NetAppDocs / ontap

https://docs.netapp.com/us-en/ontap/

AD Tunnel is necessary even without SMB enabled SVM! #1460

Open SPGoetze opened 3 months ago

SPGoetze commented 3 months ago

Page URL

https://docs.netapp.com/us-en/ontap/authentication/enable-ad-users-groups-access-cluster-svm-task.html

Page title

Configure Active Directory domain controller access overview

Summary

Problem: centrally manage administrator access to ONTAP when there is no (fitting) data SVM with SMB enabled (to tunnel through)

The documentation says:

If you have already configured a SMB server for a data SVM, you can use the security login domain-tunnel create command to configure the SVM as a gateway, or tunnel, for AD access to the cluster.

and later:

If you have not configured an SMB server for a data SVM, you can use the vserver active-directory create command to create a computer account for the SVM on the domain.

What it does not explicitly mention is that the vserver active-directory create command only accepts data SVMs, not the admin SVM.

In other words, if you want to centrally manage ONTAP administrator accounts (cluster, not SVM level), you'll have to set up a minimally configured 'Authentication SVM' and then still use the tunnel mentioned above!

E.g.

```
vserver create -vserver auth
vserver remove-protocols -vserver auth -protocols *

net int create -vserver auth -lif auth -service-policy default-management -home-port e0M -home-node local -address xxx -netmask yyy -failover-policy broadcast-domain-wide -auto-revert true

route create -vserver auth -dest 0.0.0.0/0 -gate ggg

vserver cifs security modify -vserver auth -is-aes-encryption-enabled true -lm-compatibility-level ntlmv2-krb -session-security-for-ad-ldap sign -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

dns create -vserver auth -domains demo.netapp.com -name-servers ccc,ddd

vserver active-directory create -vserver auth -account-name cluster1 -domain demo.netapp.com

In order to create an Active Directory machine account, you must supply the name and password
of a Windows account with sufficient privileges to add computers to the "CN=Computers" container
within the "example.com" domain.
Enter the user name: Administrator
Enter the password:

security login domain-tunnel create -vserver auth

security login create -vserver cluster1 -user-or-group-name DEMO\StorageAdmins -application ssh -authentication-method domain -role admin
security login create -vserver cluster1 -user-or-group-name DEMO\StorageAdmins -application http -authentication-method domain -role admin
security login create -vserver cluster1 -user-or-group-name DEMO\StorageAdmins -application ontapi -authentication-method domain -role admin
```

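Added verification steps for the procedure above. These are not part of the original issue or of the NetApp documentation; they assume the names used in the issue (authentication SVM `auth`, cluster `cluster1`, group DEMO\StorageAdmins), a placeholder cluster management address `cluster-mgmt`, and a hypothetical group member `jdoe`. Lines starting with `#` are annotations for the reader, not ONTAP input.

```text
# 1. The authentication SVM must be up and its LIF reachable from the domain controllers,
#    and no data protocol should be allowed on it (it exists only to hold the machine account).
vserver show -vserver auth -fields allowed-protocols,operational-state
network interface show -vserver auth -fields status-admin,status-oper,service-policy

# 2. The computer account exists and the DC connection settings are the hardened ones
#    from the vserver cifs security modify command (SMB1 off, signing, AES, NTLMv2/Kerberos only).
vserver active-directory show -vserver auth
vserver cifs security show -vserver auth

# 3. A cluster has at most one domain tunnel; it must point at the auth SVM.
security login domain-tunnel show

# 4. Only the intended AD group(s) have cluster-level domain logins, and a local
#    password-authenticated admin remains as a break-glass account: AD logins stop
#    working whenever the auth SVM or its LIF is down.
security login show -vserver cluster1 -authentication-method domain
security login show -vserver cluster1 -authentication-method password

# 5. From an admin workstation (not the ONTAP shell), log in as a member of the group.
ssh 'DEMO\jdoe'@cluster-mgmt
```

The tunnel only serves logins to the admin SVM (cluster1); data SVMs that run their own SMB server authenticate their SVM-level AD logins directly and do not go through it.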

dmp-netapp commented 2 months ago

Thanks for your feedback. We are reviewing it.

dmp-netapp commented 2 weeks ago

Sorry for the delay. We've just published the doc update for ONTAP 9.16.1 RC. I should have time now to look at this in more detail.