Skip to main content

Create a CIFS server

Contributors

POST /protocols/cifs/services

Introduced In: 9.6

Creates a CIFS server. Each SVM can have one CIFS server.

Important notes

  • The CIFS server name might or might not be the same as the SVM name.

  • The CIFS server name can contain up to 15 characters.

  • The CIFS server name does not support the following characters: @ # * ( ) = + [ ] \| ; : " , < > / ?

Required properties when creating CIFS server with Windows Active Directory domain

  • svm.uuid or svm.name - Existing SVM in which to create the CIFS server.

  • name - Name of the CIFS server.

  • ad_domain.fqdn - Fully qualified domain name of the Windows Active Directory to which this CIFS server belongs.

  • ad_domain.user - User account with the access to add the CIFS server to the Active Directory.

  • ad_domain.password - Account password used to add this CIFS server to the Active Directory.

Required properties when creating CIFS server in Workgroup mode

  • svm.uuid or svm.name - Existing SVM in which to create the CIFS server.

  • name - Name of the CIFS server.

  • workgroup - Name of the workgroup to which this CIFS server belongs.

Required properties when using AKV for authentication (ANF platform)

  • svm.uuid or svm.name - Existing SVM in which to create the CIFS server.

  • name - Name of the CIFS server.

  • ad_domain.user - User account with the access to add the CIFS server to the Active Directory.

  • ad_domain.fqdn - Fully qualified domain name of the Windows Active Directory to which this CIFS server belongs.

  • client_id - Application client ID of the deployed Azure application with appropriate access to an AKV.

  • tenant_id - Directory (tenant) ID of the deployed Azure application with appropriate access to an AKV.

  • key_vault_uri - URI of the deployed AKV that is used by ONTAP for storing keys.

  • authentication_method - Authentication method used by the application to prove its identity to AKV. It can be either "client_secret" or "certificate".

  • client_secret - Secret used by the application to prove its identity to AKV.

  • client_certificate - Base64 encoded PKCS12 certificate used by the application to prove its identity to AKV.

  • comment - Add a text comment of up to 256 characters about the CIFS server.

  • netbios.aliases - Add a comma-delimited list of one or more NetBIOS aliases for the CIFS server.

  • netbios.wins_servers - Add a list of Windows Internet Name Server (WINS) addresses that manage and map the NetBIOS name of the CIFS server to their network IP addresses. The IP addresses must be IPv4 addresses.

Default property values

If not specified in POST, the following default property values are assigned:

  • ad_domain.organizational_unit - CN=Computers

  • enabled - true

  • restrict_anonymous - no_enumeration

  • smb_signing - false

  • smb_encryption - false

  • encrypt_dc_connection - false

  • kdc_encryption - false

  • default_unix_user - pcuser

  • netbios_enabled - false However, if either "netbios.wins-server" or "netbios.aliases" is set during POST and if netbios_enabled is not specified then netbios_enabled is set to true.

  • aes_netlogon_enabled - false

  • try_ldap_channel_binding - true

  • ldap_referral_enabled - false

  • vserver cifs server create

  • vserver cifs server options modify

  • vserver cifs security modify

  • vserver cifs server add-netbios-aliases

Parameters

Name Type In Required Description

force

boolean

query

False

If this is set and a machine account with the same name as specified in 'cifs-server name' exists in the Active Directory, existing machine account will be overwritten and reused.

  • Introduced in: 9.11

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1

  • Max value: 120

  • Min value: 0

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

Request Body

Name Type Description

_links

_links

ad_domain

ad_domain

auth-style

string

Authentication type.

authentication_method

string

Specifies the authentication method. The available values are:

  • client_secret

  • certificate

client_certificate

string

PKCS12 certificate used by the application to prove its identity to AKV.

client_id

string

Application client ID of the deployed Azure application with appropriate access to an AKV.

client_secret

string

Secret used by the application to prove its identity to AKV.

comment

string

A descriptive text comment for the CIFS server. SMB clients can see the CIFS server comment when browsing servers on the network. If there is a space in the comment, you must enclose the entire string in quotation marks.

default_unix_user

string

Specifies the UNIX user to which any authenticated CIFS user is mapped to, if the normal user mapping rules fails.

enabled

boolean

Specifies if the CIFS service is administratively enabled.

group_policy_object_enabled

boolean

If set to true, group policies will be applied to the SVM.

key_vault_uri

string

URI of the deployed AKV that is used by ONTAP for storing keys.

metric

metric

Performance numbers, such as IOPS latency and throughput, for SVM protocols.

name

string

The name of the CIFS server.

