how to create a file share as NFS and CIFS for Unix and Windows

Hi,

creating the shares is easy - you just create CIFS shares and NFS exports that point to the file systems or directories.

You need to design and configure the groundwork first though:

- create a CIFS server
- think about what file system accesspolicy you want (fs mount option)
- configure user mapping

Take a look at these manuals on Powerlink or the Celerra documentation CD:

Configuring CIFS on Celerra for a Multiprotocol Environment

Configuring Celerra User Mapping

Hi,

The CIFS server is already created and has some share files mounted.

So, should I create a NFS export or a CIFS share?

I found this document that mentions:
The NFS protocol enables the Celerra Network Server to assume the functions of an NFS server. NFS environments typically include:

Native UNIX clients
Linux clients
Windows systems configured with third-party applications that provide NFS client services

Please consider that I am new to Celerra

Thank you

you need to create an NFS export (share) then.

Please consider reading these two manuals I've mentioned to get to know the concepts.

Since you already have data there you have used the default usermapper service, which creates Windows-Unix mapping using "free" Unix UIDs. This might have to be changed including re-permissioning the data.

It really depends on what you want to do - .i.e. if both Windows and Unix are creating, reading and writing files or not.

For true multi-protocol access you have to configure an explicit 1:1 mapping between a Windows account and a Unix account using one of the available user mapping methods (not usermapper).

Hi,

I will read the documents, but I want to mention one thing, maybe it was my fault I didn't clear my point from the beginning.

The CIFS server is created and have some CIFS shares, but my task is to create a new "share file" that can serve both NFS and CIFS users; i.e; So, should I first create a new CIFS share and then NFS export and give it permissions?

Thank you

It doesnt matter what share you create first

just creating the CIFS share or the NFS share doenst change anything in terms of security on the files itself or the other worlds share

what does matter is the accesspolicy and the usermapping

It seems to me that, you need to create a new File System first with proper accesspolicy - then create the NFS Export and CIFS share on this File system (As Rainer clarified - the order of creating CIFS Share and NFS exports does not matter).

But once again - please take a note of Rainer's suggestion - please understand and take care of the Multi-protocol access and User Mapping issue.

As of now, if the box is only having CIFS shares, you must be running Internal Usermapper service on the data movers, which automatically maps all domain authenticated users to unique UID/GID and maintains the same mapping. If you plan on true multi-protocol access - you may have to stop the Usermapper service - which will affect the access of existing CIFS Shares unless proper mapping mechanism is in place with all existing users and file/folder lavel permissions are all ok.

Creating Multi-protocol environment requires some extensive knowledge and expertise - I'll suggest to get in touch with your local EMC Technical contact, before making any changes.

Thanks,
Sandip

Hi Mike,

that really depends on your usermapping setup, which really access policy your are using and what permissions and ACLs are on that file or its directory.

I suggest to take a look at manual
Managing Celerra for a Multiprotocol Environment
for the basic concepts

You can also use the server_cifssupport tool to evaluate what access a NFS or CIFS user would have to a certain file

Rainer

Hi MikeChan,

Welcome to the EMC Support Forums.

As Rainer had already mentioned, the usermapping technique is very important here. I hope you are not running usermapper - but some other way of user mapping.

Also, the accesspolicy of the file system mount have a role to play in the multi-protocol environment.

Lastly, when you say NFS users can not write - please ensure the host from where they are mounting the NFS export is listed for READ-Write access in the NFS export definition and proper UNIX permissions are there.

Once you go through the doc Rainer had suggested, if needed please feel free to revert back. I'll suggest you open a new thread on your topic, do not reply to this thread.

Thanks,
Sandip

Hi All,

I would also be implementing a mixed envirronment for nas.

Right now, the cifs share is now on production. They want to mount the same filesystem as nfs.

Do i need to convert the access policy from native to mixed?

Is it safe to that without impacting the production data?

Please give as some advice on how this setup will work.

Thanks in advance!

Regards,

shiela

Sheila,

Like we mentioned earlier, you should also dig in to the manuals that Rainer and Sandip recommended.  In case you were wondering, you can download the entire documentation CD off of Powerlink.  Navigate to the following path:

  Home > Support > Technical Documentation and Advisories > Hardware/Platforms Documentation > Celerra Network Server > General Reference

Look in the list for "Celerra Network Server Documentation CD."

The access policy essentially decides which protocol, CIFS or NFS, has control over the permissions for that file.  Remember that every file in Celerra's filesystem carries both CIFS and NFS attributes, so Celerra can honor either one, or both, of the permission sets.  The default policy is set to NATIVE, which means that Active Directory controls access to the file from the CIFS side, and NFS controls access from the NFS side.  If a user has write permissions in CIFS but not in NFS, he can only write the file from CIFS.

MIXED is a different concept.  Let's say you have a file created in CIFS.  What are its permissions in NFS?  Since they are undefined, MIXED mode will define either set of permissions based on the Windows ACL.  If the ACL is modified, it will rebuild the NFS permissions.  If the NFS permissions are modified, the ACL will be rebuilt based oin the NFS mode bits.  File access for either side will always use the ACL, but the ACL will be modified based on the last permission modification on either side.

MIXED_COMPAT is a similar concept to MIXED, except that permission to access a file are dependent on which side made the last permission modification.  If NFS made the last modification, all access will be determined by the NFS mode bits, and the same is true if CIFS made the last modification.  The only difference in this case is that NFS access will ALSO be determined by the permissions of the folder containing the file.  If the folder was set with UNIX Mode bits and the file was set with EXPLICIT Windows ACLs, then the NFS user will ignore the file ACL and exercise access rights based on UNIX directory mode bits.  If the directory was set with EXPLICIT Windows ACLs and if the file was set with UNIX mode bits, then the NFS user would be checked for access rights based on the Windows directory ACL.

Also to be considered is the inheritance model in both the MIXED and MIXED_COMPAT modes.  When a CIFS client creates a file, if the inheritance flag is set, and the object’s parent has an ACL, the file object will inherit the ACL, and the NFS mode bit permissions will be created based on the ACL translation.  When a CIFS client creates a file, and the parent directory does not have an ACL, then NFS permissions are set according to the umask values—644 Octal for Files and 755 Octal for directories.  When a NFS client creates a file, NFS mode bits are based on the umask value and ACLs are created based on the NFS mode bit translation.

There's quite a bit of information to digest here.  It's such a complex topic that EMC actually offers a service to assist with configuring multiprotocol access in your environment.  So definitely dig into the manuals and compare closely to the needs of your environment.  Hope I didn't confuse too much...

Hi William,

Thanks a lot for the explanation.

Just want to clarify, can also give me some advice what should i consider and best practice when using a mixed policy and mixed compat?

Right now, i have an production cifs filesystem which is using a native policy. What if i decided to convert it into mixed policy?

Do i have to recreate the filesystem? Or is there another way to make it as mixed?

Please enlighten me..

Thanks a lot.

Regards,

Shiela

see "nas_fs -translate" as explained in the CIFS multi-protocol manual

personally I wouldnt recommend to setup a production mixed environment before having at least read and understood the CIFS, CIFS multi-protocol, NFS, name services and user mapping manuals and having done some non-production tests

you can easily create a copy of a production file system using nas_copy from the CLI or GUI and play with that instead of the live data

Rainer

just to clear - if you just want to access some CIFS data from NFS you dont necessarily have to go to mixed access policy

if you dont care about user and permission mapping - like for a backup application that uses root to read the CIFS data you can just create an NFS export and work with the default native access policy

Rainer