Skip to main content

Setting up file access using SMB

You must complete a number of steps to allow clients to access files using SMB on the CIFS-enabled storage virtual machine (SVM).

  • Configuring security styles
    You configure security styles on FlexVol volumes and qtrees to determine the type of permissions ONTAP uses to control access and what client type can modify these permissions.
  • Creating and managing data volumes in NAS namespaces
    To manage file access in a NAS environment, you must manage data volumes and junction points on your storage virtual machine (SVM). This includes planning your namespace architecture, creating volumes with or without junction points, mounting or unmounting volumes, and displaying information about data volumes and NFS server or CIFS server namespaces.
  • Configuring name mappings
    ONTAP uses name mapping to map CIFS identities to Linux identities, Kerberos identities to Linux identities, and Linux identities to CIFS identities. It needs this information to obtain user credentials and provide proper file access regardless of whether they are connecting from an NFS client or a CIFS client.
  • Configuring multidomain name-mapping searches
    You can configure storage virtual machines (SVMs) to perform multidomain name-mapping searches. This enables ONTAP to search every bidirectional trusted domain to find a match when performing Linux user to Windows user name mapping.
  • Creating and configuring SMB shares
    Before users and applications can access data on the CIFS server over SMB, you must create and configure SMB shares, which is a named access point in a volume. You can customize shares by specifying share parameters and share properties. You can modify an existing share at any time.
  • Securing file access by using SMB share ACLs
    You can secure access to files and folders over a network by configuring share access control lists (ACLs) on SMB shares. Share-level ACLs are used in combination with file-level permissions and, optionally, export policies to determine effective access rights.
  • Securing file access by using file permissions
    You can secure access by configuring file permissions on files and folders contained within the share through which SMB clients access data. File-level permissions are used in combination with share-level ACLs and, optionally, export policies to determine effective access rights. Files and folders might be secured with NTFS permissions or Linux permissions.
  • Securing file access by using Dynamic Access Control (DAC)
    You can secure access by using Dynamic Access Control and by creating central access policies in Active Directory and applying them to files and folders on SVMs through applied Group Policy Objects (GPOs). You can configure auditing to use central access policy staging events to see the effects of changes to central access policies before you apply them.
  • Securing SMB access using export policies
    You can optionally use export policies to restrict SMB access to files and folders on SVM volumes. You can use export policies in combination with share-level and file-level permissions to determine effective access rights.
  • Securing file access by using Storage-Level Access Guard
    In addition to securing access by using native file-level and export and share security, you can configure Storage-Level Access Guard, a third layer of security applied by ONTAP at the volume level. Storage-Level Access Guard applies to access from all NAS protocols to the storage object to which it is applied.