topic Re: How to grant admin access to a CDOT cluster via an Active Directory group in ONTAP Discussions

How to grant admin access to a CDOT cluster via an Active Directory group

89sigo — Thu, 07 Aug 2014 13:10:45 GMT

We have a new 4 node CDOT cluster that we are building out at this time. This is the first on our company as the rest are all running 7-mode.

When I add execute the following commands on our new CDOT cluster, I am able to successfully login via putty or system manager:

security login create -vserver vs1 -username DOMAIN\username -application ontapi -authmethod domain -role admin
security login create -vserver vs1 -username DOMAIN\username -application ssh -authmethod domain -role admin

However, I need to provision security access via AD groups as we have a ot of admins that need access.

If I use the following commands to provision security, the commands are accepted by ONTAP but AD credential sets will not grant access to putty or system manager.

security login create -vserver vs1 -username "DOMAIN\AD Group" -application ontapi -authmethod domain -role admin
security login create -vserver vs1 -username "DOMAIN\AD Group" -application ssh -authmethod domain -role admin

Please provide comments if you have ideas on next steps.

Re: How to grant admin access to a CDOT cluster via an Active Directory group

SMINATHA22 — Tue, 12 Aug 2014 17:50:34 GMT

We have the exact same issue here. Really tough from a management perspective to have to set manually add and remove user admin accounts on the cluster.

Re: How to grant admin access to a CDOT cluster via an Active Directory group

jbastogne — Wed, 13 Aug 2014 12:17:13 GMT

AD security group is not supported, only AD domain user could be used starting DOT 8.1.1.

From the Release Notes:

Starting with Data ONTAP 8.1.1, you can enable Active Directory (AD) domain users to access the cluster (admin Vserver) by setting up an authentication tunnel through a CIFS-enabled Vserver. You must also create cluster user accounts for the domain users.

Re: How to grant admin access to a CDOT cluster via an Active Directory group

DaleS — Mon, 03 Aug 2015 19:14:42 GMT

I have done it in 8.3 please see below for the steps

Here are the steps to grant access after you have CIFS setup in your SVM (This portion has to be done before the below steps will allow access)

my-fas8060> security login domain-tunnel create -vserver (nameofSVM)

(gives SSH login)

my-fas8060> security login create -vserver (nameofSVM) -username domain\group name -application ssh -authmethod domain -role admin

(gives GUI login)

my-fas8060> security login create -vserver (nameofSVM) -username domain\group name -application http -authmethod domain -role admin

my-fas8060> security login create -vserver (nameofSVM) -username domain\group name -application ontapi -authmethod domain -role admin

Re: How to grant admin access to a CDOT cluster via an Active Directory group

aborzenkov — Tue, 04 Aug 2015 07:02:54 GMT

What credentials are used to log in? You cannot set group password, cannot you?

Re: How to grant admin access to a CDOT cluster via an Active Directory group

scottgelb — Tue, 04 Aug 2015 21:02:22 GMT

8.3 adds support for domain groups over ssh and ontap (not the gui though)

Re: How to grant admin access to a CDOT cluster via an Active Directory group

ilonak — Mon, 10 Aug 2015 21:01:05 GMT

If the group name has a space in it, the quotes around it should work, yes? Example: "DOMAIN\Domain Admins"

Re: How to grant admin access to a CDOT cluster via an Active Directory group

JROBERTS6670 — Wed, 18 Nov 2015 19:53:42 GMT

Hi,

In 8.2.3P4, I found that you have to first create the domain-tunnel SVM, then create the user for the cluster name.

my-fas8060> security login domain-tunnel create -vserver (nameofDomainTunnelSVM)

(gives SSH login)

my-fas8060> security login create -vserver (nameofCluster) -username domain\group name -application ssh -authmethod domain -role admin

(gives GUI login)

my-fas8060> security login create -vserver (nameofCluster) -username domain\group name -application http -authmethod domain -role admin

my-fas8060> security login create -vserver (nameofCluster) -username domain\group name -application ontapi -authmethod domain -role admin

That is how it worked for me.

-Jack

Re: How to grant admin access to a CDOT cluster via an Active Directory group

Sahana — Thu, 19 Nov 2015 03:04:08 GMT

Hi,

Refer https://kb.netapp.com/support/index?page=content&id=1013901 for the procedure.

Re: How to grant admin access to a CDOT cluster via an Active Directory group

rpulikool — Wed, 05 Oct 2016 21:16:13 GMT

Hi,

I was able to set the configuration that you have mentioned, but how do you login once it is set.

Is login id "Domain\username" or "Domain\group\username"

Regards

Re: How to grant admin access to a CDOT cluster via an Active Directory group

piosos — Fri, 21 Jul 2017 14:38:46 GMT

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-900%2Fsecurity__login__create.html

example ONTAP 9:

cluster1::> security login create -user-or-group-name DOMAIN\adgroup -application ssh -authentication-method domain -role readonly

Re: How to grant admin access to a CDOT cluster via an Active Directory group

ARUP-Labs — Wed, 15 Nov 2017 17:15:06 GMT

Thnaks for this post, it worked for us!