Manual Chapter :
External Filer
Applies To:
Show VersionsARX
- 6.3.0
An external filer is either a Network-Attached Storage (NAS) device or a file server.
For filers that do not use a well-known port for CIFS, use the cifs-port command to set the CIFS port. Use the no form of this command to use well-known CIFS ports. | |
cifs-port port port is the TCP port number (1-65535). | |
TCP 445, falling back to 139. See the Guidelines below. | |
bstnA(gbl-filer[fs2])# cifs-port 1111 | |
Use the optional description command to set a descriptive string for the current external filer. This appears in the show command. Use the no form of the command to delete the description. | |
description text text (1-255 characters) is your description. Surround the text with quotation marks () if it contains any spaces. | |
bstnA(gbl-filer[das1])# description shares with financial data (LINUX filer, rack 14) | |
Use the external-filer command to begin external-filer configuration. This is a logical representation of an external file server or NAS filer connected to the ARX. Use the no form of this command to remove the external-filer configuration. | |||
external-filer name no external-filer name name is a name that you choose for the external filer. Use up to 64 characters. You cannot use all; this is a reserved keyword. | |||
This command puts you into gbl-filer mode. From that mode, you must use ip address to identify the external filer. If the filer is a Windows cluster, you must also use spn to provide the Service-Principal Name (SPN) for the cluster. You can also use the description (gbl-filer) command to describe the filer.
An external filers default CIFS port is 445, or 139 for filers that do not support CIFS over raw TCP; use cifs-port to change this, if necessary. Use show external-filer to show the filer configuration. The show statistics namespace ... fastpath command shows read/write statistics for each of the filers shares. For statistics on NFS and/or CIFS traffic between the switch and this filer, use show statistics filer. You can use show filer connections to see all current connections from the switch to the filer. | |||
If the filer supports snapshots (point-in-time copies), you can use several commands to prepare it for use in an ARX snapshot. The filer-type command identifies the filers vendor. The proxy-user (gbl-filer) command associates a proxy user with this filer, so that the ARX can uses its credentials to access the filers CLI or API. (An ARX volume coordinates its snapshots by logging into its filers and issuing snapshot commands.) You can also use the ip address ... management command to specify a management IP for accessing the CLI (by default, the ARX volume uses the primary-IP address). The manage snapshots command declares that the filer can support snapshots or checkpoints. | |||
You can change the primary by re-running the ip address command with a new address, before the filer is used in any volume. After any of the filers shares are used in any volume, you can only change the address with ip address ... change-to, followed by a failover or reboot (reload). | |||
bstnA(gbl)# external-filer das1 bstnA(gbl)# no external-filer das1 | |||
You can use the ip address ... change-to command to prepare for changing one or more IP addresses for your external-filers, then use this command to reboot the ARX and activate all the address changes. If the ARX has a redundant peer, this command reboots both peers. | |
After the reboot(s) finish, all IP-address changes made by the ip address ... change-to command go into effect. The ip address ... change-to command has no effect on client/server traffic until you invoke this command. If there are no IP-address changes pending, the command prompts you that there is nothing to do. No reboot occurs in this case. As mentioned above, you can use the ip address ... change-to command to prepare for changing a filers IP address. The ip address ... change-to command is only necessary after one of the filers shares or exports is used in an ARX volume. If none of the filers shares are in active use, you can re-run the ip address command to change the address, and the ext-filer-ip-addrs activate command is unnecessary. | |
bstnA# ext-filer-ip-addrs activate activates all IP-address changes made by the ip address ... change-to command and reboots the ARX. This would also reboot the redundant peer if one was configured. | |
An ARX volume can coordinate snapshots (point-in-time copies) of all of its back-end shares. To support these coordinated snapshots, the ARX volume logs into each filers CLI and runs snapshot or checkpoint commands. Use the filer-type command for a filer that supports snapshots, to identify the filer vendor. An ARX volume can use this information to determine the proper CLI-command set to invoke snapshots or checkpoints. Use the no form of this command to designate no filer type. This makes it impossible for an ARX volume to use the filer for coordinated snapshots. | |
