License preparation
CIFS requires a license. Oddly, without a license you can still create shares, but they cannot be accessed. This differs from NFS and other features, where without a license you are told at the very first step that the operation cannot be performed.
netapptest1> license show -type CIFS
license show: "CIFS" is an unrecognized license type, skipping.
Serial Number: 4079432-74-8
Owner: netapptest1
Package Type Description Expiration
----------------- ------- --------------------- --------------------
CIFS license CIFS License -
Data ONTAP supports the following CIFS authentication methods:
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication ( Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer’s local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
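In general, use the third method if there is no AD, and the first method otherwise. Run the cifs setup command. If CIFS is already running, you must first run cifs terminate to stop the current CIFS service; the CIFS configuration cannot be changed online.
Choosing 1 starts the configuration wizard for Active Directory domain authentication.
Setup procedure
Again, run the cifs setup command. The things to pay attention to and prepare in advance are:
1) WINS information, which is optional;
2) A time server: if the time difference exceeds 5 minutes, Kerberos authentication may fail;
3) Windows domain and administrator account information;
4) DNS must be configured beforehand.
netapptest1> cifs setup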
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
This filer is currently a member of the Windows-style workgroup
'WORKGROUP'.
Do you want to continue and change the current filer account information? [n]: y
Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]: y
You can enter up to 4 IPv4 WINS server addresses.
IPv4 address(es) of your WINS name server(s) []: 192.168.0.130
Would you like to specify additional WINS name servers? [n]:
This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
The default name for this CIFS server is 'NETAPPTEST1'.
Would you like to change this name? [n]:
Choose the one from the list below that best suits your situation.
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
Selection (1-4)? [1]: 1
What is the name of the Active Directory domain? [vmware-test.com]: vmware-test.com
In Active Directory-based domains, it is essential that the filer's
time match the domain's internal time so that the Kerberos-based
authentication system works correctly. If the time difference between
the filer and the domain controllers is more than 5 minutes,
authentication will fail. Time services are currently not configured
on this filer.
Would you like to configure time services? [y]: y
CIFS Setup will configure basic time services. To continue, you must
specify one or more time servers. Specify values as a comma or space
separated list of server names or IPv4 addresses. In Active
Directory-based domains, you can also specify the fully qualified
domain name of the domain being joined (for example:
"VMWARE-TEST.COM"), and time services will use those domain
controllers as time servers.
Enter the time server host(s) and/or address(es) [VMWARE-TEST.COM]: 192.168.0.130
Would you like to specify additional time servers? [n]:
1 entry was deleted.
In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the VMWARE-TEST.COM domain.
Enter the name of the Windows user [[email protected]]: administrator
Password for administrator:
CIFS - Logged in as [email protected].
An account that matches the name 'NETAPPTEST1' already exists in
Active Directory: 'cn=netapptest1,cn=computers,dc=vmware-test,dc=com'.
This is normal if you are re-running CIFS Setup. You may continue by
using this account or changing the name of this CIFS server.
Do you want to re-use this machine account? [y]: y
CIFS - Starting SMB protocol...
Currently the user "NETAPPTEST1\administrator" and members of the
group "VMWARE-TEST\Domain Admins" have permission to administer CIFS
on this filer. You may specify an additional user or group to be added
to the filer's "BUILTIN\Administrators" group, thus giving them
administrative privileges as well.
Would you like to specify a user or group that can administer CIFS? [n]:
Welcome to the VMWARE-TEST.COM (VMWARE-TEST) Active Directory(R) domain.
CIFS local server is running.
Current domain controller information (this information is actually obtained through DNS):
netapptest1> cifs domaininfo
NetBIOS Domain: VMWARE-TEST
Windows Domain Name: vmware-test.com
Domain Controller Functionality: Windows 2003
Domain Functionality: Windows 2000
Forest Functionality: Windows 2000
Filer AD Site: Default-First-Site-Name
Current Connected DCs: \\DOMAIN-SERVER
Total DC addresses found: 1
Preferred Addresses:
None
Favored Addresses:
192.168.0.130 DOMAIN-SERVER PDC
Other Addresses:
Connected AD LDAP Server: \\domain-server.vmware-test.com
192.168.0.130
domain-server.vmware-test.com
Other Addresses:
Access method
Any user in the domain can be used for access. The local users created earlier can of course still access the filer as well.
We can check which users are currently accessing CIFS:
netapptest1> cifs sessions
Server Registers as 'NETAPPTEST1' in Windows domain 'VMWARE-TEST'
Root volume language is not set. Use vol lang.
WINS Server: 192.168.0.130
Selected domain controller \\DOMAIN-SERVER for authentication
====================================================
PC IP(PC Name) (user) #shares #files
192.168.0.130(DOMAIN-SERVER) (VMWARE-TEST\administrator - pcuser)
1 0
192.168.0.200(DTC1F0FFA71982F) (NETAPPTEST1\administrator - pcuser)
Creating a CIFS share
There are two ways to create one:
1) Through Windows MMC
2) Through the command line or the graphical interface
Creating a CIFS share through Windows MMC:
Creating a CIFS share from the command line
netapptest1> cifs shares -add Website /vol/FlexVol01 -comment "Website for Wordpress"
netapptest1>
netapptest1> cifs shares
Name Mount Point Description
---- ----------- -----------
ETC$ /etc Remote Administration
BUILTIN\Administrators / Full Control
HOME /vol/vol0/home Default Share
everyone / Full Control
C$ / Remote Administration
Website /vol/FlexVol01 Website for Wordpress
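Permission settings
CIFS permissions are controlled at two levels: share level and file level (the latter being the permissions set from within Windows).
The vast majority of customers set the share level to everyone / Full Control and control permissions in Windows, because authorization in AD is more fine-grained.
Only customers with very high security requirements control permissions at both levels. Two layers of permissions are also more tedious to manage, because insufficient permission at either layer causes access to fail.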
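An added example, not part of the original post: a Python sketch that parses a `cifs shares` listing like the one above, reports shares whose share-level ACL is everyone / Full Control (so the file-level ACL is the only control), and computes the effective right as the weaker of the two layers. The sample listing is constructed; the indented ACL-line layout and the set of access strings (No Access, Read, Change, Full Control) are assumptions.

```python
import re

# Share-level rights, weakest to strongest (assumed set of access strings).
RANK = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}
ACL_RE = re.compile(r"^\s*(.+?)\s+/\s+(Full Control|Change|Read|No Access)\s*$")
SHARE_RE = re.compile(r"^(\S+)\s+(/\S*)\s*(.*)$")

# Constructed sample in the layout of the `cifs shares` listing above.
SAMPLE = """\
Name         Mount Point       Description
----         -----------       -----------
ETC$         /etc              Remote Administration
            BUILTIN\\Administrators / Full Control
HOME         /vol/vol0/home    Default Share
            everyone / Full Control
C$           /                 Remote Administration
            BUILTIN\\Administrators / Full Control
Website      /vol/FlexVol01    Website for Wordpress
            everyone / Full Control
"""

def parse_shares(text):
    """Return {share: {"path": str, "acl": [(principal, right), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "----")):
            continue
        acl = ACL_RE.match(line)  # test ACL first: "C$ / Remote ..." is a share
        if acl and current:
            shares[current]["acl"].append((acl.group(1), acl.group(2)))
            continue
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {"path": m.group(2), "acl": []}
    return shares

def open_shares(shares):
    """Shares where the share level grants everyone Full Control."""
    return sorted(name for name, s in shares.items()
                  if any(p.lower() == "everyone" and r == "Full Control"
                         for p, r in s["acl"]))

def effective(share_right, file_right):
    """Access must pass both layers, so the weaker right decides."""
    return min(share_right, file_right, key=RANK.__getitem__)

if __name__ == "__main__":
    print(open_shares(parse_shares(SAMPLE)), effective("Full Control", "Read"))
```
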
This article is reposted from the 川流資訊 51CTO blog. Original link: http://blog.51cto.com/tech4fei/1928532