What is the impact of a shares symlink settings and DFS advertisement in ONTAP on SMB client traffic
Applies to
- ONTAP 9
- Data ONTAP 8 7-mode
Answer
- NetApp has identified situations whereby the configuration of UNIX symbolic links, called symlinks, in conjunction with the overall environment that a cluster runs, might result in unexpected behavior for CIFS clients.
- Server Message Block (SMB) clients using SMB2/SMB3 such as Window 10, Windows Server 2016, and Windows Server 2019 are affected.
- Clients who use SMB1 (for example, Windows XP) are not affected.
- This article will contrast the symlink settings available in ONTAP 9 versus Data ONTAP operating in 7-Mode.
- It will not be an exhaustive review of symlinks and their overall configuration.
- The following three environments are explained in this article:
- Environments that have Riverbed WAN accelerators in the data path.
- Environments that have removed the NTFS permissions of 'Traverse/Execute'.
- Environments that have enabled the local security setting 'Do not allow storage of passwords and credentials for network authentication'.
Note: The symlinks have to be correctly configured as outlined in NetApp product documentation. If any of the above environments are missing, symlink access works without issue. This article does not advise on how to correctly configure or troubleshoot symlinks. See Data ONTAP product documentation to validate your symlink setup prior to walking through this article. This article describes how the configuration of symlinks can impact these three specific environments. The discussion of symbolic links is not the NTFS implementation of symbolic links, rather the creation of a symbolic link through a UNIX client and then allowing a CIFS client the ability to access the link. As of the last update to this article, Data ONTAP running in any mode does not support NTFS Symbolic links.
Data ONTAP 7-Mode
The use of symlinks is generally controlled through the options and CIFS share settings outlined below. In addition to these settings, there is also the symlink.translations
file. This file is not outlined in this article. For further details, see the File Access Management Guide for the release of Data ONTAP 7-Mode running on your storage controllers.
- CIFS option: The
cifs.symlinks.enable
option controls whether a symbolic link is followed when encountered by an SMB client. The symlink could be a relative or absolute symbolic link. - CIFS Share setting: When creating or modifying a share, symlinks can be further controlled using the settings widelink or nowidelink. This particular setting allows or disallows a symlink to be redirected to a location outside of the share path where the symbolic link resides. Additionally the setting of widelink triggered Data ONTAP 7-Mode to advertise support for an SMB feature called Distributed File System (DFS).
ONTAP 9
The use of symlinks in ONTAP 9 is controlled by a few different settings. The ability to advertise DFS is both global to the SVM and an individual share property.
- CIFS share 'symlink-properties' property: This particular share setting controls the ability for a symlink to be followed, essentially enabling symlinks to function. Note: SMB autolocation relies on widelinks which requires that symlink-properties be set to either "symlinks-and-widelinks"(9.0+) or "enable" (pre 9.0) The following are the values that can be defined:
- Enable: Allows symlinks to be enabled for both read and write access (deprecated in ONTAP 9.0 and above)
- Read_only,enable: Allows symlinks to be enabled for read-only access (deprecated in ONTAP 9.0 and above
- Hide: Symlinks cannot be followed by an SMB client. The symlink name is not returned when the SMB client enumerates the directory in which it is located. (Deprecated in ONTAP 9.0 and above)
- Symlinks: This property enables local symlinks for read-write access. DFS advertisements are not generated even if the CIFS option -is-advertise-dfs-enabled is set to true.
- Symlinks-and-widelinks: This property enables both local symlinks and wide links for read-write access. DFS advertisements are generated for both local symlinks and wide links even if the CIFS option -is-advertise-dfs-enabled is set to false.
- Disable - This property disables symlinks and wide links. DFS advertisements are not generated even if the CIFS option -is-advertise-dfs-enabled is set to true.
