简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

使用 ACL 将 CIFS 数据从源存储箱迁移到 ONTAP

提供者

本节介绍将包含安全信息的 CIFS 数据从源系统迁移到目标 ONTAP 系统的分步操作步骤。

  1. 验证目标 ONTAP 系统是否运行正常。

    C1_sti96-vsim-ucs540m_cluster::> cluster show
    Node                  Health  Eligibility
    --------------------- ------- ------------
    sti96-vsim-ucs540m    true    true
    sti96-vsim-ucs540n    true    true
    2 entries were displayed.
    C1_sti96-vsim-ucs540m_cluster::> node show
    Node      Health Eligibility Uptime        Model       Owner    Location
    --------- ------ ----------- ------------- ----------- -------- ---------------
    sti96-vsim-ucs540m
              true   true        15 days 21:17 SIMBOX      ahammed  sti
    sti96-vsim-ucs540n
              true   true        15 days 21:17 SIMBOX      ahammed  sti
    2 entries were displayed.
    cluster::>  storage failover show
                                  Takeover
    Node           Partner        Possible State Description
    -------------- -------------- -------- -------------------------------------
    sti96-vsim-ucs540m
                   sti96-vsim-    true     Connected to sti96-vsim-ucs540n
                   ucs540n
    sti96-vsim-ucs540n
                   sti96-vsim-    true     Connected to sti96-vsim-ucs540m
                   ucs540m
    2 entries were displayed.
    C1_sti96-vsim-ucs540m_cluster::>
  2. 验证目标系统上是否至少存在一个非根聚合。聚合正常。

    cluster::*> storage aggregate show
    Aggregate     Size Available Used% State   #Vols  Nodes            RAID Status
    --------- -------- --------- ----- ------- ------ ---------------- ------------
    aggr0_sti96_vsim_ucs540o
                7.58GB   373.3MB   95% online       1 sti96-vsim-      raid_dp,
                                                      ucs540o          normal
    aggr0_sti96_vsim_ucs540p
                7.58GB   373.3MB   95% online       1 sti96-vsim-      raid_dp,
                                                      ucs540p          normal
    aggr_001   103.7GB   93.63GB   10% online       1 sti96-vsim-      raid_dp,
                                                      ucs540p          normal
    sti96_vsim_ucs540o_aggr1
               23.93GB   23.83GB    0% online       1 sti96-vsim-      raid_dp,
                                                      ucs540o          normal
    sti96_vsim_ucs540p_aggr1
               23.93GB   23.93GB    0% online       0 sti96-vsim-      raid_dp,
                                                      ucs540p          normal
    5 entries were displayed.
    注 如果没有数据聚合,请使用 storage aggr create 命令创建一个新聚合。
  3. 在目标集群系统上创建 SVM 。

    cluster::*> vserver create -vserver vs1 -rootvolume root_vs1 -aggregate sti96_vsim_ucs540o_aggr1 -rootvolume-security-style mixed
    
    Verify that the SVM was successfully created.
    C2_sti96-vsim-ucs540o_cluster::*>  vserver show -vserver vs1
                                        Vserver: vs1
                                   Vserver Type: data
                                Vserver Subtype: default
                                   Vserver UUID: f8bc54be-d91b-11e9-b99c-005056a7e57e
                                    Root Volume: root_vs1
                                      Aggregate: sti96_vsim_ucs540o_aggr1
                                     NIS Domain: NSQA-RTP-NIS1
                     Root Volume Security Style: mixed
                                    LDAP Client: esisconfig
                   Default Volume Language Code: C.UTF-8
                                Snapshot Policy: default
                                  Data Services: data-nfs, data-cifs,
                                                 data-flexcache, data-iscsi
                                        Comment: vs1
                                   Quota Policy: default
                    List of Aggregates Assigned: -
     Limit on Maximum Number of Volumes allowed: unlimited
                            Vserver Admin State: running
                      Vserver Operational State: running
       Vserver Operational State Stopped Reason: -
                              Allowed Protocols: nfs, cifs, fcp, iscsi, ndmp
                           Disallowed Protocols: -
                Is Vserver with Infinite Volume: false
                               QoS Policy Group: -
                            Caching Policy Name: -
                                    Config Lock: false
                 Volume Delete Retention Period: 0
                                   IPspace Name: Default
                             Foreground Process: -
                       Is Msid Preserved for DR: false
    Force start required to start Destination in muliple IDP fan-out case: false
                        Logical Space Reporting: false
                      Logical Space Enforcement: false
  4. 在目标 SVM 上创建新的读写数据卷。验证安全模式,语言设置和容量要求是否与源卷匹配。