filer-type windows [cluster] [port winrm-port] network-appliance declares that NetApp is the vendor for this filer. management-protocol {ssh | rsh} (optional) chooses the shell protocol for accessing the filers CLI. The default is SSH. For NetApp filers that do not allow SSH access, you can use management-protocol rsh. emc indicates that this is an EMC Celerra server. nas-db-path path (optional, 1-64 characters) defines a unique NAS-database path for an EMC Celerra server. Specifically, this is the value of the NAS_DB environment variable on the server. The default for this path is /nas; contact EMC Support for the proper setting on your EMC server. data-domain means that the filer is an EMC Data Domain system. The CLI uses SSH to access the Data Domain CLI. bluearc indicates that the filer is Hitachi HNAS, powered by BlueArc. The CLI uses SSH to access the BlueArc CLI. windows means that the filer is a Windows server that supports snapshots and management through WinRM (see Guidelines, below). cluster (optional) asserts that this is in a Windows server 2008 (or later) cluster. If the Windows cluster has NetBIOS disabled, there is no way for the ARX software to automatically determine that it is a cluster, and this information is necessary to support snapshots. You can use this option to overcome this issue and directly inform the ARX. port winrm-port (optional, 1-65535) specifies the port where the servers WinRM listener is waiting for instructions. | |
cluster - by default, this flag is down and the ARX attempts to automatically discover if the filer is in a cluster | |
This command identifies the vendor of the current filer. You must use this command to prepare the filer for coordinated-snapshot support with a snapshot rule. Additionally, you must create a proxy-user with credentials for logging into the filers management interface, and you must use the proxy-user (gbl-filer) command to associate that proxy user with this filer. You can also use the ip address ... management command to specify a management IP for accessing the CLI (by default, the ARX volume uses the primary-IP address). The manage snapshots command declares that the filer is eligible for ARX snapshots. | |
Each NetApp volume to be used for ARX snapshots must have the nosnapdir option turned off. From the NetApp CLI, you can use the vol options command to turn this option off. For example: vol options vol2 nosnapdir off. If you use management-protocol ssh (the default), please verify that the idle timeout value, ssh.idle.timeout, is set properly. The ARX cannot create snapshots on the NetApp if this option is set to 0 (zero). From the NetApp CLI, use options ssh to check the current timeout setting, and use options ssh.idle.timeout 600 to set the idle timeout to 600 seconds (the default for most releases). | |
A Windows filer must have Windows Remote Management (WinRM) installed and configured for the ARX to manage its snapshots. The minimum configuration is a WinRM listener that allows HTTP negotiations (encrypted or unencrypted), and allows up to 5 minutes before timing out a snapshot operation. Use the port option if the listener is waiting at any IP port other than 80. The ARX volume communicates with the WinRM listener to create, list, and remove snapshots from the Windows Server. The ARX uses Kerberos authentication over HTTP; use active-directory update seed-domain to prepare for Kerberos authentication. You can use the following command at the Windows filers DOS prompt to create a 5-minute timeout for snapshots: winrm set winrm/config @{MaxTimeoutms=300000}. | |
bstnA(gbl-filer[nas10])# filer-type network-appliance bstnA(gbl-filer[nas2])# filer-type network-appliance management-protocol rsh bstnA(gbl-filer[fs2])# filer-type windows bstnA(gbl-filer[nasE4])# filer-type emc nas-db-path /nas/rdf/500 bstnA(gbl-filer[das1])# no filer-type | |
Some directories are only related to a filers local operation, such as local snapshot and checkpoint directories, and should not be presented to the client. Use the ignore-name command to identify each virtual directory to be ignored by the ARX. The ARX also ignores all files with the same name. Use the no form of this command to remove a directory from the ignore list. | |
ignore-name directory no ignore-name directory directory (1-256 characters) identifies the directory to be ignored (for example, .snapshot). Do not use any slashes (/) in the directory name; mydir is valid, but mydir/subdir is not. You can use a * at the end of the directory name as a wildcard, as long as the directory name starts with a . and contains at least three characters. These wildcards only apply to the root of the share: .ignore* ignores /.ignore2, but does not ignore /docs/.ignore7. | |
The filer command includes directories into a namespace volume. This command omits any subdirectories that should not be included. You can ignore up to eight directories per external filer. The CLI prompts for confirmation if you use a wildcard. Enter yes to continue. The show external-filer command shows all ignored directories. | |
bstnA(gbl-filer[nas10])# ignore-name ~snapshot bstnA(gbl-filer[nasE1])# ignore-name .ckpt* bstnA(gbl-filer[das1])# no ignore-name .bin | |
Use the ip address command to identify the filer or file server associated with the current external-filer configuration object. Use the no form of the command to remove an IP address from the current external-filer configuration. | |
