Skip to main content

NetApp_Insight_2020.png 

NetApp Knowledgebase

What is the impact of a shares symlink settings and DFS advertisement in clustered Data ONTAP on SMB2.x/3 client traffic

Views:
427
Visibility:
Public
Votes:
0
Category:
data-ontap-8
Specialty:
cifs
Last Updated:

 

Applies to

  • Clustered Data ONTAP 8.3
  • Clustered Data ONTAP 8.2

Answer

NetApp has identified situations whereby the configuration of UNIX symbolic links, called symlinks, in conjunction with the overall environment that a cluster runs, might result in unexpected behavior for CIFS clients. Only Server Message Block (SMB) clients using SMB2/SMB3 such as Window-7, Window-8, Vista, Windows-2008R2, and Windows 2012 are affected. Clients who use SMB1 (for example, Windows XP) are not affected. This article will contrast the symlink settings available in clustered Data ONTAP versus Data ONTAP operating in 7-Mode. It will not be an exhaustive review of symlinks and their overall configuration. The following three environments are explained in this article:

  • Environments that have Riverbed WAN accelerators in the data path.
  • Environments that have removed the NTFS permissions of 'Traverse/Execute'.
  • Environments that have enabled the local security setting 'Do not allow storage of passwords and credentials for network authentication'.

Note: The symlinks have to be correctly configured as outlined in NetApp product documentation. If any of the above environments are missing, symlink access works without issue. This article does not advise on how to correctly configure or troubleshoot symlinks. See Data ONTAP product documentation to validate your symlink setup prior to walking through this article. This article describes how the configuration of symlinks can impact these three specific environments. The discussion of symbolic links is not the NTFS implementation of symbolic links, rather the creation of a symbolic link through a UNIX client and then allowing a CIFS client the ability to access the link. As of the last update to this article, Data ONTAP running in any mode does not support NTFS Symbolic links.

Data ONTAP 7-Mode:

The use of symlinks is generally controlled through the options and CIFS share settings outlined below. In addition to these settings, there is also the symlink.translations file. This file is not outlined in this article. For further details, see the File Access Management Guide for the release of Data ONTAP 7-Mode running on your storage controllers.

  • CIFS option: The cifs.symlinks.enable option controls whether a symbolic link is followed when encountered by an SMB client. The symlink could be a relative or absolute symbolic link.
  • CIFS Share setting: When creating or modifying a share, symlinks can be further controlled using the settings widelink or nowidelink. This particular setting allows or disallows a symlink to be redirected to a location outside of the share path where the symbolic link resides. Additionally the setting of widelink triggered Data ONTAP 7-Mode to advertise support for an SMB feature called Distributed File System (DFS).

Clustered Data ONTAP:

The use of symlinks in clustered Data ONTAP is controlled by a few different settings. Depending on the release running in the cluster, there might be a single share level setting or, in recent releases, an additional global option that controls the advertisement of DFS.

  • CIFS share 'symlink-properties' property: This particular share setting controls the ability for a symlink to be followed, essentially enabling symlinks to function. Note: SMB autolocation relies on widelinks which requires that symlink-properties be set to either "symlinks-and-widelinks"(9.0+) or "enable" (pre 9.0) The following are the values that can be defined:
    • Enable: Allows symlinks to be enabled for both read and write access (deprecated in ONTAP 9.0 and above)
    • Read_only,enable: Allows symlinks to be enabled for read-only access (deprecated in ONTAP 9.0 and above
    • Hide: Symlinks cannot be followed by an SMB client. The symlink name is not returned when the SMB client enumerates the directory in which it is located. (Deprecated in ONTAP 9.0 and above)
    • Symlinks: This property enables local symlinks for read-write access. DFS advertisements are not generated even if the CIFS option -is-advertise-dfs-enabled is set to true.
    • Symlinks-and-widelinks: This property enables both local symlinks and wide links for read-write access. DFS advertisements are generated for both local symlinks and wide links even if the CIFS option -is-advertise-dfs-enabled is set to false.
    • Disable - This property disables symlinks and wide links. DFS advertisements are not generated even if the CIFS option -is-advertise-dfs-enabled is set to true.
    • “ “ (null or blank): Symlinks are visible when the directory in which they are is enumerated. However, the SMB client will not be able to follow the symlink
  • CIFS 'is-advertise-dfs-enabledoption: This option was introduced starting in clustered Data ONTAP 8.2.3 and 8.3. This setting controls whether there is an advertisement for an SMB feature called DFS. The DFS advertisement is what will allow a symlink that is a 'widelink' to work properly. This particular advertisement occurs during the time the client is making its initial connection to a CIFS share. This feature has a setting of 'true' or 'false' and the setting of this option controls how DFS is advertised in clustered Data ONTAP.
    • True – DFS will be advertised upon connection to the share, regardless of the setting for the share property 'symlink-properties'.
    • False – DFS will not always be advertised upon connection to the share. When set to 'false', clustered Data ONTAP will defer to the share property setting 'symlink-properties' for further guidance on how to advertise the DFS capability.

