Configuring CIFS Upon completion of this module, you should be able to: Configure the Data Mover for a Windows environment Create and Join a CIFS Server.

Presentation transcript:

Configuring CIFS

Upon completion of this module, you should be able to:
- Configure the Data Mover for a Windows environment
- Create and Join a CIFS Server to a Windows Domain
- Export a file system as a CIFS Share
- Describe UserMapper Basics

This module covers how to provide CIFS storage access to a VNX system.

Module 12: Configuring CIFS
Lesson 1: Overview of Configuring VNX for CIFS

During this lesson the following topics are covered:
- Preparing for CIFS
- Creating a CIFS server
- Creating a CIFS share

This lesson provides an overview of preparing for, and configuring, CIFS on a VNX system.

Preparing for CIFS

- Configure IP networking
  - Interface addressing
  - Routing
- Configure Network Services
  - DNS (Dynamic DNS recommended)
  - NTP
- Configure Virtual Data Mover
  - Best practice for CIFS
- Configure a file system
  - Provides file storage space

[Diagram: Virtual Data Mover with file system DataFS (/Sales) and interface cge-1-0, 192.168.65.12]

Configuring CIFS is a multi-step process with an end result of having the VNX system storage available for access via its CIFS server and shares to users on the Microsoft network. There are several configuration tasks done on the VNX to prepare for the CIFS configuration.

The first step is to make the VNX available on the network by configuring Data Mover IP networking. This is done by creating an interface and assigning its IP addressing. Network routing is also configured to provide connectivity across networks.

The next task is to configure network services on the Data Mover. The DNS service is required for Windows Active Directory. It is a recommended best practice to use Dynamic DNS for the CIFS environment. The NTP service should also be configured to maintain time synchronization within the Windows network. Windows Active Directory utilizes Kerberos authentication, which is time sensitive.

The next step is to configure a Virtual Data Mover on the Data Mover. Although it is possible to configure a CIFS server on a physical Data Mover, it is a best practice to configure the CIFS server on a Virtual Data Mover.

A final preparation task is to configure a file system for the Virtual Data Mover. The file system will provide the file storage space and be made available to users via a CIFS share.

Configuring CIFS: CIFS Server

- Start the CIFS service
  - Runs on physical Data Mover
- Create a CIFS server on VDM
  - Uses an available interface for network communications
  - CIFS server binds to interface name
- Join CIFS server to the Windows Domain
  - CIFS server created in domain OU EMC Celerra

[Diagram: Virtual Data Mover holding CIFS Server VNX_CIFS01 on interface cge-1-0, 192.168.65.12, with file system DataFS (/Sales); VNX_CIFS01 shown in the OU EMC Celerra]

With the Data Mover networking, network services, Virtual Data Mover and file system in place on the VNX, the CIFS-specific configurations can now be done.

The first CIFS-specific task is to start the CIFS service. The service runs on the physical Data Mover and is not started by default. With the service started on the Data Mover, its configured interfaces will now communicate on the Windows network via the CIFS protocol.

The next step is to create the VNX CIFS server. A CIFS server is a “logical” file server that utilizes the CIFS protocol to transfer files to and from CIFS clients. To follow best practices, create the CIFS server on the prepared VDM. This allows the CIFS server to be portable to other physical Data Movers. The CIFS server uses an available interface to communicate within the network.

The next step is to join the CIFS server to the Windows domain. By default, the join operation creates an Organizational Unit named EMC Celerra within the Windows Active Directory domain and the CIFS server is contained within it.

Configuring CIFS: Storage

- Create CIFS share
  - From prepared file system
  - CIFS server makes share available on network to clients
- CIFS is now configured on VNX
  - CIFS server is available to Microsoft network
  - File storage available to CIFS clients through the CIFS share

[Diagram: Virtual Data Mover holding CIFS Server VNX_CIFS01 on interface cge-1-0, 192.168.65.12; /DataFS/Sales shared as Sales_data; VNX_CIFS01 shown in the OU EMC Celerra]

The final step of configuring CIFS is to make file storage available on the network to Windows clients. A CIFS share is created using the prepared file system. The share is made available to the CIFS server, which then makes it available on the network to the CIFS clients.

CIFS is now configured on the VNX. The steps taken have made a CIFS server that is available on the network and joined to the Active Directory domain. The VNX file system is providing file storage to CIFS clients through the CIFS share.

Configuring CIFS Lesson 1: Summary

During this lesson the following topics were covered:
- Preparing for CIFS
- Creating a CIFS server
- Creating a CIFS share

This lesson covered an overview of preparing for, and configuring, CIFS on a VNX system.

Configuring CIFS Lesson 2: Create and Join a CIFS Server to a Windows Domain

During this lesson the following topics are covered:
- Starting CIFS
- Creating a CIFS Server
- Joining a CIFS Server to the domain
- Verifying CIFS server status

This lesson demonstrates how to create and join a CIFS server into the domain.

CIFS Management in Unisphere

Navigation: Storage > Shared Folders > CIFS

To manage CIFS in Unisphere, use the listed navigation to get to the main CIFS management pane. The pane features tabs for configuring, monitoring and managing CIFS on the VNX.

Starting CIFS

Navigation: Storage > Shared Folders > CIFS, then Tasks tree > Configure CIFS link

Before creating any CIFS servers, start the CIFS service to activate the protocol for each physical Data Mover. Once the service is started, it cannot be stopped without adversely impacting CIFS client access.

With the main CIFS management page open, on the right side Tasks tree File Storage section, select the Configure CIFS link. Check the CIFS Service Started checkbox to start the service.

The window also displays the Unicode setting, which is enabled by default. Unicode is the Universal Character Set supported in the VNX for File.

Also available from the Configure CIFS window is the WINS Servers field to configure WINS. WINS is a legacy Microsoft naming service for Windows NT or legacy NetBIOS applications but is not needed for Active Directory.

Click OK or Apply to invoke the configuration.

Create a CIFS Server

Navigation: Storage > Shared Folders > CIFS > CIFS Servers tab > Create

Once the CIFS service is started on the Data Mover, a CIFS server can be created. From the main CIFS management pane, select the CIFS Server tab and click Create. This opens the Create CIFS Server configuration dialogue window. The window has several sections for creating and configuring a CIFS server.

The first section has a dropdown to select the Data Mover that will hold the CIFS server. The Data Movers can be Physical or Virtual Data Movers. The best practice is to create the CIFS server on a Virtual Data Mover, as the example illustrates.

The Server Type section defines the behavior of the CIFS server. There are three types available: Active Directory Domain, Windows NT4 Domain, and Standalone (local login) servers. The dialogue window displays different fields corresponding to the type of server selected. In the example, the Active Directory Domain type is selected. It is the most common type of CIFS server used in Windows environments today. The screen shown has fields for Computer Name, Aliases and NetBIOS Name. The slide illustrates creating a CIFS server with a Computer Name of VNX_CIFS01.

Next is the Domain section, which has fields for the Windows Domain, a checkbox option for joining the domain, credential fields for a Domain user with the rights to add computers into the domain, and the Organizational Unit that the CIFS server will be added into. The default organizational unit (OU) for a Data Mover’s CIFS server is Computers:EMC Celerra.

The next section is for enabling local users on the CIFS server and setting a local Admin password.

The final step is to select an interface for the CIFS server. If no interface is specified, the associated CIFS server uses all unassigned interfaces on that Data Mover. This configuration is known as the default CIFS server. The example illustrates an interface being specified for the CIFS server.

Click OK or Apply to invoke the configuration.

CIFS Server Status

- CIFS Server Properties: displays status with the domain

The status of the CIFS server can be seen from the main CIFS page on the CIFS Servers tab. The CIFS Server Properties page displays its status with the domain. In the example shown, the CIFS server has been joined to the domain.

When creating a CIFS server it is useful to check its properties to confirm that the CIFS server has been joined to the domain. Unsuccessful joins are commonly caused by time synchronization issues with Kerberos, or they could be related to Data Mover routing configurations.

The CIFS Server Properties page can also be used to modify the specific CIFS server configuration, such as unjoining it from the domain or changing its interfaces.

CIFS Servers in the Windows Environment

[Screenshots: CIFS server in Active Directory; CIFS server in Dynamic DNS]

The CIFS server should also be seen within the Windows environment. It should be seen within Active Directory as a Computer in the EMC Celerra OU as shown. Additionally, it should be present within Dynamic DNS as shown. It can be helpful to verify the CIFS server within Active Directory and DNS should any join or operational issues arise.

Configuring CIFS Lesson 2: Summary

During this lesson the following topics were covered:
- Starting CIFS
- Creating a CIFS Server
- Joining a CIFS Server to the domain
- Verifying CIFS server status

This lesson demonstrated how to create and join a CIFS server into the domain.

Configuring CIFS Lesson 3: File System Access via CIFS

During this lesson the following topics are covered:
- Exporting a file system as a CIFS share
- Creating a top-level file system share
- Creating shares using Windows tools

This lesson focuses on making a file system available to a CIFS client. It covers creating a top-level file system share and using Windows tools to create shares on the VNX.

CIFS Shares

- Exporting a file system pathname as a CIFS share
- Provide a “share” name

[Diagram: CIFS Server exporting file system DataFS (directories lost+found, .etc, Engineering, Sales): /DataFS/ shared as hidden share Top$, /DataFS/Engineering shared as Designs, /DataFS/Sales shared as Sales]

Once the CIFS server is visible, the Data Mover’s file systems must be specifically exported for the CIFS protocol in order to be available to the Microsoft network. In addition to specifying the protocol, a share name must be provided.

The slide illustrates CIFS Shares created from a file system’s data structure and made available through a CIFS server. The top level of the file system along with two lower-level directories have been exported as CIFS shares. The pathname of the file system data structure is specifically exported and is given a share name.

A share name ending in $ creates a share that is hidden. It is common practice to hide top-level shares from users and to make lower-level shares available to users. This allows administrators to access the top-level share and create the needed directory structures for creating additional shares for the users and organizations. Additionally, it has the benefit of keeping the file system’s lost+found and .etc directories hidden from users.

Exporting a File System as a CIFS Share: Unisphere

Navigation: Storage > Shared Folders > CIFS > Shares tab > Create

To export a file system for CIFS, in Unisphere navigate to the main CIFS management pane and select the Shares tab.

The first step for creating a CIFS share is to select, from the dropdown list, the Data Mover that the CIFS server and file system are configured on.

In the CIFS Share Name field, a share name must be input. The share name will be the name of the share that the CIFS server presents to the network. It does not have to be the same name as the file system pathname that is exported.

Next, select the desired File System from the dropdown list. Only file systems that are mounted to the selected Data Mover will be displayed.

Next, select the file system Path name to export. When creating an initial share on a file system, the only pathname available will be to the top level of the file system. The field only accepts pathnames that exist and it will not create any structure that does not already exist.

Finally, select a CIFS Server for the share. There are optional share User Limit and Comment fields available. Click OK to invoke the configuration.

The example illustrates a share being created using a Virtual Data Mover VDM01, having a share name of Top$ on the file system DataFS, sharing the top level of the file system from the VNX_CIFS01 CIFS server.

Exporting a File System as a CIFS Share: Windows

- Initial top-level share created with Unisphere must be in place!
- Computer Management > select CIFS Server
- System Tools > Shared Folders > Share > New Share

VNX also supports using Microsoft management tools for creating shares. An initial top-level share on the file system created with Unisphere must exist on the VNX prior to using the Microsoft interface for share creation. This is due to the permissions at the top level of the file system.

Shares can be created on the VNX using Microsoft’s Computer Management tool, which is available from Administrative Tools on most Windows systems. To create VNX shares the user must have Domain Administrator rights.

With Computer Management launched, connect to the VNX CIFS Server. Once connected, a new share can be created by expanding the System Tools > Shared Folders tree. Select Share and right-click for the New Share option. A Wizard for creating a share launches. Using the wizard, the operator is able to browse to the desired VNX CIFS server shared file system and create a folder within that file system for sharing. The operator can name the share and set its permissions using the Wizard.

Unisphere Display of CIFS Shares

- VNX shares created with Microsoft tools displayed in Unisphere

When VNX shares are created using Microsoft tools, the shares are displayed in Unisphere. The example shown here displays the Sales_data share that was created using Microsoft’s Computer Management tool.

Configuring CIFS Lesson 3: Summary

During this lesson the following topics were covered:
- Exporting a file system as a CIFS share
- Creating a top-level file system share
- Creating shares using Windows tools

This lesson covered making a file system available to a CIFS client. It covered creating a top-level file system share and using Windows tools to create shares on the VNX.

Configuring CIFS Lesson 4: CIFS Operational Considerations

During this lesson the following topics are covered:
- Stopping/restarting the CIFS service
- Modifying CIFS server interfaces
- Moving a VDM with a CIFS server
- CIFS restrictions with VDM

This lesson focuses on several operational concerns for CIFS. It details CIFS server configuration changes and operational restrictions when using CIFS with VDMs.

CIFS Servers Interface Considerations

- Interface “stealing” is:
  - Possible between CIFS Servers on the same Physical Data Mover
  - Possible between CIFS Servers on the same Virtual Data Mover
  - Not possible between CIFS Servers on different Data Movers (Physical or Virtual)
- Interfaces are not changed for Default CIFS Servers
  - Default CIFS Servers automatically use interfaces that are not currently used by any other CIFS Servers
- When a CIFS Server interface is disabled
  - CIFS shares that are connected through this interface will no longer be accessible
  - Shares need to be reconnected through new interface

A CIFS Server interface can be changed using the Unisphere GUI. This functionality is provided on the CIFS Server properties page. The considerations in modifying a CIFS Server interface are as follows:

Interface stealing:
- Is possible between CIFS Servers hosted on the same Physical Data Mover
- Is possible between CIFS Servers hosted on the same Virtual Data Mover
- Is not possible between CIFS servers hosted on different Data Movers (Physical or Virtual)

An interface for the Default CIFS Server cannot be changed. The Default CIFS Server automatically uses interfaces that are not currently used by any other CIFS Servers.

If the interface of a CIFS Server is disabled, the CIFS shares that are connected through this interface will no longer be accessible. The shares need to be reconnected through a new interface.

Stealing CIFS Server Interface

- Assigning an already used Interface to a CIFS server

[Screenshot: New CIFS Server VNX_CIFS02 being configured; interface already in use by VNX_CIFS01]

It is possible to assign an interface to a CIFS server that is already in use by another CIFS server. This is termed “interface stealing”.

In the slide, the CIFS Server VNX_CIFS02 is being configured. The Data Mover has an existing CIFS server VNX_CIFS01 that is using the 192.168.65.8 interface. When that interface is assigned to the new CIFS Server VNX_CIFS02, a warning message appears. The warning displays the message: “The interface is already in use by another CIFS server. Click OK to use it for the new server instead (the existing server will no longer be accessible on this interface).”

Start/Stop the CIFS Service

- Stop and restart CIFS service after changes
  - WINS settings for legacy NT4 domains
  - Other CIFS related changes
  - See Configuring and Managing CIFS on VNX
- Stopping CIFS service stops all CIFS servers
  - On physical Data Mover and its VDMs

The CIFS service must be stopped and restarted for any changes in the configuration to take effect, such as a WINS server configuration. Please refer to the product document Configuring and Managing CIFS on VNX for other settings requiring CIFS service restarts.

It is very important to know that stopping the CIFS service on the physical Data Mover will stop all CIFS servers configured on the physical Data Mover. Any VDMs that are loaded onto the physical Data Mover will also have their CIFS servers stopped. The data served by the CIFS servers will be unavailable to the users until the CIFS service is started again.

Moving a VDM with a CIFS Server

- Target physical Data Mover must have interface with same name
  - CIFS server binds to interface name
- Name resolution:
  - Different IP addresses
    - Dynamic DNS updates
    - Client DNS cache flush
  - Same IP address
    - Down inactive interface

When moving a VDM containing a CIFS server to another physical Data Mover, the target physical Data Mover must have the same interface naming to support the CIFS server. This is because the CIFS server binds to the interface name.

There are name resolution issues that need to be considered after the move. If the target interface has different IP addressing, when the VDM loads onto the target, the CIFS server will send an update to DNS for its name and IP address. The CIFS server record within DNS will be updated if dynamic DNS is used. For clients that had a session established to the CIFS server before the move, the session will have to be re-established. The client’s DNS cache will maintain the original name and IP address pairing for several minutes. To re-establish a session to the CIFS server, the user will have to wait until the client DNS cache expires or manually perform a flush of its DNS cache.

If the target interface is using the same IP address, to avoid having duplicate IP addresses on the network, the inactive Data Mover interface will have to be manually “downed”. This requires manual intervention by the VNX administrator, adding another few steps to the process of a VDM move operation.

CIFS Restrictions with VDMs

- VDM containing a CIFS server cannot be loaded onto physical Data Mover with a “default” CIFS server
  - Default CIFS servers use all available interfaces
- VDM CIFS server cannot provide antivirus functionality
  - Antivirus functionality is provided by “global” CIFS server from physical Data Mover
- Refer to Configuring Virtual Data Movers on VNX document for other restrictions

There are some restrictions to be aware of when using VDMs containing CIFS servers. A VDM containing a CIFS server cannot be loaded onto a physical Data Mover having a “default” CIFS server. A “default” CIFS server uses all available interfaces on the physical Data Mover. Therefore no interfaces would be available for a CIFS server contained within a VDM.

Another VDM CIFS server restriction relates to antivirus functionality. The antivirus solution requires a “global” CIFS server created at the physical level. A CIFS server contained within a VDM cannot be a “global” CIFS server that provides the antivirus functionality.

There are several other restrictions for VDM CIFS servers that relate to command line interface configuration. Please refer to the Configuring Virtual Data Movers on VNX document for a complete list.

Configuring CIFS Lesson 4: Summary

During this lesson the following topics were covered:
- Stopping/restarting the CIFS service
- Modifying CIFS server interfaces
- Moving a VDM with a CIFS server
- CIFS restrictions with VDM

This lesson covered several operational concerns for CIFS. It detailed CIFS server configuration changes and operational restrictions when using CIFS with VDMs.

Configuring CIFS Lesson 5: Usermapper

During this lesson the following topics are covered:
- Explain Usermapper basic operations
- Explain Usermapper configuration

This lesson provides an overview of a Virtual Data Mover (VDM) and lists the differences between a Physical Data Mover and a VDM.

User Mapping with VNX

- Method for uniquely identifying users and groups accessing the VNX with file access protocols (CIFS and NFS)
  - Windows SIDs
  - UNIX/Linux UIDs and GIDs
- VNX requires UIDs and GIDs
  - UxFS based file system file and directory permissions
- Mapping required for CIFS only and mixed CIFS/NFS environments

[Diagram: Windows CIFS clients present user/group SIDs, which a mapping method converts to UID/GID; UNIX/Linux NFS clients present UID/GID directly; the VNX file system stores UID/GID]

User mapping with VNX is needed to uniquely identify users and groups from Windows and UNIX/Linux environments that access the VNX with their respective file access protocols. Windows environments use Security Identifiers (SIDs) for identifying users and groups. UNIX and Linux environments have User Identifiers (UIDs) and Group Identifiers (GIDs) to identify users and groups.

The VNX file system is UxFS based and uses UNIX/Linux UIDs and GIDs. When Windows users access the VNX, the user and group SIDs need to be mapped to UIDs and GIDs, which are applied to the users’ data on the VNX file system. The user mapping provides this correlation of Windows SIDs to UNIX/Linux UIDs and GIDs.

User mapping is required in a CIFS-only user environment and in a mixed CIFS and NFS user environment. User mapping is not required for NFS-only user environments; the VNX uses the UIDs and GIDs provided natively with NFS access.

User Mapping Methods

- Variety of methods available
  - Supporting various user environments
  - Internal and external to VNX

[Table of mapping methods, flattened in this transcript. Columns: Mapping Method, User Environment, Location, Enabled By. Cells in reading order: Usermapper, CIFS only, VNX Data Mover, default; Microsoft IdMU, CIFS and NFS, Windows AD, nsswitch.conf (LDAP); Microsoft SFU; OpenLDAP/iPlanet, UNIX/Linux LDAP server; VNX UNIX User Management, CIFS ADMap parameter; NIS, NIS server, Data Mover network settings; Local Files, Data Mover, passwd/group files; ntxmap, ntxmap.conf]

There are a number of user mapping methods available to VNX for use in supporting different user environments. Some mapping methods are internal to the VNX and some are from external systems within the user environment. The focus of this module is on the Usermapper mapping method. The other mapping methods are listed in the table here to provide a list of user mapping on the VNX.

In general, when a CIFS user with SIDs accesses a VNX CIFS server, the user mapping method provides corresponding user and group UIDs and GIDs to the Windows user and group SIDs. For further details consult the document “Configuring VNX User Mapping” from the VNX series documentation.

Usermapper: This mapping method is used in a CIFS-only user environment and is provided by default from Data Mover 2 on all VNX systems.

User Mapping and Secure Mapping

Secmap records (caches) SID to UID/GID mappings provided by user mapping methods
  Does not generate mappings
  Used for resolving subsequent user mapping
  Is persistent mapping
Present on all physical and virtual Data Movers
Mapping entries displayed with CLI only

Secure mapping, also known as secmap or secmap cache, augments user mapping on the VNX. Secmap effectively listens to mapping sources and records the mapping information provided. It is important to know that secmap does not generate user mappings; it simply records the mapping information that a mapping source provides. Once a mapping source has provided initial user and group mappings, any subsequent access by the user or group will get its mapping information from secmap. Secmap is designed to improve response time for a subsequent mapping request of a user or group that has already been mapped. Secmap holds the mapping information in a binary database. The mapping information is retained through system reboots and power cycles. Secmap is present on all production Data Movers, both physical Data Movers and virtual Data Movers. The secmap mapping entries are displayed using the command line interface only. The entries are not displayed in the Unisphere interface.

User Mapping Search Order

[Flowchart: default mapping search order (1): Start, secmap, local user & group files, NIS, LDAP, Active Directory, Usermapper. Usermapper generates a UID or GID and adds it to its database. "Was the user added?" Yes: the user is authenticated and access to the CIFS share is allowed. No: an error is generated. nsswitch.conf (2) and ntxmap (3) modify the default order.]

# /.etc/nsswitch.conf :
#
passwd: files ldap nis
group: files ldap nis
hosts: dns nis files
netgroup: files nis

The Data Mover follows a search order for user mapping. Only enabled mapping methods are searched. The default search order is shown and is described below:

1. The Data Mover first determines if it has a mapping for the SID in secmap. Failing to find the user in secmap, the Data Mover checks its local user and group files. If no mapping is found and NIS is configured, the Data Mover queries NIS for a UID or GID. If the Data Mover does not receive the mapping from NIS, and an LDAP-based directory service is configured, the Data Mover queries LDAP. If no mapping is found, it checks Active Directory. When Active Directory cannot resolve the ID mapping, the Data Mover queries Usermapper.

2. The default mapping order is affected if there is an nsswitch.conf file present on the Data Mover. The file can define the search order for users (passwd) and groups. Possible entries are files, NIS, and/or LDAP. The mapping search order for files, NIS and LDAP will be the order that is defined in the nsswitch.conf file if it is present.

3. When ntxmap is enabled, the mapping mechanism first refers to the ntxmap rules before using secmap. The mapping provided by ntxmap replaces any previous secmap cache entry for a user that was created by another user mapping method. Any existing entry in secmap for this user either gets updated with the new information, or a new ntxmap mapping is cached. Secmap is queried for ntxmap users only if the ntxmap.conf file is unavailable, empty, or unable to provide a mapping.
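The search order described above, as an added Python model that is not EMC code or part of the original slides. The class, function names and sample SIDs/UIDs are assumptions made for illustration; the passwd and group lines are the ones shown on the slide.

```python
# Added model of the Data Mover mapping search order; not EMC code.
NSS_METHODS = ("files", "nis", "ldap")        # default order for these three

def nss_order(nsswitch_text, database="passwd"):
    """Order of files/nis/ldap from nsswitch.conf text, else the default."""
    for raw in (nsswitch_text or "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            listed = line.split(":", 1)[1].lower().split()
            return [m for m in listed if m in NSS_METHODS]
    return list(NSS_METHODS)

class DataMover:
    def __init__(self, sources, nsswitch=None, ntxmap=None):
        self.sources = sources      # enabled methods only: name -> {sid: uid}
        self.order = nss_order(nsswitch) + ["ad"]
        self.ntxmap = ntxmap        # None or {} models a disabled/empty ntxmap.conf
        self.secmap = {}            # cache of mappings already provided
        self.usermapper = {}        # Usermapper database
        self.next_uid = 32768       # first generated value, per the page

    def resolve(self, sid):
        """Return (uid, name of the method that answered)."""
        if self.ntxmap and sid in self.ntxmap:
            self.secmap[sid] = self.ntxmap[sid]   # replaces any earlier cache entry
            return self.ntxmap[sid], "ntxmap"
        if sid in self.secmap:
            return self.secmap[sid], "secmap"
        for name in self.order:
            table = self.sources.get(name, {})
            if sid in table:
                self.secmap[sid] = table[sid]
                return table[sid], name
        uid = self.usermapper[sid] = self.next_uid  # last resort: generate
        self.next_uid += 1
        self.secmap[sid] = uid
        return uid, "usermapper"

# Constructed sample data (the nsswitch.conf lines are the ones on the slide).
NSSWITCH = "passwd: files ldap nis\ngroup: files ldap nis\n"
SID_A = "S-1-5-21-1000-2000-3000-1101"   # constructed SIDs
SID_B = "S-1-5-21-1000-2000-3000-1102"

def demo():
    sources = {"nis": {SID_A: 5001}, "ldap": {SID_A: 6001}}
    default_dm = DataMover(sources)
    nss_dm = DataMover(sources, nsswitch=NSSWITCH)
    first = nss_dm.resolve(SID_A)
    sources["ldap"][SID_A] = 6999        # directory entry changes later
    return [default_dm.resolve(SID_A), first,
            nss_dm.resolve(SID_A), nss_dm.resolve(SID_B)]
```

In this model a mapping already recorded in secmap keeps answering after the directory entry changes, which follows from secmap being searched before the directory sources.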

Usermapper Overview

A user mapping method which runs on a VNX for File
Mapping method used for CIFS-only user environments
Automatically generates UIDs/GIDs for Windows user/group SIDs
  Database maintains mappings
  UID and GID values start at 32768 and increase
  Custom ranges can be configured in usrmap.cfg file (not recommended)

[Diagram: Data Movers, each with Secmap; one runs the Usermapper service.]

The Usermapper service is a mapping method which runs on a Data Mover in the VNX and is used in CIFS-only user environments. Usermapper automatically generates UIDs and GIDs for Windows domain user and group SIDs and maintains the mapping in a database. The generated UID and GID values start at 32768 and increment for each new user and group being mapped. Custom UID and GID ranges can be configured with a usrmap.cfg file. Custom ranges are not recommended. Contact EMC support for use of custom ranges.

Usermapper Roles

Primary Usermapper
  One per VNX environment
  Generates user mappings
  By default runs on Data Mover 2
Secondary Usermapper
  One per each additional VNX
  Queries Primary Usermapper for mapping
Usermapper client
  All other VNX Data Movers
  Query Primary/Secondary for user mappings

[Diagram: three VNX systems, each showing Data Mover 2 and Data Mover 3 with Secmap. Data Mover 2 runs the Primary Usermapper on one VNX and a Secondary Usermapper on another; Data Mover 3 is a Usermapper client of the Primary/Secondary in its VNX.]

There are different Usermapper roles used for single or multiple VNX environments. The Usermapper roles are Primary, Secondary and client. The Primary and Secondary roles must run on physical Data Movers. Physical or virtual Data Movers can have the client role. Standby Data Movers do not have Usermapper roles.

The Primary Usermapper generates user mappings and is defined by default to run on Data Mover 2 on every VNX for File. Only one Primary Usermapper is used within a VNX environment that employs Usermapper.

All additional VNXs within the environment will be configured with a Data Mover having the Secondary Usermapper role. The additional VNXs will require the default Primary Usermapper for Data Mover 2 to be changed to the Secondary Usermapper role. A Secondary Usermapper does not generate user mappings but rather queries the Primary Usermapper for the mappings.

A Usermapper client is a Data Mover that has neither the Primary nor the Secondary Usermapper role. Usermapper clients query Primary/Secondary Usermappers within their VNX for user mappings.

Primary Usermapper Operations

Multiple VNXs: one Primary, two Secondary Usermappers
User1 accesses DM2 on VNX1
Primary Usermapper generates & records UID for user1 SID
Secmap records mapping

[Diagram: on VNX1 Data Mover 2, the Primary Usermapper database and Secmap each hold "User1 SID: UID 32768". Data Mover 2 on VNX2 and on VNX3 each run a Secondary Usermapper with Secmap.]

In this and the next several slides the mapping operations of Usermapper will be described. The operations will be illustrated for the Usermapper roles within a multi-VNX environment. The scenario environment includes operations of a single Primary Usermapper on one VNX and two Secondary Usermappers on two additional VNXs. The operations of a client Usermapper will also be described. For simplicity, the slides just illustrate the cumulative mapping of several Windows user SIDs to UIDs. The mapping of group SIDs to GIDs is not shown but is conceptually the same as the user SID to UID mapping.

This slide illustrates the mapping operation of Windows User1 in the first access to a VNX Data Mover that has the Primary Usermapper role. The Windows user access includes the user SID. The Data Mover's Primary Usermapper generates a UID for the user SID and records this SID to UID mapping in its Usermapper database. The Data Mover's Secmap also records the mapping in its database, and its recorded mapping will be used to provide the mapping for any subsequent User1 access to the Data Mover.

Secondary Usermapper Operations

Multiple VNXs: one Primary, two Secondary Usermappers
User2 accesses DM2 on VNX2
Secondary queries Primary for mapping
Primary generates & records UID for user2 SID
Secmap on VNX1 DM2 records mapping
Primary replies with mapping
Secondary records User2 mapping
Secmap on VNX2 DM2 records mapping

[Diagram: a mapping query goes from the Secondary Usermapper on VNX2 Data Mover 2 to the Primary Usermapper on VNX1 Data Mover 2, followed by a mapping reply. The Primary Usermapper database and Secmap on VNX1 hold "User1 SID: UID 32768" and "User2 SID: UID 32769"; the Secondary Usermapper database and Secmap on VNX2 hold "User2 SID: UID 32769".]

This slide builds upon the previous slide to show the cumulative mapping contained in the Primary Usermapper database. In this example Windows User2 accesses a Data Mover on the second VNX that has a Secondary Usermapper role. To provide a UID mapping for the user SID, the Secondary Usermapper sends a mapping query to the Primary Usermapper, which is on Data Mover 2 on VNX1. That Data Mover does not have a mapping entry in its Secmap, so the Primary Usermapper must generate a mapping for this new user. A mapping is generated and stored in the Primary Usermapper database for the new user and its Secmap records the mapping in its database. The Primary Usermapper then replies to the Secondary Usermapper query on VNX2. The mapping entry is stored in the Secondary Usermapper database and the Data Mover Secmap database.

Secondary Usermapper Operations (Continued)

Multiple VNXs: one Primary, two Secondary Usermappers
User3 accesses DM2 on VNX3
Secondary queries Primary for mapping
Primary generates & records UID for user3 SID
Secmap on VNX1 DM2 records mapping
Primary replies with mapping
Secondary records User3 mapping
Secmap on VNX2 DM2 records mapping

[Diagram: a mapping query goes from the Secondary Usermapper on VNX3 Data Mover 2 to the Primary Usermapper on VNX1 Data Mover 2, followed by a mapping reply. The Primary Usermapper database and Secmap on VNX1 hold User1 (UID 32768), User2 (UID 32769) and User3 (UID 32770); the Secondary on VNX2 holds "User2 SID: UID 32769"; the Secondary on VNX3 holds "User3 SID: UID 32770".]

This slide builds upon the previous slides to show the cumulative mapping contained in the Primary and Secondary Usermapper databases. In this example Windows User3 accesses Data Mover 2 on VNX3, which has a Secondary Usermapper. The operations are similar to the previous slide. A mapping query from the Secondary Usermapper to the Primary Usermapper is made. The new user mapping is generated and recorded in the same manner. Notice now that the Primary Usermapper has mapping entries for all the users and both Secondary Usermappers each have an entry for a different single user.

Usermapper Client Operations

Multiple VNXs: one Primary, two Secondary Usermappers
User4 accesses DM3 on VNX1
Client broadcasts to Usermapper service for mapping
DM2 Primary generates & records UID for User4 SID
DM2 secmap records mapping
Primary replies with mapping
DM3 secmap records mapping

[Diagram: a mapping broadcast goes from the Usermapper client on VNX1 Data Mover 3 to the Primary Usermapper on VNX1 Data Mover 2, followed by a mapping reply. The Primary Usermapper database holds User1 (UID 32768), User2 (UID 32769), User3 (UID 32770) and User4 (UID 32771); the Secondary on VNX2 holds "User2 SID: UID 32769"; the Secondary on VNX3 holds "User3 SID: UID 32770"; the client's Secmap records "User4 SID: UID 32771".]

This slide builds upon the previous slides to show the cumulative mapping contained in the Primary and Secondary Usermapper databases. In this example Windows User4 accesses Data Mover 3, which is a Usermapper client on VNX1. The client sends a mapping broadcast over the VNX internal network to locate a Data Mover running Usermapper, either Primary or Secondary. In this case the VNX has a Data Mover that is running a Primary Usermapper. A mapping is generated and recorded on Data Mover 2. A mapping reply for the new user is sent to the client and recorded in Secmap on Data Mover 2.

Notice that in this multi-VNX environment, with a single Primary Usermapper and two Secondary Usermappers, the entries in each Usermapper database are different. Only the Primary Usermapper database holds mapping entries for all the Windows users. The Secondary Usermapper databases hold entries for only the users that accessed their VNXs.
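The four accesses walked through on the preceding slides, replayed in an added Python model that is not EMC code or part of the original deck. The class and function names are assumptions; the "UserN SID" strings are placeholders in the slides' own notation, and the client's broadcast is modelled as a direct call to the Usermapper Data Mover in its VNX.

```python
# Added model of Usermapper roles across three VNX systems; not EMC code.
FIRST_UID = 32768                     # generated values start here, per the page

class DataMover:
    def __init__(self, name, role, upstream=None):
        self.name, self.role = name, role   # "primary", "secondary" or "client"
        self.upstream = upstream      # Primary (for a Secondary) or the local
                                      # Usermapper Data Mover (for a client)
        self.db = {}                  # Usermapper database; stays empty on a client
        self.secmap = {}              # this Data Mover's secmap cache
        self.next_uid = FIRST_UID

    def map_sid(self, sid):
        """Usermapper service: answer a mapping query for a SID."""
        if self.role == "client":
            raise RuntimeError("a client runs no Usermapper service")
        if sid not in self.db:
            if self.role == "primary":
                self.db[sid] = self.next_uid          # generate and record
                self.next_uid += 1
            else:
                self.db[sid] = self.upstream.map_sid(sid)   # query the Primary
        self.secmap[sid] = self.db[sid]               # local secmap records it
        return self.db[sid]

    def access(self, sid):
        """A Windows user presenting this SID connects to this Data Mover."""
        if sid not in self.secmap:
            if self.role == "client":
                self.secmap[sid] = self.upstream.map_sid(sid)
            else:
                self.map_sid(sid)
        return self.secmap[sid]

def run_scenario():
    """Replay the four accesses from the slides."""
    vnx1_dm2 = DataMover("VNX1 DM2", "primary")
    vnx2_dm2 = DataMover("VNX2 DM2", "secondary", vnx1_dm2)
    vnx3_dm2 = DataMover("VNX3 DM2", "secondary", vnx1_dm2)
    vnx1_dm3 = DataMover("VNX1 DM3", "client", vnx1_dm2)
    for dm, sid in [(vnx1_dm2, "User1 SID"), (vnx2_dm2, "User2 SID"),
                    (vnx3_dm2, "User3 SID"), (vnx1_dm3, "User4 SID")]:
        dm.access(sid)
    return vnx1_dm2, vnx2_dm2, vnx3_dm2, vnx1_dm3

def missing_from(dm, primary):
    """SIDs the Primary has mapped that this Usermapper database lacks."""
    return sorted(set(primary.db) - set(dm.db))
```

Calling `missing_from()` on a Secondary after `run_scenario()` lists the entries only the Primary holds, which is the gap the Primary database backup fills before a Secondary is promoted.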

Viewing the Usermapper Configuration

Storage > Shared Folders > CIFS > Usermappers tab

You can verify the status of the Usermapper service on any Data Mover in your VNX cabinet by viewing the contents of the Usermapper tab in Unisphere. In the example shown, server_2 is running the Primary Usermapper role and server_4 is running as a Usermapper client. On server_5 the CIFS service is not running, therefore it has no Usermapper service. Also, server_3 is a Standby Data Mover in this system and is not displayed in the Usermapper tab.

Usermapper Database Backup

Storage > Shared Folders > CIFS > Usermappers tab

Backups used to update Secondary database
  If promoting to Primary
EMC recommends that you do not modify Usermapper database entries.

It is possible to back up the Usermapper database from the Properties page of the Primary Usermapper Data Mover. There are two links in the Usermapper Properties page for downloading the user information and the group information from the database. Using these download links it is possible to back up the information to the system that is running Unisphere.

If the Primary Usermapper is not available, a Secondary can be promoted to the Primary role. The backup of the Primary Usermapper database can be used to update the Secondary Usermapper database prior to its promotion.

EMC recommends that you do not change the Usermapper database mapping entries. Changes made to the database entries will not be consistent with the Data Mover Secmap mapping entries.

Managing Usermapper Roles

Storage > Shared Folders > CIFS > Usermappers tab

It is possible to manage the Usermapper role for a Data Mover from its Properties page. In this example the Primary Usermapper Data Mover was selected and is being changed to the Secondary Usermapper role. When changing to a Secondary role, the IP address of the Primary Usermapper Data Mover must be entered. Any existing mappings in the Data Mover's Usermapper database will be removed.

Managing Usermapper Roles (continued)

Storage > Shared Folders > CIFS > Usermappers tab

In this example the selected Data Mover is being changed to the Primary Usermapper role. When a Data Mover is changed to the Primary Usermapper role, the page provides for importing the user and group mapping files as well as any custom Usermapper configuration file. These files will need to be available to the system that is running Unisphere and are selected using the Browse option.

Configuring CIFS Lesson 5: Summary

During this lesson the following topics were covered:
  Usermapper basic operations
  Usermapper configuration

This lesson covered an overview of a Virtual Data Mover (VDM) and lists the differences between a Physical Data Mover and a VDM.

Summary

Key points covered in this module:
Preparation is key to CIFS implementation.
Identify key network resources:
  Interface addressing
  Routing
  DNS
  NTP
VDM CIFS server cannot provide antivirus functionality
Usermapper provides unique IDs for users and groups from Windows environments that access the

This module covered how to provide CIFS storage access to a VNX system.