no ip address address [secondary | management] address identifies the external filer (for example, 192.168.70.65). This address must be on a server/proxy-IP subnet (see ip proxy-address) or reachable through a gateway on that subnet (via static route: see ip route to create a static route). secondary (optional) flags a physical-IP addresses in a multi-homed filer. Some filers are configured redundantly, accepting all packets at a shared virtual-IP address and responding to some UDP packets from their physical-IP addresses. For these filers, enter the virtual-IP address without any flag, then add up to four physical addresses with the secondary flag. Note that CIFS is a TCP-only protocol, so this option is unnecessary if you only use the filer for CIFS. management (optional) is for an out-of-band (OOB) or external management address. The ARX uses this address to access the filers CLI. A volume with a snapshot rule accesses the CLI to issue snapshot or checkpoint commands at the filer. If you do not specify any IP address with this flag, it uses the primary-IP address. | |
This command is required for configuring a NAS device or file server as an external filer. To verify that the address is valid in the current configuration, use the show exports command before you use this one. You can repeat this command up to four times with the secondary flag, to identify secondary addresses for the filer. The management flag indicates an interface for accessing the filers CLI; this is unnecessary if the CLI is accessible through the primary interface. To change the primary IP address of a filer whose storage is in use, you can use the ip address ... change-to command followed by the reload command. If the filer does not have any exports or shares used by any volume, you can change the IP address by re-running this command with the new address. | |
bstnA(gbl-filer[das1])# ip address 192.168.25.19 bstnA(gbl-filer[nas3])# ip address 192.168.25.133 bstnA(gbl-filer[nas3])# ip address 192.168.25.134 secondary bstnA(gbl-filer[nas3])# ip address 192.168.25.135 secondary bstnA(gbl-filer[nasE1])# ip address 192.168.25.51 bstnA(gbl-filer[nasE1])# ip address 192.168.25.52 management | |
Use the ip address ... change-to command to prepare for changing the current external-filers IP address. The new IP address becomes the primary IP address for the filer the next time someone uses the ext-filer-ip-addrs activate command. Use the no form of the command to remove the new IP address from the current external-filer configuration. Use this if you want the external filers IP address to remain the same in case someone invokes ext-filer-ip-addrs activate. | |||||
address identifies an existing external filer. You can use show external-filer for a full list of external filers and their IP addresses. new-address is the address to assign to this filer the next time someone invokes ext-filer-ip-addrs activate. You cannot use an existing secondary address (set with the ip address command) or any other IP address that is already in use on the ARX. | |||||
The CLI prompts for confirmation before reserving a new IP address for the external-filer; enter yes to proceed. This command has no effect on client/server traffic until someone uses ext-filer-ip-addrs activate to activate the change. After you run this command, you can change the IP address of the filer itself, and then use the ext-filer-ip-addrs activate command to reboot the ARX or ARX pair. You only need to activate once for multiple IP-address changes. This command is only necessary after one of the filers shares or exports is used in an ARX volume. If none of the filers shares are in active use, you can re-run the ip address command to immediately change the address. | |||||
The ip address ... change-to command has no effect on the following IP-address settings:
The ext-filer-ip-addrs activate command is not necessary for these commands to take effect. | |||||
bstnA(gbl-filer[nas3])# ip address 192.168.25.133 change-to 192.168.25.198 assigns a new IP address to the external-filer named nas3. The new address, 192.168.25.198, takes affect the next time someone runs ext-filer-ip-addrs activate. bstnA(gbl-filer[nas3])# no ip address 192.168.25.133 change-to 192.168.25.198 | |||||
An ARX volume can coordinate snapshots (point-in-time copies) of all of its back-end shares. A limited number of filers and filer-OS releases support snapshots. Use the manage snapshots command to indicate that the current filer supports coordinated snapshots. Use the no form of this command to indicate that the current filer does not support snapshots. | |
This command declares that the filer can support snapshots. This is the final command to prepare the filer for coordinated-snapshot support with a snapshot rule. Before you enter this command, use the filer-type command to enter some vendor-specific information about the filer. Additionally, you must create a proxy-user with the credentials for accessing into the filers CLI or API, and you must use the proxy-user (gbl-filer) command to associate that proxy user with this filer. For some filers, you can use the ip address ... management command to specify a management IP for accessing the CLI (by default, the ARX volume uses the primary-IP address). You can use the no manage snapshots command to suspend snapshot support on an entire filer. While this is disabled, no snapshot rule can take a snapshot on the filer. In a volume where other back-end filers support snapshots, this creates a sparse snapshot from which some of the volumes shares are excluded. You may want to create one or more place-rules to ensure that the snapshot-capable filers contain all the files that require backups. Run the affirmative form of the command, manage snapshots, to reinstate ARX snapshots on the filer. | |
