Manual Chapter : Namespace

Applies To:

Show Versions Show Versions

ARX

  • 6.3.0
Manual Chapter
21 
Character encoding is the mapping between binary numbers and written characters. Some character-encoding schemes use only a single byte for each character; these typically support alphabets without any Asian characters. Multi-byte encoding schemes encompass Asian character sets. Unicode (such as UTF-8) can also use more than one byte per character, and encompasses most character sets and languages. Use the character-encoding command to set the namespaces character encoding for NFS file names.
Use no character-encoding to reset NFS file names back to the single-byte default.
utf-8 specifies UTF-8 (Unicode) character encoding.
shift-jis specifies Shift_JIS (Japanese) character encoding.
cp932 is Code Page 932, or Windows-31J (Japanese) character encoding. This is the Microsoft version of Shift_JIS.
euc-jp specifies EUC-JP (Extended Unix Code - Japanese) character encoding.
ksc5601 is KSC5601 (Korean) character encoding.
iso-8859-1 is ISO 8859-1 (Latin1, single-byte) character encoding.
The no form of the command returns the namespace to default character encoding.
If a single front-end nfs service has exports from more than one namespace, this setting must be the same for all of the exported namespaces. The export (gbl-nfs) command exports a namespace volume through NFS.
bstnA(gbl-ns[wwmed])# no character-encoding nfs
Use no cifs anonymous-access in a namespace that does not support connections to the IPC$ share.
There are only a small set of photocopiers that require this access before they save files to the namespace. The F5 Data Solutions Compatibility Matrix (included with this doc set) lists all the photocopiers that are known to require this feature.
The cifs anonymous-access command permits anonymous queries to the virtual IPC$ share, but does not permit scanners and photocopiers to actually save files to any of the namespaces volumes. As always, the scanner/copier must provide a valid Windows username and password to perform the file-save operation.
If a single front-end cifs service has exports from more than one namespace, this setting must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) Therefore, if this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
provA(gbl-ns[provMed])# cifs anonymous-access
bstnA(gbl-ns[insur])# no cifs anonymous-access
Use the cifs authentication command to enable an authentication protocol (Kerberos, NTLM, and/or NTLMv2) for the namespaces CIFS clients.
Use no cifs authentication to disable a CIFS-authentication protocol for this namespace.
CIFS clients access namespace storage through a front-end CIFS service. If a single CIFS service has exports from more than one namespace, the authentication settings must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) Therefore, if this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
The domain-join command can also enable a CIFS service for NTLM or NTLMv2. If you (or an authorized Domain Administrator) go to the domain controller (DC) and set up constrained delegation for the CIFS service, clients can authenticate with NTLM, NTLMv2, or Kerberos. No further configuration is required. In this case, the namespace software connects to its back-end filers with Kerberos, whether or not the client uses a variant of NTLM.
A CIFS service that is configured for unconstrained delegation, or is not even joined to its domain, requires more configuration to support NTLM or NTLMv2. For these configurations, you must install an application onto one or more DCs. This DC application, called the Secure Agent, enables the namespace to authenticate a client once and then access storage on multiple back-end filers. See the ARX Secure Agent Installation Guide for instructions on installing a Secure Agent onto a DC. Then you can use ntlm-auth-server and ntlm-auth-server (gbl-ns) to connect the namespace software to the Secure Agent application.
bstnA(gbl-ns[ns1])# cifs authentication kerberos
bstnA(gbl-ns[ns1])# cifs authentication ntlmv2
bstnA(gbl-ns[insur])# no cifs authentication ntlm
Use the cifs filer-signatures command to enable (or perhaps require) SMB signing between this namespace and the external filers behind it. SMB signing is the process of placing a digital signature into each Server Message Block (SMB) exchanged between a CIFS server (each filer) and client (the namespace software). SMB signing prevents man-in-the-middle attacks at the cost of slower performance.
Use no cifs filer-signatures to disable SMB signing between the namespace and its filers. This breaks all CIFS communication with any filers that require SMB signing.
required (optional) obligates all CIFS filers to use SMB signing in their communication with the namespace. If any of the namespaces filers refuse to support SMB signing, the namespace cannot make any CIFS connections to the filer.
This applies only to namespaces that support CIFS. Use the protocol command to set the file-access protocols for the namespace.
If you use this command with the required option, the namespace can only connect to filers that support SMB signing. The namespace refuses to make a CIFS connection to any filer that does not support SMB signatures.
The least-restrictive setting is to enable SMB signing without requiring it (using the cifs filer-signatures syntax). The namespace can then connect to any filer, whether it requires or refuses SMB signing. If the namespace software has a choice, it prefers not to use SMB signing for performance reasons.
To control the SMB-signing policy between the ARX and its clients, you can use the signatures command in gbl-cifs mode. To see the number of filers and/or clients who have used SMB signing, along with some success and failure statistics, use the show fastpath cifs-signatures command.
bstnA(gbl-ns[insur])# cifs filer-signatures
bstnA(gbl-ns[ns1])# cifs filer-signatures required
bstnA(gbl-ns[ns4])# no cifs filer-signatures
Use the optional description command to set a descriptive string for the current namespace, volume, or share. This appears in the show namespace command.
Use the no form of the command to delete the description.
text (1-255 characters) is your description. Surround the text with quotation marks () if it contains any spaces.
bstnA(gbl-ns[wwmed])# description namespace for World-Wide Medical network
bstnA(gbl-ns-vol-shr[medarcv~/rcrds~rx])# description prescriptions since 2002
Use the enable command to activate the current namespace or volume, or its shares.
Use no enable to stop access to the current namespace or volume.
shares (optional) causes all of the namespaces or volumes shares to be enabled.
take-ownership (optional) causes the namespace or managed volume to take ownership of all back-end shares. Use this option only if you are sure that the shares are not in active use by a managed volume on another ARX. For example, some sites use filer applications to replicate all data from one site to another; if an ARX had managed volumes at the primary site, the ARXs ownership marker (a file) would be copied to the second site. An ARX at the second site could only import the share if you use the take-ownership option. The option has no effect on a direct volume, or on any direct volumes in the namespace.
Important: This option could possibly remove a share from another managed volume that is in service. Use the take-ownership option only for cases where some shares are spuriously marked by another ARX. The CLI prompts for confirmation if you use this option; enter yes to proceed.
The enable command causes a managed volume to import external files and directories into its shares. For large directory structures, this takes some time. If there are any name collisions, they occur when you issue the enable command. The import happens asynchronously; you can monitor its progress with the show namespace or show namespace status commands.
Important: For shares backed by NetApp or EMC, you may need to access the filer directly and pre-create some qtrees or EMC tree quotas. This rare configuration issue only occurs if:
- this is a managed volume,
- you want to support both free-space quotas (
freespace cifs-quota), and
- you also want to support filer-subshares in this volume.
In this case, a NetApp share requires one qtree per subshare, and an EMC import share must be an EMC File System with one quota tree per subshare. Pre-create the NetApp qtrees and/or EMC quota trees before you enable the share. See the Guidelines: Subshare Replication with Free-Space Quotas section of the filer-subshares documentation.
The no enable command makes the volume(s) inaccessible to clients. When a volume is disabled, client applications get no response from it. Different applications react to this in different ways; some hang, others log error messages to an internal log. The shutdown is cleaner for your clients if you first perform no export (gbl-nfs), no export (gbl-cifs), and no browsing for all NFS and/or CIFS services that export the volume.
