Installation manual

Configuring Front-End Services
Configuring CIFS
11-28 CLI Storage-Management Guide
bstnA6k(gbl)# cifs ac1.medarch.org
bstnA6k(gbl-cifs[ac1.medarch.org])# enable
bstnA6k(gbl-cifs[ac1.medarch.org])# domain-join MEDARCH.ORG
Username: acoadmin
Password: aapasswd
'ac1' successfully joined the domain.
bstnA6k(gbl-cifs[ac1.medarch.org])# ...
Support for Both NTLM and Kerberos
The domain-join operation does not preclude any clients from authenticating with
NTLM; the CIFS service can support both authentication protocols concurrently. You
can use this feature for a network transition from NTLM to Kerberos. (NTLM
authentication is configured in the namespace; recall “Identifying the NTLM
Authentication Server” on page 7-16.)
Each client negotiates the authentication protocol with the CIFS service when it
initiates a CIFS session. If both protocols are configured and functional, the CIFS
service indicates its preference for Kerberos but accepts NTLM from its clients. The
CIFS service uses the chosen protocol to authenticate the client, then uses the same
protocol to interact with all back-end filers. The switch does not translate between
NTLM and Kerberos.
For filer interaction that does not directly involve any clients, such as file migrations,
the ARX uses NTLM only.
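Added example (not part of the original guide or of the ARX software): during an NTLM-to-Kerberos transition it helps to know which clients still lead with NTLM when they negotiate. The sketch below classifies the first security blob of each SMB Session Setup request by the mechanism OID the client lists first. It assumes the blobs were already extracted from a packet capture; the function names, sample addresses, and sample blobs are constructed for illustration, and the OID-offset check is a heuristic rather than a full ASN.1 parser.

```python
# Added example: classify the first SMB Session Setup security blob per client.
SPNEGO  = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5    = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = [(KRB5, "kerberos"), (MS_KRB5, "kerberos"), (NTLMSSP, "ntlm")]

def classify(blob: bytes) -> str:
    """Return the mechanism the client leads with: kerberos, ntlm or unknown."""
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlm"                     # raw NTLMSSP, no SPNEGO wrapper
    if blob[:1] != b"\x60" or SPNEGO not in blob[:16]:
        return "unknown"                  # not a GSS-API/SPNEGO initial token
    # mechTypes precede mechToken, so the lowest offset is the preferred mech.
    hits = [(blob.find(oid), name) for oid, name in MECHS if oid in blob]
    return min(hits)[1] if hits else "unknown"

def ntlm_clients(sessions):
    """sessions: iterable of (client_ip, blob). Return IPs still leading with NTLM."""
    return sorted({ip for ip, blob in sessions if classify(blob) == "ntlm"})

# --- constructed sample input (short-form DER lengths only, bodies < 128 bytes) ---
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body

def sample_init(mechs, token: bytes) -> bytes:
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(mechs)))
    mech_token = _tlv(0xA2, _tlv(0x04, token))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_types + mech_token))
    return _tlv(0x60, SPNEGO + neg_init)

SESSIONS = [
    ("192.0.2.10", sample_init([MS_KRB5, KRB5, NTLMSSP], b"constructed-ap-req")),
    ("192.0.2.11", sample_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")),
    ("192.0.2.12", b"NTLMSSP\x00\x01\x00\x00\x00"),
    ("192.0.2.13", b"\x00\x01garbage"),
]

if __name__ == "__main__":
    for ip, blob in SESSIONS:
        print(ip, classify(blob))
    print("still on NTLM:", ntlm_clients(SESSIONS))
```

Only the initial token of a session is classified; later SPNEGO response tokens in the same exchange do not carry the 0x60 wrapper and return unknown.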
Using Dynamic DNS (Kerberos)
Every front-end CIFS service that uses Kerberos must be registered with the
network’s Domain Name Service (DNS), which maps IP addresses to FQDNs. In each
AD domain, one or more name servers take these DNS registrations; often, DNS runs
on the DC itself. You can manually update the local name server with the
hostname-to-IP mapping for the CIFS service, or you can configure the service to use
dynamic DNS. With dynamic DNS, the CIFS service automatically registers its
hostname-to-IP mapping, and updates it whenever a failover or configuration change
makes an update necessary.