Does anyone know the granular permissions used by the Windows account used to join CIFS to the domain during the initial filer setup? We are being tasked with removing "Domain Admins" membership from the account we used. I was directed to an article that indicated this should not affect filer operations. But, we'd like to know the permissions required by the Windows account used during CIFS getting joined to the domain. Thanks in advance.
Any user who is authorized to create machine accounts in the AD domain to which you are joining the SMB server can create the SMB server on the SVM. This can include users from other domains.
Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the -keytab-uri parameter with the vserver cifs commands.