Data ONTAP 7.3 File Access and Protocols Management Guide
Copyright information
Trademark information
About this guide
Audience
Terminology
FilerView as an alternative to the command-line interface
Command, keyboard, and typographic conventions
Special messages
Introduction to file access management
File protocols that Data ONTAP supports
How Data ONTAP controls access to files
Authentication-based restrictions
File-based restrictions
File access using NFS
Exporting or unexporting file system paths
Editing the /etc/exports file
Using the exportfs command
Exporting file system paths
Exporting a file system path and adding a corresponding entry to the /etc/exports file
Exporting a file system path without adding a corresponding entry to the /etc/exports file
Exporting all file system paths specified in the /etc/exports file
Unexporting file system paths
Unexporting one file system path
Unexporting all file system paths
Synchronizing the currently exported file system paths with those specified in the /etc/exports file
Enabling and disabling fencing of one or more NFS clients from one or more file system paths
Displaying the actual file system path for an exported file system path
Displaying the export options for a file system path
Managing the access cache
Adding entries to the access cache
Removing entries from the access cache
Viewing access cache statistics
Optimizing access cache performance
Setting access cache timeout values
Enabling Kerberos v5 security services for NFS
Configuring Kerberos v5 security services for NFS to use an Active-Directory-based KDC
Configuring Kerberos v5 security services for NFS to use an Active-Directory-based KDC before configuring CIFS
Configuring Kerberos v5 security services for NFS to use an Active-Directory-based KDC after configuring CIFS
Configuring Kerberos v5 security services for NFS to use a UNIX-based KDC
Creating a principal and generating a keytab file
Enabling Kerberos v5 security services for NFS
Determining whether an NFS client supports Kerberos v5 security services
Debugging mounting problems
Displaying mount service statistics
Tracing mountd requests
Displaying NFS statistics
Enabling or disabling NFSv3
Supporting NFSv4 clients
About Data ONTAP support of NFSv4
Limitations of Data ONTAP support for NFSv4
How the pseudo-fs in NFSv4 affects mountpoints
Enabling or disabling NFSv4
Specifying the user ID domain for NFSv4
Managing NFSv4 ACLs
How NFSv4 ACLs work
Benefits of enabling NFSv4 ACLs
Compatibility between NFSv4 ACLs and Windows (NTFS) ACLs
Enabling and disabling NFSv4 ACLs
Setting or modifying an NFSv4 ACL
Viewing an NFSv4 ACL
Managing NFSv4 open delegations
How NFSv4 open delegations work
Enabling or disabling NFSv4 read open delegations
Enabling or disabling NFSv4 write open delegations
Displaying NFSv4 open delegation statistics
Displaying NFSv4 open delegation statistics for all clients
Displaying NFSv4 open delegation statistics for a specific client
Displaying NFSv4 open delegation statistics for a vFiler unit
Displaying NFSv4 open delegation statistics for a storage system
Configuring NFSv4 file and record locking
About NFSv4 file and record locking
Specifying the NFSv4 locking lease period
Specifying the NFSv4 locking grace period
Supporting PC-NFS clients
How the pcnfsd daemon works
Enabling or disabling the pcnfsd daemon
Creating PC-NFS user entries in the storage system's local files
Defining the umask for files and directories that PC-NFS users create
Supporting WebNFS clients
Enabling or disabling the WebNFS protocol
Setting a WebNFS root directory
Specifying the name of the WebNFS root directory
Enabling the WebNFS root directory
NFS over IPv6
Enabling or disabling NFS over IPv6
Textual representation of IPv6 addresses
File access using CIFS
Configuring CIFS on your storage system
Supported Windows clients and domain controllers
What the cifs setup command does
Setting up your system initially
Specifying WINS servers
Changing the storage system domain
Changing protocol modes
Effects of changing an NTFS-only storage system to a multiprotocol storage system
Effects of changing a multiprotocol storage system to an NTFS-only storage system
Specifying Windows user account names
Reconfiguring CIFS on your storage system
Configuring SMB on your storage system
Support for the original SMB protocol
Support for the SMB 2.0 protocol
Support for create contexts
Support for file system controls
