简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。
使用 ACL 将 CIFS 数据从源存储箱迁移到 ONTAP
贡献者
建议更改
PDF
本节介绍将包含安全信息的 CIFS 数据从源系统迁移到目标 ONTAP 系统的分步操作步骤。
-
验证目标 ONTAP 系统是否运行正常。
C1_sti96-vsim-ucs540m_cluster::> cluster show Node Health Eligibility --------------------- ------- ------------ sti96-vsim-ucs540m true true sti96-vsim-ucs540n true true 2 entries were displayed. C1_sti96-vsim-ucs540m_cluster::> node show Node Health Eligibility Uptime Model Owner Location --------- ------ ----------- ------------- ----------- -------- --------------- sti96-vsim-ucs540m true true 15 days 21:17 SIMBOX ahammed sti sti96-vsim-ucs540n true true 15 days 21:17 SIMBOX ahammed sti 2 entries were displayed. cluster::> storage failover show Takeover Node Partner Possible State Description -------------- -------------- -------- ------------------------------------- sti96-vsim-ucs540m sti96-vsim- true Connected to sti96-vsim-ucs540n ucs540n sti96-vsim-ucs540n sti96-vsim- true Connected to sti96-vsim-ucs540m ucs540m 2 entries were displayed. C1_sti96-vsim-ucs540m_cluster::> -
验证目标系统上是否至少存在一个非根聚合。聚合正常。
cluster::*> storage aggregate show Aggregate Size Available Used% State #Vols Nodes RAID Status --------- -------- --------- ----- ------- ------ ---------------- ------------ aggr0_sti96_vsim_ucs540o 7.58GB 373.3MB 95% online 1 sti96-vsim- raid_dp, ucs540o normal aggr0_sti96_vsim_ucs540p 7.58GB 373.3MB 95% online 1 sti96-vsim- raid_dp, ucs540p normal aggr_001 103.7GB 93.63GB 10% online 1 sti96-vsim- raid_dp, ucs540p normal sti96_vsim_ucs540o_aggr1 23.93GB 23.83GB 0% online 1 sti96-vsim- raid_dp, ucs540o normal sti96_vsim_ucs540p_aggr1 23.93GB 23.93GB 0% online 0 sti96-vsim- raid_dp, ucs540p normal 5 entries were displayed.
如果没有数据聚合,请使用 storage aggr create命令创建一个新聚合。 -
在目标集群系统上创建 SVM 。
cluster::*> vserver create -vserver vs1 -rootvolume root_vs1 -aggregate sti96_vsim_ucs540o_aggr1 -rootvolume-security-style mixed Verify that the SVM was successfully created. C2_sti96-vsim-ucs540o_cluster::*> vserver show -vserver vs1 Vserver: vs1 Vserver Type: data Vserver Subtype: default Vserver UUID: f8bc54be-d91b-11e9-b99c-005056a7e57e Root Volume: root_vs1 Aggregate: sti96_vsim_ucs540o_aggr1 NIS Domain: NSQA-RTP-NIS1 Root Volume Security Style: mixed LDAP Client: esisconfig Default Volume Language Code: C.UTF-8 Snapshot Policy: default Data Services: data-nfs, data-cifs, data-flexcache, data-iscsi Comment: vs1 Quota Policy: default List of Aggregates Assigned: - Limit on Maximum Number of Volumes allowed: unlimited Vserver Admin State: running Vserver Operational State: running Vserver Operational State Stopped Reason: - Allowed Protocols: nfs, cifs, fcp, iscsi, ndmp Disallowed Protocols: - Is Vserver with Infinite Volume: false QoS Policy Group: - Caching Policy Name: - Config Lock: false Volume Delete Retention Period: 0 IPspace Name: Default Foreground Process: - Is Msid Preserved for DR: false Force start required to start Destination in muliple IDP fan-out case: false Logical Space Reporting: false Logical Space Enforcement: false -
在目标 SVM 上创建新的读写数据卷。验证安全模式,语言设置和容量要求是否与源卷匹配。
CLUSTER CLUSTER::> vol create -vserver vs1 -volume dest_vol -aggregate aggr_001 -size 150g type RW -state online -security-style ntfs
-
创建数据 LIF 以处理 SMB 客户端请求。
CLUSTER::> network interface create -vserver vs1 -lif sti96-vsim-ucs540o_data1 -address 10.237.165.87 -netmask 255.255.240.0 -role data -data-protocol nfs,cifs -home-node sti96-vsim-ucs540o -home-port e0d
验证是否已成功创建 LIF 。
cluster::*> network interface show -vserver vs1 Logical Status Network Current Current Is Vserver Interface Admin/Oper Address/Mask Node Port Home ----------- ---------- ---------- ------------------ ------------- ------- ---- vs1 sti96-vsim-ucs540o_data1 up/up 10.237.165.87/20 sti96-vsim-ucs540o e0d true -
