Manage SMB using the CLI

This page provides procedures for setting up an SMB cluster over WEKA filesystems and managing the cluster itself, using the CLI.

Using the CLI, you can manage both SMB-W and legacy SMB:

Show the SMB cluster

Command: weka smb cluster

Use this command to view information about the SMB cluster managed by the WEKA system.

Show the SMB domain configuration

Command: weka smb domain

Use this command to view information about the SMB domain configuration.

Create the SMB cluster

Command: weka smb cluster create

Use the following command line to create a new SMB cluster to be managed by the WEKA system:

weka smb cluster create <netbios-name> <domain> <config-fs-name> [--domain-netbios-name domain-netbios-name] [--idmap-backend idmap-backend] [--default-domain-mapping-from-id default-domain-mapping-from-id] [--default-domain-mapping-to-id default-domain-mapping-to-id] [--joined-domain-mapping-from-id joined-domain-mapping-from-id] [--joined-domain-mapping-to-id joined-domain-mapping-to-id] [--encryption encryption] [--smb-conf-extra smb-conf-extra] [--container-ids container-ids]... [--smb-ips-pool smb-ips-pool]... [--smb-ips-range smb-ips-range]...

The weka smb cluster create command creates an SMB-W cluster. To create a legacy SMB cluster, contact the Customer Success Team.

Parameters

NameValueDefault

netbios-name*

NetBIOS name for the SMB cluster

domain*

The Active Directory domain to join the SMB cluster to

config-fs-name*

domain-netbios-name

Domain NetBIOS name.

The first part of the domain parameter

idmap-backend

The ID mapping method to use. Possible values: rfc2307 or rid

rfc2307

default-domain-mapping-from-id

The first ID of the range for the default AD ID mapping (for trusted domains that have no range defined). Not supported in SMB-W yet.

4290000001

default-domain-mapping-to-id

The last ID of the range for the default AD ID mapping (for trusted domains that have no range defined). Not supported in SMB-W yet.

4291000000

joined-domain-mapping-from-id

The first ID of the range for the main AD ID mapping.

0

joined-domain-mapping-to-id

The last ID of the range for the main AD ID mapping.

4290000000

encryption

The global encryption policy to use:

  • enabled - enables encryption negotiation but doesn't turn it on automatically for supported sessions and share connections.

  • disabled - doesn't support encrypted connections.

  • desired - enables encryption negotiation and turns on data encryption on supported sessions and share connections.

  • required - enforces data encryption on sessions and share connections. Clients that do not support encryption will be denied access to the server.

SMB-W possible values: enabled, desired, required Legacy SMB possible values: enabled, disabled, desired, required

enabled

smb-conf-extra

Additional SMB configuration options.

container-ids

The container IDs of the containers with a frontend process to serve the SMB service. Minimum of 3 containers.

smb-ips-pool

A pool of virtual IPs, used as floating IPs for the SMB cluster to provide HA to clients.

These IPs must be unique; do not assign these IPs to any host on the network. Format: comma-separated IP addresses.

smb-ips-range

A range of virtual IPs, used as floating IPs for the SMB cluster to provide HA to clients.

These IPs must be unique; do not assign these IPs to any host on the network. Format: A.B.C.D-E Example: 10.10.0.1-100

To enable HA through IP takeover, all IPs must reside on the same subnet.

The floating IPs configured but MUST NOT be in use by any other application/server in the subnet, including WEKA system management nodes, WEKA system IO nodes, or WEKA system NFS floating IPs. Setting a list of SMB floating IPs in all-cloud installations is impossible due to cloud provider network limitations. In this case, the SMB service must be accessed by using the primary addresses of the cluster nodes.

The --smb-ips parameter must accept the virtual IPs that the SMB cluster exposes. To mount the SMB cluster in an high-availability manner, clients must be connected through one of the exposed virtual IPs, thereby ensuring that they automatically reconnect if one of the SMB containers fail.

If setting the global options to the SMB library is required, contact the Customer Success Team.

Example:

weka smb cluster create wekaSMB mydomain --container-ids 0,1,2,3,4 --smb-ips-pool 1.1.1.1,1.1.1.2 --smb-ips-range 1.1.1.3-5

In this example of a full command, an SMB cluster is configured over the WEKA system containers 0-4. The SMB cluster is called wekaSMB,the domain name is called mydomain, and is directed to use virtual IPs 1.1.1.1 to 1.1.1.5.

