CIFS HOMEDIRECTORY - H2283 EMC Celerra Home Directory - A Detailed Review

7/27/2019 CIFS HOMEDIRECTORY - H2283 EMC Celerra Home Directory - A Detailed Review

http://slidepdf.com/reader/full/cifs-homedirectory-h2283-emc-celerra-home-directory-a-detailed-review 1/34

White Paper

Abstract

This paper provides an overview of the VNX® Home Directoryfeature. VNX gives its system administrators the ability toconfigure powerful rules that automates the process of creatingand assigning home directories to users. Whether anorganization has hundreds of users or tens of thousands, thisfeature helps relieve the management burden of providing CIFShome directories for the organization’s users.

October 2011

EMC VNX HOME DIRECTORYA Detailed Review



2White Paper Title

Copyright © 2011 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate asof its publication date. The information is subject to changewithout notice.

The information in this publication is provided “as is.” EMCCorporation makes no representations or warranties of any kindwith respect to the information in this publication, andspecifically disclaims implied warranties of merchantability orfitness for a particular purpose.

Use, copying, and distribution of any EMC software described in

this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMCCorporation Trademarks on EMC.com.

Part Number H2283.2



3White Paper Title

Table of Contents

Executive summary ....................................................................................... 4 Introduction ................................................................................................. 5

Audience ............................................................................................................................ 5 Terminology ....................................................................................................................... 6

What is VNX Home Directory? ............... ......... ........ .......... ......... ......... ........ ...... 7 Traditional approaches to CIFS home directory implementation ......................................... 7

Shared drive................................................................................................................... 7 Unique shares ................................................................................................................ 8

VNX Home Directory’s approach ......................................................................................... 9 Process for matching user credentials against database entries ....................................... 12

Home Directory database search: In detail ................................................................... 13 Path syntax ...................................................................................................................... 14 Regular expressions ......................................................................................................... 15 Auto-create ...................................................................................................................... 17

How do I manage Home Directory? .............. ......... ......... ........ .......... ......... ...... 18 Managing home directory entries ..................................................................................... 18 Enabling the Home Directory service ................................................................................ 19 Scope of the Home Directory feature ................................................................................ 19 Exporting/importing the Home Directory database ........................................................... 20 Security considerations .................................................................................................... 20 Setting the Home Directory path in AD User Profile ........................................................... 22 Spreading users across two or more file systems.............................................................. 24

When <domain,user> are identical between database entries ....................................... 25 When only <domain> is identical between database entries .......................................... 28

Spreading users across two or more Data Movers............................................................. 28 Replicating Home Directory configurations ....................................................................... 29 Migrating Home Directory configurations.......................................................................... 31 File Extension Filtering and Quotas ................................................................................... 32

Conclusion ................................................................................................ 32 References................................................................................................. 32



4White Paper Title

Executive summary

Data is vital to the operation of today’s businesses – even the small data files that aregenerated every day by individual users can sometimes have costly repercussions ifthey are lost or damaged. Yet, by failing to provide a protected storage location on the

network for this data many companies are effectively mandating that users store dataon fault-sensitive disks in laptop or desktop computers.

CIFS home directories can be combined with fault-tolerant storage (such as VNX) toprovide safe, secure, network-accessible storage for this user-level data.Management of these home directories can be burdensome to the storageadministrator, so EMC® VNX® provides an integrated Home Directory feature thatsignificantly reduces the administrative burden by shifting the directory and sharemanagement to VNX.

In the typical business environment user home directories are not shared – eachhome directory is intended for only one specific user. Consequently, it is up to the

system or domain administrator to:

1. Determine where the user’s home directory will exist.

2. Create a directory on the file server to act as the user’s home directory.

3. Create a CIFS share to give the user access to the home directory.

4. Secure the CIFS share.

5. Set the home directory field of the user’s profile on the domain controller toreflect the appropriate home directory location.

VNX’s Home Directory feature eliminates the need for three of these steps. Further, itsignificantly eases the burden of the last step because the contents of the homedirectory field in the user profile can be the same for all users.

When using VNX’s Home Directory feature the administrator initially sets up somerules that govern home directory behavior. To add a user home directory, theadministrator then follows this significantly less burdensome sequence of steps:

1. Determine where the user’s home directory will exist .

2. Set the home directory field of the user’s profile on the domain controller toreflect the appropriate home directory location.

Other very important benefits of the Home Directory feature are seen when looking atdisaster recovery (DR) architectures and migration scenarios. VNX’s CIFSconfigurations can be replicated to remote sites for DR purposes, and the homedirectory database is one component of the configuration that is replicated. Shoulddisaster strike, end users need only to reconnect to the home directory – there is nochange in the UNC path.



5White Paper Title

In migration scenarios, the home directory database and user file systems can bemigrated to the new VNX Data Mover with little downtime. Once the home directorydatabase has been migrated, users can simply be referred to the new VNX Data Moverwhere each user will see his home directory as it was on the old VNX Data Mover.Contrast this with the need to manually migrate a CIFS home directory configurationthat includes hundreds or thousands of individual CIFS shares (one per user). As the

home directory storage needs of your company grow, you can migrate to newer orlarger VNX cabinets with less work than would otherwise be required.

Let us recap VNX Home Directory’s benefits:

Significantly reduced administrative costs around home directorymanagement

Simpler, more reliable disaster recovery

Simpler, more reliable home directory migrations to VNX or between VNX DataMovers (intra- and extra-cabinet)

Introduction

This white paper’s goal is to communicate the business case for VNX Home Directory,as well as some high-level implementation and design considerations of the feature.Specific implementation details are documented in the VNX Home DirectoryManagement Help Files and will not be covered here.

