Network and Storage Protocols

Quota Implementation in AD (Windows) Environment

fazilsaiyed
8,736 Views

Hello,

I have struggled to implement quotas on a volume. Our environment has a FAS3050C (Ontap 7.2.4 8P) in an AD domain. I would like to implement quotas on home directories so that users can be blocked from saving more than 2 GB.

Each user has its own home directory on volume CIFSA_HOME\QHOME; the share name is CORPHOME.

Ideally, I would like to have various quotas on groups of users, i.e. Group1=1 GB, Group2=2 GB etc.

I was able to turn the quota on, implement the rule and populate the quotas file. I printed out the NetApp reference to quotas on the Ontap site and did everything in it, however without results.

Quotas are on for the volume and initialized.

#Auto-generated by setup Mon Jun 19 15:31:26 GMT 2006

axe\e203863 user@/vol/CIFSA_RESTORE 1048576K - 921600K 1048576K -

I tried a couple of different methods of implementing the quotas file, using the username in different fashions etc.; however, I was only able to generate a soft quota alert on the filer. I was never stopped from creating or copying a large amount of data.

Furthermore, I was told by NetApp that AD user groups do not work. I was told to use the usermap file, essentially mapping a UNIX user name to Windows; however, I don't like that option and also we are not licensed for NFS.

Either way, the quota rules did not enforce anything. Has anyone successfully been able to implement quotas in their Windows-only environment? If so, can you provide a detailed rule explanation?

I appreciate it.

Thanks



13 REPLIES

igor
8,686 Views

I also have a similar problem, I need to get AD user groups put under quotas...  If anyone has a recipe for this, please let us know.

P.S. How does one use usermap files? I have NFS so I'd like to try it out.

ogra
8,686 Views

First of all, welcome to the world of quotas....

I think you should be doing the following things to get it working:

1) Use a hard limit instead of a soft limit; by using a hard limit you are limiting their home directory disk size to x GB.

2) Whatever your majority quota rule is, say 2 GB, make it the default quota on that particular qtree.

3) After doing the above step you will see there might be some exception users or groups who might want to save more than that; in that case you can add them as exceptions

by manually adding their quota entry in the qtree.

This should work for you. Let me know if you aren't able to, or if you are looking for something different.

Cheers !!!

tirtha
8,685 Views

Hi,

@fazilsaiyed

A quota soft limit will only generate alerts, and when surpassed will generate an alert that the soft limit has been exceeded. The limit which stops further usage is only the quota hard limit, whether it be space or file specific.

As you said each user has its home directory over a volume, I think your problem can be solved by tree quota only. Set the tree quota hard limit as 2 GB or 1 GB as per the owning user; hence the home directories can never surpass whatever size you set.

@igor

The /etc/usermap.cfg file can be used to customize the mapping process. The default file will give you some hints in commented lines, but to get the full details of how to configure it, please consult the Ontap System Administrator's Guide available on NOW (now.netapp.com).

Thanks

-Tirtha

ogra
8,685 Views

Just to correct things from the above post: in the case of CIFS auto home directories each user doesn't need a dedicated qtree. As mentioned in the question there would be around 1000 odd users in a single qtree,

and hence setting a hard limit at TREE level isn't the right way; that would make only 1 or 2 GB the hard limit for all users. You need to go for a user-level quota hard limit as the default.

And later on add exceptions for other users/groups you wish for.

aborzenkov
8,685 Views

And later on add exceptions for other user/groups you wish for.

But that is exactly the question: how to add an exception for a group? NetApp quotas allow per-user settings only.

igor
8,685 Views

Just like individual user quotas, group quotas are supported and they should override any default quota setting...

The problem is, only UNIX groups are supported. Windows groups under Active Directory are not.

And since most companies use AD, I need a work-around for this. Is there a Windows service that can make AD groups behave like UNIX groups, perhaps?

Cheers,

Igor

highvailsys
8,685 Views

Hi Igor,

Were you able to set up group-based quotas? I'm trying this now; very frustrating that NetApp hasn't caught the wave on this one yet. I'm trying to set this up using usermap.cfg and mapping local group names to Windows AD group names.

Thanks,

Chris

igor
8,685 Views

Hi Chris!

Sorry, I haven't been able to do that, so I did this instead... The system admin used PowerShell to get the existing quotas for all users; here's an example:

SID Name        = DOMAIN\dvuj186741 (User)
Change time     = Mon Sep 27 13:18:54 2010
Quota Used      = 9297920
Quota Threshold = 52428800
Quota Limit     = 104857600

So basically, I created a macro which transformed the Quota Limit stated here in bytes into a hard quota limit in kilobytes (102400K) and set the soft quota limit at 80% of that (81920K).

DOMAIN\dvuj186741    user@/vol/korisnici    102400K    -    -    81920K    -

I placed those settings on volume /vol/korisnici and migrated user directories there. After that I opened up /etc/quotas, copy-pasted all the settings and initialized quota monitoring on that volume.

So far so good, but needless to say there are lots of settings: it takes a long time to load them in FilerView, if you need to change a quota limit you need to do it on the NetApp side, and it's a bit bothersome to sift through them all. If there were groups, however, we could simply move an AD user from one group to another and have them log out and log in again. Simple.

So, if you figure out how to map local groups to AD groups I'd be most interested to hear about it!

Good luck,

Igor
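The conversion Igor describes (bytes from the exported Quota Limit to a hard limit in kilobytes, with a soft limit at 80%), combined with ogra's earlier advice to set one default user quota and list only the exceptions, is shown below as an added example written for this thread; it is not Igor's macro or any NetApp tool. It assumes the record layout quoted above and the 7-mode /etc/quotas line shape used in the thread (target, type@path, disk, files, thold, sdisk, sfile); the account names and limits in the sample are constructed.

```python
"""Build ONTAP 7-mode /etc/quotas lines from an exported per-user quota listing.

Added example for the thread above (not a NetApp tool). Assumptions:
  - input records look like the 'SID Name = ... / Quota Limit = ...' block quoted
    in the thread, separated by blank lines;
  - output uses the 7-mode quotas columns seen in the thread:
        target  user@<path>  disk  files  thold  sdisk  sfile
    with a '*' target acting as the default user rule.
"""
import re

# Constructed sample input mimicking the PowerShell export quoted in the thread
# (fictional accounts and sizes).
SAMPLE_EXPORT = (
    "SID Name        = DOMAIN\\alice (User)\n"
    "Change time     = Mon Sep 27 13:18:54 2010\n"
    "Quota Used      = 9297920\n"
    "Quota Threshold = 52428800\n"
    "Quota Limit     = 104857600\n"
    "\n"
    "SID Name        = DOMAIN\\bob (User)\n"
    "Change time     = Mon Sep 27 13:20:01 2010\n"
    "Quota Used      = 1024\n"
    "Quota Threshold = 1677721600\n"
    "Quota Limit     = 2147483648\n"
)


def parse_export(text):
    """Return a list of (account, limit_bytes) tuples from the export text."""
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
        # Drop the trailing "(User)" marker so the name is usable as a quota target.
        account = re.sub(r"\s*\(User\)$", "", fields["SID Name"])
        entries.append((account, int(fields["Quota Limit"])))
    return entries


def bytes_to_kb(limit_bytes):
    """Quota file sizes are written in kilobytes (e.g. 104857600 bytes -> 102400K)."""
    return limit_bytes // 1024


def soft_limit_kb(hard_kb, soft_pct=80):
    """Soft (warning) limit as a percentage of the hard limit, rounded down."""
    return hard_kb * soft_pct // 100


def quota_line(target, path, hard_kb, soft_pct=80):
    """One 7-mode quotas line: hard disk limit, no file limits, soft disk limit."""
    return "\t".join(
        [target, f"user@{path}", f"{hard_kb}K", "-", "-",
         f"{soft_limit_kb(hard_kb, soft_pct)}K", "-"]
    )


def build_quotas(export_text, path, default_hard_kb, soft_pct=80):
    """Default '*' user rule first, then explicit lines only for accounts whose
    exported limit differs from the default (the 'exceptions' approach)."""
    lines = [quota_line("*", path, default_hard_kb, soft_pct)]
    for account, limit_bytes in parse_export(export_text):
        hard_kb = bytes_to_kb(limit_bytes)
        if hard_kb != default_hard_kb:
            lines.append(quota_line(account, path, hard_kb, soft_pct))
    return lines


if __name__ == "__main__":
    # Default of 102400K (100 MB) for everyone; bob's 2 GB becomes an exception line.
    for line in build_quotas(SAMPLE_EXPORT, "/vol/korisnici", 102400):
        print(line)
```

The generated text is meant to be pasted into /etc/quotas and followed by re-initializing quotas on the volume, as Igor describes; the default rule keeps the file short, and only the accounts that differ need their own line.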

highvailsys
8,685 Views

Thanks for the response Igor, I’ll definitely let you know!

Darkstar
7,872 Views

Group quotas won't work in a Windows environment -- they are UNIX/NFS only.

Why? Because on UNIX, each file belongs to exactly one group (as identified by its gid) and so it can be counted towards exactly one quota rule (the one for that specific group).

On Windows, each file has an owner (which counts towards the user quota) but a file does not have an "owning group". There is no such concept in Windows. You can have multiple groups with access to the file, but no "primary group".

If you have a file that's 100 MB and where groups AD\Group1 and AD\Group2 have the same ACL rights, towards whose quota will this file count? Group1 or Group2? Or both? How about nested groups? How should the filer find out when you nest one group inside another, i.e. put ad\group3 inside ad\group2? Should the file now also count towards group3's quota? How often should the filer scan all AD groups for such changes? And so on.

If you really need something like that you need to use additional software (there's something called QFS from NTP Software that does things like that).

-Michael

__moulsdale_64974
7,872 Views

I would really like to see a more satisfactory answer from NetApp regarding the original question on AD groups. As has been mentioned a number of times in this thread, a great many organisations use AD as their central security infrastructure and manage authorisation and authentication through it. There should therefore be a way that we can assign a quota limit to an AD group to simplify user storage management. That way our help desk can move users between AD security groups when they have the authorisation for increased storage.

Looking forward to seeing a response

Michael

sam_wozniak
7,872 Views

I've seen this as a deficiency in quotas with NetApp that may NEVER be answered better than the answer posted above. Along with you, I wish we could get an answer from the horse's mouth, but with the way I see things moving that may never come. I liken it to how MS just doesn't do a good job of supporting NFS (yes, even though Win7 has an NFS client) or AV (even though I'm aware of Forefront (or whatever it's called now)). I may stand corrected, but to me it's where the development dollars go amongst other B2B relationships. So, from what I gather, some aspects of the management are just handled better by third parties and it isn't worth it to NetApp to reinvent wheel(s). But I don't work for NetApp, so...

michalburda
7,871 Views

I cannot understand why it is NetApp's fault?

answered it long ago and people are still barking up the wrong tree.

NetApp implemented full compatibility with CIFS, so with NTFS in particular.

Get a Windows 2003/8 server and try to add an AD group as a quota entry - uhm wait - pesky Microsoft.

Third-party software can manage quotas for helpdesk users without granting them filer admin privilege - that's all;

it won't change NTFS file system ground rules.
