NetAppCIFS文件共享創(chuàng)建

License準(zhǔn)備

CIFS 是需要License的，但奇怪的是沒有License，你還是可以創(chuàng)建shares，但是訪問不了。 不像NFS等別的功能，沒有license，第一步就提示你做不了。

netapptest1> license show -type CIFS

license show: "CIFS" is an unrecognized license type, skipping.

Serial Number: 4079432-74-8

Owner: netapptest1

Package          Type   Description          Expiration

----------------- ------- --------------------- --------------------            

CIFS             license CIFS License         -

Data ONTAP 支持以下幾種CIFS驗(yàn)證方法：

(1) Active Directory domain authentication (Active Directory domains only)

(2) Windows NT 4 domain authentication ( Windows NT or Active Directory domains)

(3) Windows Workgroup authentication using the filer’s local user accounts

(4) /etc/passwd and/or NIS/LDAP authentication

一般來說，如果沒有AD的話，采用第三種，否則第一種。運(yùn)行cifs setup命令，如果CIFS已經(jīng)在運(yùn)行，則需要運(yùn)行cifs terminate停掉當(dāng)前CIFS服務(wù)。不能在線修改CIFS。

選擇1使用Active Directory domain認(rèn)證配置向?qū)В?/font>

創(chuàng)建方法

還是運(yùn)行cifs setup命令。我們需要注意和準(zhǔn)備好的是：

1）WINS信息，這是可選的；

2）時(shí)間服務(wù)器，如果時(shí)間差超過5分鐘，Kerberos認(rèn)證就可能通不過；

3）Windows域及管理員帳戶信息；

4) DNS要提前配置好。

etapptest1> cifs setup   

This process will enable CIFS access to the filer from a Windows(R) system.

Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

        This filer is currently a member of the Windows-style workgroup

        'WORKGROUP'.

Do you want to continue and change the current filer account information? [n]: y

        Your filer does not have WINS configured and is visible only to

        clients on the same subnet.

Do you want to make the system visible via WINS? [n]: y

        You can enter up to 4 IPv4 WINS server addresses.

IPv4 address(es) of your WINS name server(s) []: 192.168.0.130

Would you like to specify additional WINS name servers? [n]:

        This filer is currently configured as an NTFS-only filer.

Would you like to reconfigure this filer to be a multiprotocol filer? [n]:

        The default name for this CIFS server is 'NETAPPTEST1'.

Would you like to change this name? [n]:

        Data ONTAP CIFS services support four styles of user authentication.

        Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)

(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)

(3) Windows Workgroup authentication using the filer's local user accounts

(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]: 1

What is the name of the Active Directory domain? [vmware-test.com]: vmware-test.com

        In Active Directory-based domains, it is essential that the filer's

        time match the domain's internal time so that the Kerberos-based

        authentication system works correctly. If the time difference between

        the filer and the domain controllers is more than 5 minutes,

        authentication will fail. Time services are currently not configured

        on this filer.

Would you like to configure time services? [y]: y

        CIFS Setup will configure basic time services. To continue, you must

        specify one or more time servers. Specify values as a comma or space

        separated list of server names or IPv4 addresses. In Active

        Directory-based domains, you can also specify the fully qualified

        domain name of the domain being joined (for example:

        "VMWARE-TEST.COM"), and time services will use those domain

        controllers as time servers.

Enter the time server host(s) and/or address(es) [VMWARE-TEST.COM]: 192.168.0.130

Would you like to specify additional time servers? [n]:

1 entry was deleted.

        In order to create an Active Directory machine account for the filer,

        you must supply the name and password of a Windows account with

        sufficient privileges to add computers to the VMWARE-TEST.COM domain.

Enter the name of the Windows user [Administrator@VMWARE-TEST.COM]: administrator

Password for administrator:

CIFS - Logged in as administrator@VMWARE-TEST.COM.

        An account that matches the name 'NETAPPTEST1' already exists in

        Active Directory: 'cn=netapptest1,cn=computers,dc=vmware-test,dc=com'.

