OceanStor 2600 V3 Video Surveillance Edition V300R006 Basic Storage Service Configuration Guide for File

This document is applicable to OceanStor 2600 V3 Video Surveillance Edition. It describes the basic storage services and explains how to configure and manage them on the storage system.
Configuring a CIFS Share

This section describes how to configure a CIFS share.

Configuration Process

Figure 3-8 shows the CIFS share configuration process.

Figure 3-8 CIFS share configuration process

Preparing Data

Before configuring a CIFS share in a storage system, plan and collect required data to facilitate follow-up service configurations.

You need to prepare the following data:

  • Logical IP address

    Logical IP address used by a storage system to provide shared space for clients.

  • File system

    File system or its quota tree configured as a CIFS share.

  • Name of a CIFS share
  • Permission

    Permission of a user or user group to access a CIFS share, including:

    • Full control: The user can fully control the CIFS share.
    • Read-only: The user can only read the CIFS share.
    • Read and write: The user can read and write the CIFS share.
    • Forbidden: The user cannot access the CIFS share.
  • Local authentication user

    Users for local authentication of the storage system in a non-domain environment.

  • AD domain information
  • DNS

    IP address of the DNS server.

NOTE:

Contact your network administrator to obtain the required data.

Checking the License File

Each value-added feature requires a license file for activation. Before configuring a value-added feature, ensure that its license file is valid for the feature.

Context

On DeviceManager, the CIFS feature is displayed in Feature as CIFS Protocol.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > License Management.
  3. Check the active license files.

    • For V300R006C20, perform the following steps to check the activated license file:
      1. In the navigation tree on the left, choose Active License.
      2. In the middle information pane, verify the information about active license files.
    • For V300R006C30 and later versions, you can view all activated license files in the function pane at the lower part of the License Management page.

Follow-up Procedure
  • If no license for the feature is available, apply for and import a license file. For details about how to apply for and import a license file, see the installation guide specific to your product model.
  • If the storage system generates an alarm indicating that the license has expired, obtain and import the license again.

Configuring a Network

Before configuring shared services, plan and configure a network properly for accessing and managing file services.

(Optional) Bonding Ethernet Ports

This section describes how to bond Ethernet ports on the same controller.

Prerequisites

Ethernet ports to be bonded are not configured with any IP addresses.

Context
  • Port bonding provides more bandwidth and link redundancy. Although ports are bonded, each host still transmits data through a single port and the total bandwidth can be increased only when there are multiple hosts. Determine whether to bond ports based on site requirements.
  • Port bonding on a storage system has the following restrictions:
    • Only Ethernet ports with the same rate (GE or 10GE) on the same controller can be bonded. A maximum of eight Ethernet ports can be bonded into one bond port.
    • Ethernet ports on a SmartIO interface module cannot be bonded if they are in cluster or FC mode or run FCoE service in FCoE/iSCSI mode.
    • The MTU of bonded SmartIO ports must be the same as that of the hosts.
    • Read-only users are unable to bond Ethernet ports.
    • A port can only be added to one bond port.
    • A member in a port group cannot be added to a bond port.
  • After Ethernet ports are bonded, the MTU is reset to the default value, and you must set the link aggregation mode on the switch ports they connect to. On Huawei switches, set the ports to work in static LACP mode.

    The link aggregation modes vary with switch manufacturers. If a non-Huawei switch is used, contact technical support of the switch manufacturer for specific link aggregation configurations.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > Bond Ports.
  3. Click Create.

    The Create Bond Port dialog box is displayed.

  4. Set the name, controller, interface module, and optional ports that can be bonded.

    1. Specify Name for the bond port.

      The name:

      • Contains only letters, digits, underscores (_), periods (.), and hyphens (-).
      • Contains 1 to 31 characters.
    2. From Controller, select the owning controller of the Ethernet ports to be bonded.
    3. Specify Interface Module.
    4. From the Optional port list, select the Ethernet ports you want to bond.
      NOTE:
      • Select at least two ports.
      • The port name format is controller enclosure ID.interface module ID.port ID.
    5. Click OK.

      The security alert dialog box is displayed.

  5. Confirm the bonding of the Ethernet ports.

    1. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
    2. Click OK.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.

(Optional) Creating a VLAN

Ethernet ports and bond ports on a storage system can be added into multiple independent VLANs. You can configure different services in different VLANs to ensure the security and reliability of service data.

Prerequisites

The Ethernet ports for which you want to create VLANs have not been assigned IP addresses or used for networking.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > VLAN.
  3. Click Create.

    The Create VLAN dialog box is displayed.

  4. Select the type of ports used to create VLANs from the Port Type drop-down list.

    Port Type can be Ethernet port or Bond port.

  5. In the port list, select the desired Ethernet port or bond port.
  6. In ID, enter the VLAN ID and click Add.

    NOTE:
    • The VLAN ID ranges from 1 to 4094. You can enter a single VLAN ID or VLAN IDs in batches in the format of "start ID-end ID".
    • To remove a VLAN ID, select it and click Remove.

  7. Click OK.

    The Execution Result dialog box is displayed, indicating that the operation succeeded.

  8. Click Close.
Creating a Logical Port

This section describes how to create a logical port for managing and accessing files based on Ethernet ports, bond ports, or VLANs.

Context

The logical ports are virtual ports that carry host services. A unique IP address is allocated to each logical port for carrying services.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > Logical Ports.
  3. Click Create.

    The Create Logical Port dialog box is displayed.

  4. In the Create Logical Port dialog box, configure related parameters.

    Table 3-24 describes the related parameters.

    NOTE:

    GUIs may vary with product versions and models. The actual GUIs prevail.

    Table 3-24 Logical port parameters

    • Name: Name of the logical port. The name must be unique, can contain only letters, digits, underscores (_), periods (.), and hyphens (-), and must contain 1 to 31 characters. Example: Lif01
    • IP Address Type: IP address type of the logical port, IPv4 Address or IPv6 Address. Example: IPv4 Address
    • IPv4 Address: IPv4 address of the logical port. Example: 192.168.50.16
    • Subnet Mask: IPv4 subnet mask of the logical port. Example: 255.255.255.0
    • IPv4 Gateway: IPv4 gateway of the logical port. Example: 192.168.50.1
    • IPv6 Address: IPv6 address of the logical port. Example: fc00::1234
    • Prefix: IPv6 prefix length of the logical port. Example: 64
    • IPv6 Gateway: IPv6 gateway of the logical port. Example: fc00::1
    • Home Port: Port to which the logical port belongs: an Ethernet port, a bond port, or a VLAN. Example: CTE0.A.IOM0.P0
    • Failover Group: Name of the failover group. If a failover group is specified, services on the failed home port are taken over by a port in that group; if none is specified, a port in the default failover group takes over. Example: System-defined
    • IP Address Failover: When enabled, services fail over to another normal port within the failover group if the home port fails, and the IP address used by the services remains unchanged. Shares of file systems do not support multipathing, so IP address failover is what provides link reliability for them. Example: Enable
    • Failback Mode: Mode in which services fail back to the home port after it recovers, Manual or Automatic. In both modes the link to the home port must be normal before the failback, and the failback is performed only after the link has stayed normal for more than five minutes; in Manual mode you trigger the failback, in Automatic mode the system performs it. Example: Automatic
    • Activate Now: Activates the logical port immediately. Example: Enable
    • Role: Role of the logical port:
      • Management: The port is used by a super administrator to log in to the system for management.
      • Service: The port is used by clients to access services such as CIFS shares.
      • Management+Service: The port carries both management logins and service access.
      Example: Service
    • Dynamic DNS: When enabled, the DNS record for the IP address configured on the logical port is updated automatically and periodically. Example: Enable
    • Listen DNS Query Request: When enabled, external NEs can use the IP address of this logical port to reach the DNS service provided by the storage system. Example: Disabled
    • DNS Zone: Name of the DNS zone. If you do not specify this parameter, the logical port is not used for DNS-based load balancing. Only logical ports whose Role is Service or Management+Service can be added to a DNS zone; ports whose Role is Management cannot. One logical port can be associated with only one DNS zone, while one DNS zone can be associated with multiple logical ports, including both IPv4 and IPv6 ports. The load balancing effect depends on how the zone's logical ports are distributed; for the best effect, distribute them evenly among controllers. Example: None

  5. Click OK.

    The Success dialog box is displayed, indicating that the logical port has been successfully created.

  6. Click OK.
(Optional) Configuring DNS-based Load Balancing Parameters

The DNS-based load balancing feature can detect loads on various IP addresses on a storage system in real time and use a proper IP address as the DNS response to achieve load balancing among IP addresses.

Context

Working principle:

  1. When a host accesses the NAS service of a storage system using a domain name, the host first sends a DNS request to the built-in DNS server and the DNS server obtains the IP address according to the domain name.
  2. If the domain name contains multiple IP addresses, the storage system selects the IP address with a light load as the DNS response based on the configured load balancing policy and returns the DNS response to the host.
  3. After receiving the DNS response, the host sends a service request to the destination IP address.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > DNS-based Load Balancing.

    Table 3-25 lists parameters related to DNS-based load balancing.
    Table 3-25 DNS-based load balancing parameters

    • DNS-based Load Balancing: Enables or disables DNS-based load balancing. When enabling it, you are advised to disable the GNS forwarding function, which interferes with DNS-based load balancing. After DNS-based load balancing is disabled, the domain name resolution service is unavailable and file systems cannot use the function. This parameter can be set only in the system view, not in the vStore view; the setting takes effect for the entire storage system. Example: Enabled
    • Load Balancing Policy: Policy used to choose the IP address returned in the DNS response when a client resolves a domain name:
      • Weighted round robin: The storage system calculates weights from performance data and rotates through the IP addresses under the domain name, so that each address has the same probability of being selected to process client services.
      • CPU usage: The weight is calculated from the CPU usage of each node and used as the probability reference for selecting the node that processes the client's request.
      • Bandwidth usage: The weight is calculated from the total bandwidth usage of each node and used as the probability reference for selecting the node.
      • Open connections: The weight is calculated from the number of NAS connections on each node and used as the probability reference for selecting the node.
      • Overall load: The node is selected based on a comprehensive load calculated from CPU usage, bandwidth usage, and number of NAS connections; less loaded nodes are more likely to be selected.
      This parameter can be set only in the system view, not in the vStore view; the setting takes effect for the entire storage system. Example: Weighted round robin

  3. Configure a DNS zone.

    A DNS zone contains IP addresses of a group of logical ports. A host can use the name of a DNS zone to access shared services provided by a storage system. Services can be evenly distributed to logical ports.

    NOTE:

    Only the logical ports whose Role is Service or Management+Service can be added to a DNS zone. The logical ports whose Role is Management cannot be added to a DNS zone.

    1. Add a DNS zone.
      1. Click Add.
      2. The Add DNS Zone dialog box is displayed. In Domain Name, type the domain name of the DNS zone you want to add and click OK.
      NOTE:

      The domain name complexity requirements are as follows:

      • The domain name can contain 1 to 255 characters and consists of multiple labels separated by periods (.).
      • A label can contain 1 to 63 characters including letters, digits, hyphens (-), and underscores (_), and must start and end with a letter or a digit.
      • The domain name must be unique.
    2. Remove a DNS zone.
      1. In the DNS zones that are displayed, select a DNS zone you want to remove.
      2. Click Remove.
    3. Modify a DNS zone.
      1. In the DNS zones that are displayed, select a DNS zone you want to modify.
      2. Click Modify.
      3. The Modify DNS Zone dialog box is displayed. In Domain Name, type the domain name of the DNS zone you want to modify and click OK.
    4. View a DNS zone.
      1. In DNS Zone, type a keyword and click Search.
      2. In DNS Zone, the DNS zone names relevant to the keyword will be displayed.
    NOTE:

    You can select a DNS zone to modify or remove it.

  4. Click Save.

    The Warning dialog box is displayed.

  5. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
  6. Click OK.

    The Execution Result page is displayed.

  7. On the Execution Result page, confirm the modification and click Close. The DNS zone configuration is complete.
Follow-up Procedure

After associating logical ports with a DNS zone, configuring logical ports to listen to DNS requests, setting a DNS-based load balancing policy, and enabling DNS-based load balancing, you need to configure DNS server addresses on clients. For details about how to configure and use DNS-based load balancing, see How Can I Configure and Use DNS-based Load Balancing?
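The following Python script is an added example, not part of the Huawei document or product: it simulates how the load balancing policies in Table 3-25 distribute DNS answers across logical ports, and it checks a proposed DNS zone name against the domain name rules in step 3. The exact weight formulas are not published on this page, so the script assumes a node's weight is its remaining headroom (1 minus the fraction of CPU or bandwidth in use, or of an assumed maximum connection count) and that Overall load averages the three headrooms equally; the node names, IP addresses and metrics are constructed sample data.

```python
import random
import re

# One DNS label: 1 to 63 characters, letters/digits/hyphen/underscore, must start
# and end with a letter or digit (rules stated under "Add a DNS zone").
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9])?$")


def validate_dns_zone_name(name, existing=()):
    """Return None if the zone name is acceptable, otherwise a problem string."""
    if not 1 <= len(name) <= 255:
        return "domain name must contain 1 to 255 characters"
    if name.lower() in {e.lower() for e in existing}:
        return "domain name must be unique"
    for label in name.split("."):
        if not LABEL_RE.match(label):
            return f"invalid label: {label!r}"
    return None


# Constructed sample: two controllers, each with one Service logical port in the
# zone. cpu/bandwidth are fractions of capacity; connections is a raw count.
NODES = {
    "0A": {"ip": "192.168.50.16", "cpu": 0.20, "bandwidth": 0.70, "connections": 40},
    "0B": {"ip": "192.168.50.17", "cpu": 0.80, "bandwidth": 0.10, "connections": 10},
}
MAX_CONNECTIONS = 100  # assumed per-node capacity used to normalise Open connections

POLICIES = ("Weighted round robin", "CPU usage", "Bandwidth usage",
            "Open connections", "Overall load")


def _headroom(node, metric):
    if metric == "connections":
        return max(0.0, 1 - node["connections"] / MAX_CONNECTIONS)
    return max(0.0, 1 - node[metric])


def weights(nodes, policy):
    """Per-node selection weight under a policy (assumption: weight = headroom)."""
    out = {}
    for name, node in nodes.items():
        if policy == "Weighted round robin":
            out[name] = 1.0  # every address equally likely, as the table states
        elif policy == "CPU usage":
            out[name] = _headroom(node, "cpu")
        elif policy == "Bandwidth usage":
            out[name] = _headroom(node, "bandwidth")
        elif policy == "Open connections":
            out[name] = _headroom(node, "connections")
        elif policy == "Overall load":
            out[name] = sum(_headroom(node, m) for m in ("cpu", "bandwidth", "connections")) / 3
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return out


def dns_answer(nodes, policy, rng=random):
    """IP address returned for one query: weighted random choice among the nodes."""
    w = weights(nodes, policy)
    names = list(w)
    if sum(w.values()) == 0:          # every node saturated: fall back to uniform choice
        return nodes[rng.choice(names)]["ip"]
    return nodes[rng.choices(names, weights=[w[n] for n in names])[0]]["ip"]


def simulate(nodes, policy, queries=10000, seed=1):
    """Count how many answers each IP address receives over many queries."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(queries):
        ip = dns_answer(nodes, policy, rng)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print(validate_dns_zone_name("nas.example.com"))
    for policy in POLICIES:
        print(f"{policy:22s}", simulate(NODES, policy))
```

Running it shows the trade-off the table describes: under CPU usage almost all answers go to controller 0A, under Bandwidth usage to 0B, and Overall load lands in between, which is why the choice of policy should follow whichever resource the video workload actually saturates.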

(Optional) Managing the Routes of a Logical Port

When configuring share access, ensure that the logical port can ping the IP addresses of the domain controller, DNS server, and clients. If the ping test fails, add routes from the IP address of the logical port to the network segment of the domain controller, DNS server, or clients.

Prerequisites

The logical port has been assigned an IP address.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Port > Logical Ports.
  3. Select the logical port for which you want to add a route and click Route Management.

    The Route Management dialog box is displayed.

  4. Configure the route information for the logical port.

    1. Click Add.

      The Add Route dialog box is displayed.

    NOTE:

    The default IP addresses of the internal heartbeat on a dual-controller storage system are 127.127.127.10 and 127.127.127.11, and those on a four-controller storage system are 127.127.127.10, 127.127.127.11, 127.127.127.12, and 127.127.127.13. Therefore, the destination address cannot fall within the 127.127.127.XXX segment, and the gateway cannot be 127.127.127.10, 127.127.127.11, 127.127.127.12, or 127.127.127.13; otherwise, routing fails. (Internal heartbeat links are established between controllers so that the controllers can detect each other's working status. You do not need to connect cables for them separately. Internal heartbeat IP addresses are assigned before delivery and cannot be changed.)

    2. In Type, select the type of the route to be added.

      Possible values are Default route, Host route, and Network segment route.

    3. Set Destination Address.
      • If the logical port has an IPv4 address, set Destination Address to the IPv4 address or network segment of the application server's service network port or of the other storage system's logical port.
      • If the logical port has an IPv6 address, set Destination Address to the IPv6 address or network segment of the application server's service network port or of the other storage system's logical port.
    4. Set Destination Mask (IPv4) or Prefix (IPv6).
      • Destination Mask specifies the subnet mask of the IPv4 address of the service network port on the application server or storage device.
      • Prefix specifies the prefix length of the IPv6 address of the application server's service network port or of the other storage system's logical port.
    5. In Gateway, enter the gateway for the IP address of the local storage system's logical port.

  5. Click OK. The route information is added to the route list.

    The security alert dialog box is displayed.

  6. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
  7. Click OK.

    The Success dialog box is displayed, indicating that the operation succeeded.

    NOTE:

    To remove a route, select it and click Remove.

  8. Click Close.
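The following Python function is an added example, not part of the Huawei document or product: it checks a route before it is entered in the Add Route dialog box, applying the two constraints stated above (the destination must not fall within 127.127.127.XXX and the gateway must not be one of the four internal heartbeat addresses). It additionally checks that the gateway lies in the logical port's own subnet; that is ordinary IP routing logic added here, not a rule from the page. The sample addresses are constructed.

```python
import ipaddress

# Internal heartbeat segment and the four factory-assigned heartbeat addresses.
HEARTBEAT_SEGMENT = ipaddress.ip_network("127.127.127.0/24")
HEARTBEAT_IPS = {ipaddress.ip_address(f"127.127.127.{n}") for n in (10, 11, 12, 13)}
DEFAULT_ROUTES = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}


def validate_route(port_ip, port_mask, route_type, destination=None, mask=None, gateway=None):
    """Return a list of problems with the proposed route (empty list = acceptable).

    port_ip/port_mask: address and mask (dotted mask or prefix length) of the logical port.
    route_type: "Default route", "Host route" or "Network segment route".
    destination/mask: Destination Address and Destination Mask/Prefix as entered.
    gateway: Gateway as entered.
    """
    problems = []
    port_net = ipaddress.ip_interface(f"{port_ip}/{port_mask}").network
    gw = ipaddress.ip_address(gateway)

    if gw in HEARTBEAT_IPS:
        problems.append(f"gateway {gw} is an internal heartbeat address")
    if gw.version != port_net.version or gw not in port_net:
        problems.append(f"gateway {gw} is not in the logical port's subnet {port_net}")

    if route_type == "Default route":
        dest_net = DEFAULT_ROUTES[gw.version]
    elif route_type == "Host route":
        dest_net = ipaddress.ip_network(destination)        # single address: /32 or /128
    elif route_type == "Network segment route":
        dest_net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
    else:
        problems.append(f"unknown route type {route_type!r}")
        return problems

    # A default route necessarily overlaps every segment, so only explicit
    # destinations are checked against the heartbeat segment.
    if (dest_net.version == 4 and dest_net != DEFAULT_ROUTES[4]
            and dest_net.overlaps(HEARTBEAT_SEGMENT)):
        problems.append(f"destination {dest_net} falls within the internal heartbeat "
                        f"segment {HEARTBEAT_SEGMENT}")
    return problems


if __name__ == "__main__":
    # Logical port 192.168.50.16/24 (the example values from Table 3-24); sample routes.
    print(validate_route("192.168.50.16", "255.255.255.0", "Network segment route",
                         "10.20.0.0", "255.255.0.0", "192.168.50.1"))
    print(validate_route("192.168.50.16", "255.255.255.0", "Host route",
                         "127.127.127.50", None, "192.168.50.1"))
    print(validate_route("192.168.50.16", "255.255.255.0", "Default route",
                         gateway="127.127.127.10"))
```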

Setting the CIFS Service

Before creating a share, enable and configure the CIFS service.

Prerequisites

The license for the CIFS protocol has been imported and activated.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > CIFS Service.
  3. In CIFS Service, select Enable.
  4. Configure CIFS service parameters.

    1. Configure parameters described in Table 3-26 based on site conditions.

      Table 3-26 CIFS service parameters

      • Authentication Mode: Authentication mode for accessing a CIFS share.
        • Local authentication: A local authentication user accesses a CIFS share in a non-domain environment.
        • Domain authentication: A domain user accesses a CIFS share in an AD domain.
        • Global authentication: Local authentication is tried first; if it fails, domain authentication is used.
        Default value: Global authentication
      • Performance Settings: Parameters that improve CIFS share access efficiency.
        • Oplock: Opportunistic locking adjusts the cache policies of clients, improving performance and network utilization. Enabling Oplock is not advised when high data integrity is required (data in a client's local cache may be lost if the network is interrupted or the client breaks down, and if the upper-layer service software has no mechanism for data integrity, recovery, or retry, data loss may occur) or when multiple clients access the same file (system performance is adversely affected).
        • Notify: When enabled, a client's operations on a directory (adding a sub-directory, adding a file, modifying the directory, modifying a file) can be detected by other clients that are accessing this directory or its parent directory.
        Default value: Enabled
      • Security Settings: After the guest service is enabled, users can access shared directories without user names or passwords and have the same permissions as the Everyone local authentication group. Unauthorized users can then access shared directories as a guest user, which may cause information security issues; you are advised to leave this function disabled.
        Default value: Disabled
      • Access Settings: After ABSE (access-based share enumeration) is enabled, only the CIFS shares that a user has permission to access are displayed when the user views the CIFS share information. It takes 10 to 20 minutes to load the CIFS share permission information after the storage system is powered on, and the function does not take effect during that period. You are advised to enable this function: if it is disabled, users can see all shares, including those they have no permission to access, which exposes the other shares to reconnaissance.
        Default value: Disabled
      • Signature Settings: SMB signing enhances CIFS share access security.
        • Signature: Selecting this option makes the storage system support signing for clients that use SMB 1.0. For clients that use a version later than SMB 1.0, the system supports signing by default. Whether signing is actually used also depends on the registry settings of the clients; if those settings are not modified as required, signing is not used by default.
        • Signature enforcement: Selecting this option makes the storage system require signing whether or not the clients have enabled it.
        If signing is disabled, the storage system may be exposed to man-in-the-middle (MITM) attacks.
        Default value: Disabled

    2. Click Save.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.
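The Signature Settings rows in Table 3-26 describe a negotiation, and the practical question is which combinations of storage-side and client-side settings actually produce signed sessions. The following Python model is an added example, not part of the Huawei document or product. It follows the signing rules Microsoft documents for SMB 1 (MS-SMB) and SMB 2/3 (MS-SMB2): signing is used whenever either side requires it, an SMB 1 session is also signed when both sides merely enable it, and a side that requires signing refuses a peer that cannot sign. The client fields correspond to the Windows registry values EnableSecuritySignature and RequireSecuritySignature under the LanmanWorkstation parameters; modelling "Signature not selected" as "no signing support offered to SMB 1.0 clients" is an assumption about the storage system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerSigning:
    signature: bool     # DeviceManager "Signature": offer signing to SMB 1.0 clients
    enforcement: bool   # DeviceManager "Signature enforcement": require signing


@dataclass(frozen=True)
class ClientSigning:
    dialect: str        # "SMB1" or "SMB2+" (SMB 2.x / 3.x)
    enabled: bool       # EnableSecuritySignature (SMB 2+ clients are always capable)
    required: bool      # RequireSecuritySignature


def negotiate(server: ServerSigning, client: ClientSigning) -> str:
    """Outcome of the signing negotiation: 'signed', 'unsigned' or 'refused'."""
    if client.dialect == "SMB1":
        server_supports = server.signature or server.enforcement
        client_supports = client.enabled or client.required
    else:
        # Per the table, the storage system supports signing for SMB 2+ by default,
        # and every SMB 2+ client can sign.
        server_supports = client_supports = True

    if server.enforcement and not client_supports:
        return "refused"               # storage system insists, client cannot sign
    if client.required and not server_supports:
        return "refused"               # client insists, storage system cannot sign
    if server.enforcement or client.required:
        return "signed"
    if client.dialect == "SMB1" and server_supports and client_supports:
        return "signed"                # SMB 1 only: enabled on both sides is enough
    return "unsigned"                  # SMB 2+: enabled-but-not-required stays unsigned


def exposure_matrix():
    """All combinations; rows whose outcome is 'unsigned' are MITM-exposed sessions."""
    rows = []
    for signature in (False, True):
        for enforcement in (False, True):
            for dialect in ("SMB1", "SMB2+"):
                for enabled in (False, True):
                    for required in (False, True):
                        s = ServerSigning(signature, enforcement)
                        c = ClientSigning(dialect, enabled, required)
                        rows.append((s, c, negotiate(s, c)))
    return rows


def unsigned_sessions_possible(server: ServerSigning) -> bool:
    """True if some client configuration can still obtain an unsigned session."""
    return any(r == "unsigned" for s, _, r in exposure_matrix() if s == server)


if __name__ == "__main__":
    for s, c, r in exposure_matrix():
        print(f"server(sig={s.signature}, enforce={s.enforcement}) "
              f"client({c.dialect}, enabled={c.enabled}, required={c.required}) -> {r}")
    print("unsigned possible with Signature only:",
          unsigned_sessions_possible(ServerSigning(True, False)))
    print("unsigned possible with enforcement:",
          unsigned_sessions_possible(ServerSigning(True, True)))
```

The matrix makes the security point of the table concrete: with Signature selected but Signature enforcement cleared, a default Windows client (signing enabled, not required) still gets an unsigned SMB 2/3 session, so only Signature enforcement closes the MITM window on the storage side; the cost is that SMB 1.0 clients with signing disabled are refused.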

Configuring a Local Authentication User (Group)

In a non-domain environment, you must configure a local authentication user (group). The storage system enables you to allocate different CIFS share access permissions to different users (groups).

(Optional) Creating a Local Authentication User Group

This section describes how to create a local authentication user group. Local authentication user groups help you control the share access permissions of local authentication users.

Context

The following four local authentication user groups are automatically created and cannot be deleted:

  • default_group: default user group. When the group members access shared file systems, they must be authenticated to obtain their permissions.
  • Administrators: administrator group.
    • For V300R006C50 and earlier versions, when the group members access shared file systems, they do not need to be authenticated by share level ACLs or directory/file level NT ACLs. They can operate any file in any share with administrator permissions.
    • For V300R006C60 and later versions, you can run the change service cifs administrators_privileg=? command to change the permissions of members in the Administrators group. For details about the command, see the command reference specific to your product model. The values of administrators_privileg are described as follows:
      • admin (default value): When the group members access shared file systems, they do not need to be authenticated by share level ACLs or directory/file level NT ACLs. They can operate any file in any share with administrator permissions.
      • default_group: The group members have the same permissions as those in the default user group.
      • owner: The group members have the permissions to query and set file/directory ACLs and change file/directory owners. When the group members access shared file systems, they need to be authenticated by directory/file level NT ACLs, but do not need to be authenticated by share level ACLs.

      Modified permissions take effect only after users are re-authenticated on clients.

      NOTE:
      • Access control list (ACL): a collection of permissions that are authorized to users or user groups to operate shared files. ACL permissions involve ACL permission storage and ACL permission authentication. When a user accesses a share, the system checks the permissions of the user and determines whether the user can write or read the share based on the ACL permissions. Each ACL permission is stored as an Access Control Entry (ACE). After CIFS shares are mounted to a Windows client, the client sends NT ACLs to a server (a storage system that provides CIFS shares).
      • For V300R006C60 and later versions, you can run the show service cifs command and check the administrator group permissions in the returned Administrators Privilege field. Alternatively, you can choose Provisioning > User Authentication > Local Authentication User Group on DeviceManager and check permissions in Description for Administrators.
  • AntivirusGroup: antivirus user group. The group members can use third-party antivirus software to scan for shared file systems. They have administrator permissions.
  • Backup Operators: backup user group. The group members can use third-party backup software to back up and recover shared file systems. They do not have administrator permissions.
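
The description of the Administrators group above is really a description of a two-stage authorization check (share-level ACL, then directory/file-level NT ACL) and of which stages each administrators_privileg value bypasses. The following Python model is an added example, not part of the Huawei document or product, that makes those semantics explicit, using the share permission levels from "Preparing Data" (Full control, Read and write, Read-only, Forbidden). The rights attached to each share permission level, the rule that a Forbidden entry overrides any other share-level grant, and deny-before-allow evaluation of NT ACEs are simplifying assumptions made here; the users, groups and ACLs are constructed sample data.

```python
from dataclasses import dataclass, field

# Rights implied by each share-level permission (assumption: Full control adds the
# right to change permissions on top of Read and write).
SHARE_RIGHTS = {
    "Full control": {"read", "write", "change_permissions"},
    "Read and write": {"read", "write"},
    "Read-only": {"read"},
    "Forbidden": set(),
}


@dataclass
class User:
    name: str
    groups: set            # primary group plus any secondary groups


@dataclass
class Ace:
    principal: str         # user or group name
    allow: bool            # False means a deny ACE
    rights: set


@dataclass
class Share:
    acl: dict                                      # principal -> share permission level
    file_acl: list = field(default_factory=list)   # NT ACEs on the file or directory


def principals(user):
    return {user.name} | set(user.groups)


def share_level_allows(user, share, right):
    """Stage 1: union of the share permissions granted to the user and their groups."""
    levels = [share.acl[p] for p in principals(user) if p in share.acl]
    if not levels or "Forbidden" in levels:        # assumption: Forbidden overrides
        return False
    granted = set().union(*(SHARE_RIGHTS[level] for level in levels))
    return right in granted


def nt_acl_allows(user, share, right):
    """Stage 2: NT ACL; a matching deny ACE wins over any allow ACE (assumption)."""
    matching = [a for a in share.file_acl if a.principal in principals(user)]
    if any(not a.allow and right in a.rights for a in matching):
        return False
    return any(a.allow and right in a.rights for a in matching)


def authorize(user, share, right, administrators_privilege="admin"):
    """administrators_privilege mirrors administrators_privileg: admin, default_group or owner."""
    is_admin = "Administrators" in user.groups
    if is_admin and administrators_privilege == "admin":
        return True                                 # neither stage is checked
    if is_admin and administrators_privilege == "owner":
        return nt_acl_allows(user, share, right)    # share ACL skipped, NT ACL enforced
    # default_group, or a user who is not an Administrators member: both stages
    return share_level_allows(user, share, right) and nt_acl_allows(user, share, right)


def effective_access(user, share, administrators_privilege="admin"):
    return {r: authorize(user, share, r, administrators_privilege)
            for r in ("read", "write", "change_permissions")}


# Constructed sample data: a read-only camera archive share.
ALICE = User("alice", {"default_group"})
CAROL = User("carol", {"default_group"})
BOB = User("bob", {"Administrators"})
CAMERA_SHARE = Share(
    acl={"default_group": "Read-only"},
    file_acl=[
        Ace("default_group", True, {"read"}),
        Ace("alice", False, {"read"}),             # explicit deny for one operator
        Ace("Administrators", True, {"read"}),
    ],
)

if __name__ == "__main__":
    for mode in ("admin", "default_group", "owner"):
        print(f"bob with administrators_privileg={mode}:", effective_access(BOB, CAMERA_SHARE, mode))
    print("alice:", effective_access(ALICE, CAMERA_SHARE))
    print("carol:", effective_access(CAROL, CAMERA_SHARE))
```

The sample output shows why the default admin value deserves attention in a surveillance deployment: bob can write to and re-permission a share whose ACLs never mention him, whereas owner limits him to what the NT ACL grants and default_group, because the share ACL has no entry for Administrators, grants him nothing at all.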
Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > User Authentication > Local Authentication User Group.
  3. Click Create.

    The Local Authentication User Group dialog box is displayed.

  4. Specify User Group Name.

    NOTE:
    • Cannot contain the quotation mark ("), slash (/), backslash (\), square brackets ([]), less-than sign (<), greater-than sign (>), plus sign (+), colon (:), semicolon (;), comma (,), question mark (?), asterisk (*), vertical bar (|), equal sign (=), or at sign (@), and cannot end with a period (.). Spaces at the beginning and end of a user group name are dropped.
    • Is case-insensitive; therefore, you cannot create both an aa and an AA user group.
    • Cannot be the same as the name of a local authentication user.
    • Must contain 1 to 63 characters.

  5. Optional: Specify Description.
  6. Click OK.

    The Success dialog box is displayed, indicating that the operation succeeded.

  7. Click OK.
Creating a Local Authentication User

This section describes how to create a local authentication user. For applications that use local authentication, local user accounts are used to access a share. You can add a local user to a user group and access a share as the user group.

Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > User Authentication.
  3. Click the Local Authentication User tab.
  4. Click Create.

    The Local Authentication User dialog box is displayed.

  5. Specify Username.

    A user name:

    • Cannot contain a space, double quotation mark ("), slash (/), backslash (\), square brackets ([]), less-than sign (<), greater-than sign (>), plus sign (+), colon (:), semicolon (;), comma (,), question mark (?), asterisk (*), vertical bar (|), equal sign (=), or at sign (@), and cannot end with a period (.).
    • Is case-insensitive; therefore, you cannot create both an aaaaaaaa and an AAAAAAAA user.
    • Cannot be the same as the name of a local authentication user group.
    • Must contain 8 to 32 characters by default.
    NOTE:

    You can modify the minimum length of user name by choosing More > Set Security Policies.

  6. Specify Password.

    By default, a password:

    • Contains 8 to 16 characters.
    • Contains special characters, from !"#$%&'()*+,-./:;<=>?@[\]^`{_|}~ and the space.
    • Contains characters from at least two of the following types: uppercase letters, lowercase letters, and digits.
    • Does not contain three consecutive identical characters.
    • Differs from the user name and from the reverse of the user name.
    NOTE:

    Click More and choose Set Security Policies to set a security policy for the password of a local authentication user. If Password Validity Period (days) is not selected, your password will never expire. For the security purpose, you are advised to select Password Validity Period (days) and set a validity period. After the password expires, you cannot access shares, but you can set a password again or modify the password security policy.

  7. In Confirm Password, enter the password again.
  8. Select Primary Group.

    The Select Primary Group dialog box is displayed.

    NOTE:

    The primary group to which a user belongs controls the user's permission for CIFS shares. A user must belong to exactly one primary group.

  9. Select the user group to which the user belongs and click OK.
  10. (Optional) Select Secondary Group.

    The Select Secondary Group dialog box is displayed.

    NOTE:

    A local authentication user must belong to a primary group; membership in secondary groups is optional.

  11. Click Add.

    The Select User Group dialog box is displayed.

  12. Select one or more secondary groups to which the user belongs and click OK.

    The Select Secondary Group dialog box is displayed.

  13. Click OK.

    The Local Authentication User dialog box is displayed.

  14. Optional: Specify Description.
  15. Click OK.

    The Success dialog box is displayed, indicating that the operation succeeded.

  16. Click OK.
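The user name and password rules in steps 5 and 6 are easy to get wrong when creating accounts in bulk. The following script is an added example for this page, not Huawei code: it encodes the default rules above so an operator can lint an account list offline before typing names into DeviceManager. The character sets and default lengths come from the page; the function names, and reading "contains special characters" as "contains at least one special character" (controlled by require_special), are assumptions.

```python
"""Lint local authentication user names and passwords before creating them.

Added example for this page; not Huawei code and it does not talk to the
array. The character sets and default lengths are from the page; the
function names, and the require_special interpretation, are assumptions.
"""
from typing import Iterable, List

# Characters a user name cannot contain (the page also forbids a trailing period).
USERNAME_FORBIDDEN = set(' "/\\[]<>+:;,?*|=@')
# Special characters the page lists as permitted in a password (space included).
PASSWORD_SPECIALS = set('!"#$%&\'()*+,-./:;<=>?@[\\]^`{_|}~ ')


def validate_username(name: str, existing_users: Iterable[str] = (),
                      local_groups: Iterable[str] = (),
                      min_len: int = 8, max_len: int = 32) -> List[str]:
    """Return the list of violated rules; an empty list means the name is acceptable.
    min_len mirrors the minimum length adjustable under More > Set Security Policies."""
    errors = []
    if not min_len <= len(name) <= max_len:
        errors.append(f"length must be {min_len} to {max_len} characters")
    bad = "".join(sorted(set(name) & USERNAME_FORBIDDEN))
    if bad:
        errors.append(f"forbidden characters: {bad!r}")
    if name.endswith("."):
        errors.append("must not end with a period")
    # Names are case-insensitive on the array: aaaaaaaa and AAAAAAAA collide.
    lowered = name.lower()
    if lowered in {u.lower() for u in existing_users}:
        errors.append("collides with an existing user name (case-insensitive)")
    if lowered in {g.lower() for g in local_groups}:
        errors.append("collides with a local authentication user group name")
    return errors


def validate_password(password: str, username: str,
                      min_len: int = 8, max_len: int = 16,
                      require_special: bool = True) -> List[str]:
    """Return the list of violated default password rules."""
    errors = []
    if not min_len <= len(password) <= max_len:
        errors.append(f"length must be {min_len} to {max_len} characters")
    if require_special and not any(ch in PASSWORD_SPECIALS for ch in password):
        errors.append("must contain at least one special character")
    classes = sum([any(c.isupper() for c in password),
                   any(c.islower() for c in password),
                   any(c.isdigit() for c in password)])
    if classes < 2:
        errors.append("must contain at least two of: uppercase, lowercase, digits")
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        errors.append("must not contain three identical consecutive characters")
    if password in (username, username[::-1]):
        errors.append("must equal neither the user name nor its reverse")
    return errors


if __name__ == "__main__":
    # Constructed sample account list for a surveillance site.
    groups = {"Administrators", "nvr_writers"}
    users = {}
    for name, pw in [("camera_nvr01", "Vs!Cam3ra"), ("nvr:admin01", "Ab1!"),
                     ("AAAAAAAA", "aaaaaaaa")]:
        problems = validate_username(name, users, groups) + validate_password(pw, name)
        print(name, "OK" if not problems else problems)
        users[name] = pw
```

Run it against the real account list before provisioning; a non-empty list for a name is the same rejection DeviceManager would give, so fixing it offline saves a round of dialog errors.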

Adding a Storage System to an AD Domain

After a storage system is added to an AD domain, domain users can access CIFS shares that are allocated to the domain. This section describes how to add a storage system to an AD domain.

Preparing AD Domain Configuration Data
Why AD Domains?

In Windows shared mode, every device that provides shares is an independent node that stores its own account and permission information for the users allowed to access its shares. As a result, maintaining this information across many nodes is complex and hard to control.

With an AD domain, the domain controller manages all user configuration information and authenticates access to the domain. It maintains a database of domain accounts, passwords, and domain member nodes. After a user is authenticated by the domain controller, the user can access all shared content in the domain that the user is authorized to access.

Working Principles
Figure 3-9 Network diagram of AD domain server authentication
  1. The DNS server provides a full domain name (123.com for example) for the AD domain.
  2. The storage system is added into the AD domain and provides share services.
  3. Users can access shares after logging in to hosts in the AD domain using domain accounts.
Data Preparation

Collect Domain Administrator Username, Password, Full Domain Name, Organization Unit (optional), and System Name. For details about how to obtain the data, see Configuring AD Domain Authentication Parameters.

Connecting a Storage System to a DNS Server (Applicable to V300R006C50 and Earlier)

After a storage system is connected to a DNS server, you can access the storage system through an IP address or domain name.

Prerequisites
  • A DNS server has been configured and is running properly.
  • Port 53 for the TCP/UDP protocol between the storage system and the DNS server is enabled.
Context
  • A DNS server resolves host names in a domain.
  • If you want to configure a standby DNS server, ensure that the domain names of the active and standby DNS servers are consistent.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > DNS Service.

  3. Set the DNS server information.

    1. Specify Active DNS IP Address.
    2. Optional: Specify Standby DNS IP Address 1.
    3. Optional: Specify Standby DNS IP Address 2.
    NOTE:
    • Configure the standby DNS IP address 1 and then the standby DNS IP address 2.
    • You can click Test to test the IP address availability.
    • You can click Test All to test the connection between the DNS server and storage system.

  4. Click Save.

    The Success dialog box is displayed, indicating that the operation succeeded.

  5. Click OK.
Connecting a Storage System to a DNS Server (Applicable to V300R006C60 and Later Versions)

After a storage system is connected to a DNS server, you can access the storage system through an IP address or domain name.

Prerequisites
  • A DNS server has been configured and is running properly.
  • Port 53 for the TCP/UDP protocol between the storage system and the DNS server is enabled.
Context
  • A DNS server resolves host names in a domain.
  • If you want to configure a standby DNS server, ensure that the domain names of the active and standby DNS servers are consistent.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > DNS Service.

  3. Configure IP addresses for the DNS service.

    1. Set Active DNS IP Address.
    2. Optional: Set Standby DNS IP Address 1.
    3. Optional: Set Standby DNS IP Address 2.
      NOTE:

      Configure Standby DNS IP Address 1 before Standby DNS IP Address 2.

    4. Optional: Test the connection between the DNS server and storage system.
      • You can click Test of each DNS IP address to test its availability.
      • You can click Test All to test the connection between the DNS server and storage system.

  4. Optional: Configure domain names for the DNS service.

    NOTE:
    • Before configuring domain names, set at least one DNS IP address.
    • Domain names are used in sequence. A maximum of six domain names are supported.
    • Adding a domain name
      1. Click Add.

        The Add Domain Name dialog box is displayed.

      2. Set the domain name.
        NOTE:

        A domain name must meet the following requirements:

        • Be case-insensitive and unique.
        • Contains 1 to 255 characters, including letters, digits, periods (.), underscores (_), and hyphens (-).
        • Each label separated by a period (.) contains a maximum of 63 characters and must start and end with a letter or digit.
      3. Click OK.
    • Modifying a domain name
      1. Select the domain name that you want to modify, and click Modify.

        The Modify Domain Name dialog box is displayed.

      2. Set the domain name.
        NOTE:

        A domain name must meet the following requirements:

        • Be case-insensitive and unique.
        • Contains 1 to 255 characters, including letters, digits, periods (.), underscores (_), and hyphens (-).
        • Each label separated by a period (.) contains a maximum of 63 characters and must start and end with a letter or digit.
    • Removing a domain name

      Select the domain name that you want to remove, and click Remove.

    • Moving up a domain name

      Select the domain name that you want to move up, and click Up.

    • Moving down a domain name

      Select the domain name that you want to move down, and click Down.

  5. Click Save.

    The Success dialog box is displayed, indicating that the operation succeeded.

  6. Click OK.
Configuring AD Domain Authentication Parameters

After a storage system is added to an AD domain, the AD server can authenticate CIFS clients when they try to access shared resources. The administrator can manage the share access permissions and quotas of domain users. If the storage system is not added to an AD domain, domain users cannot use share services provided by the storage system.

Prerequisites
  • An AD domain has been set up.
  • The storage system has been connected to a DNS server.
  • The time of the AD domain server and the DNS server has been synchronized with the storage system. The time difference must not exceed 5 minutes (the Kerberos clock-skew tolerance).
  • Between the storage system and the AD domain environment, the following ports are open: 88 (TCP/UDP, Kerberos), 389 (TCP/UDP, LDAP), 445 (TCP, SMB), and 464 (TCP/UDP, Kerberos password change).
NOTE:
  • The 2000, 5000, and 6000 series storage systems can be connected to AD domain servers and DNS servers through management network ports or service network ports (logical ports). If a storage system communicates with an AD domain server and DNS server through a management network port, the management network port of each controller must be connected properly to the AD domain server and DNS server. If a storage system communicates with the AD domain server and DNS server through a service network port, the service network port of each controller under each vStore must be connected properly to the AD domain server and DNS server. It is recommended that storage systems use service network ports to connect to an AD domain server.
  • AD domain servers support primary/secondary domains, parent/child domains, active/standby domains, or trust domains.
Precautions
  • Before adding a storage system to an AD domain, ensure that the primary controller of the storage system is connected to a DNS server and an AD domain server. If it is not, enable the AD domain forwarding function and connect a service port of the storage system to the DNS server and AD domain server.
NOTE:
  • Run the show controller general command to query information about all controllers. The controller whose Role is Master is the primary controller of a storage system.
  • Run the change domain ad_config controller_forwarding_enable=yes command to enable the AD domain forwarding function. For details, see the command reference specific to your product model.
  • If Overwrite System Name is enabled, a newly entered system name overwrites an entry of the same name that already exists on the AD domain server. Use this option only when you intend to replace that existing entry.
  • A simple password may cause security risks. A complex password is recommended, for example, a password containing uppercase letters, lowercase letters, digits, and special characters.
  • You are advised to use physical isolation and end-to-end encryption to ensure security of data transfer between clients and AD domain servers.
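The prerequisites above (open ports, clock skew within 5 minutes, a resolvable domain name) are the usual reasons a domain join fails, and the Organization Unit value in Table 3-27 is easy to mistype. The following script is an added example for this page, not Huawei code: it turns those prerequisites and the domain-name rules from the DNS service section into checks that can be run from an administration host on the same network as the storage system, and it builds the cn=/ou= Organization Unit value from a name and a domain. Function names, the host names dc01.abc.com and abc.com, and the sample values are assumptions. Only the TCP side of each port is probed, because a UDP probe cannot prove reachability.

```python
"""Pre-flight checks for joining an OceanStor system to an AD domain.

Added example for this page; not Huawei code. Host names, sample values
and function names are assumptions.
"""
import socket
import time

# Ports from the prerequisites; 88/389/464 are TCP/UDP but only TCP is probed.
REQUIRED_TCP_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 464: "kpasswd"}
MAX_CLOCK_SKEW_SECONDS = 5 * 60  # Kerberos rejects requests beyond this skew


def valid_dns_domain_name(name: str) -> bool:
    """Rule from the DNS service section: 1-255 characters drawn from letters,
    digits, '.', '_' and '-'; each dot-separated label has at most 63 characters
    and starts and ends with a letter or digit. Comparison is case-insensitive."""
    if not 1 <= len(name) <= 255:
        return False
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789._-")
    if any(ch not in allowed for ch in name.lower()):
        return False
    return all(1 <= len(label) <= 63 and label[0].isalnum() and label[-1].isalnum()
               for label in name.split("."))


def domain_components(domain: str) -> str:
    """abc.com -> dc=abc,dc=com, the suffix of the Organization Unit value."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def join_target_dn(name: str, domain: str, is_container: bool = False) -> str:
    """Organization Unit value: cn=... when the target is a container object
    (such as the default Computers container), ou=... for an organizational unit."""
    return f"{'cn' if is_container else 'ou'}={name},{domain_components(domain)}"


def clock_skew_ok(storage_epoch: float, dc_epoch: float) -> bool:
    """True when the two clocks (Unix seconds) differ by at most 5 minutes."""
    return abs(storage_epoch - dc_epoch) <= MAX_CLOCK_SKEW_SECONDS


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(dc_host: str, domain: str, storage_epoch: float, dc_epoch: float) -> dict:
    """Run every check and return {check name: passed}."""
    results = {"domain name valid": valid_dns_domain_name(domain),
               "clock skew within 5 min": clock_skew_ok(storage_epoch, dc_epoch)}
    for port, service in REQUIRED_TCP_PORTS.items():
        results[f"{service} tcp/{port} reachable"] = tcp_port_reachable(dc_host, port)
    return results


if __name__ == "__main__":
    # Assumed names: dc01.abc.com is a domain controller for abc.com. The
    # storage system's clock would normally be read from the array; the
    # local clock stands in for it here.
    now = time.time()
    for check, ok in preflight("dc01.abc.com", "abc.com", now, now).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
    print("Organization Unit:", join_target_dn("Storage", "abc.com"))
```

Run the preflight from a host whose network position matches the storage system's service port (the recommended path to the AD server); a pass from the management network says nothing about the service network. For the skew check, feed in the array's own time rather than the local clock.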
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > Domain Authentication.
  3. In the AD Domain Settings area, configure the AD domain authentication parameters.

    Table 3-27 describes the related parameters.

    Table 3-27 AD domain authentication parameters

    Parameter

    Description

    Value

    Domain Administrator Username

    User name for an administrator who logs in to the AD domain server.

    [Rule]

    Contains 1 to 63 characters.

    [Example]

    test123

    [How to Obtain]

    Contact the AD domain controller administrator.

    Password

    Password for the administrator who logs in to the AD domain server.

    [Rule]

    Contains 1 to 127 characters.

    [Example]

    !QAZ2wsx

    [How to Obtain]

    Contact the AD domain controller administrator.

    Full Domain Name

    Full domain name of the AD domain server.

    NOTE:

    Click Test to verify the full domain name.

    [Rule]

    Contains 1 to 127 characters.

    [Example]

    abc.com

    [How to Obtain]

    Contact the AD domain controller administrator.

    Organization Unit

    An organizational unit (OU) is a container for directory objects such as users, computers, and printers. When the storage system joins the domain, its computer object is placed in the OU you specify here. If you leave this field empty, the storage system is added to the default Computers container.

    If the target object on the domain controller is a container (such as Computers), enter cn=xxx,dc=abc,dc=com. If it is an organizational unit, enter ou=xxx,dc=abc,dc=com.

    [Example]

    ou=xxx,dc=abc,dc=com

    [How to Obtain]

    1. On the Windows AD domain server, open Active Directory Users and Computers or ADSI Edit.
    2. Select the directory on the left, right-click the directory, and choose Properties.
    3. In the Properties dialog box that is displayed, click Attribute Editor. The value of distinguishedName is the organization unit.

    System Name

    Name of the storage system in the AD domain. After the storage system is added to the domain, a client can use the name to access the storage system.

    [Rule]

    The system name:

    • Must contain 1 to 15 characters.
    • Can contain letters, digits, and hyphens (-).
    • Must not contain only digits.

    [Example]

    systemname

    Overwrite System Name

    After this option is selected, a newly entered system name overwrites an entry of the same name that already exists on the domain controller.

    [Example]

    Enable

    Domain Status

    Displays whether storage system has been added to a domain.

    [Example]

    Exited domain

  4. Click Join Domain.
Follow-up Procedure

If you want to remove a storage system from a domain, perform the following operations:

  1. In AD Domain Settings, input Domain Administrator Username and Password.
  2. Click Exit domain.

    The Success dialog box is displayed, indicating that the operation succeeded.

  3. Click OK.

Creating a CIFS share

This section describes how to create a CIFS share through which users can access the shared storage space.

Prerequisites
  • The CIFS service is enabled.
  • If it is a non-domain environment, the CIFS authentication mode is configured as local authentication or global authentication.
  • If it is an AD domain environment, the CIFS authentication mode is configured as domain authentication or global authentication.
Procedure
  1. Log in to DeviceManager.
  2. Choose Provisioning > Share > CIFS (Windows/MAC).
  3. Click Create.

    The Create CIFS Share Wizard dialog box is displayed.

    NOTE:

    GUIs may vary with product versions and models. The actual GUIs prevail.

  4. Set CIFS parameters.

    1. On the CIFS setting page, configure the required parameters.

      Table 3-28 describes the related parameters.

      Table 3-28 Parameters for creating a CIFS share

      Parameter

      Description

      Value

      File System

      File system for which you want to create a CIFS share.

      NOTE:
      • When the global root directory / is selected for File System, a CIFS GNS (global namespace) share is created.
      • After a GNS CIFS share is created, all file systems are mounted under the root directory / by default. Enable access based enumeration (ABE) to hide files and folders that a user is not authorized to access, and set ACL permissions on each file system to control which users can access it.
      • The GNS root directory / is read-only. You cannot create, modify, or delete directories or files directly under /, or modify the attributes of /. Files and directories cannot be moved across level-1 directories (file systems).
      • CIFS directory names are case-insensitive. If file systems have names that differ only in case, for example AA and aa, only the file system created earlier (the one with the smaller file system ID) is added to the GNS. Rename the file systems so that their names are unique; after the rename, the file system is added to the GNS automatically.
      • SMB1 does not support GNS.
      NOTE:

      When the internal LAN network is stable, you can run the change service cifs global_namespace_forward_enabled=yes command to enable GNS forwarding, which improves performance when a file system is accessed through a controller that does not own it. For details, see the command reference of the corresponding product model. When the internal network is unstable (for example, during a node fault, an upgrade, or an IP address failover), do not enable GNS forwarding, because it may interrupt services.

      • After GNS forwarding is enabled or disabled, clients must remount the share for the change to take effect. Some directories may remain inaccessible until the client cache expires; in that case, stop the client's services, wait for the cache to time out, and then remount the share. Alternatively, clear the client cache with the Microsoft dfsutil.exe tool and then remount the share.
      • GNS forwarding requires a logical port with an IP address that clients can reach and with IP address failover enabled.
      • GNS forwarding affects DNS-based load balancing. If you enable GNS forwarding, disable DNS-based load balancing.
      NOTE:

      c$ is the default GNS share. Its Share Path is the root directory / and its Permission is Full control for Administrators.

      • Share c$ cannot be deleted, but its properties and permissions can be modified.
      • Once the c$ share exists, you can choose a file system as the share path when creating shares in MMC instead of entering the share path manually.

      [Example]

      Filesystem001

      Directory

      Directory or subdirectory under the file system root directory.

      [Example]

      Share01

      Share Path

      The share path of a file system consists of File System and Directory.

      NOTE:

      The default share path is / for creating GNS.

      [Example]

      /Filesystem001/Share01

      Share Name

      Name used by a user for accessing the shared resources.

      [Value range]

      • Can contain Chinese, English, or Japanese characters.
      • Contains 1 to 80 characters.
      • Cannot contain the special characters "/\[]:|<>+;,?*=.
      • Cannot be a name reserved by the system. The reserved names are ipc$, autohome, ~, and print$.

      [Example]

      share_for_user1

      Description

      Description of the created CIFS share.

      [Value range]

      The description can be left blank or contain up to 255 characters.

      [Example]

      Share for user 1.

      Oplock

      Opportunistic locking (Oplock) lets clients cache file data locally, improving performance and network utilization.

      Do not enable this function in the following scenarios:

      • Scenarios with strict data integrity requirements: if the network is interrupted or the client crashes while Oplock is enabled, the client's local cache is lost. If the upper-layer application has no mechanism to ensure data integrity, recovery, or retry, data may be lost.
      • Scenarios where multiple clients access the same file: with Oplock enabled, the lock is repeatedly broken by conflicting accesses, and system performance suffers.

      [Default value]

      Enabled

      Notify

      After this parameter is enabled, a client's operations on a directory (adding a subdirectory or file, modifying the directory, or modifying a file) are reported to other clients that are accessing this directory or its parent directory.

      [Default value]

      Enabled

      Offline Cache Mode

      Files in the share can be cached on clients so that they can be used offline. The following offline cache modes are supported:

      • Manual

        Specified files and programs in the shared directory can be cached to local clients and operated offline.

      • Documents

        If a user accesses the shared directory and opens a file or program in the shared directory, the file or program is automatically cached to a local client so that the user can operate it offline. Files and programs that can be operated offline are saved in the clients' cache and synchronized with those in the shared directory until the cache is full or users delete them. Files and programs that have not been opened cannot be cached locally.

      • Programs

        Performance is optimized based on the Documents mode. If an executable file (EXE or DLL) in the shared directory is executed by a local client, the file is automatically cached to the client. If the client needs to run the executable file online or offline next time, it accesses the cached file instead of that in the shared directory.

      • None

        Files and programs in the shared directory cannot be cached to local clients. Therefore, these files and programs cannot be operated offline. This mode prevents the offline file function of clients from creating duplicates of files in the shared directory.

      NOTE:

      The offline file function of clients must be enabled so that files and programs can be automatically cached.

      [Default value]

      Manual

      CA

      This option enables SMB 3.0 continuous availability (CA) and applies only to shares used by Hyper-V. CA depends on Oplock, so ensure that Oplock is enabled.

      [Default value]

      Disabled

      Security Restriction

      After security restriction is enabled, only the IP addresses and address segments you add can access the share. If security restriction is disabled, any IP address can access the share.

      [Default value]

      Disabled

      Create Default ACL

      This function creates a default ACL (Full control for Everyone, applied to the directory, its subdirectories, and the files in them) on the shared CIFS root directory if that directory has no ACL yet. You can change the default ACL later; until you do, the share-level permissions set in the next step are the only control over what users can do to the data. If you want to retain the UNIX MODE permissions, disable this function.

      NOTE:

      This function cannot be enabled for creating GNS.

      [Default value]

      Enabled

      File Name Extension Filtering

      After file name extension filtering is enabled, the types of files that users can access on the CIFS share are controlled by the filtering rules you define in a later step.

      NOTE:

      SMB2 and SMB3 support this function but SMB1 does not.

      [Default value]

      Disabled

      ABE

      After Access Based Enumeration (ABE) is enabled, files and folders that users have no access permission are not displayed.

      NOTE:

      SMB2 and SMB3 support ABE but SMB1 does not.

      [Default value]

      Disabled

      Show Previous Versions

      If this function is enabled, clients can view historical versions of files and roll back to them.

      [Default value]

      Enabled

      Audit Log

      After the audit function is enabled, the system can record audit logs of the shared directory. The audit log items include Open, Create, Read, Write, Close, Delete, Rename, Obtain properties, Set properties, Obtain security properties, Set security properties, Obtain extension properties, and Set extension properties. After the audit function is enabled, by default, the system records Create, Write, Delete, and Rename operations of the shared directory.

      NOTE:

      Before configuring this function, choose Settings > Monitor Settings > Audit Log Settings, and enable the Audit Log Settings function.

      [Default value]

      Disabled

    2. Click Next.

      The Set Permissions page is displayed.

  5. Set the permissions for the user or user group accessing the CIFS share.

    1. In Users/User Groups area, click Add.

      The Add User/User Group dialog box is displayed.

    2. In User/User Group, select the user type or user group type.

      The values include: Everyone, Local authentication user, Local authentication user group, Domain user and Domain user group.

      • If you select Everyone, click Add.
      • If you select Local authentication user or Local authentication user group, click Find in the pop-up Add User or Add User Group dialog box to select the user or user group you want to add. Click OK.
      • If the desired local authentication user or user group does not exist, click Create to create and add a new authentication user or user group.
      • If you select Domain user or Domain user group, enter the corresponding name in Name, and click Add.
      NOTE:
      • Everyone means every user has the access permission.
      • The name format is Domain name\Domain user name or Domain name\Domain user group name.
    3. In Permission Level, select the CIFS access permission for the user or user group added.

      Table 3-29 provides details about the permissions.

      Table 3-29 Description of CIFS share permissions

      Operation

      Forbidden

      Read-Only

      Read and Write

      Full Control

      Viewing files and subdirectories

      Not allowed

      Allowed

      Allowed

      Allowed

      Viewing the contents of files

      Not allowed

      Allowed

      Allowed

      Allowed

      Running executable files

      Not allowed

      Allowed

      Allowed

      Allowed

      Adding files or subdirectories

      Not allowed

      N/A

      Allowed

      Allowed

      Modifying the contents of files

      Not allowed

      N/A

      Allowed

      Allowed

      Deleting files and subdirectories

      Not allowed

      N/A

      Allowed

      Allowed

      Renaming

      Not allowed

      N/A

      Allowed

      Allowed

      Changing the ACL of files or directories

      Not allowed

      N/A

      N/A

      Allowed

      NOTE:
      • Permission levels in descending order of priority are Forbidden > Full control > Read and write > Read-only, and the highest-priority level that applies to a user, directly or through any of the user's groups, prevails. A Forbidden entry therefore overrides every grant, and Full control on any group overrides Read-only on the user. When a user's access permission is extended, the new permission takes effect immediately. For example, if a user's original access permission is Read-only and the user is later added to a user group with Full control, the user's access permission changes to Full control immediately, without re-authenticating to the CIFS share.
      • For V300R006C50 and earlier versions, a local authentication user whose primary group is Administrators is not checked against share-level ACLs or directory/file-level NT ACLs when accessing shared file systems and can operate on any file in any share with administrator permissions. Keep membership of this group to the minimum required.
      • For V300R006C60 and later versions, you can run the change service cifs administrators_privileg=? command to change the permissions of members of the Administrators group. For details about the command, see the command reference of your specific product model. The values of administrators_privileg are admin (default value), default_group, and owner.
        If a local authentication user's primary group is the Administrators group, you can change the user's permissions by modifying administrators_privileg. The values are described as follows:
        • admin: Group members are not checked against share-level ACLs or directory/file-level NT ACLs when accessing shared file systems. They can operate on any file in any share with administrator permissions.
        • default_group: Group members have the same permissions as members of the default user group.
        • owner: Group members can query and set file/directory ACLs and change file/directory owners. When they access shared file systems, they are checked against directory/file-level NT ACLs but not against share-level ACLs.

        Modified permissions take effect only after users re-authenticate on their clients.

        Run the show service cifs command and check the Administrators Privilege field in the output to confirm the current setting.

    4. Click OK.

      The system adds the user or user group you select to the Users/User Groups list.

    5. Click Next.

  6. (Optional) Set a security restriction. This parameter is valid only after security restriction is enabled.

    1. In the Accessible IP Address/Address Segment area, click Add.

      The Add IP Address or IP Address Segment dialog box is displayed.

    2. In IP Address/Address Segment, specify the IP addresses or IP address segments.
      NOTE:
      • An IP address segment is in the format IP address/mask, for example, 192.168.1.100/16. The IPv4 mask ranges from 1 to 32 and the IPv6 mask from 1 to 128. A segment cannot mix IPv4 and IPv6 addresses.
      • An IP rule can be:
      • A single IPv4 or IPv6 address, for example, 192.168.1.100.
      • An IP address segment, for example, 192.168.1.100/16 or 192.168.1.10 to 192.168.1.11/30.
      • A maximum of 32 IP addresses or IP address segments can be added.
    3. Click OK.

      The added IP addresses or IP address segments are displayed in the list.

    4. Click Next.

  7. (Optional) Set the file name extension filtering rule. The rule can be set only after the file name extension filtering function is enabled.

    NOTE:

    File name extension filtering rules are valid only for the current share.

    1. In File Name Extension Filtering Rule, click Add.

      The Add File Name Extension Filtering Rule dialog box is displayed.

    2. In File Name Extension, specify the file name extension (file type) to be filtered.
      NOTE:
      • A file name extension contains 1 to 127 visible ASCII characters: digits, letters, spaces, and the special characters !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~. The wildcard * can only be the last character. For example, the file name extension can be txt, TXT, T?X, or Tx*.
      • A share supports a maximum of 128 filtering items.
      • A storage system supports a maximum of 120,000 filtering items.
      • Recommended configuration: at most seven file name extension filtering rules per share, and 1 to 32 characters (excluding wildcards) per extension. Staying within these limits minimizes the impact on CIFS performance; exceeding them may degrade CIFS performance significantly.
      • When configuring a file name extension filtering rule, ensure that the rule does not block the temporary files an application creates while running. For example, some applications generate files with the .tmp extension; make sure your rule still permits them (for example, include tmp in an Allowed only rule). For the temporary file extensions used by a specific application, contact the software vendor.
    3. Select the permission rule from the Rule Type drop-down list.
      NOTE:
      • Denied only: Files with the specified extensions cannot be accessed; all other files can.
      • Allowed only: Only files with the specified extensions can be accessed.
    4. Click OK.

      The added file name extension filtering rule is displayed in the list.

    5. Click Next.

  8. The Summary page is displayed. On the Summary page, check whether the CIFS information is correct. Click Finish.
  9. On the Execution Result page, view the execution result. Click Close to finish creating a CIFS share.

    You can view the created share in the CIFS share list.
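A request to a share created by this procedure passes several independent gates: the accessible IP list of step 6, the file name extension rule of step 7, and the share permission of step 5 with its Forbidden > Full control > Read and write > Read-only precedence and the Administrators primary-group bypass. The following script is an added example for this page, not Huawei code and not a query against the array: it models those rules, together with the operations each level permits in Table 3-29 (collapsed to read, write and change_acl), so that an operator can reason about the effective access of a user before granting it. The share definition, the users, the group names and the request values are constructed samples, and administrators_privilege is a hypothetical parameter standing in for the administrators_privileg CLI setting.

```python
"""Model the share-level gates a CIFS request passes on the array.

Added example for this page; not Huawei code. Share, users and request
values are constructed samples; administrators_privilege stands in for
the administrators_privileg CLI setting.
"""
import ipaddress

PRECEDENCE = {"Forbidden": 3, "Full control": 2, "Read and write": 1, "Read-only": 0}
# Table 3-29 collapsed to three operation classes.
OPERATIONS = {"Read-only": {"read"}, "Read and write": {"read", "write"},
              "Full control": {"read", "write", "change_acl"}, "Forbidden": set()}


def effective_permission(principals, share_acl):
    """Highest-precedence level among the ACL entries naming the user, any of the
    user's groups, or Everyone. None means no entry applies at all."""
    levels = [share_acl[p] for p in principals if p in share_acl]
    return max(levels, key=PRECEDENCE.__getitem__) if levels else None


def ip_allowed(client_ip, restriction_enabled, allowlist):
    """Security restriction: only listed addresses/segments may connect.
    strict=False accepts '192.168.1.100/16' as the page writes it (host bits set)."""
    if not restriction_enabled:
        return True
    addr = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    return any(net.version == addr.version and addr in net for net in nets)


def extension_allowed(filename, filtering_enabled, rule_type, extensions):
    """'Denied only' blocks the listed extensions; 'Allowed only' permits only them.
    Matching is case-insensitive; '*' may appear only as the last character."""
    if not filtering_enabled:
        return True
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hit = any(ext.startswith(p[:-1].lower()) if p.endswith("*") else ext == p.lower()
              for p in extensions)
    return (not hit) if rule_type == "Denied only" else hit


def evaluate_request(share, user, client_ip, filename, operation,
                     administrators_privilege="admin"):
    """Return (allowed, reason) for one request against one share."""
    if not ip_allowed(client_ip, share["security_restriction"], share["allowed_ips"]):
        return False, f"{client_ip} is not in the share's accessible IP list"
    if not extension_allowed(filename, share["ext_filter"], share["rule_type"],
                             share["extensions"]):
        return False, f"{filename} is blocked by the extension filtering rule"
    # Members whose primary group is Administrators skip the share ACL unless the
    # setting is default_group; with admin they skip the NT ACL as well.
    if user["primary_group"] == "Administrators":
        if administrators_privilege == "admin":
            return True, "Administrators (admin): share ACL and NT ACL bypassed"
        if administrators_privilege == "owner":
            return True, "Administrators (owner): share ACL bypassed, NT ACL decides"
    principals = [user["name"], user["primary_group"], *user["secondary_groups"], "Everyone"]
    level = effective_permission(principals, share["acl"])
    if level is None or operation not in OPERATIONS[level]:
        return False, f"share permission {level} does not allow {operation}"
    return True, f"{operation} allowed by {level}"


# Constructed sample: a video archive share for one surveillance site.
ARCHIVE_SHARE = {
    "acl": {"Everyone": "Read-only", "nvr_writers": "Read and write",
            "contractors": "Forbidden", "storage_ops": "Full control"},
    "security_restriction": True,
    "allowed_ips": ["192.168.10.0/24", "10.0.5.21"],
    "ext_filter": True, "rule_type": "Denied only", "extensions": ["exe", "dll", "ps1"],
}
NVR = {"name": "camera_nvr01", "primary_group": "nvr_writers", "secondary_groups": []}
TECH = {"name": "tech07", "primary_group": "nvr_writers", "secondary_groups": ["contractors"]}
OPS = {"name": "ops1", "primary_group": "Administrators", "secondary_groups": []}

if __name__ == "__main__":
    for who, ip, fn, op in [(NVR, "192.168.10.50", "cam01.mp4", "write"),
                            (TECH, "192.168.10.50", "cam01.mp4", "read"),
                            (NVR, "192.168.11.5", "cam01.mp4", "read"),
                            (NVR, "192.168.10.50", "update.EXE", "write"),
                            (OPS, "10.0.5.21", "cam01.mp4", "change_acl")]:
        print(who["name"], ip, fn, op, "->", evaluate_request(ARCHIVE_SHARE, who, ip, fn, op))
```

Two results are worth noticing: tech07 is denied even though the primary group grants Read and write, because Forbidden on a secondary group outranks it; and ops1 is allowed to change ACLs without any share entry at all, because the Administrators primary group bypasses the share ACL under the default setting. Passing administrators_privilege="default_group" makes the same request fall through to Everyone's Read-only entry and fail.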

Accessing a CIFS Share

By accessing a CIFS share, different users can access the shared directories that they have permission to access.

Procedure
  1. Choose Map network drive on a Windows client.

    The following uses a Windows Server 2012 client as an example.

    Open File Explorer and choose Computer > Map network drive > Map network drive.

    NOTE:

    GUIs may be slightly different for clients running different versions of Windows operating systems. The actual GUIs prevail.

  2. In the displayed Map Network Drive dialog box, configure the network folder you want to map.

    • In Drive, specify the drive letter for the connection.
    • In Folder, specify the folder that you want to connect to. Select Connect using different credentials and click Finish.

      The folder is in the format \\logical ip address\sharename, where logical ip address is the IP address of the storage system's logical port that provides the CIFS share, and sharename is the name of the CIFS share.

      NOTE:

      To query the IP address of a logical port, choose Provisioning > Port > Logical Ports on DeviceManager.

  3. In the displayed Windows Security dialog box, enter the user name and password for accessing the CIFS share.

    • If you log in as a domain authentication user, enter the domain user name in the Domain name\Domain user name format and the corresponding password.
    NOTE:

    After CIFS shares are allocated to domain users, do not modify the domain user information. If you do, the CIFS shares cannot be accessed.

    • If you log in as a local authentication user, enter the user name and password of the local authentication user.

  4. Click OK.

    NOTE:

    If errors occur during the access, verify that:

    • The CIFS service is enabled.
    • The storage system is added into a correct AD domain.
    • The network between the client and storage system is normal.
    • The domain user has the access permission.

    Then, log in to DeviceManager and restart the CIFS service in CIFS Service. The CIFS service takes some time to become available again after the restart.

    Restarting the CIFS service interrupts all the ongoing CIFS share services. Before restarting the CIFS service, ensure that no CIFS share service is running.

Follow-up Procedure
  • To disconnect from a CIFS share, run the net use [DeviceName] /del command in the Windows CLI. DeviceName is the drive letter to disconnect, for example, z:.
  • If the information about a local authentication user or domain user changes while a client is accessing a CIFS shared file system (for example, the user is forbidden, the password is changed or expires, the user's group relationship is changed, or the user is deleted), the change takes effect the next time the user is authenticated, that is, when the share is mounted again.
  • The storage system supports offline sharing. If a client with a mounted share is disconnected from the storage system, the client can still read and write a local copy. When the connection resumes, data modified offline in the local copy is synchronized automatically to the storage system. (If the shared data in the storage system was changed in the meantime, you must start the synchronization manually.)
  • If a GNS is created, run the change service cifs global_namespace_capacity=? command at the admin:/> prompt to set the GNS size.
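The client-side steps above (the reachability check from the NOTE in step 4, mapping the share with separate credentials, and disconnecting it with net use /del) as one PowerShell script. This is an added example, not part of the Huawei guide; the logical IP address 192.0.2.10, the share name share01, and the drive letter Z: are placeholders to replace with your own values.

```powershell
# Added example (not from the Huawei guide): map a CIFS share from a Windows
# client with explicit credentials, check the connection, and disconnect it.
# 192.0.2.10, share01 and Z: are placeholders (assumptions of this example).

$LogicalIp = '192.0.2.10'   # logical port IP (DeviceManager: Provisioning > Port > Logical Ports)
$ShareName = 'share01'
$Drive     = 'Z:'
$UncPath   = "\\$LogicalIp\$ShareName"

# 1. Reachability check: CIFS/SMB listens on TCP 445. A failure here points at
#    the network path or at a disabled CIFS service rather than at credentials.
$probe = Test-NetConnection -ComputerName $LogicalIp -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 on $LogicalIp is not reachable; check the network and that the CIFS service is enabled."
}

# 2. Prompt for credentials instead of embedding a password in the script.
#    Domain users: enter DOMAIN\user. Local authentication users: enter the user name only.
$cred  = Get-Credential -Message "Credentials for $UncPath"
$plain = $cred.GetNetworkCredential().Password

# 3. Map the drive. /persistent:no keeps the mapping out of the user profile,
#    so it does not silently re-connect at the next logon.
net use $Drive $UncPath $plain "/user:$($cred.UserName)" /persistent:no
Remove-Variable plain
if ($LASTEXITCODE -ne 0) {
    throw "Mapping failed (exit code $LASTEXITCODE). Verify that the user or its group has permission on the share."
}

# 4. Confirm the mapping and that the granted permission level at least allows listing.
net use $Drive
Get-ChildItem -Path $Drive -ErrorAction Stop | Select-Object -First 5

# 5. Disconnect when done (the command named under Follow-up Procedure).
net use $Drive /delete /y
```

The script prompts for the password at run time because net use accepts it only as a command-line argument; keeping it out of the script file avoids leaving a credential on disk. A failure in step 3 after a successful step 1 narrows the problem to authentication or share permissions, which matches the checklist in the NOTE under step 4.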

Connecting Microsoft Management Console to a Storage System

The Microsoft Management Console (MMC) built in a Windows client can manage users, user groups, shares, sessions, and open files for storage systems.

Introduction

MMC is a Windows tool that can provide a unified and standard management interface and operation platform for Windows administrators. With CIFS used, MMC can manage users, user groups, and shares for storage systems.

In large- and medium-sized NAS applications, multiple NAS servers from different vendors may be deployed. MMC can manage these servers in a unified way, improving management efficiency.

Table 3-30 lists the supported management functions.

Table 3-30 Management function list

| Category | Function | Description |
| --- | --- | --- |
| CIFS share management | Enumerating shares | Operators must have administrator privileges. |
| | Adding shares | Because of a Windows client restriction, a share folder path on MMC cannot be longer than 255 characters. If the path is longer than 255 characters, share creation fails. |
| | Viewing shares | - |
| | Modifying shares | The descriptions, permissions, ACLs, and offline cache configurations of shares can be modified. |
| | Stopping sharing | - |
| User management | Enumerating users | - |
| | Viewing user information | The user group to which users belong can be viewed. |
| | Changing the user group to which users belong | - |
| User group management | Creating user groups | - |
| | Enumerating user groups | - |
| | Viewing user group information | Group members, including domain users, can be viewed. |
| | Changing group members | Group members can be added to or removed from user groups. |
| | Modifying user group descriptions | - |
| | Deleting user groups | - |
| Session management | Enumerating sessions | - |
| | Closing sessions | - |
| Open files management | Enumerating open files | - |
| | Closing open files | - |

Logging In to MMC

After logging in to MMC, you can manage users, user groups, and shares.

Prerequisites
  • If you will log in to a Windows client as a local user, ensure that another local user with the same user name and password has been created on the storage system and added to the administrators user group.
  • If you will log in to a Windows client as a domain user, ensure that the storage system has been added to the same domain and the domain user has been added to the administrators user group on the storage system.
  • The client and storage system have joined the same AD domain.
Procedure
  1. Choose Start > Run. In the text box that is displayed, enter mmc.
  2. In the displayed window, choose File > Add/Remove Snap-ins. In the dialog box that is displayed, select Shared Folders and click Add.
  3. In the dialog box that is displayed, select Another computer, enter the front-end service IP address of the storage system, and click Finish.

    The IP address can be an IPv4 or IPv6 address. Alternatively, you can enter the System Name that was used when the storage system joined the AD domain.

  4. Click OK.

    You can manage shares of the storage system.

  5. Choose File > Add/Remove Snap-ins. In the dialog box that is displayed, select Local Users and Groups and click Add.
  6. In the dialog box that is displayed, select Another computer, enter the front-end service IP address of the storage system, and click Finish.
  7. Click OK.

    You can manage users and user groups.

Managing Shares

This section describes how to manage shares using MMC.

Prerequisites
  • You have logged in to MMC.
  • The local administrator account has been disabled on the client.
Procedure
  • Create a share.
    1. Double-click Share Folders.
    2. Right-click Shares and choose New Share.
    3. In the Create a Shared Folder Wizard dialog box, select a folder on the storage system that you want to share.
      • Because of a Windows client restriction, the folder path cannot be longer than 255 characters. Otherwise, the share cannot be created.
      • You can click Browse to select a folder from the storage system.
    4. Click Next and enter Share Name and Description.
    5. Click Next and select permissions for the folder.
    6. Click Finish. In the Sharing Was Successful dialog box, click Finish.

      The created folder will be displayed on MMC.

  • View a share.
    1. Choose Share Folders > Shares.
      • In the right pane, all CIFS shares of the storage system are listed.
      • The client connection count of the share is fixed at 1. The actual value cannot be displayed at present.
    2. Right-click the share that you want to view and choose Properties. In the dialog box that is displayed, select Share Permissions to view the access permission for the share.
  • Modify a share.
    1. Choose Share Folders > Shares.

      In the right pane, all CIFS shares of the storage system are listed.

    2. Right-click the share that you want to modify and choose Properties.
    3. In the dialog box that is displayed, select General. Modify Description.
    4. In the dialog box that is displayed, select Share Permissions and modify the permission for the share.
  • Stop sharing.
    1. Choose Share Folders > Shares.

      In the right pane, all CIFS shares of the storage system are listed.

    2. Right-click the folder that you want to stop sharing and choose All Tasks > Stop Sharing.
    3. In the dialog box that is displayed, click Yes.
Managing Users and User Groups

This section describes how to manage users and user groups using MMC.

Prerequisites
  • You have logged in to MMC.
  • The local administrator account has been disabled on the client.
  • The client and storage system have joined the same AD domain.
Procedure
  • Create a user group.
    1. Choose Local Users and Groups (Local) > Groups.
    2. Right-click Groups and choose New Group. Enter user information as instructed and click Create.
    NOTE:

    A Windows reserved account cannot be created via MMC.

  • View the user and user group.
    1. Choose Local Users and Groups (Local) > Users.

      All users will be displayed in the right pane.

    2. Right-click the user that you want to view and choose Properties to view the user details.
    3. Choose Local Users and Groups (Local) > Groups.

      All user groups will be displayed in the right pane.

    4. Right-click the user group that you want to view and choose Properties to view the user group details.
  • Modify users and user groups.
    1. Choose Local Users and Groups (Local) > Users.
    2. Right-click the user that you want to modify and choose Properties > Member of.
    3. Select the user group to which the user belongs and click Remove.
    4. Click OK for the change to take effect.
    5. Choose Local Users and Groups (Local) > Groups.
    6. Right-click the user group that you want to modify, choose Properties, and click Add to add users to the user group.
    7. Select the user that you want to remove from the user group and click Remove.
    8. Modify Description.
    9. Click OK for the change to take effect.
    NOTE:

    The description of a Windows reserved user group cannot be modified via MMC.

  • Delete user groups.
    1. Choose Local Users and Groups (Local) > Groups.
    2. Right-click the user group that you want to delete and select Delete.
    3. Read and confirm the risk disclosure statement. In the dialog box that is displayed, click Yes.
Managing Sessions

You can use MMC to disconnect users and close sessions in shared folders.

Prerequisites

You have logged in to MMC.

Context

If you close sessions without notifying users, user data may be lost. Before closing sessions, notify the users.

When you use MMC to enumerate sessions, Windows performs a reverse DNS lookup of each session's IP address to obtain the corresponding computer name. You must therefore configure a PTR record for the IP address of each session in the reverse lookup zone of the DNS server. Otherwise, the MMC refresh times out.

Procedure
  • View sessions.

    Choose Shared Folders > Sessions.

    Details about all current sessions will be displayed in the right pane.

  • Close a session.
    1. Choose Shared Folders > Sessions.

      Details about all current sessions will be displayed in the right pane.

    2. Right-click the session you want to close and choose Close Session from the shortcut menu.

      A confirmation dialog box is displayed.

    3. Click Yes.

      The session is closed.

NOTE:

If you want to close all sessions, right-click Sessions and choose Disconnect All Sessions from the shortcut menu.

Managing Opened Files

You can use MMC to close opened files in shared folders.

Prerequisites

You have logged in to MMC.

Context

When you close an opened file or folder, the users who connect to the file or folder will be disconnected and user data may be lost. Before closing opened files, notify the users.

Procedure
  • View opened files.

    Choose Shared Folders > Open Files.

    All files that are opened currently will be displayed in the right pane.

  • Close an opened file.
    1. Choose Shared Folders > Open Files.

      All files that are opened currently will be displayed in the window on the right.

    2. Right-click the file you want to close and choose Close Open File from the shortcut menu.

      A confirmation dialog box is displayed.

    3. Click Yes.

      The opened file is closed.

NOTE:

If you want to close all opened files, right-click Open Files and choose Disconnect All Open Files from the shortcut menu.

CIFS Share Configuration Example

This section uses an example to explain how to configure a CIFS share.

Scenario

This section describes the customer's legacy environment and requirements.

Network Diagram

Figure 3-10 shows the customer's network.

Figure 3-10 Customer's network diagram

The customer's live network can be summarized as follows:

  • All clients use the Windows operating system.
  • The clients of the three departments reside on the same LAN as the storage system.
Customer Requirements

A storage system is required to provide storage space for the School Office, Teaching Affairs Office, and Finance Office. The storage space must be allocated as follows:

  • Each of the three departments has 1 TB dedicated storage space.
  • The three departments can write and read data in their respective 1 TB storage space.
  • The School Office can access but cannot write or modify the storage space of the Teaching Affairs Office and the Finance Office.
  • The Teaching Affairs Office can access but cannot write or modify the storage space of the Finance Office.
  • The Finance Office can access but cannot write or modify the storage space of the Teaching Affairs Office.
  • The Teaching Affairs Office and Finance Office cannot access the storage space of the School Office.
Requirement Analysis

This section provides an analysis of the customer's requirements and a solution.

Customer requirement analysis:

  • All clients use the Windows operating system, so the OceanStor storage system can use CIFS shares to provide storage space for the three departments respectively.
  • The storage system can manage CIFS share permissions. Allocating different permissions to different shares controls the mutual data access between different departments.

Solution:

  • Table 3-31 describes the basic information of the three departments.
Table 3-31 Basic information of the three departments

| Department | Share Name | Share Space | Local User | Local User Group |
| --- | --- | --- | --- | --- |
| School Office | share01 | 1 TB | test_user01 | group01 |
| Teaching Affairs Office | share02 | 1 TB | test_user02 | group02 |
| Finance Office | share03 | 1 TB | test_user03 | group03 |

  • Table 3-32 describes each local user group's permission to access the storage space of the School Office, Finance Office, and Teaching Affairs Office.
Table 3-32 Local user groups' permissions to access the storage space of the three departments

| Local User Group | School Office | Finance Office | Teaching Affairs Office |
| --- | --- | --- | --- |
| group01 | Read and write | Read-only | Read-only |
| group02 | Forbidden | Read and write | Read-only |
| group03 | Forbidden | Read-only | Read and write |

Configuration Process

Figure 3-11 shows the configuration process, helping you understand the subsequent configuration.

Figure 3-11 Configuration process
NOTE:

This configuration process is only applicable to this configuration example. For the complete configuration process of CIFS shares, see Configuration Process.

Configuration Procedure

This section describes how to configure CIFS shares on DeviceManager.

Creating a File System

File systems provide storage space for CIFS shares. You can create different file systems to provide storage space for different CIFS shares.

  1. On DeviceManager, choose Provisioning > File System.

    The File System page is displayed.

  2. Click Create.

    The Create File System dialog box is displayed.

  3. In the Create File System dialog box, configure parameters as planned.

    Table 3-33 describes related parameters.
    Table 3-33 Create File System parameters

    | Parameter | Planned Value |
    | --- | --- |
    | Name | FileSystem |
    | Capacity | 1 TB |
    | File System Block Size | 32 KB |
    | Quantity | 3 |
    | Owning Storage Pool | StoragePool000 |

    NOTE:
    • When multiple file systems are created, the storage system automatically adds a number to each file system name for distinction. In this example, the created file systems are named FileSystem0000, FileSystem0001, and FileSystem0002 respectively.
    • This example assumes that most files in the file system are between 100 KB and 1 MB in size, so the file system block size is set to 32 KB.

  4. Click OK.
Creating Local Authentication User Groups

This section describes how to create local authentication user groups. Local authentication user groups help you control the share access permissions of local users.

  1. On DeviceManager, choose Provisioning > User Authentication.

    The User Authentication page is displayed.

  2. Click Local Authentication User Group.
  3. Click Create.

    The Local Authentication User Group dialog box is displayed.

  4. In User Group Name, enter group01.
  5. Click OK.

    The Success dialog box is displayed.

  6. Click OK.
  7. Repeat steps 3 to 6 to create user groups group02 and group03.
Creating Local Authentication Users

This section describes how to create local authentication users. For applications that use local authentication, local authentication users are used to access a CIFS share.

  1. On DeviceManager, choose Provisioning > User Authentication.

    The User Authentication page is displayed.

  2. Click Create.

    The Local Authentication User dialog box is displayed.

  3. In the Local Authentication User dialog box, enter required local user information.

    Table 3-34 describes related parameters.
    Table 3-34 Local authentication user parameters

    | Parameter | Value |
    | --- | --- |
    | Username | test_user01 |
    | Password | Enter a password. |
    | Confirm Password | Enter the password again. |
    | Primary Group | group01 |

  4. Click OK.

    The Success dialog box is displayed.

  5. Click OK.
  6. Repeat steps 2 to 5 to add users test_user02 and test_user03 to user groups group02 and group03 respectively.
Creating CIFS Shares

After creating local user groups and local users, you need to create CIFS shares. You can assign different permissions to different users when creating a CIFS share.

  1. On DeviceManager, choose Provisioning > Share.

    The Share page is displayed.

  2. Create a CIFS share.

    1. On the CIFS (Windows/MAC) tab, click Create.

      The Create CIFS Share Wizard page is displayed.

    2. In File System, select file system FileSystem0000. In Share Name, enter the planned CIFS share name share01.
    3. Click Next.

      The Set Permissions page is displayed.

    4. Click Next.

      The Permissions are not configured for users or user groups to access the CIFS share. Are you sure to continue? dialog box is displayed.

      NOTE:

      Access permission configuration for CIFS shares is described in step 4.

    5. Click OK.

      The Summary page is displayed.

    6. Click Finish.

      The Execution Result page is displayed.

    7. Click Close.

  3. Repeat step 2 to add CIFS shares share02 and share03.
  4. Configure access permissions for a CIFS share.

    1. Select share01.
    2. In Users/User Groups, click Add.

      The Add User/User Group dialog box is displayed.

    3. In User/User Group, select Local authentication user group. In Name, click Find.

      The Find Local Authentication User Group dialog box is displayed.

    4. Select user group group01 and click OK.

      The Add User/User Group dialog box is displayed.

    5. In Permission Level, select Read and write. Click OK.

      The Execution Result page is displayed.

    6. Click Close.

  5. Repeat step 4 to configure different access permissions for the other user groups.

    Table 3-35 lists planned access permissions.
    Table 3-35 Access permission planning

    | User Group | share01 | share02 | share03 |
    | --- | --- | --- | --- |
    | group01 | Read and write | Read-only | Read-only |
    | group02 | Forbidden | Read and write | Read-only |
    | group03 | Forbidden | Read-only | Read and write |
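Before the permissions in Table 3-35 are entered in DeviceManager, a short check that the planned matrix really matches the Customer Requirements catches transposed rows and missing entries. The following PowerShell script is an added example, not part of the Huawei guide: the function name Compare-SharePlan, the hashtables, and the deliberately mistyped plan are this example's own constructions; the permission levels and the share-to-department mapping come from Table 3-31 and Table 3-35. The function is general, so the same check can be applied to any group/share matrix, not just this example.

```powershell
# Added example (not from the Huawei guide): compare a planned CIFS share
# permission matrix with the stated requirements before configuring it.
# Levels are the guide's own: 'Read and write', 'Read-only', 'Forbidden'.
# Compare-SharePlan and the variable names are assumptions of this example.

function Compare-SharePlan {
    param(
        [hashtable]$Required,   # group -> @{ share -> required level }
        [hashtable]$Planned     # group -> @{ share -> planned level }
    )
    $issues = New-Object System.Collections.Generic.List[string]
    # Every requirement must be planned with exactly the required level.
    foreach ($group in $Required.Keys) {
        foreach ($share in $Required[$group].Keys) {
            $want = $Required[$group][$share]
            $have = if ($Planned.ContainsKey($group)) { $Planned[$group][$share] } else { $null }
            if ($null -eq $have) {
                $issues.Add("${group} on ${share}: nothing planned, required '$want'")
            } elseif ($have -ne $want) {
                $issues.Add("${group} on ${share}: planned '$have', required '$want'")
            }
        }
    }
    # A planned entry that no requirement covers is privilege nobody reviewed.
    foreach ($group in $Planned.Keys) {
        foreach ($share in $Planned[$group].Keys) {
            if (-not ($Required.ContainsKey($group) -and $Required[$group].ContainsKey($share))) {
                $issues.Add("${group} on ${share}: planned '$($Planned[$group][$share])' with no matching requirement")
            }
        }
    }
    return $issues
}

# Customer Requirements written per share (Table 3-31: share01 School Office,
# share02 Teaching Affairs Office, share03 Finance Office).
$required = @{
    group01 = @{ share01 = 'Read and write'; share02 = 'Read-only';      share03 = 'Read-only' }
    group02 = @{ share01 = 'Forbidden';      share02 = 'Read and write'; share03 = 'Read-only' }
    group03 = @{ share01 = 'Forbidden';      share02 = 'Read-only';      share03 = 'Read and write' }
}

# Table 3-35 as planned; expected to produce no issues.
$planned = @{
    group01 = @{ share01 = 'Read and write'; share02 = 'Read-only';      share03 = 'Read-only' }
    group02 = @{ share01 = 'Forbidden';      share02 = 'Read and write'; share03 = 'Read-only' }
    group03 = @{ share01 = 'Forbidden';      share02 = 'Read-only';      share03 = 'Read and write' }
}

# Constructed mistake (not in the guide): the Finance group was given write
# access to the Teaching Affairs share and its share01 entry was left out.
$mistyped = @{
    group01 = $planned.group01
    group02 = $planned.group02
    group03 = @{ share02 = 'Read and write'; share03 = 'Read and write' }
}

foreach ($case in @(@{ Name = 'Table 3-35'; Plan = $planned }, @{ Name = 'constructed mistake'; Plan = $mistyped })) {
    $result = @(Compare-SharePlan -Required $required -Planned $case.Plan)
    if ($result.Count -eq 0) { "$($case.Name): plan matches requirements" }
    else { "$($case.Name):"; $result | ForEach-Object { "  $_" } }
}
```

For the Table 3-35 plan the script reports a match; for the constructed variant it reports that group03 has write access on share02 where Read-only is required and that its share01 entry is missing. An entry left unset is worth flagging separately from a wrong level, because in DeviceManager a user group with no entry simply has no explicit permission, which is not the same as an explicit Forbidden.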

Accessing Shared Space

This section describes how to map a CIFS share to a network drive on a client of the School Office. You can map CIFS shares to network drives on the other clients in the same way. Note that user names test_user02 and test_user03 must be used to map the network drives on the clients of the Teaching Affairs Office and Finance Office respectively.

  1. Map a network drive to a client.

    The following uses a Windows Server 2012 client as an example.

    1. Open File Explorer and choose Computer > Map network drive > Map network drive.

      NOTE:

      GUIs may be slightly different for clients running different versions of Windows operating systems. The actual GUIs prevail.

    2. In Folder, enter \\192.168.50.16\share01, and select Connect using different credentials.

      192.168.50.16 is the logical IP address of the storage system.

    3. Click Finish.

  2. Authenticate a user.

    1. In the Windows Security dialog box, enter local user name test_user01 in User name.
    2. In Password, enter the password of user test_user01.
    3. Click OK.

  3. View the shared space.

CIFS GNS Share Configuration Example

This section uses an example to explain how to configure a CIFS GNS share.

Scenario

The storage administrator of a school needs to manage all departments using a management GUI. This section describes the customer's live network environment and detailed requirements.

Network Diagram

Figure 3-12 shows the customer's network.

Figure 3-12 Customer's network diagram

The customer's live network can be summarized as follows:

  • All clients use the Windows operating system.
  • The clients of the three departments reside on the same LAN as the storage system.
Customer Requirements

A storage system is required to provide storage space for the School Office, Teaching Affairs Office, and Finance Office. The storage space must be allocated as follows:

  • The Teaching Affairs Office and Finance Office have 1 TB dedicated storage space each.
  • The Teaching Affairs Office and Finance Office can write and read data in their respective 1 TB storage space.
  • The School Office can access, write, and modify the storage space of the Teaching Affairs Office and the Finance Office.
Requirement Analysis

This section provides an analysis of the customer's requirements and a solution.

Customer requirement analysis:

  • All clients use the Windows operating system, so the OceanStor storage system can use CIFS shares to provide storage space for the three departments respectively.
  • The storage system can manage CIFS share permissions. Allocating different permissions to different shares controls the mutual data access between different departments.

Solution:

  • Table 3-36 describes the basic information of the three departments.
Table 3-36 Basic information of the three departments

| Department | Share Name | Share Space | Local User | Local User Group |
| --- | --- | --- | --- | --- |
| School Office | share01 | 2 TB | office_user01 | group01 |
| Teaching Affairs Office | share02 | 1 TB | test_user02 | group02 |
| Finance Office | share03 | 1 TB | test_user03 | group03 |

  • Table 3-37 describes each local user group's permission to access the storage space of the School Office, Finance Office, and Teaching Affairs Office.
Table 3-37 Local user groups' permissions to access the storage space of the three departments

| Local User Group | School Office | Finance Office | Teaching Affairs Office |
| --- | --- | --- | --- |
| group01 | Read and write | Read and write | Read and write |
| group02 | Forbidden | Read and write | Read-only |
| group03 | Forbidden | Read-only | Read and write |

Configuration Process

Figure 3-13 shows the configuration process, helping you understand the subsequent configuration.

Figure 3-13 Configuration process
NOTE:

This configuration process is only applicable to this configuration example. For the complete configuration process of CIFS shares, see Configuration Process.

Configuration Procedure

This section describes how to configure a CIFS GNS share on DeviceManager.

Creating File Systems

File systems provide storage space for CIFS shares. You can create different file systems to provide storage space for different CIFS shares.

  1. On DeviceManager, choose Provisioning > File System.

    The File System page is displayed.

  2. Click Create.

    The Create File System dialog box is displayed.

  3. In the Create File System dialog box, configure related parameters as planned.

    Table 3-38 describes related parameters.
    Table 3-38 File system parameters

    | Parameter | Planned Value |
    | --- | --- |
    | Name | FileSystem |
    | Capacity | 1 TB |
    | File System Block Size | 32 KB |
    | Quantity | 2 |
    | Owning Storage Pool | StoragePool000 |

    NOTE:
    • When multiple file systems are created, the storage system automatically adds a number to each file system name for distinction. In this example, the created file systems are named FileSystem0000 and FileSystem0001 respectively.
    • This example assumes that most files in the file system are between 100 KB and 1 MB in size, so the file system block size is set to 32 KB.

  4. Click OK.
Creating Local Authentication User Groups

This section describes how to create local authentication user groups. Local authentication user groups help you control the share access permissions of local users.

  1. On DeviceManager, choose Provisioning > User Authentication.

    The User Authentication page is displayed.

  2. Click Local Authentication User Group.
  3. Click Create.

    The Local Authentication User Group dialog box is displayed.

  4. In User Group Name, enter group01.
  5. Click OK.

    The Success dialog box is displayed.

  6. Click OK.
  7. Repeat steps 3 to 6 to create user groups group02 and group03.
Creating Local Authentication Users

This section describes how to create local authentication users. For applications that use local authentication, local authentication users are used to access a CIFS share.

  1. On DeviceManager, choose Provisioning > User Authentication.

    The User Authentication page is displayed.

  2. Click Create.

    The Local Authentication User dialog box is displayed.

  3. In the Local Authentication User dialog box, enter required local user information.

    Table 3-39 describes related parameters.
    Table 3-39 Local authentication user parameters

    | Parameter | Value |
    | --- | --- |
    | Username | office_user01 |
    | Password | Enter a password. |
    | Confirm Password | Enter the password again. |
    | Primary Group | group01 |

  4. Click OK.

    The Success dialog box is displayed.

  5. Click OK.
  6. Repeat steps 2 to 5 to add users test_user02 and test_user03 to user groups group02 and group03 respectively.
Creating a CIFS GNS Share

After creating local user groups and local users, you need to create a CIFS GNS share. You can assign different permissions to different users when creating a CIFS GNS share.

  1. On DeviceManager, choose Provisioning > Share.

    The Share page is displayed.

  2. Create a CIFS GNS share.

    1. On the CIFS (Windows/MAC) tab, click Create.

      The Create CIFS Share Wizard page is displayed.

    2. In File System, select /. In Share Name, enter the planned share name share01.
    3. Click Next.

      The Set Permissions page is displayed.

    4. Click Next.

      The Permissions are not configured for users or user groups to access the CIFS share. Are you sure to continue? dialog box is displayed.

      NOTE:

      Access permission configuration for CIFS shares is described in step 4.

    5. Click OK.

      The Summary page is displayed.

    6. Click Finish.

      The Execution Result page is displayed.

    7. Click Close.

  3. Repeat step 2 to add CIFS shares share02 and share03 for FileSystem0000 and FileSystem0001 respectively.
  4. Configure access permissions for the CIFS share.

    1. Select share01.
    2. In Users/User Groups, click Add.

      The Add User/User Group dialog box is displayed.

    3. In User/User Group, select Local authentication user group. In Name, click Find.

      The Find Local Authentication User Group dialog box is displayed.

    4. Select user group group01 and click OK.

      The Add User/User Group dialog box is displayed.

    5. In Permission Level, select Read and write. Click OK.

      The Execution Result page is displayed.

    6. Click Close.

  5. Repeat step 4 to configure different access permissions for the other user groups.

    Table 3-40 lists planned access permissions.
    Table 3-40 Access permission planning

    | User Group | share01 | share02 | share03 |
    | --- | --- | --- | --- |
    | group01 | Read and write | Read and write | Read and write |
    | group02 | Forbidden | Read and write | Read-only |
    | group03 | Forbidden | Read-only | Read and write |

Accessing CIFS GNS Shares

This section describes how to map the network drive on a client of the School Office. You can map the network drives on the other clients in the same way. Note that user names test_user02 and test_user03 must be used to map the network drives on the clients of the Teaching Affairs Office and Finance Office.

  1. Map a network drive to a client.

    The following uses a Windows Server 2012 client as an example.

    1. Open File Explorer and choose Computer > Map network drive > Map network drive.

      NOTE:

      GUIs may be slightly different for clients running different versions of Windows operating systems. The actual GUIs prevail.

    2. In Folder, enter \\192.168.50.16\share01, and select Connect using different credentials.

      192.168.50.16 is the logical IP address of the storage system.

    3. Click Finish.

  2. Authenticate a user.

    1. In the Windows Security dialog box, enter local user name office_user01 in User name.
    2. In Password, enter the password of user office_user01.
    3. Click OK.

  3. View the shared space.

Updated: 2019-07-12

Document ID: EDOC1100021203