Create keytab files for SMB authentication

Contributors

Beginning with ONTAP 9.7, ONTAP supports SVM authentication with Active Directory (AD) servers using keytab files. AD administrators generate a keytab file and make it available to ONTAP administrators as a uniform resource identifier (URI), which is supplied when vserver cifs commands require Kerberos authentication with the AD domain.

AD administrators can create the keytab files using the standard Windows Server ktpass command. The command should be run on the primary domain where authentication is required. The ktpass command can be used to generate keytab files only for primary domain users; keys generated using trusted-domain users are not supported.

Keytab files are generated for specific ONTAP admin users. As long as the admin user’s password does not change, the keys generated for the specific encryption type and domain will not change. Therefore, a new keytab file is required whenever the admin user’s password is changed.

The following encryption types are supported:

  • AES256-SHA1

  • DES-CBC-MD5

    Note

    ONTAP does not support DES-CBC-CRC encryption type.

  • RC4-HMAC

AES256 is the highest encryption type and should be used if enabled on the ONTAP system.

Keytab files can be generated by specifying either the admin password or by using a randomly-generated password. However, at any given time only one password option can be used, because a private key specific to the admin user is needed at the AD server for decrypting the keys inside the keytab file. Any change in the private key for a specific admin will invalidate the keytab file.