Update the SMB cluster

Command: weka smb cluster update

Use the following command line to update an existing SMB cluster:

weka smb cluster update [--encryption encryption] [--smb-ips-pool smb-ips-pool]... [--smb-ips-range smb-ips-range]

Parameters

NameValue

encryption

The global encryption policy to use:

  • enabled: enables encryption negotiation but doesn't turn it on automatically for supported sessions and share connections.

  • disabled: doesn't support encrypted connections.

  • desired: enables encryption negotiation and turns on data encryption on supported sessions and share connections.

  • required: enforces data encryption on sessions and share connections. Clients that do not support encryption are denied access to the server.,

Possible values in SMB-W: enabled, desired, required Possible values in legacy SMB: enabled, disabled, desired, required

smb-ips-pool

A pool of virtual IPs, used as floating IPs for the SMB cluster to provide HA to clients.

These IPs must be unique; do not assign these IPs to any host on the network. Format: comma-separated IP addresses.

smb-ips-range

A range of public IPs is used as floating IPs to provide high availability for the SMB cluster to serve the SMB clients. These IPs must be unique; do not assign these IPs to any host on the network. Format: A.B.C.D-E Example: 10.10.0.1-100

Check the status of SMB cluster readiness

Command: weka smb cluster status

The SMB cluster is comprised of three to eight SMB containers. Use this command to check the status of the SMB containers that are part of the SMB cluster. Once all the SMB containers are prepared and ready, it is possible to join an SMB cluster to an Active Directory domain.

Join an SMB cluster in Active Directory

Command: weka smb domain join

Use the following command line to join the SMB cluster to an Active Directory domain:

weka smb domain join <username> <password> [--server server] [--create-computer create-computer]

Ensure the AD servers are resolvable to all WEKA servers. This resolution enables the WEKA servers to join the AD domain.

Parameters

NameValueDefault

username*

Name of an AD user with permission to add a server to the domain.

password*

The password of the AD user. This password is not retained or cached.

server

WEKA identifies the AD server automatically based on the AD name. You do not need to set the server name. In some cases, if required, specify the AD server. Not applicable for SMB-W yet.

The AD server is automatically identified based on the AD name.

create-computer

The default AD organizational unit (OU) for the computer account is the Computers directory. You can define any OU to create the computer account in - that the joining account has permissions to - such as SMB Servers or Corporate Computers. Not applicable for SMB-W yet.

The Computers directory.

To join an existing SMB cluster to another Active Directory domain, leave the current Active Directory using the following command line:

weka smb domain leave <username> <password>

On completion of this operation, it is possible to join the SMB cluster to another Active Directory domain.

Delete an SMB cluster

Command: weka smb cluster destroy

Use this command to destroy an SMB cluster managed by the Weka system.

Deleting an existing SMB cluster managed by the WEKA system does not delete the backend WEKA filesystems but removes the SMB share exposures of these filesystems.

Add or remove SMB cluster containers

Command: weka smb cluster containers add

Command: weka smb cluster containers remove

Use these commands to add or remove containers from the SMB cluster.

weka smb cluster containers add [--containers-id containers-id]...

weka smb cluster containers remove [--containers-id containers-id]...

This operation might take some time to complete. During that time, SMB IOs are stalled.

Parameters

NameValue

containers-id*

Container IDs of containers with a frontend process to serve the SMB service. Specify a comma-separated list with a minimum of 3 containers.

Configure trusted domains

List trusted domains

Command: weka smb cluster trusted-domains

Use this command to list all the configured trusted domains and their ID ranges.

Add trusted domains

Command: weka smb cluster trusted-domains add

Use the following command line to add an SMB trusted domain:

weka smb cluster trusted-domains add <domain-name> <from-id> <to-id>

Parameters

NameValue

domain-name*

The name of the domain to add.

from-id*

The first ID of the range for the domain ID mapping. The range cannot overlap with other domains.

to-id*

The last ID of the range for the domain ID mapping. The range cannot overlap with other domains

Remove trusted domains

Command: weka smb cluster trusted-domains remove

Use the following command line to remove an SMB-trusted domain:

weka smb cluster trusted-domains remove <domain-id>

Parameters

NameValue

domain-id*

The internal ID of the domain to remove

List SMB shares

Command: weka smb share

Use this command to list all existing SMB shares.

