Skip to main content
NetApp Knowledge Base

What is the impact of a shares symlink settings and DFS advertisement in ONTAP on SMB client traffic

  1. Last updated
  2. Save as PDF
Views:
5,607
Visibility:
Public
Votes:
3
Category:
ontap-9
Specialty:
nas
Last Updated:

 

Applies to

  • ONTAP 9
  • Data ONTAP 8 7-mode

Answer

  • NetApp has identified situations whereby the configuration of UNIX symbolic links, called symlinks, in conjunction with the overall environment that a cluster runs, might result in unexpected behavior for CIFS clients.
    • Server Message Block (SMB) clients using SMB2/SMB3 such as Window 10, Windows Server 2016, and Windows Server 2019 are affected.
    • Clients who use SMB1 (for example, Windows XP) are not affected.
  • This article will contrast the symlink settings available in ONTAP 9 versus Data ONTAP operating in 7-Mode.
  • It will not be an exhaustive review of symlinks and their overall configuration.
  • The following three environments are explained in this article:
    • Environments that have Riverbed WAN accelerators in the data path.
    • Environments that have removed the NTFS permissions of 'Traverse/Execute'.
    • Environments that have enabled the local security setting 'Do not allow storage of passwords and credentials for network authentication'.

Note: The symlinks have to be correctly configured as outlined in NetApp product documentation. If any of the above environments are missing, symlink access works without issue. This article does not advise on how to correctly configure or troubleshoot symlinks. See Data ONTAP product documentation to validate your symlink setup prior to walking through this article. This article describes how the configuration of symlinks can impact these three specific environments. The discussion of symbolic links is not the NTFS implementation of symbolic links, rather the creation of a symbolic link through a UNIX client and then allowing a CIFS client the ability to access the link. As of the last update to this article, Data ONTAP running in any mode does not support NTFS Symbolic links.

Data ONTAP 7-Mode

The use of symlinks is generally controlled through the options and CIFS share settings outlined below. In addition to these settings, there is also the symlink.translations file. This file is not outlined in this article. For further details, see the File Access Management Guide for the release of Data ONTAP 7-Mode running on your storage controllers.

  • CIFS option: The cifs.symlinks.enable option controls whether a symbolic link is followed when encountered by an SMB client. The symlink could be a relative or absolute symbolic link.
  • CIFS Share setting: When creating or modifying a share, symlinks can be further controlled using the settings widelink or nowidelink. This particular setting allows or disallows a symlink to be redirected to a location outside of the share path where the symbolic link resides. Additionally the setting of widelink triggered Data ONTAP 7-Mode to advertise support for an SMB feature called Distributed File System (DFS).
ONTAP 9

The use of symlinks in ONTAP 9 is controlled by a few different settings. The ability to advertise DFS is both global to the SVM and an individual share property.

  • CIFS share 'symlink-properties' property: This particular share setting controls the ability for a symlink to be followed, essentially enabling symlinks to function. Note: SMB autolocation relies on widelinks which requires that symlink-properties be set to either "symlinks-and-widelinks"(9.0+) or "enable" (pre 9.0) The following are the values that can be defined:
    • Enable: Allows symlinks to be enabled for both read and write access (deprecated in ONTAP 9.0 and above)
    • Read_only,enable: Allows symlinks to be enabled for read-only access (deprecated in ONTAP 9.0 and above
    • Hide: Symlinks cannot be followed by an SMB client. The symlink name is not returned when the SMB client enumerates the directory in which it is located. (Deprecated in ONTAP 9.0 and above)
    • Symlinks: This property enables local symlinks for read-write access. DFS advertisements are not generated even if the CIFS option -is-advertise-dfs-enabled is set to true.
    • Symlinks-and-widelinks: This property enables both local symlinks and wide links for read-write access. DFS advertisements are generated for both local symlinks and wide links even if the CIFS option -is-advertise-dfs-enabled is set to false.
    • Disable - This property disables symlinks and wide links. DFS advertisements are not generated even if the CIFS option -is-advertise-dfs-enabled is set to true.
    • “ “ (null or blank): Symlinks are visible when the directory in which they are is enumerated. However, the SMB client will not be able to follow the symlink
  • CIFS 'is-advertise-dfs-enabledoption: This option was introduced starting in clustered Data ONTAP 8.2.3 and 8.3. This setting controls whether there is an advertisement for an SMB feature called DFS. The DFS advertisement is what will allow a symlink that is a 'widelink' to work properly. This particular advertisement occurs during the time the client is making its initial connection to a CIFS share. This feature has a setting of 'true' or 'false' and the setting of this option controls how DFS is advertised in ONTAP 9.
    • True – DFS will be advertised upon connection to the share, regardless of the setting for the share property 'symlink-properties'.
    • False – DFS will not always be advertised upon connection to the share. When set to 'false', ONTAP 9 will defer to the share property setting 'symlink-properties' for further guidance on how to advertise the DFS capability.

This section has several different explanations, outlining several different scenarios. See the particular sections below that relate to your environment to better understand the impact that symlinks have and what settings will work best in your environment. The commands listed below provide the current defined settings and how to change them if necessary.

How to confirm and modify necessary settings: 
ONTAP 9

  • Confirm CIFS settings:
    • Share setting for symlink-properties
      cli::> cifs share show –vserver <SVM_Name> -fields symlink-properties
    • CIFS option for DFS advertisement
      cli::>set advanced (answer Y)
      cli::>cifs options show –vserver <SVM_Name> -fields is-advertise-dfs-enabled
  • Modify CIFS setting:
    • Share setting for symlink-properties
      cli::> cifs share modify –vserver prod01 –share-name test –symlink-properties <enable|hide|read_only,enable|" " (null)>
    • CIFS option for DFS advertisement
      cli::> set advanced (answer Y)
      cli::> cifs options modify –vserver prod01 –is-advertise-dfs-enabled <true|false>

Note: Modifying the symlink-properties value might require a reboot of clients when this option is modified. Clients cache how DFS was advertised when a connection to a share is made. If the option is modified in-between a client connecting and disconnecting from the share, it will not be possible to reconnect to the share without a reboot. The charts within each section will provide details on various scenarios involving ONTAP 9 settings and their impact. The charts will also indicate which features in ONTAP 9 could be impacted based on the combination of settings.