To achieve that goal, this white paper will attempt to answer the following questions:

• What is Home Directory?

• How does Home Directory work?

• How do I manage Home Directory?

• How can I take Home Directory beyond its basic functionality and use it inadvanced ways?

Audience

EMC customers, people who are considering the purchase of EMC VNX storage, andEMC field personnel are the intended recipients of this paper.

Readers of this paper are expected to have a basic understanding of VNX conceptsand the administration of users within a Microsoft Windows NT4 or Windows2000/2003/2008 Active Directory domain. A basic understanding of VNX CIFS

technology is assumed, although this white paper should also be digestible by thosewho understand Microsoft CIFS concepts but lack an understanding of VNX’s CIFSimplementation.



6White Paper Title

Terminology

VNX File/Celerra Management: Also called Celerra CIFS Management, it is an EMCMMC snap-in that provides management functions for Home Directory, as well as forsome other VNX features.

Common Internet File System (CIFS): A file sharing technology for IP networks that is

the primary file sharing technology for Microsoft Windows operating systems and thathas gained traction with other operating systems in recent years. CIFS is based on theServer Message Block (SMB) protocol.

Disaster recovery (DR): The recovery of business IT operations after the primary datasite is lost to a disaster. Such disasters may include power outages, natural disasterssuch as wind damage or flooding, terrorist attacks, and so on.

Home Directory: A dedicated, network-attached (CIFS) file storage resource; typicallyone per user and mapped as a network drive at login.

Microsoft Management Console (MMC ): An extensible Microsoft application(mmc.exe) that provides the ability to create a custom system management

“dashboard” (or view). Many Microsoft Windows features are managed via the MMC;for example, Computer Management (compmgmt.msc) is an MMC application.

MMC Snap-in: A plug-in to the Microsoft Management Console. These plug-ins can bearbitrarily gathered together into a single, customized MMC view by using themmc.exe /console command. Microsoft provides many such plug-ins, but third-partyvendors such as EMC may also provide plug-ins to manage their own products. VNXFile/Celerra Management is an example of an MMC Snap-in that is provided by EMC.

Virtual Data Mover (VDM): A virtual container of VNX file systems and CIFS servers. AVDM is treated as a unit, and it can be moved between Data Movers within a VNXcabinet and replicated to other Data Movers for disaster recovery.



7White Paper Title

What is VNX Home Directory?

Traditional approaches to CIFS home directory implementation

To understand exactly what VNX Home Directory is and what it does, we first take alook at two traditional approaches for providing CIFS home directories: shared driveand unique shares.

Note that the examples will use a simple subset of a hypothetical user base, and theywill show the perspective of the following three users:

Table 1 Users and logon name

Full name Windows logon name

Joanna Smith MARKETING\jsmith

Mark Fodor MARKETING\mfodor

Rue Prada FINANCE\rprada

We will use a CIFS server called ATLANTA3. Assume that it is joined to the MARKETINGdomain. Also assume that the MARKETING domain has a bidirectional trustrelationship with the FINANCE domain so that members of both domains canauthenticate with ATLANTA3.

Shared drive

One common implementation for CIFS home directories is the “shared drive”implementation, as shown in Figure 1. This is a very simple implementation bothconceptually and in practice: One large shared drive (CIFS share) is created andshared by many users. Each user has a folder/directory on the shared drive that isused as the user’s home directory. The big win with this approach is that it can be

extremely easy to implement – if security is not a concern. Some problems that canbe found with this approach are:

Creation of each user’s home directory can be labor-intensive

Setting permissions on each new home directory can be very-labor intensiveand is prone to error.

Unless proper security measures are implemented with file permissions/ACLs,one user may be able to see – and perhaps modify – another user’s files.Correctly applying ACLs to home directories can be a labor-intensive and error-prone process.

The user must navigate into a subdirectory of the share to find his own homedirectory

This problem can be prevented by specifying the full path to a user’s homedirectory in his Windows profile. For example, in Figure 1 mfodor’s profilewould contain the path \\atlanta3\shared\mfodor in his home directorysettings.

http://atlanta3/shared/mfodor






8White Paper Title

Figure 1. The shared drive approach to home directory management - all users mapthe same CIFS share.

Unique shares

A second common implementation for CIFS home directories is the unique sharesapproach, as shown in Figure 2. In this approach, a unique CIFS share is created foreach user’s home directory. Only the user that owns the home directory is permittedto map the share. This approach is more secure than the shared driveimplementation, but it suffers from being much more difficult to implement. Some ofits big drawbacks include:

Creation of all the shares can be very labor-intensive.

Creation of the directory that roots each share can be very labor-intensive.

Setting permissions on each new share can be very labor-intensive and isprone to error.



9White Paper Title

Figure 2. In the unique shares approach to home directory management, a CIFS shareis created for each user. This share is rooted at the user s home directory.

VNX Home Directory s approach

VNX Home Directory offers a way to achieve the benefits of both the shared drive andthe unique shares approaches (ease of implementation and high security) whileeliminating most of the administrative burden. It accomplishes this in two ways:

It provides a unique, secure home directory view to each user withoutrequiring a unique share for each user.

It automates most of the traditional home directory management duties bymoving responsibility for those duties from the administrator to the VNXserver.

Home Directory uses CIFS login information and a database to provide a unique,secure home directory view to each user. The home directory view that is seen by anygiven user is defined by the rules stored in the Home Directory database. A VNXadministrator configures the database to meet the specific needs of the organization.

VNX Home Directory eases home directory administration in two big ways:

It enables users to see their unique home directory views while logging into

the same CIFS share.

It has a flexible language for specifying home directory mapping rules thatallows the administrator to specify mapping behavior for hundreds or eventhousands of users with a single rule.



