How to configure AD authentication for cluster when CIFS is not licensed
Applies to
- ONTAP 9
- Active Directory (AD)
Description
- Joining a data SVM to a domain does not create a CIFS server or require a CIFS license
- It enables the authentication of AD users and groups at the SVM or cluster level
Procedure
Prerequisites
- Credentials of a user account with sufficient privileges to add computers to the organizational unit (OU) are required
- Enable DNS for host-name resolution
Process
- Create an active directory connection with any one of the following three methods:
  - Starting in ONTAP 9.16.1 create an SVM computer account on the domain for the Admin SVM (no domain tunnel required).
    Example:
    cluster1::> vserver active-directory create -vserver <SVM_name> -account-name <NetBIOS_account_name> -domain <domain> -ou <organizational_unit>
  - Configure an authentication tunnel (referred to as a domain tunnel), ensuring an SVM Management LIF exists (see Create ONTAP LIFs).
    Example:
    cluster1::> security login domain-tunnel create -vserver svm01
    cluster1::> security login domain-tunnel show
    Tunnel Vserver: svm01
- Grant an AD user or group access to the cluster by using the security login create command with the -authmethod parameter set to domain:
  cluster1::> security login create -vserver <cluster_name> -user-or-group-name DOMAIN1\AD_user -application ssh -authmethod domain
  Note: Specify either the Admin SVM or the Data SVM if access is to be granted for the data SVM.
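After AD users or groups have been granted access with -authmethod domain, it is worth reviewing which of them ended up with which role and application. The following is an added example, not NetApp's code: it parses text in the column order of `security login show` and lists the domain-authenticated entries. The sample output is constructed, and the one-entry-per-line layout is an assumption.

```python
import re

# Constructed sample (not captured from a real cluster), in the column order of
# `security login show`: name, application, method, role, locked, second method.
SAMPLE = r"""
Vserver: cluster1
User/Group                       Authentication             Acct   Authentication
Name                 Application Method         Role Name   Locked Method
-------------------- ----------- -------------- ----------- ------ --------------
admin                ssh         password       admin       no     none
DOMAIN1\AD_user      ssh         domain         admin       -      none
DOMAIN1\Storage Ops  http        domain         readonly    -      none
DOMAIN1\AD_user      ontapi      domain         admin       -      none
"""

def parse_logins(text):
    """Return one dict per login entry, tagged with its 'Vserver:' block."""
    entries, vserver = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Vserver:\s*(\S+)", line)
        if m:
            vserver = m.group(1)
            continue
        # Split from the right so an AD group name containing spaces stays whole.
        parts = line.rsplit(None, 5)
        # Header and separator rows never carry a valid "Acct Locked" value.
        if vserver is None or len(parts) != 6 or parts[4] not in ("yes", "no", "-"):
            continue
        name, app, method, role, _locked, second = parts
        entries.append({"vserver": vserver, "name": name, "application": app,
                        "method": method, "role": role, "second": second})
    return entries

def domain_grants(entries, role=None):
    """Entries authenticated against AD, optionally limited to one role."""
    return [e for e in entries
            if e["method"] == "domain" and role in (None, e["role"])]

if __name__ == "__main__":
    # Print every AD principal that holds the admin role, per application.
    for e in domain_grants(parse_logins(SAMPLE), role="admin"):
        print(f'{e["vserver"]}: {e["name"]} -> {e["application"]} ({e["role"]})')
```
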
Additional Information
- How to configure System Manager for authentication using domain user or group
- Configure Active Directory domain controller access overview
- Routing
- Firewall configuration
- DNS