Add an SMB share

Command: weka smb share add

Use the following command line to add a new share to be exposed by SMB. Ensure the SMB cluster is joined to the Active Directory. For details, see Join an SMB cluster in Active Directory.

weka smb share add <share-name> <fs-name> [--description description] [--internal-path internal-path] [--file-create-mask file-create-mask] [--directory-create-mask directory-create-mask] [--obs-direct obs-direct] [--encryption encryption] [--read-only read-only] [--user-list-type user-list-type] [--users users]... [--allow-guest-access allow-guest-access] [--hidden hidden]

The mount mode for the SMB share is readcache and cannot be modified.

Parameters

NameValueDefault

share-name*

Valid name of the share to add. SMB-W: you cannot create the same share name with different case insensitivity.

fs-name*

Valid name of the filesystem to share. A filesystem with Required Authentication set to ON cannot be used for SMB share.

description

The description of the share received in remote views.

internal-path

The internal valid path within the filesystem (relative to its root) which will be exposed.

.

file-create-mask

POSIX permissions for the file created through the SMB share. Numeric (octal) notation. Maximum value: 0777.

0744

directory-create-mask

POSIX permissions for directories created through the SMB share. Numeric (octal) notation. Maximum value: 0777. SMB-W: the specified string must be greater or equal to 0600.

0755

acl

off

obs-direct

A special mount option to bypass the time-based policies.

off

encryption

The share encryption policy.

cluster_default: The share encryption policy follows the global SMB cluster setting.

desired: If negotiation is enabled globally, it turns on data encryption for this share for clients that support encryption.

required: Enforces encryption for the shares. Clients that do not support encryption are denied when accessing the share. If the global option is disabled, the access is restricted to these shares for all clients.

Possible value for SMB-W: cluster_default Possible values for legacy SMB: cluster_default , desired, required

cluster_default

read-only

Sets the share as read-only. Users cannot create or modify files in this share.

Possible values: on, off

off

user-list-type

The type of initial permissions list for users. Possible values: read_only : List of users who have been denied write access to the share, regardless of the read-only setting. read_write: List of users given write access to the share, regardless of the read-only setting.

valid : List of users that are allowed to log in to this share (empty list = all users are allowed) invalid - list of users that are not allowed to log in to this share

users

A list of users to use with the user-list-type list.

Format: Domain short name followed by group name, for example WEKAAD\internalShareUsers Possible values: Up to 8 users/groups for all lists combined per share.

Empty list

allow-guest-access

Allows connecting to the SMB service without a password. Permissions are as the nobody user account permissions. Possible values: on, off

off

hidden

Sets the share as non-browsable. It will be accessible for mounting and IOs but not discoverable by SMB clients. Possible values: on, off

off

If it is necessary to set a share with specific options to the SMB library, contact the Customer Success Team.

Example: The following is an example for adding users to a share mounted on a filesystem named "default":

weka smb share add rootShare default weka smb share add internalShare default --internal-path some/dir --description "Exposed share"

In this example, the first SMB share added has the WEKA system share for default. The second SMB share has internal for default.

Update SMB shares

Command: weka smb share update

Use the following command line to update an existing share:

weka smb share update <share-id> [--encryption encryption] [--read-only read-only] [--allow-guest-access allow-guest-access] [--hidden hidden]

SMB-W does not yet support share updates.

Parameters

NameValue

share-id*

A valid share ID to update.

encryption

The share encryption policy:

desired: turns on data encryption for this share for clients that support encryption if negotiation has been enabled globally.

required: enforces encryption for the shares. Clients that do not support encryption are denied access to the share. If the global option is set to disabled, the access is denied to these shares for all clients. Possible values: cluster_default, desired, required

read-only

Mount the SMB share as read-only.

Possible values: on, off

allow-guest-access

Allow guest access.

Possible values: on, off

hidden

Hide the SMB share.

Possible values: on, off

Control SMB share user-lists

SMB-W does not yet support share user-lists.

Command: weka smb share lists show

Use this command to view the various user-list settings.