A direct volume is a collection of directory attach points that is easier to configure than a managed volume but does not offer any policy features. Each attach-point directory in the direct volume is attached to an actual directory on a back-end filer. A direct volume keeps no metadata. You use the direct command to declare a volume to be a direct volume.
The enable command does not trigger an import in a direct volume, since there is no metadata to construct. The enable operation is therefore much faster. Also, the take-ownership option has no effect on a direct volume.
A CIFS volume with filer-subshares or cifs access-based-enum enabled performs some additional processing during import. Specifically, the volume software discovers CIFS subshares (shares under the imported shares) and ABE settings, and it makes these settings consistent at every back-end filer. This process produces a report to show its results, named syncSshrNewStorageReport_timestamp.rpt. You can use show reports to get a list of reports, and show reports report-name to read a particular report.
bstnA(gbl-ns[ns])# enable shares take-ownership
Use the metadata cache-size command to specify how much cache memory (in MB) to reserve for managed-volume metadata. This size is used for each volume-group domain used by the current namespace.
Use the no form of this command to revert to the default cache size.
cache-size (64-1750) is the size, in megabytes (MB), of memory to reserve for the current namespaces metadata cache(s).
On the ARX-500, you can increase the maximum number of volume groups. The memory and CPU resources are more scarce on this platform than its newer counterparts, so it is shipped with a lower volume-group maximum. If you increase the maximum number of volume groups (using the max-volume-groups command), you should also consult with F5 to change this metadata cache size. The total memory used for this namespace is the total number of volume groups times this cache size. All platforms can use swap space (from their internal disks) to add to memory size if memory gets low. You can use the show processors usage command to monitor memory and swap-space usage on the system.
bstnA(gbl-ns[wwmed])# metadata cache-size 500
Use the namespace command to create a new namespace, or edit an existing one.
Use the no form of the command to delete a namespace.
name (1-30 characters) is a name you choose for the namespace. The name all is reserved and cannot be used.
The CLI prompts for confirmation before creating a namespace; enter yes to continue. (You can use terminal expert to eliminate confirmation prompts for creating new objects.)
This places you in gbl-ns mode, where you must establish one or more managed volumes and/or direct volumes for the namespace. Each managed volume is like a file system in the namespace; it is composed of files and directories from various back-end filers. A direct volume contains shares with attach points, which are analogous to NFS mount points and mapped CIFS shares. A managed volume contains metadata and supports policy rules, a direct volume does not. Use the volume command to create either type of volume.
You must remove all of the namespaces volumes before you can remove the namespace with no namespace. Removing a volume is a complex process, described in the documentation for the volume command. The remove namespace command removes all volumes for you; best practices dictate that you use that command instead. The remove service command removes the namespace and all other configuration objects that are exclusively dedicated to the namespace, such as external filers and global servers.
bstnA(gbl)# namespace ns
bstnA(gbl)# no namespace myNameSpace
This command is only necessary behind a cifs service that uses unconstrained delegation (or is not joined to its domain). Best practices dictate that you use constrained delegation, as described in the domain-join documentation, and avoid this CLI command.
Use the ntlm-auth-db command to assign an NTLM-authentication database to the current namespace.
Use the no form of the command to remove an NTLM authentication database.
name (1-64 characters) is the name of an NTLM authentication database. Use the show ntlm-auth-db command for a list of configured NTLM databases.
You must also use cifs authentication ntlm and/or cifs authentication ntlmv2 for the namespace to support NTLM or NTLMv2 authentication.
If a single front-end cifs service has exports from more than one namespace, this group of NTLM-Authentication DBs must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
Use the show ntlm-auth-db command to display a list of configured NTLM authentication databases.
bstnA(gbl-ns[ns1])# ntlm-auth-db DEMO
This command is only necessary behind a cifs service that uses unconstrained delegation (or is not joined to its domain). Best practices dictate that you use constrained delegation, as described in the domain-join documentation, and avoid this CLI command.
Use the ntlm-auth-server command to assign an ARX Secure Agent (ASA) server to the current namespace. To support clients from multiple Windows domains, you can use this command multiple times.
Use the no form of the command to remove an ASA from the namespace. This prevents clients in the ASAs Windows Domain from using NTLM or NTLMv2 authentication.
name (1-128 characters) is the name of an ASA.
After you install the ASA on a DC, use the ntlm-auth-server command to configure it on the ARX. Then use this command to make it available to the current namespace. Use the show ntlm-auth-server command to display the configured ASAs along with connection statistics.
Note: If the namespaces front-end CIFS Service uses constrained delegation, introduced with Windows Server 2003, the Secure Agent (and this command) is unnecessary. An administrator with Domain Administrator privileges can go to the DC and configure constrained delegation for this CIFS service. You can use the probe delegate-to command to find all back-end filers behind a CIFS service, which the DC administrator adds to the CIFS services delegate-to list. Once the CIFS service is set up this way at the DC, the services NTLM/NTLMv2 clients can authenticate without help from a Secure Agent.
A namespace can authenticate its clients with NTLM, NTLMv2, and Kerberos concurrently. This facilitates network transitions from NTLM to Kerberos. Use cifs authentication to configure NTLM, NTLMv2, Kerberos, or any combination of those authentication protocols. Each client chooses a protocol from that set.
If a single front-end cifs service has exports from more than one namespace, this group of ASAs must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.)
Removing an ASA (with no ntlm-auth-server) may stop NTLM and NTLMv2 support for the ASAs Windows domain; if this is the only ASA for the domain, clients from that domain can no longer authenticate through NTLM. This may also affect Kerberos clients in the domain if they drop down to NTLMv2 or NTLM. You can add a new ASA to the namespace at any time to support NTLM and/or NTLMv2 in a new Windows domain.
This is not an issue if the cifs services in from of the namespace all support constrained delegation. You can use show cifs-service all to see all CIFS services, the namespace behind each service, and whether or not the service supports constrained delegation.
For demonstration purposes, there is an alternative to configuring an external ASA: you can use ntlm-auth-db to map a small group of clients to a single set of valid NTLM credentials. The switch uses the back-end credentials to authenticate to CIFS filers.
bstnA(gbl-ns[insur])# ntlm-auth-server server1
Use the protocol command to establish the protocol for accessing the files in this namespace (NFSv2UDP, NFSv3UDP, CIFS, or NFSv3TCP).
nfs2 | nfs3 | cifs | nfs3tcp is a required choice:
nfs2 is NFS version 2 over UDP,
nfs3 is NFS version 3 over UDP,
cifs is CIFS, and
nfs3tcp is NFS version 3 over TCP.
To make any of the above changes after the volume is imported, you must use nsck ... destage, change the protocol with this command, then bring the volume back online with enable (gbl-ns, gbl-ns-vol).
For other protocol changes, such as adding NFSv2 to a running NFSv3 namespace, you must disable the volume (no enable (gbl-ns, gbl-ns-vol)) and its front-end service (no enable (gbl-cifs, gbl-nfs)), change the protocol, then re-enable both. This causes a shorter service outage.
A namespace cannot support both nfs2 and nfs3tcp unless it also supports nfs3.
bstnA(gbl-ns[ns])# protocol nfs2
Use the no form of the command to remove a proxy-user configuration from this namespace.
name (1-32 characters) is the Windows proxy user to associate with the current namespace.
From gbl mode, use the proxy-user command to add a proxy-user configuration to the ARX.
If the proxy user has an FQDN for its windows-domain (gbl-proxy-user), it uses Kerberos to authenticate with back-end filers. If it fails to get a Kerberos ticket, it drops down to NTLMv2, and then (if that fails, too) NTLM.
