Will the Set-NaCifs cmdlet create the computer object if it does not already exist in the domain, when it is run against a filer with NetApp Release 8.1.3P1?
I am running the following PowerShell command:
Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol -Domain my.domain.com -User svc_user -Password MyPassw0rd -OrganizationalUnit OU=NAS,OU=Storage
I have NOT created the computer object in the OU and want to know if it will automatically get created in this OU if it is not there. The account that I am supplying in the command does have rights to create computer objects in that OU.
If I run the exact same command after creating the computer account manually, it succeeds without any errors.
Thoughts as to why the cmdlet doesn't appear to be creating the computer account?
I used the service account that I am specifying in the cmdlet to manually create the computer account, so I know that it has rights to do so. The service account has full control permissions of the OU that I am trying to create the computer account in.
The filer that I am running this on is an FAS3170 running NetApp Release 8.1.3P1 7-Mode.
Thanks for the information, Sean! If the service account has full control rights on the OU, and we can use the service account to manually create the computer account, wouldn't this be sufficient rights for that account when being used with the Set-NaCifs cmdlet?
The user needs different rights depending on where you are authenticating from.
If you are authenticating from within Windows/domain, you are using private keys. However, if you are authenticating from outside of Windows, you are using public keys.
From the KB article referenced above:
Note: The "ALLOW" requirements above are due to Microsoft publishing public and private Kerberos keys. Windows uses private keys and Data ONTAP uses public keys.
I did verify this in my lab. I created a service account and tried to use the regular "cifs setup" from the ONTAP CLI. It was not able to create the computer account and provided a more usable error message.