When to enable the SMB 2.0 protocol
Enabling or disabling the SMB 2.0 protocol
Enabling or disabling SMB 2.0 durable handles
Specifying the SMB 2.0 durable handle timeout value
SMB signing
How client SMB signing policies affect communications with the storage system
Performance impact of SMB signing
Enabling or disabling the original SMB protocol signing
Enabling or disabling the requirement that clients sign SMB 2.0 messages
Enabling or disabling the storage system's SMB 2.0 protocol client capability
Managing shares
Creating a share
Share naming conventions
Creating a share from the MMC on a Windows client
Connecting the MMC to the storage system
Running the "Share a Folder" wizard
Creating a share from the Data ONTAP command line
About the forcegroup option
Displaying and changing the properties of a share
Displaying and changing the properties of a share from the MMC on a Windows client
Displaying the properties of a share from the Data ONTAP command line
Changing the properties of a share from the Data ONTAP command line
Enabling or disabling boundary checking for symbolic links from a share
Enabling or disabling wide symbolic links from a share
Specifying permissions for newly created files and directories in a share
Enabling or disabling browsing
Enabling or disabling virus scanning
Enabling or disabling caching
Setting client-side caching properties for a share
Enabling or disabling access-based enumeration
About access-based enumeration
Deleting a share
Deleting a share from the MMC
Deleting a share from the Data ONTAP command line
Managing access control lists
About share-level ACLs
Displaying and changing a share-level ACL
Adding a user or group to a share-level ACL from the MMC on a Windows client
Displaying and changing a share-level ACL from the MMC on a Windows client
Removing a user or group from a share-level ACL using the MMC on a Windows client
Changing a share-level ACL from the Data ONTAP command line
Removing a user or group from a share-level ACL using the Data ONTAP command line
Specifying whether NFSv3 and NFSv4 clients display Windows ACL permissions based on minimum or maximum access
Displaying and changing a file-level ACL
Specifying how group IDs work with share-level ACLs
Managing home directories
About home directories on the storage system
How Data ONTAP matches a directory with a user
How symbolic links work with home directories
Specifying home directory paths
Displaying the list of home directory paths
Specifying the naming style of home directories
Creating directories in a home directory path (domain-naming style)
Creating directories in a home directory path (non-domain-naming style)
Creating subdirectories in home directories when a home directory path extension is used
Syntax for specifying a home directory using a UNC name
Enabling users to access other users’ home directories
Accessing your CIFS home directory using a share alias
Enabling or disabling wide symbolic links from a share
Disabling home directories
Managing local users and groups
Managing local users
When you should create local user accounts
Displaying the storage system's authentication method
Limitations of local user accounts
Adding, displaying, and removing local user accounts
Managing local groups
Adding, displaying, and removing local groups from the Data ONTAP command line
Adding a local group from the MMC on a Windows client
Adding users to a local group from the MMC on a Windows client
Removing a local group using the MMC on a Windows client
How SnapMirror works with local groups
Applying Group Policy Objects
Requirements for using GPOs with storage systems
Associating the storage system with an OU
Enabling or disabling GPO support on a storage system
Managing GPOs on the storage system
Creating File System security GPOs
Displaying current GPOs and their effects
Updating GPO settings
Troubleshooting GPO update problems
About startup and shutdown scripts on a storage system
About the /etc/ad directory
Configuration requirements for Data ONTAP pathnames
Improving client performance with oplocks
Write cache data loss considerations when using oplocks
Enabling or disabling oplocks on the storage system
Enabling or disabling oplocks on a qtree
Changing the delay time for sending oplock breaks
Managing authentication and network services
Understanding authentication issues
About UNIX authentication
About Windows workgroup authentication
About Kerberos authentication