Use the show proxy-user command to view all configured proxy-users and their associated usernames and Windows domains.
Note: This has no relationship to the proxy-user (gbl-filer) command, which a snapshot-supporting volume uses to log into the filers CLI. This command supports CIFS imports and policy migrations, and the gbl-filer command supports coordinated snapshots. You must assign both types of proxy users to support both features.
bstnA(gbl-ns[medarcv])# proxy-user acoProxy2
Use the remove namespace command to remove a namespace or volume, along with all of its associated metadata and front-end exports.
remove namespace name [volume volume] [timeout seconds] [sync]
name (1-30 characters) identifies the namespace.
volume (optional, 1-1024 characters) focuses on a single volume.
seconds (optional, 300-10,000) sets a time limit for the removal of each namespace (or volume) component.
sync (optional) shows the operations progress at the command line. With this option, the CLI prompt does not return until all components have been removed.
By default, this command generates a report to show all of the actions it takes to remove the volume(s), in order. The CLI shows the report name after you issue the command, and then returns. You can enter CLI commands as the namespace software removes the objects in the background. Use tail to follow the report as it is written. Use show reports file-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. Use the sync option to send the status to the command line instead; the command does not generate a report if you use the sync option.
To remove a namespace and all other configuration objects dedicated to the namespace (including global servers and external filers), use remove service. To remove a share from a volume, use remove-share migrate or remove-share nomigrate. Use the remove namespace ... policy-only command to remove all policy objects (rules, share farms, and/or filesets) from a namespace or volume. The remove namespace ... volume ... exports-only command finds all front-end exports for a volume and removes them, leaving the volume itself intact.
prtlndA# remove namespace insur_bkup sync
Use no sam-reference to allow the namespace to choose the SAM-reference filer. This is appropriate to an installation that only uses globally-defined groups.
sam-reference ext-filer [cluster cluster-name]
ext-filer (1-64 characters) identifies the external filer to use. For a list of configured external filers, use show external-filer.
cluster-name (optional, 1-64 characters) is only relevant if the ARX is part of a disaster-recovery (DR) configuration. In a DR configuration, there is an active ARX cluster with one set of filers and a backup cluster with a mirrored set of filers. This determines which cluster uses this ext-filer for its SAM queries. Run the sam-reference command twice per namespace if you use DR: once to designate the SAM-reference filer for the active cluster, and again to determine the SAM-reference filer at the backup cluster. Use show cluster for a list of configured clusters. If you omit this option, the command assumes that this is the local cluster.
If a single front-end cifs service has exports from more than one namespace, this SAM-reference filer must be the same for all of the exported namespaces. By extension, the single SAM-reference filer must define all the Local Groups behind all of the namespaces behind the CIFS service. (The export (gbl-cifs) command exports a namespace volume through CIFS.)
bstnA(gbl-ns[medarcv])# sam-reference fs2
bstnA(gbl-ns[medarcv])# no sam-reference
Use the show namespace command to show summaries of all namespaces, or to include a single namespace name to view configuration details for that namespace.
show namespace name [volume vol-path [share share-name]]
name (optional, 1-30 characters) identifies the namespace. If you omit this, the output lists all namespaces on the switch.
vol-path (optional, 1-1024 characters) is the name of the volume.
share-name (optional, 1-64 characters) is the name of the share.
all lists details for all configured namespaces.
The show namespace output displays the following fields:
Metadata Cache Size is the internal cache size in MB (512 MB is the default). To change the cache size, use the metadata cache-size command.
Proxy User is the username/password used by the ARX to access back-end CIFS shares. Use the proxy-user (gbl-ns) command to set this.
Filer SMB Signatures describes this namespaces setting for SMB signing, a CIFS security feature. This is Enabled (use SMB signing if and only if the filer requires it), Required (only connect to CIFS filers that agree to use SMB signing), or Not Enabled (only connect to filers that do not require SMB signing). You can change this with the cifs filer-signatures command.
NFS Character Encoding only appears in a namespace that supports NFS. This shows the character encoding used for all file and directory names sent to NFS clients. You can change this with the character-encoding nfs command.
SAM Reference Filer only appears if explicitly set with the sam-reference command. This shows the CIFS filer used to answer all CIFS-client queries to the Security Account Management (SAM) database.
Supported Protocols lists the protocols (NFSv2, CIFS, and so on) supported by the namespace. This is set with the protocol command.
CIFS Authentication appears only for a namespace that supports CIFS:
Protocols is a list of the authentication used (NTLM, NTLMv2, and/or Kerberos). Use cifs authentication to change this setting.
Anonymous Access (IPC$ only) may also appear in this list. This indicates that CIFS clients can access the namespaces IPC$ volume with the anonymous Windows-user account; some scanners/photocopiers require this access for saving files to the namespaces CIFS volumes. You can use the cifs anonymous-access command to change this setting.
None indicates that CIFS clients cannot authenticate to this namespace, and therefore cannot access any of the namespaces storage.
NTLM Servers (only appears if configured) is a list of external authentications servers, set by ntlm-auth-server (gbl-ns).
NTLM Database (only appears if configured) is set by ntlm-auth-db (gbl-ns).
Participating Switches is a list of ARXes that support the namespace. For each switch, the volume groups are shown in parenthesis; this is where the namespace software runs. Before you enable a volume (not after), you can specify its volume group with the volume-group command.
Metadata shares is shown only if the namespace uses a metadata-only share. Use the metadata share command to use a metadata-only share for the namespace. This is a table with the following columns (one row per configured share):
Filer is the IP address or DNS name for the filer,
Backend Path is the filers share name or NFS-export path,
Contains Metadata is yes for the one export that holds metadata, and
Status is the current status of the share. For possible status values, see Guidelines: Import Status below.
Windows Management Authorization Policies appears for namespaces that support CIFS and management by authorized Windows clients. The Microsoft Management Console (MMC) bundled with Windows is a typical interface for remote management. The windows-mgmt-auth (gbl-ns) command assigns a group of authorized clients to a namespace. If any Windows-management-authorization (WMA) groups are assigned to the namespace, they are listed in this table.
Volumes is a list of managed volumes in the namespace. Use the volume command to create a volume.
CIFS: is a list of supported CIFS options, if applicable. The following commands set these options: compressed-files, named-streams, persistent-acls, sparse-files, unicode-on-disk, cifs case-sensitive, and cifs file-system-name.
Volume freespace is the amount of free space advertised to this volumes clients. After the free-space amount is the calculation method for free space: automatic, or manual, or clients use dir-master-only.
automatic - Add up the free space from all shares behind the volume and present the sum to all clients. The namespace volume monitors the back-end-storage ID behind each share; if two or more shares have matching storage IDs (that is, they draw their free space from the same storage pool), only one of the shares has its free space counted. This is the default setting for a new volume.
manual - Add up the free space from all shares, ignoring any shares that draw from the same back-end-storage pool. You can manually eliminate shares from this sum with freespace ignore. You can also adjust the free space that is counted for each share with freespace adjust. Use freespace calculation manual to set this.
clients use dir-master-only - Give the client the free space for the master back-end share only, without adding any any free space from any of the stripe shares in the same volume. The volume chooses the master share when the client connects to the volume through a front-end share or subshare: the volume starts with the root directory of that front-end share, finds the master instance of that directory, and chooses the back-end share that hosts that master directory. This is useful for volumes where directory trees reside only on a single back-end filer most of the time. Use the freespace calculation dir-master-only command to set this.
Volume total space is the sum of total space on all shares behind the volume. This is the actual space. The volumes clients may see different space settings, as determined by the settings above.