netbios

cifs_netbios

oauth_host

string

Open authorization server host name.

options

cifs_service_options

proxy_host

string

Proxy host.

proxy_password

string

Proxy password. Password is not audited.

proxy_port

integer

Proxy port.

proxy_type

string

Proxy type.

proxy_username

string

Proxy username.

security

cifs_service_security

statistics

statistics

These are raw performance numbers, such as IOPS latency and throughput for SVM protocols. These numbers are aggregated across all nodes in the cluster and increase with the uptime of the cluster.

svm

svm

SVM, applies only to SVM-scoped objects.

tenant_id

string

Directory (tenant) ID of the deployed Azure application with appropriate access to an AKV.

timeout

integer

AKV connection timeout, in seconds. The allowed range is between 0 to 30 seconds.

verify_host

boolean

Verify the identity of the AKV host name. By default, verify_host is set to true.

workgroup

string

The workgroup name.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "ad_domain": {
    "default_site": "string",
    "fqdn": "example.com",
    "organizational_unit": "string",
    "password": "string",
    "user": "string"
  },
  "auth-style": "domain",
  "authentication_method": "string",
  "client_certificate": "PEM Cert",
  "client_id": "e959d1b5-5a63-4284-9268-851e30e3eceb",
  "client_secret": "<id_value>",
  "comment": "This CIFS Server Belongs to CS Department",
  "default_unix_user": "string",
  "key_vault_uri": "https://kmip-akv-keyvault.vault.azure.net/",
  "metric": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "duration": "PT15S",
    "iops": {
      "read": 200,
      "total": 1000,
      "write": 100
    },
    "latency": {
      "read": 200,
      "total": 1000,
      "write": 100
    },
    "status": "ok",
    "throughput": {
      "read": 200,
      "total": 1000,
      "write": 100
    },
    "timestamp": "2017-01-25 06:20:13 -0500"
  },
  "name": "CIFS1",
  "netbios": {
    "aliases": [
      "ALIAS_1",
      "ALIAS_2",
      "ALIAS_3"
    ],
    "wins_servers": [
      "10.224.65.20",
      "10.224.65.21"
    ]
  },
  "oauth_host": "login.microsoftonline.com",
  "options": {
    "null_user_windows_name": "string",
    "smb_credits": 128,
    "widelink_reparse_versions": [
      "smb1"
    ]
  },
  "proxy_host": "proxy.eng.com",
  "proxy_password": "proxypassword",
  "proxy_port": 1234,
  "proxy_type": "string",
  "proxy_username": "proxyuser",
  "security": {
    "advertised_kdc_encryptions": [
      "string"
    ],
    "lm_compatibility_level": "string",
    "restrict_anonymous": "string",
    "session_security": "string"
  },
  "statistics": {
    "iops_raw": {
      "read": 200,
      "total": 1000,
      "write": 100
    },
    "latency_raw": {
      "read": 200,
      "total": 1000,
      "write": 100
    },
    "status": "ok",
    "throughput_raw": {
      "read": 200,
      "total": 1000,
      "write": 100
    },
    "timestamp": "2017-01-25 06:20:13 -0500"
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "tenant_id": "c9f32fcb-4ab7-40fe-af1b-1850d46cfbbe",
  "timeout": 25,
  "workgroup": "workgrp1"
}

Response

Status: 202, Accepted
Name Type Description

job

job_link

Example response
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Response

Status: 201, Created

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

3735751

Failed to authenticate and retrieve the access token from the Azure OAuth host.

3735752

Failed to extract the private key from the Azure Key Vault certificate.

3735753

Unsupported content_type in the Azure secrets response.

3735754

Failed to parse the JSON response from Azure Key Vault.

3735755

REST API call to Azure failed.

3735756

Invalid client certificate.

3735757

Failed to generate client assertion.

3735762

The provided Azure Key Vault configuration is incorrect.

3735763

The provided Azure Key Vault configuration is incomplete.

3735764

Request to Azure failed. Reason - Azure error code and Azure error message.

655388

STARTTLS and LDAPS cannot be used together.

655524

CIFS server creation failed.

655538

CIFS server creation failed because a server with the same name already exists.

655562

NetBIOS name is longer than 15 characters.

655563

NetBIOS name contains characters that are not allowed.

655771

The number of NetBIOS aliases cannot exceed the maximum supported number of '200'.

655914

Failed to create the Active Directory machine account.

655923

Retrieving credentials from AKV is not supported because the effective cluster version is not ONTAP 9.15.0 or later.

656464

Failed to create the Active Directory machine account. Reason: Invalid Credentials.

