Network and Storage Protocols

Can't find the option -domain-workgroup when creating a CIFS server

FengXiaoli

I created a two-node NetApp simulator. I'd like to specify domain-workgroup when creating or modifying a CIFS server, but I can't find this option. After creating the CIFS server, I can find this option in -fields.

 

fsqe-2nc1::vserver*> version
NetApp Release 9.7: Thu Jan 09 11:10:19 UTC 2020

fsqe-2nc1::*> cifs modify -vserver vs1 -cifs-server ONTAP2-04A5 -domain FSQE04A5.REDHAT.COM -domain-workgroup rhts

Error: invalid argument "-domain-workgroup

fsqe-2nc1::vserver*> cifs show -vserver vs1 -fields domain-workgroup
vserver domain-workgroup
------- ----------------
vs1 FSQE04A5REDHATC

 

I have two questions:

1. Why do I need to specify the domain option when mounting CIFS? That's the reason I want to modify the domain-workgroup

like this:

  mount //$ONTAPIP/cifs1 -o domain=FSQE04A5REDHATC,user=administrator,password=~Ocgxyz /mnt/cifsmp-ontap

But without 

 

2. How can I specify or modify domain-workgroup?

 

Thanks.

1 ACCEPTED SOLUTION

parisi

You shouldn't need to change that. You should be able to use what's already there:

 

# kinit administrator
Password for administrator@NTAP.LOCAL:
# mount -o username=administrator,sec=krb5 -t cifs //companyb/share /mnt/client2

# mount | grep companyb
//companyb/share on /mnt/client2 type cifs (rw,relatime,vers=default,sec=krb5,cache=strict,username=administrator,uid=0,noforceuid,gid=0,noforcegid,addr=10.x.x.x,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

 

If you need a different name, that's going to be controlled via the netbios name.

 

ontap9-tme-8040::*> cifs server show -vserver COMPANYB

Vserver: COMPANYB
CIFS Server NetBIOS Name: COMPANYB
NetBIOS Domain/Workgroup Name: NTAP
Fully Qualified Domain Name: NTAP.LOCAL
Organizational Unit: CN=Computers
Default Site Used by LIFs Without Site Membership:
Workgroup Name: -
Kerberos Realm: -
Authentication Style: domain
CIFS Server Administrative Status: up
CIFS Server Description:
List of NetBIOS Aliases: -

 

That field is not controlled by ONTAP, but by the AD domain.

 

If you want to specify a new name for the clients to use, use the NETBIOS alias.

 

ontap9-tme-8040::*> cifs server add-netbios-aliases -vserver COMPANYB -netbios-aliases ALIAS

ontap9-tme-8040::*> cifs server show -vserver COMPANYB

Vserver: COMPANYB
CIFS Server NetBIOS Name: COMPANYB
NetBIOS Domain/Workgroup Name: NTAP
Fully Qualified Domain Name: NTAP.LOCAL
Organizational Unit: CN=Computers
Default Site Used by LIFs Without Site Membership:
Workgroup Name: -
Kerberos Realm: -
Authentication Style: domain
CIFS Server Administrative Status: up
CIFS Server Description:
List of NetBIOS Aliases: ALIAS

 

Add the alias to DNS with the same IP address using a CNAME record. Make sure the client can resolve it. For Kerberos, it should point to the DNS record that associates with the CIFS server name.

 

# nslookup alias
Server: 10.x.x.y
Address: 10.x.x.y#53

alias.ntap.local canonical name = companyb.ntap.local.
Name: companyb.ntap.local
Address: 10.x.x.x

 

You also would need to add an SPN for that alias.


PS C:\> setspn /L COMPANYB
Registered ServicePrincipalNames for CN=COMPANYB,CN=Computers,DC=NTAP,DC=local:
cifs/alias.ntap.local
cifs/alias
HOST/companyb.ntap.local
HOST/COMPANYB

 

Then you can mount using the alias:

 

# mount -o username=administrator,sec=krb5 -t cifs //alias/share /mnt/client2
# mount | grep alias
//alias/share on /mnt/client2 type cifs (rw,relatime,vers=default,sec=krb5,cache=strict,username=administrator,uid=0,noforceuid,gid=0,noforcegid,addr=10.x.x.x,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
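
A pre-flight check for the alias procedure in the answer above, as an added example that is not part of the original post: it parses `nslookup` and `setspn /L` output and confirms the CNAME target and the two cifs/ SPNs from the thread's listing before the sec=krb5 mount is attempted. The function names are made up for this example; the sample text is the command output shown in the thread.

```shell
# Added example: pre-flight check for mounting via a NetBIOS alias with sec=krb5.
# Sample text is copied from the nslookup and setspn output shown in the thread.
NSLOOKUP_SAMPLE='Server: 10.x.x.y
Address: 10.x.x.y#53

alias.ntap.local canonical name = companyb.ntap.local.
Name: companyb.ntap.local
Address: 10.x.x.x'

SETSPN_SAMPLE='Registered ServicePrincipalNames for CN=COMPANYB,CN=Computers,DC=NTAP,DC=local:
cifs/alias.ntap.local
cifs/alias
HOST/companyb.ntap.local
HOST/COMPANYB'

# Print the CNAME target for $1 from nslookup output on stdin
# (lowercased, trailing dot removed); prints nothing if there is no CNAME.
cname_target() {
    awk -v want="$1" 'tolower($1) == tolower(want) && /canonical name =/ {
        t = tolower($NF); sub(/\.$/, "", t); print t; exit }'
}

# Print each cifs/ SPN that is absent from `setspn /L` output on stdin.
# $1 = short alias, $2 = alias FQDN. Matching is case-insensitive.
missing_spns() {
    spns=$(tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for want in "cifs/$1" "cifs/$2"; do
        want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        printf '%s\n' "$spns" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Return 0 only if the alias CNAME points at the CIFS server FQDN and both
# cifs/ SPNs for the alias are registered.
# $1 short alias, $2 alias FQDN, $3 server FQDN, $4 nslookup text, $5 setspn text
preflight() {
    target=$(printf '%s\n' "$4" | cname_target "$2")
    [ "$target" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ] || { echo "CNAME mismatch: '$target'"; return 1; }
    miss=$(printf '%s\n' "$5" | missing_spns "$1" "$2")
    [ -z "$miss" ] || { echo "missing SPN: $miss"; return 1; }
    echo "ok: $2 -> $target, SPNs present"
}

preflight alias alias.ntap.local companyb.ntap.local "$NSLOOKUP_SAMPLE" "$SETSPN_SAMPLE"
```

In practice, feed `preflight` the live output of `nslookup <alias>` from the client and `setspn /L <server>` from a domain-joined Windows host instead of the sample strings.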

10 REPLIES

Mjizzini

-domain-workgroup is a parameter for the vserver active-directory show command.

[-domain-workgroup <CIFS domain>] - NetBIOS Domain/Workgroup Name. If you specify this parameter, the command displays information only for the Active Directory accounts that are in the specified NetBIOS domain or workgroup

 

In the cifs modify command, you can use:

| [-workgroup <NetBIOS>]} - Workgroup Name. This parameter specifies the name of the workgroup (up to 15 characters).

 

More about Workgroup. How to convert a CIFS SVM from a domain membership to workgroup

FengXiaoli

Thanks for the answer. But I'd like to create the SMB server using Windows Server AD, because workgroup mode for SMB servers doesn't support Kerberos.

fsqe-2nc1::> vserver active-directory show
This table is currently empty.

 

parisi

You don't use -domain-workgroup to rename workgroup objects.

 

You use -workgroup. See the example below.

 

ontap9-tme-8040::*> cifs server create -vserver COMPANYB -cifs-server WORKGROUP -workgroup WORKGROUP1

 

ontap9-tme-8040::*> cifs show -vserver COMPANYB

Vserver: COMPANYB
CIFS Server NetBIOS Name: WORKGROUP
NetBIOS Domain/Workgroup Name: WORKGROUP1
Fully Qualified Domain Name: -
Organizational Unit: -
Default Site Used by LIFs Without Site Membership: -
Workgroup Name: WORKGROUP1
Kerberos Realm: -
Authentication Style: workgroup
CIFS Server Administrative Status: up
CIFS Server Description:
List of NetBIOS Aliases: -

 

ontap9-tme-8040::*> cifs modify -vserver COMPANYB -cifs-server WORKGROUP -workgroup WORKGROUP2

Error: command failed: Failed to modify the CIFS server "WORKGROUP". Reason: Cannot modify CIFS server while its administrative status is "up". Use
"-status-admin down" with the "vserver cifs modify" command to disable the CIFS service.

 

ontap9-tme-8040::*> cifs stop -vserver COMPANYB

ontap9-tme-8040::*> cifs modify -vserver COMPANYB -cifs-server WORKGROUP -workgroup WORKGROUP2

Warning: This operation modified the domain or NetBIOS name of a CIFS server. Verify the CIFS server's symlink configuration with the "vserver cifs symlink
show" command. If necessary, update the CIFS symlink configuration with the "vserver cifs symlink modify" command.

ontap9-tme-8040::*> cifs show -vserver COMPANYB

Vserver: COMPANYB
CIFS Server NetBIOS Name: WORKGROUP
NetBIOS Domain/Workgroup Name: WORKGROUP2
Fully Qualified Domain Name: -
Organizational Unit: -
Default Site Used by LIFs Without Site Membership: -
Workgroup Name: WORKGROUP2
Kerberos Realm: -
Authentication Style: workgroup
CIFS Server Administrative Status: up
CIFS Server Description:
List of NetBIOS Aliases: -

 

Mjizzini

vserver cifs commands are the set of commands used to admin a NAS CIFS vserver.

FengXiaoli

So in this situation, domain-group can't be specified or modified for an SMB server using Windows Server AD. Is that right?

parisi

Why do you need a workgroup? You can use the domain name to connect to the SMB shares from Linux.

 

But no, you can't use workgroup mode *and* domain mode on the same CIFS server.

FengXiaoli

I don't use workgroup. I use domain mode. But it always requires me to specify the mount option domain when mounting the Samba share. And the value of the mount option domain is equal to domain-group in ONTAP. So I'd like to change the value of domain-group. Or it would be best not to have to specify the mount option domain for domain mode.

FengXiaoli

Thanks for your detailed information. Do you need to specify the domain when mounting with user/password?

parisi

I didn't have to specify the domain, as my client is joined to the domain via realm join.

 

# realm list
NTAP.local
type: kerberos
realm-name: NTAP.LOCAL
domain-name: ntap.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@ntap.local
login-policy: allow-realm-logins

 

Depends on your samba client and configuration. But "realm join" is the easiest method for NFS Kerberos and Samba config IMO.
