**Why it is sometimes good to have a dedicated authentication SVM**
Q: Does domain tunnel AD authentication still work when the SVM used for domain tunnel is stopped?
You'd think the answer to the above question would be "no" (and it is), but I wasn't sure (I thought I'd seen authentication work with the domain tunnel vserver stopped).
Lab Test
1) Vserver create
vserver create -vserver NAS_001_TEST -rootvolume NAS_001_TEST_root -aggregate cluster1_01_SSD_1 -rootvolume-security-style unix -language C.UTF-8 -snapshot-policy default -comment "NAS TEST SVM"
vserver remove-protocols -vserver NAS_001_TEST -protocols fcp,iscsi,ndmp,nvme,s3
2) Create default route and data LIF
route create -vserver NAS_001_TEST -destination 0.0.0.0/0 -gateway 192.168.0.1 -metric 20
network interface create -vserver NAS_001_TEST -lif n1_nas -data-protocol nfs,cifs -address 192.168.0.135 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0e
3) Setup DNS and CIFS server
dns create -vserver NAS_001_TEST -domains demo.company.com -name-servers 192.168.0.253
cifs server create -vserver NAS_001_TEST -cifs-server NAS_001_TEST -domain demo.company.com
4) Setup domain-tunnel and a domain login
domain-tunnel create -vserver NAS_001_TEST
security login create -user-or-group-name demo\administrator -vserver cluster1 -authentication-method domain -role admin -application http
5) Test the login works - which it does!
6) Stop the domain tunnel vserver
cluster1::> vserver stop -vserver NAS_001_TEST
Warning: Specified Vserver "NAS_001_TEST" is being used as the authentication tunnel. Authentication operations that use the tunnel will fail until either 1) the Vserver is restarted, or 2) a different Vserver is assigned to act as the tunnel.
Do you want to continue? {y|n}: y
[Job 424] Job succeeded: DONE
I don't remember that warning before. But it is very clear: if you stop the vserver being used for domain authentication, you stop domain authentication to the cluster.
Result
We're stuck at "Signing in" at the login prompt.
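The lab above shows the dependency the hard way. A pre-flight check before `vserver stop` makes it visible beforehand: which domain logins hang off the tunnel SVM, and whether another running data SVM could be assigned as the tunnel first (option 2 in the warning). The script below is an added example, not part of the original post and not NetApp code. It parses constructed sample output (not captured from a real cluster) that is shaped like ONTAP's `-fields` tables and `security login domain-tunnel show`; the column names, the `-type data` and `-authentication-method domain` filters, and the remediation command `security login domain-tunnel modify -vserver` are assumed from ONTAP's documented CLI and should be checked against your release. It does not verify that a candidate SVM also owns a CIFS server joined to the same domain, which a real fallback tunnel needs.

```python
"""Pre-flight check before `vserver stop`: would it take the domain tunnel down?

Added example, not from the original post. Parses constructed sample output
shaped like ONTAP `-fields` tables and `domain-tunnel show`, and decides
whether stopping a given SVM breaks domain (AD) authentication to the cluster.
"""
import re

# Constructed sample, shaped like `security login domain-tunnel show` (assumed format).
TUNNEL_SHOW = """
Tunnel Vserver: NAS_001_TEST
"""

# Constructed sample, shaped like `vserver show -type data -fields operational-state`.
VSERVER_SHOW = """
vserver      operational-state
------------ -----------------
NAS_001_TEST running
NAS_002      running
NAS_003      stopped
3 entries were displayed.
"""

# Constructed sample, shaped like
# `security login show -authentication-method domain -fields user-or-group-name,application,role`.
LOGIN_SHOW = r"""
vserver  user-or-group-name application role
-------- ------------------ ----------- -----
cluster1 demo\administrator http        admin
cluster1 demo\administrator ssh         admin
cluster1 demo\storage-ops   ssh         readonly
3 entries were displayed.
"""


def parse_fields_table(text):
    """Turn an ONTAP `-fields` table into a list of dicts keyed by column name.

    Assumes cell values contain no whitespace (true for SVM names, DOMAIN\\user
    names, applications and roles), so a whitespace split is enough. Skips the
    dashed separator and the trailing "N entries were displayed." line.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        if set(ln) <= {"-", " "}:  # separator under the header
            continue
        if re.match(r"^\d+ entr(y|ies) (was|were) displayed\.$", ln):
            continue
        cells = ln.split()
        if len(cells) != len(header):
            raise ValueError(f"cannot parse row: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def parse_tunnel(text):
    """Return the tunnel SVM name from `domain-tunnel show` output, or None if unset."""
    m = re.search(r"Tunnel Vserver:\s*(\S+)", text)
    return m.group(1) if m else None


def preflight_stop(svm, tunnel_show, vserver_show, login_show):
    """Decide whether `vserver stop -vserver <svm>` would break domain authentication.

    'safe' is True when the SVM is not the tunnel. Otherwise 'affected' lists the
    domain logins that would stop working and 'candidates' lists other running
    data SVMs that could be made the tunnel first (CIFS membership not verified).
    """
    tunnel = parse_tunnel(tunnel_show)
    states = {r["vserver"]: r["operational-state"] for r in parse_fields_table(vserver_show)}
    if svm not in states:
        raise ValueError(f"unknown SVM {svm!r}")
    if svm != tunnel:
        return {"safe": True, "tunnel": tunnel, "affected": [], "candidates": [], "remediation": None}
    affected = sorted({
        f"{r['vserver']}:{r['user-or-group-name']}/{r['application']}"
        for r in parse_fields_table(login_show)
    })
    candidates = sorted(n for n, s in states.items() if n != svm and s == "running")
    # Assumed ONTAP command for reassigning the tunnel (option 2 in the stop warning).
    remediation = (
        f"security login domain-tunnel modify -vserver {candidates[0]}"
        if candidates else "no running data SVM available; start one with a CIFS server first"
    )
    return {"safe": False, "tunnel": tunnel, "affected": affected,
            "candidates": candidates, "remediation": remediation}


if __name__ == "__main__":
    for name in ("NAS_001_TEST", "NAS_002"):
        print(name, preflight_stop(name, TUNNEL_SHOW, VSERVER_SHOW, LOGIN_SHOW))
```

Run against live output (paste the three command outputs in place of the constructed samples) the check refuses to bless stopping NAS_001_TEST and names the logins that would lose access, which is the argument for a dedicated, rarely-touched authentication SVM: it keeps the tunnel out of the path of routine data SVM maintenance.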