Friday, 6 September 2013

How to Access the ETC$ Share from a Windows Client using CIFS: Method 2/2 - Workgroup Authentication

The following post applies to NetApp Data ONTAP 8 running in 7-Mode. The method is ages old and there is nothing new here at all; this post just gives the topic a good thorough seeing to.

Starting point

CIFS is not licensed (and hence cifs setup has not been run).

Walkthrough

With Workgroup Authentication, we don’t need to concern ourselves with DNS configuration or time synchronization. DNS (on a DNS server or in a hosts file) is simply a nice-to-have, which we skip here.

1) License CIFS

NTAP> license add CIFSCODE

(For the 8.1.2 SIM used here it’s: license add DZDACHD)

2) Run cifs setup

The first command sets the password history to 0 so you don’t have to change your root password once and then back again (cifs setup prompts for a new password for the root user). We set history back to the default of 6 after CIFS setup.

NTAP> options security.passwd.rules.history 0
NTAP> cifs setup

This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

Your filer does not have WINS configured and is visible only to clients on the same subnet.
Do you want to make the system visible via WINS?: N

A filer can be configured for multiprotocol access, or as an NTFS-only filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this filer, we recommend that you configure this filer as an NTFS-only filer

(1) NTFS-only filer
(2) Multiprotocol filer
       
Selection (1-2)?: 2

CIFS requires local /etc/passwd and /etc/group files and default files will be created.  The default passwd file contains entries for 'root', 'pcuser', and 'nobody'.

Enter the password for the root user: XXXX
Retype the password: XXXX

The default name for this CIFS server is 'NTAP'.
Would you like to change this name?: N

Data ONTAP CIFS services support four styles of user authentication. Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)?: 3

What is the name of the Workgroup?: WORKGROUP

CIFS - Starting SMB protocol...

It is recommended that you create the local administrator account (NTAP\administrator) for this filer.

Do you want to create the NTAP\administrator account?: Y
Enter the new password for NTAP\administrator: XXXX
Retype the password: XXXX

Welcome to the WORKGROUP Windows(R) workgroup

CIFS local server is running.

NTAP>
NTAP> options security.passwd.rules.history 6

3) Verify the default CIFS shares exist and test access by mapping a drive with the filer’s local administrator account

NTAP> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control

From the Windows client:

net use
net use Z: \\10.0.20.11\ETC$ /USER:administrator
net use /delete Z:

Note: 10.0.20.11 is the IP address of the filer.

4) Grant a specific filer local account access

To give, say, a filer-local storageadmin account access to /etc:

NTAP> useradmin group add storageadmins
NTAP> useradmin user add storageadmin -g storageadmins
NTAP> cifs access ETC$ storageadmins "Full Control"
NTAP> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
                        NTAP\storageadmins / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control

From the Windows client:

net use
net use Z: \\10.0.20.11\ETC$ /USER:storageadmin
net use /delete Z:

Image: Mapped drive to \\FILER_IP\ETC$
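
An added example (not from the original post): a Python check that parses cifs shares output like the listings above and flags ACL entries worth reviewing, namely any grant to everyone and any principal other than BUILTIN\Administrators on ETC$ or C$. The sample text is constructed from the step 4 listing; the function names, the review policy and the assumption that share names contain no spaces belong to this example.

```python
# Constructed sample: the `cifs shares` listing shown in step 4 of this post.
SAMPLE = """\
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\\Administrators / Full Control
                        NTAP\\storageadmins / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\\Administrators / Full Control
"""

ADMIN_SHARES = {"ETC$", "C$"}               # shares exposing /etc and the root volume
EXPECTED_ADMIN = "builtin\\administrators"  # the only default principal on them


def parse_cifs_shares(text):
    """Return {share: {"path": str, "acl": [(principal, right), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "----")):
            continue                                # blank line or table header
        if line[0].isspace():                       # indented line = ACL entry
            principal, _, right = line.strip().rpartition(" / ")
            if current and principal:
                shares[current]["acl"].append((principal, right))
        else:                                       # share line: name, path, description
            name, path = line.split()[:2]
            current = name
            shares[name] = {"path": path, "acl": []}
    return shares


def audit(shares):
    """Flag 'everyone' grants and extra principals on administrative shares."""
    findings = []
    for name, info in shares.items():
        for principal, right in info["acl"]:
            if principal.lower() == "everyone":
                findings.append((name, principal, right, "open to everyone"))
            elif name in ADMIN_SHARES and principal.lower() != EXPECTED_ADMIN:
                findings.append((name, principal, right, "extra principal on admin share"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cifs_shares(SAMPLE)):
        print(*finding, sep=" | ")
```

Run against the step 4 listing, it reports the NTAP\storageadmins grant on ETC$ and the everyone / Full Control entry on HOME.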
