ONTAP Recipes: Did you know you can…?
Easily manage NetApp Storage with your corporate Active Directory (AD) login credentials
This recipe shows how to set up NetApp Storage administrator accounts that authenticate against the login accounts already defined in your corporate Active Directory, so that no separate ONTAP password has to be issued or stored for those users.
The steps below cover both the cluster management (administrative) SVM and a data-serving SVM.
Pre-conditions:
- Ensure that the required network settings (IP address, netmask, routes, DNS, etc.) are in place and that the AD domain controller is reachable from the interface(s) (LIFs) of the SVM concerned, administrative and/or data SVM.
- The user to be given an ONTAP login must already exist as a user account in Active Directory. ONTAP only maps that AD account to an ONTAP role; the password stays in AD.
PART 1: Data SVM workflow:
You will need the credentials of an AD account that is allowed to create computer objects in the target container (CN=Computers in the example below). They are used once, to add the SVM to the domain as a machine account, and do not need to be Domain Admin credentials.
Example: the following sequence creates the user account “vs1u1” with role “vsadmin” on data SVM “vs1” and joins the SVM to the AD domain “mydomain.com”:
1. Create the AD machine account for the SVM:
Cluster-1_2::>vserver active-directory create -account-name vs1 -domain mydomain.com -ou CN=Computers -vserver vs1
In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "mydomain.com" domain.
Enter the user name: administrator   [an AD account with rights to create computer objects in that container]
Enter the password:
2. Verify the AD configuration (also log in to the AD server and confirm that a computer object “VS1” now appears in the configured domain’s computer list):
Cluster-1_2::> vserver active-directory show
            Account       Domain/Workgroup
Vserver     Name          Name
----------- ------------- ----------------
vs1         VS1           mydomain
3. Create the ONTAP login for the AD user. The user name is given as <NetBIOS domain name>\<username>, i.e. mydomain\vs1u1 and not mydomain.com\vs1u1:
Cluster-1_2::> security login create -user-or-group-name mydomain\vs1u1 -application ssh -authentication-method domain -role vsadmin -vserver vs1
Cluster-1_2::> security login show -user-or-group-name mydomain\vs1u1 -vserver vs1
Vserver: vs1
User/Group                 Authentication                 Acct
Name           Application Method        Role Name        Locked
-------------- ----------- ------------- ---------------- ------
mydomain\vs1u1 ssh         domain        vsadmin          -
4. Log in to ONTAP with the account thus created. The backslash is doubled so that the client shell passes a single backslash to ssh; quoting the whole name ('mydomain\vs1u1@vs1') has the same effect:
Client-host-machine> ssh mydomain\\vs1u1@vs1
Password:
vs1::> security login whoami
User: mydomain\vs1u1
Role: vsadmin
PART 2: Administrative SVM workflow:
For the administrative SVM (the cluster SVM) a domain tunnel (tunnel vserver) must be created first. The tunnel is the authentication gateway through which the administrative SVM forwards login requests to Active Directory, and without it domain-authenticated logins to the administrative SVM cannot succeed.
1. Identify an existing data SVM (or create one) that is joined to the AD domain as explained in PART 1 (Data SVM workflow), and designate it as the tunnel. Only one SVM can be the tunnel at any time; naming a second one returns an error. The tunnel SVM must be running when the command is issued, and if it is later stopped or destroyed, domain authentication to the administrative SVM fails until the tunnel is restored.
In the following example the login user “user_ad_ssh” is created for the administrative SVM “Cluster-1_2”, and the SVM “vs1” from PART 1 is re-used as the tunnel SVM:
Cluster-1_2::> security login domain-tunnel create -vserver vs1
Cluster-1_2::> security login domain-tunnel show
Tunnel Vserver: vs1
2. Create the user (again as <NetBIOS domain name>\<username>, this time on the administrative SVM):
Cluster-1_2::> security login create -user-or-group-name mydomain\user_ad_ssh -application ssh -authentication-method domain -role admin -vserver Cluster-1_2
Cluster-1_2::> security login show -user-or-group-name mydomain\user_ad_ssh -vserver Cluster-1_2
Vserver: Cluster-1_2
User/Group                        Authentication                 Acct
Name                  Application Method         Role Name       Locked
--------------------- ----------- -------------- --------------- ------
mydomain\user_ad_ssh  ssh         domain         admin           -
3. Log in to the ONTAP administrative SVM with the account thus created:
Client-host-machine> ssh mydomain\\user_ad_ssh@Cluster-1_2
Password:
Cluster-1_2::> security login whoami
User: mydomain\user_ad_ssh
Role: admin
Note: when authentication does not work as expected, the cause is usually incomplete or wrong name-services configuration on the SVM rather than the login entry itself. Check the DNS configuration (vserver services name-service dns show), the Active Directory configuration (vserver active-directory show) and the ns-switch settings (vserver services name-service ns-switch show) of the SVM concerned. Also keep at least one local, password-authenticated admin account on the administrative SVM, so that you are not locked out of the cluster if the tunnel SVM is stopped or the domain controllers are unreachable.
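The checks that PART 1 (step 3) and PART 2 (steps 1 and 2) perform by eye can be automated against the CLI output. The following Python script is an added example and is not part of the NetApp recipe or of ONTAP: it parses the text that "security login show" and "security login domain-tunnel show" print, as listed above, and verifies that domain accounts are named NETBIOS-DOMAIN\user, that domain accounts on the administrative SVM have a tunnel, and that a local password-authenticated admin account remains as a fallback. The sample output is constructed from the recipe's listings; the two password-based "admin" rows on the cluster SVM and the "no entries" wording are assumptions, as is the name audit() itself.

```python
"""Audit ONTAP domain (Active Directory) login accounts from CLI output.

Added example, not NetApp code. It parses 'security login show' and
'security login domain-tunnel show' output as shown in the recipe and checks:
  * a domain account is named NETBIOS-DOMAIN\\user (mydomain\\vs1u1, not mydomain.com\\vs1u1)
  * domain accounts on the administrative SVM require a domain tunnel
  * a local password admin account remains, since tunnel loss breaks domain logins
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output; the two password 'admin' rows are assumed.
LOGIN_SHOW = """\
Vserver: vs1
User/Group                 Authentication                 Acct
Name           Application Method        Role Name        Locked
-------------- ----------- ------------- ---------------- ------
mydomain\\vs1u1 ssh         domain        vsadmin          -

Vserver: Cluster-1_2
User/Group                 Authentication                 Acct
Name           Application Method        Role Name        Locked
-------------- ----------- ------------- ---------------- ------
admin          console     password      admin            no
admin          ssh         password      admin            no
mydomain\\user_ad_ssh ssh   domain        admin            -
"""
TUNNEL_SHOW = "Tunnel Vserver: vs1\n"
TUNNEL_SHOW_NONE = "There are no entries matching your query.\n"  # assumed wording

# NetBIOS domain (no dots or slashes) + backslash + user name.
DOMAIN_ACCOUNT_RE = re.compile(r"^[^\\./\s]+\\[^\\\s]+$")


@dataclass
class LoginEntry:
    vserver: str
    name: str
    application: str
    method: str
    role: str
    locked: str


def parse_login_show(text: str) -> List[LoginEntry]:
    """Turn the tabular output into rows, attributing each to its 'Vserver:' header."""
    entries: List[LoginEntry] = []
    vserver: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Vserver:"):
            vserver = line.split(":", 1)[1].strip()
            continue
        if vserver is None or line.startswith(("User/Group", "Name ", "---")):
            continue  # column headings and the dashed rule carry no data
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected row in security login show output: {raw!r}")
        entries.append(LoginEntry(vserver, *fields))
    return entries


def parse_tunnel_show(text: str) -> Optional[str]:
    """Return the tunnel SVM name, or None when no tunnel is configured."""
    match = re.search(r"^Tunnel Vserver:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def is_domain_account_name(name: str) -> bool:
    return DOMAIN_ACCOUNT_RE.match(name) is not None


def has_account(entries, vserver, name, application, method, role) -> bool:
    """The verification the recipe does with 'security login show -user-or-group-name'."""
    return any(e.vserver == vserver and e.name == name and e.application == application
               and e.method == method and e.role == role for e in entries)


def audit(entries: List[LoginEntry], tunnel_vserver: Optional[str], admin_svm: str) -> List[str]:
    """Return findings; an empty list means the setup matches the recipe's rules."""
    findings: List[str] = []
    domain_accounts = [e for e in entries if e.method == "domain"]
    for e in domain_accounts:
        if not is_domain_account_name(e.name):
            findings.append(f"{e.vserver}: domain account {e.name!r} is not NETBIOS-DOMAIN\\user")
    if any(e.vserver == admin_svm for e in domain_accounts):
        if tunnel_vserver is None:
            findings.append(f"{admin_svm}: domain accounts exist but no domain tunnel is configured")
        if not any(e.vserver == admin_svm and e.method == "password" and e.role == "admin"
                   for e in entries):
            findings.append(f"{admin_svm}: no local password admin account to fall back on "
                            "if the tunnel SVM is stopped")
    return findings


if __name__ == "__main__":
    accounts = parse_login_show(LOGIN_SHOW)
    for line in audit(accounts, parse_tunnel_show(TUNNEL_SHOW), "Cluster-1_2") or ["OK"]:
        print(line)
```

On a real cluster, capture the two outputs over ssh (for example ssh admin@Cluster-1_2 "security login show") and feed them to parse_login_show() and parse_tunnel_show(); the row parser splits on whitespace, which is safe because ONTAP account names and role names contain no spaces.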
For more information, see the ONTAP 9 documentation center.