NETAPP UNIVERSITY
Clustered Data ONTAP 8.3 Update 3, SMB (CIFS) Enhancements Self-paced Lab Course ID: STRSW-SPL-CDOT83UPD3 Content Version: 1.0
NetApp University - Do Not Distribute
E-2 Clustered Data ONTAP 8.3 Update 3, SMB (CIFS) Enhancements: Welcome
© 2014 NetApp, Inc. This material is intended only for training. Reproduction is not authorized.
ATTENTION
The information contained in this course is intended only for training. This course contains information and activities that, while beneficial for the purposes of training in a closed, non-production environment, can result in downtime or other severe consequences in a production environment. This course material is not a technical reference and should not, under any circumstances, be used in production environments. To obtain reference materials, refer to the NetApp product documentation that is located at http://now.netapp.com/.
COPYRIGHT
© 2014 NetApp, Inc. All rights reserved. Printed in the U.S.A. Specifications subject to change without notice.
No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of NetApp, Inc.
U.S. GOVERNMENT RIGHTS
Commercial Computer Software. Government users are subject to the NetApp, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
TRADEMARK INFORMATION
NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Customer Fitness, CyberSnap, Data ONTAP, DataFort, FilerView, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexVol, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore, OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, and WAFL are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries.
Other product and service names might be trademarks of NetApp or other companies. A current list of NetApp trademarks is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.
CLUSTERED DATA ONTAP 8.3 UPDATE 3: SMB (CIFS) ENHANCEMENTS
EXERCISE
In this exercise, you explore the SMB enhancement that is built into clustered Data ONTAP 8.3.
NOTE: In general, the terms “SMB” and “CIFS” refer to the same network file sharing protocol. The CIFS
protocol is an implementation of the SMB protocol. In this exercise, the term SMB is used in all cases except
when referring to UI in which the term “CIFS” appears.
In this exercise, you configure svm1 in cluster1 as an SMB server. You use the Microsoft Management Console
(MMC) tool called Computer Management to configure a share for svm1. MMC is supported in clustered
Data ONTAP 8.3 and later. Then you configure claims-based authentication, which is available within
Microsoft Dynamic Access Control (DAC).
Administrators who use DAC do not need to create thousands of groups to control access; instead, they can
define claims based on classified data. For more information regarding DAC, please see Microsoft’s TechNet:
http://technet.microsoft.com/en-us/library/dn408191.aspx
NOTE: This is a simulated environment. The clustered Data ONTAP 8.3 Simulators are not high-availability
(HA) pairs. This is not a supported configuration. The only non-high-availability configuration that is
supported is a single-node cluster.
FEATURED NETAPP PRODUCTS
Clustered Data ONTAP 8.3
OnCommand System Manager
KEY FEATURES TO DEMONSTRATE
DAC support
MMC support
HIGH-LEVEL VALUE PROPOSITION
Clustered Data ONTAP 8.3 provides support for DAC and claims-based authentication.
Clustered Data ONTAP 8.3 provides support for the MMC.
OBJECTIVES
By the end of this exercise, you should be able to:
Configure an SMB server in svm1 of cluster1
Use the MMC to configure svm1
Enable DAC in svm1 of cluster1
Create two claim types
Create two resource properties for the svm1 server
Create a central access rule and a central access policy
Create a GPO to deploy a central access policy
Apply the central access policy to content
Create user accounts to test DAC
Test the effective permissions provided by DAC
EXERCISE ENVIRONMENT
This environment consists of:
Windows Server 2012 R2 Active Directory
Two-node cluster: cluster1
HOST NAME          IP ADDRESS      USER NAME       PASSWORD
w2k12              192.168.0.11    administrator   Netapp123
cluster1           192.168.0.50    admin           Netapp123
cluster1-01        192.168.0.51    admin           Netapp123
cluster1-02        192.168.0.52    admin           Netapp123
svm1 (admin LIF)   192.168.0.110   vsadmin         Netapp123
svm1 (SMB LIF)     192.168.0.111   N/A             N/A
NOTE: This table lists only the lab components. Please refer to the tasks that follow for the detailed steps.
[Figure: lab topology. W2k12 is connected to the two cluster1 nodes; each node exposes ports e0a, e0b, e0c, and e0d.]
TASK 1: CONFIGURE A CIFS SERVER IN SVM1 OF CLUSTER1
In this task, you configure SVM1 as an SMB server. Then you create a volume in svm1’s namespace. Finally,
you create a new logical interface (LIF) to handle the SMB traffic.
STEP ACTION
1. Verify that you see the Modern view of your assigned Windows server.
2. Click the Desktop tile.
3. Verify that you see the administrator desktop.
4. On the administrator desktop, open Internet Explorer.
5. In the URL textbox of Internet Explorer, enter this URL: https://192.168.0.50/
6. When the Certificate Error page appears, click Continue to this website (not recommended).
7. Verify that OnCommand System Manager for your assigned cluster appears in the browser.
8. Use the following credentials to authenticate with your cluster:
User Name: admin
Password: Netapp123
9. Click Sign In.
10. Verify that the System Manager interface appears.
11. NOTE: In a previous course a storage virtual machine named svm1 was created to support
SMB, but no data LIF was configured for svm1.
Select Cluster > cluster1 > Configuration > Network.
12. Click the Network Interfaces tab.
13. Click Create.
14. In the Create Network Interface dialog box, enter these settings:
Name: svm1_cifs_lif1
Interface Role: Serves Data
SVM: svm1
Protocol Access: CIFS
Management Access: Clear checkbox
Subnet: sn-SVM1
Port: cluster1-02:e0d
15. Click Create.
16. Verify that the interface was created.
17. Select Storage Virtual Machines > cluster1.
NOTE: In a previous course, a storage virtual machine named svm1 was created to support
SMB, but the SMB server was not configured.
18. Configure the CIFS protocol:
Select Storage Virtual Machines > cluster1 > svm1 > Configuration > Protocols > CIFS.
19. Click Setup.
20. In the CIFS Server Setup dialog box, enter these settings:
NetBIOS Name: svm1
Domain: learn.netapp.local
Organizational Unit: CN=Computers
User Name: Administrator
Password: Netapp123
21. Click Setup.
22. Verify that the SMB server is configured and started.
23. Select Storage Virtual Machines > cluster1 > svm1 > Storage > Volumes.
24. Click Create.
25. In the Create Volume dialog box, enter these settings:
Name: svm1_vol1
Aggregate: n1_aggr1
Storage Type: NAS
Size: 1 GB
Snapshot Reserve: 5%
Thin Provisioned: Clear checkbox
26. Click Create.
27. Verify that the volume was created.
28. Select Storage Virtual Machines > cluster1 > svm1 > Storage > Namespace.
29. Verify that the volume was mounted under the root of svm1.
TASK 2: USE MMC TO CONFIGURE SVM1
In this task, you use the MMC tool called Computer Management to configure a share for the volume that you
created in the previous task. You grant full control to everyone because permissions will be handled by a
central access policy.
STEP ACTION
1. On the administrator desktop, open Server Manager.
2. Verify that the Server Manager tool started.
3. In the Tools menu, select Computer Management.
4. Verify that the Computer Management tool started.
5. In the Action menu, select Connect to another computer.
6. In the Select Computer dialog box, enter svm1.
7. Verify that Computer Management is connected to svm1.
8. Select Computer Management (SVM1) > System Tools > Shared Folders > Shares.
9. In the Action menu, select New Share.
10. Verify that the Create a Shared Folder Wizard has started.
11. Click Next.
12. Click the Browse button to select this folder path: C:\svm1_vol1.
13. Click Next.
14. Accept the default name.
15. Click Next.
16. Select Customize permissions.
17. Click Custom.
18. With the group or user name Everyone selected, select the Allow checkbox for Full Control.
NTFS permissions and DAC work together: the more restrictive result of the two is the effective
permission. Because the share grants Everyone full control, the claims-based central access policy
alone determines the effective permission.
19. Click OK.
20. Click Finish.
21. Click Finish to close the wizard.
22. Verify that the share was created.
23. On the administrator desktop, open Windows Explorer.
24. Verify that Windows Explorer is open.
25. Select Computer > Map a Drive.
26. In the Map Network Drive dialog box, enter these settings:
Drive: Z
Folder: \\svm1\svm1_vol1
27. Click Finish.
The share location should appear.
TASK 3: ENABLE DAC ON SVM1 OF CLUSTER1
In this task, you enable DAC on svm1. By default, the DAC service is disabled in Data ONTAP. If this feature
is not enabled on the storage virtual machine (SVM), an error message indicates that attribute values cannot
be applied.
STEP ACTION
1. On your Windows desktop, double-click the “link to PuTTY” icon.
2. Verify that the PuTTY window opens.
3. Select the cluster1-mgmt saved session.
4. Click Load.
5. Click Open to start the session.
6. Verify that you see the login prompt.
login as:
7. Use the following credentials to authenticate with your cluster:
User Name: admin
Password: Netapp123
8. Verify that the command prompt appears.
cluster1::>
9. Change to advanced privilege.
cluster1::> set -privilege advanced
Sample output:
Warning: These advanced commands are potentially dangerous; use
them only when directed to do so by NetApp personnel.
10. Confirm the warning message by entering y.
Do you want to continue? {y|n}: y
11. Enter this command to display the CIFS options for svm1:
cluster1::*> vserver cifs options show
Sample output:
Vserver: svm1
Client Session Timeout: 900
Copy Offload Enabled: true
Default Unix Group: -
Default Unix User: pcuser
Direct-Copy Copy Offload Enabled: true
Export Policies Enabled: false
Is DAC Enabled: false
Is Fake Open Support Enabled: true
Is Local Auth Enabled: true
Is Local Users and Groups Enabled: true
Is Referral Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
Is UNIX Extensions Enabled: false
Is Use Junction as Reparse Point Enabled: true
Max Multiplex Count: 255
NT ACLs on UNIX Security Style Volumes Enabled: true
Read Grants Exec: disabled
Read Only Delete: disabled
Reported File System Sector Size: 4096
Restrict Anonymous: no-restriction
Shadowcopy Dir Depth: 5
Shadowcopy Enabled: true
SMB2 Enabled: true
SMB3 Enabled: true
WINS Servers: -
12. Enter this command to enable DAC on svm1:
cluster1::*> vserver cifs options modify -vserver svm1 -is-dac-enabled true
Sample output:
Warning: Once DAC is enabled, the file system can contain ACLs with
DAC-related entries. If DAC is disabled, these entries remain
in use, but new ones will not be allowed. If the system is
reverted, the DAC ACEs will be ignored in file access checks.
You may need to re-ACL these files to restore their previous
level of security.
13. Confirm the warning message by entering y.
Continue? {y|n}: y
14. Enter this command to confirm the change:
cluster1::*> vserver cifs options show
Sample output:
Vserver: svm1
Client Session Timeout: 900
Copy Offload Enabled: true
Default Unix Group: -
Default Unix User: pcuser
Direct-Copy Copy Offload Enabled: true
Export Policies Enabled: false
Is DAC Enabled: true
Is Fake Open Support Enabled: true
Is Local Auth Enabled: true
Is Local Users and Groups Enabled: true
Is Referral Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
Is UNIX Extensions Enabled: false
Is Use Junction as Reparse Point Enabled: true
Max Multiplex Count: 255
NT ACLs on UNIX Security Style Volumes Enabled: true
Read Grants Exec: disabled
Read Only Delete: disabled
Reported File System Sector Size: 4096
Restrict Anonymous: no-restriction
Shadowcopy Dir Depth: 5
Shadowcopy Enabled: true
SMB2 Enabled: true
SMB3 Enabled: true
WINS Servers: -
TASK 4: CREATE TWO CLAIM TYPES
In this task, you prepare Active Directory for claims-based authentication and DAC. You add two existing
Active Directory attributes to the set of claim values that DAC evaluates. The user's country (c) value and
department value are part of the calculation that determines whether a user has access to specific files.
STEP ACTION
1. Open Server Manager.
2. In the Tools menu, select Active Directory Administrative Center.
3. Verify that the Active Directory Administrative Center tool is open.
4. In the left pane, select Dynamic Access Control > Claim Types.
5. In the right pane, select New and then Claim Type.
6. In the Source Attribute list, select the Display Name department.
7. Click OK.
8. In the right pane, select New and then Claim Type.
9. In the Source Attribute list, select the Display Name c.
10. Scroll down to Suggested Values.
Under Suggested Values, select The following values are suggested.
11. Click Add.
12. In the Value and Display name boxes, type US.
13. Click OK.
14. Click Add.
15. In the Value and Display name boxes, type CA.
16. Click OK.
17. Click OK.
18. Verify that two new Claim Types were created.
TASK 5: CREATE TWO RESOURCE PROPERTIES FOR THE SVM1 SERVER
In this task, you configure the properties that will be downloaded by file servers and used to classify files.
Future DAC rules will compare user attribute values with resource properties. The list of resource properties
is predefined by Microsoft as a starter set of properties that can be used by most organizations. You can
enable existing properties or create new ones. You will add a resource property to match the country claim,
and then enable the existing department property to match the department claim. Each resource property must
be added to at least one resource property list before it is downloaded by file servers. The global resource
property list is downloaded by all file servers; however, individual lists can be created and delivered to
specific file servers using Group Policy.
STEP ACTION
1. In the left pane, select Dynamic Access Control > Resource Properties.
2. In the right pane, select New and then Resource Property.
3. For the Display name, type Country.
4. In the Suggested Values Pane, click Add.
5. For the Value and Display name boxes, type US.
6. Click OK.
7. In the Suggested Values pane, click Add.
8. In the Value and Display name boxes, type CA.
9. Click OK.
10. Click OK.
11. In the left pane, select Dynamic Access Control > Resource Properties.
12. Select the Department_MS ID property.
13. In the right pane, click Enable.
14. In the left pane, select Dynamic Access Control > Resource Property Lists.
15. In the right pane, click Add resource properties.
16. Select Country and Department, and then click the Add button (>>).
17. Click OK.
TASK 6: CREATE A CENTRAL ACCESS RULE AND A CENTRAL ACCESS POLICY
In this task, you create a new central access rule. This is similar to an access control list (ACL) in that it
describes which conditions must be met for file access to be granted. A central access policy is a group of
rules that are enforced as a unit. A file or folder can have only one central access policy applied to it.
In this specific rule, you require that the following conditions be met before access is granted: the user
account's department and country attributes must match the values of the file's department and country
attributes. You then add the new rule to a central access policy.
STEP ACTION
1. In the left pane, select Dynamic Access Control > Central Access Rules.
2. In the right pane, select New and then Central Access Rule.
3. In the Name box, type Department-Country-Match-Required.
4. Under Target Resources, click Edit.
5. Click Add a condition.
6. Add the condition Resource Department Exists.
7. Click Add a condition.
8. Add the condition Resource Country Exists.
9. Click OK.
10. Select Use following permissions as current permissions.
This setting enforces DAC. The default setting (proposed permissions) only creates audit log entries;
it is used for impact analysis before the rule is enforced.
11. Click Edit.
12. Click Add.
13. Click Select a principal.
14. Enter Authenticated Users and click Check Names.
15. Click OK.
16. In the Permission Entry for Permissions dialog box, enter these settings:
Principal: Authenticated Users
Type: Allow
Basic permissions: Full Control
Condition 1: User c Equals Resource Country
Condition 2: User Department Equals Resource Department
NOTE: In creating this rule, the list of attributes used for claim types generates the list of
attributes for the user. The list of enabled resource properties generates the list of attributes for
the resource.
17. Click OK.
18. Click OK.
19. Click OK.
20. Verify that the characteristics of the new central access rule are correct.
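The access decision that this rule encodes, as an added example that is not part of the NetApp course and is not NetApp or Microsoft code: a Python model of the Department-Country-Match-Required rule intersected with the Everyone: Full Control share permission from Task 2, including the default proposed-permissions (staging) mode from step 10. The user names, file paths, claim values, and the assumption that a rule which does not target a resource neither grants nor restricts it are constructed for this example.

```python
"""Model of the lab's DAC evaluation: the Department-Country-Match-Required
rule (Task 6) combined with the Everyone: Full Control share permission
(Task 2). Added example; all users, files and claim values are constructed."""
from dataclasses import dataclass, field, replace

# Rights are modelled as a set; Full Control is every right.
FULL_CONTROL = frozenset({"read", "write", "delete", "change_permissions"})
NO_ACCESS = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    claims: dict          # claim type -> value, e.g. {"c": "US", "department": "Finance"}


@dataclass(frozen=True)
class Resource:
    path: str
    properties: dict      # resource property -> classification value


@dataclass(frozen=True)
class CentralAccessRule:
    name: str
    target_properties: tuple   # Task 6 steps 6 and 8: rule applies only if these exist
    conditions: tuple          # Task 6 step 16: (user claim, resource property) pairs, ANDed
    permissions: frozenset = FULL_CONTROL
    # False: "Use following permissions as current permissions" (enforced, step 10).
    # True: the default "proposed permissions" mode, which only writes audit entries.
    proposed_only: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def rule_targets(rule: CentralAccessRule, resource: Resource) -> bool:
    """True when the resource satisfies the rule's target condition. Assumption:
    a rule that does not target a resource neither grants nor restricts it."""
    return all(p in resource.properties for p in rule.target_properties)


def rule_grants(rule: CentralAccessRule, user: User, resource: Resource) -> frozenset:
    """Rights the rule's permission entry grants. A missing claim never equals a
    resource value, so a user whose AD account lacks the attribute is denied."""
    for claim_type, prop in rule.conditions:
        value = user.claims.get(claim_type)
        if value is None or value != resource.properties.get(prop):
            return NO_ACCESS
    return rule.permissions


def effective_permissions(user: User, resource: Resource, share_acl: frozenset,
                          rule: CentralAccessRule, audit: AuditLog) -> frozenset:
    """Intersect the share permission with the central access rule, so the more
    restrictive result wins. In proposed-only mode the rule is evaluated but not
    enforced; a staging entry is logged whenever it would have reduced access."""
    if not rule_targets(rule, resource):
        return share_acl
    dac = rule_grants(rule, user, resource)
    if rule.proposed_only:
        if (share_acl & dac) != share_acl:
            audit.entries.append(f"{rule.name}: proposed permissions would deny "
                                 f"{user.name} on {resource.path}")
        return share_acl
    return share_acl & dac


def staged(rule: CentralAccessRule) -> CentralAccessRule:
    """The same rule left in the default proposed-permissions mode."""
    return replace(rule, proposed_only=True)


# Constructed sample data mirroring the lab (user names and paths are examples).
DEPT_COUNTRY_RULE = CentralAccessRule(
    name="Department-Country-Match-Required",
    target_properties=("Department", "Country"),
    conditions=(("c", "Country"), ("department", "Department")),
)
EVERYONE_FULL_CONTROL = FULL_CONTROL   # share permission granted in Task 2 step 18
US_FINANCE_FILE = Resource(r"\\svm1\svm1_vol1\finance\budget.xlsx",
                           {"Country": "US", "Department": "Finance"})
UNCLASSIFIED_FILE = Resource(r"\\svm1\svm1_vol1\readme.txt", {})
ALICE = User("alice", {"c": "US", "department": "Finance"})  # matches both conditions
BOB = User("bob", {"c": "CA", "department": "Finance"})      # country mismatch
CAROL = User("carol", {"c": "US"})                           # no department attribute set

if __name__ == "__main__":
    audit = AuditLog()
    for who in (ALICE, BOB, CAROL):
        rights = effective_permissions(who, US_FINANCE_FILE, EVERYONE_FULL_CONTROL,
                                       DEPT_COUNTRY_RULE, audit)
        print(f"{who.name}: {sorted(rights) or 'no access'}")
    effective_permissions(BOB, US_FINANCE_FILE, EVERYONE_FULL_CONTROL,
                          staged(DEPT_COUNTRY_RULE), audit)
    print("staging audit:", audit.entries)
```

Note that an unclassified file (no Department or Country property) is not targeted by the rule, so the share permission alone applies to it; this is why Task 8 classifies the content before the policy has any effect.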
21. In the left pane, select Dynamic Access Control > Central Access Policies.
22. In the right pane, select New and then Central Access Policy.
23. In the Create Central Access Policy dialog box, enter these settings:
Name: SVM1 File Server Policy
Rule: Department-Country-Match-Required (Click the Add button.)
24. Click OK.
25. Verify that the new policy was created.
TASK 7: CREATE A GROUP POLICY OBJECT TO DEPLOY A CENTRAL ACCESS POLICY
In this task, you create a new group policy object (GPO) to deliver the central access policy to your file
servers. This makes the policy available but does not enforce it on individual files or folders. You enable
Kerberos armoring for domain controllers to ensure that Kerberos tickets contain the required claims
information, which the file servers can then evaluate.
STEP ACTION
1. Open Server Manager.
2. In the Tools menu, select Group Policy Management.
3. Select Group Policy Management > Forest: learn.netapp.local > Domains >
learn.netapp.local.
4. In the Action menu, select Create a GPO in this domain and link it here.
5. Name the GPO Dynamic Access Control Policy.
6. Click OK.
7. Expand the Domains > learn.netapp.local folder.
8. Select the Dynamic Access Control Policy GPO, and then click OK.
9. Under Security Filtering, select Authenticated Users.
10. Click Remove.
11. Click OK to confirm the warning message.
12. Click Add.
13. Click Object Types, check Computer, and then click OK.
14. For the object name, enter SVM1.
15. Click OK.
16. In the left pane, right-click the Dynamic Access Control Policy GPO and select Edit.
17. Select Dynamic Access Control Policy > Computer Configuration > Policies > Windows
Settings > Security Settings > File System > Central Access Policy.
18. In the Action menu, click Manage Central Access Policies.
19. Add the SVM1 File Server Policy to the applicable policies.
20. Click OK.
21. Verify that the central access policy was added to the GPO.
22. Close the Group Policy Management Editor tool.
23. In the left pane, select the Default Domain Policy.
24. Click OK to confirm the warning message.
25. In the left pane, right-click the Default Domain Policy GPO and select Edit.
26. Select Default Domain Policy > Computer Configuration > Policies > Administrative
Templates > System > KDC.
27. Double-click KDC Support for claims, compound authentication, and Kerberos armoring.
28. Select Enabled.
29. Click OK.
30. Select Default Domain Policy > Computer Configuration > Policies > Administrative
Templates > System > Kerberos.
31. Double-click Kerberos client support for claims, compound authentication, and Kerberos
armoring.
32. Select Enabled.
33. Click OK.
34. Close the Group Policy Management Editor tool.
35. Close the Group Policy Management tool.
TASK 8: APPLY THE CENTRAL ACCESS POLICY TO CONTENT
In this task, you verify that the file server role is enabled. You then refresh the local Windows server and
cluster1 to apply the new GPO that deploys the central access policy. You then configure a folder of sample
content on the SVM1 share and set the default values on the content.
NOTE: On a production system, this classification process can be accomplished with scripts.
STEP ACTION
1. Open Server Manager.
2. Click Add Roles and Features.
3. Click Next until you see the Select server roles page.
4. In the list of roles, under File and Storage Services, and within the File and iSCSI Services
group, select File Server Resource Manager.
5. Click Add Features.
6. Verify that File Server Resource Manager is selected.
7. Click Next.
8. Click Next.
9. Click Install.
10. Wait a few minutes for the installation to finish, and then click Close.
11. On the administrator desktop, open Windows PowerShell.
12. Enter the following command to ensure that the central policy defined by the Dynamic Access
Control Policy GPO is applied to the system:
PS C:\> GPUpdate /Force
NOTE: Under normal circumstances, the regular group policy refresh would perform this step.
13. Verify that the command returns confirmation that the computer policy and user policy updates completed successfully.
14. Open a PuTTY session to cluster1-mgmt.
15. Enter this command to see whether the GPO service is enabled on svm1:
cluster1::> vserver cifs group-policy show
Sample output:
Vserver GPO Status
-------------- ----------
svm1 disabled
16. Enter this command to enable the GPO service:
cluster1::> vserver cifs group-policy modify -vserver svm1 -status enabled
17. Enter this command to verify that the GPO service is now enabled on svm1:
cluster1::> vserver cifs group-policy show
Sample output:
Vserver GPO Status
-------------- ----------
svm1 enabled
18. Enter this command to force an update of all GPOs:
cluster1::> vserver cifs group-policy update -vserver svm1 -force-reapply-all-settings true
19. Enter this command to verify that the central access policy GPO is visible to the SVM:
cluster1::> vserver cifs group-policy show-defined -vserver svm1
Sample output:
Vserver: svm1
-----------------------------
GPO Name: Dynamic Access Control Policy
Level: Domain
Status: enabled
Advanced Audit Settings:
Object Access:
Central Access Policy Staging: -
…
Restricted Groups:
-
Central Access Policy Settings:
Policies: SVM1 File Server Policy
…
20. Enter this command to verify that the central access policy GPO is applied to the SVM:
cluster1::> vserver cifs group-policy show-applied -vserver svm1
Troubleshooting:
If the command does not return the correct output, you might:
a. Issue the vserver cifs group-policy update command.
b. Wait about two minutes.
Sample output:
Vserver: svm1
-----------------------------
GPO Name: Dynamic Access Control Policy
Level: Domain
Status: enabled
Advanced Audit Settings:
Object Access:
Central Access Policy Staging: -
…
Restricted Groups:
-
Central Access Policy Settings:
Policies: SVM1 File Server Policy
…
21. Enter this command to verify that the central access policy is visible to the SVM:
cluster1::> vserver cifs group-policy central-access-policy show-defined -vserver svm1
Sample output:
Vserver Name SID
---------- -------------------- -----------------------------------------------
svm1 C1SVM1 File Server Policy
S-1-17-2284269451-1118572613-2139631292-188622639
Description:
Creation Time: Fri Aug 08 22:53:06 2014
Modification Time: Fri Aug 08 22:53:06 2014
Member Rules: Department-Country-Match-Required
22. Enter this command to verify that the central access policy is applied to the SVM:
cluster1::> vserver cifs group-policy central-access-policy show-applied -vserver svm1
Sample output:
Vserver Name SID
---------- -------------------- -----------------------------------------------
svm1 C1SVM1 File Server Policy
S-1-17-2284269451-1118572613-2139631292-188622639
Description:
Creation Time: Fri Aug 08 22:53:06 2014
Modification Time: Fri Aug 08 22:53:06 2014
Member Rules: Department-Country-Match-Required
23. Enter this command to verify that the central access rule is visible to the SVM:
cluster1::> vserver cifs group-policy central-access-rule show-defined -vserver svm1
Sample output:
Vserver Name
---------- --------------------
svm1 Department-Country-Match-Required
Description:
Creation Time: Fri Aug 08 22:49:25 2014
Modification Time: Fri Aug 08 22:49:25 2014
Current Permissions:
O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;FA;;;AU;((@USER.ad://ext/c:88d18a34307ec14f == @RESOURCE.Country_88d1816f53f24f89) && (@USER.ad://ext/department:88d18155cbcf2738 == @RESOURCE.Department_MS)))
Target Resources: ((Exists @RESOURCE.Department_MS) && (Exists @RESOURCE.Country_88d1816f53f24f89))
24. Enter this command to verify that the central access rule is applied to the SVM:
cluster1::> vserver cifs group-policy central-access-rule show-applied -vserver svm1
Sample output:
Vserver Name
---------- --------------------
svm1 Department-Country-Match-Required
Description:
Creation Time: Fri Aug 08 22:49:25 2014
Modification Time: Fri Aug 08 22:49:25 2014
Current Permissions:
O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;FA;;;AU;((@USER.ad://ext/c:88d18a34307ec14f == @RESOURCE.Country_88d1816f53f24f89) && (@USER.ad://ext/department:88d18155cbcf2738 == @RESOURCE.Department_MS)))
Target Resources: ((Exists @RESOURCE.Department_MS) && (Exists @RESOURCE.Country_88d1816f53f24f89))
25. On the administrator desktop, double-click the shortcut named CourseFiles.
26. Copy the folder named Departments.
27. Paste the Departments folder into the Z:\ drive.
NOTE: Remember that this is on cluster1’s svm1.
28. Select Z:\Departments\.
29. Right-click Finance and select Properties.
30. Click the Classification tab.
Troubleshooting: If the Properties list is empty, you might:
a. Run the vserver cifs group-policy update command.
b. Wait about two minutes.
31. For the Department property, select Finance.
32. Click Apply.
33. Click the Security tab.
34. Click Advanced.
35. Notice the Central Policy tab.
Troubleshooting:
If the Central Policy tab is not present, then the GPO and the central access policy with its rules were not applied to the SVM. Go back and verify that they were applied.
36. Click the Central Policy tab.
37. Click Change.
38. Select the SVM1 File Server Policy applied to This Folder, subfolders, and files.
39. Click OK to close the Advanced Security Settings for Finance dialog box.
40. Click OK to close the Finance Properties dialog box.
41. Repeat steps 28-40 with the HR folder, with these differences:
a. Set the Department property to Human Resources.
b. Set the Central Policy to SVM1 File Server Policy applied to This Folder, subfolders, and files.
42. In Windows Explorer, select Z:\Departments\HR.
43. Right-click CA-Employee1 and select Properties.
44. Click the Classification tab.
45. Assign the Country property to CA.
46. Click OK.
47. Repeat steps 42-46 with the US-Employee1 file, setting the Country property to US.
TASK 9: CREATE USER ACCOUNTS TO TEST DAC
In this task, you create two users: betty and bob. Betty works in the Human Resources department in the
Canadian branch of the company. Bob works in the Human Resources department in the United States branch
of the company. Optionally, you could create other users in other locations and departments to test other
security scenarios.
STEP ACTION
1. Open Server Manager.
2. In the Tools menu, select Active Directory Administrative Center.
3. In the left pane, select learn (local) > Users.
4. In the right pane, under the Users section, select New > User.
5. In the Create User dialog box, enter these settings:
Full name: betty
User SamAccount: betty
Password: Netapp123
Confirm password: Netapp123
Password options: Other password options
Password never expires: Select checkbox
User cannot change password: Select checkbox
Under Organization, Department: Human Resources
Under Organization, Country/Region: Canada
6. Click OK.
7. In the right pane, under the Users section, select New > User.
8. In the Create User dialog box, enter these settings:
Full name: bob
User SamAccount: bob
Password: Netapp123
Confirm password: Netapp123
Password options: Other password options
Password never expires: Select checkbox
User cannot change password: Select checkbox
Under Organization, Department: Human Resources
Under Organization, Country/Region: United States
9. Click OK.
10. Verify that the user accounts betty and bob were created.
11. Close the Active Directory Administrative Center tool.
TASK 10: TEST THE EFFECTIVE PERMISSIONS THAT DAC PROVIDES
In this task, you test the central access policy rule that is applied to the SVM. You will notice that the folders have no security limitations; however, the individual files do. You use the betty and bob user accounts that you created in the previous task to test the effective permissions of storage objects.
STEP ACTION
1. Select Z:\.
2. Right-click Departments and select Properties.
3. Click the Security tab.
4. Click Advanced.
5. Click the Effective Access tab.
6. Click Select a user.
7. Enter betty and then click OK.
8. Click View effective access.
9. After a moment, scroll down and verify that betty has access to this folder.
10. Click OK to close the Advanced Security Settings for Departments dialog box.
11. Click OK to close the Departments Properties dialog box.
12. Select Z:\Departments\HR.
13. Right-click CA-Employee1 and select Properties.
14. Click the Security tab.
15. Click Advanced.
16. Click the Effective Access tab.
17. Click Select a user.
18. Enter betty and then click OK.
19. Click View effective access.
20. After a moment, scroll down and verify that betty has access to this folder.
21. Click Select a user.
22. Enter bob and then click OK.
23. Click View effective access.
24. After a moment, scroll down and verify that bob does not have access to this folder.
25. On your own, explore more of the effective permissions and the capabilities that NetApp and Microsoft bring to remote storage.
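The central access rule from Task 8 (Department-Country-Match-Required) and the effective-access checks in Task 10, modelled in Python as an added example that is not NetApp or Microsoft code and not part of the lab: it reproduces the rule's Target Resources test and its conditional ACE to show why the Departments folder stays open while CA-Employee1 is readable by betty but not by bob. The short claim and property names, the claim values, and the assumption that the file carries both the Department and the Country property are mine.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    claims: dict  # user claims, e.g. {"department": "Human Resources", "c": "CA"}

@dataclass
class Resource:
    path: str
    properties: dict = field(default_factory=dict)  # Classification-tab resource properties

def rule_targets(res):
    """Target Resources: ((Exists Department_MS) && (Exists Country_*)).
    A resource lacking either property is outside the rule's scope."""
    return "Department" in res.properties and "Country" in res.properties

def rule_permits(user, res):
    """The XA (conditional allow) ACE for Authenticated Users: full access only
    when the country claim (AD attribute c) equals the resource's Country and
    the department claim equals the resource's Department."""
    return (user.claims.get("c") == res.properties.get("Country")
            and user.claims.get("department") == res.properties.get("Department"))

def effective_access(user, res, dacl_allows=True):
    """A central access policy can only narrow the NTFS/share DACL result:
    effective access = DACL AND every rule whose target expression matches."""
    if not dacl_allows:
        return False
    if not rule_targets(res):
        return True  # rule does not apply, so the DACL alone decides
    return rule_permits(user, res)

# Constructed lab objects (assumed claim/property values, not output from the lab).
BETTY = Principal("betty", {"department": "Human Resources", "c": "CA"})
BOB = Principal("bob", {"department": "Human Resources", "c": "US"})
DEPARTMENTS = Resource(r"Z:\Departments")  # no resource properties set on it
# Assumed: the file carries Department from its HR folder plus its own Country.
CA_EMPLOYEE1 = Resource(r"Z:\Departments\HR\CA-Employee1",
                        {"Department": "Human Resources", "Country": "CA"})

def lab_results():
    """Effective access for the checks made in Task 10, keyed by (user, path)."""
    return {(u.name, r.path): effective_access(u, r)
            for u in (BETTY, BOB) for r in (DEPARTMENTS, CA_EMPLOYEE1)}

if __name__ == "__main__":
    for (user, path), allowed in lab_results().items():
        print(f"{user:6} {path:32} {'allowed' if allowed else 'denied'}")
```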
END OF EXERCISE