1White Paper Title

For a given CIFS server, each user of the CIFS server will connect to\\[cifs-server]\HOME to access their home directory. In other words, the

users all connect to the same CIFS share, as depicted in Figure 3.

Figure 3. User mechanism of connecting to VNX with Home Directory feature. All threeusers are logging in to the same CIFS share.

Each of the users has connected to \\atlanta3\HOME – the location of their homedirectory. Note that any shared drive CIFS solution could provide this functionality if

all three users are allowed to see the same files and directories when connected to\\atlanta3\HOME. For example, in Figure 3 all three users would see the samedirectory listing of \\atlanta3\HOME if a shared drive implementation is used:

$ dir \\atlanta3\HOME

aapple

…

jsmith

mfodorrprada

…

Joanna Smith could access the contents of Mark Fodor’s home directory if the ACLsallow. This is not typically desirable behavior. The alternative unique shares approach

http://atlanta3/HOME









1White Paper Title

– giving each user a dedicated share to map (\\atlanta3\jsmith,

\\atlanta3\mfodor, \\atlanta3\rprada) – is also not desirable becauseit greatly increases the administrative burden of providing the user home directories.

Now, let us change the requirements just a bit. We will add a column to the user table

that specifies not only the user’s logon information, but also the file path that shouldbe exported to the user when they connect to the home directory CIFS share. In otherwords, we will specify that each user should have a unique view when connected to\\atlanta3\HOME.\

Table 2 Users and logon name and home directory path

Full name Windows logon name Home directory path

Joanna Smith MARKETING\jsmith /marketing/jsmith

Mark Fodor MARKETING\mfodor /marketing/mfodor

Rue Prada FINANCE\rprada /finance/rprada

This latest requirement changes things significantly. All users are connecting to thesame share –\\atlanta3\HOME – yet each user sees a different set of files andfolders when connected. This is exactly what VNX Home Directory enables us to do,and Figure 4 illustrates it.

http://atlanta3/jsmith

http://atlanta3/mfodor

http://atlanta3/rprada

http://atlanta3/HOME./

http://atlanta3/HOME./


http://atlanta3/mfodor

http://atlanta3/jsmith



1White Paper Title

Figure 4. Logical view that is built when a user connects to Data Mover with VNXHome Directory. All three users log in to the same share, yet each sees a different

directory.

VNX Home Directory’s secure single share model – in which all users can connect tothe same share yet see unique, private file system views – provides a significantamount of administrative value when configuring user profiles in the Active Directory.The Setting the Home Directory path in AD User Profile section has more information.

VNX Home Directory uses a database to store mappings between users and filesystem paths. Each Data Mover, or Virtual Data Mover, has a database table where arow in the table takes the following general form:

Match criterion Path Options

A match criterion consists of two patterns: One pattern specifies a domain name andthe other pattern specifies a username.

Match criterion Path Options

domain name username

When a user – for example, Joanna Smith – logs in to the CIFS server called atlanta3the Data Mover will extract Joanna’s domain and username from her login credentials.In Joanna’s case, the domain name is MARKETING and the username is jsmith. Thisinformation is used by the Data Mover to search the home directory database – Joanna’s domain and usernames are compared with the various match criterionstored in each row of the database table. If a match is found, then the specified pathwill be associated with Joanna’s CIFS session. If no match is found, then Joanna’sCIFS session fails to be established and she is denied login.

In the following sections we will look more closely at how this process works.

Process for matching user credentials against database entries

Recall from the discussion above that login information (domain name, username) iscompared against the match criterion of database entries to find the user’s homedirectory path. Visually, this database simply looks like:

domain name username path options


… … … …


At the most basic level, the Data Mover consults the database and looks for a matchbased on domain name and username. If it finds such a match, then it looks for thepath specified by the matching entry. If that path is not found then the Data Moverwill look for the next matching database entry. In reality, however, the searchalgorithm is slightly more complex than this description, so we will now take a deeperlook at how the database is searched.



1White Paper Title

Home Directory database search: In detail

Finding a match in the database is not quite as simple as the “first match” algorithmdescribed above. Rather, the actual behavior is that the entire database is searchedtop to bottom when looking for a match and that no single match is “tried” until allmatches have been identified.

When the Data Mover finds multiple matches in the database it will attempt to use(“try”) the most recently found match first. (Note that the most recently foundmatching entry will be the one that was found farthest down the database table.)Should the Data Mover be unable to locate the path specified by that matching entryit will take the next most recently found match and try it, and so on.

We will use Joanna as an example to look at this match process pictorially. Assumethat she maps \\atlanta3\HOME and the Home Directory database looks like the

following:

After reading the database table from top to bottom, the Data Mover is going toprocess the rows that match in “most recently found” order. This means that thematches will be processed in this order:

ORDERPROCESSED

MATCHING ENTRY

1 MARKETING *smith /home/special/msmith options

2 * * /guests options

3 MARKETING jsmith /marketing/jsmith options

The Data Mover will look at Matching Entry #1 first, so it will search for the path/home/special/msmith. Let us assume that the path /home/special does not exist onthe Data Mover. Matching Entry #1 will be discarded because the home directory/home/special/msmith does not exist. Matching Entry #2 ( /guests ) will be processed

next and let us assume that the path /guests does exist. Joanna will be allowed tomap \\atlanta3\HOME and her working directory for that session will be /guests.

FINANCE * /finance options

MARKETING jsmith /marketing/jsmith optionsMARKETING h* /marketing-h options

* *

DatabaseRead

Top-to-Bottom

These rows match







1White Paper Title

Recall that this is not the behavior we wanted – we wanted Joanna’s working directoryto be /marketing/jsmith. We can achieve that by simply changing the order of theHome Directory database table entries so that the entry that we want to apply to Joanna is found last (and processed first):

Domain User Path Options

FINANCE * /finance optionsMARKETING h* /marketing-h options

* * /guests options

… … … …

MARKETING *smith /home/special/msmith options

MARKETING jsmith /marketing/jsmith options

In practice, it is best to ensure that only one database table entry/row will match eachuser unless you want to spread your users across multiple file systems. We willdiscuss how you spread users across multiple file systems later in this white paper.

If multiple matches are necessary to implement the home directory rules required foryour organization, then the best practice is to put the more general criteria toward thetop of the database table and the more specific criteria toward the bottom of thedatabase table. This allows the more specific database entries to be found last andprocessed first.

Path syntax

Recall from previous sections that Home Directory database entries are matched to auser’s login credentials based on the value of the domain name and username.However, the actual database key is not <domain,user> it is <domain,user,path>.

Including the path in the key gives you the flexibility to specify multiple matchingentries in the database so that users can be spread across multiple file systems.Spreading users across multiple file systems will be discussed later; it is onlymentioned here to emphasize the reason the path field is part of the key in the HomeDirectory database.

A path has the following general syntax:

It must begin with a forward ‘/’ or backward slash ‘\’ character.

It may contain two special strings that are substituted by the Data Mover uponprocessing the database entry:

: Substituted with the username of the user who is connecting to the HOMEshare

<d>: Substituted with the domain name of the user who is connecting to theHOME share

It must be specified relative to the root of the Data Mover or Virtual DataMover.



1White Paper Title

The substitution strings give you an enormous amount of flexibility when definingyour database entries. Consider the following example:


* a* /home/<d>/a-c/ options

* b* /home/<d>/a-c/ options

* c* /home/<d>/a-c/ options

* d* /home/<d>/d-f/ options

* e* /home/<d>/d-f/ options

…20 more…

* z* /home/<d>/y-z/ options

FINANCE * /finance/ options

MARKETING * /marketing/ options

The first 26 entries in this table (only six are shown here) are “catch all” entries – users of all domains other than FINANCE and MARKETING will be matched to one ofthese entries, and their home directories are arranged into alphabetical buckets (a-c,d-f, and so on) according to their domain and usernames. For example, ifENGINEERING\ecartman logs in, the Data Mover will process the database anddetermine that his home directory is /home/engineering/d-f/ecartman.

The last two entries in the table catch all users in the MARKETING and FINANCEdomains, associating those users with directories under /marketing and /finance,respectively.

Substitution strings give you the ability to avoid having to specify one Home Directory

database entry per user. Rather, you can specify a generic path that containssubstitution strings and the path will then become customized for each user basedon their login credentials.

Regular expressions

When defining Home Directory database entries using only alphanumeric charactersand the two supported wild cards (‘*’ and ‘.’) it can sometimes be very difficult toencode the patterns you need. This often results in the use of an excessive number ofhome directory database entries to achieve something that should have beenrelatively simple. VNX Home Directory solves this problem by giving you the enormousflexibility of using regular expressions when specifying the domain name and

username of a database entry.

Consider a scenario where we want to divide our users alphabetically among differentfile systems such that groups of four adjacent letters are on the same file system (a-d,e-h, and so on) Without regular expressions we can accomplish this only by creating26 separate database table entries – one for each letter of the alphabet.



1White Paper Title


* a* /homeA-D/<d>/ options

* b* /homeA-D/<d>/ options

* c* /homeA-D/<d>/ options

* d* /homeA-D/<d>/ options

* e* /homeE-H/<d>/ options

…18 more… … … …

* x* /homeU-X/<d>/ options

* y* /homeY-Z/<d>/ options

* z* /homeY-Z/<d>/ options

This set of 26 database entries can be consolidated into a set of only seven databaseentries by using regular expressions:


.* [a-d].* /homeA-D/<d>/ regexp=Yes

.* [e-h].* /homeE-H/<d>/ regexp=Yes

.* [i-l].* /homeI-L/<d>/ regexp=Yes

.* [m-p].* /homeM-P/<d>/ regexp=Yes

.* [q-t].* /homeQ-T/<d>/ regexp=Yes

.* [u-x].* /homeU-X/<d>/ regexp=Yes

.* [y-z].* /homeY-Z/<d>/ regexp=Yes

Clearly the ability to specify regular expressions is powerful.



1White Paper Title

Table 3 shows other examples of how regular expressions can be used in the HomeDirectory database to simplify Home Directory management:



1White Paper Title

Table 3. Examples of regular expression use in the Home Directory database

Domain name Username Matches Does not match

[ENGINEERING|FINANCE] .* All users in the domainsENGINEERING and FINANCE

Users in any otherdomain

.* [wdc|moc].* All users in all domains whosenames are prefixed with thecontractor designations ‘wdc’(Widget Development Corp) or‘moc’ (ManufacturingOperations Consultants)

Users whosenames are notprefixed with oneof the twodesignations

.* .* [2] [0-9]{3}.*

All users in all domains thathave four sequential numericcharacters in the usernamewhere the first digit is 2; forexample, joe2006

Users whosenames do nothave the requiredsequence ofdigits

Regular expressions should be used to simplify your Home Directory management.However, care must be taken to consider whether a given regular expression mayunintentionally match users other than those you designed it for.

Auto-create

While the combination of reg ular expressions with Home Directory’s single sharemodel is very powerful, its usefulness is diminished if you must manually create eachuser’s home directory. VNX Home Directory’s auto-create feature can ensure thathome directories are created automatically as needed by the VNX1.