This section has several different explanations, outlining several different scenarios. See the particular sections below that relate to your environment to better understand the impact that symlinks have and what settings will work best in your environment. The commands listed below provide the current defined settings and how to change them if necessary.

How to confirm and modify necessary settings: 
Clustered Data ONTAP 8.2.3 / 8.3 and later

  • Confirm CIFS settings:
    • Share setting for symlink-properties
      cli::> cifs share show –vserver <SVM_Name> -fields symlink-properties
    • CIFS option for DFS advertisement
      cli::>set advanced (answer Y)
      cli::>cifs options show –vserver <SVM_Name> -fields is-advertise-dfs-enabled
  • Modify CIFS setting:
    • Share setting for symlink-properties
      cli::> cifs share modify –vserver prod01 –share-name test –symlink-properties <enable|hide|read_only,enable|" " (null)>
    • CIFS option for DFS advertisement
      cli::> set advanced (answer Y)
      cli::> cifs options modify –vserver prod01 –is-advertise-dfs-enabled <true|false>

Note: Modifying the symlink-properties value might require a reboot of clients when this option is modified. Clients cache how DFS was advertised when a connection to a share is made. If the option is modified in-between a client connecting and disconnecting from the share, it will not be possible to reconnect to the share without a reboot. The charts within each section will provide details on various scenarios involving clustered Data ONTAP settings and their impact. The charts will also indicate which features in clustered Data ONTAP could be impacted based on the combination of settings. For more information on clustered Data ONTAP features impacted, see the File Access Management Guide for the version running in your cluster. This documentation is available on the NetApp Support site.

Guidance:

Use Case #1 – Symlinks and Riverbed WAN acceleration - For support related issues, users running Riverbed WAN accelerators need to install clustered Data ONTAP 8.2.3 or later. This will provide the ability to control the advertisement of DFS from both an individual share level and globally as a CIFS option. Separate charts that explain several scenarios and the potential impact are listed below (2). Note the column labeled 'Riverbed Acceleration of SMB2/3' and 'Clustered Data ONTAP Feature Impacted'. The Riverbed column reflects, whether SMB2 or SMB3 traffic is eligible for acceleration based on the settings,. If the column has an 'N', then acceleration of the data will be impacted. If it has a 'Y', then the SMB2/SMB3 traffic is eligible for acceleration, depending on the configuration of the Riverbed device. You might have to review the columns detailing the impact to symlinks, covered in the last (2) columns. Those columns will indicate whether there is a clustered Data ONTAP feature impacted and if so, which feature(s). 

Riverbed as of the published or last update of this KB article has a compatibility issue involving a particular SMB feature advertisement called 'DFS Capability'. When a Riverbed device comes across a share that advertises support for DFS, it will not accelerate SMB2 and SMB3 client traffic. Riverbed is currently aware of this issue, see contact Riverbed Support for more details. 

Clustered Data ONTAP 8.2.3 or 8.3 AND later

  Symlink.Properties share setting CIFS option is-advertise-dfs-enabled setting: Riverbed Acceleration of SMB2/3 Do symlinks Work  Is a Clustered Data ONTAP Feature Impacted What Clustered Data ONTAP Feature is impacted 
Scenario #1 Enable True N Y N N/A
Scenario #2 Enable False N Y N N/A
Scenario #3 Read_only,enable True N Y N N/A
Scenario #4 Read_only,enable False N Y N N/A
Scenario #5 Hide or “ “ (null) True N N Y Symlinks and Widelinks
Scenario #6 Hide or “ “ (null) False Y N Y Symlinks, Widelinks and Autolocate

 

Use Case #2 – Symlinks and Traverse/Execute permission – If a CIFS share is hosted by a volume with NTFS-style authentication, and the folder at the root of the share does not have traverse/execute NTFS permission, the configuration for symlinks might impact access to data from SMB2 capable clients. 

