rw
There is a share option that specifies whether the files in the share are read-only or whether both read and write access are possible, subject to the authentication and authorization checks when a specific access is attempted. This share option can be given one of these values, either rw or ro.
Grants read and write permission to the exported share.
ro (Default)
Grants read-only permission to the exported share. Files cannot be created or modified.
guest
Another configuration option specifies whether a user trying to establish a CIFS connection with the share must always provide the user name and password, or whether they can connect without them. In the latter case, only restricted access to the share is allowed. The same kind of access is allowed to anonymous or guest user accounts. This share option can have one of the following values, either guest or noguest.
Veritas Access allows restricted access to the share when no user name or password is provided.
noguest (Default)
Veritas Access always requires the user name and password for all of the connections to this share.
full_acl
All Windows Access Control Lists (ACLs) are supported except in the case when you attempt using the Windows Explorer folder Properties > Security GUI to inherit down to a non-empty directory hierarchy while denying all access to yourself.
no_full_acl (Default)
Some advanced Windows Access Control List (ACL) functionality does not work. For example, when a CIFS share is exported using no_full_acl, you cannot use Windows Explorer to create ACL rules on files saved in the share that allow some set of file access for user1 while denying file access for user2.
hide_unreadable
Prevents clients from seeing the existence of files and directories that are not readable to them.
The default is: hide_unreadable is set to off.
veto_sys_files
To hide some system files (lost+found, quotas, quotas.grp) from displaying when using a CIFS normal share, you can use the veto_sys_files CIFS export option. For example, when adding a CIFS normal share, the default is to display the system files. To hide the system files, you must use the veto_sys_files CIFS export option.
fs_mode
When a file system or directory is exported by CIFS, its mode is set to the fs_mode value. This is the UNIX access control set on the file system, and CIFS options like rw/ro do not take precedence over it. This value is reset to 0755 when the CIFS share is deleted.
The default is: fs_mode = 1777.
dir_mask
When a directory is created under a file system or directory exported by CIFS, the necessary permissions are calculated by mapping DOS modes to UNIX permissions. The resulting UNIX mode is then bit-wise 'AND'ed with this parameter. Any bit not set here is removed from the modes set on a directory when it is created.
The default is: dir_mask = 0775.
create_mask
When a file is created under a file system or directory exported by CIFS, the necessary permissions are calculated by mapping DOS modes to UNIX permissions. The resulting UNIX mode is then bit-wise 'AND'ed with this parameter. Any bit not set here is removed from the modes set on a file when it is created.
The default is: create_mask = 0775.
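The mask arithmetic described for dir_mask and create_mask, as an added example (not Veritas code). The mapped modes 0777 and 0666 are assumed inputs for illustration, since the page does not give the DOS-to-UNIX mapping itself.

```python
import stat

def apply_mask(mapped_mode, mask):
    """Bit-wise AND the mapped UNIX mode with create_mask or dir_mask."""
    return mapped_mode & mask

def removed_bits(mapped_mode, mask):
    """Permission bits that the mask strips from the mapped mode."""
    return mapped_mode & ~mask & 0o7777

def rwx(mode, is_dir):
    """Render a mode the way `ls -l` shows it, e.g. drwxrwxr-x."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | mode)

def review_mask(name, mask):
    """Flag mask bits that let newly created objects keep risky permissions."""
    notes = []
    if mask & stat.S_IWOTH:
        notes.append(f"{name}={mask:04o} lets new objects stay world-writable")
    if mask & (stat.S_ISUID | stat.S_ISGID):
        notes.append(f"{name}={mask:04o} lets setuid/setgid bits survive")
    return notes

if __name__ == "__main__":
    # Defaults from this page; mapped modes are constructed sample inputs.
    for name, mask, mapped, is_dir in [
        ("dir_mask", 0o775, 0o777, True),
        ("create_mask", 0o775, 0o666, False),
    ]:
        result = apply_mask(mapped, mask)
        print(f"{name}: {mapped:04o} & {mask:04o} = {result:04o} "
              f"({rwx(result, is_dir)}), stripped {removed_bits(mapped, mask):04o}")
        print("  findings:", review_mask(name, mask) or "none")
    # The default fs_mode on the share root itself: world-writable with sticky bit.
    print("fs_mode 1777 =", rwx(0o1777, True))
```

With the default masks, the other-write bit never survives on new files or directories, while the share root under the default fs_mode remains writable by everyone.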
oplocks (Default)
Veritas Access supports the CIFS opportunistic locks. You can enable or disable them for a specific share. The opportunistic locks improve performance for some workloads, and there is a share configuration option which can be given one of the following values, either oplocks or nooplocks.
Veritas Access supports opportunistic locks on the files in this share.
nooplocks
No opportunistic locks will be used for this share.
Disable the oplocks when:
1) A file system is exported over both CIFS and NFS protocols.
2) Either CIFS or NFS protocol has read and write access.
owner
There are more share configuration options that can be used to specify
the user and group who own the share. If you do not specify these
options for a share, Veritas Access uses the current values as default
values for these options.
You may want to change the default values to allow a specific user or
group to be the share owner.
Irrespective of who the owner and group of the exported share are, any
CIFS client can create folders and files in the share.
However, there are some operations that require owner privileges; for
example, changing the owner itself, and changing permissions of the
top-level folder (that is, the root directory in UNIX terms). To
enable these operations, you can set the owner option to a specific
user name, and this user can perform the privileged operations.
group
By default, the current group is the primary group owner of the root
directory of the exported share. This lets CIFS clients create folders
and files in the share. However, there are some operations that
require group privileges; for example, changing the group itself,
and changing permissions of the top-level folder (that is, the root
directory in UNIX terms). To enable these operations, you can set the
group option to a specific group name, and this group can perform the
privileged operations.
ip
Veritas Access lets you specify a virtual IP address. If you set ip=virtualip, the share is located on the specified virtual IP address. This address must
be part of the Veritas Access cluster, and is used by the system to serve
the share internally.
ip is not a valid CIFS option when using the ctdb clustering
mode.
enable_encryption
If enable_encryption is set, then all the traffic to a share must be encrypted once the connection has been made to the share. The server returns an access denied message to all unencrypted requests on such a share. As SMB3 is the maximum protocol, only SMB3 clients that support encryption can connect to the share.
disable_encryption
If disable_encryption is set, then encryption cannot be negotiated by the client. SMB1, SMB2, and SMB3 clients can connect to the share.
enable_durable_handles
Enables support for durable handles for CIFS shares. Enabling this option disables use of POSIX/fcntl locks. Exporting the same CIFS share using NFS may result in data corruption. For support for durable handles on CIFS shares, you must specify this option.
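A configuration review of the option interactions described on this page, as an added example (not Veritas code). The comma-separated option string, the nfs_export and ctdb parameters, and the reading that both oplocks conditions must hold together are assumptions of this sketch.

```python
# Defaults as stated on this page; encryption has no stated default, so None.
DEFAULTS = {"access": "ro", "guest": False, "oplocks": True,
            "encryption": None, "durable_handles": False, "ip": None}

FLAGS = {
    "rw": ("access", "rw"), "ro": ("access", "ro"),
    "guest": ("guest", True), "noguest": ("guest", False),
    "oplocks": ("oplocks", True), "nooplocks": ("oplocks", False),
    "enable_encryption": ("encryption", True),
    "disable_encryption": ("encryption", False),
    "enable_durable_handles": ("durable_handles", True),
}

def parse_options(text):
    """Parse an assumed comma-separated option string on top of the defaults."""
    opts = dict(DEFAULTS)
    for token in filter(None, (t.strip() for t in text.split(","))):
        if token.startswith("ip="):
            opts["ip"] = token[3:]
        elif token in FLAGS:
            key, value = FLAGS[token]
            opts[key] = value
        # Other options on the page (masks, owner, group, ...) are ignored here.
    return opts

def audit(text, nfs_export=None, ctdb=False):
    """nfs_export: None if the file system is not exported over NFS, else 'ro' or 'rw'."""
    o, findings = parse_options(text), []
    if o["oplocks"] and nfs_export and "rw" in (o["access"], nfs_export):
        findings.append("oplocks on a CIFS+NFS export with write access: use nooplocks")
    if o["durable_handles"] and nfs_export:
        findings.append("enable_durable_handles with an NFS export may corrupt data")
    if o["guest"]:
        findings.append("guest: connections without user name and password are accepted")
    if o["encryption"] is False:
        findings.append("disable_encryption: clients cannot negotiate encryption")
    if o["ip"] and ctdb:
        findings.append("ip is not a valid CIFS option in ctdb clustering mode")
    return findings

if __name__ == "__main__":
    # Constructed sample share definitions.
    for opts, nfs in [("rw,guest", "ro"), ("rw,nooplocks,enable_encryption", None)]:
        print(opts, "| NFS:", nfs, "->", audit(opts, nfs_export=nfs) or "no findings")
```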