AD Tunnel is necessary even without SMB enabled SVM! #1460

Open

SPGoetze opened this issue Aug 28, 2024 · 2 comments
SPGoetze commented Aug 28, 2024

Page URL

https://docs.netapp.com/us-en/ontap/authentication/enable-ad-users-groups-access-cluster-svm-task.html

Page title

Configure Active Directory domain controller access overview

Summary

Problem: Centrally manage Administrator access to ONTAP, no (fitting) Data SVM with SMB enabled (to tunnel through)

The documentation says:

If you have already configured a SMB server for a data SVM, you can use the security login domain-tunnel create command to configure the SVM as a gateway, or tunnel, for AD access to the cluster.

and later:

If you have not configured an SMB server for a data SVM, you can use the vserver active-directory create command to create a computer account for the SVM on the domain.

What it does not explicitly mention is that the vserver active-directory create command only accepts data SVMs, not the admin SVM.

In other words, if you want to centrally manage ONTAP administrator accounts (cluster, not SVM level), you'll have to set up a minimally configured 'Authentication SVM' and then still use the tunnel mentioned above!

E.g.:

```
vserver create auth
vserver remove-protocol -vserver auth -protocols *

net int create -vserver auth -lif auth -service-policy default-management -home-port e0M -home-node local -address xxx -netmask yyy -failover-policy broadcast-domain-wide -auto-revert true

route create -vserver auth -dest 0.0.0.0/0 -gate ggg

vserver cifs security modify -vserver auth -is-aes-encryption-enabled true -lm-compatibility-level ntlmv2-krb -session-security-for-ad-ldap sign -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

dns create -vserver auth -domains demo.netapp.com -name-servers ccc,ddd

vserver active-directory create -vserver auth -account-name cluster1 -domain demo.netapp.com
In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "example.com" domain.
Enter the user name: Administrator
Enter the password:

security login domain-tunnel create -vserver auth

security login create -vserver cluster1 -user-or-group-name DEMO\StorageAdmins -application ssh -authentication-method domain -role admin
security login create -vserver cluster1 -user-or-group-name DEMO\StorageAdmins -application http -authentication-method domain -role admin
security login create -vserver cluster1 -user-or-group-name DEMO\StorageAdmins -application ontapi -authentication-method domain -role admin
```

Public issues must not contain sensitive information

  • This issue contains no sensitive information.
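The same "minimal auth SVM, computer account, domain tunnel, cluster-scoped domain logins" sequence, expressed against the ONTAP REST API rather than the CLI, as an added example that is not part of the issue above or of NetApp's documentation. It also adds the audit step a practitioner wants after enabling a tunnel: listing every domain-authenticated login so the AD-to-cluster-admin mapping can be confirmed to cover only the intended group. Assumptions, to be checked against the cluster's own /docs before use: the endpoints /api/svm/svms (with per-protocol allowed flags, ip_interfaces, routes and dns), /api/protocols/active-directory (ONTAP 9.12.1 and later), /api/security/authentication/cluster/ad-proxy and /api/security/accounts, and the field names used in the payloads. The SVM name auth, the domain demo.netapp.com, the group DEMO\StorageAdmins, the cluster name cluster1, the addresses and the join account svc-ontap-join are placeholders taken from or modelled on the issue; the GET response fed to the audit helper is constructed for the example.

```python
import base64
import json
import re
import ssl
import urllib.request

# Every data protocol the auth SVM must never serve: it exists only as an AD member.
DATA_PROTOCOLS = ("cifs", "nfs", "fcp", "iscsi", "nvme")
# The management applications the issue grants to the AD group.
CLUSTER_APPS = ("ssh", "http", "ontapi")
# Cluster logins for AD principals must be in DOMAIN\name form.
GROUP_RE = re.compile(r"^[A-Za-z0-9._-]+\\[^\\]+$")


def auth_svm_payload(svm, address, netmask, gateway, home_node, dns_domain, dns_servers):
    """POST /api/svm/svms body (assumed shape): all data protocols disallowed, one
    management LIF, a default route and DNS, mirroring the CLI steps in the issue."""
    payload = {
        "name": svm,
        "ip_interfaces": [{
            "name": svm,
            "ip": {"address": address, "netmask": netmask},
            "location": {"home_node": {"name": home_node}},
            "service_policy": {"name": "default-management"},
        }],
        "routes": [{"destination": {"address": "0.0.0.0", "netmask": "0"}, "gateway": gateway}],
        "dns": {"domains": [dns_domain], "servers": list(dns_servers)},
    }
    for proto in DATA_PROTOCOLS:
        payload[proto] = {"allowed": False}  # no SMB/NFS/SAN ever on this SVM
    return payload


def ad_account_payload(svm, account_name, fqdn, join_user, join_password):
    """POST /api/protocols/active-directory body (assumed endpoint, 9.12.1+). Use a
    delegated account that may only create computer objects, not Domain Admin."""
    return {"svm": {"name": svm}, "name": account_name, "fqdn": fqdn,
            "username": join_user, "password": join_password}


def domain_tunnel_payload(svm):
    """POST /api/security/authentication/cluster/ad-proxy body: the domain tunnel."""
    return {"svm": {"name": svm}}


def domain_login_payload(admin_svm, group, role="admin", apps=CLUSTER_APPS):
    """POST /api/security/accounts body: one cluster-scoped entry for DOMAIN\\group
    with domain authentication on each application (one call instead of three)."""
    if not GROUP_RE.match(group):
        raise ValueError("expected DOMAIN\\name, got %r" % group)
    return {"name": group, "owner": {"name": admin_svm}, "role": {"name": role},
            "applications": [{"application": a, "authentication_methods": ["domain"]}
                             for a in apps]}


def domain_bindings(accounts_json):
    """Audit helper: from a GET /api/security/accounts?fields=owner,role,applications
    response, return sorted (owner, name, application, role) tuples for every
    domain-authenticated login, i.e. everything the tunnel now lets AD decide."""
    found = []
    for rec in accounts_json.get("records", []):
        for app in rec.get("applications", []):
            if "domain" in app.get("authentication_methods", []):
                found.append((rec["owner"]["name"], rec["name"],
                              app["application"], rec["role"]["name"]))
    return sorted(found)


def post(base_url, user, password, path, payload, ca_file=None):
    """One REST call; TLS verification stays on (supply the cluster CA, never disable it)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                 headers={"Authorization": "Basic " + token,
                                          "Content-Type": "application/json",
                                          "Accept": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    import getpass
    base = "https://cluster1.demo.netapp.com"  # placeholder cluster management address
    admin_pw = getpass.getpass("ONTAP admin password: ")
    join_pw = getpass.getpass("AD join account password: ")
    post(base, "admin", admin_pw, "/api/svm/svms",
         auth_svm_payload("auth", "192.0.2.10", "255.255.255.0", "192.0.2.1",
                          "cluster1-01", "demo.netapp.com", ["192.0.2.53"]))
    post(base, "admin", admin_pw, "/api/protocols/active-directory",
         ad_account_payload("auth", "cluster1", "demo.netapp.com", "svc-ontap-join", join_pw))
    post(base, "admin", admin_pw, "/api/security/authentication/cluster/ad-proxy",
         domain_tunnel_payload("auth"))
    post(base, "admin", admin_pw, "/api/security/accounts",
         domain_login_payload("cluster1", "DEMO\\StorageAdmins"))
```

The SVM creation is an asynchronous job in REST, so in practice the first call's job must be polled to completion before the computer account is created. The join password is read at run time rather than stored; the join account itself should hold only the delegation to create computer objects in the target container, since whoever can create the computer account can also substitute the machine behind the tunnel.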
@dmp-netapp (Contributor)

Thanks for your feedback. We are reviewing it.

@dmp-netapp (Contributor)

Sorry for the delay. We've just published the doc update for ONTAP 9.16.1 RC. I should have time now to look at this in more detail.
