[Cheat Sheet] Setting up a Vserver for user home directories in a Windows File Sharing environment

by Frequent Contributor on 2012-06-11 06:05 AM - edited on 2014-09-26 11:55 AM by Community Manager

[With inputs from Michael Saberi]

 

In the example that follows, the specifics are:

Cluster - c-mode (four nodes)
Vserver - vs01
DNS Domain - nltestlab.hq.netapp.com
AD Domain - nltestlab.hq.netapp.com
Users - mrinal (Administrator), user1 and user2

 

[Step 1]

Configure CIFS on the Vserver

c-mode::> vserver cifs create -vserver vs01 -cifs-server vs01 -domain nltestlab.hq.netapp.com

 

[Step 2]

Create volumes that will be used to host the user home directories.

c-mode::> volume create -vserver vs01 -volume home1 -aggregate aggr1_01 -size 10g -state online -type RW -policy default -security-style ntfs -junction-path /home1 -comment "first path for user home directories" -snapshot-policy default -antivirus-on-access-policy default
c-mode::> volume create -vserver vs01 -volume home2 -aggregate aggr1_02 -size 10g -state online -type RW -policy default -security-style ntfs -junction-path /home2 -comment "second path for user home directories" -snapshot-policy default -antivirus-on-access-policy default
c-mode::> volume create -vserver vs01 -volume home4 -aggregate aggr1_04 -size 10g -state online -type RW -policy default -security-style ntfs -junction-path /home4 -comment "fourth path for user home directories" -snapshot-policy default -antivirus-on-access-policy default
c-mode::> volume create -vserver vs01 -volume home3 -aggregate aggr1_03 -size 10g -state online -type RW -policy default -security-style ntfs -junction-path /home3 -comment "third path for user home directories" -snapshot-policy default -antivirus-on-access-policy default

 

[Step 3]

Create CIFS shares for admin-only access

c-mode::> vserver cifs share create -vserver vs01 -share-name home1 -path /home1 -share-properties oplocks,browsable,showsnapshot,changenotify -comment "first path for user home directories"
c-mode::> vserver cifs share create -vserver vs01 -share-name home2 -path /home2 -share-properties oplocks,browsable,showsnapshot,changenotify -comment "second path for user home directories"
c-mode::> vserver cifs share create -vserver vs01 -share-name home3 -path /home3 -share-properties oplocks,browsable,showsnapshot,changenotify -comment "third path for user home directories"
c-mode::> vserver cifs share create -vserver vs01 -share-name home4 -path /home4 -share-properties oplocks,browsable,showsnapshot,changenotify -comment "fourth path for user home directories"

 

c-mode::> vserver cifs share access-control create -vserver vs01 -share home1 -user-or-group mrinal -permission Full_Control
c-mode::> vserver cifs share access-control create -vserver vs01 -share home2 -user-or-group mrinal -permission Full_Control
c-mode::> vserver cifs share access-control create -vserver vs01 -share home3 -user-or-group mrinal -permission Full_Control
c-mode::> vserver cifs share access-control create -vserver vs01 -share home4 -user-or-group mrinal -permission Full_Control

 

c-mode::> vserver cifs share access-control modify -vserver vs01 -share home1 -user-or-group Everyone -permission Read
c-mode::> vserver cifs share access-control modify -vserver vs01 -share home2 -user-or-group Everyone -permission Read
c-mode::> vserver cifs share access-control modify -vserver vs01 -share home3 -user-or-group Everyone -permission Read
c-mode::> vserver cifs share access-control modify -vserver vs01 -share home4 -user-or-group Everyone -permission Read

 

[Step 4]

From a Windows host, map the four shares created and disable the option that propagates folder permissions down from parent to child folders:
Map the 'home1' share on a Windows host to a drive letter.
Right-click the network drive in Windows Explorer and select the 'Security' tab.
Select the 'Advanced' option on the 'Security' tab.
In the 'Permissions' tab of the new dialog box, select the 'Change Permissions' button.
Uncheck "Include inheritable permissions from the object's parent" and "Replace all child object permissions with the inheritable permissions from this object".
Repeat the above steps for the 'home2', 'home3' and 'home4' shares.

 

[Step 5]

Add the volumes that have been created to the home directory search path

c-mode::> vserver cifs home-directory search-path add -vserver vs01 -path /home1
c-mode::> vserver cifs home-directory search-path add -vserver vs01 -path /home2
c-mode::> vserver cifs home-directory search-path add -vserver vs01 -path /home3
c-mode::> vserver cifs home-directory search-path add -vserver vs01 -path /home4

 

[Step 6]

Create home folders for user1 and user2
On the Windows admin host, create folders for 'user1' and 'user2' on any of the four network drives that have been mapped. After each user home folder has been created, right-click the folder and confirm that its ownership is set to the respective user.
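
The Windows-side work in Step 4 and Step 6 can also be scripted and checked instead of clicked through. The following is an added example, not part of the original article: it uses UNC paths rather than mapped drive letters, and the NetBIOS domain name NLTESTLAB and the user-to-share placement are assumptions made for illustration.

```powershell
# Added example, not from the original article. Assumptions: run on the Windows
# admin host as the share administrator; NLTESTLAB as the NetBIOS domain name
# and the user-to-share placement below are constructed for illustration.
$Server = 'vs01.nltestlab.hq.netapp.com'
$Domain = 'NLTESTLAB'
$Shares = 'home1', 'home2', 'home3', 'home4'
$Homes  = @{ user1 = 'home1'; user2 = 'home2' }

# Step 4: stop each share root from inheriting permissions from its parent.
# /inheritance:d disables inheritance and keeps the previously inherited
# entries as explicit ones; the article does not say whether to keep them.
foreach ($share in $Shares) {
    $root = "\\$Server\$share"
    & icacls.exe $root /inheritance:d | Out-Null
}

# Step 6: create each home folder, hand ownership to the user, then verify.
$report = foreach ($user in $Homes.Keys) {
    $path  = "\\$Server\$($Homes[$user])\$user"
    $owner = "$Domain\$user"
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # Assign ownership of the new folder to the user's domain account.
    & icacls.exe $path /setowner $owner | Out-Null

    $acl = Get-Acl -LiteralPath $path
    [pscustomobject]@{
        Path         = $path
        Owner        = $acl.Owner
        OwnerCorrect = ($acl.Owner -eq $owner)
        # Every identity holding an allow entry on the folder, for review.
        AllowedTo    = ($acl.Access |
                        Where-Object AccessControlType -eq 'Allow' |
                        ForEach-Object { $_.IdentityReference.Value } |
                        Sort-Object -Unique) -join ', '
    }
}

# OwnerCorrect = False means the ownership check asked for in Step 6 failed.
$report | Format-Table -AutoSize
```

The AllowedTo column lists who can reach each home folder through NTFS permissions, which is worth reviewing because the share-level ACL from Step 3 grants Everyone Read.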

 

[Step 7]

Create dynamic shares for user home directories

c-mode::> vserver cifs share create -vserver vs01 -share-name %w -path %w -share-properties oplocks,browsable,showsnapshot,changenotify,homedirectory -comment "home drive with dynamic mappings"

 

[Step 8]

Log into another Windows host as 'user1'. Map the user's home drive from Windows Explorer as '\\vs01.nltestlab.hq.netapp.com\user1'.

 

[Optional Steps]
Enable quota for users on the Vserver

c-mode::> volume quota policy create -vserver vs01 -policy-name home_quota
c-mode::> vserver modify -vserver vs01 -quota-policy home_quota
c-mode::> volume quota policy rule create -vserver vs01 -policy-name home_quota -volume home1 -type user -target "" -qtree "" -user-mapping on -disk-limit 100m -file-limit 500000 -threshold 90m
c-mode::> volume quota on -vserver vs01 -volume *
c-mode::> volume quota show -vserver vs01
c-mode::> volume quota report -vserver vs01

Comments

Just curious... What is your reasoning that you are creating 4 volumes for home folders? Performance on different back end disks? The dynamic shares? You are creating them all on different aggregates so I am assuming performance is why. I know it is just an example, but one could have several reasons for doing this. I'm just curious what your reason was. Typically I'll configure the home folders on the same aggregate. If quotas are a concern I'll make multiple qtrees and/or volumes depending on the environment. Thanks.

Frequent Contributor

The logic for selecting four volumes on four different aggregates was to demonstrate the ability to spread the user homes across controllers in the cluster. Performance would be a consideration depending on the number of user homes, size of the cluster and disk media in use. If the aggregate in question is used for other applications in addition to hosting user home, the ability to have multiple volumes in the search path provides the ability to circumvent the platform limits.

We have had a few customers set up CIFS home directories in clustered ONTAP for 1000's of users. The ability to use multiple aggregates allowed them to use multiple controllers, multiple aggregates and multiple network ports but present all these resources as a single logical entity with easy management.

Hope this helps.

Is there any way to exclude some users from seeing home directories?   In 7-mode, if a user didn't have a folder in the homedir path(s), they wouldn't get a homedir link when browsing to the CIFS server.   

 

In cDOT, using the method described above, any user who browses the CIFS server UNC path, gets a shortcut to a home directory -- even if one hasn't been created.   

 

Any way around this (there are shops that need that kind of functionality)?
