Managing A Multiprotocol Environment On VNX
VNX Series
Release 7.0
P/N 300-011-819
REV A03
EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
Copyright 1998 - 2012 EMC Corporation. All rights reserved.
Published January 2012
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
For the most up-to-date regulatory document for your product line, go to the Technical
Documentation and Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on
EMC.com.
All other trademarks used herein are the property of their respective owners.
Contents
Preface
Chapter 1: Introduction
    System requirements
    User interface choices
    Related information
Chapter 2: Concepts
    Planning considerations
    CIFS user ID resolution
    Security on file system objects
    User access control of file system objects
    Inheritance rules
    Windows-style credential for UNIX users
    Using Windows-style credential with Virtual Data Mover
    Determining the GID for file system objects
    Backing up and restoring file system objects
    File naming
    File locking
    Wide links
    Distributed File System server
Chapter 3: Managing
    Set the access-checking policy
    Migrate access_checking policy to MIXED and MIXED_COMPAT
    Synchronize Windows and UNIX permissions
    Reset the access policy
    Check the translation status
    Manage a Windows credential
    Generate Windows credentials
    Include UNIX groups in a Windows credential
    Modify Windows credential settings
    Set the Windows default domain
    Define the Windows credential cache
    Set the time-to-live expiration stamp
    Use only UNIX permissions for access checking
    Manage UNIX permissions from a Windows client
    Manage Windows ACL from a UNIX client
    Display security descriptor
    View access rights
    Use UNIX GIDs for file system objects
    Determine the GIDs on copied file system objects
    Set the file locking policy
    Configure and administer DFS support
    Create a DFS root using dfsutil.exe
    Create a stand-alone DFS root using DFS MMC
    Disable DFS support
    Create wide links
Chapter 4: Troubleshooting
    EMC E-Lab Interoperability Navigator
    VNX user customized documentation
    server_log error message construct
    Kerberos error codes
    NT status codes
    Known problems and limitations
    Error messages
    EMC Training and Professional Services
Appendix A: emcgetsd and emcsetsd
    Using emcgetsd and emcsetsd
Glossary
Index
Preface
As part of an effort to improve and enhance the performance and capabilities of its product
lines, EMC periodically releases revisions of its hardware and software. Therefore, some
functions described in this document may not be supported by all versions of the software
or hardware currently in use. For the most up-to-date information on product features, refer
to your product release notes.
If a product does not function properly or does not function as described in this document,
please contact your EMC representative.
Special notice conventions
EMC uses the following conventions for special notices:
Note: Emphasizes content that is of exceptional importance or interest but does not relate to
personal injury or business/data loss.
Identifies content that warns of potential business or data loss.
Indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
Indicates a hazardous situation which, if not avoided, could result in death or
serious injury.
Indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
Where to get help
EMC support, product, and licensing information can be obtained as follows:
Product information: For documentation, release notes, software updates, or for
information about EMC products, licensing, and service, go to the EMC Online Support
website (registration required) at http://Support.EMC.com.
Troubleshooting: Go to the EMC Online Support website. After logging in, locate
the applicable Support by Product page.
Technical support: For technical support and service requests, go to EMC Customer
Service on the EMC Online Support website. After logging in, locate the applicable
Support by Product page, and choose either Live Chat or Create a service request. To
open a service request through EMC Online Support, you must have a valid support
agreement. Contact your EMC sales representative for details about obtaining a valid
support agreement or with questions about your account.
Note: Do not request a specific support representative unless one has already been assigned to
your particular system problem.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications.
Please send your opinion of this document to:
[email protected]
Chapter 1: Introduction
In a UNIX environment, the Network File System (NFS) protocol is used
to access file systems. In a Windows environment, the Common Internet
File System (CIFS) protocol is used to access file systems. VNX supports
a mixed NFS and CIFS environment by providing multiprotocol access
capabilities such as access-checking policies and locking mechanisms.
This multiprotocol access enables UNIX and Windows users to share the
same file systems.
This document is part of the VNX documentation set and is intended for
system administrators responsible for implementing VNX platform in their
mixed Windows and UNIX environment.
Topics included are:
- System requirements on page 8
- User interface choices on page 8
- Related information on page 8
System requirements
For system requirements, see:
- Configuring and Managing CIFS on VNX for CIFS access requirements
- Configuring NFS on VNX for NFS access requirements
User interface choices
The EMC
VNX
Finds a DFS link matching the beginning of the target path in the symbolic link.
Appends the rest of this path to the DFS target for final redirection.
- A wide link can be configured on a per Virtual Data Mover (VDM) basis. This enables a
  Windows client to be directed to as many different directory locations as needed.
- After the wide links are configured, a symbolic link with an absolute path appears as a
  directory instead of a file in Windows Explorer.
- The path in the DFS link must be the same in Windows and UNIX (in other words, the
  UNIX name of each component must be the M256 name in Windows).
- On an NT4 client, the Security tab does not appear in the Properties dialog box for a file
  that is located in a share that supports wide links. The security can be set by using a
  security tool such as cacls. Alternatively, manage the ACLs of files by using either files
  of a Windows 2000 client or shares that do not support wide symbolic links. There can
  be two different shares on the same directory, one that supports wide links and one that
  does not, and the share that does not support wide links can be used to manage security
  settings by using NT4 clients.
- If a Windows client is connected to a CIFS share on a DFS root and this share is removed
  from DFS, the client might not be able to access it. Because the wide links feature is
  based on Microsoft DFS, this can also happen with wide links. This behavior occurs
  because the clients use a DFS cache to track all DFS links. Until the share's cache entry
  times out, the Windows clients attempt to access the deleted share even though it no
  longer exists in DFS.
To resolve this:
Or, disconnect the client from the share, clear the client's DFS cache by using the
Microsoft command line tool dfsutil /pktflush, and reconnect to the share.
Note: Wide links cannot be used in conjunction with symbolic links containing absolute paths. The
value of the parameter shadow.followabsolutpath must be 0 for wide links support to be enabled. If
symbolic links using paths from the root of the Data Mover are needed, then the links must be
emulated by using wide links. To do this, create DFS links that emulate the directory structure from
the root of the Data Mover. Distributed File System server on page 32 provides more information.
Process steps
The following steps describe how a Windows client processes the wide links feature by
using DFS:
1. Client opens a path that has an absolute symbolic link.
2. Server detects an absolute link path and sends an error stating this path is not covered.
This is typical DFS behavior.
3. Client requests DFS referrals of this path to determine where to connect next.
4. From the DFS root on the Data Mover defined as the widelink database in the Windows
Registry of the Data Mover, the CIFS server finds a link that matches the beginning
of the target path in the symbolic link and determines the CIFS share to use for wide
links resolution.
5. CIFS server sends DFS referrals pointing the client to the new path.
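The matching rule in the steps above (find the DFS link that matches the beginning of the symbolic link's target, then append the rest of the path) is shown here as an added Python example that is not part of the EMC documentation. The DFS link table and its share names are constructed for illustration. Matching on whole path components and refusing `..` are choices made in this sketch, not documented VNX behaviour.

```python
"""Wide link resolution, modelled offline (added example, not EMC code)."""
from typing import Dict, Optional, Tuple

# Constructed DFS root contents: link path (relative to the DFS root) -> DFS target.
# Host names come from the mount output on this page; the share names are assumed.
DFS_LINKS: Dict[str, str] = {
    "wlink-1": r"\\dm2-ana0-1-sa\wlink-1",
    "wlink-1/archive": r"\\dm2-ana0-1-sa\archive",
    "wlink-2": r"\\dm2-ana0-1-sa\wlink-2",
    "wlink-29": r"\\vdm3-ana0-6-sa\wlink-29",
}

# The two absolute symbolic links from the ls listing on this page.
SYMLINKS: Dict[str, str] = {
    "user1_on_fs_wlink-29": "/wlink-29/user1",
    "user1_on_fs_wlink-1": "/wlink-1/user1",
}


def _components(path: str) -> Tuple[str, ...]:
    """Split a slash-separated path into its non-empty components."""
    return tuple(p for p in path.split("/") if p not in ("", "."))


def resolve_wide_link(symlink_target: str, dfs_links: Dict[str, str]) -> Optional[str]:
    """Return the UNC path for the referral, or None if no DFS link covers the target."""
    if not symlink_target.startswith("/"):
        return None  # only absolute symbolic links go through wide link resolution
    parts = _components(symlink_target)
    if ".." in parts:
        return None  # choice made in this sketch: never refer a path that climbs upward

    best: Optional[Tuple[Tuple[str, ...], str]] = None
    for link_path, target in dfs_links.items():
        link_parts = _components(link_path.replace("\\", "/"))
        # Compare whole components, so "wlink-2" does not capture "/wlink-29/...".
        covers = bool(link_parts) and parts[: len(link_parts)] == link_parts
        # Prefer the longest (most specific) matching link.
        if covers and (best is None or len(link_parts) > len(best[0])):
            best = (link_parts, target)
    if best is None:
        return None

    # Append the rest of the symlink path to the DFS target.
    rest = parts[len(best[0]):]
    return "\\".join((best[1].rstrip("\\"),) + rest)


def referrals(symlinks: Dict[str, str], dfs_links: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Resolve every symbolic link in a directory listing against the DFS link table."""
    return {name: resolve_wide_link(target, dfs_links) for name, target in symlinks.items()}


if __name__ == "__main__":
    for name, unc in referrals(SYMLINKS, DFS_LINKS).items():
        print(f"{name} -> {unc}")
```

A target that no DFS link covers resolves to None, which corresponds to a symbolic link the Windows client cannot be redirected from.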
Establishing wide links
In the following example, the wl_root-1 file system contains the user1 directory that has
the symbolic links:
- link to fs_wlink-1\user1 on the local Data Mover
- link to fs_wlink-29\user1 on a remote Data Mover
Example
wl_root-1 file system exists on server_2:
$ server_export server_2 | grep -w "wl_root-1"
export "/wl_root-1"
share "wl_root-1" "/wl_root-1" maxusr=4294967295 umask=22
user1 directory is located in wl_root-1:
[user1@LINUX1PAG01 user1]$ pwd
/wl_root-1/user1
user1 has two UNIX symbolic links to other directories on separate Data Movers:
[user1@LINUX1PAG01 user1]$ ls -lhat
total 8.0K
drwxr-xr-x 3 root root 0 Feb 2 13:19 ..
drwxr-xr-x 3 user1 group-1001 1.0K Feb 2 12:43 .
-rw-r--r-- 1 user1 group-1001 0 Feb 2 12:43 NFS_user_file
lrwxrwxrwx 1 user1 group-1001 15 Feb 2 12:25 user1_on_fs_wlink-29 -> /wlink-29/user1
lrwxrwxrwx 1 user1 group-1001 14 Feb 2 12:25 user1_on_fs_wlink-1 -> /wlink-1/user1
drwxr-xr-x 2 user1 group-1001 80 Feb 1 17:49 user1
These symbolic links point to:
- user1 on fs_wlink-1 on the local Data Mover (server_2):
[user1@LINUX1PAG01 user1]$ mount | grep wlink-1
automount(pid26562) on /wlink-1 type autofs (rw,fd=5,pgrp=26562,minproto=2,maxproto=3)
dm2-ana0-1-sa:/wlink-1/user1 on /wlink-1/user1 type nfs (rw,addr=172.24.100.50)
- user1 on fs_wlink-29 on a remote Data Mover (server_3):
[user1@LINUX1PAG01 user1_on_fs_wlink-29]$ mount | grep wlink-29
automount(pid26592) on /wlink-29 type autofs (rw,fd=5,pgrp=26592,minproto=2,maxproto=3)
vdm3-ana0-6-sa:/root_vdm_3/wlink-29/user1 on /wlink-29/user1 type nfs (rw,addr=172.24.100.58)
From Windows, the symbolic links in user1 display as files:
C:\>dir \\dm2-ana0-1-sa\wl_root-1\user1
Volume in drive \\dm2-ana0-1-sa\wl_root-1 is 102
Volume Serial Number is 0000-0014
Directory of \\dm2-ana0-1-sa\wl_root-1\user1
02/02/2005 12:43 PM <DIR> .
02/02/2005 12:23 PM <DIR> ..
02/01/2005 05:49 PM <DIR> user1
02/02/2005 12:25 PM 14 user1_on_fs_wlink-1
02/02/2005 12:25 PM 15 user1_on_fs_wlink-29
02/02/2005 12:43 PM 0 NFS_user_file
3 File(s) 29 bytes
3 Dir(s) 52,867,235,840 bytes free
Distributed File System server
Microsoft Distributed File System (DFS) allows you to group shared folders located on
different servers into a logical DFS namespace. A DFS namespace is a virtual view of these
shared folders shown in a directory tree structure. By using DFS, you can group shared
folders into a logical DFS namespace and make folders that are distributed across multiple
servers appear to users as if they reside in one place on the network. Users can navigate
through the namespace without needing to know server names or the actual shared folders
hosting the data.
Each DFS tree structure has a root target, which is the host server running the DFS service
and hosting the namespace. A DFS root contains DFS links that point to the shared folders (a
share and any directory below it) on the network. The shared folders are referred to as DFS
targets.
Microsoft offers two types of DFS root server: the domain-based DFS root server and the
stand-alone DFS root server. The domain-based DFS server stores the DFS
hierarchy in the AD. The stand-alone DFS root server stores the DFS hierarchy locally. VNX
provides the same functionality as a Windows 2000 or Windows Server 2003 stand-alone
DFS root server.
The Microsoft website at http://www.microsoft.com/windowsserversystem/dfs/default.mspx
provides detailed information about DFS. Configure and administer DFS support on page
49 provides procedural information for creating a DFS root.
Chapter 3: Managing
The tasks to manage multiprotocol environments are:
- Set the access-checking policy on page 36
- Migrate access_checking policy to MIXED and MIXED_COMPAT on page 36
- Manage a Windows credential on page 39
- Use only UNIX permissions for access checking on page 43
- Manage UNIX permissions from a Windows client on page 44
- Manage Windows ACL from a UNIX client on page 45
- Use UNIX GIDs for file system objects on page 47
- Determine the GIDs on copied file system objects on page 48
- Set the file locking policy on page 48
- Configure and administer DFS support on page 49
- Create wide links on page 51
Set the access-checking policy
User access control of file system objects on page 14 provides conceptual information about
security models and access-checking policies.
Action
To set the access-checking policy for a file system, use this command syntax:
$ server_mount <movername> -option accesspolicy={NT|UNIX|SECURE|NATIVE|MIXED|MIXED_COMPAT} <fs_name> <mountpoint>
where:
<movername> = name of the Data Mover or VDM
<fs_name> = name of the file system being mounted
<mountpoint> = name of the mount point
Note: Always verify the current access-checking policy on the file system before executing this command. The default
policy is NATIVE.
Example:
To set the access-checking policy to NT for file system ufs1 on server_2, type:
$ server_mount server_2 -option accesspolicy=NT ufs1 /ufs1
Output
server_2 : done
Migrate access_checking policy to MIXED and MIXED_COMPAT
To migrate the access-checking policy to MIXED and MIXED_COMPAT, you must perform
the following tasks:
- Synchronize Windows and UNIX permissions on page 37
- Reset the access policy on page 37
- Check the translation status on page 38
Synchronize Windows and UNIX permissions
Note: Because the synchronization task cannot be undone, first perform a backup of the file system.
Always check the access-checking policy set on the file system before and after executing the translate
command. The file system must be mounted as MIXED or MIXED_COMPAT before executing this
command. If not, the command is refused. The file system to be translated must be a UXFS file system
object mounted as read/write.
After remounting a file system object to MIXED or MIXED_COMPAT, perform the following
steps to synchronize Windows and UNIX permissions.
Action
To synchronize Windows and UNIX permissions on the file system, use this command syntax:
$ nas_fs -translate <fs_name> -access_policy start -to {MIXED} -from {NT|NATIVE|UNIX|SECURE}
where:
<fs_name> = name of the file system
Example:
To synchronize Windows and UNIX permissions for ufs1 on server_2 and regenerate ACLs based on UNIX modes, type:
$ nas_fs -translate ufs1 -access_policy start -to MIXED -from UNIX
Output
server_2 : done
Note: Using MIXED and MIXED_COMPAT on page 19 explains how Windows and UNIX permissions
are translated to MIXED or MIXED_COMPAT from an NT, NATIVE, UNIX, or SECURE originating
policy.
Reset the access policy
You can remount a file system to reset the access-checking of the file system object to its
originating policy. This action applies the new access right policy and causes the ACLs and
mode bits to become independent when first modified. ACL permissions and the UNIX mode
bits remain unchanged.
Note: File systems might have permissions that are not synchronized. Synchronize Windows and UNIX
permissions on page 37 provides more information.
Action
To reset the MIXED or MIXED_COMPAT access-checking policy for a file system, use this command syntax:
$ server_mount <movername> -option accesspolicy={NT|UNIX|SECURE|NATIVE|MIXED|MIXED_COMPAT} <fs_name> <mount_point>
where:
<movername> = name of the Data Mover
<fs_name> = name of the file system being mounted
<mount_point> = name of the mount point, which begins with a forward slash (/)
Example:
To reset the access-checking policy to UNIX for file system ufs1 on server_2, type:
$ server_mount server_2 -option accesspolicy=UNIX ufs1 /ufs1
Output
server_2: done
Check the translation status
Action
To check the translation status of a file system, use this command syntax:
$ nas_fs -translate <fs_name> -access_policy status
where:
<fs_name> = name of the file system being translated
Example:
To check the translation status for ufs1, type:
$ nas_fs -translate ufs1 -a status
Output
status=In progress
percent_inode_scanned=68
1097154093: ADMIN: 4: Command succeeded: acl database=/ufs1 convertAccessPolicy status
Notes
- If the translation failed, check if the file system is mounted as MIXED or MIXED_COMPAT.
- If the translation does not complete due to system failure, run the command again.
Manage a Windows credential
The tasks to manage a Windows credential are:
- Generate Windows credentials on page 39
- Include UNIX groups in a Windows credential on page 40
- Modify Windows credential settings on page 40
- Set the Windows default domain on page 41
- Define the Windows credential cache on page 41
- Set the time-to-live expiration stamp on page 42
Windows-style credential for UNIX users on page 24 provides conceptual information.
Generate Windows credentials
Action
To generate Windows credentials for a file system object, use this command syntax:
$ server_mount <movername> -option accesspolicy={NT|UNIX|SECURE|NATIVE|MIXED|MIXED_COMPAT},ntcredential <fs_name> <mount_point>
where:
<movername> = name of the Data Mover or VDM
<fs_name> = name of the file system being mounted
<mount_point> = name of the mount point
Note: The Windows credential function is for multiprotocol file systems. Use this feature only with NT, SECURE, MIXED,
and MIXED_COMPAT access-checking policies.
Example:
To set the access-checking policy and generate the Windows credential for file system ufs1 on server_2, type:
$ server_mount server_2 -option accesspolicy=NT,ntcredential ufs1 /ufs1
Output
server_2: done
Include UNIX groups in a Windows credential
EMC recommends setting the acl.extendExtraGid parameter if you use credentials. When
a user accesses VNX through CIFS, VNX can be configured to include the user's UNIX
groups in the user's Windows credential, in addition to the user's Windows groups. VNX
includes the UNIX groups in the Windows credential if the server parameter cifs
acl.extendExtraGid is set to 1. There is no limit to the number of groups a Windows credential
can contain.
Note: The acl.extendExtraGid parameter applies only in multiprotocol environments with a Network
Information Service (NIS) or .etc/group file on the Data Mover. The UNIX groups are retrieved from
the UNIX name services configured on the Data Mover (for example, local group file, NIS, LDAP, and
so on) by using the username without the .domain extension.
Action
To include users' UNIX groups in their Windows credential, use this command syntax:
$ server_param <movername> -facility cifs -modify acl.extendExtraGid -value <new_value>
where:
<movername> = name of the Data Mover or VDM
<new_value> = 1 (to enable mapping) or 0 (to disable mapping)
Example:
To merge the users' UNIX and Windows groups together to build a Windows credential, type:
$ server_param server_2 -facility cifs -modify acl.extendExtraGid -value 1
Output
server_2: done
Modify Windows credential settings
For Windows 2000, access to a trusted domain requires setting additional rights for the CIFS
server retrieving a list of groups to which a user belongs. This server must be granted the
List contents and Read all properties rights.
Perform the following steps to set rights for the CIFS server:
1. Use the Microsoft AD User and Computer MMC in expert mode.
2. From the menu, select View > Advanced features.
3. Right-click the domain name, and select Security > Advanced.
4. Grant rights:
server_name is the NetBIOS name of the CIFS server. If a global share is used,
only CIFS share name is typed.
00 Success
01 Informational
10 Warning
11 Error
- C is the customer code flag
- R is a reserved bit
- Facility is the facility code
- Code is the status code of the facility
Typically, the NT status codes appear in the server_log with a subsystem specification of
SMB. The NT status code is presented in several ways in logged system events. Some
common ones are:
- A hexadecimal number prefixed by Em=0x:
SMB: 4: authLogon=SamLogonInvalidReply Es=0x0 Em=0xc0000064
- A simple hexadecimal number with no prefix and no indication of its format:
SMB: 4: SSXAuth_SERVER_EXT13 aT=3 mT=1 c0000016
- A simple hexadecimal number with a prefix of reply= and no indication of the format:
SMB: 4: lookupNames:bad reply=c0000073
- A simple hexadecimal number with a prefix of failed= and no indication of the format:
SMB: 4: SessSetupX failed=c0000016
- A hexadecimal number clearly marked as NTStatus= but with no indication of the format:
SMB: 4: MsError sendLookupNames=21 NTStatus=c0000073
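An added example (not part of the EMC documentation) that extracts the NT status code from each of the log formats listed above and splits it into the Sev, C, R, Facility and Code fields. The bit positions follow Microsoft's NTSTATUS layout and the status names come from Microsoft's published list; neither is taken from this page.

```python
"""Extract NT status codes from server_log SMB lines and decode their fields (added example)."""
import re
from typing import Iterable, List, NamedTuple, Optional

# Severity values as given in the legend on this page.
SEVERITY = {0b00: "Success", 0b01: "Informational", 0b10: "Warning", 0b11: "Error"}

# A few names from Microsoft's published NTSTATUS values (not from this page).
KNOWN_NAMES = {
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000073: "STATUS_NONE_MAPPED",
}

# Log lines copied from this page: the five formats above plus the E= line from Table 12.
SAMPLE_LOG = [
    "SMB: 4: authLogon=SamLogonInvalidReply Es=0x0 Em=0xc0000064",
    "SMB: 4: SSXAuth_SERVER_EXT13 aT=3 mT=1 c0000016",
    "SMB: 4: lookupNames:bad reply=c0000073",
    "SMB: 4: SessSetupX failed=c0000016",
    "SMB: 4: MsError sendLookupNames=21 NTStatus=c0000073",
    "2004-04-26 10:49:40: SMB: 3: Srv=<VNX_netbios_name> "
    "buildSecureChanel=Authenticate2 InvalidReply E=0xc0000022",
]

# Labelled forms: Em=0x..., E=0x..., reply=..., failed=..., NTStatus=...
_LABELLED = re.compile(r"\b(?:Em|E|reply|failed|NTStatus)=(?:0x)?([0-9A-Fa-f]{8})\b")
# Unlabelled form: a bare 8-digit hexadecimal token at the end of the line.
_BARE = re.compile(r"(?<![=\w])([0-9A-Fa-f]{8})\s*$")


class NtStatus(NamedTuple):
    value: int
    severity: str
    customer: bool
    reserved: bool
    facility: int
    code: int
    name: Optional[str]


def extract_status(line: str) -> Optional[int]:
    """Return the 32-bit NT status found in a log line, or None if there is none."""
    match = _LABELLED.search(line) or _BARE.search(line)
    return int(match.group(1), 16) if match else None


def decode_ntstatus(value: int) -> NtStatus:
    """Split a 32-bit NT status into Sev (2 bits), C, R, Facility (12 bits), Code (16 bits)."""
    return NtStatus(
        value=value,
        severity=SEVERITY[(value >> 30) & 0b11],
        customer=bool((value >> 29) & 1),
        reserved=bool((value >> 28) & 1),
        facility=(value >> 16) & 0x0FFF,
        code=value & 0xFFFF,
        name=KNOWN_NAMES.get(value),
    )


def triage(lines: Iterable[str]) -> List[NtStatus]:
    """Decode every line that carries an NT status; lines without one are skipped."""
    decoded = []
    for line in lines:
        value = extract_status(line)
        if value is not None:
            decoded.append(decode_ntstatus(value))
    return decoded


if __name__ == "__main__":
    for status in triage(SAMPLE_LOG):
        label = status.name or "(name not in local table)"
        print(f"0x{status.value:08X} {status.severity:<13} "
              f"facility={status.facility} code=0x{status.code:04X} {label}")
```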
Known problems and limitations
Table 12 on page 60 describes problems that might occur when using VNX for a multiprotocol
environment and presents workarounds.
Table 12. Known problems

Known problem: With NT user authentication, certain Windows 95 clients might not be able
to map drives from the Data Mover.
Symptom: The domain name sent to the Data Mover by the client was incorrectly specified,
or the username.domain is not mapped in the passwd file on the Data Mover.
Workaround: Verify that the client is sending the correct domain name to the passwd file.
To verify that the client is sending the correct domain:
- In the Network option in the Control Panel, double-click the network client (Client for
  Microsoft Networks).
- Under General properties, verify that the correct domain name is shown.

Known problem: With NT user authentication, an "Incorrect password" or "unknown username"
error message appears after attempts to connect to the server, and the username and
password window appears.
Symptom: The Windows NT user account might be missing from the primary domain controller
(PDC), or the Data Mover was unable to determine a UID to use for this user.
Workaround: Add the Windows NT user to the PDC and map the user to a UNIX username and UID.

Known problem: With NT user authentication, clients are unable to connect to the server,
and the window to prompt for username and password does not appear on the client side.
Symptom: No domain controller found for the domain.
Workaround: Check if PDC or backup domain controller (BDC) is up. Check if the Data Mover
can access a WINS server that knows about the PDC domain, or have the PDC and BDC in the
same local subnet as the Data Mover.

Known problem: The following message appears in the server_log:
The SAM database on the Windows NT server does not have a complete account for this workstation trust relationship.
Symptom: The server NetBIOS name is not registered as a computer account on the PDC
domain or a trust relationship has not been established between the client and server
domains.
Workaround: Verify that the computer account exists and add the computer account, if
needed. If the computer account does exist, remove it and add it again before retrying the
command. The Microsoft NT server 4.0 documentation provides more information on setting
up a trust relationship between domains.

Known problem: After joining a CIFS server to a domain, the following error appears in the
server_cifs output, indicating that the system cannot update the DNS record:
FQDN=dm4-a140-ana0.c1t1.pt1.c3lab.nsgprod.emc.com (Update of "A" record failed during update: Operation refused for policy or security reasons)
Symptom: The DNS server's zone might include the same fully-qualified domain name (FQDN)
for another computer account.
Workaround: Verify that the DNS server's zone does not have the same FQDN with a different
IP address for another computer account.

Known problem: 0xC0000022
2004-04-26 10:49:40: SMB: 3: Srv=<VNX_netbios_name> buildSecureChanel=Authenticate2 InvalidReply E=0xc0000022
Symptom: Access is denied because the computer was created on the domain controller
without enabling the Allow pre-Windows 2000 computers to use this account option on the
Windows New Object - Computer dialog box.
Workaround: Delete the computer and then re-create it with the Allow pre-Windows 2000
computers to use this account option enabled.

Known problem: When attempting to start MMC, the following error message appears:
OLE Object: PBrush
Symptom: MMC requires Internet Explorer 6.0 to use its Document Object Model (DOM) XML
parser.
Workaround: Upgrade the version of the Internet Explorer to 6.0.

Known problem: Solaris client receives the following warning message during the creation
of a user account:
UX:useradd: WARNING: more than NGROUPS_MAX(16) groups specified
The user account is still created but data unavailability might occur.
When attempting access, Solaris client receives an error message similar to:
nfs: [ID XXXXXX kern.notice] NFS access failed for server dm3-121-ana0-2: error 1 (RPC: Can not encode arguments)
Symptom: This is likely caused by the Solaris NGROUPS_MAX kernel parameter being set to
more than 16 groups, which is the default limit on Solaris systems. NFS only has support
for a maximum of 16 groups.
Depending on the UNIX implementation, the limit on the number of groups per user is
different:
- Solaris has a limit of 16 groups
- Linux has a limit of 32 groups
Workaround: In a multiprotocol environment, to extend this group number to more than 16,
use VNX File Server NT credential feature.

Known problem: When upgrading from a Windows NT domain to Windows 2000, unable to change
the original domain suffix during Windows 2000 setup.
Symptom: Unable to change domain suffix because it was hardcoded in dynamic DNS (DDNS).
Workaround: Before upgrading, change the domain suffix.

Known problem: Access is denied to Internet Information Services (IIS) 6.0 when attempting
to connect to the web directory on VNX share.
In the IIS web log, the error bad username or password appears even though the username
and password are in the local user database.
Symptom: For a stand-alone CIFS server with local user support enabled, the username and
password must be the same on IIS 6.0, the Data Mover, and the client.
Workaround: Specify the same username and password on IIS 6.0, the Data Mover, and the
client.
Error messages
All event, alert, and status messages provide detailed information and recommended actions
to help you troubleshoot the situation.
To view message details, use any of these methods:
• Unisphere software:
  Right-click an event, alert, or status message and select to view Event Details, Alert
  Details, or Status Details.
• CLI:
  Use this guide to locate information about messages that are in the earlier-release
  message format.
• EMC Online Support website:
  Use the text from the error message's brief description or the message's ID to search
  the Knowledgebase on the EMC Online Support website. After logging in to EMC
  Online Support, locate the applicable Support by Product page, and search for the
  error message.
EMC Training and Professional Services
EMC Customer Education courses help you learn how EMC storage products work together
within your environment to maximize your entire infrastructure investment. EMC Customer
Education features online and hands-on training in state-of-the-art labs conveniently located
throughout the world. EMC customer training courses are developed and delivered by EMC
experts. Go to the EMC Online Support website at http://Support.EMC.com for course and
registration information.
EMC Professional Services can help you implement your system efficiently. Consultants
evaluate your business, IT processes, and technology, and recommend ways that you can
leverage your information for the most benefit. From business plan to implementation, you
get the experience and expertise that you need without straining your IT staff or hiring and
training new personnel. Contact your EMC Customer Support Representative for more
information.
Appendix A
emcgetsd and emcsetsd
The emcgetsd and emcsetsd tools can be used on Linux, Solaris, and
HP-UX operating systems. Use the executable appropriate for your
operating system.
You can copy these tools onto a UNIX client without performing an
installation procedure on the client. EMC recommends that prior to using
these tools, you use the chmod command to be sure that the files are
executable, for example:
chmod 755 <filename>
Topic included is:
• Using emcgetsd and emcsetsd
Using emcgetsd and emcsetsd
View ACLs
Use the emcgetsd tool to view ACLs on a file or directory from a UNIX client or Control
Station. Table 13 on page 66 lists the emcgetsd tool command options and descriptions.
Table 13. emcgetsd

Each command or option is followed by its description.

emcgetsd -D <domain> -v -x <local_node_path>
emcgetsd a <local_node_path>
    Displays the security descriptor of a file system. A security descriptor lists
    the owner, ACL, and auditing information of the file system.

emcgetsd -D<domain>
    Directs the command to a specified domain. This domain can be different from the
    user domain if a trust relationship exists between the user domain and another
    domain. In this case, the command displays the SIDs for both domains.
    If the domain is not specified, CNS uses the default domain of the CIFS server.

-v
    Displays full ACL details.

-x
    If CIFS is not started or if the Windows name of a user or group cannot be found,
    the SID of this user is returned in decimal format unless the -x option is
    specified.

-s
    Displays the access rights of a user currently logged in from a UNIX client or a
    Control Station.

<local_node_path>
    Path of the file or directory on the UNIX client.
Modify ACLs
Use the emcsetsd tool to modify and view the ACL on a file or directory from a UNIX
client or Control Station.
When Windows permissions are changed by using the emcsetsd tool, the Windows
owner is replaced by the UNIX SID and the UNIX UID/GID, as shown in the following
examples:
Owner uid=898 Unix='luc' Sid=S-1-5-18-1-898
Group gid=109 Unix='emc2' Sid=S-1-5-18-2-109
Note: You must have the appropriate rights to use this tool.
Table 14 on page 68 lists the emcsetsd tool command options and descriptions.
Table 14. emcsetsd

Each command or option is followed by its description.

emcsetsd -D<domain> -r
    -g <user_or_group>,<rights>[,<flags>]
    -d <user_or_group>,<rights>[,<flags>]
    -s <user_or_group>,<rights>[,<flags>]
    -f <user_or_group>,<rights>[,<flags>]
    -a<user_or_group>,<rights>[,<flags>]
    <local_node_path>

    Sets, resets, and audits user or group access control rights on a file or
    directory.
    Note: If CIFS is not started or if the Windows name of a user or group is not
    found, the command is rejected.

    User
    A user can be one of the following:
    • UI=number
    • User=NIS name
    • domain\user

    Group
    A group can be one of the following:
    • GID=number
    • Group=NIS name
    • Everyone
    • CreatorOwner
    • CreatorGroup
    • domain\user
    Note: The user and group owner can be changed by using the chown or chgrp UNIX
    command.

    Rights
    The rights can be one of the following separated by a pipe (|):
    • READ_DATA
    • WRITE_DATA
    • APPEND_DATA
    • READ_EA
    • WRITE_EA
    • EXECUTE
    • DELETE_CHILD
    • READ_ATTRIBUTES
    • WRITE_ATTRIBUTES
    • DELETE
    • READ_CONTROL
    • WRITE_DAC
    • WRITE_OWNER
    A combination of RWXPDO:
    • R: Read
    • W: Write
    • X: Execute
    • P: ChangePermission
    • D: Delete
    • O: TakeOwnership
    One or more of the following separated by a pipe (|):
    • FullControl
    • Modify
    • ReadExecute
    • ListFolderContents
    • Read
    • Write

    Flags
    One or more of the following values separated by a pipe (|):
    • OBJECT_INHERIT: subfiles inherit this ACE.
    • CONTAINER_INHERIT: subfolders inherit this ACE.
    • NO_PROPAGATE_INHERIT: block inheritance from its parent.
    • INHERIT_ONLY: ACE is not part of access rights on the current directory, only
      for inheritance.
    • INHERITED_ACE: ACE was inherited.

-D <domain>
    Directs the command to a specified domain. This domain can be different from the
    user domain if there is a trust relationship between the user domain and another
    domain. In this case, the command displays the SIDs for both domains.
    If the domain is not specified, CNS uses the default domain of the CIFS server.

-r
    Removes current ACLs.
    Note: When the -r option is used, the SIDs of the owner and group are replaced by
    UNIX SIDs and therefore, after using the -r option, the identity of the owner and
    group reflects the new SIDs.

-g
    Grants access to a user or group.

-d
    Denies access to a user or group.

-s
    Audits successful access of a user or group.

-f
    Audits failed access of a user or group.

-a
    Audits all access of a user or group.

<local_node_path>
    Specifies the path of the file or directory on the UNIX client.
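A mistyped right or flag in an emcsetsd argument changes who can reach the data, so the tokens are worth checking before the tool runs. The following Python is an added example, not EMC code: it validates one <user_or_group>,<rights>[,<flags>] argument against the tokens listed in Table 14 and builds the argument vector. The function names and the sample path are hypothetical, the three rights forms are assumed to be alternatives that are not mixed, and the user or group name is passed through unchecked.

```python
# Added example: validate one emcsetsd ACE argument against Table 14.
GRANULAR = {"READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA",
            "EXECUTE", "DELETE_CHILD", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES",
            "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER"}
GENERIC = {"FullControl", "Modify", "ReadExecute", "ListFolderContents",
           "Read", "Write"}
FLAGS = {"OBJECT_INHERIT", "CONTAINER_INHERIT", "NO_PROPAGATE_INHERIT",
         "INHERIT_ONLY", "INHERITED_ACE"}
OPTIONS = {"grant": "-g", "deny": "-d", "audit_success": "-s",
           "audit_fail": "-f", "audit_all": "-a"}


def rights_ok(rights):
    """True for granular names, generic names, or RWXPDO letters (assumed not mixed)."""
    names = rights.split("|")
    return (all(n in GRANULAR for n in names)
            or all(n in GENERIC for n in names)
            or (rights != "" and set(rights) <= set("RWXPDO")))


def build_argv(action, who, rights, flags, path):
    """Return the emcsetsd argument vector, or raise ValueError on a bad token."""
    if action not in OPTIONS:
        raise ValueError("unknown action: %r" % action)
    if not who or "," in who:
        raise ValueError("user or group must be non-empty and contain no comma")
    if not rights_ok(rights):
        raise ValueError("unknown or mixed rights: %r" % rights)
    bad = [f for f in flags if f not in FLAGS]
    if bad:
        raise ValueError("unknown flags: %s" % ", ".join(bad))
    if not path or path.startswith("-"):
        raise ValueError("path must not be empty or look like an option")
    ace = "%s,%s" % (who, rights)
    if flags:
        ace += "," + "|".join(flags)
    # An argument list (no shell) keeps '|' from being read as a shell pipe.
    return ["emcsetsd", OPTIONS[action], ace, path]


if __name__ == "__main__":
    print(build_argv("grant", "GID=109", "READ_DATA|EXECUTE",
                     ["OBJECT_INHERIT"], "/mnt/fs1/docs"))
```

When the same argument is typed at a shell prompt instead, quote it so that the pipe characters reach emcsetsd.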
Glossary
A
access control list (ACL)
List of access control entries (ACE) that provide information about the users and groups
allowed access to an object.
Active Directory (AD)
Advanced directory service included with Windows operating systems. It stores information
about objects on a network and makes this information available to users and network
administrators through a protocol such as Lightweight Directory Access Protocol (LDAP).
Active Directory Users and Computers (ADUC)
Administrative tool designed to perform day-to-day Active Directory administration tasks.
These tasks include creating, deleting, modifying, moving, and setting permissions on objects
stored in the directory. These objects include organizational units, users, contacts, groups,
computers, printers, and shared file objects.
Alternate data stream (ADS)
Alternate data stream allows files to be associated with more than one data stream. For
example, a file such as text.txt can have an ADS with the name of text.txt:secret (of form
filename:streamname) that can only be accessed by knowing the ADS name or by specialized
directory browsing programs.
authentication
Process for verifying the identity of a user trying to access a resource, object, or service,
such as a file or a directory.
C
CIFS server
Logical server that uses the CIFS protocol to transfer files. A Data Mover can host many
instances of a CIFS server. Each instance is referred to as a CIFS server.
CIFS service
CIFS server process that is running on the Data Mover and presents shares on a network as
well as on Microsoft Windows-based computers.
Common Internet File System (CIFS)
File-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to
share file systems over the Internet and intranets.
D
Data Mover
In VNX for file, a cabinet component that is running its own operating system that retrieves
data from a storage device and makes it available to a network client. This is also referred
to as a blade.
default CIFS server
CIFS server created when you add a CIFS server and do not specify any interfaces (with the
interfaces option of the server_cifs -add command). The default CIFS server uses all
interfaces not assigned to other CIFS servers on the Data Mover.
domain
Logical grouping of Microsoft Windows Servers and other computers that share common
security and user account information. All resources such as computers and users are domain
members and have an account in the domain that uniquely identifies them. The domain
administrator creates one user account for each user in the domain, and the users log in to
the domain once. Users do not log in to each individual server.
Domain Name System (DNS)
Name resolution software that allows users to locate computers on a UNIX network or TCP/IP
network by domain name. The DNS server maintains a database of domain names, hostnames,
and their corresponding IP addresses, and services provided by the application servers.
See also ntxmap.
F
File Allocation Table (FAT)
File system used by MS-DOS and other Windows-based operating systems to organize and
manage files. The file allocation table (FAT) is a data structure that Windows creates when
you format a volume by using the FAT or FAT32 file systems. Windows stores information
about each file in the FAT so that it can retrieve the file later.
file system
Method of cataloging and managing the files and directories on a system.
G
Group Policy Objects (GPO)
In Windows operating systems, administrators can use Group Policy to define configuration
options for groups of users and computers. Windows Group Policy Objects can control
elements such as local, domain, and network security settings.
L
Lightweight Directory Access Protocol (LDAP)
Industry-standard information access protocol that runs directly over TCP/IP. It is the
primary access protocol for Active Directory and LDAP-based directory servers. LDAP version 3
is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF)
RFC 2251.
N
NetBIOS name
Name recognized by WINS, which maps the name to an IP address.
network basic input/output system (NetBIOS)
Network programming interface and protocol developed for IBM personal computers.
network file system (NFS)
Network file system (NFS) is a network file system protocol that allows a user on a client
computer to access files over a network as easily as if the network devices were attached to
its local disks.
NTFS
NTFS is the standard file system of Windows NT, including its later versions. NTFS supersedes
the FAT file system as the preferred file system for Microsoft Windows. NTFS has several
improvements over FAT such as improved support for metadata and the use of advanced data
structures to improve performance, reliability, and disk space utilization, plus additional
extensions such as security access control lists (ACL) and file system journaling.
S
Security Access Manager or Security Accounts Manager (SAM)
Microsoft Windows service that authenticates users to use resources on the network. The SAM
database is the location of all security and user account information for a Windows NT
domain.
Server Message Block (SMB)
Underlying protocol used by the CIFS protocol enhanced for use on the Internet to request
file, print, and communication services from a server over the network. The CIFS protocol
uses SMB to provide secure file access and transfer to many types of hosts such as LANs,
intranets, and the Internet.
share name
Name given to a file system, or resource on a file system available from a particular CIFS
server to CIFS users. There may be multiple shares with the same name, shared from different
CIFS servers.
V
Virtual Data Mover (VDM)
VNX for file software feature that enables users to administratively separate CIFS servers,
replicate CIFS environments, and move CIFS servers from one Data Mover to another.
W
Windows domain
Microsoft Windows domain controlled and managed by a Microsoft Windows Server by using
the Active Directory to manage all system resources and by using the DNS for name resolution.
Windows Internet Naming Service (WINS)
Software service that dynamically maps IP addresses to computer names (NetBIOS names).
This allows users to access resources by name instead of requiring them to use IP addresses
that are difficult to recognize and remember. WINS servers support clients by running
Windows NT 4.0 and earlier versions of Microsoft operating systems.
Windows NT domain
Microsoft Windows domain controlled and managed by a Microsoft Windows NT server by
using a SAM database to manage user and group accounts and a NetBIOS namespace. In a
Windows NT domain, there is one primary domain controller (PDC) with a read/write copy of
the SAM, and possibly several backup domain controllers (BDC) with read-only copies of the
SAM.
See also domain and domain controller.