- “ “ (null or blank): Symlinks are visible when the directory in which they are is enumerated. However, the SMB client will not be able to follow the symlink
- CIFS '
is-advertise-dfs-enabled
' option: This option was introduced starting in clustered Data ONTAP 8.2.3 and 8.3. This setting controls whether there is an advertisement for an SMB feature called DFS. The DFS advertisement is what will allow a symlink that is a 'widelink' to work properly. This particular advertisement occurs during the time the client is making its initial connection to a CIFS share. This feature has a setting of 'true' or 'false' and the setting of this option controls how DFS is advertised in ONTAP 9.- True – DFS will be advertised upon connection to the share, regardless of the setting for the share property 'symlink-properties'.
- False – DFS will not always be advertised upon connection to the share. When set to 'false', ONTAP 9 will defer to the share property setting 'symlink-properties' for further guidance on how to advertise the DFS capability.
This section has several different explanations, outlining several different scenarios. See the particular sections below that relate to your environment to better understand the impact that symlinks have and what settings will work best in your environment. The commands listed below provide the current defined settings and how to change them if necessary.
How to confirm and modify necessary settings:
ONTAP 9
- Confirm CIFS settings:
- Share setting for symlink-properties
cli::> cifs share show –vserver <SVM_Name> -fields symlink-properties
- CIFS option for DFS advertisement
cli::>set advanced (answer Y)
cli::>cifs options show –vserver <SVM_Name> -fields is-advertise-dfs-enabled
- Share setting for symlink-properties
- Modify CIFS setting:
- Share setting for symlink-properties
cli::> cifs share modify –vserver prod01 –share-name test –symlink-properties <enable|hide|read_only,enable|" " (null)>
- CIFS option for DFS advertisement
cli::> set advanced (answer Y)
cli::> cifs options modify –vserver prod01 –is-advertise-dfs-enabled <true|false>
- Share setting for symlink-properties
Note: Modifying the symlink-properties value might require a reboot of clients when this option is modified. Clients cache how DFS was advertised when a connection to a share is made. If the option is modified in-between a client connecting and disconnecting from the share, it will not be possible to reconnect to the share without a reboot. The charts within each section will provide details on various scenarios involving ONTAP 9 settings and their impact. The charts will also indicate which features in ONTAP 9 could be impacted based on the combination of settings.
Guidance:
Use Case #1 – Symlinks and Riverbed WAN acceleration -
Riverbed WAN Accelerators may have a compatibility issue involving a particular SMB feature advertisement called 'DFS Capability'. When a Riverbed device comes across a share that advertises support for DFS, it will not accelerate SMB2 and SMB3 client traffic. Riverbed is currently aware of this issue, please contact Riverbed Support for more details.
ONTAP 9
Symlink.Properties share setting | CIFS option is-advertise-dfs-enabled setting: | Riverbed Acceleration of SMB2/3 | Do symlinks Work | Is an ONTAP 9 Feature Impacted | What ONTAP 9 Feature is impacted | |
Scenario #1 | Enable | True | N | Y | N | N/A |
Scenario #2 | Enable | False | N | Y | N | N/A |
Scenario #3 | Read_only,enable | True | N | Y | N | N/A |
Scenario #4 | Read_only,enable | False | N | Y | N | N/A |
Scenario #5 | Hide or “ “ (null) | True | N | N | Y | Symlinks and Widelinks |
Scenario #6 | Hide or “ “ (null) | False | Y | N | Y | Symlinks, Widelinks and Autolocate |
Use Case #2 – Symlinks and Traverse/Execute permission – If a CIFS share is hosted by a volume with NTFS-style authentication, and the folder at the root of the share does not have traverse/execute NTFS permission, the configuration for symlinks might impact access to data from SMB2 capable clients.
