ONTAP Discussions
This is my first attempt at creating CIFS shares in c-mode. I followed the Cheat Sheet document (DOC-16964) for the basics, but I get the error "Windows can not access \\<ip>\wdc_test$".
I don't know if this is relevant or not, but our DNS Domain and AD Domain don't have the same name.
Thanks in advance.
wdc
Below is configuration info:
chvpk-cmode-flab::> vserver show -vserver lab_dcr_cifs
Vserver: lab_dcr_cifs
Vserver Type: cluster
Vserver UUID: 4347abc8-a394-11e2-aa7a-123478563412
Root Volume: root_cifs
Aggregate: lab_c06_01
Name Service Switch: ldap, file
Name Mapping Switch: file
NIS Domain: -
Root Volume Security Style: ntfs
LDAP Client: -
Language: en_US
Snapshot Policy: default
Comment:
Anti-Virus On-Access Policy: default
Quota Policy: default
List of Aggregates Assigned: -
Limit on Maximum Number of Volumes allowed: unlimited
Vserver Admin State: running
Allowed Protocols: nfs, cifs, fcp, iscsi
Disallowed Protocols: -
Is Repository Vserver: false
chvpk-cmode-flab::> vserver cifs show -vserver lab_dcr_cifs
Vserver: lab_dcr_cifs
CIFS Server NetBIOS Name: CHVPKV3170-06
NetBIOS Domain/Workgroup Name: CT
Fully Qualified Domain Name: CT.CHEVRONTEXACO.NET
Default Site Used by LIFs Without Site Membership:
Authentication Style: domain
chvpk-cmode-flab::> vserver cifs share show -vserver lab_dcr_cifs
Vserver Share Path Properties Comment ACL
-------------- ------------- ----------------- ---------- -------- -----------
lab_dcr_cifs admin$ / browsable - -
lab_dcr_cifs ipc$ / browsable - -
lab_dcr_cifs wdc_test$ /wdc_test oplocks - Everyone / Full Control
browsable
showsnapshot
changenotify
chvpk-cmode-flab::> vol show wdc_test
(volume show)
Vserver Volume Aggregate State Type Size Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
lab_dcr_cifs
wdc_test lab_c06_01 online RW 1GB 972.7MB 5%
I'd suggest opening a case up.
Troubleshooting this will require cluster logs and packet traces. The errors Windows generally returns aren't very descriptive. Since you're using an IP instead of a hostname, DNS shouldn't factor in here. However, keep in mind you can add additional DNS domains to the vserver.
I'd recommend checking the export policy rules for that export policy to ensure you're not restricting access to CIFS at all, as well as the allowed protocols on your data LIF.
The export policy is wide open.
chvpk-cmode-flab::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname cifs -fields rorule,rwrule,protocol
vserver policyname ruleindex protocol rorule rwrule
------------ ---------- --------- -------- ------ ------
lab_dcr_cifs cifs 1 cifs any any
Let's see the following:
::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname cifs -instance
::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname default -instance
::> net int show -role data -vserver lab_dcr_cifs -instance
::> cifs options show -vserver lab_dcr_cifs -instance
::> unix-user show -vserver lab_dcr_cifs
::> vol show -vserver lab_dcr_cifs -fields policy,junction-path,unix-permissions,security-style,user,group
chvpk-cmode-flab::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname cifs -instance
Vserver: lab_dcr_cifs
Policy Name: cifs
Rule Index: 1
Access Protocol: cifs
Client Match Spec: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Flavors: never
Honor SetUID Bits In SETATTR: true
Allow Creation of Devices: true
chvpk-cmode-flab::> vserver export-policy rule show -vserver lab_dcr_cifs -policyname default -instance
There are no entries matching your query.
chvpk-cmode-flab::> net int show -role data -vserver lab_dcr_cifs -instance
(network interface show)
Vserver Name: lab_dcr_cifs
Logical Interface Name: dcr_cifs
Role: data
Data Protocol: cifs
Home Node: chvpkv3170-06
Home Port: e0a
Current Node: chvpkv3170-06
Current Port: e0a
Operational Status: up
Extended Status: -
Is Home: true
Network Address: 146.27.206.42
Netmask: 255.255.255.0
IPv4 Link Local: -
Bits in the Netmask: 24
Routing Group Name: d146.27.206.0/24
Administrative Status: up
Failover Policy: nextavail
Firewall Policy: data
Auto Revert: false
Use Failover Group: enabled
Fully Qualified DNS Zone Name: none
Failover Group Name: failover_cluster_mgmt
FCP WWPN: -
Comment:
chvpk-cmode-flab::> cifs options show -vserver lab_dcr_cifs -instance
Vserver: lab_dcr_cifs
Default UNIX User: -
Read Grants Exec for Mode Bits: disabled
Windows Internet Name Service (WINS) Addresses: -
chvpk-cmode-flab::> unix-user show -vserver lab_dcr_cifs
(vserver services unix-user show)
There are no entries matching your query.
chvpk-cmode-flab::> vol show -vserver lab_dcr_cifs -fields policy,junction-path,unix-permissions,security-style,user,group
(volume show)
vserver volume policy user group security-style unix-permissions junction-path
------------ ----------------------------- ------ ---- ----- -------------- ---------------- ------------------------------
lab_dcr_cifs chvpk_fs04_data_bdo_kernriver cifs - - ntfs ------------ /chvpk_fs04_data_bdo_kernriver
lab_dcr_cifs root_cifs cifs - - ntfs ------------ /
lab_dcr_cifs wdc_test cifs - - ntfs ------------ /wdc_test
3 entries were displayed.
It needs the default unix user, which is usually set to pcuser. Create the unix user and group for it, then use cifs options modify to set it to pcuser.
Try making superuser "any" in the export policy rule in addition to what Scott mentioned.
Also, in the future, use "vserver setup" instead of "vserver create" in CLI.
If using System Manager, these issues are resolved in the 3.0 version, which is in beta. You may be able to sign up for the beta release.
I created the "pcuser" default unix-user and unix-group and set the cifs option "default-unix-user" to pcuser.
I added a wide open ro rule to "default" export policy.
I can now access shares.
So I also ran into this and it took me a while to resolve. When you run vserver setup from the CLI for a CIFS vServer, all works well. When doing the same from System Manager (haven't tried 3.0 yet) it doesn't work. Yes, you can manually create accounts to fix this. However, try running through all of that for a customer demo... (too many steps to be cool). Try this:
1) Create a CIFS vServer through System Manager as usual.
a. Choose the default for LDAP and Local Users (Default)
**This will auto-create all the default accounts for you (no name mappings required).
2) Run the following command at the CLI once the CIFS vserver is up and running:
a. vserver modify -vserver <name> -ns-switch file
**The default switch is set to ldap so the default local users (root and daemon stuff for unix) are not referenced.
This is faster and much easier than manually creating users. 🙂
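The three gaps this thread turned up (no default UNIX user, ldap in the name service switch with no LDAP client, and an export rule open to every address) can be checked from saved `-instance` output. The script below is an added example, not part of the original thread or any NetApp tooling; the sample text is constructed from the field values posted above, and the finding codes are hypothetical labels.

```python
# Added example: audit ONTAP "-instance" output for the gaps found in this thread.
# Constructed sample, condensed from the field values posted in the thread.
SAMPLE = """\
Vserver: lab_dcr_cifs
Name Service Switch: ldap, file
LDAP Client: -
Default UNIX User: -
Policy Name: cifs
Client Match Spec: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
"""

def parse_instance(text):
    """Turn 'Field: value' lines into a dict; '-' or blank becomes None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            fields[key.strip()] = None if value in ("", "-") else value
    return fields

def audit(fields):
    """Return (code, message) findings; the codes are hypothetical labels."""
    findings = []
    if fields.get("Default UNIX User") is None:
        findings.append(("NO_DEFAULT_UNIX_USER",
                         "cifs options default-unix-user is unset (thread fix: pcuser)"))
    switch = [s.strip() for s in (fields.get("Name Service Switch") or "").split(",")]
    if "ldap" in switch and fields.get("LDAP Client") is None:
        findings.append(("LDAP_WITHOUT_CLIENT",
                         "ns-switch lists ldap but no LDAP client is configured"))
    if (fields.get("Client Match Spec") == "0.0.0.0/0"
            and fields.get("RW Access Rule") == "any"):
        findings.append(("OPEN_EXPORT_RULE",
                         "export rule grants read-write to every client address; "
                         "narrow the client match to the networks that need the share"))
    return findings

if __name__ == "__main__":
    for code, message in audit(parse_instance(SAMPLE)):
        print(f"{code}: {message}")
```

The first two findings correspond to the fixes reported in the thread; the third is a hardening note for when the share leaves the lab.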