NEX-9808 SMB3 persistent handles
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-15425 rework share man pages
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-5273 SMB 3 Encryption
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
@@ -455,398 +455,10 @@
unshare(1M) functionality. By default, the unshare is temporary.
The -p option is provided to remove the share from the
configuration in a way that persists across reboots.
- Supported Properties
- Properties are protocol-specific. Currently, only the NFS and SMB
- protocols are supported. Properties have the following characteristics:
-
- o Values of type boolean take either true or false.
-
- o Values of type value take a numeric value.
-
- o Values of type file take a file name and not a file path.
-
- o Values of type access-list are described in detail following
- the descriptions of the NFS properties.
-
-
- The general properties supported for NFS are:
-
- abe=boolean
-
- Set the access-based enumeration (ABE) policy for a share. When
- set to true, ABE filtering is enabled on this share and directory
- entries to which the requesting user has no access will be omitted
- from directory listings returned to the client. When set to false
- or not defined, ABE filtering will not be performed on this share.
- This property is not defined by default.
-
- disabled
-
- Disable ABE for this share.
-
-
- enabled
-
- Enable ABE for this share.
-
-
-
- aclok=boolean
-
- Allows the NFS server to do access control for NFS Version 2
- clients (running SunOS 2.4 or earlier). When aclok is set on the
- server, maximum access is given to all clients. For example, with
- aclok set, if anyone has read permissions, then everyone does. If
- aclok is not set, minimum access is given to all clients.
-
-
- ad-container
-
- Specifies the AD container in which to publish shares.
-
- The AD container is specified as a comma-separated list of
- attribute name-value pairs using the LDAP distinguished name (DN)
- or relative distinguished name (RDN) format. The DN or RDN must be
- specified in LDAP format using the cn=, ou=, and dc= prefixes:
-
- o cn represents the common name
-
- o ou represents the organizational unit
-
- o dc represents the domain component
- cn=, ou= and dc= are attribute types. The attribute type used to
- describe an object's RDN is called the naming attribute, which, for
- ADS, includes the following object classes:
-
- o cn for the user object class
-
- o ou for the organizational unit (OU) object class
-
- o dc for the domainDns object class
-
-
- anon=uid
-
- Set uid to be the effective user ID of unknown users. By default,
- unknown users are given the effective user ID UID_NOBODY. If uid is
- set to -1, access is denied.
-
-
- catia=boolean
-
- CATIA V4 uses characters in file names that are considered to be
- invalid by Windows. CATIA V5 is available on Windows. A CATIA V4
- file could be inaccessible to Windows clients if the file name
- contains any of the characters that are considered illegal in
- Windows. By default, CATIA character substitution is not performed.
-
- If the catia property is set to true, the following character
- substitution is applied to file names.
-
- CATIA CATIA
- V4 UNIX V5 Windows
- " \250 0x00a8 Dieresis
- * \244 0x00a4 Currency Sign
- / \370 0x00f8 Latin Small Letter O with Stroke
- : \367 0x00f7 Division Sign
- < \253 0x00ab Left-Pointing Double Angle Quotation Mark
- > \273 0x00bb Right-Pointing Double Angle Quotation Mark
- ? \277 0x00bf Inverted Question Mark
- \ \377 0x00ff Latin Small Letter Y with Dieresis
- | \246 0x00a6 Broken Bar
-
-
-
-
- cksum=cksumlist
-
- Set the share to attempt to use end-to-end checksums. The value
- cksumlist specifies the checksum algorithms that should be used.
-
-
- csc=value
-
- Set the client-side caching policy for a share. Client-side caching
- is a client feature and offline files are managed entirely by the
- clients.
-
-
- The following are valid values for the csc property:
-
- o manual - Clients are permitted to cache files from the
- specified share for offline use as requested by users.
- However, automatic file-by-file reintegration is not
- permitted. manual is the default value.
-
- o auto - Clients are permitted to automatically cache
- files from the specified share for offline use and file-
- by-file reintegration is permitted.
-
- o vdo - Clients are permitted to automatically cache files
- from the specified share for offline use, file-by-file
- reintegration is permitted, and clients are permitted to
- work from their local cache even while offline.
-
- o disabled - Client-side caching is not permitted for this
- share.
-
-
- guestok=boolean
-
- Set the guest access policy for the share. When set to true guest
- access is allowed on this share. When set to false or not defined
- guest access is not allowed on this share. This property is not
- defined by default.
-
- An idmap(1M) name-based rule can be used to map guest to any local
- username, such as guest or nobody. If the local account has a
- password in /var/smb/smbpasswd the guest connection will be
- authenticated against that password. Any connection made using an
- account that maps to the local guest account will be treated as a
- guest connection.
-
- Example name-based rule:
-
- # idmap add winname:Guest unixuser:guest
-
-
-
-
- index=file
-
- Load file rather than a listing of the directory containing this
- file when the directory is referenced by an NFS URL.
-
-
- log=tag
-
- Enables NFS server logging for the specified system. The optional
- tag determines the location of the related log files. The tag is
- defined in etc/nfs/nfslog.conf. If no tag is specified, the default
- values associated with the global tag in etc/nfs/nfslog.conf is
- used. Support of NFS server logging is available only for NFS
- Version 2 and Version 3 requests.
-
-
- nosub=boolean
-
- Prevents clients from mounting subdirectories of shared
- directories. For example, if /export is shared with the nosub
- option on server wool then an NFS client cannot do:
-
- # mount -F nfs wool:/export/home/mnt
-
-
- NFS Version 4 does not use the MOUNT protocol. The nosub option
- applies only to NFS Version 2 and Version 3 requests.
-
-
- nosuid=boolean
-
- By default, clients are allowed to create files on a shared file
- system with the setuid or setgid mode enabled. Specifying nosuid
- causes the server file system to silently ignore any attempt to
- enable the setuid or setgid mode bits.
-
-
- public=boolean
-
- Moves the location of the public file handle from root (/) to the
- exported directory for WebNFS-enabled browsers and clients. This
- option does not enable WebNFS service; WebNFS is always on. Only
- one file system per server can have the public property. You can
- apply the public property only to a share and not to a group.
-
-
-
- NFS also supports negotiated optionsets for supported security modes.
- The security modes are documented in nfssec(5). The properties
- supported for these optionsets are:
-
- charset=access-list
-
- Where charset is one of: euc-cn, euc-jp, euc-jpms, euc-kr, euc-tw,
- iso8859-1, iso8859-2, iso8859-5, iso8859-6, iso8859-7, iso8859-8,
- iso8859-9, iso8859-13, iso8859-15, koi8-r.
-
- Clients that match the access-list for one of these properties will
- be assumed to be using that character set and file and path names
- will be converted to UTF-8 for the server.
-
-
- ro=access-list
-
- Sharing is read-only to the clients listed in access-list;
- overrides the rw suboption for the clients specified. See the
- description of access-list below.
-
-
- rw=access-list
-
- Sharing is read-write to the clients listed in access-list;
- overrides the ro suboption for the clients specified. See the
- description of access-list below.
-
-
- none=access-list
-
- Access is not allowed to any client that matches the access list.
- The exception is when the access list is an asterisk (*), in which
- case ro or rw can override none.
-
-
- root=access-list
-
- Only root users from the hosts specified in access-list have root
- access. See details on access-list below. By default, no host has
- root access, so root users are mapped to an anonymous user ID (see
- the anon=uid option described above). Netgroups can be used if the
- file system shared is using UNIX authentication (AUTH_SYS).
-
-
- root_mapping=uid
-
- For a client that is allowed root access, map the root UID to the
- specified user id.
-
-
- window=value
-
- When sharing with sec=dh (see nfssec(5)), set the maximum lifetime
- (in seconds) of the RPC request's credential (in the authentication
- header) that the NFS server allows. If a credential arrives with a
- lifetime larger than what is allowed, the NFS server rejects the
- request. The default value is 30000 seconds (8.3 hours). This
- property is ignored for security modes other than dh.
-
-
-
- The general properties supported for SMB are:
-
- ro=access-list
-
- Sharing is read-only to the clients listed in access-list;
- overrides the rw suboption for the clients specified. See the
- description of access-list below.
-
-
- rw=access-list
-
- Sharing is read-write to the clients listed in access-list;
- overrides the ro suboption for the clients specified. See the
- description of access-list below.
-
-
- none=access-list
-
- Access is not allowed to any client that matches the access list.
- The exception is when the access list is an asterisk (*), in which
- case ro or rw can override none.
-
-
- Access List Argument
- The access-list argument is either the string "*" to represent all
- hosts or a colon-separated list whose components can be any number of
- the following:
-
- hostname
-
- The name of a host. With a server configured for DNS or LDAP naming
- in the nsswitch.conf(4) hosts entry, a hostname must be represented
- as a fully qualified DNS or LDAP name.
-
-
- netgroup
-
- A netgroup contains a number of hostnames. With a server configured
- for DNS or LDAP naming in the nsswitch.conf(4) hosts entry, any
- hostname in a netgroup must be represented as a fully qualified DNS
- or LDAP name.
-
-
- domainname.suffix
-
- To use domain membership the server must use DNS or LDAP, rather
- than, for example, NIS, to resolve hostnames to IP addresses. That
- is, the hosts entry in the nsswitch.conf(4) must specify dns or
- ldap ahead of nis, because only DNS and LDAP return the full domain
- name of the host. Other name services, such as NIS, cannot be used
- to resolve hostnames on the server because, when mapping an IP
- address to a hostname, they do not return domain information. For
- example, for the IP address 172.16.45.9:
-
- NIS
-
- Returns: myhost
-
-
- DNS or LDAP
-
- Returns: myhost.mydomain.mycompany.com
-
- The domain name suffix is distinguished from hostnames and
- netgroups by a prefixed dot. For example:
-
- rw=.mydomain.mycompany.com
-
- A single dot can be used to match a hostname with no suffix. For
- example, the specification:
-
- rw=.
-
- ...matches mydomain but not mydomain.mycompany.com. This feature
- can be used to match hosts resolved through NIS rather than DNS and
- LDAP.
-
-
- network
-
- The network or subnet component is preceded by an at-sign (@). It
- can be either a name or a dotted address. If a name, it is
- converted to a dotted address by getnetbyname(3SOCKET). For
- example:
-
- =@mynet
-
- ...is equivalent to:
-
- =@172.16 or =@172.16.0.0
-
- The network prefix assumes an octet-aligned netmask determined from
- the zeroth octet in the low-order part of the address up to and
- including the high-order octet, if you want to specify a single IP
- address. In the case where network prefixes are not byte-aligned,
- the syntax allows a mask length to be specified explicitly
- following a slash (/) delimiter. For example:
-
- =@theothernet/17 or =@172.16.132/22
-
- ...where the mask is the number of leftmost contiguous significant
- bits in the corresponding IP address.
-
-
-
- A prefixed minus sign (-) denies access to a component of access-list.
- The list is searched sequentially until a match is found that either
- grants or denies access, or until the end of the list is reached. For
- example, if host terra is in the netgroup engineering, then:
-
- rw=-terra:engineering
-
-
-
- ...denies access to terra, but:
-
- rw=engineering:-terra
-
-
-
- ...grants access to terra.
-
EXIT STATUS
0
Successful completion.
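Review bot: removing the whole "Supported Properties" and "Access List Argument" text leaves sharemgr(1M) with no in-body pointer to where property syntax is documented. Add a short paragraph where the section heading was that names sharenfs(5), sharesmb(5) and shareacl(5), so a reader setting properties is not left to find them in SEE ALSO. Before this text goes, confirm the destination pages keep the access-control semantics stated here: the sequential first-match rule for access-list ("rw=-terra:engineering" denies terra, "rw=engineering:-terra" grants it), anon=-1 denying access, and the guestok behaviour around /var/smb/smbpasswd. The removed list headed "The general properties supported for NFS are:" also mixes in SMB properties (abe, ad-container, catia, csc, guestok), writes "etc/nfs/nfslog.conf" without a leading slash, and appears to be missing a space before the mount point in "wool:/export/home/mnt"; fix these in the new pages rather than carrying them over.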
@@ -875,11 +487,11 @@
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
- idmap(1M), sharectl(1M), zfs(1M), attributes(5), nfssec(5), smf(5),
- standards(5)
+ idmap(1M), sharectl(1M), zfs(1M), attributes(5), nfssec(5),
+ shareacl(5), sharenfs(5), sharesmb(5), smf(5), standards(5)
- February 25, 2017 SHAREMGR(1M)
+ September 5, 2017 SHAREMGR(1M)
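Review bot: the updated SEE ALSO still lists idmap(1M) and nfssec(5), whose only citations visible in this diff were in the property text removed by the previous hunk (the guestok name-based rule and the "security modes are documented in nfssec(5)" sentence). If nothing else in the page cites them, drop them here and make sure sharesmb(5) and sharenfs(5) carry those references instead; if they are kept deliberately, that is fine, but then getnetbyname(3SOCKET) and nsswitch.conf(4) from the removed access-list text need the same check in shareacl(5).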