For example:

  • Admin creates volume: cifsvol1 and mounts to junction /cifsvol1
  • Admin creates share cifsvol1$ to /cifsvol1
  • Admin maps Z: drive to cifsvol1$ and creates the following folder structure
    • Z:foo
    • Z:foosubfoo
  • Admin removes the “traverse/Execute” permission from the subdirectory named 'subfoo' for user domainbobbyj ; leaving all other permissions unchanged.
  • Admin within Clustered Data ONTAP creates the share 'fooshare' and provides the path for share as /cifsvol1/foo/subfoo
    Note: The root of the share path points to the same location that the Admin removed the 'traverse/execute' permissions)
  • User domainbobbyj attempts to map a drive to \toaster.domain.localfooshare
  • User domainbobbyj is prompted for username and password

This is just an example to provide explanation for this use case. A share can be created to any valid path at or below the junction path for a volume. If the share had been created at the root of the junction, that is: /cifsvol1, then the share map would have succeeded. This particular use case requires that the traverse/execute permission be removed from the location to which the share points directly. In clustered Data ONTAP, the configuration of symlinks can result in the SMB feature 'DFS' being advertised. When DFS is advertised, it creates a situation where certain SMB clients from Microsoft can be impacted. For more information, see the following Microsoft KB. The charts below will provide insight into the impact of symlink configurations and the lack of traverse/execute permissions.

Clustered Data ONTAP 8.2.3 or 8.3 AND later

  CIFS option is-advertise-dfs-enabled setting Symlink.properties
settting
 
Traverse/execute permissions
Removed

 
Do symlinks
Work
Will drive mapping succeed  Is a Clustered Data ONTAP Feature Impacted  What Clustered Data ONTAP Feature is impacted 
Scenario #1 True Enable Y Y N N N/A
Scenario #2 True Read_only,enable Y Y N N N/A
Scenario #3 True Hide or “ “ (null) Y N N Y Symlinks, Widelinks and Autolocate
Scenario #4 False Enable Y Y N N N/A
Scenario #5 False Read_only,enable Y Y N N N/A
Scenario #6 False Hide or " " (null) Y N Y Y Symlinks, Widelinks and Autolocate

 

Use Case #3 – Local Security Policy 'Network Access: Do not allow storage of passwords and credentials for network authentication'. The following Microsoft KB article outlines more details about this particular local security setting. The setting of this policy using a GPO or using Control Panel can result in the inability to connect to a network share, even if you are logged in as the same user that you will use to map the network drive. For more information, see the example below:

  • Domain User bobbyj logs into a workstation that has the above GPO defined
  • Bobbyj attempts to map to drive and uses Windows Explorer to map the drive, but when doing so selects the option to connect with different credentials
  • When prompted, bobbyj provides the proper credentials (these credentials can be the same as the logged on user or a different user that has been granted access)
  • Drive mapping fails with error message 'A specified logon session does not exist. It may already have been terminated'

Note: The same situation will apply if the client runs the 'net use' Windows command line and specifies the /user:<username> option. This again is due to how DFS is advertised and how setting the GPO impacts a client when DFS is advertised. The charts below explain the various settings and the GPO's impact.

Clustered Data ONTAP 8.2.3 or 8.3 AND later

  CIFS option is-advertise-dfs-enabled setting Symlink.properties
settting
 
Is the GPO Applied
 
Will drive mapping succeed Do symlinks
work
Is a Clustered Data ONTAP Feature Impacted  What Clustered Data ONTAP Feature is impacted 
Scenario #1 True Enable N Y Y N N/A
Scenario #2 True Read_only,enable N Y Y N N/A
Scenario #3 True Hide or “ “ (null) N Y N Y Symlinks, Widelinks and Autolocate
Scenario #4 False Enable Y N Y N N/A
Scenario #5 False Read_only,enable Y N Y N N/A
Scenario #6 False Hide or " " (null) Y N N Y Symlinks, Widelinks and Autolocate

 

 

Additional Information

Add your text here.