656465

Failed to create the Active Directory machine account. Reason: Account with same name already exists.

656466

Failed to create the Active Directory machine account. Reason: Domain Controller is not reachable or does not exist.

656467

Failed to create the Active Directory machine account. Reason: Organizational-Unit not found.

656473

Fields security.kdc_encryption and security.advertised_kdc_encryptions are mutually exclusive. Specify only one of the two.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

ad_domain

Name Type Description

default_site

string

The default site used by LIFs that do not have a site membership.

fqdn

string

The fully qualified domain name of the Windows Active Directory to which this CIFS server belongs. A CIFS server appears as a member of Windows server object in the Active Directory store. POST and PATCH only.

organizational_unit

string

Specifies the organizational unit within the Active Directory domain to associate with the CIFS server. POST and PATCH only.

password

string

The account password used to add this CIFS server to the Active Directory. This is not audited.

user

string

The user account used to add this CIFS server to the Active Directory.

iops

The rate of I/O operations observed at the storage object.

Name Type Description

other

integer

Performance metric for other I/O operations. Other I/O operations can be metadata operations, such as directory lookups and so on.

read

integer

Performance metric for read I/O operations.

total

integer

Performance metric aggregated over all types of I/O operations.

write

integer

Peformance metric for write I/O operations.

latency

The round trip latency in microseconds observed at the storage object.

Name Type Description

other

integer

Performance metric for other I/O operations. Other I/O operations can be metadata operations, such as directory lookups and so on.

read

integer

Performance metric for read I/O operations.

total

integer

Performance metric aggregated over all types of I/O operations.

write

integer

Peformance metric for write I/O operations.

throughput

The rate of throughput bytes per second observed at the storage object.

Name Type Description

read

integer

Performance metric for read I/O operations.

total

integer

Performance metric aggregated over all types of I/O operations.

write

integer

Peformance metric for write I/O operations.

metric

Performance numbers, such as IOPS latency and throughput, for SVM protocols.

Name Type Description

_links

_links

duration

string

The duration over which this sample is calculated. The time durations are represented in the ISO-8601 standard format. Samples can be calculated over the following durations:

iops

iops

The rate of I/O operations observed at the storage object.

latency

latency

The round trip latency in microseconds observed at the storage object.

status

string

Any errors associated with the sample. For example, if the aggregation of data over multiple nodes fails then any of the partial errors might be returned, "ok" on success, or "error" on any internal uncategorized failure. Whenever a sample collection is missed but done at a later time, it is back filled to the previous 15 second timestamp and tagged with "backfilled_data". "Inconsistent_ delta_time" is encountered when the time between two collections is not the same for all nodes. Therefore, the aggregated value might be over or under inflated. "Negative_delta" is returned when an expected monotonically increasing value has decreased in value. "Inconsistent_old_data" is returned when one or more nodes do not have the latest data.

throughput

throughput

The rate of throughput bytes per second observed at the storage object.

timestamp

string

The timestamp of the performance data.

cifs_netbios

Name Type Description

aliases

array[string]

enabled

boolean

Specifies whether NetBios name service (NBNS) is enabled for the CIFS. If this service is enabled, the CIFS server will start sending the broadcast for name registration.

wins_servers

array[string]

cifs_service_options

Name Type Description

admin_to_root_mapping

boolean

Specifies whether or not Administrator can be mapped to the UNIX user "root".

advanced_sparse_file

boolean

Specifies whether or not the CIFS server supports the advanced sparse file capabilities. This allows CIFS clients to query the allocated ranges of a file and to write zeroes or free data blocks for ranges of a file.

backup_symlink_enabled

boolean

Specifies whether or not to preserve UNIX symlinks during backup through SMB.

copy_offload

boolean

Specifies whether or not to enable the Copy Offload feature. This feature enables direct data transfers within or between compatible storage devices without transferring the data through the host computer.

Note that this will also enable/disable the direct copy feature accordingly.

export_policy_enabled

boolean

Specifies whether or not export policies are enabled for CIFS.

fake_open

boolean

Specifies whether or not fake open support is enabled. This parameter allows you to optimize the open and close requests coming from SMB 2 clients.

fsctl_trim

boolean

Specifies whether or not the trim requests (FSCTL_FILE_LEVEL_TRIM) are supported on the CIFS server.

junction_reparse

boolean

Specifies whether or not the reparse point support is enabled. When enabled the CIFS server exposes junction points to Windows clients as reparse points. This parameter is only active if the client has negotiated use of the SMB 2 or SMB 3 protocol. This parameter is not supported for SVMs with Infinite Volume.

