access Guard security checks have a small performance impact.

CONFIGURATION

HANDS-ON EXERCISE: Storage-Level Access Guard
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003 and VISTA
Either perform the following steps, or to automate the task, execute SLAG.BAT. Then, proceed to step #7.

To apply Storage-Level Access Guard to a storage object, follow these steps:

1) Create a job definition file. The job definition file is a Unicode text file that contains various pieces of information such as security descriptors and paths. It is created using either a text editor or the Storage Security Editor Tool (secedit.exe, a Windows tool provided by NetApp), whose interface resembles the Security tab you find in Windows Explorer:
   SERVER> Start Active Directory Users and Computers GUI
   1. Create a user in the ‘ldapusers’ context called Pebbles, full name: Pebbles Flintstone, password: netapp1.
   2. From a Windows machine, launch secedit.exe (C:\CIFSDEMO\secedit.exe).
   3. For the path, specify the DATA volume (/vol/DATA).
   4. Change the option to ‘Apply to File/Directory’. NOTE: Normally you would select ‘Apply to Storage’ so that the permissions you set apply to all of FAS1, but we do not want to replace permissions which have been set up on other volumes.
   5. Click Add, type: demo\Pebbles, OK.
   6. For Pebbles’ permissions, specify full control.
   7. Click Add, type: demo\Administrator, OK.
   8. For Administrator permissions, specify full control.
   9. Click OK.
   10. Rename ‘Untitled’ to ‘security-base.sec’.
   11. Click ‘Save Unicode,’ and say YES to overwrites.
   12. Close secedit.exe.

2) After creating the job definition file, copy it to a location on the storage system. There are no specific requirements for the name and location of this file.
   SERVER> Net use T: \\FAS1\DATA
   SERVER> Move C:\CIFSDEMO\security-base.sec T:\data\templates
   SERVER> Net use T: /delete /yes

7) Use the fsecurity apply command on the NetApp storage system console to validate and apply the security definitions. This command creates a job that runs in the background on the storage system.
   FAS1> fsecurity apply /vol/DATA/TEMPLATES/security-base.sec -v

8) Check the status of the job that is running, or the history of 15 jobs at once, by using the fsecurity status command. Once you execute fsecurity status, it will also show job #s. For more detail, you can also execute:
   FAS1> fsecurity status <job number>
   Once the job is complete, the results can be viewed from the console.

9) Grant Pebbles the right to log on to the Vista machine via terminal services. We will add Pebbles to both the Domain Controller as well as the VISTA local group Remote Desktop Users. This will allow you to remotely connect to the VISTA workstation.
   SERVER> net localgroup “Remote Desktop Users” demo\Pebbles /add
   SERVER> From the desktop, double click on the DEMO.MSC shortcut. On the left column of the MSC, expand ‘Remote Desktop’. Double-click on ‘Connect as Administrator’. Once connected, click start, run, cmd.
   VISTA> net localgroup “Remote Desktop Users” demo\Pebbles /add
   VISTA> logoff

10) Map Pebbles to the Data volume.
   SERVER> From the desktop, double click on the DEMO.MSC shortcut. On the left column of the MSC, expand ‘Remote Desktop’. Double-click on ‘Connect as Pebbles’. Once connected, click start, run, cmd.
   VISTA> net use t: \\FAS1\data
   Create a text file at the root of the DATA volume.
   VISTA> Logoff Pebbles

11) Map Wilma to the Data volume.
   SERVER> From the desktop, double click on the DEMO.MSC shortcut. On the left column of the MSC, expand ‘Remote Desktop’. Double-click on ‘Connect as Wilma’. Once connected, click start, run, cmd.
   VISTA> net use t: \\FAS1\data
   Have Wilma open the text file Pebbles created – you should be successful. Now have Wilma create a new text file – you should have no success.
   VISTA> Logoff Wilma

12) To display the Storage Level Access Guard permissions:
   FAS1> fsecurity show /vol/DATA

13) To remove an active fsecurity Storage-Level Access Guard policy, type:
   FAS1> fsecurity cancel <all> or <Job #>
   Note: This will cancel jobs which have a status of “working” but does not clear job history.

Data ONTAP supports an additional layer of security which applies to an entire storage object (volume or qtree) and which cannot be overridden. This new additional layer of security is called Storage-Level Access Guard security. This level of security cannot be revoked from a client, even by an administrator. Files and directories within the volume or qtree will not inherit the security set using Storage-Level Access Guard. Data ONTAP now has the built-in tool called “fsecurity,” which also gives this additional layer of security called Storage-Level Access Guard.
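The ordered check listed under BEHAVIOR (Storage-Level Access Guard, then the share permission, then the file or folder ACL), with separate file and directory settings and no inheritance into a qtree under the volume, is modelled by the following Python code. This is an added illustration, not NetApp code; the users, shares, paths and permissions are constructed for the example and rights are reduced to "read" and "write".

```python
"""Ordered access checks for a NetApp storage object with Storage-Level Access Guard.

Added illustration, not NetApp code. Principals, shares, paths and permissions
below are constructed for the example. Rights are reduced to "read"/"write".
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

READ, WRITE = "read", "write"
RW = frozenset({READ, WRITE})


@dataclass(frozen=True)
class Ace:
    principal: str            # user name, group name or "Everyone"
    rights: FrozenSet[str]
    allow: bool = True        # False models a Deny ACE


def acl_allows(aces: List[Ace], user: str, groups: List[str], right: str) -> bool:
    """NTFS-style evaluation: an applicable Deny wins; otherwise some Allow must grant the right."""
    principals = {user, "Everyone"} | set(groups)
    granted = False
    for ace in aces:
        if ace.principal in principals and right in ace.rights:
            if not ace.allow:
                return False
            granted = True
    return granted


@dataclass
class Slag:
    """Storage-Level Access Guard descriptor: file and directory settings are kept separately."""
    file_aces: List[Ace] = field(default_factory=list)
    dir_aces: List[Ace] = field(default_factory=list)


@dataclass
class Node:
    is_dir: bool
    aces: List[Ace]           # native NTFS ACL on the file or folder


class Storage:
    def __init__(self):
        self.objects: Dict[str, Optional[Slag]] = {}         # volume/qtree -> SLAG or None
        self.shares: Dict[str, Tuple[str, List[Ace]]] = {}   # share -> (path, share ACL)
        self.nodes: Dict[str, Node] = {}

    def storage_object_for(self, path: str) -> str:
        """Innermost volume or qtree containing path. Qtrees are independent objects,
        so a qtree without its own SLAG does not inherit the volume's."""
        candidates = [o for o in self.objects if path == o or path.startswith(o + "/")]
        return max(candidates, key=len)

    def check(self, user: str, groups: List[str], share: str, relpath: str,
              right: str) -> Tuple[bool, str]:
        share_path, share_aces = self.shares[share]
        path = share_path.rstrip("/") + "/" + relpath.strip("/")
        node = self.nodes[path]
        # 1) Storage-Level Access Guard, evaluated before anything a client can see
        slag = self.objects[self.storage_object_for(path)]
        if slag is not None:
            aces = slag.dir_aces if node.is_dir else slag.file_aces
            if not acl_allows(aces, user, groups, right):
                return False, "storage-level access guard"
        # 2) CIFS share (or NFS export) permission
        if not acl_allows(share_aces, user, groups, right):
            return False, "share"
        # 3) NTFS ACL on the file or folder (UNIX mode bits in a UNIX-style object)
        if not acl_allows(node.aces, user, groups, right):
            return False, "file or folder acl"
        return True, "all three checks passed"


def build_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: SLAG on /vol/DATA, none on the qtree /vol/DATA/q1."""
    s = Storage()
    s.objects["/vol/DATA"] = Slag(
        file_aces=[Ace("Everyone", frozenset({READ})), Ace("pebbles", RW)],
        dir_aces=[Ace("pebbles", RW)])
    s.objects["/vol/DATA/q1"] = None
    s.shares["DATA"] = ("/vol/DATA", [Ace("Everyone", RW)])
    s.shares["DATA_RO"] = ("/vol/DATA", [Ace("Everyone", frozenset({READ}))])
    everyone_rw = [Ace("Everyone", RW)]
    s.nodes["/vol/DATA/notes.txt"] = Node(False, everyone_rw)
    s.nodes["/vol/DATA/reports"] = Node(True, everyone_rw)
    s.nodes["/vol/DATA/q1/draft.txt"] = Node(False, everyone_rw)
    s.nodes["/vol/DATA/locked.txt"] = Node(
        False, [Ace("Everyone", RW), Ace("pebbles", frozenset({WRITE}), allow=False)])
    return {
        "wilma read notes.txt": s.check("wilma", [], "DATA", "notes.txt", READ),
        "wilma write notes.txt": s.check("wilma", [], "DATA", "notes.txt", WRITE),
        "wilma list reports/": s.check("wilma", [], "DATA", "reports", READ),
        "pebbles write notes.txt": s.check("pebbles", [], "DATA", "notes.txt", WRITE),
        "pebbles write notes.txt via DATA_RO": s.check("pebbles", [], "DATA_RO", "notes.txt", WRITE),
        "pebbles write locked.txt": s.check("pebbles", [], "DATA", "locked.txt", WRITE),
        "wilma write q1/draft.txt": s.check("wilma", [], "DATA", "q1/draft.txt", WRITE),
    }


if __name__ == "__main__":
    for label, (ok, stage) in build_demo().items():
        print(f"{label:38s} {'ALLOW' if ok else 'DENY '} ({stage})")
```

Note the last row: wilma's write inside the qtree passes although the volume's Storage-Level Access Guard would have denied it, because the qtree is its own storage object with no guard applied.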
fsecurity on-box permission utility:
• Customers requested the ability to view and set the security on the files/directories on the NetApp storage itself (in Data ONTAP 7.2, for NTFS ACLs only).
• The “fsecurity” command allows the storage admins to apply the security over huge directories directly on the NetApp storage, hence avoiding the permissions issues inherent with going over the wire.
• The “fsecurity” command can also be leveraged by provisioning scripts to set the security.
• Benefit: No more dependency on managing the folder-based ACLs from a client side.
• “Secedit.exe”: A Windows client application for constructing security settings for the “fsecurity apply” command, provided on an as-needed basis to customers from http://now.netapp.com/NOW/download/tools/secedit/.

How Will It Work?
Storage-Level Access Guard security is comprised of several components, including the following:
• Data ONTAP console command
• Job definition files
• Windows client interface

When an administrator decides that they want to apply Storage-Level Access Guard security to a storage object, they must first generate the job definition file. This is a Unicode text file that contains various pieces of information such as security descriptors and paths. The file format will be open, allowing customers to write scripts that generate them. Customers might also use the Windows client interface to generate the files, and it will generate a correctly formatted file. Once the file is generated, it is copied to a location on the NetApp storage. From there, a console command validates and applies the Storage-Level Access Guard security by creating a job that runs on the NetApp storage in the background. This job can be monitored and cancelled as desired. It's important to keep in mind that Storage-Level Access Guard security is not managed or even visible directly from a client.

Example of fsecurity command:
FAS1> fsecurity show /vol/DATA

The output will look similar to the following:
[/vol/r2 - Directory (inum 64)]
  Security style: NTFS
  Effective style: NTFS
  Unix security:
    uid: 0 (root)
    gid: 0 (daemon)
    mode: 0777 (rwxrwxrwx)
  NTFS security descriptor:
    Owner: BUILTIN\Administrators
    Group: BUILTIN\Administrators
    DACL:
      Allow - Everyone - 0x001f01ff (Full Control)
      Allow - Everyone - 0x10000000 - OI|CI|IO

Notes:
• The Storage-Level Access Guard security descriptor must be removed before a qtree can be deleted.
• Storage-Level Access Guard is not inherited from the volume root to other qtrees.
• The volume root is qtree id 0.

4.5.3 Useradmin CLI (Role Based Access Control)

HANDS-ON EXERCISE: Useradmin Command Line Interface
Prerequisite: none
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute CLIUSER.BAT. Then, proceed to step #2.

Creating a User Who Only Administers SNMP
1. FAS1> options security.passwd.rules.minimum 7
(This changes the minimum password length from the default of 8 to 7 characters.)
FAS1> useradmin role add rsh_help -a login-rsh,cli-help*
FAS1> useradmin role add snmp_commands -a login-*,cli-snmp*,api-snmp-*
FAS1> useradmin group add snmp_admins -r rsh_help,snmp_commands
FAS1> useradmin user add Dino -g snmp_admins

2. FAS1> useradmin user list
FAS1> useradmin group list snmp_admins

This creates two roles: one which can rsh into the NetApp storage and run the help command, and another which is allowed to log in using any login method and run any snmp command. The "snmp_admins" group is allowed to log into the NetApp storage and run the help command using telnet, rsh, etc., and run snmp commands. The user "Dino" inherits these capabilities from the group.

3. Creating/Modifying a User Without Console Access
This is a common issue that arises for appliances running in Windows domains. A user without console access cannot execute any NetApp storage CLI commands. If a user is in a group with the capabilities "cli-*" and "login-*," then that user has console access. These local users should be placed in local groups (or even no groups at all) that do not have any roles which contain these capabilities. To see if a user has access, list the user and check the Allowed Capabilities. The following command places a user into a group with no capabilities, which will revoke all privileges:
FAS1> useradmin user modify Dino -g "Guests"

4. FAS1> useradmin user list Dino

4.5.4 Antivirus Scanning

HANDS-ON EXERCISE: Antivirus Scanning
Prerequisite: CIFSRUN.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute ANTIVIRUS.BAT. Then, proceed to step #2.

Installation of McAfee Antivirus for NetApp Version 7.0
1. If you have the desktop shortcut of DEMO.MSC open, close it or setup will time out.
   SERVER> C:\CIFSDEMO\Anti-Virus\McAFEE\setup.exe
2. Read the license, then click Next.
3. Click “I accept the terms in the License agreement,” followed by OK.
4. Select Custom installation, click Next.
5. Accept the default Product Configuration, click Next.
6. On Security Configuration, enter a password (netapp1) (x2), followed by Next.
7. Leave Alert Manager unchecked, click Next.
8. Add NetApp storage name – click Add. For this exercise, use the IP address and not the NetBIOS name (192.168.10.35), for performance and reliability (recommended). Followed by Next.
9. Enter domain name <demo\Administrator> and password (netapp1) for the Administrator account, followed by Next.
10. Click Install.
11. Click Yes to accept the Registry Key Change.
12. Uncheck both Update Now and Run Scan, and click Finish.
13. Select Yes to reboot the server when prompted.

On the Windows Server, click Program -> Network Associates -> VirusScan Console. Right click “Network Appliance AV Scanner” and select enable. The scanner registers with the Storage Appliance. At the NetApp console, each time the Windows machine reboots, you will see a message similar to:
[vscan.server.connecting.successful:info]: CIFS: Vscan server \\W2003 registered with the storage unit successfully.

Troubleshooting: If you do not see a message similar to this, note that the Telnet session to the NetApp storage closes each time the Windows machine reboots, so the message will not be visible in that session.

At the NetApp storage, to enable scanning, type:
FAS1> vscan on

For the status of the scanner, type:
FAS1> vscan

• The scanner waits for requests to come from the NetApp appliance.
• The scanner will ping the Storage Appliance from time to time to detect and recover from reboots/takeovers.
• Several scanners can register with the Storage Appliance.
• A single scanner can scan multiple Storage Appliances.

To Test Your Installation
Type the following line into its own file, then save the file with the name EICAR.COM:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Virus Scanning Process Once a file is successfully scanned. When your software scans this file.com . If the scanner is updated. VirusScan will detect the virus. • vscan extensions Displays the current list of extensions to scan and not to scan. it will report finding the EICAR test file. Two exceptions exist: • • If the file is written to. save the file as C:\EICAR. This might result in slower CIFS access for future opens.TXT Edit the file so that the two separate lines become one line (just like the above example). • vscan extensions include add mp3 Adds mp3 to the include list to scan. Page 65 of 187 CIFS – demo. • vscan extensions exclude add wmv Adds wmv to the files not to be scanned list. the file is again scanned when closed.Or SERVER> Notepad C:\CIFSDEMO\AVTEST. If VirusScan is not running. VSCAN on/off The vscan on/off will enable and disable the vscan option. If this option is set to "off" then access to files is allowed if it is not possible to scan the file. for example. because no scanners are available. VSCAN options FAS1> vscan vscan vscan vscan vscan options options timeout: options abort_timeout: options mandatory_scan: options client_msgbox: 10 sec 10000 sec on off Timeout displays the current virus scan timeout value in seconds. If set to "on.com . NetApp Professional Services recommends customers set this to off.” then access to files will be denied if a virus scan cannot be performed. Mandatory_scan displays the current setting for the mandatory_scan option. It is also possible to set the timeout.• vscan ext reset Resets the list of extensions to scan to the default values. • vscan options timeout set 15 Sets the timeout value to 15 seconds. This value determines how long the Storage Appliance will wait for the scanning client to perform a virus scan request.100 \\W2003 Connect time (dd:hh:mm) 00:00:01 0 Reqs Fails 0 Page 66 of 187 CIFS – Demo. 
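The interaction of the extension lists, the OK flag and the mandatory_scan option is easier to see in code. The following is an added example written for this section, not Data ONTAP or McAfee code: a small Python model of the open-file decision, with a constructed scanner callback standing in for the registered VirusScan server. The extension lists and file names are constructed for the demonstration, and the "*" wildcard meaning "every extension" is this model's own convention.

```python
"""Model of the open-file decision the storage system makes when vscan is on,
following the options explained above: the include/exclude extension lists,
the "OK" flag a file keeps after a clean scan (cleared when the file is written
to or a scanner reports updated DAT files), and mandatory_scan deciding whether
a file that cannot be scanned is denied (on) or allowed (off).
Added example written for this page: a simulation, not Data ONTAP or McAfee
code.  Extension lists, file names and the scanner callback are constructed."""

DEFAULT_TIMEOUT = 10            # seconds, as shown by 'vscan options' above


class VscanPolicy:
    """Tunables set with 'vscan extensions ...' and 'vscan options ...'."""

    def __init__(self, include, exclude=(), mandatory_scan=True,
                 timeout=DEFAULT_TIMEOUT):
        self.include = {e.lower() for e in include}   # "*" = every extension (model convention)
        self.exclude = {e.lower() for e in exclude}
        self.mandatory_scan = mandatory_scan
        self.timeout = timeout


class Filer:
    """A storage system with zero or more registered scanners.  A scanner is a
    callable (path, timeout_sec) -> "clean" | "infected" | "timeout"."""

    def __init__(self, policy, scanners=()):
        self.policy = policy
        self.scanners = list(scanners)
        self.ok_files = set()       # files carrying the OK flag
        self.log = []

    @staticmethod
    def extension(path):
        name = path.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""

    def must_scan(self, path):
        """The exclude list wins; otherwise the include list decides."""
        ext = self.extension(path)
        if ext in self.policy.exclude:
            return False
        return "*" in self.policy.include or ext in self.policy.include

    def scanner_updated(self):
        """RPC from a scanner with new DAT files: drop every OK flag so each
        file is rescanned on its next open (the slower-access case above)."""
        self.ok_files.clear()
        self.log.append("scanner updated: OK flags cleared")

    def close_after_write(self, path):
        """A file that was written to loses its OK flag when it is closed."""
        self.ok_files.discard(path)

    def open(self, path):
        """Return (allowed, reason) for a CIFS open of path."""
        if not self.must_scan(path):
            return True, "extension not in scan list"
        if path in self.ok_files:
            return True, "already scanned, OK flag set"
        if not self.scanners:
            return self._unscannable("no scanners registered")
        verdict = self.scanners[0](path, self.policy.timeout)
        if verdict == "clean":
            self.ok_files.add(path)
            return True, "scanned clean"
        if verdict == "infected":
            self.log.append("virus found in %s" % path)
            return False, "virus found"
        return self._unscannable("scan timed out after %d sec" % self.policy.timeout)

    def _unscannable(self, why):
        """mandatory_scan on = fail closed, off = fail open."""
        if self.policy.mandatory_scan:
            return False, "denied, %s (mandatory_scan on)" % why
        return True, "allowed unscanned, %s (mandatory_scan off)" % why


def demo_scanner(path, timeout_sec):
    """Constructed stand-in for the VirusScan server: flags the EICAR file,
    'times out' on .iso images and passes everything else."""
    name = path.lower()
    if "eicar" in name:
        return "infected"
    if name.endswith(".iso"):
        return "timeout"
    return "clean"


if __name__ == "__main__":
    policy = VscanPolicy(include=["exe", "com", "txt", "iso"], exclude=["wmv"])
    filer = Filer(policy, [demo_scanner])
    for f in ("C:\\EICAR.COM", "T:\\report.txt", "T:\\clip.wmv", "T:\\big.iso"):
        print(f, filer.open(f))
```

Running the same open against a Filer with no scanners registered shows the Caution in this section directly: with mandatory_scan on every file in the include list is denied, with it off the same files are served unscanned.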
Caution: If you turn vscan on and there are no scanners registered with the NetApp storage, the NetApp storage will not allow access to the file(s) that have the listed extension(s) unless mandatory_scan is set to off.

VSCAN scanners
FAS1> vscan scanners
Virus scanners (IP and Name)      Connect time (dd:hh:mm)   Reqs   Fails
192.168.10.100  \\W2003           00:00:01                  0      0

Client Message Box
With the MsgBox set to on, the client will get a clear explanation why file access has failed:
FAS1> vscan options client_msgbox [on | off]
MsgBoxes are throttled in case you encounter a virus storm. The NetApp storage will send no more than 5 vscan MsgBoxes every 30 seconds.

Virus Scan Options for CIFS shares
cifs shares -add <sharename> <path> [-novscan] [-novscanread]
Example: FAS1> cifs shares -add data /vol/DATA -novscan
cifs shares -change <sharename> [-novscanread | -vscanread] [-vscan | -novscan]
Example: FAS1> cifs shares -change DATA <one of the options above>
For additional information, refer to FAS1> man na_vscan

4.5.5 Live-View Auditing

Prerequisites for CIFS auditing:
• CIFS must be licensed and enabled on the storage system before auditing can be enabled.
• The file or directory to be audited must be in a mixed or NTFS volume or qtree. You cannot audit CIFS events for a file or directory in a UNIX volume or qtree unless Storage-Level Access Guard is enabled.
Event auditing is turned off by default. To identify events for auditing, you must enable individual options and enable auditing.
Configuration

HANDS-ON EXERCISE: Live-View Auditing
Prerequisite: CIFSRUN.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute: none

You must specify the file access events to record. Configure the following options in Data ONTAP for CIFS auditing.
File access events:
FAS1> options cifs.audit.file_access_events.enable on
Logon/logoff events:
FAS1> options cifs.audit.logon_events.enable on
Account management events:
FAS1> options cifs.audit.account_mgmt_events.enable on
Enable CIFS audit:
FAS1> cifs audit start
FAS1> options cifs.audit.enable on
Note: Be sure to select only the events that you need to audit, because selecting too many audit options might affect system performance.

On Individual Files and Directories
To audit access events on individual files and directories, you can set SACLs in two ways:
• Using the Windows Explorer GUI: Select the file or directory for which you want to enable auditing access. Right-click the file or directory and select Properties. Select the Security tab and click Advanced. Select the Auditing tab. Add, edit, or remove the auditing options you want.
• Using the fsecurity permission command, as explained in section 4.4.7.

On Volumes and Qtrees
To audit access events on all files and directories within a volume or qtree, NetApp recommends that you set SACLs by applying Storage-Level Access Guard security as explained in section 4.4.7.
Note: SACLs can also be set on the volume or qtree directly by using the Windows Explorer GUI, similar to an individual file or directory. The only caution would be that if you have SACLs applied to the child objects of that volume or qtree, then any user who has the privilege to modify the SACLs at those levels can unset the settings, and that specific subfolder or file will be skipped from auditing, whereas SACLs applied through the Storage-Level Access Guard on the volume or qtree cannot be changed by the users at the child object level.

SAVING AUDIT EVENTS
Audit event information is stored in an internal log file, /etc/log/cifsaudit.alf. Audit events can be saved manually by using the cifs audit save command or by enabling automatic saving. By default, the external event log is /etc/log/adtlog.evt.

Automatic Saving Based on Size of the Internal Log File
The default size threshold for the internal log file is 75%, so that whenever the internal log file is 75% full, the contents are automatically saved to the external event file.
FAS1> options cifs.audit.autosave.onsize.enable on
FAS1> options cifs.audit.autosave.onsize.threshold Nsuffix
N is the value of the size threshold; suffix is the unit of measure. You can specify the size threshold as a percentage (%), kilobytes (k), megabytes (m), or gigabytes (g). As an example for this lab, use 640k.

Automatic Saving Based on a Time Interval
The default time interval is one day.
FAS1> options cifs.audit.autosave.ontime.enable on
FAS1> options cifs.audit.autosave.ontime.interval Nsuffix
N is the value of the time interval; suffix is the unit of measure. You can specify the time interval as seconds (s), minutes (m), hours (h), or days (d).

Automatically Saved Event File Extensions
Each time the internal log file is automatically saved to the external event file, an extension is added to the base name of the event file.
Timestamp extension:
FAS1> options cifs.audit.autosave.file.extension timestamp
Format: base name of event file followed by YYYYMMDDHHMMSS.evt
Counter extensions:
FAS1> options cifs.audit.autosave.file.extension counter
Examples: eventlog.evt, eventlog1.evt, eventlog2.evt, and so on.

Maximum Number of Automatically Saved Event Files
FAS1> options cifs.audit.autosave.file.limit value
value is a number from 0 to 999.

DISPLAYING AUDIT EVENTS
Real-Time Display: Live View
To enable or disable Live View on your storage system, set:
FAS1> options cifs.audit.liveview.enable on
To view the event logs from the storage system in real time from the Windows client, complete the following steps:
1. SERVER> Start Event Viewer from Administrative Tools or from Microsoft Management Console.
2. From the Action menu, select Connect to Another Computer.
3. Enter the name of the storage system you want to audit (FAS1) and click OK.
4. On the left side of the application, select the Security entry. The right side of the application is populated with the latest audit events captured on the storage system (up to 5,000 events).

Static Display
To view the external event log (.evt file) saved on the storage system, complete the following steps:
1. SERVER> Start Event Viewer from Administrative Tools or from Microsoft Management Console.
2. From the Action menu, select Open Log File.
3. Select the event log file saved on the storage system.
Note: Do not try to open the event log by selecting Select Computer from the Log menu and double-clicking the storage system name. If you do, Event Viewer displays the error message "The RPC server is unavailable," because Data ONTAP does not communicate with Event Viewer with RPC calls unless Live View is enabled.

CONVERTING AN EVENT LOG TO A TEXT FILE
The EVT2TXT Converter tool converts a standard Microsoft type event (.evt) file to a text (.txt) file format. This tool is available from the NOW site: http://now.netapp.com/NOW/download/tools/evt2text. The tool has also been copied to C:\CIFSDEMO\EVT2TEXT for your convenience. Refer to the C:\CIFSDEMO\EVT2TEXT\README.txt file for details on how to use the tool.

4.5.6 Access-Based Enumeration (ABE)

ABE (Access-Based Enumeration) for a CIFS share on a NetApp storage system can be managed by:
FAS1> cifs shares <sharename> option [-accessbasedenum | -noaccessbasedenum]
NetApp storage systems require the CLI (no FilerView support) to enable ABE on CIFS shares. There is no option on the NetApp storage system to enable or disable ABE on all shares. The cmd tool from Microsoft (abecmd.exe) provides the capability to enable/disable ABE on shares located on NetApp storage controllers from a Windows server. The syntax for abecmd.exe is:
SERVER> abecmd [/enable | /disable] [/server <servername>] {/all | <sharename>}
To enable ABE on a particular share use:
SERVER> abecmd /enable /server FAS1 <share name>
Note: The ABEUI.msi package, which can be downloaded from Microsoft's Web site, must first be installed on all Windows 2003 servers prior to R2, as well as all DFS servers.

Access-Based Enumeration Example

HANDS-ON EXERCISE: Access-Based Enumeration
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003 and VISTA
Either perform the following steps, or to automate the task, execute: ABESETUP.BAT. Then, proceed to step #17.

First of all, you must set up your regular file shares as you normally would. You must set the permissions on the share, and the NTFS permissions on the file system. These will indicate who gets to see the share once the configuration is complete. We will use a share called DATA, located at /vol/DATA. At the root of the share, make a folder called \Software. Underneath \SOFTWARE, create three directories: FilerView, SnapManager, and NDA. We have two users which were previously created in Active Directory, Fred and Wilma.
1. SERVER> Net use T: \\FAS1\DATA
2. SERVER> MKDIR T:\SOFTWARE
3. SERVER> MKDIR T:\SOFTWARE\FilerView
SERVER> MKDIR T:\SOFTWARE\SnapManager
SERVER> MKDIR T:\SOFTWARE\NDA
4. Take note of the NTFS permissions; you will need these later.
5. SERVER> Start Explorer, go to drive T:, select Properties on each of the folders specified and assign the following permissions:
Folder          Assign Fred     Assign Wilma
\FilerView      Full Control    Full Control
\SnapManager    Full Control    Full Control
\NDA            No access       Requires the following as a minimum: List Folder/Read Data, Read Attributes, Read Extended Attributes (Traverse), Read Permissions
6. Disconnect from drive T:
SERVER> Net use T: /delete /yes
7. Map Fred to the DATA share. SERVER> From the desktop, double click on the DEMO.MSC shortcut. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Fred'. This will allow you to remotely connect to the VISTA workstation. Once connected, click Start, Run, cmd.
8. VISTA> net use T: \\FAS1\data
9. Open the SOFTWARE folder. Fred will see all three sub-folders even though he doesn't have access rights to the NDA folder.
10. Verify this by clicking on each sub-folder.
11. VISTA> Logoff Fred
12. Connect Wilma. SERVER> From the desktop, double click on the DEMO.MSC shortcut. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Wilma'. This will allow you to remotely connect to the VISTA workstation. Once connected, click Start, Run, cmd.
13. VISTA> net use T: \\FAS1\data
14. Open the SOFTWARE folder. Notice Wilma can also see all folders.
15. Verify Wilma has access to each folder by clicking on each folder's name.
16. VISTA> Logoff Wilma
17. Enable Access Based Enumeration:
FAS1> cifs shares -change data -accessbasedenum
18. Reconnect Fred to the DATA share. SERVER> From the desktop, double click on the DEMO.MSC shortcut. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Fred'. Once connected, click Start, Run, cmd.
VISTA> net use t: \\FAS1\data
19. Notice Fred now can only see the folders he has access to.
20. Wilma can still access all three folders, as she was given permission.
21. VISTA> Logoff Fred

Enable/Disable ABE Through the NetApp Storage CLI
To enable ABE on an existing share:
FAS1> cifs shares -change <sharename> -accessbasedenum
To disable ABE on an existing share:
FAS1> cifs shares -change <sharename> -noaccessbasedenum
To create a share with ABE enabled:
FAS1> cifs shares -add <sharename> <path> -accessbasedenum
The console output when a share has ABE enabled:
FAS1> cifs shares data
Name         Mount Point       Description
----         -----------       -----------
data         /vol/data
             everyone / Full Control
             ... access based enum supported
4.5.7 Configuring SSH and SSL

Configure SecureAdmin™ to enable SSH2:
Usage:
secureadmin setup [-f] ssh
secureadmin setup [-f] [-q] ssl
secureadmin addcert ssl [path to CA signed cert]
secureadmin enable all|ssh|ssh1|ssh2|ssl
secureadmin disable all|ssh|ssh1|ssh2|ssl
secureadmin status
secureadmin version

SSH Setup

HANDS-ON EXERCISE: SSH Setup
Prerequisite: CIFSRUN.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute: SSHSETUP.BAT. Then, proceed to step #10.

1. FAS1> secureadmin setup ssh
SSH server supports both ssh 1.x and ssh 2.0 protocols.
SSH server needs two RSA keys to support ssh1.x protocol and a RSA host key and a DSA host key to support ssh 2.0 protocol.
SSH Setup will now ask you for the sizes of the host and server keys.
For SSH1.x protocol, key sizes must be between 384 and 2048 bits.
For SSH2.0 protocol, key sizes must be between 768 and 2048 bits.
The size of the host and server keys must differ by at least 128 bits.
Please enter the size of host key for ssh1.x protocol [768] :
Please enter the size of server key for ssh1.x protocol [512] :
Please enter the size of host keys for ssh2.0 protocol [768] :
Is this correct? [yes]
Note: Accept the defaults when it comes to selecting key size.
Setup will now generate the host keys in the background. It will take a few minutes. A syslog message will be generated when Setup is complete. The host key is generated and saved to file /etc/sshd/ssh_host_key during setup. The server key is regenerated every hour when SSH server is running. Host keys are stored in /etc/sshd/ssh_host_key, /etc/sshd/ssh_host_rsa_key and /etc/sshd/ssh_host_dsa_key. After Setup is finished, you can start SSH server with command secureadmin enable ssh.
FAS1> Wed Oct 25 05:59:56 GMT [rc:info]: SSH Setup: SSH Setup is done.

2. Enable the ssh2 protocol:
FAS1> secureadmin enable ssh2

3. Make sure your host is able to send commands to the NetApp storage. RSH is the easiest method.
a. Add your host and user name to the /etc/hosts.equiv file. For example, if we wanted to allow the Administrator using the host W2003:
FAS1> priv set advanced
FAS1*> wrfile -a /etc/hosts.equiv W2003 Administrator
FAS1*> priv set
or
b. Use the option rsh -l to specify the user and password for RSH access, and switch:
FAS1> options httpd.admin.hostsequiv.enable off
Test with:
SERVER> rsh FAS1 ?
SERVER> rsh FAS1 -l root:netapp1 ?
If it works, you are ready to configure SSH; otherwise refer to the NetApp storage console for the error message, and take appropriate steps as described in the Troubleshooting section of this document. Do not forget to remove the hosts.equiv entry once you have tested.

Configure SSH
Using an Internet search engine such as Google, download both plink.exe and puttygen.exe. (Both of these tools have been downloaded and placed in the folder C:\CIFSDEMO\plink.)

4. SERVER> C:\CIFSDEMO\plink\plink.exe root@FAS1 ?
The first time you use plink.exe, you will be asked if you agree with the license; select Y for yes. Here you can see the NetApp storage has accepted the connection and is now prompting for a password.

5. Next, generate keys by using puttygen.exe:
SERVER> C:\CIFSDEMO\plink\puttygen.exe
Select the SSH-2 RSA radio button. Accept the 1024 default for key size. Note: the key size on the host does not have to match that of the NetApp storage, but it does need to be larger. Click Generate and you will be prompted to move your mouse in the key area. Be sure you DO NOT enter a passphrase when generating the keys. Select save public key and save private key. Save them to the directory C:\CIFSDEMO\plink.
Public key name = rsa_pub_key
Private key name = rsa_priv_key.ppk

6. Create an authorized_keys file. When you open the public key file generated by puttygen it will look like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070119"
AAAAB3NzaC1yc2EAAAABJQAAAIEAyQ8pESW3f2dRNNtnioOTPD0dyTVfW1TcIrFY
1aC/qMHH2AK9A5Kjd9dUBq7YudjakUiwZKvB7rucg7FaMbOZDqf/HvqdJf3Zem99
LaolDWBpGJRNqe8zmdWWnU/SXV9weWjsx6W+JeT9Urhfp/hbgidI8D6HxyJO/028
1Yro2XM=
---- END SSH2 PUBLIC KEY ----
You need to strip all line breaks and extra text from this file so that it looks like this (one line):
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAyQ8pESW3f2dRNNtnioOTPD0dyTVfW1TcIrFY1aC/qMHH2AK9A5Kjd9dUBq7YudjakUiwZKvB7rucg7FaMbOZDqf/HvqdJf3Zem99LaolDWBpGJRNqe8zmdWWnU/SXV9weWjsx6W+JeT9Urhfp/hbgidI8D6HxyJO/0281Yro2XM=
Notice that ssh-rsa is prepended to the beginning of the file. Note: After "ssh-rsa" there should be a space and then the key. As a general rule the authorized_keys file is very sensitive; it does not want any line breaks. Do not edit this file with Notepad; instead use WordPad or TextPad.

7. Save this file as authorized_keys; do not overwrite the original public key.

8. SERVER> net use T: \\FAS1\C$
A drive will be mapped to the NetApp storage, so that you will be able to create a directory structure and place a file in the directory. Create the following directory structure on the NetApp storage: /etc/sshd/root/.ssh. We use the name root, as the key will be used by the user root. If you planned to use a different login name, create a directory structure with the appropriate name. If you are doing this from a Windows host you will not be able to create the .ssh folder. Instead, create /etc/sshd/root/ssh and copy the authorized_keys file into this directory.

9. SERVER> net use T: /delete /yes

10. Run plink.exe on the host. The following command should be typed as one line:
SERVER> c:\CIFSDEMO\plink\plink.exe -v -i c:\CIFSDEMO\plink\rsa_priv_key.ppk root@FAS1 ?
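Stripping the puttygen file down to one authorized_keys line by hand is error-prone, and a stray line break or leftover header means the storage system silently ignores the key. As an added example (not NetApp or PuTTY code), the following Python script performs the conversion described in step 6 and checks that the base64 really decodes to an ssh-rsa key blob before producing the line. The sample input is the puttygen output shown above; the function names are the example's own.

```python
"""Convert a puttygen "SSH2 PUBLIC KEY" file (RFC 4716 format) into the single
line OpenSSH authorized_keys form that /etc/sshd/<user>/.ssh/authorized_keys
on the storage system expects.  Added example written for this page, not
NetApp or PuTTY code.  RFC4716_KEY is the 1024-bit key shown in the text."""
import base64
import struct

# Sample input: the puttygen output exactly as shown above (a public key).
RFC4716_KEY = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070119"
AAAAB3NzaC1yc2EAAAABJQAAAIEAyQ8pESW3f2dRNNtnioOTPD0dyTVfW1TcIrFY
1aC/qMHH2AK9A5Kjd9dUBq7YudjakUiwZKvB7rucg7FaMbOZDqf/HvqdJf3Zem99
LaolDWBpGJRNqe8zmdWWnU/SXV9weWjsx6W+JeT9Urhfp/hbgidI8D6HxyJO/028
1Yro2XM=
---- END SSH2 PUBLIC KEY ----
"""

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text):
    """Return (headers, base64_body).  Header lines look like 'Name: value'
    and may continue with a trailing backslash; body lines are joined with no
    separator, which is the 'strip all line breaks' step done by hand above."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:          # base64 never contains ':'
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\"):       # continued header line
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[name.strip()] = value.strip('"')
        else:
            body.append(line.strip())
        i += 1
    return headers, "".join(body)


def ssh_blob_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields
    (for ssh-rsa: type string, public exponent, modulus)."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    return fields


def to_authorized_keys_line(text):
    """Produce 'ssh-rsa <base64> <comment>', refusing input whose base64 does
    not decode to an ssh-rsa blob (a pasted header or a broken line would)."""
    headers, b64 = parse_rfc4716(text)
    fields = ssh_blob_fields(base64.b64decode(b64, validate=True))
    key_type = fields[0].decode("ascii")
    if key_type != "ssh-rsa" or len(fields) != 3:
        raise ValueError("expected an ssh-rsa key (type, exponent, modulus)")
    comment = headers.get("Comment", "")
    return " ".join(part for part in (key_type, b64, comment) if part)


def rsa_key_bits(text):
    """Modulus size in bits, e.g. 1024 for the puttygen default used above."""
    _, b64 = parse_rfc4716(text)
    fields = ssh_blob_fields(base64.b64decode(b64, validate=True))
    return int.from_bytes(fields[2], "big").bit_length()


if __name__ == "__main__":
    print(to_authorized_keys_line(RFC4716_KEY))
    print(rsa_key_bits(RFC4716_KEY), "bit RSA key")
```

Write the returned line to a file named authorized_keys with a plain-text editor that does not wrap lines, as the step above requires; the comment at the end of the line is optional and is ignored by the server.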
Note (step 8): if you had to create /etc/sshd/root/ssh from a Windows host, once the authorized_keys file is copied use the mv command on the NetApp storage to rename the ssh directory:
FAS1> priv set advanced
FAS1*> mv /etc/sshd/<username>/ssh /etc/sshd/<username>/.ssh
FAS1*> priv set

The first time you use plink.exe with the key, you will be asked if you agree with the license; select Y for yes. The -v flag is used to give a verbose output regarding the connection negotiation. It is a useful flag when trying to troubleshoot the connection and can be removed from future commands once you are satisfied.

Managing SSL for SecureAdmin
You can manage the SSL portion of SecureAdmin in the following ways:
• Set up and start SSL.
• Reinitialize SSL.
• Disable and enable SSL.
SSL uses a certificate to provide a secure connection between the storage system and a Web browser. SecureAdmin allows two types of certificates:
• Self-signed certificate: A certificate generated by Data ONTAP. Self-signed certificates can be used as is, but they are less secure than certificate-authority signed certificates, because the browser has no way of verifying the signer of the certificate. This means the system could be spoofed by an unauthorized server.
• Certificate-authority signed certificate: A certificate-authority signed certificate is a self-signed certificate that is sent to a certificate authority to be signed. The advantage of a certificate-authority signed certificate is that it verifies to the browser that the system is the system to which the client intended to connect.

SETTING UP AND STARTING SSL

HANDS-ON EXERCISE: SSL Setup
Prerequisite: CIFSRUN.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute: SSLSETUP.BAT. Then, proceed to step #1 under Testing Your Certificate.

To set up SSL, complete the following steps.
1. Enter the following command:
FAS1> secureadmin setup ssl
2. Enter information when Data ONTAP prompts you. (To use the default settings, press Enter at each of the prompts.) Data ONTAP generates one file and places it in three locations: /etc/keymgr/cert, /etc/keymgr/key, and /etc/keymgr/csr.

Installing a Certificate-Authority-Signed Certificate
(This section is presented at a high level, as it is outside the scope of this document.)
To install a certificate-authority-signed certificate, complete the following steps.
1. Back up the secureadmin.pem file by making a copy.
2. Send the certificate signing request, secureadmin.pem, to the certificate authority.
3. When the certificate authority returns the signed certificate, copy the signed certificate into a temporary location on the storage system.
4. Install the certificate by entering the following command:
FAS1> secureadmin addcert ssl <directory_path>
5. Disable SSL by entering the following command:
FAS1> secureadmin disable ssl
6. Enable SSL by entering the following commands:
FAS1> secureadmin enable ssl
FAS1> options httpd.admin.enable on

Testing Your Certificate
To verify that your certificate is installed correctly, complete the following steps. Note: These steps can verify either a self-signed certificate or a certificate-authority-signed certificate.
1. Start your Web browser.
2. Enter the following URL: https://FAS1/na_admin
3. Click 'Continue to this website'. This message appears because the NetApp storage certificate has not been imported into the trusted certificates of your web browser.
4. When prompted, enter the username <root> and password <netapp1>.

4.6 NETAPP TECHNICAL REPORT REFERENCE

Antivirus Sizing Guide – October 2007
HTTP://MEDIA.NETAPP.COM/DOCUMENTS/TR-3617i
Antivirus Scanning Best Practices Guide – April 2006
http://media.netapp.com/documents/tr-3107.pdf
Antivirus compatibility matrix (Requires NOW account)
http://now.netapp.com/NOW/knowledge/docs/olio/guides/avmatrix.shtml
LDAP
http://media.netapp.com/documents/tr-3458.pdf
Unified Windows and UNIX Authentication Using Microsoft Active Directory Kerberos – May 2006
http://media.netapp.com/documents/tr-3457.pdf
Auditing Quick Start Guide – May 2008
http://media.netapp.com/documents/tr-3595.pdf
Storage-Level Access Guard Quick Start Guide – May 2008
http://media.netapp.com/documents/tr-3596.pdf
Bulk Security Guard Quick Start – May 2008
http://media.netapp.com/documents/tr-3597.pdf
CIFS Best Practices with a NetApp Filer – March 2005
http://media.netapp.com/documents/tr-3381.pdf
Multiprotocol Data Access: NFS, CIFS and HTTP – 2005
http://media.netapp.com/documents/tr-3490.pdf
Best Practices for Secure Configuration of Data ONTAP 7G – May 2008
http://media.netapp.com/documents/tr-3649.pdf
Role Based Access Controls in Data ONTAP – October 2004
http://media.netapp.com/documents/tr-3358.pdf
Reallocate Best Practice Guide – July 2007
http://media.netapp.com/documents/tr-3599.pdf
Refer to man na_useradmin: Administer NetApp storage access controls.

5 FILE SYSTEM RESOURCE MANAGER

5.1 OVERVIEW
This chapter provides practical guidelines for implementing quotas on NetApp storage. The chapter outlines deploying native Data ONTAP quotas. Use quotas to control disk space usage.

5.1.1 Quota Management
Partner integration with Quota/SRM includes products from NTP Software®, Northern Software Suite®, Veritas®, and Intermine®.
Value of using third-party quota management software to manage NetApp storage quotas: the NetApp storage quota management functionality has the current limitations:
• Only one quota (hard or soft) is allowed to be placed at the volume root.
• Only one threshold message is allowed, which is not customizable.
• NetApp quotas can only be placed on qtrees, volumes and users, and you're limited in the amount of thresholds and reporting you can perform.
With third-party tools:
• Quotas may be overlapping (example: you can place a 100GB limit on the volume root and then 100MB user home directory limits on all subfolders).
• You're allowed as many thresholds as you want; you can notify the user at 75%, 80%, 85%, 90%, 95%, 100%, etc.
• Both third-party tools have a report module which can generate canned or custom reports (example: you may run a Usage by User report to determine how much space your users are consuming).
NTP and NSS software allows for as many volume, share or directory level quotas as you desire.
The advantage of native quota management is that it works in a multiprotocol environment. Usage can be tracked regardless of whether a UNIX user manipulates data or a Windows user manipulates data. NetApp quotas may be reported on a qtree, user, or volume basis.

5.2 BEST PRACTICES

5.2.1 Quota
Always set a default quota on the volume.

NTP Software
NTP installation and configuration:
• When upgrading the current NTP version, it is better to reinstall the whole package instead of upgrading, as there is a possibility of version mismatch between the other software components (within NTP).
• NTP accepts the NetBIOS name only, NOT the IP address of the NetApp storage.
• In case of problems connecting NTP and NetApp storage, check the user credentials, which is the most common issue.
• Check 'Event Viewer' to diagnose and troubleshoot NTP issues, as the NTP log messages are well defined with less complexity. This helps to arrive at the solution quickly.
NTP post installation:
• NTP Software QFS for NAS Admin Reports doesn't update the NetApp storage volume information in real time. It needs a service restart to obtain the latest info from the NetApp storage. This is because the NTP architecture fetches info from the NetApp storage only when the service is started, thereby providing no dynamic update of changes.
• NTP doesn't support more than one quota server connecting to the NetApp storage for load balancing or redundancy.

5.3 DEMO

5.3.1 Native Quota Configuration
A quota limits the amount of disk space and the number of files that a particular user or group can consume. A quota can also restrict the total space and files used in a qtree, or the usage of users and groups within a qtree. A request that would cause a user or group to exceed an applicable quota fails with a "disk quota exceeded" error. A request that would cause the number of blocks or files in a qtree to exceed the qtree's limit fails with an "out of disk space" error. User and group quotas do not apply to the root user or to the Windows Administrator account. Tree quotas, however, do apply even to root and the Windows Administrator account. All quotas are established on a per-volume basis.
The quota command controls quotas, and the /etc/quotas file describes the quotas to impose. For further information on the format of the /etc/quotas file, refer to FAS1> man na_quotas. With no arguments, the quota command indicates the quota status (on, off, disabled, and so on) for each volume. This form of the command is deprecated; use the quota status command instead. The following list describes how to use the various quota commands:

FAS1> quota on <volume>
Activates quotas in the specified volume based on the contents of /etc/quotas. When quotas are first turned on, NetApp storage scans the file system to determine current file and space usage for each user and group with a quota. This might take several minutes, during which quotas are not in effect, although the file system is still accessible. Executing quota with no arguments during this period indicates that quotas are initializing and reports how much of the initialization process has completed. When run with the -w option, quota on will not return until NetApp storage has finished scanning the /etc/quotas file, and any errors will be printed to the console. When run without the -w option, quota on will return immediately and any errors will be reported through EMS.

FAS1> quota off <volume>
Turns quotas off on the specified volume. The volume name may be omitted if the system has only one volume.
FAS1> quota resize <volume>
This adjusts currently active quotas in the specified volume to reflect changes in the /etc/quotas file. For instance, if you edit an entry in /etc/quotas to increase a user's quota, quota resize will cause the change to take effect. The volume name may be omitted if the system has only one volume. quota resize can be used only when quotas are already on. Because it does not rescan the file system to compute usage, quota resize is faster than turning quotas off and then on again. quota resize will apply all updated entries in /etc/quotas; however, it will generally ignore newly added entries. A newly added entry will only take effect if the corresponding user or group has an active quota as a result of updating a file subject to default quotas.

FAS1> quota allow <volume>
Enables quotas on the specified volume.

FAS1> quota disallow <volume>
Disables quotas on the specified volume.

FAS1> quota status [volume]
Prints the quota status (on, off, disabled, and so on) for the specified volume. If no volume name is specified, the quota status for all volumes in the system is printed.

FAS1> quota report
Prints the current file and space consumption for each user or group with a quota and for each qtree. With a path argument, quota report displays information about all quotas that apply to the file. Space consumption and disk limits are rounded up and reported in multiples of 4 Kbytes. The formatting options are defined as:
-q  If this option is given, the quota target's ID is displayed in a numeric form. No lookup of the name associated with the target ID is done. For UNIX user IDs and group IDs, the ID is displayed as a number. For Windows IDs, the textual form of the SID is displayed.
-s  If this option is given, the soft limit values are printed in the output along with the hard limits.
-t  If this option is given, the warning threshold of the quota entry is included in the quota report output. If this option is omitted, the warning threshold is not included. This option is ignored if the -x option is used.
-v  If this option is given, the name of the vFiler controller is included in the quota report output. It is only valid if MultiStore® is licensed.
-u  If a quota target consists of multiple IDs, the first ID is listed on the first line of the quota report for that entry. The other IDs are listed on the lines following the first line, one ID per line. Each ID is followed by its original quota specifier, if any. Without this option, only one ID is displayed for quota targets with multiple IDs.
-x  If a quota target consists of multiple IDs, all IDs are listed on the first line of the quota report for that entry. They are listed as a comma separated list. Each column of the report output will be separated by a tab character. The threshold column will also be included.

FAS1> quota logmsg
Allows the user to specify a time interval for a volume during which quota messages for that volume will be disabled. With no arguments, the quota logmsg command displays the current interval settings.

Configuring Quotas on a User's Volume

HANDS-ON EXERCISE: Quotas
Prerequisite: CIFSRUN.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute: QUOTA.BAT. Then, proceed to step #10.

Background: This will be for a user's volume called DATA, allowing quotas to have a soft limit of 150MB for each user, and a hard limit of 175MB per user.
From NetApp FilerView**:
1. Select Volumes, Quotas, Add.
2. Select User.
3. Select "data" for the volume, and check to make this the default quota for this volume, followed by Next.
4. For "Disk space soft limit," use 150MB.
5. For "Disk space hard limit," use 175MB.
6. Click Next.
7. Commit, followed by Close.
8. From Quota, Manage, check the "data" volume.
9. Click On, followed by OK.
10. From the console:
FAS1> quota report
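To make the rules in 5.3.1 concrete, here is an added Python model (written for this page, not Data ONTAP code) of how the quotas configured in this exercise are enforced: the 150MB soft and 175MB hard default user quota on DATA, tree quotas that bind even root and Administrator, the two distinct error strings, and usage rounded up to 4 KB blocks as quota report shows it. The users, writes and the extra tree quota below are constructed for the demonstration.

```python
"""Simulation of the quota rules described in 5.3.1: user quotas with soft and
hard limits, tree (qtree) quotas, the exemption of root and the Windows
Administrator from user quotas (but not from tree quotas), and space
accounting rounded up to 4 KB blocks.  Added example written for this page;
a model, not Data ONTAP code.  Limits, users and writes are constructed."""

BLOCK = 4 * 1024                       # space is rounded up to 4 KB multiples
MB = 1024 * 1024
EXEMPT_FROM_USER_QUOTAS = {"root", "Administrator"}


class DiskQuotaExceeded(Exception):
    """A user or group quota would be exceeded ('disk quota exceeded')."""


class OutOfDiskSpace(Exception):
    """A tree quota would be exceeded ('out of disk space')."""


def blocks(nbytes):
    """Round a byte count up to whole 4 KB blocks."""
    return -(-nbytes // BLOCK)


class Limit:
    """Soft/hard space limits (kept in blocks) and an optional file limit."""

    def __init__(self, soft_bytes=None, hard_bytes=None, files=None):
        self.soft = None if soft_bytes is None else blocks(soft_bytes)
        self.hard = None if hard_bytes is None else blocks(hard_bytes)
        self.files = files

    def exceeded(self, used, n_files, new_blocks):
        """True if adding one file of new_blocks would cross a hard limit."""
        return (self.hard is not None and used + new_blocks > self.hard) or (
            self.files is not None and n_files + 1 > self.files)


class Volume:
    """Quotas are established per volume, like the entries in /etc/quotas."""

    def __init__(self, name, default_user=None):
        self.name = name
        self.default_user = default_user   # applies to users with no entry
        self.user_limits = {}
        self.tree_limits = {}
        self.used = {}                     # (kind, key) -> blocks consumed
        self.files = {}                    # (kind, key) -> files owned
        self.warnings = []                 # soft-limit threshold messages

    def set_user_quota(self, user, limit):
        self.user_limits[user] = limit

    def set_tree_quota(self, qtree, limit):
        self.tree_limits[qtree] = limit

    def write(self, user, qtree, nbytes):
        """Create one file of nbytes owned by user in qtree ('' = volume root).
        Returns the blocks charged, or raises the error the client would see."""
        n = blocks(nbytes)
        tree, owner = ("tree", qtree), ("user", user)

        # Tree quotas apply to everyone, root and Administrator included.
        tl = self.tree_limits.get(qtree)
        if tl and tl.exceeded(self.used.get(tree, 0), self.files.get(tree, 0), n):
            raise OutOfDiskSpace("%s/%s: out of disk space" % (self.name, qtree))

        # User quotas: explicit entry, else the volume default; root is exempt.
        ul = None
        if user not in EXEMPT_FROM_USER_QUOTAS:
            ul = self.user_limits.get(user, self.default_user)
        if ul:
            used = self.used.get(owner, 0)
            if ul.exceeded(used, self.files.get(owner, 0), n):
                raise DiskQuotaExceeded("%s on %s: disk quota exceeded"
                                        % (user, self.name))
            if ul.soft is not None and used <= ul.soft < used + n:
                # crossing the soft limit only produces the threshold message
                self.warnings.append("%s on %s: soft limit of %d KB exceeded"
                                     % (user, self.name, ul.soft * BLOCK // 1024))

        for key in (tree, owner):
            self.used[key] = self.used.get(key, 0) + n
            self.files[key] = self.files.get(key, 0) + 1
        return n

    def report(self):
        """Usage per target in KB, a multiple of 4 as in 'quota report'."""
        return {"%s:%s" % k: v * BLOCK // 1024 for k, v in self.used.items()}


if __name__ == "__main__":
    vol = Volume("DATA", default_user=Limit(soft_bytes=150 * MB, hard_bytes=175 * MB))
    vol.write("fred", "", 160 * MB)        # over the soft limit: warning only
    try:
        vol.write("fred", "", 20 * MB)     # 180 MB would pass the 175 MB hard limit
    except DiskQuotaExceeded as err:
        print(err)
    print(vol.warnings, vol.report())
```

The order of the two checks matters: the tree quota is evaluated first and independently of who is writing, which is why a root-owned write into a full qtree fails with "out of disk space" even though root never sees "disk quota exceeded".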
From the console:
FAS1> quota report
You can use the quota report function to report on individual users, groups or volumes. Qtree quotas and user quotas (soft and hard limits) are supported. Enhanced quota notification and reporting is available in NetApp Operations Manager.

** System Manager is the replacement for FilerView. Currently, System Manager 1.0 runs in a Windows environment only. This includes Windows XP, Windows Vista, Windows 2003, and Windows 2008. System Manager implements an MMC plug-in, so it depends on MMC 3.0 and .NET 2.0. The System Manager software will:
• Discover unprovisioned NetApp storage using SNMP
• Perform basic controller setup (DNS, NIS, Networking, AutoSupport, SNMP, Security, Date/Time/Time Zone)
• Perform aggr, volume and lun provisioning along with CIFS server and share provisioning (ACL shares too)
• Perform host discovery (hosts running sw initiator)
• Provide igroup and host connections
• Provide improved monitoring and health diagnostics (ie. status dashboard, system health tray) via SNMP
• Have ONLINE HELP support. This online help will also include task based instructions and interpretive advice.
The application will also have a Quick Start/Setup Guide. The software will be available from the NetApp NOW software download pages, targeted for release in the February 2009 time frame. A copy of the beta software is located at: C:\CIFSDEMO\SETUP\System_Manager.exe

5.2 Quota Management using Northern Storage Suite (www.Northern.net)

HANDS-ON EXERCISE: Northern Storage Suite Quota Management
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003 and Vista
Either perform the following steps, or to automate the task, execute QUOTANSS.BAT. Then, under Installation, proceed to step #2.

Install this on the Windows 2003 Server. Modifications must be made to install on Windows 2008, which are outside the scope of this lab.

Installation
1. If you have not already installed the Microsoft SQL Server Desktop Edition for VFM, install MSDE now with the following switches:
SERVER> C:\CIFSDEMO\Northern\MSDE\setup SECURITYMODE=SQL SAPWD=netapp1
Note: A reboot IS required before proceeding with the installation of Northern Software.
2. Following the reboot, login and on the tool bar (bottom right side of desktop), right click SQL Server Agent. Select "Open SQL Server Service Manager." Under Services, select "SQL Server Agent." Check Auto-start service when OS starts. Click Start. Close the dialogue.
3. Execute Northern Software Suite setup:
SERVER> C:\CIFSDEMO\Northern\setup
4. At the "Welcome to the Northern Storage Suite" dialogue, click Next
5. Choose Evaluation Installation, click Next
6. Choose NAS Evaluation, click Next
7. On the License Agreement dialogue, click Yes
8. On the Choose Destination Location, click Next
9. Select Northern Storage Report. Click User Interaction (left side)
10. Check 'Create a database for Northern Storage Suite's usage statistics'. On the top right, click Change Server
11. Enter Server: W2003, Account: sa, Password: netapp1, Confirm Password: netapp1
12. click Next
13. On the Start Copying Files dialogue, click Next. Click Next x3, then Close

Finish Configuration
1. Start NSS by clicking Start -> All Programs -> NORTHERN -> Storage Suite -> Northern Storage Suite
2. If prompted to accept the "Northern Certified Software," choose Install.
3. Host Management (Left side, third menu item)
4. Click Add.
5. Select the Host where NSS is installed (W2003). (This is NOT the NetApp storage)
6. A dialogue will open, asking the type of connection. click Next x2
7. A NetApp Configuration Wizard will begin, asking which Quota Server server – use the default of W2003. Next. Finish.
8. Click Config (Top right).
9. Under Status, click the left square. (It should read Home: Dashboard under the square when you move the mouse over the square.) click Next
10. The next screen shows the host server where NSS is installed (W2003), click Next
11. Select the server where NSS is installed (DEMO -> W2003)
12. On the properties of the Scan Dialogue, select to repeat the scan every 5 minutes, click Next
Note: In a production environment, you would normally set the scan to be at a higher level than this. In a lab environment we want to ensure the changes we make can be reported upon much sooner.
13. On the top right, click the middle (orange square). It should read Quota under the square when you move the mouse over the square. click File System Quotas
14. Right click and select 'Add NetApp Filer'
15. On the left panel, expand the NT Servers list and select the NetApp storage (FAS1), and select NetApp Managed Host. click Next
Note: There is a bug in this version of the software – you will need to click NetApp Managed Host, then click on EMC, and then back to NetApp Managed Host – this is to enable the Next button, otherwise the Next button is not selectable.
16. Enter Account: DEMO\Administrator, Password: netapp1, click Next
17. Use HTTP user name: root, Password: netapp1, click Next
18. A dialogue will open, asking Do you wish to add additional Filers. Click Next again, Finish.
19. Under the middle pane, expand 'Shares'
20. Under the NetApp Storage name, Select the BOOKS share.
21. Right click and select 'Add Quota or Template'. A wizard will begin, click Next
22. Select add Quota, Next
23. Change the size to 50 MB, Next
24. Under Threshold Settings, click Level 1 which will enable additional options, Next
25. Under User Notification, select Popup, in Popup Receiver, type: %User, for Level 2 and 3, click Next
26. Select Next to leave the default to apply the quota to the entire share
27. In the User Settings, Select User, then Next
28. On the Users page, expand the Users container and add Wilma, and remove Everyone, then Next
29. Click the browse [Ellipsis] button, in the Path type: \\FAS1\BOOKS, click OK, Next
30. Select NetApp, followed by Apply and Close, followed by Next
31. Minimize the NSS Internet Explorer window
32. Map Wilma to the BOOKS share: SERVER> From the desktop, double click on the DEMO.MSC shortcut. This will allow you to remotely connect to the VISTA workstation. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Wilma'. Once connected, click Start, Run and type CMD.exe
33. VISTA> Net use T: \\FAS1\BOOKS
34. VISTA> Copy C:\CIFSDEMO\NORTHERN\*.* T:\
35. VISTA> Net use T: /delete /yes
36. Log off the Vista machine
37. Return to the NSS Internet Explorer window and notice the % used bar.

VIEWING END-USER PAGES IN STORAGE PORTAL
1. Choose: Start -> All Programs > NORTHERN > Storage Suite > Components -> Storage Portal.
2. If prompted to accept the "Northern Certified Software," choose Install.
3. In the Storage Portal Client, for User, type: demo\wilma
4. click GO
5. The user's Storage Portal Page appears.

5.3 Quota Management using NTP Software (www.NTPSoftware.com)

HANDS-ON EXERCISE: NTP Software Quota Management
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003 and Vista
Either perform the following steps, or to automate the task, execute QUOTANTP.BAT. Then, under Installation, proceed to step #2.

Install this on the Windows 2003 Server.

Installation
1. SERVER> C:\CIFSDEMO\NTP\setup.exe
2. On the Welcome to the NTP Software Installation, Choose Yes to install Smart Policy Manager
3. On the Welcome to NTP, click Next
4. Check "I accept the terms of the license agreement," click Next
5. Accept the default Destination Location, click Next
6. Accept the default features, click Next
7. First Time Installation. For the service account, use: Service: DEMO\Administrator Password: netapp1 Confirm: netapp1
8. Accept the default location for the Smart Policy Database, click Next
9. Organization Info: Organization: NDF, Location: San-Diego <- Do not change this name, as it matches the AD site. click Next
10. User Information: Company Name: NDF. Check Install Evaluation Version.
11. Accept the default features, click Next
12. On the Start Copying File dialogue, click Next.
13. Accept the default location, click Next
14. Use the default for "Select program Folder," click Next
15. Quota & File Sentinel, click Next
16. On the Account Type, click Next
17. Choose Service account, click Next
18. Choose "Specify an account to use," click Next
19. Service: DEMO\Administrator Password: netapp1 Confirm: netapp1
20. Check "I accept the terms of the license agreement," click Next
21. On the Email Notification dialogue, uncheck, click Next. We do want email notification enabled.
22. Uncheck "Yes, I want to view the readme file," click Finish
23. Click Next to gather NAS device information
24. QFS connector: NetBIOS name: FAS1. NetBIOS name of your hosting Filer: <leave blank>
25. Uncheck "Yes, I want to view the readme file," click Finish
26. FAS1> fpolicy create NTPSoftware_QFS screen

Configuration
1. SERVER> All Programs -> NTP Software QFS for NAS -> NTP Software QFS for NAS Admin
2. Maximize the Quota & File Sentinel dialogue
3. Expand San-Diego, fas1, Quota & File Sentinel
4. Right click Disk Quota Policies, select New -> Folder Policy using Shares
5. New Quota Share Policy: a. Policy Name: Books Quota b. Description: Historical Data
6. Click the Quota Tab: a. Absolute Quota limit of 50 MB b. Under Quota Limit Properties, select 100%
7. Click the Shares Tab: a. Click Add, type BOOKS b. enable Deny Write. Click OK
8. Map Wilma to the BOOKS share: SERVER> From the desktop, double click on the DEMO.MSC shortcut. This will allow you to remotely connect to the VISTA workstation. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Wilma'. Once connected, click Start, Run and type CMD.exe
9. VISTA> Net use T: \\FAS1\BOOKS
10. VISTA> Copy C:\CIFSDEMO\McAfee\*.* T:\
11. VISTA> Net use T: /delete /yes
12. Log off the Vista machine
13. Return to the Quota & File Sentinel
14. Expand San-Diego, fas1, Disk Quota Policies. Click Books Quota
15. On the right side of the dialogue, Expand San-Diego, fas1, expand BOOKS, and you will see the % of individual usage.

5.4 NETAPP TECHNICAL REPORT REFERENCE
Quota Use Guide for NetApp Storage Systems – October 2005 (Includes QFS information) http://media.netapp.com/documents/tr-3425.pdf

6 INTEGRATION WITH WINDOWS SERVICES

6.1 OVERVIEW
NetApp file services solutions simplify the growing complexity and reduce costs of storing and serving files in organizations by almost 40%. NetApp's solution integrates with the customer's existing Active Directory, group policy objects, roaming profiles and more, so they can consolidate with little effort, migrate and manage their Windows files with Virtual File Manager with little to no disruption, and take advantage of a wide portfolio of certified solutions.

6.2 BEST PRACTICES
When connecting to a Windows 2008 Domain, with an existing 2003 DC, no issue should arise if the NetApp Storage is using Data ONTAP 7.2.4 or higher. The problem arises when you have a native Windows 2008 domain and NetApp storage with earlier versions of Data ONTAP. Windows 2008 runs CIFS version 2.0, which is what the upgraded Data ONTAP versions fix (inclusion of CIFS 2.0), and keeping a Windows 2003 domain in the loop keeps CIFS 1.x active. The behavior seen with Windows 2008 native mode and incompatible Data ONTAP versions is an inability to authenticate with the Kerberos key and the "unable to acquire NetApp storage credentials" error, very similar to the behavior seen with a time skew greater than 5 minutes.

For the Kerberos ticket cache, there is no local cache maintained on the NetApp storage, as the ticket expiry information is carried on the ticket itself; when the ticket expires, the NetApp storage will ask the client to come back with a valid session ticket again and the whole authentication process will be repeated.

6.2.1 Configuring Offline Folders

Offline Folders (Client-Side Caching)
NetApp storage systems support the Microsoft Offline Folders feature, or client-side caching, which allows files to be cached for offline use on Windows 2000, XP, 2003, and Vista clients. The folders that are made available offline are synchronized to the Windows local disk. Synchronization occurs when network connectivity to a specific storage system share is restored.

To enable the Offline Folders options on a Windows client, in Windows Explorer, select Folder Options from the Tools menu. To force this feature on a specific file or folder, right-click the selected network drive or subfolder and select Make Available Offline. For more information, see the Microsoft TechNet article: "Make a file or folder available offline."

You may also specify whether Windows user documents and programs are automatically cached on a share or whether the files must be manually selected for caching. Manual caching is enabled by default for new shares. Use the following CIFS shares options to manage client-side caching:
FAS1> cifs shares (-change or -add) <share name> [-no_caching | -auto_document_caching | -auto_program_caching]

6.2.2 Configuring Folder Redirection (Symbolic Links)
NetApp storage systems support Microsoft folder redirection, one of the key components of Microsoft IntelliMirror technology. Folder redirection can be set manually by the user, or be set through a GPO configuration on the Windows server.

Note: If you allow Folder Redirection to create the redirected folders on a specified network, the folders that are created in this way have proper permissions assigned to them. If you create the folders manually, you must make sure that permissions are properly assigned.

Configuring Folder Redirection through a GPO

HANDS-ON EXERCISE: Group Policy Object
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute: none

1. On the Windows server, open the Active Directory Users and Computers tree.
2. Right-click the Organization Unit (OU) that contains the users desired (ldapusers), and then click Properties. Remember a GPO cannot be applied to the default Computers OU.
3. Select the Group Policy tab, and select New.
4. Enter a name for the new GPO, i.e. Folder Redirect
5. Highlight the new GPO and select Edit. This opens the Group Policy Object Editor.
6. Expand User Configuration > Windows Settings > Folder Redirection.
7. Under Folder Redirection, select the folder that you want to redirect; we will use Desktop for this lab.
8. In the Properties dialog box for the special folder, click the Target tab, and then in the Settings box, select Basic - Redirect everyone's folder to the same location.
9. Under Target folder location, select Create a folder for each user under the root path. The user name and folder name are appended to the UNC path automatically.
10. In the Root Path box, type a Universal Naming Convention (UNC) path. For this example we will use \\FAS1\redirect and then click OK.
11. Click OK.
12. Close the Group Policy Editor and the OU Properties dialog box.

This option is intended only for organizations that have already deployed home directories and that want to maintain compatibility with their existing home directory environment.
Selecting Advanced redirection allows you to apply the redirection to users that belong in a specified security group. Testing the Folder Redirect GPO will be performed at the end of this chapter.

6.2.3 Group Policy Objects (GPOs)
To enable additional management in Active Directory, group policy objects (GPOs) may be applied to users, computers, and servers in the domain. A GPO is a set of rules that are applicable to users and computers in an Active Directory environment and defined centrally for ease of administration and increased security. Settings that you control with GPOs include environmental settings, account policies, security settings, user rights assignment, folder redirection, script assignment, and software distribution.

NetApp storage systems fully support GPOs that apply to users and users' computers. Although few GPOs are applicable to a NetApp storage system, the storage system is able to recognize and process a certain set of GPOs. GPO support is included in NetApp storage systems. The following GPOs are currently supported:
• Startup and shutdown scripts
• The GPO refresh time interval for computer
• File System Security settings
• Restricted Group Security
• Event Log support
• Auditing support
• User Rights Assignment
• GPO refresh time interval random offset
Refer to Appendix G for additional supported GPOs in Data ONTAP 7.3.

GPO support can be easily enabled on a NetApp storage system with the CLI. The option is:
FAS1> options cifs.gpo.enable on | off
Make sure that CIFS is licensed and configured on the storage system and that it is already associated with an Organizational Unit (OU).

Beginning with Data ONTAP version 6.4, when GPOs have been enabled on a storage system and specified in the Active Directory domain, startup and shutdown scripts are applied to a group of systems in the following way:
• When CIFS starts on a storage system, it retrieves GPOs from the domain controller, including startup and shutdown scripts, and runs the retrieved startup scripts. The storage system accesses the scripts from the Domain Controller's sysvol directory and saves these files locally in the /etc/ad directory. Startup scripts: /etc/ad/startup.txt. Shutdown scripts: /etc/ad/shutdown.txt. Scripts are limited to a maximum of 4k.
• During a CIFS shutdown, CIFS executes the last retrieved shutdown script.
Note: Although the storage system periodically retrieves updates to the startup and shutdown scripts, startup scripts are not applied until the next time CIFS restarts.

Managing GPOs
By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. Group Policy for the computer is always updated when the system starts. A random offset has been added to the refresh interval to prevent all clients from requesting Group Policy at the same time; the random offset prohibits all of the servers from polling the domain controllers at the same time. The range of the random offset is from 0 to 1440 minutes (24 hours). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

All GPOs are verified every 90 minutes. Data ONTAP queries Active Directory for changes to GPOs. If the GPO version numbers recorded in Active Directory are higher than those on the storage system, Data ONTAP retrieves and applies the new GPOs. If the version numbers are the same, GPOs on the storage system are not updated. Security Settings GPOs are refreshed every 16 hours: by default, Data ONTAP retrieves and applies Security Setting GPOs every 16 hours, whether or not these GPOs have changed.

In addition to background updates, all GPOs can be updated on demand with the Data ONTAP command "cifs gpupdate," which simulates the output of the Windows 2000, XP, Vista gpresult.exe /force command. To display GPOs that are currently in effect for the storage system and the results of those GPOs, use the cifs gpresult [ -r | -v | -d ] command.

6.2.4 Managing User Roaming Profiles
Windows profiles are stored in the user's My Documents directory. Windows files are stored in the user's My Documents directory. Roaming profiles should not be enabled for Offline Files. For more information, refer to Microsoft Knowledge Base article 287566, "The Cache Option for Offline Files Must Be Disabled on Roaming User Profile Shares."

Enabling Offline Files on DFS link targets is supported only on client computers running Windows XP, Windows Server 2003 and Windows Vista. For more information, refer to Microsoft Knowledge Base article 262845, "Support for DFS-Based Shares for Offline Files."

Roaming profiles that are replicated using FRS to multiple link targets might lead to data loss (due to FRS conflict resolution) if a user logs into multiple workstations, makes changes to the same file on different targets, and then logs off both workstations. FRS does not provide distributed file locking. Depending on the update patterns of users, the lack of distributed locking might cause one user's update to override another user's update. If the collaboration is such that end users are not writing to the same files simultaneously, this most likely would not be an issue.

Things to remember with User Profiles:
• Do not use Encrypted File System (EFS) with Roaming User Profiles.
• Do not use offline folders on roaming profile shares, or the File Replication Service (FRS).
• Make sure that Offline Folders are set to synchronize at logon and logoff. If you are using Offline Folders in conjunction with Folder Redirection and roaming user profiles, for the best experience you should make sure that you leave the default setting of synchronizing Offline Files at logoff enabled.
• If storing Roaming Profiles on the same NetApp storage as redirected folders that have caching enabled: when a share is unavailable, Offline Folders considers the whole server to be unavailable until the offline cache is manually synchronized. Roaming profiles are not synchronized with the NetApp storage while Offline Folders considers the NetApp storage to be unavailable.
• Make sure enough disk space is allocated to allow the system to create a temporary duplicate copy of a user's profile. The temporary profile is created in the user's context as part of the synchronization process, so it debits his or her quota. If a user's disk quotas are set too low, roaming profile synchronization might fail.
• Give all users Full Control permissions to the share (this is the default).

Configuring a Roaming User Profile

HANDS-ON EXERCISE: Roaming User Profile
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute: none

You can configure a roaming profile by using the following procedure. For this example, we will use an existing share on the NetApp storage where user profiles will be stored. The share is called "Profile", and we will use it for Wilma Flintstone.
1. Open the Active Directory Users and Computers snap-in and navigate to the OU called ldapusers.
2. Right-click on the user Wilma Flintstone, and select Properties from the menu.
3. Click the Profile tab.
4. For the Profile Path:, type \\FAS1\Profile\%username%
The variable %username% will automatically create the Profile for the selected user(s).

6.3 DEMO

6.3.1 Group Policy Object Security Configuration

HANDS-ON EXERCISE: GPO Security
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from Vista, W2003
Either perform the following steps, or to automate the task, execute: none

A CIFS share has been created for you, as well as two users. In the example we will use:
Share: DATA, located at /vol/DATA
Active Directory User: Wilma, password: netapp1
Active Directory User: Fred, password: netapp1
Organization Unit where the NetApp Storage is located: NetApp Storage

By supporting this Policy, administrators will be able to define access permissions on DACLs and audit settings on SACLs for the file system objects that exist in NetApp storage through Active Directory. For Example, on NetApp storage where the customer stores source code for application installs, they could limit full control to source code administrators and read/execute rights to software installers. This allows them to give local admin rights to people in order to support the hardware without giving them the ability to change security settings on directories. Ultimately the power to ACL directories then stays with the people who can edit the policies.

To create a File System security GPO, complete the following steps.
1. On the NetApp storage, issue the following command:
FAS1> options cifs.gpo.enable on
2. On the Windows server, open the Active Directory Users and Computers MMC.
3. Right-click the Organization Unit (OU) NetApp Storage, and select Properties. Remember a GPO cannot be applied to the default Computers OU.
4. Select the Group Policy tab, and select New.
5. Enter a name for the new GPO, i.e. CIFS DATA access.
6. Highlight the new GPO and select Edit. This opens the Group Policy Object Editor.
7. Expand Computer Configuration > Windows Settings > Security Settings.
8. Right-click File System and select "Add File." This opens the "Add a file or folder" dialog box. Note: Do not select the option to browse the local server's drives. Result: The Add Object window opens.
9. In the Folder field, enter the storage system path on which to apply the GPO (/vol/DATA) and click OK. Result: The Database Security window opens.
10. In the Database Security window, set the permissions you want and click OK. Add: Wilma Flintstone, and give full control; Fred Flintstone, and give the default of read, execute and list permissions.
11. In the Add Object dialogue, accept the default settings, and click OK. Result: The Group Policy Editor displays the new object name. Click OK.
12. Close the Group Policy Editor and the OU Properties dialog box.

Note: The format of target file or directory names must be recognized by Data ONTAP and must be in absolute or relative form.
• Absolute pathname—for example, /vol/vol0/DATA. When an absolute pathname is supplied, Data ONTAP applies File System security settings to the specified target file or files within the target directories.
• Relative pathname—for example, /DATA. When a relative pathname is supplied (any pathname that does not begin with /vol), Data ONTAP applies File System security settings to any target file or directory containing the specified element. This is a convenient way to apply settings to multiple parallel targets in a single storage system. In this example, the settings are applied to the /home directory in the storage system root volume, and the settings are applied to all vFiler units with /home directories.

On the storage system, enter the following command to retrieve and apply the new GPO:
FAS1> cifs gpupdate
Note: If you do not explicitly apply the new GPO with the cifs gpupdate command, the storage system applies the new GPO the next time it queries the Active Directory server (that is, within 90 minutes).

The cifs gpresult command takes the following options:
None: Displays information about the GPOs currently applicable to the storage system, including name, version and location.
-r Displays the results of applying current GPOs to the storage system.
-v Generates a verbose display, including information about applicable GPOs and the results of applying them.
-d Dumps the output from cifs gpresult -v to the file /etc/ad/gpresult_timestamp.

When multiple sites are present and the NetApp storage is unable to choose its site based on rules, the following message will be displayed:
[cifs.gpo.ldap:warning]: CIFS GPO LDAP: Filer tries to search for GPO list. Error code: 32: No such object
There should be a rule based on subnets to determine the current site for the NetApp storage. If the rule does not exist, then during CIFS setup it will present the option to choose a site to associate with the NetApp storage. The option to choose a site is shown only if there are multiple sites configured. If there is only one site, cifs resetdc should correct the site entry. In case the NetApp storage belongs to another site, and its site name has been changed from the default of Default-First-Site, then a CIFS terminate followed by CIFS setup will give an option to choose the site for the NetApp storage.

Verify the GPO Works

HANDS-ON EXERCISE: GPO - Verify
Prerequisite: CIFSRUN.BAT
Performed from W2003 and Vista
Either perform the following steps, or to automate the task, execute: none

Map a drive to the data share with the user name Wilma:
1. SERVER> gpupdate /force
2. FAS1> cifs gpupdate
3. SERVER> From the desktop, double click on the DEMO.MSC shortcut. This will allow you to remotely connect to the VISTA workstation. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Wilma'. Once connected, click Start, Run and type CMD.exe
4. VISTA> Net use T: \\FAS1\DATA
5. Copy several files to the T: share
6. Log off the Vista machine
7. SERVER> From the desktop, double click on the DEMO.MSC shortcut. This will allow you to remotely connect to the VISTA workstation. On the left column of the MSC, expand 'Remote Desktop'. Double-click on 'Connect as Fred'. Once connected, click Start, Run and type CMD.exe
8. VISTA> Net use T: \\FAS1\DATA
9. Open a file, and you should be able to read the contents. Now try to delete one of the files, and you should be denied access.
10. Log off the Vista machine
11. Follow the lab exercises in sections 6.2.2, 6.2.4 and 6.3.1
12. SERVER> Net use T: \\FAS1\REDIRECT
13. SERVER> Net use U: \\FAS1\PROFILE
14. Open Windows Explorer; you will see a sub-folder for each user who has logged onto the Vista machine.
15. SERVER> Net use * /delete /yes

6.3.2 Integrating with Active Directory LDAP

Using LDAP Services
Data ONTAP supports LDAP for authentication, file access authorization, and user lookup and mapping services between NFS and CIFS.

NetApp LDAP Servers Supported
Data ONTAP LDAP support includes the following types of LDAP servers:
• Netscape (support ended December 28, 2007) http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers/
• iPlanet / SUN – www.sun.com
• OpenLDAP – www.openldap.org/
• Windows Active Directory
• Novell eDirectory/Novell Directory Services (NDS) – www.novell.com
For the steps to use Novell's eDirectory for LDAP authentication, refer to Appendix F.

Specifying the General Search Base and Scope
The LDAP base is the distinguished name of the LDAP tree in which user information is stored. All lookup requests sent to the LDAP server will be limited to the search base and scope specified by the ldap.base option value, unless further restricted by a more specific base and scope lookup value. In this exercise, we have created the following structure:
• Active Directory domain: demo.netapp.com
• The context for users, groups and passwords will be restricted to: ldapusers.demo.netapp.com
• The administrative account is located in the default Users domain OU

6.3.2.1 Editing the /etc/nsswitch.conf File for LDAP

HANDS-ON EXERCISE: LDAP NSSWITCH.CONF
Prerequisite: none
Performed from W2003
Either perform the following steps, or to automate the task, execute LDAPNSS.BAT. Then, under Enabling or Disabling LDAP, proceed to step #2.

Modify the /etc/nsswitch.conf file as follows:
1. FAS1> priv set advanced
FAS1*> java netapp.cmds.jsh
FAS1*> cp /etc/nsswitch.conf /etc/nsswitch.conf.original
FAS1*> wrfile /etc/nsswitch.conf
passwd: ldap files nis
netgroup: ldap files nis
group: ldap files nis
hosts: files dns nis
shadow: files nis
Ctrl+C to end file
A message will display stating: "read: error reading standard input: Interrupted system call"
FAS1*> wrfile -a /etc/usermap.cfg demo\* == *
After you create the file, you may view the contents with the commands
FAS1*> rdfile /etc/usermap.cfg
FAS1*> rdfile /etc/nsswitch.conf
FAS1*> exit
FAS1*> priv set

Enabling or Disabling LDAP
2. To enable or disable LDAP on your NetApp storage, complete the following step.
FAS1> options ldap.enable on

Resetting the Environment
If you wish to proceed to other exercises once you complete the LDAP AD lab, you will need to switch the NetApp storage back to AD authentication. To accomplish this, execute the CIFSRERUN.BAT:
SERVER> C:\CIFSDEMO\SCRIPTS\CIFSRERUN.BAT

LDAP Authorization for NFS File Access from Windows Clients
On the NetApp storage to be accessed, verify that every CIFS user who needs to access UNIX files is mapped to an associated UNIX user name in the usermap.cfg file. Verify that every associated UNIX user name has an entry in the LDAP database.

6.3.2.2 Extending the RFC 2307 Schema
By default, Data ONTAP supports LDAP servers that comply with RFC 2307, which specifies a Network Information Service (NIS)-style schema. You can replace the default values of LDAP options with your custom attribute names to configure Data ONTAP to query your custom (not RFC 2307-compliant) schema.

In Windows Server versions prior to Windows 2003 R2, it is necessary to extend the LDAP schema from AD with the UNIX attributes. This is accomplished by installing "Windows Services for UNIX" from Microsoft (use version 3.5): www.microsoft.com/windows/sfu/. Although in Windows Server 2003 R2 the Active Directory schema is already extended with an RFC2307-compliant schema, the Windows Services for UNIX must still be installed to support the Active Directory Users and Computers tool with the UNIX Attributes tab, to allow GUI editing of UNIX attributes for users, groups and computers.
1. SERVER> Launch the UNIX 3.5 setup program (C:\CIFSDEMO\LDAP\unix\setup.exe).
2. On the Welcome screen, click Next.
3. Accept the default information for User name /Organization and click Next.
4. Check "I accept the license agreement" and click Next.
5. Choose Standard Installation, click Next.
6. On "User Name Mapping," accept the default and click Next.
7. Accept the default on the next "User Name Mapping" dialog and click Next.
8. On the "Security Settings" page, leave both options unchecked, click Next.
9. The installation will take an average of 4 minutes to complete. Note: If an error occurs which suspends installation, i.e. NIS server could not start, simply restart the setup.
10. When prompted click Finish, and choose Yes to reboot.

Note: Every user who needs to have LDAP authentication must have a unique UID assigned, as well as a Primary Group Name/GID assigned. Both of these are assigned by selecting the User properties in Microsoft Management Console, then assigning the following:
• Unique UID assigned
• Primary Group Name/GID assigned
Groups must be assigned a GID before a User can be assigned the GID of a group.

Steps to assign GIDs:
1. Open Active Directory Users and Computers.
2. Navigate to the ldapusers context.
3. Create a group called HR, with the following settings: Group scope: Global, Group type: Security. Click OK
4. Right click HR, and select Properties. Select the Members tab, click Add, add Fred and Wilma.
5. Right click HR, and select Properties. Select the UNIX Attributes tab: NIS Domain: DEMO, GID (Group ID): 100
6. On the UNIX tab, under the Members section, click Add. Select both Fred and Wilma, OK. Click OK.
7. Right click Fred, and select Properties. Select the UNIX Attributes tab: Select NIS Domain: DEMO, UID: 200. Click OK
8. Right click Wilma, and select Properties. Select the UNIX Attributes tab: Select NIS Domain: DEMO, UID: 201. Click OK
9. Click OK.

6.3.2.3 LDAP Authentication Requires Clear Text Passwords
NOTE: The registry settings have been placed in the LDAPWINSETUP. You may execute the batch file instead of manually changing the registry.

Windows clients require a registry edit to enable them to send passwords without encryption. The SMB redirector does not send an unencrypted password unless you add a registry entry to enable unencrypted passwords. If the following error message occurs, apply the resolution below. A reboot is required following the change.

RESOLUTION
Windows Vista, Windows XP and Windows 2000 clients
• In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters, add a REG_DWORD value called EnablePlainTextPassword and set it to 1.
OR
• Run Local Security Policy (under Administrative Tools), enable Microsoft network client: Send unencrypted password to third-party SMB servers (for Windows 2003 and XP) or Send unencrypted password to third-party SMB servers (for Windows 2000).

Windows NT clients
• In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\parameters, add a REG_DWORD value called EnablePlainTextPassword and set it to 1.

Windows 98 clients
• In HKLM\System\CurrentControlSet\Services\VxD\VNETSUP, change EnablePlainTextPassword to 1.
• Or right click \tools\mtsutil\Ptxt_on.inf and click install.
Since LDAP authentication transmits unencrypted passwords.BAT.6. OR • On the Windows 98 CD. Page 105 of 187 CIFS – demo. Under Security Settings->Local Policies->Security Options. Clients that are not properly configured to send clear text passwords to the storage system will be denied access and display an error message similar to the following: System error 1240 has occurred or The account is not authorized to login from this station. Windows 2003. click on the Connection tab. SERVER> C:\CIFSDEMO\LDAP\LDAPBrowser\lbe. By default Windows sets the policy to “NTVLM2 responses only. leave the Base DN blank.com . Now navigate to the Users folder. 6. but any additional OUs created will always be referenced with OU. 3.DC=netapp. The specified network password is not correct. Navigate to the ldapusers folder. click New. 1. Host: W2003.demo.DC=demo. followed by Connect 5. the Host name will be BigRed.netapp.” Navigate to the policy "Network Security: LAN Manager authentication level" and open it.netapp.DC=netapp.4 Testing Windows LDAP Prior to removing the NetApp storage from the Active Directory domain.demo. you should see the default context you specified.DC=com Password: netapp1 Click SAVE.netapp.NetApp. and enable Anonymous bind.msc.com. For name. Active Directory uses CN for the default context. On the left column.DC=com SSL: Off Anonymous bind: Off User DN: CN=Administrator." • • • • Open the Run command and type “secpol. For the balance of the settings. Page 106 of 187 CIFS – Demo.2. Notice this folder’s context is OU.CN=Users."System error 86 has occurred. 4.” Note: This step must also occur on all Windows domain controllers used for LDAP authentication.bat 2.” Click on "Local Policies" --> “Security Options. 6. exit the LDAP browser.com. After a few moments a Java screen will show the default connection Session List.com Port: 389 Version: 3 Base DN: DC=demo.3. NOTE: For NetWare eDirectory LDAP browsing. When finished exploring. type: demo. this context is CN. 
we will test the LDAP configuration on the Windows domain controller.” Change this to “LM and NTLM – use NTLMV2 session security if negotiated. use the options specified for AD. nssmap.servers.base.gidNumber msSFU30GidNumber FAS1> options ldap.nssmap.loginShell msSFU30LoginShell FAS1> options ldap.dc=netapp.dc=com" FAS1> options ldap.nisNetgroupTriple FAS1> options ldap. You may execute the batch file instead of manually typing these commands.uidNumber msSFU30uidNumber FAS1> options ldap.objectClass.NetApp.posixGroup Group FAS1> options ldap.group "ou=ldapusers.dc=netapp.attribute.attribute.nssmap.com .netgroupname cn FAS1> options ldap.Custom LDAP Schema Options in Data ONTAP Make the appropriate LDAP changes: NOTE: The following LDAP settings have been placed in the LDAPWINSCHEMA.port 389 FAS1> options ldap.dc=com" FAS1> options ldap.attribute.nssmap.dc=demo.windowsaccount Windowsaccount Page 107 of 187 CIFS – demo.cn=Users.dc=com" FAS1> options ldap.dc=netapp.gecos name FAS1> options ldap.userPassword msSFUPassword FAS1> options ldap.dc=demo.attribute.passwd netapp1 FAS1> options ldap.nssmap.memberUid msSFU30MemberUid FAS1> options ldap.dc=netapp.homeDirectory msSFU30HomeDirectory FAS1> options ldap.servers FAS1> options ldap.usermap.memberNisNetgroup memberNisNetgroup FAS1> options ldap.nssmap.dc=com" FAS1> options ldap.dc=demo.dc=com" FAS1> options ldap.attribute.ADdomain "dc=demo.attribute.attribute.dc=netapp.nssmap.attribute.groupname cn FAS1> options ldap.netgroup "ou=ldapusers.usermap.nssmap.objectClass.nisNetgroup nisNetgroup FAS1> options ldap.nssmap.preferred FAS1> options ldap.attribute.attribute.unixaccount Unixaccount FAS1> options ldap.nssmap.base.passwd "ou=ldapusers.attribute.nssmap.ssl.posixAccount User FAS1> options ldap.enable on FAS1> options ldap.dc=netapp.nssmap.minimum_bind_level anonymous FAS1> options ldap. 
FAS1> options ldap.base.base "ou=ldapusers.dc=demo.enable off FAS1> options ldap.attribute.attribute.nssmap.nssmap.nssmap.uid sAMAccountName FAS1> options ldap.BAT.dc=demo.name "cn=Administrator.attribute.objectClass.dc=com" FAS1> options ldap. return the NetApp storage back to standard administration with: FAS1*> priv set Page 108 of 187 CIFS – Demo.100 FAS1> getXXbyYY getpwbyname_r Fred produces something like pw_name = Fred pw_passwd = {{******}} pw_uid = 201.com aliases: addresses: 192. FAS1> getXXbyYY gethostbyname_r demo.com . pw_gid = 100 pw_gecos = Fred Flintstone pw_dir = /home/fred pw_shell = /bin/sh Once testing is complete.netapp.base FAS1> options ldap.10.FAS1> options ldap.NetApp. FAS1> reboot Testing LDAP Communications FAS1> priv set advanced Use “GetXXbyYY” to test that LDAP is functioning correctly on the NetApp storage.usermap.enable off Verify each setting was correctly changed by typing: FAS1> options ldap A reboot of the NetApp storage is required before continuing.usermap.com produces: name: demo.netapp. The syntax for getXXbyYY is in the next section.168. getXXbyYY getgrbyname group_name Given a group name. getXXbyYY getpwbyuid_r user_id_number Given a user ID number. prints information on that host by resolving the hostname. returns group information on that group. getXXbyYY getspwbyname_r user_name Given a user name. NIS/NIS+.getXXbyYY: Advanced Name Resolution Test Commands getXXbyYY gethostbyname_r host_name Given a host's name. This information is derived from NIS/NIS+ and the NetApp storage's /etc/group file. getXXbyYY netgrp netgroup_name client_name Given a netgroup name and a client name. getXXbyYY getgrlist user_name Given a user name. and the NetApp storage's /etc/hosts file. This information is derived from NIS/NIS+ and the NetApp storage's /etc/group file. This information is derived from NIS/NIS+ and the NetApp storage's /etc/group and /etc/passwd files. returns password information on that user. 
returns password information on that user. This information is derived from DNS.com . returns the group ID of every group which includes that user. Page 109 of 187 CIFS – demo.NetApp. getXXbyYY getgrbygid group_id_number Given a group ID number returns group information on that group. getXXbyYY gethostbyaddr_r inet_address Given a host's IP address. This information is derived from NIS/NIS+ and the NetApp storage's /etc/shadow file. prints whether client is a member of netgroup. This information is derived from NIS/NIS+ and the NetApp storage's /etc/passwd file. This information is derived from NIS/NIS+ and the NetApp storage's /etc/netgroup file. returns shadow password information on that user. getXXbyYY getpwbyname_r user_name Given a user name. This information is derived from NIS/NIS+ and the NetApp storage's /etc/shadow file. prints information on that host by reverse resolving the hostname. NetApp. Individual user names cannot be used with LDAP. Make sure that all CIFS shares have “mixed” security selected. You can authenticate Windows clients through an LDAP server. Permissions must be assigned at the share level and file/folder level by Groups. Configure for Mixed authentication. To enable authentication of Windows clients only through an LDAP server. New shares should be created.LDAP-Based Windows Client Authentication Note: This is an optional step. as LDAP does not use a Workgroup name. Any Workgroup name may be used. as the previous section on troubleshooting demonstrates that LDAP is communicating correctly.com . If you have existing shares which was used with Active Directory. former users and groups will now be listed as unknown SIDs. and not NTFS. you cannot use only NTFS with LDAP authentication. FAS1> cifs terminate –t 0 FAS1> cifs setup Specify NIS/LDAP as the authentication method (option 4) to be used for CIFS clients on the NetApp storage. Page 110 of 187 CIFS – Demo. complete the following operations. 
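The lookup chain configured in this section (nsswitch.conf order, the usermap.cfg rule, the RFC 2307 to SFU attribute map, and the getpwbyname_r result) can be modelled offline so that a configuration is checked before the storage system is pointed at LDAP. The following is an added example, not code from the TR or its demo scripts: it parses the exact nsswitch.conf and usermap.cfg contents written in the exercise above, builds the attribute map from the "options ldap.nssmap.attribute.*" lines, and resolves a Windows account to a passwd-style record. The directory entries are constructed sample data, and the wildcard and first-match-wins semantics of usermap.cfg are a simplified assumption, not a description of the Data ONTAP implementation.

```python
"""Added example (not from the NetApp TR): model the LDAP lookup plumbing of
the section above. Directory entries are constructed; usermap.cfg matching is
a simplified assumption (fnmatch wildcards, first matching rule wins)."""
import fnmatch

NSSWITCH_CONF = """\
passwd:   ldap files nis
netgroup: ldap files nis
group:    ldap files nis
hosts:    files dns nis
shadow:   files nis
"""

USERMAP_CFG = r"""
# Windows name   direction   UNIX name
demo\*           ==          *
"""

# The option lines from "Custom LDAP Schema Options in Data ONTAP" (values as on the page).
NSSMAP_OPTIONS = """\
options ldap.nssmap.attribute.uid sAMAccountName
options ldap.nssmap.attribute.uidNumber msSFU30uidNumber
options ldap.nssmap.attribute.gidNumber msSFU30GidNumber
options ldap.nssmap.attribute.gecos name
options ldap.nssmap.attribute.homeDirectory msSFU30HomeDirectory
options ldap.nssmap.attribute.loginShell msSFU30LoginShell
"""

# Constructed directory entries keyed by the attribute names SFU 3.5 stores.
DIRECTORY = [
    {"sAMAccountName": "Fred", "msSFU30uidNumber": "200", "msSFU30GidNumber": "100",
     "name": "Fred Flintstone", "msSFU30HomeDirectory": "/home/fred", "msSFU30LoginShell": "/bin/sh"},
    {"sAMAccountName": "Wilma", "msSFU30uidNumber": "201", "msSFU30GidNumber": "100",
     "name": "Wilma Flintstone", "msSFU30HomeDirectory": "/home/wilma", "msSFU30LoginShell": "/bin/sh"},
    {"sAMAccountName": "Barney", "msSFU30GidNumber": "100", "name": "Barney Rubble"},  # no UID assigned
]


def parse_nsswitch(text):
    """Return {database: [sources in lookup order]}; comments and blank lines are ignored."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            db, _, sources = line.partition(":")
            order[db.strip()] = sources.split()
    return order


def parse_usermap(text):
    """Return usermap.cfg rules as (windows_pattern, direction, unix_pattern) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("==", "=>", "<="):
            raise ValueError(f"unparseable usermap.cfg line: {raw!r}")
        rules.append(tuple(parts))
    return rules


def windows_to_unix(rules, domain, user):
    """Map DOMAIN\\user to a UNIX name. '==' and '=>' apply in this direction,
    '<=' only maps UNIX -> Windows. A pattern without a domain matches any domain."""
    qualified = f"{domain}\\{user}".lower()
    for win_pat, direction, unix_pat in rules:
        if direction == "<=":
            continue
        pat = win_pat.lower()
        subject = qualified if "\\" in pat else user.lower()
        if fnmatch.fnmatchcase(subject, pat):
            return user if unix_pat == "*" else unix_pat
    return None


def parse_nssmap(text):
    """Build {rfc2307_attribute: directory_attribute} from the options lines."""
    prefix = "ldap.nssmap.attribute."
    attrmap = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[0] == "options" and parts[1].startswith(prefix):
            attrmap[parts[1][len(prefix):]] = parts[2]
    return attrmap


def getpwbyname(directory, attrmap, unix_name):
    """Mimic 'getXXbyYY getpwbyname_r': translate the SFU entry into a passwd record.
    Returns None if the user is absent or lacks a UID/GID (the case the note above warns about)."""
    uid_attr = attrmap["uid"]
    for entry in directory:
        if entry.get(uid_attr, "").lower() != unix_name.lower():
            continue
        if attrmap["uidNumber"] not in entry or attrmap["gidNumber"] not in entry:
            return None
        return {"pw_name": entry[uid_attr],
                "pw_uid": int(entry[attrmap["uidNumber"]]),
                "pw_gid": int(entry[attrmap["gidNumber"]]),
                "pw_gecos": entry.get(attrmap["gecos"], ""),
                "pw_dir": entry.get(attrmap["homeDirectory"], ""),
                "pw_shell": entry.get(attrmap["loginShell"], "")}
    return None


def audit_directory(directory, attrmap):
    """List accounts with no UID and UIDs shared by more than one account."""
    problems, seen = [], {}
    for entry in directory:
        name, uid = entry.get(attrmap["uid"], "?"), entry.get(attrmap["uidNumber"])
        if uid is None:
            problems.append(f"{name}: no UID assigned")
        elif uid in seen:
            problems.append(f"{name}: UID {uid} already used by {seen[uid]}")
        else:
            seen[uid] = name
    return problems


def resolve(domain, windows_user):
    """End to end: Windows account -> usermap.cfg -> LDAP passwd record, or None."""
    if "ldap" not in parse_nsswitch(NSSWITCH_CONF).get("passwd", []):
        return None  # passwd lookups would never reach LDAP
    unix_name = windows_to_unix(parse_usermap(USERMAP_CFG), domain, windows_user)
    if unix_name is None:
        return None
    return getpwbyname(DIRECTORY, parse_nssmap(NSSMAP_OPTIONS), unix_name)


if __name__ == "__main__":
    print(resolve("demo", "Fred"))
    print(audit_directory(DIRECTORY, parse_nssmap(NSSMAP_OPTIONS)))
```

Running it shows Fred resolving to uid 200 / gid 100 while Barney, who has a group but no UID, resolves to nothing; that is the failure mode the UID/GID note above describes, and audit_directory lists it before anyone tries to log in.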
6.3.2.5 Manage NetApp Storage Users in LDAP Mode

HANDS-ON EXERCISE: LDAP Permissions
Prerequisite: none
Performed from W2003 and VISTA
Either perform the following steps, or to automate the task, execute: none

Using Computer Management to add a user, group or change permissions on a NetApp storage share might fail with "The credentials supplied conflict with an existing set of credentials" or "The following error occurred while reading the list of shares for Windows clients: Error 5: Access is denied."

First make sure you have no existing connections to the NetApp storage:
SERVER> Net use * /delete /yes

Next, create a NetApp storage BUILTIN account which will match the name and password of the account you are using on the Windows machine. I.e., if your Windows account is Administrator with a password of netapp1, then from the NetApp storage CLI, type:
FAS1> useradmin user list administrator
If you do not already have a local administrator account, follow the next two steps to create one.
FAS1> options security.passwd.rules.minimum 7
FAS1> useradmin user add administrator -n "Local Admin" -g administrators
Once you press Enter, you will be prompted twice for the password you wish to associate with this account.

Next, to allow the local administrator to connect to NetApp storage default shares, we need to assign the permission.
FAS1> cifs access c$ builtin\administrator full control
SERVER> Net use T: \\FAS1\C$
Use "Computer Management" to manage the NetApp storage. When completed, disconnect the mapped drive:
SERVER> Net use T: /delete /yes
NOTE: The management must be performed from a Windows server, and not a Windows Professional, XP or Vista workstation, or the "Error 5: Access is denied" message will continue when attempting to modify permissions.

Testing User Shared Access Using LDAP Authentication
From a Windows workstation which has had the registry change to allow clear-text passwords, we will map a drive to the BOOKS share with the user name Wilma:
1. SERVER> From the desktop, double click on the DEMO.MSC shortcut. This will allow you to remotely connect to the VISTA workstation. On the left column of the MSC, expand "Remote Desktop". Double-click on "Connect as Wilma". Once connected, click Start, Run and type CMD.exe
2. VISTA> Net use T: \\FAS1\BOOKS
3. Copy several files to the T: share.
4. VISTA> Net use T: /delete /yes
5. Log off the Vista machine.

Enabling LDAP Nested Groups
Currently, there are five common ways to represent group memberships in LDAP per the RFC2307bis specification:
1. posixGroup with memberUid with uidSyntax
2. posixGroup with uniqueMember with uniqueMemberSyntax
3. groupOfUniqueNames with uniqueMember with uniqueMemberSyntax (uniqueMember takes DN+(optional)ID syntax)
4. groupOfNames with member with DNSyntax
5. organizationalRole with roleOccupant and DNSyntax
Before Data ONTAP 7, NetApp only supported syntax 1, which implies that the Data ONTAP LDAP search does not search for embedded group membership. With Data ONTAP 7 and above, syntax 3 is also supported, which gives the Data ONTAP LDAP feature the following advantage: when the customer maps uniqueMember to the Windows member attribute, he can effectively unify Windows and UNIX group membership. This has the large advantage that Windows and UNIX group membership are automatically synchronized. The customer does not have to keep two membership lists in sync. A member can be added to a group using the Microsoft Management Console. You can use nested groups.
Limitations:
• Maximum number of UNIX groups is limited to 32 per user.
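The difference between syntax 1 (direct memberUid lists) and syntax 3 with uniqueMember mapped to the Windows member attribute is easiest to see by resolving a user's groups both ways. The following is an added example, not code from the TR: it walks constructed groupOfUniqueNames-style entries upward, handles a group that contains itself, reports groups that contribute no GID, and checks the 32-group limit stated above. The DNs, GIDs and group names are constructed sample data; what Data ONTAP does with groups beyond the limit is not stated on the page, so the check only flags it.

```python
"""Added example (not from the NetApp TR): nested group resolution as described
under "Enabling LDAP Nested Groups". All entries below are constructed."""

MAX_UNIX_GROUPS = 32  # per-user limit stated in the section above

BASE = "OU=ldapusers,DC=demo,DC=netapp,DC=com"
FRED, WILMA = f"CN=Fred,{BASE}", f"CN=Wilma,{BASE}"
HR, STAFF, EVERYONE, NOGID = (f"CN={n},{BASE}" for n in ("HR", "Staff", "Everyone", "NoGid"))

# Constructed group entries: DN -> attributes. 'member' holds DNs of users or other groups,
# which is what the "ldap.nssmap.attribute.uniqueMember Member" mapping makes Data ONTAP read.
GROUPS = {
    HR:       {"msSFU30GidNumber": "100", "member": [FRED, WILMA]},
    STAFF:    {"msSFU30GidNumber": "101", "member": [HR]},               # HR nested inside Staff
    EVERYONE: {"msSFU30GidNumber": "102", "member": [STAFF, EVERYONE]},  # self-reference: a cycle
    NOGID:    {"member": [WILMA]},                                       # group without a GID
}


def direct_groups(groups, member_dn):
    """Syntax 1 behaviour (posixGroup/memberUid): only groups naming the DN directly."""
    return [dn for dn, attrs in groups.items() if member_dn in attrs.get("member", [])]


def nested_groups(groups, user_dn):
    """RFC2307bis behaviour: follow member links upward. Each group is visited
    once, so a cycle such as Everyone -> Everyone terminates."""
    resolved, pending = [], direct_groups(groups, user_dn)
    while pending:
        dn = pending.pop(0)
        if dn in resolved:
            continue
        resolved.append(dn)
        pending.extend(direct_groups(groups, dn))
    return resolved


def unix_gids(groups, user_dn):
    """GIDs that end up in the user's UNIX credential, and the groups that
    contribute nothing because they carry no gidNumber attribute."""
    gids, without_gid = [], []
    for dn in nested_groups(groups, user_dn):
        gid = groups[dn].get("msSFU30GidNumber")
        if gid is None:
            without_gid.append(dn)
        else:
            gids.append(int(gid))
    return gids, without_gid


def within_group_limit(gids, limit=MAX_UNIX_GROUPS):
    """False when the user has more groups than the per-user limit allows."""
    return len(gids) <= limit


if __name__ == "__main__":
    print("direct:", direct_groups(GROUPS, FRED))
    print("nested:", nested_groups(GROUPS, FRED))
    print("gids:", unix_gids(GROUPS, WILMA))
```

With syntax 1 Fred is only a member of HR; with nested resolution he also inherits Staff and Everyone, and the Everyone self-reference does not loop. Wilma additionally belongs to NoGid, which appears in the result but contributes no GID, which is the kind of group that looks correct in MMC yet grants nothing on the UNIX side.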
• When setting the ldap.rfc2307bis.enable option to "on" for RFC2307bis support, only the first root in the search string is searched.
To enable this feature, on the NetApp storage:
FAS1> options ldap.rfc2307bis.enable on
FAS1> options ldap.nssmap.attribute.uniqueMember Member
FAS1> options ldap.nssmap.objectClass.groupOfUniqueNames Group

6.3.3 Integrating with DFS
Distributed File System (DFS) is a technology supported by Microsoft, Novell, and UNIX that enables administrators to build a single namespace consisting of multiple shares on different servers. DFS is to files what DNS is to networking, providing the ability to organize network shares and load share, as well as increase data availability. For Microsoft, DFS is a strategic component that has been included in all Windows Server products since Windows NT 4.0. DFS roots appear as a network share and can be hosted on Windows servers. These roots contain DFS links that reference targets (shares or directories) where data reside. DFS clients are included in Windows 98, ME, Windows NT 4, 2000, XP Pro, and Vista. Native management tools for DFS include the Microsoft Management Console snap-in (dfsgui.msc), dfscmd.exe, and dfsutil.exe.

Shares on NetApp storage can be the target of DFS links, referred to as "leaf nodes," but cannot host DFS roots. Beginning with version 5.0 of NetApp VFM, in combination with the Data ONTAP "wide link" feature, the DFS namespace of an existing DFS root can be synchronized to a share on a NetApp storage as a wide link, such that users can access the global namespace (DFS root) from the NetApp storage rather than accessing it from a Windows server. This eliminates the need to maintain Windows servers for the purpose of hosting the DFS root (global namespace infrastructure), thereby saving hardware and administration costs.

DFS Client versus VFM
Feature | DFS Client | VFM
Ease of Use | MMC: Limited (only slightly better than old client, very limited drag-and-drop support); must script command line tools | Rich Client: fully supports drag-and-drop, 1-to-many operations; integrated UI
Automate creation of DFS Consolidation Root via wizard | No | Yes
Integrated Logical-Physical Namespace backup/restore | No | Yes
Local group processing | No | Yes, for files and directories
Auditing of actions and operations | No | Yes
NetApp storage integration | No | Yes

DFS R2 versus VFM
Feature | DFS R2 | VFM
Open file handling | Only when file is closed | Yes
Replication style | Last-writer wins | Master-slave
Replicate to shared cluster storage | No | Yes
Graphical view of replication topology | No | Yes

Installing DFS
HANDS-ON EXERCISE: DFS
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute: DFSSETUP.BAT. Then, proceed to step #2, in section Test Drive DFS.
1. From the Windows Server, click Start, point to Programs, point to Administrative Tools, and then click Distributed File System.
2. Right-click Distributed File System in the left pane, and click New Root. The Create New DFS Root wizard appears. Click Next.
3. Make sure that Create a domain DFS root is selected, and then click Next.
4. Select the host domain for the DFS root; in our example, this is demo.netapp.com. Click Next.
5. For the Server name, use W2003.demo.netapp.com, and then click Next.
6. For the example we will call our DFS root name MASTER, and in the comments field, type: Demo NetApp Data. Click Next.
7. For the Folder to Share, type: C:\DFSROOT. If the specified folder does not exist, you are asked if you want to create it. Click Yes to continue, then click Next.
8. Click Finish to create the DFS root. At this point, you have an empty DFS root in Active Directory.
After the Create New DFS Root wizard has completed, you are ready to administer your DFS root. For this share to be interesting to users, you need to publish nonlocal shares in the DFS namespace.

To Publish Non-Local Shares
1. Right-click your DFS Root name (left side) and then click New DFS Link.
2. Specify:
Link name: Literature
Locate: \\FAS1\books
Comment: Literature from the 19th Century
Click OK. The time-out value is the number of nonuse seconds that individual clients have to cache the referral, after which they must retrieve a fresh referral from one of the hosting DFS servers.

Test Drive DFS
Any user of Windows logged on to your domain can now access the DFS. Assuming they have proper access privileges, they can negotiate the individual junctions by using the following commands.
1. Click Start, click Run, type cmd into the Open box, and click OK. Then type:
SERVER> Net use <drive letter>: \\<your domain name>\<DFS root name>
In the example used in the document, the command would be:
SERVER> Net use T: \\demo.netapp.com\MASTER
2. Click the DFS tab in Windows Explorer to view.
3. SERVER> Net use T: /delete /yes

To Access the DFS Root Using Windows Explorer
Click Start, click Run, and type \\demo.netapp.com\MASTER in the Open box. Click OK.

6.3.4 Integrating with VSS
Volume Shadow Copy Service (VSS) offers two features that can save you time and peace of mind. The first is a snapshot—think of it as a short-term backup—of all the files on an NTFS volume. This snapshot, or shadow copy, lets your users restore files for themselves—for example, if they accidentally delete a file or choose Save when they meant Save As. The second feature is VSS's ability to back up files that are currently open or locked by an application such as Microsoft SQL Server or Microsoft Exchange. Backing up the snapshots assures that there are no open file conflicts, which can result in incomplete backups.

Microsoft's VSS works by using three pieces: a requester, a writer and a provider. The requester is your traditional backup solution. Requesters send collection inquiries to the application you want to protect. This application must understand the collection inquiry sent to it by the requester and needs a writer designed to support the application data and data types. The writer is written by the application developers, not the backup vendor. Enhanced backup using VSS-aware backup software can greatly enhance the quality of your backups, to assure the most stable and consistent recoveries.

NetApp works with Microsoft's VSS on both the storage level as well as on the application level. On the storage level, a LUN is presented to the Windows server and managed through NetApp's SnapDrive software, used for managing data from Direct Attached Storage (DAS) to Storage Area Networks (SANs), which provides dynamic volume resizing, reporting and integration with Windows VSS APIs to be able to create a quiesced Snapshot copy of a volume, no matter its size, usually in just seconds. On the application level, NetApp has several SnapManager products which work with NetApp SnapDrive and Microsoft's VSS specific to the application to provide the same level of ease and time saving. NetApp currently offers:
• SnapManager for Microsoft Exchange
• SnapManager for Microsoft SQL Server
• SnapManager for Microsoft SharePoint®
• SnapManager for Oracle®
• SnapManager for SAP®
• SnapManager for Lotus Domino®
Just as quickly as the Snapshot copy is created, both the SnapManager and the SnapDrive product provide the ability to rapidly restore the data back to a previous point in time, almost instantaneously.

A highly effective alternative to traditional tape-based protection is to make point-in-time shadow copies. Volume Shadow Copy Service supports creation of single point-in-time shadow copies—also known as snapshots—of single or multiple volumes without impacting production server performance. Volume Shadow Copy Service also supports backups of open files. Volume Shadow Copy Service coordinates with business applications, backup applications, and storage hardware to enable application-aware data management. Use of point-in-time shadow copies with Active Directory configurations allows rapid recovery from a number of specific system problems, including:
• Accidental deletion or overwrite by a user
• Corruption of a user's file
• A virus that has affected a system component

How the Client User Interface Works
Shadow copies can be accessed by computers running any version of Windows 98 or newer. Note: Both Windows 98 and Windows 2000 Professional will require the Shadow Copies of Shared Folders client be installed – search Microsoft's site for ShadowCopyClient.msi; otherwise Shadow Copies of Shared Folders is a native function. The Shadow Copies of Shared Folders client pack installs a Previous Versions tab in the Properties dialog box of files and folders on network shares. Users access shadow copies with Windows Explorer and by selecting one of three options—View, Copy, or Restore—which are located on the Previous Versions tab. When users view a network folder hosted on NetApp storage, they can ask to see all old versions of a file or directory. Viewing the properties of the file or folder will present users with the folder or file history—a list of read-only, point-in-time copies of the file or folder contents that users can then open and explore like any other file or folder. Users can view files in the folder history, copy files from the folder history, and so on.

Recovery of Files or Folders
End users should be notified regarding how frequently shadow copies of the selected volume will be made. When Shadow Copies are made with Windows Servers, there is a maximum limit of 64 shadow copies, but when Shadow Copies are accessed from NetApp storage, a maximum of 255 Snapshot copies per volume are supported.

Recovering a Deleted File
HANDS-ON EXERCISE: SnapRestore
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT, SNAPNOW.BAT
Performed from Vista
Either perform the following steps, or to automate the task, execute: none
J:\Setup.pdf had been deleted via the batch file. Your goal is to recover the file. To recover a deleted file, use the following procedure:
1. SERVER> Open Explorer, navigate to J:\
2. Navigate to the share in which the deleted file had been stored. Right-click the root of J:\, and select Properties from the menu.
3. Select the Previous Versions tab.
4. Select the version of the folder that contains the file before it was deleted. Click View.
5. View the folder and select the file that will be recovered (setup.pdf). Notice you have three options: View, Copy and Restore.
6. Drag and drop, or cut and paste, the file to the desktop or to the original location (J:\).
7. SERVER> Net Use J: /delete /yes
If you wish to restore the entire folder, just select a parent folder, or select the properties of the Share name, allowing you to navigate to the folder to be restored.

Previous Version Tab
On the user's desktop, the Previous Versions tab can be enabled or disabled for viewing NetApp Snapshot copies, which display as Shadow Copies. From a CLI session:
FAS1> options cifs.showsnapshot off
FAS1> options cifs.ms_snapshot_mode off
This is the default behavior. When you turn off the ability to access Snapshot copies using the previous versions feature, the volume/share might need to be remounted before these settings come into effect. In either case, to remove the .snapshot or ~snapshot directory from appearing, issue:
FAS1> vol options <volumename> nosnapdir on
This setting turns off the ~snapshot directory from appearing to CIFS and NFS regardless of the above setting.

7 FILE-LEVEL MIGRATION

7.1 Migrating Files While Preserving Their ACLs
VFM® (Virtual File Manager™), an OEMed product produced by Brocade, manages Windows DFS and allows the NetApp storage to be configured as a target leaf-node in DFS. VFM implements a sophisticated DFS (Distributed File System) management, migration, archiving, and replication solution for your DFS infrastructure. While not required to implement or manage your DFS infrastructure (with or without NetApp storage), VFM can aid significantly in creating, managing, and monitoring your DFS infrastructure. For a migration, it enables you to stage the data migration operation. You control when the migration operation moves from one phase to another (initial, incremental, and final phases). You can automatically run repeated data copy operations before running the final copy and cut over users to the new location. The feature is available for archival migration, migration and storage load-balancing policies. Some of the other features VFM provides are:

Namespace Management: Locate and identify existing and newly created shares, volumes, and qtrees, and add them automatically to a namespace using administrator-defined policies. These policies typically filter the objects to be added based upon search string or permission based criteria.

Virtualize User Home Directories: Add users' home directories to a namespace and update Active Directory so that users will access their home directories through the namespace.

Multiprotocol Namespace: Allow access to a namespace from both NFS and CIFS clients. The administrator can choose whether to have the CIFS namespace replicate the NFS namespace, or vice versa. For CIFS, they are synchronized periodically.

Make Data Highly Available: Periodically replicate the data referenced by the namespace to a secondary storage device, and fail over to the secondary storage device in case the data in the namespace becomes unavailable.

Data Backup: Back up data on NetApp storage that participates in the namespace and back up the logical structure of the namespace targeting the data.

Reporting: Create and publish reports for groups of storage objects they are interested in.
7.1.2 Data Migration: Server Consolidation to NetApp Storage
Your primary goal when implementing a consolidation project, no matter how complex or simple, should be to minimize the end-user impact during migration. The objective should be to provide a migration that satisfies your organization's consolidation objectives, while causing as little disruption as possible. Having a premigration strategy can help administrators avoid many common mistakes. The following three steps help you achieve the objective:
1. Create a plan for your organization's migration and consolidation.
2. Create or establish the new consolidated infrastructure by installing new servers.
3. Migrate the data.
Make sure you have a rollback scenario to rely on if things don't go as planned.

7.1.3 Planning Data Migration
Your migration strategy should include an analysis of the following:
• Number of Windows file servers that will be consolidated
• Amount of data to be migrated (number of files, number of shares, size of files)
• User/group ownership and file- and directory-level ACLs
• Host and file share naming conventions, host/share name contention, including home directory shares
• User logon scripts, desktop shortcuts/links, OLE links (Microsoft Word, Excel), home directories, and explicitly mapped network drives from clients and applications, or other embedded Universal Naming Convention (UNC) paths that directly access mapped drive letters
Understanding how much data and how many files need to be migrated will give you some idea of how much time will be required to perform the migration. Having this information can be useful when planning how much time an administrator will need to prepare for the data transfer portion of the migration. In addition to the time required for migration, other factors that affect migration administration and complexity are the number of Windows servers to be consolidated, moving from a Windows NT domain to Active Directory, installing new NetApp storage, and upgrading your network. Consider also that it will take a greater amount of time to migrate a larger number of smaller files than a smaller number of larger files. The speed and available bandwidth on the existing network will also limit the amount of data that can be migrated within a certain time period. Consider using private, out-of-band Gigabit networks or Gigabit crossover links for data migration purposes.

Windows NT 4 to Active Directory Migration Tools
The following is a list of the most commonly used tools:
• ADMT 2.0 – Active Directory Migration Tool (ADMT) 2.0
• Aelita – Aelita Domain Migration Wizard
• BindView – BindView by Admin for Windows Migration
• NetIQ – NetIQ Domain Migration Administrator
• Microsoft – The Microsoft Windows Server 2003 Resource Kit
Note: If you need to preserve the File SID, you will need to use a migration tool such as ADMT (Resource Kit). CIFS setup will destroy the original, and create a new one in the new domain.

Data Migration Tools
1. Backup/Restore from Tape - Although backing up to a tape and restoring from it could be considered a valid migration, it is highly discouraged. Tape is regarded as an archive medium, and the integrity of it cannot be guaranteed.
2. Microsoft 2003 Resource Kit - Many useful tools and utilities for doing simple domain migrations, including subinacl.exe to check and find and replace ACLs if necessary.
3. Scopy, Xcopy, and RoboCopy - utilities that are freely available from the Windows NT 4.0 and Windows 2003 Resource Kits or from the Microsoft Web site. This method requires more manual administration and is more prone to error.
4. FILEACL V2.0.1 - FILEACL is a Windows command-line tool that allows an administrator to change, replace, and manipulate ACLs on NTFS volumes (or qtrees for the NetApp storage), with sample syntax of commands and test modes before committing.
5. Hyena - Used mainly for migrating local groups from one NetApp storage to the other. Hyena will quickly copy all of the groups to the destination NetApp storage while keeping the SIDs the same.
6. Small Wonders Secure Copy from ScriptLogic.
7. NTSEC Software from Pedestal Software.
8. Quest Consolidator from Quest Software.
9. NetIQ Server Consolidator from NetIQ.
10. Rainfinity Rainstorage for Windows Storage Consolidation Solution.
11. VFM from NetApp.
12. SnapMirror, qtree SnapMirror, NDMPcopy and Volcopy – refer to Data ONTAP Documentation for best practices.

The problem is that local groups have nonglobal SIDs between machines. That SID gets moved with the ACL data to the destination, but the destination machine can't resolve its membership with its local groups. NetApp recommends using the Microsoft recommended method of assigning rights to file systems, that is UGLR: Users belong to Global groups, which belong to Local groups, which are assigned access to Resources.

Import Local Groups into other NetApp Storage
If you are migrating local groups from NetApp storage to NetApp storage, each NetApp storage assigns its own local SIDs to local groups in its /etc/lclgroups.cfg on the root volume. Copy the localgroups.cfg file from the source to the destination and run the following to import all the local groups:
FAS1> useradmin domainuser load <fullpath to localgroups.cfg>
This will create local groups with the same name but a different SID. So this is fine as long as those local groups are not used for file level security permissions. The group SID is dependent on the NetApp storage SID. If the user did use the local NetApp groups on file level security, you have two options:
1) The supported method is using securecopy, which will retain the SIDs during migration. The downside is there is a lot more risk if you don't know what you're doing.
2) The unsupported method is to copy over filersid.cfg and lclgroups.cfg from the old NetApp storage to the new and reboot. The advantage here is you can use SnapMirror for the data migration. Both storage units cannot have CIFS running at the same time due to conflicting SIDs.

7.1.4 Migrating Data
Refer to the internal Windows NT to Active Directory Domain and Data Migration with NetApp storage (TR3380) for specific guidance, recommendations, and tools for data migration to a NetApp storage. One of the most commonly used Microsoft tools for data migration is Microsoft's cacls.exe and the later xcacls.exe, or as suggested, xcacls.vbs. Using the VBS is significantly faster than using the EXE.
http://support.microsoft.com/kb/318754 (old)
http://support.microsoft.com/kb/825751 (current)
The VBScript version here: http://download.microsoft.com/download/win2000platform/webpacks/1.00.0.1/nt5/enus/xcacls.htm
Refer to the HDMNAS Decision Tree Matrix for further information: http://ps-web.corp.netapp.com/cv/nsdatamigration.htm (Internal)

7.2 BEST PRACTICES
When renaming user accounts with home directories, use WAFL Credential Cache (WCC). WCC won't clear the SIDcache, but that is a mapping of the SID to the username (cosmetic), so we don't need to go back to a DC to display that name properly. You could set the timeout to 1 or 0 or some low number so it expires quickly, or as suggested, disable it; in most situations this shouldn't be required. wcc -x will flush the credential cache immediately. You can also specify account names to delete if needed. For more information, refer to:
FAS1> man na_cifs_sidcache

VFM enables one-step data migration between storage devices to optimize capacity and achieve server consolidation even when devices are from different vendors and are geographically dispersed.

7.3 DEMO
7.
7.3.1 VFM – Enables non-disruptive expansion and consolidation

VFM enables you to seamlessly consolidate data from multiple heterogeneous file servers across heterogeneous file storage platforms. By first deploying a global namespace, you can use VFM data movement features to quickly and easily consolidate or expand storage resources. The global namespace masks physical changes from users during consolidation, and VFM storage policies significantly reduce operator activities during the consolidation. By using VFM, you can perform multiple simultaneous consolidation jobs and reconfigure file storage without affecting how users access the files, because VFM automatically and transparently redirects users to the files in their new locations.

Migration Options:

• Include or exclude subfolders
• Delete orphaned files
• Allow loss of security and alternate file streams
• Selectable criteria for file transfers, including inclusion and exclusion lists
• Configurable retries for failures during transfer of a file
• Threshold for continual failures
• Event Log details
• Script execution before and after replication to provide solutions such as e-mail notifications, cleanup, zip or unzip files and posting event log entries
• Optional differential replication only transmits blocks of changed data

Best Practices

• Migration does not require Windows DFS namespace, but DFS provides the layer to allow future storage changes to remain transparent to users.
• Each migration task is run as a thread
  o Can speed up migration by combining with Replication
  o By default, 20 threads available
• Turn off vscan during bulk migration
• Don't set up overlapping replication / migration jobs

7.3.2 Migrating Files with VFM

HANDS-ON EXERCISE: VFM for File Migration
Prerequisite: CIFSRUN.BAT, SHARESETUP.BAT, DFSSETUP.BAT
Performed from W2003
Either perform the following steps, or to automate the task, execute: VFMSETUP.BAT

1. If you have not already installed the Microsoft SQL Server Desktop Edition from the Northern Storage Suite lab exercise, install MSDE now with the following switches:
   SERVER> C:\CIFSDEMO\Northern\MSDE\setup SECURITYMODE=SQL SAPWD=netapp1
   Note: A reboot IS required before proceeding with the installation of VFM.
2. Following the reboot, login and on the tool bar (bottom right side of desktop), right click SQL Server Agent. Select "Open SQL Server Service Manager." Under Services, select "SQL Server Agent." Click Start. Check Auto-start service when OS starts. Close the dialogue. Then proceed to step #3.
   Note: The account which will be used for VFM requires "Logon as a service" be enabled. This step has already been performed, as a reboot is required to activate the change.

Installing VFM

3. SERVER> C:\CIFSDEMO\VFM\VFMInstall.exe
4. Welcome to the NetApp VFM 6.1 Installation Wizard, click Next
5. On the NetApp VFM 6.1 Release Notes dialogue, click Next
6. On the Accept License Agreement dialogue, click "I accept the license agreement", followed by Next
7. Enter the License Information, followed by Next
   Serial Number: NETAPP_VFM_DEMO_14_NOT_FOR_PRODUCTION_USE_10232008
   License Type: Evaluation
   Activation Number: VFME1-1BL06-LV8E7-TNI6A-UYZ2H
8. On the Destination Location dialogue, accept the default and click Next
9. On the Component Selection dialogue, accept the default and click Next
10. On the Application Data Storage dialogue, accept the default and click Next
11. On the NetApp VFM Service Account Credential, for domain\Username use: demo\administrator, and for password use netapp1, click Next
12. Accept to use an existing Microsoft SQL Server instance, click Next
13. On the Microsoft SQL Server Name: localhost. On the Connect using, select Microsoft SQL Server authentication. For the Login ID, use sa, and for password use netapp1, click Next
14. Use SX for the Database Name, click Next
15. On the Desktop Shortcut Configuration, accept to create a desktop shortcut, click Next
16. Click Next on the Review Installation Settings dialogue
17. NetApp VFM Setup Completed screen will appear, click Finish

Configure VFM

1. FAS1> options cifs.show_snapshot off
2. W2003> Open VFM console (Use the Desktop shortcut)
3. Click Tools (on the menu bar), select Options. Click + to expand the System Options, click Replication Filters. In the Exclude Files field type: "*.htm" "*.mp3" and click OK.
4. On the left side, click Remote Shell. On the right side under Shell Credentials, enter the Username: root, and password: netapp1. Click OK.
5. Expand the Admin View (left side) and expand the Data Movement Policies folder.
6. Right-click the Replication Policies and choose New Replication Policy.
7. Name the policy Software Distribution.
8. Click Browse to browse for the source link located at \\W2003.demo.netapp.com\c$\CIFSDEMO\Northern:
   Double click Physical Resources
   Double click Microsoft Windows Networks
   Double click DEMO
   Double click Domain Controllers
   Double click W2003.demo.netapp.com
   Double click C$
   Double click CIFSDEMO
   Click Northern, then click OPEN
9. To add the target, click Add. A dialogue will open displaying Existing DFS Roots. Expand DEMO, select demo.netapp.com\MASTER, then type: \\demo.netapp.com\MASTER\Literature followed by tab.
10. Highlight the policy you created and choose Start Replication Now.
11. Verify that the *.htm and *.mp3 files were not replicated.
12. Look at the TR recommended in the following section to guide you through other VFM configurations, reporting and integration with DFS.
7.4 NETAPP TECHNICAL REPORT REFERENCE

Virtual File Manager Best Practices – March 2008
http://media.netapp.com/documents/tr-3661.pdf
Virtual File Manager Best Practices – June 2008
http://media.netapp.com/documents/tr-3684.pdf
Best Practices for Secure Configuration of Data ONTAP 7G – May 2008
http://media.netapp.com/documents/tr-3649.pdf
Unified Windows and UNIX Authentication – November 2006
http://media.netapp.com/documents/tr-3458.pdf
Integration of a NetApp Storage System with a UNIX Based LDAP Server – April 2006
http://media.netapp.com/documents/tr-3464.pdf

8 FUTURE OF NETAPP CIFS

8.1 OVERVIEW

Microsoft launched an initiative in 1996 to rename SMB (Server Message Block) to Common Internet File System (CIFS), and added more features, including support for symbolic links, hard links, larger file sizes, and an initial attempt at supporting direct connections over TCP port 445 without all the NetBIOS trimmings (a largely experimental effort that required further refinement).

Whenever files are copied between Windows systems, the SMB protocol is used. Version 1 of this protocol, which is still in use today, was developed 15 years ago and was introduced with Windows 3.11 for Workgroups. Since the fastest networks in use at the time generally offered a maximum transfer rate of 10 Mb/s, the protocol has become out of date, with Gigabit Ethernet interfaces now a common feature even on budget motherboards.

8.1.1 SMB 2 and Diagnostics

Microsoft introduced a new version of the SMB protocol, Server Message Block 2.0, with Windows Vista (released in 2006). SMB 2.0 improves prior versions of SMB for Windows by adding, among other things, the ability to compound multiple actions into a single request, which significantly reduces the number of round-trips the client needs to make to the server, improving performance as a result. SMB1 also has a compounding mechanism, known as AndX, to compound multiple actions, but Microsoft clients rarely use AndX. SMB 2.0 also greatly grows the restrictive constants in the protocol: the SMB 1 protocol often uses 16-bit sizes, whereas SMB2 uses 32 or 64 bits for many of these, and 16 bytes in the case of file handles, so we never need to worry about the protocol itself being the limiting factor for scalability. Examples include an increase in the number of concurrent open file handles on the server and the number of file shares that a server can have.

• Support for sending multiple SMB commands within the same packet. This reduces the number of packets sent between an SMB client and server, a common complaint against SMB 1.0.
• Increases the restrictive constants within the protocol design to allow for scalability. This includes increasing the number of concurrent open file handles on the server, and the number of shares that a server can share out.
• Higher scalability of the number of files that a client may open simultaneously, as well as the number of shares and user sessions that servers may maintain.
• Quality of Service guarantees from the server for the number of requests that can be outstanding against a server at any specified time.
• Improved throughput across networks that have disparate characteristics.
• Stronger end-to-end data integrity protection, using the SHA256 hash algorithm instead of MD5 for signing.
• SMB2 supports larger buffer sizes, which can provide better performance with large file transfers.
• SMB2 introduces the notion of "durable file handles": these allow a connection to an SMB server to survive brief network outages, such as might occur in a wireless network, without having to construct a new session.
• SMB2 includes support for symbolic links.

Microsoft claims that, with its improved TCP stack, just upgrading clients to Windows Vista can yield throughput and time-to-completion improvements of up to 2.5X over Windows XP. Complete migration of servers to Longhorn, to also take advantage of the enhanced SMB2, can yield throughput and time-to-completion improvements of up to 3.5X over Windows XP/Windows Server 2003.

8.2 BEST PRACTICES

The version of SMB used for file sharing is determined during the SMB session negotiation. If both the client and server support SMB 2.0, then SMB 2.0 is selected during the initial negotiation. Otherwise SMB 1.0 is used, preserving backward compatibility. The protocol is chosen automatically when a file transfer is initiated without requiring any additional settings by the user. The table below shows the version of SMB that will be used in different client/server scenarios:

[Figure: Bandwidth Comparison: SMB1 vs. SMB2]

8.3 DEMO

8.3.1 SMB 2 Configuration

Copying from \\Server Share: A Classic Application for the SMB Protocol

In specifying and creating version 2.0 of SMB, Microsoft has brought the protocol up to date. Among its benefits is that it can combine several requests in one data packet, meaning that more requests can be sent using fewer packets. Effectively, this reduces the overhead and consequently improves data throughput. Besides, more connections can be kept alive simultaneously, which in turn means more files can be open at the same time, improving the quality of the connection.

SMB2 on the Internet

In order for the protocol to be used, both the server and the client need to support SMB 2.0. Windows Vista already uses SMB 2.0 and can thus benefit from the higher performance. SMB 2.0 will ship in Data ONTAP 7.3.1, December 2008.

Credits:
o Client may request credits for simultaneous operations
o Server should grant credits based on available resources
o Server can adjust client-granted credits in responses
o More credits allow more parallel operations
o Server sends an interim response for a request that could block for a long time

Durable Handles: Durable Handles are the file handles that persist across SMB 2.0 sessions. They are designed to prevent data loss caused by short network outages, by absorbing writes cached on the client on a different SMB 2.0 session. When a client opens a file, it specifies if it needs the file handle to be durable. The server on its part issues a durable handle only if it supports the functionality. Upon session disconnection, the server makes the handles available for reclaim by the same user on a different connection. If the current connection goes away, the client would try to use the durable handle on a different connection if it is still valid on the server.

Currently Microsoft supports SMB 2.0 on Windows 2008 and Vista. Both SMB 1.0 and 2.0 are enabled by default on Windows Vista and Windows Server 2008. However, earlier versions of Windows support only SMB 1.0. In some testing and troubleshooting scenarios it might be necessary to disable either SMB 1.0 or SMB 2.0. Finally, it should be noted that this is not a recommended practice.

To disable SMB 1.0 on a Windows Vista or Windows Server 2008 system that is acting as the "server" system (hosting the network resources), a registry modification is required. Navigate to the HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters key. If there is no REG_DWORD value named Smb1, you will need to create it. Once the value is created, set the value to 0 to disable SMB 1.0 or 1 to enable SMB 1.0.

To disable SMB 2.0 on Windows Vista or Windows Server 2008 systems that are acting as the "server," navigate to the registry key listed above. Instead of creating the Smb1 REG_DWORD value, you would create a REG_DWORD value called Smb2. This value does not exist by default. Set the value to 0 to disable SMB 2.0 and 1 to enable SMB 2.0.

To disable SMB 1.0 for Windows Vista or Windows Server 2008 systems that are the "client" systems, run the following commands:

To disable SMB 2.0 for Windows Vista or Windows Server 2008 systems that are the "client" systems (accessing the network resources), run the following commands:

sc config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc config mrxsmb20 start= disabled

Note: there's an extra " " (space) after the "=" sign.

To enable back SMB 2.0 for Windows Vista or Windows Server 2008 systems that are the "client" systems, run the following commands:

sc config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc config mrxsmb20 start= auto

Note: there's an extra " " (space) after the "=" sign.

8.4 NETAPP CIFS SMB VARIABLES (Available in Data ONTAP 7.3.1 and above)

Options
– cifs.smb2.enable (default value will be "off")
– cifs.smb2.client.enable (default value will be "off")
– cifs.smb2.signing.required (default value will be "off")
– cifs.smb2.durable_handle.enable (default value will be "on")
– cifs.smb2.durable_handle.timeout (default value will be 16 minutes)

Command
– cifs sessions -p [smb|smb2]

New option "cifs.smb2.enable" to enable/disable the SMB 2.0 protocol. When this option is disabled, NetApp storage will not accept any new SMB 2.0 sessions, but the existing sessions will not be terminated.

New option "cifs.smb2.client.enable" to enable/disable SMB 2.0 client capability on NetApp storage. When this option is enabled, NetApp storage initiated connections to Windows servers will use SMB 2.0. In case the Windows server does not support the SMB 2.0 protocol, NetApp storage will fall back to using SMB. If a session had been established over SMB 2.0 and later this option is disabled, NetApp storage will continue to use SMB 2.0 for the existing sessions, but no new sessions will attempt to use SMB 2.0.

New option "cifs.smb2.signing.required" to enforce signing on all SMB 2.0 sessions. When this option is changed, existing sessions will not be terminated.

New option "cifs.smb2.durable_handle.enable" to enable/disable the durable handle functionality for SMB 2.0 clients. If this option is enabled, the open files from a client are preserved when the client gets disconnected from the NetApp storage. These open files can be reclaimed when the client reconnects to the NetApp storage.

New option "cifs.smb2.durable_handle.timeout" to configure the duration in seconds for which NetApp storage will preserve the durable handle after a temporary network failure. This timer has a default value of 16 minutes, but its value could be changed by system policy to any range between 5 seconds and infinite (4,294,967,295 seconds).

The "cifs sessions" command will take a new option, '-p'. This option filters the sessions on the basis of the protocol version used. When the -p option is used with 'smb' as the argument, only SMB 1.0 sessions are displayed. When the -p option is used with 'smb2' as the argument, only SMB 2.0 sessions are displayed. When the -p option is not used, both SMB 1.0 and SMB 2.0 sessions are displayed. The -p option can be used along with the -c and -s options.

8.5 SMB2 HIDDEN OPTIONS FOR TWEAKING PERFORMANCE (Available in Data ONTAP 7.3.1 and above)

Change negotiated buffer sizes:
cifs.smb2.max_read_size
cifs.smb2.max_write_size
cifs.smb2.max_transact_size

Change the max number of outstanding requests sent by a client without receiving a response:
cifs.smb2.max_credits_granted
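As an added example (not code from the TR or from Data ONTAP), the following Python script audits the section 8.4 options as an administrator would read them off the console: it parses "name value" lines in the layout of the `options cifs.smb2` command (the sample text is constructed, not captured from a system), validates the on/off values and the durable-handle timeout range of 5 to 4,294,967,295 seconds, and flags the default-off `cifs.smb2.signing.required` whenever SMB 2.0 is enabled, since that is the setting that leaves SMB 2.0 sessions unsigned.

```python
# Added example (not from the TR or Data ONTAP): audit the SMB 2.0 options
# listed in section 8.4 against their documented ranges and flag the
# weak-but-default setting, signing not required.

ON_OFF_OPTIONS = (
    "cifs.smb2.enable",
    "cifs.smb2.client.enable",
    "cifs.smb2.signing.required",
    "cifs.smb2.durable_handle.enable",
)
TIMEOUT_OPTION = "cifs.smb2.durable_handle.timeout"
TIMEOUT_MIN = 5                  # seconds, per section 8.4
TIMEOUT_MAX = 4_294_967_295      # "infinite", per section 8.4

# Constructed sample in the "name value" layout of the console `options`
# command; not captured from a real system.
SAMPLE_OPTIONS = """\
cifs.smb2.client.enable          off
cifs.smb2.durable_handle.enable  on
cifs.smb2.durable_handle.timeout 960
cifs.smb2.enable                 on
cifs.smb2.signing.required       off
"""


def parse_options(text):
    """Return {option: value} for every cifs.smb2.* line in `text`."""
    opts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("cifs.smb2."):
            opts[fields[0]] = fields[1]
    return opts


def audit_smb2(opts):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    for name in ON_OFF_OPTIONS:
        value = opts.get(name)
        if value is not None and value not in ("on", "off"):
            findings.append(f"{name}: unexpected value {value!r}, expected on or off")

    # SMB 2.0 accepted but signing not enforced: sessions may run unsigned.
    if opts.get("cifs.smb2.enable") == "on" and opts.get("cifs.smb2.signing.required") != "on":
        findings.append("cifs.smb2.signing.required is not on: "
                        "SMB 2.0 sessions are not required to be signed")

    raw = opts.get(TIMEOUT_OPTION)
    if raw is not None:
        if not raw.isdigit() or not TIMEOUT_MIN <= int(raw) <= TIMEOUT_MAX:
            findings.append(f"{TIMEOUT_OPTION}: {raw!r} is outside "
                            f"{TIMEOUT_MIN}..{TIMEOUT_MAX} seconds")
    return findings


if __name__ == "__main__":
    for finding in audit_smb2(parse_options(SAMPLE_OPTIONS)):
        print(finding)
```

Run against the sample, the only finding is the signing one; setting `cifs.smb2.signing.required` to on clears it, and a timeout such as 3 (below the documented 5-second floor) or a value that is not on/off produces its own finding. The script only reads text, so it can be fed the saved output of the `options` command from any number of systems.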
9 TROUBLESHOOTING AND PACKET TRACES

HANDS-ON EXERCISE: Troubleshooting CIFS
Prerequisite: CIFSRUN.BAT
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute: none

• For CIFS AD Domain status (Windows 2000 and later) one should not be using "cifs testdc" but:
  FAS1> cifs domaininfo
• All DC addresses are discovered at once. After CIFS Setup, to force a domain rediscovery, type:
  FAS1> cifs reset dc
• CIFS cached in the registry:
  FAS1> priv set advanced
  FAS1*> registry walk auth
  FAS1*> options cifs.trace_dc_connection <on or off>
• Stop CIFS service:
  FAS1> cifs terminate
• Stop CIFS on a particular volume:
  FAS1> cifs terminate -v <volume>
• Start CIFS service:
  FAS1> cifs restart
• Start CIFS on a particular volume:
  FAS1> cifs restart -v <volume>
• Test domain response using Packet INternet Groper (PING):
  FAS1> ping -s <IP or DNS>

Gathering More Information

What remote diagnostics/scripts should be run to gather troubleshooting information?

• Use "sysstat -x 1" to determine how many CIFS ops/s and how much CPU is being utilized.
• Use perfstat to gather data and analyze CIFS performance (note information from ifstat, statit, netstat -in for any I/O errors or collisions, CIFS stat, messages, SMB_hist, dump, and general CIFS info).
• From statit output, if it is one volume that is having an issue, check for disk fragmentation.
• Check cifs stat to see if the Max Multiplex value is near the cifs.max_mpx option value. Common situations where this might need to be increased are when the NetApp storage is being used by a Windows Terminal Server or any other kind of server that might have many users opening new connections to the NetApp storage. NetApp Internal Knowledge base article ntapcs4193 describes the issue further.
• Check the value of OpLkBkNoBreakAck in CIFS stat. Nonzero numbers indicate oplock break timeouts, which cause performance problems.
• Check /etc/messages for any abnormal messages, especially for oplock break timeouts.
• If the slowness only happens at certain times of the day, check if the times coincide with other heavy activity like SnapMirror, Snapshot copies, backups, and so on on the NetApp storage.
• On the NetApp storage, if it is one volume having an issue, do df to see if the volume is full. Do df -i to see if you are running out of inodes.
• If it is a network issue, test using a different NetApp storage or Windows server. Check ifstat -a. Try the netdiag -dv command to test NetApp storage side duplex mismatch.
• If it is a gigabit issue, check to see if the flow control is set to FULL on the NetApp storage and the switch.
• Check if they have an antivirus application running on the client. This can cause performance issues, especially when you are copying multiple small files.
• Client troubleshooting may include review of event logs and ping of the NetApp storage.
• A network trace using pktt might be necessary to determine what is being sent/received over the network.

9.1.1 CIFS Configuration Files

Internal (editing is not supported):
o cifsconfig_setup.cfg
o cifsconfig_share.cfg
o cifssec.cfg
o filersid.cfg
o krb*

Manually Editable:
o cifs_nbalias.cfg
o cifs_homedir.cfg
o usermap.cfg
o lclgroups.cfg

9.1.2 Diagnostic Troubleshooting with PKTrace

HANDS-ON EXERCISE: PKTrace
Prerequisite: none
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute: none

Collect a Network Trace with pktt

FAS1> pktt start <interface>|all [-d dir] [-s size] [-m pklen] [-b bsize] [-i ipaddr ...] [-v]
FAS1> pktt pause <interface>|all
FAS1> pktt dump <interface>|all [-d dir]
FAS1> pktt stop <interface>|all
FAS1> pktt status [<interface>|all] [-v]

Each of the subcommands must be followed by an interface name or the word "all." A small exception to this is that "pktt status -v" is equivalent to "pktt status all -v." The available interface names can be found using "ifconfig -a" or "pktt status."

pktt start

The "start" subcommand is used to start tracing (or restart if it has been paused). The packet trace data is stored in "tcpdump" format in a circular buffer in memory. If the -d option is missing, the trace data will only be collected in memory, and after the buffer fills, new packets will replace existing packets. However, it is always possible to dump the contents of the buffer at any time using the "pktt dump" command.

The flags that can optionally be supplied are as follows:

-d dir
    This specifies the path to an existing directory in which the trace data file will be written. The file will always have the name "<interface>.trc" where "<interface>" is the interface name (for example, e4, fa3, and so on).
    One thing to be aware of when writing trace data to disk is that if the file system cannot keep up with the network traffic you might not log all packets. This will show up in the "dropped" counts when looking at status. In cases where the network is very busy and it is not practical to log all the traffic to disk you might need to use a larger buffer. Along with this, you should remember that logging all traffic may generate a heavy write load on the NetApp storage, which might bog it down. If possible, use the IP filter to reduce the amount of data to log.

-b bsize
    This sets the buffer size. The value may range from 8K to 128M. The default is 32K. You should use a value of at least 128K when using the -d option. Note that the default value of the -b flag is too small when logging to disk if there is much traffic. You should set -b 128k or larger, but only in the most exceptional cases would it be necessary to increase the size beyond 1-2M. (But not too large! See below.)
    WARNING! Do not specify a value larger than 3MB. You might hang the system console or cause WAFL to run out of memory.

-s size
    This allows you to set a maximum size of the trace file, which may be specified as a number with an optional trailing "k" or "m" multiplier. If you don't specify this the file can grow to 32GB, so set it to a reasonable value if you think there is a chance you might forget you have left the trace going. After the maximum size has been reached, packets continue to be logged to the buffer, but not to disk. This parameter is only useful in conjunction with the "-d" option.

-m pklen
    This sets the length at which packets will be truncated. The default is 1500 bytes, which results in full packets for Ethernet. It is sometimes useful to limit the data stored when every byte of the packet is not critical. However, for many debugging tasks it is useful to have the entire packet. In the case where the packet size can be larger than 1500 you might want to specify a larger maximum. However, many of the decoders refuse to deal with packets larger than 1500 bytes, so you should only specify a larger value if that seems critical to finding the problem. Note that in 5.3 the default of 1500 is incorrect for Ethernet. You must override with "-m 1514" to get the full packets.

-i ipaddr [-i ipaddr] ...
    This allows limited filtering capability, which causes only traffic to or from any of those IP addresses to be logged. Up to four IP addresses may be specified. This will prevent logging of any non-IP (for example, arp/rarp) traffic.

-v
    This causes "pktt status -v" information to be displayed as tracing starts.

Examples of "pktt start"

pktt start e0
    This will start capturing network traffic from the "e0" interface. All traffic will be logged to a 32K circular buffer.

pktt start fa3 -d / -s 100m -b 128k
    This starts capturing traffic on the "fa3" interface, writing to a file called "/fa3.trc" which will be allowed to grow to a maximum size of 100MB, with a 128K buffer.

pktt start el10 -d /home -m 10k -b 1m -i ehost1 -i ehost2
    This starts capturing traffic to and from the hosts "ehost1" and "ehost2," storing the traces into the file "/home/el10.trc," in a 1MB buffer. Up to 10K of each packet will be stored, which should be large enough to find "packet of death" bugs and similar problems.

pktt start all -b 128k -i 172.20.4.1
    All interfaces will start capturing traffic to and from the specified IP address. This is a quick way to look at traffic if you're not sure which interface to use but you want to see the packets from one or more IP addresses.

pktt pause
    The "pause" subcommand is used to temporarily stop capturing traffic from one or all interfaces. If any unwritten data is in the trace buffer it will be flushed to disk. Use "pktt start" without any options to restart a paused interface.

pktt dump
    The "dump" subcommand causes the contents of the packet trace buffer to be written to a file. The name of the file is always <interface>.trc and the contents are in "tcpdump" format. If the "-d [dir]" option is used the file will be written to that directory, otherwise it will be written to the root directory of the root volume. If a file by that name already exists it will be overwritten. This action is not confirmed, so be careful when using this command.

pktt stop
    This causes all tracing to stop on the named interface, or all interfaces. If any unwritten data is in the trace buffer it will be flushed to disk. If you have not dumped the trace data and you were not tracing to a disk file, the trace data will be lost.

pktt status
    This can be used to display the buffer and file status of an existing trace. Using "pktt status -v" will give you full tracing status for all interfaces.

Collect pktt data from the appliance. An example of the pktt command usage is:

FAS1> pktt start all -b 128k -d /dir -s max_file_size[k|m] -m mtu_size -i client_IP_or_hostname

This will create a packet trace file called interface.trc that is less than or equal to max_file_size[k|m]. The file will be stored in the directory dir after capturing network data seen between the appliance and the client interface client_IP_or_hostname.
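The pktt flags above carry several constraints that are easy to get wrong under pressure (a -b above 3MB can hang the console, -d without -s lets the file grow to 32GB, -i takes at most four addresses, and full Ethernet frames need -m 1514). As an added example that is not part of the TR or of Data ONTAP, the following Python helper composes a `pktt start` command line and refuses combinations the documentation warns against; it only builds the string, which you then type at the storage system console. Treating the 128K minimum buffer for -d and the missing -s as errors rather than warnings is this helper's choice.

```python
# Added example (not from the TR or Data ONTAP): compose a `pktt start`
# command line that stays within the limits documented in the pktt text,
# so a trace started in a hurry cannot hang the console (oversized -b) or
# write an unbounded file (-d without -s).
import re

_SIZE_RE = re.compile(r"^(\d+)([kKmM]?)$")
_UNIT = {"": 1, "k": 1024, "m": 1024 * 1024}

BUF_MIN = 8 * 1024              # -b lower bound per the pktt text
BUF_MAX = 128 * 1024 * 1024     # -b upper bound accepted by pktt
BUF_SAFE_MAX = 3 * 1024 * 1024  # documented WARNING threshold
BUF_DISK_MIN = 128 * 1024       # recommended minimum when -d is used
MAX_FILTERS = 4                 # up to four -i addresses
ETHERNET_FRAME = 1514           # -m value that captures full Ethernet frames


def parse_size(text):
    """Parse pktt size syntax (digits with optional k/m suffix) into bytes."""
    m = _SIZE_RE.match(str(text))
    if not m:
        raise ValueError(f"bad size {text!r}: expected digits with optional k or m suffix")
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


def build_pktt_start(interface="all", directory=None, max_file=None,
                     pklen=ETHERNET_FRAME, buffer="128k", hosts=()):
    """Return the `pktt start` command string, or raise ValueError for a
    combination the documentation warns against."""
    bsize = parse_size(buffer)
    if not BUF_MIN <= bsize <= BUF_MAX:
        raise ValueError(f"-b {buffer}: buffer must be between 8K and 128M")
    if bsize > BUF_SAFE_MAX:
        raise ValueError(f"-b {buffer}: buffers above 3MB can hang the console "
                         "or exhaust WAFL memory")
    if directory is not None:
        if bsize < BUF_DISK_MIN:
            raise ValueError(f"-b {buffer}: use at least 128K when writing to disk with -d")
        if max_file is None:
            raise ValueError("-d without -s: the trace file could grow to 32GB")
        parse_size(max_file)  # validate the -s syntax
    elif max_file is not None:
        raise ValueError("-s is only meaningful together with -d")
    if len(hosts) > MAX_FILTERS:
        raise ValueError(f"at most {MAX_FILTERS} -i filters are accepted")
    if any(not h or any(c.isspace() for c in h) for h in hosts):
        raise ValueError("each -i value must be a single host name or IP address")
    if int(pklen) <= 0:
        raise ValueError("-m must be a positive packet length")

    parts = ["pktt", "start", interface]
    if directory is not None:
        parts += ["-d", directory, "-s", str(max_file)]
    parts += ["-m", str(pklen), "-b", buffer]
    for host in hosts:
        parts += ["-i", host]
    return " ".join(parts)


if __name__ == "__main__":
    # Mirrors the documented "pktt start fa3 -d / -s 100m -b 128k" example,
    # with -m 1514 added so full Ethernet frames are kept.
    print(build_pktt_start("fa3", directory="/", max_file="100m", buffer="128k"))
    print(build_pktt_start(hosts=["172.20.4.1"]))
```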
pktt stop This causes all tracing to stop on the named interface.” Up to 10K of each packet will be stored. If you have not dumped the trace data and you were not tracing to a disk file.NetApp. This is a quick way to look at traffic if you're not sure which interface to use but you want to see the packets from one or more IP addresses. NetApp.com .Page 136 of 187 CIFS – Demo. i. so any software capable of manipulating these files (for example. tcpdump. 2. Enter pktt stop all. The “capconv” utility is used to convert the PKTT file to Netmon format. map the drive using CIFS or NFS.netapp. 3. gather: o o o Pktt with client. 5.2 • • • • • SLOW CIFS AUTHENTICATION Slow or overloaded Domain Controller Wrong Domain Controller Massive amounts of authentication traffic Poor NIS or LDAP performance.cfg • For CIFS mapping failures. Turn options CIFS.trc.trc file will be created for each appliance interface. DC (NIS and LDAP) Output of wcc –s and wcc –u for troublesome user. Reproduce the network related problem. 4. and LDAP servers • Page 137 of 187 For NTLM failures. see http://now. To fetch the trace file from the NetApp storage. 9. NIS group caching Large group memberships in CIFS credentials Items to look at: • Gather: o o o o o pktt filtered for client and DCs (NIS. For more information. tcpview. and then download the file. contact NetApp Technical Support. Once the data is extracted.trc files are in tcpdump format.com .trace_login on.NetApp. use a Netmon format compatible network packet analyzer (such as Windows Netmon and Ethereal) to analyze the packet trace. Note: The .Working with a Packet Trace 1. Pktt during wcc commands above. LDAP) FAS1> cifs DOMAININFO <domain> FAS1> cifs STAT output FAS1> cifs SESSIONS –t Size estimate for /etc/lclgroups.e. NIS. gather: CIFS – demo.com/NOW/download/tools/capconv/. Start the packet trace by executing the customized command from the previous step. An interface. ethereal) can open a file generated with pktt. filtered for DC. 
   o pktt with client, DC (NIS and LDAP)
   o Console output during failure with options CIFS.trace_login on
   o Output of CIFS DOMAININFO

Note: pktt stop all stops the capturing and flushes the data to the file /dir/interface.trc. For assistance in reading the packet trace, contact NetApp Technical Support.

9.3 MISCELLANEOUS TROUBLESHOOTING
• You can configure the syslog.conf file to log to a remote server that has a more configurable syslogd.
• To retain more than the normal six weeks of /etc/messages files, utilize Snapshot copies and go back to the normal six weeks from the snap schedules.

Using RSH to Log Out an Active NetApp Telnet User/Session
Since Data ONTAP only allows a single user to log in at a time through telnet or SSH, it can be a hassle when you need to log in for an emergency and someone is already logged in. Here are two options:

You can log the individual off with the following command:
CLIENT> rsh FAS1 -l root:netapp1 logout telnet

If you didn't want to log the individual off with the previous command, the following commands can help you find the offender.
CLIENT> rsh FAS1 -l root:netapp1 netstat -an | findstr "\.22 \.23 "
This gives you the IP address of the machine that is connected over port 22 (ssh) or 23 (telnet). Once you have the IP address, you can then find out the HOST name by issuing the following string:
CLIENT> nbtstat -A <IP-ADDR>
i.e. CLIENT> nbtstat -A 192.168.10.101

Example of nbtstat output:
Local Area Connection 9:
Node IpAddress: [192.168.10.101] Scope Id: []
        NetBIOS Remote Machine Name Table
    Name               Type         Status
    ---------------------------------------------
    W2008        <00>  UNIQUE      Registered
    W2008        <20>  UNIQUE      Registered
    WORKGROUP    <00>  GROUP       Registered
    MAC Address = 00-0C-29-97-71-29

9.4 NETAPP TECHNICAL REPORT REFERENCE
Best Practices for Secure Configuration of Data ONTAP 7G – May 2008
http://media.netapp.com/documents/tr-3649.pdf
10 SIZING AND PERFORMANCE

10.1 OVERVIEW
Sizing of CIFS home directories has always been a complex task as there are numerous factors that need to be considered while carrying out a sizing exercise. There are no industry-standard workloads and benchmarks for CIFS home directory deployments. Workload analysis and benchmarks have been carried out based on different customers' data.

Sizing Affects Performance
In typical home directory environments, read and write operations form only a small part of the overall traffic. Operations such as openX, closeX, attribute operations (for example, getattr, query_file_info, query_path_info), directory operations (for example, find_first2 and Windows NT Trans Notify), and other operations are also present in significant proportions. To size properly for such deployments, the cost of all the other operations in the mix has to be taken into account. Depending upon the level of information about the traffic available, a different sizing methodology applies; where detailed data exists:
• Method 3: Sizing at a preexisting NetApp deployment where detailed CIFS information can be collected

Additional Performance Factors That Affect Sizing (These are built into the NetApp CIFS sizer)
• No degradation on failover requirement: When sizing with clusters many customers require no performance degradation when a cluster failover occurs. To size for these scenarios you need to account for at least 50% headroom in CPU.
• SnapMirror: To account for the SnapMirror CPU impact, increase the concurrent user count by 20% to 30% and size for that many users. Note: If SnapMirror activity can be scheduled to happen during nonpeak hours then you need not worry about any extra overheads.
• SMB signing: SMB signing is not supported in pre-7.0.1 releases. Turning on SMB signing in 7.0.2–7.0.5 adds a noticeable CPU overhead, whereas in 7.1 the CPU overhead is about 23%.
• Virus Scanning: 10% overhead should be added to the sizing calculation based on the virus scanning rates to be in the range of 50-100 files per second (which is what NetApp observed in many real-life deployments).
• SMB signing in Data ONTAP 7.0.2–7.0.5 adds a CPU overhead of about 40%.

Since operations other than Read and Write form a significant proportion of the CIFS operations observed at typical home directory deployments, we suggest the following three sizing methodologies:
• Method 1: Sizing using predefined user models, to be used when very little information is known about the customer deployment.
• Method 2: Sizing for an existing third-party CIFS deployment where it is possible to collect some workload information.

Active-Active Configuration
An active-active configuration is two storage systems (nodes) whose controllers are connected to each other either directly or through switches. You can configure the active-active pair so that they share access to a common set of disks and subnets, or so that each set of disks is owned by one of the controllers. Each node continually monitors its partner. If it detects a failure, a takeover occurs, which allows one node to serve data to the disks of its failed partner node. Once the failover operation completes, the takeover controller will immediately resume data service for the failed NetApp storage. Data integrity is assured during the transfer. The entire failover process is automatic.

Installed on a pair of NetApp storage controllers, clustered failover provides 99.999% data availability, which matters for any e-commerce application that has stringent uptime requirements. Loss of data service could lead to lost productivity, and assuring that data is always available and readily accessible is absolutely essential. Clustered failover administration tasks are simple, intuitive, and easy to use, minimizing management overhead and reducing operator error.

Automatic and Manual Failover and Giveback
NetApp clustered failover constantly monitors the health of the clustered storage.
10.1.1 High Availability with NetApp Active-Active Clustering
In today's competitive environment, data is the key asset of many businesses. Organizations with a data availability strategy that relies on a single hardware device risk losing data access if that device goes offline. The cost of such a loss includes revenue, and even customer loyalty.

NetApp clustered failover delivers a robust and highly available data service for business-critical environments. Delivering greater than 99.999% data availability, NetApp clustered failover can benefit any enterprise, workgroup, or application with stringent uptime requirements.

NetApp clustered failover assures data availability by transferring the data service of an unavailable storage controller to the other controller in the cluster. The nodes are connected to each other through a cluster adapter or an NVRAM adapter, mirroring the data for each other's nonvolatile RAM (NVRAM). The pair can share access to disks and tape drives, or you can configure them to have two distinct sets of storage. When a node detects a failure, it automatically initiates a failover operation to transfer the data service to its partner controller, with no manual intervention required at any point. The data service of the takeover controller is never impacted and is fully available during the entire failover operation. The takeover controller maintains this dual data-serving mode until an administrator initiates action to restore data service to its original state.

Benefits of Active-Active Configuration
Configuring storage systems in an active-active configuration provides the following benefits:
• Fault tolerance: When one node fails or becomes impaired a takeover occurs, and the partner node continues to serve the failed node's data.

Note: CIFS is session oriented. In order to have transparent failover for a CIFS client during CFO, SMB 2.0 must be enabled and be used for both the NetApp storage and the client. (Refer to section 8.1.1 on SMB 2.0.) Otherwise, when a clustered failover occurs, all CIFS sessions on the failed node are terminated.
The CIFS client will certainly notice, but whether a user will notice depends on how abstracted the user is from the CIFS session. For example, is the user's application cluster aware, and will it automatically try to reestablish the session and pick up where it left off? Or does it complain of an error?
• Nondisruptive software upgrades: When you halt one node and allow takeover, the partner node continues to serve data for the halted node while you upgrade the node you halted. For more information about nondisruptive software upgrades, see the Data ONTAP Upgrade Guide.
• Nondisruptive hardware maintenance: When you halt one node and allow takeover, the partner node continues to serve data for the halted node while you replace or repair hardware in the node you halted.

10.1.2 CIFS Sizing on NetApp Storage
The NetApp CIFS sizer is located at http://perf-build.lab.netapp.com/CIFSSizer/CIFSizer.jsp (internal access only).

HANDS-ON EXERCISE: CIFS Sizing
Prerequisite: none
Performed from Vista, W2003 or W2008
Either perform the following steps, or to automate the task, execute: none

NetApp CIFS Home Directory Sizer Version 3.8.4
Refer to Appendix C for explanations of each field.
Section 1 of Sizer: CIFS Home Directory Sizer FAQs / General Information
   Customer Name:
   Location:
   Region:
   SE/CSE/PSE(s):
   Field Specialist:
   Requester E-Mail:
   Notes:
   Sizing Request Identifier:
   Vantive # (if applicable):
Section 2 of Sizer: General NetApp Storage Specifications
   Data ONTAP Version: (7.0.x, 7.1.x, 7.2.x or 7.3)
   Local Cluster:
   Failed-Over Performance:
   NetApp storage Platform:
   Max # of Clusters (optional):
   Min # of Clusters (optional):
   CPU Headroom:
Section 3 of Sizer: Backend Specifications
   Preferred Drive Type:
   Capacity Reserve:
   RAID group Size: 16 (default)
   RAID Type: RAID-DP® or RAID 4
   Map to Full Shelves: Yes/No
Section 4 of Sizer: HomeDir Specifications
   Sizing Options: Fresh Install, Migration from third party, or Upgrading existing NetApp
   Virus Scanning: Disabled/Enabled
   SnapMirror: Disabled/Enabled
   SMB Signing: Disabled/Enabled
Section 5 of Sizer: User Profiles in Target System
   # of Profiles (1 – 10)
   User Type: Light, low, medium or heavy
   Desired # of Users:
   Concurrency % (10, 20, 30, 40, 50, 60, 70, 80, 90 or 100%)
   Home Directory Size/User (GB)

Each home directory deployment is unique in the way it has been deployed, users supported, the number of concurrent users, roaming profiles, disk and network traffic, presence of Citrix environment, antivirus scanners, use of multiple protocols, and so on. The inherent complexity of this architecture makes it extremely difficult to size and deploy to the desired levels.

10.1.3 Tuning Windows CIFS Performance
The following are performance tuning guidelines for both the NetApp storage and Windows clients which might help improve overall CIFS performance. The actual benefit of each setting varies depending on the workload and many other system parameters. Note that the issues covered here are related mainly to CIFS, though some of them might be relevant to NFS too.
Client-Side Issues
Make sure that the Windows server is optimized for proper network throughput:
1. Set window size - A large window size increases the number of messages that can be in flight. The maximum window size that is supported on the NetApp storage is 64,240. Increasing this on both the NetApp storage and clients can dramatically improve performance for large transfers. On the NetApp storage, set the option cifs.tcp_window_size to 64240. The window size on the client is controlled by adding the registry value (DWORD) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize and setting it to 64240 (0xFAF0 in hex).
2. Consider hardware and OS dependencies - CIFS performance is quite sensitive to client performance (mostly due to opportunistic locking). Therefore, in general, the faster the clients are, the better the overall performance. Also, the larger the client memory, the better the performance.
3. Make sure oplocks are turned on for the Windows clients. This is usually turned ON by default (unless someone explicitly set it off). The registry entry that controls oplocks is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\UseOpportunisticLocking.

NetApp Storage-Side Issues
1. Oplocks should be enabled: Make sure that cifs.oplocks.enable is ON. (In certain database environments this cannot be set to ON for other reasons.)
2. Changing the open delta setting: Under certain workloads setting cifs.oplocks.opendelta to 0 can improve CIFS throughput performance by 3-5%. If setting this value to 0 results in client disconnects, reset it back to 8 (which is the default value).
3. If the workload being tested is random in nature set minra to ON. If it is more sequential set minra to OFF.
4. For workloads that are purely sequential, increasing wafl_read_ahead to 18 chunks from the default value of 3 chunks can help (by using "setflag wafl_read_ahead 18").
5.
Setting “vol options <volume> no_atime_update ON” can improve CPU performance if accurate access times are not important.

Common Problems
Common problems that are typically reported as performance problems are:
1. Duplex mismatches: Make sure that the duplex settings match on the NetApp storage, the switch, and the clients.
2. Redirector breakages: If a very heavy load is placed on the CIFS client, the redirector can potentially break the session. Certain fixes have gone into recent Data ONTAP releases that fix this problem, but this problem does occur occasionally. If this happens the best solution is to reduce the load on the client and redistribute this to other clients. One way to check whether this is happening is to monitor the “current commands” counter under the redirector object on the client side using Windows NT performance monitor.
3. Flow control on back-to-back configurations using Gigabit cards.

The CIFS.oplocks.enable option has the following effects:
• If you set the CIFS.oplocks.enable option to Off, oplocks are disabled for the whole storage system.
• If you set the CIFS.oplocks.enable option back to On, oplocks are enabled again.

The CIFS.oplocks.opendelta option defines the length of artificial delay before sending an opportunistic lock break request to a client that has recently sent the NetApp storage an open request. The units of this option are in milliseconds. The default is 8 milliseconds: the NetApp storage will make sure that at least 8 milliseconds have elapsed after receiving or responding to an open-file request before it sends an oplock break on that session. This option should not be set higher than 35 milliseconds without consulting NetApp Customer Support. Also, if set too low, it can have adverse effects on Windows services. Recommended increments from the default go up to 40.

For CIFS.max_mpx: in most cases the default is sufficient, but there are many situations where this number needs to be increased. NetApp recommends 1124 for CIFS.max_mpx when using Windows Terminal Server or Citrix. That greatly increases the number of outstanding requests that the client would like to send.
Flow control mismatches on back-to-back Gigabit configurations could show up as network performance problems.

10.1.4 Advanced oplocks Settings
The CIFS.oplocks.enable option enables and disables CIFS oplocks for the entire storage system. Changes to the option take effect immediately; it is not necessary to restart anything. When the option is set to Off from the NetApp storage console, all CIFS oplocks on all volumes and qtrees on the storage system are turned off. When it is set back to On, CIFS oplocks are enabled for the storage system, and the individual setting for each qtree and volume takes effect.

10.1.5 Options CIFS.oplocks.opendelta
For example, when opendelta is 8, at least 8 milliseconds elapse after an open before an oplock break is sent. This delay is done to work around a bug in Microsoft Windows clients that can cause the client to ignore an oplock break request if it is received at a certain time. Recommended increments from the default: 20, 30, 40. Shouldn't need to go above 100. The goal is to try to find the lowest opendelta value that eliminates most or all of the nonresponsive oplock breaks. The OpLkBkNoBreakAck statistic reported by CIFS stat keeps track of the number of nonresponsive oplock break occurrences. Setting the value too low, for example setting this to 0, can cause a Windows 2003 Web server to crash.

10.1.6 Options CIFS.max_mpx and Citrix
This option is used when responding to client connection requests to tell the client the maximum number of outstanding requests the server will accept. There are a number of considerations regarding this option:
• The default value of 50 is the same as Windows servers use.
• Windows Terminal Server or Citrix boxes multiplex many CIFS sessions on a single TCP connection. NetApp recommends a value of 1124 for CIFS.max_mpx in that case.
• We have seen problems clear up when max_mpx is increased. NetApp recommends staying with the values recommended above as they are known to work with a large number of customers with varying client types.
Also see http://web.netapp.com/engineering/performance/projects/perf-tuning/CIFS/tuning.htm (internal).
Following are some of the other features provided by NetApp storage with CIFS:
• Deleting existing shares
• Changing the settings of existing shares
• CIFS home directories
• For a count of all the shares, use: FAS1> cifs shares -t
For a complete listing of all CIFS options, type: “man na_cifs” or “man na_cifs_access” (The man commands are case-sensitive.)

• Windows clients have a value that controls the maximum number of outstanding requests they will attempt, regardless of how many the server says it can handle. This client parameter is called MaxCmds.
• Windows servers have an option corresponding to CIFS.max_mpx in the Windows registry. It is called MaxMpxCt. For a particular client and server pair, the number of simultaneous, active requests is the lesser of these two values; the actual number of outstanding requests is the minimum of those two values. See http://support.microsoft.com/default.aspx?scid=kb.EN-US.271148 and http://support.microsoft.com/kb/810886/.
• Each Change Notify request counts as a pending operation for the client. Applications that do this are Visual C++ and IIS. The number of change notifications pending can be seen using the "-c" option with the "CIFS sessions" command. If a client has a large number of change notifications pending and it runs out of max_mpx slots it can cause application problems and/or performance problems. If the total number of pending Change Notify requests exceeds the max_mpx value, the applications will either fail or go into a very CPU-intensive mode, issuing QueryFileInfo requests for all the objects that they would normally monitor using Change Notify.
• When trying to determine whether or not we need to increase max_mpx: unfortunately the exact symptoms are poorly characterized at the moment. Applications such as SQL Server™ might encounter problems if the max_mpx value is exceeded under heavy loads. No problems have been seen when using very large values of max_mpx.
The maximum number of simultaneous, active requests is negotiated per session.
The maximum number of simultaneous, active requests between an SMB client and the server is determined when a client/server session is negotiated. The maximum number of requests that a client supports is determined by the MaxCmds registry value. The maximum number of requests that a server supports is determined by the MaxMpxCt registry value. Due to bugs in the Microsoft clients, you might get a hard-coded limit of 50 for MaxCmds. For more information see Microsoft Knowledge Base articles Q191370 and Q232890 (http://support.microsoft.com).
• Certain applications do many Change Notify requests.
However, clients like Windows terminal server or IIS are examples of setups where the cifs.max_mpx value can be increased. In Citrix setups set the cifs.max_mpx value to 1124 by default.

Active-active configuration tips:
• An inconsistent configuration is often the cause of failover problems (NetApp Operations Manager will report and recommend optimal settings for both controllers).
• Make sure that each node has sufficient resources to adequately support the workload of both nodes during takeover mode.
• Use VIFs (virtual interfaces) to provide redundancy and improve availability of network communication.
• Consider testing the takeover and giveback times to make sure that they fall within your requirements.

CIFS Home Directory Deployment Best Practices
• The Kahuna domain could become a bottleneck. If Kahuna domain utilization limits the overall performance, Data ONTAP 7.2, which has a separate CIFS domain, can provide up to 15% improvement in performance in Kahuna-limited scenarios for certain workloads.
• To reduce ChangeNotify overheads it is better to spread files over different NetApp storages and over different volumes owned by each NetApp storage.
• Schedule weekly WAFL Reallocate to optimize block layout. Refer to “man na_reallocate.”
The approved values for this parameter are 126, 253, and 1124. The most accurate way to determine which number to use is to measure the Redirector Current Commands statistic on the client with Windows NT perfmon and to increase the number until Current Commands does not hit the negotiated limit.

10.2 BEST PRACTICES
Using best practices when deploying active-active configurations: Review this list of configuration tips to make sure your active-active configuration is robust and operational.
1. Maintain consistent configuration between the two nodes.
2. Test the failover capability routinely (for example, during planned maintenance) to assure proper configuration.
3. When adding traditional or FlexVol volumes to an active-active configuration, note that higher numbers of traditional and FlexVol volumes on your system can affect takeover and giveback times.

CIFS Home Directory Deployment Best Practices
1. It is important to note that turning on Kerberos reply cache has significant performance impact.
2. Increasing the default value of cifs.max_mpx (set to be 50) can sometimes result in improvements in overall performance.
3. CIFS, Wafl and Snapmirror all run in the Kahuna domain (versions of Data ONTAP prior to 7.2), which allows no overlap of their processing. If the Kahuna domain becomes the bottleneck, an upgrade to a newer Data ONTAP release should be considered.
4. In environments with a large number of open files, to reduce ChangeNotify overheads it is better to:
   a. Spread files over different volumes.
   b. Spread files over different vFiler™ controllers and over different volumes owned by the vFiler controller.

Case study notes: He needs a backup infrastructure which would take place during nonpeak hours (nights and weekends). At present, the customer is not sure about the number of concurrent users.
On a medium enterprise system with 3 new logins per second (approx. 10,000 logins per hour) turning on the Kerberos reply cache has a 15% CPU overhead. If this feature is to be supported, please make sure that you size with sufficient headroom. To know the limit of various CIFS resources (for example, max. number of open TCP connections on any platform, max. number of open files and so on), refer to the following link: http://wikid.netapp.com/w/CIFS_resource_limits (Internal) or refer to Appendix D.

10.3 DEMO

10.3.1 Case Study: NetApp CIFS Sizing Tool Walk-Through
A customer needs to consolidate all his clients and deploy a CIFS-based home directory solution. He has 10,300 users total. As the data he has is critical he needs a high-availability solution. As he is expected to deploy more applications in the near future, the CPU utilization should not be more than 60% at its peak. The total storage capacity is 6TB. At present, the customer does not have antivirus scanning in the deployment.

The following are the steps described to size accurately for the deployment required:

Step 1 – Gather relevant information
   Total number of users: 10,300
   Concurrent/active users: Not known
   CPU Utilization: 60%
   High Availability: Needed
   Sizing Overhead Information:
      Antivirus: Not Present
      SnapMirror: Needed, off peak hours
   Total Storage Capacity: 6TB
   Assumptions:
      Degradation on failover: yes
      User Type: Medium
      Concurrency %: 50

Compute the number of concurrent users.
   Number of concurrent users = Total users * Concurrency %
   Number of Concurrent Users (Assuming 50%): 10,300 * 50% = 5150

Step 2 – Account for headroom required for other activities
   Antivirus: not needed
   In this case, the customer requires a headroom of 40% (60% CPU utilization). The sizer's users supported figure is 6250; at 60% CPU utilization it is scaled accordingly. This clearly fits the customer's requirements.

10.4 NETAPP TECHNICAL REPORT REFERENCE
High File-Count Environment Best Practices – January 2007
   Reduce the value for concurrent users by 10% and resize the number of concurrent users: 5150 – (5150 * 10%) = 4635
   SnapMirror: As this is going to be used during off-peak hours, we are not taking SnapMirror into account.

Step 3 – Narrow down storage systems that would support the required number and type of concurrent users
The NetApp CIFS sizer shows that the FAS3040c and series beyond support the user requirements. Any requests which need a headroom other than 20% would result in a change in the users supported.
   FAS3040c: At 80% CPU utilization the sizer reports 6250 users; at 60% CPU utilization, users supported: (6250*60)/80 = 4687.50
Clearly a FAS3040c can support more than 4635 users with CPU utilization of less than 60%. Another way to find out which storage appliance would support the requirement would be to calculate the users supported at 60% utilization by each of the platforms, then compare with the concurrent users required by the customer and identify which platforms would suit the customer's needs.

HTTP://MEDIA.NETAPP.COM/DOCUMENTS/TR-3537 (Internal)
Active/Active Controller Configuration Overview and Best Practices Guidelines – January 2007
HTTP://MEDIA.NETAPP.COM/DOCUMENTS/TR-3450 (Internal)
CIFS Performance Tuning in Data ONTAP
https://now.netapp.com/Knowledgebase/solutionarea.asp?id=3.0.1098760.2570911 (Internal)

APPENDIX A: DOMAIN DISCOVERY

APPENDIX B: CIFS SIZING FLOWCHART
[Flowchart rendered as steps]
Step 1: Start. Collect Perfstat/CIFS DCT during peak traffic.
Step 2: Find out the CPU utilization, Kahuna utilization and # of concurrent users. Is CPU % < 30? If yes, the NetApp storage is too lightly loaded; possible problems need to be addressed first. Is CPU/Kahuna < 1.2? If yes, based on the CPU and Kahuna headroom, determine the scaling factor by the maximum of the two.
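The sizing arithmetic of the case study above, carried through as an added worked example (not NetApp's CIFS sizer). It assumes the overhead factors quoted in section 10.1 (10% for antivirus, the low end of 20-30% for SnapMirror at peak, a 50% CPU cap for no degradation on failover), linear scaling of a platform's user count with CPU utilization as the case study does, and reproduces the case study's 10% reduction as a plain adjustment; the FAS3040c figure of 6250 users at 80% CPU is the sizer output quoted above, reused here as sample input.

```python
"""Worked CIFS home-directory sizing (added example, not the NetApp sizer)."""
from dataclasses import dataclass

# Overhead factors quoted in section 10.1 "Additional Performance Factors".
ANTIVIRUS_OVERHEAD_PCT = 10      # add 10% when AV scanning runs at peak
SNAPMIRROR_OVERHEAD_PCT = 20     # size for 20-30% more users (low end assumed here)
NO_DEGRADATION_CPU_CAP_PCT = 50  # at least 50% CPU headroom if no degradation on failover


@dataclass
class SizingRequest:
    total_users: int
    concurrency_pct: float            # share of users active at peak
    target_cpu_pct: float             # peak CPU utilization the customer accepts
    antivirus_at_peak: bool = False
    snapmirror_at_peak: bool = False  # off-peak SnapMirror adds nothing at peak
    no_degradation_on_failover: bool = False
    adjustment_pct: float = 0.0       # extra +/- adjustment; the case study uses -10


def concurrent_users(total_users: int, concurrency_pct: float) -> float:
    """Step 1: Number of concurrent users = Total users * Concurrency %."""
    return total_users * concurrency_pct / 100


def required_users(req: SizingRequest) -> float:
    """Step 2: concurrent users plus headroom for other activities.

    Each factor is a percentage of the concurrent-user count, so the
    factors compound; integer percentages keep the arithmetic exact.
    """
    users = concurrent_users(req.total_users, req.concurrency_pct)
    users = users * (100 + req.adjustment_pct) / 100
    if req.antivirus_at_peak:
        users = users * (100 + ANTIVIRUS_OVERHEAD_PCT) / 100
    if req.snapmirror_at_peak:
        users = users * (100 + SNAPMIRROR_OVERHEAD_PCT) / 100
    return users


def effective_cpu_target(req: SizingRequest) -> float:
    """CPU ceiling to size against: the customer's target, capped at 50%
    when no performance degradation on failover is required."""
    if req.no_degradation_on_failover:
        return min(req.target_cpu_pct, NO_DEGRADATION_CPU_CAP_PCT)
    return req.target_cpu_pct


def users_supported_at(ref_users: float, ref_cpu_pct: float, cpu_pct: float) -> float:
    """Step 3: rescale a platform's rated user count from the CPU level the
    sizer reports at (80% in the case study) to the CPU level required."""
    return ref_users * cpu_pct / ref_cpu_pct


def platform_fits(req: SizingRequest, ref_users: float, ref_cpu_pct: float = 80) -> bool:
    """True if a platform rated ref_users at ref_cpu_pct covers the request
    at the customer's effective CPU target."""
    supported = users_supported_at(ref_users, ref_cpu_pct, effective_cpu_target(req))
    return supported >= required_users(req)


# Constructed input: the case study in section 10.3.1.
CASE_STUDY = SizingRequest(total_users=10300, concurrency_pct=50,
                           target_cpu_pct=60, adjustment_pct=-10)

if __name__ == "__main__":
    print("concurrent users:", concurrent_users(10300, 50))      # 5150.0
    print("required users:", required_users(CASE_STUDY))          # 4635.0
    print("FAS3040c at 60% CPU:", users_supported_at(6250, 80, 60))  # 4687.5
    print("FAS3040c fits:", platform_fits(CASE_STUDY, 6250))     # True
```

Changing a single flag shows how the answer moves: requiring no degradation on failover caps the CPU target at 50%, and the same FAS3040c figure no longer covers the request.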
   # of concurrent users that can be supported = # of users currently supported * scaling factor
Step 3: Adjust the max # of users to account for headroom for peaks, SnapMirror, AV scanning, SMB Signing, KRB reply cache and so on.
Step 4: Need to size for other platforms? If yes, refer to the platform scaling table to estimate the # of users supported on other platforms. If no, go to Step 5.
Step 5: Determine the # of disks. Stop.

Note: NetApp’s Operations Manager provides the feature to capture, compare and set optional settings.

cifs.audit.enable
CIFS audit events may be generated for file access or for logon and logoff. For file access events to be generated, the option cifs.audit.file_access_events.enable must also be selected. If no argument is supplied, the current value of this option is displayed. This option default is off.

cifs.audit.file_access_events.enable
When both this option and the cifs.audit.enable option are on, file access events will be audited when a file is accessed by an account for an operation and the file has a system access control list (SACL) entry that matches the access. If no SACL entry matches the access, no event will be generated. The default is on.

cifs.audit.logsize
The minimum is 524288 and the maximum is 68719476736. The default is 524288.

cifs.audit.saveas
The default log file is /etc/log/adtlog.evt.

cifs.bypass_traverse_checking
When on (the default), directories in the path to a file are not required to have the X (traverse) permission.

cifs.guest_account
Enables a user to get access to the NetApp storage provided that either the NetApp storage uses a domain controller for authentication and the user is not in a trusted domain, or the NetApp storage uses the /etc/passwd file or the NIS password database for authentication and the user has no entry in the /etc/passwd file or the NIS password database. Users logging into the NetApp storage will be assigned to the guest account if their names are not listed in the password database (when using /etc/passwd file or NIS) or if the user is not from a trusted domain (when using a domain controller). If the option is a null string, guest access is disabled.

cifs.homedirs_public_for_admin
If this option is set to on, an administrator can connect to the CIFS home directory of user username by specifying the share ~username (tilde username). Windows 2000 Active Directory does not allow a system administrator to set a user's profile to a share that does not exist, so this option is useful there.
APPENDIX C: NETAPP CIFS ADVANCED OPTIONS
Commonly used CIFS options and some recommended settings and guidance for each one. NetApp's Operations Manager can set these options on all NetApp Storage.

cifs.audit.logon_events.enable
When both this option and the cifs.audit.enable option are selected, logon and logoff events will be generated. Logon and logoff events reflect CIFS session connects and disconnects. For logon and logoff events to be generated, the option cifs.audit.logon_events.enable must also be selected together with cifs.audit.enable. The default is on.

cifs.audit.logsize
Specifies the maximum event log file size.

cifs.audit.saveas
Specifies the active event log file. The file must be in an existing directory in a network share.

cifs.bypass_traverse_checking
This option does not apply in UNIX qtrees.

cifs.guest_account
If this option is set to the name of an account in the password database, the configured user name will be used for the UNIX user ID, group ID, and group set of the specified account, respectively. The default value for this option is a null string.

cifs.homedirs_public_for_admin
This specifies whether members of the NetApp storage's Built-in\Administrators group can connect to the CIFS home directories of other users. This can be useful when setting a user profile to map the user's CIFS home directory on the NetApp storage. The default is on.

cifs.max_mpx
Controls how many simultaneous operations the NetApp storage reports that it can process. An operation is each I/O the client believes is pending on the NetApp storage. This value defaults to 50. This value affects allocations in the clients. Starting with the Data ONTAP 6.5 release, the number of change notifications pending can be seen using the -c option with the cifs sessions command. For more information see Microsoft Knowledge Base articles Q191370 and Q232890.
There are a number of considerations regarding this option:
• The approved values for this parameter are 126, 253, and 1124. Use only the approved values as discussed in Microsoft Knowledge Base article Q232890.
• The most accurate way to determine which number to use is to measure the Redirector Current Commands statistic on the client with Windows NT perfmon and to increase the number until Current Commands does not hit the negotiated limit.
• This option is used when responding to client connection requests to tell the client the maximum number of outstanding requests the server will accept. The corresponding Windows server registry value is called MaxMpxCt.
• This number should be changed only while CIFS is terminated.
• In most cases the default is sufficient, but there are many situations where this number needs to be increased (for example, clients such as Windows Terminal Server or IIS might require that this number be increased to avoid errors and performance delays). We recommend a value of 1124 for cifs.max_mpx when using Windows Terminal Server or Citrix. These applications multiplex many CIFS sessions on a single TCP connection.
• Certain applications do many Change Notify requests and each one of these counts as a pending operation for the client, including outstanding change notify operations. Applications that typically do this are Visual C++ and IIS. If a client has a large number of change notifications pending and it runs out of max_mpx slots, it can cause application and/or performance problems. If the total number of pending Change Notify requests exceeds the max_mpx value, the applications will either fail or go into a very CPU-intensive mode.

cifs.idle_timeout
Specifies the amount of idle time in seconds before the NetApp storage disconnects a session. An idle session is a session in which a user does not have any files opened on the NetApp storage.
Determining whether you need to increase max_mpx.profile to a nonexistent share.5 release. The default is on. The default is 1800. The value of this option ranges from 600 to 4. Windows servers have an option corresponding to cifs. issuing QueryFileInfo requests for all the objects that they would normally monitor using Change Notify.max_mpx in the Windows registry. Use the smallest value necessary for correct behavior. cifs. That greatly increases the number of outstanding requests that the client would like to send. Change Notify requests. and normally a user's CIFS home directory can be accessed only by that user and not by the administrator. then if the requester is the owner. Pre-xp also allows access to Snapshot copies from Windows 2000 Shadow Copy clients.. This overhead might noticeably affect NetApp storage performance. This allows use of the CIFS top command. you might wish to change this setting to on.perm_check_ro_del_ok Windows NT delete rules do not allow you to delete a file with the DOS read-only bit set. i. Note that the downlevel pre-xp mode should be used only if Windows 2000 Snapshot copy access is required as it might introduce a very slight performance hit when there is a heavy load on the NetApp storage and very long pathnames are in use. Valid values for this option are off.cifs. the "group" permissions are used as if the Windows client were always a member of the file's owning group. a number of multiprotocol applications require UNIX delete semantics (w-x permissions in parent directory without regard to the file's permissions).com .nfs_root_ignore_acl When on. The default is off. In that case the requester's desired access is checked against the file's "group" permissions. which yields Windows NT behavior. in a UNIX qtree). The default setting is on for new installations. Administrators should be aware that there is overhead associated with collecting the per-client stats. and the "other" permissions are never used. 
off disables Snapshot access from all Windows Shadow Copy clients. this has the opposite effect of the old "PC-mode" installation setting. The default value of this option is off. If the requester is not the owner and if perm_check_use_gid is on it means files with UNIX security are checked using normal UNIX rules. In effect. xp allows access to Snapshot copies from Windows XP and later Shadow Copy clients only. as well as the -u and -h options of cifs stat. However.perm_check_use_gid This option affects security checking for Windows clients of files with UNIX security where the requester is not the file owner. This option controls this behavior. In all cases Windows client requests are checked against the share-level ACL. and the "other" permissions are ignored. If you do not plan to use share-level ACLs to control access to UNIX security style files (for example. the "user" permissions are used to determine the access.per_client_stats.enable Turning this option on causes the NetApp storage to start gathering statistics on a per-client basis. cifs.enable Controls the ability of nonauthenticated sessions to enumerate shares and groups. otherwise the "other" permissions are used. pre-xp and xp. cifs. The option defaults to off.restrict_anonymous. if the requester is a member of the file's owning group the "group" permissions are used. By default it is off. ACLs will not affect root access from NFS.NetApp. files with UNIX security style are checked in a way that works better when controlling access using share-level ACLs.e. cifs.ms_snapshot_mode This option specifies the mode for Snapshot access from a Microsoft Shadow Copy client. cifs. any existing per-client statistics are discarded. cifs. Page 154 of 187 CIFS – Demo. The value may be changed at any time without restarting CIFS. For existing installations. If the option is turned off. If the requester is not the owner and if perm_check_use_gid is off. cifs. cifs. cifs. 
The value 0 results in never sending such broadcast messages. but if the NetApp storage is to run in a NetBIOS scope other than the default one. This options controls whether CIFS will cache SID-to-name translation information that it has received from the domain controllers.lifetime By default this option is 1440. The value 2 causes the messages to be sent to all open connections. This option controls whether CIFS will attempt to “fold” files on close with previous snapshot versions of themselves to minimize disk usage. the user can access Snapshot copies by entering \\NetApp storage\share\. which is 24 hours specified in minutes.snapshot_file_folding.sidcache. Snapshot copies can be accessed through DOS on any system by changing to the ~Snapshot directory. all domains are searched. its scope ID must be set to the scope ID of that scope. On Windows NT 4 or Windows 95 clients. This option is specified in minutes.NetApp.com . which is the default behavior.enable By default this option is TRUE.enable By default this option is FALSE. if any. The scope ID can be changed only when cifs is not running.show_snapshot By default this option is FALSE. The NetApp storage must compare block contents when folding a file. only clients with the same NetBIOS scope ID as the NetApp storage will be able to use the NetApp storage as a CIFS server. cifs. The option controls how long a SID-to-name cache entry is used before it becomes stale. The SID-to-name mapping functions in the NetApp storage will query the appropriate domain controller to update the cached mapping when it is needed but has become stale. This is a change in behavior from previous versions.sidcache. so there is a performance vs. The default value for this option is the null string. and the version of the file in the latest Snapshot. This option can be set to control this behavior.cfg file. 
The argument for the option is a comma-separated list that is searched in order.save_case This will force all created file names to lowercase for better compatibility between 16-bit applications and certain UNIX tools. Page 155 of 187 CIFS – demo. cifs. space utilization tradeoff to consider with this option. Setting this to TRUE will restore the old behavior. Disk space is saved by sharing unchanged file blocks between the active version of the file.shutdown_msg_level Normally a message is broadcast to all clients when cifs is terminating. cifs. Note: When this option is TRUE it can confuse programs like FastFind that don't know about Snapshot copies. Snapshot copies can also be accessed lower in the share by providing a path to a lower directory. The default is on.scopeid NetBIOS scope IDs allow the system administrator to create small workgroups out of a network by partitioning the NetBIOS name space. You use this option to control searches if you used an asterisk for a domain name in the usermap.cifs.search_domains Specifies a list of domains that trust each other to search for a mapped account. cifs. The value 1 results in sending broadcast messages only to sessions that have open files. The default scope ID is a null string. The snapshot directory ~snapshot is no longer shown at the root of a share.Snapshot (or ~Snapshot) in the Start->Run menu. If this option is set to a null string. The CIFS client can cache the widelink path referral for the time-to-live time period.com . the NetApp storage returns both a path referral and a time-to-live value.widelink.cycleguard option (on by default).trace_dc_connection When cifs. The password change occurs at approximately 1:00 a. This can be used to diagnose access problems on the NetApp storage. For Windows 2000 domains with multiple DCs. 
the NetApp storage follows the link with the proviso that the ultimate target turns out to reside within the originating share (thus assuring that the client has access permission to the target).symlinks.symlinks. cifs. Users should use caution when changing this option.cifs.trace_dc_connection is on (the default is off). on Sunday mornings. This option has no effect on NetApp storage installed in domains earlier than Windows 2000. With this option set to off.weekly_W2K_password_change This option affects only NetApp storage installed in Windows 2000 domains. eliminates the possibility of traversing directories cyclically during the process of following symbolic links.NetApp. the NetApp storage logs all domain controller address discovery and connection activities. This option allows the system administrator to set the value which the NetApp storage returns for time-to-live. as is current practice for the NetApp storage in Windows NT 4 domains.trace_login is on (the default is off). This can be used to diagnose DC connection problems on the NetApp storage. if the target of the symlink resolves to a directory that is directly above the symlink's parent directory.symlinks. cifs.symlinks. The default for this option is off. the NetApp storage logs all login-related activities.m. cifs. cifs.trace_login When cifs. if the object being accessed by a CIFS client is a symbolic link (whether absolute or relative). it is disallowed.ttl When a CIFS client accesses a wide symbolic link (widelink). Page 156 of 187 CIFS – Demo. When on. This is because they do not understand symbolic links and will repeatedly loop on them.enable When cifs.enable is on (the default). cifs.cycleguard The cifs.0) will not operate correctly when a symlink points to a parent directory. With this option set to on. many standard Windows apps (such as Find in Windows 95 and Windows NT 4. this option causes the NetApp storage to change its domain password once a week. 
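The checks a reviewer would run against a NetApp storage's CIFS settings follow directly from the guidance above: audit events are only produced when cifs.audit.enable is on, anonymous sessions can enumerate shares and groups while cifs.restrict_anonymous.enable stays off, cifs.max_mpx must hold one of the approved values, cifs.idle_timeout has a fixed range, and pre-xp Snapshot mode and a disabled symlink cycle guard carry documented costs. The script below is an added example, not part of TR-3708i or any NetApp tool; it assumes the `name value` one-option-per-line output of `options cifs`, and the listing it audits is constructed for the demonstration.

```python
"""Audit a Data ONTAP 7-mode `options cifs` listing against Appendix C guidance.

Added example, not from TR-3708i or any NetApp tool. It assumes the
`name value` one-option-per-line output of `options cifs`; the listing
below is constructed for the demonstration.
"""

SAMPLE_OPTIONS = """\
cifs.audit.enable                    off
cifs.audit.logon_events.enable       on
cifs.audit.file_access_events.enable on
cifs.idle_timeout                    1800
cifs.max_mpx                         300
cifs.ms_snapshot_mode                pre-xp
cifs.restrict_anonymous.enable       off
cifs.symlinks.cycleguard             on
cifs.symlinks.enable                 on
cifs.trace_login                     off
"""

# 50 is the default; 126, 253 and 1124 are the approved values from KB Q232890.
APPROVED_MAX_MPX = {50, 126, 253, 1124}
IDLE_TIMEOUT_RANGE = (600, 4_000_000)  # seconds, the documented cifs.idle_timeout range


def parse_options(text):
    """Turn `name value` lines into a dict; a name with no value maps to ''."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_cifs_options(opts):
    """Return a list of (option, finding) tuples; an empty list means no findings."""
    findings = []

    def is_on(name, default="off"):
        return opts.get(name, default).strip().lower() in ("on", "true", "1")

    def as_int(name, default):
        try:
            return int(opts.get(name, str(default)))
        except ValueError:
            findings.append((name, f"non-numeric value {opts.get(name)!r}"))
            return default

    # Auditing: the per-event switches only take effect when cifs.audit.enable is on.
    if not is_on("cifs.audit.enable"):
        findings.append(("cifs.audit.enable",
                         "off: no file-access or logon/logoff events are generated"))
    else:
        for sub in ("cifs.audit.logon_events.enable",
                    "cifs.audit.file_access_events.enable"):
            if not is_on(sub, "on"):
                findings.append((sub, "off: that event class is not recorded"))

    # Anonymous enumeration of shares and groups (the option defaults to off).
    if opts.get("cifs.restrict_anonymous.enable", "off").strip().lower() in ("off", "0", ""):
        findings.append(("cifs.restrict_anonymous.enable",
                         "off: unauthenticated sessions can enumerate shares and groups"))

    # max_mpx: only approved values, and changed only while CIFS is terminated.
    mpx = as_int("cifs.max_mpx", 50)
    if mpx not in APPROVED_MAX_MPX:
        findings.append(("cifs.max_mpx",
                         f"{mpx} is not an approved value (126, 253, 1124); "
                         "change only while CIFS is terminated"))

    idle = as_int("cifs.idle_timeout", 1800)
    lo, hi = IDLE_TIMEOUT_RANGE
    if not lo <= idle <= hi:
        findings.append(("cifs.idle_timeout", f"{idle} is outside {lo}..{hi}"))

    # Snapshot access mode: pre-xp is a downlevel mode with a cost under heavy load.
    mode = opts.get("cifs.ms_snapshot_mode", "").strip().lower()
    if mode == "pre-xp":
        findings.append(("cifs.ms_snapshot_mode",
                         "pre-xp: use only if Windows 2000 Shadow Copy access is required"))
    elif mode not in ("", "off", "xp"):
        findings.append(("cifs.ms_snapshot_mode", f"unexpected value {mode!r}"))

    # The cycle guard keeps Find-style clients from looping on parent-directory links.
    if not is_on("cifs.symlinks.cycleguard", "on"):
        findings.append(("cifs.symlinks.cycleguard", "off: cyclic symlink traversal allowed"))

    return findings


if __name__ == "__main__":
    for option, finding in audit_cifs_options(parse_options(SAMPLE_OPTIONS)):
        print(f"{option}: {finding}")
```

Run against the constructed listing it reports four findings (auditing off, anonymous enumeration permitted, an unapproved max_mpx of 300, and pre-xp Snapshot mode); a listing captured from a real system with `options cifs` can be fed to `parse_options` unchanged.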
APPENDIX D: CIFS NETAPP SIZING GUIDELINE

General Information

Customer Name (Required)
Customer name is a required field.

Requester E-Mail (Required)
This field is required for two reasons:
• Used as part of the request tracking and history mechanism.
• The email address listed will receive an email of the sizing output AND any future emails regarding this particular sizing.

Sizing Request Identifier (Info Only)
This field is intended to help identify individual sizing requests submitted during the sizing exercise for a particular opportunity/customer. This name will be used to track this request (in combination with some date information). This field becomes part of the "Subject" line of the email containing the configuration suggested and can help in sorting/arranging/searching for various configurations. Be creative.

Vantive # (If Applicable) (Info Only)
If this sizing is associated with a customer case in any way, list the case # here for cross-reference.

Region (Info Only)
Simply select the appropriate NetApp sales region.

Location (Info Only)
This field is primarily for customers who have multiple sites. List the specific site where the configuration will be installed.

SE/CSE/PSE(s) (Info Only)
List all SEs, CSEs, and PSEs involved with the sizing/sales/deployment of the sized system.

Field Specialist (Info Only)
If you are working with a Field Specialist, list the name here.

Notes (Info Only)
Describe the customer situation or any information that is potentially useful when reviewing the inputs or outputs. Describe any unusual configuration or setup requirements.

Data ONTAP Version (Impacts Sizing)
Select the Data ONTAP version to be used in the installation. Map the planned version to one of the listed options.

Sizing Option
This option allows the user to choose the sizing method.
• Regular - In this case, drive performance characteristics assume mild short stroking.
• Competitive - In this case, drive performance characteristics assume full stroking.

Drive Perf Curves
This option allows the user to do sizing using the following disk curves:
• Prev. Generation - Sizing is done using performance characteristics of an older generation of disks.

Application Defaults
In this option the application's default parameters are changed if "Competitive" Mode is chosen. The parameters changed are:

Parameters                                                Values in Regular Sizing Mode   Values in Competitive Sizing Mode
CPU Headroom                                              30%                             20%
Single Instance Ratio                                     1                               1.25
NTFS hard link                                            No                              Yes
Concurrent Users                                          100%                            90%
Deleted Item/Mbox Cache                                   15%                             10%
Read and Write working set size as a % of database size   100%                            85%
Fractional Space Reserve                                  1                               0.8
Cache Factor                                              0.33                            0.37

GENERAL NETAPP STORAGE SPECIFICATIONS

NetApp Storage Platform (Impacts Sizing)
This field allows the sizing to be restricted to a sub-set of all possible platforms. If "Any" is selected, all platforms will be considered. If one or more platforms are selected, then just those platforms will be considered as valid configurations.

Min # of Heads (Impacts Sizing)
This field allows the sizing to be started from a minimum number of heads (or clusters). It can be used if the situation, for some reasons other than sizing considerations, dictates a certain minimum number of heads or clusters, OR can be used simply to explore various "what-if" scenarios with more heads than the sizer suggests.

Max # of Heads (Impacts Sizing)
This field allows the sizing to be limited to a maximum number of heads (or clusters). For instance, if the customer is specifically interested in only single head cluster solutions, please select 1 (one) for input. All valid configurations will then contain exactly one cluster head.

Local Cluster (Impacts Sizing)
This field specifies whether or not NetApp storage clusters should be sized. If "Yes" is selected, then all valid configurations will be clustered solutions only (or multiple clustered solutions). If "No" is selected, then all valid configurations will be single head NetApp storages (or multiple single head NetApp storages). Typically, the decision to cluster or not is a customer business decision based on the availability requirements of the application environment.

Failed-Over Performance (Impacts Sizing)
If the local cluster option is selected, the customer must decide what expectations exist during a failover scenario when only one head is operational. There are two choices:
• Performance is expected to be the same as normal operation (no performance degradation).
• Performance degradation is expected and tolerable during the failover scenario.
The impact this setting has on sizing is simple: if no degradation is expected, then both heads in the cluster must operate below 50% CPU utilization during normal mode. The "CPU Headroom" value selected above then applies to the 50% utilization target.

MetroCluster (Impacts Sizing - Not available currently)
This field specifies whether or not a MetroCluster solution is required. If "Yes" is selected, then the sizing occurs for clusters only, assuming that each cluster pair is split over the metro interface. If "No" is selected, then the sizing occurs based on the NetApp storage cluster-or-not setting.

Failed-Over Performance (Impacts Sizing - Not available currently)
This value is currently not used in sizing calculations. If the MetroCluster option is selected, the customer must decide what expectations exist during a failover scenario when only one head is operational. There are two choices:
• Performance is expected to be the same as normal operation (no performance degradation).
• Performance degradation is expected and tolerable during the failover scenario.
The impact this setting has on sizing is simple: if no degradation is expected, then both heads in the cluster must operate below 50% CPU utilization during normal mode. The "CPU Headroom" value selected above then applies to the 50% utilization target.

CPU Headroom (Impacts Sizing)
This field allows the customer to specify how much headroom (or CPU idle %) is requested under normal load circumstances. A headroom selection of 30% means that all valid configurations will have a projected maximum CPU utilization of 70% or less. Think of this as a general approximation of CPU usage, not a hard projection. Note that this is approximate and that many variables can impact the actual deployed CPU utilization.

CUSTOM SIZER SPECIFIC INFORMATION

Random Read/Write Working Set Size (Impacts Sizing)
These fields determine the amount of metadata reads and writes generated. They denote the amount of space actively accessed by the users. It is expressed as a % of "Data Size GB (usable)." Usually, depending upon the application, it will be much lower than that. The worst case can be the whole file space. If you are unable to figure out the active space, use the whole file space (for worst case).

Random Read Latency (ms)
Desired NetApp storage latency for random reads. This is an optional parameter (default value is 20 ms) and should be between 10 ms and 40 ms.

Vol Type (optional)
This parameter provides a way to specify a common Volume type for all the workloads. The meanings of the various options are:
• "Per Workload" - Specify the Vol Type field for each workload individually (thereby providing a way for different workloads to have different Vol Types).
• "Any" - Sizing will be performed for both "Flex" and "Trad" Vol types for all the workload(s).
• "Flex" - The Vol Type will be flexible volumes for all the workload(s).
• "Trad" - The Vol Type will be traditional volumes for all the workload(s).

Age of System
A simple parameter that takes into account the effect of aging on system behavior. This parameter controls the expected fragmentation level of the system that is being sized. Be careful of sizings that are done using this parameter, as not all systems that are X% full have the same level of fragmentation. This should be used only as an indicator of likely performance.

BACKEND SIZING INFORMATION

Capacity Reserve
Capacity Reserve is the extra capacity that needs to be added during the sizing process for growth purposes.

CIFS HOME DIRECTORY SPECIFIC INFORMATION

Desired # of Users
This is the number of users expected to be supported on the target deployment.

Concurrency Percentage
This is the percentage of desired users expected to be concurrently using the target deployment. This number is not more than 100%.

User Type
A user type for this sizing method is categorized as a Light, Medium or Heavy User Type. Please refer to the CIFS guide for more details.

Home Directory Sizer in GB per User
This is the space allocated per user in GB on the target deployment.

Virus Scanning
This option lets you size with Virus Scanning Enabled or Disabled. Please refer to the CIFS guide for more details.

SMB Signing
This option lets you size with SMB Signing Enabled or Disabled. Please refer to the CIFS guide for more details.

SnapMirror
This option lets you size with SnapMirror Enabled or Disabled.

Current Platform
This is the current NetApp Platform you have and want to upgrade from.

Number of Servers
This is the number of existing servers from which we extract KB In per second and KB Out per second information.

Observed CPU Percentage
This is the CPU% observed in the current deployment.

Number of Drives in Existing Set Up
This is the existing number of drives in the current NetApp Deployment.

Disk Read Ops/Host Read Op
This value indicates the memory utilization of the system. It is a number typically between 1 and 2.
• A value of 1 implies that each incoming read operation to the NetApp storage translates to only one disk read operation. In other words, all the metadata needed for the incoming read operations to the NetApp storage is already cached in NetApp storage memory.
• A value of 2 indicates that each incoming read operation to the NetApp storage translates to two disk read operations: first to read the metadata for the data block(s) and then second to read the actual data block(s). In other words, no metadata caching.

Memory Utilization
This is an output value that shows the memory utilization that the system is experiencing.
• Systems with low memory utilization correspond to ones with diskops/host_ops < 1.5. These systems are highlighted with green color.
• Systems with medium memory utilization correspond to ones with diskops/host_ops >= 1.5 and < 1.75. These systems are highlighted with yellow color.
• Systems with high memory utilization correspond to ones with diskops/host_ops >= 1.75. These systems are highlighted with red color.
If you have to choose a specific system, it is always better to choose one with the lowest memory utilization.

APPENDIX E: CIFS RESOURCE LIMITS

This describes the theoretical limits that exist for certain CIFS data structures. These limits vary depending on the hardware platform. In practice, these limits depend on how much memory is generally available, so your mileage will vary. For real world sizing, please refer to: Home Directory Capacity Planning Guide – December 2004, http://perf-web.corp.netapp.com/twiki/pub/Perfweb/TechLibrary/FileServingSizingGuide-2004.pdf (Internal)

Limit                   Description
Max Connections         The maximum number of open CIFS TCP connections.
Max Shares              The maximum number of directories shared using CIFS.
Max Share Connections   The maximum number of open connections to CIFS shares.
Max Open Files          The maximum number of open CIFS file handles.
Max Locked Files        The maximum number of locked files.
Max Locks               The maximum number of open locks, including both share and byte-range locks.
Limits

The per-platform tables (one column per platform, rows Max Connections, Max Shares, Max Share Connections, Max Open Files, Max Locked Files, Max Locks) did not survive extraction intact; the values are reproduced as extracted under each series.

FAS6000 Series: FAS6030 (16GB), FAS6070 (32GB)
96.000 1.233.608 4.116.216 384.000 2.920.000 1.233.608 4.116.216 1.000 2.000 96.000 192.000 192.000 1.000 1.116.608 4.233.920.000 384.000 2.

FAS3000 Series: FAS3020 (2GB), FAS3040 (4GB), FAS3050 (4GB), FAS3070 (8GB)
32.000 1.116.800 124.000 2.280.000 1.072 608 4.000 256.000 292.672 536 1.344

FAS2000 Series: FAS2020 (1GB), FAS2050 (2GB)
13.200 26.000 1.411.344 24.000 128.000 1.000 292.400 108.000 2.400 13.000 1.411.216 128. 920.000 138.344 1.000 1.000 1.000 640.822.400 52.200 54.400 27.280.000 128.000 1.072 2.672 585.144 96.000 384.000 64.000 1.233.200 12.000 64.000 1.822.144 64.072 2.000 705.000 1.411.072

FAS200 Series: FAS250 (512MB), FAS270 (1024MB)
6.000 192.000 1.411.688 52.200 26.000 1.000 64.000 601.672 585.800 544.000 705.336 276.000 1.411.800 264.000 256.800 264.000 1.

APPENDIX F: USING NOVELL'S EDIRECTORY FOR LDAP AUTHENTICATION

HANDS-ON EXERCISE: LDAP Authentication with Novell's eDirectory
Prerequisite: NWSETUP.BAT required on W2003
Performed from: W2003

NetApp supports Novell's eDirectory versions 8.7.3 to 8.8.x for LDAP authentication on NetApp storage (Novell eDirectory running on NetWare 6.x, Suse Linux® OES 9.0, Windows 2000, or 2003 Server).

Novell's eDirectory tree is designed as follows for this demonstration:
Tree = NETAPP
Users reside = ou=USERS.ou=SUNNYVALE.o=CA
Servers reside = ou=SERVERS.ou=SUNNYVALE.o=CA
The Novell NetWare server name = bigred
Administrator = cn=admin.ou=USERS.ou=SUNNYVALE.o=CA

This appendix assumes you are familiar with using Novell's ConsoleOne. If you have run the LDAPEDIR.BAT, a shortcut for ConsoleOne has been placed on your desktop.

Stage 1: Preparing eDirectory

The following 5 steps have already been performed; to continue with this exercise, proceed to stage #2.

1. Install Novell Native File Access Protocol. Refer to "Novell Native File Access Protocols Installation and Administration Guide" for detailed steps.
2. From Novell ConsoleOne, select the UNIX Profile tab and assign a UNIX User Identification Number (UID) and UNIX Group Identification Number (GID) to your Users and Groups. Or use iManager to assign the UNIX UID and GID to both the users and groups. Note: Both the UNIX UID and UNIX GID must be set on the User and Group accounts, as well as a simple password for each user you wish to authenticate to eDirectory (LDAP) to access the NetApp storage.
3. Create simple passwords for your users. Either perform the following steps, or users may use iManager, Novell Remote Manager, or Novell's Virtual Office for self-administration, or, to automate the task, execute: LDAPEDIR.BAT. To automate the process for large customers, use Novell's Identity Manager or Novell's Account Manager.
4. For NetWare, configure the CIFS search context:
   NETWARE> sys:\etc\cifsctxs.cfg
   with the correct CIFS context search, i.e.
   ou=USERS.ou=SUNNYVALE.o=CA
   ou=SERVERS.ou=SUNNYVALE.o=CA
5. If you are not using the Home Directory mapping, refer to steps 10 or 11 of the section "Preparing the NetApp storage".

Stage 2: Preparing the NetApp Storage

Once the Novell NetWare 32-bit client has been installed on the W2003 and the machine has been rebooted, to log back into Windows:
a. Check the box for "Workstation only"
b. Type your Username: administrator, password: netapp1
c. Click OK
d. Disregard the service control manager error message. This is to warn you that IP load balancing is not supported with the Novell client.

Once you have logged in, on the bottom far right, right click the N, which appears when you log in, and from the menu bar select "Novell Login."
User: admin
Password: netapp1
Click the Advanced button
Tree: NETAPP
Context: USERS.SUNNYVALE.CA
Server: 192.168.10.102

On the properties of the eDirectory "LDAP Group – BIGRED", turn off "Require TLS for simple binds with password," as illustrated in the above figure.

Preparing CIFS for eDirectory authentication on NetApp storage:
FAS1> cifs terminate –t 0
FAS1> cifs setup
1. Select LDAP authentication (Option 4).
2. Select multimode rather than NTFS; otherwise, place a forward slash in the field. Then move to step #3.
3. Modify the /etc/nsswitch.conf file to make sure passwd, group and netgroup all say "ldap nis files":
FAS1> priv set advanced
FAS1*> java netapp.cmds.jsh
FAS1*> cp /etc/nsswitch.conf /etc/nsswitch.conf.original
FAS1*> exit
FAS1*> priv set
FAS1*> wrfile /etc/nsswitch.conf
passwd: ldap files nis
netgroup: ldap files nis
group: ldap files nis
hosts: files dns nis
shadow: files nis
Ctrl+C to end file
A message will display stating: "read: error reading standard input: Interrupted system call"
After you create the file, you may view the contents with the command:
FAS1*> rdfile /etc/nsswitch.conf
4. Configure the NetApp storage for DNS name resolution (FilerView, Network, Configure Host Name Resolution). You must be able to resolve the FQDN of the LDAP server, bigred.demo.netapp.com.

Stage 3: Extending the Schema on eDirectory

To simplify the connection to the NetWare console, a copy of remote console (freecon2006.exe) has been placed in C:\CIFSDEMO\Novell\. Please install the software using the default settings.

SERVER> Please use freecon2006 to connect to the NetWare console.

From the Master Replica eDirectory Server (BIGRED), extend the schema with the NetApp RFC2307 files (rfc2307-usergroup.sch and rfc2307-nis.sch).
NETWARE> nwconfig
Select Directory options, Extend Schema, authenticate with user: admin.users.sunnyvale.ca, password: netapp1, and type the path to the schema files (SYS:\Schema). When the schema import completes, press ESC until you exit, then exit.

NETWARE> dsrepair –a
Select Advanced options menu, Global schema operations, authenticate with user: admin.users.sunnyvale.ca, password: netapp1.
Select Post NetWare 5 schema update. Respond with Yes, I'm sure. When this completes press ESC.
Select Optional Schema Enhancements. Respond with Yes, I'm sure. When this completes press ESC until you are at the main menu.
Select to Run "Unattended full repair". Once completed, select to Return to the previous menu. Press F3; when this completes press ESC until you exit the DSRepair program.

Set the Correct LDAP Options on the NetApp Storage

Make the appropriate changes. To verify each setting was correctly changed, type:
FAS1> options ldap
NOTE: The following LDAP settings have been placed in the LDAPNWSCHEMA.BAT. You may execute the batch file instead of manually typing the following commands.

FAS1> options ldap.ADdomain "o=ca"
FAS1> options ldap.base "ou=users.ou=sunnyvale.o=ca"
FAS1> options ldap.base.group "ou=users.ou=sunnyvale.o=ca"
FAS1> options ldap.base.netgroup "ou=users.ou=sunnyvale.o=ca"
FAS1> options ldap.base.passwd "ou=users.ou=sunnyvale.o=ca"
FAS1> options ldap.enable on
FAS1> options ldap.minimum_bind_level anonymous
FAS1> options ldap.name admin.users.sunnyvale.ca
FAS1> options ldap.nssmap.attribute.gecos gecos
FAS1> options ldap.nssmap.attribute.gidNumber gidNumber
FAS1> options ldap.nssmap.attribute.groupname cn
FAS1> options ldap.nssmap.attribute.homeDirectory homeDirectory
FAS1> options ldap.nssmap.attribute.loginShell loginShell
FAS1> options ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
FAS1> options ldap.nssmap.attribute.memberUid memberUid
FAS1> options ldap.nssmap.attribute.netgroupname cn
FAS1> options ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
FAS1> options ldap.nssmap.attribute.uid uid
FAS1> options ldap.nssmap.attribute.uidNumber uidNumber
FAS1> options ldap.nssmap.attribute.userPassword userPassword
FAS1> options ldap.nssmap.objectClass.nisNetgroup nisNetgroup
FAS1> options ldap.nssmap.objectClass.posixAccount posixAccount
FAS1> options ldap.nssmap.objectClass.posixGroup posixGroup
FAS1> options ldap.passwd netapp1
FAS1> options ldap.port 389
FAS1> options ldap.servers bigred
FAS1> options ldap.servers.preferred bigred
FAS1> options ldap.ssl.enable off
FAS1> options ldap.usermap.attribute.unixaccount Unixaccount
FAS1> options ldap.usermap.attribute.windowsaccount Windowsaccount
FAS1> options ldap.usermap.base
FAS1> options ldap.usermap.enable off
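The exercise depends on two pieces of NetApp-side state fitting together: the nsswitch.conf written in stage 2 must consult ldap first for passwd, group and netgroup, and the ldap.* options above must be enabled with non-empty search bases and a reachable server. The check below is an added example, not part of TR-3708i or LDAPNWSCHEMA.BAT; it parses a saved copy of /etc/nsswitch.conf and an `options ldap` listing (the `name value` per-line format is assumed, and both inputs are constructed to match the values used in this exercise, with the password masked). Because this demo turns TLS off on the LDAP group and sets ldap.name with ldap.passwd, the check also reports that the bind credentials cross the network in the clear, which is the trade-off a reviewer would want flagged before the same settings left the demo lab.

```python
"""Verify the NetApp LDAP client settings used in the eDirectory exercise.

Added example, not part of TR-3708i or LDAPNWSCHEMA.BAT. The two inputs
below are constructed: a saved /etc/nsswitch.conf and an `options ldap`
listing in the assumed `name value` per-line format (password masked here).
"""

NSSWITCH_SAMPLE = """\
passwd: ldap files nis
netgroup: ldap files nis
group: ldap files nis
hosts: files dns nis
shadow: files nis
"""

LDAP_OPTIONS_SAMPLE = """\
ldap.ADdomain                o=ca
ldap.base                    ou=users.ou=sunnyvale.o=ca
ldap.base.group              ou=users.ou=sunnyvale.o=ca
ldap.base.netgroup           ou=users.ou=sunnyvale.o=ca
ldap.base.passwd             ou=users.ou=sunnyvale.o=ca
ldap.enable                  on
ldap.minimum_bind_level      anonymous
ldap.name                    admin.users.sunnyvale.ca
ldap.passwd                  ******
ldap.port                    389
ldap.servers                 bigred
ldap.servers.preferred       bigred
ldap.ssl.enable              off
ldap.usermap.base
ldap.usermap.enable          off
"""

LDAP_DATABASES = ("passwd", "group", "netgroup")
REQUIRED_BASES = ("ldap.base", "ldap.base.passwd", "ldap.base.group", "ldap.base.netgroup")


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf-style lines."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def parse_options(text):
    """Turn `name value` lines into a dict; a name with no value maps to ''."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_ldap_client(nsswitch, ldap):
    """Return a list of problems; an empty list means the settings match the exercise."""
    problems = []
    # Stage 2 requires ldap to be the first source for the three account databases.
    for name in LDAP_DATABASES:
        sources = nsswitch.get(name, [])
        if not sources or sources[0] != "ldap":
            problems.append(f"nsswitch: {name} does not consult ldap first "
                            f"({' '.join(sources) or 'missing'})")
    if ldap.get("ldap.enable", "off").lower() != "on":
        problems.append("ldap.enable is off: lookups fall through to files/nis only")
    if not ldap.get("ldap.servers"):
        problems.append("ldap.servers is empty")
    for key in REQUIRED_BASES:
        if not ldap.get(key):
            problems.append(f"{key} is empty: searches would start at the directory root")
    if ldap.get("ldap.usermap.enable", "off").lower() == "on" and not ldap.get("ldap.usermap.base"):
        problems.append("ldap.usermap.enable is on but ldap.usermap.base is empty")
    # A named bind account without SSL sends the bind password in the clear.
    if ldap.get("ldap.name") and ldap.get("ldap.ssl.enable", "off").lower() != "on":
        port = ldap.get("ldap.port", "389")
        problems.append(f"ldap.name is set but ldap.ssl.enable is off: the bind "
                        f"credentials cross the network in the clear on port {port}")
    return problems


if __name__ == "__main__":
    for problem in check_ldap_client(parse_nsswitch(NSSWITCH_SAMPLE),
                                     parse_options(LDAP_OPTIONS_SAMPLE)):
        print(problem)
```

On the constructed inputs the only report is the clear-text bind, which is exactly the state this exercise creates by turning off "Require TLS for simple binds with password"; a copy of the real /etc/nsswitch.conf (via rdfile) and the output of `options ldap` can be substituted for the two sample strings.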
Stage 4: Testing LDAP Communications

SERVER> Use ConsoleOne, create two users:
Betty in the following context = USERS.SUNNYVALE.CA
Barnie in the following context = USERS.SUNNYVALE.CA
and assign passwords for both users using all three options (from ConsoleOne, select the Login Methods tab):
NDS Password – used for eDirectory, and is mandatory
Enhanced Password – used for Kerberos key ticket exchange
Simple Password – used for LDAP

SERVER> Use ConsoleOne, create a group called SysOp in the following context = USERS.SUNNYVALE.CA

SERVER> Use ConsoleOne, add both Betty and Barnie to the SysOp group. Ensure both users and the group have been assigned UNIX UID and GID.

For LDAP testing, refer to section 6 (getXXbyYY: Advanced Name Resolution Test Commands).

Once you have success with LDAP communication, configure the NetApp storage CIFS shares with user or Group access based on eDirectory accounts. For this example, we will assign the group SysOp full control to the share C$.
FAS1> cifs access C$ -g SysOp full control
FAS1> options wafl.default_security_style mixed

SERVER> From FilerView, select CIFS -> Configure -> Security, and change the Default Security Style from ntfs to mixed. Use Group ID Permissions, set to "Yes."

Test connectivity for both Betty and Barnie to the C$ share:
SERVER> Net use T: \\FAS1\C$ /user:Betty netapp1

APPENDIX G: COMMONLY USED ADMINISTRATIVE INTERFACES FOR DATA ONTAP

ADMINISTRATIVE APPLICATIONS FOR DATA ONTAP
• FilerView, i.e. http://<NetApp storage>/na_admin, provisioning:
  o Storage system At-A-Glance
  o Documentation
  o Manual Pages
  o Submit a support case
  o Written in HTML and Javascript, which works on most browsers
  o Instructions for installation: http://web.netapp.com/engineering/design-depot/appliance-mgmt/filerview/faq/ (Internal)
• NetApp Operations Manager
• SnapManager
• SnapDrive
• Host-side CLI (Command Line Interface)
  o RSH
  o SSH
  o Telnet
  o Serial console
  o RLM
  o Test CLI command
• SNMP
• Syslog, Autosupport
• HTTP/HTTPS
• Vscan/FPolicy
• RPC (Windows authentication)
• ZAPI
  o Data ONTAP APIs (ONTAPI™) are used internally by FilerView, SnapManager, Operations Manager and interstorage communication.
  o Manage Data ONTAP SDK for 3rd parties (C, Java, and Perl)
  o Data ONTAP Developer writes API code and docs in one place in the Data ONTAP source tree
  http://web.netapp.com/engineering/design-depot/appliancemgmt/zephyr/

NETAPP JAVA SHELL

To load the Java Shell:
FAS1> priv set advanced
FAS1*> java netapp.cmds.jsh

To Exit the Java Shell:
FAS1*> exit
FAS1*> priv set

Supports file system tree traversal and basic file utilities similar to the UNIX shell, along with the ability to execute any Data ONTAP built-in command. In addition, commands to copy, move, remove, and list files are available; no wild card support.

cd [directory]            Change the current directory to that specified. The directory specified may be either absolute or relative. "/" is used if no directory is specified.
pwd                       Print the current working directory.
ls [-l]                   List the contents of the current directory. If the -l flag is used a longer listing of each file is produced.
cat file                  Print the contents of the specified file. You better hope the contents are ASCII friendly.
rm file [...]             Remove the files specified.
cp src_file dest_file     Copy the source file to the destination file.
mv src_file dest_file     Move the source file to the destination file.
ps [-l]                   List all the Java threads executing in the Java Virtual Machine.
Gc                        Run the garbage collector. Report memory heap usage.
classpath [extra_path]    Append to the system's notion of CLASSPATH.
syspath [extra_path]      Append to the system path.
Threads                   Print a stack traceback of all Java threads on the console.
Monitors                  Print a report of all the Java monitors on the console.
Heap                      Print a report of the Java heap on the console (prof kernels only).
[DATA ONTAP command]      Execute any of the builtin Data ONTAP commands (hostname and so on) and wait for completion.
Syncdb                    Sync the database and create a copy in /etc/java/jit.db.
java_application [&]      Execute the given Java application. If a package name isn't used, netapp.cmds is assumed. If "&" is specified, don't wait for the application to complete.
Sync the Jivetech JIT database. Change the “local” classpath used to load classes in a separate name space. cd [directory] Pwd ls [-l] cat file rm file [file2 . the Java shell can execute any Java application specified on the command line. Rename the source file to the destination file. Sorry. and Domain Admins.NetApp.4 o GPO is introduced .1 o GPO support is official o GPO Event Log support Maximum application log size (Not Applicable) Maximum-security log size Maximum system log size (N/A) Restrict guest access to application log (N/A) Restrict guest access to security log Restrict guest access to system log (N/A) Retain application log (N/A) Retain security log Retain system log (N/A) Retention method for application log (N/A) Retention method for security log Retention method for system log (N/A) o GPO Auditing support Audit account logon events Audit account management (N/A) Audit directory service access Audit logon events Audit object access Audit policy change (N/A) Audit privilege use (N/A) Audit process tracking (N/A) Audit system events (N/A) Data ONTAP 7. APPENDIX H: SUPPORTED GPO’S SUMMARY OF GPO FEATURES • Data ONTAP 6.0 o GPO is remained as a hidden feature o GPO File System security policy. You can later add any groups that you consider sensitive or privileged to the Restricted Groups security list. Print Operators. the Power Users group is automatically part of Restricted Groups. However. to cover for him while he is on vacation. with no ACL propagation implemented Data ONTAP 7. no one remembers to remove Charles • • • • Page 173 of 187 CIFS – demo. For example. Assume it contains two users: Alice and Bob. such as Administrators. 
since it is a default Windows 2000 group.as a hidden feature o Startup and Shutdown scripts o GPO refresh time interval for computer Data ONTAP 7.1 o GPO is remained as a hidden feature o A seperate GPO security policy framework o A complete GPO File System security policy support Data ONTAP 7.2 o Restricted Group Restricted Groups automatically provides security memberships for default Windows 2000 groups that have predefined capabilities. Server Operators.com . Power Users.0. through the Active Directory Users and Computers snap-in. Bob adds Charles to the group. Since only Alice and Bob are listed in the Restricted Groups node for Power Users. these situations can add up. such as: Disable background refresh of Group Policy GPOs to consider in the Future o Customized NetApp GPOs o Implementation of Active Directory GPO in generic LDAP • • Page 174 of 187 CIFS – Demo. In actual deployments.2. Configuring security through Restricted Groups can prevent this situation. over time.NetApp.1 o User Rights Assignment Take ownership of files or other objects o GPO refresh time interval random offset GPOs in the roadmap o Most of GPO Security policies. Charles is removed from the group automatically. members who should no longer have these rights. • Data ONTAP 7. when Group Policy settings are applied. resulting in extra members in various groups.com .from the group when Bob comes back from vacation. such as: Local Policies User Rights Assignment Access this computer from the network Backup files and directories Bypass traverse checking Deny access to this computer from the network EMC Virus Checking Generate security audits Increase quotas Manage auditing and security log Restore files and directories Security Options Digitally sign client communication (always) Digitally sign server communication (always) Kerberos Maximum tolerance for computer clock synchronization (clock skew) Maximum lifetime for user ticket o Other applicable registry settings. exe). 
The follow tables listed in this Appendix provides both the available counter names and a description of what each counter would capture. On the right pane. HANDS-ON EXERCISE: CIFS Performance Counters Prerequisite: CIFSRUN. W2003 or W2008 Either perform the follow steps. start Performance Monitor (cmd. from the menu bar. Read operations count as a percentage of total CIFS operations. perfmon. or to automate the task. For realtime capture. type \\FAS1 followed by TAB which will cause the available counters to update to the specific ones which are supported by NetApp.BAT Performed from Vista. Page 175 of 187 CIFS – demo. on the left pane. from a Windows Server 2003 or above. execute: none To capture data from NetApp storage. under available servers. Then click the + to add Counters.APPENDIX I: CIFS PERFORMANCE COUNTERS To track CIFS performance. click the X to delete existing Counters.com . CIFS COUNTERS FOR PERFMON Counter Name cifs_get_attr_ops_pct cifs_read_ops_pct Description GetAttr operations count as a percentage of total CIFS operations.NetApp. select Performance Monitor. com . Query NTAP Extended Attribute operations (SMB Code = 0x32. SubCode = 0x08). Directory operations count as a percentage of total CIFS operations. Query FS Information operations (SMB Code = 0x32. Set Information2 operations (SMB Code = 0x22). SubCode = 0x05. Total observed CIFS operations to be used as a base counter for CIFS average latency calculation.cifs_write_ops_pct cifs_lock_ops_pct cifs_open_close_ops_pct cifs_directory_ops_pct cifs_other_ops_pct cifs_latency cifs_latency_base Write operations count as a percentage of total CIFS operations. Open/Close operations count as a percentage of total CIFS operations. SubCode = 0x05). CIFS OPERATIONS Counter Name get_attr_ops set_attr_ops get_attr_ext_ops set_attr_ext_ops query_fs_info_ops Description Query Information operations (SMB Code = 0x08). Lock operations count as a percentage of total CIFS operations. 
Other operations count as a percentage of total CIFS operations. Set Path Information operations (SMB Code = 0x32. SubCode = 0x03). Query Path Information operations (SMB Code = 0x32. SubCode = 0x06). Info = 0x04). Query Disk Information operations (SMB Code = 0x80). query_path_info_ops set_path_info_ops query_file_info_ops set_file_info_ops query_disk_info_ops get_ntap_ext_attr_ops set_ntap_ext_attr_ops Page 176 of 187 CIFS – Demo. Query Information2 operations (SMB Code = 0x23). Query File Information operations (SMB Code = 0x32.NetApp. Set File Information operations (SMB Code = 0x32. Average latency for CIFS operations in milliseconds. Set NTAP Extended Attribute operations (SMB Code = 0x32. SubCode = 0x07). Set Information operations (SMB Code = 0x09). OpenAndX operations (SMB Code = 0x2D). WriteAndX operations (SMB Code = 0x2F). Close operations (SMB Code = 0x04). Check Directory operations (SMB Code = 0x10). Write Raw operations (SMB Code = 0x1D). read_ops readx_ops read_raw_ops write_ops writex_ops write_raw_ops queued_write_raw_ops flush_ops open_ops create_ops close_ops open_ext_ops openx_ops nt_create_ops nt_trans_create_ops create_dir_ops delete_dir_ops check_dir_ops delete_ops rename_ops nt_rename_ops seek_ops transact_ops find_first_ops Read operations (SMB Code = 0x0A). Transact operations (SMB Code = 0x25). Create operations (SMB Code = 0x03). SubCode = 0x01). Create Directory operations (SMB Code = 0x00). ReadAndX operations (SMB Code = 0x2E). Queued Write Raw operations (SMB code = 0x1D). Rename operations (SMB Code = 0x07). NTCreateAndX operations (SMB Code = 0xA2). Page 177 of 187 CIFS – demo.com . Flush operations (SMB Code = 0x05). Delete operations (SMB Code = 0x06).SubCode = 0x06. Seek operations (SMB Code = 0x12). Open operations (SMB Code = 0x02). Delete Directory operations (SMB Code = 0x01). SubCode = 0x00). NT Rename operations (SMB Code = 0xA5). Info = 0x02).NetApp. Read Raw operations (SMB Code = 0x1A). SubCode = 0x01). 
Write operations (SMB Code = 0x0B). NTTransactCreate operations (SMB Code = 0x25. Begin search for file operations (SMB Code = 0x32. Create with extended attributes operations (SMB Code = 0x32. SubCode = 0x06). Non supported SMB operations. Start directory watch operations (SMB Code = 0x25. Session setup operations (SMB Code = 0x73). Lock Byte Range operations (SMB Code = 0x0C). Set Security Descriptor operations (SMB Code = 0x25. Unrecognized SMB command code. SubCode = 0x0D). FindClose2 operations (SMB Code = 0x34). SubCode = 0x04). Tree Connect operations (SMB Code = 0x70). Create Directory with extended attributes operations (SMB Code = 0x32. Query Security Descriptor operations (SMB Code = 0x25. Unlock Byte Range operations (SMB Code = 0x0D).NetApp. Report DFS inconsistency operations (SMB Code = 0x32. create_dir_ext_ops search_ops find_close_ops nt_trans_notify_ops lock_byte_range_ops unlock_byte_range_ops lockx_ops lock_read_ops write_unlock_ops negotiate_ops sess_setup_ops sess_logoff_ops set_sec_ops query_sec_ops reject_ops no_support_ops total_ops dfs_refer_ops dfs_report_ops echo_ops tree_conn_ops Page 178 of 187 CIFS – Demo.com . Write and Unlock operations (SMB Code = 0x14). Negotiate operations (SMB Code = 0x72). Session logoff operations (SMB Code = 0x74). Lock and Read operations (SMB Code = 0x13). Get DFS referral operations (SMB Code = 0x32. Total number of SMB operations since NetApp storage was started. SubCode = 0x10). Search operations (SMB Code = 0x81). SubCode = 0x02). SubCode = 0x11). SubCode = 0x03). LockingAndX operations (SMB Code = 0x24).find_next_ops Resume search for files operations (SMB Code = 0x32. Echo operations (SMB Code = 0x2B). Page 179 of 187 CIFS – demo. High water mark for number of shares. Number of current shares. High water mark for number of trees attached to a session. Number of currently connected users on the NetApp storage. High water mark for number of simultaneous messages attached to a session. 
Number of times a 'null' or 'blank' user was successfully mapped. Number of session terminations initiated by both client and NetApp storage. High water mark for number of sessions. Number of logon on the NetApp storage. Number of sessions with signature signing. Number of sessions with more than one user. CIFS STATISTICS Counter Name curr_sess_cnt max_sess_cnt multi_user_sess_cnt sig_sess_cnt client_disc_sess_cnt filer_disc_sess_cnt dup_disc_sess_cnt max_cred_sess_cnt max_tree_sess_cnt max_msg_sess_cnt curr_conn_user_cnt logon_cnt map_null_user_cnt uid_hash_alloc_cnt curr_share_cnt max_share_cnt curr_tree_cnt Description Number of current sessions. Number of session terminations initiated by client side.com . High water mark for number of credentials attached to a session.NetApp. Number of times a new hash table for UIDs is allocated.tree_conn_and_disc_ops Tree Connect with a tree Disconnect operations (SMB Code = 0x70) tree_disc_ops ioctl_ops cancel_ops Tree Disconnect operations (SMB Code = 0x71). Number of current trees. Device IOCTL operations (SMB Code = 0x25. Number of session terminations initiated by NetApp storage side. SubCode = 0x02). Cancel operations (SMB Code = 0xA4). max_tree_cnt max_fid_tree_cnt max_search_tree_cnt max_core_search_tree_cnt tid_hash_alloc_cnt curr_open_file_cnt max_open_file_cnt curr_open_dir_cnt max_open_dir_cnt curr_watch_dir_cnt max_watch_dir_cnt fid_hash_alloc_cnt fold_attempt_cnt High water mark for number of trees. Number of times a new hash table for FIDs is allocated. Number of times an entry can't be added to the queue of files awaiting folding due to its length limit. fold_rename_cnt fold_rename_failure_cnt fold_overflow_cnt fold_duplicate_cnt fold_wafl_too_busy_cnt curr_lock_cnt max_lock_cnt x_or_batch_to_l2_cnt x_or_batch_to_none_cnt Page 180 of 187 CIFS – Demo. Number of currently open files and directories. High water mark for number of open directories. 
Number of times an entry in the queue of files awaiting folding has to be renamed. Number of currently allocated locks.NetApp. High water mark for number of searches attached to one tree. High water mark for number of FIDs attached to one tree. Number of times a new hash table for TIDs is allocated. Number of OpLock Break from exclusive or batch to level 2. High water mark for number of allocated locks. High water mark for number of watched directories. Number of times an attempt to find a rename match on the queue of files awaiting folding fails. Number of times an attempt is made to fold a file with the version in a snapshot. Number of times when an entry can't be added to the queue of files awaiting folding due to a duplicate. Number of currently watched directories. High water mark for number of open files and directories. Number of OpLock Break from exclusive or batch to none.com . Number of times the maximum limit of WAFL concurrent folds has been reached. Number of currently open directories. High water mark for number of core searches attached to one tree. l2_to_none_cnt no_break_ack_cnt no_break_ack_95_cnt no_break_ack_nt_cnt ignored_ack_cnt delayed_break_cnt pdc_auth_cnt curr_cred_cnt max_cred_cnt max_sid_cred_cnt built_lgrp_cnt user_lgrp_cnt sid_lgrp_cnt curr_mem_ctrl_blk_cnt* max_mem_ctrl_blk_cnt* wait_mem_ctrl_blk_cnt* Number of OpLock Break from level 2 to none. late). of VSCAN worker threads. Number of times a request for memory control block can not be granted. High water mark for no. Number of Oplock Break ACK before timeout from Win95 clients. High water mark for no. Number of authentication requests to Domain Controllers. Number of times waiting for the memory buffer to be allocated. Number of OpLock Break ACK before timeout. The most group SIDs found on one credential. exhaust_mem_ctrl_blk_cnt* wait_mem_buf_cnt auth_qlength* block_qlength* timer_qlength* alf_qlength* rpc_qlength* offload_qlength* Page 181 of 187 CIFS – demo. 
High water mark for number of allocated credentials.NetApp. Number of times waiting for the memory control block to be allocated.g. Number of built-in local groups. of queued authentication requests. Number of currently active credentials. Number of current memory control blocks. of auditing log worker threads. Number of Oplock Break ACK before timeout from NT clients. Number of Oplock Break which must be delayed. High water mark for number of memory control blocks. High water mark for no. High water mark for no. Number of defined SIDs for local groups. High water mark for no. of timer worker threads. Number of Oplock Break ACK ignored (e. High water mark for no.com . of blocking worker threads. Number of user-defined local groups. of SMB RPC worker threads. Average latency for samr (security account manager RPC service) operations in milliseconds. CIFS DOMAIN Counter Name netlogon_latency netlogon_latency_base Description Average latency for netlogon operations in milliseconds. Average latency for lsa (local security authority) operations in milliseconds. trans_pipe_broken_error_cnt Count of transaction errors due to the 'broken pipe' condition.NetApp. Count of transaction errors due to the 'busy pipe' condition. Count of read errors due to the 'busy pipe' condition. lsa_latency lsa_latency_base samr_latency samr_latency_base VSCAN STATISTICS Counter Name scanrequests_total scanfailures_total Description Count of scan requests issued. read_pipe_broken_error_cnt Count of read errors due to the 'broken pipe' condition. Count of times a large buffer is used for header alignment. Count of times a small buffer is used for header alignment. Total time spent waiting for samr requests to be used as a base counter for samr average latency calculation.copy_align_cnt small_buffer_align_cnt large_buffer_align_cnt read_pipe_busy_error_cnt write_pipe_busy_error_cnt trans_pipe_busy_error_cnt Count of times a buffer is copied for header alignment. 
write_pipe_broken_error_cnt Count of write errors due to the 'broken pipe' condition. Page 182 of 187 CIFS – Demo. Count of scan requests which did not successfully conclude. Total time spent waiting for netlogon requests to be used as a base counter for netlogon average latency calculation. Count of write errors due to the 'busy pipe' condition. Total time spent waiting for lsa requests to be used as a base counter for lsa average latency calculation.com . Count of disconnections initiated by vscan server. Count of scan requests in progress. Age of oldest request in progress. Client request denied because no scan could be performed. Most simultaneous scan requests delayed because all vscan servers are busy. scanrequests_already scanrequests_already_reset scanrequests_duplicate scanrequests_noscan scanrequests_noscan_deny scanrequests_throttled_max scanrequests_throttled_total scanrequests_throttled_again disconnect_by_vscanserver disconnect_by_filer scantime_total scantime_count scanrequests_current scanrequests_oldest scanrequests_throttled_current scanrequests_throttled_oldest scantime_avg_latency scantime_latency_base Page 183 of 187 CIFS – demo.virus_detections_total scanrequests_needed_total scanrequest_timeout_inquiries request_timeout_inquiries_unique Count of scan completions which reported viruses. Average latency for virus scans in milliseconds. Count of status RPCs issued for requests which timed out. Count of scans avoided because file is marked already scanned. Base counter for vscan scantime latency calculation. Count of virus scans for scan_time_total. Count of client accesses which might cause a virus scan. Total time spent for virus scans in milliseconds. Total scan requests delayed because all vscan servers are busy.com . No scan for file access that would normally cause a scan. Count of files whose already scanned status was cleared. Count of disconnections initiated by NetApp storage. 
Total scan requests returned to the delay list a second time because all vscan servers are busy. Active scan requests delayed because all vscan servers are busy. Count of files accessed while a scan was already in progress. Age of oldest active scan request delayed because all vscan servers are busy.NetApp. Count of requests with at least one status RPCs issued for timeout. latency_base scanrequests_total_server scanfailures_total_server virus_detections_total_server scanrequest_timeout_inquiries_server scanrequests_max_server scanrequests_current_server scanrequests_oldest_server scantime_total_server scantime_count_server scantime_avg_latency_server scantime_latency_base_server vscan_ops_server_latency vscan_ops_server_latency_base Page 184 of 187 CIFS – Demo. Count of status RPCs issued for requests which timed out. Count of virus scans for scan_time_total. Count of scan requests which did not successfully conclude.com . Age of oldest request in progress to this vscan server.scanrequests_started scanrequests_completed scanrequest_timeout_abort virus_detections_total Rate of scan requests issued by the NetApp storage. Count of requests which timed out. Count of scan completions which reported viruses. Base counter for scantime latency calculation. VSCAN SERVER STATISTICS Counter Name avg_latency Description Average latency for virus scan operations in milliseconds. Count of scan requests in progress to this vscan server. Rate of scan completions received from the vscan server. Total time spent waiting for virus scan requests to be used as a base counter for vscan average latency calculation. Count of scan completions which reported viruses. Average latency for virus scans in milliseconds. Total time spent for virus scans in milliseconds.NetApp. Average latency for virus scan operations in milliseconds. Most simultaneous scan requests to this vscan server. 
Total time spent waiting for virus scan requests to be used as a base counter for vscan average latency calculation. Count of scan request RPCs issued to the vscan server. Rate of scan requests issued to the vscan server. Rate of scan completions received from the vscan server. Total time spent calculating security signatures for incoming CIFS requests in milliseconds.com . time_out Page 185 of 187 CIFS – demo. Base counter for scantime latency calculation. SMB SIGNING STATISTICS Counter Name conn_time time_in Description Total time of a connection to the NetApp storage in milliseconds.NetApp. Count of requests which timed out. Total time spent calculating security signatures for outgoing CIFS requests in milliseconds.vscan_server_latency vscan_server_latency_base scanrequests_timeout_abort_server scancompletions_from_server_rate scanrequests_to_server_rate Average latency for virus scans in milliseconds. NetApp.Page 186 of 187 CIFS – Demo.com . and SharePoint are registered trademarks and SQL Server is a trademark of Microsoft Corporation. UNIX is a registered trademark of The Open Group. SnapManager. and WAFL are trademarks or registered trademarks of NetApp. Inc. and other countries. The storage systems support a broad range of Windows client types and client features. faster. SAP is a registered trademark of SAP AG.CONCLUSION NetApp storage systems are built on the principles of simplicity. Java and Sun are trademarks of Sun Microsystems. dramatically simplify the file-serving environment. the storage systems better protect information assets. vFiler. and increase overall corporate productivity. As result. Virtual File Manager. SnapRestore. RAID-DP. FlexVol. FilerView. Microsoft. high data availability. and easy integration with the existing environment. Specifications are subject to change without notice. and allow administrators to continue to utilize the native Microsoft administration tools with which they are familiar. 
All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such. SnapDrive. Inc. Windows.NetApp. Page 187 of 187 CIFS – demo. NetApp. in the United States and/or other countries. MultiStore. Data ONTAP.S. All rights reserved. Oracle is a registered trademark of Oracle Corporation.com . SecureShare. VFM. Snapshot. DataFabric. Go further. SnapMirror. Symantec is a trademark of Symantec Corporation or its affiliates in the U. SecureAdmin. Linux is a registered trademark of Linus Torvalds. fully leverage the management and authentication framework provided by Active Directory. © 2008 NetApp. scalability. the NetApp logo. NOW. Windows NT. ONTAPI.
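The counter tables in Appendix I pair several latency counters with a "_base" counter and list session, null-user and SMB-signing statistics. The following added example (not code from the report or from NetApp) shows how two samples of those counters combine into the derived values a reviewer would watch; the counter names are the appendix's, the snapshot values are constructed.

```python
"""Derived CIFS metrics from the Data ONTAP counters tabled in Appendix I.

Added example, not code from the report or from NetApp. The counter names
are those of the tables above; the two snapshots are constructed values
standing in for two samples taken 60 seconds apart.
"""

# Constructed sample at t0 (not real storage output).
CONSTRUCTED_T0 = {
    "cifs_latency": 480000.0,      # accumulated ms behind the average-timer counter
    "cifs_latency_base": 400000,   # accumulated CIFS operations (its base counter)
    "curr_sess_cnt": 40,
    "sig_sess_cnt": 8,             # sessions with SMB signing
    "map_null_user_cnt": 2,        # null/blank users successfully mapped
    "conn_time": 600000.0,         # SMB signing statistics, all in ms
    "time_in": 1200.0,
    "time_out": 600.0,
}

# Constructed sample at t1 = t0 + 60 s.
CONSTRUCTED_T1 = {
    "cifs_latency": 486000.0,
    "cifs_latency_base": 404000,
    "curr_sess_cnt": 42,
    "sig_sess_cnt": 8,
    "map_null_user_cnt": 5,
    "conn_time": 660000.0,
    "time_in": 1350.0,
    "time_out": 690.0,
}


def counter_delta(t0, t1, name):
    """Growth of a cumulative counter between two snapshots."""
    return t1[name] - t0[name]


def avg_latency_ms(t0, t1, name):
    """Average latency over the interval for a <name>/<name>_base pair.

    Perfmon average-timer semantics: delta of the accumulated time divided
    by delta of the base (operation count). 0.0 when nothing completed.
    """
    ops = counter_delta(t0, t1, name + "_base")
    if ops <= 0:
        return 0.0
    return counter_delta(t0, t1, name) / ops


def signing_overhead_pct(t0, t1):
    """Percent of connection time spent computing SMB signatures
    (time_in + time_out relative to conn_time) over the interval."""
    conn = counter_delta(t0, t1, "conn_time")
    if conn <= 0:
        return 0.0
    signing = counter_delta(t0, t1, "time_in") + counter_delta(t0, t1, "time_out")
    return 100.0 * signing / conn


def unsigned_session_pct(sample):
    """Percent of current sessions that do not use SMB signing."""
    sessions = sample["curr_sess_cnt"]
    if sessions <= 0:
        return 0.0
    return 100.0 * (sessions - sample["sig_sess_cnt"]) / sessions


def security_findings(t0, t1, unsigned_warn_pct=50.0):
    """Counter movements a defender would want to review between samples."""
    findings = []
    null_maps = counter_delta(t0, t1, "map_null_user_cnt")
    if null_maps > 0:
        findings.append(f"map_null_user_cnt rose by {null_maps}: null or blank "
                        "users were mapped; confirm that mapping is intended")
    unsigned = unsigned_session_pct(t1)
    if unsigned > unsigned_warn_pct:
        findings.append(f"{unsigned:.1f}% of current sessions are not SMB signed")
    return findings


if __name__ == "__main__":
    print("avg CIFS latency:", avg_latency_ms(CONSTRUCTED_T0, CONSTRUCTED_T1, "cifs_latency"), "ms")
    print("signing overhead:", round(signing_overhead_pct(CONSTRUCTED_T0, CONSTRUCTED_T1), 3), "%")
    for line in security_findings(CONSTRUCTED_T0, CONSTRUCTED_T1):
        print("finding:", line)
```

The same delta-over-base arithmetic applies to the netlogon, lsa, samr and vscan latency pairs in the tables; the unsigned-session threshold is a local policy choice, not a value from the report.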