Hey all, 

I've recently discovered that the static homedirs were disabled due to a bug with a public report: 780969

HOMEDIRs can be used in a couple of ways and static is one of them.  A new feature in Windows 7 (SMB2.1) called File Lock Lease no longer allows the client to handle the static HOMEDIR correctly (especially so when using VDI or Terminal Services). Basically, if two users happen to have the same file name in their respective home directories, they could gain access to each other’s file.

This concerns engineering (obviously a security issue) and there is no straightforward way to make Windows 7 behave correctly.
It was decided to disable this feature in cDOT. More and more customers are turning to cDOT and engineering is being more aggressive towards this release.

Note however, the same vulnerability exists in 7-mode also. In 7-mode, though, the feature is not disabled and an EMS message is sent to let an admin disable the feature on their own.

If anyone would like to comment, please do. I will make sure any appropriate comments and concerns get back to engineering.


--tmac

Tim McCarthy
Principal Consultant
443-228-TMAC (Google Voice)
214-279-3926 (eFAX)

          



On Fri, Feb 27, 2015 at 2:22 PM, Tomlinson, Thomas <Thomas.Tomlinson@supervalu.com> wrote:

I have not, although this shouldn’t take a services engagement and doesn’t address the root issue.  This is functionality that existed up until 8.2.2, and continues if currently configured on such a host that is then upgraded to 8.2.3/8.3.  It’s on the same level of altered reality that the Cmode Snapdiff / IBM TSM support is currently hovering in.

 

 

From: Ljungberg, Anders [mailto:Anders.Ljungberg@netapp.com]
Sent: Friday, February 27, 2015 11:44 AM
To: Tomlinson, Thomas; toasters@teaparty.net
Subject: Re: cluster mode 8.2.3 / 8.3 dynamic home directory change

 

Hi Thomas,

 

Have you explored the UTM (Unified Transition Methodology) with your NetApp or NetApp Partner team?

 

Many Thanks

Anders Ljungberg
Sr. Director Enterprise Transformation and Operations  & Advanced Consulting Services EMEA

NetApp
+44(0)208 756 6785 Direct
+44(0)7730437939 Mobile

+14084821148 US Mobile
anders@netapp.com


From: "Tomlinson, Thomas" <Thomas.Tomlinson@supervalu.com>
Date: Friday, 27 February 2015 10:19
To: "toasters@teaparty.net" <toasters@teaparty.net>
Subject: cluster mode 8.2.3 / 8.3 dynamic home directory change

 

Hi Toasters,

 

I just stumbled upon a change in 8.2.3/8.3 with respect to the dynamic home shares and am curious to get other folks' views on it.  Currently we make extensive use of the traditional static 7mode home directory share, cifs.homedir (\\filername\cifs.homedir).  This is further referenced behind DFS as a single link name with multiple targets.  It works great, allows for all users to have a static username defined in AD, allows migration of filers without massive user updates, DR, etc.  So life is good, or as good as it can be managing Windows home directories.

 

We’re now slowly starting to lifecycle 7mode clusters to cmode, which has had a few hiccups, but I expected that.  Prior to 8.2.3, you can replicate 7mode home directory functionality perfectly, even making up whatever static name you want.  Fast forward to just recently when I was configuring a small cluster at a remote location.  8.2.3, sure slap that on.  Configure the dynamic home directories, sure, errr… no.  A seemingly innocent entry in the release notes for 8.2.3 states that static names are no longer acceptable.  A previously configured static share is brought forward and continues to function but you can no longer create new ones.  Any new dynamic home share has to have the username in it (%w or %u).

 

Needless to say this is a major change to our environment.  Automation changes, massive AD updates (close to a nightmare with our IT organization) and a complete invalidation of our DFS namespace structure for home directories.  Is anyone else similarly affected by this?  I’m struggling to understand what twisted logic guided this coding decision.

 

 

 

Thomas Tomlinson

Thomas.tomlinson@supervalu.com

Desk: 208-685-8404

Cell: 208-991-3704

 