Auto-create is an option you set on the Home Directory database table entry. It tellsthe Data Mover to create the user’s home directory if it does not already exist. Thereare several choices for the security applied to these auto-created directories (See the“Security Considerations” section for more information). Only the lowest level tokenin the home directory path will be created. Should the parent container of that lowestlevel token not exist, then the home directory entry will be treated as if it does notmatch the login credentials.

1 File system permissions on the automatically created directory are:drwxr--r-- 2 root bin



1White Paper Title

Figure 5. Auto-create and the Home Directory path

For example, assume that MARKETING\jsmith’s home directory is /homeI-

L/marketing/jsmith. Also assume that the only matching database table entry forMARKETING\jsmith specifies a home directory path of /homeI-L/<d>/ and that theauto-create option is set on that entry. When jsmith attempts to map the HOME sharethe Data Mover will create the jsmith directory if it does not already exist in /homeI-

L/marketing. If /homeI-L/marketing does not already exist then jsmith will be unableto map the HOME share because the Data Mover will not create both the parentdirectory ( /homeI-L/marketing) and the home directory itself ( /homeI-

L/marketing/jsmith) . Only the lowest level token in the path (the home directory itself)will be created.

How do I manage Home Directory?

VNX Home Directory is managed through the VNX File/Celerra Management DataMover Management MMC Snap-in2 which is a tool that runs on Microsoft Windows

operating systems and plugs in to the Microsoft Management Console (Figure 6 ).Refer to the Data Mover Management help files for more information. These help filesare available from within the Data Mover Management MMC Snap-in or from the VNXDocumentation CD.

Scope of the Home Directory provides important information about the granularity atwhich the home directory service can be controlled.

Managing home directory entries

Home directory entries are managed through the VNX File/Celerra Management Data

Mover Management MMC Snap-in.

2

You can add, delete, and modify entries. You canalso reorder the database by dragging entries and dropping them at the bottom of thedatabase.

2 The Celerra Data Mover Management MMC Snap-in is available by installing the VNX File/Celerra CIFS Management tool fromthe VNX Applications and Tools CD.

/homeI-L/

marketing/

jsmith/

In path /homeI-L/<d>/ with auto-create enabled, the lowest leveldirectory (represented by – jsmith in this case) will be createdautomatically if needed.



2White Paper Title

Figure 6. VNX File/Celerra Management s Data Mover Management MMC Snap-In. This

snap-in is used to manage the Data Mover s home directory database. Afterconnecting to a CIFS server on the Data Mover you can manage Home Directory.

Note that the Data Mover Management Snap-in operates by connecting to a VNX CIFSserver. You must therefore create a CIFS server and connect the Data MoverManagement Snap-in to that CIFS server before you are able to modify Home Directoryservice status or manage the Home Directory database.

Enabling the Home Directory service

The Home Directory service can be started and stopped through the VNX File/Celerra

Management Data Mover Management MMC Snap-in (Figure 6). The special HOME

CIFS share will be exported automatically when the Home Directory service is running.Scope of the Home Directory feature

It is important to know the scope of the Home Directory feature. Does it apply to thewhole Data Mover? Does it apply to all Data Movers in a VNX cabinet? Or does it havesome other scope?

Home Directory is configured at the Data Mover or Virtual Data Mover level. Thus, thehome directory service can be enabled/disabled independently on each Data Moverand Virtual Data Mover.

Further, each VNX Data Mover or Virtual Data Mover has its own Home Directory

database. Thus, all users logging in to the HOME share on the primary Data Moverwill share a database, but users logging in to a Virtual Data Mover will share adifferent home directory database. Users connecting to two different CIFS servers onthe same Data Mover or Virtual Data Mover will share the same Home Directorydatabase.



2White Paper Title

Exporting/importing the Home Directory database

There is currently no graphical user interface for exporting and importing the HomeDirectory database. However, to give one Data Mover or Virtual Data Mover anidentical copy of another Data Mover’s Home Directory database you can copy thefile3 /.etc/homedir from one Data Mover to the other.

Security considerationsIn the most common and secure configuration, the VNX Home Directory feature allowseach user the ability to access only their own home directory, as defined by the rulesconfigured in each home directory database on each Data Mover. Special care shouldbe taken to ensure that the rules defined by the system administrators do not allowunintended access violations. The default behavior is the most secure and does notneed to be changed if the “owner -only access” model is desired.

For information on defaults and behavior when upgrading from a code versionwithout this functionality (prior to 5.6.50) to a code version with this functionality

The VNX home directory feature gives you more control over who has access toautomatically-created home directories. It does this through the Access Control Lists(ACLs) that are applied to these directories. Specifically, a registry flag offers twosecurity options for automatically-created home directories:

1. Restrict ACL to the owner. (This is the default value.)

2. Set ACL based upon inherited values.

With both of these settings, if the parent ACL is set up correctly, the inheritancemodel ensures that the owner of the new home directory is the Windows user ratherthan UNIX root. When using inheritance, you must be careful when building the

inherited ACL to make sure that you achieve the desired result.

A third setting for this flag is also offered to provide compatibility with the behaviorprior to release 5.6.50. This setting has the UNIX root user as the owner of each HomeDirectory folder and the EVERYONE group is given full control.

This flag applies only to new auto-created home directories . It does not apply tomanually created or existing home directories.

This security feature is controlled through a registry entry belonging to the CIFSServer:

HKEY_LOCAL_MACHINE\Software\EMC\Homedir\Flag

3 The server_file Control Station command can be used to retrieve and upload this file.



2White Paper Title

Figure 7. Setting the registry entry for auto-created home directories

The registry entry is global to each Data Mover and Virtual Data Mover, meaning that

every CIFS Server on the Data Mover shares the same setting, and every CIFS server ona Virtual Data Mover (VDM) shares the same setting. (A VDM has its own registry,which is distinct from the Data Mover’s registry.) .) If you have different groups of CIFSusers that for some reason require different auto-create security policies, you cansegregate those groups of users onto different VDMs to achieve this. This registryentry can be set from any Windows host in the CIFS Server’s domain by using theregedit / regedt32 commands to connect to the CIFS Server’s registry.