    CLUSTER CLUSTER::> vol create -vserver vs1 -volume dest_vol -aggregate aggr_001 -size 150g type RW -state online -security-style ntfs
  5. 创建数据 LIF 以处理 SMB 客户端请求。

    CLUSTER::> network interface create -vserver vs1 -lif sti96-vsim-ucs540o_data1  -address 10.237.165.87 -netmask 255.255.240.0 -role data -data-protocol nfs,cifs -home-node sti96-vsim-ucs540o  -home-port e0d

    验证是否已成功创建 LIF 。

    cluster::*>  network interface show -vserver vs1
                Logical    Status     Network            Current       Current Is
    Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
    ----------- ---------- ---------- ------------------ ------------- ------- ----
    vs1
                sti96-vsim-ucs540o_data1
                             up/up    10.237.165.87/20   sti96-vsim-ucs540o
                                                                       e0d     true
  6. 如果需要,使用 SVM 创建静态路由。

    Network route create -vserver dest -destination 0.0.0.0/0 -gateway 10.237.160.1

    验证是否已成功创建路由。

    cluster::*>  network route show -vserver vs1
    Vserver             Destination     Gateway         Metric
    ------------------- --------------- --------------- ------
    vs1
                        0.0.0.0/0       10.237.160.1    20
                        ::/0            fd20:8b1e:b255:9155::1
                                                        20
    2 entries were displayed.
  7. 在 SVM 命名空间中挂载目标数据卷。

    CLUSTER::> volume mount -vserver vs1 -volume dest_vol  -junction-path /dest_vol -active true

    验证是否已成功挂载此卷。

    cluster::*> volume show -vserver vs1  -fields junction-path
    vserver volume   junction-path
    ------- -------- -------------
    vs1     dest_vol /dest_vol
    vs1     root_vs1 /
    2 entries were displayed.
    Note: You can also specify the volume mount options (junction path) with the volume create command.
  8. 在目标 SVM 上启动 CIFS 服务。

    cluster::*> vserver cifs start -vserver vs1
    Warning: The admin status of the CIFS server for Vserver "vs1" is already "up".

    验证此服务是否已启动并正在运行。

    cluster::*>
    Verify the service is started and running
    C2_sti96-vsim-ucs540o_cluster::*> cifs show
                Server          Status    Domain/Workgroup Authentication
    Vserver     Name            Admin     Name             Style
    ----------- --------------- --------- ---------------- --------------
    vs1         D60AB15C2AFC4D6 up        CTL              domain
  9. 验证默认导出策略是否应用于目标 SVM 。

    CLUSTER::> vserver export-policy show -vserver dest
    Vserver          Policy Name
    ---------------  -------------------
    dest             default

    如果需要,为目标 SVM 创建新的自定义导出策略。

    CLUSTER::> vserver export-policy create -vserver vs1 -policyname xcpexport
  10. 修改导出策略规则以允许访问 CIFS 客户端。

    CLUSTER::> export-policy rule modify -vserver dest -ruleindex 1 -policyname xcpexportpolicy -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 0

    验证是否已修改策略规则。

    cluster::*> export-policy rule show -instance
                                        Vserver: vs1
                                    Policy Name: default
                                     Rule Index: 1
                                Access Protocol: any
    List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0.0.0.0/0
                                 RO Access Rule: any
                                 RW Access Rule: any
    User ID To Which Anonymous Users Are Mapped: 65534
                       Superuser Security Types: any
                   Honor SetUID Bits in SETATTR: true
                      Allow Creation of Devices: true
                     NTFS Unix Security Options: fail
             Vserver NTFS Unix Security Options: use_export_policy
                          Change Ownership Mode: restricted
                  Vserver Change Ownership Mode: use_export_policy
                                      Policy ID: 12884901889
                                        Vserver: vs1
                                    Policy Name: default
                                     Rule Index: 2
                                Access Protocol: any
    List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0:0:0:0:0:0:0:0/0
                                 RO Access Rule: any
                                 RW Access Rule: any
    User ID To Which Anonymous Users Are Mapped: 65534
                       Superuser Security Types: none
                   Honor SetUID Bits in SETATTR: true
                      Allow Creation of Devices: true
                     NTFS Unix Security Options: fail
             Vserver NTFS Unix Security Options: use_export_policy
                          Change Ownership Mode: restricted
                  Vserver Change Ownership Mode: use_export_policy
                                      Policy ID: 12884901889
    2 entries were displayed.
  11. 验证是否允许客户端访问卷。