bstnA(gbl-filer[nas10])# manage snapshots bstnA(gbl-filer[das1])# no manage snapshots | |
The ARX may use Kerberos, NTLM, or NTLMv2 to authenticate with the CIFS filers behind it. Use the probe authentication command to test any of these authentication methods against any desired CIFS filer. This is useful for testing authentication methods in your network, qualifying an external filer or DC for inclusion in the ARX configuration, or for troubleshooting filers and DCs that are already used in the configuration. | |
probe authentication {kerberos | ntlm | ntlmv2} host ip-address [spn spn] [user user-name windows-domain domain | proxy-user proxy] kerberos | ntlm | ntlmv2 chooses the authentication protocol to test. ip-address identifies the filer or Domain Controller (DC). spn (optional, 1-256 characters) identifies the filer by its Service-Principal Name (SPN). Use this option for a Windows cluster; use the SPN that is shared between the cluster nodes, if there is one. If there is a $ at the end of the SPN name, omit it in this command. user user-name windows-domain domain | proxy-user proxy are credentials to test. The ARX uses this identity to authenticate with the filer(s). user user-name (1-64 characters) and windows-domain domain (1-1024 characters) comprise a valid Windows user and domain name. If you are probing Kerberos authentication, use an FQDN for the domain name. The CLI prompts for the users password after you enter the command. proxy-user proxy (1-32 characters) is an already-configured proxy-user with permissions to access the filer(s). Use show proxy-user for a list of proxy users. For a Kerberos probe, the windows-domain (gbl-proxy-user) for the proxy user must be an FQDN. | |
external-filer ext-filer-name (1-64 characters) identifies an external filer that has already been configured on the ARX. For a list of configured external filers, use show external-filer. | |
IP address is the address used to connect to the filer. SPN is the Service-Principal Name used in the CIFS connection. User is the Windows username used for authentication. Protocol is the authentication protocol, chosen in the command. Status is STATUS_SUCCESS if the authentication succeeded, or an error otherwise. You can use this command to test authentication methods in your Windows network. The show exports and probe exports commands are tests to qualify share(s) for inclusion in a namespace. You can also use this command to test a configured filer that seems to be malfunctioning. The show namespace command has error messages that sometimes suggest failures at the filer; this command can help to isolate the failure(s). | |
bstnA# probe authentication ntlmv2 host 192.168.25.20 proxy-user acoProxy2 bstnA# probe authentication kerberos external-filer fs1 proxy-user acoProxy2 | |
The ARX independently migrates files from one back-end filer to another, and requires credentials with adequate permissions to do so. Use the probe exports command to test your Windows credentials (or test Unix root credentials) against a filer. The test attempts to write and delete a file at each of the filers shares. This is useful for qualifying the shares for inclusion in an external filer, or for troubleshooting filer shares that are already used in a namespace. | |
probe exports host {ip-address | hostname} [spn spn] [share share-name] [user user-name windows-domain domain-name | proxy-user proxy] ip-address | hostname (1-1024 characters) identifies the filer. To use a hostname, the switch must be configured to perform DNS lookups; refer to the ip name-server documentation for instructions. spn (optional, 1-256 characters) identifies the filer by its Service-Principal Name (SPN). Use this option for a Windows cluster; use the SPN that is shared between the cluster nodes, if there is one. If there is a $ at the end of the SPN name, omit it in this command. user user-name windows-domain domain-name | proxy-user proxy are Windows credentials to test. If you omit these options, the command uses root as its identity and probes for Unix/NFS permissions. The ARX uses this identity to authenticate with the filer(s), for permission to probe the shares. user user-name (1-32 characters) and windows-domain domain-name (1-1024 characters) comprise a valid Windows user and domain name. The CLI prompts for the users password after you enter the command. proxy-user proxy (1-32 characters) is an already-configured proxy-user with permissions to access the filer(s). Use show proxy-user for a list of proxy users. | |
probe exports external-filer ext-filer-name [share share-name] [user user-name windows-domain domain-name | proxy-user proxy] external-filer ext-filer-name (1-64 characters) identifies an external filer that has already been configured on the ARX. You can use all to probe all configured filers. For a list of configured external filers, use show external-filer. | |
