ASA admin accounts in AD?


eternal crescent
#

My students just pointed out their trouble pulling RBAC Admin accounts from their AD:

The vserver active-directory create -vserver SVM_name -account-name NetBIOS_account_name -domain domain -ou organizational_unit command is only available for Data SVMs, not the Admin SVM.
They always have to configure a Data SVM and use the "tunnel".

How would that work on an ASA system???
No possibility to use AD for administrative accounts??

barren cosmos
#

What's the issue with the cmd? You can add an SVM to AD and create a domain-tunnel even if CIFS is not licensed.

#

This should also work for ASA

glad goblet
#

vserver active-directory create does not require a CIFS license and can be used on ASA. What you're thinking about is vserver cifs create, and yes, that will not work on ASA even if you only want to use it for a domain tunnel SVM.

kind tiger
#

Do this:

Vserver create auth
Vserver remove-protocol -vserver auth -protocols *

Net int create -vserver auth -lif auth -service-policy default-management -home-port e0M -home-node local -address xxx -netmask yyy -failover-policy broadcast-domain-wide -auto-revert true

Route create -vserver auth -dest 0.0.0.0/0 -gate ggg

Vserver cifs security modify -vserver auth -is-aes-encryption-enabled true -lm-compatibility-level ntlmv2-krb -session-security-for-ad-ldap sign -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

DNS create -vserver auth -domain abc -name-server ccc,ddd

Vserver active-directory create -vserver auth <rest of command >

Security login domain-tunnel create -vserver auth

Security login create -user "domain\group" -auth domain -app ontapi

Security login create -user "domain\group" -auth domain -app http

Security login create -user "domain\group" -auth domain -app ssh

eternal crescent
#

So the consensus is:

Always tunnel, but the "Authentication" Data SVM can be minimalistic and without CIFS being licensed. See @kind tiger's example (just the "tunnel" command and the security login commands are still missing...).

#

is a bit misleading, because it mentions the tunnel and then the vserver active-directory command as an alternative "If you have not configured an SMB server for a data SVM, you can use the vserver active-directory create command to create a computer account for the SVM on the domain."

#

I assumed we could use the Admin SVM directly here...

kind tiger
#

Updated post

eternal crescent
#

I suggested changes to the documentation and also partially quoted @kind tiger's example... 🙂

mortal valve
#

Our doc comments team are great, thanks for the feedback!

#

And yes, that you can't tunnel from the admin SVM is a... quirk

kind tiger
#

Well if you could just do it from the admin SVM then you really wouldn’t need a tunnel 🤓