CHAPTER 8

Shares, Quotas, and Exports

This chapter describes the various methods of controlling user access to the files and volumes on NAS appliances and gateway systems.

It includes the following sections:


Managing Shares

This section provides information about managing shares. The following subsections are included:


About Shares

Common Internet File System (CIFS) is an enhanced version of the Microsoft Server Message Block (SMB) protocol. SMB/CIFS allows client systems of Windows environments to access files on NAS appliances and gateway systems.

A shared resource, or share, is a local resource on a server that is accessible to Windows clients on the network. On NAS appliances and gateway systems, it is typically a file-system volume or a directory tree within a volume. Each share is identified by a name on the network. To clients on the network, the share appears as a complete volume on the server, and they do not see the local directory path directly above the root of the share.

Note: Shares and directories are independent entities. Removing a share does not affect the underlying directory.

Shares are commonly used to provide network access to home directories on a network file server. Each user is assigned a home directory within a file volume.

There are two types of shares: static SMB/CIFS shares and autohome SMB/CIFS shares. Static shares are persistent shares that remain defined regardless of whether users are attached to the server. Autohome shares are temporary shares created when a user logs on to the system and removed when the user logs off.

When a user browses the system, only statically defined shares and autohome shares for connected users will be listed.


About Static Shares

A static share is created to allow users to map their home directories as network drives on a client workstation. For example, if volume vol1 contains a home directory named home and subdirectories for users bob and sally, the shares would be defined as shown below:


Share Name    Directory Path
bob           /vol1/home/bob
sally         /vol1/home/sally


If defining and maintaining a static home directory share for each Windows user who has access to the system is inconvenient, you can use the autohome feature. See About Autohome Shares for more information.


About Share Access Permissions

When you add a share, you have the option to specify Umask access permissions for the share. The Umask defines the security policy for files and directories created in Share mode. It is a three-digit number that is used to set access permissions when new directories and files are created.

Of the three digits in the Umask, the first designates access permissions for the owner; the second, the group; the third, everybody. Each digit comprises three bits designating read, write, and executable permissions. Bit 1 enables; bit 0 disables.

For example, enabling all three bits (111) grants read, write, and executable permissions. The octal equivalent value of "111" is "7" which you type in the Umask option box, accessible from the Configure Shares panel. Therefore, typing "777" in the Umask box grants all read, write, and executable permissions to the owner, the group, and everyone. Typing "700" grants read, write, and executable permissions only to the owner.

Note: If the DOS read-only attribute is set in a file create request, all write bits are disabled ("0") when the Umask option is applied, as shown in TABLE 8-1.


TABLE 8-1 Umask Access Permissions With DOS Read-Only Attribute Set

         New Directory Permissions             New File Permissions
Umask    DOS RW            DOS RO              DOS RW            DOS RO
000      777 (rwxrwxrwx)   777 (rwxrwxrwx)     666 (rw-rw-rw-)   444 (r--r--r--)
777      000 (---------)   000 (---------)     000 (---------)   000 (---------)
022      755 (rwxr-xr-x)   755 (rwxr-xr-x)     644 (rw-r--r--)   444 (r--r--r--)
002      775 (rwxrwxr-x)   775 (rwxrwxr-x)     664 (rw-rw-r--)   444 (r--r--r--)
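
The rule behind TABLE 8-1, as an added example that is not part of the original manual or the product's own code: a set umask bit removes a permission (so 777 yields 000, as in the table), and the DOS read-only attribute then clears every write bit on new files. The base modes 777 and 666 and the findings() check are assumptions chosen to match the table rows.

```python
import stat

DIR_BASE = 0o777    # mode requested for a new directory before the umask
FILE_BASE = 0o666   # mode requested for a new file before the umask
WRITE_BITS = 0o222  # owner, group and other write bits


def parse_umask(text):
    """Parse the three-digit octal value typed in the Umask box."""
    if len(text) != 3 or any(c not in "01234567" for c in text):
        raise ValueError(f"umask must be three octal digits: {text!r}")
    return int(text, 8)


def new_mode(umask, is_dir, dos_read_only=False):
    """Permission bits of a newly created file or directory."""
    mode = (DIR_BASE if is_dir else FILE_BASE) & ~umask & 0o777
    # In TABLE 8-1 the DOS read-only attribute changes files only:
    # every write bit is cleared after the umask has been applied.
    if dos_read_only and not is_dir:
        mode &= ~WRITE_BITS
    return mode


def show(mode):
    """Format a mode the way TABLE 8-1 does, e.g. '755 (rwxr-xr-x)'."""
    return f"{mode:03o} ({stat.filemode(mode)[1:]})"


def table_row(umask_text):
    """(dir RW, dir RO, file RW, file RO) for one umask value."""
    u = parse_umask(umask_text)
    return tuple(show(new_mode(u, is_dir, ro))
                 for is_dir in (True, False) for ro in (False, True))


def findings(umask_text):
    """Flag umasks that leave new objects writable beyond the owner."""
    u = parse_umask(umask_text)
    out = []
    for label, is_dir in (("directories", True), ("files", False)):
        mode = new_mode(u, is_dir)
        if mode & 0o002:
            out.append(f"new {label} are world-writable ({show(mode)})")
        elif mode & 0o020:
            out.append(f"new {label} are group-writable ({show(mode)})")
    return out


if __name__ == "__main__":
    for u in ("000", "777", "022", "002"):   # the rows of TABLE 8-1
        print(u, *table_row(u), sep="  ")
        for f in findings(u):
            print("   !", f)
```

Because Windows Workgroup mode relies on share-level security, running findings() over the umask of each workgroup share shows which shares create files that the group or everyone can modify.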



Configuring Static Shares

This section provides information about configuring static shares. The following subsections are included:

About Configuring Static Shares

You can add, view, and update static Microsoft Server Message Block (SMB) shares from two places in the Web Administrator GUI:

The table at the top of the Configure Shares panel shows information about all existing SMB shares. This information includes the share name and directories shared, container names, and desktop database calls, as well as information concerning Windows Workgroups only (user, group, and umask).

A file volume or directory must exist before it can be shared.

By default, a hidden share is created for the root of each file volume when that volume is created, and is accessible only to Domain Administrators. These shares are typically used by administrators to migrate data and create directory structures. Refer to the Configure Shares screen for these share names.

Creating Static Shares

You must create a file volume before you can create a share. For more information, see About Creating a File Volume or a Segment.

To add a new Microsoft Server Message Block (SMB) share:

1. From the navigation panel, choose Windows Configuration > Configure Shares.

Note: Alternatively, navigate to the target file volume and directory under the System Manager, then right-click and choose the appropriate option from the pop-up menu (for example, Sharing > New Share).

2. Click Add, then fill in the fields as described below.

For more detailed field information, see New Share Window.

3. Type the name of the share you want to add in the Share Name field.

4. (Optional) Add a Comment to describe the share.

5. Select the Mac Extensions Desktop DB Calls checkbox to allow the system to access and set Macintosh desktop database information.

6. Select the volume to share from the Volume Name drop-down menu.

7. If you are sharing at the directory level, type the name of the existing directory. Keep in mind, however, that sharing directories below the volume root eases security administration.

You cannot create a directory in this field. Omit this field to create a root-level share.

8. If you enabled ADS in the Set Up ADS panel, specify the ADS container where the share will be published. See Publishing Shares in ADS for more information.

9. Type the user ID and group ID, if applicable, as well as the read/write and read-only passwords.

These fields are only applicable if you enable Windows Workgroup mode (not NT Domain mode), as described under Configure Domains and Workgroups Panel. Also refer to Configuring Windows Security for information about enabling Windows security models.

Windows Workgroup uses share-level security. The User ID (UID) and Group ID (GID) fields in this screen represent the sole means of security for NAS appliance and gateway-system file ownership and access by Windows Workgroup users. In other words, the rights to a directory are determined by the share definition rather than by the user.

You can create multiple shares for the same directory with different UIDs and GIDs. You can also manage individual user and group limitations on the amount of file volume space or number of files used through quotas. For more information about quotas, refer to About Managing Quotas.

10. In the Umask field, specify the file creation mask, if any, you want to apply to this share. This field is available only if Windows Workgroup mode is enabled.

The umask defines the security policy for files and directories created in Share mode. It specifies the permission bits to turn off when a file is created.

The umask is defined in octal because octal numbers are composed of three bytes, which maps easily to the Unix file permission representation. The umask is applied using standard Unix rules, except for the DOS read-only attribute. If the DOS read-only attribute is set when the file is created, all write bits will be removed from the file's permissions after the umask has been applied.

The following table shows umask to permission examples, including the effect of the DOS read-only attribute. For more information, see About Share Access Permissions.

11. Click Apply to save your changes.

Editing an Existing SMB Share

To edit an existing Microsoft Server Message Block (SMB) share:

1. From the navigation panel, choose Windows Configuration > Configure Shares.

2. Select the share you want to update, then choose Edit.

Note: Alternatively, navigate to the target file volume and directory under the System Manager, then right-click and choose Sharing > Edit Share from the pop-up menu.

3. Modify the fields you want to change.

For more detailed field information, see New Share Window.

For Edit processing, the share name displays as the Old Share Name field. If you want to change this name, type the new name in the Share Name field.

4. Click Apply to save your changes.

Removing an SMB/CIFS Share

To remove a Microsoft Server Message Block (SMB)/Common Internet File System (CIFS) share:

1. From the navigation panel, choose Windows Configuration > Configure Shares.

2. Select the share you want to remove from the shares table, then choose Remove.

Note: Alternatively, navigate to the target file volume and directory under the System Manager, then right-click and choose Sharing > Remove Share from the pop-up menu. Select the share to delete and click Apply.

3. From the verifications window, select Yes.


About Configuring SMB/CIFS Clients

After you configure security and network settings, the NAS appliance or gateway system becomes visible to Microsoft Server Message Block (SMB)/Common Internet File System (CIFS) clients by registering with the master browser on its local network. Clients can connect with the NAS storage as follows:

If they map the network drive, they need the Universal Naming Convention (UNC) path for the NAS appliance or gateway system, which consists of a computer name and share name as follows: \\computer_name\share_name. If they connect through Network Neighborhood, they need the system name used to identify the appliance or gateway system on the network.

If ADS is installed, users can connect by clicking on a NAS appliance or gateway-system share published in ADS.


About Autohome Shares

The Microsoft Server Message Block (SMB)/Common Internet File System (CIFS) autohome share feature eliminates the administrative task of defining and maintaining home directory shares for each Windows user accessing the system. The system creates autohome shares when a user logs on and removes them when the user logs off. This reduces the administrative effort needed to maintain user accounts and increases the efficiency of server resources.

To configure the autohome feature, enable it and provide the path for the base directory for the directory shares. For example, if a user's home directory is /vol1/fort/sally, the autohome path is /vol1/fort. The temporary share is named sally. The user's home directory name must be the same as the user's log-in name.

When a user logs on, the server checks for a subdirectory that matches the user's name, according to any rules that have been specified. If it finds a match and that share does not already exist, it adds a temporary share. When the user logs off, the server removes the share.

Windows clients might log a user off after 15 minutes of inactivity, which results in the autohome share disappearing from the list of published shares. This is normal CIFS protocol behavior. If the user clicks on the server name or otherwise attempts to access the system (for example, in an Explorer window), the share reappears.

Note: All autohome shares are removed when the system reboots.


Enabling Autohome Shares

When you use the Autohome feature, you must decide under what conditions a temporary share will be allowed to be established. The conditions are set first by any specific rules that you define and then by the default rule that you set, if any.

Note: When configuring a user's home directory using the Active Directory administrative tool, you will get a warning indicating the autohome path cannot be found. You can ignore this message because the autohome share will be created when the user logs on.

To enable autohome shares:

1. From the navigation panel, choose Windows Configuration > Configure Autohome.

2. Select one of the Default Rules buttons to set the condition for allowing a share if no specific rule allows a share:

3. To create a specific rule:

a. Click on the Add button to open the Add/Edit Rule dialog.

b. Type the Name of the user account.

c. Type the user's home directory. Specify the absolute path from the volume name up to the user name or use one of the following substitution characters:

Example:

amy /vol1/home/?/&

maps to:

amy /vol1/home/a/amy

For more information on the path, see About Autohome Shares.

d. Type the name of the ADS container if one is installed. For more information, see About Active Directory Service.

e. Click OK.

The new rule is now listed in the Specific Rules section of the Configure Autohome dialog. You can edit the rule by selecting it and clicking on the Edit button. If you create more than one rule, you can change the order of the rules by selecting the Up or Down buttons.

4. Click Apply to save your changes.
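
How a log-in could be resolved to a temporary share under these rules, as an added example that is not part of the original manual or the product's own code. Assumptions: "?" stands for the first character of the user name and "&" for the user name (inferred from the amy example above), the default rule is modelled as an optional path template, and the user-name pattern and the existing_dirs set are hypothetical stand-ins.

```python
import posixpath
import re

# Conservative log-in name pattern (assumption): no path separators and
# none of the substitution characters themselves.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")


def expand(template, user):
    """Expand '?' (first character) and '&' (user name) in a rule path."""
    return template.replace("?", user[0]).replace("&", user)


def resolve_autohome(user, specific_rules, default_template, existing_dirs):
    """Return (share_name, path) for the temporary share, or None.

    specific_rules   ordered list of (user_name, path_template)
    default_template template used when no specific rule matches, or None
    existing_dirs    set of directories present on the volume (constructed
                     stand-in for the server's file-system lookup)
    """
    if not USER_RE.fullmatch(user):
        raise ValueError(f"unsafe log-in name: {user!r}")
    # Specific rules are consulted in order; the default rule comes last.
    template = next((t for name, t in specific_rules if name == user),
                    default_template)
    if template is None:
        return None
    path = posixpath.normpath(expand(template, user))
    # The home directory name must be the same as the log-in name.
    if posixpath.basename(path) != user:
        return None
    # A share is added only when the matching subdirectory exists.
    if path not in existing_dirs:
        return None
    return user, path


if __name__ == "__main__":
    # Constructed sample data, using the paths from this chapter.
    rules = [("amy", "/vol1/home/?/&")]
    dirs = {"/vol1/home/a/amy", "/vol1/fort/sally"}
    for name in ("amy", "sally", "bob"):
        print(name, "->", resolve_autohome(name, rules, "/vol1/fort/&", dirs))
```

Rejecting names that contain path separators before expansion keeps the resolved directory under the base path given in the rule.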


Managing Quotas

This section provides information about managing quotas. The following subsections are included:


About Managing Quotas

The Manage Quotas panel enables you to administer quotas on NAS appliance and gateway-system file volumes and directories. User and group quotas determine how much disk space is available to a user or group and how many files a user or group can write to a volume. Directory tree quotas determine how much space is available for a specific directory and/or how many files can be written to it.

See About Configuring User and Group Quotas to set space and file limits for users and groups. Refer to About Configuring Directory Tree Quotas to set space and file limits for specific directories.


Configuring User and Group Quotas

This section provides information about configuring user and group quotas. The following subsections are included:

About Configuring User and Group Quotas

The Configure User and Group Quotas panel lets you administer quotas on volumes for NT and Unix users and groups. It displays root, default, and individual quotas for the volume selected. The settings for the default user and default group are the settings used for all users and groups that do not have individual quotas.

A hard limit is the absolute maximum amount of space available to the user or group. The hard limit must be equal to or higher than the soft limit. For disk space, it can be no more than approximately 2 terabytes. For the number of files, the hard limit can be no more than 4 billion files.

Reaching a soft limit, which is equal to or lower than the hard limit, triggers a grace period of seven days. After this grace period is over, the user or group cannot write to the volume until the amount of space used is below the soft limit. The Limits Grace fields show the amount of time left in the grace periods (blank if you are still within the soft limit).

The root user and root group are set to have no hard or soft limits for space or files and cannot have quotas defined.

Enabling Quotas for a File Volume

To enable quotas for a file volume:

1. From the navigation panel, choose File Volume Operations > Edit Volume Properties.

2. From the Volumes list, select the file volume for which you are enabling quotas.

3. Select the Enable Quotas box.

4. Click Apply.

Adding a User or Group Quota

To add a user or group quota:

1. From the navigation panel, choose File Volume Operations > Manage Quotas > Configure User and Group Quotas.

2. Click Users if you are configuring a user quota, or Groups if you are configuring a group quota.

3. From the Volume drop-down menu, select the name of the file volume for which you are adding a quota.

The table on this screen shows the root, default, and individual user or group quotas for the file volume selected.

4. To add a quota for a user or group, click Add.

5. Select whether the designated user or group belongs to a Unix or NT environment by clicking on the appropriate option button.

6. Select the appropriate user or group name (and Domain name for NT users or groups).

7. Set the disk space limits for the selected user or group. For detailed information on the disk space limits, see Add/Edit Quota Setting Window.

8. Set limits on the number of files a user or group can write to the file volume. For detailed information on the file limits, see Add/Edit Quota Setting Window.

9. Click Apply to save your changes.

Editing a User or Group Quota

To edit a user or group quota:

1. From the navigation panel, choose File Volume Operations > Manage Quotas > Configure User and Group Quotas.

2. Click Users to edit a user quota or Groups to edit a group quota.

3. From the Volume drop-down menu, select the name of the file volume for which you are editing quotas.

The table on this screen shows the root, default, and individual user or group quotas for the file volume.

4. Select the user or group for whom you are editing a quota, and click Edit.

5. Edit the disk space limits for the selected user or group. For detailed information on the disk space limits, see Add/Edit Quota Setting Window.

6. Edit the limits on the number of files a user or group can write to the file volume.

7. Click Apply to save your changes.

Deleting a User or Group Quota

Root and default quotas cannot be deleted. You can remove an individual quota by setting it to disk space and file defaults.

To delete a user or group quota:

1. From the navigation panel, choose File Volume Operations > Manage Quotas > Configure User and Group Quotas.

2. In the Configure User and Group Quotas panel, select Users to remove a user quota or Groups to remove a group quota.

3. Select the quota you want to remove in the table, then click Edit.

4. In the Edit Quota Setting window, click the Default option in both the Disk Space Limits and File Limits sections.

5. Click Apply to remove the quota setting.


Configuring Directory Tree Quotas

This section provides information about configuring directory tree quotas. The following subsections are included:

About Configuring Directory Tree Quotas

The Configure Directory Tree Quotas (DTQ) panel lets you administer quotas for specific directories in the file system. Directory tree quotas determine how much disk space is available for a directory and how many files can be written to it. You can only configure quotas for directories created in this panel, not for previously existing directories.

Creating a Directory Tree With a Directory Tree Quota

To create a directory tree with a directory tree quota:

1. From the navigation panel, choose File Volume Operations > Manage Quotas > Configure Directory Tree Quotas.

2. From the drop-down menu, select the file volume for which you are configuring a directory tree quota.

3. Click Add.

4. In the DTQ Name field, type a name to identify this directory tree quota.

5. In the DirName field, type a name for the new directory.

6. In the Path field, display the full path of the directory that will contain the new directory that you are creating.

To do this, double-click the folder icon in the box under the Path field. Then select the directory that will contain the new directory that you are creating. Continue until the full path of the directory is shown in the Path field.

7. Select the disk space limit for the directory in the Disk Space Limits section, selecting either No Limit or Custom.

8. Select whether the quota is reported in megabytes or gigabytes, and type the disk space limit in the Max Value field.

A Custom value of 0 (zero) is equivalent to choosing No Limit.

9. In the File Limits field, select the maximum number of files that can be written to this directory, either No Limit or Custom.

10. Click Apply to add the quota.

Editing an Existing Directory Tree Quota

To edit an existing directory tree quota:

1. From the navigation panel, choose File Volume Operations > Manage Quotas > Configure Directory Tree Quotas.

2. Select the quota you want to edit from the table, then click Edit.

3. Edit the name that identifies this directory tree quota in the DTQ Name field.

The Path is a read-only field that shows the path of the directory.

4. In the Disk Space Limits section, select the disk space limit for the directory, selecting either No Limit or Custom.

5. Select whether the quota is reported in megabytes or gigabytes, and type the disk space limit in the Max Value field.

A Custom value of 0 (zero) is equivalent to choosing No Limit.

6. In the File Limits section, select the maximum number of files to be written to this directory, selecting either No Limit or Custom.

7. Type the file limit in the Max Value field.

8. Click Apply to save your changes.

Note: When you move or rename a directory that contains a directory tree quota (DTQ) setting, the system updates the DTQ's path specification.

Deleting a Directory Tree Quota

To delete a directory tree quota:

1. From the navigation panel, choose File Volume Operations > Manage Quotas > Configure Directory Tree Quotas.

2. Select the quota you want to remove from the table.

3. Click Delete to remove the quota setting.

Deleting a directory tree quota (DTQ) removes the quota setting. However, it does not delete the directory itself or the files in the directory.

Note: If you delete a directory that contains a DTQ setting, both the directory and the DTQ setting are deleted.


Setting Up NFS Exports

This section provides information about setting up NFS exports. The following subsections are included:


About Setting Up NFS Exports

Network File System (NFS) exports let you specify access privileges for Unix (and Linux) users. The table in the Configuring Exports panel shows the current NFS export information, including the accessible directories, host name, and access level (Read/Write or Read/Only) for each export.

Any host name beginning with "@" identifies a group of hosts. For example, a host name of @general includes all hosts, and a host name of @trusted includes all trusted hosts. Refer to About Configuring Hosts for information about trusted hosts.


Creating Exports

You create exports by specifying access privileges for a particular Unix host. To export a file volume only to a set of hosts with root permission (like Sun Solaris or UNIX), use one of the following methods:

To create an export:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Configure Exports.

The table in this panel shows the current export information. If you have not created any exports, this space is blank.

2. Click the Add button to add an export.

3. In the Volume box, select the volume for which you want to grant Unix NFS host access.

4. In the Path box, specify the directory for which you want to grant Unix NFS host access.

Leaving this field blank exports the root directory of the volume.

5. In the Access section, specify whether the hosts have Read/Write, Read/Only, or No Access privileges on the selected volume.

6. In the Hosts section, select the host or hosts for which you are defining a Network File System (NFS) export.

Select from the following:

7. In the Map Root User section, select a method for mapping the user ID for root users.

Select from the following:

8. Click Apply to save the export.

9. In the Configure Exports panel, verify that the correct path, host, and access rights are shown for the export you created.


Editing Exports

To edit an export:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Configure Exports.

2. Select the export you want to change, and click the Edit button.

3. To change the Access rights, click Read/Write, Read/Only, or No Access.

The Hosts section is read-only.

4. Click Apply to save your changes.

5. In the Configure Exports panel, verify that the correct path, host, and access rights are shown for the export you edited.


Removing Exports

To remove a Network File System (NFS) export:

1. From the navigation panel, choose Unix Configuration > Configure NFS > Configure Exports.

2. Click the Trash button.

3. Confirm the removal.