NetApp 7-Mode – CIFS overview

CIFS – acronym comes from Common Internet File System. It’s described as Microsoft network file sharing protocol, allows access and manipulate files and folders on remote servers as if they are on local machines.


  • Network browsing to locate machines within domains/workgroups and available shares.
  • User authentication.
  • Authorization at the share, folder and file level.
  • Basic file attributes: Read-only, Archive, System, Hidden.
  • Extended NTFS file attributes for indexing, compression and encryption.
  • Unicode support.
  • Opportunistic locks.
  • Dialect negotiation – each protocol version is defined as dialect.

CIFS setup

Required steps:
1) License CIFS.
2) Initial configuration with cifs setup command. After setup the cifs server (daemon) starts automatically.
During cifs setup some significant options must be set:

  • NTFS only or Multiprotocol if NTFS only will be chosen then all existing (except read only) volumes will be converted to NTFS (wafl.default_security_style option will be set to ntfs).
  • root user must be set, because of mapping Windows users to Unix servers even with NTFS only security style. Authentification is performed with /etc/passwd
  • Local administrator – locally authenticated by CIFS and has privileges to administration on the storage system.

During setup some configuration files has been created like /etc/usermap.cfg responsible for multiprotocol support for NFS and CIFS.

CIFS default shares

  • C$ maps to /vol/vol0 root volume
  • ETC$ maps to /vol/vol0/etc
  • HOME maps to /vol/vol0/home and is accessible to everyone

$ means that share is hidden. C$ and ETC$ are only available to administrators.

CIFS lookup

In simple words this command translates names into SIDs (Security ID). Usage is simple:
cifs lookup [[user] or [SID]]

SID Cache exist and can be turn on with
options cifs.sidcache.enable on

CIFS shares

To display all shares on a system:
filer> cifs shares

How to access shares

  • Windows net use command
    C:\> net use e: \\filer\regmen /user:boss\regmen
  • Run dialog and type for example '\\filer\C$'
  • Map a drive from GUI.


Unicode is not set on by default. Unicode directories take up more space and are slower on some workloads. When Unicode is set on, then in first access by CIFS directory is transparently converted to Unicode and it’s time consuming. It can be distinguished by two options:
– create_ucode – newly created directories to Unicode
– convert_ucode – all directories are forced to be converted to Unicode when accessed from both NFS or CIFS.

CIFS sessions

There is several ways to view CIFS sessions:

  • cifs sessions [* or [username|IP|host]] with parameters:
    -s for security information
    -t for total count
    -c for names of open directories
  • NetApp OnCommand System Manager
  • Windows OS -> computer management GUI -> System Tools -> Shared Folders -> Sessions

Terminating sessions

cifs terminate -t [time_in_minutes] [host]

CIFS broadcast

Related with sessions, there is a possibility to send message to all users. It’s not available since Windows Server 2008 R2 (Messenger service should be active). But in some older environment it’s still possible to use:
cifs broadcast [workstation] -v volname "message"

Creating a share

To create a share some information is needed:
– complete path name,
– name of the share,
– description of the share (optional),
– maximum number of users simultaneously access the share (optional),
– share level access control list (ACL).

Important: Share can be created for folders, qtrees or volumes.

cifs shares -add share_name /vol/vol_name/qtree_name -comment "Share for my qtree"
by default access control is for Everyone / Full Control

CIFS share deletion

cifs shares -delete share_name
It’s not affecting data in qtree.

CIFS access control

Local Users

– Authenticated locally.
– Associated with groups on the storage system.
– Created and managed using useradmin command or a text editor.
– Saved in /etc/registry or /etc/passwd.

Purpose for local user acccounts:
– Windows workgroups (/etc/registry).
– non-Windows workgroups (Unix).
– Windows domain (if domain controller fail or domain become untrusted).

Info: Local administrator can be created during cifs setup.

Local user on Data ONTAP 7-Mode has some restrictions that need to be meet:
– unique name,
– associate user with group,
– created by useradmin command, when storage system is set to CIFS workgroup authentication.

Local User Management – useradmin user

filer> useradmin user add [username] -g [usergroup] – add user
filer> useradmin user modify [username] -g [usergroup] – modify user
filer> useradmin user list [username] – list detailed user information
filer> useradmin user delete [username] – deleting user

Local Groups

– Contain local and domain users.
– Created by CLI useradmin with CIFS setup.

Local Groups Management – useradmin group

filer> useradmin group add [groupname] -g [usergroup] – add group
filer> useradmin group modify [groupname] -g [usergroup] – modify group
filer> useradmin group list [groupname] – list detailed group information
filer> useradmin group delete [groupname] – deleting group

Share permissions

– Can be set on share level, folder or file level.
– Managed by cifs access command, MMC or OnCommand System Manager.
– Windows share permissions:
Read-Only: Viewing filenames and subfolders, data in files, deleting subfolders and files.
Full Control: Read, Change, changing permissions.
Change: All read permissions, adding files and subfolders, changing data in files, deleting subfolders and files.

CIFS access

filer> cifs access [share_name] [-g] [user_rights] – to modify share access
filer> cifs access -delete [share_name] [-g] [user] – to delete an ACL entry for a user on a share
-g option specifies that user is the name of UNIX group. Use it when you have an UNIX group and a UNIX user, NT user or group with the same name.

File permissions

NTFS file level permissions for folders and files are managed from Windows client only or Group Policy Objects (GPOs).

Access Based Enumeration

By standard folders and files are visible to anyone regardless of whether the user have access to them. To protect names of shared folders or files you can use Access Based Enumeration (ABE). To set:
filer> cifs shares -change [share] [-accessbasedenum | - noaccessbasedenum]
also may be set with -add during share creation.

CIFS domains

Reconfiguring CIFS:
1. cifs terminate to disconnect users and stop CIFS service.
2. cifs setup service will be restarted with new configuration
3. Active Directory
– name of domain,
– time services (NTP),
– AD administrator should add storage system to DC.

Domain administrators

For view all domain administrators:
rdfile /etc/lclgroups.cfg

Domain specific commands

cifs domaininfo
cifs testdc

Preferred DC

Microsoft Active Directory members use a mechanism called site awareness to discover their closest domain controller within AD.
filer> options cifs.site_awareness.enable on|off – enable/disable mechanism on Data ONTAP.
filer> cifs prefdc setting preferred domain
filer> cifs prefdc print display list of preferred domain controllers
filer> cifs prefdc add domain address [address] add preferred DC list.
filer> cifs prefdc delete domain delete preferred domain controller list.

DC ping

DC ping occurs every time the CIFS service starts, every time cifs prefdc executed and every four hours.
Ping order is like this: Preferred -> Favored -> Other

Domain Users

– Created in domain.
– Authenticated by the domain.
– Created with the AD Users and Computer Tool.

Adding Domain Users to Groups

filer> useradmin domainuser add [user] -g [group] – add user.
filer> useradmin domainuser list -g [group] – list domain user in a group.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.