This setting only applies to new, automatically-created, home directory paths. Pathsthat were previously automatically-created or manually created paths are unaffectedby this registry setting.

The following is a detailed description of the three options for Home Directory security(DART 5.6.50 and later):

0x0 (default) – This setting disallows ACL inheritance from the parent folder and

creates the new home directory with the user as the owner (as opposed to ‘root’).Furthermore, only the user/owner has full privileges. No other privileges are set,which effectively locks out every other user from the directory. To access the



2White Paper Title

user’s home directory, an administrator or user with “take ownership” pr ivilegewill need to take ownership of the home directory and modify the ACL as required.

0x1 – This setting creates the new home directory with the current user as the

owner (as opposed to ‘root’) and gives them full privileges. Inheritance from theparent folder is allowed and dictates any further permissions applied on the homedirectory folder. This setting may revert to the 0x0 behavior if the ACL inheritance

from the parent folder has not been configured. Using inheritance requires care inbuilding the inherited ACL so that the desired result is achieved.

0x2 – This setting provides functionality identical to what is provided with the

5.6.47.11 code release. Any new home directory folder is created with ‘root’ as theowner and allows full privileges to the “EVERYONE” ACE.

NOTE: When using the setting 0x1, particular care must be taken to understand theimplications of permissions and ACL inheritance. In particular, the inheritance of the“CREATOR OWNER” ACE will limit permissions to newly created files and foldersinside a user’s home directory folder to the user that created the file or folder. Forexample, a file created by the Domain Administrator (assuming the permission to doso exists in the ACL) in another user’s home directory will be owned by t he DomainAdministrator and will not be accessible to the user that owns the home directory.This is because there is no ACE in the home directories ACL that specifically grantspermission to that user (instead, it is the CREATOR OWNER ACE.)

Setting the Home Directory path in AD User Profile

Active Directory Users and Computers allows you to assign a network path as a user’shome directory4 (Figure 8). In a traditional unique shares home directory scenarioeach user has a unique home directory network path. For example, the path shown inFigure 8 might be \\atlanta3\rprada if using the unique shares approach. With each

user that is added to the active directory, the administrator must specify in that user’sprofile the unique path of his home directory.

VNX Home Directory removes this burden because all users of a CIFS server connectto the same path. This is precisely why in Figure 8 Rue Prada is connecting to

\\atlanta3\HOME rather than \\atlanta3\rprada. Other users – such as Mark Fodor – would also connect to \\atlanta3\HOME. Thus, it is possible for the Active Directoryadministrator to create a “template” user account that has the home directorypredefined in the profile, and then copy that user account to add a new user. Thehome directory path will be copied from the template account and the administratorwill not need to set it manually.

4 If the home directory field is set in the AD User Profile then Windows will do the following when the user logs in to a domainmember computer:

Map the home directory and assign it to the specified network drive Set the HOMEDRIVE, HOMEPATH, and HOMESHARE user environment variables











2White Paper Title

Figure 8. Setting the home directory in an Active Directory user s profileis done through the AD User Properties dialog box. Access this dialogbox from Active Directory Users and Computers – right-click the userand choose Properties from the context menu.

Figure 8 shows how to set the user home directory using the Active Directory Usersand Computers MMC snap-in. However, the home directory can also be set via the netuser command on the cmd.exe command line. The net user command can beparticularly useful in scripting changes to the home directory configuration of existinguser accounts. The following example shows how the home directory would be set to

\\atlanta3\HOME for the user rprada:net user rprada /homedir:"\\atlanta3\HOME”






2White Paper Title

Spreading users across two or more file systems

In certain scenarios it may be desirable to spread the home directory users of a singledomain across more than one file system. Some of these scenarios include:

Performance: In large domains or under heavy I/O conditions, you may find thatsplitting your home directory users between two or more file systems yields betterperformance.

Capacity: In large domains or in environments where user home directories arevery large, it may be necessary to spread users among two or more file systems toavoid encountering file system capacity limitations.

Billing/chargeback: Spreading users among two or more file systems may helpyou to keep track of the capacity used by each set of users. This can be helpful insituations where parts of the organization are billed internally for their users’ filesystem usage, or for ISVs that are providing storage hosting services for external

customers.VNX Home Directory makes it relatively easy to spread users across two or more filesystems. Recall the discussions in Process for matching user credentials againstdatabase entries and Path syntax that said the database key for the Home Directorydatabase is <domain, user, path> and that in the case of multiple entries that matchon <domain, user > the matches are searched backward until an entry that has aviable/matching path is found. This is the behavior that enables you to spread usersamong multiple file systems.

Two options are available for spreading users among multiple file systems:

1. Create two or more entries where <domain, user> is identical between database

entries, but <path> is different. This option requires caution when using theauto-create functionality.

2. Create two or more entries where only <domain> is identical between databaseentries, but <user> and <path> both differ between database entries. This optionenables unrestricted use of the auto-create functionality.

Let us look at some concrete examples using our two MARKETING domain users fromthe earlier examples, only this time Joanna Smith and Mark Fodor will be on differentfile systems.

Full name Windows logon name Home Directory path

Joanna Smith MARKETING\jsmith /marketing1/jsmith

Mark Fodor MARKETING\mfodor /marketing2/mfodor



2White Paper Title

When <domain,user> are identical between database entries

If we want to keep the username and user domain identical across our home directoryentries, then in most cases we will need to manually create the home directories in

the file systems because the auto-create feature will not produce the desiredbehavior.