The output lists all CIFS shares or NFS exports, depending on whether or not you used Windows credentials (user-name or proxy), and examines the access privileges at each of them. For CIFS shares, it performs a write test using the credentials of the user-name or proxy user. It also verifies that the user or proxy user has adequate permissions at the filer, equivalent to those of a Backup Operator. The results of these two tests, labeled Write and Privs, must be OK for the user or proxy user. For NFS shares, it performs a mount test as the Unix root user; the mount must succeed for NFS shares. You can use this command to qualify a filers shares before including them in a namespace. The show exports command runs some less-intrusive tests to qualify the share(s). For a share that passes all tests, you can use filer, a gbl-ns-vol-shr command, to include the share in a namespace. You can also use this command to test a configured filer that seems to be malfunctioning. The show namespace command has error messages that sometimes suggest failures at the filer; this command can help to isolate the failure(s). | |
bstnA# probe exports host 192.168.25.20 share histories user jqpublic windows-domain MEDARCH.ORG Password: jqpasswd runs a security test on one CIFS shares at 192.168.25.20. See Figure 20.1 on page 20-23 for sample output. bstnA# probe exports external-filer nas1 share insurance proxy-user acoProxy2 runs the same test on a host that has been defined as an external filer, nas1. This uses the credentials defined for a proxy-user, acoProxy2. For sample output, see Figure 20.2 on page 20-24. prtlndA# probe exports external-filer das-p2 runs an NFS-security test on another filer, das-p2. This uses root as its identity. For sample output, see Figure 20.3 on page 20-24. | |
bstnA# probe exports host 192.168.25.20 share histories user jqpublic windows-domain MEDARCH.ORG
Password: jqpasswd
bstnA# probe exports external-filer nas1 share insurance proxy-user acoProxy2
prtlndA# probe exports external-filer das-p2
Use this command to assign SSH, RSH, or WinRM credentials (username and password) for the current filer. The ARX uses these credentials to log into the filers management CLI/API and run snapshot or checkpoint commands. The ARX can also use these credentials to find physical paths (as opposed to virtual, shared paths) for storage in a file-history archive. Use the no form of the command to remove the proxy-user configuration from this filer. This prevents any ARX volume from using this filer for snapshots, or for finding physical paths on this filer for its file-tracking records. | |
proxy-user name name (1-32 characters) is the proxy user to use for accessing the filers CLI. | |
From gbl mode, use the proxy-user command to add a proxy-user configuration to the ARX. Use the show proxy-user command to view all configured proxy-users and their associated usernames. | |
Note: This has no relationship to the proxy-user (gbl-ns) command, which a namespace uses for policy-driven migrations. This command supports CLI logins, and the gbl-ns command supports policy migrations. You must assign both types of proxy users to support both features. | |
You must use this command to prepare the filer for coordinated-snapshot support with a snapshot rule. Additionally, you must use filer-type to identify the vendor of the current filer and manage snapshots to confirm that the filer supports snapshots. You can also use the ip address ... management command to specify a management IP for accessing the CLI (by default, the ARX volume uses the primary-IP address). | |
You should also use this command for a managed volume that is tracking its files. This type of managed volume has a snapshot rule with special contents: the volumes configuration and possibly its metadata. The rule stores these regularly on an external archive. With these options in place, you can query the archive for the volumes file paths at different times. Use the show virtual path-history and show file-history virtual-service commands for these queries. These queries can tell you a files location yesterday, when you may have performed an incremental backup on your filers, and today, when the managed volume may have migrated the file to a new filer according to your administrative policies. To find the physical paths for display in the above queries, the snapshot rule accesses the volumes backing-filer through its CLI or API. Every filer behind the managed volume needs this assignment, or the physical paths may be blank in those queries. The volume does not have to manage snapshots, but it does need the filer-type. | |
bstnA(gbl-filer[nas10])# proxy-user nas_admin bstnA(gbl-filer[das2])# no proxy-user | |
ip address ... management |
Use the show exports command to examine back-end filers that may or may not be configured as external filers. This command is useful for qualifying a filers shares for inclusion in an external filer, or for troubleshooting filers that are already used in a namespace. | |||||||||||||||||
show exports host {ip-address | hostname} [spn spn] [share share-name] [connectivity|capabilities|shares|time|attributes|paths] [user user-name windows-domain domain-name | proxy-user proxy] ip-address | hostname identifies the filer. (To use a hostname, the switch must be configured to perform DNS lookups. Refer to the ip name-server documentation for instructions.) spn (optional, 1-256 characters) identifies the filer by its Service-Principal Name (SPN). Use this option for a Windows cluster; use the SPN that is shared between the cluster nodes, if there is one. If there is a $ at the end of the SPN name, omit it in this command. connectivity | ... | paths selects a particular topic for examination; if you omit this, several of these topics are examined. Each topic generates a different table with its results. See the Guidelines, below, for details about each table. user user-name windows-domain