This document presents the configuration and working of NetApp filer in a DSfW environment.
For this exercise, let’s select a very simple environment that consists of a single-domain DSfW forest.
The setup details are as follows:
- An OES2 SP3 server running a DSfW forest with a single domain
(Refer to the DSfW Administration Guide for details on forest and domain)
- A NetApp filer
- A Windows XP workstation joined to the DSfW domain
- A DSfW user
Pictorially, the setup looks as follows:
DSfW domain provisioning
DSfW is Domain Services for Windows, a product shipped with the OES platform starting from OES2 SP1. Refer to the DSfW Administration Guide mentioned below for DSfW installation and provisioning.
Let’s take the simplest scenario, ‘Installing a Forest Root Domain’ option in ‘Installing DSfW in a Non-Name-Mapped Setup’ section 6.2.1. Follow section 6.2.1 and chapter 7 ‘Provisioning Domain Services for Windows’ to complete the DSfW installation and provisioning. Please note, the DSfW domain/forest configuration is complete only after operations in chapter 7 are completed. After doing this, chapter 8 can be run to verify the provisioning status.
Active Directory domain authentication setup on NetApp filer
In this section let’s look at the Active Directory domain authentication setup on the NetApp filer. In simple terms, this means joining the NetApp filer to the DSfW domain.
The NetApp filer is configured in Active Directory domain mode. The command that performs the CIFS configuration on the NetApp box is ‘cifs setup’.
The DNS resolver configuration points to the DSfW DC. A sample output is as follows:
nfs-netapp-2> dns info
...snip...
Default domain: GMC3.COM
Search domains: GMC3.COM
Below is a verbatim transcript of a ‘cifs setup’ run.
nfs-netapp-2> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
This filer is currently a member of the Active Directory domain 'USA.EDU'.
Do you want to continue and change the current filer account information? [n]: y
Your filer is currently visible to all systems using WINS. The WINS name server
currently configured is: [ 192.168.28.20 ].
(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS
Selection (1-3)? :
This filer is currently configured as an NTFS-only filer.
Would you like to reconfigure this filer to be a multiprotocol filer? [n]:
The default name for this CIFS server is 'NFS-NETAPP-2'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? : 1
What is the name of the Active Directory domain? [USA.EDU]: gmc3.com
In order to create an Active Directory machine account for the filer, you must
supply the name and password of a Windows account with sufficient privileges to
add computers to the GMC3.COM domain.
Enter the name of the Windows user [Administrator@GMC3.COM]:
Password for Administrator@GMC3.COM:
CIFS - Logged in as Administrator@GMC3.COM.
Setup was unable to retrieve a list of joinable containers (organizational units)
from Active Directory, therefore a list of selectable options cannot be provided.
Please enter the distinguished name of the container that you would like the
filer to join below.
There is no need to add the domain name portion, 'dc=gmc3,dc=com', of the
distinguished name.
Enter the name of the organizational unit [CN=Computers]:
CIFS - Starting SMB protocol...
Welcome to the GMC3.COM (GMC3) Active Directory(R) domain.
CIFS local server is running.
nfs-netapp-2>
Joining a Windows workstation to DSfW domain
Join the Windows XP workstation to the DSfW domain. The link below has the required details for the join operation.
After joining the Windows workstation, log in as the DSfW user (rocky) via a domain logon.
Browsing the Computers container in the domain partition of the eDirectory tree shows the last two objects created as a result of the above two operations.
lin-gmc:~ # ldapsearch -b "cn=computers,dc=gmc3,dc=com" -s one dn -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=QWERT-XP1,cn=Computers,dc=gmc3,dc=com
dn: cn=WIN2K3-2,cn=Computers,dc=gmc3,dc=com
dn: cn=XPCLIENT,cn=Computers,dc=gmc3,dc=com
dn: cn=NFS-NETAPP-2,cn=Computers,dc=gmc3,dc=com
DSfW User Management
The DSfW environment is now ready. We will need some users, and maybe groups, for this exercise. User management in DSfW can be done through iManager or MMC. There is also a command line approach, which I am going to present here.
The command line tool for user/group management in DSfW is ‘pgo’. The tool is located at /opt/novell/xad/sbin/.
Set up the environment to run this tool:
$ export SASL_PATH=/opt/novell/xad/lib/sasl2   # change lib to lib64 for an x86_64 environment
$ kinit administrator                          # the domain administrator
$ pgo -t user --add rocky                      # note the two hyphens before 'add'
The above set of commands creates a DSfW user ‘rocky’.
The Final Step
In this last step, we will see the working of the whole setup. In a typical scenario, the NetApp filer will host some CIFS shares. Domain Users will map to the CIFS shares from their desktops, using their domain identity.
Now let’s create a CIFS share on the NetApp filer.
nfs-netapp-2> qtree status
Volume       Tree      Style  Oplocks   Status
--------     --------  -----  --------  ---------
vol0                   ntfs   enabled   normal
vol0         test1     unix   enabled   normal
vol0         testnss   unix   enabled   normal
vol3                   ntfs   enabled   normal
vol1                   ntfs   enabled   normal
vol4                   ntfs   enabled   normal
newvol1                ntfs   enabled   normal
newvol1      newvol1   unix   enabled   normal
vol2                   ntfs   enabled   normal
vol5dsfw               ntfs   enabled   normal
MPVOl2                 ntfs   enabled   normal
VOLUME_30GB            ntfs   enabled   normal
The above command lists the volumes and qtrees on the NetApp filer. Let’s select one volume for our CIFS share; ‘vol4’ is used for this exercise. Note: the security style on ‘vol4’ is ‘ntfs’.
nfs-netapp-2> cifs shares -add nshare /vol/vol4
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        everyone / Full Control
nfs-netapp-2>
We have created a CIFS share ‘nshare’ (NetApp share). By default, everyone has Full Control on this share. Let’s restrict this to just the domain user ‘rocky’ created earlier. Below are the commands to manage the access rights on the CIFS share.
nfs-netapp-2> cifs access -delete nshare everyone
nfs-netapp-2> cifs lookup rocky
SID = S-1-5-21-494855465-201376168-299812962-1122
nfs-netapp-2> cifs access nshare rocky "read"
nfs-netapp-2> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        GMC3\rocky / Read
We can see from the above output that the ‘everyone’ entry is revoked and domain user ‘rocky’ has read rights only. Note: the rights are NTFS style.
Now let’s map the CIFS share from the Windows workstation where we have logged in as domain user ‘rocky’.
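An added audit helper, not part of the original document or of Data ONTAP: it parses a ‘cifs shares’ listing in the layout shown above (share lines at column 0, ACL entries indented as ‘principal / right’) and reports every share that still carries the default ‘everyone / Full Control’ entry, which is exactly the state ‘cifs access -delete’ was used to remove. The sample listing is constructed to mirror the output above.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of the 'cifs shares' output above.
SAMPLE_CIFS_SHARES = """\
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        ** no access **
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        ** no access **
nshare       /vol/vol4
                        GMC3\\rocky / Read
"""


def parse_cifs_shares(text: str) -> Dict[str, Dict[str, object]]:
    """Return {share: {"path": mount point, "desc": description, "acl": [(principal, right), ...]}}."""
    shares: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Share line: name, mount point, optional description.
            parts = line.split(None, 2)
            if parts[0] == "Name" or parts[0].startswith("----"):
                continue  # column header / separator
            current = parts[0]
            shares[current] = {"path": parts[1],
                               "desc": parts[2] if len(parts) > 2 else "",
                               "acl": []}
        elif current is not None:
            entry = line.strip()
            if entry == "** no access **":
                continue  # share has no ACL entries at all
            principal, _, right = entry.rpartition(" / ")
            shares[current]["acl"].append((principal, right))
    return shares


def find_open_shares(text: str) -> List[str]:
    """Names of shares whose ACL still grants 'everyone' Full Control."""
    return [name for name, info in parse_cifs_shares(text).items()
            if any(p.lower() == "everyone" and r.lower() == "full control"
                   for p, r in info["acl"])]


if __name__ == "__main__":
    for name in find_open_shares(SAMPLE_CIFS_SHARES):
        print(f"share {name!r} grants everyone Full Control; restrict it with 'cifs access'")
```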
Mapping the NetApp CIFS share to ‘Z:’ drive
Accessing the ‘Z:’ drive and reading file named ‘welcome’.
Folder creation fails as domain user ‘rocky’ has ‘read’ rights only on the CIFS share.
Commands to grant additional rights on CIFS share to domain user ‘rocky’.
nfs-netapp-2> cifs access nshare rocky "full control"
nfs-netapp-2> cifs shares nshare
Name         Mount Point                       Description
----         -----------                       -----------
nshare       /vol/vol4
                        GMC3\rocky / Full Control
Folder creation successful after granting appropriate rights!