We have had a lot of debate on this subject. UNIX admins have had it suggested that they use CIFS; they were predictably horrified. I could not help the feeling this may be a 'knee jerk' reaction, and one that may not have been technically justifiable. For me to outline my requirements would be far too lengthy, so I was wondering - what benefits? As far as I know NFS is not terribly secure, and CIFS isn't terribly efficient by comparison. What's your view?
You probably gave a good summary - NFS efficiency vs. CIFS (perceived?) security.
The key question is: what are the clients? For me there is no point to push the ball up the hill and enable CIFS for UNIX/Linux clients, or enable NFS for Windows clients. That said, if the same data is accessed by two camps over both protocols (doable on NetApp), managing access rights can be a little nightmare...
From my experience, it is generally easier to get *NIX users to install SMB clients than it is to get Windows users to install NFS clients. I also agree that configuring the NetApp to manage security permissions for both protocols simultaneously can be a nightmare. I know of no one who runs "mixed" security styles in production.
CIFS requires sessions, whereas NFS does not. As a result, cluster failover on the NetApp controller will break an active CIFS session. Most modern SMB clients (both Windows and 3rd party) handle this much better than they used to, so the risk is mitigated.
Another factor is existing infrastructure. Does your network already have an Active Directory environment? Does your network already have a NIS environment? Is centralized user and group management important?
If you already have an effective Active Directory environment, leveraging CIFS on your NetApp controllers will be pretty straightforward. There are a few gotchas -- NTP configuration, opening Kerberos password change between the NetApp and the DCs (if firewalls are used between the NetApps and their DCs), etc. But if you don't have an existing AD environment, the overhead of deploying AD for a handful of CIFS clients is a difficult task to justify.
I also agree that configuring the NetApp to manage security permissions for both protocols simultaneously can be a nightmare. I know of no one who runs "mixed" security styles in production.
It will become a nightmare when people think they need mixed security because data will be accessed by both NFS and CIFS.
It is pretty simple:
Configure NTFS security only on the qtree with AD groups, as NTFS gives you the best security options.
Add the necessary user accounts to the AD groups.
Make sure the UNIX accounts are correctly mapped to the AD users. Easiest way is to use the same account name for UNIX and Windows.
More is not needed.
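An added example, not part of the post above and not NetApp tooling: a Python check of the second and third steps, reporting which UNIX accounts have a same-name AD user and whether that user is in the AD group used in the qtree's NTFS ACL. The passwd lines, the AD users, the group name `ENG-Data-RW` and the UID cutoff of 1000 are constructed assumptions, as is the case-insensitive same-name match.

```python
# Constructed sample input: /etc/passwd-style lines from the NFS clients.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

# Constructed sample input: AD account name -> AD groups it belongs to.
AD_USERS = {
    "Alice": {"ENG-Data-RW"},
    "bob": {"Domain Users"},
    "dave": {"ENG-Data-RW"},
}

MIN_UID = 1000  # assumption: accounts below this UID are system accounts


def unix_users(passwd_text, min_uid=MIN_UID):
    """Return login names of non-system accounts from passwd-format text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # skip comments and malformed lines
        if int(fields[2]) >= min_uid:
            names.append(fields[0])
    return names


def audit(passwd_text, ad_users, acl_group):
    """Classify each UNIX user as 'ok', 'not_in_group' or 'unmapped'."""
    # Assumption: same-name mapping, compared case-insensitively.
    by_lower = {name.lower(): groups for name, groups in ad_users.items()}
    report = {}
    for user in unix_users(passwd_text):
        groups = by_lower.get(user.lower())
        if groups is None:
            report[user] = "unmapped"        # no same-name AD account
        elif acl_group not in groups:
            report[user] = "not_in_group"    # maps, but not in the ACL group
        else:
            report[user] = "ok"
    return report


if __name__ == "__main__":
    for user, status in audit(PASSWD, AD_USERS, "ENG-Data-RW").items():
        print(f"{user:10} {status}")
```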
The answer is: It depends.
If you are a Microsoft house, I don't see the point in deploying NFS. If you are a "mixed" house and need access from both OSs to the same files, logic says use both, but that means 2 licenses and extra administration on your filers, which means a penalty to your budget.
Some points to consider:
- Needs Active Directory which means a single point of failure (unless you like to deal with WORKGROUPS).
- NTP dependent, add another point of failure, AD is not well known for keeping the right time all the time.
- It's easier to apply user permissions to files and folders.
- You want oplocks when you use CIFS to avoid data corruption and stale sessions, which limits your files to one user at a time.
- For Windows 7 workstations, only the Enterprise and Ultimate editions include the NFS client.
- Needs a deployment of the NFS client on Windows.
- For *NIX clients it's easier to map the shares over NFS.
- Don't need to deploy SAMBA on *NIX clients.