domain-name | proxy-user proxy is a required choice for either of the following tests on a CIFS filer: shares or attributes. If you omit both of these options, the command only probes for NFS services and attributes. The ARX uses this identity to authenticate with the CIFS filer(s), for permission to examine the shares. user user-name (1-32 characters) and windows-domain domain-name (1-1024 characters) is a valid Windows user and domain name. The CLI prompts for the users password after you enter the command. The domain name must be an FQDN (that is, thisdomain.thatdomain.com as opposed to thisdomain) to test Kerberos authentication. proxy-user proxy (1-32 characters) is an already-configured proxy-user with permissions to access the filer(s). Use show proxy-user for a list of proxy users. As above, the proxy users domain must be fully-qualified for the command to use Kerberos authentication. | |||||||||||||||||
show exports external-filer ext-filer-name [share share-name] [connectivity | capabilities | shares | time | attributes | paths] [user user-name windows-domain domain-name | proxy-user proxy] external-filer ext-filer-name identifies an external filer that has already been configured on the ARX. You can use all to show all configured filers. For a list of configured external filers, use show external-filer. | |||||||||||||||||
This command shows several tables that indicate whether or not a filers shares can be used in a namespace. Use this together with probe exports, which runs a write test to verify that your Windows credentials are adequate for CIFS shares. To test various CIFS-authentication methods against a filer, such as Kerberos, use the probe authentication command. You can use this command to qualify a filers shares before including them in a namespace volume. For a share that passes all tests, you can use filer, a gbl-ns-vol-shr command, to include the share in a volume. You can also use this command to test a configured filer that seems to be malfunctioning. The show namespace command has error messages that sometimes suggest failures at the filer; this command can isolate the failure(s). If you use any Windows credentials (user/windows-domain or proxy-user), the command ignores NFS shares, capabilities, and time. If you omit Windows credentials, the command focuses exclusively on NFS. | |||||||||||||||||
Connectivity indicates whether or not the ARX can ping the filer IP from each of its proxy-IP addresses. The ARX sends multiple pings from each proxy-IP, each with a different-sized packet, to ensure that the MTU size is consistent between the proxy IP and the filer. All pings must succeed from all proxy IPs for the filer to be usable. For the pings to succeed, the filer must reside on the same subnet as the proxy IPs, or be reachable through a static route (where the next-hop router is on the proxy-IP subnet). Use ip proxy-address to establish the proxy-IP subnet. Use ip route to add a static route. Additionally, all switches and network equipment between the ARX and filer must have consistent MTU settings; use jumbo mtu to set the MTU at an ARX VLAN. CIFS Credentials are the credentials presented to the back-end filer for authentication. This is a table with three fields: User name, Windows Domain, and Pre-Win2k domain. Use the user and windows-domain options to set these, or the proxy-user option. The Pre-Win2k domain is only used for NTLM authentication: if you previously ran active-directory update seed-domain, this was automatically discovered; if not, and you specified a user in the command, this is the first part of the Domains FQDN; if you specified a proxy-user, someone can explicitly set this with an option in the windows-domain (gbl-proxy-user) command. If the credentials were omitted from the command, anonymous appears in the User field. Capabilities shows the NFS or CIFS services available at the filer: NFS lists the three services required for NFS, one per row. Each service shows the protocol and version used for transport (TCP vs. UDP), along with the port number where the service is listening. CIFS also shows some server-level security settings, whether or not the ARX can connect to the IPC$ share on the filer, and the authentication method (NTLM, NTLMv2, or Kerberos) used for the user or proxy-user in the command. For Kerberos authentications, the Windows domain for the user or proxy user must be an FQDN. | |||||||||||||||||
Shares lists all the NFS or CIFS shares, each in its own table: NFS shows the results of two tests on each share, one share per row.
CIFS displays the disk space on the share and the serial number for the shares storage volume. Any two shares with the same serial number draw from the same storage pool, so their disk-space numbers match. Time shows the current time at the filer. The skew field at the end of the output shows the skew between the filers clock and that of the ARX. The time settings must be nearly synchronized (preferably through NTP; see ntp server) for time-based policies to function. Attributes shows each CIFS share and its CIFS attributes. If all of the shares behind an ARX volume support one of these attributes, the volume can support it, too. You can set each CIFS attribute for a volume with cifs access-based-enum, compressed-files, named-streams, persistent-acls, sparse-files, or unicode-on-disk, respectively. The attribute settings are either X, -, or ?.