如果需要,使用 SVM 创建静态路由。
Network route create -vserver dest -destination 0.0.0.0/0 -gateway 10.237.160.1
验证是否已成功创建路由。
cluster::*> network route show -vserver vs1 Vserver Destination Gateway Metric ------------------- --------------- --------------- ------ vs1 0.0.0.0/0 10.237.160.1 20 ::/0 fd20:8b1e:b255:9155::1 20 2 entries were displayed. -
在 SVM 命名空间中挂载目标数据卷。
CLUSTER::> volume mount -vserver vs1 -volume dest_vol -junction-path /dest_vol -active true
验证是否已成功挂载此卷。
cluster::*> volume show -vserver vs1 -fields junction-path vserver volume junction-path ------- -------- ------------- vs1 dest_vol /dest_vol vs1 root_vs1 / 2 entries were displayed. Note: You can also specify the volume mount options (junction path) with the volume create command.
-
在目标 SVM 上启动 CIFS 服务。
cluster::*> vserver cifs start -vserver vs1 Warning: The admin status of the CIFS server for Vserver "vs1" is already "up".
验证此服务是否已启动并正在运行。
cluster::*> Verify the service is started and running C2_sti96-vsim-ucs540o_cluster::*> cifs show Server Status Domain/Workgroup Authentication Vserver Name Admin Name Style ----------- --------------- --------- ---------------- -------------- vs1 D60AB15C2AFC4D6 up CTL domain -
验证默认导出策略是否应用于目标 SVM 。
CLUSTER::> vserver export-policy show -vserver dest Vserver Policy Name --------------- ------------------- dest default
如果需要,为目标 SVM 创建新的自定义导出策略。
CLUSTER::> vserver export-policy create -vserver vs1 -policyname xcpexport
-
修改导出策略规则以允许访问 CIFS 客户端。
CLUSTER::> export-policy rule modify -vserver dest -ruleindex 1 -policyname xcpexportpolicy -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 0
验证是否已修改策略规则。
cluster::*> export-policy rule show -instance Vserver: vs1 Policy Name: default Rule Index: 1 Access Protocol: any List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0.0.0.0/0 RO Access Rule: any RW Access Rule: any User ID To Which Anonymous Users Are Mapped: 65534 Superuser Security Types: any Honor SetUID Bits in SETATTR: true Allow Creation of Devices: true NTFS Unix Security Options: fail Vserver NTFS Unix Security Options: use_export_policy Change Ownership Mode: restricted Vserver Change Ownership Mode: use_export_policy Policy ID: 12884901889 Vserver: vs1 Policy Name: default Rule Index: 2 Access Protocol: any List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0:0:0:0:0:0:0:0/0 RO Access Rule: any RW Access Rule: any User ID To Which Anonymous Users Are Mapped: 65534 Superuser Security Types: none Honor SetUID Bits in SETATTR: true Allow Creation of Devices: true NTFS Unix Security Options: fail Vserver NTFS Unix Security Options: use_export_policy Change Ownership Mode: restricted Vserver Change Ownership Mode: use_export_policy Policy ID: 12884901889 2 entries were displayed. -
验证是否允许客户端访问卷。
cluster::*> export-policy check-access -vserver vs1 -volume dest_vol -client-ip 10.234.17.81 -authentication-method none -protocol cifs -access-type read-write Policy Policy Rule Path Policy Owner Owner Type Index Access ----------------------------- ---------- --------- ---------- ------ ---------- / default root_vs1 volume 1 read /dest_vol default dest_vol volume 1 read-write 2 entries were displayed. -
连接到安装了 XCP 的 Windows 客户端系统。浏览到 XCP 安装路径。
C:\WRSHDNT>dir c:\netapp\xcp dir c:\netapp\xcp Volume in drive C has no label. Volume Serial Number is 5C04-C0C7 Directory of c:\netapp\xcp 09/18/2019 09:30 AM <DIR> . 09/18/2019 09:30 AM <DIR> .. 06/25/2019 06:27 AM 304 license 09/18/2019 09:30 AM <DIR> Logs 09/29/2019 08:45 PM 12,143,105 xcp.exe 2 File(s) 12,143,409 bytes 3 Dir(s) 29,219,549,184 bytes free -
在 XCP Windows 客户端主机系统上运行