large_mtu

boolean

Specifies whether or not SMB clients can send reads up to 1 MB in size.

multichannel

boolean

Specifies whether or not the CIFS server supports Multichannel.

null_user_windows_name

string

Specifies a Windows User or Group name that should be mapped in case of a NULL user value.

path_component_cache

boolean

Specifies whether or not the path component cache is enabled on the CIFS server.

referral

boolean

Specifies whether or not to refer clients to more optimal LIFs. When enabled, it automatically refers clients to a data LIF local to the node which hosts the root of the requested share.

shadowcopy

boolean

Specifies whether or not to enable the Shadowcopy Feature. This feature enables to take share-based backup copies of data that is in a data-consistent state at a specific point in time where the data is accessed over SMB 3.0 shares.

shadowcopy_dir_depth

integer

Specifies the maximum level of subdirectories on which ONTAP should create shadow copies.

  • Default value: 1

  • Introduced in: 9.11

  • x-nullable: true

smb_credits

integer

Specifies the maximum number of outstanding requests on a CIFS connection.

widelink_reparse_versions

array[string]

Specifies the CIFS protocol versions for which the widelink is reported as reparse point.

cifs_service_security

Name Type Description

advertised_kdc_encryptions

array[string]

aes_netlogon_enabled

boolean

Specifies whether or not an AES session key is enabled for the Netlogon channel.

encrypt_dc_connection

boolean

Specifies whether encryption is required for domain controller connections.

kdc_encryption

boolean

Important This attribute has been deprecated. Use "security.advertised_kdc_encryptions" to specify the encryption type to use. Specifies whether AES-128 and AES-256 encryption is enabled for all Kerberos-based communication with the Active Directory KDC. To take advantage of the strongest security with Kerberos-based communication, AES-256 and AES-128 encryption can be enabled on the CIFS server. Kerberos-related communication for CIFS is used during CIFS server creation on the SVM, as well as during the SMB session setup phase. The CIFS server supports the following encryption types for Kerberos communication:
  • RC4-HMAC

  • DES

  • AES When the CIFS server is created, the domain controller creates a computer machine account in Active Directory. After a newly created machine account authenticates, the KDC and the CIFS server negotiates encryption types. At this time, the KDC becomes aware of the encryption capabilities of the particular machine account and uses those capabilities in subsequent communication with the CIFS server. In addition to negotiating encryption types during CIFS server creation, the encryption types are renegotiated when a machine account password is reset.

ldap_referral_enabled

boolean

Specifies whether or not LDAP referral chasing is enabled for AD LDAP connections.

lm_compatibility_level

string

It is CIFS server minimum security level, also known as the LMCompatibilityLevel. The minimum security level is the minimum level of the security tokens that the CIFS server accepts from SMB clients. The available values are:

  • lm_ntlm_ntlmv2_krb Accepts LM, NTLM, NTLMv2 and Kerberos

  • ntlm_ntlmv2_krb Accepts NTLM, NTLMv2 and Kerberos

  • ntlmv2_krb Accepts NTLMv2 and Kerberos

  • krb Accepts Kerberos only

restrict_anonymous

string

Specifies what level of access an anonymous user is granted. An anonymous user (also known as a "null user") can list or enumerate certain types of system information from Windows hosts on the network, including user names and details, account policies, and share names. Access for the anonymous user can be controlled by specifying one of three access restriction settings. The available values are:

  • no_restriction - No access restriction for an anonymous user.

  • no_enumeration - Enumeration is restricted for an anonymous user.

  • no_access - All access is restricted for an anonymous user.

session_security

string

Specifies client session security for AD LDAP connections. The available values are:

  • none - No Signing or Sealing.

  • sign - Sign LDAP traffic.

  • seal - Seal and Sign LDAP traffic

smb_encryption

boolean

Specifies whether encryption is required for incoming CIFS traffic.

smb_signing

boolean

Specifies whether signing is required for incoming CIFS traffic. SMB signing helps to ensure that network traffic between the CIFS server and the client is not compromised.

try_ldap_channel_binding

boolean

Specifies whether or not channel binding is attempted in the case of TLS/LDAPS.

use_ldaps

boolean

Specifies whether or not to use use LDAPS for secure Active Directory LDAP connections by using the TLS/SSL protocols.

use_start_tls

boolean

Specifies whether or not to use SSL/TLS for allowing secure LDAP communication with Active Directory LDAP servers.

iops_raw

The number of I/O operations observed at the storage object. This should be used along with delta time to calculate the rate of I/O operations per unit of time.

