NAS file system local accounts (CIFS workgroup)
Workgroup client authentication provides an extra layer of security to the ONTAP solution that is consistent with a traditional domain authentication posture. Use the vserver cifs session show
command to display numerous posture-related details, including IP information, the authentication mechanism, the protocol version, and the authentication type.
Starting with ONTAP 9, you can configure a CIFS server in a workgroup with CIFS clients that authenticate to the server by using locally defined users and groups. Workgroup client authentication provides an extra layer of security to the ONTAP solution that is consistent with a traditional domain authentication posture. To configure the CIFS server, use the vserver cifs create
command. After the CIFS server is created, you can join it to a CIFS domain or join it to a workgroup. To join a workgroup, use the -workgroup
parameter. Here is an example configuration:
cluster1::> vserver cifs create -vserver vs1 -cifs-server CIFSSERVER1 -workgroup Sales
A CIFS server in workgroup mode supports only Windows NT LAN Manager (NTLM) authentication and does not support Kerberos authentication. |
NetApp recommends using the NTLM authentication function with CIFS workgroups to maintain your organization's security posture. To validate the CIFS security posture, NetApp recommends using the vserver cifs session show
command to display numerous posture-related details, including IP information, the authentication mechanism, the protocol version, and the authentication type.