    cluster::*> export-policy check-access -vserver vs1 -volume dest_vol -client-ip 10.234.17.81 -authentication-method none -protocol cifs -access-type read-write
                                             Policy    Policy       Rule
    Path                          Policy     Owner     Owner Type  Index Access
    ----------------------------- ---------- --------- ---------- ------ ----------
    /                             default    root_vs1  volume          1 read
    /dest_vol                     default    dest_vol  volume          1 read-write
    2 entries were displayed.
  12. 连接到安装了 XCP 的 Windows 客户端系统。浏览到 XCP 安装路径。

    C:\WRSHDNT>dir c:\netapp\xcp
    dir c:\netapp\xcp
     Volume in drive C has no label.
     Volume Serial Number is 5C04-C0C7
     Directory of c:\netapp\xcp
    09/18/2019  09:30 AM    <DIR>          .
    09/18/2019  09:30 AM    <DIR>          ..
    06/25/2019  06:27 AM               304 license
    09/18/2019  09:30 AM    <DIR>          Logs
    09/29/2019  08:45 PM        12,143,105 xcp.exe
                   2 File(s)     12,143,409 bytes
                   3 Dir(s)  29,219,549,184 bytes free
  13. 在 XCP Windows 客户端主机系统上运行 XCP show 命令,以查询源节点 SMB 导出。

    C:\WRSHDNT>c:\netapp\xcp\xcp show \\10.237.165.71
    c:\netapp\xcp\xcp show \\10.237.165.71
    XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029
     Shares   Errors   Server
          6        0            10.237.165.71
    == SMB Shares ==
     Space   Space   Current
     Free    Used    Connections Share Path                   Folder Path
     9.50GiB 4.57MiB 1           \\10.237.165.71\source_share C:\source_vol
     94.3MiB 716KiB  0           \\10.237.165.71\ROOTSHARE    C:\
     0       0       N/A         \\10.237.165.71\ipc$         N/A
     94.3MiB 716KiB  0           \\10.237.165.71\c$           C:\
    == Attributes of SMB Shares ==
     Share                             Types                             Remark
     source_share                      DISKTREE
     test share                        DISKTREE
     test_sh                           DISKTREE
     ROOTSHARE                         DISKTREE             \"Share mapped to top of Vserver global namespace, created bydeux_init \"
     ipc$                              PRINTQ,SPECIAL,IPC,DEVICE
     c$                                SPECIAL
    == Permissions of SMB Shares ==
     Share                             Entity                                         Type
     source_share                      Everyone                                       Allow/Full Control
    ROOTSHARE                         Everyone                                       Allow/Full Control
     ipc$                              Everyone                                       Allow/Full Control
     c$                                Administrators                                 Allow/Full Control/
  14. 运行 help 命令进行复制。

    C:\WRSHDNT>c:\netapp\xcp\xcp help copy
    c:\netapp\xcp\xcp help copy
    XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029
    usage: xcp copy [-h] [-v] [-parallel <n>] [-match <filter>] [-preserve-atime]
                    [-acl] [-fallback-user FALLBACK_USER]
                    [-fallback-group FALLBACK_GROUP] [-root]
                    source target
    positional arguments:
      source
      target
    optional arguments:
      -h, --help            show this help message and exit
      -v                    increase debug verbosity
      -parallel <n>         number of concurrent processes (default: <cpu-count>)
      -match <filter>       only process files and directories that match the
                            filter (see `xcp help -match` for details)
      -preserve-atime       restore last accessed date on source
      -acl                  copy security information
      -fallback-user FALLBACK_USER
                            the name of the user on the target machine to receive
                            the permissions of local (non-domain) source machine
                            users (eg. domain\administrator)
      -fallback-group FALLBACK_GROUP
                            the name of the group on the target machine to receive
                            the permissions of local (non-domain) source machine
                            groups (eg. domain\administrators)
      -root                 copy acl for root directorytxt
  15. 在目标 ONTAP 系统上,获取需要作为 backfall-userbackfall-group 参数路径的值提供的本地用户和本地组名称列表。

