How to Access the ETC$ Share from a Windows Client using CIFS: Method 1/2 - Active Directory Domain Authentication
The following post applies to NetApp Data ONTAP 8 running in 7-Mode. The method is ages old, nothing new here at all, just given the topic a good thorough seeing to.
Starting point
NetApp FAS/V-Series controller has DNS configured.
CIFS is not licensed (and hence cifs setup has not been run.)
Walkthrough
1) Verify the correct domain and correct nameserver(s) are configured on the Filer.
NTAP> rdfile /etc/rc
There should be a line like:
options dns.domainname domain.com
NTAP> rdfile /etc/resolv.conf
For each nameserver, there should be a line like:
nameserver IP_ADDRESS
2) License CIFS
NTAP> license add CIFSCODE
(For the 8.1.2 SIM used here it's: license add DZDACHD)
3) Setup/check time services
If the time difference between the filer and domain controller is more than 5 minutes, authentication will fail!
NTAP> timezone
NTAP> timezone GB
NTAP> date
NTAP> date CCYYMMDDHHMM.SS
NTAP> options timed.enable on
NTAP> options timed.servers NTP_SERVER_IP/FQDN {,NTP_SERVER2_IP,...}
4) Add a DNS entry for the filer
Image: Example Host A record for the filer in DNS Manager
Note: cifs setup creates a machine account for the filer, but does not create a DNS A record.
5) Create an OU for the NetApp
Image: Example OU for NetApp in ADU&C
6) Run cifs setup
The first command sets the password history to 0 so you don't have to change your root password once and then back again (cifs setup prompts for a new password for the root user.) We set the history back to the default of 6 after cifs setup.
NTAP> options security.passwd.rules.history 0
NTAP> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
Your filer does not have WINS configured and is visible only to clients on the same subnet.
Do you want to make the system visible via WINS?: N
A filer can be configured for multiprotocol access, or as an NTFS-only filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this filer, we recommend that you configure this filer as an NTFS-only filer
(1) NTFS-only filer
(2) Multiprotocol filer
Selection (1-2)?: 2
CIFS requires local /etc/passwd and /etc/group files and default files will be created. The default passwd file contains entries for 'root', 'pcuser', and 'nobody'.
Enter the password for the root user: XXXX
Retype the password: XXXX
The default name for this CIFS server is 'NTAP'.
Would you like to change this name?: N
Data ONTAP CIFS services support four styles of user authentication. Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 1
What is the name of the Active Directory domain?: LAB.PRIV
In order to create an Active Directory machine account for the filer, you must supply the name and password of a Windows account with sufficient privileges to add computers to the LAB.PRIV domain.
Enter the name of the Windows user: Administrator@LAB.PRIV
CIFS - Logged in as Administrator@LAB.PRIV.
The user that you specified has permission to create the filer's machine account in several (4) containers. Please choose where you would like this account to be created.
(1) CN=computers
(2) OU=Domain Controllers
(3) OU=~USERS
(4) OU=~NETAPP CONTROLLERS
(5) None of the above
Selection (1-5)?: 4
CIFS - Starting SMB protocol...
It is highly recommended that you create the local administrator account (NTAP\administrator) for this filer. This account allows access to CIFS from Windows when domain controllers are not accessible.
Do you want to create the NTAP\administrator account?: Y
Enter the new password for NTAP\administrator: XXXX
Retype the password: XXXX
Currently the user "NTAP\administrator" and members of the group "LAB\Domain Admins" have permission to administer CIFS on this filer. You may specify an additional user or group to be added to the filer's "BUILTIN\Administrators" group, thus giving them administrative privileges as well.
Would you like to specify a user or group that can administer CIFS?: N
Welcome to the LAB.PRIV (LAB) Active Directory(R) domain.
CIFS local server is running.
NTAP>
NTAP> options security.passwd.rules.history 6
Note 1: We chose multiprotocol filer, even though the recommendation was for NTFS only, since multiprotocol filers tend to be more common in practice.
Note 2: We purposely declined adding a user/group in addition to the "LAB\Domain Admins" etcetera, to demonstrate how to add these in later.
7) Verify default CIFS shares exist and test access with a domain admin account
NTAP> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control
Since the ETC$ share gives "Full Control" to 'BUILTIN\Administrators', which includes the 'DOMAIN\Domain Admins' group, from a Windows domain-joined workstation logged in as a domain admin you can either open \\NTAP\ETC$ directly or map a drive (without requiring additional credentials):
net use
net use Z: \\NTAP\ETC$
net use /delete Z:
Image: The ETC$ share in Windows Explorer
8) Give non-'Domain Admin' user access
Of course, a standard user account could just map a drive using a domain admin user's credentials like below:
net use Z: \\NTAP\ETC$ /USER:administrator@lab.priv
net use /delete Z:
To give, say, the domain account storageadmin access to /etc:
NTAP> useradmin group add storageadmins
NTAP> useradmin domainuser add storageadmin@lab.priv -g storageadmins
NTAP> cifs access ETC$ storageadmins "Full Control"
NTAP> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\Administrators / Full Control
                        NTAP01\storageadmins / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control
Now our storageadmin can do a RUN> \\NTAP\ETC$ or map a drive to \\NTAP\ETC$ without needing different credentials.
Note: cifs lookup DOMAIN\user is a handy command for verifying the domain account exists and also for obtaining the SID.
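As an added example (not from the original post or from NetApp), here is a small Python audit that parses the cifs shares output shown in steps 7 and 8 and reports who can reach the administrative shares ETC$ and C$, and flags any share where everyone holds Full Control (as HOME does by default). The sample listing is constructed to mirror the page; the share names, paths and principals are the ones shown above.

```python
import re

# Constructed sample output, modelled on the `cifs shares` listing after step 8.
SAMPLE_CIFS_SHARES = """\
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
                        BUILTIN\\Administrators / Full Control
                        NTAP01\\storageadmins / Full Control
HOME         /vol/vol0/home                    Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\\Administrators / Full Control
"""

# ACL lines are indented and read "<principal> / <permission>".
ACL_RE = re.compile(r"^\s+(?P<who>.+?)\s+/\s+(?P<perm>.+?)\s*$")
ADMIN_SHARES = {"ETC$", "C$"}  # the shares that expose /etc and the root

def parse_cifs_shares(text):
    """Return {share: {"path", "desc", "acl": [(principal, permission), ...]}}."""
    shares, current = {}, None
    for line in text.splitlines()[2:]:  # skip the two header lines
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if m and current is not None:
            shares[current]["acl"].append((m.group("who"), m.group("perm")))
            continue
        # A share line starts in column 0: name, mount point, free-text description.
        parts = line.split(None, 2)
        current = parts[0]
        shares[current] = {"path": parts[1], "desc": parts[2] if len(parts) > 2 else "", "acl": []}
    return shares

def audit_shares(shares):
    """Flag 'everyone / Full Control' and list who can reach the admin shares."""
    findings = []
    for name, info in shares.items():
        for who, perm in info["acl"]:
            if who.lower() == "everyone" and perm.lower() == "full control":
                findings.append(f"{name}: everyone has Full Control on {info['path']}")
        if name in ADMIN_SHARES:
            who_list = ", ".join(who for who, _ in info["acl"])
            findings.append(f"{name} ({info['path']}) is reachable by: {who_list}")
    return findings

if __name__ == "__main__":
    for finding in audit_shares(parse_cifs_shares(SAMPLE_CIFS_SHARES)):
        print(finding)
```

Feed it the real output of cifs shares from your own filer to see, at a glance, which local groups and domain principals have been granted into /etc.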