How to configure AD authentication for cluster when CIFS is not licensed
- Category: clustered-data-ontap-8
- Specialty: nas
- Last Updated: 5/5/2025, 12:15:53 PM
Applies to
- ONTAP 9.16.1 and later
- Active Directory (AD)
Description
- This article describes the procedure, available beginning with ONTAP 9.16.1, to enable AD domain users and groups to access the cluster and SVMs when CIFS is not licensed.
- If AD authentication is not configured properly, the following errors are logged in messages.log when the user attempts to log in to the cluster.
MESSAGES.LOG:
00000027.046d4c91 3db22b6e Fri Oct 12 2018 12:11:25 +11:00 [auth_sshd:info:83202] Invalid user Domain\\AD_user from 10.21.xx.yy
00000027.046d4c94 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83212] in do_pam_domain_auth(): ERROR: do_pam_domain_auth: AUTH of user: Domain\AD_user Failed
00000027.046d4c95 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83202] error: PAM: authentication error for Domain\\AD_user from 10.21.xx.yy
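The three log lines above are the signature of a failed AD domain login over SSH. The following is an added example (not part of the NetApp article, and not NetApp code) of a small parser that reads messages.log-style lines, picks out the auth_sshd events relevant to domain authentication, and groups them per user and source address so an operator can spot the failure pattern quickly. The line format, the field names in the returned dictionaries, and the sample log (which reuses the excerpt above plus one constructed "Accepted password" line) are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the messages.log excerpt in the article.
# A raw string keeps the backslashes exactly as they appear in the log.
SAMPLE_LOG = r"""
00000027.046d4c91 3db22b6e Fri Oct 12 2018 12:11:25 +11:00 [auth_sshd:info:83202] Invalid user Domain\\AD_user from 10.21.xx.yy
00000027.046d4c94 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83212] in do_pam_domain_auth(): ERROR: do_pam_domain_auth: AUTH of user: Domain\AD_user Failed
00000027.046d4c95 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83202] error: PAM: authentication error for Domain\\AD_user from 10.21.xx.yy
00000027.046d4c99 3db22c10 Fri Oct 12 2018 12:12:01 +11:00 [auth_sshd:info:83202] Accepted password for admin from 10.21.xx.zz
"""

# Assumed line layout: <seq> <id> <timestamp> [<module>:<level>:<pid>] <message>
HEADER_RE = re.compile(
    r"^(?P<seq>\S+) (?P<id>\S+) "
    r"(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"\[(?P<module>[^:\]]+):(?P<level>[^:\]]+):(?P<pid>\d+)\] (?P<msg>.*)$"
)

# Message patterns taken from the three failure lines in the article.
PATTERNS = {
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from (?P<src>\S+)"),
    "domain_auth_failed": re.compile(r"do_pam_domain_auth: AUTH of user: (?P<user>\S+) Failed"),
    "pam_error": re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)"),
}


def normalize_user(user: str) -> str:
    """Collapse the doubled backslash some lines use so DOMAIN\\user compares equal across lines."""
    return user.replace("\\\\", "\\")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a structured event for a domain-auth-related auth_sshd line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("module") != "auth_sshd":
        return None
    for kind, pattern in PATTERNS.items():
        hit = pattern.search(m.group("msg"))
        if hit:
            user = normalize_user(hit.group("user"))
            domain, _, account = user.partition("\\")
            return {
                "kind": kind,
                "ts": m.group("ts"),
                "level": m.group("level"),
                "user": user,
                # A backslash marks a domain login; local users have no domain part.
                "domain": domain if account else None,
                "src": hit.groupdict().get("src"),
            }
    return None


def find_domain_auth_failures(text: str) -> List[Dict[str, Optional[str]]]:
    """Scan a messages.log excerpt and keep only the events that indicate a failed AD login."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events: List[Dict[str, Optional[str]]]) -> Dict[str, Dict[str, object]]:
    """Group failures per user: how many lines, which kinds, and which source addresses."""
    summary: Dict[str, Dict[str, object]] = {}
    for ev in events:
        entry = summary.setdefault(ev["user"], {"count": 0, "kinds": set(), "sources": set()})
        entry["count"] += 1
        entry["kinds"].add(ev["kind"])
        if ev["src"]:
            entry["sources"].add(ev["src"])
    return summary


if __name__ == "__main__":
    for user, info in summarize(find_domain_auth_failures(SAMPLE_LOG)).items():
        print(f"{user}: {info['count']} failure lines, kinds={sorted(info['kinds'])}, "
              f"from={sorted(info['sources'])}")
```

A user that shows `invalid_user` together with `domain_auth_failed` is the case this article addresses: the SSH daemon could not map the DOMAIN\user name to a login because the domain authentication path (AD join, domain login entry, domain tunnel) is incomplete, rather than because the password was wrong.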
Procedure
- Create a data LIF with data-protocol set to none:
::> network interface create -vserver svm01 -lif adlif -role data -data-protocol none -home-node Node01 -home-port e0a -address a.b.c.d -netmask 255.255.255.0 -status-admin up
- Enable DNS for host-name resolution
- Use any data SVM in the cluster and join it to a domain by using the following command:
::> vserver active-directory create -vserver svm01 -account-name <NetBIOS_name> -domain <domain_name>
Note:
- Joining a data SVM to a domain does not create a CIFS server or require a CIFS license. However, it enables the authentication of AD users and groups at the SVM or cluster level.
- Credentials of a user account with sufficient privileges to add computers to the organizational unit (OU) are required.
- Grant an AD user or group access to the cluster by using the security login create command with the -authmethod parameter set to domain:
::> security login create -vserver <cluster_name> -user-or-group-name DOMAIN1\AD_user -application ssh -authmethod domain
Note: Use the SVM associated with the LIF from step 1: the cluster SVM if access is to be granted via cluster LIFs, or the data SVM if access is to be granted via the data SVM.
- Create the domain tunnel so that the cluster can authenticate AD login sessions:
::> security login domain-tunnel create -vserver svm01
::> security login domain-tunnel show
Tunnel Vserver: svm01
Note:
- This is a required step and AD authentication fails if this step is missing. Domain tunneling can be created even if CIFS is not licensed.
- If an admin SVM was used in step 3 of this procedure, it is not necessary to create the domain tunnel; this step can be omitted.
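To check that all steps of the procedure above are in place before a user reports the messages.log errors, the following added example (not part of the NetApp article, and not NetApp code) audits the four pieces the procedure creates: a data LIF with data-protocol none, the AD account on the data SVM, a domain-authenticated SSH login on the cluster SVM or the data SVM, and the domain tunnel. It consumes command output in the "Key: value" form shown for `security login domain-tunnel show` above; the field names and the sample records are constructed for the example and are not the exact field names ONTAP prints, so map them to your own captured output.

```python
from typing import Dict, List

# Constructed sample output, one record per blank-line-separated block.
GOOD_LIFS = """\
Vserver: svm01
Logical Interface Name: adlif
Role: data
Data Protocol: none
Home Node: Node01
Home Port: e0a
Status Admin: up
"""

AD_ACCOUNTS = """\
Vserver: svm01
Account Name: SVM01
Domain: example.test
"""

# Raw string so the backslash in the account name survives as written.
LOGINS = r"""
Vserver: cluster1
User/Group Name: DOMAIN1\AD_user
Application: ssh
Authentication Method: domain
"""

TUNNEL = "Tunnel Vserver: svm01\n"


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split 'Key: value' output into records separated by blank lines."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit_domain_auth(cluster_name: str, ad_vserver: str,
                      lifs: str, ad_accounts: str, logins: str, tunnel: str) -> List[str]:
    """Return a list of findings; an empty list means every step of the procedure is present."""
    findings: List[str] = []

    # Step 1: a data LIF with data-protocol none on the SVM that will be joined to AD.
    if not any(r.get("Vserver") == ad_vserver and r.get("Role") == "data"
               and r.get("Data Protocol") == "none" for r in parse_records(lifs)):
        findings.append(f"no data LIF with data-protocol none on {ad_vserver}")

    # Step 3: the data SVM must be joined to a domain (no CIFS server needed).
    if not any(r.get("Vserver") == ad_vserver and r.get("Domain")
               for r in parse_records(ad_accounts)):
        findings.append(f"{ad_vserver} is not joined to an Active Directory domain")

    # Step 4: an SSH login with -authmethod domain on the cluster SVM or the AD-joined SVM.
    domain_logins = [r for r in parse_records(logins)
                     if r.get("Authentication Method") == "domain" and r.get("Application") == "ssh"]
    if not domain_logins:
        findings.append("no security login entry with -authmethod domain for ssh")
    for r in domain_logins:
        if r.get("Vserver") not in (cluster_name, ad_vserver):
            findings.append(f"login {r.get('User/Group Name')} is on {r.get('Vserver')}, "
                            f"expected {cluster_name} or {ad_vserver}")

    # Step 5: the domain tunnel must point at the AD-joined SVM; it is only
    # unnecessary when the admin SVM itself was joined (the article's note).
    tunnels = {r.get("Tunnel Vserver") for r in parse_records(tunnel) if r.get("Tunnel Vserver")}
    if ad_vserver != cluster_name and ad_vserver not in tunnels:
        findings.append(f"no domain tunnel for {ad_vserver}; AD authentication will fail")

    return findings


if __name__ == "__main__":
    for finding in audit_domain_auth("cluster1", "svm01", GOOD_LIFS, AD_ACCOUNTS, LOGINS, TUNNEL) or ["ok"]:
        print(finding)
```

The tunnel check encodes the two notes above: it is required whenever the AD-joined SVM is a data SVM, and it is skipped only when the admin SVM was the one joined.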
Additional Information
- Configure Active Directory domain controller access overview
- Routing
- Firewall configuration
- DNS