    cluster::*> local-user show
      (vserver cifs users-and-groups local-user show)
    Vserver      User Name                   Full Name            Description
    ------------ --------------------------- -------------------- -------------
    vs1          D60AB15C2AFC4D6\Administrator
                                                                  Built-in administrator account
    C2_sti96-vsim-ucs540o_cluster::*>  local-group show
      (vserver cifs users-and-groups local-group show)
    Vserver        Group Name                       Description
    -------------- -------------------------------- ----------------------------
    vs1            BUILTIN\Administrators           Built-in Administrators group
    vs1            BUILTIN\Backup Operators         Backup Operators group
    vs1            BUILTIN\Guests                   Built-in Guests Group
    vs1            BUILTIN\Power Users              Restricted administrative privileges
    vs1            BUILTIN\Users                    All users
    5 entries were displayed
  16. 要将使用 ACL 的 CIFS 数据从源迁移到目标,请使用 ` -acl` 和 ` – backft-user/group` 选项运行 XCP copy 命令。

    对于 backfall-user/group 选项,指定 Active Directory 中的任何用户或组,或者将本地用户 / 组分配给目标系统。

    C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 8s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 13s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 18s
    ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6".
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 23s
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6".
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 28s
    753 scanned, 0 errors, 0 skipped, 249 copied, 24.0KiB (4.82KiB/s), 33s
    753 scanned, 0 errors, 0 skipped, 744 copied, 54.4KiB (6.07KiB/s), 38s
    753 scanned, 0 errors, 0 skipped, 746 copied, 54.5KiB (20/s), 43s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (1.23KiB/s), 44s
    C:\WRSHDNT>
  17. 如果 XCP copy 导致错误消息 error failed to Obtain fallbackt security principal ,请在 hosts 文件(C : \Windows\System32\drivers\etc\hosts )中添加目标框。

    对 NetApp 存储目标框条目使用以下格式。

    <data vserver data interface ip> 1 or more white spaces <cifs server name>
    cluster::*> cifs show
                Server          Status    Domain/Workgroup Authentication
    Vserver     Name            Admin     Name             Style
    ----------- --------------- --------- ---------------- --------------
    vs1         D60AB15C2AFC4D6 up        CTL              domain
    C2_sti96-vsim-ucs540o_cluster::*> network interface show
                Logical    Status     Network            Current       Current Is
    Cluster
                sti96-vsim-ucs540p_clus1
                             up/up    192.168.148.136/24 sti96-vsim-ucs540p
                                                                       e0a     true
                sti96-vsim-ucs540p_clus2
                             up/up    192.168.148.137/24 sti96-vsim-ucs540p
                                                                       e0b     true
    vs1
                sti96-vsim-ucs540o_data1
                             up/up    10.237.165.87/20   sti96-vsim-ucs540o
                                                                       e0d     true
                sti96-vsim-ucs540o_data1_inet6
                             up/up    fd20:8b1e:b255:9155::583/64
                                                         sti96-vsim-ucs540o
                                                                       e0d     true
                sti96-vsim-ucs540o_data2
                             up/up    10.237.165.88/20   sti96-vsim-ucs540o
                                                                       e0e     true
    10.237.165.87  D60AB15C2AFC4D6  -> destination box entry to be added in hosts file.
  18. 在 hosts 文件中添加目标框条目后,如果仍收到错误消息 error failed to get backfalling security principal ,则表示目标系统中不存在用户 / 组。

    C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\unknown_user -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\unknown_user -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6".
    ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6".
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 5s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 10s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 15s
    753 scanned, 0 errors, 0 skipped, 284 copied, 27.6KiB (5.54KiB/s), 20s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (2.44KiB/s), 22s
    C:\WRSHDNT>
  19. 使用 XCP copy 迁移使用 ACL (包含或不包含根文件夹)的 CIFS 数据。

    如果没有根文件夹,请运行以下命令:

    C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -fallback-user  D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    c:\netapp\xcp\xcp copy -acl -fallback-user  D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 5s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 10s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 15s
    753 scanned, 0 errors, 0 skipped, 210 copied, 20.4KiB (4.08KiB/s), 20s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (2.38KiB/s), 22s
    C:\WRSHDNT>

    使用根文件夹运行以下命令:

    C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -root  -fallback-user  D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    c:\netapp\xcp\xcp copy -acl -root  -fallback-user  D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users  \\10.237.165.79\source_share \\10.237.165.89\dest_share
    XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 5s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 10s
    753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 15s
    753 scanned, 0 errors, 0 skipped, 243 copied, 23.6KiB (4.73KiB/s), 20s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (6.21KiB/s), 25s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 30s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 35s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 40s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 45s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 50s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 55s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 1m0s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 1m5s
    753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (817/s), 1m8s
    C:\WRSHDNT>