Network Shares

From OSNEXUS Online Documentation Site
Revision as of 09:22, 2 May 2019 by Qadmin



Network Share (NAS) Management

QuantaStor Network Shares provide NAS access to storage pools via the NFSv3, NFSv4, SMB2, and SMB3 protocols. Before a Network Share can be provisioned, a Storage Pool must be created from which Network Shares may be provisioned. With QuantaStor's storage grid technology one can provision Network Shares from any pool on any system in the grid regardless of where it is located. QuantaStor also has Network Share Namespaces, which span systems and make it easy to categorize Network Shares into folders called namespaces. QuantaStor Network Shares support a broad spectrum of features including quotas, user & group quotas, compression, encryption (inherited from the pool), remote-replication, snapshots, cloning, snapshots of snapshots, Avid integration, and more. Each Network Share resides within a specific Storage Pool, and storage pools can move between systems (much like a VM can move between hypervisor hosts) if configured in high-availability mode. Storage Pools may be used to provision and serve NAS storage (Network Shares) and SAN storage (Storage Volumes) at the same time.

Creating and Modifying Network Shares

Create a Network Share either by selecting Create from the "Network Share" toolbar or by right-clicking on a share in either the left or center pane and choosing Create Share...

To create a Network Share right-click on a Storage Pool and select Create Share... or select the "Network Shares" section in the left pane and then choose Create from the toolbar. One can also right-click on a share and select Create Share... from the pop-up menu. Network Shares can be concurrently accessed via both NFS and CIFS protocols. After providing a name and optional description for the share and selecting the Storage Pool in which the Network Share will be created, there are a few other options you can set, including protocol access types and a share-level quota. After a Network Share has been created/provisioned it may be modified via the "Modify Network Share" dialog from the "Network Shares" toolbar, or by right-clicking on a Network Share and selecting Modify Share & SMB Access...


Quota Management

Each Network Share may be configured with a quota to limit how much storage users can place in the share. Quotas are adjustable from both the "Create Network Share" and "Modify Network Share" dialogs. Quotas are important in shared environments with heavy storage users or when charge-back accounting necessitates setting quotas. A Network Share with no quota assigned may use all the available free space in the Storage Pool in which it resides. To enable hard quota capacity limits on a share select [x] Enable Quota and then move the slider bar or enter a specified quota amount. When typing in a specific quota capacity the suffixes TB, GB, and MB are all allowed.

Enable CIFS/SMB Access

Select this check-box to enable CIFS access to the network share. When you first select to enable CIFS access the default is to make the share public with read/write access. To adjust this so that you can assign access to specific users or to turn on special features you can adjust the CIFS settings further by pressing the CIFS/SMB Advanced Settings button.

Enable Public NFS Access

By default public NFS access is enabled; un-check this option to turn off NFS access to this share. Later you can add NFS access rules by right-clicking on the share and choosing 'Add NFS Client Access..'.

Controlling SMB/CIFS User & Group Access


User and group access via the SMB/CIFS protocol is adjustable from the User tab in both the Network Share Create and the Network Share Modify dialogs. After selecting the User tab one is presented with a group of tabs which categorize storage grid users and groups separately from Active Directory Users and Groups. Unless a given share is configured as public each user that needs access to the share must be explicitly assigned as a Valid User or Admin User for the share. To assign groups of users access to a given share use the Groups and/or AD Groups section to assign access at the group level. Admin Users are given special rights to adjust the Windows ACLs associated with a given share so that they may manage access control to the share from the Windows side and within the Windows MMC. Storage grid users which were added via the Users & Groups tab within QuantaStor may also be assigned access to shares. These users and groups have Unix UIDs and GIDs which are auto-generated but they may also be changed via the create and modify dialogs for users and groups respectively.

Ownership Settings

Separate from controlling specific SMB/CIFS access are the Ownership Settings, which set the POSIX UID (user ID) and GID (group ID) ownership for a given network share. This setting is important for both SMB and NFS access. The owner of the share is allowed to change the ownership of files and subdirectories of the share and to assign SMB ACLs to the share to delegate management to other users and groups from within Windows. Note that the Windows ACL settings need to work together with the User Access Mode settings discussed above. For example, if an AD user Mary is given access via adjustment of Windows ACLs from an administrator accessing a given share via the Windows MMC, the Mary user account also needs access via an AD User or AD Group setting on the share of Valid User which grants her access.

Permissions Settings

The permission settings are the permissions assigned to the share. The User column applies to the owner of the share whereas the Group and Other columns refer to group members and non-group user access to the share. In most cases the User column should be set such that the Owner of the share has access to read/write/execute.

Adjusting Default File Permissions Mask Settings

When new files and directories are created within a given network share, they'll inherit the file and directory permissions mask settings indicated here.


Advanced Configuration Options

There are several advanced configuration options available to be adjusted for Network Shares including compression, sync policy, record size (similar to block size), extended attributes, and special features like Avid Media Composer(tm) integration.


Data Compression

Network Shares and Storage Volumes inherit the compression mode and type from whatever is set for the Storage Pool from which they are provisioned unless explicitly adjusted. Compression levels may be adjusted specifically for any given Network Share to meet the needs of the data contained within the share. For network shares that contain files which are heavily compressible you might increase the compression level to gzip (gzip6) but note that it'll use more CPU power for higher compression levels. For network shares that contain data that is already compressed, you may opt to turn compression 'off'. Note, this feature is specific to ZFS based Storage Pools.

Cache Sync Policy

The Sync Policy indicates the strategy that the pool uses to optimize writes to a given network share. Standard mode is the default and uses a combination of synchronous and asynchronous write modes to ensure consistency while optimizing write performance. If I/O write requests have been tagged as SYNC_IO then all IO is first sent to the file-system intent log (ZIL) and then staged out to disk, otherwise the data can be written directly to disk without first staging to the intent log. In the "Always" mode the data is always sent to the file-system intent log first irrespective of whether the client has specified a given write request as SYNC. The Always mode is generally a bit slower but technically safer if the client is not properly tagging the IO. Databases and virtualization platforms generally mark all write I/O as SYNC. An SSD based write log will greatly accelerate storage pool performance for all workloads and systems using the SYNC write mode. With an SSD write log in place IOs are combined into transaction groups which greatly improves overall IOPS performance. The Sync Policy for each Network Share is inherited from the Storage Pool from which the share is provisioned but may be adjusted on a per-share basis using the Modify Network Share dialog.

Advanced CIFS Options

When creating or modifying a Network Share there are a number of advanced options which can be set to tune the share to work better in a Windows or OS/X environment including options for extended attributes, and for hiding unreadable and/or unwriteable files.

Hide Unreadable & Hide Unwriteable

To only show users those folders and files to which they have access you can set these options so that things that they do not have read and/or write access to are hidden.

Avid(tm) Integration / Unityed Media VFS Support

Unityed Media is a special Samba VFS module that's integrated into QuantaStor to provide Avid Media Composer(tm) users with capabilities typically only available on Avid Nexus hardware. To enable the special share features for Avid media sharing simply check the box indicating [x] Enable Avid Integration. With Avid integration enabled SMB users each get a separate Avid meta-data MXF folder which enables them to concurrently work on the same Avid project folders at the same time.

Disable Snapshot Browsing

Snapshots can be used to recover data and by default your snapshots are visible under a special ShareName_snaps folder. If you don't want users to see these snapshot folders you can disable snapshot browsing. Note that you can still access the snapshots for easy file recovery via the Previous Snapshots section of the Properties page for the share in Windows.

MMC Share Management

QuantaStor network shares can be managed directly from the MMC console Share Management section from Windows Server. This is often useful in heterogeneous environments where a combination of multiple different filers from multiple different vendors is being used. To turn on this capability for your network share simply select this option. It is also possible to set this capability globally for a system by customizing the underlying configuration file for SMB which is outlined here.

Extended Attributes

Extended attributes are a filesystem feature where extra metadata can be associated with files. This is useful for enabling security controls (ACLs) for DOS and OS/X. Extended attributes can also be used by a variety of other applications so if you need this capability simply enable it by checking the box(es) for DOS, OS/X and/or for plain Extended Attribute support.

SMB/CIFS Configuration Options

There are a number of custom options that can be set to adjust the SMB/CIFS access to your network share for different use cases. The 'Public' option makes the network share public so that all users can access it. The 'Writable' option makes the share writable as opposed to read-only and the 'Browseable' option makes it so that you can see the share when you browse for it from your Windows server or desktop.

To modify a Network Share either select "Modify" from the Network Share toolbar or right-click on a share in either the left or center pane and choose "Modify Share & SMB Access..."
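The 'Public', 'Writable' and 'Browseable' choices above, together with the Valid User assignments, decide who can reach a share. The following Python audit is an added example, not OSNEXUS code: it assumes the share settings are available as standard Samba smb.conf share sections, and the share names and group in the sample are constructed.

```python
import configparser

# Constructed smb.conf share sections; share names and groups are illustrative.
SAMPLE_SMB_CONF = """\
[scratch]
guest ok = yes
writable = yes
browseable = yes

[finance]
guest ok = no
writable = yes
browseable = no
valid users = @finance-team

[archive]
public = yes
read only = yes
"""

TRUE = {"yes", "true", "1"}

def flag(section, names, default):
    """Read a Samba boolean, honouring synonyms; the first name present wins."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE
    return default

def audit_shares(text):
    """Map each share name to the access issues found in its section."""
    conf = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    conf.read_string(text)
    report = {}
    for name in conf.sections():
        if name.lower() == "global":
            continue
        s = conf[name]
        guest = flag(s, ("guest ok", "public"), False)
        # "read only" defaults to yes; "writable" is its inverted synonym.
        if "read only" in s:
            writable = not flag(s, ("read only",), True)
        else:
            writable = flag(s, ("writable", "writeable", "write ok"), False)
        issues = []
        if guest:
            issues.append("public-writable" if writable else "public-readonly")
        elif not s.get("valid users", "").strip():
            issues.append("any-authenticated-user")  # empty list admits every user
        if guest and flag(s, ("browseable", "browsable"), True):
            issues.append("public-browseable")
        report[name] = issues
    return report
```

A share reported as public-writable matches the default that applies when CIFS access is first enabled, so it is the first thing to review on newly created shares.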

NFS Access Management

QuantaStor supports NFS access via NFSv3 and NFSv4 at the same time. To use one mode versus another simply change the NFS mount options at the client side to use one's preferred protocol. NFS access may be managed via Kerberos but in general NFS access is managed by allowing or disallowing access to specific IP addresses and/or networks. In QuantaStor these NFS access entries are called Network Share Client Access entries and sometimes NFS Client Access entries. NFS access entries appear in the tree view as child objects of the Network Share and can be modified/edited to apply special options or deleted by using the right-click pop-up menu when the share or Client Access entry is selected.

Configuring NFS Services

To configure Network Services either select "Configure NFS" from the Network Share Services of the Network Share Services toolbar or right click on a network share in either the center or left panes and select "Configure NFS Services...".

The default NFS mode is to support both NFSv3 and NFSv4 but the service may be configured via the NFS Services Configuration dialog to force the system into NFSv4 mode. To access this dialog navigate to the "Network Shares" tab, then select "Configure NFS" from the ribbon bar or via "Configure NFS Services..." in the pop-up menu.

Controlling NFS Access

NFS share access is filtered by IP address. This can be done by right-clicking on a network share and selecting "Add NFS Access...". By default the share is set to have [public] access. This dialog allows one to enable access to a specific IP address, a range of IP addresses, or to specific networks.

To add NFS client access select "Add NFS Access..." from the right click menu on a network share in either the center or left panes.

NFS Client Access Settings & Custom Options

Share access will often require special options like no_root_squash, and these are all adjustable from within the "Modify NFS Client Access" dialog and in the Advanced Settings section of the Add NFS Client Access dialog. To access the Modify NFS Client Access... dialog simply expand the Network Share in the tree view, then right-click on an access entry and select "Modify NFS Client Access..". Various NFS client access options are presented including "Read Only", "Insecure", etc. You can also add custom options such as "no_root_squash" in the space provided below.
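Because shares start with [public] NFS access and options such as no_root_squash and Insecure can be added per client, it is worth reviewing the resulting access entries together. The following Python audit is an added example, not OSNEXUS code: it assumes the client access entries are available in the standard Linux exports(5) line format, and the paths and addresses in the sample are constructed.

```python
import ipaddress

# Constructed sample in Linux exports(5) syntax; paths and clients are illustrative.
SAMPLE_EXPORTS = """\
/export/projects  *(rw,sync,no_root_squash)
/export/media     10.0.8.0/24(rw,sync) 10.0.9.15(ro)
/export/scratch   0.0.0.0/0(rw,insecure)
/export/backups   192.168.50.20(rw,no_root_squash)
"""

def is_public(client):
    """True when the client spec matches every host (the [public] case)."""
    if client in ("", "*"):
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, netgroup or partial wildcard such as *.lab.example

def audit_exports(text):
    """Return (path, client, severity, issues) for every risky client entry."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or a path with no client list
        path, entries = fields[0], fields[1:]
        for entry in entries:
            client, _, optstr = entry.partition("(")
            opts = {o for o in optstr.rstrip(")").split(",") if o}
            public = is_public(client)
            issues = []
            if public:
                issues.append("public")
            if "no_root_squash" in opts:
                issues.append("no_root_squash")  # client root stays root on the share
            if "insecure" in opts:
                issues.append("insecure")  # accepts requests from unprivileged source ports
            if not issues:
                continue
            exposed = "rw" in opts or "no_root_squash" in opts
            severity = "high" if public and exposed else "medium"
            findings.append((path, client or "*", severity, issues))
    return findings

if __name__ == "__main__":
    for path, client, severity, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {path} {client}: {', '.join(issues)}")
```

Entries limited to a specific address or network with default options produce no finding; a public entry that is writable or keeps root privileges is rated high.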

SMB3 Support

QuantaStor comes with Samba 4 installed which supports SMB3 and SMB2.1. Note that older v4 versions of QuantaStor require an extra upgrade step to upgrade from Samba v3 to Samba v4. An OSNEXUS Knowledge Base article details how to install samba4 here on older QS v3 systems.

Active Directory Configuration

QuantaStor systems can be joined to an AD domain so that SMB/CIFS access can be applied to specific AD users and AD groups. Note that each QuantaStor system can only be joined to a single AD domain and that each system must be individually joined to an AD domain.

Joining an AD Domain

To join a domain first navigate to the "Network Shares" main tab section. Next select "Configure CIFS" from the toolbar, or right-click in the "Network Shares" section and select "Configure CIFS Services..." from the pop-up menu. Check the box to enable Active Directory, and provide the necessary information. KDC is most likely your domain controller's FQDN (DC.DOMAIN.COM).
Note: Your storage system name must be <= 15 characters long.
If there are any problems joining the domain please verify that you can ping the IP address of the domain controller, and that you are also able to ping the domain itself.

To configure an Active Directory either select "Configure Active Directory" from the Network Share Services of the Network Share Services toolbar or right click on a network share in either the center or left panes and select "Configure Active Directory...".

Once a given QuantaStor system has been joined to an AD domain, verify that it has been added by logging into the AD Domain Controller and then check under the Computer entry tab for the system.


Active Directory User & Group Name/ID Caching

QuantaStor caches AD user names and their associated Unix user ID and group ID (UID/GID) information to accelerate user and group searching from within the web UI. If one has recently added users or groups to an Active Directory configuration then the user or group name should be explicitly specified when searching since the QuantaStor service cache may be stale. User and group specific lookups do not rely on the cache so they will return a result even if the cache is out of date.

Active Directory Caching for Large Enterprise Deployments

For large Active Directory environments (10K-100K+ users and groups) it can take a long time for QuantaStor to gather information from AD to populate QuantaStor's internal cache. If it takes too long the scan will timeout and the AD information list presented to the user in the web user interface will be empty. To account for the slow interaction with some AD servers in large environments QuantaStor has some advanced options for pre-caching information for large Active Directory environments which is documented and outlined in this section.

Leaving an Active Directory Domain

To leave a domain first navigate to the Network Shares section and press the Active Directory Configuration button in the toolbar, or right-click in the "Network Shares" space and select "Active Directory Configuration" from the pop-up menu. Uncheck the checkbox to disable Active Directory integration and press OK. To remove the Computer entry from the AD domain controller one must specify the Domain Administrator username and password. After pressing OK the selected QuantaStor system will leave the domain.

Verifying Users Have CIFS/SMB Passwords

Older QuantaStor v2 & v3 systems were designed such that user accounts could not be implicitly used for SMB access, just management access. If a given user has the CIFS Ready property set to Password Change Required then the password for that user must be changed before the user account can be used to access SMB/CIFS shares. To do this simply select the user from the User & Groups section then select "Set Password" to change it via the change password dialog. Administrator users may change the password without having to supply the old password. After the password has been changed the property will update and will now show up as SMB/CIFS Ready.