For example:
- Admin creates volume:
cifsvol1
and mounts to junction/cifsvol1
- Admin creates share
cifsvol1$
to/cifsvol1
- Admin maps
Z: drive
tocifsvol1$
and creates the following folder structureZ:foo
Z:foosubfoo
- Admin removes the “traverse
/Execute”
permission from the subdirectory named'subfoo'
for userdomainbobbyj
; leaving all other permissions unchanged. - Admin within ONTAP 9 creates the share '
fooshare
' and provides the path for share as/cifsvol1/foo/subfoo
Note: The root of the share path points to the same location that the Admin removed the 'traverse/execute
' permissions) - User
domainbobbyj
attempts to map a drive to \toaster.domain.localfooshare - User
domainbobbyj
is prompted for username and password
This is just an example to provide explanation for this use case. A share can be created to any valid path at or below the junction path for a volume. If the share had been created at the root of the junction, that is: /cifsvol1
, then the share map would have succeeded. This particular use case requires that the traverse/execute
permission be removed from the location to which the share points directly. In ONTAP 9, the configuration of symlinks can result in the SMB feature 'DFS' being advertised. When DFS is advertised, it creates a situation where certain SMB clients from Microsoft can be impacted. For more information, see the following Microsoft KB. The charts below will provide insight into the impact of symlink configurations and the lack of traverse/execute permissions.
ONTAP 9
CIFS option is-advertise-dfs-enabled setting | Symlink.properties settting |
Traverse/execute permissions Removed |
Do symlinks Work |
Will drive mapping succeed | Is an ONTAP 9 Feature Impacted | What ONTAP 9 Feature is impacted | |
Scenario #1 | True | Enable | Y | Y | N | N | N/A |
Scenario #2 | True | Read_only,enable | Y | Y | N | N | N/A |
Scenario #3 | True | Hide or “ “ (null) | Y | N | N | Y | Symlinks, Widelinks and Autolocate |
Scenario #4 | False | Enable | Y | Y | N | N | N/A |
Scenario #5 | False | Read_only,enable | Y | Y | N | N | N/A |
Scenario #6 | False | Hide or " " (null) | Y | N | Y | Y | Symlinks, Widelinks and Autolocate |
Use Case #3 – Local Security Policy 'Network Access: Do not allow storage of passwords and credentials for network authentication'. The following Microsoft KB article outlines more details about this particular local security setting. The setting of this policy using a GPO or using Control Panel can result in the inability to connect to a network share, even if you are logged in as the same user that you will use to map the network drive. For more information, see the example below:
- Domain
User bobbyj
logs into a workstation that has the above GPO defined Bobbyj
attempts to map to drive and uses Windows Explorer to map the drive, but when doing so selects the option to connect with different credentials- When prompted,
bobbyj
provides the proper credentials (these credentials can be the same as the logged on user or a different user that has been granted access) - Drive mapping fails with error message '
A specified logon session does not exist. It may already have been terminated'
Note: The same situation will apply if the client runs the 'net use
' Windows command line and specifies the /user:<username>
option. This again is due to how DFS is advertised and how setting the GPO impacts a client when DFS is advertised. The charts below explain the various settings and the GPO's impact.
ONTAP 9
CIFS option is-advertise-dfs-enabled setting | Symlink.properties settting |
Is the GPO Applied |
Will drive mapping succeed | Do symlinks work |
Is an ONTAP 9 Feature Impacted | What ONTAP 9 Feature is impacted | |
Scenario #1 | True | Enable | N | Y | Y | N | N/A |
Scenario #2 | True | Read_only,enable | N | Y | Y | N | N/A |
Scenario #3 | True | Hide or “ “ (null) | N | Y | N | Y | Symlinks, Widelinks and Autolocate |
Scenario #4 | False | Enable | Y | N | Y | N | N/A |
Scenario #5 | False | Read_only,enable | Y | N | Y | N | N/A |
Scenario #6 | False | Hide or " " (null) | Y | N | N | Y | Symlinks, Widelinks and Autolocate |
Additional Information
Deploying SMB server-based services has more details on SMB features that may be impacted by symlink and DFS settings