Clustered Data Ontap 8.3.1: CIFS access issue

VIRTUALEMC · ‎2016-02-19

Dear Admins,

I have a Clustered Data Ontap 8.3.1 two node cluster setup. In this I have two SVMs, namely: svm1 and svm2. I have completed the CIFS server setup but when I try to acces a share, I get a access denied message. I have the SVMs / node added to a AD domain. Please note, the firewall is totalled disabled on the cluster, but however the NTP server is not setup yet. I tried accessing the CIFS server using the AD domain admin account, local admin account etc etc but had no luck. Am able to ping the target server from the cluster successfully.

netappcs::> network ping -node netappcs-01 192.168.100.91
192.168.100.91 is alive

netappcs::> firewall show
(system services firewall show)
Node Enabled Logging
-------------- ------- -------
netappcs-01 false false
netappcs-02 false false
2 entries were displayed.

I have attached the screenshots of each command which can give you an idea of how the network and CIFS setup looks like. Am suspecting a minor configuration error which is causing the cifs server access to fail.

I would appreciate your kind help in this.

Regards

Taz~

SeanHatfield · ‎2016-02-19

First check your timezone:

timezone

Then check your Date/Time and make sure it matches your domain controller:

date

Then make sure you have lifs configured for CIFS access:

net int show -data-protocol cifs

Also check for any erroneous NIS entries.

nis show

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

raj_shrivastava11 · ‎2016-02-19

Hi,

Also check the "Share Properties with ACL" info.

1. Does browsable lists in the property. Share permission should be "Everyone Full Control"

BR

Raj

asulliva · ‎2016-02-19

Are your export rules configured correctly? You'll need to specify the protocol (CIFS) and the IP or subnet of the host(s) accessing the share.

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

VIRTUALEMC · ‎2016-02-20

I tried configuring the below:

1) NTP server configured to point to the DNS server IP. When I try to configure an external "internet" NTP server, am not able to ping it. How can we force re-sync the time to match it with the DNS server time.

2) Access rule created to allow CIFS and any other protocols through the subnet 192.168.100.0/24

After trying to above, I tried to map the drive again on the 2012 R2 client (which has all the firewalls disabled) but still getting the access denied error message.

Please note, this is a simulator environment hosted as two nodes on a VMware ESXi 6.0 environment and being tested for proof of concept (POC testing) for CIFS environment.

Do you guys have any howto guide which I can refer (apart from the simulator step by step guide) for the CIFS setup in a Clustered onTAP 8.3.1 ESXi environment.

Thanks in advance !

Regards

Taz~

asulliva · ‎2016-02-20

The CIFS/SMB Express Guide will walk though getting everything setup in a succinct way. Alternatively, there's the File Access Management Guide for CIFS, which is much more indepth.

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

SeanHatfield · ‎2016-02-20

++ on the express guides.

I was actually thinking the data-protocol filter might reveal missing lifs since your net int show appears to only have management lifs on the cifs SVMs, but the standard output doesn't include the allowed protcolols field. Did you create the SVMs at the cli or the GUI?

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

VIRTUALEMC · ‎2016-02-21

netappcs::> network interface modify -vserver svm1 -lif svm1_mgmt -home-node netappcs-01 -home-port e0d -address 192.168.100.45 -netmask 255.255.255.0 -status-admin up -failover-policy system-defined -firewall-policy data2 -auto-revert false -dns-zone none -listen-for-dns-query false -failover-group Default -comment - -is-dns-update-enabled false -force-subnet-association true

********* The above command does not have the option of adding "data-protocol" parameter in this version of OnTAP 8.3.1 ********************

netappcs::> system services firewall show
Node           Enabled Logging
-------------- ------- -------
netappcs-01    false   false
netappcs-02    false   false
2 entries were displayed.

