Strsw Ed Ilt Cifsad Rev03 Exerciseguide


  • NetApp University

    CIFS Administration on Data ONTAP 7.3

    Exercise Guide

    NetApp University - Do not distribute or duplicate

  • NETAPP UNIVERSITY

    CIFS Administration on Data ONTAP 7.3

    Version Number: Version 5.0 Release Number: Release 7.3 Course Number: STRSW-ED-ILT-CIFSAD-REV03 Catalog Number: STRSW-ED-ILT-CIFSAD-REV03-EG


  • E0-2 CIFS Administration on Data ONTAP 7.3: M00_Welcome_Exercise

    2008 NetApp. This material is intended for training use only. Not authorized for re-production purposes.

    ATTENTION

    The information contained in this guide is intended for training use only. This guide contains information

    and activities that, while beneficial for the purposes of training in a closed, non-production environment,

    can result in downtime or other severe consequences and therefore are not intended as a reference guide.

    This guide is not a technical reference and should not, under any circumstances, be used in production

    environments. To obtain reference materials, please refer to the NetApp product documentation located

    at www.now.com for product information.

    COPYRIGHT

    2008 NetApp. All rights reserved. Printed in the U.S.A. Specifications subject to change

    without notice.

    No part of this book covered by copyright may be reproduced in any form or by any means, graphic,

    electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval

    system, without prior written permission of the copyright owner.

    NetApp reserves the right to change any products described herein at any time and without notice.

    NetApp assumes no responsibility or liability arising from the use of products or materials described

    herein, except as expressly agreed to in writing by NetApp. The use or purchase of this product or

    materials does not convey a license under any patent rights, trademark rights, or any other intellectual

    property rights of NetApp.

    The product described in this manual may be protected by one or more U.S. patents, foreign patents,

    or pending applications.

    RESTRICTED RIGHTS LEGEND

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph

    (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7103

    (October 1988) and FAR 52-227-19 (June 1987).

    TRADEMARK INFORMATION

    NetApp, the NetApp logo, and Go further, faster, FAServer, NearStore, NetCache, WAFL, DataFabric,

    FilerView, SecureShare, SnapManager, SnapMirror, SnapRestore, SnapVault, Spinnaker Networks,

    the Spinnaker Networks logo, SpinAccess, SpinCluster, SpinFS, SpinHA, SpinMove, SpinServer, and

    SpinStor are registered trademarks of Network Appliance, Inc. in the United States and other countries.

    Network Appliance, Data ONTAP, ApplianceWatch, BareMetal, Center-to-Edge, ContentDirector, gFiler,

    MultiStore, SecureAdmin, Smart SAN, SnapCache, SnapDrive, SnapMover, Snapshot, vFiler, Web Filer,

    SpinAV, SpinManager, SpinMirror, and SpinShot are trademarks of NetApp, Inc. in the United States and/or

    other countries.

    Apple is a registered trademark and QuickTime is a trademark of Apple Computer, Inc. in the United States

    and/or other countries.

    Microsoft is a registered trademark and Windows Media is a trademark of Microsoft Corporation in the

    United States and/or other countries.

    RealAudio, RealNetworks, RealPlayer, RealSystem, RealText, and RealVideo are registered trademarks

    and RealMedia, RealProxy, and SureStream are trademarks of RealNetworks, Inc. in the United States

    and/or other countries.

    All other brands or products are trademarks or registered trademarks of their respective holders and should

    be treated as such.

    NetApp is a licensee of the CompactFlash and CF Logo trademarks.

  • E0-3 CIFS Administration on Data ONTAP 7.3: M00_Welcome_Exercise

    EXERCISE & ANSWER TABLE OF CONTENTS

    MODULE 1: OVERVIEW (E1-1)

    MODULE 2: WORKGROUPS (E2-1)

    MODULE 3: SHARES AND SESSIONS (E3-1)

    MODULE 4: ACCESS CONTROL (E4-1)

    MODULE 5: DOMAINS (E5-1)

    MODULE 6: ADVANCED ADMINISTRATION (E6-1)

    MODULE 7: PERFORMANCE (E7-1)

    MODULE 8: TROUBLESHOOTING (E8-1)

    MODULE 9: APPENDIX A: ANSWER KEY (E9-1)

    MODULE 10: APPENDIX B: SIMULATOR INSTALLATION (E10-1)

  • Overview

  • E1-1 CIFS Administration on Data ONTAP 7.3: M01_Overview_Exercise

    MODULE 1: OVERVIEW

    Exercise

    Module 1: CIFS Overview

    Estimated Time: 15-60 minutes

    EXERCISE

    NOTE: This lab normally takes only 15 minutes. However, if you don't have an appropriate storage system environment, the lab will refer you to Appendix B for instructions on how to set up a Data ONTAP simulator. Setting up the simulator may take up to 60 minutes.

    EXERCISE: EXPLORING THE EXERCISE ENVIRONMENT

    OVERVIEW

    The goal of this exercise is to give you an opportunity to explore the current exercise environment with the instructor's assistance. If you do not have a storage system environment, you will then be redirected to Appendix B for the simulator setup.

    OBJECTIVES

    At the conclusion of the lab, you will be able to do the following:

    Identify all the essential components of your exercise environment

    TIME ESTIMATE

    15 Minutes

  • E1-2 CIFS Administration on Data ONTAP 7.3: M01_Overview_Exercise

    Check Your Understanding

    In a network, which two abilities does a Windows client user require?

    What is the difference between authentication and authorization?

    What are the three types of storage system CIFS service environments?

    What is the purpose of a name resolution server?

    What kind of information is kept in the directory that the domain controller stores and maintains?

  • E1-3 CIFS Administration on Data ONTAP 7.3: M01_Overview_Exercise

    Check Your Understanding

    In a Windows domain, how does a storage system authenticate users?

    In a non-Windows workgroup, how does a storage system authenticate users?

  • E1-4 CIFS Administration on Data ONTAP 7.3: M01_Overview_Exercise

    TASK I: EXPLORING THE EXERCISE ENVIRONMENT

    This task will familiarize you with the exercise environment that you will use for all future exercises. If you don't have an appropriate storage system environment, see Appendix B for the steps required to set up the Data ONTAP simulator.

    START OF EXERCISE

    Execute the following steps:

    STEP ACTION

    1. With the assistance of your instructor, identify the following essential equipment:

    Windows Workstation

    Name: ______________________________

    IP address: _________________________

    Domain Administrator Password: __________________________

    Local Administrator Password: __________________________

    Domain Controller

    Domain Name: _______________________

    Controller IP address: _________________________

    DNS: ____________________________

    IP address: _________________________

  • E1-5 CIFS Administration on Data ONTAP 7.3: M01_Overview_Exercise

    Storage System

    Name: ___________________________________

    Type: ___________________________________

    Internal IP address: _______________________________

    Terminal IP address: _______________________________

    Root Password: _______________________________

    2. Task complete.

    END OF EXERCISE

  • Workgroup

  • E2-1 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    MODULE 2: WORKGROUPS

    Exercise

    Module 2: Workgroups

    Estimated Time: 45 minutes

    EXERCISE: CIFS SETUP

    OVERVIEW

    The goal of this lab is to give you an opportunity to configure a storage system for a Windows workgroup environment. In a future exercise, you will repurpose the storage system for an Active Directory Domain environment.

    OBJECTIVES

    At the conclusion of the lab, you will be able to do the following:

    Configure a storage system for a Windows Workgroup environment

    Review the result of cifs setup in a Windows Workgroup environment

    TIME ESTIMATE

    45 minutes

    Please refer to your Exercise Guide for more instruction.

  • E2-2 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    Check Your Understanding

    In cifs setup, what are the two security style choices for which a storage system can be configured?

    During the initial questions in CLI cifs setup, for which root user can you enter a password?

    What are the three default share volumes created as a result of cifs setup?

    What is the name of the NetBIOS alias file?

  • E2-3 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    TASK I: EXPLORING THE EXERCISE ENVIRONMENT

    This task will familiarize you with the exercise environment that you will use for all future exercises. If you don't have an appropriate storage system environment, see Appendix B for steps to set up the Data ONTAP simulator.

    TASK I: CONFIGURING CIFS SERVICES TO JOIN THE STORAGE SYSTEM TO A WINDOWS WORKGROUP

    In this lab, you run cifs setup to join your storage system to a Windows workgroup. The commands in the lab are entered at the storage system prompt.

    START OF EXERCISE

    STEP ACTION

    1. From your workstation,

    a) Open a Telnet session to your storage system with the storage system IP address or name. You can use TeraTermPro or PuTTY to open a Telnet session to your storage system.

    b) Log in as root with no password. NOTE: Verify with the instructor the password for root.

    2. Type license at the storage system's command prompt to view the current list of licenses registered.

    License CIFS by entering the following command and using the CIFS license code provided by your instructor:

    system>license add {license_code_provided_by_instructor}

    Confirm the license was successfully added by reissuing the license command at the prompt.

    3. View the CIFS license with FilerView by performing the following:

    a) Open an Internet browser and enter your storage system name http://storage-system-name/na_admin to open the FilerView main navigational page (or home page). The storage-system-name can be the IP address or the DNS name for the storage system.

    NOTE: Obtain the storage system IP address and name from the instructor.

    NOTE: The FilerView main navigational page has the manual (man) pages for the Data ONTAP commands. Click the Manual Pages icon when you need information or the syntax for a command.

    b) Click the FilerView icon.

    c) Log in as root with no password. NOTE: Verify the password with the instructor.

    d) In the left column, choose Filer and then Manage Licenses.

    e) Note that the CIFS license is displayed.

  • E2-4 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    4. Before configuring the CIFS services, at the storage system prompt (in your Telnet session), enter the following command and view the default storage system security style and NT administrator privileges:

    system>options wafl

    What is the volume (and all qtrees on the volume) default security style? ______________

    Look at the wafl.default_security_style option.

    Does the NT (Windows) administrator have privileges to map to the UNIX root user? ___________________

    Look at the wafl.nt_admin_priv_map_to_root option.

    5. Enter the following command and view the security style of the root volume:

    system>qtree status

    What is the security style of your root volume? _________

    6. Configure the CIFS services by entering the following command:

    system>cifs setup

    Enter the following parameters:

    Answer no [n] to WINS.

    Configure the security style as (2) NTFS-only filer.

    Press the Enter key twice for root password (meaning no password).

    Press Enter to keep default CIFS server (storage system) name. (Obtain the storage system name from your instructor.)

    Choose 3 for Windows workgroup authentication using the storage system's local user accounts.

    Press Enter to keep the default name for the workgroup [WORKGROUP].

    Answer yes [y] to create the local administrator (system\administrator) account.

    Enter the password twice for the local administrator password. (Obtain the password from your instructor.)

    NOTE: The name and password for the local administrator on the storage system must match the Windows workstation administrator and password for pass-through authentication to work.

    Example:

    system > cifs setup

    This process will enable CIFS access to the filer from a Windows system.

    Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

    Your filer does not have WINS configured and is visible only to clients on the same subnet.

  • E2-5 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    Do you want to make the system visible via WINS? [n]:

    A filer can be configured for multiprotocol access, or as an NTFS-only filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this filer, we recommend that you configure this filer as an NTFS-only filer

    (1) Multiprotocol filer

    (2) NTFS-only filer

    Selection (1-2)? [2]:

    CIFS requires local /etc/passwd and /etc/group files and default files will be created. The default passwd file contains entries for 'root', 'pcuser', and 'nobody'.

    Enter the password for the root user [ ]:

    Retype the password:

    The default name for this CIFS server is ' system '.

    Would you like to change this name? [n]:

    Data ONTAP CIFS services support four styles of user authentication.

    Choose the one from the list below that best suits your situation.

    (1) Active Directory domain authentication (Active Directory domains only)

    (2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)

    (3) Windows Workgroup authentication using the filer's local user accounts

    (4) /etc/passwd and/or NIS/LDAP authentication

    Selection (1-4)? [3]:

    What is the name of the workgroup? [WORKGROUP]:

    Fri Jun 23 19:32:53 GMT [wafl.quota.sec.change:notice]: security style for /vol/vol0/ changed from unix to ntfs

    CIFS - Starting SMB protocol...

    It is recommended that you create the local administrator account (system\administrator) for this filer.

    Do you want to create the system\administrator account? [y]:

    Enter the new password for system\administrator:

    Retype the password:

    Welcome to the WORKGROUP Windows workgroup

    CIFS local server is running.

    SYSTEM> Fri Jun 23 19:33:18 GMT [nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have been completed for the local server.

  • E2-6 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    7. After configuring the CIFS services, enter the following command and view the default storage system security style and NT administrator privileges:

    system>options wafl

    What is the volume (and all qtrees on the volume) default security style? ___________________

    Does the NT (Windows) administrator have privileges to map to the UNIX root user? _______________

    8. Enter the following command and view the security style of the root volume:

    system>qtree status

    After configuring the CIFS services, what is the security style of your root volume?

    __________________

    9. Task complete.

    10. Please proceed to the next task.

  • E2-7 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    TASK II: REVIEWING

    In this lab, you will review the files modified during the process of configuring the storage system's CIFS server for a Windows Workgroup environment. All commands in the lab are entered at the storage system prompt.

    START OF EXERCISE

    STEP ACTION

    1. At the storage system prompt, review the cifs configuration file with the rdfile command by typing:

    system>rdfile /etc/cifsconfig_setup.cfg

    Notice how this file holds all the configurations entered during the wizard questions of the cifs setup command.

    2. At the storage system prompt, review the following files with the rdfile command:

    /etc/usermap.cfg

    /etc/passwd

    /etc/nsswitch.conf

    /etc/cifsconfig_share.cfg

    We will discuss these files in more detail in future modules.

    3. As you recall, cifs setup created a local administrator. We will now verify this new user was created.

    system>useradmin user list administrator

    Now, we will verify that this user was added to the lclgroups.cfg file under the BUILTIN\Administrators group.

    system>rdfile /etc/lclgroups.cfg

    Notice, there is a SID under the BUILTIN\Administrators group. Because the lclgroups.cfg file is newly created, there should only be one SID. Now, let's verify that this SID is the same as the administrator that we saw with the useradmin command:

    system>cifs lookup {copy the SID here}

    This SID should resolve to the storage system's local administrator that was created with cifs setup.

    4. Task complete.

    5. Please proceed to the next task.

  • E2-8 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    TASK III: CREATING NEW VOLUMES AND QTREES

    In this lab, you create an aggregate, a flexible volume, and a traditional volume that will be used in a later lab. All commands in the lab are entered at the storage system prompt.

    START OF EXERCISE

    STEP ACTION

    1. Determine if aggr0 (root volume) is configured for RAID type raid4 by entering the following command at the storage system prompt:

    system>aggr status

    If aggr0 is raid4, then go to Step 3.

    2. If aggr0 is raid_dp, then change aggr0 to raid4 by entering the following command:

    system>aggr options aggr0 raidtype raid4

    Verify that aggr0 is now raid4 and has 2 disks (-d option):

    system>aggr status

    system>aggr status aggr0 -d

    Zero out the previous double parity drive by using:

    system> disk zero spares

    3. Create an aggregate aggr1 with RAID type raid4 and 3 disks:

    system>aggr create aggr1 -t raid4 3

    Verify that the newly created aggr1 is raid4 and has 3 disks (-d option):

    system>aggr status

    system>aggr status aggr1 -d

    4. Create a flexible volume flexvol1 on aggr1 that is 10GB in size:

    system>vol create flexvol1 aggr1 10g

    Verify that the newly created flexvol1 exists:

    system>vol status flexvol1

    5. Create a traditional volume tradvol1 with RAID type raid4 and 2 disks using the aggr command:

    system>aggr create tradvol1 -v -t raid4 2

    Verify that the newly created tradvol1 exists:

    system>vol status tradvol1

    Verify that the newly created aggregate (also called tradvol1) is raid4 and has 2 disks (-d option):

    system>aggr status

    system>aggr status tradvol1 -d

    6. View the status of all volumes by entering the following command:

    system>vol status

  • E2-9 CIFS Administration on Data ONTAP 7.3: M02_Workgroups_Exercise

    7. Create a qtree named datatree1_ntfs with NTFS security style on the volume flexvol1 by entering the following command:

    system>qtree create /vol/flexvol1/datatree1_ntfs

    Verify that the newly created qtree datatree1_ntfs exists:

    system>qtree status

    What is the security style on the new qtree? __________________

    Why is this the security style? ____________________________________

    ____________________________________________________________

    8. Create a qtree named datatree2_unix with UNIX security style on the volume flexvol1 by entering the following command:

    system>qtree create /vol/flexvol1/datatree2_unix

    Verify that the newly created qtree datatree2_unix exists:

    system>qtree status

    What is the security style on the new qtree? __________________

    Change the security style to UNIX by entering the following command:

    system> qtree security /vol/flexvol1/datatree2_unix unix

    Verify that the security style for qtree datatree2_unix is UNIX:

    system>qtree status

    9. Create a qtree named datatree3_mixed with mixed security style on the volume flexvol1 by entering the following command:

    system>qtree create /vol/flexvol1/datatree3_mixed

    Change the security style to mixed by entering the following command:

    system> qtree security /vol/flexvol1/datatree3_mixed mixed

    Verify that the security style for qtree datatree3_mixed is mixed:

    system>qtree status

    10. Task complete.

    END OF EXERCISE

  • Shares

  • E3-1 CIFS Administration on Data ONTAP 7.3: M03_Shares_Exercise.doc

    MODULE 3: SHARES

    Exercise

    Module 3: Shares

    Estimated Time: 15 minutes

    EXERCISE: SHARES

    OVERVIEW

    The purpose of this activity is to perform routine CIFS administration procedures on your storage system in a Windows Workgroup environment. You will view the current list of shares, add a new share, verify access to the share, and display session information.

    OBJECTIVES

    At the conclusion of the lab, you will be able to do the following:

    View current shares, add a new share and verify share access

    Display session information

    TIME ESTIMATE

    15 minutes

  • E3-2 CIFS Administration on Data ONTAP 7.3: M03_Shares_Exercise.doc

    Check Your Understanding

    For which storage objects can you create shares?

    What are three methods to manage CIFS shares?

    What command would you use to view the connected CIFS users?

  • E3-3 CIFS Administration on Data ONTAP 7.3: M03_Shares_Exercise.doc

    TASK I: VIEWING THE LIST OF CURRENT SHARES

    In this lab, you will display the current shares on your storage system.

    START OF EXERCISE

    STEP ACTION

    1. If you are not already logged in, use the Remote Desktop connection to log in to your Windows workstation as Administrator. NOTE: Use the IP address and password provided by the instructor.

    2. On your Windows workstation, go to Start > Run. In the Run window, enter the following to browse the shares on your storage system, and click OK:

    \\IP_Address_of_Your_Storage_System

    What share(s) display? _________________________

    3. In the address bar of the Web browser, change the address to the following:

    \\IP_Address_of_Your_Storage_System\C$

    What folder(s) display? __________________________

    4. At your storage system prompt, view the CIFS sessions by entering the following command:

    system>cifs sessions

    What user currently has a session with the storage system? __________________________________________________

    What account is the user mapped to? _______________________

  • E3-4 CIFS Administration on Data ONTAP 7.3: M03_Shares_Exercise.doc

    5. At the storage system prompt, verify the user mapping by entering the following command:

    system>options wafl.nt_admin_priv_map_to_root

    Is this option set to on? _________________

    If wafl.nt_admin_priv_map_to_root is on, then the local administrator's user mapping is root.

    Verify the default UNIX user name by entering the following command:

    system>options wafl.default_unix_user

    Is there a default UNIX user? If yes, what is the user name?

    ________________________________

    If the wafl.default_unix_user is set to a user name (for example, pcuser), then this is the default user mapping for any Windows user that is not explicitly mapped.

    Verify that the default UNIX user name is in the /etc/passwd file by entering the following command:

    system>rdfile /etc/passwd

    Is the default UNIX user name in the /etc/passwd file? _____________

    6. Task complete.

    7. Please proceed to the next task.
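The checks in step 5 can be run offline against saved command output. The script below is an added example, not part of the course material: it applies the two mapping rules stated in step 5 to a Windows user who has no explicit mapping. The sample `options wafl` and `/etc/passwd` text is constructed, the function names are hypothetical, and the refusal of unmapped users when `wafl.default_unix_user` is empty is Data ONTAP's documented behaviour rather than something stated in this guide.

```python
# Added example: apply the step 5 mapping rules to saved command output.
# All sample data below is constructed for illustration.

# Constructed `options wafl` output: option name, whitespace, value (may be blank).
SAMPLE_OPTIONS = """\
wafl.default_nt_user
wafl.default_security_style    ntfs
wafl.default_unix_user         pcuser
wafl.nt_admin_priv_map_to_root on
"""

# Constructed /etc/passwd content in the shape `rdfile /etc/passwd` prints.
SAMPLE_PASSWD = """\
root:PLACEHOLDER_HASH:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
"""


def parse_options(text):
    """Parse two-column `options` output into {name: value}; blank value -> ''."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def passwd_names(text):
    """Return the set of user names (first colon-separated field) in passwd text."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}


def effective_unix_user(is_windows_admin, opts, names):
    """Return (unix_user or None, reason) for a user with no explicit mapping."""
    # Rule 1 from step 5: administrators map to root when the option is on.
    if is_windows_admin and opts.get("wafl.nt_admin_priv_map_to_root") == "on":
        return "root", "wafl.nt_admin_priv_map_to_root is on"
    # Rule 2 from step 5: everyone else falls back to the default UNIX user.
    default = opts.get("wafl.default_unix_user", "")
    if not default:
        # Documented Data ONTAP behaviour, not stated in the exercise guide.
        return None, "wafl.default_unix_user is empty: unmapped users are refused"
    if default not in names:
        # The last check in step 5: the default user must exist in /etc/passwd.
        return None, "default UNIX user '%s' is missing from /etc/passwd" % default
    return default, "wafl.default_unix_user"


def review(opts, names):
    """Return a list of findings worth recording before opening shares to users."""
    findings = []
    if opts.get("wafl.nt_admin_priv_map_to_root") == "on":
        findings.append("Windows administrators are mapped to UNIX root")
    user, reason = effective_unix_user(False, opts, names)
    if user is None:
        findings.append("Non-administrators cannot be mapped: " + reason)
    return findings


if __name__ == "__main__":
    options = parse_options(SAMPLE_OPTIONS)
    users = passwd_names(SAMPLE_PASSWD)
    print("administrator ->", effective_unix_user(True, options, users))
    print("ordinary user ->", effective_unix_user(False, options, users))
    for finding in review(options, users):
        print("finding:", finding)
```
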

    TASK II: CREATING A NEW SHARE

    In this lab, you will create a new share on your storage system.

    STEP ACTION

    1. Create a new share called datatree1_ntfs (for the qtree datatree1_ntfs) on the storage system by entering the following command at the storage system prompt:

    system> cifs shares add datatree1_ntfs /vol/flexvol1/datatree1_ntfs

    Answer yes if you are asked whether you want to use this share name.

    2. View the newly created datatree1_ntfs share by entering the following command at the storage system prompt:

    system>cifs shares datatree1_ntfs

    Which group has access to this share? _______________________

    What are the share permissions? _______________________

    3. On the Windows workstation, open Windows Explorer and, as the administrator, map a network drive to the new share datatree1_ntfs.

  • E3-5 CIFS Administration on Data ONTAP 7.3: M03_Shares_Exercise.doc

    4. After mapping the network drive to datatree1_ntfs in Windows Explorer

    a) Right-click the datatree1_ntfs share mapping and choose Properties.

    b) Click the Security tab and view the NTFS file permissions.

    Note: You might receive a warning stating that the share name is not accessible by some MS-DOS workstations. MS-DOS generally only allows eight characters in the name along with a three character extension.

    5. On the Windows workstation, create a text file with WordPad and save the file to the new share datatree1_ntfs.

    c) Go to Start > Programs > Accessories > WordPad.

    d) Open WordPad and type something to create a text document.

    e) Save the file to the datatree1_ntfs share.

    6. On the Windows workstation using Windows Explorer, go to the mapped network drive for the datatree1_ntfs share to view the newly created text file.

    f) Right-click the text file and choose Properties.

    g) Click the Security tab and view the NTFS file permissions for the text file.

    h) What group has access to this file? ____________________________

    List the file access permissions for the text file:_________________________

    i) Close all the open windows.

    7. Task complete.

    END OF EXERCISE

  • Access Control

  • E4-1 CIFS Administration on Data ONTAP 7.3: M04_AccessControl_Exercise

    MODULE 4: ACCESS CONTROL

    Exercise

    Module 4: Access Control

    Estimated Time: 30 minutes

    EXERCISE: ACCESS CONTROL

    OVERVIEW

    The purpose of this activity is to perform routine CIFS administration procedures on your storage system in a Windows workgroup environment. You will create a local user account and administer user access, add a new share, map a network drive to the new share and verify access to the share, and create a local group.

    OBJECTIVES

    At the conclusion of the lab, you will be able to do the following:

    Add a new local user account and administer user access

    Add a new share, map a network drive to the new share and verify share access, add a file to the share, and access the file on the share

    Create a local group

    Remove a share

    TIME ESTIMATE

    30 minutes


    Check Your Understanding

    What is the purpose of a local administrator account on a storage system, and why does cifs setup recommend creating one?

    What does it mean when a storage system is configured for multiprotocol access?

    What command adds local users and groups to the storage system?


    TASK I: CREATING A LOCAL USER ACCOUNT ON THE STORAGE SYSTEM

    In this lab, you will create a local user account on your storage system. All commands in the lab are entered at the storage system prompt.

    START OF EXERCISE

    STEP ACTION

    1. From your workstation

    a) Open a Telnet session to your storage system with the storage system IP address or name. You can use TeraTermPro or PuTTY to open a Telnet session to your storage system.

    b) Log in as root with no password. Note: Verify with the instructor the password for root.

    2. Recall that the storage system currently is in a Windows workgroup. To verify that the storage system is a server in a Windows workgroup, enter the following command:

    system> cifs sessions

    Is the storage system in a Windows workgroup? ________________

    3. Before adding a local user to the storage system, check the current security options to determine password rules by entering the following command:

    system> options security

    What is the value of the security.passwd.rules.enable option? _________

    If the security.passwd.rules.enable option is on, then in order to create a local user, you will need to come up with a password using the following rules:

    It must be at least 8 characters long

    It must contain at least 2 alphabetic characters

    It must contain at least 1 digit

    If the security.passwd.rules.enable option is off, then the restrictions will not be enforced when you create a password.

    4. Add a local user (your name) in the predefined Guests group to the storage system by entering the following command:

    User names are case insensitive.

    system> useradmin user add your_name -g Guests

    Remember your password. _________________________


    5. Verify that the local user (you) was added to the storage system by entering the following command:

    system>useradmin user list your_name

    6. Check the allowed capabilities for the local administrator account by entering the following command:

    system> useradmin user list administrator

    What are the capabilities of the local administrator?

    _______________________________________________

    7. View the list of all local storage system users by entering the following command:

    system>useradmin user list

    What local users are listed? _____________________________________

    8. Task complete.

    9. Please proceed to the next task.

    TASK II: MAPPING A NETWORK DRIVE TO A SHARE

    In this lab, you map a network drive to a share. Recall that in a Windows workgroup, user authentication is performed locally on the storage system.

    STEP ACTION

    1. On your Windows workstation, map a drive to a storage system share by opening Windows Explorer and going to Tools > Map Network Drive. The Map Network Drive window appears.

    a) In the Drive list box, select any unused letter.

    b) In the Folder list box, enter the following: \\IP_Address_of_Your_Storage_System\C$

    Click the Finish button.

    2. At the storage system prompt in your Telnet session, view the CIFS sessions by entering the following command:

    system> cifs sessions

    From your Windows workstation, who has a session with the storage system?

    __________________________________________________

    You logged in to the Windows workstation as Administrator with a password. This Administrator was authenticated locally on the storage system with the local Administrator account (note that the user names match). The local Administrator account has the same password as the Windows Administrator.

    This is called pass-through user authentication, and it works only if the names and passwords match on both the storage system and Windows workstation.

    The Administrator account has permission to view the hidden C$ share.

    3. On the Windows workstation, open Windows Explorer and disconnect the network drive that you just mapped in the browser by going to Tools > Disconnect Network Drive.

    a) Select the network drive to disconnect.

    b) Click the OK button.

    4. On the Windows workstation, log off as the Administrator and then log back in as the Administrator to clear the share cache.

    a) Go to Start > Log Off administrator and click the Log off button when you are asked if you are sure that you want to log off.

    b) Use the Remote Desktop connection to log back in to your Windows workstation as the Administrator with the Administrator password.

    5. On your Windows workstation, map a drive to a storage system share for a different local user (your name) by opening Windows Explorer and going to Tools > Map Network Drive. The Map Network Drive window appears.

    a) In the Drive list box, select any unused letter.

    b) In the Folder list box, enter the following:

    \\IP_Address_of_Your_Storage_System\C$

    c) Click Connect using a different user name.

    d) The Connect As... window appears.

    e) Enter your User name. (Name_of_Your_Storage_System\your_name).

    f) Enter your Password. (password for your_name).

    g) Click the OK button.

    h) Click the Finish button.

    i) The Connect to window appears.

    j) The user name matches Name_of_Your_Storage_System\your_name.

    k) In the password text box, enter your password.

    l) Click the OK button.

    Are you able to connect to C$ share? _____________________

    If not, go back to step 5 b) and, in the Folder list box, enter \\IP_Address_of_Your_Storage_System\Home, then proceed again to map the network drive to the share.

    The Guests group has no capabilities and, therefore, you cannot access the C$ share, but you can access the Home share since it is available to the Everyone group.

    6. At the storage system prompt, view the CIFS sessions by entering the following command:

    system> cifs sessions

    From your Windows workstation, who has a session with the storage system?

    __________________________________________________

    You now have successfully mapped a network drive to the Home share on the storage system as a local user (your name) on the storage system that is a member of the Guests group.

    You were authenticated locally on the storage system with your name and password.

    7. Task complete.

    8. Please proceed to the next task.

    TASK III: CREATING A LOCAL GROUP

    In this lab, you will create a new local group on your storage system.

    STEP ACTION

    1. Before creating a new local group on your storage system, view the current groups on the storage system by entering the following command at the storage system prompt:

    system> useradmin group list

    2. At the storage system prompt, create a local group on the storage system called friends with the Data ONTAP predefined role power by entering the following command:

    system> useradmin group add friends -r power

    3. At the storage system prompt, verify the newly created group by entering the following command:

    system>useradmin group list friends


    How many capabilities are assigned to the power role for the friends group? __________________________

    The Data ONTAP predefined power role grants the ability to:

    Invoke all cifs, exportfs, nfs, and useradmin CLI commands.

    Make all cifs and nfs API calls.

    Log in to Telnet, HTTP, rsh, and ssh sessions.

    4. On the Windows workstation, change the security properties of the text file on the datatree1_ntfs share.

    a) Open Windows Explorer and go to the mapped datatree1_ntfs drive to view the text file.

    b) Right-click the text file and choose Properties.

    c) Select the Security tab and under Group or user names, click the Add button.

    d) In the Enter the object names to select text box, enter friends.

    e) Click the OK button.

    f) Click the friends group. What permissions are displayed for the friends group?

    g) Click the Everyone group. How do the friends permissions differ from the permissions in the Everyone group? ___________________________________________________

    h) Now, click the Apply button on the Security tab, and then click the OK button.

    5. At the storage system prompt, modify the local user (your name) and add the friends group to the user by entering the following command:

    system> useradmin user modify your_name -g Guests,friends

    6. At the storage system prompt, verify the groups and capabilities of the newly changed local user (your name) by entering the following command:

    system> useradmin user list your_name

    To which groups does the local user (your name) now belong? ________________

    Have the local user (your name) capabilities changed? If yes, how?

    ________________________________________________

    7. Task complete.

    8. Proceed to the next task.

    TASK IV: CONFIGURING THE STORAGE SYSTEM FOR MULTIPROTOCOL ACCESS


    In this lab, you will configure the storage system for multiprotocol access, and then view file permissions for files in an NTFS qtree, UNIX qtree, and mixed qtree.

    STEP ACTION

    1. Before configuring your storage system for multiprotocol access, perform the following from your Windows workstation:

    a) Create a share on the storage system called datatree2_unix (for your datatree2_unix qtree on flexvol1) and map a network drive to the share.

    b) Create a share on the storage system called datatree3_mixed (for your datatree3_mixed qtree on flexvol1) and map a network drive to the share.

    Follow the steps outlined in Task 2 from the previous lab and Task 2 of this lab respectively to create and map a share.

    Note: You might need to disconnect all mapped drives, log out, and log back in to the Windows machine to clear the security cache. Windows does not allow you to map two separate shares with different security accounts.

    2. At the storage system prompt, view the current default security style by entering the following command:

    system>options wafl.default_security_style

    What is the current default security style? ______________________

    3. Before changing to multiprotocol access, you must license NFS.

    a) At the storage system prompt, enter the following command and look for the NFS license:

    system> license

    b) If you do not have an NFS license, go to FilerView > Manage Licenses, type the NFS license (provided by your instructor) and click the Apply button.

    4. To change the storage system from NTFS-only to multiprotocol access without using cifs setup, enter the following command at the storage system prompt:

    system> options wafl.default_security_style unix

    The effects of changing an NTFS-only storage system to a multiprotocol storage system are the following:

    1) Existing ACLs remain unchanged.

    2) The security style of all volumes and qtrees remains unchanged.

    3) When you create a volume, its default security style is UNIX.

    4) The wafl.default_security_style option is set to UNIX.

    NOTE: Even though the default security style is set to UNIX, the administrator can manually change the default to a different security style (NTFS or mixed).

    5. At the storage system prompt, enter the following command to view the security style for each qtree on flexvol1:

    system>qtree status flexvol1


    6. On the Windows workstation, open Windows Explorer, go to the mapped network drive for datatree1_ntfs share, and view the security of the datatree1_ntfs by performing the following:

    a) Right-click datatree1_ntfs share and choose Properties.

    b) Click the Security tab.

    Who has access to the qtree, and what are the NTFS permissions on the file system?

    ___________________________________________________________

    c) Click the Cancel button.

    d) Double-click the datatree1_ntfs share in the console tree to view the contents of the share.

    e) Right-click the previously created text file and choose Properties.

    f) Click the Security tab.

    Who has access to the file and what are the file permissions?

    _______________________________________________

    g) Click the Cancel button.

    Recall that the datatree1_ntfs qtree has a designated security style of NTFS. This means that files have Windows NTFS ACLs (permissions).

    7. On the Windows workstation, open Windows Explorer, go to the mapped network drive for datatree2_unix share, and view the security of the datatree2_unix by performing the following:

    a) Right-click datatree2_unix share and choose Properties.

    Is there a Security tab? ________________________

    b) Click the Cancel button.

    c) Double-click the datatree2_unix share in the console tree to view the contents of the share.

    d) Create a new text file in this share by right-clicking in the right windowpane and choosing New > Text Document.

    e) Right-click the New Text Document.txt file and choose Properties.

    Is there a Security tab? ________________________

    f) Click the Cancel button.

    Recall that the datatree2_unix qtree has a designated security style of UNIX, and that files and directories have UNIX permissions.

    You are a Windows user accessing a UNIX qtree and a UNIX file. The Properties window (in Microsoft Windows) is not designed to interpret the UNIX permissions on the share and file and hence the Security tabs are missing. However, starting with Data ONTAP 7.2, changes have been made to the multiprotocol functionality. Now administrators can both display and change UNIX permissions from the Windows Security tab.

    8. On the Windows workstation, open Windows Explorer, go to the mapped network drive for datatree3_mixed share, and view the security of the datatree3_mixed by performing the following:

    a) Right-click datatree3_mixed share and choose Properties.

    b) Click the Security tab.

    Who has access to the qtree, and what are the NTFS permissions on the file system?

    __________________________________________________

    c) Click the Cancel button.

    d) Double-click the datatree3_mixed share in the console tree to view the contents of the share.

    e) Create a new text file in this share by right-clicking in the right windowpane and choosing New > Text Document.

    f) Right-click the New Text Document.txt file and choose Properties.

    g) Click the Security tab.

    Who has access to the file, and what are the file permissions?

    _______________________________________________

    h) Click the Cancel button.

    Recall that the datatree3_mixed qtree has a designated security style of mixed. This means that the default security style of a file is the style most recently used to set permission on that file. With mixed security style, the volume or qtree can have UNIX or NTFS file security in play.

    Since the mixed qtree was created when the storage system was NTFS-only and the parent volume was NTFS, the mixed qtree inherited the effective security style of the parent volume that was created with NTFS.

    9. To view the UNIX permissions on the files in this multiprotocol environment, enter the following option at the storage system prompt:

    system>options cifs.preserve_unix_security on

    Enabling this option allows you to manipulate a file's UNIX permissions using the Security tab on a Windows client, or using any application that can query or set Windows ACLs. When enabled, this option causes UNIX qtrees to appear as NTFS volumes. The default for this option is off.

    10. On the Windows workstation, open Windows Explorer, go to the mapped network drive for datatree1_ntfs share, and view the security of the previously created text file by performing the following:

    a) Right-click the previously created text file and choose Properties.

    b) Click the Security tab and view the permissions for the Everyone and friends group.


    c) Click the Cancel button.

    11. On the Windows workstation, open Windows Explorer, go to the mapped network drive for datatree2_unix share, and view the security of the New Text Document.txt file by performing the following:

    a) Right-click the New Text Document.txt file and choose Properties.

    b) Click the Security tab and view the UNIX group, user names, and permissions for this file whose file security is UNIX.

    In the Group or user names list box, list the first 4 entries:

    ____________________________________________________

    c) Click the Advanced button in the lower right corner in the Security tab.

    d) In the Advanced Security Settings window in the Permissions tab, select pcuser and click the Edit button. (Do not actually edit the permissions.)

    In the Permission Entry window, what permissions does pcuser have?

    ______________________________________________________

    e) Click the Cancel button in the Permission Entry window.

    f) In the Advanced Security Settings window, click the Owner tab.

    Who are the owners for this text file?

    ___________________________________________________

    g) Click the Cancel button in the Advanced Security Settings window.

    h) Click the Cancel button in the Properties window.

    You are a Windows user accessing this UNIX file with your mapped UNIX credentials. Your UNIX credentials are used when evaluating your access requests by comparing your credentials against the file or folder UNIX access permissions.

    12. On the Windows workstation, open Windows Explorer, go to the mapped network drive for datatree3_mixed share, and view the security of the New Text Document.txt file by performing the following:

    a) Right-click New Text Document.txt file and choose Properties.

    b) Click the Security tab and view the permissions for the Everyone group.

    c) Click the Cancel button.

    Recall that the mixed qtree was created when the storage system was NTFS-only and the parent volume was NTFS, so the mixed qtree inherited the effective security style of the parent volume that was created with NTFS.

    The effective Windows NTFS ACLs (permissions) are shown in the Security tab. The effective security style of the qtree, folders within the qtree, or files may be changed if a UNIX administrator sets permissions on the qtree, subfolders, or files by issuing the chmod (to change file permissions) or chown (to change the file or group ownership) command from a UNIX host.

    13. Task complete.


    14. Proceed to the next task.
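    The security-style rules stated in Task IV, collected into a small Python model. This is an added example, not NetApp code or part of the original guide. The class and method names, the newvol volume, and the treatment of a UNIX-effective file in a mixed qtree are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FILE = "New Text Document.txt"


@dataclass
class Node:
    style: str       # configured style: "ntfs", "unix" or "mixed"
    effective: str   # permissions actually in play: "ntfs" or "unix"


@dataclass
class StorageSystem:
    default_style: str = "ntfs"           # models wafl.default_security_style
    preserve_unix_security: bool = False  # models cifs.preserve_unix_security
    volumes: dict = field(default_factory=dict)  # volume -> Node
    qtrees: dict = field(default_factory=dict)   # (volume, qtree) -> Node
    files: dict = field(default_factory=dict)    # (volume, qtree, file) -> Node

    def set_default_style(self, style):
        # Changing the option leaves existing volumes, qtrees and ACLs alone.
        self.default_style = style

    def create_volume(self, vol):
        if self.default_style == "mixed":
            # The guide does not say what a mixed volume starts out as.
            raise NotImplementedError("mixed default is outside this model")
        self.volumes[vol] = Node(self.default_style, self.default_style)

    def create_qtree(self, vol, qtree, style):
        parent = self.volumes[vol]
        # A mixed qtree starts with the parent volume's effective style.
        effective = parent.effective if style == "mixed" else style
        self.qtrees[(vol, qtree)] = Node(style, effective)

    def create_file(self, vol, qtree, name):
        q = self.qtrees[(vol, qtree)]
        self.files[(vol, qtree, name)] = Node(q.style, q.effective)

    def set_permissions(self, vol, qtree, name, via):
        """via='unix' models chmod/chown from a UNIX host, via='ntfs' an ACL edit."""
        f = self.files[(vol, qtree, name)]
        if f.style == "mixed":
            f.effective = via  # the style most recently used to set permissions
        # In an ntfs or unix qtree the style is fixed, so nothing flips.

    def security_tab(self, vol, qtree, name):
        """What the Windows Properties dialog shows for the file."""
        f = self.files[(vol, qtree, name)]
        if f.effective == "ntfs":
            return "ntfs-acl"
        # Assumption: a UNIX-effective file in a mixed qtree is treated
        # like a file in a UNIX qtree.
        return "unix-permissions" if self.preserve_unix_security else None


def walk_through():
    """Replay the Task IV steps and return what each step would show."""
    s = StorageSystem()                      # NTFS-only system at lab start
    s.create_volume("flexvol1")
    qtrees = (("datatree1_ntfs", "ntfs"),
              ("datatree2_unix", "unix"),
              ("datatree3_mixed", "mixed"))
    for name, style in qtrees:
        s.create_qtree("flexvol1", name, style)

    s.set_default_style("unix")              # step 4: switch to multiprotocol
    s.create_volume("newvol")                # hypothetical volume made afterwards
    for name, _ in qtrees:
        s.create_file("flexvol1", name, FILE)

    def tabs():
        return {name: s.security_tab("flexvol1", name, FILE) for name, _ in qtrees}

    result = {
        "qtree_styles": {q: n.style for (_, q), n in s.qtrees.items()},
        "flexvol1": s.volumes["flexvol1"].style,
        "newvol": s.volumes["newvol"].style,
        "tabs_option_off": tabs(),           # steps 6-8
    }
    s.preserve_unix_security = True          # step 9
    result["tabs_option_on"] = tabs()        # steps 10-12

    mixed = ("flexvol1", "datatree3_mixed", FILE)
    s.set_permissions(*mixed, via="unix")    # chmod from a UNIX host
    result["mixed_after_chmod"] = s.files[mixed].effective
    s.set_permissions(*mixed, via="ntfs")    # ACL edit from Windows
    result["mixed_after_acl"] = s.files[mixed].effective
    return result


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(key, "=", value)
```
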

    TASK V: REMOVING A SHARE

    In this task, you delete a share on your storage system.

    STEP ACTION

    1. On the Windows workstation, open Windows Explorer and disconnect the network drive that you just mapped in the browser by going to Tools > Disconnect Network Drive.

    a) Select the network drive associated with datatree3_mixed to disconnect.

    Click the OK button.

    2. Do you remember the command to view the current shares? _____________

    Remove the datatree3_mixed share by typing the following at the prompt:

    system> cifs shares delete datatree3_mixed

    3. Verify that datatree3_mixed is removed.

    4. Do you think when you remove a share that you delete the underlying qtree?

    _____________

    Go check. Do you remember the command to view the current qtrees and volumes?

    _____________

    5. Task complete.

    END OF EXERCISE

  • Domains

  • E5-1 CIFS Administration on Data ONTAP 7.3: M04_AccessControl_Exercise

    MODULE 5: DOMAINS

    Exercise

    Module 5: Domains

    Estimated Time: 60 minutes

    EXERCISE: DOMAINS

    OVERVIEW

    The purpose of this activity is to reconfigure the storage system's CIFS server for an Active Directory environment. You will then create a domain user, create shares, and administer those shares.

    OBJECTIVES

    At the conclusion of the lab, you will be able to do the following:

    Terminate CIFS services

    Reconfigure the CIFS services using FilerView to join your storage system to a Windows Active Directory domain.

    Create a domain user

    Create shares and manage the permissions of the shares

    TIME ESTIMATE

    60 Minutes


    Check Your Understanding

    For which objects can you create shares?

    What are three methods used to manage CIFS shares?

    CIFS Kerberos-based authentication fails if the time difference between the storage system and the domain controller is more than how many minutes?

    Which command or commands allow you to configure the preferred domain controllers?


    TASK I: CONFIGURING CIFS SERVICES TO JOIN THE STORAGE SYSTEM TO AN ACTIVE DIRECTORY DOMAIN

    In this lab, you reconfigure the CIFS services using FilerView to join your storage system to a Windows Active Directory (Windows 2000 or later) domain.

    START OF EXERCISE

    STEP ACTION

    1. View the CIFS license with FilerView by performing the following:

    a) Open an Internet browser and enter your storage system name http://storage-system-name/na_admin to open the FilerView main navigational page (or home page). The storage-system-name can be the IP address or the DNS name for the storage system.

    Note: Obtain the storage system IP address and name from the instructor.

    b) Click the FilerView icon.

    c) Log in as root with no password. NOTE: Verify the password with the instructor.

    2. Reconfigure the CIFS services to join your storage system to a Windows Active Directory (Windows 2000 or later) domain.

    You will need to know the following information:

    Name of your storage system (Obtain the name from your instructor if you don't already know it.)

    Description of your storage system: Windows Server

    No WINS servers

    Type of authentication: Windows 2000 domain

    Fully qualified domain name (Obtain the name from your instructor.)

    Name of Windows domain administrator: administrator

    Password for the Windows domain administrator (Obtain the password from your instructor.)

    Security style: NTFS only

    NOTE: Currently, CIFS services are running. The CIFS services must be terminated first before reconfiguration can occur. The CIFS Setup Wizard terminates the CIFS services, reconfigures the storage system, and then restarts the CIFS services. The CLI command for stopping the CIFS services is cifs terminate.


    The following example demonstrates the steps for joining your storage system to a Windows Active Directory (Windows 2000 or later) domain:

    a) Go to FilerView > CIFS > Configure > Setup Wizard. The CIFS Setup Wizard window is displayed.

    b) Click the Next button to run the CIFS Setup Wizard.

    c) In the Filer Name text box, enter the name of your storage system.

    d) In the Description text box, enter Windows Server and click the Next button.


    e) Under Domain, click the Windows 2000 radio button and then click the Next button.

    f) In the Domain Name text box, enter the fully qualified domain name.

    g) In the Windows 2000 Administrator Name text box, enter administrator.

    h) In the Windows 2000 Administrator Password text box, enter the administrator password. (Obtain the password from your instructor.)

    i) Click the Next button.


    j) For Security Style, click the NTFS Only radio button and then click the Next button.

    k) Review the summary of your changes and, if correct, click the Commit button.


    l) Congratulations. Your storage system has now joined a Windows 2000 (or later) Active Directory domain. Click the Close button.

    3. To test the storage system connection to the Windows domain controller, go to FilerView > CIFS > Test Domain Controller and view the results. This is equivalent to the CLI cifs testdc command. Additional domain information is available with the cifs domaininfo command.

    a) To run these commands on the CLI, open a Telnet session on your storage system and log in as root with no password. Verify the password with your instructor.

    b) At the storage system prompt, enter the following commands and view the results:

    system>cifs testdc

    The cifs testdc command tests the storage system's ability to connect with Windows NT domain controllers. The output of the cifs testdc command is useful in the diagnosis of CIFS-related network problems.

    system> cifs domaininfo

    The cifs domaininfo command determines whether the storage system is associated with an NT4 or Windows Active Directory domain. When CIFS is running, additional information about current domain controller connections and known domain controller addresses for the specified domain is displayed. In addition, the current Active Directory LDAP server connection and known Active Directory LDAP servers are also displayed for the specified domain.

    4. Task complete.

    5. Please proceed to the next task.


    TASK II: CREATING A NEW USER IN THE DOMAIN

    In this lab, you create a new user in the domain that will be used in later labs.

    STEP ACTION

    1. On the Remote Desktop connection, log in to your Windows workstation by entering the IP address and password provided by the instructor.

    2. a) In the Active Directory Users and Computers window, create a new domain user using the following user name format: user_.

    For example, the user name for Jane Doe is user_jdoe. This creates a unique user name for you in the domain.

    NOTE: For this lab, enter the new domain user name in the First name text box and in the User logon name text box.

    b) In the console tree on the left, beneath the Domain_name folder, click the Users folder.

    c) In the right windowpane, look for the domain user name that you just created.

    d) Right-click on your new user and select Properties.

    e) Select the Member Of tab. In a future lab, we are going to need to log in as this user. If you are using a remote desktop application, you need to add this user to the Domain Admins group. To do this:

    f) Select Add.

    g) Type Domain Admins in the object name textbox and click OK.

    3. Task complete.

    4. Please proceed to the next task.


    TASK III: VIEWING THE CURRENT SHARES, SESSIONS, AND LOCAL GROUPS USING THE COMPUTER MANAGEMENT GUI AND GIVING THE NEW DOMAIN USER SHARE-LEVEL ACCESS

    In this lab, you display all the current shares, sessions, local groups, and users on your storage system using the Windows Computer Management GUI.

    STEP ACTION

    1. You are currently logged in to your Windows workstation as the administrator. Before viewing the shares using the Windows workstation Computer Management, disconnect any mapped network drives.

    a) Open Windows Explorer and disconnect any mapped network drives by going to Tools > Disconnect Network Drive.

    b) Select the network drive to disconnect.

    c) Click the OK button.

    d) On the Windows workstation, log off as the administrator and then log back in as the administrator to clear the share cache.

    e) Go to Start > Log Off administrator and click the Log off button when you are asked if you are sure that you want to log off.

    f) Use the Remote Desktop connection to log back in to your Windows workstation as the administrator with the administrator password. Make sure you log in to the Active Directory domain instead of the local machine's domain.

    2. On your Windows workstation (logged in as the administrator using your Remote Desktop connection), open the Computer Management GUI to view the current shares on your storage system by performing the following steps:

    a) Right-click the My Computer icon on your desktop and choose Manage. The Computer Management window opens.

    b) Right-click the top of the console tree, where it says Computer Management (Local), and choose Connect to another computer.

    c) In the Select Computer window, mark the Another computer radio button and type the storage system name (or IP address) in the text box, then click the OK button.

    d) In the console tree in the left windowpane, select the System Tools > Shared Folders > Shares folder.


    3. Which shares are displayed in the right windowpane?

    ____________________________________________________________

    Computer Management enables you to view shares that you have permission to view. You cannot see the folders or files in the share from this GUI.

    4. To view the share permission for the datatree1_ntfs share, right-click the datatree1_ntfs share, choose Properties, and then click the Share Permissions tab.

    Which group has access to see this share? ________________________

    5. Give the new domain user (that you created in the previous lab user_) access to the datatree1_ntfs share by performing the following:

    a) In the datatree1_ntfs Properties window, on the Share Permissions tab, click the Add button.

    b) In the Enter the object names to select text box, enter the new domain user name.

    c) Click the OK button.

    What are the share permissions for the new domain user? _______________

    d) In the Share Permissions tab, modify the share permissions for the new domain user to Full Control by marking the Full Control check box in the Allow column.

    e) Click the Apply button.

    f) Click the OK button.


    The CLI equivalent, entered at the storage system prompt, that modifies share-level access control to Full Control is demonstrated in the following example, for which datatree1_ntfs is the name of the share:

    system> cifs access datatree1_ntfs domain_user_name Full Control

    6. Click the Sessions folder (beneath the Shares folder in the console tree) to view the current sessions.

    Which user or users have current session(s) with the storage system?

    _________________________________________

    7. Click the Local Users and Groups folder in the console tree.

    a) Click the Users folder. Who are the local users in your storage system?

    ________________________________________________________

    b) Click the Groups folder. Which group is not a predefined group?

    __________________________________________________

    8. With the Groups folder open, right-click the Guests account and choose Properties to view the Guests properties.

    Which users are members of the Guests group?

    ___________________________________________________

    Click the Cancel button.

    NOTE: The Guests account has domain and local storage system users.

    9. With the Groups folder open, right-click the friends account and choose Properties to view the friends group properties.

    Which user or users are members of the friends group?

    _________________________

    Click the Cancel button.

    10. With the Groups folder open, right-click the friends account and choose Add to Group to add the new domain user to the friends local group by performing the following:

    a) In the friends Properties window, click the Add button.

    b) In the Enter the object names to select text box, type the new domain user (user_).

    c) Click the Check Names button.

    d) Click the OK button.


    e) In the friends Properties window, view the newly added domain user in the Members list for the friends group.

    f) Click the Apply button.

    g) Click the OK button.

    11. With the Groups folder open, right-click the Administrators account and choose Properties to view the Administrators properties.

    Which members can fully administer the storage system?

    ________________________________________________

    Click the Cancel button.

    12. Task complete.

    13. Please proceed to the next task.

    TASK IV: VIEWING SHARES AND SESSIONS AND ADDING A NEW SHARE USING FILERVIEW

    In this lab, you display the current shares and sessions on your storage system and create a new share using FilerView.

    STEP ACTION

    1. Use an Internet browser to open FilerView and log in as root with no password. Note: Verify the password with the instructor.

    2. To view all current CIFS shares, go to FilerView > CIFS > Shares > Report.

    Who has access to the datatree1_ntfs share, and what is their share-level access?

    _________________________________________________________

    3. To view the current sessions with the storage system, go to FilerView > CIFS > Session Report.

    a) Click the Sessions button to view the overall session information.

    b) Click the Security button to view the overall security information.

    c) In the User/PC text box, type the name of your Windows workstation and click the Sessions button.

    (The name and IP address are displayed in the overall security information.)

    d) With your Windows workstation name in the User/PC text box, click the Security button.

    Your Windows workstation user is mapped to the UNIX UID 65534. To whom does this UID belong? ____________________ (challenge question)


    4. Create a qtree called datatree4_ntfs on vol0 by performing the following:

    a) Go to FilerView > Volumes > Qtrees > Add.

    b) For Volume, select vol0 in the list box.

    c) For QTree Name, type datatree4_ntfs in the text box.

    d) For Security Style, select NTFS.

    e) For Oplocks, mark the Oplocks check box.

    f) Click the Add button.

    You receive an informational message saying Success.

    Go to FilerView > Volumes > Qtrees > Manage and view the newly created qtree datatree4_ntfs on vol0.

    5. Add a new share called datatree4_ntfs (for the qtree datatree4_ntfs) on volume vol0 by performing the following:

    a) Go to FilerView > CIFS > Shares > Add.

    b) For Share Name, type datatree4_ntfs.

    c) For Mount Point, type /vol/vol0/datatree4_ntfs.

    d) For Share Description, type NTFS Qtree on Traditional Volume.

    e) Leave Max. Users and Force Group blank.

    f) Click the Add button.

    You receive a caution message that the share name datatree4_ntfs will not be accessible from some MS-DOS workstations.

    6. To view all current CIFS shares, go to FilerView > CIFS > Shares > Report.

    Notice that there is no difference in creating a share on a traditional volume or a flexible volume.

    7. Task complete.

    8. Please proceed to the next task.


    TASK V: ADDING A NEW SHARE USING COMPUTER MANAGEMENT

    In this lab, you create a new share on your storage system using the Computer Management GUI connected to the storage system.

    STEP ACTION

    1. On your Windows workstation (logged in as the administrator using your Remote Desktop connection), open the Computer Management GUI and connect to your storage system. Then add a new share on your storage system by performing the following steps:

    a) Right-click the Shares folder in the console tree and choose New Share.... The Share a Folder Wizard appears.

    b) Click the Next button to start the wizard.


    c) The Computer name should be your storage system name or IP address.

    d) In the Folder path text box, type the following path: C:\vol\flexvol1\datatree3_mixed. Click the Next button.

    e) The Share name value is datatree3_mixed (for the qtree datatree3_mixed).

    f) In the Description text box, type Mixed Qtree on Flexvol1, and click the Next button.


    g) For Permissions, click the Use custom share and folder permissions radio button.

    h) Click the Customize button.

    i) For the Everyone group, mark the Allow check boxes for Full Control, Change, and Read.

    Note: The Windows default gives Everyone Read only, whereas the storage system default gives Everyone Full Control.

    j) Click the OK button.

    k) Click the Finish button on the Permissions page.

    l) You receive the message that sharing was successful.

    m) Click the Close button to close the wizard.

    2. In the Computer Management GUI with the Shares folder opened:

    a) View the newly created datatree3_mixed share in the right windowpane.

    b) Right-click the datatree3_mixed share and choose Properties.

    c) Click the Share Permissions tab and view the group Everyone and the permissions.

    d) Click the Cancel button.

    3. To view all current CIFS shares with FilerView, go to FilerView > CIFS > Shares > Report.

    4. Task complete.

    5. Please proceed to the next task.
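
The share permission views in Tasks III and V, and the note that the storage system default gives Everyone Full Control, can be reviewed for every share at once from the command line. The Python below is an added example, not part of the NetApp guide: it parses captured output of the cifs shares command and lists the shares where Everyone holds Change or Full Control. The sample output is constructed; its column layout, the LAB domain name, and the datatree1_ntfs mount point and description are assumptions.

```python
import re

# Constructed sample. Assumed layout of Data ONTAP 7-mode `cifs shares` output:
# one share per unindented line, followed by indented "principal / rights" lines.
SAMPLE_CIFS_SHARES = """\
Name             Mount Point                       Description
----             -----------                       -----------
ETC$             /etc                              Remote Administration
                        BUILTIN\\Administrators / Full Control
C$               /                                 Remote Administration
                        BUILTIN\\Administrators / Full Control
datatree1_ntfs   /vol/flexvol1/datatree1_ntfs      NTFS Qtree
                        everyone / Read
                        LAB\\user_jdoe / Full Control
datatree3_mixed  /vol/flexvol1/datatree3_mixed     Mixed Qtree on Flexvol1
                        everyone / Full Control
datatree4_ntfs   /vol/vol0/datatree4_ntfs          NTFS Qtree on Traditional Volume
                        everyone / Full Control
"""

HEADER_RE = re.compile(r"^(Name\s+Mount Point|-{2,}\s)")
# ACL entries are indented; share lines start in column 0, so a mount point
# of "/" on a share line can never be mistaken for the ACL separator.
ACE_RE = re.compile(r"^\s+(?P<who>\S.*?)\s+/\s+(?P<rights>\S.*?)\s*$")

BROAD_PRINCIPALS = {"everyone"}
WRITE_RIGHTS = {"full control", "change"}  # NT-style rights that allow writes


def parse_cifs_shares(text):
    """Return {share: {"mount", "description", "acl": [(principal, rights)]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or HEADER_RE.match(line):
            continue
        ace = ACE_RE.match(line)
        if ace:
            if current is not None:
                shares[current]["acl"].append((ace["who"], ace["rights"]))
            continue
        # Columns are separated by runs of two or more spaces.
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        current = fields[0]
        shares[current] = {
            "mount": fields[1] if len(fields) > 1 else "",
            "description": fields[2] if len(fields) > 2 else "",
            "acl": [],
        }
    return shares


def broad_write_access(shares):
    """List (share, principal, rights) where a broad group can modify data."""
    findings = []
    for name, info in shares.items():
        for who, rights in info["acl"]:
            if who.lower() in BROAD_PRINCIPALS and rights.lower() in WRITE_RIGHTS:
                findings.append((name, who, rights))
    return findings


if __name__ == "__main__":
    for share, who, rights in broad_write_access(parse_cifs_shares(SAMPLE_CIFS_SHARES)):
        print(f"{share}: {who} has {rights} at share level")
```

Share-level rights are only the first gate; on an NTFS-style qtree the file ACLs still apply, so a finding here means the share permission is not adding any restriction.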


    TASK VI: MAPPING A NETWORK DRIVE TO A SHARE

    In this lab, you map a network drive to your new share on the storage system.

    STEP ACTION

    1. On your Windows workstation desktop, right-click My Computer, and select Map Network Drive. The Map Network Drive window appears.

    a) In the Drive list box, select any unused letter.

    NOTE: Your letter must be different than that of your Windows workstation partner.

    b) In the Folder list box, enter: \\Storage_System_name\datatree3_mixed

    c) The Storage_System_name can be the name or IP address.

    d) Click the Finish button.

    2. To view the new network drive mapped to the datatree3_mixed share:

    a) On your Windows workstation desktop, right-click My Computer and select Explore. The My Computer window appears, displaying the console tree contents of My Computer.

    b) View the network drive to the mapped datatree3_mixed share in the console tree.

    c) In the right windowpane, view more details about the mapped network drive to datatree3_mixed, including the type, total size, and free space.

    3. To view the CIFS sessions with FilerView, go to FilerView > CIFS > Sessions Report.

    Who has a session with the storage system? _______________________

    How many shares are being accessed? _____________________

    How many files are being accessed? _______________________

    4. Task complete.

    END OF EXERCISE


    MODULE 6: ADVANCED ADMINISTRATION


    EXERCISE: ADVANCED ADMINISTRATION

    OVERVIEW

    The purpose of this activity is to set up event logging, configure a storage system for Auto Home Shares, and configure a Group Policy Object to automatically map the Auto Home Share to a network drive. Then we will configure native file blocking to prevent users from saving an MP3 file on the storage system.

    OBJECTIVES

    At the conclusion of the lab, you will be able to do the following:

    Set up event logging

    Configure Auto Home Shares for a user base

    Define a Group Policy Object to automatically map the Auto Home Share to a network drive

    Define a Group Policy Object to apply a security policy to a directory structure on a storage system

    TIME ESTIMATE

    90 minutes


    CHECK YOUR UNDERSTANDING

    What triggers can be set to autosave the event file?

    What command(s) is/are used to reload the CIFS GPOs?

    What command(s) is/are used to configure virus scanning on a storage system?

    Name three operations an FPolicy can be configured to monitor.

    Share caching is disabled by default. True/False


    TASK I: ENABLING EVENT LOGGING

    In this lab, you enable CIFS event auditing on your storage system.

    START OF EXERCISE

    STEP ACTION

    1. At the storage system prompt, enter the following command to view the current cifs.audit options:

    system> options cifs.audit

    What is your cifs.audit.autosave.onsize.enable setting? ____________________________ off

    What is your cifs.audit.enable setting? ___________ off

    If cifs.audit.enable is set to off, then enable auditing by entering the following command at the storage system prompt:

    system> options cifs.audit.enable on

    What is your cifs.audit.autosave.ontime.interval setting? ___________

    2. Set your cifs.audit.file_access_events.enable to on by entering the following command at the storage system prompt:

    NetApp> options cifs.audit.file_access_events.enable on

    3. At the storage system prompt, check the status of the login events by entering the following command:

    NetApp> options cifs.audit.logon_events.enable

    If the option is off, turn it on.

    4. Change the name of the audit log file by entering the following command:

    system> options cifs.audit.saveas /etc/log/storage_system_your_initials.evt

    NOTE: Use your initials to make your .evt file different from your partner's. The file name is the complete path name of the file where Data ONTAP logs audit event information. Use .evt as the file extension.

    5. Enter the following command to save the audit file:

    system> cifs audit save

    Note: Since auditing has not been enabled for long, you may receive an error message stating that the event log is empty. We will cause events to write to the log next.

    [cifs.auditfile.logFile.IOWarning.warning]: ALF I/O waring for file /etc/log/cifsaudit.alf: the audit log is empty

    6. Task complete.

    7. Please proceed to the next task.

    TASK II: SETTING A SACL ON THE FILE YOU WANT TO AUDIT

    In this lab, you set a System Access Control List (SACL) on a file that you create.

    STEP ACTION

    1. Map a drive to the C$ share of your storage system and log in to this share as the administrator.

    2. Access the C$ share and create a test text file in the home directory named access_test_your_name.txt.

    NOTE: Your file name should be different from your partner's.

    3. Right-click the file and select Properties. The file Properties window appears.

    4. Click the Security tab, and then click the Advanced button. The Advanced Security Settings window appears.

    5. Click the Auditing tab, and then click the Add button. The Select User, Computer, or Group window appears.

    To add the Everyone group, type Everyone in the Enter the object name to select text box, and then click the OK button. The Auditing Entry window for the text file appears.

    6. For the Everyone group in the Access list box, mark a few events to audit and click the OK button.

    NOTE: Checks in the boxes indicate what events are to be audited. Both failures and successes can be audited.


    7. The Advanced Security Settings window for the text file appears.

    Click the Apply button and then the OK button.


    8. In the Properties window, click the OK button.

    9. Task complete.

    10. Please proceed to the next task.

    TASK III: ENABLING AUTOSAVE OF EVENT FILES

    In this lab, you adjust the cifs.audit.autosave options on your storage system.

    STEP ACTION

    1. At the storage system prompt, enter the following command to save the audit log via a timer:

    system> options cifs.audit.autosave.ontime.interval 1m

    system> options cifs.audit.autosave.ontime.enable on

    2. Enter the following commands to set the extension and limit:

    system> options cifs.audit.autosave.file.extension timestamp

    system> options cifs.audit.autosave.file.limit 25


    3. Experiment with the cifs.audit.autosave.onsize.enable settings and have the storage system autosave on a threshold value.

    NOTE: You will have to create actions that are being audited such as logging on and logging off or events configured in Task II with your access_test_your_name.txt file.

    Were you successful? ____________________
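
To confirm that the settings from Tasks I and III actually took effect, the output of options cifs.audit can be compared against the values the lab asks for. The Python below is an added example, not part of the NetApp guide: it parses a captured listing and reports every option that is missing or differs from the lab's target. The sample listing is constructed, and its "name value" line layout is an assumption.

```python
import re

# Target values taken from the lab steps in Module 6, Tasks I and III.
BASELINE = {
    "cifs.audit.enable": "on",
    "cifs.audit.file_access_events.enable": "on",
    "cifs.audit.logon_events.enable": "on",
    "cifs.audit.autosave.ontime.enable": "on",
    "cifs.audit.autosave.ontime.interval": "1m",
    "cifs.audit.autosave.file.extension": "timestamp",
    "cifs.audit.autosave.file.limit": "25",
}

# Constructed sample of a captured console session (assumed "name value" layout).
# It deliberately drifts from the lab: file access auditing is off, the logon
# events option is absent, the interval is 1d and the log path is not .evt.
SAMPLE_OPTIONS = """\
system> options cifs.audit
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 25
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable            on
cifs.audit.file_access_events.enable off
cifs.audit.saveas            /etc/log/adtlog.txt
"""

# Only lines that begin with an option name are parsed, so the echoed prompt
# line and any console messages in the capture are ignored.
LINE_RE = re.compile(r"^(?P<name>cifs\.audit\.\S+)\s+(?P<value>\S+)")


def parse_options(text):
    """Return {option name: value} for every cifs.audit.* line in the capture."""
    opts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            opts[m["name"]] = m["value"]
    return opts


def audit_deviations(opts):
    """Return (option, found, expected) for each setting that misses the lab target."""
    issues = []
    for name, want in BASELINE.items():
        got = opts.get(name)
        if got is None:
            issues.append((name, "missing", want))
        elif got != want:
            issues.append((name, got, want))
    # The lab only requires that the log path use the .evt extension.
    saveas = opts.get("cifs.audit.saveas", "")
    if not saveas.endswith(".evt"):
        issues.append(("cifs.audit.saveas", saveas or "missing", "*.evt path"))
    return issues


if __name__ == "__main__":
    for name, found, expected in audit_deviations(parse_options(SAMPLE_OPTIONS)):
        print(f"{name}: found {found}, expected {expected}")
```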