Storage
Mobility
Protection
Analysis and control
TOPICShare
Organizations rely on enterprise file sharing tools to provide access for critical files from multiple devices and platforms. But not all of those devices and platforms will rely on the same file protocols. This is true for both on-prem and cloud file sharing.
An enterprise organization’s IT landscape is usually a mix of Windows and Linux machines—in certain scenarios a single file share may need access by both Windows and Linux machines at the same time. Managing this could get complex, as Windows and Linux follow different security semantics and protocols. Luckily, BlueXP and Cloud Volumes ONTAP offer a solution.
This blog will explore multi-protocol file sharing and show you how to set it up with Cloud Volumes ONTAP, giving you an easy way for Windows and Linux servers in mixed environments to access the same volumes.
Jump down with the links below to get started:
NFS vs. SMB
Server Messaging protocol (SMB) is the native file sharing protocol implemented in Windows systems. SMB uses share level and user level security to authorize access to file shares. The Common Internet File System (CIFS) protocol is a dialect of SMB, which in turn is a collection of message packages that defines a specific version of SMB. The Network File System (NFS) protocol is used by Linux systems to share files and folders.
NFS mount options use export policies in addition to file and folder permissions as a security mechanism. When the same volume must be shared between Windows and Linux systems, interoperability between these mechanisms is essential and also quite complex to achieve. Other major differences between the protocols include their authentication mechanisms, security settings, and renaming and locking policies.
Mounting NFS in Windows
While it is possible to configure Windows servers to enable communication with NFS and Linux servers to access shares over SMB, it isn’t an easy configuration process. To use NFS with Windows, the role should be enabled from Server Manager or through PowerShell. In addition to that, User ID mapping and Group ID mapping should be configured so that users from Windows domains can access the files in the NFS share.
Alternatively, RPCSEC_GSS, a Kerberos V5-based protocol, can be used for authentication and better security; however, identity mapping is still going to be required. Configuring anonymous access eliminates most of the complicated identity mapping requirements, but that introduces a security risk as the share will be mounted using root user privileges.
Mounting SMB in Linux
Mounting SMB shares in Linux also requires additional configuration for access and authentication. Administrators can use Samba tools to access SMB shares from Linux. Depending on the CIFS module and SMB protocol version, not all SMB features will be available.
A credential file should be created for authenticating to the SMB share with details such as Windows username, password, domain, etc. In multi-user scenarios, users also need to provide their individual credentials using the cifscred utility, which is used for passing on user credentials to a kernel when CIFS is mounted with a multi-user option.
From all of this it’s clear that using the same share for Linux and Windows is not an easy job, and the cloud isn’t helping. The major cloud file service offerings, such as Amazon EFS, most versions of Amazon FSx, or Azure Files either provide access to NFS or SMB, not both. Cloud Volumes ONTAP offers a solution: support for both NFS and SMB access for volumes on AWS and Azure.
How to Configure NFS/SMB Multiprotocol Access on Cloud Volumes ONTAP
Cloud Volumes ONTAP offers a versatile enterprise file sharing storage for hybrid and multicloud environments, with many advanced storage features such as high availability, data protection, cost-saving storage efficiencies, data tiering, and more. With Cloud Volumes ONTAP, data can be accessed over SMB, NFS, or both at the same time, which allows Windows and Linux environments to have concurrent access to the same files on the same volume.
Configuring multiprotocol access can be done through a set of simple steps. Note that this can be done starting with NFS and then switching to SMB, or vice versa. In this example we are going to start with an NFS volume and then add SMB.
Let’s start by logging in to BlueXP, then follow the steps below.
Setting up the NFS Volume
- On the BlueXP canvas you will see your current working environments listed as icons.
- Select Cloud Volumes ONTAP instance deployed in Azure and then click the “Enter Working Environment” button in the details panel.
- On the Azure instance’s details page, click the “Add volume” button, then select the option to create a new volume.
- In the Volume Details, Protection & Tags step, enter in all of the volume information requested. When you are done, click “Next.”
- On the Protocols page we will select the NFS as our volume’s first protocol, then click “Next” to proceed.
- In this step, select your disk type. Since we are configuring this volume for file sharing, select the high performance SSD option.
- Choose the usage profile and tiering policy for the volume, then click “Next.”
- In the review stage, verify the volume creation. Finalize by clicking “Add.”
Setting Up CIFS for the Working Environment
When your volume is created you will be brought back to the working environment page for the Cloud Volumes ONTAP instance. We will now set up CIFS access for the working environment.
- Start by clicking on the Overview tab, as shown below.
- In the Overview tab, choose the Features Tab.
Find the option for “CIFS setup” at the bottom of the menu and select it.
- Add details for the DNS primary IP, secondary IP, the Active Directory domain, CIFS server NetBIOS name, your organizational unit, DNS domain, and your credentials to join the domain.
Once all the information is added, click “Set” to proceed.
The working environment is now ready to be used via CIFS / SMB. You can continue to set an SMB share for the volume.
System Manager Steps to Configure SMB
Now that the volume allows for CIFS setup, we can set it to use SMB. To complete the remaining configuration step, we need to access System Manager.
Follow these steps:
- From BlueXP, click on the working environment, then select the “Switch to Advanced View” button in the upper right.
- In System Manager, go to the left-side menu and expand the Storage menu options. Select “Shares” from the list.
- Click the “+Add” button in the upper left of the window, then select “Share.”
- In the Add Share window, choose a name for the share, its access path, a description, and the access permission.
- Next, we will configure username mapping for Windows and UNIX usernames. This will allow Windows users to access files on the share using UNIX file permissions and vice versa.
If individual-level file tracking is required, we recommend using a conversion rule of a 1:1 conversion of Windows users to UNIX users, and vice versa.You could also configure a default user mapping for all users not covered by a name-mapping or conversion rule. - Now, expand the Storage menu option, then select “Storage VMs” from the list.
Go to the Setting tab and scroll down until you see the Host Users and Groups widget.
- In the Host Users and Groups widget, select “Name Mapping.”
- The following screenshot shows an example conversion mapping from a Windows user to a UNIX user:
- The SMB share is now set up. To return your working environment back to its standard view, go back to the BlueXP Canvas and find your working environment.
Click the “Switch to Standard View” button in the upper right corner of the environment.
Once you complete the configuration steps above, the share will be accessible from Windows Server through Windows Explorer using the SMB protocol. The same volume can be accessed from Linux servers using the NFS protocol by mounting it to a local folder using the Mount command.
Note that user mapping is one option for configuring authentication to allow users from Windows and Linux to access the volume. It can be used when the number of users who need access is limited. However, in use cases where a large number of users need access to the same share (e.g., file shares) it is recommended to use a Kerberos NFS configuration. You can find more details about Kerberos and NFS here.
Conclusion
NetApp has been providing enterprise data storage solutions with multiprotocol access for years: now that’s possible in the cloud and hybrid architectures with Cloud Volumes ONTAP. Cloud Volumes ONTAP provides an innovative solution for solving the issues of sharing files between disparate environments. It simplifies the process of sharing data across the organization.