Guidance:

Use Case #1 – Symlinks and Riverbed WAN acceleration -

Riverbed WAN Accelerators may have a compatibility issue involving a particular SMB feature advertisement called 'DFS Capability'. When a Riverbed device comes across a share that advertises support for DFS, it will not accelerate SMB2 and SMB3 client traffic. Riverbed is currently aware of this issue, please contact Riverbed Support for more details. 

ONTAP 9

  Symlink.Properties share setting CIFS option is-advertise-dfs-enabled setting: Riverbed Acceleration of SMB2/3 Do symlinks Work  Is an ONTAP 9 Feature Impacted What ONTAP 9 Feature is impacted 
Scenario #1 Enable True N Y N N/A
Scenario #2 Enable False N Y N N/A
Scenario #3 Read_only,enable True N Y N N/A
Scenario #4 Read_only,enable False N Y N N/A
Scenario #5 Hide or “ “ (null) True N N Y Symlinks and Widelinks
Scenario #6 Hide or “ “ (null) False Y N Y Symlinks, Widelinks and Autolocate

 

Use Case #2 – Symlinks and Traverse/Execute permission – If a CIFS share is hosted by a volume with NTFS-style authentication, and the folder at the root of the share does not have traverse/execute NTFS permission, the configuration for symlinks might impact access to data from SMB2 capable clients. 

For example:

  • Admin creates volume: cifsvol1 and mounts to junction /cifsvol1
  • Admin creates share cifsvol1$ to /cifsvol1
  • Admin maps Z: drive to cifsvol1$ and creates the following folder structure
    • Z:foo
    • Z:foosubfoo
  • Admin removes the “traverse/Execute” permission from the subdirectory named 'subfoo' for user domainbobbyj ; leaving all other permissions unchanged.
  • Admin within ONTAP 9 creates the share 'fooshare' and provides the path for share as /cifsvol1/foo/subfoo
    Note: The root of the share path points to the same location that the Admin removed the 'traverse/execute' permissions)
  • User domainbobbyj attempts to map a drive to \toaster.domain.localfooshare
  • User domainbobbyj is prompted for username and password

This is just an example to provide explanation for this use case. A share can be created to any valid path at or below the junction path for a volume. If the share had been created at the root of the junction, that is: /cifsvol1, then the share map would have succeeded. This particular use case requires that the traverse/execute permission be removed from the location to which the share points directly. In ONTAP 9, the configuration of symlinks can result in the SMB feature 'DFS' being advertised. When DFS is advertised, it creates a situation where certain SMB clients from Microsoft can be impacted. For more information, see the following Microsoft KB. The charts below will provide insight into the impact of symlink configurations and the lack of traverse/execute permissions.

ONTAP 9

  CIFS option is-advertise-dfs-enabled setting Symlink.properties
settting
 		 Traverse/execute permissions
Removed
 		 Do symlinks
Work		 Will drive mapping succeed  Is an ONTAP 9 Feature Impacted  What ONTAP 9 Feature is impacted 
Scenario #1 True Enable Y Y N N N/A
Scenario #2 True Read_only,enable Y Y N N N/A
Scenario #3 True Hide or “ “ (null) Y N N Y Symlinks, Widelinks and Autolocate
Scenario #4 False Enable Y Y N N N/A
Scenario #5 False Read_only,enable Y Y N N N/A
Scenario #6 False Hide or " " (null) Y N Y Y Symlinks, Widelinks and Autolocate

 

Use Case #3 – Local Security Policy 'Network Access: Do not allow storage of passwords and credentials for network authentication'. The following Microsoft KB article outlines more details about this particular local security setting. The setting of this policy using a GPO or using Control Panel can result in the inability to connect to a network share, even if you are logged in as the same user that you will use to map the network drive. For more information, see the example below:

  • Domain User bobbyj logs into a workstation that has the above GPO defined
  • Bobbyj attempts to map to drive and uses Windows Explorer to map the drive, but when doing so selects the option to connect with different credentials
  • When prompted, bobbyj provides the proper credentials (these credentials can be the same as the logged on user or a different user that has been granted access)
  • Drive mapping fails with error message 'A specified logon session does not exist. It may already have been terminated'

Note: The same situation will apply if the client runs the 'net use' Windows command line and specifies the /user:<username> option. This again is due to how DFS is advertised and how setting the GPO impacts a client when DFS is advertised. The charts below explain the various settings and the GPO's impact.

ONTAP 9

  CIFS option is-advertise-dfs-enabled setting Symlink.properties
settting
 		 Is the GPO Applied
 		 Will drive mapping succeed Do symlinks
work		 Is an ONTAP 9 Feature Impacted  What ONTAP 9 Feature is impacted 
Scenario #1 True Enable N Y Y N N/A
Scenario #2 True Read_only,enable N Y Y N N/A
Scenario #3 True Hide or “ “ (null) N Y N Y Symlinks, Widelinks and Autolocate
Scenario #4 False Enable Y N Y N N/A
Scenario #5 False Read_only,enable Y N Y N N/A
Scenario #6 False Hide or " " (null) Y N N Y Symlinks, Widelinks and Autolocate

 

 

Additional Information

Deploying SMB server-based services has more details on SMB features that may be impacted by symlink and DFS settings

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.