Setting the storage system's minimum security level
Preventing Kerberos passive replay attacks
Selecting domain controllers and LDAP servers
Understanding the domain controller discovery process
Specifying a list of preferred domain controllers and LDAP servers
Deleting servers from the prefdc list
Troubleshooting domain controller connections
Displaying a list of preferred domain controllers and LDAP servers
Reestablishing the storage system connection with a domain
Using null sessions to access storage in non-Kerberos environments
How the storage system provides null session access
Granting null users access to file system shares
Using machine accounts to access storage in Kerberos environments
Preventing machine accounts from accessing data
Creating NetBIOS aliases for the storage system
Creating NetBIOS aliases from the command line
Creating NetBIOS aliases in the /etc/cifs_nbalias.cfg file
Displaying the list of NetBIOS aliases
Disabling NetBIOS over TCP
Monitoring CIFS activity
Different ways to specify a user
Displaying a summary of session information
Timing out idle sessions
Tracking statistics
Viewing specific statistics
Saving and reusing statistics queries
CIFS resource limitations
Managing CIFS services
Disconnecting selected clients using the MMC
Disconnecting a selected user from the command line
Disabling CIFS for the entire storage system
Specifying which users receive CIFS shutdown messages
Restarting CIFS service
Sending a message to all users on a storage system
Displaying and changing the description of the storage system
Changing the computer account password of the storage system
About file management using Windows administrative tools
Troubleshooting access control problems
Adding permission tracing filters
Removing permission tracing filters
Displaying permission tracing filters
Finding out why Data ONTAP allowed or denied access
Using FPolicy
Introduction to FPolicy
What FPolicy is
How FPolicy works
FPolicy work flowchart
FPolicy in the storage environment
What the multiple server configuration feature is
Limitations of FPolicy
Uses of FPolicy within Data ONTAP
What native file blocking is
How to use native file blocking
Configuring native file blocking
Events monitored through CIFS
Events monitored through NFS
How to work with FPolicy
How to set up FPolicy
Enabling the FPolicy feature
Disabling the FPolicy feature
Creating a file policy
Enabling the file policy
Specifying mandatory file screening
Displaying information for a file policy
Displaying information for all file policies
Disabling a file policy
Destroying a file policy
Stopping server screening for disconnected CIFS requests
Setting a limit on simultaneous screening of CIFS requests
Setting server timeout
Setting request screening timeout
Events screened for NFS and CIFS clients
What a file or directory event is
What file open request monitoring is
Configuring FPolicy to monitor file open operations through the CLI
Configuring FPolicy to monitor file open operations through ONTAPI
Registering FPolicy for monitoring file open requests
What file create request monitoring is
Configuring FPolicy to monitor file create operations through the CLI
Configuring FPolicy to monitor file create operations through ONTAPI
Registering FPolicy for monitoring file create requests
What file close request monitoring is
Configuring FPolicy to monitor file close operations through the CLI
Configuring FPolicy to monitor file close operations through ONTAPI
Registering FPolicy for monitoring file close requests
What file rename request monitoring is
Configuring FPolicy to monitor file rename operations through the CLI
Configuring FPolicy to monitor file rename operations through ONTAPI
Registering FPolicy to monitor file rename requests
What file delete request monitoring is
Configuring FPolicy to monitor file delete operations through the CLI
Configuring FPolicy to monitor file delete operations through ONTAPI
Registering FPolicy for monitoring file delete requests
What file write request monitoring is
Configuring FPolicy to monitor file write operations through the CLI
Configuring FPolicy to monitor file write operations through ONTAPI
Registering FPolicy to monitor file write requests
What file read request monitoring is
Configuring FPolicy to monitor file read operations through the CLI
Configuring FPolicy to monitor file read operations through ONTAPI
Registering FPolicy to monitor file read requests