XCP show命令,以查询源节点 SMB 导出。C:\WRSHDNT>c:\netapp\xcp\xcp show \\10.237.165.71 c:\netapp\xcp\xcp show \\10.237.165.71 XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029 Shares Errors Server 6 0 10.237.165.71 == SMB Shares == Space Space Current Free Used Connections Share Path Folder Path 9.50GiB 4.57MiB 1 \\10.237.165.71\source_share C:\source_vol 94.3MiB 716KiB 0 \\10.237.165.71\ROOTSHARE C:\ 0 0 N/A \\10.237.165.71\ipc$ N/A 94.3MiB 716KiB 0 \\10.237.165.71\c$ C:\ == Attributes of SMB Shares == Share Types Remark source_share DISKTREE test share DISKTREE test_sh DISKTREE ROOTSHARE DISKTREE \"Share mapped to top of Vserver global namespace, created bydeux_init \" ipc$ PRINTQ,SPECIAL,IPC,DEVICE c$ SPECIAL == Permissions of SMB Shares == Share Entity Type source_share Everyone Allow/Full Control ROOTSHARE Everyone Allow/Full Control ipc$ Everyone Allow/Full Control c$ Administrators Allow/Full Control/ -
运行
help命令进行复制。C:\WRSHDNT>c:\netapp\xcp\xcp help copy c:\netapp\xcp\xcp help copy XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029 usage: xcp copy [-h] [-v] [-parallel <n>] [-match <filter>] [-preserve-atime] [-acl] [-fallback-user FALLBACK_USER] [-fallback-group FALLBACK_GROUP] [-root] source target positional arguments: source target optional arguments: -h, --help show this help message and exit -v increase debug verbosity -parallel <n> number of concurrent processes (default: <cpu-count>) -match <filter> only process files and directories that match the filter (see `xcp help -match` for details) -preserve-atime restore last accessed date on source -acl copy security information -fallback-user FALLBACK_USER the name of the user on the target machine to receive the permissions of local (non-domain) source machine users (eg. domain\administrator) -fallback-group FALLBACK_GROUP the name of the group on the target machine to receive the permissions of local (non-domain) source machine groups (eg. domain\administrators) -root copy acl for root directorytxt -
在目标 ONTAP 系统上,获取需要作为
backfall-user和backfall-group参数路径的值提供的本地用户和本地组名称列表。cluster::*> local-user show (vserver cifs users-and-groups local-user show) Vserver User Name Full Name Description ------------ --------------------------- -------------------- ------------- vs1 D60AB15C2AFC4D6\Administrator Built-in administrator account C2_sti96-vsim-ucs540o_cluster::*> local-group show (vserver cifs users-and-groups local-group show) Vserver Group Name Description -------------- -------------------------------- ---------------------------- vs1 BUILTIN\Administrators Built-in Administrators group vs1 BUILTIN\Backup Operators Backup Operators group vs1 BUILTIN\Guests Built-in Guests Group vs1 BUILTIN\Power Users Restricted administrative privileges vs1 BUILTIN\Users All users 5 entries were displayed -
要将使用 ACL 的 CIFS 数据从源迁移到目标,请使用 ` -acl` 和 ` – backft-user/group` 选项运行
XCP copy命令。对于
backfall-user/group选项,指定 Active Directory 中的任何用户或组,或者将本地用户 / 组分配给目标系统。C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 8s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 13s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 18s ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "BUILTIN\Users". Please check if the principal with the name "BUILTIN\Users" exists on "D60AB15C2AFC4D6". 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 23s ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\Administrator". Please check if the principal with the name "D60AB15C2AFC4D6\Administrator" exists on "D60AB15C2AFC4D6". 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 28s 753 scanned, 0 errors, 0 skipped, 249 copied, 24.0KiB (4.82KiB/s), 33s 753 scanned, 0 errors, 0 skipped, 744 copied, 54.4KiB (6.07KiB/s), 38s 753 scanned, 0 errors, 0 skipped, 746 copied, 54.5KiB (20/s), 43s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (1.23KiB/s), 44s C:\WRSHDNT>