        This is normal if you are re-running CIFS Setup. You may continue by

        using this account or changing the name of this CIFS server.

Do you want to re-use this machine account? [y]: y

CIFS - Starting SMB protocol...

        Currently the user "NETAPPTEST1\administrator" and members of the

        group "VMWARE-TEST\Domain Admins" have permission to administer CIFS

        on this filer. You may specify an additional user or group to be added

        to the filer's "BUILTIN\Administrators" group, thus giving them

        administrative privileges as well.

Would you like to specify a user or group that can administer CIFS? [n]:

Welcome to the VMWARE-TEST.COM (VMWARE-TEST) Active Directory(R) domain.

CIFS local server is running.

當(dāng)前域控制的信息：（這些信息其實(shí)通過DNS獲得的)

etapptest1> cifs domaininfo

NetBIOS Domain:                        VMWARE-TEST

Windows Domain Name:                   vmware-test.com

Domain Controller Functionality:       Windows 2003

Domain Functionality:                  Windows 2000

Forest Functionality:                 Windows 2000

Filer AD Site:                         Default-First-Site-Name

Current Connected DCs:                 \\DOMAIN-SERVER

Total DC addresses found:              1

Preferred Addresses:

                                        None

Favored Addresses:

                                        192.168.0.130  DOMAIN-SERVER   PDCOther Addresses:

                                        None

Connected AD LDAP Server:              \\domain-server.vmware-test.com

Preferred Addresses:

                                        None

Favored Addresses:

                                        192.168.0.130  

                                         domain-server.vmware-test.comOther Addresses:

                                        None

訪問方法

可以使用域中的任何一個(gè)用戶訪問。當(dāng)然之前創(chuàng)建的本地用戶仍然可以訪問。

我們可以查看當(dāng)前有哪些用戶在訪問CIFS：

netapptest1> cifs sessions

Server Registers as 'NETAPPTEST1' in Windows domain 'VMWARE-TEST'

Root volume language is not set. Use vol lang.

WINS Server: 192.168.0.130

Selected domain controller \\DOMAIN-SERVER for authentication

====================================================

PC IP(PC Name) (user)          #shares  #files

192.168.0.130(DOMAIN-SERVER) (VMWARE-TEST\administrator - pcuser)

                                      1       0

192.168.0.200(DTC1F0FFA71982F) (NETAPPTEST1\administrator - pcuser)

創(chuàng)建CIFS share

有2種方法可以創(chuàng)建：

1）通過Windows MMC來創(chuàng)建

2）通過命令行或圖形界面來創(chuàng)建

通過Windows MMC來創(chuàng)建CIFS share：

通過命令行創(chuàng)建CIFS share

netapptest1> cifs shares -add Website /vol/FlexVol01 -comment "Website for Wordpress"

netapptest1>

netapptest1>

netapptest1> cifs shares

Name        Mount Point                      Description

----        -----------                      -----------

ETC$        /etc                            Remote Administration

                        BUILTIN\Administrators / Full Control

HOME        /vol/vol0/home                   Default Share

                        everyone / Full Control

C$          /                                Remote Administration

                        BUILTIN\Administrators / Full Control

Website     /vol/FlexVol01                   Website for Wordpress

                        everyone / Full Control

權(quán)限設(shè)定

CIFS 的權(quán)限是由兩層控制的， share level和 File level (就是在windows中創(chuàng)建的)；

絕大部分的客戶都是把share level設(shè)置為everyone/ Full control,而在windows中進(jìn)行權(quán)限的控制的。 因?yàn)?/font>AD中的授權(quán)是比較細(xì)致的。

除非客戶有很高的安全考慮， 才會(huì)在2個(gè)level中都進(jìn)行權(quán)限的控制的。 而且2層的權(quán)限設(shè)定管理起來會(huì)比較繁瑣， 因?yàn)槿我庖粚拥臋?quán)限不足都會(huì)導(dǎo)致訪問失敗。