Our home directory database may look like the following:


… … … …

MARKETING * /marketing2/ auto-create=no


We manually create the following directories in the marketing1 and marketing2 VNX

file systems: /marketing1/jsmith

/marketing2/mfodor

When Joanna Smith maps \\atlanta3\HOME both of these entries will match her userdomain and username. Recall from Home Directory database search: In detail that theData Mover will take the last match and try to find the specified path. In this case, thelast match is the one with path=/marketing1/, and since /marketing1/jsmith exists no further search is needed – /marketing1/jsmith will be used as Joanna’shome directory.

When Mark Fodor maps \\atlanta3\HOME both of these entries will match his userdomain and username. The Data Mover will take the last match and try to find thespecified path. In this case, the last match is the one with path= /marketing1/,and since /marketing1/mfodor does not exist , the Data Mover will look at the next-to-last match – path=/marketing2/. Since /marketing2/mfodor exists no furthersearch is needed – /marketing2/mfodor will be used as Mark’s home directory.

Now you can see what would happen if we were to enable auto-create on thesedatabase entries – the last match (the one with path=/marketing1/ ) is the firstexamined and with auto-create enabled the Data Mover would simply create a/marketing1/mfodor directory for Mark rather than processing the second-to-last

match. This would effectively put all users on the same file system – /marketing1 – which is not what we wanted.











2White Paper Title

With that caution in mind, we could do something like this:


… … … …

MARKETING * /marketing3/ auto-create=yes



In this case, all users who do not have home directories pre-created on /marketing1 or /marketing2 will fall through to the third-to-last match and home directories willautomatically be created for them on /marketing3 if they do not already exist.

This approach is often the least convenient approach from an administrativeperspective, but it is necessary when your usernames lack specific string attributes

that would allow them to be grouped into well-defined sets. Because this approach isperhaps the most difficult to understand, let us look at a concrete, real-world examplefrom a VNX customer:

The situation…

A school has two sets of users – teachers and students. Both teachers and studentslog in to the same Windows domain. Teachers get much larger quota allocations thanstudents, so their home directories are stored in a different path than the studenthome directories. There is no mechanism by which a teacher can be distinguishedfrom a student when examining the username. What would the recommended homedirectory configuration look like?

The analysis…

Perhaps the most important piece of information we learned from reading thedescription of this customer’s situation is that there is no mechanism by which theusername or domain can distinguish a student from a teacher. This tells us that the<domain,username> portion of the Home Directory entry will be identical if

multiple entries are required.

We also learned that the user base must be distributed as groups across multiple filesystems or across multiple paths within the same file system. This tells us thatmultiple Home Directory entries are required – one for each distinct path.



2White Paper Title

Now, we will assume this is like most schools in that the student-teacher ratio is fairlylarge – let us say 20 students per one teacher (20:1). The following Home Directoryconfiguration would perhaps be the most efficient configuration possible:


… … … …

SCHOOL * /homedirs/students/ auto-create=yes

SCHOOL * /homedirs/teachers/ auto-create=no

Note that what this does is it requires the administrator to manually create teacherhome directories in the path /homedirs/teachers/. When a teacher logs in, herdirectory will be found by the first matching entry under the path/homedirs/teachers/.

When a student logs in, his directory will be not be found by the first matching entry( /homedirs/teachers/ ) because it does not exist there. Home Directory then willlook at the second matching entry and will find the student’s home directory in the

path /homedirs/students. If the student does not already have a home directoryunder /homedirs/students, then one will be created automatically because auto-create is enabled on the second matching entry. Thus, the administrator does nothave to manually create home directories for students.

Since the student-teacher ratio is 20:1 the administrator needs only to manuallycreate home directories for approximately 1/21 of the user base (the teachers).Should he forget to create a teacher’s home directory then the teacher willautomatically be given a home directory in /homedirs/students, and the administratorcan later rectify the situation by simply moving that home directory to/homedirs/teachers.



2White Paper Title

When only <domain> is identical between database entries

Let us look at an alternative approach that allows us to use the auto-create feature sothat we can avoid manually creating home directories.

Assume that half of the users in the MARKETING domain have usernames beginningwith one of the letters from the alphabetical set of letters ‘a’ through ‘k’. The other

half of users have usernames beginning with ‘l’ through ‘z’. We can utilize this fact toput half of our users on /marketing1 and the other half on /marketing2 while alsotaking advantage of the auto-create functionality.

Such a home directory database might look like:


… … … …

MARKETING [l-z].* /marketing2/ auto-create=yes,

regexp=yes

MARKETING [a-k].* /marketing1/ auto-create=yes,

regexp=yes

When Joanna Smith maps \\atlanta3\HOME only the last of these entries will matchher user domain and username. If this is her first time mapping the share, then theData Mover will see that /marketing1/jsmith does not exist and will create it to use as Joanna’s home directory.

When Mark Fodor maps \\atlanta3\HOME only the second to last of these entries willmatch his user domain and username. If this is his first time mapping the share, thenthe Data Mover will see that /marketing2/mfodor does not exist and will create it touse as Mark’s home directory.

This approach is often the most convenient approach, and it works best when thelogin names that comprise your user base have specific string attributes that allow

them to be grouped into distinct sets. In our example that attribute is the value of thefirst character of the username. Regular expressions can then be used to specifymatch criteria based upon these attributes.

Spreading users across two or more Data Movers

In certain scenarios it may be desirable to spread the home directory users of a singledomain across more than one Data Mover or CIFS server as shown in Figure 9. Someof these scenarios include:

Performance: In domains with a large number of users or with heavy I/O loads,you may find that putting all of your home directory users on the same Data Mover

is not feasible from a performance standpoint. In this case, you can spread the I/Oload across Data Movers by spreading your user base across those Data Movers.

