Creating a CIFS Share

This section describes how to share namespaces in CIFS mode so that users can access the namespaces.

Procedure

Choose Resources > Resources > Share > CIFS Share.
Select a desired account from the Account drop-down list in the upper left corner.
Click Create.
The Create CIFS Share page is displayed on the right.

Set basic CIFS share parameters.

Table 1 describes related parameters.

**Table 1** Basic CIFS share parameters
Parameter	Description
Share Name	Name of the share, to be used by users to access shared resources. [Value range] The name must be unique. The share name cannot contain characters " / \ [ ] : \| < > + ; , ? * = #, start or end with a space, or be reserved name ipc$, autohome, ~, or print$. NOTE: ipc$ is a resource that shares named pipes. A named pipe is one of the mechanisms of inter-process communication. autohome is a share name reserved for the autohome share. ~ is a symbol reserved for the autohome share. print$ is a shared printer. The name contains 1 to 80 characters. NOTE: By default, an ADMIN share named c$ is created. The c$ share has the following characteristics: Its share path is root directory /, and Permission Level of it is Full control for administrators. Each time an account is created, a c$ share is automatically created for this account. You cannot delete it but can add new user permissions for it. You can view or modify the attributes of the c$ share. For example, on Windows Management Console (MMC), you can modify the description and offline settings of the c$ share. On MMC, you can use the c$ share to browse namespaces and dtrees and directly select a namespace or dtree to create a share without manually entering the share path.
Namespace	Namespace for which you want to create a CIFS share. NOTE: If the selected namespace is the secondary resource in a remote replication pair, data in the namespace is probably being modified when it is accessed. Before performing this operation, confirm that the application allows possible data inconsistency.
Dtree	Dtree for which you want to create a CIFS share. If you do not select a dtree, the CIFS share is created for the entire namespace.

Set advanced properties of the CIFS share. Click Advanced.

Table 2 describes related parameters.

**Table 2** Advanced parameters of the CIFS share
Parameter	Description
Description	Description of the CIFS share. NOTE: The description can be left blank or contain up to 255 characters.
Create Default ACL	Determine whether to add a default ACL. This function creates a default ACL (full control rights to everyone; applied to the current directory, its subdirectories, and files in them) for a shared CIFS root directory if the directory has no ACL. You can change the default ACL in follow-up operations. To retain the UNIX mode bits, disable this function.
Notify	After this function is enabled, a client's modification operations on a directory, such as adding a directory, adding a file, modifying the directory, and modifying a file, can be detected by other clients that are accessing this directory or the parent directory of this directory. Results of the modification operations are displayed after the page is automatically refreshed.
Continuously Available	This option is used to enable or disable the SMB Failover feature. NOTE: The SMB Failover feature takes effect only after you enable the Oplock configuration item and run command change service cifs smb_global_ca_enable= yes on the CLI to enable the SMB service continuity function for tenants.
SMB3 Encryption	Determine whether to enable SMB3 encryption. After this function is enabled, the system encrypts the share to ensure data security, but performance deteriorates. NOTICE: Enabling this function affects SMB3 service performance. Check whether this function needs to be enabled. After SMB3 encryption is enabled, only SMB3 clients can access shares by default.
Unencrypted Client Access	After this function is enabled, clients that do not have encryption capabilities can access the share. NOTICE: After this function is enabled, clients of earlier versions (for example, Windows 7) are allowed to access shares where SMB3 encryption is enabled in plaintext. Check whether this function needs to be enabled. This function takes effect only after the SMB3 encryption function is enabled.
Oplock	Opportunistic locking (oplock) is a mechanism used to improve client access efficiency and locally buffer files before they are sent to shared storage. This function is not recommended in the following scenarios: Scenarios that have high requirements for data integrity. If oplock is enabled in such scenarios, the local cache of the client may be lost due to network interruption or client faults. If the upper-layer service software does not have a mechanism to ensure data integrity, recovery, or retry, data loss may occur. Scenarios where multiple clients access the same file. If oplock is enabled in such scenarios, system performance will be adversely affected. NOTE: Oplock for a share takes effect only when both oplock for the account and oplock for the share are enabled.
Lease	Lease allows a client to lock a file using a lease key, and the file locking can be canceled by the server. NOTE: Only clients of SMB 2.1 and later versions support lease. Run the change service cifs enable_leasev2=yes command to enable lease. Lease for a share takes effect only when both lease for the account and lease for the share are enabled.
ABE	Access-based enumeration. Enabling this function hides files and folders that users do not have permissions to access. NOTE: SMB2 and SMB3 support the ABE function, but SMB1 does not.
Show Previous Version	After the function of displaying previous versions is enabled, a client can display previous versions and supports version rollback.

Select user or user groups that can access the CIFS share.

In the Permission area, click Add.
The Add User or User Group page is displayed.
Select the type of the users or user groups.
The value can be Everyone, Local Windows authentication user, Local Windows authentication user group, AD domain user, or AD domain user group.
- If you select Local Windows authentication user or Local Windows authentication user group, select the users or user groups to be added from the list.
- If you select AD domain user or AD domain user group, enter the names of the users or user groups in Name.
  - A domain user name is in the format of Domain name\Domain user name and a domain user group name is in the format of Domain name\Domain user group name.
  - A total of 1 to 256 characters are allowed.
  - Multiple names are separated by carriage returns.
  - If you do not have the CIFS share administrator permission, you need to change the permission of the root directory in a namespace or dtree used by a share to 777 before you can create files or directories in the root directory in the namespace or dtree. The CLI command for modifying the permission on the root directory in a namespace is as follows:
    change namespace general name=Namespace name unix_permissions=777
    
    The CLI command for modifying the permission on the root directory in a dtree is as follows:
    change dtree general dtree_name=Dtree name file_system_id=Namespace ID unix_permissions=777

In Permission Level, select the permission to be granted for the users or user groups.

Table 3 describes related permissions.

**Table 3** CIFS share permissions
Permission	Forbidden	Read-Only	Read/Write	Full Control
Viewing files and subdirectories	X^a	√^b	√	√
Viewing file contents	X	√	√	√
Running executable files	X	√	√	√
Adding files or subdirectories	X	-^c	√	√
Modifying file contents	X	-	√	√
Deleting files and subdirectories	X	-	√	√
Renaming	X	-	√	√
Changing ACL permissions of files or directories	X	-	-	√
a: Users do not have the permission. b: Users have the permission. c: The specified permission is not involved.

When a share is created for the audit log namespace, you cannot set the permission to Read/Write and Full control.

Click OK.
The system adds the selected users or user groups to the Permission list.

Click OK.