Sun ZFS Storage 7000 System Administration Guide
SMB

Introduction

The SMB service provides access to filesystems using the SMB protocol. Filesystems must be configured to share using SMB from the Shares configuration.

Properties

| Property | Description |
|---|---|
| LAN Manager compatibility level | Authentication modes supported (LM, NTLM, LMv2, NTLMv2). For more information on the supported authentication modes within each compatibility level, consult the Solaris Express Reference Manual Collection for smb. |
| Preferred domain controller | The preferred domain controller to use when joining an Active Directory domain. If this controller is not available, Active Directory will rely on DNS SRV records and the Active Directory site to locate an appropriate domain controller. |
| Active Directory site | The site to use when joining an Active Directory domain. A site is a logical collection of machines which are all connected with high bandwidth, low latency network links. When this property is configured and the preferred domain controller is not specified, joining an Active Directory domain will prefer domain controllers located in this site over external domain controllers. |
| Maximum # of server threads | The maximum number of simultaneous server threads (workers). Default is 1024. |
| Enable Dynamic DNS | Choose whether the appliance will use Dynamic DNS to update DNS records in the Active Directory domain. Default is off. |
| Enable Oplocks | Choose whether the appliance will grant Opportunistic Locks to SMB clients. This will improve performance for most clients. Default is on. The SMB server grants an oplock to a client process so that the client can cache data while the lock is in place. When the server revokes the oplock, the client flushes its cached data to the server. |
| Restrict anonymous access to share list | If this option is enabled, clients must authenticate to the SMB service before receiving a list of shares. If disabled, anonymous clients may access the list of shares. |
| System Comment | Meaningful text string. |
| Idle Session Timeout | Timeout setting for session inactivity. |
| Primary WINS server | Primary WINS address configured in the TCP/IP setup. |
| Secondary WINS server | Secondary WINS address configured in the TCP/IP setup. |
| Excluded IP addresses from WINS | IP addresses excluded from registration with WINS. |
| SMB Signing Enabled | Enables interoperability with SMB clients using the SMB signing feature. If a packet has been signed, the signature will be verified. If a packet has not been signed, it will be accepted without signature verification (if SMB signing is not required; see below). |
| SMB Signing Required | When SMB signing is required, all SMB packets must be signed or they will be rejected, and clients that do not support signing will be unable to connect to the server. |

Changing service properties is documented in the BUI and CLI sections of services. The CLI property names are shorter versions of those listed above.
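The two signing properties in the table above are easy to confuse: "Enabled" only verifies signatures that are present, while "Required" is what actually rejects unsigned traffic. The following Python model is an added illustration (not appliance code) that encodes the accept/reject behaviour exactly as the table states it and runs a constructed packet sequence through each setting, so the unsigned packets that an enabled-but-not-required server still accepts are visible. Treating "Required" as implying "Enabled" is an assumption of this example.

```python
"""Accept/reject behaviour of the two SMB signing properties.

Added example (not appliance code): encodes what the SMB property table
says about "SMB Signing Enabled" and "SMB Signing Required" and runs a
constructed packet sequence through each setting.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SigningPolicy:
    enabled: bool    # verify the signature when a packet carries one
    required: bool   # reject packets that carry no signature at all


@dataclass(frozen=True)
class Packet:
    label: str
    signed: bool
    signature_valid: bool = True   # only meaningful when signed is True


def accept(policy: SigningPolicy, pkt: Packet) -> Tuple[bool, str]:
    """Decide one packet under the policy; returns (accepted, reason)."""
    # "Required" only makes sense with verification on, so it is treated
    # here as implying "Enabled" (assumption of this example).
    verify = policy.enabled or policy.required
    if not pkt.signed:
        if policy.required:
            return False, "unsigned packet rejected (signing required)"
        # The gap the table describes: enabled-but-not-required accepts
        # unsigned packets without any verification.
        return True, "unsigned packet accepted without verification"
    if not verify:
        return True, "signature present but not checked (signing disabled)"
    if not pkt.signature_valid:
        return False, "signature verification failed"
    return True, "signature verified"


def accepted_labels(policy: SigningPolicy, packets: List[Packet]) -> List[str]:
    """Labels of the packets the server would accept under this policy."""
    return [p.label for p in packets if accept(policy, p)[0]]


# Constructed packet sequence: one valid signed, one tampered signed, one unsigned.
SAMPLE_PACKETS = [
    Packet("signed-valid", signed=True, signature_valid=True),
    Packet("signed-tampered", signed=True, signature_valid=False),
    Packet("unsigned", signed=False),
]

# The three settings an administrator can choose between.
POLICIES = {
    "disabled": SigningPolicy(enabled=False, required=False),
    "enabled-only": SigningPolicy(enabled=True, required=False),
    "required": SigningPolicy(enabled=True, required=True),
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:13s} accepts: {accepted_labels(policy, SAMPLE_PACKETS)}")
```

Running the block shows that only the "required" setting drops the unsigned packet; "enabled-only" still lets it through, which is why a client that silently falls back to unsigned traffic is not protected by that setting alone.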

Share Properties

Several share properties must be set in certain ways when exporting a share over SMB.

| Property | Description |
|---|---|
| Case sensitivity | SMB clients expect case-insensitive behavior, so this property must be "mixed" or "insensitive". |
| Reject non UTF-8 | If non-UTF-8 filenames are allowed in a filesystem, SMB clients may function incorrectly. |
| Non-Blocking Mandatory Locking | This property must be enabled to allow byte range locking to function correctly. |
| Resource name | The name by which clients refer to the share. For information about how this name is inherited from a project, see the Protocols documentation. |
| Share-level ACL | An ACL which adds another layer of access control beyond the ACLs stored in the filesystem. For more information on this property, see the Protocols documentation. |

The case sensitivity and reject non UTF-8 properties can only be set when creating a share.

NFS/SMB Interoperability

The appliance supports NFS and SMB clients accessing the same shares concurrently. To correctly configure the appliance for NFS/SMB interoperability, you must configure the following components:

  1. Configure the Active Directory service.

  2. Establish an identity mapping strategy and configure the service.

  3. Configure SMB.

  4. Configure access control, ACL entries, and ACL inheritance on shares.

Note that SMB and NFSv3 do not use the same access control model. For best results, configure the ACL on the root directory from an SMB client, as the SMB access control model is the more verbose of the two. For information on inheritable trivial ACL entries, see the ACL inheritance behavior documentation.

DFS Namespaces

The Distributed File System (DFS) is a virtualization technology delivered over the SMB and MSRPC protocols. DFS allows administrators to group shared folders located on different servers by transparently connecting them to one or more DFS namespaces. A DFS namespace is a virtual view of shared folders in an organization. An administrator can select which shared folders to present in the namespace, design the hierarchy in which those folders appear and determine the names that the shared folders show in the namespace. When a user views the namespace, the folders appear to reside in a single, high-capacity file system. Users can navigate the folders in the namespace without needing to know the server names or shared folders hosting the data.

Only one share per system may be provisioned as a standalone DFS namespace. Domain-based DFS namespaces are not supported. Note that one DFS namespace may be provisioned per cluster, even if each cluster node has a separate storage pool. To provision an SMB share as a DFS namespace, use the DFS management MMC snap-in to create a standalone namespace.

When the appliance is not joined to an Active Directory domain, additional configuration is necessary to allow Workgroup users to modify DFS namespaces. To enable an SMB local user to create or delete a DFS namespace, that user must have a separate local account created on the server. In the example below, the steps allow the SMB local user dfsadmin to manipulate DFS namespaces.

  1. Create a local user account on the server for user dfsadmin. Be sure to use the same password as when the local user was first created on the Windows machine.

  2. Add dfsadmin to the local SMB group Administrators.

  3. Login as dfsadmin on the Windows machine from which the DFS namespace will be modified.

Autohome Rules

The autohome share feature eliminates the administrative task of defining and maintaining home directory shares for each user that accesses the system through the SMB protocol. Autohome rules map SMB clients to home directories. There are three kinds of autohome rules:

| Type | Description |
|---|---|
| Name service switch | This autohome rule queries NIS or LDAP for a user's home directory, then exports that directory to the SMB client as its home directory. |
| All users | An autohome rule which finds home directories based on wildcard characters. When substituting for the user's name, "&" matches the user. |
| Particular user | An autohome rule which provides a home directory for a particular user. |

A name service switch autohome rule and an autohome rule for all users cannot exist at the same time.

Local Groups

Local groups are groups of domain users which confer additional privileges to those users.

| Group | Description |
|---|---|
| Administrators | Administrators can bypass file permissions to change the ownership on files. |
| Backup Operators | Backup Operators can bypass file access controls to backup and restore files. |

Local Accounts

Local accounts and user IDs are mapped to Windows user IDs. Note that the guest account is a special, read-only account and cannot be configured for read/write in the appliance.

MMC Integration

The Microsoft Management Console (MMC) is an extensible framework of registered components, known as snap-ins, that provide comprehensive management features for both the local system and remote systems on the network. Computer Management is a collection of Microsoft Management Console tools that may be used to configure, monitor and manage local and remote services and resources.

In order to use the MMC functionality on the Sun ZFS Storage 7000 appliances in workgroup mode, be sure to add the Windows administrator who will use the management console to the Administrators local group on the appliance. Otherwise you may receive an "Access is denied" or similar error on the administration client when attempting to connect to the appliance using the MMC.

The Sun ZFS Storage 7000 appliances support the following Computer Management facilities:

Event Viewer

Display of the Application log, Security log, and System log are supported using the Event Viewer MMC snap-in. These logs show the contents of the alert, audit, and system logs of the Sun ZFS Storage 7000 system. Following is a screen capture that illustrates the Application log and the properties dialog for an error event.

[Screen capture: Application log and the properties dialog for an error event]

Share Management

Support for share management includes the following:

Features not currently supported via MMC include the following:

Following is a screen capture that illustrates Permissions properties for a Share.

[Screen capture: Permissions properties for a Share]

Users, Groups and Connections

Supported features include the following:

Following is a screen capture that illustrates open files per connection.

[Screen capture: open files per connection]

Following is a screen capture that illustrates open sessions.

[Screen capture: open sessions]

Services

Support includes listing of services of the Sun ZFS Storage 7000 system. Services cannot be enabled or disabled using the Computer Management MMC application. Following is a screen capture that illustrates General properties for the vscan Service.

[Screen capture: General properties for the vscan Service]

To ensure that only the appropriate users have access to administrative operations there are some access restrictions on the operations performed remotely using MMC.

| Users | Allowed operations |
|---|---|
| Regular users | List shares. |
| Members of the Administrators or Power Users groups | Manage shares, list user connections. |
| Members of the Administrators group | List open files and close files, disconnect user connections, view services and event log. |

CLI

The following are examples of SMB administration at the CLI.

Adding autohome rules

Use the create command to add autohome rules, and the list command to list existing rules. This example adds a rule for the user "Bill" then lists the rules:

twofish:> configuration services smb
twofish:configuration services smb> create
twofish:configuration services rule (uncommitted)> set use_nss=false 
twofish:configuration services rule (uncommitted)> set user=Bill
twofish:configuration services rule (uncommitted)> set directory=/export/wdp
twofish:configuration services rule (uncommitted)> set container="dc=com,dc=fishworks,
   ou=Engineering,CN=myhome"
twofish:configuration services rule (uncommitted)> commit
twofish:configuration services smb> list
RULE       NSS      USER         DIRECTORY            CONTAINER           
rule-000   false    Bill         /export/wdp          dc=com,dc=fishworks,
   ou=Engineering,CN=myhome

Autohome rules may be created using wildcard characters. The & character matches the user's username, and the ? character matches the first letter of the user's username. The following uses wildcards to match all users:

twofish:configuration services smb> create
twofish:configuration services rule (uncommitted)> set use_nss=false 
twofish:configuration services rule (uncommitted)> set user=*
twofish:configuration services rule (uncommitted)> set directory=/export/?/&
twofish:configuration services rule (uncommitted)> set container="dc=com,dc=fishworks,
   ou=Engineering,CN=myhome"
twofish:configuration services rule (uncommitted)> commit
twofish:configuration services smb> list
RULE       NSS      USER         DIRECTORY            CONTAINER           
rule-000   false    Bill         /export/wdp          dc=com,dc=fishworks,
   ou=Engineering,CN=myhome

The name service switch may also be used to create autohome rules:

twofish:configuration services smb> create
twofish:configuration services rule (uncommitted)> set use_nss=true 
twofish:configuration services rule (uncommitted)> set container="dc=com,dc=fishworks,
   ou=Engineering,CN=myhome"
twofish:configuration services rule (uncommitted)> commit
twofish:configuration services smb> list
RULE       NSS      USER         DIRECTORY            CONTAINER           
rule-000   true                                       dc=com,dc=fishworks,
   ou=Engineering,CN=myhome
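To make the autohome behaviour described in the Autohome Rules table and in the CLI examples above concrete, here is an added Python model (not appliance code) of how the three rule types resolve a username to an exported home directory. It implements the documented wildcard substitutions ('&' expands to the username, '?' to its first letter) and the documented restriction that a name service switch rule and an all-users rule cannot coexist. The precedence between rule types, the stand-in `nss_homes` dictionary used in place of a real NIS/LDAP lookup, and the refusal to expand usernames containing path separators are assumptions of this example; the sample rules are constructed to mirror the CLI transcript.

```python
"""Resolve SMB autohome rules to a home-directory path.

Added example (not appliance code): models the three autohome rule types
and the '&' / '?' wildcard substitutions described in the SMB docs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AutohomeRule:
    use_nss: bool = False   # True: name service switch rule (NIS/LDAP lookup)
    user: str = ""          # "*" for an all-users rule, else a particular user
    directory: str = ""     # may contain the & and ? wildcards


def expand_wildcards(pattern: str, username: str) -> str:
    """'&' -> username, '?' -> first letter of username, per the CLI docs."""
    if not username or "/" in username or username in (".", ".."):
        # Sanity check added in this example: a name that could alter the
        # directory structure must never reach path substitution.
        raise ValueError(f"refusing to expand unsafe username {username!r}")
    return pattern.replace("&", username).replace("?", username[0])


def validate_rules(rules: List[AutohomeRule]) -> None:
    """Reject a rule set that combines an NSS rule with an all-users rule."""
    has_nss = any(r.use_nss for r in rules)
    has_all_users = any(not r.use_nss and r.user == "*" for r in rules)
    if has_nss and has_all_users:
        raise ValueError("a name service switch rule and an all-users rule cannot coexist")


def resolve_home(rules: List[AutohomeRule], username: str,
                 nss_homes: Dict[str, str]) -> Optional[str]:
    """Return the directory exported as username's home, or None if no rule applies.

    Precedence (an assumption of this example): a particular-user rule wins
    over an all-users rule, which wins over the name service switch lookup.
    nss_homes is a constructed stand-in for the NIS/LDAP home-directory lookup.
    """
    validate_rules(rules)
    for rule in rules:
        if not rule.use_nss and rule.user == username:
            return expand_wildcards(rule.directory, username)
    for rule in rules:
        if not rule.use_nss and rule.user == "*":
            return expand_wildcards(rule.directory, username)
    if any(rule.use_nss for rule in rules):
        return nss_homes.get(username)
    return None


# Constructed rule set mirroring the CLI examples: a rule for Bill and a
# wildcard rule for everyone else.
SAMPLE_RULES = [
    AutohomeRule(user="Bill", directory="/export/wdp"),
    AutohomeRule(user="*", directory="/export/?/&"),
]

if __name__ == "__main__":
    for name in ("Bill", "alice"):
        print(name, "->", resolve_home(SAMPLE_RULES, name, {}))
```

With the sample rules, Bill is mapped to /export/wdp by his particular-user rule and every other user falls through to the wildcard rule, so alice resolves to /export/a/alice.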

Adding a user to a local group

twofish:configuration services smb> groups
twofish:configuration services smb groups> create
twofish:configuration services smb member (uncommitted)> set user=Bill
twofish:configuration services smb member (uncommitted)> set group="Backup Operators"
twofish:configuration services smb member (uncommitted)> commit
twofish:configuration services smb groups> list
MEMBER       USER                         GROUP                   
member-000   WINDOMAIN\Bill               Backup Operators     

Tasks

This section provides instructions for how to configure and enable the Sun ZFS Storage 7000 appliances for file sharing over SMB from initial configuration using the BUI.

SMB Tasks

Initial Configuration

Initial configuration of the appliance may be completed using the BUI or the CLI and should take less than 20 minutes. Initial Setup may also be performed again later using the Maintenance > System contexts of the BUI or CLI. Initial configuration will take you through the following BUI steps, in general.

  1. Configure Network Devices, Datalinks, and Interfaces.
  2. Create interfaces using the Datalink add or Interface Add item icons or by using drag-and-drop of devices to the datalink or interface lists.
  3. Set the desired properties and click the Apply button to add them to the list.
  4. Set each interface to active or standby as appropriate.
  5. Click the Apply button at the top of the page to commit your changes.
  6. Configure DNS.
  7. Provide the base domain name.
  8. Provide the IP address of at least one server that is able to resolve hostname and server records in the Active Directory portion of the domain namespace.
  9. Configure NTP authentication keys to ensure clock synchronization.
  10. Click the Add item icon to add a new key.
  11. Specify the number, type, and private value for the new key and apply the changes. The key appears as an option next to each specified NTP server.
  12. Associate the key with the appropriate NTP server and apply the changes. To ensure clock synchronization, configure the appliance and the SMB clients to use the same NTP server.
  13. Specify Active Directory as the directory service for users and groups.
  14. Set the directory domain.
  15. Click the Apply button to commit your changes.
  16. Configure a storage pool.
  17. Click the Add item icon to add a new pool.
  18. Set the pool name.
  19. On the "Allocate and verify storage" screen, configure the JBOD allocation for the storage pool. JBOD allocation may be none, half or all. If no JBODs are detected, check your JBOD cabling and power.
  20. Click the Commit button to advance to the next screen.
  21. On the "Configure Added Storage" screen, select the desired data profile. Each is rated in terms of availability, performance and capacity. Use these ratings to determine the best configuration for your business needs.
  22. Click the Commit button to activate the configuration.
  23. Configure Remote Support.
  24. If the appliance is not directly connected to the internet, configure an HTTP proxy through which the remote support service may communicate with Oracle.
  25. Enter your Online Account user name and password. A privacy statement will be displayed for your review.
  26. Choose which of your inventory teams to register with. The default team for each account is the same as the account user name, prefixed with a '$'.
  27. Commit your initial configuration changes.

Active Directory Configuration

  1. Create an account for the appliance in the Active Directory domain. Refer to Active Directory documentation for detailed instructions.
  2. On the Configuration > Services > Active Directory screen, click the Join Domain button.
  3. Specify the Active Directory domain, administrative user, administrative password and click the Apply button to commit the changes.

Project and Share Configuration

  1. Create a Project.
  2. On the Shares screen, click the Panel open icon to expand the Projects panel.
  3. Click the Add... link to add a new project.
  4. Specify the Project name and apply the change.
  5. Select the new project from the Projects panel.
  6. Click the Add item icon to add a filesystem.
  7. Click the Edit icon for the filesystem.
  8. Click the General link and deselect the Inherit from project checkbox.
  9. Choose a mountpoint under /export, even though SMB shares are accessed by resource name.
  10. On the Protocols screen for the project, set the resource name to on.
  11. Enable sharesmb and share-level ACL for the Project.
  12. Click the Apply button to activate the configuration.

SMB Data Service Configuration

  1. On the Configuration > Services > SMB screen, click the Power icon to enable the service.
  2. Set SMB properties according to the recommendations in the properties section of this page and click the Apply button to activate the configuration.
  3. Click the Autohome link on the Configuration > Services > SMB screen to set autohome rules to map SMB clients to home directories according to the descriptions in the Autohome rules section above and click the Apply button to activate the configuration.
  4. Click the Local Groups link on the Configuration > Services > SMB screen and use the Add item icon to add administrators or backup operator users to local groups according to the descriptions in the Local Groups section above and click the Apply button to activate the configuration.