What link request monitoring is (for NFS only)
Configuring FPolicy to monitor file link operations through the CLI
Configuring FPolicy to monitor file link operations through ONTAPI
Registering FPolicy to monitor file link requests
What symlink (symbolic link) request monitoring is (for NFS only)
Configuring FPolicy to monitor file symlink operations through the CLI
Configuring FPolicy to monitor file symlink operations through ONTAPI
Registering FPolicy to monitor file symlink requests
What directory delete request monitoring is
Configuring FPolicy to monitor directory delete operations through the CLI
Configuring FPolicy to monitor directory delete operations through ONTAPI
Registering FPolicy to monitor directory delete requests
What directory rename request monitoring is
Configuring FPolicy to monitor directory rename operations through the CLI
Configuring FPolicy to monitor directory rename operations through ONTAPI
Registering FPolicy to monitor directory rename requests
What directory create request monitoring is
Configuring FPolicy to monitor directory create operations through the CLI
Configuring FPolicy to monitor directory create operations through ONTAPI
Registering FPolicy to monitor directory create requests
What file lookup request monitoring is (for NFS only)
Configuring FPolicy to monitor file lookup operations through the CLI
Configuring FPolicy to monitor file lookup operations through ONTAPI
Registering FPolicy to monitor file lookup requests
What getattr request monitoring is (for NFS only)
Configuring FPolicy to monitor get attributes operations through the CLI
Configuring FPolicy to monitor get attributes operations through ONTAPI
Registering FPolicy to monitor get attributes requests
What setattr request monitoring is
Configuring FPolicy to monitor set attributes operations through the CLI
Configuring FPolicy to monitor set attributes operations through ONTAPI
Registering FPolicy to monitor set attributes requests
What screening by volume is
Wildcard information for screening with volumes
How to display the list of volumes
Displaying volumes using the show command
Displaying volumes using the eval command
How to add volumes to the list
Adding volumes to the include list
Adding volumes to the exclude list
How to remove volumes from the list
Removing volumes from the include list
Removing volumes from the exclude list
How to specify or replace a list of volumes
Setting the include volumes list
Setting the exclude volumes list
How to reset the volumes in a list
Resetting the include volumes list
Resetting the exclude volumes list
What screening by extension is
Wildcard information for screening with extensions
How to display the list of extensions
Displaying the list of extensions in the include list
Displaying the list of extensions in the exclude list
How to add extensions to the list
Adding extensions to the include list
Adding extensions to the exclude list
How to remove extensions from the list
Removing extensions from the include list
Removing extensions from the exclude list
How to set or replace a list of extensions
Setting the include extensions list
Setting the exclude extensions list
How to reset the extensions in the list
Resetting the include extensions list
Resetting the exclude extensions list
How to manage the file screening server
Displaying the file screening server information
Disabling the connection
What secondary servers are
Assigning the secondary servers list
Removing all secondary servers
How to monitor operations using FPolicy
Adding operations to the monitor list
Removing operations from the monitor list
Setting or replacing the list of monitored operations
What the different CLI commands are
FAQs, error messages, warning messages, and keywords
Frequently asked questions (FAQs)
General FAQs
Access rights and permissions FAQs
Performance FAQs
File screening FAQs
FPolicy server FAQs
Error messages
Warning messages
Keywords list for screening operations
CIFS over IPv6
Enabling or disabling CIFS over IPv6
Listing IPv4 or IPv6 CIFS sessions
Listing cumulative IPv4 or IPv6 CIFS sessions
File sharing between NFS and CIFS
About NFS and CIFS file naming
Length of file names
Characters a file name can use
Case-sensitivity of a file name
Creating lowercase file names
How Data ONTAP creates file names
Controlling the display of dot files from CIFS clients
Enabling file name character translation between UNIX and Windows
