NETAPP UNIVERSITY Clustered Data ONTAP 8.3 Update 3, SMB (CIFS) Enhancements Self-paced Lab Course ID: STRSW-SPL-CDOT83UPD3 Content Version: 1.0 NetApp University - Do Not Distribute

© 2014 NetApp, Inc. This material is intended only for training. Reproduction is not authorized.

ATTENTION

The information contained in this course is intended only for training. This course contains information and activities that, while beneficial for the purposes of training in a closed, non-production environment, can result in downtime or other severe consequences in a production environment. This course material is not a technical reference and should not, under any circumstances, be used in production environments. To obtain reference materials, refer to the NetApp product documentation that is located at http://now.netapp.com/.

COPYRIGHT

© 2014 NetApp, Inc. All rights reserved. Printed in the U.S.A. Specifications subject to change without notice.

No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of NetApp, Inc.

U.S. GOVERNMENT RIGHTS

Commercial Computer Software. Government users are subject to the NetApp, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

TRADEMARK INFORMATION

NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Customer Fitness, CyberSnap, Data ONTAP, DataFort, FilerView, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexVol, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore, OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, and WAFL are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries.

Other product and service names might be trademarks of NetApp or other companies. A current list of NetApp trademarks is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.

CLUSTERED DATA ONTAP 8.3 UPDATE 3: SMB (CIFS) ENHANCEMENTS

EXERCISE

In this exercise, you explore the SMB enhancement that is built into clustered Data ONTAP 8.3.

NOTE: In general, the terms “SMB” and “CIFS” refer to the same network file sharing protocol. The CIFS protocol is an implementation of the SMB protocol. In this exercise, the term SMB is used in all cases except when referring to UI in which the term “CIFS” appears.

In this exercise, you configure svm1 in cluster1 as an SMB server. You use the Microsoft Management Console (MMC) tool called Computer Management to configure a share for svm1. MMC is supported in clustered Data ONTAP 8.3 and later. Then you configure claims-based authentication, which is available within Microsoft Dynamic Access Control (DAC).

Administrators who use DAC do not need to create thousands of groups to control access; instead, they can define claims based on classified data. For more information regarding DAC, please see Microsoft’s TechNet: http://technet.microsoft.com/en-us/library/dn408191.aspx

NOTE: This is a simulated environment. The clustered Data ONTAP 8.3 Simulators are not high-availability (HA) pairs. This is not a supported configuration. The only non-high-availability configuration that is supported is a single-node cluster.

FEATURED NETAPP PRODUCTS

Clustered Data ONTAP 8.3

OnCommand System Manager

KEY FEATURES TO DEMONSTRATE

DAC support

MMC support

HIGH-LEVEL VALUE PROPOSITION

Clustered Data ONTAP 8.3 provides support for DAC and claim-based authentication.

Clustered Data ONTAP 8.3 provides support for the MMC.

OBJECTIVES

By the end of this exercise, you should be able to:

Configure an SMB server in svm1 of cluster1

Use the MMC to configure svm1

Enable DAC in svm1 of cluster1

Create two claim types

Create two resource properties for the svm1 server

Create a central access rule and a central access policy

Create a GPO to deploy a central access policy

Apply the central access policy to content

Create user accounts to test DAC

Test the effective permissions provided by DAC

EXERCISE ENVIRONMENT

This environment consists of:

Windows Server 2012 R2 Active Directory

Two-node cluster: cluster1

HOST NAME           IP ADDRESS       USER NAME       PASSWORD
w2k12               192.168.0.11     administrator   Netapp123
cluster1            192.168.0.50     admin           Netapp123
cluster1-01         192.168.0.51     admin           Netapp123
cluster1-02         192.168.0.52     admin           Netapp123
svm1 (admin LIF)    192.168.0.110    vsadmin         Netapp123
svm1 (SMB LIF)      192.168.0.111    N/A             N/A

NOTE: This table lists only the lab components. Please refer to the tasks that follow for the detailed steps.

[Figure: lab topology showing W2k12 and the two nodes of cluster1, each node with ports e0a, e0b, e0c, and e0d]

TASK 1: CONFIGURE A CIFS SERVER IN SVM1 OF CLUSTER1

In this task, you configure SVM1 as an SMB server. Then you create a volume in svm1’s namespace. Finally, you create a new logical interface (LIF) to handle the SMB traffic.

STEP ACTION

1. Verify that you see the Modern view of your assigned Windows server.

2. Click the Desktop tile.

3. Verify that you see the administrator desktop.

4. On the administrator desktop, open Internet Explorer.

5. In the URL textbox of Internet Explorer, enter this URL: https://192.168.0.50/

6. When the Certificate Error page appears, click Continue to this website (not recommended).

7. Verify that OnCommand System Manager for your assigned cluster appears in the browser.

8. Use the following credentials to authenticate with your cluster:

User Name: admin

Password: Netapp123

9. Click Sign In.

10. Verify that the System Manager interface appears.

11. NOTE: In a previous course, a storage virtual machine named svm1 was created to support SMB, but no data LIF was configured for svm1.

Select Cluster > cluster1 > Configuration > Network.

12. Click the Network Interfaces tab.

13. Click Create.

14. In the Create Network Interface dialog box, enter these settings:

Name: svm1_cifs_lif1

Interface Role: Serves Data

SVM: svm1

Protocol Access: CIFS

Management Access: Clear checkbox

Subnet: sn-SVM1

Port: cluster1-02:e0d

15. Click Create.

16. Verify that the interface was created.

17. Select Storage Virtual Machines > cluster1.

NOTE: In a previous course, a storage virtual machine named svm1 was created to support SMB, but the SMB server was not configured.

18. Configure the CIFS protocol

Select Storage Virtual Machines > cluster1 > svm1 > Configuration > Protocols > CIFS.

19. Click Setup.

20. In the CIFS Server Setup dialog box, enter these settings:

NetBIOS Name: svm1

Domain: learn.netapp.local

Organizational Unit: CN=Computers

User Name: Administrator

Password: Netapp123

21. Click Setup.

22. Verify that the SMB server is configured and started.

23. Select Storage Virtual Machines > cluster1 > svm1 > Storage > Volumes.

24. Click Create.

25. In the Create Volume dialog box, enter these settings:

Name: svm1_vol1

Aggregate: n1_aggr1

Storage Type: NAS

Size: 1 GB

Snapshot Reserve: 5%

Thin Provisioned: Clear checkbox

26. Click Create.

27. Verify that the volume was created.

28. Select Storage Virtual Machines > cluster1 > svm1 > Storage > Namespace.

29. Verify that the volume was mounted under the root of svm1.

TASK 2: USE MMC TO CONFIGURE SVM1

In this task, you use the MMC tool called Computer Management to configure a share for the volume that you created in the previous task. You grant full control to everyone because permissions will be handled by a central access policy.

STEP ACTION

1. On the administrator desktop, open Server Manager.

2. Verify that the Server Manager tool started.

3. In the Tools menu, select Computer Management.

4. Verify that the Computer Management tool started.

5. In the Action menu, select Connect to another computer.

6. In the Select Computer dialog box, enter svm1.

7. Verify that Computer Management is connected to svm1.

8. Select Computer Management (SVM1) > System Tools > Shared Folders > Shares.

9. In the Action menu, select New Share.

10. Verify that the Create a Shared Folder Wizard has started.

11. Click Next.

12. Click the Browse button to select this folder path: C:\svm1_vol1.

13. Click Next.

14. Accept the default name.

15. Click Next.

16. Select Customize permissions.

17. Click Custom.

18. With the group or user name Everyone selected, select the Allow checkbox for Full Control.

NTFS permissions and DAC work together. Of the two methods, the one that grants the least access is used. When the share is set so that everyone has full control, the claims-based authentication determines the effective permission.

19. Click OK.

20. Click Finish.

21. Click Finish to close the wizard.

22. Verify that the share was created.

23. On the administrator desktop, open Windows Explorer.

24. Verify that Windows Explorer is open.

25. Select Computer > Map a Drive.

26. In the Map Network Drive dialog box, enter these settings:

Drive: Z

Folder: \\svm1\svm1_vol1

27. Click Finish.

The share location should appear.

TASK 3: ENABLE DAC ON SVM1 OF CLUSTER1

In this task, you enable DAC on SVM1. By default, the DAC service is disabled on Data ONTAP. If this feature is not enabled on the storage virtual machine (SVM), an error message indicates that attribute values cannot be applied.

STEP ACTION

1. On your Windows desktop, double-click the “link to PuTTY” icon.

2. Verify that the PuTTY window opens.

3. Select the cluster1-mgmt saved session.

4. Click Load.

5. Click Open to start the session.

6. Verify that you see the login prompt.

login as:

7. Use the following credentials to authenticate with your cluster:

User Name: admin

Password: Netapp123

8. Verify that the command prompt appears.

cluster1::>

9. Change to advanced privilege.

cluster1::> set -privilege advanced

Sample output:

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.

10. Confirm the warning message by entering y.

Do you want to continue? {y|n}: y

11. Enter this command to display the CIFS options for svm1:

cluster1::*> vserver cifs options show

Sample output:

Vserver: svm1
Client Session Timeout: 900
Copy Offload Enabled: true
Default Unix Group: -
Default Unix User: pcuser
Direct-Copy Copy Offload Enabled: true
Export Policies Enabled: false
Is DAC Enabled: false
Is Fake Open Support Enabled: true
Is Local Auth Enabled: true
Is Local Users and Groups Enabled: true
Is Referral Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
Is UNIX Extensions Enabled: false
Is Use Junction as Reparse Point Enabled: true
Max Multiplex Count: 255
NT ACLs on UNIX Security Style Volumes Enabled: true
Read Grants Exec: disabled
Read Only Delete: disabled
Reported File System Sector Size: 4096
Restrict Anonymous: no-restriction
Shadowcopy Dir Depth: 5
Shadowcopy Enabled: true
SMB2 Enabled: true
SMB3 Enabled: true
WINS Servers: -

12. Enter this command to enable DAC on svm1:

cluster1::*> vserver cifs options modify -vserver svm1 -is-dac-enabled true

Sample output:

Warning: Once DAC is enabled, the file system can contain ACLs with DAC-related entries. If DAC is disabled, these entries remain in use, but new ones will not be allowed. If the system is reverted, the DAC ACEs will be ignored in file access checks. You may need to re-ACL these files to restore their previous level of security.

13. Confirm the warning message by entering y.

Continue? {y|n}: y

14. Enter this command to confirm the change:

cluster1::*> vserver cifs options show

Sample output:

Vserver: svm1
Client Session Timeout: 900
Copy Offload Enabled: true
Default Unix Group: -
Default Unix User: pcuser
Direct-Copy Copy Offload Enabled: true
Export Policies Enabled: false
Is DAC Enabled: true
Is Fake Open Support Enabled: true
Is Local Auth Enabled: true
Is Local Users and Groups Enabled: true
Is Referral Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
Is UNIX Extensions Enabled: false
Is Use Junction as Reparse Point Enabled: true
Max Multiplex Count: 255
NT ACLs on UNIX Security Style Volumes Enabled: true
Read Grants Exec: disabled
Read Only Delete: disabled
Reported File System Sector Size: 4096
Restrict Anonymous: no-restriction
Shadowcopy Dir Depth: 5
Shadowcopy Enabled: true
SMB2 Enabled: true
SMB3 Enabled: true
WINS Servers: -
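Steps 11 and 14 compare the two outputs by eye. The following added example (not part of the NetApp lab) parses two saved captures of `vserver cifs options show` and confirms that `Is DAC Enabled` is the only option that changed. The sample text is a constructed, abridged copy of the outputs above, and the function names are hypothetical.

```python
# Added example: diff two captures of "vserver cifs options show".
# Function names are hypothetical; nothing here talks to a cluster.

# Constructed sample input: abridged copies of the sample outputs on this page.
BEFORE = """\
cluster1::*> vserver cifs options show
Vserver: svm1
Client Session Timeout: 900
Default Unix Group: -
Default Unix User: pcuser
Export Policies Enabled: false
Is DAC Enabled: false
Restrict Anonymous: no-restriction
SMB2 Enabled: true
SMB3 Enabled: true
WINS Servers: -
"""
AFTER = BEFORE.replace("Is DAC Enabled: false", "Is DAC Enabled: true")


def parse_cifs_options(text):
    """Return {vserver: {option: value}} from 'Option Name: value' lines."""
    options = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if "::" in line:
            continue  # CLI prompt line such as "cluster1::*> ..."
        # Option names contain spaces and hyphens but no colon,
        # so the first colon separates the name from the value.
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not value:
            continue  # blank line or a label such as "Sample output:"
        if name == "Vserver":
            current = options.setdefault(value, {})
        elif current is None:
            raise ValueError(f"option {name!r} appears before any Vserver line")
        else:
            current[name] = value
    return options


def diff_options(before, after):
    """Return {vserver: {option: (old, new)}} for every option that differs."""
    changes = {}
    for vserver in sorted(set(before) | set(after)):
        old, new = before.get(vserver, {}), after.get(vserver, {})
        delta = {
            key: (old.get(key), new.get(key))
            for key in sorted(set(old) | set(new))
            if old.get(key) != new.get(key)
        }
        if delta:
            changes[vserver] = delta
    return changes


def only_expected_change(before, after, vserver, option, new_value):
    """True when exactly one option changed, and it changed to new_value."""
    old_value = before.get(vserver, {}).get(option)
    return diff_options(before, after) == {vserver: {option: (old_value, new_value)}}


if __name__ == "__main__":
    b, a = parse_cifs_options(BEFORE), parse_cifs_options(AFTER)
    for vserver, delta in diff_options(b, a).items():
        for option, (old, new) in delta.items():
            print(f"{vserver}: {option}: {old} -> {new}")
    print("only DAC changed:", only_expected_change(b, a, "svm1", "Is DAC Enabled", "true"))
```

Any additional line in the diff means an option other than DAC changed between the two captures and should be reviewed.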

TASK 4: CREATE TWO CLAIM TYPES

In this task, you prepare Active Directory for claims-based authentication and DAC. You add two existing Active Directory attributes to the list of attribute values that are used when evaluating DAC. The user’s country value and department value are part of the calculation that determines whether a user has access to specific files.

STEP ACTION

1. Open Server Manager.

2. In the Tools menu, select Active Directory Administrative Center.

3. Verify that the Active Directory Administrative Center tool is open.

4. In the left pane, select Dynamic Access Control > Claim Types.

5. In the right pane, select New and then Claim Type.

6. In the Source Attribute list, select the Display Name department.

7. Click OK.

8. In the right pane, select New and then Claim Type.

9. In the Source Attribute list, select the Display Name c.

10. Scroll down to Suggested Values.

Under Suggested Values, select The following values are suggested.

11. Click Add.

12. In the Value and Display name boxes, type US.

13. Click OK.

14. Click Add.

15. In the Value and Display name boxes, type CA.

16. Click OK.

17. Click OK.

18. Verify that two new Claim Types were created.

TASK 5: CREATE TWO RESOURCE PROPERTIES FOR THE SVM1 SERVER

In this task, you configure the properties that will be downloaded by file servers and used to classify files. Future DAC rules will compare user attribute values with resource properties. The list of resource properties is predefined by Microsoft as a starter set of properties that can be used by most organizations. You can enable existing properties or create new ones. You will add a resource property to match the country claim, and then enable the existing department property to match the department claim. Each resource property must be added to at least one resource property list before it is downloaded by file servers. The global resource property list is downloaded by all file servers; however, individual lists can be created and delivered to specific file servers using Group Policy.

STEP ACTION

1. In the left pane, select Dynamic Access Control > Resource Properties.

2. In the right pane, select New and then Resource Property.

3. For the Display name, type Country.

4. In the Suggested Values Pane, click Add.

5. For the Value and Display name boxes, type US.

6. Click OK.

7. In the Suggested Values Pane, click Add.

8. In the Value and Display name boxes, type CA.

9. Click OK.

10. Click OK.

11. In the left pane, select Dynamic Access Control > Resource Properties.

12. Select the Department_MS ID property.

13. In the right pane, click Enable.

14. In the left pane, select Dynamic Access Control > Resource Property Lists.

15. In the right pane, click Add resource properties.

16. Select Country and Department, and then click the Add button (>>).

17. Click OK.

TASK 6: CREATE A CENTRAL ACCESS RULE AND A CENTRAL ACCESS POLICY

In this task, you create a new central access rule. This is similar to an access control list (ACL) in that it describes which conditions must be met for file access to be granted. A central access policy is a group of rules that are enforced as a unit. A file or folder can have only one central access policy applied to it.

In this specific rule, you will require that the following condition be met before access is granted: the user account's department and country attributes must match the values of the file's department and country attributes. You will add the new rule to a central access policy.

STEP ACTION

1. In the left pane, select Dynamic Access Control > Central Access Rules.

2. In the right pane, select New and then Central Access Rule.

3. In the Name box, type Department-Country-Match-Required.

4. Under Target Resources, click Edit.


5. Click Add a condition.

6. Add the condition Resource Department Exists.

7. Click Add a condition.

8. Add the condition Resource Country Exists.

9. Click OK.


10. Select Use following permissions as current permissions.

This setting enforces DAC. The default setting creates audit log entries and is used before implementation for impact analysis.

11. Click Edit.

12. Click Add.


13. Click Select a principal.

14. Enter Authenticated Users and click Check Names.

15. Click OK.


16. In the Permission Entry for Permissions dialog box, enter these settings:

Principal: Authenticated Users

Type: Allow

Basic permissions: Full Control

Condition 1: User c Equals Resource Country

Condition 2: User Department Equals Resource Department

NOTE: In creating this rule, the list of attributes used for claim types generates the list of attributes for the user. The list of enabled resource properties generates the list of attributes for the resource.

17. Click OK.

18. Click OK.


19. Click OK.

20. Verify that the characteristics of the new central access rule are correct.


21. In the left pane, select Dynamic Access Control > Central Access Policies.

22. In the right pane, select New and then Central Access Policy.

23. In the Create Central Access Policy dialog box, enter these settings:

Name: SVM1 File Server Policy

Rule: Department-Company-Match-Required (Click the Add button.)

24. Click OK.


25. Verify that the new policy was created.

TASK 7: CREATE A GROUP POLICY OBJECT TO DEPLOY A CENTRAL ACCESS POLICY

In this task, you create a new group policy object (GPO) to deliver the central access policy to your file servers. This makes the policy available but does not enforce it on individual files or folders. You enable Kerberos armoring for domain controllers to ensure that Kerberos tickets contain the required claims information, which the file servers can then evaluate.

STEP ACTION

1. Open Server Manager.

2. In the Tools menu, select Group Policy Management.

3. Select Group Policy Management > Forest: learn.netapp.local > Domains > learn.netapp.local.


4. In the Action menu, select Create a GPO in this domain and link it here.

5. Name the GPO Dynamic Access Control Policy.

6. Click OK.

7. Expand the Domains > learn.netapp.local folder.

8. Select the Dynamic Access Control Policy GPO, and then click OK.


9. Under Security Filtering, select Authenticated Users.

10. Click Remove.

11. Click OK to confirm the warning message.

12. Click Add.

13. Click Object Types, check Computer, and then click OK.


14. For the object name, enter SVM1.

15. Click OK.

16. In the left pane, right-click the Dynamic Access Control Policy GPO and select Edit.

17. Select Dynamic Access Control Policy > Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy.

18. In the Action menu, click Manage Central Access Policies.


19. Add the SVM1 File Server Policy to the applicable policies.

20. Click OK.

21. Verify that the central access policy was added to the GPO.

22. Close the Group Policy Management Editor tool.

23. In the left pane, select the Default Domain Policy.

24. Click OK to confirm the warning message.


25. In the left pane, right-click the Default Domain Policy GPO and select Edit.

26. Select Default Domain Policy > Computer Configuration > Policies > Administrative Templates > System > KDC.

27. Double-click KDC Support for claims, compound authentication, and Kerberos armoring.

28. Select Enabled.

29. Click OK.


30. Select Default Domain Policy > Computer Configuration > Policies > Administrative Templates > System > Kerberos.

31. Double-click Kerberos client support for claims, compound authentication, and Kerberos armoring.

32. Select Enabled.

33. Click OK.

34. Close the Group Policy Management Editor tool.

35. Close the Group Policy Management tool.


TASK 8: APPLY THE CENTRAL ACCESS POLICY TO CONTENT

In this task, you verify that the file server role is enabled. You then refresh the local Windows server and cluster1 to apply the new GPO that deploys the central access policy. You then configure a folder of sample content on the SVM1 share and set the default values on the content.

NOTE: On a production system, this classification process can be accomplished with scripts.

STEP ACTION

1. Open Server Manager.

2. Click Add Roles and Features.

3. Click Next until you see the Select server roles page.

4. In the list of roles, under File and Storage Services, and within the File and iSCSI Services group, select File Server Resource Manager.


5. Click Add Features.

6. Verify that File Server Resource Manager is selected.

7. Click Next.

8. Click Next.


9. Click Install.

10. Wait a few minutes and, after the manager is installed, click Close.


11. On the administrator desktop, open Windows PowerShell.

12. Enter the following command to ensure that the central policy defined by the Dynamic Access Control Policy GPO is applied to the system:

PS C:\> GPUpdate /Force

NOTE: Under normal circumstances, the regular group policy refresh would perform this step.

13. Verify that the script returns confirmation that the computer and user policy update was completed successfully.

14. Open a PuTTY session to cluster1-mgmt.

15. Enter this command to see whether GPO service is enabled on svm1:

cluster1::> vserver cifs group-policy show

Sample output:

Vserver GPO Status

-------------- ----------

svm1 disabled

16. Enter this command to enable the GPO service:

cluster1::> vserver cifs group-policy modify -vserver svm1 -status enabled


17. Enter this command to verify that GPO service is now enabled on svm1:

cluster1::> vserver cifs group-policy show

Sample output:

Vserver GPO Status

-------------- ----------

svm1 enabled

18. Enter this command to force an update of all GPOs:

cluster1::> vserver cifs group-policy update -vserver svm1 -force-reapply-all-settings true

19. Enter this command to verify that the central access policy GPO is visible to the SVM:

cluster1::> vserver cifs group-policy show-defined -vserver svm1

Sample output:

Vserver: svm1

-----------------------------

GPO Name: Dynamic Access Control Policy

Level: Domain

Status: enabled

Advanced Audit Settings:

Object Access:

Central Access Policy Staging: -

Restricted Groups:

-

Central Access Policy Settings:

Policies: SVM1 File Server Policy


20. Enter this command to verify that the central access policy GPO is applied to the SVM:

cluster1::> vserver cifs group-policy show-applied -vserver svm1

Troubleshooting:

If the command does not return the correct output, you might:

a. Issue the vserver cifs group-policy update command.

b. Wait about two minutes.

Sample output:

Vserver: svm1

-----------------------------

GPO Name: Dynamic Access Control Policy

Level: Domain

Status: enabled

Advanced Audit Settings:

Object Access:

Central Access Policy Staging: -

Restricted Groups:

-

Central Access Policy Settings:

Policies: SVM1 File Server Policy

21. Enter this command to verify that the central access policy is visible to the SVM:

cluster1::> vserver cifs group-policy central-access-policy show-defined -vserver svm1

Sample output:

Vserver Name SID

---------- -------------------- -----------------------------------------------

svm1 C1SVM1 File Server Policy

S-1-17-2284269451-1118572613-2139631292-188622639

Description:

Creation Time: Fri Aug 08 22:53:06 2014

Modification Time: Fri Aug 08 22:53:06 2014

Member Rules: Department-Country-Match-Required


22. Enter this command to verify that the central access policy is applied to the SVM:

cluster1::> vserver cifs group-policy central-access-policy show-applied -vserver svm1

Sample output:

Vserver Name SID

---------- -------------------- -----------------------------------------------

svm1 C1SVM1 File Server Policy

S-1-17-2284269451-1118572613-2139631292-188622639

Description:

Creation Time: Fri Aug 08 22:53:06 2014

Modification Time: Fri Aug 08 22:53:06 2014

Member Rules: Department-Country-Match-Required

23. Enter this command to verify that the central access rule is visible to the SVM:

cluster1::> vserver cifs group-policy central-access-rule show-defined -vserver svm1

Sample output:

Vserver Name

---------- --------------------

svm1 Department-Country-Match-Required

Description:

Creation Time: Fri Aug 08 22:49:25 2014

Modification Time: Fri Aug 08 22:49:25 2014

Current Permissions:

O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;FA;;;AU;((@USER.ad://ext/c:88d18a34307ec14f == @RESOURCE.Country_88d1816f53f24f89) && (@USER.ad://ext/department:88d18155cbcf2738 == @RESOURCE.Department_MS)))

Target Resources: ((Exists @RESOURCE.Department_MS) && (Exists @RESOURCE.Country_88d1816f53f24f89))


24. Enter this command to verify that the central access rule is applied to the SVM:

cluster1::> vserver cifs group-policy central-access-rule show-applied -vserver svm1

Sample output:

Vserver Name

---------- --------------------

svm1 Department-Country-Match-Required

Description:

Creation Time: Fri Aug 08 22:49:25 2014

Modification Time: Fri Aug 08 22:49:25 2014

Current Permissions:

O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;FA;;;AU;((@USER.ad://ext/c:88d18a34307ec14f == @RESOURCE.Country_88d1816f53f24f89) && (@USER.ad://ext/department:88d18155cbcf2738 == @RESOURCE.Department_MS)))

Target Resources: ((Exists @RESOURCE.Department_MS) && (Exists @RESOURCE.Country_88d1816f53f24f89))

25. On the administrator desktop, double-click the shortcut named CourseFiles.

26. Copy the folder named Departments.


27. Paste the Departments folder into the Z:\ drive.

NOTE: Remember that this is on cluster1’s svm1.

28. Select Z:\Departments\.


29. Right-click Finance and select Properties.

30. Click the Classification tab.

Troubleshooting: If the Properties list is empty, you might:

a. Run the vserver cifs group-policy update command.

b. Wait about two minutes.


31. For the Department property, select Finance.

32. Click Apply.

33. Click the Security tab.

34. Click Advanced.


35. Notice the Central Policy tab.

Troubleshooting:

If the Central Policy tab is not present, then the GPO and central access policy with rules were not applied to the SVM. Go back and verify that they were applied.

36. Click the Central Policy tab.

37. Click Change.


38. Select the SVM1 File Server Policy applied to This Folder, subfolders, and files.

39. Click OK to close the Advanced Security Settings for Finance dialog box.

40. Click OK to close the Finance Properties dialog box.

41. Repeat steps 28-40 with the HR folder, with these differences:

a. Set the Department property to Human Resources.

b. Set the Central Policy to SVM1 File Server Policy applied to This Folder, subfolders, and files.


42. In Windows Explorer, select Z:\Departments\HR.

43. Right-click CA-Employee1 and select Properties.

44. Click the Classification tab.

45. Assign the Country property to CA.

46. Click OK.


47. Repeat steps 42-46 with the US-Employee1 file and set the Country property to US.

TASK 9: CREATE USER ACCOUNTS TO TEST DAC

In this task, you create two users: betty and bob. Betty works in the Human Resources department in the Canadian branch of the company. Bob works in the Human Resources department in the United States branch of the company. Optionally, you could create other users in other locations and departments to test other security scenarios.

STEP ACTION

1. Open Server Manager.

2. In the Tools menu, select Active Directory Administrative Center.

3. In the left pane, select learn (local) > Users.

4. In the right pane, under the Users section, select New > User.


5. In the Create User dialog box, enter these settings:

Full name: betty

User SamAccount: betty

Password: Netapp123

Confirm password: Netapp123

Password options: Other password options

Password never expires: Select checkbox

User cannot change password: Select checkbox

Under Organization, Department: Human Resources

Under Organization, Country/Region: Canada

6. Click OK.

7. In the right pane, under the Users section, select New > User.


8. In the Create User dialog box, enter these settings:

Full name: bob

User SamAccount: bob

Password: Netapp123

Confirm password: Netapp123

Password options: Other password options

Password never expires: Select checkbox

User cannot change password: Select checkbox

Under Organization, Department: Human Resources

Under Organization, Country/Region: United States

9. Click OK.


10. Verify that the user accounts betty and bob were created.

11. Close the Active Directory Administrative Center tool.


TASK 10: TEST THE EFFECTIVE PERMISSIONS THAT DAC PROVIDES

In this task, you test the central policy rule applied to the SVM. You will notice that folders have no security limitations; however, individual files have limitations. You use the Betty and Bob user accounts created in the previous task to test the effective permissions of storage objects.

STEP ACTION

1. Select Z:\.

2. Right-click Departments and select Properties.

3. Click the Security tab.

4. Click Advanced.


5. Click the Effective Access tab.

6. Click Select a user.

7. Enter betty and then click OK.

8. Click View effective access.


9. After a moment, scroll down and verify that betty has access to this folder.

10. Click OK to close the Advanced Security Settings for Departments dialog box.

11. Click OK to close the Departments Properties dialog box.

12. Select Z:\Departments\HR.

13. Right-click CA-Employee1 and select Properties.


14. Click the Security tab.

15. Click Advanced.

16. Click the Effective Access tab.

17. Click Select a user.

18. Enter betty and then click OK.


19. Click View effective access.

20. After a moment, scroll down and verify that betty has access to this folder.

21. Click Select a user.

22. Enter bob and then click OK.

23. Click View effective access.


24. After a moment, scroll down and verify that bob does not have access to this folder.

25. Explore on your own more of the effective permissions and the power that NetApp and Microsoft bring to remote storage.
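The Department-Country-Match-Required rule that Tasks 6 through 10 build and test can be modelled offline. The Python below is an added example, not part of the lab or of Data ONTAP: it parses the Target Resources and conditional ACE expressions from the show-applied sample output and evaluates them for betty, bob, and a token with no claims. The claim values stored for each user, the Department value on the file, and all function names are assumptions marked in the comments.

```python
import re

# Rule strings copied from the lab's central-access-rule show-applied sample output,
# joined onto one line. The unconditional ACEs for OW, BA and SY are not modelled.
TARGET_RESOURCES = ("((Exists @RESOURCE.Department_MS) && "
                    "(Exists @RESOURCE.Country_88d1816f53f24f89))")
ACCESS_CONDITION = (
    "((@USER.ad://ext/c:88d18a34307ec14f == @RESOURCE.Country_88d1816f53f24f89) && "
    "(@USER.ad://ext/department:88d18155cbcf2738 == @RESOURCE.Department_MS))")
USER_COUNTRY = "ad://ext/c:88d18a34307ec14f"
USER_DEPARTMENT = "ad://ext/department:88d18155cbcf2738"

_TOKEN = re.compile(r"\(|\)|&&|==|Exists\b|@(?:USER|RESOURCE)\.[^\s()=&]+")


def tokenize(text):
    tokens = _TOKEN.findall(text)
    # Anything findall skipped (an operator this sketch does not support) is an error.
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError("unsupported syntax in conditional expression")
    return tokens


def evaluate(expression, user, resource):
    """Recursive descent over: expr := term ('&&' term)*."""
    tokens, pos = tokenize(expression), 0
    scopes = {"USER": user, "RESOURCE": resource}

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        token = peek()
        if token is None or (expected is not None and token != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {token!r}")
        pos += 1
        return token

    def attribute():
        token = take()
        if not token.startswith("@"):
            raise ValueError(f"expected an attribute reference, got {token!r}")
        scope, name = token[1:].split(".", 1)
        return scopes[scope].get(name)  # None when the attribute is absent

    def term():
        if peek() == "(":
            take("(")
            result = expr()
            take(")")
            return result
        if peek() == "Exists":
            take("Exists")
            return attribute() is not None
        left = attribute()
        take("==")
        right = attribute()
        # Simplification: a missing attribute makes the comparison False.
        return left is not None and left == right

    def expr():
        result = term()
        while peek() == "&&":
            take("&&")
            right = term()  # always parse the right side to consume its tokens
            result = result and right
        return result

    result = expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return result


def rule_applies(resource):
    """True when the resource has both properties named in Target Resources."""
    return evaluate(TARGET_RESOURCES, {}, resource)


def effective_access(user, resource, file_acl_allows=True):
    """Access needs the file's own ACL and, when targeted, the rule as well."""
    if not file_acl_allows:
        return False
    if not rule_applies(resource):
        return True  # rule not targeted: only the file's own ACL decides
    return evaluate(ACCESS_CONDITION, user, resource)


# Constructed sample data. Assumptions: Country/Region "Canada" and "United States" are
# stored as "CA" and "US", and CA-Employee1 carries the HR folder's Department value.
BETTY = {USER_COUNTRY: "CA", USER_DEPARTMENT: "Human Resources"}
BOB = {USER_COUNTRY: "US", USER_DEPARTMENT: "Human Resources"}
NO_CLAIMS = {}  # a token that carries no user claims
CA_EMPLOYEE1 = {"Department_MS": "Human Resources", "Country_88d1816f53f24f89": "CA"}
HR_FOLDER = {"Department_MS": "Human Resources"}  # no Country on the folder

if __name__ == "__main__":
    for name, user in (("betty", BETTY), ("bob", BOB), ("no claims", NO_CLAIMS)):
        print(name, effective_access(user, CA_EMPLOYEE1), effective_access(user, HR_FOLDER))
```

The HR folder has no Country property, so the Target Resources condition excludes it and the rule never restricts it, which is why Task 10 shows folders open while individual files are limited.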

END OF EXERCISE
