Channel: Network and Storage Protocols topics

No nfs SPN generated


Hey netapper

I'm configuring NFSv4 on NetApp c-mode 9.1. There is an issue blocking me: no nfs SPN is generated on the c-mode server after running

vserver nfs kerberos interface*> modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator

 

qacl6::vserver nfs kerberos interface> show
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
qavs1          lif1          10.17.16.108    disabled -
qavs2          lif2          10.17.16.109    enabled  nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM
2 entries were displayed.

 

Only host/* SPNs are returned; I believe they are actually created when joining c-mode to the domain. I also tried to add nfs/qavs2-qacl6.qa.arkivio.com via ADSI Edit on the c-mode account and got an error saying the added SPN is not unique in the domain. Any idea how I can make the nfs/* SPN come up?

Thanks

 

C:\>setspn -L -C qavs2-qacl6
Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivi
o,DC=com:
        HOST/qavs2-qacl6.qa.arkivio.com
        HOST/QAVS2-QACL6

Windows/ Linux volume share


Hello, I have been asked to find out if we can share volume(s) created on NetApp with multiple Windows and/or Linux servers.

We have a bunch of physical servers running Windows and Linux OS. We would like to know if we can share the same volume (folders/data) between them.

The end goal is to have two volumes created on NetApp and share folders to a VM running on Windows OS.

 

Thanks,

AJ

 

Failover of CIFS - Issues with DFS


Perhaps those of you who use DFS can help.

 

I have a pretty typical setup with a cluster at my prod site and a cluster at my DR site, with snapmirror protecting my CIFS. My hardware is AFF8080s running CDOT 9.

 

I have a DNS A record for my production CIFS SVM: Let's call it

 

uscifsProd1.companyname.net

 

and a DNS A record for my DR SVM. Let's call it

 

uscifsDR1.companyname.net

 

I also have a CNAME record pointing to the production CIFS SVM:

 

usfs1.companyname.net >uscifsProd1.mathematica.net

 

I use this name in my DFS namespace, so a typical target looks like:

 

\\usfs1.companyname.net\Project1\NYC

 

During a failover, I will "float" the CNAME record over to my DR CIFS SVM:

 

usfs1.companyname.net >uscifsDR1.mathematica.net

 

 

 

I also change the Service Principal Names for the CIFS service:

 

Old:

 

setspn.exe -D HOST/usfs1.companyname.net USCIFSProd1

 

setspn.exe -D HOST/usfs1 USCIFSProd1

 

New:

 

setspn.exe -A HOST/usfs1.companyname.net USCIFSDR1

 

setspn.exe -A HOST/usfs1 USCIFSDR1

 

 

I then force a replication in AD. Once the DNS change propagates, clients should be able to access the CIFS shares at the DR site.

 

Key facts:

 

The CNAME record is updated and responds correctly to pings.

 

The workstation can access the share if I browse directly via

 

\\usfs1.companyname.net\Project1\NYC

or

 

\\uscifsDR1.companyname.net\Project1\NYC

However, when I browse to the network locations via the drive letter assigned to the namespace, i.e.

 

N:\Project1\NYC

 

or the UNC which uses the namespace, i.e.

 

\\companyname.net\NDrive\ProjectVol\Project1\NYC

 

I receive an error: The network path cannot be found.

 

A Wireshark trace reveals a Kerberos mismatch. So it's not a network issue; it's that Kerberos is failing.

 

I have tried using KLIST to purge every ticket I can think of, including those of the network service, and the local system account. I have also purged the DFS caches using DfsUtil. All to no avail.

 

I do know that the client gets its DFS info through the Workstation Service. And, restarting the Workstation service (or rebooting the client) clears the issue.

 

So, question one:

 

1) Is there a way to remedy the issue without rebooting the clients (~1500) or restarting the Workstation service?

 

2) If not, is there another/better way to engineer the failover? I am NOT willing to move my CIFS service to a Windows environment as many have suggested, for many reasons.

 

I've considered instead modifying the links in the namespace directly via a script but this would obviously not be preferred as I'd much rather change one CNAME record than 2000 DFS target links.

 

Thanks.
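
The SPN questions in the first post ("added SPN is not unique in domain") and in the failover post above both come down to which account owns which SPN. The check below is an added example, not part of the original posts: it parses `setspn -L` listings, including the 80-column wrapped header seen in the first post, and reports duplicate or misplaced SPNs. The two companyname.net listings and their container DN are constructed sample data.

```python
import re
from collections import defaultdict

HEADER = "Registered ServicePrincipalNames for "

# Output copied from the first post (note the DN wrapped by the console).
PAGE_SAMPLE = r"""C:\>setspn -L -C qavs2-qacl6
Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivi
o,DC=com:
        HOST/qavs2-qacl6.qa.arkivio.com
        HOST/QAVS2-QACL6
"""

# Constructed listings: state after a failover where one alias SPN was
# added to the DR account but never deleted from the production account.
PROD_AFTER = """Registered ServicePrincipalNames for CN=USCIFSPROD1,CN=Computers,DC=companyname,DC=net:
        HOST/uscifsProd1.companyname.net
        HOST/USCIFSPROD1
        HOST/usfs1
"""
DR_AFTER = """Registered ServicePrincipalNames for CN=USCIFSDR1,CN=Computers,DC=companyname,DC=net:
        HOST/uscifsDR1.companyname.net
        HOST/USCIFSDR1
        HOST/usfs1.companyname.net
        HOST/usfs1
"""


def parse_setspn_listing(text):
    """Return (account_dn, [spn, ...]) from one `setspn -L` output."""
    dn_parts, spns = [], []
    seen_header = in_header = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not seen_header:
            if not line.startswith(HEADER):
                continue                      # prompt or banner lines
            seen_header = in_header = True
            line = line[len(HEADER):]
        if in_header:
            # The DN may be wrapped over several lines; it ends with ':'.
            dn_parts.append(line.strip())
            if line.endswith(":"):
                in_header = False
            continue
        if line.strip():
            spns.append(line.strip())
    if not seen_header:
        raise ValueError("no 'Registered ServicePrincipalNames' header found")
    return "".join(dn_parts).rstrip(":"), spns


def account_name(dn):
    """Use the first CN of the DN as the account label."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return (m.group(1) if m else dn).upper()


def build_index(listings):
    """Map each SPN (lower-cased, SPNs compare case-insensitively) to its owners."""
    index = defaultdict(set)
    for text in listings:
        dn, spns = parse_setspn_listing(text)
        for spn in spns:
            index[spn.lower()].add(account_name(dn))
    return index


def duplicates(index):
    """SPNs registered on more than one account."""
    return {spn: sorted(a) for spn, a in index.items() if len(a) > 1}


def owner_status(index, spn, expected_account):
    """Classify one SPN as ok, missing, duplicate or wrong-owner."""
    owners = index.get(spn.lower(), set())
    expected = expected_account.upper()
    if not owners:
        return "missing"
    if owners == {expected}:
        return "ok"
    return "duplicate" if expected in owners else "wrong-owner"


if __name__ == "__main__":
    idx = build_index([PROD_AFTER, DR_AFTER])
    for spn, accts in duplicates(idx).items():
        print(f"DUPLICATE {spn}: {', '.join(accts)}")
    for spn in ("HOST/usfs1.companyname.net", "HOST/usfs1"):
        print(spn, "->", owner_status(idx, spn, "USCIFSDR1"))
```

A duplicate SPN makes Kerberos service ticket requests for that name fail, so running a check like this after each SPN change is cheaper than diagnosing the failure from a client trace.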

 

 

 

 

 

How to export an NFS share with these options - *(rw,sync,anonuid=1111,anongid=1111,all_squash)


I need to export an NFS share with these options - *(rw,sync,anonuid=1111,anongid=1111,all_squash) in a VNX. Please guide me. I am using ONTAP 8.3.2 Cluster.

People don't get all their groups while browsing a unix atree on windows


Hi

I have some people, but not all, who have a problem when browsing a directory in a UNIX volume from Windows.

The configuration is based on Active Directory.

When I run

 

diag secd authentication show-creds -win-name PC\gsamson -node cns_n03 -vserver cns_svm_01

 UNIX UID: gsamson <> Windows User: PC\gsamson (Windows Domain User)

 GID: g_gsamson
 Supplementary GIDs (partial):
  g_gsamson

 Windows Membership:
  PC\g_smb (Windows Domain group)
  PC\g_metabo (Windows Domain group)
  PC\g_wanda (Windows Domain group)
  PC\g_info (Windows Domain group)
  PC\g_lisdev (Windows Domain group)
  PC\g_vigne (Windows Domain group)
  PC\g_tara (Windows Domain group)
  PC\g_principal_cns (Windows Domain group)
  PC\g_extprj (Windows Domain group)
  PC\g_dosage (Windows Domain group)
  PC\g_sybase (Windows Domain group)
  PC\g_submit (Windows Domain group)
  PC\g_cloacadata (Windows Domain group)
  PC\g_cns (Windows Domain group)
  PC\g_atelier (Windows Domain group)
  PC\g_urza (Windows Domain group)
  PC\g_cnsnglapps (Windows Domain group)
  PC\g_gsamson (Windows Domain group)
  PC\g_lims_adm (Windows Domain group)
  PC\Utilisa. du domaine (Windows Domain group)
  BUILTIN\Users (Windows Alias)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x2080):
  SeChangeNotifyPrivilege

We can see that the user gsamson doesn't receive all her groups from the AD.

On a UNIX machine based on the AD we get all the groups:

 

uid=1202(gsamson) gid=1202(g_gsamson) groupes=1202(g_gsamson),502(g_cns),106(g_sybase),507(g_wanda),529(g_cloacadata),128(g_extprj),545(g_tara),127(g_vigne),501(g_info),522(g_metabo),544(g_smb),102(g_atelier),2665(g_principal_cns),1357(g_lims_adm),1477(g_urza),1970(g_cnsnglapps),539(g_submit),542(g_dosage),556(g_lisdev)

The strange thing is that the NetApp shows the following message:

 Supplementary GIDs (partial):

And that's true, the list is partial.

How can I get the full GID list?

 

 

Error disabling OPLOCKS Cifs shares


Hello, I have a FAS2240-4 NetApp Release 8.2P3 7-Mode

On my Qtrees OPLOCKS are enabled

I also have 2 Vfiler: default Vfiler0 (with no associated volumes) and MyVfiler1 with all volumes

 

I want to disable OPLOCKS for CIFS shares

When I try to disable OPLOCKS on a qtree I get an error: VFILER0 does not own "my volume"

 

How can I disable all OPLOCKS?

 

Thank you

Changing folder permissions falsely fails


Environment:

V6220 Cluster running Ontap 8.2.4P3 7-Mode

Using AD 2012

 

A new share is created and the share level permissions are set to Everyone Full Control. - Normal behavior

A windows admin maps the share and attempts to change the folder permissions to match what is requested.

The following happens:

They get an error message stating they do not have permission to change the permissions, they click cancel, and then cancel again for the permission denied pop ups.

The properties window closes

They reopen the properties window, select the security tab and the permissions they set have stayed in place even though they were told by pop ups that they had no permission to do so.

This also sometimes removes the "Everyone" setting.

 

Has anybody else seen this?  Is it unique to binding to a 2012 server?

.copy_offload of certain shares


Hi,

 

I have a NetApp CDOT 9.1 with 2 SVMs offering shares over SMB2, SMB3.0 and SMB3.1. Some shares show a folder called .copy_offload. Others don't. Where does it come from? What is the impact on all the shares of the vserver if I disable ODX? Can I disable ODX for 1 share of an SVM?

 

Regards,

Johan


Ontap 9.3: how to set " LM Compatibility Level" to krb only


Hi,

 

Our security guy wants to limit the LM Compatibility Level to krb only.

Now I tried that. This works fine if a user is already authenticated in the domain and has a Kerberos ticket.

But users with fresh logins (e.g. the VSCAN user in the DOMAIN\USER format) can no longer log in.

After I set it to ntlmv2-krb, it works again.

ONTAP does not accept users in the user@domain format.

 

Any hint?

 

 

Regards..

New TR Released: TR-4696-FPolicy Solution Guide for ONTAP - STEALTHbits File Activity Monitor


This document provides an understanding of the FPolicy framework and defines the steps to deploy a file access auditing solution using the data governance software STEALTHbits File Activity Monitor. The scope of the document includes the required deployment steps and best practices for the solution.

 


 

CIFS Share MacOS Finder Tags


Hi everyone,

I've created a CIFS share and enabled FPolicy.

Some of us have Macs and use the Finder tags. If I disable the FPolicy for the specific share, they are able to tag folders on their Macs. But if it's enabled, it's not working.
That's the tagging "feature": Mac Finder Tag

I've tried to find the problem by setting up a security trace filter, without success.

That's the output.

 

Share: *********
Path: /:AFP_AfpInfo
Win-User: *****\******
UNIX-User: root
Session-ID: 15035548830954498242
Node******* Security Style: NTFS and NT ACL
Access is allowed because the CIFS user is owner, explicit ACE grants requested access while opening existing file or directory. Access is granted for: "Read Control", "Read Attributes"

 

Any ideas?

Thanks!

Plug NetAPP DS4243 SAN


Hello to all

First of all, I apologize in advance for my English; I am French.

I have a question to ask you about the implementation of a DS4243.
I would like to know if I can connect it to my Dell server with a PERC H200e.

Thanks a lot

Emmanuel

Priority of /etc/exports entries - 7MODE


Hi All,

 

I would like to find out which entries in /etc/exports have higher priority when I set them at the vol and qtree level.

 

Let's say that we have an exports configured as follows:

 

/vol/volume1/qtree1       -sec=sys,rw=hp-hosts-all:10.22.11.10:0.22.12,root=10.22.11.02

/vol/volume1/qtree2       -sec=sys,rw=hp-hosts-all:10.22.11.11:0.22.12,root=10.22.11.02

 

and I have a request to add rw permissions for /vol/volume1, which would look like this:

 

 

/vol/volume1/qtree1       -sec=sys,rw=hp-hosts-all:10.22.11.10:0.22.12,root=10.22.11.02

/vol/volume1/qtree2       -sec=sys,rw=hp-hosts-all:10.22.11.11:0.22.12,root=10.22.11.02

/vol/volume1                    -sec=sys,rw=linux-hosts-all

 

Does it mean that only linux-hosts-all netgroup users will see volume1 and its qtrees exported?

I want to export the whole volume and am just wondering whether doing so would take away access rights to its qtrees.

 

Thank You in advance!

 

Windows 2012 R2 SMB intermittent disconnects


Recently, in our environment one of our application groups has described a situation where one of their application servers running Windows 2012 R2 randomly loses connectivity to a NetApp filer running CDOT 8.2.3. P3. The share they use becomes unavailable by name but remains accessible by IP address. The share is available by name and IP on other clients. This seems to be a localized issue on this server. The server in question is a VM, is running on ESXi 5.5 update 3b, and is using version 9 of the VMware hardware and tools.

 

I haven't heard of this problem from any other application teams or business unit. Again seems to be isolated to this server. As mentioned the server is Windows 2012 R2 and our domain controllers are all Windows 2012 and two are Windows 2012 R2. I've looked into the posts around SID Compression and the KDC but we are running a version of code on this NAS that has that particular bug 649280 patched. 

 

I've created a script that does several tests including netstats, pings and walking the file structure from a mapped drive and via UNC by calling a PowerShell command. The issue happens infrequently, about every 12-14 days, and seems to exist from within an application or when the UNC is accessed via Windows Explorer (however I've yet to see this). I'm wondering if anyone out there has seen this issue in their environment.

 

Thank you for your insights.

 

Regards,

McCranium

ONTAP 9 CIFS/SMB Windows File Path/Name Character Limit


What's the file path/name character limit on ONTAP 9 for Windows 8.x clients please?

 

Any reference docs available?

 

Cheers


CIFS/LDAPS


Hello

I have an A200 with ONTAP 9.3 and I need to add it to AD, which uses LDAPS. I have enabled the "Use start_tls for AD LDAP connection: true" option and we also imported the certificate. But the CIFS setup process fails.

 

Error: Machine account creation procedure failed

  [  7810] Loaded the preliminary configuration.
  [  7865] Successfully connected to ip 149.x.x.x, port 88
           using TCP
  [  8056] Successfully connected to ip 149.x.x.x, port 389
           using TCP
  [  8134] Unable to start TLS: Connect error
  [  8134] Additional info: error:14090086:lib(20):func(144):reason(1
           34)
  [  8134] Unable to connect to LDAP (Active Directory) service on
           dc01.ad.neco.com
**[  8134] FAILURE: Unable to make a connection (LDAP (Active
**         Directory):AD.NECO.COM), result: 7652

Error: command failed: Failed to create the Active Directory machine account "FILE99". Reason: LDAP Error: Cannot establish a connection to the server.

What could be wrong? The time is in sync.

 

Thank you

Jan

How do you scale NAS shares?


I'm encountering an issue where I currently work in that we have this "Common" SMB share and the default behavior is that Everyone has access to view the root of this share. Requests for shared storage are satisfied by creating a folder within this Common share and assigning NTFS permissions to grant access.

 

This process has been in place for years, very few new shares have been created, but there are over 1000 folders within the share now.

 

This seems to be unsustainable because the volume is now over 20TB in size, so we are lacking restore granularity and snapshot deltas for replication purposes are fairly large as we even have applications using that share. (For example, we recently had a large portion of this share go missing and due to this lack of granularity, we couldn't perform SnapRestore as it would have affected too many other people not impacted by the data loss and it ended up taking days to restore from snapshots using "previous versions")

 

One of the most obvious solutions to this sprawling share is to use junction paths and mount additional volumes within the namespace, but that introduces other issues, such as not being able to browse previous versions as seamlessly. This feels "dirty" to me and seems like it could potentially cause problems with backup & recovery or data governance tools we use in the future possibly not being able to traverse the junction paths properly. It also opens up the possibility of having different protection policies applied to volumes mounted within the same share and causing confusion in regard to what level of data protection a user actually has.

 

While I have more NetApp experience than most of my peers in my current position, a large portion of my experience is in SAN as opposed to NAS, so I haven't seen many large NAS environments and I'm wondering what people do to manage this.

 

What would you do in this case? Do I need to get over my "fear" of junction paths and just start using them? If this is what people do, do you "promote" a folder to a volume with a junction path at some point or is a folder always a folder? If a folder is always a folder, how do you plan for that? Users don't often understand the full extent of their needs and may initially ask for 100 GB of storage and end up needing 5TB as their data grows.

 

Widelink implementation - pointing CIFS share to Windows Share


I have a CIFS share on my FAS2040 that I want to migrate to a Windows Server. On the NetApp side the path is /vol/CIFS_VOL_Test./share. On the Windows side the UNC is \\server\test. I have created the /etc/symlink.translations file and placed the following entry in it:

 

widelink /vol/CIFS_VOL_Test/share/* \\server\test\*

 

I have widelink enabled on the volume containing the share. When I display CIFS Shares the cifs share in question displays the following:

 

... widelinks supported
... strict symlink security disabled

 

 

 

When I access the CIFS share on the NetApp it does not redirect. What steps, if any, am I missing?

 

Thank you for your assistance. 

Problem with configuring FAS270 with AD


Details: 

 

Model:   FAS270

Version: 7.3.7

Domain functional level: Windows server 2003

Forest functional level: Windows server 2003

 

DC2 is 2K12 R2

DC1 is 2K3 R2

 

 

I am not able to configure the FAS270 with Active Directory, please help.

Community rocks!!

 

 

-----------------------------------------------------

 

CIFS - Starting SMB protocol...
[FASNEW: cifs.homedir.badEntry:error]: CIFS: Bad entry /vol/vol0TESTDIR while processing home directory paths. Homedir path doesn't exist, discarding this entry.
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for FOREST.
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses using DNS site query (Default-First-Site-Name)..
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses using generic DNS query.
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 BDC addresses through WINS.
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 PDC addresses through WINS.
[FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for FOREST complete. 2 unique addresses found.
[FASNEW: cifs.auditfile.enable.on:info]: ALF: CIFS auditing started.
[FASNEW: nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
[FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC1: Connection terminated.
[FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC1: Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.
FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC2: Connection terminated.
[FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC2: Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.
Welcome to the FOREST.CORP (FOREST) Active Directory(R) domain.

 

----------------------------------------------------

 

FASNEW> cifs domaininfo
[FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for FOREST.CORP.
[FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 2 AD LDAP server addresses using DNS site query (Default-First-Site-Name).
[FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 2 AD LDAP server addresses using generic DNS query.
[FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for FOREST.CORP complete. 2 unique addresses found.


NetBios Domain: FOREST
Windows 2003 Domain Name: forest.corp
Type: Windows 2003
Filer AD Site: Default-First-Site-Name

Not currently connected to any DCs
Preferred Addresses:
None
Favored Addresses:
192.168.1.111 DC1 PDCBROKEN
192.168.1.112 DC2 PDCBROKEN
Other Addresses:
None

Connected AD LDAP Server: \\dc2.forest.corp
Preferred Addresses:
None
Favored Addresses:
192.168.1.112
dc2.forest.corp
192.168.1.111
dc1.forest.corp
Other Addresses:
None

 

 

-------------------------------------------

 

FASNEW> cifs testdc
Using Established configuration
Current Mode of NBT is H Mode

Netbios scope ""
Registered names...
FASNEW < 0> WINS
FASNEW < 3> WINS
FASNEW <20> WINS
FOREST < 0> WINS
ACSFAS < 0> WINS
ACSFAS < 3> WINS
ACSFAS <20> WINS


 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses using generic DNS query.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 BDC addresses through WINS.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 PDC addresses through WINS.

 

Testing all Primary Domain Controllers
found 2 unique addresses

found PDC DC2 at 192.168.1.112
found PDC DC1 at 192.168.1.111

Testing all Domain Controllers
found 2 unique addresses

found DC DC2 at 192.168.1.112
found DC DC1 at 192.168.1.111

 

 

--------------------------------------------------------

 

FASNEW> cifs resetdc
Disconnecting from domain FOREST...
Reconnecting to domain FOREST...

 


 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for FOREST.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses using DNS site query (Default-First-Site-Name)..
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses using generic DNS query.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 BDC addresses through WINS.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 PDC addresses through WINS.
 [FASNEW: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for FOREST complete. 2 unique addresses found.
 [FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC1: Connection terminated.
 [FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC1: Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.
 [FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC2: Connection terminated.
Reconnection failed!
 [FASNEW: cifs.server.infoMsg:info]: CIFS: Warning for server \\DC2: Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.
 [FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for FOREST.CORP.
 [FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 2 AD LDAP server addresses using DNS site query (Default-First-Site-Name).
 [FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 2 AD LDAP server addresses using generic DNS query.
 [FASNEW: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for FOREST.CORP complete. 2 unique addresses found.

 

 

---------------------------------------------

 

FASNEW> options
acp.domain 0
acp.enabled off
acp.netmask 0
acp.port
auditlog.enable on (value might be overwritten in takeover)
auditlog.max_file_size 10000000 (value might be overwritten in takeover)
auditlog.readonly_api.enable off (value might be overwritten in takeover)
autologout.console.enable on (value might be overwritten in takeover)
autologout.console.timeout 60 (value might be overwritten in takeover)
autologout.telnet.enable on (value might be overwritten in takeover)
autologout.telnet.timeout 60 (value might be overwritten in takeover)
autosupport.cifs.verbose off
autosupport.content complete
autosupport.doit CHASSIS POWER SUPPLY FAIL: PS 1
autosupport.enable on
autosupport.from your.name@your.domain.com
autosupport.local.nht_data.enable off
autosupport.local.performance_data.enable off
autosupport.mailhost 192.168.1.114
autosupport.minimal.subject.id hostname
autosupport.nht_data.enable on
autosupport.noteto
autosupport.partner.to
autosupport.performance_data.enable on
autosupport.retry.count 15 (value might be overwritten in takeover)
autosupport.retry.interval 4m (value might be overwritten in takeover)
autosupport.support.enable on
autosupport.support.proxy
autosupport.support.to autosupport@netapp.com
autosupport.support.transport https
autosupport.support.url support.netapp.com/asupprod/post/1.0/postAsup
autosupport.throttle on
autosupport.to your.name@your.domain.com
backup.log.enable on
bootfs.chkdsk_enabled off (value might be overwritten in takeover)
cdpd.enable off (value might be overwritten in takeover)
cdpd.holdtime 180 (value might be overwritten in takeover)
cdpd.interval 60 (value might be overwritten in takeover)
cf.giveback.auto.cifs.terminate.minutes 5
cf.giveback.auto.enable off
cf.giveback.auto.terminate.bigjobs on
cf.giveback.check.partner off
cf.hw_assist.enable off
cf.hw_assist.partner.address
cf.hw_assist.partner.port 0
cf.nodestatus.enable off (value might be overwritten in takeover)
cf.quickloop.enable false (same value required in local+partner)
cf.takeover.change_fsid on
cf.takeover.detection.seconds 20
cf.takeover.on_disk_shelf_miscompare off
cf.takeover.on_failure on
cf.takeover.on_network_interface_failure off
cf.takeover.on_network_interface_failure.policy all_nics (same value in local+partner recommended)
cf.takeover.on_panic off
cf.takeover.on_short_uptime on
cf.takeover.use_mcrc_file off (value might be overwritten in takeover)
cifs.LMCompatibilityLevel 1
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 524288
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /etc/log/adtlog.evt
cifs.bypass_traverse_checking on
cifs.client.dup-detection ip-address
cifs.comment
cifs.enable_share_browsing on
cifs.gpo.enable off
cifs.gpo.trace.enable off
cifs.grant_implicit_exe_perms off
cifs.guest_account
cifs.home_dir_namestyle domain
cifs.home_dirs_public_for_admin on
cifs.idle_timeout 1800
cifs.ipv6.enable off
cifs.max_mpx 50
cifs.ms_snapshot_mode xp
cifs.netbios_aliases ACSFAS
cifs.netbios_over_tcp.enable off
cifs.nfs_root_ignore_acl off
cifs.oplocks.enable off
cifs.oplocks.opendelta 0
cifs.per_client_stats.enable off
cifs.perfmon.allowed_users
cifs.perm_check_ro_del_ok off
cifs.perm_check_use_gid on
cifs.preserve_unix_security off
cifs.restrict_anonymous 0
cifs.restrict_anonymous.enable off
cifs.save_case on
cifs.scopeid
cifs.search_domains acs.co.il,forest.corp
cifs.show_dotfiles on
cifs.show_snapshot off
cifs.shutdown_msg_level 2
cifs.sidcache.enable on
cifs.sidcache.lifetime 1440
cifs.signing.enable on
cifs.smb2.client.enable off
cifs.smb2.durable_handle.enable on
cifs.smb2.durable_handle.timeout 16m
cifs.smb2.enable on
cifs.smb2.signing.required on
cifs.snapshot_file_folding.enable off
cifs.symlinks.cycleguard on
cifs.symlinks.enable on
cifs.trace_dc_connection on
cifs.trace_login on
cifs.universal_nested_groups.enable off
cifs.weekly_W2K_password_change off
cifs.widelink.ttl 10m
cifs.wins_servers 192.168.1.111
cksum_offload.gbeII off
console.encoding nfs
coredump.dump.attempts 2 (value might be overwritten in takeover)
disk.asup_on_mp_loss on (value might be overwritten in takeover)
disk.auto_assign on (value might be overwritten in takeover)
disk.maint_center.allowed_entries 1 (value might be overwritten in takeover)
disk.maint_center.enable on (value might be overwritten in takeover)
disk.maint_center.max_disks 84 (value might be overwritten in takeover)
disk.maint_center.rec_allowed_entries 5 (value might be overwritten in takeover)
disk.maint_center.spares_check on (value might be overwritten in takeover)
disk.powercycle.enable on (value might be overwritten in takeover)
disk.recovery_needed.count 5 (value might be overwritten in takeover)
dns.cache.enable on (value might be overwritten in takeover)
dns.domainname forest.corp (value might be overwritten in takeover)
dns.enable on (value might be overwritten in takeover)
dns.update.enable on (value might be overwritten in takeover)
dns.update.ttl 24h (value might be overwritten in takeover)
ems.autosuppress.enable on (value might be overwritten in takeover)
ems.autosuppress.exempt_events (value might be overwritten in takeover)
fcp.enable off
flexcache.access none
flexcache.deleg.high_water 90
flexcache.deleg.low_water 50
flexcache.enable off
flexcache.per_client_stats on
flexscale.enable off (same value in local+partner recommended)
flexscale.lopri_blocks off (same value in local+partner recommended)
flexscale.normal_data_blocks on (same value in local+partner recommended)
flexscale.pcs_high_res off (same value in local+partner recommended)
flexscale.pcs_size 0GB (same value in local+partner recommended)
fpolicy.enable on
fpolicy.i2p_ems_interval 60
fpolicy.multiple_pipes on
ftpd.3way.enable off
ftpd.anonymous.enable off
ftpd.anonymous.home_dir
ftpd.anonymous.name anonymous
ftpd.auth_style mixed
ftpd.bypass_traverse_checking off
ftpd.dir.override
ftpd.dir.restriction off
ftpd.enable off
ftpd.explicit.allow_secure_data_conn on
ftpd.explicit.enable off
ftpd.idle_timeout 900s (value might be overwritten in takeover)
ftpd.implicit.enable off
ftpd.ipv6.enable off
ftpd.locking none
ftpd.log.enable on
ftpd.log.filesize 512k
ftpd.log.nfiles 6
ftpd.max_connections 400 (value might be overwritten in takeover)
ftpd.max_connections_threshold 75% (value might be overwritten in takeover)
ftpd.tcp_window_size 32768
httpd.access legacy
httpd.admin.access legacy
httpd.admin.enable on
httpd.admin.hostsequiv.enable off
httpd.admin.max_connections 512
httpd.admin.ssl.enable on
httpd.admin.top-page.authentication on
httpd.autoindex.enable on
httpd.bypass_traverse_checking off
httpd.enable off
httpd.ipv6.enable off
httpd.log.format common (value might be overwritten in takeover)
httpd.method.trace.enable off
httpd.rootdir XXX
httpd.timeout 300 (value might be overwritten in takeover)
httpd.timewait.enable off (value might be overwritten in takeover)
ic.carnegie.enable on (value might be overwritten in takeover)
interface.blocked.cifs
interface.blocked.ftpd
interface.blocked.iscsi
interface.blocked.mgmt_data_traffic off (value might be overwritten in takeover)
interface.blocked.ndmp
interface.blocked.nfs
interface.blocked.snapmirror
ip.fastpath.enable on (value might be overwritten in takeover)
ip.icmp_ignore_redirect.enable off (value might be overwritten in takeover)
ip.ipsec.enable off
ip.match_any_ifaddr on (value might be overwritten in takeover)
ip.path_mtu_discovery.enable on (value might be overwritten in takeover)
ip.ping_throttle.alarm_interval 0 (value might be overwritten in takeover)
ip.ping_throttle.drop_level 10 (value might be overwritten in takeover)
ip.tcp.newreno.enable on (value might be overwritten in takeover)
ip.tcp.sack.enable on (value might be overwritten in takeover)
ip.v6.enable off (value might be overwritten in takeover)
ip.v6.ra_enable on (value might be overwritten in takeover)
iscsi.enable on
iscsi.isns.rev 18
iscsi.max_connections_per_session use_system_default
iscsi.max_error_recovery_level use_system_default
kerberos.file_keytab.enable off
kerberos.file_keytab.principal
kerberos.file_keytab.realm
kerberos.replay_cache.enable off
ldap.ADdomain
ldap.base
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable off
ldap.minimum_bind_level anonymous
ldap.name
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd ******
ldap.port 389
ldap.servers
ldap.servers.preferred 192.168.1.112
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.base
ldap.usermap.enable off
locking.grace_lease_seconds 45 (value might be overwritten in takeover)
lun.clone_restore on (value might be overwritten in takeover)
lun.partner_unreachable.linux.asc 0x4 (value might be overwritten in takeover)
lun.partner_unreachable.linux.ascq 0x1 (value might be overwritten in takeover)
lun.partner_unreachable.linux.behavior error (value might be overwritten in takeover)
lun.partner_unreachable.linux.hold_time 5 (value might be overwritten in takeover)
lun.partner_unreachable.linux.scsi_status 0x2 (value might be overwritten in takeover)
lun.partner_unreachable.linux.skey 0x2 (value might be overwritten in takeover)
lun.partner_unreachable.vmware.behavior error (value might be overwritten in takeover)
lun.partner_unreachable.vmware.hold_time 1 (value might be overwritten in takeover)
lun.partner_unreachable.vmware.scsi_status 0x8 (value might be overwritten in takeover)
lun.partner_unreachable.xen.asc 0x4 (value might be overwritten in takeover)
lun.partner_unreachable.xen.ascq 0x1 (value might be overwritten in takeover)
lun.partner_unreachable.xen.behavior error (value might be overwritten in takeover)
lun.partner_unreachable.xen.hold_time 5 (value might be overwritten in takeover)
lun.partner_unreachable.xen.scsi_status 0x2 (value might be overwritten in takeover)
lun.partner_unreachable.xen.skey 0x2 (value might be overwritten in takeover)
lun.use_partner.cc.bytes 512000 (value might be overwritten in takeover)
lun.use_partner.cc.enable on (value might be overwritten in takeover)
lun.use_partner.cc.warn_limit 10 (value might be overwritten in takeover)
ndmpd.access all
ndmpd.authtype challenge
ndmpd.connectlog.enabled off
ndmpd.data_port_range all
ndmpd.enable on
ndmpd.ignore_ctime.enabled off
ndmpd.offset_map.enable on
ndmpd.password_length 16
ndmpd.preferred_interface disable (value might be overwritten in takeover)
ndmpd.tcpnodelay.enable off
nfs.acache.persistence.enabled on (value might be overwritten in takeover)
nfs.always.deny.truncate on (value might be overwritten in takeover)
nfs.assist.queue.limit 40 (value might be overwritten in takeover)
nfs.export.allow_provisional_access on (value might be overwritten in takeover)
nfs.export.auto-update on (value might be overwritten in takeover)
nfs.export.exportfs_comment_on_delete on (value might be overwritten in takeover)
nfs.export.harvest.timeout 1800 (value might be overwritten in takeover)
nfs.export.neg.timeout 3600 (value might be overwritten in takeover)
nfs.export.pos.timeout 36000 (value might be overwritten in takeover)
nfs.export.resolve.timeout 30 (value might be overwritten in takeover)
nfs.hide_snapshot off
nfs.ifc.rcv.high 98910
nfs.ifc.rcv.low 33170
nfs.ifc.xmt.high 16
nfs.ifc.xmt.low 8
nfs.ipv6.enable off
nfs.kerberos.enable off
nfs.locking.check_domain on (value might be overwritten in takeover)
nfs.max_num_aux_groups 32
nfs.mount_rootonly on
nfs.mountd.trace off
nfs.netgroup.strict off
nfs.notify.carryover on
nfs.ntacl_display_permissive_perms off (value might be overwritten in takeover)
nfs.per_client_stats.enable off
nfs.require_valid_mapped_uid off
nfs.response.trace off (value might be overwritten in takeover)
nfs.response.trigger 60 (value might be overwritten in takeover)
nfs.rpcsec.ctx.high 0
nfs.rpcsec.ctx.idle 360
nfs.tcp.enable on
nfs.thin_prov.ejuke off (value might be overwritten in takeover)
nfs.udp.enable on
nfs.udp.xfersize 32768 (value might be overwritten in takeover)
nfs.v2.df_2gb_lim off (value might be overwritten in takeover)
nfs.v2.enable on (value might be overwritten in takeover)
nfs.v3.enable on (value might be overwritten in takeover)
nfs.v4.acl.enable off (value might be overwritten in takeover)
nfs.v4.enable off (value might be overwritten in takeover)
nfs.v4.id.domain acs.co.il
nfs.v4.read_delegation off (value might be overwritten in takeover)
nfs.v4.write_delegation off (value might be overwritten in takeover)
nfs.webnfs.enable off
nfs.webnfs.rootdir XXX
nfs.webnfs.rootdir.set off
nis.domainname
nis.enable off
nis.group_update.enable off
nis.group_update_schedule 24
nis.netgroup.domain_search.enable on
nis.netgroup.legacy_nisdomain_search.enable on
nis.servers *
nis.slave.enable off
nlm.cleanup.timeout 100
nlm.trace off
pcnfsd.enable off (value might be overwritten in takeover)
pcnfsd.umask 22
ra.path_switch.threshold 100 (value might be overwritten in takeover)
raid.background_disk_fw_update.enable on (value might be overwritten in takeover)
raid.disk.copy.auto.enable on (value might be overwritten in takeover)
raid.disktype.enable off (value might be overwritten in takeover)
raid.max_fill_holes.size 0 (value might be overwritten in takeover)
raid.media_scrub.enable on (value might be overwritten in takeover)
raid.media_scrub.rate 600 (value might be overwritten in takeover)
raid.media_scrub.spares.enable on (value might be overwritten in takeover)
raid.min_spare_count 1 (value might be overwritten in takeover)
raid.mirror_read_plex_pref local (value might be overwritten in takeover)
raid.reconstruct.perf_impact medium (value might be overwritten in takeover)
raid.reconstruct.wafliron.enable on (value might be overwritten in takeover)
raid.resync.perf_impact medium (value might be overwritten in takeover)
raid.rpm.ata.enable off (value might be overwritten in takeover)
raid.rpm.fcal.enable on (value might be overwritten in takeover)
raid.scrub.duration 360
raid.scrub.enable on
raid.scrub.perf_impact low (value might be overwritten in takeover)
raid.scrub.schedule
raid.timeout 24 (value might be overwritten in takeover)
raid.verify.perf_impact low (value might be overwritten in takeover)
replication.logical.reserved_transfers 0 (value might be overwritten in takeover)
replication.logical.transfer_limits current (value might be overwritten in takeover)
replication.throttle.enable off
replication.throttle.incoming.max_kbs unlimited
replication.throttle.outgoing.max_kbs unlimited
replication.volume.reserved_transfers 0 (value might be overwritten in takeover)
replication.volume.transfer_limits current (value might be overwritten in takeover)
replication.volume.use_auto_resync off (value might be overwritten in takeover)
rmc.setup off (value might be overwritten in takeover)
rpc.mountd.tcp.port 4046
rpc.mountd.udp.port 4046
rpc.nlm.tcp.port 4045
rpc.nlm.udp.port 4045
rpc.nsm.tcp.port 4047
rpc.nsm.udp.port 4047
rpc.pcnfsd.tcp.port 4048
rpc.pcnfsd.udp.port 4048
rpc.rquotad.udp.port 4049
rquotad.enable on (value might be overwritten in takeover)
rsh.access legacy
rsh.enable on
security.admin.authentication internal
security.admin.nsswitchgroup
security.passwd.firstlogin.enable off
security.passwd.lockout.numtries 4294967295
security.passwd.rootaccess.enable on
security.passwd.rules.enable on
security.passwd.rules.everyone off
security.passwd.rules.history 0
security.passwd.rules.maximum 256
security.passwd.rules.minimum 8
security.passwd.rules.minimum.alphabetic 2
security.passwd.rules.minimum.digit 1
security.passwd.rules.minimum.symbol 0
sftp.auth_style mixed
sftp.bypass_traverse_checking off
sftp.dir_override
sftp.dir_restriction off
sftp.enable off
sftp.idle_timeout 900s (value might be overwritten in takeover)
sftp.locking none
sftp.log_enable on
sftp.log_filesize 512k
sftp.log_nfiles 6
sftp.max_connections 15 (value might be overwritten in takeover)
sftp.max_connections_threshold 75% (value might be overwritten in takeover)
sftp.override_client_permissions off
shelf.atfcx.auto.reset.enable auto (value might be overwritten in takeover)
shelf.esh4.auto.reset.enable auto (value might be overwritten in takeover)
shelf.fw.ndu.enable on (value might be overwritten in takeover)
sis.max_vfiler_active_ops 8 (value might be overwritten in takeover)
sis.min_share_blks 1 (value might be overwritten in takeover)
snaplock.autocommit_period none (value might be overwritten in takeover)
snaplock.compliance.write_verify off (value might be overwritten in takeover)
snaplock.log.default_retention 6m (value might be overwritten in takeover)
snaplock.log.maximum_size 10m (value might be overwritten in takeover)
snapmirror.access legacy
snapmirror.checkip.enable off
snapmirror.delayed_acks.enable on
snapmirror.enable on
snapmirror.log.enable on
snapmirror.readahead 0 (value might be overwritten in takeover)
snapmirror.readahead_freq 0 (value might be overwritten in takeover)
snapmirror.vbn_log_enable off (value might be overwritten in takeover)
snapvalidator.version 9
snapvault.access none
snapvault.enable off
snapvault.lockvault_log_volume
snapvault.nbu.archival_snap_default on
snapvault.ossv.compression off
snapvault.preservesnap off
snapvault.snapshot_for_dr_backup vsm_base_only
snmp.access legacy
snmp.enable on
ssh.access *
ssh.enable on
ssh.idle.timeout 600
ssh.passwd_auth.enable on
ssh.port 22
ssh.pubkey_auth.enable on
ssh1.enable off
ssh2.enable on
ssl.enable on
ssl.enable on
ssl.v2.enable on (same value required in local+partner)
ssl.v3.enable on (same value required in local+partner)
sslp.enable off
stats.archive.enable off
tape.reservations off (value might be overwritten in takeover)
telnet.access legacy (same value required in local+partner)
telnet.distinct.enable off (same value required in local+partner)
telnet.enable on (same value required in local+partner)
tftpd.enable off
tftpd.logging off
tftpd.max_connections 8 (value might be overwritten in takeover)
tftpd.rootdir /etc/tftpboot
timed.enable on (same value in local+partner recommended)
timed.log on (same value in local+partner recommended)
timed.max_skew 30m (same value in local+partner recommended)
timed.min_skew 0 (same value in local+partner recommended)
timed.proto ntp (same value in local+partner recommended)
timed.sched hourly (same value in local+partner recommended)
timed.servers 192.168.1.112 (same value in local+partner recommended)
timed.window 0s (same value in local+partner recommended)
tls.enable on (same value required in local+partner)
trusted.hosts * (same value required in local+partner)
vfiler.vol_clone_zapi_allow off
vif.failover.link_degraded off (value might be overwritten in takeover)
vol.copy.throttle 10 (value might be overwritten in takeover)
vol.snaprestore.nondisruptive off
wafl.default_nt_user
wafl.default_qtree_mode 0777
wafl.default_security_style ntfs
wafl.default_unix_user pcuser
wafl.group_cp off (same value required in local+partner)
wafl.inconsistent.asup_frequency.blks 10 (value might be overwritten in takeover)
wafl.inconsistent.asup_frequency.time 24h (value might be overwritten in takeover)
wafl.inconsistent.buf_limit 10
wafl.inconsistent.buf_not_fixable_limit 50
wafl.inconsistent.ems_suppress off (value might be overwritten in takeover)
wafl.inconsistent.ino_limit 5
wafl.inconsistent.snap_limit 5
wafl.maxdirsize 10470 (value might be overwritten in takeover)
wafl.nt_admin_priv_map_to_root off
wafl.root_only_chown on (value might be overwritten in takeover)
wafl.wcc_minutes_valid 20
webdav.enable off

 

----------------------------------------------

 

Wish you all the best, thanks

 

 

 

 

 

 