CIFS quotas is Enabled if the volume supports path-based quotas on its back-end filers. This indicates that the volume shows free-space values based on these back-end quotas; each client sees his or her space quota, not the entire size of the volume. You can use the freespace cifs-quota command to enable or disable this feature.
Auto Sync Files: Enabled appears only if the volume is permitted to synchronize metadata that is found to be incorrect. This means that certain client-access errors will trigger an auto-sync operation. Use the auto sync files command to enable or disable this feature.
Auto Sync Options: Rename-Files appears only if the volume is permitted to rename files when auto-synchronizing. That is, if auto-sync discovers a file whose name is the same as an already-imported file, this feature allows the volume to rename the newly-discovered file. As above, use the auto sync files command to enable or disable this feature.
Metadata size is the amount of metadata space allotted to this volume.
Metadata free space is the amount of free space left on this volumes metadata share. This does not appear if metadata is stored on the internal disks.
Filer Subshares: Enabled appears only if the filer-subshares flag is enabled. This applies only to managed volumes that support CIFS; it indicates that the volume can pass a client from a CIFS subshare at the front-end service through to the corresponding subshare at the back-end filer. This pass-through mechanism makes it possible to support share-level ACLs for the volumes subshares. The additional text, native-names-only, appears if the filer-subshares command was invoked with a flag of the same name.
Oplock support appears only for volumes that support CIFS. This shows whether or not this volume supports CIFS opportunistic locks (oplocks). This can be Enabled, Disabled, or Automatic, as set by the cifs oplocks-disable command.
Notify-change mode shows the degree of support for the CIFS change notification feature. This is Normal (tell clients only of changes in the top level of the directory requested, ignoring any request to track changes in its subtree), Use Subtree Flag (inform CIFS clients of all back-end file system changes that they request), or No changes sent (silently ignore all client requests for change notification). You can change this with cifs notify-change-mode.
CIFS path cache only appears for volumes that support CIFS. This is Enabled or Not Enabled, depending on the cifs path-cache setting. If enabled, NSM processors keep a cache of the volumes CIFS paths as it learns them. This prevents repetitive queries to the volume process on an ACM processor. Otherwise, NSM processors query the volume process for each CIFS-client request.
CIFS access based enum also appears only for volumes that support CIFS. This is Enabled or Not Enabled, possibly followed by some combination of Auto-Enable, Ignore Metadata Skew, and/or Full Autosync. This output depends on the cifs access-based-enum setting. If enabled, the volume changes its behavior for sending directory listings to its CIFS clients; if a back-end share omits some files or directories, the volume assumes that the omissions are caused by ABE, and makes no attempt at correction. Additionally, the volume only allows a share to import if the share has ABE enabled at its back-end filer; the volume rejects shares with ABE disabled, or automatically enables ABE if the Auto-enable flag is raised. If Not Enabled, the volume presumes that none of its filers have ABE enabled, and therefore may amend a directory listing with omissions.
Snapshots is either Enabled or Not Enabled, depending on whether or not the volume contains at least one snapshot rule.
Migration method: Direct is either Staged or Direct. This indicates the method for migrating files; either performing a network transfer to a staging area first, or performing the transfer directly to the final location. The direct method fails if the migration is interrupted by a snapshot. You can use the policy migrate-method command to change this setting.
State is usually Enabled or Disabled, as set by the enable (gbl-ns, gbl-ns-vol) command. This cycles through several stages during import. The namespace imports the files and directories from back-end storage when you create and enable the volume and its share(s). See Guidelines: Volume State, below, for an explanation of all possible volume states.
Host Switch is the ARX with the volume-group where this volume resides. This is typically the ARX peer where the volume was originally created. If you want to use show volume-group to show this volumes group, run the command on the ARX shown in this field.
Instance is an integer ID for the volume processes.
Volume Group is the volume group where this volumes processes run. Several volumes from the same namespace can run in a given volume group. The volume group is automatically assigned when the volume is enabled. You can optionally use the volume-group command to pre-set the volume group beforehand.
Processor shows the physical CPU where the volume group is currently running. A volume group can fail over between peers in a redundant pair. The processor appears in slot.processor format.
Files is the number of files in the volume, and the file credits that are remaining for the volume. This also shows the maximum possible number of file credits if auto reserve files is set. The auto-reserve feature adds file credits as the volume grows.
Metadata shares is shown only if the volume uses a metadata-only share. Use the metadata share command to use a metadata-only share for the volume. This is a table with the same columns as shown above in Guidelines: Metadata Shares (Namespace).
Share name (s) are the configured shares in the volume. Use the share command to add a share to the volume.
Note: Instead of using show namespace for this information, you can use the shorter show namespace status or show share status command to display share, filer, path, and import status only.
If the share has been designated as a replica-snap share, a replica of one of the other shares that is dedicated to snapshots, [replica-snap] appears next to the share name. Many of the detailed fields (below) do not appear for replica-snap shares because they are irrelevant to snapshots.
Description appears only if someone set a description (gbl-ns, gbl-ns-...) for the share.
Filer is the filer that hosts the back-end share. This is set by the filer command. If [Acopia Namespace] appears after the filer name, the filer is a managed-volume in a direct volume; this shows the namespace name and the Volume Path field (below) shows the volume name.
Volume Path only appears for managed-volume shares in direct volumes. This is the name of the volume behind this direct share, as set by the managed-volume command.
NFS Export is the name of the NFS export at the back-end filer. This is also set by the filer command.
CIFS Share (also set by filer) is the name of the CIFS share at the filer. In a multi-protocol namespace, both the NFS Export and CIFS Share appear for each namespace share.
Features is a list of multi-protocol features supported at the back-end share:
unix-acls (The filer is a NetApp with the cifs.perserve_unix_security option enabled. The NetApp converts Unix security flags into a special CIFS ACL, so that CIFS clients can change the Unix security settings. The volume software records this setting at import time so that it can support those CIFS clients.)
CIFS Maximum Request Size is the maximum size (in bytes) for a CIFS request (other than a write request). This is a maximum found at the back-end filer. This information is for internal use only.
CIFS Access-based Enum is Exclude if someone issued cifs access-based-enum exclude for the share. Otherwise, this field does not appear in the output. The Exclude flag indicates that the filer behind the share cannot support access-based enumeration (ABE), so this share is excluded from the volumes ABE-consistency checking.
SID Translation only appears for a CIFS volume that translates Security IDs (SIDs) for all files migrated to or from this share. This indicates that the filer uses Local Group support, so the SID for each group name is unique at this filer. Use the sid-translation command to enable SID translation for a share.
Ignore SID errors only appears for a volume that supports CIFS. A Yes indicates that the back-end server is configured to return an error for a file or directory with an unknown SID, but accept the file/directory anyway. A No indicates that SID errors from the filer indicate a rejection of the file or directory. You can change this with the ignore-sid-errors command.
Status is the current status of the share. This cycles through several stages during import. The namespace imports the files and directories from back-end storage when you create and enable the share. See Guidelines: Share-Import Status, below.
Volume Root Backing appears if the share is designated to hold new files created in the root of the volume. This is the first share imported into the volume, which is typically the first share configured.
Critical Share appears if the share has been tagged with the critical command. If a redundant switch loses contact with a critical share, it may fail over to its peer switch.
Migrate Retain Files: Yes only appears the share is set to keep copies of all files migrated away from it. The copies are kept in a hidden directory at the root of the share. Use migrate retain-files to edit this setting.
