Basic Storage Service Configuration Guide for File

OceanStor V3 Series V300R006

This document is applicable to OceanStor 2200 V3, 2600 V3, 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18500 V3, and 18800 V3. It describes the basic storage services and explains how to configure and manage them.
Configuring a CIFS Homedir Share

A Home Directory (Homedir for short) is a private directory that stores a user's private data. You can configure a CIFS Homedir share either in a non-domain environment or in an AD domain.

Configuration Process

Figure 3-15 shows the flowchart for configuring a CIFS Homedir share.

Figure 3-15 Flowchart for configuring a CIFS Homedir share

Checking the License File

Each value-added feature requires a license file for activation. Before configuring a value-added feature, ensure that its license file is valid for the feature.

Context

On DeviceManager, the CIFS Homedir feature is displayed under Feature of CIFS Protocol.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > License Management.
  3. Check the active license files.

    • For V300R006C20 and earlier versions, perform the following steps to check the activated license file:
      1. In the navigation tree on the left, choose Active License.
      2. In the middle information pane, verify the information about active license files.
    • For V300R006C30 and later versions, you can view all activated license files in the function pane at the lower part of the License Management page.

Follow-up Procedure
  • If no license for the feature is available, apply for and import a license file. For details about how to apply for and import a license file, see the installation guide specific to your product model.
  • If the storage system generates an alarm indicating that the license has expired, obtain and import the license again.

Configuring a Network

Before configuring shared services, plan and configure a network properly for accessing and managing file services.

(Optional) Bonding Ethernet Ports

This section describes how to bond Ethernet ports on the same controller.

Prerequisites

Ethernet ports to be bonded are not configured with any IP addresses.

Context
  • Port bonding provides more bandwidth and link redundancy. Although ports are bonded, each host still transmits data through a single port and the total bandwidth can be increased only when there are multiple hosts. Determine whether to bond ports based on site requirements.
  • Port bonding on a storage system has the following restrictions:
    • Only Ethernet ports with the same rate (GE or 10GE) on the same controller can be bonded. A maximum of eight Ethernet ports can be bonded into one bond port.
    • Ethernet ports on a SmartIO interface module cannot be bonded if they are in cluster or FC mode or run FCoE service in FCoE/iSCSI mode.
    • The MTU of bonded SmartIO ports must be the same as that of the hosts.
    • Read-only users are unable to bond Ethernet ports.
    • A port can only be added to one bond port.
    • A member in a port group cannot be added to a bond port.
  • After Ethernet ports are bonded, MTU changes to the default value and you must set the link aggregation mode for the ports. On Huawei switches, you must set the ports to work in static LACP mode.

    The link aggregation modes vary with switch manufacturers. If a non-Huawei switch is used, contact technical support of the switch manufacturer for specific link aggregation configurations.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > Bond Ports.
  3. Click Create.

    The Create Bond Port dialog box is displayed.

  4. Set the name, controller, interface module, and optional ports that can be bonded.

    1. Specify Name for the bond port.

      The name:

      • Contains only letters, digits, underscores (_), periods (.), and hyphens (-).
      • Contains 1 to 31 characters.
    2. From Controller, select the owning controller of the Ethernet ports to be bonded.
    3. Specify Interface Module.
    4. From the Optional port list, select the Ethernet ports you want to bond.
      NOTE:
      • Select at least two ports.
      • The port name format is controller enclosure ID.interface module ID.port ID.
    5. Click OK.

      The security alert dialog box is displayed.

  5. Confirm the bonding of the Ethernet ports.

    1. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
    2. Click OK.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.

(Optional) Creating a VLAN

Ethernet ports and bond ports on a storage system can be added to multiple independent VLANs. You can run different services in different VLANs to ensure the security and reliability of service data.

Prerequisites

The Ethernet ports for which you want to create VLANs have not been assigned IP addresses or used for networking.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > VLAN.
  3. Click Create.

    The Create VLAN dialog box is displayed.

  4. Select the type of ports used to create VLANs from the Port Type drop-down list.

    Port Type can be Ethernet port or Bond port.

  5. In the port list, select the desired Ethernet port or bond port.
  6. In ID, enter the VLAN ID and click Add.

    NOTE:
    • The VLAN ID ranges from 1 to 4094. You can enter a single VLAN ID or VLAN IDs in batches in the format of "start ID-end ID".
    • To remove a VLAN ID, select it and click Remove.

  7. Click OK.

    The Execution Result dialog box is displayed, indicating that the operation succeeded.

  8. Click Close.
Creating a Logical Port

This section describes how to create a logical port for managing and accessing files based on Ethernet ports, bond ports, or VLANs.

Context

The logical ports are virtual ports that carry host services. A unique IP address is allocated to each logical port for carrying services.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > Logical Ports.
  3. Click Create.

    The Create Logical Port dialog box is displayed.

  4. In the Create Logical Port dialog box, configure related parameters.

    Table 3-47 describes the related parameters.

    NOTE:

    GUIs may vary with product versions and models. The actual GUIs prevail.

    Table 3-47 Logical port parameters

    Name: Name of the logical port. The name must be unique, can contain only letters, digits, underscores (_), periods (.), and hyphens (-), and must contain 1 to 31 characters. Example: Lif01

    IP Address Type: IP address type of the logical port, either IPv4 Address or IPv6 Address. Example: IPv4 Address

    IPv4 Address: IPv4 address of the logical port. Example: 192.168.50.16

    Subnet Mask: IPv4 subnet mask of the logical port. Example: 255.255.255.0

    IPv4 Gateway: IPv4 gateway of the logical port. Example: 192.168.50.1

    IPv6 Address: IPv6 address of the logical port. Example: fc00::1234

    Prefix: IPv6 prefix length of the logical port. Example: 64

    IPv6 Gateway: IPv6 gateway of the logical port. Example: fc00::1

    Home Port: Port to which the logical port belongs: an Ethernet port, a bond port, or a VLAN. Example: CTE0.A.IOM0.P0

    Failover Group: Name of the failover group.
    NOTE:
    • If a failover group is specified, services on the failed home port are taken over by a port in that failover group.
    • If no failover group is specified, services on the failed home port are taken over by a port in the default failover group.
    Example: System-defined

    IP Address Failover: After IP address failover is enabled, services fail over to other normal ports within the failover group if the home port fails, and the IP address used by services remains unchanged.
    NOTE:
    Shares of file systems do not support multipathing. IP address failover is what improves link reliability.
    Example: Enable

    Failback Mode: Mode in which services fail back to the home port after the home port recovers, either Manual or Automatic.
    NOTE:
    • If Failback Mode is Manual, ensure that the link to the home port is normal before the failback. Services can be failed back manually only after the link to the home port has stayed normal for more than five minutes.
    • If Failback Mode is Automatic, ensure that the link to the home port is normal before the failback. Services fail back automatically only after the link to the home port has stayed normal for more than five minutes.
    Example: Automatic

    Activate Now: Whether to activate the logical port immediately. Example: Enable

    Role: Role of the logical port:
    • Management: The port is used by a super administrator to log in to the system for management.
    • Service: The port is used by a super administrator to access services such as CIFS shares.
    • Management+Service: The port is used by a super administrator to log in to the system for management and to access services.
    Example: Service

    Dynamic DNS: When dynamic DNS is enabled, the DNS service automatically and periodically updates the IP address configured for the logical port. Example: Enable

    Listen DNS Query Request: After this function is enabled, external NEs can access the DNS service provided by the storage system through the IP address of this logical port. This parameter applies to V300R006C10 and later versions. Example: Disabled

    DNS Zone: Name of the DNS zone.
    NOTE:
    • If this parameter is not specified, the logical port is not used for DNS-based load balancing.
    • Only logical ports whose Role is Service or Management+Service can be added to a DNS zone. Logical ports whose Role is Management cannot be added to a DNS zone.
    • One logical port can be associated with only one DNS zone. One DNS zone can be associated with multiple logical ports.
    • A DNS zone can be associated with both IPv4 and IPv6 logical ports.
    • The load balancing effect depends on how the logical ports associated with a DNS zone are distributed. For a better load balancing effect, distribute the logical ports of a DNS zone evenly among controllers.
    • This parameter applies to V300R006C10 and later versions.
    Example: None

  5. Click OK.

    The Success dialog box is displayed, indicating that the logical port has been successfully created.

  6. Click OK.
(Optional) Configuring DNS-based Load Balancing Parameters (Applicable to V300R006C10 and Later Versions)

The DNS-based load balancing feature can detect loads on various IP addresses on a storage system in real time and use a proper IP address as the DNS response to achieve load balancing among IP addresses.

Context

Working principle:

  1. When a host accesses the NAS service of a storage system using a domain name, the host first sends a DNS request to the built-in DNS server and the DNS server obtains the IP address according to the domain name.
  2. If the domain name contains multiple IP addresses, the storage system selects the IP address with a light load as the DNS response based on the configured load balancing policy and returns the DNS response to the host.
  3. After receiving the DNS response, the host sends a service request to the destination IP address.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > DNS-based Load Balancing.

    Table 3-48 lists parameters related to DNS-based load balancing.
    Table 3-48 DNS-based load balancing parameters

    DNS-based Load Balancing: Enables or disables DNS-based load balancing.
    NOTE:
    • When enabling DNS-based load balancing, you are advised to disable the GNS forwarding function, which affects DNS-based load balancing.
    • After DNS-based load balancing is disabled, the domain name resolution service is unavailable and file systems cannot use the function.
    • This parameter can be set only in the system view, not in the vStore view. The setting takes effect for the entire storage system.
    Example: Enabled

    Load Balancing Policy: Specifies the DNS-based load balancing policy. The following policies are available:
    • Weighted round robin: When a client uses a domain name to initiate an access request, the storage system calculates the weight based on performance data. Under the same domain name, all IP addresses that process loads have the same probability of being selected to serve the client.
    • CPU usage: When a client uses a domain name to initiate an access request, the storage system calculates the weight based on the CPU usage of each node. Using the weight as the probability reference, the storage system selects a node to process the client's service request.
    • Bandwidth usage: When a client uses a domain name to initiate an access request, the storage system calculates the weight based on the total bandwidth usage of each node. Using the weight as the probability reference, the storage system selects a node to process the client's service request.
    • Open connections: When a client uses a domain name to initiate an access request, the storage system calculates the weight based on the number of NAS connections of each node. Using the weight as the probability reference, the storage system selects a node to process the client's service request.
    • Overall load: When a client uses a domain name to initiate an access request, the storage system selects a node to process the client's service request based on the comprehensive node load, which is calculated from the CPU usage, bandwidth usage, and number of NAS connections. Less loaded nodes are more likely to be selected.
    NOTE:
    This parameter can be set only in the system view, not in the vStore view. The setting takes effect for the entire storage system.
    Example: Weighted round robin

  3. Configure a DNS zone.

    A DNS zone contains IP addresses of a group of logical ports. A host can use the name of a DNS zone to access shared services provided by a storage system. Services can be evenly distributed to logical ports.

    NOTE:

    Only the logical ports whose Role is Service or Management+Service can be added to a DNS zone. The logical ports whose Role is Management cannot be added to a DNS zone.

    1. Add a DNS zone.
      1. Click Add.
      2. The Add DNS Zone dialog box is displayed. In Domain Name, type the domain name of the DNS zone you want to add and click OK.
      NOTE:

      The domain name complexity requirements are as follows:

      • The domain name can contain 1 to 255 characters and consists of multiple labels separated by periods (.).
      • A label can contain 1 to 63 characters including letters, digits, hyphens (-), and underscores (_), and must start and end with a letter or a digit.
      • The domain name must be unique.
    2. Remove a DNS zone.
      1. In the DNS zones that are displayed, select a DNS zone you want to remove.
      2. Click Remove.
    3. Modify a DNS zone.
      1. In the DNS zones that are displayed, select a DNS zone you want to modify.
      2. Click Modify.
      3. The Modify DNS Zone dialog box is displayed. In Domain Name, type the domain name of the DNS zone you want to modify and click OK.
    4. View a DNS zone.
      1. In DNS Zone, type a keyword and click Search.
      2. In DNS Zone, the DNS zone names relevant to the keyword will be displayed.
    NOTE:

    You can select a DNS zone to modify or remove it.

  4. Click Save.

    The Warning dialog box is displayed.

  5. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
  6. Click OK.

    The Execution Result page is displayed.

  7. On the Execution Result page, confirm the modification and click Close. The DNS zone configuration is complete.
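The following Python model is an added example, not Huawei's code or the storage system's implementation. It follows the working principle in Context (a zone name query answered with one lightly loaded IP address) and the DNS zone name rules in step 3; the inverse-load weighting, the MAX_NAS_CONNECTIONS capacity and the sample ports are assumptions.

```python
from __future__ import annotations

import random
import re
from dataclasses import dataclass

# Constructed model of the built-in DNS server's load-balanced answer selection.
# The real weighting formulas are not documented on this page; weight = 1 - load
# is an assumption that keeps the stated property "less loaded nodes are more
# likely to be selected". Assumed capacity for turning a NAS connection count
# into a 0..1 load ratio:
MAX_NAS_CONNECTIONS = 1000

# One label: 1-63 characters of letters, digits, hyphens and underscores,
# starting and ending with a letter or digit (step 3 requirements).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9])?$")


def is_valid_zone_name(name: str) -> bool:
    """Check a DNS zone domain name: 1-255 characters, labels separated by
    periods, every label valid. The number of labels is not enforced here."""
    if not 1 <= len(name) <= 255:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


@dataclass
class LogicalPort:
    ip: str
    role: str               # "Management", "Service" or "Management+Service"
    controller: str         # owning controller, e.g. "A" or "B"
    cpu_usage: float        # node CPU usage, 0.0 .. 1.0
    bandwidth_usage: float  # node bandwidth usage, 0.0 .. 1.0
    nas_connections: int    # open NAS connections on the node


def port_weight(port: LogicalPort, policy: str) -> float:
    """Selection weight of one IP address under a Table 3-48 policy."""
    conn_ratio = min(port.nas_connections / MAX_NAS_CONNECTIONS, 1.0)
    if policy == "Weighted round robin":
        return 1.0  # every IP address under the domain name is equally likely
    if policy == "CPU usage":
        return 1.0 - port.cpu_usage
    if policy == "Bandwidth usage":
        return 1.0 - port.bandwidth_usage
    if policy == "Open connections":
        return 1.0 - conn_ratio
    if policy == "Overall load":
        return 1.0 - (port.cpu_usage + port.bandwidth_usage + conn_ratio) / 3
    raise ValueError(f"unknown load balancing policy: {policy}")


class DnsLoadBalancer:
    def __init__(self, policy: str = "Weighted round robin", enabled: bool = True):
        self.policy = policy
        self.enabled = enabled
        self.zones: dict[str, list[LogicalPort]] = {}

    def add_zone(self, name: str) -> None:
        """Step 3 'Add a DNS zone': validate the name and keep names unique."""
        if not is_valid_zone_name(name):
            raise ValueError(f"invalid DNS zone name: {name!r}")
        if name.lower() in self.zones:
            raise ValueError(f"DNS zone already exists: {name!r}")
        self.zones[name.lower()] = []

    def associate(self, zone: str, port: LogicalPort) -> None:
        """Only Service or Management+Service ports may join a zone (note above)."""
        if port.role not in ("Service", "Management+Service"):
            raise ValueError(f"port {port.ip} with role {port.role} cannot join a DNS zone")
        self.zones[zone.lower()].append(port)

    def probabilities(self, zone: str) -> dict[str, float]:
        """Probability of each IP address in the zone being the DNS answer."""
        ports = self.zones[zone.lower()]
        if not ports:
            return {}
        weights = [port_weight(p, self.policy) for p in ports]
        total = sum(weights)
        if total <= 0:  # every node saturated: fall back to equal probability
            return {p.ip: 1 / len(ports) for p in ports}
        return {p.ip: w / total for p, w in zip(ports, weights)}

    def resolve(self, name: str, rng: random.Random | None = None) -> str | None:
        """Working principle steps 1-2: answer a query for a zone name with one
        IP address chosen by the active policy; None when not resolvable."""
        if not self.enabled:  # Table 3-48: resolution unavailable when disabled
            return None
        probs = self.probabilities(name) if name.lower() in self.zones else {}
        if not probs:
            return None
        ips = list(probs)
        return (rng or random).choices(ips, weights=[probs[ip] for ip in ips], k=1)[0]


if __name__ == "__main__":
    lb = DnsLoadBalancer(policy="CPU usage")
    lb.add_zone("nas.example.com")
    # Constructed ports spread over controllers A and B, as Table 3-47 advises.
    lb.associate("nas.example.com", LogicalPort("192.168.50.16", "Service", "A", 0.20, 0.30, 100))
    lb.associate("nas.example.com", LogicalPort("192.168.50.17", "Service", "B", 0.60, 0.50, 400))
    print(lb.probabilities("nas.example.com"))
    print("DNS answer:", lb.resolve("nas.example.com"))
```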
Follow-up Procedure

After associating logical ports with a DNS zone, configuring logical ports to listen to DNS requests, setting a DNS-based load balancing policy, and enabling DNS-based load balancing, you need to configure DNS server addresses on clients. For details about how to configure and use DNS-based load balancing, see How Can I Configure and Use DNS-based Load Balancing?

(Optional) Managing the Routes of a Logical Port

When configuring share access, ensure that the logical port can ping the IP addresses of the domain controller, DNS server, and clients. If the ping test fails, add routes from the IP address of the logical port to the network segment of the domain controller, DNS server, or clients.

Prerequisites

The logical port has been assigned an IP address.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > Logical Ports.
  3. Select the logical port for which you want to add a route and click Route Management.

    The Route Management dialog box is displayed.

  4. Configure the route information for the logical port.

    1. Click Add.

      The Add Route dialog box is displayed.

    The default internal heartbeat IP addresses on a dual-controller storage system are 127.127.127.10 and 127.127.127.11, and those on a four-controller storage system are 127.127.127.10, 127.127.127.11, 127.127.127.12, and 127.127.127.13. Therefore, the destination address cannot fall within the 127.127.127.XXX segment, and the gateway address cannot be 127.127.127.10, 127.127.127.11, 127.127.127.12, or 127.127.127.13; otherwise, routing will fail. (Internal heartbeat links are established between controllers so that they can detect each other's working status; no separate cables need to be connected. Internal heartbeat IP addresses are assigned before delivery and cannot be changed.)

    2. In Type, select the type of the route to be added.

      Possible values are Default route, Host route, and Network segment route.

    3. Set Destination Address.
      • If IP Address is an IPv4 address, set Destination Address to the IPv4 address or network segment of the application server's service network port or of the other storage system's logical port.
      • If IP Address is an IPv6 address, set Destination Address to the IPv6 address or network segment of the application server's service network port or of the other storage system's logical port.
    4. Set Destination Mask (IPv4) or Prefix (IPv6).
      • Destination Mask specifies the subnet mask of the IPv4 address of the service network port on the application server or storage device.
      • Prefix specifies the prefix length of the IPv6 address of the application server's service network port or of the other storage system's logical port.
    5. In Gateway, enter the gateway for the IP address of the local storage system's logical port.

  5. Click OK. The route information is added to the route list.

    The security alert dialog box is displayed.

  6. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
  7. Click OK.

    The Success dialog box is displayed, indicating that the operation succeeded.

    NOTE:

    To remove a route, select it and click Remove.

  8. Click Close.

Setting the CIFS Service (Applicable to V300R006C00)

Before creating a CIFS share, enable and configure the CIFS service.

Prerequisites

The license for the CIFS protocol has been imported and activated.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > CIFS Service.
  3. In CIFS Service, select Enable.
  4. Configure CIFS service parameters.

    1. Configure parameters described in Table 3-49 based on site conditions.

      Table 3-49 CIFS service parameters

      Authentication Mode: Authentication mode for accessing a CIFS share.
      • Local authentication: Applies to scenarios where a local authentication user accesses a CIFS share in a non-domain environment.
      • Domain authentication: Applies to scenarios where a domain user accesses a CIFS share in an AD domain.
      • Global authentication: Local authentication is used first. If local authentication fails, domain authentication is used.
      Default value: Global authentication

      Performance Settings: Performance parameters that improve CIFS share access efficiency.
      • Oplock: Opportunistic locking (Oplock) is a mechanism for adjusting the cache policies of clients, improving performance and network utilization. Enabling Oplock is not advised in the following scenarios:
        • High data integrity is required. If Oplock is enabled, data in the local cache on a client may be lost when the network is interrupted or the client breaks down. If the upper-layer service software has no mechanism to ensure data integrity, recovery, or retry, data loss may occur.
        • Multiple clients access the same file. If Oplock is enabled, system performance will be adversely affected.
      • Notify: After this function is enabled, a client's operations on a directory, such as adding a sub-directory, adding a file, modifying the directory, and modifying a file, can be detected by other clients that are accessing this directory or its parent directory.
      Default value: Enabled

      Security Settings: After the guest service is enabled, users can access shared directories without user names or passwords, and they have the same permissions as the Everyone local authentication group.
      NOTE:
      After this function is enabled, unauthorized users can access shared directories as a guest user, which may cause information security issues. You are advised to disable this function.
      Default value: Disabled

      Access Settings: After ABSE (access based share enumeration) is enabled, only the CIFS shares that a user has permission to access are displayed when the user views the CIFS share information.
      NOTE:
      • It takes 10 to 20 minutes to load the CIFS share permission information after the storage system is powered on. During this period, this function does not take effect.
      • You are advised to enable this function. If it is disabled, users can see all shares (including shares they have no permission to access), which may pose security threats to those shares.
      Default value: Disabled

      Signature Settings: Signing options that enhance CIFS share access security.
      • Signature: This option applies to clients that use SMB 1.0. After it is selected, the system supports signing for such clients. For clients that use an SMB version later than 1.0, the system supports signing by default. Whether signing is actually used also depends on the registry settings of the clients; if the registry settings are not modified as required, signing is not used by default.
      • Signature enforcement: After this option is selected, the storage system requires signing regardless of whether clients have enabled it.
      NOTE:
      If signing is disabled, the storage system may be exposed to man-in-the-middle (MITM) attacks, resulting in security risks.
      Default value: Disabled

      Homedir: A Homedir share provides specific users with directories shared exclusively to them.
      • File system: file system shared in CIFS Homedir mode (mandatory)
      • Quota Tree: level-1 directory of the file system (optional)
      NOTE:
      After Homedir is enabled, a user can directly access the directory named after the user name under the specified file system directory.
      Default value: Disabled

    2. Click Save.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.

Setting the CIFS Service (Applicable to V300R006C10 and Later Versions)

Before creating a share, enable and configure the CIFS service.

Prerequisites

The license for the CIFS protocol has been imported and activated.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > CIFS Service.
  3. In CIFS Service, select Enable.
  4. Configure CIFS service parameters.

    1. Configure parameters described in Table 3-50 based on site conditions.

      Table 3-50 CIFS service parameters

      Authentication Mode: Authentication mode for accessing a CIFS share.
      • Local authentication: Applies to scenarios where a local authentication user accesses a CIFS share in a non-domain environment.
      • Domain authentication: Applies to scenarios where a domain user accesses a CIFS share in an AD domain.
      • Global authentication: Local authentication is used first. If local authentication fails, domain authentication is used.
      Default value: Global authentication

      Performance Settings: Performance parameters that improve CIFS share access efficiency.
      • Oplock: Opportunistic locking (Oplock) is a mechanism for adjusting the cache policies of clients, improving performance and network utilization. Enabling Oplock is not advised in the following scenarios:
        • High data integrity is required. If Oplock is enabled, data in the local cache on a client may be lost when the network is interrupted or the client breaks down. If the upper-layer service software has no mechanism to ensure data integrity, recovery, or retry, data loss may occur.
        • Multiple clients access the same file. If Oplock is enabled, system performance will be adversely affected.
      • Notify: After this function is enabled, a client's operations on a directory, such as adding a sub-directory, adding a file, modifying the directory, and modifying a file, can be detected by other clients that are accessing this directory or its parent directory.
      Default value: Enabled

      Security Settings: After the guest service is enabled, users can access shared directories without user names or passwords, and they have the same permissions as the Everyone local authentication group.
      NOTE:
      After this function is enabled, unauthorized users can access shared directories as a guest user, which may cause information security issues. You are advised to disable this function.
      Default value: Disabled

      Access Settings: After ABSE (access based share enumeration) is enabled, only the CIFS shares that a user has permission to access are displayed when the user views the CIFS share information.
      NOTE:
      • It takes 10 to 20 minutes to load the CIFS share permission information after the storage system is powered on. During this period, this function does not take effect.
      • You are advised to enable this function. If it is disabled, users can see all shares (including shares they have no permission to access), which may pose security threats to those shares.
      Default value: Disabled

      Signature Settings: Signing options that enhance CIFS share access security.
      • Signature: This option applies to clients that use SMB 1.0. After it is selected, the system supports signing for such clients. For clients that use an SMB version later than 1.0, the system supports signing by default. Whether signing is actually used also depends on the registry settings of the clients; if the registry settings are not modified as required, signing is not used by default.
      • Signature enforcement: After this option is selected, the storage system requires signing regardless of whether clients have enabled it.
      NOTE:
      If signing is disabled, the storage system may be exposed to man-in-the-middle (MITM) attacks, resulting in security risks.
      Default value: Disabled

    2. Click Save.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.

Configuring a Local Authentication User (Group)

In a non-domain environment, you must configure a local authentication user (group). The storage system enables you to allocate different CIFS share access permissions to different users (groups).

(Optional) Creating a Local Authentication User Group

This section describes how to create a local authentication user group. Local authentication user groups help you control the share access permissions of local authentication users.

Context

The following four local authentication user groups are automatically created and cannot be deleted:

  • default_group: default user group. When the group members access shared file systems, they must be authenticated to obtain their permissions.
  • Administrators: administrator group.
    • For V300R006C50 and earlier versions, when the group members access shared file systems, they do not need to be authenticated by share level ACLs or directory/file level NT ACLs. They can operate any file in any share with administrator permissions.
    • For V300R006C60 and later versions, you can run the change service cifs administrators_privileg=? command to change the permissions of members in the Administrators group. For details about the command, see the command reference specific to your product model. The values of administrators_privileg are described as follows:
      • admin (default value): When the group members access shared file systems, they do not need to be authenticated by share level ACLs or directory/file level NT ACLs. They can operate any file in any share with administrator permissions.
      • default_group: The group members have the same permissions as those in the default user group.
      • owner: The group members have the permissions to query and set file/directory ACLs and change file/directory owners. When the group members access shared file systems, they need to be authenticated by directory/file level NT ACLs, but do not need to be authenticated by share level ACLs.

      Modified permissions take effect only after users are re-authenticated on clients.

      NOTE:
      • Access control list (ACL): a collection of permissions that are authorized to users or user groups to operate shared files. ACL permissions involve ACL permission storage and ACL permission authentication. When a user accesses a share, the system checks the permissions of the user and determines whether the user can write or read the share based on the ACL permissions. Each ACL permission is stored as an Access Control Entry (ACE). After CIFS shares are mounted to a Windows client, the client sends NT ACLs to a server (a storage system that provides CIFS shares).
      • For V300R006C60 and later versions, you can run the show service cifs command and check the administrator group permissions in the returned Administrators Privilege field. Alternatively, you can choose Provisioning > User Authentication > Local Authentication User Group on DeviceManager and check permissions in Description for Administrators.
  • AntivirusGroup: antivirus user group. The group members can use third-party antivirus software to scan for shared file systems. They have administrator permissions.
  • Backup Operators: backup user group. The group members can use third-party backup software to back up and recover shared file systems. They do not have administrator permissions.
Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > User Authentication > Local Authentication User Group.
  3. Click Create.

    The Local Authentication User Group dialog box is displayed.

  4. Specify User Group Name.

    NOTE:

    For V300R006C00, a user group name:

    • Must contain 1 to 32 characters.
    • Cannot contain a space, double quotation mark ("), slash (/), backslash (\), square brackets ([]), greater-than sign (>), less-than sign (<), plus sign (+), colon (:), semicolon (;), comma (,), question mark (?), asterisk (*), vertical bar (|), equal sign (=), or at sign (@), and cannot end with a period (.).
    • Is case-insensitive. Therefore, you cannot create both an aa user group and an AA user group.
    • Cannot be the same as the name of a local authentication user.

    For V300R006C10 and later versions, a user group name:

    • Cannot contain a double quotation mark ("), slash (/), backslash (\), square brackets ([]), less-than sign (<), greater-than sign (>), plus sign (+), colon (:), semicolon (;), comma (,), question mark (?), asterisk (*), vertical bar (|), equal sign (=), or at sign (@), and cannot end with a period (.). Spaces at the beginning and end of a user group name are not displayed.
    • Is case-insensitive. Therefore, you cannot create both an aa user group and an AA user group.
    • Cannot be the same as the name of a local authentication user.
    • Must contain 1 to 63 characters.

  5. Optional: Specify Description.
  6. Click OK.

    The Success dialog box is displayed, indicating that the operation succeeded.

  7. Click OK.
Creating a Local Authentication User

This section describes how to create a local authentication user. For applications that use local authentication, local user accounts are used to access a share. You can add a local user to a user group so that the user accesses a share with the permissions of that user group.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > User Authentication.
  3. Click the Local Authentication User tab.
  4. Click Create.

    The Local Authentication User dialog box is displayed.

  5. Specify Username.

    A user name:

    • Cannot contain a space, double quotation mark ("), slash (/), backslash (\), square brackets ([]), less-than sign (<), greater-than sign (>), plus sign (+), colon (:), semicolon (;), comma (,), question mark (?), asterisk (*), vertical bar (|), equal sign (=), or at sign (@), and cannot end with a period (.).
    • Is case-insensitive. Therefore, you cannot create both an aaaaaaaa user and an AAAAAAAA user.
    • Cannot be the same as the name of a local authentication user group.
    • Must contain 8 to 32 characters by default.
    NOTE:

    You can modify the minimum length of a user name by choosing More > Set Security Policies.

  6. Specify Password.

    By default, a password:

    • Contains 8 to 16 characters.
    • Contains special characters, including !"#$%&'()*+,-./:;<=>?@[\]^`{_|}~ and space.
    • Contains at least two of the following character types: uppercase letters, lowercase letters, and digits.
    • Cannot contain three consecutive same characters.
    • Differs from the user name or the reverse of the user name.
    NOTE:

    Click More and choose Set Security Policies to set a security policy for the password of a local authentication user. If Password Validity Period (days) is not selected, your password never expires. For security purposes, you are advised to select Password Validity Period (days) and set a validity period. After the password expires, you cannot access shares, but you can set a password again or modify the password security policy.

  7. In Confirm Password, enter the password again.
  8. Select Primary Group.

    The Select Primary Group dialog box is displayed.

    NOTE:

    The primary group to which users belong controls the users' permission for CIFS shares. A user must and can only belong to one primary group.

  9. Select the user group to which the user belongs and click OK.
  10. (Optional) Select Secondary Group.

    The Select Secondary Group dialog box is displayed.

    NOTE:

    A local authentication user must belong to a primary group, but does not have to belong to a secondary group.

  11. Click Add.

    The Select User Group dialog box is displayed.

  12. Select one or more secondary groups to which the user belongs and click OK.

    The Select Secondary Group dialog box is displayed.

  13. Click OK.

    The Local Authentication User dialog box is displayed.

  14. Optional: Specify Description.
  15. Click OK.

    The Success dialog box is displayed, indicating that the operation succeeded.

  16. Click OK.

Adding a Storage System to an AD Domain

After a storage system is added to an AD domain, domain users can access CIFS shares that are allocated to the domain. This section describes how to add a storage system to an AD domain.

Preparing AD Domain Configuration Data
Why AD Domains?

In Windows shared mode, every device that provides shares is an independent node. The account and permission information about users allowed to access shares is stored on each node. As a result, maintaining this information is complex and hard to control.

If an AD domain is used, however, the domain controller manages all the user configuration information and authenticates the access to the domain. The domain controller incorporates a database that stores information about the domain account, password, and nodes in the domain. A user can access all the shared content in the domain after passing the authentication by the domain controller.

Working Principles
Figure 3-16 Network diagram of AD domain server authentication
  1. The DNS server provides a full domain name (for example, 123.com) for the AD domain.
  2. The storage system is added into the AD domain and provides share services.
  3. Users can access shares after logging in to hosts in the AD domain using domain accounts.
Data Preparation

Collect Domain Administrator Username, Password, Full Domain Name, Organization Unit (optional), and System Name. For details about how to obtain the data, see Configuring AD Domain Authentication Parameters.

Connecting a Storage System to a DNS Server (Applicable to V300R006C50 and Earlier)

After a storage system is connected to a DNS server, you can access the storage system through an IP address or domain name.

Prerequisites
  • A DNS server has been configured and is running properly.
  • TCP/UDP port 53 between the storage system and the DNS server is open.
Context
  • A DNS server resolves host names in a domain.
  • If you want to configure a standby DNS server, ensure that the domain names of the active and standby DNS servers are consistent.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > DNS Service.

  3. Set the DNS server information.

    1. Specify Active DNS IP Address.
    2. Optional: Specify Standby DNS IP Address 1.
    3. Optional: Specify Standby DNS IP Address 2.
    NOTE:
    • Configure the standby DNS IP address 1 and then the standby DNS IP address 2.
    • You can click Test to test the IP address availability.
    • You can click Test All to test the connection between the DNS server and storage system.

  4. Click Save.

    The Success dialog box is displayed, indicating that the operation succeeded.

  5. Click OK.
Connecting a Storage System to a DNS Server (Applicable to V300R006C60 and Later Versions)

After a storage system is connected to a DNS server, you can access the storage system through an IP address or domain name.

Prerequisites
  • A DNS server has been configured and is running properly.
  • TCP/UDP port 53 between the storage system and the DNS server is open.
Context
  • A DNS server resolves host names in a domain.
  • If you want to configure a standby DNS server, ensure that the domain names of the active and standby DNS servers are consistent.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > DNS Service.

  3. Configure IP addresses for the DNS service.

    1. Set Active DNS IP Address.
    2. Optional: Set Standby DNS IP Address 1.
    3. Optional: Set Standby DNS IP Address 2.
      NOTE:

      Configure the standby DNS IP address 1 first and then the standby DNS IP address 2.

    4. Optional: Test the connection between the DNS server and storage system.
      • You can click Test of each DNS IP address to test its availability.
      • You can click Test All to test the connection between the DNS server and storage system.

  4. Optional: Configure domain names for the DNS service.

    NOTE:
    • Before configuring domain names, set at least one DNS IP address.
    • Domain names are used in sequence. A maximum of six domain names are supported.
    • Adding a domain name
      1. Click Add.

        The Add Domain Name dialog box is displayed.

      2. Set the domain name.
        NOTE:

        A domain name must meet the following requirements:

        • Be case-insensitive and unique.
        • Contains 1 to 255 characters, including letters, digits, periods (.), underscores (_), and hyphens (-).
        • Each label separated by a period (.) contains a maximum of 63 characters and must start and end with a letter or digit.
      3. Click OK.
    • Modifying a domain name
      1. Select the domain name that you want to modify, and click Modify.

        The Modify Domain Name dialog box is displayed.

      2. Set the domain name.
        NOTE:

        A domain name must meet the following requirements:

        • Be case-insensitive and unique.
        • Contains 1 to 255 characters, including letters, digits, periods (.), underscores (_), and hyphens (-).
        • Each label separated by a period (.) contains a maximum of 63 characters and must start and end with a letter or digit.
    • Removing a domain name

      Select the domain name that you want to remove, and click Remove.

    • Moving up a domain name

      Select the domain name that you want to move up, and click Up.

    • Moving down a domain name

      Select the domain name that you want to move down, and click Down.

  5. Click Save.

    The Success dialog box is displayed, indicating that the operation succeeded.

  6. Click OK.
Configuring AD Domain Authentication Parameters

After a storage system is added to an AD domain, the AD server can authenticate CIFS clients when they try to access shared resources. The administrator can manage the share access permissions and quotas of domain users. If the storage system is not added to an AD domain, domain users cannot use share services provided by the storage system.

Prerequisites
  • An AD domain has been set up.
  • The storage system has been connected to a DNS server.
  • The time of the AD domain server and DNS server has been synchronized with the storage system. The time difference must not exceed 5 minutes.
  • Between the storage system and AD domain environment, the following ports are enabled: ports 88 (TCP/UDP), 389 (TCP/UDP), 445 (TCP), and 464 (TCP/UDP).
NOTE:
  • The 2000, 5000, and 6000 series storage systems can be connected to AD domain servers and DNS servers through management network ports or service network ports (logical ports). If a storage system communicates with an AD domain server and DNS server through a management network port, the management network port of each controller must be connected properly to the AD domain server and DNS server. If a storage system communicates with the AD domain server and DNS server through a service network port, the service network port of each controller under each vStore must be connected properly to the AD domain server and DNS server. It is recommended that storage systems use service network ports to connect to an AD domain server.
  • For 6000 and 6000F series storage systems, every two controllers share one management network port. When a management network port is used to connect to an AD domain server and DNS server, only one controller can be connected to the AD domain server and DNS server. Therefore, it is not advised to connect a 6000 or 6000F storage system to an AD domain server and DNS server through a management network port.
  • The 18000 series storage systems can be connected to AD domain servers and DNS servers through service network ports (logical ports) only. All controllers must be able to communicate with the AD domain server and DNS server.
  • AD domain servers support primary/secondary domains, parent/child domains, active/standby domains, or trust domains.
Precautions
  • Before adding a storage system to an AD domain, ensure that the primary controller of the storage system has connected to a DNS server and an AD domain server. If it has not, enable the AD domain forwarding function and connect a service port of the storage system to a DNS server and an AD domain server.
NOTE:
  • Run the show controller general command to query information about all controllers. The controller whose Role is Master is the primary controller of a storage system.
  • Run the change domain ad_config controller_forwarding_enable=yes command to enable the AD domain forwarding function. For details, see the command reference specific to your product model.
  • If Overwrite System Name is enabled, a newly entered system name overwrites a system name of the same value that already exists on the AD domain server, if any.
  • A simple password may cause security risks. A complex password is recommended, for example, a password containing uppercase letters, lowercase letters, digits, and special characters.
  • You are advised to use physical isolation and end-to-end encryption to ensure security of data transfer between clients and AD domain servers.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > Domain Authentication.
  3. In the AD Domain Settings area, configure the AD domain authentication parameters.

    Table 3-51 describes the related parameters.

    Table 3-51 AD domain authentication parameters

    Parameter

    Description

    Value

    Domain Administrator Username

    User name for an administrator who logs in to the AD domain server.

    [Rule]

    Contains 1 to 63 characters.

    [Example]

    test123

    [How to Obtain]

    Contact the AD domain controller administrator.

    Password

    Password for the administrator who logs in to the AD domain server.

    [Rule]

    Contains 1 to 127 characters.

    [Example]

    !QAZ2wsx

    [How to Obtain]

    Contact the AD domain controller administrator.

    Full Domain Name

    Full domain name of the AD domain server.

    NOTE:

    Click Test to verify the full domain name.

    [Rule]

    Contains 1 to 127 characters.

    [Example]

    abc.com

    [How to Obtain]

    Contact the AD domain controller administrator.

    Organization Unit

    A type of directory object in a domain. Such objects include users, computers, and printers. After an object is added to a domain, it becomes a member of an organization unit. If you leave this field blank, the storage system is added to the Computers organization unit by default.

    If the organization unit on the domain controller is of the container type, enter cn=xxx,dc=abc,dc=com. Otherwise, enter ou=xxx,dc=abc,dc=com.

    [Example]

    ou=xxx,dc=abc,dc=com

    [How to Obtain]

    1. On the Windows AD domain server, open Active Directory Users and Computers or ADSI Edit.
    2. Select the directory on the left, right-click the directory, and choose Properties.
    3. In the Properties dialog box that is displayed, click Attribute Editor. The value of distinguishedName is the organization unit.

    System Name

    Name of the storage system in the AD domain. After the storage system is added to the domain, a client can use the name to access the storage system.

    [Rule]

    The system name:

    • Must contain 1 to 15 characters.
    • Can contain letters, digits, and hyphens (-).
    • Must not contain only digits.

    [Example]

    systemname

    Overwrite System Name

    After this option is selected, a newly entered system name overwrites a system name of the same value that already exists on the domain controller, if any.

    [Example]

    Enable

    Domain Status

    Displays whether the storage system has been added to a domain.

    [Example]

    Exited domain

  4. Click Join Domain.
Follow-up Procedure

If you want to remove a storage system from a domain, perform the following operations:

  1. In AD Domain Settings, enter Domain Administrator Username and Password.
  2. Click Exit domain.

    The Success dialog box is displayed, indicating that the operation succeeded.

  3. Click OK.

Creating a Homedir Share (Applicable to V300R006C00)

This section describes how to create a Homedir share.

Prerequisites

A file system has been created.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > CIFS Service.
  3. In CIFS Service, verify that Enable is selected.
  4. In Homedir, select Enable.
  5. In File System, select the file system for which you want to create a Homedir share.

    NOTE:

    If you want to create a Homedir share for a quota tree in the file system, select the quota tree in Quota Tree.

  6. Click Save.

    The Success dialog box is displayed.

  7. Click OK.

Creating a CIFS Homedir Share (Applicable to V300R006C10 and Later Versions)

This section describes how to create a CIFS Homedir share.

Prerequisites
  • The CIFS service is enabled.
  • In a non-domain environment, the CIFS Homedir authentication mode is configured as local authentication or global authentication.
  • In an AD domain environment, the CIFS Homedir authentication mode is configured as domain authentication or global authentication.
Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Share > CIFS Homedir.
  3. Click Create.

    The Create CIFS Homedir Share Wizard dialog box is displayed.

    NOTE:

    GUIs may vary with product versions and models. The actual GUIs prevail.

  4. Set CIFS Homedir parameters.

    1. On the CIFS Homedir setting page, set required parameters.

      Table 3-52 describes the related parameters.

      Table 3-52 Parameters for creating a CIFS Homedir share

      Parameter

      Description

      Value

      Share Name

      Name used by a user for accessing the shared resources.

      [Value range]

      A share name:

      • Can contain letters of any language.
      • Can contain 1 to 80 characters.
      • Cannot contain special characters "/\[]:|<>+;,?*=.
      • Cannot be the name reserved by the system: ipc$, autohome, ~ and print$.

      [Example]

      share_for_user1

      Relative Directory

      Path of a user's relative directory

      [Value range]

      A relative directory:

      • Must contain 1 to 255 characters.
      • Cannot contain special characters including \:*?"<>|
      • Can contain %d, %w, and %u. %d indicates a domain name, %w indicates a user name, and %u indicates a UNIX name after being mapped. For example, if the relative path is home_%d/%w, the Homedir directory of user usera in domain china is home_china/usera/.

      [Example]

      home_%d/%w

      Description

      Description of the created CIFS Homedir share.

      [Value range]

      The description can be left blank or contain up to 255 characters.

      [Example]

      Share for user 1.

      Oplock

      Opportunistic locking (Oplock) is a mechanism used to adjust cache policies of clients, improving performance and network utilization.

      This function is not recommended in the following scenarios:

      • Scenarios that have high requirements for data integrity: Local cache loss will occur if your network is interrupted or your client breaks down after Oplock is enabled. If the upper-layer service software does not have a mechanism to ensure data integrity, recovery, or retry, data loss may occur.
      • Scenarios where multiple clients access the same file: If Oplock is enabled, the system performance will be adversely affected.

      [Default value]

      Enabled

      Notify

      After this function is enabled, a client's operations on a directory, such as adding a sub-directory, adding a file, modifying the directory, and modifying a file, can be detected by other clients that are accessing this directory or its parent directory.

      [Default value]

      Enabled

      Offline Cache Mode

      Mode in which files to be accessed are cached to local clients so that the files can be operated offline. The following offline cache modes are supported:

      • Manual

        Specified files and programs in the shared directory can be cached to local clients and operated offline.

      • Documents

        If a user accesses the shared directory and opens a file or program in the shared directory, the file or program is automatically cached to a local client so that users can operate it offline. Files and programs that can be operated offline are saved in the clients' cache and synchronized with those in the shared directory until the cache is full or users delete them. Files and programs that have not been opened cannot be cached locally.

      • Programs

        Performance is optimized based on the Documents mode. If an executable file (EXE or DLL) in the shared directory is executed by a local client, the file is automatically cached to the client. If the client needs to run the executable file online or offline next time, it accesses the cached file instead of that in the shared directory.

      • None

        Files and programs in the shared directory cannot be cached to local clients. Therefore, these files and programs cannot be operated offline. This mode prevents the offline file function of clients from creating duplicates of files in the shared directory.

      NOTE:

      The client's offline file function must be enabled for files and programs to be cached automatically.

      [Default value]

      Manual

      CA

      This option is provided by the SMB 3.0 continuous availability function and applies only to shares used by Hyper-V. It works together with Oplock: if you want to enable this function, ensure that Oplock is enabled.

      [Default value]

      Disabled

      Security Restriction

      After this function is enabled, only the added IP addresses can be used to access the shared directories. After this function is disabled, all IP addresses can be used to access the shared directories.

      [Default value]

      Disabled

      Create Default ACL

      This function creates a default ACL (full control rights to everyone; applied to the current directory, its subdirectories, and files in them) for a shared CIFS Homedir root directory if the directory has no ACL. You can change the default ACL in follow-up operations. If you want to retain the UNIX MODE rights, disable this function.

      [Default value]

      Enabled

      File Name Extension Filtering

      After this function is enabled, the types of files that users access on a CIFS Homedir share are controlled.

      NOTE:

      SMB2 and SMB3 support file name extension filtering while SMB1 does not.

      [Default value]

      Disabled

      ABE

      After this function is enabled, files and folders to which users have no access permission are not displayed.

      NOTE:

      SMB2 and SMB3 support ABE while SMB1 does not.

      [Default value]

      Disabled

      Show Previous Versions

      After this function is enabled, clients can show and roll back historical versions.

      NOTE:

      This parameter applies to V300R006C10 and later versions.

      [Default value]

      Enabled

      Show Snapshot

      If this function is enabled, clients can show and traverse snapshot directories.

      NOTE:

      This parameter applies to V300R006C10 and later versions.

      [Default value]

      Enabled

      Audit Log

      After this function is enabled, the system can record audit logs of a shared directory. The audit log items include Open, Create, Read, Write, Close, Delete, Rename, Obtain properties, Set properties, Obtain security properties, Set security properties, Obtain extension properties, and Set extension properties. After the audit function is enabled, by default, the system records Create, Write, Delete, and Rename operations of the shared directory.

      NOTE:

      Before configuring this function, choose Settings > Monitor Settings > Audit Log Settings, and enable the Audit Log Settings function.

      [Default value]

      Disabled

    2. Click Next.

      The Set Permissions page is displayed.

  5. Set access permissions for users or user groups accessing the CIFS Homedir share.

    1. In Users/User Groups area, click Add.

      The Add User/User Group dialog box is displayed.

    2. In User/User Group, select the user type or user group type.

      The values include: Everyone, Local authentication user, Local authentication user group, Domain user, and Domain user group.

      • If you select Everyone, click Add.
      NOTE:

      Everyone indicates that every user has the permission to access the CIFS Homedir share.

      • If you select Local authentication user or Local authentication user group, click Find. In the displayed Find Local Authentication User or Find Local Authentication User Group dialog box, select the user or user group you want to add. Click OK.
      • If the desired local authentication user or user group does not exist, click Create to create one.
      • If you select Domain user or Domain user group, specify Name and click Add.
      NOTE:

      The name format is Domain name\Domain user name or Domain name\Domain user group name.

    3. Specify Permission Level.

      Table 3-53 provides details about the permissions.

      Table 3-53 Description of CIFS Homedir share permissions

      Operation                                  Forbidden     Read-Only   Read and Write   Full Control
      Viewing files and subdirectories           Not allowed   Allowed     Allowed          Allowed
      Viewing the contents of files              Not allowed   Allowed     Allowed          Allowed
      Running executable files                   Not allowed   Allowed     Allowed          Allowed
      Adding files or subdirectories             Not allowed   N/A         Allowed          Allowed
      Modifying the contents of files            Not allowed   N/A         Allowed          Allowed
      Deleting files and subdirectories          Not allowed   N/A         Allowed          Allowed
      Renaming                                   Not allowed   N/A         Allowed          Allowed
      Changing the ACL of files or directories   Not allowed   N/A         N/A              Allowed

      NOTE:
      • Priorities of permission levels in descending order are Forbidden > Full control > Read and write > Read-only. The permission with the highest priority prevails. When a user's access permission is extended, the new permission takes effect immediately. For example, if a user's original access permission is Read-only but the user is added to a user group with Full control permission later, the user's access permission changes to Full control and it does not need to be re-authenticated to access the CIFS Homedir share.
      • For V300R006C50 and earlier versions, if a local authentication user's primary group is the Administrators group, it does not need to be authenticated by share level ACLs or directory/file level NT ACLs when accessing shared file systems. It can operate any file in any share with administrator permissions.
      • For V300R006C60 and later versions, you can run the change service cifs administrators_privileg=? command to change the permissions of members in the Administrators group. For details about the command, see the command reference of your specific product model. The values of administrators_privileg can be admin (default value), default_group, and owner.
        If a local authentication user's primary group is the Administrators group, you can change the local authentication user's permissions by modifying administrators_privileg. The values of administrators_privileg are described as follows:
        • admin: When the group members access shared file systems, they do not need to be authenticated by share level ACLs or directory/file level NT ACLs. They can operate any file in any share with administrator permissions.
        • default_group: The group members have the same permissions as those in the default user group.
        • owner: The group members have the permissions to query and set file/directory ACLs and change file/directory owners. When the group members access shared file systems, they need to be authenticated by directory/file level NT ACLs, but do not need to be authenticated by share level ACLs.

        Modified permissions take effect only after users are re-authenticated on clients.

        You can run the show service cifs command and check the administrator group permissions in the returned Administrators Privilege field.

    4. Click OK.

      The selected user or user group is added to the Users/User Groups list.

    5. Click Next.

  6. Add a mapping rule of file system paths to the CIFS Homedir share.

    A mapping rule consists of user names, file systems, quota trees, priorities, and AutoCreate. Only users matching the mapping rule can access the Homedir directory.
    1. In Mapping Rule List, click Add.

      The Add CIFS Homedir Mapping Rule dialog box is displayed.

    2. Specify Username.
      NOTE:

      A user name:

      • Contains 1 to 255 characters.
      • Can be a common or domain user name. A domain user name is in the format of domain name\user name, for example, china\user001. Only one backslash (\) is allowed. The domain name must be a NetBIOS name.
      • Can contain one wildcard character * at the end of the user name. For example, china\* indicates all users in the china domain.
      • Must not contain any spaces or special characters including "/[]<>+:;,?=|, or end with a period (.).
    3. In File System, select the file system for which you want to create a mapping rule.
      • In the file system list, select a file system and click OK.
      • If your desired file system does not exist, click Create to create one. After the file system is created, select the file system and click OK.
    4. Optional: In Quota Tree, select a quota tree.
      • In the quota tree list of the file system, select a quota tree and click OK.
      • If your desired quota tree does not exist, click Create to create one.
    5. Optional: In Directory, enter an accessible directory.
    6. Check Share Path.

      The share path of a file system consists of the values of File System, Quota Tree and Directory.

    7. In Priority, set the priority of the mapping rule.
      • The value ranges from 1 to 1024.
      • Mapping rules are sorted by priority in descending order. If two mapping rules have the same priority, the one created earlier is placed first. Users are matched against the mapping rules in that sequence.
    8. Determine whether to enable AutoCreate.
      • If AutoCreate is enabled but no relative directory exists under the CIFS Homedir share path, the system will automatically create a relative directory.
      • AutoCreate is enabled by default. You can disable it. If AutoCreate is disabled and the relative directory does not exist, users fail to match this rule and will match the next one.
    9. Click OK.

      A security alert dialog box is displayed.

    10. Confirm the information in the dialog box, select I have read and understand the consequences associated with performing this operation, and click OK.
      • The created mapping rules are displayed in the mapping rule list.
      • You can modify the priority of the mapping rule and determine whether to enable AutoCreate.
    11. Click Next.

  7. (Optional) Set a security restriction.

    This parameter is valid only after security restriction is enabled.
    1. In the Accessible IP Address/Address Segment area, click Add.

      The Add IP Address or IP Address Segment dialog box is displayed.

    2. Specify IP Address/Address Segment.
      NOTE:
      • An IP address segment is in the format of IP address/mask, for example, 192.168.1.100/16. The IPv4 mask ranges from 1 to 32, and the IPv6 mask ranges from 1 to 128. A mixture of IPv4 and IPv6 address segments is not supported.
      • The value of IP Address/Address Segment can be a single IPv4 or IPv6 address, for example, 192.168.1.100, or an IP address segment, for example, 192.168.1.100/16 or 192.168.1.10 to 192.168.1.11/30.
      • A maximum of 32 IP addresses and IP address segments can be added.
    3. Click OK.

      The added IP addresses or IP address segments are displayed in the list.

    4. Click Next.

  8. (Optional) Set file name extension filtering rules.

    The rule can be set only after the file name extension filtering function is enabled.
    NOTE:

    File name extension filtering rules are valid only for the current share.

    1. In File Name Extension Filtering Rule, click Add.

      The Add File Name Extension Filtering Rule dialog box is displayed.

    2. In File Name Extension, specify the file name extension (file type) to be filtered.
      NOTE:
      • A file name extension can contain 1 to 127 visible ASCII characters, including only digits, letters, spaces, and special characters (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~). It can end with the wildcard character *. For example, the file name extension can be txt, TXT, T?X, or Tx*.
      • The maximum number of filtering items supported by a share is 128.
      • The maximum number of filtering items supported by a storage system is 120,000.
      • It is recommended that one share have a maximum of seven file name extension filtering rules, and one file name extension contain 1 to 32 characters (excluding wildcards). The recommended configurations minimize any adverse impact on CIFS Homedir service performance. If the recommended configurations are not used, CIFS Homedir performance may deteriorate significantly.
      • When configuring a file name extension filtering rule, ensure that the rule does not affect the storage of temporary files that application software may generate while running. For example, some application software generates files with the .tmp file name extension; in this case, add the .tmp extension to the file name extension filtering rule. For details about the temporary file name extensions used by specific application software, contact the software vendor.
    3. Select a permission rule from the Rule Type drop-down list.
      NOTE:
      • Denied only: Users do not have permission to access files with the specified extension.
      • Allowed only: Users have permission to access files with the specified extension.
    4. Click OK.

      The added file name extension filtering rule is displayed in the list.

    5. Click Next.

  9. On the Summary page, confirm the CIFS Homedir information and click Finish.
  10. On the Execution Result page, view the execution result and click Close.

    You can view the created share in the CIFS Homedir share list.
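The mapping-rule semantics of step 6 (the user-name constraints, the trailing-wildcard match, priority ordering with creation-order tie-breaking, and the AutoCreate fall-through to the next rule) are easier to reason about in code. The following Python is an added example written for this guide; it is not code from the document or from the OceanStor software. The sample rule names and file system names are constructed, the %d/%w expansion (domain part and user part of the name) and the case-insensitive comparison are assumptions, and existing_dirs is a constructed stand-in for the directories on the storage system.

```python
# Added example, not code from the Huawei document or the OceanStor software:
# a model of how a CIFS Homedir share resolves a connecting user to a home
# directory through its mapping rules. Assumptions are marked in comments.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Characters the page forbids in a mapping-rule user name, plus the space.
_FORBIDDEN_CHARS = set(' "/[]<>+:;,?=|')


def username_error(name: str) -> Optional[str]:
    """Return the first user-name constraint that is violated, or None if valid."""
    if not 1 <= len(name) <= 255:
        return "must contain 1 to 255 characters"
    if name.count("\\") > 1:
        return "only one backslash is allowed (domain\\user)"
    if name.endswith("."):
        return "must not end with a period"
    if "*" in name[:-1]:  # a single * may appear only as the last character
        return "wildcard * is allowed only at the end"
    if any(ch in _FORBIDDEN_CHARS for ch in name):
        return "contains a space or a forbidden special character"
    return None


def pattern_matches(pattern: str, user: str) -> bool:
    """A trailing * matches any suffix, so china\\* covers every user in the china
    domain. Case-insensitive comparison is an assumption (CIFS names are not case-sensitive)."""
    p, u = pattern.lower(), user.lower()
    return u.startswith(p[:-1]) if p.endswith("*") else p == u


@dataclass
class MappingRule:
    username: str
    file_system: str
    priority: int = 1         # 1 to 1024; higher priority is matched first
    seq: int = 0              # creation order; the earlier rule wins a priority tie
    quota_tree: str = ""
    directory: str = ""
    auto_create: bool = True  # AutoCreate is enabled by default

    def __post_init__(self) -> None:
        err = username_error(self.username)
        if err:
            raise ValueError(f"invalid user name {self.username!r}: {err}")
        if not 1 <= self.priority <= 1024:
            raise ValueError("priority must be 1 to 1024")

    def share_path(self) -> str:
        """Share path = File System + Quota Tree + Directory, as step 6 states."""
        return "/".join(p for p in (self.file_system, self.quota_tree, self.directory) if p)


def expand_relative_dir(template: str, user: str) -> str:
    """Expand the share's Relative Directory. Assumption: %d is the domain part and
    %w the user part of 'domain\\user'; for a local user %d is empty."""
    domain, _, name = user.rpartition("\\")
    return template.replace("%d", domain).replace("%w", name).strip("/")


def resolve_homedir(rules: List[MappingRule], user: str, relative_template: str,
                    existing_dirs: Set[str]) -> Optional[Tuple[MappingRule, str]]:
    """Walk the rules by priority (descending, ties by creation order) and return
    (rule, home path) for the first that applies. existing_dirs stands in for the
    directories on the storage system: AutoCreate creates a missing one, otherwise
    the rule is skipped and the next one is tried, as step 8 describes."""
    for rule in sorted(rules, key=lambda r: (-r.priority, r.seq)):
        if not pattern_matches(rule.username, user):
            continue
        home = f"{rule.share_path()}/{expand_relative_dir(relative_template, user)}"
        if home in existing_dirs:
            return rule, home
        if rule.auto_create:
            existing_dirs.add(home)  # the storage system would create it now
            return rule, home
    return None


# Constructed sample rules; names are for illustration only.
SAMPLE_RULES = [
    MappingRule("china\\*", "FileSystem0001", priority=5, seq=0, auto_create=False),
    MappingRule("china\\user001", "FileSystem0000", priority=10, seq=1),
    MappingRule("*", "FileSystem0002", priority=1, seq=2, quota_tree="qt_default"),
]


def demo() -> dict:
    """Resolve three constructed users; only user003's directory pre-exists."""
    dirs = {"FileSystem0001/china/user003"}
    return {
        "user001": resolve_homedir(SAMPLE_RULES, "china\\user001", "%d/%w", dirs)[1],
        "user002": resolve_homedir(SAMPLE_RULES, "china\\user002", "%d/%w", dirs)[1],
        "user003": resolve_homedir(SAMPLE_RULES, "china\\user003", "%d/%w", dirs)[1],
    }
```

In demo(), user002 shows the fall-through that step 8 describes: the china\* rule has AutoCreate disabled and no directory for that user yet, so the user drops to the lower-priority catch-all rule and lands in FileSystem0002. The priority order matters for access control: a broad wildcard rule with a high priority would capture users that a more specific rule was meant to place elsewhere.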

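Steps 7 and 8 add two optional filters to the share: an accessible IP address list and file name extension filtering. The following Python is an added example written for this guide, not code from the document or from the OceanStor software, showing how the stated limits (1 to 32 or 1 to 128 mask bits, no IPv4/IPv6 mixing, at most 32 address entries and 128 extension rules per share) and the Denied only / Allowed only rule types can be checked. The addresses and extensions are constructed; treating ? as a single-character wildcard, ignoring case, and the combined decision model for denied and allowed rules are assumptions. The "A to B/mask" range form mentioned in step 7 is not modelled.

```python
# Added example, not code from the Huawei document or the OceanStor software:
# a model of the two optional per-share filters, the accessible IP address
# list (step 7) and file name extension filtering (step 8). Assumptions are
# marked in comments; the storage system's real evaluation may differ.
import ipaddress
import re
from typing import List, Optional, Tuple

MAX_IP_ENTRIES = 32            # limit stated on the page
MAX_EXT_RULES_PER_SHARE = 128  # limit stated on the page
_EXT_CHARS = re.compile(r"^[\x21-\x7e ]{1,127}$")  # visible ASCII plus space


def parse_ip_entry(text: str):
    """Parse a single address (192.168.1.100) or an address/mask segment
    (192.168.1.100/16). The 'A to B/mask' range form is not modelled."""
    text = text.strip()
    if "/" not in text:
        return ipaddress.ip_network(text)  # single host: /32 or /128
    net = ipaddress.ip_network(text, strict=False)  # host bits allowed, as in 192.168.1.100/16
    limit = 32 if net.version == 4 else 128
    if not 1 <= net.prefixlen <= limit:
        raise ValueError(f"mask of {text} must be 1 to {limit}")
    return net


class IpRestriction:
    """Accessible IP Address/Address Segment list; consulted only while the
    security restriction is enabled, as the page notes."""

    def __init__(self, entries: List[str], enabled: bool = True) -> None:
        if len(entries) > MAX_IP_ENTRIES:
            raise ValueError(f"at most {MAX_IP_ENTRIES} entries are allowed")
        self.enabled = enabled
        self.networks = [parse_ip_entry(e) for e in entries]
        if len({n.version for n in self.networks}) > 1:
            raise ValueError("IPv4 and IPv6 entries cannot be mixed")

    def allows(self, client_ip: str) -> bool:
        if not self.enabled:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in n for n in self.networks)


def ip_list_error(entries: List[str]) -> Optional[str]:
    """Return why a list would be rejected, or None if it is acceptable."""
    try:
        IpRestriction(entries)
        return None
    except ValueError as exc:
        return str(exc)


def ext_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Validate an extension pattern and compile it. Assumptions: ? matches
    exactly one character (the page's T?X example) and matching ignores
    case, as Windows file names do."""
    if not _EXT_CHARS.match(pattern):
        raise ValueError("extension must be 1 to 127 visible ASCII characters")
    if "*" in pattern[:-1]:
        raise ValueError("wildcard * is allowed only at the end")
    star = pattern.endswith("*")
    body = pattern[:-1] if star else pattern
    regex = "".join("." if ch == "?" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + (".*" if star else "") + "$", re.IGNORECASE)


class ExtensionFilter:
    """Extension filtering rules of one share: (extension, rule type) pairs
    with rule type 'Denied only' or 'Allowed only'. Decision model
    (assumption): an extension matching any denied rule is blocked, and if
    allowed rules exist the extension must match one of them."""

    def __init__(self, rules: List[Tuple[str, str]]) -> None:
        if len(rules) > MAX_EXT_RULES_PER_SHARE:
            raise ValueError(f"at most {MAX_EXT_RULES_PER_SHARE} rules per share")
        self.denied, self.allowed = [], []
        for ext, rule_type in rules:
            rx = ext_pattern_to_regex(ext)
            if rule_type == "Denied only":
                self.denied.append(rx)
            elif rule_type == "Allowed only":
                self.allowed.append(rx)
            else:
                raise ValueError(f"unknown rule type {rule_type!r}")

    def allows(self, filename: str) -> bool:
        ext = filename.rsplit(".", 1)[1] if "." in filename else ""
        if any(rx.match(ext) for rx in self.denied):
            return False
        return not self.allowed or any(rx.match(ext) for rx in self.allowed)


# Constructed sample policy for one share (addresses chosen for illustration).
SAMPLE_IPS = IpRestriction(["192.168.1.100", "10.0.0.0/8", "192.168.50.0/24"])
SAMPLE_EXTS = ExtensionFilter([("tmp", "Denied only"), ("T?X", "Denied only")])


def check_access(client_ip: str, filename: str) -> bool:
    """Both filters must pass for the sample share."""
    return SAMPLE_IPS.allows(client_ip) and SAMPLE_EXTS.allows(filename)
```

Note that 192.168.1.100/16 is accepted with its host bits set, exactly as the page's example shows, and is interpreted as the whole 192.168.0.0/16 segment; a practitioner reviewing a share should read such entries as the network they expand to, not as the single host they resemble.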
Accessing a Homedir Share (Applicable to V300R006C00)

This section describes how to access Homedir shares. Homedir shares allow users to access shared directories named after their user names.

Procedure
  1. Open Map network drive on a Windows client.

    The following uses a Windows Server 2012 client as an example.

    Open File Explorer and choose Computer > Map network drive > Map network drive.

    NOTE:

    GUIs may be slightly different for clients running different versions of Windows operating systems. The actual GUIs prevail.

  2. In the displayed Map Network Drive dialog box, configure the network folder you want to map.

    • In Drive, specify the drive letter for the connection.
    • In Folder, specify the folder that you want to connect to. Select Connect using different credentials and click Finish.

      The folder is in the format of \\logical ip address\username.

      Here, logical ip address is the logical IP address of the storage system, and username is the user name of the Homedir share.

      NOTE:
      • To query the IP address of a logical port, choose Provisioning > Port > Logical Ports on DeviceManager.
      • If you use a domain authentication user, enter the domain user name in the ~Domain name~Domain user name format.
      • If you use a local authentication user, enter the user name of the local authentication user.

  3. In Windows Security, enter the user name and password for accessing the Homedir share.

    • In a domain, enter the domain user name in the Domain name/Domain user name format and the corresponding password.
    NOTE:

    After Homedir shares are allocated to domain users, do not modify the domain user information. Otherwise, the CIFS shares cannot be accessed.

    • In a non-domain environment, enter the user name and password of the local authentication user.

  4. Click OK.

Follow-up Procedure

To disconnect from a share, run net use [DeviceName] /del in the Windows CLI, where DeviceName is the drive letter to disconnect, such as z:.

If the information about a local authentication user or domain user is changed (for example, the user is disabled, the password is changed or expires, the relationship is changed, or the user is deleted) while a client is accessing a CIFS shared file system, the change takes effect the next time the client passes authentication (for example, when it mounts the shares again).

The storage system supports offline sharing. If a client with a mounted share is disconnected from the storage system, the client can still read and write a local duplicate. When the connection resumes, data modified offline in the local duplicate is synchronized automatically to the storage system. (If the shared data in the storage system is changed, you need to manually start the synchronization.)

Accessing a CIFS Homedir Share (Applicable to V300R006C10 and Later Versions)

This section describes how to access CIFS Homedir shares. A CIFS Homedir share gives each user access to the directory named after the user name under a specified file system directory.

Prerequisites
  • The CIFS service is running normally.
  • A CIFS client is connected to the storage network.
  • A CIFS user has been created.
  • A CIFS Homedir share has been created successfully.
Procedure
  1. Map the network drive on a client.

    The following uses a Windows Server 2012 client as an example.

    1. Open File Explorer and choose Computer > Map network drive > Map network drive.

      NOTE:

      GUIs may be slightly different for clients running different versions of Windows operating systems. The actual GUIs prevail.

    2. In the displayed Map Network Drive dialog box, configure the network folder you want to map.

      • In Drive, specify the drive letter for the connection.
      • In Folder, specify the folder that you want to connect to. Select Connect using different credentials and click Finish.

        The folder is in the format of \\logical ip address\sharename.

        Here, logical ip address is the IP address of the storage system's logical port that provides the CIFS Homedir share, and sharename is the name of the CIFS Homedir share.

        NOTE:
        • To query the IP address of a logical port, choose Provisioning > Port > Logical Ports on DeviceManager.
        • If a Homedir share named autohome exists in the system, the value of Folder can be in the following formats: \\logical IP address\username, \\logical IP address\~domain name~domain username, \\logical IP address\~, and \\logical IP address\autohome.

  2. Authenticate a user.

    In the displayed Windows Security dialog box, enter the user name and password for accessing the CIFS Homedir share.

    • In a domain, enter the domain user name in the Domain name/Domain user name format and the corresponding password.
    • In a non-domain environment, enter the user name and password of the local authentication user.

  3. Click OK.

    NOTE:

    In a shared directory, the name of a new file or directory can contain a maximum of 256 characters.

    If errors occur during the access, verify that:

    • The CIFS service is enabled.
    • The storage system is added into a correct AD domain.
    • The network between the client and storage system is normal.
    • The domain user has the access permission.

    Then, log in to DeviceManager to restart the CIFS service in CIFS Service. It takes a period of time for the CIFS service to take effect after the restart.

    Restarting the CIFS service interrupts all the ongoing CIFS share services. Before restarting the CIFS service, ensure that no CIFS share service is running.

CIFS Homedir Share Configuration Example

This section uses an example to explain how to configure a CIFS Homedir share.

Scenario

This section describes the customer's existing environment and requirements.

Network Diagram

Figure 3-17 shows the customer's network.

Figure 3-17 Customer's network diagram

The customer's live network can be summarized as follows:

  • All clients use the Windows operating system.
  • The clients of the three departments reside on the same LAN as the storage system.
Customer Requirements

A storage system is required to provide storage space for the School Office, Teaching Affairs Office, and Finance Office. The storage space must be allocated as follows:

  • Each of the three departments has 1 TB dedicated storage space.
  • Each of the three departments has read and write permissions to its own private directories.
  • Private directories of a department are invisible to other departments.
Requirement Analysis

This section provides an analysis of the customer's requirements and a solution.

Customer requirement analysis:

  • All clients use the Windows operating system, so the OceanStor storage system can use Homedir shares to provide storage space for the three departments respectively.
  • The Homedir multipath management function is supported, which allows employees to have their own private directories by setting rules for different Homedir shares.

Solution:

  • Table 3-54 describes the basic information of the three departments.
    Table 3-54 Basic information of the three departments

    Department              | Share Name | User Name of the CIFS Homedir Mapping Rule | Local User       | Local User Group
    School Office           | share01    | office*                                    | office_user01    | group01
    Teaching Affairs Office | share01    | education*                                 | education_user01 | group01
    Finance Office          | share01    | finance*                                   | finance_user01   | group01

  • group01 has complete control over share01.
Configuration Process

Figure 3-18 shows the configuration process, helping you understand the subsequent configuration.

Figure 3-18 Configuration process
NOTE:

This configuration process is only applicable to this configuration example. For the complete configuration process of CIFS Homedir share, see Configuration Process.

Configuration Procedure

This section describes how to configure a Homedir share on DeviceManager.

Creating a File System

File systems provide storage space for shares. You can create different file systems to provide storage space for different shares.

  1. On DeviceManager, choose Provisioning > File System.

    The File System page is displayed.

  2. Click Create.

    The Create File System dialog box is displayed.

  3. In the Create File System dialog box, configure parameters as planned.

    Table 3-55 describes related parameters.
    Table 3-55 Create File System parameters

    Parameter              | Planned Value
    Name                   | FileSystem
    Capacity               | 1 TB
    File System Block Size | 32 KB
    Quantity               | 3
    Owning Storage Pool    | StoragePool000

    NOTE:
    • When multiple file systems are created, the storage system automatically appends a number to each file system name to distinguish them. In this example, the created file systems are named FileSystem0000, FileSystem0001, and FileSystem0002.
    • Most files in the file system are assumed to be between 100 KB and 1 MB in size, so the file system block size is set to 32 KB.

  4. Click OK.
Creating a Local Authentication User Group

This section describes how to create a local authentication user group. Local authentication user groups help you control the share access permissions of local users.

  1. On DeviceManager, choose Provisioning > User Authentication.

    The User Authentication page is displayed.

  2. Click Local Authentication User Group.
  3. Click Create.

    The Local Authentication User Group dialog box is displayed.

  4. In User Group Name, enter group01.
  5. Click OK.

    The Success dialog box is displayed.

  6. Click OK.
Creating Local Authentication Users

This section describes how to create local authentication users. For applications that use local authentication, local authentication users are used to access a CIFS share.

  1. On DeviceManager, choose Provisioning > User Authentication.

    The User Authentication page is displayed.

  2. Click Create.

    The Local Authentication User dialog box is displayed.

  3. In the Local Authentication User dialog box, enter required local user information.

    Table 3-56 describes related parameters.
    Table 3-56 Local authentication user parameters

    Parameter        | Value
    Username         | office_user01
    Password         | Password
    Confirm Password | The same password, entered again
    Primary Group    | group01

  4. Click OK.

    The Success dialog box is displayed.

  5. Click OK.
  6. Repeat steps 2 to 5 to add users education_user01 and finance_user01 to user group group01.
Creating a CIFS Homedir Share

After creating a local user group and local users, you need to create a CIFS Homedir share. You can assign different permissions to different users when creating a CIFS Homedir share.

  1. On DeviceManager, choose Provisioning > Share.

    The Share page is displayed.

  2. Create a CIFS Homedir share.

    1. On the CIFS Homedir tab page, click Create.

      The Create CIFS Homedir Share Wizard page is displayed.

    2. Enter share01 for Share Name and %d/%w for Relative Directory.

      %d/%w is a wildcard pattern that automatically matches the user's domain name and user name, so that each user gets a private space.

    3. Click Next.

      The Set Permissions page is displayed.

    4. Click Next.

      The message "No permission for the user/user group to access the CIFS Homedir share. Are you sure you want to continue?" is displayed.

      NOTE:

      Access permission configurations for CIFS Homedir shares are described in step 3.

    5. Click OK.

      The Set Mapping Rule page is displayed.

    6. Click Next.

      The message "No mapping rule for the CIFS Homedir share. Are you sure you want to continue?" is displayed.

      NOTE:

      Mapping rule configurations for CIFS Homedir shares are described in step 4.

    7. Click OK.

      The Summary page is displayed.

    8. Click Finish.

      The Execution Result page is displayed.

    9. Click Close.

  3. Configure access permissions for the CIFS Homedir share.

    1. Select share01.
    2. In Users/User Groups, click Add.

      The Add User/User Group dialog box is displayed.

    3. In User/User Group, select Local authentication user group. In Name, click Find.

      The Find Local Authentication User Group dialog box is displayed.

    4. Select user group group01 and click OK.

      The Add User/User Group dialog box is displayed.

    5. In Permission Level, select Read and write. Click OK.

      The Execution Result dialog box is displayed.

    6. Click Close.

  4. Add mapping rules for the CIFS Homedir share.

    1. Select share01.
    2. Click Add on the CIFS Homedir Mapping Rule tab page.

      The Add CIFS Homedir Mapping Rule dialog box is displayed.

    3. Enter office* for Username.
    4. Click the button next to File System.

      The Select File System dialog box is displayed.

    5. Select the file system whose Name is set to FileSystem0000, and click OK.

      The Add CIFS Homedir Mapping Rule dialog box is displayed.

    6. Click OK.

      The Warning dialog box is displayed.

    7. Confirm the information in the dialog box, select I have read and understand the consequences associated with performing this operation, and click OK.

      The Success dialog box is displayed.

    8. Click OK.

  5. Repeat 4 to add mapping rules for the CIFS Homedir share.

    Table 3-57 describes mapping rules.
    Table 3-57 Mapping rule plan

    Department              | Homedir Share Name | Username of the Mapping Rule | File System Name | Local User       | Local User Group
    School Office           | share01            | office*                      | FileSystem000    | office_user01    | group01
    Teaching Affairs Office | share01            | education*                   | FileSystem001    | education_user01 | group01
    Finance Office          | share01            | finance*                     | FileSystem002    | finance_user01   | group01

Accessing Shared Space

This section describes how to map the network drive on a client of the School Office. You can map the network drives on the other clients in the same way. User names education_user01 and finance_user01 must be used to map the network drives on the clients of the Teaching Affairs Office and Finance Office.

  1. Map a network drive to a client.

    The following uses a Windows Server 2012 client as an example.

    1. Open File Explorer and choose Computer > Map network drive > Map network drive.

      NOTE:

      GUIs may be slightly different for clients running different versions of Windows operating systems. The actual GUIs prevail.

    2. In Folder, enter \\192.168.50.16\share01, and select Connect using different credentials.

      192.168.50.16 is the logical IP address of the storage system.

    3. Click Finish.

  2. Authenticate a user.

    1. In the Windows Security dialog box, enter local user name office_user01 in User name.
    2. In Password, enter the password of user office_user01.
    3. Click OK.

  3. View the shared space.

Updated: 2019-07-12

Document ID: EDOC1000138856