Character restrictions
Clearing a character mapping from a volume
About file locking between protocols
About read-only bits
Deleting files with the read-only bit set
Managing UNIX credentials for CIFS clients
How CIFS users obtain UNIX credentials
Ensuring that only intended CIFS users receive UNIX credentials
Specifying entries in the /etc/usermap.cfg file
About the IP_qualifier field
About the Windows_name field
About the Direction field
About the UNIX_name field
How Data ONTAP interprets domain names in /etc/usermap.cfg
Examples of usermap.cfg entries
Guidelines for mapping user names
Recommended entries for increased security
Verifying NFS clients
Mapping a Windows account to root
Mapping UNIX names to UIDs and GIDs
Enabling or disabling the default UNIX user account
Enabling or disabling the Windows guest user account
Managing the SID-to-name map cache
Enabling or disabling the SID-to-name map cache
Changing the lifetime of SID-to-name mapping entries
Clearing all or part of the SID-to-name map cache
Using LDAP services
Configuring LDAP services
Specifying the general search base and scope
Specifying the search base and scope values for user lookups
Specifying LDAP servers
Specifying preferred LDAP servers
Enabling or disabling LDAP
Enabling or disabling SSL for LDAP traffic
Installing a root certificate for SSL for LDAP traffic
Adding the ldap entry to the /etc/nsswitch.conf file
Specifying the administrative user name
Specifying the administrative password
Enabling the centralized administration of administrative users
Specifying the LDAP port
LDAP server option precedence
Managing client authentication and authorization
Enabling LDAP-based UNIX client authentication
Enabling LDAP-based Windows client authentication
Enabling LDAP authorization for NFS file access from Windows clients
Enabling LDAP authorization for NTFS or mixed file system access from UNIX clients
Managing LDAP user-mapping services
Specifying base and scope values for user-mapping
Managing Active Directory LDAP servers
Using Active Directory LDAP servers
Requirements for Active Directory LDAP servers
Enabling Active Directory LDAP lookup services
Monitoring Active Directory LDAP server connections
Troubleshooting Active Directory LDAP server connections
About Active Directory LDAP server connection pooling and selection
Do not use the ldap.servers and ldap.preferred.servers options with Active Directory servers
Managing LDAP schema
About the default schema
Modifying the custom schema options to match your LDAP schema
Enabling Storage-Level Access Guard using the fsecurity command
About the fsecurity command
Generating and editing the job definition file
Managing the job definition file with the secedit utility
Managing the job definition file with a text editor
Specifying job definition file elements
Creating a security job and applying it to the storage object
Checking the status of or canceling a security job
Displaying the security settings on files and directories
Removing the Storage-Level Access Guard
Auditing system access events
About auditing
Events that Data ONTAP can audit
Configuring system event auditing
Setting SACLs
Configuring Data ONTAP for CIFS auditing
Configuring Data ONTAP for NFS auditing
Specifying NFS audit events
How the filter file controls NFS audit events
Enabling NFS auditing
Configuring Live View
Saving and clearing audit events
Where Data ONTAP logs audit event information
Size and format of the internal and external log files
How Data ONTAP updates the event log
Saving audit events to the event log manually
Specifying when automatic saves occur
Enabling automatic saves based on internal log file size
Enabling automatic saves based on a time interval
Specifying counter extensions
Specifying timestamp extensions
Specifying the maximum number of automatically saved files
Specifying the maximum size of the cifsaudit.alf file
SNMP traps for auditing events
Clearing the cifsaudit.alf file
Viewing and understanding event detail displays
Ways to view and display audit events
Viewing real-time audit events with Live View
Viewing static event log files
Windows file access detail displays
UNIX file access detail displays
Unsuccessful file access and lost record event detail displays
Controlling CIFS access to symbolic links
Enabling CIFS clients to follow symbolic links
Specifying how CIFS clients interact with symbolic links