Strict Attr Consistency: No only appears if you disable strict-attribute consistency. This is recommended for multi-protocol (CIFS and NFS) shares, which may have directories with different CIFS-side and NFS-side names. If the volume cannot find the CIFS-side name of a directory, it may not be able to find all of its CIFS attributes. The volume must either rename these directories (see below) or be allowed to operate without strict-attribute consistency; it cannot import the share otherwise. You can use no strict-attribute-consistency to set this.
Import Sync Attributes: Yes only appears if (during import) the volume is allowed to synchronize the attributes of colliding directories in this share. That is, if a directory in this share has the same name as an already-imported directory but different file attributes (such as read/write permissions), the volume can change the attributes. This is strongly recommended for shares in multi-protocol namespaces. Use import sync-attributes to change this.
Import Rename Files: No only appears if (during import) the volume is prevented from renaming collision files in this share. A file is said to collide if it has the same name and path as an already-imported file or directory. Use modify to allow the volume to change files at all during import, and use no import rename-files to disallow file-name changes in this particular share.
Import Skip Managed Check: Yes is another import option. This only appears if someone used import skip-managed-check on this share. It means that the volume will not run a time-consuming test on any of the shares directories during import. The test confirms that the directory is not already managed by another ARX volume.
Import Rename Directories: No only appears if (during import) the volume is prevented from renaming collision directories in this share. Use modify to allow the volume to change directories at all during import, and use no import rename-directories to disallow directory-name changes in this particular share.
Import Rename Non Mappable Directories: Yes only appears if the volume is allowed to rename a multi-protocol directory with a CIFS-side name that is unmappable to the NFS character-encoding. Filers create unintelligible NFS-side names for these files; this indicates that the volume is allowed to rename these directories during import. Use import rename-directories unmapped-unicode to set this.
Import Priority shows the priority for this share over other shares in the same volume. If two shares have a conflicting file or directory and their import priorities are different, the share with the higher priority wins the conflict. The file or directory on the winning share is the master, and the other file or directory may have to change according to one of the import settings above. You can use the import priority command to change the import priority for any given share.
Free space on storage is the remaining space on the share. The expression, (excluded from volume), appears after the number if someone used the freespace ignore command in this share; it means that this shares free space is not being counted toward the volumes free space.
Freespace adjustment only appears if someone used freespace adjust to change the advertised free space for this share. This is the adjustment to the free space advertised for this back-end share. For example, if this is 1024 bytes, the volume adds 1024 bytes to the shares current free space.
Total space on storage is the sum of the shares free space (above) and used space.
Apparent size of storage is the size of the share that is advertised to clients. You can change this with the freespace apparent-size command; this field only appears if that command is set.
Policy Maintain Freespace is the amount of free space to maintain on the share. The policy engine does not migrate files to this share if it drops below this amount of free space. You can change this with the policy freespace (gbl-ns, gbl-ns-vol) command.
Policy Resume Freespace is another free-space threshold for this share. If the share drops below the free-space to maintain (above), the share is ineligible for any more migrations until it rises back up to this resume value. You can change this threshold with the same policy freespace (gbl-ns, gbl-ns-vol) command that you use for the maintain threshold.
Free files on storage (NFS shares only) is the maximum number of files that can be added to the back-end export. All file systems impose a limit on the maximum number of files on a share.
Virtual inodes (NFS direct shares only) is the total number of inodes (files) that can be supported at the direct share.
Transitions shows the number of times that the share has changed from offline to online, or from online to offline.
Last Transition is the date of the last transition.
Last Probe Status only appears if the most-recent probe of the share resulted in a failure. The volume probes the share at regular intervals to confirm its health; if this field appears, the share failed the latest probe and the failure status appears here. This often indicates a problem with the back-end filer or filer connection; contact F5 Support if you see this field and require any guidance.
In the Volumes State field, any of the following messages may appear:
Enabled - Someone used enable (gbl-ns, gbl-ns-vol) to enable the volume. If nothing appears after this, the volume is capable of processing client requests. Otherwise, one of the following messages appears in parenthesis, indicating an interim and/or degraded state:
Waiting for available metadata location - The volume is looking for an available share amongst its configured metadata shares (metadata share).
Insufficient metadata free space all indicate a progressively-worse problem with free space on the volumes metadata share: the free space is below 512 M, 256 M, or 128 M. Each volume requires multiple Gigabytes of space for its metadata. Choose another metadata share for the volume (using nsck ... migrate-metadata), or connect to the metadata share and clear any space outside of any .acopia directories.
Metadata filer failed - The volumes metadata share is offline. The volume cannot function without this share. Check and correct the share at the file server itself. If necessary, use nsck ... migrate-metadata to move the volumes metadata to a new share.
Metadata starting - Volume processing is starting (perhaps after an ARX reboot), and the volume is re-connecting to its metadata share.
No enabled shares - The volume is ready for processing, but none of its shares are running. Use enable (gbl-ns-vol-shr) to enable a share.
Read Only - The volume allows reads but no writes. This might be because it is configured as a shadow volume, or because no one has set the modify flag.
Instance not responding - Volume processing has failed.
Starting - The volumes enabled shares are currently importing files and directories from back-end filers.
Stopping - Someone has issued a no enable (gbl-ns, gbl-ns-vol) command to stop processing in this volume, and the volume is in the process of stopping. You cannot change the volumes configuration until the volume reaches the Disabled state.
Disabled - The volume is fully stopped after someone has issued a no enable (gbl-ns, gbl-ns-vol) command. Clients cannot access this volume. You can make changes to the volumes configuration.
Offline (Migrating Metadata) - The volumes metadata is migrating from one filer to another. The volume comes back online after the migration finishes. You can use the nsck ... migrate-metadata command to migrate the volumes metadata.
In the Shares Status field, the following messages show the progress of a successful import:
Pending (Uninitialized) - The share is configured, but either the volume or the share is not yet enabled. Use the enable (gbl-ns, gbl-ns-vol) command to enable the volume. For a new share in an already-enabled volume, use the enable (gbl-ns-vol-shr) command to enable the share.
Pending Import - Scheduled for import. If this volume supports CIFS and has filer-subshares or cifs access-based-enum enabled, the volume is synchronizing all of the subshares and/or ABE settings it can find on the filers behind it.
Pending Import: Unavailable - The volume lost contact with the filer after the share was scheduled for import. You can use no enable (gbl-ns-vol-shr) on this share to send it to the Offline: Disabled status; this allows an nsck ... rebuild of the volume.
Importing: a items scanned, b items imported - Actively inventorying the back-end storage. Both counters, a and b, are the sum of files and directories.
Import Interrupted - The ARX unexpectedly lost contact with the back-end share/export, disrupting the import process.
Import Paused: Volume Disabled - Someone issued the no enable command while the volume was importing. To restart the import, use the enable (gbl-ns, gbl-ns-vol) command.
Pending Online - The share is nearly online.
Online: Direct - This volume has direct shares, and is ready for client access (no import is required).
Online - Import completed successfully, back-end storage is ready to be used.
Offline: Disabled - either the share or the entire volume is disabled. Use the enable (gbl-ns-vol-shr) command to enable the share; use the enable (gbl-ns, gbl-ns-vol) command to enable the entire volume.
Offline: Unavailable - the volume lost contact with the filer.
Pending Remove - The share has been marked for removal by the no share command. See share.
Preparing Remove: n records visited - The switch is scanning the volumes metadata, separating out the metadata for this particular share and retrieving all master-directory attributes from the back-end filer. The n is the number of files and directories scanned.
Removing: n records visited - The switch is currently removing the share from the namespace. The n is the number of file/directory records that have been removed from the volumes metadata.
