NetApp Cluster Mode – Active Directory Authentication setup

Cluster mode is an awesome beast. I say beast, because everything takes MANY more steps to do. Say you want to just enable SSH or OnCommand System Manager client access to your base level cluster? Not so fast… there’s lots of steps before that.

In order to add Active Directory authentication to a Cluster Mode environment, you have to do the following:

  1. License CIFS
  2. Make a CIFS vserver
  3. Add an Authentication “DOMAIN-TUNNEL” to punch from the outside “cluster” vserver through the cifs vserver to AD.
  4. Add User entries for every domain user + application + role
  5. Profit!

Here I will walk you through what it takes to do all the shit I listed above.

######## Add the Licenses ########

s1-fas3220::system license> add MLKRXXXXXXXXXXNVNBAAAAAAAAA
License for package “CIFS” and serial number “1-81-000000000000070000123458” installed successfully.
(1 of 1 added successfully)

s1-fas3220::system license> add CGZDGXXXXXXXNBAAAAAAAAA
License for package “CIFS” and serial number “1-81-0000000000000700001234546” installed successfully.
(1 of 1 added successfully)

######## Create the CIFS vServer ########

s1-fas3220::vserver> vserver setup
Welcome to the Vserver Setup Wizard, which will lead you through
the steps to create a virtual storage server that serves data to clients.

You can enter the following commands at any time:
“help” or “?” if you want to have a question clarified,
“back” if you want to change your answers to previous questions, and
“exit” if you want to quit the Vserver Setup Wizard. Any changes
you made before typing “exit” will be applied.

You can restart the Vserver Setup Wizard by typing “vserver setup”. To accept a default
or omit a question, do not enter a value.

Vserver Setup wizard creates and configures only data Vservers.
If you want to create a Vserver with Infinite Volume use the vserver create command.

Step 1. Create a Vserver.
You can type “back”, “exit”, or “help” at any question.

Enter the Vserver name: s1-cifs-vs
Choose the Vserver data protocols to be configured {nfs, cifs, fcp, iscsi, ndmp}: cifs
Choose the Vserver client services to be configured {ldap, nis, dns}: dns
Enter the Vserver’s root volume aggregate {aggr1_fas3220_01_900GBSAS_01, aggr2_fas3220_02_900GBSAS_02} [aggr2_fas3220_02_900GBSAS_02]: aggr2_fas3220_02_900GBSAS_02
Enter the Vserver language setting, or “help” to see all languages [C]:
Enter the Vserver root volume’s security style {mixed, ntfs, unix} [ntfs]:
Vserver creation might take some time to finish….

Vserver s1-cifs-vs with language set to C created. The permitted protocols are cifs.

Step 2: Create a data volume
You can type “back”, “exit”, or “help” at any question.

Do you want to create a data volume? {yes, no} [yes]:
Enter the volume name [vol1]:
Enter the name of the aggregate to contain this volume {aggr1_fas3220_01_900GBSAS_01, aggr2_fas3220_02_900GBSAS_02} [aggr2_fas3220_02_900GBSAS_02]:
Enter the volume size: 100GB
Enter the volume junction path [/vol/vol1]:
It can take up to a minute to create a volume…

Volume vol1 of size 100GB created on aggregate aggr2_fas3220_02_900GBSAS_02 successfully.
Do you want to create an additional data volume? {yes, no} [no]:

Step 3: Create a logical interface.
You can type “back”, “exit”, or “help” at any question.

Do you want to create a logical interface? {yes, no} [yes]:
Enter the LIF name [lif1]: s1-cifs-vs_cifs_lif1
Which protocols can use this interface {nfs, cifs, iscsi}: cifs
Enter the home node {s1-fas3220-02, s1-fas3220-01} [s1-fas3220-01]:
Enter the home port {a1a, a1a-224, a1a-232, a1a-236, a1a-252, e2a, e2a-220, e2a-224, e2a-232, e2a-236, e2a-240, e2a-244, e2a-252} [a1a]: e2a-252
Enter the IP address: 10.20.52.141
Enter the network mask: 255.255.255.0
Enter the default gateway IP address: 10.20.52.1

LIF s1-cifs-vs_cifs_lif1 on node s1-fas3220-01, on port e2a-252 with IP address 10.20.52.141 was created.
Do you want to create an additional LIF now? {yes, no} [no]:

Step 4: Configure DNS (Domain Name Service).
You can type “back”, “exit”, or “help” at any question.

Do you want to configure DNS? {yes, no} [yes]:
Enter the comma separated DNS domain names: mycorp.local
Enter the comma separated DNS server IP addresses: 10.20.52.51,10.20.52.52

DNS for Vserver s1-cifs-vs is configured.

Step 5: Configure CIFS.
You can type “back”, “exit”, or “help” at any question.

Do you want to configure CIFS? {yes, no} [yes]:
Enter the CIFS server name [S1-CIFS-VS-S1-F]:
Enter the Active Directory domain name: mycorp.local

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the
“CN=Computers” container within the “mycorp.local” domain.
Enter the user name: jk47
Enter the password:

CIFS server “S1-CIFS-VS-S1-F” created and successfully joined the domain.
Do you want to share a data volume with CIFS clients? {yes, no} [yes]:
Enter the CIFS share name [vol1]:
Enter the CIFS share path [/vol/vol1]:
Select the initial level of access that the group “Everyone” has to the share {No_access, Read, Change, Full_Control} [No_access]:

The CIFS share “vol1” created successfully.
Default UNIX users and groups created successfully.
Default export policy rule created successfully.

Vserver s1-cifs-vs, with protocol(s) cifs, and service(s) dns has been configured successfully.

s1-fas3220::vserver> cd ..   <---- Important! Go to the base level, since "security" doesn't work in the vserver context.

######## CRITICAL!!! MAKE THE DOMAIN-TUNNEL ########

s1-fas3220::> security login domain-tunnel create -vserver s1-cifs-vs

######## Add the Logins ########

# Add Login for HTTP (Web/Client app/Api)
s1-fas3220::> security login create -vserver s1-fas3220 -username mycorp\jk47 -application http -authmethod domain -role admin

# Add Login for SSH access, for real men.
s1-fas3220::> security login create -vserver s1-fas3220 -username mycorp\jk47 -application ssh -authmethod domain -role admin

######## Test it! ########

jk-47:~ jk47$ ssh mycorp\\[email protected]   <-- notice the \\ for you linux/osx users, since a single \ is eaten by the shell before it reaches the ONTAP CLI.
Password:
s1-fas3220::> <----- It works!
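Once the tunnel and logins exist, the thing worth checking periodically is which AD accounts can now reach the cluster admin vserver and with what role. The script below is an added example, not part of this post or of NetApp's tooling: it parses the table that `security login show -vserver s1-fas3220 -fields vserver,username,application,authmethod,role` prints (the `-fields` layout, header line then dashed rule then rows then a trailing count, is assumed here from typical clustered ONTAP output) and lists the domain-authenticated logins holding `admin`. The sample output is constructed to mirror the two `security login create` commands above.

```python
"""Audit AD-backed logins on the cluster admin vserver from
'security login show -fields ...' output. Added example; assumes the
-fields table layout and the admin vserver name s1-fas3220 from the post."""
from collections import namedtuple

Login = namedtuple("Login", "vserver username application authmethod role")

# Constructed sample of the -fields table (not captured from a real system):
# the built-in admin account plus the two domain logins created above.
SAMPLE_OUTPUT = r"""
vserver    username    application authmethod role
---------- ----------- ----------- ---------- -----
s1-fas3220 admin       console     password   admin
s1-fas3220 admin       ssh         password   admin
s1-fas3220 mycorp\jk47 http        domain     admin
s1-fas3220 mycorp\jk47 ssh         domain     admin
4 entries were displayed.
"""


def parse_login_table(text):
    """Turn the -fields output into Login tuples. None of the five fields
    can contain whitespace (DOMAIN\\user has none), so a plain split works."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows or rows[0] != list(Login._fields):
        raise ValueError("unexpected header; run with -fields " + ",".join(Login._fields))
    logins = []
    for cols in rows[1:]:
        if set(cols[0]) == {"-"}:        # dashed rule under the header
            continue
        if cols[-1] == "displayed.":     # trailing "N entries were displayed."
            break
        logins.append(Login(*cols))
    return logins


def domain_admin_logins(logins, admin_vserver="s1-fas3220"):
    """(username, application) pairs authenticated through the domain tunnel
    that hold the admin role on the cluster admin vserver: each one is full
    cluster control granted to an AD account, so it belongs on a review list."""
    return sorted({(l.username, l.application) for l in logins
                   if l.vserver == admin_vserver
                   and l.authmethod == "domain" and l.role == "admin"})


if __name__ == "__main__":
    for user, app in domain_admin_logins(parse_login_table(SAMPLE_OUTPUT)):
        print(f"domain admin login: {user} via {app}")
```

Feed it the real `security login show -fields ...` output captured over SSH, and compare the list against the accounts you actually intended to grant; anything that only needs monitoring should have been created with the built-in `readonly` role instead of `admin`.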