Paths is another option for CIFS shares; this shows the physical disk and path at the root of each CIFS share. Each row contains a CIFS-share name and a path. This is useful for finding and verifying share-to-subshare relationships; see the documentation for filer-subshares. This command requires Administrator-level access to read the directory path for each share; this is an increase from the usual requirements for a user or proxy-user. You can therefore use the paths option to verify that the user or proxy-user belongs to the Administrator group on the target filer. | |||||||||||||||||
bstnA> show exports host 192.168.25.21 user jqpublic windows-domain MEDARCH.ORG Password: jqpasswd shows export information for all CIFS shares on 192.168.25.21. See Figure 20.4 on page 20-31 for sample output. bstnA> show exports host 192.168.25.19 connectivity shows only the Connectivity table for another filer. See Figure 20.5 on page 20-32 for sample output. bstnA> show exports external-filer fs1 capabilities proxy-user acoProxy2 bstnA> show exports host 192.168.25.19 time shows the filers time. See Figure 20.7 on page 20-33 for sample output. | |||||||||||||||||
bstnA> show exports host 192.168.25.29 paths proxy-user acoProxy2 shows the physical paths for every CIFS share at 192.168.25.29. See Figure 20.8 on page 20-33 for sample output, which shows a share and three subshares on the back-end filer. | |||||||||||||||||
bstnA> show exports host 192.168.25.21 user jqpublic windows-domain MEDARCH.ORG
Password: jqpasswd
bstnA> show exports host 192.168.25.19 connectivity
bstnA> show exports external-filer fs1 capabilities proxy-user acoProxy2
Figure 20.7 Sample Output: show exports host ... time
bstnA> show exports host 192.168.25.19 time
bstnA> show exports host 192.168.25.29 paths proxy-user acoProxy2
Use the show external-filer command to display summary or detailed information about the external filers connected to the ARX. | |||||||||||
show external-filer filer-name filer-name (optional; 1-64 characters) identifies a specific filer. This shows a detailed report for the filer. all (optional) shows detailed reports for all external filers. | |||||||||||
Name is set with the external-filer command. IP Address shows the filers address. You can reset this with ip address. Description is the string set with the description (gbl-filer) command. The flag (nth secondary) appears here for filers with multiple IP addresses; this marks one of the filers secondary addresses (see ip address). | |||||||||||
Filer IP is/are the filers address(es). You can use the ip address command to change this list of addresses. Filer IP (new) only appears if someone designated a new primary address for this filer. This becomes the filers primary IP address the next time the ARX reboots or fails over. You can use the ip address ... change-to command to change this new address. Configured SPN only appears if someone used spn to set a service-principal name (SPN) for the external filer. The ARX needs the correct SPN for Windows clusters and for Kerberos support. If this appears, the ARX is always using it (not the Discovered SPN, below) for cluster connections and Kerberos authentications. Discovered SPN is the SPN returned from a filer query. The filer query occurs when the filers first share is enabled in a managed volume. If the Configured SPN is set, the ARX does not use this SPN in its cluster connections or Kerberos authentications. Not Discovered appears here if there is neither a configured SPN or a successfully-discovered SPN. | |||||||||||
Filer Management Proxy User identifies the Unix proxy-user credentials that the ARX uses to access the filers CLI, where the ARX software issues snapshot commands. You can use the proxy-user (gbl-filer) command to select a different proxy user. Filer Management IP is a separate management-IP address, for filers that support an out-of-band IP for management. The ARX logs into the filers CLI through this address. You can use the ip address ... management command to reset it. Filer Manage Snapshots is Yes if the ARX is permitted to run snapshots on the filer, or No otherwise. To change this setting, use the manage snapshots command. CIFS Port is port that the ARX uses to make its CIFS connections. The ARX can automatically choose between the two well-known ports, 445 and 139, or you can set it explicitly with the cifs-port command. CIFS Connection Limit Overall is the maximum number of CIFS/TCP connections to the filer. Use the cifs connection-limit command to set this maximum. CIFS Connection Limit / NSM Processor is the maximum number of CIFS/TCP connections per NSM. NFS TCP Connections is the number of NFSv3/TCP connections to the filer. This is typically 1, but you can set a higher number before you incorporate the share into a managed volume. Use the nfs tcp connections command to set this number.
| |||||||||||
Managed Exports is the list of filer shares that are used in managed volumes (as opposed to direct volumes). This table only appears if one of the filers shares is imported into a managed volume. NFS Export or CIFS Share is the name of the export or share at the back-end filer. A CIFS filer may export ipc$, a standard CIFS share, if an ARX namespace uses it as a sam-reference filer.
