
CIFS Overview

Module 5
Accelerated NCDA Boot Camp
Data ONTAP 8.0 7-Mode
Module Objectives

By the end of this module, you should be able to:


 Describe basic CIFS features
 Describe the following network environments:
– Microsoft® Windows® workgroup
– Non-Windows workgroup
– Windows domains
 Describe how a storage system authenticates
users in each server environment
 Explain the advantages and disadvantages of
each server environment

© 2010 NetApp, Inc. All rights reserved.


CIFS Features



CIFS Definition
 Common Internet File System (CIFS)
– A Microsoft network file-sharing protocol that
evolved from the Server Message Block (SMB)
protocol
– Access and manipulate files and folders on
remote servers as if they are on a local machine



CIFS: Basic Functions
 Network browsing to locate:
– Machines within an environment (provided by a
browse list)
– Shared resources that are available on a given
machine (provided by that machine)
 User authentication
 Authorization
– Shared resource access
– Folder and file access



CIFS: Basic Functions (Cont.)
 Basic file attributes
– Read-only
– Archive
– System
– Hidden
 Extended NTFS file attributes of indexing,
compression, and encryption
 Unicode support
 File locking (opportunistic locks)
 Dialect negotiation



Client-Server Communications

1. SMB_COM_NEGOTIATE
Client lists the CIFS dialects it supports, as a list of strings.

2. SMB_COM_NEGOTIATE
Server replies with the index of the dialect it selected from the client's list. With challenge/response
security, an 8-byte random challenge is sent back as well; the client uses it in the next step to prove
it knows the password during logon.

3. SMB_COM_SESSION_SETUP_ANDX
Client sends its user name and its response to the challenge (a value computed from the password and the
challenge, so the password itself does not cross the wire) to obtain a user ID (UID) for the session.

4. SMB_COM_SESSION_SETUP_ANDX
If the credentials are accepted, a valid UID is included in the packet header, and every later request
carries it. If not, an error code is sent and access is denied.

5. SMB_COM_TREE_CONNECT_ANDX
Client requests access to the share. The packet contains the fully specified path in Universal Naming
Convention (UNC) form.



Client-Server Communications (Cont.)

6. SMB_COM_TREE_CONNECT_ANDX
If access to the share is granted, the server returns the 16-bit tree ID (TID) corresponding to
the share. If the path is not found or there are insufficient credentials, an error code is sent.

7. SMB_COM_OPEN_ANDX
Client requests to open a file on a share. The name of the file is included.

8. SMB_COM_OPEN_ANDX
If access to the file is granted, the server returns the file ID of the requested file. If the file
does not exist or there are insufficient credentials, an error code is sent.

9. SMB_COM_READ_ANDX
The client requests that the server read the file and return its contents. The file ID obtained
when the file was opened is included.

10. SMB_COM_READ_ANDX
The requested data is returned.

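The exchange above, as an added example that is not part of the original module and is not NetApp code: a toy CIFS server and client in Python that walk through the same five request/response pairs, hand out the UID, TID and FID that later requests must carry, and return NT status codes on a bad password, an unknown share or a missing file. The 32-byte header layout and the command and status codes are the MS-CIFS ones; the message bodies are simplified, and the NTLM DES-based challenge/response is replaced by an HMAC-SHA256 stand-in so that only the standard library is needed. The user, share and file contents are constructed sample data. The last function shows why the 8-byte challenge matters: a logon captured on one connection fails when replayed on another, because the server issued a different challenge. In a workgroup the storage system performs this check against its own account table, as here; in a domain it would hand the response to a domain controller for the same check.

```python
"""Simulated SMB1/CIFS exchange: NEGOTIATE, SESSION_SETUP, TREE_CONNECT, OPEN, READ.
Added illustration, not NetApp code. Header and command codes follow MS-CIFS; bodies are
simplified and NTLM's DES-based response is replaced by an HMAC-SHA256 stand-in."""
import hashlib, hmac, os, struct

SMB_COM_OPEN_ANDX, SMB_COM_READ_ANDX = 0x2D, 0x2E
SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x72, 0x73, 0x75
STATUS_SUCCESS, STATUS_LOGON_FAILURE, STATUS_INVALID_HANDLE = 0x00000000, 0xC000006D, 0xC0000008
STATUS_OBJECT_NAME_NOT_FOUND, STATUS_BAD_NETWORK_NAME, STATUS_SMB_BAD_TID = 0xC0000034, 0xC00000CC, 0x00050002
HDR = "<4sBIBHH8sHHHHH"  # MS-CIFS 2.2.3.1 SMB_Header: 32 bytes, little-endian
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]  # oldest to newest
USERS = {"alice": "s3cret"}                               # constructed sample local account
SHARES = {"DATA": {"report.txt": b"quarterly numbers"}}  # constructed sample share

def pack_header(cmd, status=0, tid=0, uid=0, mid=0):
    # Flags 0x18: case-insensitive, canonical paths. Flags2 0x4001: NT status codes, long names.
    return struct.pack(HDR, b"\xffSMB", cmd, status, 0x18, 0x4001, 0, bytes(8), 0, tid, 0xFEFF, uid, mid)

def unpack_header(buf):
    f = struct.unpack(HDR, buf[:32])
    if f[0] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return {"cmd": f[1], "status": f[2], "tid": f[8], "uid": f[10], "mid": f[11]}, buf[32:]

def challenge_response(password, challenge):
    """Stand-in for the NTLM response: proves the password without sending it, bound to one challenge."""
    return hmac.new(password.encode("utf-16-le"), challenge, hashlib.sha256).digest()

class Connection:
    """One client connection to a toy CIFS server: its challenge and the UID/TID/FID tables it issued."""
    def __init__(self, users, shares):
        self.users, self.shares = users, shares  # user -> password, share -> {filename: bytes}
        self.challenge, self.uids, self.tids, self.fids = None, {}, {}, {}

    def handle(self, raw):
        h, body = unpack_header(raw)
        def reply(status, data=b"", tid=0, uid=0):
            return pack_header(h["cmd"], status, tid, uid, h["mid"]) + data
        if h["cmd"] == SMB_COM_NEGOTIATE:
            offered = [d.rstrip(b"\0") for d in body.split(b"\x02") if d]
            chosen = max((i for i, d in enumerate(offered) if d in DIALECTS),
                         key=lambda i: DIALECTS.index(offered[i]), default=0xFFFF)
            self.challenge = os.urandom(8)  # EncryptionKey: the 8-byte random challenge
            return reply(STATUS_SUCCESS, struct.pack("<H", chosen) + self.challenge)
        if h["cmd"] == SMB_COM_SESSION_SETUP_ANDX:
            name, resp = body.split(b"\0", 1)
            user = name.decode()
            expected = challenge_response(self.users.get(user, ""), self.challenge or b"")
            if user not in self.users or not hmac.compare_digest(resp, expected):
                return reply(STATUS_LOGON_FAILURE)
            self.uids[(uid := len(self.uids) + 1)] = user
            return reply(STATUS_SUCCESS, uid=uid)
        if h["uid"] not in self.uids:  # every later request must carry a UID this server issued
            return reply(STATUS_LOGON_FAILURE)
        if h["cmd"] == SMB_COM_TREE_CONNECT_ANDX:
            share = body.rstrip(b"\0").decode().rsplit("\\", 1)[-1]  # \\SERVER\SHARE -> SHARE
            if share not in self.shares:
                return reply(STATUS_BAD_NETWORK_NAME, uid=h["uid"])
            self.tids[(tid := len(self.tids) + 1)] = share
            return reply(STATUS_SUCCESS, tid=tid, uid=h["uid"])
        if h["tid"] not in self.tids:
            return reply(STATUS_SMB_BAD_TID, uid=h["uid"])
        if h["cmd"] == SMB_COM_OPEN_ANDX:
            files, name = self.shares[self.tids[h["tid"]]], body.rstrip(b"\0").decode()
            if name not in files:
                return reply(STATUS_OBJECT_NAME_NOT_FOUND, tid=h["tid"], uid=h["uid"])
            self.fids[(fid := len(self.fids) + 1)] = files[name]
            return reply(STATUS_SUCCESS, struct.pack("<H", fid), h["tid"], h["uid"])
        if h["cmd"] == SMB_COM_READ_ANDX:
            (fid,) = struct.unpack("<H", body[:2])
            if fid not in self.fids:
                return reply(STATUS_INVALID_HANDLE, tid=h["tid"], uid=h["uid"])
            return reply(STATUS_SUCCESS, self.fids[fid], h["tid"], h["uid"])
        raise ValueError("unsupported command 0x%02x" % h["cmd"])

def fetch(conn, user, password, unc, filename):
    """Client side of the ten-step exchange; returns (NT status of the last reply, file data)."""
    mid = [0]
    def call(cmd, body, tid=0, uid=0):
        mid[0] += 1
        return unpack_header(conn.handle(pack_header(cmd, 0, tid, uid, mid[0]) + body))
    _, data = call(SMB_COM_NEGOTIATE, b"".join(b"\x02" + d + b"\0" for d in DIALECTS))
    h, _ = call(SMB_COM_SESSION_SETUP_ANDX, user.encode() + b"\0" + challenge_response(password, data[2:10]))
    if h["status"] == STATUS_SUCCESS:
        h, _ = call(SMB_COM_TREE_CONNECT_ANDX, unc.encode() + b"\0", uid=h["uid"])
    if h["status"] == STATUS_SUCCESS:
        h, data = call(SMB_COM_OPEN_ANDX, filename.encode() + b"\0", h["tid"], h["uid"])
    if h["status"] == STATUS_SUCCESS:
        h, data = call(SMB_COM_READ_ANDX, data, h["tid"], h["uid"])  # body is the 2-byte FID
    return h["status"], (data if h["status"] == STATUS_SUCCESS else b"")

def replayed_logon(user, password):
    """Capture a logon on one connection, replay it on a fresh one: the new challenge defeats it."""
    neg = pack_header(SMB_COM_NEGOTIATE, mid=1) + b"\x02NT LM 0.12\0"
    first = Connection(USERS, SHARES)
    captured = user.encode() + b"\0" + challenge_response(password, unpack_header(first.handle(neg))[1][2:10])
    fresh = Connection(USERS, SHARES)
    fresh.handle(neg)
    return unpack_header(fresh.handle(pack_header(SMB_COM_SESSION_SETUP_ANDX, mid=2) + captured))[0]["status"]
```

Calling fetch(Connection(USERS, SHARES), "alice", "s3cret", r"\\FILER\DATA", "report.txt") returns the status 0 and the file bytes; a wrong password stops the exchange at step 4 with STATUS_LOGON_FAILURE, an unknown share at step 6 with STATUS_BAD_NETWORK_NAME, and a missing file at step 8 with STATUS_OBJECT_NAME_NOT_FOUND. Note that the server checks the UID on every request after logon and the TID on every request after the tree connect: the identifiers are what tie a request to an authenticated session, which is also why signing or encrypting the session matters once an attacker can inject packets.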


CIFS Environments



Network Environments

Storage systems can participate in:


 Workgroups
– Windows workgroup
– Non-Windows workgroup
 Domains
– Windows NT® 4.0
– Windows Active Directory



Client Requirements

Each client in a CIFS environment must:


 Locate other computers
 Request resources from a server
– Requires user authentication
– Requires resource authorization
 Share permissions
 File-level permissions

NOTE: Implementation differs depending on the CIFS environment
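The two-level authorization above (share permissions, then folder and file permissions), as an added example that is not part of the original module and is not NetApp code. It assumes the usual Windows rules, which the slide only implies: a right must be granted at both levels, so the more restrictive level wins, and within one ACL an explicit Deny entry overrides any Allow. The share, the file ACL and the identities are constructed sample data.

```python
"""Two-level CIFS authorization: share permissions, then folder/file permissions.
Added illustration, not NetApp code. Assumes Windows semantics: a right is usable
only if both levels grant it, and an explicit Deny beats an Allow inside one ACL."""
READ, WRITE, CHANGE_PERMS = 1, 2, 4
CHANGE = READ | WRITE                 # the share-level "Change" permission
FULL = READ | WRITE | CHANGE_PERMS    # "Full Control"

def evaluate(acl, principals):
    """Rights one ACL grants to an identity (its user name plus all of its group names)."""
    allowed = denied = 0
    for who, kind, rights in acl:  # each entry: (principal, "allow" | "deny", rights mask)
        if who in principals:
            if kind == "deny":
                denied |= rights
            else:
                allowed |= rights
    return allowed & ~denied & FULL   # Deny entries win over Allow entries

def effective_access(share_acl, file_acl, principals):
    """A right is usable only if the share ACL and the file ACL both grant it."""
    return evaluate(share_acl, principals) & evaluate(file_acl, principals)

def describe(mask):
    names = (("read", READ), ("write", WRITE), ("change-permissions", CHANGE_PERMS))
    return [n for n, bit in names if mask & bit]

# constructed sample: share DATA gives Everyone "Change"; the NTFS ACL on one file is more specific
SHARE_ACL = [("Everyone", "allow", CHANGE)]
FILE_ACL = [("Finance", "allow", FULL), ("Everyone", "allow", READ), ("contractor", "deny", WRITE)]
IDENTITIES = {
    "alice": {"alice", "Everyone", "Finance"},
    "bob": {"bob", "Everyone"},
    "contractor": {"contractor", "Everyone", "Finance"},
}
```

For alice the file ACL grants Full Control but the share caps her at Change, so she gets read and write; bob gets read only; the contractor is in Finance but the explicit Deny removes write. Share-level permissions are the coarse gate and file-level permissions the fine one, and a user who is in neither ACL gets nothing at all.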


Windows Workgroups



Windows Workgroup
 A Windows workgroup:
– Logical grouping of networked machines
– Shares resources, such as folders and files
 Each machine in the workgroup authenticates
and authorizes users through a local security
database

NOTE: Users must have an account on the machine they wish to access


Storage System Joins a Workgroup
For a storage system to "join" a Windows workgroup:
 It broadcasts its NetBIOS name on the local subnet
 The master browser adds the name to the master browse list
 The browse list is distributed to all members of the workgroup
– 15-minute delay possible before the storage system appears in clients' browse lists
– NOTE: Storage systems do not pull the master browse list; they announce themselves and wait to be listed

[Figure: the new storage system announces "I'm a storage system, and I'm new!"; the master browser updates its list and copies of the list reach the clients]


Name Resolution in a Workgroup
 Machine name to IP resolution through NetBIOS resolution:
– A user broadcasts a name query on the network
– The requested machine responds to the name query by returning its
IP address
 Machine name to IP resolution through DNS resolution is also
available (discussed later)

[Figure: a client broadcasts "What's the IP address of the storage system?"; the storage system answers with its IP address]
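The broadcast name query described above, as an added example that is not part of the original module and is not NetApp code: it builds the NetBIOS name query (RFC 1001/1002, UDP port 137) that a client broadcasts for a storage system's name, the positive response the storage system sends back, and a parser for that response. The name "FILER" and the address 192.0.2.10 are constructed sample values.

```python
"""NetBIOS name query and response as broadcast in a workgroup (RFC 1001/1002).
Added illustration, not NetApp code; sample name and address are constructed."""
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
FLAGS_BCAST_QUERY = 0x0110    # OPCODE query, RD=1, B=1 (broadcast)
FLAGS_POS_RESPONSE = 0x8500   # R=1, AA=1, RD=1, RCODE=0
SUFFIX_FILE_SERVER = 0x20     # the <20> File Server Service suffix a CIFS server registers

def encode_name(name, suffix):
    """First-level encoding: pad to 15 bytes, append suffix, split each byte into two 'A'-based nibbles."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\0"   # length byte, 32 encoded bytes, empty scope

def decode_name(buf, off=0):
    """Inverse of encode_name; returns (name, suffix, offset just past the name)."""
    n = buf[off]
    enc = buf[off + 1:off + 1 + n]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    end = off + 1 + n
    while buf[end]:                # skip any scope labels
        end += buf[end] + 1
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], end + 1

def build_query(name, txid):
    """What the client broadcasts: header with QDCOUNT=1, then the question (name, type NB, class IN)."""
    hdr = struct.pack(">HHHHHH", txid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    return hdr + encode_name(name, SUFFIX_FILE_SERVER) + struct.pack(">HH", NB_TYPE, IN_CLASS)

def build_response(query, ip, ttl=300000):
    """What the named machine answers: same txid, its name, then NB_FLAGS (B-node, unique) and its IP."""
    (txid,) = struct.unpack(">H", query[:2])
    name_end = decode_name(query, 12)[2]
    rdata = struct.pack(">H4s", 0x0000, bytes(int(o) for o in ip.split(".")))
    hdr = struct.pack(">HHHHHH", txid, FLAGS_POS_RESPONSE, 0, 1, 0, 0)
    return hdr + query[12:name_end] + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata

def parse_response(pkt):
    """Return (txid, name, suffix, [ip, ...]) from a positive name query response."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F or an < 1:
        raise ValueError("not a positive name query response, rcode=%d" % (flags & 0xF))
    name, suffix, off = decode_name(pkt, 12)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    ips = []
    for i in range(off, off + rdlen, 6):              # one 6-byte entry per address
        nb_flags, a, b, c, d = struct.unpack(">HBBBB", pkt[i:i + 6])
        ips.append("%d.%d.%d.%d" % (a, b, c, d))
    return txid, name, suffix, ips
```

Nothing in this exchange authenticates the answer: the client accepts the first response carrying its transaction ID, and any host on the broadcast subnet can send one, so NetBIOS resolution is only as trustworthy as the subnet it runs on.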


Storage System User Authentication
Storage system user authentication is performed locally:
 Users are added to the storage system's local user database
 Authentication is performed locally against that database
 Authenticated users are provided with a session

[Figure: Machine B requests session authentication; the storage system checks its local user accounts (username, password, group info, user rights), authenticates Machine B and opens a session with Machine B]


Windows Workgroup Advantages
 Does not require running Windows Domain
Controller
– Advantageous for small organizations
 Simple to design and implement
 Convenient for a limited number of machines
in close proximity
– Limited to 96 local user accounts on the storage system


Windows Workgroup Disadvantages
 Administrative overhead in maintaining a list of
user accounts on multiple machines
– Any changes to a user account (for example,
passwords) must be made on each machine
 Joining or leaving a workgroup must propagate
through the master browse list
– Delay up to 15 minutes
 Generally, a browse list cannot span subnets
– Workgroup depends on subnet broadcasting


Non-Windows
Workgroups



Non-Windows Workgroups
 A non-Windows workgroup:
– Support for Windows client machines when
there is no Windows workgroup or domain
– Share resources with Windows client users
 This environment is also referred to as:
– UNIX® password workgroup
– /etc/passwd-style workgroup



Non-Windows Workgroup Storage System
 Provides user authentication by one or more of the
following:
– Storage system local /etc/passwd file
– Network Information Services (NIS) server
– Lightweight Directory Access Protocol (LDAP) server
 Provides name-to-IP resolution by one or more of the
following:
– Storage system local /etc/hosts file
– NIS server
– Domain Name System (DNS) server

NOTE: /etc/nsswitch.conf sets the order of precedence for the mechanisms used


Non-Windows Workgroup Advantages
 In a mostly UNIX environment, CIFS shares
are made available to the few Windows client
users
 User authentication performed by existing:
– NIS
– LDAP server
– /etc/passwd file
 Name-to-IP resolution performed by existing:
– NIS
– DNS server
– /etc/hosts

Non-Windows Workgroup Disadvantages
 Administrative overhead in maintaining a list of
user accounts on multiple machines
– Any changes to a user account (for example,
passwords) must be made on each machine
 Passwords are sent in clear text
– The storage system must compare the password the client supplies
against the UNIX password entry, so Windows clients have to be configured to
send unencrypted passwords (the LanmanWorkstation EnablePlainTextPassword
registry setting), and every logon is readable by anyone who can sniff the subnet
 Requires both NFS and CIFS licenses
 Generally, a browse list cannot span subnets
– Workgroup depends on subnet broadcasting



Windows Domains



Windows Domains
 A Windows domain:
– A logical grouping of networked machines
– Share a central directory of resources
 A domain controller centralizes:
– User/Group/Machine account management
– User authentication
– Group policy management across the domain

NOTE: In this course, we will consider NT-style security and Active Directory domains together


Typical Machines in a Domain
Type of machines in a domain:
 Clients
– Machines that request resources from a server
 Member servers
– Servers that provide resources to clients
 Domain controllers (DCs)
– Servers that each maintain a copy of a centralized
database
 Domain name resolution servers
– Windows Internet Name Service (WINS) for Windows
NT-style domains
– Domain Name System (DNS) for Windows 2000 Server
(or later) domains



Storage System Joins a Domain
 When a storage system joins a domain:
– The domain controller adds a machine account for the storage system to the domain database
– The storage system becomes a member server

[Figure: the storage system (member server) joins the domain; the domain controller records its machine name among the machine accounts in the directory]


Domain Name to IP Resolution
 When a client accesses a storage system's resource:
– The client requests the browse list from the DC (the browser server), which lists the available machines
– The client contacts the DNS or WINS server for the storage system's IP address
– The client communicates with the storage system (a member server)

[Figure: the client asks the domain controller / browser server "What machines are available?" and receives the browse list; it asks DNS/WINS "What is the storage system's IP?" and receives the address]

User Authentication
 User authentication on a storage system in a domain:
– Domain users are created on the domain controller (DC)
– User session authentication occurs at the DC: the storage system passes the
user's credentials through to a DC and relies on its answer
– Authenticated users must still be authorized to access a share and its
resources

[Figure: the Client-B user requests session authentication from the storage system (member server); the storage system has the domain controller authenticate the Client-B user; a session with the Client-B user is established]


Domain Advantages and Disadvantages
 Advantages:
– Centralized administration of all user information
– A centralized mechanism for authentication
– Scalable
 Disadvantages:
– Complexity of architecting Active Directory
– Requires Windows Server licenses for the domain controllers


Module Summary



Module Summary

In this module, you should have learned to:


 Describe basic CIFS features
 Describe the following network environments:
– Microsoft Windows workgroup
– Non-Windows workgroup
– Windows domains
 Describe how a storage system authenticates
users in each server environment
 Explain the advantages and disadvantages of
each server environment



Exercise
Module 5: CIFS Overview
Estimated Time: 15 minutes
Check Your Understanding: Answers
 In a network, which two abilities does a
Windows client user require?
– Find other computers
– Request resources from a server
 What is the difference between user
authentication and authorization?
– User authentication = user identity verification
– User authorization = allows certain functionality
at the share or file level



Check Your Understanding: Answers
(Cont.)
 What are the three types of storage system
CIFS service environments?
– Windows workgroup
– Non-Windows workgroup
– Windows domain
 What is the purpose of a name resolution
server?
– To resolve machine names to IP addresses



Check Your Understanding: Answers
(Cont.)
 What kind of information is kept in the directory
that the domain controller stores and
maintains?
– Machine accounts
– User names/passwords/rights
– Group membership information
– Group policies
 In a Windows workgroup, how does a storage
system authenticate users?
– Locally



Check Your Understanding: Answers
(Cont.)
 In a Windows domain, how does a storage
system authenticate users?
– By means of a domain controller
 In a non-Windows workgroup, how does a
storage system authenticate users?
– By way of UNIX mechanisms:
 Local /etc/passwd file
 NIS server
 LDAP server
