Categories

NetApp ONTAP Active Directory Authentication

Created On
Last Updated On
bypreshmarketing
Print
You are here:
< All Topics

To enable Active Directory (AD) domain users to access the cluster or Storage Virtual Machines (SVMs), set up an authentication tunnel through a CIFS-enabled SVM. This is for administrative access only.

This procedure will work with any data SVM that has a CIFS server created and joined to the domain. However, Red8 recommends creating a standalone SVM for AD authentication purposes only. This allows for the following:

  • System isolation as sole purpose for the SVM is for authentication and not serving any data.
  • Eliminates the need of having to recreate in the event that a preexisting data SVM used for access is deleted.
  • This can not be used for Service Processor authentication. A local account must be used for Service Processor access.

Before you begin

  • The AD users or groups that are granted access must exist in the AD domain.
  • The cluster time must be kept within five minutes of the time on the AD domain controller (preferably using the same NTP servers) to enable users and groups of that domain to access the cluster or SVM.
  • The domain-tunnel is a 1-to-1 relationship

Creating Standalone Authentication SVM

If using a preexisting CIFS SVM then skip to the Setting Up Authentication section.

NOTE: The networking references (LIFs, DNS, IPs, etc.) used in this article are for example purposes only. Replace these items with values that relate to the specific environment.

  1. Create the SVM – Use the naming convention established for the environment. Red8 recommends having “ADauth” as the suffix of the name.

    cluster1::> vserver create -vserver svmADauth -subtype default -rootvolume svmADauth_root -aggregate cluster1_01_aggr0 -rootvolume-security-style ntfs

    cluster1::> vserver remove-protocol -protocols nfs,fcp,iscsi -vserver svmADauth

  2. Create Networking for the SVM – Set up a data LIF, a network route and DNS services.

    cluster1::> network interface create -vserver svmADauth -lif svmADauth_mgmt -role data -data-protocol none -address 192.168.1.100 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0M

    cluster1::> network route create -vserver svmADauth -destination 0.0.0.0/0 -gateway 192.168.1.1

    cluster1::> dns create -vserver svmADauth -domain domain.com -name-servers 192.168.1.10,192,168.1.11,192.168.1.12

  3. Create an AD server for the SVM – This is the equivalent of joining the SVM to the domain however this will work regardless if a CIFS license is present or not.

    cluster1::> vserver active-directory create -account-name svmADauth -domain domain.com -vserver svmADauth

NOTE: A user account with appropriate permissions will be required to join the domain. Alternatively a machine account can be created in advance and will be used for the join process. Also, since the AD domain name is provided in the command above just specify the account using the syntax “username“.

Setting Up Authentication

  1. Create the Security Tunnel

    cluster1::> security login domain-tunnel create -vserver svmADauth

    cluster1::> security login domain-tunnel show

  2. Grant the AD user or Group Access

    cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -authmethod domain -application http

    cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -authmethod domain -application ontapi

    cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Administrator -authmethod domain -application ssh

    cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Group -authmethod domain -application http

    cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Group -authmethod domain -application ontapi

    cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\Group -authmethod domain -application ssh

    cluster1::> security login show

NOTE: The value of the -user-or-group-name parameter must be specified in the format of \, where is the NetBIOS name of the AD domain and is the AD user or group that is granted access. If the user or group name has any spaces in it enclose the “\” in quotes. Replace the “cluster1” with “svm”, of the -vserver parameter, if authentication for a specific SVM is required.

If the authentication tunnel or SVM is deleted, subsequent login sessions cannot be authenticated, and Active Directory domain users cannot access the cluster. Open sessions that were authenticated prior to the deletion of the authentication tunnel remain unaffected.

Table of Contents