ONTAP Discussions

Domain Join with Admin Account + change Password

thomas382
Hello, sorry for this potentially stupid question ;-) With my AFF 220 (ONTAP 9.5) CIFS SVM, I joined the domain with a Domain Admin account; we have 300 CIFS shares for our users. For security reasons I want to change the password. What is the best way to do it without disconnecting users from their shares? Many thanks + greetings, Thomas
1 ACCEPTED SOLUTION

cruxrealm

There are two things here:
1. Account that you use to join the CIFS server (aka NetApp SVM)
2. Machine account of the CIFS server

#1 This account is used when you (initially) join the (SVM) CIFS server to the domain.

#2 This is created automatically after (#1) joining the domain. Depending on domain policy, the machine account password is refreshed automatically.

For both, there is no need to change passwords; here is why:
For #1, the password you supply when you register is not saved. It is only needed to authenticate to AD to make sure you have the permission to add the machine (aka CIFS SVM) to the domain.
For #2, the password is refreshed based on the AD policy. You will only need to "reset" the password if someone manually changes the "machine password" on the AD without the SVM knowing it. In this instance, you will need to run:

vserver cifs domain password reset -vserver <server>


5 REPLIES

Ontapforrum

If you do not stop the "cifs" on the vserver then it's fine, all logged-in sessions will be fine. However, if you stop the CIFS server (vserver cifs stop -vserver) then of course sessions will be gone.

You can change the password:
1) Change the password in the AD.
2) Run the password change command to update it for the SVM CIFS.

cluster1::> vserver cifs domain password change -vserver vs1

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fvserver__cifs__domain__password__change.html&lang=en

Or,

You can also simply reset it, by entering the password that you have changed in the AD.

cluster1::> vserver cifs domain password reset -vserver vs1

Enter your user ID: Administrator
Enter your password:

cluster1::>

TMACMD

You don’t need to change the password!

You used the admin account to join the domain. Now there is a machine account that, if I recall correctly, automatically changes the password every couple of weeks.

You may be able to look through the log files for “password” and see the communication.

The NetApp SVM is just like any other Windows machine in the domain. Do you change those passwords?

thomas382

Thanks TMACMD;

That means that the domain lookup is done with the machine AD account of the NetApp?

For the daily work I don't need the Domain Admin?

Greetings, Thomas

tahmad

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-970%2Fvserver__cifs__domain__password__reset.html 

@Ontapforrum already provided the process to reset the password on the NetApp side. This document specifies when a password reset would be needed.
