ONTAP Discussions

Need help troubleshooting access to c-mode cifs share

doug_clendening
15,724 Views

This is my first attempt at creating CIFS shares in c-mode.  I followed the Cheat Sheet document (DOC-16964) for the basics, but I get error "Windows can not access \\<ip>\wdc_test$.

I don't know if this is relevant or not, but our DNS Domain and AD Domain don't have the same name.

Thanks in advance.

wdc

Below is configuration info:

chvpk-cmode-flab::> vserver show -vserver lab_dcr_cifs

                                    Vserver: lab_dcr_cifs

                               Vserver Type: cluster

                               Vserver UUID: 4347abc8-a394-11e2-aa7a-123478563412

                                Root Volume: root_cifs

                                  Aggregate: lab_c06_01

                        Name Service Switch: ldap, file

                        Name Mapping Switch: file

                                 NIS Domain: -

                 Root Volume Security Style: ntfs

                                LDAP Client: -

                                   Language: en_US

                            Snapshot Policy: default

                                    Comment:

                Anti-Virus On-Access Policy: default

                               Quota Policy: default

                List of Aggregates Assigned: -

Limit on Maximum Number of Volumes allowed: unlimited

                        Vserver Admin State: running

                          Allowed Protocols: nfs, cifs, fcp, iscsi

                       Disallowed Protocols: -

                      Is Repository Vserver: false

chvpk-cmode-flab::> vserver cifs show -vserver lab_dcr_cifs

                                          Vserver: lab_dcr_cifs

                         CIFS Server NetBIOS Name: CHVPKV3170-06

                    NetBIOS Domain/Workgroup Name: CT

                      Fully Qualified Domain Name: CT.CHEVRONTEXACO.NET

Default Site Used by LIFs Without Site Membership:

                             Authentication Style: domain

chvpk-cmode-flab::> vserver cifs share show -vserver lab_dcr_cifs

Vserver        Share         Path              Properties Comment  ACL

-------------- ------------- ----------------- ---------- -------- -----------

lab_dcr_cifs   admin$        /                 browsable  -        -

lab_dcr_cifs   ipc$          /                 browsable  -        -

lab_dcr_cifs   wdc_test$     /wdc_test         oplocks    -        Everyone / Full Control

                                               browsable

                                               showsnapshot

                                               changenotify

chvpk-cmode-flab::> vol show wdc_test

  (volume show)

Vserver   Volume       Aggregate    State      Type       Size  Available Used%

--------- ------------ ------------ ---------- ---- ---------- ---------- -----

lab_dcr_cifs

          wdc_test     lab_c06_01   online     RW          1GB    972.7MB    5%

9 REPLIES 9

parisi
15,723 Views

I'd suggest opening a case up.

Troubleshooting this will require cluster logs and packet traces. The errors Windows generally returns aren't very descriptive. Since you're using an IP instead of a hostname, DNS shouldn't factor in here. However, keep in mind you can add additional DNS domains to the vserver.

I'd recommend checking the export policy rules for that export policy to ensure you're not restricting access to CIFS at all, as well as the allowed protocols on your data LIF.

doug_clendening
15,723 Views

The export policy is wide open.

chvpk-cmode-flab::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname cifs -fields rorule,rwrule,protocol

vserver      policyname ruleindex protocol rorule rwrule

------------ ---------- --------- -------- ------ ------

lab_dcr_cifs cifs       1         cifs     any    any

parisi
15,723 Views

Let's see the following:

::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname cifs -instance

::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname default -instance

::> net int show -role data -vserver lab_dcr_cifs -instance

::> cifs options show -vserver lab_dcr_cifs -instance

::> unix-user show -vserver lab_dcr_cifs

::> vol show -vserver lab_dcr_cifs -fields policy,junction-path,unix-permissions,security-style,user,group

doug_clendening
15,723 Views

chvpk-cmode-flab::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname cifs -instance

