Hey all,
I've recently discovered that the static homedirs were disabled due to a bug with a public report: 780969 http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=780969
HOMEDIRs can be used in a couple of ways and static is one of them. A new feature in Windows 7 (SMB2.1) called File Lock Lease no longer allows the client to handle the static HOMEDIR correctly (especially so when using VDI or Terminal Services). Basically, if two users happen to have the same file name in their respective home directories, they could gain access to each other's file.
This concerns engineering (obviously a security issue) and there is no straightforward way to make Windows 7 behave correctly. It was decided to disable this feature in cDOT. More and more customers are turning to cDOT and engineering is being more aggressive towards this release.
Note however, the same vulnerability exists in 7-mode also. In 7-mode, though, the feature is not disabled and an EMS message is sent to let an admin disable the feature on their own.
If anyone would like to comment, please do. I will make sure any appropriate comments and concerns get back to engineering.
--tmac
*Tim McCarthy* *Principal Consultant* 443-228-TMAC (*Google Voice*) 214-279-3926 (*eFAX*)
On Fri, Feb 27, 2015 at 2:22 PM, Tomlinson, Thomas <Thomas.Tomlinson@supervalu.com> wrote:
I have not, although this shouldn't take a services engagement and doesn't address the root issue. This is functionality that existed up until 8.2.2, and continues if currently configured on such a host that is then upgraded to 8.2.3/8.3. It's on the same level of altered reality that the Cmode Snapdiff / IBM TSM support is currently hovering in.
Thomas Tomlinson
Thomas.tomlinson@supervalu.com
Desk: 208-685-8404
Cel: 208-991-3704
*From:* Ljungberg, Anders [mailto:Anders.Ljungberg@netapp.com]
*Sent:* Friday, February 27, 2015 11:44 AM
*To:* Tomlinson, Thomas; toasters@teaparty.net
*Subject:* Re: cluster mode 8.2.3 / 8.3 dynamic home directory change
Hi Thomas,
Have you explored the UTM (Unified Transition Methodology) with your NetApp or NetApp Partner team?
Many Thanks
*Anders Ljungberg* Sr. Director Enterprise Transformation and Operations & Advanced Consulting Services EMEA
*NetApp* +44(0)208 756 6785 Direct +44(0)7730437939 Mobile
+14084821148 US Mobile anders@netapp.com
*From:* Tomlinson, Thomas <Thomas.Tomlinson@supervalu.com>
*Date:* Friday, 27 February 2015 10:19
*To:* "toasters@teaparty.net" <toasters@teaparty.net>
*Subject:* cluster mode 8.2.3 / 8.3 dynamic home directory change
Hi Toasters,
I just stumbled upon a change in 8.2.3/8.3 with respect to the dynamic home shares and am curious to get other folks' views on it. Currently we make extensive use of the traditional static 7mode home directory share, cifs.homedir (\\filername\cifs.homedir). This is further referenced behind DFS as a single link name with multiple targets. It works great, allows for all users to have a static username defined in AD, allows migration of filers without massive user updates, DR, etc. So life is good, or as good as it can be managing Windows home directories.
We're now slowly starting to lifecycle 7mode clusters to cmode, which has had a few hiccups, but I expected that. Prior to 8.2.3, you can replicate 7mode home directory functionality perfectly, even making up whatever static name you want. Fast forward to just recently when I was configuring a small cluster at a remote location. 8.2.3, sure slap that on. Configure the dynamic home directories, sure, errr.... no. A seemingly innocent entry in the release notes for 8.2.3 states that static names are no longer acceptable. A previously configured static share is brought forward and continues to function but you can no longer create new ones. Any new dynamic home share has to have the username in it (%w or %u).
Needless to say this is a major change to our environment. Automation changes, massive AD updates (close to a nightmare with our IT organization) and a complete invalidation of our DFS namespace structure for home directories. Is anyone else similarly affected by this? I'm struggling to understand what twisted logic guided this coding decision.
Thomas Tomlinson
Thomas.tomlinson@supervalu.com
Desk: 208-685-8404
Cel: 208-991-3704
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters