ONTAP Discussions
Hi Everyone,
I've been told that we have an SVM that is using Active Directory Domain Tunnelling. When I run the command "security login domain-tunnel show" it shows me that it is indeed enabled and assigned to one of our SVMs.
Can anyone tell me what this is actually doing? Looking at the SVM, it only actually has a few shares on it. So is this for the entire cluster? Or, because it's on a specific SVM, is it only working for whatever is on that SVM?
From this article - security login domain-tunnel create - I can't work out if it's working as a global thing, or just for access to that SVM.
Thanks in advance if anyone can clear this up.
The only thing that's used for is to allow Active Directory domain users/groups to log into the NetApp cluster with ssh or the GUI. On the command line run
security login show -auth domain
That will show you the domain users allowed to log into the cluster and if they can via ssh and/or the GUI (ontapi/http -> both needed for proper GUI).
Hello @NEO-BAHAMUT,
The security login domain-tunnel show command in NetApp ONTAP displays which SVMs (Storage Virtual Machines) are configured as authentication tunnels. An authentication tunnel allows data SVMs that are not directly joined to an Active Directory (AD) domain to authenticate domain users by leveraging the AD connectivity of an admin or cluster SVM. This is a per-SVM configuration, not global, and is useful in environments where only certain SVMs are allowed or able to connect to the AD infrastructure. The tunnel must be explicitly created using the security login domain-tunnel create command, and the authenticating SVM must be joined to the domain. Even with the tunnel in place, domain user access must still be configured individually using the security login create command.
Here is a good link with more information: https://docs.netapp.com/us-en/ontap/authentication/enable-ad-users-groups-access-cluster-svm-task.html
Pretty sure that's not accurate. From the security login domain-tunnel create page:
Add authentication tunnel Vserver for administrative Vserver
I am pretty sure it only works with the admin vserver and not data SVMs. Please show me exactly in some documentation what you say above. The link you provided certainly doesn't. There is no reason for data SVMs to use the domain tunnel. They can just create the CIFS SVM inside the vserver it is running.
In 9.16, you can simply create an "active-directory" vserver in the admin SVM and not even need a domain tunnel anymore.
You are correct. I simulated it here in the lab environment in version 9.16.
It is possible to create the tunnel directly using the vserver.
> vserver active-directory create -vserver vservername -account-name computername -domain domainl -ou CN=Computers
> vserver active-directory show
Thanks guys, just looking into this now. Can't see why you wouldn't just do this at cluster level rather than SVM?
Is there a way to swap it to cluster level if we wanted to?
As noted by @TMACMD,
If you are on version 9.16, create a vserver. You can use:
> vserver active-directory create -vserver vservername -account-name computername -domain domainl -ou CN=Computers
Not quite there yet. I've got 4 nodes to evict out of my cluster (currently on 9.11.1P10). Plan is to remove these nodes, upgrade my new controllers to the latest and greatest. I'm just trying to find out about the bits I don't know about and unearthing lots.
So would it be, create the vserver as above and then disable it from the SVM?
History. Historically, NetApp just did not allow it. The admin SVM was the admin SVM and you couldn't do anything else. The domain-tunnel was created a very long time ago, near the beginning of Clustered ONTAP, to allow for better security. Those customers that need to "secure" ONTAP are not allowed to have local logins and all logins must be authenticated via a domain resource (like Active Directory or LDAP). NetApp added the domain-tunnel and it has stuck for a long time.
The active-directory SVM has also been around for a very long time. This was actually put in place for those customers that did not purchase the CIFS/SMB license. It allowed ONTAP to create an SVM, then create the active-directory object in the SVM and finally create the domain tunnel. This way, those old NFS-only NetApp Filers could still benefit from domain logins.
Finally, in ONTAP 9.16 they are allowing the active-directory object in the admin svm and a domain tunnel is no longer needed.
To add to this (and reduce concerns) the tunnel does *NOT* allow any AD user to log in. It only provides the mechanism to authenticate. User logins are still defined by adding security login users (via CLI or GUI) and roles. If a user has neither of those, they cannot log into an ONTAP cluster - even with a domain tunnel in place.
From the docs:
security login domain-tunnel create
Before using this command to establish the tunnel, the following must take place:
You must use the security login create command to create one or more AD domain user accounts that will be granted access to the cluster.
The -authmethod parameter of the security login create command must be set to 'domain'.
The -username parameter of the security login create command must be set to a valid AD domain user account that is defined in a Windows Domain Controller's Active Directory. The user account must be specified in the format of <domainname>\<username> , where "domainname" is the name of the CIFS domain server.
You must identify or create a CIFS-enabled data Vserver that will be used for Windows authentication with the Active Directory server. This Vserver is the tunnel Vserver, and it must be running for this command to succeed.
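The prerequisites quoted above, laid out as one command sequence. This is an added illustration, not text from the docs or from any post in this thread; the cluster SVM name cluster1, the tunnel SVM svm_auth, the group EXAMPLE\storage-admins and the readonly role are assumed placeholders, and the parameter spellings follow the quoted doc text.

```text
# 1. Define who may log in, and how, BEFORE the tunnel exists.
#    One entry per application; ssh for CLI, ontapi + http for the GUI.
#    (readonly role chosen here to keep the grant minimal; adjust per need.)
cluster1::> security login create -vserver cluster1 -username EXAMPLE\storage-admins -application ssh -authmethod domain -role readonly
cluster1::> security login create -vserver cluster1 -username EXAMPLE\storage-admins -application ontapi -authmethod domain -role readonly
cluster1::> security login create -vserver cluster1 -username EXAMPLE\storage-admins -application http -authmethod domain -role readonly

# 2. Point the cluster at the running, domain-joined SVM that will do the
#    Windows authentication. The tunnel itself grants no access.
cluster1::> security login domain-tunnel create -vserver svm_auth

# 3. Verify: which SVM is the tunnel, and which domain accounts can log in.
cluster1::> security login domain-tunnel show
cluster1::> security login show -auth domain
```

If step 3 lists a tunnel but no domain accounts, no AD user can log in at all; if it lists accounts without a tunnel (pre-9.16), their logins cannot be authenticated.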
Thanks @parisi
I personally dislike that document wording.
You do not have to create a CIFS-enabled SVM.
I personally create a vserver and remove all protocols. I then set up the networking and create an active-directory vserver. No CIFS. More secure.