Does Domain Tunnel AD Authentication Still Work When SVM Stopped?

Why it is sometimes good to have a dedicated authentication SVM

Q: Does domain tunnel AD authentication still work when the SVM used for domain tunnel is stopped?

You'd think the answer to the above question would be "no" (and it is), but I wasn't sure (I thought I'd seen authentication work with the domain tunnel vserver stopped).

Lab Test

1) Vserver create

vserver create
-vserver NAS_001_TEST
-rootvolume NAS_001_TEST_root
-aggregate cluster1_01_SSD_1
-rootvolume-security-style unix
-language C.UTF-8
-snapshot-policy default
-comment "NAS TEST SVM"

vserver create -vserver NAS_001_TEST -rootvolume NAS_001_TEST_root -aggregate cluster1_01_SSD_1 -rootvolume-security-style unix -language C.UTF-8 -snapshot-policy default -comment "NAS TEST SVM"

vserver remove-protocols -vserver NAS_001_TEST -protocols fcp,iscsi,ndmp,nvme,s3

2) Create default route and data LIF

route create -vserver NAS_001_TEST -destination 0.0.0.0/0 -gateway 192.168.0.1 -metric 20

network interface create
-vserver NAS_001_TEST
-lif n1_nas
-data-protocol nfs,cifs
-address 192.168.0.135
-netmask 255.255.255.0
-home-node cluster1-01
-home-port e0e

network interface create -vserver NAS_001_TEST -lif n1_nas -data-protocol nfs,cifs -address 192.168.0.135 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0e

3) Setup DNS and CIFS server

dns create -vserver NAS_001_TEST -domains demo.company.com -name-servers 192.168.0.253

cifs server create -vserver NAS_001_TEST -cifs-server NAS_001_TEST -domain demo.company.com

4) Setup domain-tunnel and a domain login

domain-tunnel create -vserver NAS_001_TEST

security login create -user-or-group-name demo\administrator -vserver cluster1 -authentication-method domain -role admin -application http

5) Test the login works - which it does!

6) Stop the domain tunnel vserver


cluster1::> vserver stop -vserver NAS_001_TEST

Warning: Specified Vserver "NAS_001_TEST" is being used as the authentication tunnel. Authentication operations that use the tunnel will fail until either 1) the Vserver is restarted, or 2) a different Vserver is assigned to act as the tunnel.
Do you want to continue? {y|n}: y
[Job 424] Job succeeded: DONE

I don't remember that warning before. But it is very clear: if you stop the vserver being used for domain authentication, you stop domain authentication to the cluster.

Result

We're stuck at "Signing in" at the login prompt.
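
An added example, not from the original post: a Python check, run over a constructed inventory, that reports which applications lose every admin login when the domain tunnel SVM is stopped. The local `admin` account, the `ssh` entries, and treating only `password` and `publickey` logins as a tunnel-independent fallback are assumptions for illustration.

```python
from collections import defaultdict

# Constructed inventory. Field names follow the options used on this page
# (-user-or-group-name, -application, -authentication-method, -role).
# The local "admin" account and the ssh entries are assumptions.
LOGINS = [
    {"user": "demo\\administrator", "application": "http", "method": "domain", "role": "admin"},
    {"user": "demo\\administrator", "application": "ssh", "method": "domain", "role": "admin"},
    {"user": "admin", "application": "ssh", "method": "password", "role": "admin"},
]
SVM_STATE = {"NAS_001_TEST": "stopped"}    # operational state per SVM
TUNNEL_SVM = "NAS_001_TEST"                # SVM configured as the domain tunnel
LOCAL_METHODS = {"password", "publickey"}  # assumed not to need the tunnel


def tunnel_available(tunnel_svm, svm_state):
    """Per the warning on this page, tunnel logins fail unless the SVM is running."""
    return tunnel_svm is not None and svm_state.get(tunnel_svm) == "running"


def lockout_report(logins, tunnel_svm, svm_state):
    """Map each application to its blocked domain admins and its local fallback admins."""
    up = tunnel_available(tunnel_svm, svm_state)
    report = defaultdict(lambda: {"blocked": [], "fallback": []})
    for entry in logins:
        if entry["role"] != "admin":
            continue
        app = report[entry["application"]]
        if entry["method"] == "domain":
            if not up:
                app["blocked"].append(entry["user"])
        elif entry["method"] in LOCAL_METHODS:
            app["fallback"].append(entry["user"])
    return dict(report)


def applications_without_admin(logins, tunnel_svm, svm_state):
    """Applications where admin logins are blocked and no local fallback exists."""
    report = lockout_report(logins, tunnel_svm, svm_state)
    return sorted(a for a, r in report.items() if r["blocked"] and not r["fallback"])


if __name__ == "__main__":
    print(applications_without_admin(LOGINS, TUNNEL_SVM, SVM_STATE))
```

Running the same check before stopping or removing an SVM shows whether a dedicated authentication SVM or a local admin account is needed for each application.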