-
如果
XCP copy导致错误消息error failed to Obtain fallbackt security principal,请在 hosts 文件(C : \Windows\System32\drivers\etc\hosts)中添加目标框。对 NetApp 存储目标框条目使用以下格式。
<data vserver data interface ip> 1 or more white spaces <cifs server name>
cluster::*> cifs show Server Status Domain/Workgroup Authentication Vserver Name Admin Name Style ----------- --------------- --------- ---------------- -------------- vs1 D60AB15C2AFC4D6 up CTL domain C2_sti96-vsim-ucs540o_cluster::*> network interface show Logical Status Network Current Current Is Cluster sti96-vsim-ucs540p_clus1 up/up 192.168.148.136/24 sti96-vsim-ucs540p e0a true sti96-vsim-ucs540p_clus2 up/up 192.168.148.137/24 sti96-vsim-ucs540p e0b true vs1 sti96-vsim-ucs540o_data1 up/up 10.237.165.87/20 sti96-vsim-ucs540o e0d true sti96-vsim-ucs540o_data1_inet6 up/up fd20:8b1e:b255:9155::583/64 sti96-vsim-ucs540o e0d true sti96-vsim-ucs540o_data2 up/up 10.237.165.88/20 sti96-vsim-ucs540o e0e true 10.237.165.87 D60AB15C2AFC4D6 -> destination box entry to be added in hosts file. -
在 hosts 文件中添加目标框条目后,如果仍收到错误消息
error failed to get backfalling security principal,则表示目标系统中不存在用户 / 组。C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\unknown_user -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\unknown_user -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029 ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6". ERROR failed to obtain fallback security principal "D60AB15C2AFC4D6\unknown_user". Please check if the principal with the name "D60AB15C2AFC4D6\unknown_user" exists on "D60AB15C2AFC4D6". 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 5s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 10s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 15s 753 scanned, 0 errors, 0 skipped, 284 copied, 27.6KiB (5.54KiB/s), 20s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (2.44KiB/s), 22s C:\WRSHDNT>
-
使用
XCP copy迁移使用 ACL (包含或不包含根文件夹)的 CIFS 数据。如果没有根文件夹,请运行以下命令:
C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share c:\netapp\xcp\xcp copy -acl -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 5s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 10s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 15s 753 scanned, 0 errors, 0 skipped, 210 copied, 20.4KiB (4.08KiB/s), 20s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (2.38KiB/s), 22s C:\WRSHDNT>
使用根文件夹运行以下命令:
C:\WRSHDNT>c:\netapp\xcp\xcp copy -acl -root -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share c:\netapp\xcp\xcp copy -acl -root -fallback-user D60AB15C2AFC4D6\Administrator -fallback-group BUILTIN\Users \\10.237.165.79\source_share \\10.237.165.89\dest_share XCP SMB 1.6; (c) 2020 NetApp, Inc.; Licensed to XXX [NetApp Inc] until Mon Dec 31 00:00:00 2029 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 5s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 10s 753 scanned, 0 errors, 0 skipped, 0 copied, 0 (0/s), 15s 753 scanned, 0 errors, 0 skipped, 243 copied, 23.6KiB (4.73KiB/s), 20s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (6.21KiB/s), 25s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 30s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 35s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 40s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 45s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 50s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 55s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 1m0s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (0/s), 1m5s 753 scanned, 0 errors, 0 skipped, 752 copied, 54.7KiB (817/s), 1m8s C:\WRSHDNT>