Remove Paused: Volume Disabled - the volume was disabled after the removal started. Use the enable (gbl-ns, gbl-ns-vol) command to enable the volume and restart the share removal.
Remove Interrupted - The ARX unexpectedly lost contact with the back-end share/export, disrupting the remove process.
An Error at the beginning of the message indicates the import failed. There are a large number of specific import errors, to help with diagnosis and recovery. See Table 21.1 on page 21-49 for a full list of possible errors and suggestions for troubleshooting each error.
Once the error is corrected, you can use the no share command to remove the share, then share to re-import it. For metadata shares, the entire volume must be re-imported: use the nsck ... rebuild command for the volume.
bstnA# show namespace
bstnA# show namespace medarcv
bstnA# show namespace wwmed
prtlndA# show namespace nemed volume /acctShdw
bstnA# show namespace insur volume /claims
bstnA# show namespace medco volume /vol share generic
bstnA# show namespace
bstnA# show namespace medarcv
bstnA# show namespace wwmed
prtlndA# show namespace nemed volume /acctShdw
bstnA# show namespace insur volume /claims
bstnA# show namespace medco volume /vol share generic
After you correct the problem, use nsck ... rebuild volume to reimport all shares in the volume.
One of the shares directories has a name with Unicode characters that are unsupported by the character-encoding nfs setting. CIFS file names are Unicode and can contain any character, but NFS servers and clients must each configure their character encoding for file names. The volume cannot import a directory with any un-mappable characters in its name.
You can use the import rename-directories unmapped-unicode command to allow the volume to rename such directories during import, or you can rename them manually at the filer. Then restart the share import: enter gbl-ns-vol-shr mode and re use the enable (gbl-ns-vol-shr) command.
A share with a higher import priority has failed its import, so this share cannot import. If any share import fails, the managed volume cannot import any shares with lower import priorities. Find the import error for the failed share(s), look for the error in this table, and take action as directed. This error is resolved as soon as all higher-priority shares successfully import.
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show exports command examine all permission settings at the filer. Use the show ip proxy-addresses command to list all configured proxy IP addresses.
For CIFS shares, the switch uses the namespaces proxy user (username and password). The proxy-user credentials must belong to the Administrators group at every filer behind the namespace. Use the probe exports command to check this. The proxy-user (gbl-ns) command sets the proxy user credentials for a namespace.
After you correct the problem, use nsck ... rebuild volume to reimport all shares in the volume.
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show exports command examine all permission settings at the filer. Use the show ip proxy-addresses command to list all configured proxy IP addresses.
For CIFS shares, the switch uses the namespaces proxy user (username and password). The proxy-user credentials must belong to the Administrators group at every filer behind the namespace. The proxy-user (gbl-ns) command sets the proxy user credentials for a namespace.
The share cannot be found on the external filer. Use the filer command to change the path or share name for this share, then re-enable the share (enable (gbl-ns-vol-shr)) to retry the import.
(CIFS) The volume supports cifs access-based-enum (ABE), and attempted to replicate ABE settings between its back-end shares. This replication process failed. The same process also checks for CIFS subshares (filer-subshares), so you can use sync subshares from-namespace ... tentative to get a full report on this issue.
This often occurs because the ARX does not have proper permissions to check for ABE support on this back-end share. The ARX uses the namespaces proxy user (username and password) as its identity when it checks for ABE support. The proxy-user credentials must belong to the Administrators group at this back-end filer. You can use the proxy-user (gbl-ns) command to choose new proxy user credentials for the namespace.
After you find and fix this issue, use nsck ... rebuild volume to reimport all shares in the volume.
(multi-protocol) The volume software encountered an NFS symbolic link on this back-end share, and the volume has cifs deny-symlinks enabled. You can resolve this issue by using the no cifs deny-symlinks command to allow the volume software to follow these links. Alternatively, you can remove all NFS symbolic links from the back-end share.
After you fix this issue, use nsck ... rebuild volume to reimport all shares in the volume.
(CIFS) The back-end filer returned an unexpected CIFS error during import. The syslog shows the specific error. Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog. You may need to escalate to F5 Support.
(CIFS) The filer returned an unexpected error during the import, and the error indicates a problem at the filer itself. The syslog shows the specific error. (Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog.) Check the filer itself and correct the problem there.
(CIFS) The back-end share returned an error indicating that it does not support a CIFS option that the ARX requires. Consult the F5 Data Solutions Compatibility Matrix (included in this doc set) to confirm that the filer has been qualified for use behind the ARX. If the share cannot possibly support CIFS behind an ARX, you can use no share to remove the share from the volume.
After you fix this issue, use nsck ... rebuild volume to reimport all shares in the volume.
(CIFS) The volume supports filer-subshares and/or cifs access-based-enum (ABE), and attempted to replicate subshares, subshare ACLs, and/or ABE settings between its back-end shares. This replication process, also known as subshare synchronization, failed. As a result, any front-end export of the failed subshare will be degraded. The output of show cifs-service fqdn shows all of the degraded subshares in a given fqdn service.
Use sync subshares from-namespace ... tentative to get a full report on this issue. To repair it, use the sync subshares from-namespace or sync subshares from-service command without the tentative option.
Use the proxy-user command to add or edit these credentials, and use the proxy-user (gbl-ns) command to apply them to a namespace.
You can use show cifs-service open-files to find the open file, close cifs file to close it, and then retry the share import (with enable (gbl-ns-vol-shr)).
Two or more of the volumes shares had common file names that either collided or had NFS/CIFS naming inconsistencies, and this volume disallows import if it encounters either of these problems. As an example of a collision, suppose share A and share B had the same file in the same path, \docs\index.htm: these files would collide. A naming inconsistency can only occur for a directory in a multi-protocol (NFS and CIFS) namespace; the CIFS-side directory name has unicode characters that are inexpressible on the NFS-side (see the documentation for the character-encoding nfs command). The volume must be allowed to modify the directory (or one of the colliding files) for the import to succeed: the directory or file must be renamed.
Using the import report for each share, resolve all file collisions and naming inconsistencies before re-importing. Go to the filers and rename the files, move them, and/or resolve that certain file renames are acceptable. Once the issues are cleared, use the gbl-ns-vol reimport-modify and modify commands to allow modification (renames) on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) To rename inconsistent NFS/CIFS directories, use the import rename-directories unmapped-unicode command, too.
After you correct the problem, use nsck ... rebuild volume to reimport all shares in the volume.
To allow the volume to modify directory attributes on import, you can use modify on the volume and import sync-attributes on the share. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) Then use the enable (gbl-ns-vol-shr) command to retry the import.
This can only occur for NFS-only directories, with names that are illegal in CIFS. If possible, change the directory name(s) so that they are accessible from CIFS. As an alternative, you can use no strict-attribute-consistency to remove the requirement for strict-attribute consistency; this reduces all undiscovered CIFS attributes to zero. Once the volume has stopped importing any shares, you can do this for all shares in the volume. Then restart this share import with the enable (gbl-ns-vol-shr) command.
To allow the volume to correct this by changing the directory name on import, you can use modify on the volume and import rename-directories on the share. Alternatively, you can directly access the filer(s) and correct the problem there. Retry this share import (with enable (gbl-ns-vol-shr)) after you address the issue.
Two or more of the volumes shares had common file/directory names that somehow collided, causing one of the shares to fail its import. The following collisions can cause this failure:
A file or directory in share A has a CIFS case collision with a file or directory on share B, and the volume is set for no cifs case-sensitive. For example, myDir/MYFILE.doc on share A could collide with myDir/myFile.doc on share B.
