NetApp ONTAP Active Directory Authentication
To enable Active Directory (AD) domain users to access the cluster or Storage Virtual Machines (SVMs), set up an authentication tunnel through a CIFS-enabled SVM. This is for administrative access only.
This procedure will work with any data SVM that has a CIFS server created and joined to the domain. However, Red8 recommends creating a standalone SVM for AD authentication purposes only. This allows for the following:
- System isolation, since the sole purpose of the SVM is authentication; it serves no data.
- No need to rebuild authentication if a preexisting data SVM that was used for the tunnel is later deleted.
- Note that the domain tunnel cannot be used for Service Processor authentication. A local account must be used for Service Processor access.
Before you begin
- The AD users or groups that are granted access must exist in the AD domain.
- The cluster time must be kept within five minutes of the time on the AD domain controller (preferably using the same NTP servers) to enable users and groups of that domain to access the cluster or SVM.
- The domain tunnel is a one-to-one relationship.
Creating Standalone Authentication SVM
If using a preexisting CIFS SVM, skip to the Setting Up Authentication section.
NOTE: The networking references (LIFs, DNS, IPs, etc.) used in this article are for example purposes only. Replace these items with values that relate to the specific environment.
- Create the SVM – Use the naming convention established for the environment. Red8 recommends having “ADauth” as the suffix of the name.
cluster1::> vserver create -vserver svmADauth -subtype default -rootvolume svmADauth_root -aggregate cluster1_01_aggr0 -rootvolume-security-style ntfs
cluster1::> vserver remove-protocol -protocols nfs,fcp,iscsi -vserver svmADauth
- Create Networking for the SVM – Set up a data LIF, a network route and DNS services.
cluster1::> network interface create -vserver svmADauth -lif svmADauth_mgmt -role data -data-protocol none -address 192.168.1.100 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0M
cluster1::> network route create -vserver svmADauth -destination 0.0.0.0/0 -gateway 192.168.1.1
cluster1::> dns create -vserver svmADauth -domain domain.com -name-servers 192.168.1.10,192.168.1.11,192.168.1.12
- Create an AD server for the SVM – This is the equivalent of joining the SVM to the domain, but it works regardless of whether a CIFS license is present.
cluster1::> vserver active-directory create -account-name svmADauth -domain domain.com -vserver svmADauth
NOTE: A user account with appropriate permissions is required to join the domain. Alternatively, a machine account can be created in advance and used for the join process. Also, since the AD domain name is already provided in the command above, specify the account as “username” only.
Setting Up Authentication
- Create the Security Tunnel
cluster1::> security login domain-tunnel create -vserver svmADauth
cluster1::> security login domain-tunnel show
- Grant the AD user or Group Access
cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -authmethod domain -application http
cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -authmethod domain -application ontapi
cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -authmethod domain -application ssh
cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Group -authmethod domain -application http
cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Group -authmethod domain -application ontapi
cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Group -authmethod domain -application ssh
cluster1::> security login show
NOTE: The value of the -user-or-group-name parameter must be specified in the format domain\name, where domain is the NetBIOS name of the AD domain and name is the AD user or group that is granted access. If the user or group name contains spaces, enclose the whole “domain\name” value in quotes. Replace “cluster1” in the -vserver parameter with the SVM name if authentication for a specific SVM is required instead of the cluster.
If the authentication tunnel or SVM is deleted, subsequent login sessions cannot be authenticated, and Active Directory domain users cannot access the cluster. Open sessions that were authenticated prior to the deletion of the authentication tunnel remain unaffected.