NetApp ONTAP Active Directory Authentication
This procedure works with any data SVM that has a CIFS server created and joined to the domain. However, Red8 recommends creating a standalone SVM used only for AD authentication. This provides the following:
- System isolation: the SVM's sole purpose is authentication, and it serves no data.
- No need to recreate the authentication setup if a preexisting data SVM that was used for access is deleted.
- Note that this cannot be used for Service Processor authentication; a local account must be used for Service Processor access.
Before you begin
- The AD users or groups that are granted access must exist in the AD domain.
- The cluster time must be kept within five minutes of the time on the AD domain controller (preferably using the same NTP servers) to enable users and groups of that domain to access the cluster or SVM.
- The domain tunnel is a 1-to-1 relationship: a cluster has a single authentication tunnel, and it points to a single SVM.
Creating Standalone Authentication SVM
If you are using a preexisting CIFS SVM, skip to the Setting Up Authentication section.
NOTE: The networking references (LIFs, DNS, IPs, etc.) used in this article are for example purposes only. Replace these items with values that relate to the specific environment.
- Create the SVM – Use the naming convention established for the environment. Red8 recommends using “ADauth” as the suffix of the name.
- Create networking for the SVM – Set up a data LIF, a network route and DNS services.
- Create an AD server for the SVM – This is the equivalent of joining the SVM to the domain; however, it works whether or not a CIFS license is present.
NOTE: A user account with appropriate permissions is required to join the domain. Alternatively, a machine account can be created in advance and used for the join process. Also, because the AD domain name is already provided to the command that creates the AD server, specify the account using just “username” rather than a domain-prefixed name.
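The three steps above, as an added worked example of the ONTAP clustershell commands (this is not Red8's own command listing from the original article). The SVM name svm_ADauth, the aggregate aggr1, the node and port cluster1-01/e0c, the 192.0.2.x addresses, the domain example.com and the machine account name SVMADAUTH are all assumed placeholder values; substitute the values for your environment, as the note above says. The LIF is created with -data-protocol none because this SVM serves no data and only needs an address that can reach the domain controllers and DNS.

```text
cluster1::> vserver create -vserver svm_ADauth -rootvolume svm_ADauth_root -aggregate aggr1 -rootvolume-security-style ntfs

cluster1::> network interface create -vserver svm_ADauth -lif svm_ADauth_lif1 -role data -data-protocol none -home-node cluster1-01 -home-port e0c -address 192.0.2.50 -netmask 255.255.255.0

cluster1::> network route create -vserver svm_ADauth -destination 0.0.0.0/0 -gateway 192.0.2.1

cluster1::> vserver services name-service dns create -vserver svm_ADauth -domains example.com -name-servers 192.0.2.10,192.0.2.11

cluster1::> vserver active-directory create -vserver svm_ADauth -account-name SVMADAUTH -domain example.com

cluster1::> vserver active-directory show -vserver svm_ADauth
```

The vserver active-directory create command prompts for the name and password of an account that is allowed to add computers to the domain; enter the name as just the username, without a domain prefix. The final show command confirms the machine account was created and the SVM is associated with the expected domain before you proceed to the tunnel setup.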
Setting Up Authentication
- Create the Security Tunnel
- Grant the AD user or Group Access
NOTE: The value of the -user-or-group-name parameter must be specified in the format domain\name, where domain is the NetBIOS name of the AD domain and name is the AD user or group that is granted access. If the user or group name contains spaces, enclose the whole domain\name value in quotes. If authentication for a specific SVM rather than the cluster is required, replace “cluster1” in the -vserver parameter with the SVM name.
If the authentication tunnel or SVM is deleted, subsequent login sessions cannot be authenticated, and Active Directory domain users cannot access the cluster. Open sessions that were authenticated prior to the deletion of the authentication tunnel remain unaffected.
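The two Setting Up Authentication steps, as an added worked example in the ONTAP clustershell (added here; not a command listing from the original article). It assumes the authentication SVM is named svm_ADauth, the AD domain's NetBIOS name is EXAMPLE, and the group "Storage Admins" and the user jsmith exist in that domain; all of these are placeholders. The group name contains a space, so it is quoted as the note above requires. The trailing show commands are the check a practitioner would run after the change, and again after any SVM cleanup, since deleting the tunnel or its SVM silently breaks new domain logins.

```text
cluster1::> security login domain-tunnel create -vserver svm_ADauth

cluster1::> security login create -vserver cluster1 -user-or-group-name "EXAMPLE\Storage Admins" -application ssh -authentication-method domain -role admin

cluster1::> security login create -vserver cluster1 -user-or-group-name EXAMPLE\jsmith -application ssh -authentication-method domain -role readonly

cluster1::> security login domain-tunnel show

cluster1::> security login show -vserver cluster1 -authentication-method domain
```

Granting a group rather than individual users keeps access management in AD, and pairing a readonly role for day-to-day logins with an admin role for a small group follows least privilege. After applying the change, test an SSH login as a member of the granted group from a second session before closing the one you used to make the change; existing sessions stay authenticated even if the tunnel is misconfigured, so they are not a valid test.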