Capacity: In environments where the individual user home directories are verylarge it may be necessary to spread the users across multiple backend storagesystems that are connected to different VNX cabinets.











3White Paper Title

Location: In geographically distributed domains it may be necessary to spreadusers among two or more Data Movers. Spreading users across Data Movers (andVNX cabinets) may allow you to store each user’s home directory data closer tothe user’s physical location, thus providing the user with a higher level of networkperformance.

Billing/chargeback: Spreading users among two or Data Movers may help to

manage billing/chargeback. For example, if each department in the organizationis charged internally for one Data Mover you may want to put the users of eachdepartment on the Data Mover it is paying for.

Figure 9. Users can be spread across Data Movers by connecting them to different

CIFS servers.

Recall that each Data Mover and Virtual Data Mover has its own Home Directorydatabase that makes the task of spreading users across two or more Data Moverseasy: Simply direct each user to the correct Data Mover (via a CIFS server) when theyattempt to map their home directory. This requires preparatory planning to decidewhich Data Mover each user should utilize, and ensuring that the UNC path to thatData Mover is reflected in the user’s profile.

Replicating Home Directory configurations

CIFS Replication (using Virtual Data Movers) can be used to replicate Home Directoryenvironments between VNX cabinets. This is an asynchronous replication in whichyou can specify the amount of data change required between delta-set transfers.



3White Paper Title

When the primary/source site is lost in a disaster or taken down for maintenance thesecondary site can be brought up and all of the Home Directory services will functionas before. CIFS users will lose their CIFS sessions, but they will be able to reconnectto the same UNC path (for example, \\atlanta3\HOME) without ever realizing that theyare connecting to a location different than before. Figure 10 illustrates this replicationtechnique.5

When using CIFS Replication with Home Directory, keep in mind the following bestpractices:

Replicate between cabinets that are located in different geographic locations ifyour goal is to protect against site outages.

Ensure that the mount path of all replicated Home Directory user file systems isthe same on both the source and destination Virtual Data Movers. If the mountpath is different on the destination Virtual Data Mover then the paths in the HomeDirectory database may be incorrect after failover.

Ensure that the CIFS server names used on your destination Virtual Data Mover are

identical to those used on your source Virtual Data Mover. Ensure that the network interface names used on your destination Virtual Data

Mover are identical to those used on your source Virtual Data Mover. IP addressescan be different on the destination Data Mover.

5 EMC advises you to test your Home Directory replication plan prior to implementing it on production data.





3White Paper Title

Figure 10. CIFS Replication of Home Directory configuration. After failover, users seeno difference in the way they connect to the CIFS server to map home directories.

For more information about using CIFS Replication, please see the document Replicating VNX CIFS Environments.

Migrating Home Directory configurations

VNX Home Directory configurations can be migrated easily to other VNX cabinets bymigrating the user file systems that contain the home directories and manuallycopying the homedir database to the new cabinet. This capability is particularlyuseful when upgrading your VNX cabinet or redistributing workload among VNXcabinets. Further, the use of Celerra Data Migration Service (CDMS) or othersupported migration technologies when migrating Home Directory file systems willminimize end-user downtime.6

6 EMC advises you to test your Home Directory migration plan prior to implementing it on production data.



3White Paper Title

File Extension Filtering and Quotas

File Extension Filtering is a feature that allows you to block the creation of files onCIFS shares when the files have a prohibited extension. The Quotas feature enablesyou to control the total amount of storage that can be consumed by users and/or

groups in a file system. Both the File Extension Filtering and the Quotas features willwork seamlessly with Home Directory.

Consider a situation where we want to prevent creation of files with the .mp3extension on \\atlanta3\HOME. To achieve this, we can simply create the

following file:

\\atlanta3\HOME\c$\.filefilter\mp3@home@atlanta3

To prevent creation of .mp3 files on all HOME shares (for all CIFS Servers) on a DataMover, we would instead create the following file:

\\atlanta3\HOME\c$\.filefilter\mp3@home

Conclusion

VNX Home Directory is a feature that can significantly ease the administrative pain ofproviding home directories for CIFS users. It completely eliminates the need tomanually create and manage CIFS home directory shares, and it can even eliminatethe need to manually create each user home directory.

Enough flexibility is provided by Home Directory that you can implement highlycustomized rules based on regular expressions, and it may require only a few rules tospread all of your domain users over a single file system or several file systems. This

flexibility makes it very easy to scale your Home Directory implementation fromhundreds to thousands or even tens of thousands of CIFS users.

Further, when Home Directory is combined with VDM Replication a Home Directoryenvironment can be seamlessly replicated to a remote site for disaster recovery.When combined with CDMS or other migration technologies, Home Directoryenvironments can easily be migrated to other VNX cabinets.

With an understanding of the Home Directory concepts that were outlined in thiswhite paper, you can create an efficient and effective home directory solution for yourorganization.

References

CDMS Version 2.0 for NFS and CIFS User’s Guide: on Powerlink™

VNX Home Directory Management Help Files : Found on the VNX Documentation CD orby invoking Help from within Unisphere




http://atlanta3/HOME/c$/.filefilter/mp3@home@atlanta3

http://atlanta3/HOME/c$/.filefilter/mp3@home@atlanta3




VNX Documentation CD : Search for “VNX Documentation CD” on Powerlink™

Replicating VNX CIFS Environments : Available from Powerlink or the VNXDocumentation CD.

Documents

CIFS HOMEDIRECTORY - H2283 EMC Celerra Home Directory - A Detailed Review