Note
This article describes the steps needed to expose directories to SMB and NFSv3 clients. To set up views that are exposed to SMB exclusively, see Enabling SMB Access. To set up views that are exposed to NFSv3 exclusively, see Enabling NFSv3 Access.
Note
Enabling SMB and NFSv4.1 on the same view is not supported.
An Active Directory server to join, with the DNS server of the VAST Cluster able to resolve the _ldap and _kerberos SRV records of the Active Directory (AD) domain.
Note
The DNS server IP of the cluster is specified during installation. For assistance with verifying or changing DNS configuration, please contact VAST Data Support.
Client users should be defined on the Active Directory server with an SMB user SID and group memberships. If the Active Directory server will also serve as a POSIX provider, the POSIX attributes should also be stored there. The attributes used to store the POSIX UID, the user's primary (leading) group GID and the other GIDs should be mapped to the LDAP schema using the Advanced attribute mappings, which are configured when you configure Active Directory.
For multiprotocol views, begin by joining the Active Directory server and configuring an LDAP connection to the same Active Directory server. For instructions, see Joining Active Directory (AD). Follow all steps of the procedure.
Important
As part of the LDAP configuration (detailed in Joining Active Directory (AD)) you MUST map the advanced LDAP attributes as included in the Active Directory procedure. This is required in order for user authentication and SMB access to work.
In order for clients to connect to SMB shares on the cluster, they must connect to DNS names which match HOST SPNs of the Active Directory machine account. These DNS names need to match the DNS names you configured to forward DNS requests to the relevant VIP pools (see Configuring Network Access). If you plan to have clients use <machine account name>.<AD domain name> as the DNS name, there is no need to add any HOST SPN attributes. However, to enable clients to use any other or additional DNS names, you must add HOST SPN attributes to the cluster's machine account after you have joined the Active Directory domain. The HOST SPN is needed so that the Kerberos protocol can identify the cluster as the service and perform authentication. It must be set up for each FQDN from which you want client users to be able to access SMB shares.
Add two entries per DNS name to the SPN attributes, with the values HOST/<FQDN> and HOST/<short DNS name>, where <FQDN> is the FQDN and <short DNS name> is the short DNS name of the same FQDN.
To set the SPNs in Active Directory:
Locate the machine account object that you just added for the cluster by joining the cluster to the Active Directory domain.
Open the machine account object's properties. This is usually done by right-clicking the object and selecting Properties.
In the properties, edit the servicePrincipalName attribute. This is usually found in the Attribute Editor tab where you can click the attribute to edit it in the Multi-valued String Editor.
Add one entry per DNS name with the value HOST/<FQDN>, where <FQDN> is the FQDN of the cluster, and another entry with the value HOST/<short DNS name>, where <short DNS name> is the short DNS name component of the FQDN. For example, if you have configured your DNS server to map the cluster's VIPs to cluster.domain.com, then you add two entries: HOST/cluster.domain.com and HOST/cluster.
Click OK in the editor and the properties dialogs as needed to save the entries.
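The same SPN registration done from PowerShell, as an added example that is not part of the VAST documentation or product. It assumes the RSAT ActiveDirectory module is installed, that the cluster's machine account is named VASTCLUSTER (a placeholder), and that clients will use the DNS name cluster.domain.com from the example above.

```powershell
# Added example, not from the VAST documentation or product: registers the two
# HOST SPNs described above with the ActiveDirectory PowerShell module instead of
# the Attribute Editor. Assumptions: RSAT ActiveDirectory module installed, the
# cluster's machine account is VASTCLUSTER (placeholder), and clients use the
# DNS name cluster.domain.com from the article's example.
Import-Module ActiveDirectory

$MachineAccount = 'VASTCLUSTER'          # placeholder for the cluster's machine account name
$Fqdn           = 'cluster.domain.com'   # DNS name that forwards to the cluster's VIP pool
$Short          = $Fqdn.Split('.')[0]    # short DNS name component, here 'cluster'
$Spns           = @("HOST/$Fqdn", "HOST/$Short")

# An SPN registered on two accounts breaks Kerberos for that name, so check
# the whole directory for existing owners before adding anything.
foreach ($spn in $Spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    foreach ($owner in $owners) {
        if ($owner.Name -ne $MachineAccount) {
            throw "$spn is already registered on $($owner.DistinguishedName)"
        }
    }
}

# Add both values to servicePrincipalName; 'Add' keeps the entries already present.
Set-ADComputer -Identity $MachineAccount -ServicePrincipalNames @{ Add = $Spns }

# Verify that every expected entry is now on the machine account.
$current = (Get-ADComputer -Identity $MachineAccount -Properties ServicePrincipalNames).ServicePrincipalNames
$missing = @($Spns | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) { throw "Missing SPNs: $($missing -join ', ')" }
$current | Sort-Object
```

Run it as a user with write access to the machine account; the final line lists all SPNs on the account so you can confirm both HOST entries are present.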
A view policy is a reusable set of configurations. Every view has a view policy, which can be the default view policy or another view policy that you add. Multiple views may use the same view policy. You can either modify the default view policy or create a new one.
In the VAST Web UI, select Element Store from the left navigation menu and then select View Policies.
To add a new view policy, click Create Policy. To modify an existing view policy, click the Actions menu button for the policy and select Edit.
The Add Policy or Update Policy dialog opens with the General area expanded.
In the Name field, enter a unique name for the policy.
From the Security Flavor dropdown, choose a security flavor. The security flavor determines how file and directory permissions are controlled. For a full description of the security flavors, see File and Directory Permissions in Multiprotocol Views. In brief, the options are:
NFS. NFS clients can set permission mode bits on files and directories when creating new files and directories or modifying existing files and directories. Attempts by SMB clients to set file and directory permissions are ignored. Files and directories created by SMB clients receive a configurable set of initial permission bits (see step 9).
SMB. SMB clients can set permissions on files and directories. Attempts by NFS clients to set permission bits for files and directories are ignored. Files and directories created on NFS clients inherit permissions set on the parent directory by the SMB client.
Mixed Last Wins. This flavor is designed to behave as natively as possible for whichever protocol is used to create or modify a file or directory. It allows permissions to be set and modified from all clients. As far as possible, whenever a user changes permissions via a given protocol, the permission change that VAST applies is the one the user intended.
To limit access to specific VIP pools, select those VIP pool(s) in the VIP Pools dropdown.
If no VIP pools are selected, all VIP pools can access all views that are attached to this view policy.
From the Group Membership Source dropdown, select Providers. This setting determines the source trusted for users' group memberships during the permission checking process. This must be set to Providers for multiprotocol views. The other options are supported only for views that are exposed exclusively to NFS.
Expand the NFS section. Here you can manage which NFS hosts are allowed to access the view and the types of access you allow to different hosts.
Two wildcard entries initially appear in the Read/Write and Root Squash rows of the grid. These wildcards represent all IPs of all hosts. This default configuration gives all hosts read/write access and root squashing.
Add and remove entries in the access type grid to allow the exact host access that you want.
Click the +Add new IP button for the access type you want to add hosts to.
The IPs list for the access type becomes editable.
Add hosts using any of the following expressions in a comma-separated list:
A single IP.
A netgroup key, which starts with '@'. This is supported for NIS netgroups if NIS is configured. For information about how to use netgroups, see Using NIS Netgroups to Authorize Host Access to NFS Exports.
A subnet indicated by CIDR notation. For example: 1.1.1.1/24.
A range of IPs indicated by an IP address with '*' as a wildcard in place of any of the 8-bit fields in the address. For example, 3.3.3.*, or 3.3.*.*.
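As an added example (not VAST's code), the following PowerShell evaluates the IP list of one access type against a client address using the four expression forms above, which is useful when checking which entries cover a given host before granting it No Squash or Trash Access. The netgroup table, the IP list and the client addresses are constructed sample data.

```powershell
# Added example, not VAST code: reports which entries of an access type's IP list
# cover a given client address, using the four expression forms listed above.
# The netgroup table is constructed sample data standing in for the NIS lookup.
$Netgroups = @{ '@hpc_nodes' = @('10.1.1.5', '10.1.1.6') }   # constructed sample

function ConvertTo-BitString([string]$Ip) {
    # IPv4 dotted quad -> 32-character binary string, so prefixes compare as substrings.
    $octets = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return -join ($octets | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}

function Test-NfsHostEntry([string]$Entry, [string]$ClientIp) {
    if ($Entry.StartsWith('@')) {                                  # NIS netgroup key
        return [bool]($Netgroups[$Entry] -contains $ClientIp)
    }
    if ($Entry -match '^([\d.]+)/(\d|[12]\d|3[0-2])$') {            # CIDR subnet, e.g. 1.1.1.1/24
        $prefix  = [int]$Matches[2]                                # host bits beyond the prefix are ignored
        $netBits = ConvertTo-BitString $Matches[1]
        $cliBits = ConvertTo-BitString $ClientIp
        return $netBits.Substring(0, $prefix) -eq $cliBits.Substring(0, $prefix)
    }
    if ($Entry.Contains('*')) {                                    # octet wildcard, e.g. 3.3.*.*
        $want = $Entry.Split('.'); $have = $ClientIp.Split('.')
        if ($want.Count -ne 4 -or $have.Count -ne 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($want[$i] -ne '*' -and $want[$i] -ne $have[$i]) { return $false }
        }
        return $true
    }
    return (ConvertTo-BitString $Entry) -eq (ConvertTo-BitString $ClientIp)   # single IP
}

function Get-MatchingEntries([string]$IpList, [string]$ClientIp) {
    # $IpList is the comma-separated list as typed into the access type grid.
    $IpList.Split(',') | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and (Test-NfsHostEntry -Entry $_ -ClientIp $ClientIp) }
}

# Constructed sample list for one row; run it against two sample clients. A client
# covered by entries in mutually exclusive types is the case the article's conflict
# resolution applies to.
$row = '10.1.1.0/24, @hpc_nodes, 3.3.*.*, 192.0.2.7'
Get-MatchingEntries -IpList $row -ClientIp '10.1.1.5'
Get-MatchingEntries -IpList $row -ClientIp '3.3.9.1'
```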
The access types comprise these categories:
Controlling read and write operations:
Read / Write. Read/write access.
Read Only. Read only access.
Controlling squash policy:
No Squash. All operations are supported. Use this option if you trust the root user not to perform operations that will corrupt data.
Root Squash. The root user is mapped to nobody for all file and folder management operations on the export. This enables you to prevent the strongest super user from corrupting all user data on the VAST Cluster.
All Squash. All client users are mapped to nobody for all file and folder management operations on the export.
Controlling access to the trash folder:
Trash Access. This option does not appear here by default. It appears only if Enable trash folder access is enabled on the Settings page. Granting this permission gives hosts the ability to delete files by moving them into a trash folder, from which they are automatically deleted. This option also requires No Squash. For more information, see Trash Folder (for Rapid Parallel File Deletion).
You can add hosts to any and all of the types, but within each category no more than one type will be applied to any given host. If a host is specified with multiple entries in mutually exclusive types, the conflict is resolved as follows:
Click Add or press the ENTER key on your keyboard.
The entries are added.
To remove an entry, hover to the right of the entry until a removal button appears and click it.
If you selected NFS as the security flavor, expand the SMB section and set the SMB file mode permission bits and the SMB directory mode permission bits. When NFS security flavor is used, these permission bits are applied to files and directories created by SMB clients.
To learn more about permissions and how they are transposed between the protocols, see File and Directory Permissions in Multiprotocol Views.
Switch back to the General tab and (optionally) expand the Advanced section and change the following settings:
Path Length Limit. Sets the maximum length of a single file path component name. Choose between:
Lowest Common Denominator (default). Imposes the lowest common denominator file length limit of all VAST Cluster-supported protocols, regardless of the specific protocol enabled on a specific view.
Native Protocol Limit. Imposes no limitation beyond that of the client protocol.
Caution
If you select this mode in a view policy and then in the future expose a view using this policy to a previously not exposed protocol, that view might contain files that won't be accessible by the newly added protocol, due to the limitations of that protocol.
Allowed Characters. Determines which characters are allowed in file names. Choose between:
Lowest Common Denominator (default). Allows only characters allowed by all VAST Cluster-supported protocols, regardless of the specific protocol enabled on a specific view. With this (default) option, the limitation on the length of a single component of the path is 255 characters.
Native Protocol Limit. Imposes no limitation beyond that of the client protocol.
Atime Frequency. atime is a metadata attribute of NFS files that represents the last time the file was accessed. atime is updated on a read operation only if the difference between the current time and the file's atime value is greater than the configured atime frequency. Consider that a very low value might have a performance impact if high numbers of files are being read.
Specify ATIME_FREQUENCY as an integer followed by a unit of time (s = seconds, m = minutes, h = hours, d = days).
Posix ACL. Enables full support of extended POSIX Access Control Lists (ACL). By default, VAST Cluster supports the traditional POSIX file system object permission mode bits, (minimal ACL mode) in which each file has three ACL entries defining the permissions for the owner, owning group, and others, respectively. To learn more about POSIX ACL, we recommend reading https://linux.die.net/man/5/acl.
Note
The setfacl Linux command is blocked if this option is not enabled.
Use 32-bit File IDs (disabled by default). Sets the VAST Cluster's NFS server to use 32-bit file IDs. This setting supports legacy 32-bit applications running over NFS.
Click Create.
The policy is created and added to the list.
Use the viewpolicy create command to create a new view policy or the viewpolicy modify command to modify the default view policy. For command syntax, follow Multiprotocol Usage.
In the VAST Web UI, select Element Store from the left navigation menu and then select Views.
Click Create View to add a new view.
The Add View dialog appears.
In the Path field, enter the full path from the top level of the storage system on the cluster to the location that you want to expose. The directory may already exist, for example if it was created by a client inside a mounted parent directory. It could also be a path to a new directory which you create now (see step 8).
Open the Protocols dropdown and select both NFS and SMB to expose the view to both protocols.
In the SMB Share Name field, enter the name of the SMB share. This is required. The name cannot include the following characters: /\:|<>*?"
In the NFS Alias field, you can optionally specify an alias for the mount path of the NFS export. An alias must begin with a forward slash ("/") and must consist of only ASCII characters.
From the Policy Name dropdown, select the view policy that is configured as required for a multiprotocol view (see Configure a View Policy).
If the directory does not already exist in the file system, enable the Create Directory setting to create the directory.
Click Create.
The view is now created and can be accessed via NFS or SMB clients. You can see it displayed in the Views tab.
Use the view create command to create the view.