Examples of export policy rules that restrict or allow access over SMB

The examples show how to create export policy rules that restrict or allow access over SMB on an SVM that has export policies for SMB access enabled.

Export policies for SMB access are disabled by default. You need to configure export policy rules that restrict or allow access over SMB only if you have enabled export policies for SMB access.

Export rule for SMB access only

The following command creates an export rule on the SVM named vs1 that has the following configuration:

cluster1::> vserver export-policy rule create -vserver vs1 -policyname cifs1 -ruleindex 1 -protocol cifs -clientmatch 192.168.1.0/255.255.255.0 -rorule krb5,ntlm -rwrule krb5

Export rule for SMB and NFS access

The following command creates an export rule on the SVM named vs1 that has the following configuration:

cluster1::> vserver export-policy rule create -vserver vs1 -policyname cifsnfs1 -ruleindex 2 -protocol cifs,nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule krb5,ntlm -anon 65534 -allow-suid true

Export rule for SMB access using NTLM only

The following command creates an export rule on the SVM named vs1 that has the following configuration:

Note: If you configure the read-only option or the read-write option for NTLM-only access, you must use IP address-based entries in the client match option. Otherwise, you receive access denied errors. This is because ONTAP uses Kerberos Service Principal Names (SPNs) when it checks a client's access rights by host name, and NTLM authentication does not support SPNs.

cluster1::> vserver export-policy rule create -vserver vs1 -policyname ntlm1 -ruleindex 1 -protocol cifs -clientmatch 0.0.0.0/0 -rorule ntlm -rwrule ntlm
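
The check below is an added example, not NetApp code: it parses rule-creation commands like the ones above and reports SMB rules that break the NTLM note (NTLM-only access with a client match that is not IP-based), plus rules whose client match covers every address. The function names, the `ntlm2` rule with `host1.example.com`, and the handling of comma-separated client match entries are assumptions made for illustration.

```python
import ipaddress
import shlex

def parse_rule(command):
    """Turn one 'vserver export-policy rule create' line into {option: value}."""
    tokens = shlex.split(command.split("::>", 1)[-1])  # drop the CLI prompt
    opts, i = {}, 0
    while i < len(tokens) - 1:
        if tokens[i].startswith("-"):
            opts[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts

def is_ip_entry(entry):
    """True for an address or address/mask; False for host names, domains, netgroups."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def audit(command):
    """Return findings for one rule, or [] if it does not apply to SMB."""
    o = parse_rule(command)
    if not {"cifs", "any"} & set(o.get("protocol", "any").split(",")):
        return []
    entries = o.get("clientmatch", "").split(",")
    findings = []
    for opt in ("rorule", "rwrule"):
        # The note: NTLM-only access needs IP address-based client match entries.
        if o.get(opt) == "ntlm" and not all(is_ip_entry(e) for e in entries):
            findings.append(f"-{opt} is NTLM-only but -clientmatch is not IP-based")
    if any(e in ("0.0.0.0/0", "::/0") for e in entries):
        findings.append("-clientmatch includes a match-all network")
    return findings

# Constructed input: the last line is a hypothetical rule; the others are from the page.
RULES = [
    "cluster1::> vserver export-policy rule create -vserver vs1 -policyname cifs1 -ruleindex 1 -protocol cifs -clientmatch 192.168.1.0/255.255.255.0 -rorule krb5,ntlm -rwrule krb5",
    "cluster1::> vserver export-policy rule create -vserver vs1 -policyname ntlm1 -ruleindex 1 -protocol cifs -clientmatch 0.0.0.0/0 -rorule ntlm -rwrule ntlm",
    "cluster1::> vserver export-policy rule create -vserver vs1 -policyname ntlm2 -ruleindex 1 -protocol cifs -clientmatch host1.example.com -rorule ntlm -rwrule ntlm",
]

if __name__ == "__main__":
    for rule in RULES:
        print(parse_rule(rule)["policyname"], audit(rule) or "ok")
```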