Character encoding is the mapping between binary numbers and written characters. Some character-encoding schemes use only a single byte for each character; these typically support alphabets without any Asian characters. Multi-byte encoding schemes encompass Asian character sets. Unicode (such as UTF-8) can also use more than one byte per character, and encompasses most character sets and languages. Use the character-encoding command to set the namespace's character encoding for NFS file names.
Use no character-encoding to reset NFS file names back to the single-byte default.
utf-8 specifies UTF-8 (Unicode) character encoding.
shift-jis specifies Shift_JIS (Japanese) character encoding.
cp932 is Code Page 932, or Windows-31J (Japanese) character encoding. This is the Microsoft version of Shift_JIS.
euc-jp specifies EUC-JP (Extended Unix Code - Japanese) character encoding.
ksc5601 is KSC5601 (Korean) character encoding.
iso-8859-1 is ISO 8859-1 (Latin1, single-byte) character encoding.
NFS character encoding determines the character encoding for file names. Any NFS server and client must be set for the same NFS character encoding to communicate properly. The NFS character encoding should be well-established at any site before the ARX is installed.
A multi-protocol (NFS and CIFS) namespace does not allow a CIFS client to name a file or directory with characters that are not supported by NFS character encoding. If NFS names support only single-byte characters, the namespace enforces the same restriction on CIFS names. During the initial import of multi-protocol shares, the volume uses the NFS-side name of each file (possibly a filer-generated name), and renames each directory so that it is valid in NFS. (You can use no import rename-directories to prevent directory renames on import.) We recommend UTF-8 character encoding for multi-protocol namespaces and the filers behind them.
The no form of the command returns the namespace to default character encoding.
bstnA(gbl-ns[wwmed])# no character-encoding nfs
Some scanners and photocopiers have a Save As feature that allows the client to save a copy of a scanned file onto a remote CIFS server. Many scanners and copiers make queries to the CIFS server's hidden IPC$ share before they save the file. These devices make their queries as the anonymous Windows-user account. To allow anonymous queries to the current namespace's IPC$ share, use the cifs anonymous-access command.
Use no cifs anonymous-access in a namespace that does not support connections to the IPC$ share.
Only a small set of photocopiers requires this access before saving files to the namespace. The F5 Data Solutions Compatibility Matrix (included with this doc set) lists all the photocopiers that are known to require this feature.
The cifs anonymous-access command permits anonymous queries to the virtual IPC$ share, but does not permit scanners and photocopiers to actually save files to any of the namespace's volumes. As always, the scanner/copier must provide a valid Windows username and password to perform the file-save operation.
Certain CIFS-client operating systems, such as Mac OS X v10.4, also require anonymous access to make certain queries.
If a single front-end cifs service has exports from more than one namespace, this setting must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) Therefore, if this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
provA(gbl-ns[provMed])# cifs anonymous-access
allows certain scanners and copiers to perform anonymous queries in the provMed namespace. This is a necessary first step to supporting the Save As feature from those scanners.
bstnA(gbl-ns[insur])# no cifs anonymous-access
Synchronize conflicting parameter(s) for all the namespaces exported along with this namespace in a service and continue? [yes/no] yes
Use the cifs filer-signatures command to enable (or perhaps require) SMB signing between this namespace and the external filers behind it. SMB signing is the process of placing a digital signature into each Server Message Block (SMB) exchanged between a CIFS server (each filer) and client (the namespace software). SMB signing prevents man-in-the-middle attacks at the cost of slower performance.
Use no cifs filer-signatures to disable SMB signing between the namespace and its filers. This breaks all CIFS communication with any filers that require SMB signing.
required (optional) obligates all CIFS filers to use SMB signing in their communication with the namespace. If any of the namespace's filers refuse to support SMB signing, the namespace cannot make any CIFS connections to the filer.
This applies only to namespaces that support CIFS. Use the protocol command to set the file-access protocols for the namespace.
Without SMB signing, the default for the namespace, the namespace cannot access the CIFS storage on any of its filers that require it.
If you use this command with the required option, the namespace can only connect to filers that support SMB signing. The namespace refuses to make a CIFS connection to any filer that does not support SMB signatures.
The least-restrictive setting is to enable SMB signing without requiring it (using the cifs filer-signatures syntax). The namespace can then connect to any filer, whether it requires or refuses SMB signing. If the namespace software has a choice, it prefers not to use SMB signing for performance reasons.
To control the SMB-signing policy between the ARX and its clients, you can use the signatures command in gbl-cifs mode. To see the number of filers and/or clients who have used SMB signing, along with some success and failure statistics, use the show fastpath cifs-signatures command.
bstnA(gbl-ns[insur])# cifs filer-signatures
allows SMB signing for any filer behind the insur namespace. If a filer requires SMB signing, the namespace will comply. Otherwise, to improve CIFS performance, the namespace negotiates for no SMB signing.
bstnA(gbl-ns[ns1])# cifs filer-signatures required
requires SMB signing for all filers behind the ns1 namespace. If any filer behind the namespace refuses SMB signing, the namespace cannot connect to any of its CIFS shares.
bstnA(gbl-ns[ns4])# no cifs filer-signatures
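The three cifs filer-signatures settings, modelled as an added example (not ARX code or output): negotiate() encodes the outcomes stated above, and audit() previews a setting change against a filer inventory, listing the filers that would become unreachable and those whose sessions would stay unsigned. The filer names and the stance labels are constructed for illustration.

```python
from dataclasses import dataclass

# Namespace-side settings, matching the three states this page describes.
NOT_ENABLED, ENABLED, REQUIRED = "not-enabled", "enabled", "required"
# Filer-side stances toward SMB signing (labels are this example's own).
REFUSES, SUPPORTS, REQUIRES = "refuses", "supports", "requires"


@dataclass(frozen=True)
class Outcome:
    connects: bool  # can the namespace open a CIFS connection to the filer?
    signed: bool    # are the SMBs on that connection signed?


def negotiate(ns_setting, filer_stance):
    """Outcome of the namespace-to-filer negotiation, per the text above."""
    if ns_setting not in (NOT_ENABLED, ENABLED, REQUIRED):
        raise ValueError("unknown namespace setting: %r" % ns_setting)
    if filer_stance not in (REFUSES, SUPPORTS, REQUIRES):
        raise ValueError("unknown filer stance: %r" % filer_stance)

    # Without SMB signing, the namespace cannot reach filers that require it.
    if filer_stance == REQUIRES and ns_setting == NOT_ENABLED:
        return Outcome(connects=False, signed=False)
    # With 'required', the namespace refuses filers that will not sign.
    if ns_setting == REQUIRED and filer_stance == REFUSES:
        return Outcome(connects=False, signed=False)
    # Given a choice, the namespace prefers not to sign, so a session is
    # signed only when one side insists on it.
    signed = ns_setting == REQUIRED or filer_stance == REQUIRES
    return Outcome(connects=True, signed=signed)


def audit(filers, current, proposed):
    """Preview a change of setting across a {filer name: stance} inventory."""
    report = {"breaks": [], "unsigned": [], "newly_signed": []}
    for name, stance in sorted(filers.items()):
        before = negotiate(current, stance)
        after = negotiate(proposed, stance)
        if before.connects and not after.connects:
            report["breaks"].append(name)        # loses CIFS connectivity
        if after.connects and not after.signed:
            report["unsigned"].append(name)      # still open to tampering
        if after.signed and not before.signed:
            report["newly_signed"].append(name)  # gains signing protection
    return report


# Constructed inventory: one filer for each stance.
SAMPLE_FILERS = {
    "filer-a": REQUIRES,
    "filer-b": SUPPORTS,
    "filer-c": REFUSES,
}

if __name__ == "__main__":
    print(audit(SAMPLE_FILERS, NOT_ENABLED, ENABLED))
    print(audit(SAMPLE_FILERS, ENABLED, REQUIRED))
```

The first audit shows that enabling signing without requiring it leaves every filer that merely supports signing on an unsigned session; only the required setting removes that exposure, at the cost of the filers listed under breaks.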
Use the optional description command to set a descriptive string for the current namespace, volume, or share. This appears in the show namespace command.
Use the no form of the command to delete the description.
text (1-255 characters) is your description. Surround the text with quotation marks ("") if it contains any spaces.
bstnA(gbl-ns[wwmed])# description "namespace for World-Wide Medical network"
bstnA(gbl-ns-vol-shr[medarcv~/rcrds~rx])# description "prescriptions since 2002"
Use the enable command to activate the current namespace or volume, or its shares.
Use no enable to stop access to the current namespace or volume.
shares (optional) causes all of the namespace's or volume's shares to be enabled.
take-ownership (optional) causes the namespace or managed volume to take ownership of all back-end shares. Use this option only if you are sure that the shares are not in active use by a managed volume on another ARX. For example, some sites use filer applications to replicate all data from one site to another; if an ARX had managed volumes at the primary site, the ARX's ownership marker (a file) would be copied to the second site. An ARX at the second site could only import the share if you use the take-ownership option. The option has no effect on a direct volume, or on any direct volumes in the namespace.
Important: This option could possibly remove a share from another managed volume that is in service. Use the take-ownership option only for cases where some shares are spuriously marked by another ARX. The CLI prompts for confirmation if you use this option; enter yes to proceed.
You must enable a volume for it to be accessible by clients. When you enable a namespace, the CLI enables all volumes in the namespace.
The enable command causes a managed volume to import external files and directories into its shares. For large directory structures, this takes some time. If there are any name collisions, they occur when you issue the enable command. The import happens asynchronously; you can monitor its progress with the show namespace or show namespace status commands.
Important: For shares backed by NetApp or EMC, you may need to access the filer directly and pre-create some qtrees or EMC tree quotas. This rare configuration issue only occurs if:
- this is a managed volume,
- you want to support both free-space quotas (freespace cifs-quota), and
- you also want to support filer-subshares in this volume.
In this case, a NetApp share requires one qtree per subshare, and an EMC import share must be an EMC File System with one quota tree per subshare. Pre-create the NetApp qtrees and/or EMC quota trees before you enable the share. See the Guidelines: Subshare Replication with Free-Space Quotas section of the filer-subshares documentation.
Each volume belongs to a volume group, which shares a memory pool as well as CPU time. The volume group is associated with several resource limits that are enforced as soon as the volume is enabled. Refer to the volume-group and reserve files commands for details.
The no enable command makes the volume(s) inaccessible to clients. When a volume is disabled, client applications get no response from it. Different applications react to this in different ways; some hang, others log error messages to an internal log. The shutdown is cleaner for your clients if you first perform no export (gbl-nfs), no export (gbl-cifs), and no browsing for all NFS and/or CIFS services that export the volume.
A direct volume is a collection of directory attach points that is easier to configure than a managed volume but does not offer any policy features. Each attach-point directory in the direct volume is attached to an actual directory on a back-end filer. A direct volume keeps no metadata. You use the direct command to declare a volume to be a direct volume.
The enable command does not trigger an import in a direct volume, since there is no metadata to construct. The enable operation is therefore much faster. Also, the take-ownership option has no effect on a direct volume.
A CIFS volume with filer-subshares or cifs access-based-enum enabled performs some additional processing during import. Specifically, the volume software discovers CIFS subshares (shares under the imported shares) and ABE settings, and it makes these settings consistent at every back-end filer. This process produces a report to show its results, named syncSshrNewStorageReport_timestamp.rpt. You can use show reports to get a list of reports, and show reports report-name to read a particular report.
bstnA(gbl-ns[ns])# enable shares take-ownership
enables all shares in the current namespace, ns. For all managed volumes in the namespace, this takes ownership of any filer shares that appear to be managed by another ARX.
bstnA(gbl-ns-vol[unused-ns~/vol2])# no enable
Use the namespace command to create a new namespace, or edit an existing one.
Use the no form of the command to delete a namespace.
no namespace name
name (1-30 characters) is a name you choose for the namespace. The name all is reserved and cannot be used.
The CLI prompts for confirmation before creating a namespace; enter yes to continue. (You can use terminal expert to eliminate confirmation prompts for creating new objects.)
This places you in gbl-ns mode, where you must establish one or more managed volumes and/or direct volumes for the namespace. Each managed volume is like a file system in the namespace; it is composed of files and directories from various back-end filers. A direct volume contains shares with attach points, which are analogous to NFS mount points and mapped CIFS shares. A managed volume contains metadata and supports policy rules; a direct volume does not. Use the volume command to create either type of volume.
From gbl-ns mode, you must also set the file-access protocol (NFSv2, NFSv3 (over UDP), and/or CIFS), and you must configure any security parameters to properly authenticate clients. Use the protocol command to set the file-access protocol(s). Use the enable (gbl-ns, gbl-ns-vol) command to enable the namespace.
You must remove all of the namespace's volumes before you can remove the namespace with no namespace. Removing a volume is a complex process, described in the documentation for the volume command. The remove namespace command removes all volumes for you; best practices dictate that you use that command instead. The remove service command removes the namespace and all other configuration objects that are exclusively dedicated to the namespace, such as external filers and global servers.
bstnA(gbl)# namespace ns
bstnA(gbl)# no namespace myNameSpace
This command is only necessary behind a cifs service that uses unconstrained delegation (or is not joined to its domain). Best practices dictate that you use constrained delegation, as described in the domain-join documentation, and avoid this CLI command.
Use the ntlm-auth-db command to assign an NTLM-authentication database to the current namespace.
Use the no form of the command to remove an NTLM authentication database.
no ntlm-auth-db name
This feature is designed for demonstrations with limited CIFS-service offerings. This is for CIFS services that either do not support Kerberos or support Kerberos with unconstrained delegation. For a namespace behind a non-Kerberos service, or a service with unconstrained delegation, the ntlm-auth-server is designed for long-term use.
This command assigns an NTLM authentication database to a namespace. One database can be used in multiple namespaces. Use the gbl-mode ntlm-auth-db command to create an NTLM authentication demo database.
You must also use cifs authentication ntlm and/or cifs authentication ntlmv2 for the namespace to support NTLM or NTLMv2 authentication.
If a single front-end cifs service has exports from more than one namespace, this group of NTLM-Authentication DBs must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
bstnA(gbl-ns[ns1])# ntlm-auth-db DEMO
This command is only necessary behind a cifs service that uses unconstrained delegation (or is not joined to its domain). Best practices dictate that you use constrained delegation, as described in the domain-join documentation, and avoid this CLI command.
Use the ntlm-auth-server command to assign an ARX Secure Agent (ASA) server to the current namespace. To support clients from multiple Windows domains, you can use this command multiple times.
Use the no form of the command to remove an ASA from the namespace. This prevents clients in the ASA's Windows Domain from using NTLM or NTLMv2 authentication.
no ntlm-auth-server name
name (1-128 characters) is the name of an ASA.
Use this command to assign an ARX Secure Agent (ASA) server to a namespace. The ASA facilitates NTLM and/or NTLMv2 authentication for the namespace's clients. Each ASA runs on a Windows-Domain Controller (DC) for a single Windows Domain. See the ARX Secure Agent Installation Guide for more information.
Note: If the namespace's front-end CIFS Service uses constrained delegation, introduced with Windows Server 2003, the Secure Agent (and this command) is unnecessary. An administrator with Domain Administrator privileges can go to the DC and configure constrained delegation for this CIFS service. You can use the probe delegate-to command to find all back-end filers behind a CIFS service, which the DC administrator adds to the CIFS service's delegate-to list. Once the CIFS service is set up this way at the DC, the service's NTLM/NTLMv2 clients can authenticate without help from a Secure Agent.
A single namespace can support NTLM/NTLMv2 for clients from multiple Windows domains. For each supported domain, install an ASA on at least one DC.
A namespace can authenticate its clients with NTLM, NTLMv2, and Kerberos concurrently. This facilitates network transitions from NTLM to Kerberos. Use cifs authentication to configure NTLM, NTLMv2, Kerberos, or any combination of those authentication protocols. Each client chooses a protocol from that set.
If a single front-end cifs service has exports from more than one namespace, this group of ASAs must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.)
If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
Removing an ASA (with no ntlm-auth-server) may stop NTLM and NTLMv2 support for the ASA's Windows domain; if this is the only ASA for the domain, clients from that domain can no longer authenticate through NTLM. This may also affect Kerberos clients in the domain if they drop down to NTLMv2 or NTLM. You can add a new ASA to the namespace at any time to support NTLM and/or NTLMv2 in a new Windows domain.
For demonstration purposes, there is an alternative to configuring an external ASA: you can use ntlm-auth-db to map a small group of clients to a single set of valid NTLM credentials. The switch uses the back-end credentials to authenticate to CIFS filers.
bstnA(gbl-ns[insur])# ntlm-auth-server server1
NFS and CIFS services may export volume paths from multiple namespaces subject to certain restrictions. Parameter 'NTLM auth servers' for namespace 'insur' conflicts with that for namespace 'medarcv' in service 'ac1.medarch.org'. Synchronize conflicting parameter(s) for all the namespaces exported along with this namespace in a service and continue? [yes/no] yes
Use this command to assign Windows credentials (username, password, and Windows domain) to the current namespace. The namespace's managed volumes use these credentials to import CIFS shares, periodically check their health, and migrate files between them.
Use the no form of the command to remove a proxy-user configuration from this namespace.
name (1-32 characters) is the Windows proxy user to associate with the current namespace.
If the proxy user has an FQDN for its windows-domain (gbl-proxy-user), it uses Kerberos to authenticate with back-end filers. If it fails to get a Kerberos ticket, it drops down to NTLMv2, and then (if that fails, too) NTLM.
Note: This has no relationship to the proxy-user (gbl-filer) command, which a snapshot-supporting volume uses to log into the filer's CLI. This command supports CIFS imports and policy migrations, and the gbl-filer command supports coordinated snapshots. You must assign both types of proxy users to support both features.
bstnA(gbl-ns[medarcv])# proxy-user acoProxy2
Use the remove namespace command to remove a namespace or volume, along with all of its associated metadata and front-end exports.
remove namespace name [volume volume] [timeout seconds] [sync]
name (1-30 characters) identifies the namespace.
volume (optional, 1-1024 characters) focuses on a single volume.
seconds (optional, 300-10,000) sets a time limit for the removal of each namespace (or volume) component.
sync (optional) shows the operation's progress at the command line. With this option, the CLI prompt does not return until all components have been removed.
The CLI prompts for confirmation before removing any configuration objects or metadata; enter yes to proceed.
By default, this command generates a report to show all of the actions it takes to remove the volume(s), in order. The CLI shows the report name after you issue the command, and then returns. You can enter CLI commands as the namespace software removes the objects in the background. Use tail to follow the report as it is written. Use show reports file-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. Use the sync option to send the status to the command line instead; the command does not generate a report if you use the sync option.
To remove a namespace and all other configuration objects dedicated to the namespace (including global servers and external filers), use remove service. To remove a share from a volume, use remove-share migrate or remove-share nomigrate. Use the remove namespace ... policy-only command to remove all policy objects (rules, share farms, and/or filesets) from a namespace or volume. The remove namespace ... volume ... exports-only command finds all front-end exports for a volume and removes them, leaving the volume itself intact.
prtlndA# remove namespace insur_bkup sync
Use the show namespace command to show summaries of all namespaces, or to include a single namespace name to view configuration details for that namespace.
show namespace name [volume vol-path [share share-name]]
name (optional, 1-30 characters) identifies the namespace. If you omit this, the output lists all namespaces on the switch.
vol-path (optional, 1-1024 characters) is the name of the volume.
share-name (optional, 1-64 characters) is the name of the share.
all lists details for all configured namespaces.
This shows the full configuration and status of a namespace. For status only (to monitor the progress of an import), you can use the smaller show namespace status command.
The show namespace output displays the following fields:
Metadata Cache Size is the internal cache size in MB (512 MB is the default). To change the cache size, use the metadata cache-size command.
Proxy User is the username/password used by the ARX to access back-end CIFS shares. Use the proxy-user (gbl-ns) command to set this.
Filer SMB Signatures describes this namespace's setting for SMB signing, a CIFS security feature. This is Enabled (use SMB signing if and only if the filer requires it), Required (only connect to CIFS filers that agree to use SMB signing), or Not Enabled (only connect to filers that do not require SMB signing). You can change this with the cifs filer-signatures command.
NFS Character Encoding only appears in a namespace that supports NFS. This shows the character encoding used for all file and directory names sent to NFS clients. You can change this with the character-encoding nfs command.
SAM Reference Filer only appears if explicitly set with the sam-reference command. This shows the CIFS filer used to answer all CIFS-client queries to the Security Account Management (SAM) database.
CIFS Authentication appears only for a namespace that supports CIFS:
Protocols is a list of the authentication used (NTLM, NTLMv2, and/or Kerberos). Use cifs authentication to change this setting.
NTLM Servers (only appears if configured) is a list of external authentication servers, set by ntlm-auth-server (gbl-ns).
Metadata shares is shown only if the namespace uses a metadata-only share. Use the metadata share command to use a metadata-only share for the namespace. This is a table with the following columns (one row per configured share):
Filer is the IP address or DNS name for the filer,
Backend Path is the filer's share name or NFS-export path,
Contains Metadata is yes for the one export that holds metadata, and
Status is the current status of the share. For possible status values, see Guidelines: Import Status below.
Windows Management Authorization Policies appears for namespaces that support CIFS and management by authorized Windows clients. The Microsoft Management Console (MMC) bundled with Windows is a typical interface for remote management. The windows-mgmt-auth (gbl-ns) command assigns a group of authorized clients to a namespace. If any Windows-management-authorization (WMA) groups are assigned to the namespace, they are listed in this table.
CIFS: is a list of supported CIFS options, if applicable. The following commands set these options: compressed-files, named-streams, persistent-acls, sparse-files, unicode-on-disk, cifs case-sensitive, and cifs file-system-name.
Volume freespace is the amount of free space advertised to this volume's clients. After the free-space amount is the calculation method for free space: automatic, or manual, or clients use dir-master-only.
Volume total space is the sum of total space on all shares behind the volume. This is the actual space. The volume's clients may see different space settings, as determined by the settings above.
CIFS quotas is Enabled if the volume supports path-based quotas on its back-end filers. This indicates that the volume shows free-space values based on these back-end quotas; each client sees his or her space quota, not the entire size of the volume. You can use the freespace cifs-quota command to enable or disable this feature.
Auto Sync Options: Rename-Files appears only if the volume is permitted to rename files when auto-synchronizing. That is, if auto-sync discovers a file whose name is the same as an already-imported file, this feature allows the volume to rename the newly-discovered file. As above, use the auto sync files command to enable or disable this feature.
Metadata size is the amount of metadata space allotted to this volume.
Metadata free space is the amount of free space left on this volume's metadata share. This does not appear if metadata is stored on the internal disks.
Filer Subshares: Enabled appears only if the filer-subshares flag is enabled. This applies only to managed volumes that support CIFS; it indicates that the volume can pass a client from a CIFS subshare at the front-end service through to the corresponding subshare at the back-end filer. This pass-through mechanism makes it possible to support share-level ACLs for the volume's subshares. The additional text, native-names-only, appears if the filer-subshares command was invoked with a flag of the same name.
Oplock support appears only for volumes that support CIFS. This shows whether or not this volume supports CIFS opportunistic locks (oplocks). This can be Enabled, Disabled, or Automatic, as set by the cifs oplocks-disable command.
Notify-change mode shows the degree of support for the CIFS change notification feature. This is Normal (tell clients only of changes in the top level of the directory requested, ignoring any request to track changes in its subtree), Use Subtree Flag (inform CIFS clients of all back-end file system changes that they request), or No changes sent (silently ignore all client requests for change notification). You can change this with cifs notify-change-mode.
CIFS path cache only appears for volumes that support CIFS. This is Enabled or Not Enabled, depending on the cifs path-cache setting. If enabled, NSM processors keep a cache of the volume's CIFS paths as they learn them. This prevents repetitive queries to the volume process on an ACM processor. Otherwise, NSM processors query the volume process for each CIFS-client request.
CIFS access based enum also appears only for volumes that support CIFS. This is Enabled or Not Enabled, possibly followed by some combination of Auto-Enable, Ignore Metadata Skew, and/or Full Autosync. This output depends on the cifs access-based-enum setting. If enabled, the volume changes its behavior for sending directory listings to its CIFS clients; if a back-end share omits some files or directories, the volume assumes that the omissions are caused by ABE, and makes no attempt at correction. Additionally, the volume only allows a share to import if the share has ABE enabled at its back-end filer; the volume rejects shares with ABE disabled, or automatically enables ABE if the Auto-enable flag is raised. If Not Enabled, the volume presumes that none of its filers have ABE enabled, and therefore may amend a directory listing with omissions.
Snapshots is either Enabled or Not Enabled, depending on whether or not the volume contains at least one snapshot rule.
Migration method: Direct is either Staged or Direct. This indicates the method for migrating files; either performing a network transfer to a staging area first, or performing the transfer directly to the final location. The direct method fails if the migration is interrupted by a snapshot. You can use the policy migrate-method command to change this setting.
State is usually Enabled or Disabled, as set by the enable (gbl-ns, gbl-ns-vol) command. This cycles through several stages during import. The namespace imports the files and directories from back-end storage when you create and enable the volume and its share(s). See Guidelines: Volume State, below, for an explanation of all possible volume states.
Host Switch is the ARX with the volume-group where this volume resides. This is typically the ARX peer where the volume was originally created. If you want to use show volume-group to show this volume's group, run the command on the ARX shown in this field.
Instance is an integer ID for the volume processes.
Volume Group is the volume group where this volume's processes run. Several volumes from the same namespace can run in a given volume group. The volume group is automatically assigned when the volume is enabled. You can optionally use the volume-group command to pre-set the volume group beforehand.
Processor shows the physical CPU where the volume group is currently running. A volume group can fail over between peers in a redundant pair. The processor appears in slot.processor format.
Files is the number of files in the volume, and the file credits that are remaining for the volume. This also shows the maximum possible number of file credits if auto reserve files is set. The auto-reserve feature adds file credits as the volume grows.
If the share has been designated as a replica-snap share, a replica of one of the other shares that is dedicated to snapshots, [replica-snap] appears next to the share name. Many of the detailed fields (below) do not appear for replica-snap shares because they are irrelevant to snapshots.
Filer is the filer that hosts the back-end share. This is set by the filer command. If [Acopia Namespace] appears after the filer name, the filer is a managed-volume in a direct volume; this shows the namespace name and the Volume Path field (below) shows the volume name.
Volume Path only appears for managed-volume shares in direct volumes. This is the name of the volume behind this direct share, as set by the managed-volume command.
NFS Export is the name of the NFS export at the back-end filer. This is also set by the filer command.
Features is a list of multi-protocol features supported at the back-end share:
CIFS Maximum Request Size is the maximum size (in bytes) for a CIFS request (other than a write request). This is a maximum found at the back-end filer. This information is for internal use only.
CIFS Access-based Enum is Exclude if someone issued cifs access-based-enum exclude for the share. Otherwise, this field does not appear in the output. The Exclude flag indicates that the filer behind the share cannot support access-based enumeration (ABE), so this share is excluded from the volume's ABE-consistency checking.
SID Translation only appears for a CIFS volume that translates Security IDs (SIDs) for all files migrated to or from this share. This indicates that the filer uses Local Group support, so the SID for each group name is unique at this filer. Use the sid-translation command to enable SID translation for a share.
Ignore SID errors only appears for a volume that supports CIFS. A Yes indicates that the back-end server is configured to return an error for a file or directory with an unknown SID, but accept the file/directory anyway. A No indicates that SID errors from the filer indicate a rejection of the file or directory. You can change this with the ignore-sid-errors command.
Status is the current status of the share. This cycles through several stages during import. The namespace imports the files and directories from back-end storage when you create and enable the share. See Guidelines: Share-Import Status, below.
Volume Root Backing appears if the share is designated to hold new files created in the root of the volume. This is the first share imported into the volume, which is typically the first share configured.
Migrate Retain Files: Yes only appears if the share is set to keep copies of all files migrated away from it. The copies are kept in a hidden directory at the root of the share. Use migrate retain-files to edit this setting.
Strict Attr Consistency: No only appears if you disable strict-attribute consistency. This is recommended for multi-protocol (CIFS and NFS) shares, which may have directories with different CIFS-side and NFS-side names. If the volume cannot find the CIFS-side name of a directory, it may not be able to find all of its CIFS attributes. The volume must either rename these directories (see below) or be allowed to operate without strict-attribute consistency; it cannot import the share otherwise. You can use no strict-attribute-consistency to set this.
Import Sync Attributes: Yes only appears if (during import) the volume is allowed to synchronize the attributes of colliding directories in this share. That is, if a directory in this share has the same name as an already-imported directory but different file attributes (such as read/write permissions), the volume can change the attributes. This is strongly recommended for shares in multi-protocol namespaces. Use import sync-attributes to change this.
Import Rename Files: No only appears if (during import) the volume is prevented from renaming collision files in this share. A file is said to collide if it has the same name and path as an already-imported file or directory. Use modify to allow the volume to change files at all during import, and use no import rename-files to disallow file-name changes in this particular share.
Import Skip Managed Check: Yes is another import option. This only appears if someone used import skip-managed-check on this share. It means that the volume will not run a time-consuming test on any of the share's directories during import. The test confirms that the directory is not already managed by another ARX volume.
Import Rename Directories: No only appears if (during import) the volume is prevented from renaming collision directories in this share. Use modify to allow the volume to change directories at all during import, and use no import rename-directories to disallow directory-name changes in this particular share.
Import Rename Non Mappable Directories: Yes only appears if the volume is allowed to rename a multi-protocol directory with a CIFS-side name that is unmappable to the NFS character-encoding. Filers create unintelligible NFS-side names for these files; this indicates that the volume is allowed to rename these directories during import. Use import rename-directories unmapped-unicode to set this.
Import Priority shows the priority for this share over other shares in the same volume. If two shares have a conflicting file or directory and their import priorities are different, the share with the higher priority wins the conflict. The file or directory on the winning share is the master, and the other file or directory may have to change according to one of the import settings above. You can use the import priority command to change the import priority for any given share.
Free space on storage is the remaining space on the share. The expression, (excluded from volume), appears after the number if someone used the freespace ignore command in this share; it means that this share's free space is not being counted toward the volume's free space.
Freespace adjustment only appears if someone used freespace adjust to change the advertised free space for this share. This is the adjustment to the free space advertised for this back-end share. For example, if this is 1024 bytes, the volume adds 1024 bytes to the share's current free space.
Total space on storage is the sum of the share's free space (above) and used space.
Apparent size of storage is the size of the share that is advertised to clients. You can change this with the freespace apparent-size command; this field only appears if that command is set.
Policy Maintain Freespace is the amount of free space to maintain on the share. The policy engine does not migrate files to this share if it drops below this amount of free space. You can change this with the policy freespace (gbl-ns, gbl-ns-vol) command.
Policy Resume Freespace is another free-space threshold for this share. If the share drops below the free-space to maintain (above), the share is ineligible for any more migrations until it rises back up to this resume value. You can change this threshold with the same policy freespace (gbl-ns, gbl-ns-vol) command that you use for the maintain threshold.
Free files on storage (NFS shares only) is the maximum number of files that can be added to the back-end export. All file systems impose a limit on the maximum number of files on a share.
Virtual inodes (NFS direct shares only) is the total number of inodes (files) that can be supported at the direct share.
Transitions shows the number of times that the share has changed from offline to online, or from online to offline.
Last Transition is the date of the last transition.
Last Probe Status only appears if the most-recent probe of the share resulted in a failure. The volume probes the share at regular intervals to confirm its health; if this field appears, the share failed the latest probe and the failure status appears here. This often indicates a problem with the back-end filer or filer connection; contact F5 Support if you see this field and require any guidance.
In the Volume's State field, any of the following messages may appear:
In the Share's Status field, the following messages show the progress of a successful import:
An Error at the beginning of the message indicates the import failed. There are a large number of specific import errors, to help with diagnosis and recovery. See Table 21.1 on page 21-49 for a full list of possible errors and suggestions for troubleshooting each error.
bstnA# show namespace
bstnA# show namespace medarcv
bstnA# show namespace wwmed
prtlndA# show namespace nemed volume /acctShdw
shows one volume with manual free-space calculations. See Figure 21.4 on page 21-45 for sample output.
bstnA# show namespace insur volume /claims
shows one volume in a multi-protocol (NFS and CIFS) namespace. See Figure 21.5 on page 21-46 for sample output.
bstnA# show namespace medco volume /vol share generic
Use the show namespace mapping command to view the back-end shares behind a namespace.
show namespace mapping namespace
show namespace mapping namespace volume vol-path
namespace (1-30 characters) focuses on one namespace. Without this, the command displays the shares behind all namespaces.
vol-path (1-1024 characters) focuses on one volume.
The output is a two-column table with the namespace and volume in the left column and the physical filer shares in the right column. For direct volumes, this shows one line per attach point. The word, [replica-snap], appears next to any replica-snap shares.
bstnA# show namespace mapping
bstnA# show namespace mapping wwmed volume /acct
Use the show namespace status command to view the import status of a namespace.
show namespace status namespace
show namespace status namespace volume vol-path
show namespace status namespace volume vol-path share share-name
namespace (1-30 characters) identifies a namespace.
vol-path (1-1024 characters) focuses on one volume.
share-name (1-64 characters) narrows the focus to a single share.
all displays status for all namespaces.
A managed-volume share imports files from its back-end filer when it is enabled and its parent volume is also enabled. A direct-volume share does not import; it only connects to its attach points (see attach). Use enable (gbl-ns-vol-shr) to enable a share, and use enable (gbl-ns, gbl-ns-vol) to enable a volume.
This shows one table for each namespace and a sub-table for each volume. The top row of each volume table contains the name of the volume and its status. The Status is one of these values:
Shares are grouped under their volumes. For each share, this shows the Share name (or metadata-share for a metadata-only share), the name of the external Filer, the NFS Export or CIFS Share behind this namespace share, and the Status of the share. An [rs] appears before a replica-snap share, which holds snapshots of a standard share in the same volume.
In the Status column, the following messages show the progress of a successful import:
bstnA# show namespace status all
shows volume shares and filer import status for all configured namespaces. For sample output, see Figure 21.9 on page 21-71.
bstnA# show namespace status wwmed
shows volume shares and filer import status for the wwmed namespace. See Figure 21.10 on page 21-73.
bstnA# show namespace status wwmed volume /acct
If a CIFS service has MMC browsing enabled, only authorized Windows clients can manage the service. You can use the windows-mgmt-auth command to create a Windows-management-authorization (WMA) group, a list of Windows clients with MMC permissions, and then you can use this command to apply one or more such groups to the current namespace.
You can also use this command to select privileged CIFS clients who can access snapshots. (This command has no effect on snapshot access by NFS clients.)
Use no windows-mgmt-auth to remove a WMA group from the current namespace.
no windows-mgmt-auth name
name (1-64 characters) identifies the WMA group.
Each WMA group has special MMC access to the namespace. The Windows clients in the group share the same MMC permissions. All cifs services backed by this namespace (if they have browsing enabled) use the WMA group(s) that you identify with this command.
You can also use WMA groups to manage CIFS-client access to snapshots. Use the permit snapshot monitor (see permit (gbl-mgmt-auth)) command to allow group members to view snapshots, and use the snapshot privileged-access command in any volume where the group(s) should access snapshots.
Use this command multiple times to associate multiple WMA groups with the namespace. The show windows-mgmt-auth command shows all available groups and their configurations.
If a single front-end cifs service has exports from more than one namespace, this set of WMA groups must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
bstnA(gbl-ns[medarcv])# windows-mgmt-auth testers
bstnA(gbl-ns[medarcv])# windows-mgmt-auth fullAccess
bstnA(gbl-ns[medarcv])# windows-mgmt-auth readOnly
associates three WMA groups with the medarcv namespace. A Windows client in one of these groups has the MMC permissions defined in the group. No other Windows client has MMC access to the namespace.
bstnA(gbl-ns[medarcv])# no windows-mgmt-auth testers
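The guidelines above require every namespace behind one front-end CIFS service to carry the same set of WMA groups. The following Python code is an added example (not F5 code and not part of the original reference): it replays windows-mgmt-auth and no windows-mgmt-auth commands in the prompt format shown above, then reports which groups each namespace is missing relative to its peers. The insur transcript line, the CIFS_SERVICES mapping, and the service name ac1.example.com are constructed assumptions.

```python
import re
from collections import defaultdict

# Prompt format as shown on this page: host(gbl-ns[namespace])# command
CMD = re.compile(
    r"^\S+\(gbl-ns\[(?P<ns>[^\]]+)\]\)#\s+"
    r"(?P<no>no\s+)?windows-mgmt-auth\s+(?P<group>\S+)$"
)

# Constructed transcript; the insur line is an assumption, not from the page.
TRANSCRIPT = """\
bstnA(gbl-ns[medarcv])# windows-mgmt-auth testers
bstnA(gbl-ns[medarcv])# windows-mgmt-auth fullAccess
bstnA(gbl-ns[medarcv])# windows-mgmt-auth readOnly
bstnA(gbl-ns[medarcv])# no windows-mgmt-auth testers
bstnA(gbl-ns[insur])# windows-mgmt-auth fullAccess
"""

# Hypothetical inventory: namespaces exported by each front-end CIFS service.
CIFS_SERVICES = {"ac1.example.com": ["medarcv", "insur"]}


def wma_groups(transcript):
    """Replay the commands and return {namespace: set of WMA group names}."""
    groups = defaultdict(set)
    for line in transcript.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue  # ignore unrelated commands
        if not 1 <= len(m["group"]) <= 64:  # name length limit from the syntax
            raise ValueError(f"invalid WMA group name: {m['group']!r}")
        if m["no"]:
            groups[m["ns"]].discard(m["group"])
        else:
            groups[m["ns"]].add(m["group"])
    return dict(groups)


def inconsistent_services(groups, services):
    """Return {service: {namespace: groups it lacks relative to its peers}}."""
    findings = {}
    for svc, namespaces in services.items():
        union = set().union(*(groups.get(ns, set()) for ns in namespaces))
        gaps = {ns: sorted(union - groups.get(ns, set())) for ns in namespaces}
        gaps = {ns: missing for ns, missing in gaps.items() if missing}
        if gaps:
            findings[svc] = gaps
    return findings
```

An empty result from inconsistent_services means every namespace behind each service has an identical WMA group set; any entry names the namespace and the groups that would need to be added or removed to restore consistency.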