netappcs::> system services firewall policy show
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
netappcs
        data
                     dns        192.168.100.0/24
                     ndmp       192.168.100.0/24
                     ndmps      192.168.100.0/24
netappcs
        intercluster
                     https      0.0.0.0/0
                     ndmp       0.0.0.0/0
                     ndmps      0.0.0.0/0
netappcs
        mgmt
                     dns        192.168.100.0/24
                     http       0.0.0.0/0
                     https      0.0.0.0/0
                     ndmp       192.168.100.0/24
                     ndmps      192.168.100.0/24
                     ntp        192.168.100.0/24
                     snmp       0.0.0.0/0
                     ssh        0.0.0.0/0
svm1
        data2
                     dns        192.168.100.0/24
                     ndmp       192.168.100.0/24
                     ndmps      192.168.100.0/24
                     ntp        192.168.100.0/24
18 entries were displayed.

netappcs::> network routing-groups show -vserver svm1
          Routing
Vserver   Group     Subnet          Role         Metric
--------- --------- --------------- ------------ -------
svm1
          d192.168.100.0/24
                    192.168.100.0/24
                                    data              20

netappcs::> network routing-groups route show -vserver svm1
          Routing
Vserver   Group     Destination     Gateway         Metric
--------- --------- --------------- --------------- ------
svm1
          d192.168.100.0/24
                    192.168.100.0/24
                                    192.168.100.1   20

SeanHatfield · ‎2016-02-21

Protocols cannot be added to a lif once it has been created. You have to make a new lif.

You can see the allowed protocols for each lif with this command:

net int show -fields data-protocol,address

Only lifs with CIFS in the data-protocol list can be used to mount cifs shares.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

VIRTUALEMC · ‎2016-02-21

That was a good catch. I think you are right, there is no data protocol associated with any of the LIFs.

netappcs::> net int show -fields data-protocol,address
(network interface show)
vserver lif               data-protocol address
------- ----------------- ------------- ---------------
Cluster netappcs-01_clus1 none          169.254.128.165
Cluster netappcs-01_clus2 none          169.254.105.184
Cluster netappcs-02_clus1 none          169.254.141.61
Cluster netappcs-02_clus2 none          169.254.129.139
netappcs
        cluster_mgmt      none          192.168.100.40
netappcs
        netappcs-01_mgmt1 none          192.168.100.41
netappcs
        netappcs-02_mgmt1 none          192.168.100.42
svm1    svm1_mgmt         none          192.168.100.45
svm2    svm2_mgmt         none          192.168.100.46
9 entries were displayed.

Then, I deleted and re-created both the SVM LIFs and the output is below:

netappcs::> net int show -fields data-protocol,address
(network interface show)
vserver lif               data-protocol address
------- ----------------- ------------- ---------------
Cluster netappcs-01_clus1 none          169.254.128.165
Cluster netappcs-01_clus2 none          169.254.105.184
Cluster netappcs-02_clus1 none          169.254.141.61
Cluster netappcs-02_clus2 none          169.254.129.139
netappcs
        cluster_mgmt      none          192.168.100.40
netappcs
        netappcs-01_mgmt1 none          192.168.100.41
netappcs
        netappcs-02_mgmt1 none          192.168.100.42
svm1    svm1_cifs         cifs          192.168.100.45
svm2    svm2_cifs         cifs          192.168.100.46
9 entries were displayed.

Now I tried to map the share onto the 2012 R2 client but for some reason, the share got hung onto "Attempting to connect to \\192.168.100.45\oraprod01...."

But am curious, why the NTP does not sync with the external time server I have configured.

netappcs::> date
Node      Date                     Time zone
--------- ------------------------ -------------------------
netappcs-01
          Sun Feb 21 02:56:48 2016 Asia/Qatar
netappcs-02
          Sun Feb 21 02:53:56 2016 Asia/Qatar
2 entries were displayed.

netappcs::> date -u
Node      UTC Date
--------- ------------------------
netappcs-01
          Sat Feb 20 23:56:49 2016
netappcs-02
          Sat Feb 20 23:53:58 2016
2 entries were displayed.

SeanHatfield · ‎2016-02-23

Not sure how you got into that situation. But I would make a new CIFS SVM in OnCommand System Manager as a test. If that works it may be simpler to delete/recreate your SVMs (since they are sims and presumably contain no data). If it doesn't work there is more cluster level troubleshooting to do.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.