Automatically Striped Subshares is a list of CIFS subshares that a managed volume has created on this filer. You can configure a managed volume to pass a CIFS client from a front-end subshare directly to one of its corresponding back-end subshares, where the back-end filer can subject the client to the correct share-level ACL. To support this feature, some volumes replicate, or stripe, subshares between their filer shares. You can use the filer-subshares command to make a volume stripe its subshares. (restore data share) appears for a share that has been used in a restore data operation, and is not assigned to any namespace. (file-history archive location) appears for a share that is used as a location for a file-history archive, and is not assigned to any namespace. (contains no metadata) indicates that the share is unused. It is not assigned to any namespace, nor is it used in a file-history archive, nor has it ever been used in a restore operation. | |||||||||||
Replica-snap Exports is the list of replica-snap shares, which are also used in managed volumes. This table only appears if one of the filers shares is used as a replica-snap share. NFS Export or CIFS Share is the name of the export or share at the back-end filer.
| |||||||||||
Directories and/or files to ignore for importing shows all directories/files to ignore during the import. You can use the ignore-name command to identify these names. | |||||||||||
Direct Mapped Exports appears only if at least one of the filers shares is used in a direct volume. Each share in a direct volume has one or more virtual directories, called attach points. Each attach point is directly mounted (or mapped) to one path on a back-end share. When a client lists files in an attach point, he sees the contents of the physical directory at the back-end share. Backend Path is the absolute path to the root of the back-end share. This is established by the filer command in gbl-ns-vol mode. Namespace and Volume identify the direct volume that uses this share. Protocols are the namespace protocols, all of which must be supported by this back-end share. Use the gbl-ns protocol command to establish these for the namespace. Volume Path is one of the direct volumes attach-point directories. Clients see this path under the Volume path, above. The attach command creates it. Filer-Path is the actual filer directory to which the volume is attached. This is relative to the Backend Path described earlier. The attach command attaches the Volume Path to this real path. | |||||||||||
Metadata-only shares are back-end shares devoted to managed-volume metadata. Use the metadata share command to add one of these to a namespace or volume. This table only appears if the filer is hosting at least one metadata-only share. It shows the same information as the Managed Exports table. | |||||||||||
bstnA> show external-filer shows IP addresses for all the external filers configured for storage. See Figure 20.9 for sample output. bstnA> show external-filer das1 shows details about the external-filer named das1. See Figure 20.10 on page 20-39 for sample output. bstnA> show external-filer fs2 shows details about a CIFS filer named fs2, where a managed volume has automatically striped some filer subshares. See Figure 20.11 on page 20-39 for sample output. bstnA> show external-filer nas2 shows details about the external-filer named nas2, which has direct exports for a direct volume. See Figure 20.12 on page 20-40 for sample output. bstnA> show external-filer nas10 shows details about the external-filer named nas10, which supports ARX snapshots. See Figure 20.13 on page 20-41 for sample output. bstnA> show external-filer nas11 shows details about the external-filer named nas11, which is the host for replica-snap shares. See Figure 20.14 on page 20-41 for sample output. prtlndA> show external-filer all | |||||||||||
Figure 20.9 Sample Output: show external-filer
bstnA> show external-filer
Figure 20.10 Sample Output: show external-filer das1
bstnA> show external-filer das1
Figure 20.11 Sample Output: show external-filer fs2
bstnA> show external-filer fs2
bstnA> show external-filer nas2
bstnA> show external-filer nas10
bstnA> show external-filer nas11
Figure 20.15 Sample Output: show external-filer all
prtlndA> show external-filer all
The ARX attempts to automatically discover a filers service-principal name (SPN) when the filers first share is enabled in a managed volume. A Windows server in a cluster may provide its local SPN instead of the SPN for the cluster; you can use the spn command to manually set the cluster SPN. This setting overrides any previously-discovered SPN. Use the no form of this command to revert to the discovered SPN, if there is one. | |
hostname@domain (1-256 characters) is the SPN for the external filer. Do not use any $ or / characters. hostname is the filers hostname, or the Cluster Network Name. @ is required, and it must be between the hostname and the domain. There can only be one @ symbol in the SPN. domain must be in FQDN format (for example, ourdiv.ourco.com instead of simply ourdiv). | |
For any cluster, this SPN must be a virtual SPN, one that persists after a cluster failover. Therefore, you must create a virtual SPN on the cluster before using the clusters storage behind the ARX. This may mean joining the clusters virtual service to the local AD domain. | |
For other server types, the correct SPN is required for Kerberos authentications. If the SPN is incorrect, a managed volumes proxy-user cannot connect and cannot import the filers shares. The show external-filer command shows the discovered SPN for the filer. If this is empty or incorrect, you can use the spn command to override the discovery. Once you use the spn command, the show external-filer output contains two SPN values: the discovered SPN and your configured SPN. For an external filer without a discovered SPN, the no spn command ensures that the volume cannot use Kerberos authentication with this filer. A CLI prompt warns you of this; enter yes to proceed. | |
bstnA(gbl-filer[fs3])# spn fs3@medarch.org bstnA(gbl-filer[fs1])# no spn | |