How do I configure SVM with AWS Managed Microsoft AD for CIFS shares on FSx for ONTAP?


I want to configure my storage virtual machines (SVMs) when using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) for CIFS on Amazon FSx for NetApp ONTAP.

Short description

To access data using the Server Message Block (SMB) protocol, domain join the SVM. You can domain join when creating an SVM from the Amazon FSx console. For more information, see Creating a storage virtual machine.

Resolution

SVM domain join using the NetApp ONTAP CLI

1.    Open the Amazon FSx console.

2.    Select the Administration tab under your FSx for ONTAP file system. Note the management endpoint IP address. You'll use the IP address to connect to the cluster.

3.    SSH into the FSx for ONTAP cluster's management endpoint. Do this using a Windows PowerShell or a Linux shell on your Amazon Elastic Compute Cloud (Amazon EC2) instance. In the following example command, replace management IP with your management endpoint IP address.

ssh fsxadmin@<management IP>

For more information, see Using the NetApp ONTAP CLI.

4.    Enter the fsxadmin service account password to connect to the FSx for ONTAP management endpoint.

Note: The fsxadmin service account password is set on the Administration tab in the Amazon FSx console.

5.    After connecting to the endpoint, run the following commands to complete the domain join operation. In the following example commands, replace svm name, domain name, domain DNS IP, and name of the computer object to be created for svm with the correct values for your use case.

vserver services name-service dns create -vserver <svm name> -domains <domain name> -name-servers <domain DNS IP> 
vserver cifs create -vserver <svm name> -cifs-server <name of the computer object to be created for svm> -domain <domain name> -ou "Organizational Unit Distinguished Name"

6.    To check that the domain join succeeded, verify that the computer object was created in the organizational unit in AWS Managed Microsoft AD. Also, run the following commands to view the status of your domain-joined SVMs and their DNS settings:

vserver cifs show
vserver services name-service dns show

7.    Run the following command to remove (unjoin) the SVM from the domain. In the following example command, replace svm name with the correct name for your SVM.

vserver cifs delete -vserver <svm name>

Administer CIFS shares using the NetApp ONTAP CLI

Note: The following commands are from the NetApp website.

Create shares and add permissions to them using the NetApp ONTAP CLI. To create a share, use the vserver cifs share create command and define the path and the share name. You can also set share properties, including oplocks, attributecache, and continuously-available.

To review share details, run the vserver cifs share show command. In the following command, replace svm name with the correct name for your SVM.

vserver cifs share show -vserver <svm name>

Add permissions to a share using the vserver cifs share access-control create command, as shown in the following example. In the following command, replace svm name with the correct name for your SVM and myonpremdomain with the correct name of your domain.

vserver cifs share access-control create -vserver <svm name> -share c$ -user-or-group myonpremdomain\administrator -permission Full_Control

The preceding command adds myonpremdomain\administrator to the C$ share with Full Control.

When creating an SVM with AWS Managed Microsoft AD, specify the Delegated file system administrators group. If this group isn't specified, then the domain admin group is the default. Because AWS Managed Microsoft AD doesn't give you access to the domain admin account, you might not be able to connect to the file system. If this occurs, then run the vserver cifs share access-control create command to add the required user or group to the C$ share.

After adding permissions, review the access control by running the vserver cifs share access-control show command:

vserver cifs share access-control show -vserver new-svm

You can optionally add Active Directory users or groups to specific groups in the SVM by running the vserver cifs users-and-groups local-group add-members command:

vserver cifs users-and-groups local-group add-members -group-name BUILTIN\Administrators -member-names myonpremdomain\ontap-admin -vserver new-svm

After adding members to the local groups in SVM, check the group membership using the vserver cifs users-and-groups local-group show-members command:

vserver cifs users-and-groups local-group show-members

Troubleshooting

You might see the following errors when creating a CIFS server on an SVM with AWS Managed Microsoft AD:

ERROR: Error when creating - Failed to create the Active Directory machine account..Reason: SecD Error: no server available

The preceding error might occur if DNS port 53 (TCP or UDP) is blocked. Validate that the SVM in question can communicate with the DNS server or servers on port 53 (UDP and TCP). To validate and update the SVM's DNS servers, use the vserver services name-service dns commands. For more information, see vserver services name-service dns create in the NetApp documentation.

ERROR: Failed to create CIFS server XXXXXXXXXX. Reason: Kerberos Error: KDC Unreachable

The preceding error might occur if Kerberos port 88 (TCP) or port 464 is blocked. Verify that the ports are open between the SVM and the AWS Managed Microsoft AD network.

ERROR: Error when creating - Failed to create the Active Directory machine account. Reason: LDAP Error: Cannot contact the LDAP server

To resolve the preceding error, complete the following steps:

1.    Verify that the LIF selected for egress has reachability to the LDAP server.

2.    Make sure that LDAP port 389 (TCP or UDP) isn't blocked.

3.    Make sure that port 636 is turned on if you're using LDAPS.
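The preceding three errors all come down to a blocked port between the SVM's LIF and the directory. As an added example that is not from the AWS article or from NetApp, the following Python script, run from an EC2 instance in the same subnet and security group as the SVM's LIFs, probes each port listed above (DNS 53 over UDP and TCP, Kerberos 88 and 464, LDAP 389 and LDAPS 636). The DC IP 10.0.0.10 and the domain corp.example.com are placeholders.

```python
import socket
import struct

REQUIRED_PORTS = [  # (port, proto, purpose) taken from the errors above
    (53, "udp", "DNS"), (53, "tcp", "DNS"), (88, "tcp", "Kerberos"),
    (464, "tcp", "Kerberos password change"), (389, "tcp", "LDAP"), (636, "tcp", "LDAPS"),
]


def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Minimal DNS A query: header (recursion desired), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_reply_matches(query: bytes, reply: bytes) -> bool:
    """A DNS server answers with the same transaction ID and the QR (response) bit set."""
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_dns_answers(host: str, name: str, timeout: float = 2.0) -> bool:
    """UDP has no handshake, so send a real query to port 53 and wait for a valid reply."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (host, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:  # timeout or ICMP port unreachable
            return False
    return dns_reply_matches(query, reply)


def preflight(dc_ip: str, domain: str) -> dict:
    """Probe every required port on one DC / DNS server; returns {'tcp/88': True, ...}."""
    return {
        f"{proto}/{port}": udp_dns_answers(dc_ip, domain) if proto == "udp" else tcp_open(dc_ip, port)
        for port, proto, _ in REQUIRED_PORTS
    }


if __name__ == "__main__":
    # Placeholder values: use your AWS Managed Microsoft AD DNS IP and domain name.
    for endpoint, ok in preflight("10.0.0.10", "corp.example.com").items():
        print(f"{endpoint}: {'reachable' if ok else 'BLOCKED'}")
```

Run it once against each of the two DNS IPs shown for the directory in the AWS Directory Service console; any BLOCKED line maps directly to one of the three errors above and points at the security group or network ACL to fix.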

ERROR: Failed to create the Active Directory machine account. Reason: LDAP Error: Local error occurred

To resolve the preceding error, complete the following steps:

1.    Use the following command to turn on LDAPS on the SVM:

vserver cifs security modify -vserver <svm name> -use-ldaps-for-ad-ldap true

2.    Follow the instructions in the NetApp documentation to install the self-signed root CA on the SVM.

ERROR: Failed to create the Active Directory machine account. Reason: Socket receive error

To resolve the preceding error, turn on SMB2 for domain controller (DC) connections. SMB2 is turned off by default for DC communication in FSx for ONTAP versions 8.3.2P5 and higher.

1.    Run the following command to verify the SMB settings:

vserver cifs security show -vserver <svm name>

2.    Run the following command to turn on SMB2 for DC connections:

vserver cifs security modify -vserver <svm name> -smb2-enabled-for-dc-connections true

For more information, see vserver cifs security modify in the NetApp documentation.

ERROR: Failed to create the Active Directory machine account account. Reason: LDAP Error: A constraint violation occurred.

During CIFS creation, a service principal name (SPN) is created for the CIFS server. The SPN is attached to the account that you specify in the CIFS creation command. To resolve the preceding error, complete the following steps:

1.    Use the SetSPN command to verify the SPNs.

2.    Query AWS Managed Microsoft AD from the CMD prompt to find a possible existing SPN. In the following example command, replace account with your account.

setspn -q */<account>

To delete the existing SPN, run the following command from a domain controller. In the following command, replace SPN with the SPN from the preceding command output and account with your account.

setspn -D <SPN> <account>

For more information, see Service principal names in the Microsoft documentation.

ERROR: Failed to create CIFS server. Reason: Failed to create the Active Directory machine account. Reason: LDAP Error: Strong authentication is required.

The preceding error occurs when the domain policy requires LDAP sealing and signing. This functionality was added in FSx for ONTAP 9. To resolve this issue, complete one of the following steps:

  • Follow the instructions in the NetApp documentation to turn on LDAP signing and sealing.
  • Upgrade to ONTAP 9.5 or later and turn on LDAPS.
  • Follow the instructions in the NetApp documentation to configure LDAP over TLS.
  • If none of the preceding options are feasible, then turn off the requirement for LDAP signing and sealing in the domain GPO or registry.

AWS OFFICIAL. Updated a year ago.