Why you should avoid symbolic links to files
About Map entries
About Widelink entries
About disabling share boundary checking for symbolic links
Redirecting absolute symbolic links
Creating Map entries
Creating Widelink entries
How the storage system uses Map and Widelink entries
Optimizing NFS directory access for CIFS clients
Creating Unicode-formatted directories
Converting to Unicode format
Preventing CIFS clients from creating uppercase file names
Accessing CIFS files from NFS clients
Adding mapping entries to the WAFL credential cache
Deleting mapping entries from the WAFL credential cache
Setting how long mapping entries are valid
Monitoring WAFL credential cache statistics
Managing mapping inconsistencies
Tracing CIFS logins
Tracing domain controller connections
Giving CIFS clients implicit permission to run .dll and .exe files even when they lack UNIX "execute" permissions
File access using FTP
Enabling or disabling the FTP server
Specifying the FTP authentication style
Limitations of the NTLM authentication style
Enabling or disabling the bypassing of FTP traverse checking
Managing anonymous FTP access
Enabling or disabling anonymous FTP access
Specifying the user name for anonymous FTP users
Specifying the home directory for anonymous FTP users
Restricting FTP access
Blocking specific FTP users
Restricting FTP users to a specific directory
Restricting FTP users to their home directories or a default directory
Managing FTP log files
How the FTP server manages its log files
The /etc/log/ftp.xfer log file format
The /etc/log/ftp.cmd log file format
Viewing an FTP log file
Specifying the maximum number of FTP log files
Specifying the maximum size of the current FTP log files
Viewing SNMP traps that the FTP server generates
SNMP traps that the FTP server generates
Starting and configuring SNMP on the storage system
Viewing SNMP traps on a UNIX client
Viewing FTP statistics
Resetting FTP statistics
Specifying the maximum number of FTP connections
Setting the FTP connection threshold
Specifying the TCP window size for FTP operations
Enabling or disabling FTP file locking
Specifying the FTP idle timeout value
FTP over IPv6
Enabling or disabling FTP over IPv6
Listing FTP connections over IPv4 and IPv6
File access using HTTP
Managing Data ONTAP's built-in HTTP server
Enabling or disabling Data ONTAP's built-in HTTP server
Enabling or disabling the bypassing of HTTP traverse checking
Specifying the root directory for Data ONTAP's built-in HTTP server
Specifying the maximum size of the log file for Data ONTAP's built-in HTTP server
Testing Data ONTAP's built-in HTTP server
Specifying how Data ONTAP's built-in HTTP server maps MIME content types to file name extensions
Specifying how Data ONTAP's built-in HTTP server translates HTTP requests
How Data ONTAP's built-in HTTP server translations file works
Adding a map rule
Adding a redirect rule
Adding a pass rule
Adding a fail rule
Configuring MIME Content-Type values
Maintaining security for Data ONTAP's built-in HTTP server
Using HTTP options to restrict access
Using an HTTP virtual firewall
Protecting Web pages
Basic authentication
NTLM authentication
Editing the /etc/httpd.access file
Creating and editing the httpd.passwd file
Creating and editing the httpd.group file
Using virtual hosting
Mapping virtual host addresses
Displaying statistics for Data ONTAP's built-in HTTP server
Request statistics
Detailed statistics
Error statistics
Service statistics
Timeout statistics
Resetting statistics for Data ONTAP's built-in HTTP server
Viewing connection information for Data ONTAP's built-in HTTP server
Changing the /etc/log/httpd.log file format
Purchasing and connecting a third-party HTTP server to your storage system
HTTP and HTTPS over IPv6
Enabling or disabling HTTP and HTTPS over IPv6
Listing HTTP connections over IPv4 or IPv6
File access using WebDAV
Understanding WebDAV
Managing Data ONTAP's built-in WebDAV server
Enabling or disabling Data ONTAP's built-in WebDAV server
Pointing a WebDAV client to a home directory
Purchasing and connecting a third-party WebDAV server to your storage system
CIFS resource limits by system memory
Limits for the FAS60xx storage systems
Limits for the FAS30xx and FAS31xx storage systems
Limits for the FAS900 series storage systems
Limits for the FAS200 series storage systems
Limits for R200 storage systems
Event log and audit policy mapping
Event Log mapping values
Audit mapping values
Glossary