Friday, 6 September 2013

How to Access the ETC$ Share from a Windows Client using CIFS: Method 1/2 - Active Directory Domain Authentication

The following post applies to NetApp Data ONTAP 8 running in 7-Mode. The method is ages old, nothing new here at all; the topic is just given a good thorough seeing to.

Starting point

NetApp FAS/V-Series controller has DNS configured.
CIFS is not licensed (and hence cifs setup has not been run.)

Walkthrough

1) Verify the correct domain, and correct nameserver(s) are configured on the Filer.

NTAP> rdfile /etc/rc

There should be a line like:
options dns.domainname domain.com

NTAP> rdfile /etc/resolv.conf

For each nameserver, there should be a line like:
nameserver IP_ADDRESS

2) License CIFS

NTAP> license add CIFSCODE

(For the 8.1.2 SIM used here it’s: license add DZDACHD)

3) Setup/check time services
If the time difference between the filer and domain controller is more than 5 minutes, authentication will fail!

NTAP> timezone
NTAP> timezone GB
NTAP> date
NTAP> date CCYYMMDDHHMM.SS
NTAP> options timed.enable on
NTAP> options timed.servers NTP_SERVER_IP/FQDN {,NTP_SERVER2_IP,...}

4) Add a DNS entry for the filer

Image: Example Host A record for the filer in DNS Manager
Note: cifs setup creates a machine account for the filer, but does not create a DNS A record.

5) Create an OU for the NetApp

Image: Example OU for NetApp in ADU&C

6) Run cifs setup

The first line is there so you don’t have to change your root password once and then back again (cifs setup prompts for a new password for the root user, and with password history enabled it would refuse the current one.) We set the history back to the default of 6 after cifs setup has finished.

NTAP> options security.passwd.rules.history 0
NTAP> cifs setup

This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

Your filer does not have WINS configured and is visible only to clients on the same subnet.
Do you want to make the system visible via WINS?: N

A filer can be configured for multiprotocol access, or as an NTFS-only filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this filer, we recommend that you configure this filer as an NTFS-only filer

(1) NTFS-only filer
(2) Multiprotocol filer

Selection (1-2)?: 2

CIFS requires local /etc/passwd and /etc/group files and default files will be created.  The default passwd file contains entries for 'root', 'pcuser', and 'nobody'.

Enter the password for the root user: XXXX
Retype the password: XXXX

The default name for this CIFS server is 'NTAP'.
Would you like to change this name?: N

Data ONTAP CIFS services support four styles of user authentication. Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]: 1

What is the name of the Active Directory domain?: LAB.PRIV

In order to create an Active Directory machine account for the filer, you must supply the name and password of a Windows account with sufficient privileges to add computers to the LAB.PRIV domain.

Enter the name of the Windows user: Administrator@LAB.PRIV
Password for Administrator@LAB.PRIV: XXXX

CIFS - Logged in as Administrator@LAB.PRIV.

The user that you specified has permission to create the filer's machine account in several (4) containers. Please choose where you would like this account to be created.

(1) CN=computers
(2) OU=Domain Controllers
(3) OU=~USERS
(4) OU=~NETAPP CONTROLLERS
(5) None of the above

Selection (1-5)?: 4

CIFS - Starting SMB protocol...

It is highly recommended that you create the local administrator account (NTAP\administrator) for this filer. This account allows access to CIFS from Windows when domain controllers are not accessible.

Do you want to create the NTAP\administrator account?: Y
Enter the new password for NTAP\administrator: XXXX
Retype the password: XXXX

Currently the user "NTAP\administrator" and members of the group "LAB\Domain Admins" have permission to administer CIFS on this filer. You may specify an additional user or group to be added to the filer's "BUILTIN\Administrators" group, thus giving them administrative privileges as well.

Would you like to specify a user or group that can administer CIFS?: N

Welcome to the LAB.PRIV (LAB) Active Directory(R) domain.

CIFS local server is running.

NTAP>
NTAP> options security.passwd.rules.history 6

Note 1: We chose multiprotocol filer, even though the recommendation was for NTFS only, since multiprotocol filers tend to be more common in practice.
Note 2: We purposely declined adding a user/group in addition to the “LAB\Domain Admins” etcetera, to demonstrate how to add these in later.

7) Verify default CIFS shares exist and test access with a domain admin account

NTAP> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control

Since the ETC$ share grants “Full Control” to ‘BUILTIN\Administrators’, which includes the ‘DOMAIN\Domain Admins’ group, a domain admin logged on to a domain-joined Windows workstation can either browse to \\NTAP\ETC$ or map a drive to it, without supplying additional credentials:

net use
net use Z: \\NTAP\ETC$
net use /delete Z:

Image: The ETC$ share in Windows Explorer

8) Give non-‘Domain Admin’ user access

Of course, a standard user account could simply map a drive using domain admin credentials, like so:

net use Z: \\NTAP\ETC$ /USER:administrator@lab.priv
net use /delete Z:

To give, say, the domain account storageadmin access to /etc:

NTAP> useradmin group add storageadmins
NTAP> useradmin domainuser add storageadmin@lab.priv -g storageadmins
NTAP> cifs access ETC$ storageadmins "Full Control"
NTAP> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
                        NTAP01\storageadmins / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control

Now our storageadmin can do a RUN> \\NTAP\ETC$ or map a drive to \\NTAP\ETC$ without needing different credentials.

Note: cifs lookup DOMAIN\user is a handy command for verifying the domain account exists and also for obtaining the SID.
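Both `cifs shares` listings above (steps 7 and 8) are worth reviewing rather than just eyeballing: ETC$ and C$ expose the filer's configuration and root, so every principal on them should be intentional. The following is an added example, not from the original post or from NetApp: it parses the 7-Mode `cifs shares` output format shown above (the step 8 listing is embedded as a constructed sample) and reports broad grants and any principal beyond BUILTIN\Administrators on the administrative shares.

```python
"""Parse Data ONTAP 7-Mode `cifs shares` output and flag share ACLs to review.

Added example, not part of the original post. The sample below is the step 8
listing from the post, embedded here as a constructed string.
"""
import re

# Constructed sample: the `cifs shares` listing after adding storageadmins.
CIFS_SHARES_OUTPUT = """\
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\\Administrators / Full Control
                        NTAP01\\storageadmins / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\\Administrators / Full Control
"""

SHARE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")      # name, mount point, description
ACE_RE = re.compile(r"^\s+(.+?)\s+/\s+(.+?)\s*$")     # indented "<principal> / <permission>"

ADMIN_SHARES = {"ETC$", "C$"}                          # expose /etc and the filer root
BROAD_PRINCIPALS = {"everyone", "authenticated users"}


def parse_cifs_shares(text):
    """Return {share: {"path", "description", "acl": [(principal, permission), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "----")):
            continue  # column header and separator row
        if line[0].isspace():  # ACE lines are indented under their share
            m = ACE_RE.match(line)
            if m and current:
                shares[current]["acl"].append((m.group(1), m.group(2)))
            continue
        m = SHARE_RE.match(line)
        current = m.group(1)
        shares[current] = {"path": m.group(2), "description": m.group(3).strip(), "acl": []}
    return shares


def audit_shares(shares):
    """Return (share, principal, reason) tuples a reviewer should confirm are intended."""
    findings = []
    for name, info in shares.items():
        for who, perm in info["acl"]:
            if who.lower() in BROAD_PRINCIPALS and perm.lower() == "full control":
                findings.append((name, who, "broad principal has Full Control"))
            elif name in ADMIN_SHARES and who != "BUILTIN\\Administrators":
                findings.append((name, who, "extra principal on administrative share"))
    return findings


if __name__ == "__main__":
    for share, who, reason in audit_shares(parse_cifs_shares(CIFS_SHARES_OUTPUT)):
        print(f"{share:5} {who:25} {reason}")
```

On the sample this reports NTAP01\storageadmins on ETC$ (the grant deliberately added in step 8) and everyone / Full Control on the default HOME share.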