All duplicate files and naming inconsistencies are recorded in the import reports for the share. These reports are named import.job-id.share-name.share-id.rpt. Use show reports type Imp to list all import reports, and use show reports report-name to read a report.
The share import failed for an undetermined reason. Run the collect diag-info CLI command to collect diagnostic information, then contact F5 Support.
The managed volume software supports a maximum of 1024 hard links per file. One or more files on this back-end share exceed this limit. These files are recorded in the shares import report, named import.job-id.share-name.share-id.rpt. Use show reports type Imp to list all import reports, and use show reports report-name to read a particular report. Then access the filer directly to reduce the number of hard links for all of these files.
After you correct the problem, use nsck ... rebuild volume to reimport all shares in the volume.
After you correct the problem, use nsck ... rebuild volume to reimport all shares in the volume.
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show ip proxy-addresses command to list all configured proxy IP addresses.
For CIFS shares, the switch uses the namespaces proxy user as its identity. The proxy user, created by the proxy-user command, must belong to the Administrators group. The proxy-user (gbl-ns) command sets the proxy user for a namespace.
This indicates permissions problems at the back-end filer. Use the show exports command to examine all permission settings at the filer.
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show ip proxy-addresses command to list all configured proxy IP addresses.
For CIFS shares, the switch uses the namespaces proxy user as its identity. The proxy user, created by the proxy-user command, must belong to the Administrators group. The proxy-user (gbl-ns) command sets the proxy user for a namespace.
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show ip proxy-addresses command to list all configured proxy IP addresses.
For CIFS shares, the switch uses the namespaces proxy user as its identity. The proxy user, created by the proxy-user command, must belong to the Administrators group. The proxy-user (gbl-ns) command sets the proxy user for a namespace.
You can use show cifs-service open-files to find the open file, close cifs file to close it, and then retry the share import (with the enable (gbl-ns-vol-shr) command).
Use the show exports command and/or ping to troubleshoot the connection to the filer. After the filer connection is re-established, you can use the enable (gbl-ns-vol-shr) command to restart the share import.
(CIFS) The namespace supports Kerberos authentication (see cifs authentication), but the namespace software is unable to confirm that the share is configured to support Kerberos, too.
Check the connection to the back-end filer with show exports and/or ping. Restart the import (with enable (gbl-ns-vol-shr)) after you correct the problem.
A file on this share has the same name and path as a file on an already-imported share. To fix this, you can manually go to the filer and rename the file, or you can set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the file on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) You must also have the default settings for import rename-files and import rename-directories on this share.
Check the directory at the back-end share, and rename it so that both versions have the same name. Alternatively, you can set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the directory on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.)
You may also need to set import rename-directories unmapped-unicode for this share; this allows the volume to rename directories whose CIFS names do not map to the character encoding for NFS. Then restart the import with the enable (gbl-ns-vol-shr) command.
A file on this share has the same name and path as a file on an already-imported share. To fix this, you can manually go to the filer and rename the file, or you can set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the file on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) You must also have the default settings for import rename-files and import rename-directories on this share.
Rename the file at the filer share, then use nsck ... rebuild volume to reimport all shares in the volume.
The protocol(s) configured for the back-end share are not actually supported at the filer. Use the show exports command to check the protocols supported by the filer. Use the show global-config namespace command to view the required protocols for the namespace. The share must support all of the namespaces protocols.
You can remove the share from the volume (with no share), or you can add protocol support at the back-end filer. If you add the protocol support to the filer, you can then restart the share import with the enable (gbl-ns-vol-shr) command.
The back-end filer behind this share returned an error that the ARX does not recognize. You can use the show logs syslog command to view the system log and learn more about the circumstances around the failure.
After the issue is resolved, use nsck ... rebuild volume to reimport all shares in the volume.
Use the show exports command and/or ping to check the connection to the filer. Restart the import (with enable (gbl-ns-vol-shr)) after the connection is restored.
This share contains more files than the volume can hold. Use the auto reserve files command to automatically increase the number of files that this volume can hold as the volume grows. If you prefer to manually set the maximum files for the volume, use reserve files to manually increase the maximum. Then restart the share import with the enable (gbl-ns-vol-shr) command.
These errors each indicate an internal software problem. Run the collect diag-info CLI command to collect diagnostic information, then contact F5 Support.
The specific directory and file name appears in a syslog message labeled ERROR_MAX_HASH_COLLISIONS. Use grep ERROR_MAX_HASH_COLLISIONS logs syslog to search for this error in the syslog.
Once the external problem is resolved, use nsck ... rebuild volume to reimport all shares in the volume.
Use nsck ... rebuild volume to re-initialize the metadata share and reimport all shares in the volume.
The switch could not contact the metadata share. Use the show exports command and/or ping to check the connection to the metadata shares filer. The show export command also verifies that the share is accessible by root (for NFS shares) or the namespaces proxy-user (gbl-ns) (for CIFS shares).
(multi-protocol) The NFS character-encoding setting for the namespace does not match the character encoding supported at the filer. If this share was imported, lost NFS files could result. Reset the namespace character encoding (using the character-encoding nfs command) and retry the import. You can use the enable (gbl-ns-vol-shr) command to restart the share import.
(multi-protocol) The filer command specified an NFS export and a CIFS share over two different directory trees. This is unsupported. Retry the command with the correct share and export names, then retry the import with enable (gbl-ns-vol-shr).
(multi-protocol) During import, the volume creates a test file through CIFS and then attempts to delete it through NFS. The volume could read and write the file (as root), but was unable to remove it. This may indicate a permissions problem in the top-level directory for the share. Check the NFS configuration at the back-end share, correct the problem, and retry the import (enable (gbl-ns-vol-shr)).
(NFS) The back-end share does not support the NFS version(s) configured for the external filer. Use the show exports command to check the protocols supported by the filer. Use the filer command to change the configured NFS version(s) for the share/export.
Use the show exports command, expect traceroute, and/or ping to troubleshoot the connection to the filer. After the filer connection is re-established, you can restart the share import with the enable (gbl-ns-vol-shr) command.
(CIFS) A connection error occurred in the middle of a CIFS-permissions test. Use the show exports command, expect traceroute, and/or ping to troubleshoot the connection to the filer. Once the connection is fully restored, you can restart the share import with the enable (gbl-ns-vol-shr) command.
The namespaces proxy-user does not have adequate privileges to write to this CIFS share, so the import failed. The proxy user must belong to the Administrators group on this filer. You can choose new, more-privileged credentials for your proxy user, or you can go to the filer and add the current proxy user to a more-privileged group. The probe exports command can verify that the new proxy-user credentials pass this write test. Then restart the import with the enable (gbl-ns-vol-shr) command.
An administrator issued the cancel import command to stop this share import. You can restart the import with the enable (gbl-ns-vol-shr) command.
For CIFS shares, the switch uses the proxy user for the namespace; the proxy-user (gbl-ns) command sets these credentials. The proxy user must belong to the Administrators group.
(CIFS) The back-end filer returned an unexpected CIFS error during import. The syslog shows the specific error. Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog. You may need to escalate to F5 Support.
After you correct the error, use nsck ... rebuild volume to reimport all shares in the volume.
(multi-protocol) The proxy user is a Windows username and password that the volume can use as its identity for share import and for policy operations. In a multi-protocol (CIFS and NFS) namespace, the proxy user on the Windows side must map to the root user on the UNIX side.
You can select a new proxy user for the namespace with the command. If necessary, map the proxy user to root at the filer itself; the ARX Site Planning Guide has instructions for creating this mapping on common multi-protocol filers.
