Manual Chapter: Troubleshooting CIFS Services

Applies To:


ARX

  • 6.3.0
Chapter 11
A CIFS service keeps client-access statistics for each of its exports/shares. Use the show cifs-service exports command to show these statistics:
where fqdn | all is a required choice:
fqdn (1-128 characters) identifies a single CIFS service by its fully-qualified domain name (for example, www.myorg.org).
all selects all CIFS services on the current switch.
bstnA> show cifs-service exports ac1.medarch.org
show cifs-service exports fqdn slot.processor
fqdn (1-128 characters) identifies the CIFS service,
slot (2 in the ARX-4000, 1 in all other platforms) is the slot number of the desired NSM, and
processor (1-12) is the NSM-processor number. Use show processors for a complete list of processors (and their modules and slots) on the ARX.
bstnA> show cifs-service exports ac1.medarch.org 2.5
If MMC is allowed for this CIFS service (see Supporting MMC Browsing, on page 11-23 of the ARX® CLI Storage-Management Guide), authorized clients can use MMC to list all client connections to the CIFS service. You can perform the same operation from the CLI. Use the show cifs-service user-sessions command to list the client connections to one or all CIFS services:
where fqdn | all is a required choice:
fqdn (1-128 characters) identifies a single CIFS service by its fully-qualified domain name (for example, www.company.com).
all selects all CIFS services on the current switch.
fqdn (1-128 characters) identifies a single CIFS service,
slot (2 on the ARX-4000, 1 in all other platforms) is the slot number of the desired NSM, and
processor (1-12) is the NSM-processor number. Use show processors for a complete list of processors (and their modules and slots) on the ARX.
bstnA> show cifs-service user-sessions ac1.medarch.org 2.7
The show statistics cifs work-queues command enables you to display time statistics for various CIFS-related tasks that transit the CIFS work queues. These statistics are useful for diagnosing problems with CIFS performance.
where vg-id or instance-id specifies the volume group or namespace instance identifier for which you want to display CIFS work queue statistics.
The command clear statistics cifs work-queues enables you to reset those statistics. The clear statistics filer command resets some CIFS statistics that are not covered by clear statistics cifs work-queues.
The command show statistics cifs fastpath enables you to display a variety of statistics related to CIFS servers. These statistics include the numbers of front end and back end connections, the number of transactions handled, and others.
slot.processor indicates a specific NSM processor against which to execute the command.
bstnA# show statistics cifs fastpath
From priv-exec mode, you can use drop cifs-service user-session to close a session with a CIFS client:
drop cifs-service user-session fqdn slot.processor ipaddress client
fqdn (1-128 characters) identifies a single CIFS service,
slot.processor identifies a network processor, and
client identifies the client session by its source-IP address.
For example, this command sequence shows all CIFS clients, drops a client session, then shows that the session's Age has restarted (indicating that the client application re-connected to the CIFS service):
bstnA> show cifs-service user-sessions all
bstnA> enable
bstnA# drop cifs-service user-session ac1.medarch.org 2.9 ipaddress 172.16.100.68
bstnA# show cifs-service user-sessions all
where fqdn | all is a required choice:
fqdn (1-128 characters) is the fully-qualified domain name (for example, www.company.com) for the CIFS service's global server.
all selects all CIFS services on the current switch.
If remote-Windows management is allowed for this CIFS service (see Supporting MMC Browsing, on page 11-23 of the ARX® CLI Storage-Management Guide), authorized clients can use MMC to list these files.
bstnA> show cifs-service open-files ac1.medarch.org
fqdn (1-128 characters) identifies a single CIFS service,
slot (2 on the ARX-4000, 1 in all other platforms) is the slot number of the desired NSM, and
processor (1-12) is the NSM-processor number. Use show processors for a complete list of processors (and their modules and slots) on the ARX.
bstnA> show cifs-service open-files ac1.medarch.org 2.5
For situations where a client needs access to a long-opened file, you can use the close cifs file command to forcibly close the file. Invoke this command from priv-exec mode:
close cifs file fqdn slot.processor fid file-id
fqdn (1-128 characters) identifies a single CIFS service,
slot.processor identifies a network processor, and
file-id (0-65535) identifies the file. This ID is shown in the output of show cifs-service open-files, described above.
bstnA> show cifs-service open-files ac1.medarch.org 2.2
bstnA> enable
bstnA# close cifs file ac1.medarch.org 2.2 fid 515
bstnA# show cifs-service open-files ac1.medarch.org 2.2
If Kerberos is active for this CIFS service, the service passes Kerberos tickets to clients who successfully authenticate. The CIFS service caches the Kerberos tickets on behalf of its clients. These tickets have an expiration time. To view all cached tickets, the clients who hold the tickets, and the expiration times, use the show cifs-service kerberos-tickets command:
where fqdn | all is a required choice:
fqdn (1-128 characters) is the fully-qualified domain name (for example, www.company.com) for the CIFS service's global server.
all selects all CIFS services on the current switch.
The output refers to a client as a Principal and a server or Ticket-Granting Ticket as a Service Principal. For each principal with a Kerberos ticket, this shows the contents of all tickets (including grant times and expiration times). The total number of principals, ticket-granting tickets, and service tickets appears at the end. If you select all, each CIFS service has a separate section with the totals at the end.
bstnA> show cifs-service kerberos-tickets ac1.medarch.org
You can search for a particular principal by adding the user clause to the end of the command:
show cifs-service kerberos-tickets {fqdn | all} user username
where username (1-128 characters) is a search string for one or more principals. The output includes all principals whose first characters match this string. This is a case-blind comparison, so jpub matches jpublic, jpublisher, and JPUBS.
bstnA> show cifs-service kerberos-tickets ac1.medarch.org user juser
Some AD policies set an expiration period for machine-account passwords; if a CIFS service's password expires, its clients can no longer use Kerberos authentication. Before the password expires, you can use a CLI command to reset it (see Changing the ARX's Machine-Account Keys (Kerberos), on page 11-38 of the ARX® CLI Storage-Management Guide). If a service's password expires before you reset it with that command, you must remove and rebuild the CIFS-service configuration to get an entirely new machine-account password. The CIFS service cannot use its expired password to get a new one.
You begin to remove a CIFS service by recording its configuration. Use the show global-config cifs fqdn command for an ordered list of the CLI commands required to build the fqdn service (recall Focusing On Named Configurations). For example, this shows the configuration for the ac1.medarch.org service:
bstnA> show global-config cifs ac1.medarch.org
Remove the kerberos-creds command from the file. The CLI uses this command only for global-config playback. That command preserves the now-expired machine-account password, and precludes the domain-join command that you must execute later.
If there are any dynamic-dns commands, as above, remove all of them. If there is more than one, you may want to save them to a separate file. Each of these commands registers a DNS name with a dynamic-DNS server; this is only possible after the CIFS service rejoins the domain.
Also remove the enable command. You enable the service manually, after you rejoin the CIFS service to the AD domain.
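The three edits above, sketched as an added Python example that is not part of the ARX documentation. The capture text is constructed and its line layout is an assumption; only the kerberos-creds, dynamic-dns and enable command names come from this chapter.

```python
"""Added example: filter a saved 'show global-config cifs <fqdn>' capture for replay."""

# Constructed capture; the layout and placeholder values are assumptions.
SAMPLE_CAPTURE = """\
cifs ac1.medarch.org
  <other service commands, kept as-is>
  kerberos-creds <placeholder>
  dynamic-dns <hostname-1>
  dynamic-dns <hostname-2>
  enable
  exit
"""

# Commands this chapter says to take out before replaying the configuration.
DROP = {"kerberos-creds", "dynamic-dns", "enable"}


def prepare_replay(capture):
    """Return (replay_lines, dns_lines, dns_removal_lines) for one capture."""
    replay, dns, removals = [], [], []
    for raw in capture.splitlines():
        words = raw.split()
        keyword = words[0] if words else ""
        if keyword == "dynamic-dns":
            # Kept separately: re-entered after the domain join, and the
            # "no" form is what is entered before the service is removed.
            dns.append(raw.strip())
            removals.append("no " + raw.strip())
        if keyword not in DROP:  # whole-word match, so "enabled-x" survives
            replay.append(raw)
    # Fail closed if the preserved machine-account password is still present.
    if any("kerberos-creds" in line for line in replay):
        raise ValueError("kerberos-creds still present in replay text")
    return replay, dns, removals


if __name__ == "__main__":
    replay, dns, removals = prepare_replay(SAMPLE_CAPTURE)
    print("\n".join(replay))
    print("-- enter before 'no cifs':", *removals, sep="\n")
    print("-- re-enter after domain-join:", *dns, sep="\n")
```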
For example, this is the correct configuration (without the kerberos-creds command, the enable command, or any dynamic-dns commands) to store for the above CIFS service:
At the ARX CLI, enter no terminal confirmation to avoid any confirmation prompts. This makes it easier to copy and paste the above configuration into the CLI later. You can enter this command from any mode. For example:
bstnA(gbl)# no terminal confirmation
If the CIFS service uses dynamic DNS, you must remove the service's hostname(s) from your local DNS before you remove the service. This is evident in the global-config file you created above; each dynamic-dns command in the file (if there are any) represents one DNS hostname. You can skip this section if your CIFS service does not use any dynamic-DNS hostnames.
Use no dynamic-dns for each of this service's DNS hostnames. This sends hostname-removal notifications to local dynamic-DNS servers (typically DCs; see Removing a Host Name, on page 11-36 of the ARX® CLI Storage-Management Guide). For each dynamic-dns command in the global-config file, go to gbl-cifs mode and enter the no form of that exact command. To continue the above example, this removes DNS support for four hostnames:
bstnA(gbl)# cifs ac1.medarch.org
Wait several seconds after you remove the final hostname, so that the DNS server(s) have time to remove the hostname(s) from service. You can use the show dynamic-dns command to monitor the operation (see Showing Dynamic-DNS Status, on page 11-36 of the ARX® CLI Storage-Management Guide).
Once all dynamic-DNS hostnames are removed, you can remove the entire CIFS service. Use the no cifs fqdn command from gbl mode (as described in Removing a CIFS Service, on page 11-54 of the ARX® CLI Storage-Management Guide). For example:
bstnA(gbl)# no cifs ac1.medarch.org
The next step is to rejoin the CIFS service to the AD domain. This generates a new secret password for the CIFS service. Use the domain-join command from gbl-cifs mode, as described in Joining a CIFS Service to an Active Directory Domain, on page 11-26 of the ARX® CLI Storage-Management Guide. Then use the enable command from the same mode. For example, this joins the ac1.medarch.org service to its AD domain, MEDARCH.ORG:
bstnA(gbl)# cifs ac1.medarch.org
bstnA(gbl-cifs[ac1.medarch.org])# domain-join MEDARCH.ORG
Username: acoadmin
bstnA(gbl)# cifs ac1.medarch.org
Best practices dictate that terminal confirmation is enabled for everyday use of the CLI. As a final step, turn terminal confirmation back on. For example:
3. After the DCs are synchronized with the new password, re-run the user (gbl-proxy-user) command to change the password on the ARX.