PSTK 4.2 PowerShell 5.1 (Server 2016 TP5) ONTAP 9.0 ... View more

Yes it worked for me. Only difference is i used "$True" instead "$true" (all small characters). when i use all small characters it did not set the value.   Here is the output.   PS C:\test> Get-NcCifsSecurity -VserverContext infra|format-list IsAesEncryptionEnabled                : False IsPasswordComplexityRequired          : True IsSigningRequired                     : False IsSmbEncryptionRequired               : False KerberosClockSkew                     : 5 KerberosKdcTimeout                    : 3 KerberosRenewAge                      : 7 KerberosTicketAge                     : 10 LmCompatibilityLevel                  : lm_ntlm_ntlmv2_krb NcController                          : 10.195.49.190 SessionSecurityForAdLdap              : UseStartTlsForAdLdap                  : False Vserver                               : infra IsAesEncryptionEnabledSpecified       : True IsPasswordComplexityRequiredSpecified : True IsSigningRequiredSpecified            : True IsSmbEncryptionRequiredSpecified      : True KerberosClockSkewSpecified            : True KerberosKdcTimeoutSpecified           : True KerberosRenewAgeSpecified             : True KerberosTicketAgeSpecified            : True UseStartTlsForAdLdapSpecified         : True     PS C:\test> Get-NcCifsSecurity -VserverContext infra | Set-NcCifsSecurity -IsSigningRequired $True WARNING: 'KerberosKdcTimeout' parameter is not available for Data ONTAP 9.0 and up. Ignoring 'Kerberos KdcTimeout'. KerberosClockSkew          KerberosRenewAge         KerberosTicketAge -----------------          ----------------         -----------------                 5                         7                        10   PS C:\test> Get-NcCifsSecurity -VserverContext infra|format-list IsAesEncryptionEnabled                : False IsPasswordComplexityRequired          : True IsSigningRequired                     : True IsSmbEncryptionRequired               : False KerberosClockSkew                     : 5 KerberosKdcTimeout                    : 3 KerberosRenewAge                      : 7 KerberosTicketAge                     : 10 LmCompatibilityLevel                  : lm_ntlm_ntlmv2_krb NcController                          : 10.195.49.190 SessionSecurityForAdLdap              : UseStartTlsForAdLdap                  : False Vserver                               : infra IsAesEncryptionEnabledSpecified       : True IsPasswordComplexityRequiredSpecified : True IsSigningRequiredSpecified            : True IsSmbEncryptionRequiredSpecified      : True KerberosClockSkewSpecified            : True KerberosKdcTimeoutSpecified           : True KerberosRenewAgeSpecified             : True KerberosTicketAgeSpecified            : True UseStartTlsForAdLdapSpecified         : True ... View more

I tried this way and it worked   Get-NcCifsSecurity -VserverContext infra | Set-NcCifsSecurity -IsSigningRequired $False   Not sure if this is the mothod works for you ... View more

SMB 3.0 is only available in cDot. As of now, Product Management does not have any plans to bring SMB 3.0 to 7-mode. - Chowdary ... View more

Here the concern should be AD authentication (Kerberos). When we create CIFS server, it will register it as computer account in AD. If the end users use any alias  apart from CIFS server name to access the shares, then the authentication fall back to NTLM. Kerberos authentication does not work. What is the rational behind using the DNS alias instead of CIFS server? ... View more

the folder will be automatically created only when the user directly log on to the controller using domain credentials. If that is not the option, as long as the folder name is appropriately named as per the format you have chosen in the options cifs.home_dir_namestyle. If the option is not configured the default would be ntname and should the folder be the username then it will automatically mapped, but the folder should be there for mapping to be successful. ... View more

1. homedirectory created for each user normally will have the same username as the directory under the searc_path. Share the search_path and extract the directory names and cross check randomly the directory name with the username in the permissions tab on the folder. 2. drive mapping has to be done from the AD. Storage can only facilitate the homedirectory space. In the migration scenario, if you can keep the new storage name (\\cifsservername) same as the old name, then you can avoid doing the re-mappings. ... View more

there is no force user kind of functionality, but you can use -forcegroup" functionality for CIFS access. set the necessary permissions to the UNIX group on the directory or volume. configure that group as "-forcegroup" on the share. ... View more

Can you explain the scenario little more detailed? why do you want to add the computer account access to the NFS export? Please provide following information 1. volume/qtree security style of the NFS export 2. name mapping configuration 3. How does the access works? is that the windows sytem account which is trying to access the NFS export or any application running in system account is accessing the NFS export? ... View more

Those machines are in same work-group, we still need to provide credentials because the credentials are not centralized. Workaround would be create same user:password on both controller and windows server. Windows 7 on wards, operating system has option to store the credentials so that wont be prompted for credentials in the subsequent access. ... View more

domain admin password change will not effect CIFS server. Admin password is only need while joining to AD. Once the computer account is created a corresponding account password will be created and will be authenticated by the computer account password when ONTAP contacts AD. ... View more

SMB 3.0 is not available in 7-mode. This option should be set. cifs.smb2.signing.required   off ... View more

There are few things changed Windows 2012 1. Secure Negotiation - Enable SMB signing and check 2. SID Compression - Applies to the Windows 2012 DCs. Check the article http://support.microsoft.com/kb/2774190 SMB 1.0 will work because these doesn't come into picture when negotiated with SMB 1.0 ... View more

hope you have compared the settings between the filers. what is different on this filer? you can disable cifs.oplocks.enable and check. ... View more

check the following options : wafl.default_unix_user       pcuser cifs.guest_account           pcuser cifs.LMCompatibilityLevel    1 ... View more

Hi Regis, If Linux servers are already been authenticated by AD, why would you need name-mapping? Once you configure CIFS server AD DC is added as an LDAP server to the Vserver and LDAP schema configuration is setup automatically. What is the challenge here and Is there something I am missing here? - Chowdary. ... View more

in 8.2 we have local users and groups. Probably you can use that remote office scenario. ... View more

what is the lmcompatibility setting on the controller and the singing settings? ... View more