ONTAP Hardware

IP address restriction on CIFS

SVHO
10,069 Views

 

Hello,

 

Just recevied the FAS2650 and had the professional installer onsite (what a rush by this guy).  I have a question regards to IP address restriction at the CIFS level.

 

 

For an example, our old NAS unit, we can specify the IP address restriction for the CIFS.  For an example, my cifs called "HR" to only allow a certain IP subnet to access.

 

 

Thanks advance.

 

SVHO

1 ACCEPTED SOLUTION

SeanHatfield
9,830 Views

Export policy enforcement for CIFS access has been disabled by default since about 8.2.

 

Check yours like this:

set adv
vserver cifs options show -fields -is-exportpolicy-enabled

If it shows false in the output, you need to enable it:

vserver cifs options modify -vserver <vserver name> -is-exportpolicy-enabled true
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

4 REPLIES 4

mbeattie
10,022 Views

Hi,

 

You can configure an export policy to restrict client access to the volume (which your CIFS share is created within).

Here are few links that explain the configuration and process:

 

https://library.netapp.com/ecmdocs/ECMP1141094/html/GUID-8B4CEBB7-7054-48FD-A98D-5C10E1F01436.html

https://kb.netapp.com/support/s/article/ka21A0000000Z9uQAE/how-do-export-policies-work-in-clustered-data-ontap?language=en_US

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nfs-cg%2FGUID-EB3438EC-21B1-401F-8190-D509E67D8E90.html

 

Did you want to restrict CIFS access via subnets or IP Addresses or restrict access to the AD computer objects in the NTFS permissions?

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

SVHO
9,988 Views

I want to restrict CIFS access via subnets or IP Addresses.  I will take a look at the links you posted.

 

 

 

Thanks,

SVHO

SVHO
9,904 Views

 

 

A little disappointement on the lack of restricting IP at the CIFS level. So creating a qtree within the same volume work (then link an export policy)?

 

 

Anyways, I went ahead and just tested out a simple export policy at the svm level.

 

 

See attached.

 

Client Specification: 192.168.1.5 (made up) and moved the rule index to "1"..  From a host that is none other than 192.168.1.5, I can still acess it.  Am I missing anything?

 

NetApp Release 9.1P2: Tue Feb 28 18:17:30 UTC 2017

 

SeanHatfield
9,831 Views

Export policy enforcement for CIFS access has been disabled by default since about 8.2.

 

Check yours like this:

set adv
vserver cifs options show -fields -is-exportpolicy-enabled

If it shows false in the output, you need to enable it:

vserver cifs options modify -vserver <vserver name> -is-exportpolicy-enabled true
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public