
I have an isolated network, into which I've built a vfiler. The point of this network is that it's a non routed 'test' network.

However, there's a need for LDAP/Kerberos and CIFS access to the filer, via domain level accounts.

So we have Read Only domain controllers deployed.

To join a Windows box to the RODC, we would:

  • create a machine account by hand.
  • join the domain, and specify the machine account password on the client.

A spot of googling finds me: https://kb.netapp.com/support/index?page=content&id=1012918

Where the advice is: Point the filer at a writable DC manually first.

I'd rather not do that if I can avoid it - I don't have writable DCs on this piece of the network deliberately. More importantly - my vfilers are on an ipspace, so I can't even temporarily 'jump over' to a network with the right access. (Which is sort of the point I guess, but even so...)

Does anyone have a suggestion for how I can accomplish this - I'm assuming I may need to extract some information from my DC and transfer it over, such as a servicePrincipal. Or perhaps just 'set' my CIFS password manually somewhere.

Sobrique

2 Answers


You can temporarily jump back by adding a routable interface to the IPSpace- then you could join the domain and then remove that interface from the IPSpace.

Basil
  • Had considered it, but somewhat awkwardly -- I'm using that interface already. Unless there's a way to have two vlan tagged virtual interfaces with the same vlan in different ipspaces. – Sobrique Oct 14 '14 at 18:44
  • I think you can - if it's the same vlan, that means it's not on the same interface: if you did a `vlan create interface0 310` followed by another `vlan create interface0 310`, I think it would fail. If the second one was on another interface, though, that would be fine. And then you could assign interface1-310 to the nonprod IPSpace temporarily – Basil Oct 14 '14 at 20:46
  • Sorry, I was unclear - I've a single ifgrp that I'm vlan tagging on to different networks. I've got a 'core' network, where I've a vfiler, and a 'dirty' network where I've a vfiler. I'd have to move my new vfiler into 'core' in order to contact the DC, but I don't think I can do that without interrupting my existing core vfilers. – Sobrique Oct 15 '14 at 08:49
  • I'll ping you on the mailing list. – Basil Oct 15 '14 at 13:11

In the end I went with opening the firewall temporarily. An alternative option might have been to configure a new virtual interface and add it to the IP space temporarily. That would have worked, but not in my environment (I was already using the VLAN/interface I would have needed to move).

However, once you have access to a writable DC - the article above isn't quite correct.

You need to:

  • set the prefdc with `cifs prefdc add <DC_IP>`
  • set the LDAP server, by setting `options.ldap.preferred` (typically, this will be the same as the DC).
  • run the domain join and create the machine account.

Change the prefdc and preferred LDAP back to the original. Run `cifs resetdc` to force it.

Expect "No Trusted Logon Servers Available" and "Client not found in Kerberos database" because your local RODCs won't have replicated the right details.

You may also need to adjust the computer account to be a member of a group so that it replicates fully. Part of the point of RODCs is that they don't have a complete database and omit some of the shared secrets as part of the machine account.

Sobrique
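The last step of the answer above (getting the RODC to actually hold the filer's machine-account secret) can be checked and fixed from a domain-joined Windows host. This is an added example, not code from the original question or answers; it assumes the RSAT ActiveDirectory module is installed, and `RODC01`, `RWDC01` and `VFILER01$` are placeholder names for the read-only DC, the writable DC and the vfiler's computer account.

```powershell
# Added example (not from the original answer). Placeholder names:
#   RODC01   - read-only DC on the isolated network
#   RWDC01   - the writable DC the domain join was performed against
#   VFILER01 - the vfiler's computer account (sAMAccountName VFILER01$)
Import-Module ActiveDirectory

$Rodc    = 'RODC01'
$Rwdc    = 'RWDC01'
$Account = 'VFILER01$'

# 1. Has this RODC already cached the filer's machine-account secret?
#    Until it has, Kerberos requests answered locally by the RODC fail with
#    the "Client not found in Kerberos database" error mentioned above.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if ($revealed.SamAccountName -contains $Account) {
    Write-Host "$Account is already cached on $Rodc"
    return
}

# 2. Allow the account to be cached. Membership of the built-in
#    'Allowed RODC Password Replication Group' would permit caching on every
#    RODC in the domain; adding it to this RODC's own allow list scopes the
#    exposure to RODC01 only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Account

# 3. Pre-populate the secret from the writable DC instead of waiting for the
#    filer to authenticate through the RODC once. Run from a host that can
#    reach both DCs; the RODC pulls the secret from RWDC01 itself.
repadmin /rodcpwdrepl $Rodc $Rwdc $Account

# 4. Confirm the secret is now cached on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if ($revealed.SamAccountName -contains $Account) {
    Write-Host "$Account secret is now cached on $Rodc"
} else {
    Write-Warning "$Account still not cached on $Rodc; check the RODC's Denied list and replication health"
}
```

If the account (or a group it belongs to) also appears in the RODC's Denied list, deny wins and step 3 will not populate the secret.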