NetApp Knowledge Base

How to configure AD authentication for cluster when CIFS is not licensed

Category:
clustered-data-ontap-8
Specialty:
nas
Last Updated:
5/5/2025, 12:15:53 PM

Applies to

  • ONTAP 9.16.1 and later
  • Active Directory (AD)

Description

  • This article describes the procedure, available beginning with ONTAP 9.16.1, for enabling AD domain users and groups to access the cluster and SVMs when CIFS is not licensed.
  • If AD authentication is not configured correctly, the following errors are logged in messages.log when the user attempts to log in to the cluster.

MESSAGES.LOG:

00000027.046d4c91 3db22b6e Fri Oct 12 2018 12:11:25 +11:00 [auth_sshd:info:83202] Invalid user Domain\\AD_user from 10.21.xx.yy
00000027.046d4c94 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83212] in do_pam_domain_auth(): ERROR: do_pam_domain_auth: AUTH of user: Domain\AD_user Failed
00000027.046d4c95 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83202] error: PAM: authentication error for Domain\\AD_user from 10.21.xx.yy
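As an added example (not part of this article and not NetApp code), the following Python parser picks the auth_sshd entries shown above out of messages.log and counts the domain-authentication failures per domain and user, which is what an administrator would check after completing the procedure in this article. The embedded log lines are constructed from the excerpt above; the address 10.21.1.5 and the final "Accepted" line are placeholders added so that the parser has a non-matching line to ignore.

```python
import re
from collections import Counter

# Constructed sample input modelled on the messages.log excerpt in this article.
# Sequence numbers and timestamps are copied from the article; the source
# address and the last line are placeholders.
SAMPLE_LOG = r"""
00000027.046d4c91 3db22b6e Fri Oct 12 2018 12:11:25 +11:00 [auth_sshd:info:83202] Invalid user Domain\\AD_user from 10.21.1.5
00000027.046d4c94 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83212] in do_pam_domain_auth(): ERROR: do_pam_domain_auth: AUTH of user: Domain\AD_user Failed
00000027.046d4c95 3db22bd2 Fri Oct 12 2018 12:11:35 +11:00 [auth_sshd:error:83202] error: PAM: authentication error for Domain\\AD_user from 10.21.1.5
00000027.046d4c99 3db22c10 Fri Oct 12 2018 12:20:02 +11:00 [auth_sshd:info:83202] Accepted password for admin from 10.21.1.9
"""

# Generic messages.log line: <seq> <id> <timestamp with UTC offset> [<facility>:<severity>:<code>] <message>
LINE_RE = re.compile(
    r"^(?P<seq>\S+)\s+(?P<id>\S+)\s+(?P<ts>.+?[+-]\d\d:\d\d)\s+"
    r"\[(?P<facility>[^:\]]+):(?P<sev>\w+):(?P<code>\d+)\]\s+(?P<msg>.*)$"
)

# The three message shapes that appear when AD authentication is misconfigured.
MESSAGE_PATTERNS = {
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from (?P<src>\S+)"),
    "domain_auth_failed": re.compile(r"do_pam_domain_auth: AUTH of user: (?P<user>\S+) Failed"),
    "pam_auth_error": re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)"),
}


def normalize_user(raw):
    """Collapse the escaped 'Domain\\\\user' form to 'Domain\\user' and split it."""
    user = raw.replace("\\\\", "\\")
    domain, sep, name = user.partition("\\")
    if not sep:
        return None, user  # local (non-domain) account
    return domain, name


def parse_auth_events(text):
    """Return a list of dicts for every auth_sshd line that matches a known failure shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("facility") != "auth_sshd":
            continue
        for kind, pattern in MESSAGE_PATTERNS.items():
            hit = pattern.search(m.group("msg"))
            if hit:
                domain, user = normalize_user(hit.group("user"))
                events.append({
                    "kind": kind,
                    "ts": m.group("ts"),
                    "severity": m.group("sev"),
                    "domain": domain,
                    "user": user,
                    "src": hit.groupdict().get("src"),
                })
                break
    return events


def count_domain_auth_failures(events):
    """Count do_pam_domain_auth failures per (domain, user); non-zero means AD auth is not working."""
    return Counter(
        (e["domain"], e["user"]) for e in events if e["kind"] == "domain_auth_failed"
    )


if __name__ == "__main__":
    found = parse_auth_events(SAMPLE_LOG)
    for e in found:
        print(f'{e["ts"]}  {e["kind"]:<20} {e["domain"]}\\{e["user"]} from {e["src"]}')
    for (domain, user), n in count_domain_auth_failures(found).items():
        print(f"domain auth failures for {domain}\\{user}: {n}")
```

The parser keys on the `do_pam_domain_auth ... Failed` line rather than on the generic PAM error, because that line is the one that specifically indicates the domain path was tried and rejected; a count above zero after the procedure has been applied points at a missing domain tunnel or a login entry created under the wrong SVM.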

Procedure

  1. Create a data LIF with data-protocol set to none:
::> network interface create -vserver svm01 -lif adlif -role data -data-protocol none -home-node Node01 -home-port e0a -address a.b.c.d -netmask 255.255.255.0 -status-admin up
  2. Enable DNS for host-name resolution.
  3. Use any data SVM in the cluster and join it to the domain with the following command:
::> vserver active-directory create -vserver svm01 -account-name <NetBIOS_name> -domain <domain_name>

Note:
  • Joining a data SVM to a domain does not create a CIFS server and does not require a CIFS license. It does enable authentication of AD users and groups at the SVM or cluster level.
  • Credentials of a user account with sufficient privileges to add computers to the organizational unit (OU) are required.
  4. Grant an AD user or group access to the cluster with the security login create command, setting the -authmethod parameter to domain:
::> security login create -vserver <cluster_name> -user-or-group-name DOMAIN1\AD_user -application ssh -authmethod domain
Note: Use the SVM that owns the LIF created in step 1: the cluster SVM if access is granted through cluster LIFs, or the data SVM if access is granted to the data SVM.
  5. Create the domain tunnel so that AD login sessions to the cluster can be authenticated:
::> security login domain-tunnel create -vserver svm01
::> security login domain-tunnel show
    Tunnel Vserver: svm01

Note:
  • This step is required: AD authentication fails if the domain tunnel is missing. The domain tunnel can be created even if CIFS is not licensed.
  • If the admin SVM was used in step 3 of this procedure, the domain tunnel is not needed and this step can be omitted.

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.