NetApp Active Directory Authentication

October 28, 2020

Security has always been a concern, regardless of whether your NetApp storage array is locked in a data center or not. A good practice is to enable Active Directory Authentication and disable the local admin account.

As I continue to build out my lab, it now consists of several Intel NUCs with NetApp ONTAP Select (OTS), vCenter and a Windows Active Directory VM. Make sure to check out my previous blog posts on how I deployed the various components.

In order for you to enable Active Directory (AD) domain users to access your NetApp ONTAP cluster, you must set up an authentication tunnel through a CIFS-enabled SVM.

Before you begin

CIFS setup requirements (from the NetApp documentation)

  • The CIFS license must be installed on your storage system.
  • While configuring CIFS in the Active Directory domain, the following requirements must be met:
    • DNS must be enabled and configured correctly.
    • The storage system must be able to communicate with the domain controller using the fully qualified domain name (FQDN).
    • The time difference (clock skew) between the cluster and the domain controller must not be more than five minutes.
  • If CIFS is the only protocol configured on the storage virtual machine (SVM), the following requirements must be met:
    • The root volume security style must be NTFS. By default, NetApp System Manager sets the security style to UNIX, so check this before proceeding.
    • Superuser access must be set to Any for the CIFS protocol.
  • A user account with appropriate permissions is required to join the domain.

Configure / Set Up CIFS

  1. Click Setup
  2. Enter Details
  3. Click Setup

Create Active Directory Security Group

  1. Create an Organizational Unit (OU) named “HDC Admin Accounts”
  2. Create sub-OUs (subfolders) for Admin, Security and Service accounts
  3. Create the users (Administrator) in the Admin Accounts sub-OU
  4. Create a Security Group and add the users (Administrator) to it

How to Set Up Authentication

  1. Create the Security Tunnel (svm100 is the CIFS-enabled data SVM; the login entries in the following steps are created on the cluster admin SVM, ots100)

ots100::> security login domain-tunnel create -vserver svm100

ots100::> security login domain-tunnel show

  2. Allow Active Directory (AD) User or Group Access

ots100::> security login create -vserver ots100 -user-or-group-name HDC\NetAppAdmins -authmethod domain -application http

ots100::> security login create -vserver ots100 -user-or-group-name HDC\NetAppAdmins -authmethod domain -application ontapi

ots100::> security login create -vserver ots100 -user-or-group-name HDC\NetAppAdmins -authmethod domain -application ssh

  3. Allow Specific Domain Users

ots100::> security login create -vserver ots100 -user-or-group-name HDC\Administrator -authmethod domain -application http

ots100::> security login create -vserver ots100 -user-or-group-name HDC\Administrator -authmethod domain -application ontapi

ots100::> security login create -vserver ots100 -user-or-group-name HDC\Administrator -authmethod domain -application ssh

NOTE:

If the authentication tunnel or SVM is deleted, subsequent login sessions cannot be authenticated, and Active Directory domain users cannot access the cluster.
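As an added check, not part of the original post, the following Python snippet audits a cluster's `security login show` output for the entries created above: it confirms that each domain principal has a domain-method login for http, ontapi and ssh, and lists any local password logins that are still unlocked, which is the state the opening paragraph recommends moving away from. The sample output, its simplified column layout and the principal names are constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed sample of `security login show` output for the cluster SVM in the
# post. The column layout is simplified for this example; real ONTAP output
# wraps the headers over several lines and is wider.
SAMPLE_LOGIN_SHOW = """\
Vserver: ots100
User/Group Name    Application  Authentication Method  Role Name  Acct Locked
-----------------  -----------  ---------------------  ---------  -----------
admin              console      password               admin      no
admin              http         password               admin      no
admin              ontapi       password               admin      no
admin              ssh          password               admin      no
HDC\\NetAppAdmins   http         domain                 admin      -
HDC\\NetAppAdmins   ontapi       domain                 admin      -
HDC\\NetAppAdmins   ssh          domain                 admin      -
HDC\\Administrator  http         domain                 admin      -
HDC\\Administrator  ssh          domain                 admin      -
"""

# The three applications the post grants to each domain principal.
REQUIRED_APPS = ("http", "ontapi", "ssh")


def parse_login_show(text: str) -> List[Dict[str, str]]:
    """Turn the tabular output into one dict per login entry."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        # Skip the Vserver line, the header row and the dashed separator.
        if len(cols) < 5 or cols[0].startswith("-") or cols[0] in ("Vserver:", "User/Group"):
            continue
        entries.append({"user": cols[0], "app": cols[1], "method": cols[2],
                        "role": cols[3], "locked": cols[4]})
    return entries


def audit_domain_logins(entries: List[Dict[str, str]], principals: List[str],
                        apps: Tuple[str, ...] = REQUIRED_APPS):
    """Return (missing domain entries, unlocked local password logins)."""
    # (principal, application) pairs that already authenticate via the AD tunnel.
    have = {(e["user"], e["app"]) for e in entries if e["method"] == "domain"}
    missing = sorted((p, a) for p in principals for a in apps if (p, a) not in have)
    # Local password logins that are not locked are still usable without AD.
    local_unlocked = sorted(e["user"] + "/" + e["app"] for e in entries
                            if e["method"] == "password" and e["locked"] == "no")
    return missing, local_unlocked
```

Run it against the real output of `security login show` once the entries above are in place; an empty first list means every principal is covered, and the second list shows which local logins remain to be locked.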