                                    Vserver: lab_dcr_cifs

                                Policy Name: cifs

                                 Rule Index: 1

                            Access Protocol: cifs

                          Client Match Spec: 0.0.0.0/0

                             RO Access Rule: any

                             RW Access Rule: any

User ID To Which Anonymous Users Are Mapped: 65534

                 Superuser Security Flavors: never

               Honor SetUID Bits In SETATTR: true

                  Allow Creation of Devices: true

chvpk-cmode-flab::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname default -instance

There are no entries matching your query.

chvpk-cmode-flab::> net int show -role data -vserver lab_dcr_cifs -instance

  (network interface show)

                    Vserver Name: lab_dcr_cifs

          Logical Interface Name: dcr_cifs

                            Role: data

                   Data Protocol: cifs

                       Home Node: chvpkv3170-06

                       Home Port: e0a

                    Current Node: chvpkv3170-06

                    Current Port: e0a

              Operational Status: up

                 Extended Status: -

                         Is Home: true

                 Network Address: 146.27.206.42

                         Netmask: 255.255.255.0

                 IPv4 Link Local: -

             Bits in the Netmask: 24

              Routing Group Name: d146.27.206.0/24

           Administrative Status: up

                 Failover Policy: nextavail

                 Firewall Policy: data

                     Auto Revert: false

              Use Failover Group: enabled

   Fully Qualified DNS Zone Name: none

             Failover Group Name: failover_cluster_mgmt

                        FCP WWPN: -

                         Comment:

chvpk-cmode-flab::> cifs options show -vserver lab_dcr_cifs -instance

                                       Vserver: lab_dcr_cifs

                             Default UNIX User: -

                Read Grants Exec for Mode Bits: disabled

Windows Internet Name Service (WINS) Addresses: -

chvpk-cmode-flab::> unix-user show -vserver lab_dcr_cifs

  (vserver services unix-user show)

There are no entries matching your query.

chvpk-cmode-flab::> vol show -vserver lab_dcr_cifs -fields policy,junction-path,unix-permissions,security-style,user,group

  (volume show)

vserver      volume                        policy user group security-style unix-permissions junction-path

------------ ----------------------------- ------ ---- ----- -------------- ---------------- ------------------------------

lab_dcr_cifs chvpk_fs04_data_bdo_kernriver cifs   -    -     ntfs           ------------     /chvpk_fs04_data_bdo_kernriver

lab_dcr_cifs root_cifs                     cifs   -    -     ntfs           ------------     /

lab_dcr_cifs wdc_test                      cifs   -    -     ntfs           ------------     /wdc_test

3 entries were displayed.

scottgelb
15,723 Views

Needs the default unix user and usually set to pcuser. And create the unix user and group for it then cifs options modify to set to pcuser.

Sent from my iPhone 5

parisi
15,723 Views

Try making superuser "any" in the export policy rule in addition to what Scott mentioned.

parisi
15,723 Views

Also, in the future, use "vserver setup" instead of "vserver create" in CLI.

If using System Manager, these issues are resolved in the 3.0 version, which is in beta. You may be able to sign up for the beta release.

doug_clendening
15,723 Views

I created "pcuser" default unix-user and unix-group and set cifs options "default-unix-user" to pcuser

I added a wide open ro rule to "default" export policy.

I can now access shares. 

davelinder
15,724 Views

So I also ran into this and it took me a while to resolve.  When you run vserver setup from the CLI for a CIFS vServer, all works well.  When doing the same from System Manager (haven't tried 3.0 yet) it doesn't work.  Yes, you can manually create accounts to fix this.  However, try running through all of that for a customer demo... (too many steps to be cool).  Try this:

1) Create a CIFS vServer through System Manager as usual.

     a.  Choose the default for LDAP and Local Users (Default)

          **This will auto create all the default accounts for your (not name mappings required).

2) run the following command at the CLI once the CIFS vserver is up and running:

     a.  vserver modify  -vserver <name> -ns-switch file

          **The default switch is set to ldap so the default local users (root and daemon stuff for unix) are not referenced.

This is faster and much easier than manually creating users.  🙂

Public