NetApp ONTAP Active Directory Authentication

This document provides instructions for enabling Active Directory authentication to access an ONTAP cluster or Storage Virtual Machines. It recommends creating a standalone SVM dedicated for AD authentication purposes only, for system isolation and ease of recreating if needed. The steps include creating the SVM, setting up its networking, joining it to the AD domain, and creating a security tunnel to grant AD users or groups access to the cluster.

NetApp ONTAP Active Directory Authentication

Created by: narit.kl

Support: Service Request ID: 2246

To enable Active Directory (AD) domain users to access the cluster or Storage Virtual Machines (SVMs), set up an
authentication tunnel through a CIFS-enabled SVM. This is for administrative access only.

This procedure will work with any data SVM that has a CIFS server created and joined to the domain. However,
Red8 recommends creating a standalone SVM for AD authentication purposes only. This allows for the following:

• System isolation, as the sole purpose of the SVM is authentication; it does not serve any data.
• Eliminates the need to recreate the tunnel in the event that a preexisting data SVM used for access is
deleted.
• Note that this cannot be used for Service Processor authentication. A local account must be used for Service
Processor access.

Before you begin

• The AD users or groups that are granted access must exist in the AD domain.
• The cluster time must be kept within five minutes of the time on the AD domain controller (preferably using
the same NTP servers) to enable users and groups of that domain to access the cluster or SVM.
• The domain tunnel is a one-to-one relationship (a cluster has a single tunnel SVM).

Creating Standalone Authentication SVM

If using a preexisting CIFS SVM, skip to the Setting Up Authentication section.

NOTE: The networking references (LIFs, DNS, IPs, etc.) used in this article are for example purposes only. Replace
these items with values that relate to the specific environment.

1. Create the SVM – Use the naming convention established for the environment. Red8 recommends having
“ADauth” as the suffix of the name.

AISCLUSTER::> vserver create -vserver SVM_DAUTHEN -subtype default -rootvolume SVM_DAUTHEN_root -aggregate AISCLUSTER01_SAS -rootvolume-security-style ntfs
AISCLUSTER::> vserver remove-protocol -protocols nfs,fcp,iscsi -vserver SVM_DAUTHEN

2. Create Networking for the SVM – Set up a data LIF, a network route and DNS services.

AISCLUSTER::> network interface create -vserver SVM_DAUTHEN -lif SVM_DAUTHEN_mgmt -role data -data-protocol none -address 172.26.12.47 -netmask 255.255.252.0 -home-node AISCLUSTER-01 -home-port e0M
AISCLUSTER::> network route create -vserver SVM_DAUTHEN -destination 0.0.0.0/0 -gateway 172.26.12.1
AISCLUSTER::> dns create -vserver SVM_DAUTHEN -domain aishispeed.com -name-servers

3. Create an AD server for the SVM – This is the equivalent of joining the SVM to the domain; however, it works
regardless of whether a CIFS license is present.

AISCLUSTER::> vserver active-directory create -account-name SVM_DAUTHEN -domain aishispeed.com -vserver SVM_DAUTHEN

NOTE: A user account with appropriate permissions is required to join the domain. Alternatively, a machine
account can be created in advance and used for the join process. Also, since the AD domain name is
provided in the command above, specify the account using the syntax “username” only (no domain prefix).
Setting Up Authentication

1. Create the Security Tunnel


AISCLUSTER::> security login domain-tunnel create -vserver SVM_DAUTHEN

AISCLUSTER::> security login domain-tunnel show

2. Grant the AD User or Group Access


AISCLUSTER::> security login create -vserver AISCLUSTER -user-or-group-name AISHISPEED\Administrator -authmethod domain -application http
AISCLUSTER::> security login create -vserver AISCLUSTER -user-or-group-name AISHISPEED\Administrator -authmethod domain -application ontapi
AISCLUSTER::> security login create -vserver AISCLUSTER -user-or-group-name AISHISPEED\Administrator -authmethod domain -application ssh
AISCLUSTER::> security login create -vserver AISCLUSTER -user-or-group-name AISHISPEED\Storage-admin -authmethod domain -application http
AISCLUSTER::> security login create -vserver AISCLUSTER -user-or-group-name AISHISPEED\Storage-admin -authmethod domain -application ontapi
AISCLUSTER::> security login create -vserver AISCLUSTER -user-or-group-name AISHISPEED\Storage-admin -authmethod domain -application ssh
AISCLUSTER::> security login show
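As an added check that is not part of the original Red8 procedure: the Python script below parses the columnar output of `security login show` and reports which of the expected AD principals are missing a `domain` grant for ssh, http or ontapi (the three applications granted above). The sample output is constructed to mimic ONTAP's table layout, including names too long for the column wrapping onto their own line; it was not captured from a real cluster.

```python
REQUIRED_APPS = ("http", "ontapi", "ssh")   # the applications the procedure grants

# Constructed sample of "security login show" output (not from a real cluster).
# Long user/group names are printed on their own line, with the remaining
# columns on the next, indented line, which is what the parser must handle.
SAMPLE_LOGIN_SHOW = """\
Vserver: AISCLUSTER
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          ssh         password      admin            no     none
AISHISPEED\\Administrator
               http        domain        admin            -      none
AISHISPEED\\Administrator
               ontapi      domain        admin            -      none
AISHISPEED\\Administrator
               ssh         domain        admin            -      none
AISHISPEED\\Storage-admin
               http        domain        admin            -      none
AISHISPEED\\Storage-admin
               ssh         password      admin            no     none
"""

def parse_login_show(text):
    """Return (name, application, authmethod, role) tuples from the table body."""
    rows, pending, started = [], None, False
    for line in text.splitlines():
        if line.startswith("---"):          # separator: the data rows follow
            started = True
            continue
        if not started or not line.strip():
            continue
        tokens = line.split()
        if len(tokens) == 1:                # wrapped name; columns come next line
            pending = tokens[0]
            continue
        if line[0].isspace():               # continuation row of a wrapped name
            name, fields = pending, tokens
        else:
            name, fields = tokens[0], tokens[1:]
        rows.append((name, fields[0], fields[1], fields[2]))
        pending = None
    return rows

def missing_domain_grants(text, principals, apps=REQUIRED_APPS):
    """Sorted (principal, app) pairs that lack an authmethod-domain login entry."""
    granted = {(n, a) for n, a, m, _ in parse_login_show(text) if m == "domain"}
    return sorted((p, a) for p in principals for a in apps if (p, a) not in granted)

if __name__ == "__main__":
    expected = ["AISHISPEED\\Administrator", "AISHISPEED\\Storage-admin"]
    for principal, app in missing_domain_grants(SAMPLE_LOGIN_SHOW, expected):
        print(f"missing domain grant: {principal} -> {app}")
```

In the sample, Storage-admin has no ontapi entry and its ssh entry uses password rather than domain authentication, so both are reported; feed the script real `security login show` output to audit a cluster after step 2.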
