5.1 Using iManager to Manage CIFS

You can manage CIFS services from iManager. The recommended method to configure, manage, and modify CIFS properties and parameters is by using iManager.

NOTE: Admin equivalent/container admin users should be LUM-enabled in order to manage the CIFS server through the CIFS iManager plug-in. For more information, see Using iManager for Linux User Management in the Linux User Management Administration Guide.

5.1.1 Prerequisites

5.1.2 Selecting a Server to Manage

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html 

    where server_IP_address is the IP address of the server on which iManager is running.

    For example:

    http://192.168.0.1/nps/iManager.html
  2. At the login prompt, specify the server administrator user name, password, and tree name or IP address of the tree, then click Next.

    For more information on iManager administration, see the NetIQ iManager Administration Guide.

  3. In the left pane of the iManager application, click File Protocols > CIFS.

    The default CIFS parameters page is displayed. Use this page to configure and manage CIFS.

  4. In the Server field, specify the OES server name.

    or

    Browse and select the server using the object selector.

    or

    Select the server from the object history list.

  5. Verify the status of the server. If the CIFS server is stopped, click Start to start the CIFS server.

    The information displayed changes to reflect the current state and properties of the selected server.

  6. Continue with other administrative actions as necessary:

5.1.3 Setting the CIFS Server and Authentication Properties

The server and authentication parameters can be set using the General and Share tabs on the default CIFS server page in iManager.

For information on starting iManager and accessing the CIFS server, see Section 5.1.2, Selecting a Server to Manage.

To change these parameters from command line, see Section 5.2.5, Modifying the CIFS Configuration.

Setting CIFS General Server Parameters

The General page contains the Server and Authentication properties tabs. By default, the Server Properties page is displayed. View or edit the server parameters on this page.

NOTE: For a virtual server, only CIFS Virtual Server Name and Comment are not inherited from the physical server. Hence, only these parameters can be edited for CIFS on a shared pool server.

Table 5-1 CIFS Server Page Parameters

Parameter

Description

CIFS Virtual Server Name

The name of the server running CIFS services. The length can be a maximum of 15 characters. The default server name is the OES server name.

If the OES host or a cluster resource is joined to a domain and you need to change this name, follow the procedure provided at Renaming the Netbios Name of OES Host or Cluster Resource in the NSS AD Administration Guide.

WINS IP Address

The address of the WINS server.

Comment

The text in the Comment field is displayed when viewing details of the server. This can be useful if you want to provide a more detailed description of the server. The maximum length is 47 characters.

IMPORTANT: You should use single-byte characters in comments. Double-byte characters are not supported.

OpLocks (Opportunistic Locking)

Improves file access performance. The option is enabled by default.

Distributed File Services (DFS) Support

This option enables Distributed File Services support in CIFS. The option is disabled by default.

SMB Signature

This option is Disabled by default. Select Mandatory, Optional, or Disabled. For details, see Enabling and Disabling SMB Signing.

Enabling and Disabling SMB Signing

SMB signing is a security mechanism designed to improve the security of the CIFS protocol. With SMB signing, a digital signature is placed into each SMB packet and is then verified by both the client and the server. It can be set to mandatory or optional mode. For more information, see the Microsoft Knowledge Base article.

SMB signing should be turned off when domain authentication is configured.

To use SMB signing mode, both the client and the server should be enabled for SMB signing. Use either Optional or Mandatory modes to enable it.

Optional mode: If SMB signing is set to the optional mode (the default mode after enabling it by using console commands), it automatically detects whether or not individual clients have SMB signing enabled. If a client does not have SMB signing enabled, the server does not use SMB signing for client communication. If a client has SMB signing enabled, the server uses SMB signing for client communication.

Mandatory mode: If you set SMB signing to mandatory mode, all clients must have SMB signing enabled or they cannot connect to the server. If SMB signing is set as mandatory on the server, clients cannot establish sessions with the server unless they have SMB signing enabled.

Disable mode: You can disable SMB signing by setting SMB signing to disabled mode.

IMPORTANT: After enabling or disabling SMB signing, or changing the mode to optional or mandatory, clients must reconnect in order for changes to take effect. For example, if SMB signing is enabled on the server, SMB signing is not in effect for individual clients until each of those clients reconnects.

Setting CIFS General Authentication Parameters

On the General page, select Authentication to view or edit the CIFS authentication parameters. When third party domain authentication is selected, SMB signing is disabled.

The functionality of CIFS third party domain authentication in OES is the same as in NetWare.

Table 5-2 CIFS Authentication Page Parameters

Parameters

Description

Mode

Indicates the method of authentication used by CIFS. CIFS uses either eDirectory (local) or third-party Domain authentication mechanisms.

  • eDirectory (Local): Clients are members of a workgroup. The server running CIFS services performs the user authentication. The login credentials (user name and password) on an OES server must match the login credentials used by the client users.

  • Third Party Domain: Clients are members of a domain. A Windows domain controller performs user authentication. The user name and password on the domain controller must match the user name and password used to log in to the Windows workstation.

IMPORTANT: If you change the modes from Local to Third Party Domain or from Third Party Domain to Local, restart the CIFS server for the changes to take effect.

NOTE: Extended Security (NTLMSSP) and SMB2 are not supported for Third Party Domain mode authentication.

For more information on enabling Third party domain authentication, see Section 5.6, Third-Party Domain Authentication.

Work Group / Domain Name

The workgroup or Windows domain to which the CIFS users belong.

The domain name should be a valid DNS entry or the NetBIOS name of the domain.

LMCompatibilityLevel

NTLMv2 is an authentication protocol that is cryptographically stronger than NTLMv1. NTLMv2 is not negotiated between the client and the server. The protocol does not determine the challenge or response algorithms, so it must be configured on both the client and the server.

On a Windows client, set the LMCompatibilityLevel by modifying the Windows registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.

On the server, set the LMCompatibilityLevel by running the novcifs [-L 0|4|5 | --lm=0|4|5] command.

CIFS currently supports 0, 4, and 5 compatibility levels for NTLMv2.

Select the appropriate LMCompatibilityLevel from the drop-down list.

  • Accept LM and NTLM responses (Default setting) - Level 0: The server or domain controller compares the client's responses against LM, NTLM, LMv2, and NTLMv2 responses. Any valid response is accepted.

  • Accept NTLM response/refuse LM response (NTLM authentication) - Level 4: The server or domain controller accepts a valid LM, NTLM, LMv2, or NTLMv2 response.

  • Accept NTLMv2 response/refuse LM and NTLM response (NTLMv2 required) - Level 5: The server or domain controller compares the client's responses, using only LMv2 and NTLMv2.

NOTE: When the Accept NTLMv2 responses only option is selected and you are attempting to map a share from a Windows 7 or Windows 8 workstation, make sure you specify the domain name along with the user name for the mapping to be successful.

Primary Domain Controller Name

The name of the PDC server. This is needed if the PDC is on a different subnet. This option should be used only when there is a valid reason for overriding WINS or DNS. This field can be changed only if Third Party Domain is selected.

Primary Domain Controller IP Address

The PDC server’s static IP address. This is needed if the PDC is on a different subnet. This option should be used only when there is a valid reason for overriding WINS or DNS. This field can be changed only if Third Party Domain is selected.

IMPORTANT: If this is not a static address, the server running CIFS services cannot contact the PDC when the PDC reboots and the address changes.
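The SMB signing modes and the authentication parameters above interact, so a planned combination is worth checking before it is applied. The following is an added example, not code from the OES documentation or product: the `CifsSettings` model, its field names, and the finding texts are hypothetical and only encode the rules stated in this section.

```python
from dataclasses import dataclass

@dataclass
class CifsSettings:
    """Constructed model of the General-page settings (field names are hypothetical)."""
    auth_mode: str              # "local" (eDirectory) or "domain" (Third Party Domain)
    smb_signing: str            # "disabled", "optional" or "mandatory"
    lm_level: int               # LMCompatibilityLevel: 0, 4 or 5
    smb2: bool = False          # SMB2 enabled on the server
    pdc_ip_static: bool = True  # only meaningful in domain mode

def signing_outcome(server_mode, client_signing):
    """What one client session gets for a given server signing mode."""
    if server_mode == "disabled":
        return "unsigned"
    if client_signing:
        return "signed"
    # Mandatory refuses clients without signing; optional falls back to unsigned.
    return "refused" if server_mode == "mandatory" else "unsigned"

def review(s):
    """Return (field, finding) pairs for combinations this section warns about."""
    out = []
    if s.lm_level not in (0, 4, 5):
        out.append(("lm_level", "CIFS supports only levels 0, 4 and 5"))
    elif s.lm_level == 0:
        out.append(("lm_level", "level 0 accepts LM and NTLM; level 5 requires NTLMv2"))
    if s.auth_mode == "domain":
        if s.smb_signing != "disabled":
            out.append(("smb_signing", "turn signing off with domain authentication"))
        if s.smb2:
            out.append(("smb2", "SMB2 is not supported in Third Party Domain mode"))
        if not s.pdc_ip_static:
            out.append(("pdc_ip", "use a static PDC address; contact is lost if it changes"))
    elif signing_outcome(s.smb_signing, client_signing=False) == "unsigned":
        out.append(("smb_signing",
                    f"{s.smb_signing} mode lets clients without signing connect unsigned"))
    return out

if __name__ == "__main__":
    # Constructed sample configurations.
    for cfg in (CifsSettings("local", "optional", 0),
                CifsSettings("domain", "mandatory", 5, smb2=True)):
        print(cfg, review(cfg), sep="\n  ")
```

A changed signing mode only shows up in `signing_outcome` for sessions established after the change, because clients must reconnect for it to take effect.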

5.1.4 Managing CIFS Shares

The Share tab on the default CIFS server page in iManager displays the CIFS share details. Use the Shares page to add a new share on the server, which specifies it as a sharepoint and makes it accessible via the Network Neighborhood. NSS Volumes are added by default.

For information on starting iManager and accessing the CIFS server, see Section 5.1.2, Selecting a Server to Manage.

To manage CIFS Shares from command line, see Section 5.2.7, Working with CIFS Shares.

NOTE: If no shares are specified, all mounted volumes are displayed.

IMPORTANT: Double-byte characters are not supported in a Share name, Share path, or Comment.

Administrators can add, edit, and delete CIFS shares.

Adding a New CIFS Share

Before adding a new share, ensure that your CIFS server is running. For details on how to start the server, see Section 5.1.2, Selecting a Server to Manage.

NOTE: There is a limitation on the number of shares a CIFS server can host. For most configurations this limit is between 300 and 500 shares.

  1. On the default CIFS server page in iManager click the Shares tab, then click Add.

    For information on starting iManager and accessing the CIFS server, see Section 5.1.2, Selecting a Server to Manage.

  2. Specify the Share Name, Volume, Path, and Comment for the new share. For details, see Table 5-3.

  3. Click OK to save your changes.

    On the successful addition of a share, a message is displayed:

Editing a CIFS Share

Before editing a share, ensure that your CIFS server is running. For details on how to start the server, see Section 5.1.2, Selecting a Server to Manage.

If you edit the default share name, a new share is created. However, the default share is still present with the same share name.

NOTE: All shares on a volume are removed on pool unmount.

  1. On the default CIFS server page in iManager, click the Shares tab, then select a share from the list and click Edit, or click a particular share link to edit the share.

    For information on starting iManager and accessing the CIFS server, see Section 5.1.2, Selecting a Server to Manage.

  2. Modify the Share Name, Path, or Comment for the share. For details, see Table 5-3.

  3. Click the Modify button to modify the Volume and Path on the pop-up screen. For details, see Table 5-3.

  4. Click OK twice to save your changes.

Removing a CIFS Share

Before deleting a share, ensure that your CIFS server is started and running. For information on starting iManager and accessing the CIFS server, see Section 5.1.2, Selecting a Server to Manage.

  1. On the default CIFS server page in iManager, click the Share tab, select one or more shares from the list, then click Remove.

    On successful deletion of the share, a message is displayed:

  2. Either click OK to return to the main page or click Repeat Task to delete more shares.

CIFS Share Parameters

Use the information in the following table to create and edit CIFS shares.

Table 5-3 Shares Page Parameters

Parameter

Description

Name

The name that the CIFS share uses for all the CIFS services and for display on Windows computers. For example, if you specify Company Photos as the share name associated with vol1\graphics, then Windows workstations browsing the network see Company Photos instead of vol1\graphics.

A Share name can be up to 80 characters long and can contain any single-byte characters, but should not begin or end with an underscore (_) or contain multiple underscores.

Volume

The OES volume name.

Path

The CIFS share path. This is the path to the server volume or directory that becomes the root of the sharepoint. This path can contain only single-byte characters.

NOTE: Do not end the path with a backslash (\).

Comment

A description for the sharepoint. The description appears in Network Neighborhood or My Network Places. The maximum length is 47 characters. The comment can contain only single-byte characters.
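When shares are created in bulk, the limits in Table 5-3 can be checked before anything is entered in iManager. The following is an added example, not part of the OES documentation or tooling. It assumes that "single-byte" can be read conservatively as ASCII and that "multiple underscores" means more than one underscore in the name; the function names and sample rows are constructed.

```python
def is_single_byte(text):
    # Assumption: "single-byte" is read conservatively as ASCII.
    return text.isascii()

def check_share(name, path, comment=""):
    """Return a list of problems for one share definition (empty list = OK)."""
    problems = []
    if not name or len(name) > 80:
        problems.append("name: must be 1 to 80 characters")
    if not is_single_byte(name):
        problems.append("name: single-byte characters only")
    # Assumption: "multiple underscores" means more than one underscore in total.
    if name.startswith("_") or name.endswith("_") or name.count("_") > 1:
        problems.append("name: no leading/trailing underscore, at most one underscore")
    if not is_single_byte(path):
        problems.append("path: single-byte characters only")
    if path.endswith("\\"):
        problems.append("path: must not end with a backslash")
    if len(comment) > 47 or not is_single_byte(comment):
        problems.append("comment: at most 47 single-byte characters")
    return problems

# Constructed sample batch, for example rows read from a provisioning sheet.
SAMPLE = [
    ("Company Photos", "vol1\\graphics", "Marketing image library"),
    ("_scratch_", "vol1\\tmp\\", ""),
    ("写真", "vol1\\graphics", "x" * 48),
]

def check_batch(rows):
    """Map share name -> problems, keeping only the rows that fail."""
    results = {name: check_share(name, path, comment) for name, path, comment in rows}
    return {name: probs for name, probs in results.items() if probs}

if __name__ == "__main__":
    for share, probs in check_batch(SAMPLE).items():
        print(share, probs)
```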

5.1.5 Configuring a CIFS User Context

On the default CIFS server page in iManager, click the Context tab to list, add, and delete the CIFS user contexts.

To configure a context search from the command line, see Section 5.2.8, Configuring the CIFS Context Search File.

The recommended method is to use iManager to configure the search context.

Adding a New Context

Before adding a new context, ensure that your CIFS server is started and running. For details on how to start the server, see Section 5.1.2, Selecting a Server to Manage.

  1. Click Add to add a new user context to CIFS.

  2. Use the object selector to select a context to add, then click OK to save.

Removing a Context

Before removing a context, ensure that your CIFS server is started and running. Select one or more contexts, then click Remove.

5.1.6 Stopping CIFS

To stop a running CIFS server:

  1. If the CIFS server status is Running on your screen, click Stop to stop the CIFS server.

The Status changes to Stopped and all the CIFS properties are dimmed on the screen.