Name Type Description

other

integer

Performance metric for other I/O operations. Other I/O operations can be metadata operations, such as directory lookups and so on.

read

integer

Performance metric for read I/O operations.

total

integer

Performance metric aggregated over all types of I/O operations.

write

integer

Peformance metric for write I/O operations.

latency_raw

The raw latency in microseconds observed at the storage object. This should be divided by the raw IOPS value to calculate the average latency per I/O operation.

Name Type Description

other

integer

Performance metric for other I/O operations. Other I/O operations can be metadata operations, such as directory lookups and so on.

read

integer

Performance metric for read I/O operations.

total

integer

Performance metric aggregated over all types of I/O operations.

write

integer

Peformance metric for write I/O operations.

throughput_raw

Throughput bytes observed at the storage object. This should be used along with delta time to calculate the rate of throughput bytes per unit of time.

Name Type Description

read

integer

Performance metric for read I/O operations.

total

integer

Performance metric aggregated over all types of I/O operations.

write

integer

Peformance metric for write I/O operations.

statistics

These are raw performance numbers, such as IOPS latency and throughput for SVM protocols. These numbers are aggregated across all nodes in the cluster and increase with the uptime of the cluster.

Name Type Description

iops_raw

iops_raw

The number of I/O operations observed at the storage object. This should be used along with delta time to calculate the rate of I/O operations per unit of time.

latency_raw

latency_raw

The raw latency in microseconds observed at the storage object. This should be divided by the raw IOPS value to calculate the average latency per I/O operation.

status

string

Any errors associated with the sample. For example, if the aggregation of data over multiple nodes fails then any of the partial errors might be returned, "ok" on success, or "error" on any internal uncategorized failure. Whenever a sample collection is missed but done at a later time, it is back filled to the previous 15 second timestamp and tagged with "backfilled_data". "Inconsistent_delta_time" is encountered when the time between two collections is not the same for all nodes. Therefore, the aggregated value might be over or under inflated. "Negative_delta" is returned when an expected monotonically increasing value has decreased in value. "Inconsistent_old_data" is returned when one or more nodes do not have the latest data.

throughput_raw

throughput_raw

Throughput bytes observed at the storage object. This should be used along with delta time to calculate the rate of throughput bytes per unit of time.

timestamp

string

The timestamp of the performance data.

svm

SVM, applies only to SVM-scoped objects.

Name Type Description

_links

_links

name

string

The name of the SVM. This field cannot be specified in a PATCH method.

uuid

string

The unique identifier of the SVM. This field cannot be specified in a PATCH method.

cifs_service

Name Type Description

_links

_links

ad_domain

ad_domain

auth-style

string

Authentication type.

authentication_method

string

Specifies the authentication method. The available values are:

  • client_secret

  • certificate

client_certificate

string

PKCS12 certificate used by the application to prove its identity to AKV.

client_id

string

Application client ID of the deployed Azure application with appropriate access to an AKV.

client_secret

string

Secret used by the application to prove its identity to AKV.

comment

string

A descriptive text comment for the CIFS server. SMB clients can see the CIFS server comment when browsing servers on the network. If there is a space in the comment, you must enclose the entire string in quotation marks.

default_unix_user

string

Specifies the UNIX user to which any authenticated CIFS user is mapped to, if the normal user mapping rules fails.

enabled

boolean

Specifies if the CIFS service is administratively enabled.

group_policy_object_enabled

boolean

If set to true, group policies will be applied to the SVM.

key_vault_uri

string

URI of the deployed AKV that is used by ONTAP for storing keys.

metric

metric

Performance numbers, such as IOPS latency and throughput, for SVM protocols.

name

string

The name of the CIFS server.

netbios

cifs_netbios

oauth_host

string

Open authorization server host name.

options

cifs_service_options

proxy_host

string

Proxy host.

proxy_password

string

Proxy password. Password is not audited.

proxy_port

integer

Proxy port.

proxy_type

string

Proxy type.

proxy_username

string

Proxy username.

security

cifs_service_security

statistics

statistics

These are raw performance numbers, such as IOPS latency and throughput for SVM protocols. These numbers are aggregated across all nodes in the cluster and increase with the uptime of the cluster.

svm

svm

SVM, applies only to SVM-scoped objects.

tenant_id

string

Directory (tenant) ID of the deployed Azure application with appropriate access to an AKV.

timeout

integer

AKV connection timeout, in seconds. The allowed range is between 0 to 30 seconds.

verify_host

boolean

Verify the identity of the AKV host name. By default, verify_host is set to true.

workgroup

string

The workgroup name.

Name Type Description

_links

_links

uuid

string

The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

returned_error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.