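This document applies to 7-mode systems running DATA ONTAP 8.2.7.
License preparation
CIFS requires a license. Oddly, without the license you can still create shares, but they cannot be accessed. This differs from NFS and other features, where a missing license stops you at the very first step.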
netapptest1> license show -type CIFS
license show: "CIFS" is an unrecognized license type, skipping.
Serial Number: 4079432-74-8
Owner: netapptest1
Package Type Description Expiration
----------------- ------- --------------------- --------------------
CIFS license CIFS License -
Data ONTAP supports the following CIFS authentication methods:
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer’s local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
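In general, use the third method if there is no AD, and the first method otherwise. Run the cifs setup command; if CIFS is already running, first run cifs terminate to stop the current CIFS service. CIFS cannot be reconfigured online.
Select 1 to use the Active Directory domain authentication setup wizard.
Setup procedure
Again, run the cifs setup command. The things to note and have ready are:
1) WINS information (optional);
2) A time server; if the time difference exceeds 5 minutes, Kerberos authentication may fail;
3) The Windows domain and administrator account information;
4) DNS must be configured in advance.
netapptest1> cifs setup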
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
This filer is currently a member of the Windows-style workgroup
'WORKGROUP'.
Do you want to continue and change the current filer account information? [n]: y
Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]: y
You can enter up to 4 IPv4 WINS server addresses.
IPv4 address(es) of your WINS name server(s) []: 192.168.0.130
Would you like to specify additional WINS name servers? [n]:
This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
The default name for this CIFS server is 'NETAPPTEST1'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 1
What is the name of the Active Directory domain? [vmware-test.com]: vmware-test.com
In Active Directory-based domains, it is essential that the filer's
time match the domain's internal time so that the Kerberos-based
authentication system works correctly. If the time difference between
the filer and the domain controllers is more than 5 minutes,
authentication will fail. Time services are currently not configured
on this filer.
Would you like to configure time services? [y]: y
CIFS Setup will configure basic time services. To continue, you must
specify one or more time servers. Specify values as a comma or space
separated list of server names or IPv4 addresses. In Active
Directory-based domains, you can also specify the fully qualified
domain name of the domain being joined (for example:
"VMWARE-TEST.COM"), and time services will use those domain
controllers as time servers.
Enter the time server host(s) and/or address(es) [VMWARE-TEST.COM]: 192.168.0.130
Would you like to specify additional time servers? [n]:
1 entry was deleted.
In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the VMWARE-TEST.COM domain.
Enter the name of the Windows user [Administrator@VMWARE-TEST.COM]: administrator
Password for administrator:
CIFS - Logged in as administrator@VMWARE-TEST.COM.
An account that matches the name 'NETAPPTEST1' already exists in
Active Directory: 'cn=netapptest1,cn=computers,dc=vmware-test,dc=com'.
This is normal if you are re-running CIFS Setup. You may continue by
using this account or changing the name of this CIFS server.
Do you want to re-use this machine account? [y]: y
CIFS - Starting SMB protocol...
Currently the user "NETAPPTEST1\administrator" and members of the
group "VMWARE-TEST\Domain Admins" have permission to administer CIFS
on this filer. You may specify an additional user or group to be added
to the filer's "BUILTIN\Administrators" group, thus giving them
administrative privileges as well.
Would you like to specify a user or group that can administer CIFS? [n]:
Welcome to the VMWARE-TEST.COM (VMWARE-TEST) Active Directory(R) domain.
CIFS local server is running.
Current domain controller information (this information is actually obtained through DNS):
netapptest1> cifs domaininfo
NetBIOS Domain: VMWARE-TEST
Windows Domain Name: vmware-test.com
Domain Controller Functionality: Windows 2003
Domain Functionality: Windows 2000
Forest Functionality: Windows 2000
Filer AD Site: Default-First-Site-Name
Current Connected DCs: \\DOMAIN-SERVER
Total DC addresses found: 1
Preferred Addresses:
None
Favored Addresses:
192.168.0.130 DOMAIN-SERVER PDC
Other Addresses:
None
Connected AD LDAP Server: \\domain-server.vmware-test.com
Preferred Addresses:
None
Favored Addresses:
192.168.0.130
domain-server.vmware-test.com
Other Addresses:
None
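Access
Any user in the domain can be used for access. Local users created earlier can of course still access the filer.
We can check which users are currently accessing CIFS: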
netapptest1> cifs sessions
Server Registers as 'NETAPPTEST1' in Windows domain 'VMWARE-TEST'
Root volume language is not set. Use vol lang.
WINS Server: 192.168.0.130
Selected domain controller \\DOMAIN-SERVER for authentication
====================================================
PC IP(PC Name) (user) #shares #files
192.168.0.130(DOMAIN-SERVER) (VMWARE-TEST\administrator - pcuser)
1 0
192.168.0.200(DTC1F0FFA71982F) (NETAPPTEST1\administrator - pcuser)
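Creating a CIFS share
There are two ways to create a share:
1) Through Windows MMC
2) Through the command line or the graphical interface
Creating a CIFS share through Windows MMC:
Creating a CIFS share from the command line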
netapptest1> cifs shares -add Website /vol/FlexVol01 -comment "Website for Wordpress"
netapptest1>
netapptest1>
netapptest1> cifs shares
Name Mount Point Description
---- ----------- -----------
ETC$ /etc Remote Administration
BUILTIN\Administrators / Full Control
HOME /vol/vol0/home Default Share
everyone / Full Control
C$ / Remote Administration
BUILTIN\Administrators / Full Control
Website /vol/FlexVol01 Website for Wordpress
everyone / Full Control
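Permission settings
CIFS permissions are controlled at two levels: the share level and the file level (the latter is what you set in Windows).
The vast majority of customers set the share level to everyone / Full Control and control permissions in Windows, because authorization in AD is fairly fine-grained.
Only customers with strong security requirements control permissions at both levels. Managing two levels of permissions is also more tedious, because insufficient permission at either level causes access to fail.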
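To see which shares rely on file-level ACLs alone, the following added example (not part of the original article) parses a `cifs shares` listing and reports shares whose share-level ACL grants a broad principal Full Control or Change. The sample text is constructed from the listing shown above, and the set of rights strings and the names `parse_shares`, `wide_open` and `BROAD` are assumptions made for this sketch.

```python
import re

# Constructed sample: the `cifs shares` listing shown above, with the ACL
# lines indented under each share.
SAMPLE = """\
Name         Mount Point       Description
----         -----------       -----------
ETC$         /etc              Remote Administration
                        BUILTIN\\Administrators / Full Control
HOME         /vol/vol0/home    Default Share
                        everyone / Full Control
C$           /                 Remote Administration
                        BUILTIN\\Administrators / Full Control
Website      /vol/FlexVol01    Website for Wordpress
                        everyone / Full Control
"""

# Assumption: share-level rights are printed as one of these four strings.
ACE = re.compile(r"^\s*(?P<who>.+?)\s+/\s+(?P<rights>Full Control|Change|Read|No Access)\s*$")
SHARE = re.compile(r"^(?P<name>\S+)\s+(?P<path>/\S*)\s*(?P<desc>.*)$")
BROAD = {"everyone"}  # principals treated as "any authenticated user"

def parse_shares(text):
    """Return {share: {"path": str, "acl": [(principal, rights), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        ace = ACE.match(line)  # test ACL lines first: "everyone / ..." also looks like a share on "/"
        if ace and current is not None:
            shares[current]["acl"].append((ace["who"], ace["rights"]))
            continue
        m = SHARE.match(line)  # header and dashes fail here: second column is not a path
        if m:
            current = m["name"]
            shares[current] = {"path": m["path"], "acl": []}
    return shares

def wide_open(shares):
    """Names of shares where a broad principal holds Full Control or Change."""
    return sorted(
        name for name, s in shares.items()
        if any(who.lower() in BROAD and rights in ("Full Control", "Change")
               for who, rights in s["acl"])
    )

if __name__ == "__main__":
    for name in wide_open(parse_shares(SAMPLE)):
        print(f"{name}: share level is open, file-level ACLs are the only control")
```

For the shares it reports, every access decision depends on the NTFS ACLs of the underlying volume, so those are the ACLs to review first.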