New/Updated NAS Technical Reports! – Spring 2020

With the COVID-19 quarantine, stay at home orders and new 1-year ONTAP release cadence, I’m finding I have a lot more spare time, which translates into time to update old, crusty technical reports!

30 Gandalf Facts To Rule Them All | The Fact Site

Some of the old TRs hadn’t been updated for 3 years or so. Much of the information in those still applied, but overall, the TR either had to be retired or needed an update – if only to refresh the publish date and apply new templates.

So, first, let’s cover the grandfather TRs.

Updated TRs

TR-4073: Secure Unified Authentication

This TR was a monolith that I wrote when I first started as a TME back in 2015-ish. It covers LDAP, Kerberos and NFSv4.x for a unified security approach to NFS. The goal was to combine everything into a centralized document, but what ended up happening was I now had a TR that was 250+ pages long. Not only is that hard to read, but it’s also daunting enough to cause people not to want to read it at all. As a result, I made it a goal to break the TR up into more manageable chunks. Eventually, this TR will be deprecated in favor of newer TRs that are shorter and more specific.

TR-4616: NFS Kerberos in ONTAP

I created the NFS Kerberos TR in 2017 to focus only on Kerberos with NFS. To streamline the document, I narrowed the focus to only a set of configuration options (AD KDCs, RHEL clients, newest ONTAP version), removed extraneous details and moved examples/configuration steps to the end of the document. The end result – a 42 page document with the most important information taking up around 30 pages.

However, there hasn’t been an updated version since then. I’m currently in the process of updating that TR and was waiting on some other TRs to be completed before I finished this one. The new revision will include updated information and the page count will rise to around 60-70 pages.

TR-4067: NFS Best Practice Guide

This TR is another of the original documents I created and hasn’t been updated since 2017. It’s currently getting a major overhaul right now, including re-organizing the order to include the more crucial information at the start of the document and reducing the total page count by roughly 20 pages. Examples and advanced topics were moved to the back of the document and the “meat” of the TR is going to be around 90 pages.

Major changes include:

  • New TR template
  • Performance testing for NFSv3 vs. NFSv4.x
  • New best practice recommendations
  • Security best practices
  • Multiprotocol NAS information
  • Removal of Infinite Volume section
  • NFS credential information

As part of the TR-4073 de-consolidation project, TR-4067 will cover the NFSv4.x aspects.

This TR is nearly done and is undergoing some peer review, so stay tuned!

TR-4523: DNS Load Balancing in ONTAP

This TR was created to cover the DNS load balancing approaches for NAS workloads with ONTAP. It’s pretty short – 35 pages or so – and covers on-box and off-box DNS load balancing.

It was updated in May 2020 and was basically a minor refresh.

New TR

TR-4835: How to Configure LDAP in ONTAP

The final part of the TR-4073 de-consolidation effort was creating an independent LDAP TR. Unlike the NFS Kerberos TR, I wanted this one to cover a wide array of configurations and use cases, so the total length ended up being 135 pages, but the “meat” of the document (the most pertinent information) only takes up around 87 pages.

Sections include, in order:

  • LDAP overview
  • Authentication in ONTAP
  • LDAP Components and Considerations
  • Configuration
  • Common Issues and Troubleshooting
  • Best Practices
  • Appendix/Command Examples

Feedback and comments are welcome!

3 thoughts on “New/Updated NAS Technical Reports! – Spring 2020

  1. Having waded though all three, I appreciate the effort and probably could not have configured my array with out them. However, oh lordy are they difficult to use. I get everyone’s use case is going to be a little different but I found it difficult to find I needed (though it was all there) to solve my particular use case. It also speaks VOLUMES to how difficult file services are to when you want something as “simple” as a secure, converged file namespace (kerb5p NFS and SMBv3 on the same volume). Even kerb5p with AD LDAP was a chore. NetApp OnTap developers really need these use cases easier to set up. As for your documents, again, thanks. They were invaluable.

    I would recommend pulling out all the 7-mode stuff along with much of the client-side stuff. They pull focus away from the main topics that should be c-dot focused and make searching more difficult and to be honest, I don’t care how Solaris LDAP works (as an example). I’m more interested in how LDAP server works on OnTap 9.

    Also, as an aside, there’s never any distinction made between a CIFS Server client config set to use LDAP port 636 and the CIFS server security config’s “use-ldaps-for-ad-ldap” being set to false. There’s no information about “which config wins” (and why is there a “use-ldaps-for-ad-ldap” in the CIFS security settings to begin with? Oh developers.

    And finally, again, thank you for your work on these docs!


    • The good news is, I have already done a lot of what you mentioned. TR-4073 was a bear, so I split it up.

      TR-4616 is around 72 pages and covers NFS Kerberos only, with a focus mainly on AD and RHEL/Centos config. The 7-mode stuff was removed.

      TR-4835 covers only LDAP. It’s a bit longer than the Kerberos TR, but includes multiple LDAP server configs, troubleshooting commands, etc. it also covers the secure LDAP stuff.

      As for NFSv4, that’s being covered in more depth in the TR-4067 update, which will be out in a month or so.


  2. We faced a lot of challenges setting up Kerberos communication between VSCAN and ONTAP and ended up having to stop using on-box DNS load-balancing before it would work. A proper guide for configuring VSCAN and ONTAP for Kerberos communication with on-box DNS load balancing would be appreciated.

    Troy Tolle


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s