An administrator failed to remove the share with no share because client-visible files are still present on the share. Use the remove-file-entries option to remove all of the file entries from the volume; this produces a client-visible effect, so do this with caution.
Check your back-end filer configuration: the back-end share should have no-root-squash set for all of the ARXs proxy IP addresses. (On some filers, you accomplish this by mapping the anonymous user to UID 0 (zero).) Use the show exports command to check the filers permission settings. Use the show ip proxy-addresses command to list all configured proxy IP addresses.
(CIFS) The CIFS attributes set for the volume (with compressed-files, named-streams, persistent-acls, sparse-files, and/or unicode-on-disk) are not all supported at the back-end share. Use the show exports command to check the supported CIFS attributes for the share.
You can remove the share from the volume (with no share) or disable the conflicting CIFS attribute(s) in the managed volume. If you elect to keep the share in the volume, use the enable (gbl-ns-vol-shr) command to restart the share import.
(CIFS) The namespace supports Kerberos authentication (see cifs authentication), but this share does not. The share must support extended security negotiations for the import to succeed. Also, the ARX needs the correct service-principal name (SPN) for the filer; you can use show exports ... capabilities to verify that the ARX has discovered the correct SPN for the filer, or you can use the spn command to set it manually.
Each back-end share must support all of the namespaces configured protocols (any combination of NFSv2, NFSv3(/UDP), NFSv3/TCP, and CIFS). Use the show global-config namespace command to view the namespaces protocols.
You can remove the share from the volume (with no share) or enable the missing service(s) at the filer. If you elect to keep the share in the volume, use the enable (gbl-ns-vol-shr) command to restart the share import.
The export name is incorrect in the external-filer configuration. Use the filer command to change the configured name for the share/export.
From gbl-ns-vol-shr mode in the CLI, use no filer to detach from the back-end share. Then choose another back-end path with the filer command, or use no share to remove the share from the volume.
Someone attempted to remove a share (with no filer, no share, remove-share migrate, remove-share nomigrate, or remove service), and an internal error caused the removal to fail. Contact F5 Support if you see this message.
The connection to the back-end CIFS share failed due to possible configuration errors or a broken connection to the back-end filer. Use the show exports command, expect traceroute, and/or ping to troubleshoot the connection to the filer. Once the connection is fully established, you can restart the share import with the enable (gbl-ns-vol-shr) command.
Once the filer issue is corrected, use nsck ... rebuild volume to reimport all shares in the volume.
(CIFS) A file on this share has the same name and path as a file on an already-imported share, based on a case-blind comparison, and the volume is configured with no cifs case-sensitive. That is, some of the characters have differing cases, but the characters match (for example, index.htm matches index.HTM). If the volume is not case-sensitive, it cannot see the difference between the two names.
Set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the file on import. You must wait for all the volumes shares to finish importing before you can use this command.
Use cifs case-sensitive to make the volume case-sensitive.
An administrator stopped the import with the cancel import command. You may be able to restart the import with no enable (gbl-ns-vol-shr) and then enable. If the import was stopped too far in the process, you must first use nsck ... destage to shut down the volume, remove and re-add the share, then enable the volume again.
Internal problem; contact F5 personnel.
The metadata share for the volume failed to import. Use metadata share to designate a new dedicated share for metadata.
The import process was interrupted by an nsck ... rebuild force. The rebuild operation will re-import the share.
Use the filer command to assign a filer to the share, then retry the import.
Use the show namespace mapping command to view the back-end shares behind a namespace.
show namespace mapping namespace volume vol-path
namespace (1-30 characters) focuses on one namespace. Without this, the command displays the shares behind all namespaces.
vol-path (1-1024 characters) focuses on one volume.
Use show server-mapping to show all of the filer shares behind client-side share, from a front-end service such as cifs or nfs.
bstnA# show namespace mapping
bstnA# show namespace mapping wwmed volume /acct
bstnA# show namespace mapping
bstnA# show namespace mapping wwmed volume /acct
Use the show namespace status command to view the import status of a namespace.
show namespace status namespace volume vol-path
show namespace status namespace volume vol-path share share-name
namespace (1-30 characters) identifies a namespace.
vol-path (1-1024 characters) focuses on one volume.
share-name (1-64 characters) narrows the focus to a single share.
all displays status for all namespaces.
Enabled - Available for client access.
Starting indicates that the volume software is starting. This can occur after enabling the volume, after an ARX reload, or after an nsck ... rebuild.
Stopping means that the volume software is shutting down. An nsck ... destage or nsck ... rebuild can cause this.
Migrating shows that the volume is migrating its metadata from one share to another. The nsck ... migrate-metadata command starts a metadata migration.
Disabled indicates that the volume is administratively disabled.
Shares are grouped under their volumes. For each share, this shows the Share name (or metadata-share for a metadata-only share), the name of the external Filer, the NFS Export or CIFS Share behind this namespace share, and the Status of the share. An [rs] appears before a replica-snap share, which holds snapshots of a standard share in the same volume.
In the Status column, the following messages show the progress of a successful import:
Pending - Scheduled for import.
Importing - Actively inventorying the back-end storage.
Online - Import completed successfully, back-end storage is ready to be used. A direct share goes directly to this state.
Disabled means that someone issued a no enable for the share or its volume.
Offline means that the volume lost contact with the back-end filer, or that someone disabled the share with no enable. Use show exports to check the connection with the filer.
Interrupted indicates that the ARX lost contact with the filer during the import.
Error shows that the import failed; use show namespace for a more-detailed error message.
Removing metadata appears when the share is being removed from the namespace. (Use no share, remove-share migrate, or remove-share nomigrate to remove a share.)
Updating Probes occurs after an upgrade to a new software release (see boot system). The initial import of the share used a now-outdated probe to prove that the share is viable for import, so the volume is now running the latest probe test. This status should change to Online very quickly; examine the share with show exports and/or probe exports if this status persists for a long period of time.
Uninitialized means that no one has assigned a filer to the share.
Use the show namespace command for more-detailed progress and error messages.
bstnA# show namespace status all
bstnA# show namespace status wwmed
bstnA# show namespace status wwmed volume /acct
bstnA# show namespace status all
bstnA# show namespace status wwmed
bstnA# show namespace status wwmed volume /acct
If a CIFS service has MMC browsing enabled, only authorized Windows clients can manage the service. You can use the windows-mgmt-auth command to create a Windows-management-authorization (WMA) group, a list of Windows clients with MMC permissions, and then you can use this command to apply one or more such groups to the current namespace.
Use no windows-mgmt-auth to remove a WMA group from the current namespace.
name (1-64 characters) identifies the WMA group.
Each WMA group has special MMC access to the namespace. The Windows clients in the group share the same MMC permissions. All cifs services backed by this namespace (if they have browsing enabled) use the WMA group(s) that you identify with this command.
You can also use WMA groups to manage CIFS-client access to snapshots. Use the permit snapshot monitor (see permit (gbl-mgmt-auth)) command to allow group members to view snapshots, and use the snapshot privileged-access command in any volume where the group(s) should access snapshots.
If a single front-end cifs service has exports from more than one namespace, this set of WMA groups must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s).
bstnA(gbl-ns[medarcv])# windows-mgmt-auth testers
bstnA(gbl-ns[medarcv])# windows-mgmt-auth fullAccess
bstnA(gbl-ns[medarcv])# windows-mgmt-auth readOnly
bstnA(gbl-ns[medarcv])# no windows-mgmt-auth testers