License preparation
CIFS requires a license, but oddly, even without one you can still create shares; you just cannot access them. This differs from NFS and other features, where without a license the very first step already tells you it cannot be done.
netapptest1> license show -type CIFS
license show: "CIFS" is an unrecognized license type, skipping.
Serial Number: 4079432-74-8
Owner: netapptest1
Package           Type    Description           Expiration
----------------- ------- --------------------- --------------------
CIFS              license CIFS License          -
Data ONTAP supports the following CIFS authentication methods:
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Generally, if there is no AD, use method 3; otherwise use method 1. Run the cifs setup command; if CIFS is already running, you must first run cifs terminate to stop the current CIFS service, because CIFS cannot be reconfigured while it is online.
Choose option 1 to use the Active Directory domain authentication setup wizard.
Setup procedure
Again, run the cifs setup command. What we need to pay attention to and prepare in advance:
1) WINS information, which is optional;
2) A time server: if the clock skew exceeds 5 minutes, Kerberos authentication may fail;
3) The Windows domain and an administrator account for it;
4) DNS must be configured beforehand.
netapptest1> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
This filer is currently a member of the Windows-style workgroup
'WORKGROUP'.
Do you want to continue and change the current filer account information? [n]: y
Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]: y
You can enter up to 4 IPv4 WINS server addresses.
IPv4 address(es) of your WINS name server(s) []: 192.168.0.130
Would you like to specify additional WINS name servers? [n]:
This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
The default name for this CIFS server is 'NETAPPTEST1'.
Would you like to change this name? [n]:
Choose the one from the list below that best suits your situation.
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
Selection (1-4)? [1]: 1
What is the name of the Active Directory domain? [vmware-test.com]: vmware-test.com
In Active Directory-based domains, it is essential that the filer's
time match the domain's internal time so that the Kerberos-based
authentication system works correctly. If the time difference between
the filer and the domain controllers is more than 5 minutes,
authentication will fail. Time services are currently not configured
on this filer.
Would you like to configure time services? [y]: y
CIFS Setup will configure basic time services. To continue, you must
specify one or more time servers. Specify values as a comma or space
separated list of server names or IPv4 addresses. In Active
Directory-based domains, you can also specify the fully qualified
domain name of the domain being joined (for example:
"VMWARE-TEST.COM"), and time services will use those domain
controllers as time servers.
Enter the time server host(s) and/or address(es) [VMWARE-TEST.COM]: 192.168.0.130
Would you like to specify additional time servers? [n]:
1 entry was deleted.
In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the VMWARE-TEST.COM domain.
Enter the name of the Windows user [[email protected]]: administrator
Password for administrator:
CIFS - Logged in as [email protected].
An account that matches the name 'NETAPPTEST1' already exists in
Active Directory: 'cn=netapptest1,cn=computers,dc=vmware-test,dc=com'.
This is normal if you are re-running CIFS Setup. You may continue by
using this account or changing the name of this CIFS server.
Do you want to re-use this machine account? [y]: y
CIFS - Starting SMB protocol...
Currently the user "NETAPPTEST1\administrator" and members of the
group "VMWARE-TEST\Domain Admins" have permission to administer CIFS
on this filer. You may specify an additional user or group to be added
to the filer's "BUILTIN\Administrators" group, thus giving them
administrative privileges as well.
Would you like to specify a user or group that can administer CIFS? [n]:
Welcome to the VMWARE-TEST.COM (VMWARE-TEST) Active Directory(R) domain.
CIFS local server is running.
Current domain controller information (this information is actually obtained through DNS):
netapptest1> cifs domaininfo
NetBIOS Domain: VMWARE-TEST
Windows Domain Name: vmware-test.com
Domain Controller Functionality: Windows 2003
Domain Functionality: Windows 2000
Forest Functionality: Windows 2000
Filer AD Site: Default-First-Site-Name
Current Connected DCs: \\DOMAIN-SERVER
Total DC addresses found: 1
Preferred Addresses:
None
Favored Addresses:
192.168.0.130 DOMAIN-SERVER PDC
Other Addresses:
Connected AD LDAP Server: \\domain-server.vmware-test.com
192.168.0.130 domain-server.vmware-test.com
Other Addresses:
Access method
Any user in the domain can access the share. Of course, the local users created earlier can still access it as well.
We can check which users are currently accessing CIFS:
netapptest1&gt; cifs sessions
Server Registers as 'NETAPPTEST1' in Windows domain 'VMWARE-TEST'
Root volume language is not set. Use vol lang.
WINS Server: 192.168.0.130
Selected domain controller \\DOMAIN-SERVER for authentication
====================================================
PC IP(PC Name) (user) #shares #files
192.168.0.130(DOMAIN-SERVER) (VMWARE-TEST\administrator - pcuser)
1 0
192.168.0.200(DTC1F0FFA71982F) (NETAPPTEST1\administrator - pcuser)
Creating a CIFS share
There are 2 ways to create one:
1) Through the Windows MMC
2) Through the command line or the graphical interface
Creating a CIFS share through the Windows MMC:
Creating a CIFS share from the command line
netapptest1> cifs shares -add Website /vol/FlexVol01 -comment "Website for Wordpress"
netapptest1>
netapptest1> cifs shares
Name         Mount Point      Description
----         -----------      -----------
ETC$         /etc             Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/vol0/home   Default Share
                        everyone / Full Control
C$           /                Remote Administration
Website      /vol/FlexVol01   Website for Wordpress
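The share listing above is the place to audit share-level permissions. The following is an added example (not code from the original post or from NetApp) that parses 7-Mode `cifs shares` output and flags shares whose share-level ACL is everyone / Full Control; the input is constructed from the listing above, with ACL lines indented as ONTAP prints them and an assumed everyone / Full Control entry for the new Website share.

```python
# Added example, not from the original post: parse "cifs shares" (7-Mode) output
# and report shares whose share-level ACL is wide open. When the share level is
# everyone / Full Control, access is decided entirely by the NTFS (file-level) ACL.
from typing import Dict, List

# Constructed sample based on the post's listing. The ACL line under "Website" is an
# assumption (a freshly created share, not shown with an ACL in the post).
SAMPLE = """\
Name         Mount Point      Description
----         -----------      -----------
ETC$         /etc             Remote Administration
                        BUILTIN\\Administrators / Full Control
HOME         /vol/vol0/home   Default Share
                        everyone / Full Control
C$           /                Remote Administration
Website      /vol/FlexVol01   Website for Wordpress
                        everyone / Full Control
"""


def parse_cifs_shares(text: str) -> Dict[str, dict]:
    """Return {share: {"path": ..., "description": ..., "acl": [(principal, right), ...]}}."""
    shares: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("Name", "----")):
            continue  # header rows and blank lines
        if raw[0].isspace():
            # Indented line: an ACL entry "principal / right" for the preceding share.
            principal, _, right = raw.strip().rpartition(" / ")
            if current is not None:
                shares[current]["acl"].append((principal, right))
            continue
        parts = raw.split(None, 2)  # share name, mount point, optional description
        current = parts[0]
        shares[current] = {
            "path": parts[1],
            "description": parts[2] if len(parts) > 2 else "",
            "acl": [],
        }
    return shares


def wide_open_shares(shares: Dict[str, dict]) -> List[str]:
    """Shares granting everyone Full Control at the share level (NTFS ACL is the only gate)."""
    return sorted(
        name for name, s in shares.items()
        if any(p.lower() == "everyone" and r == "Full Control" for p, r in s["acl"])
    )


if __name__ == "__main__":
    for name in wide_open_shares(parse_cifs_shares(SAMPLE)):
        print(f"{name}: share level is everyone / Full Control; check its NTFS ACL")
```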
Permission settings
CIFS permissions are controlled at two layers: share level and file level (the latter is set in Windows).
The vast majority of customers set the share level to everyone / Full Control and do their access control in Windows, because authorization in AD is much more granular.
Only customers with very high security requirements control permissions at both levels. Managing two layers of permissions is also cumbersome, because insufficient permission at either layer causes access to fail.
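To make the two-layer rule concrete, here is an added example (not from the original post) that models share-level and file-level ACLs and computes effective access as their intersection, with an explicit Deny at either layer winning over Allow. Rights are simplified to the three share-permission levels; the principals and group names below are constructed in the post's VMWARE-TEST naming.

```python
# Added example, not from the original post: effective CIFS access is the
# intersection of share-level and file-level (NTFS) rights; Deny beats Allow at
# either layer. Simplified to the three share-permission levels.
from typing import FrozenSet, List, Sequence, Tuple

LEVELS = {"Read": 1, "Change": 2, "Full Control": 3}  # each level implies the lower ones
AclEntry = Tuple[str, str, str]  # (principal, "Allow" | "Deny", level)


def implied(level: str) -> FrozenSet[str]:
    """Rights implied by a level: Full Control includes Change, which includes Read."""
    return frozenset(r for r, n in LEVELS.items() if n <= LEVELS[level])


def evaluate_layer(acl: List[AclEntry], principals: FrozenSet[str]) -> FrozenSet[str]:
    """Rights one layer grants to a user who holds `principals` (lower-cased); Deny wins."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal.lower() in principals:
            (allowed if kind == "Allow" else denied).update(implied(level))
    return frozenset(allowed - denied)


def effective_rights(share_acl: List[AclEntry], file_acl: List[AclEntry],
                     user: str, groups: Sequence[str] = ()) -> FrozenSet[str]:
    """A right is effective only when both the share layer and the file layer grant it."""
    principals = frozenset(p.lower() for p in (user, *groups, "everyone"))
    return evaluate_layer(share_acl, principals) & evaluate_layer(file_acl, principals)


# Constructed ACLs. OPEN_SHARE is the common practice the post describes: the share
# level grants everyone Full Control, so the NTFS ACL alone decides access.
OPEN_SHARE: List[AclEntry] = [("everyone", "Allow", "Full Control")]
READONLY_SHARE: List[AclEntry] = [("everyone", "Allow", "Read")]
FILE_ACL: List[AclEntry] = [
    ("VMWARE-TEST\\Domain Admins", "Allow", "Full Control"),
    ("VMWARE-TEST\\webauthors", "Allow", "Change"),
    ("everyone", "Allow", "Read"),
    ("VMWARE-TEST\\contractor", "Deny", "Read"),
]

if __name__ == "__main__":
    # With a Read-only share level, a web author's NTFS Change right is lost.
    print(sorted(effective_rights(READONLY_SHARE, FILE_ACL,
                                  "VMWARE-TEST\\alice", ["VMWARE-TEST\\webauthors"])))
```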
This article is reposted from the 川流信息 blog on 51CTO; original link: http://blog.51cto.com/tech4fei/1928532