Create keytab files for SMB authentication
Beginning with ONTAP 9.7, ONTAP supports SVM authentication with Active Directory (AD) servers using keytab files. AD administrators generate a keytab file and make it available to ONTAP administrators as a uniform resource identifier (URI), which is supplied when
vserver cifs commands require Kerberos authentication with the AD domain.
AD administrators can create the keytab files using the standard Windows Server
ktpass command. The command should be run on the primary domain where authentication is required. The
ktpass command can be used to generate keytab files only for primary domain users; keys generated using trusted-domain users are not supported.
Keytab files are generated for specific ONTAP admin users. As long as the admin user’s password does not change, the keys generated for the specific encryption type and domain will not change. Therefore, a new keytab file is required whenever the admin user’s password is changed.
The following encryption types are supported:
ONTAP does not support DES-CBC-CRC encryption type.
AES256 is the highest encryption type and should be used if enabled on the ONTAP system.
Keytab files can be generated by specifying either the admin password or by using a randomly-generated password. However, at any given time only one password option can be used, because a private key specific to the admin user is needed at the AD server for decrypting the keys inside the keytab file. Any change in the private key for a specific admin will invalidate the keytab file.