How to grant admin access to a CDOT cluster via an Active Directory group
2014-08-07
06:10 AM
We have a new 4-node CDOT cluster that we are building out at this time. This is the first in our company, as the rest are all running 7-mode.
When I execute the following commands on our new CDOT cluster, I am able to successfully log in via PuTTY or System Manager:
security login create -vserver vs1 -username DOMAIN\username -application ontapi -authmethod domain -role admin
security login create -vserver vs1 -username DOMAIN\username -application ssh -authmethod domain -role admin
However, I need to provision security access via AD groups, as we have a lot of admins that need access.
If I use the following commands to provision security, the commands are accepted by ONTAP, but AD credential sets will not grant access to PuTTY or System Manager.
security login create -vserver vs1 -username "DOMAIN\AD Group" -application ontapi -authmethod domain -role admin
security login create -vserver vs1 -username "DOMAIN\AD Group" -application ssh -authmethod domain -role admin
Please provide comments if you have ideas on next steps.
We have the exact same issue here. Really tough from a management perspective to have to manually add and remove user admin accounts on the cluster.
AD security groups are not supported; only AD domain users can be used, starting with DOT 8.1.1.
From the Release Notes:
Starting with Data ONTAP 8.1.1, you can enable Active Directory (AD) domain users to access the cluster (admin Vserver) by setting up an authentication tunnel through a CIFS-enabled Vserver. You must also create cluster user accounts for the domain users.
I have done it in 8.3; please see below for the steps.
Here are the steps to grant access after you have CIFS set up in your SVM (this portion has to be done before the steps below will allow access):
my-fas8060> security login domain-tunnel create -vserver (nameofSVM)
(gives SSH login)
my-fas8060> security login create -vserver (nameofSVM) -username domain\group name -application ssh -authmethod domain -role admin
(gives GUI login)
my-fas8060> security login create -vserver (nameofSVM) -username domain\group name -application http -authmethod domain -role admin
my-fas8060> security login create -vserver (nameofSVM) -username domain\group name -application ontapi -authmethod domain -role admin
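The steps above are typed one by one at the cluster prompt. As an added example (not from this thread or from NetApp), the following POSIX shell function generates the same command set for a given SVM, AD group and role, so that the domain-tunnel step always comes first and a group name containing a space (such as "DOMAIN\Domain Admins", which the original poster quoted in the same way) is quoted once, consistently. The SVM name, group name and role are constructed placeholders; the script only prints the commands and does not contact a cluster.

```shell
#!/bin/sh
# Added example, not part of the forum post: emit the ONTAP CLI commands that
# grant an AD group access to a vserver, in the order the post above uses.
# All values passed in (SVM, group, role) are assumptions for illustration.

# Accept only DOMAIN\name form: non-empty on both sides of exactly one backslash.
valid_domain_principal() {
  case "$1" in
    *\\*\\*) return 1 ;;   # more than one backslash
    ?*\\?*)  return 0 ;;   # DOMAIN\name (name may contain spaces)
    *)       return 1 ;;   # no backslash at all, or empty side
  esac
}

# Print the commands for one vserver/group/role triple.
# Usage: ontap_group_login_cmds <svm> '<DOMAIN\Group Name>' [role]
ontap_group_login_cmds() {
  svm=$1; group=$2; role=${3:-admin}
  valid_domain_principal "$group" || {
    printf 'bad principal (expected DOMAIN\\name): %s\n' "$group" >&2
    return 1
  }
  # Tunnel first: without it, -authmethod domain has no CIFS SVM to authenticate through.
  printf 'security login domain-tunnel create -vserver %s\n' "$svm"
  # One login entry per application; the group name is double-quoted so spaces survive.
  for app in ssh http ontapi; do
    printf 'security login create -vserver %s -username "%s" -application %s -authmethod domain -role %s\n' \
      "$svm" "$group" "$app" "$role"
  done
}

# Example invocation with constructed values.
ontap_group_login_cmds vs1 'DOMAIN\Domain Admins' admin
```

The generated lines can be reviewed and pasted into the cluster shell; keeping the generation in one place makes it easy to grant a read-only role (as the ONTAP 9 reply further down does) by changing a single argument rather than retyping three commands.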
What credentials are used to log in? You cannot set a group password, can you?
Hi,
In 8.2.3P4, I found that you have to first create the domain-tunnel SVM, then create the user for the cluster name.
my-fas8060> security login domain-tunnel create -vserver (nameofDomainTunnelSVM)
(gives SSH login)
my-fas8060> security login create -vserver (nameofCluster) -username domain\group name -application ssh -authmethod domain -role admin
(gives GUI login)
my-fas8060> security login create -vserver (nameofCluster) -username domain\group name -application http -authmethod domain -role admin
my-fas8060> security login create -vserver (nameofCluster) -username domain\group name -application ontapi -authmethod domain -role admin
That is how it worked for me.
-Jack
Hi,
Refer https://kb.netapp.com/support/index?page=content&id=1013901 for the procedure.
Hi,
I was able to set the configuration that you have mentioned, but how do you log in once it is set?
Is the login ID "Domain\username" or "Domain\group\username"?
Regards
example ONTAP 9:
cluster1::> security login create -user-or-group-name DOMAIN\adgroup -application ssh -authentication-method domain -role readonly
login as Domain\username
Thanks for this post, it worked for us!
8.3 adds support for domain groups over SSH and ontap (not the GUI, though).
If the group name has a space in it, the quotes around it should work, yes? Example: "DOMAIN\Domain Admins"