Creating NetApp CIFS File Shares

This document applies to 7-Mode, with Data ONTAP 8.2.7 as the operating system.

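License preparation

CIFS requires a license. Oddly, without a license you can still create shares, but you cannot access them. This is unlike NFS and other features, which tell you at the very first step that nothing can be done without a license.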

netapptest1> license show -type CIFS

license show: "CIFS" is an unrecognized license type, skipping.

Serial Number: 4079432-74-8

Owner: netapptest1

Package           Type    Description           Expiration

----------------- ------- --------------------- --------------------            

CIFS              license CIFS License          -

Data ONTAP supports the following CIFS authentication methods:

(1) Active Directory domain authentication (Active Directory domains only)

(2) Windows NT 4 domain authentication ( Windows NT or Active Directory domains)

(3) Windows Workgroup authentication using the filer’s local user accounts

(4) /etc/passwd and/or NIS/LDAP authentication

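Generally, if there is no AD, use the third method; otherwise use the first. Run the cifs setup command. If CIFS is already running, you need to run cifs terminate to stop the current CIFS service first. CIFS cannot be reconfigured online.

Select 1 to use the Active Directory domain authentication setup wizard.

Setup procedure

Again, run the cifs setup command. The things to note and prepare beforehand are:

1) WINS information, which is optional;

2) A time server; if the time difference exceeds 5 minutes, Kerberos authentication may fail;

3) Windows domain and administrator account information;

4) DNS must be configured in advance.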

netapptest1> cifs setup

This process will enable CIFS access to the filer from a Windows(R) system.

Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

        This filer is currently a member of the Windows-style workgroup

        'WORKGROUP'.

Do you want to continue and change the current filer account information? [n]: y

        Your filer does not have WINS configured and is visible only to

        clients on the same subnet.

Do you want to make the system visible via WINS? [n]: y

        You can enter up to 4 IPv4 WINS server addresses.

IPv4 address(es) of your WINS name server(s) []: 192.168.0.130

Would you like to specify additional WINS name servers? [n]:

        This filer is currently configured as an NTFS-only filer.

Would you like to reconfigure this filer to be a multiprotocol filer? [n]:

        The default name for this CIFS server is 'NETAPPTEST1'.

Would you like to change this name? [n]:

        Choose the one from the list below that best suits your situation.

(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)

(3) Windows Workgroup authentication using the filer's local user accounts

Selection (1-4)? [1]: 1

What is the name of the Active Directory domain? [vmware-test.com]: vmware-test.com

        In Active Directory-based domains, it is essential that the filer's

        time match the domain's internal time so that the Kerberos-based

        authentication system works correctly. If the time difference between

        the filer and the domain controllers is more than 5 minutes,

        authentication will fail. Time services are currently not configured

        on this filer.

Would you like to configure time services? [y]: y

        CIFS Setup will configure basic time services. To continue, you must

        specify one or more time servers. Specify values as a comma or space

        separated list of server names or IPv4 addresses. In Active

        Directory-based domains, you can also specify the fully qualified

        domain name of the domain being joined (for example:

        "VMWARE-TEST.COM"), and time services will use those domain

        controllers as time servers.

Enter the time server host(s) and/or address(es) [VMWARE-TEST.COM]: 192.168.0.130

Would you like to specify additional time servers? [n]:

1 entry was deleted.

        In order to create an Active Directory machine account for the filer,

        you must supply the name and password of a Windows account with

        sufficient privileges to add computers to the VMWARE-TEST.COM domain.

Enter the name of the Windows user [[email protected]]: administrator

Password for administrator:

CIFS - Logged in as [email protected].

        An account that matches the name 'NETAPPTEST1' already exists in

        Active Directory: 'cn=netapptest1,cn=computers,dc=vmware-test,dc=com'.

        This is normal if you are re-running CIFS Setup. You may continue by

        using this account or changing the name of this CIFS server.

Do you want to re-use this machine account? [y]: y

CIFS - Starting SMB protocol...

        Currently the user "NETAPPTEST1\administrator" and members of the

        group "VMWARE-TEST\Domain Admins" have permission to administer CIFS

        on this filer. You may specify an additional user or group to be added

        to the filer's "BUILTIN\Administrators" group, thus giving them

        administrative privileges as well.

Would you like to specify a user or group that can administer CIFS? [n]:

Welcome to the VMWARE-TEST.COM (VMWARE-TEST) Active Directory(R) domain.

CIFS local server is running.

Current domain controller information (this information is actually obtained via DNS):

netapptest1> cifs domaininfo

NetBIOS Domain:                         VMWARE-TEST

Windows Domain Name:                    vmware-test.com

Domain Controller Functionality:        Windows 2003

Domain Functionality:                   Windows 2000

Forest Functionality:                   Windows 2000

Filer AD Site:                          Default-First-Site-Name

Current Connected DCs:                  \\DOMAIN-SERVER

Total DC addresses found:               1

Preferred Addresses:

                                        None

Favored Addresses:

                                        192.168.0.130   DOMAIN-SERVER    PDC

Other Addresses:

Connected AD LDAP Server:               \\domain-server.vmware-test.com

                                        192.168.0.130  

                                         domain-server.vmware-test.com

Other Addresses:

Access

Any user in the domain can be used for access. Of course, the local users created earlier can still access the shares as well.

We can check which users are currently accessing CIFS:

netapptest1> cifs sessions

Server Registers as 'NETAPPTEST1' in Windows domain 'VMWARE-TEST'

Root volume language is not set. Use vol lang.

WINS Server: 192.168.0.130

Selected domain controller \\DOMAIN-SERVER for authentication

====================================================

PC IP(PC Name) (user)           #shares   #files

192.168.0.130(DOMAIN-SERVER) (VMWARE-TEST\administrator - pcuser)

                                      1         0

192.168.0.200(DTC1F0FFA71982F) (NETAPPTEST1\administrator - pcuser)

Creating a CIFS share

There are 2 ways to create one:

1) Via Windows MMC

2) Via the command line or the graphical interface

Creating a CIFS share via Windows MMC:

Creating a CIFS share via the command line

netapptest1> cifs shares -add Website /vol/FlexVol01 -comment "Website for Wordpress"

netapptest1>

netapptest1> cifs shares

Name         Mount Point                       Description

----         -----------                       -----------

ETC$         /etc                              Remote Administration

                        BUILTIN\Administrators / Full Control

HOME         /vol/vol0/home                    Default Share

                        everyone / Full Control

C$           /                                 Remote Administration

Website      /vol/FlexVol01                    Website for Wordpress

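Permission settings

CIFS permissions are controlled at two levels: the share level and the file level (the latter is what you set in Windows).

The vast majority of customers set the share level to everyone / Full Control and control permissions in Windows, because authorization in AD is fairly fine-grained.

Only customers with very high security requirements control permissions at both levels. Managing permissions at two levels is also more tedious, because insufficient permission at either level causes access to fail.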
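
The two-level model described above, as an added example that is not part of the original post: a Python sketch that parses a `cifs shares` listing, reports the shares whose share-level ACL is everyone / Full Control, and models effective access as the weaker of the two levels. The sample listing is constructed (the ACL lines under C$ and Website are assumed), and the four-step rights ranking is a simplification that ignores group membership and deny entries.

```python
# Constructed sample in the layout of the `cifs shares` listing above;
# the ACL lines under C$ and Website are assumed for illustration.
SAMPLE = r"""Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control
Website      /vol/FlexVol01                    Website for Wordpress
                        everyone / Full Control
"""

# Simplified ordering of share-level rights, weakest to strongest (assumption).
RANK = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}

def parse_shares(text):
    """Return {share: {"path": str, "acl": [(principal, right), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or line.startswith("----") or words[:2] == ["Name", "Mount"]:
            continue                            # blank line or header row
        if line[0].isspace():                   # indented line = ACL entry
            principal, _, right = line.strip().rpartition(" / ")
            if current and principal:
                shares[current]["acl"].append((principal, right))
        else:                                   # new share row: name, path, comment
            current = words[0]
            shares[current] = {"path": words[1], "acl": []}
    return shares

def wide_open(shares):
    """Shares where the share level adds no restriction beyond the file ACLs."""
    return sorted(name for name, s in shares.items()
                  if any(p.lower() == "everyone" and r == "Full Control"
                         for p, r in s["acl"]))

def effective(share_right, file_right):
    """Access is capped by whichever level grants less."""
    return min(share_right, file_right, key=RANK.__getitem__)

if __name__ == "__main__":
    parsed = parse_shares(SAMPLE)
    print("everyone / Full Control at share level:", wide_open(parsed))
    print("share=Read, file=Full Control ->", effective("Read", "Full Control"))
```

For every share the script reports, the file-level ACLs are the only access control in force, so those are the ones to review first.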

This article is reposted from the 川流信息 blog on 51CTO. Original link: http://blog.51cto.com/tech4fei/1928532