Command: weka smb share lists add

Use the following command line to add users to a share user-list:

weka smb share lists add <share-id> <user-list-type> <--users users>...

Parameters

NameValue

share-id*

The ID of the share to update.

user-list-type*

The type of permissions list for users: read_only: list of users that do not get write access to the SMB share, regardless of the read-only setting. read_write: list of users get write access to the SMB share, regardless of the read-only setting. valid: list of users allowed to log in to this SMB share service (an empty list means all users are allowed). invalid: list of users that are not allowed to log in to this share SMB service.

users*

A comma-separated list of users to add to the user-list-type list. Can use the @ notation to allow groups of users. For example, root, Jack, @domain\admins. You can set up to 8 users/groups for all lists combined per share.


Command: weka smb share lists remove

Use the following command line to remove users from a share user-list:

weka smb share lists remove <share-id> <user-list-type> <--users users>...

Parameters

NameValue

share-id*

The ID of the share to be updated.

user-list-type*

The type of permissions list for users: read_only: list of users that do not get write access to the SMB share, regardless of the read-only setting. read_write: list of users get write access to the SMB share, regardless of the read-only setting. valid: list of users allowed to log in to this SMB share service (an empty list means all users are allowed). invalid: list of users not allowed to log in to this SMB share service.

users*

A comma-separated list of users to remove from the user-list-type list. Can use the @ notation to allow groups of users, e.g. root, Jack, @domain\admins. You can set up to 8 users/groups for all lists combined per share.


Command: weka smb share lists reset

Use the following command line to remove all users from a share user-list:

weka smb share lists reset <share-id> <user-list-type>

Parameters

NameValue

share-id*

The ID of the share to be updated

user-list-type*

The type of permissions list to reset: read_only: list of users that do not get write access to the SMB share, regardless of the read-only setting. read_write: list of users get write access to the SMB share, regardless of the read-only setting. valid: list of users allowed to log in to this SMB share service (an empty list means all users are allowed). invalid: list of users not allowed to log in to this SMB share service.

Remove SMB shares

Command: weka smb share remove

Use the following command line to remove a share exposed to SMB:

weka smb share remove <share-id>

Parameters

NameValue

share-id*

The ID of the share to remove.

Example: The following is an example of removing an SMB share defined as ID 1:

weka smb share remove 1

Control SMB access based on hosts' IP/name

It is possible to control which hosts are permitted to access the SMB service or share.

SMB-W supports access based only on the host IP addresses (but not host names).

Command: weka smb cluster host-access list

weka smb share host-access list

Use this command to view the various host access settings.

Command: weka smb cluster host-access add

weka smb share host-access add

Use the following command line to add a host to the allow/deny list (at either cluster level or share level):

weka smb cluster host-access add <mode> <--ips ips> <--hosts hosts>

weka smb share host-access add <share-id> <mode> <--ips ips> <--hosts hosts>

Parameters

NameValue

share-id*

The ID of the share to update. Mandatory for the share-level command.

mode*

The access mode of the host. Possible values: allow, deny

ips

A comma-separated list of host IP addresses to allow or deny. Must provide at least one of the IP addresses. Format example for multiple IPs: 192.

192.168. 192.168.1 192.168.1.1/24 192.168.1.2, 192.168.1.2

hosts

Host names to allow/deny. Must provide at least one of the hostnames. A comma-separated list of hostnames. Not supported on SMB-W.

Command: weka smb cluster host-access remove / weka smb share host-access remove

Use the following command line to remove hosts from the allow or deny list (at either cluster level or share level):

weka smb cluster host-access remove <hosts>

weka smb share host-access remove <share-id> <hosts>

Parameters

NameValue

share-id*

The ID of the share to be updated. Mandatory for the share-level command

hosts*

The hosts to remove from the host-access list. Space-separated list of hosts. It must be the exact name as shown under the HOSTNAME column in the equivalent list command.

Command: weka smb cluster host-access reset

weka smb share host-access reset

Use the following command line to remove all containers from the allow or deny list (at either cluster level or share level):

weka smb cluster host-access reset <mode>

weka smb share host-access reset <share-id> <mode>

Parameters

NameValue

share-id*

The ID of the share to update. Mandatory for the share-level command.

mode*

All hosts with this access mode will be removed from the list. Possible values: allow, deny

Last updated