Note
This article describes the steps needed to expose directories exclusively to the SMB file sharing protocol. To set up multiprotocol views that expose directories to both SMB and NFS, see Enabling Multiprotocol Access (NFSv3 + SMB) instead.
- An Active Directory (AD) domain to join. The DNS server configured on the VAST cluster must be able to resolve the _ldap and _kerberos SRV records of the AD domain.
Note
The DNS server IP of the cluster is specified during installation. For assistance with verifying or changing DNS configuration, please contact VAST Data Support.
Begin by joining the cluster to Active Directory and configuring an LDAP connection to the Active Directory server. See Joining Active Directory (AD). Follow all steps of the procedure.
Important
As part of the LDAP configuration (detailed in Joining Active Directory (AD)) you MUST map advanced LDAP attributes to the AD schema. This step is required in order for SMB access to work.
Client users must have user accounts in the Active Directory domain.
In order for clients to connect to SMB shares on the cluster, they must connect using DNS names that match HOST SPNs registered on the cluster's Active Directory machine account. These DNS names must be the same names you configured to forward DNS requests to the relevant VIP pools (see Configuring Network Access). If clients will use <machine account name>.<AD domain name> as the DNS name, there is no need to add any HOST SPN attributes. To let clients use any other or additional DNS names, you must add HOST SPN attributes to the cluster's machine account after you have joined the Active Directory domain. A Kerberos client requests a service ticket for the name it connects to, and the KDC can issue that ticket only if the name is registered as an SPN on the machine account; without a matching SPN, Kerberos authentication to the share fails. Register SPNs for every FQDN from which client users will access SMB shares.
For each DNS name, add two entries to the SPN attribute: HOST/<FQDN> and HOST/<short DNS name>, where <FQDN> is the fully qualified name and <short DNS name> is its host-name label (the first component of the same FQDN).
To set SPNs in Active Directory:
1. Locate the machine account object that was created for the cluster when you joined it to the Active Directory domain.
2. Open the machine account object's properties. This is usually done by right-clicking the object and selecting Properties.
3. In the properties, edit the servicePrincipalName attribute. This is usually found on the Attribute Editor tab (in Active Directory Users and Computers that tab is shown only when View > Advanced Features is enabled); click the attribute to edit it in the Multi-valued String Editor.
4. For each DNS name, add one entry with the value HOST/<FQDN>, where <FQDN> is the FQDN of the cluster, and another entry with the value HOST/<short DNS name>, where <short DNS name> is the host-name component of that FQDN. For example, if you have configured your DNS server to map the cluster's VIPs to cluster.domain.com, add two entries: HOST/cluster.domain.com and HOST/cluster.
5. Click OK in the editor and the properties dialogs as needed to save the entries.
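The same SPN registration done from PowerShell, as an added example that is not part of the VAST article or its tooling. It assumes a machine account named VASTCLUSTER and the DNS name cluster.domain.com from the example above; both are placeholders. Besides adding the two entries, it first checks that neither SPN is already registered on another object, which the Multi-valued String Editor does not do for you, and finishes with setspn's forest-wide duplicate report.

```powershell
# Added example, not from the VAST article: register the HOST SPNs for a
# cluster DNS name on the cluster's AD machine account and verify them.
# Assumed names (substitute your own): machine account VASTCLUSTER and
# DNS name cluster.domain.com. Needs the ActiveDirectory RSAT module and
# write rights on the machine account; run from an elevated session.
Import-Module ActiveDirectory

$Account = 'VASTCLUSTER'          # computer account name, without trailing $
$Fqdn    = 'cluster.domain.com'   # DNS name that forwards to the VIP pool
$Short   = ($Fqdn -split '\.')[0] # host-name label -> 'cluster'
$Spns    = @("HOST/$Fqdn", "HOST/$Short")

# An SPN may exist on only one account in the forest. If one of ours is
# already on some other object, the KDC cannot tell which key to use and
# Kerberos logons to the share fail, so stop rather than add a duplicate.
foreach ($spn in $Spns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    $others = @($owners | Where-Object { $_.Name -ne $Account })
    if ($others.Count -gt 0) {
        throw "SPN $spn is already registered on: $($others.DistinguishedName -join '; ')"
    }
}

# Add both values in a single write; @{Add=...} keeps the entries that the
# domain join already put on the account.
Set-ADComputer -Identity $Account -ServicePrincipalNames @{Add = $Spns}

# Read the attribute back and confirm every required entry is present.
$registered = (Get-ADComputer -Identity $Account -Properties servicePrincipalName).servicePrincipalName
$missing    = @($Spns | Where-Object { $registered -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "SPNs still missing after update: $($missing -join ', ')"
}
Write-Host "servicePrincipalName on ${Account}:"
$registered | Sort-Object | ForEach-Object { Write-Host "  $_" }

# Forest-wide duplicate SPN report (setspn ships with the RSAT AD tools).
setspn -X -F
```

Run it once per additional DNS name. If the duplicate check throws, resolve which account should own the name before adding anything; two accounts carrying the same SPN breaks Kerberos for both.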
A view policy is a reusable set of configurations. Every view has a view policy. Multiple views may use the same view policy. Before creating a view that is exposed as an SMB share, you need to make sure you have a view policy that is configured correctly for this type of view. You can either modify a view policy or create a new one.
1. In the VAST Web UI, select Element Store in the left navigation menu and then select View Policies.
   The View Policies tab displays at least one view policy, the default view policy.
2. To edit a view policy, open the Actions menu for the policy and select Edit. Alternatively, to create a new view policy, click Create Policy at the top right of the grid.
   The Add Policy or Update Policy dialog opens with the General area expanded.
3. In the Name field, enter a unique name for the policy.
4. From the Security Flavor dropdown, select SMB. Security flavors determine how file permissions are managed when views are exposed to multiple file sharing protocols. SMB is the setting you need for views that you will expose as SMB shares without exposing them to other client protocols.
5. To limit access to specific VIP pools, select those VIP pool(s) in the VIP Pools dropdown.
   If no VIP pools are selected, every VIP pool can reach all views that are attached to this view policy. Select pools explicitly when a share should be reachable only from a particular network.
6. From the Group Membership Source dropdown, select Providers. This setting determines the source trusted for users' group memberships during the permission checking process. It must be set to Providers for views that are exposed to SMB. The other options are supported only for views that are exposed exclusively to NFS.
Tip
Skip the Advanced settings, and skip the NFS and SMB tabs. Those settings don't pertain to exclusively SMB-exposed views.
7. Click Create (or Update, if you are editing an existing policy).
   The policy is created and added to the list.
From the VAST CLI, use the viewpolicy create command to create a new view policy or the viewpolicy modify command to modify an existing one. For command syntax, see SMB Usage.
A view exposes a specific directory to a client protocol (in this case SMB). In other words, creating a view is how you create a directory in the file system and an SMB share on that directory.
1. In the VAST Web UI, select Element Store in the left navigation menu and then select Views.
2. Click Create View to add a new view.
   The Add View dialog appears.
3. In the Path field, enter the full path from the top level of the storage system on the cluster to the directory that you want to expose. The directory may already exist, for example if a client created it inside a mounted parent directory, or it may be a path to a new directory that you create now (see step 7).
4. Open the Protocols dropdown and select SMB to expose the view to SMB. Do not select NFS.
5. In the SMB Share Name field, enter the name of the SMB share. This is required. The name cannot include the following characters: /\:|<>*?"
   For more information about allowed characters and the maximum length of a share name, see Advanced Multiprotocol Options.
6. From the Policy Name dropdown, select the view policy that you configured as described in the previous section.
7. If the directory does not already exist in the file system, enable the Create Directory setting to create it.
8. Click Create.
   The view is now created. You can see its configuration displayed in the Views tab.
The share is accessible to SMB clients on the joined AD domain at \\<DNS name>\<share name>, where <share name> is the configured share name displayed in the Views tab and <DNS name> is one of the names for which you registered HOST SPNs on the cluster's machine account.
From the VAST CLI, create a view using the view create command. To display configured views with their SMB share names, use view list.
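A client-side check of a newly created share, added here as an example and not part of the VAST article: it assumes the DNS name cluster.domain.com and a share named projects, both placeholders, and runs in a PowerShell session on a domain-joined Windows client. It walks the three things that must line up for Kerberos access to work: the DNS name, the SPN for that name, and the SMB connection itself.

```powershell
# Added example, not from the VAST article: from a domain-joined Windows
# client, check DNS, the Kerberos SPN and the SMB connection for a new share.
# Assumed names (substitute your own): DNS name cluster.domain.com and
# share name 'projects'.
$Fqdn  = 'cluster.domain.com'
$Share = 'projects'
$Unc   = "\\$Fqdn\$Share"
$Drive = 'V:'

# 1. DNS: the name must resolve to the cluster VIPs that serve this share.
Resolve-DnsName -Name $Fqdn -Type A | Select-Object Name, IPAddress

# 2. Kerberos: request a service ticket for exactly the name we connect with.
#    AD's default sPNMappings alias cifs/ to host/, so HOST/<name> on the
#    machine account satisfies this. If no ticket is returned, the SPN is
#    missing or sits on another account, and the SMB client falls back to
#    NTLM (or fails outright where NTLM is disabled) instead of Kerberos.
klist purge | Out-Null
klist get "cifs/$Fqdn"
if ($LASTEXITCODE -ne 0) {
    throw "No Kerberos ticket for cifs/$Fqdn; check the HOST SPNs on the cluster machine account"
}

# 3. Connect and confirm what was negotiated: Dialect is the SMB version,
#    Signed/Encrypted show whether the session is protected. The ticket
#    cache should now hold the cifs ticket the connection used.
New-SmbMapping -LocalPath $Drive -RemotePath $Unc -ErrorAction Stop | Out-Null
Get-SmbConnection -ServerName $Fqdn |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted
klist | Select-String -Pattern "cifs/$Fqdn" -SimpleMatch

# Remove the test mapping.
Remove-SmbMapping -LocalPath $Drive -Force
```

If step 2 fails but step 3 still mounts the share, the client authenticated with NTLM rather than Kerberos; fix the SPN rather than accepting the fallback.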