Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Configure Oracle Cloud Infrastructure File Storage Service with Active Directory User Access Control

Introduction

This tutorial provides a step-by-step approach to integrating Active Directory (AD) users with unique user ID (UID)/group ID (GID) mapping for secure access to Oracle Cloud Infrastructure (OCI) File Storage service using the Windows Network File System (NFS) client. It ensures proper authentication and access control by leveraging Active Directory permissions, enabling organizations to restrict file system access to specific users and groups while maintaining compliance with enterprise security policies.

By enabling UID/GID mapping in Active Directory and using Windows security permissions, you can:

• Restrict OCI File Storage access to specific Active Directory users/groups.

• Ensure file ownership and access control are correctly applied.

• Allow NFS-based Windows clients to securely interact with OCI File Storage.

In this tutorial, we will create an OCI File Storage and a mount target in the same Virtual Cloud Network (VCN) as your Active Directory Domain Services (AD DS) and domain-joined Windows virtual machine (VM) for seamless integration and access control from Task 1 to 4 and enable Active Directory integration for OCI File Storage, create users with specific UID/GID mappings, and enforce folder-level access restrictions from Task 5 to 8.

Objectives

• Integrate Active Directory users with UID/GID mapping to securely access OCI File Storage using Windows NFS client, while enforcing access control based on Active Directory permissions.

  • Create an OCI File Storage.

  • Configure a mount target in the same VCN as the domain controller and Windows VM.

  • Ensure proper security rules for NFS access.

  • Mount the file system on the Windows VM.

  • Prepare for Active Directory-based access control.

  • Create AD users with UID/GID attributes.

  • Configure OCI File Storage with folder-level access control.

  • Mount OCI File Storage on domain-joined VMs.

  • Validate user-based access restrictions.

  This setup ensures seamless Active Directory integration with OCI File Storage, allowing secure file sharing and controlled access based on UID/GID mappings. This setup ensures secure, role-based access control for OCI File Storage service using Active Directory authentication and UID/GID mapping.

Prerequisites

• OCI File Storage with a mount target configured.

• AD DS with RFC2307 attributes enabled.

• Windows NFS client installed on domain-joined machines.

• Both Active Directory domain controller and OCI File Storage mount target should be on the same network VCN.

Task 1: Create an OCI File Storage

1. Log in to the OCI Console, navigate to Storage and click File Storage.

2. Click Create File System and enter the following information.

   • Compartment: Select an appropriate compartment.
   • Name: Enter a descriptive name. For example, AD-Integrated-FSS.

3. Click Create to provision the file system.

Task 2: Create a Mount Target in the Same VCN

1. Go to the OCI Console, navigate to File Storage and click Mount Targets.

2. Click Create Mount Target and enter the following information.

   • Compartment: Select the same compartment as your OCI File Storage.
   • Name: Enter a name. For example, AD-MountTarget.
   • Virtual Cloud Network (VCN): Select the same VCN where your domain controller and domain-joined VM are deployed.
   • Subnet: Select a private or public subnet in the VCN (ensure it allows NFS traffic).
   • Hostname: Enter a hostname for the mount target.

3. Click Create Mount Target and wait for it to be provisioned.

   

Task 3: Configure Security Rules for NFS Access

1. Go to the OCI Console, navigate to Networking, Virtual Cloud Networks (VCN) and select your VCN.

2. Click Security Lists and update the Ingress Rules for the mount target’s subnet with the following information.

   • Source CIDR: The subnet containing your domain controller and domain-joined VM.
   • Protocol: Select TCP.
   • Port Range: Enter 2049 (for NFS).

3. Add an Egress Rule to allow outbound traffic from the mount target’s subnet with the following information.

   • Destination CIDR: Enter 0.0.0.0/0.
   • Protocol: Select TCP.
   • Port Range: Enter 2049.

   If using security groups, ensure your domain controller, domain-joined VM, and mount target are in the same group, with NFS (TCP 2049) and DNS (TCP/UDP 53) allowed.

Task 4: Verify Connectivity

1. Log in to the domain-joined Windows VM.

2. Test connectivity to the mount target using the ping or nslookup command.

   ping <MOUNT_TARGET_IP>
   nslookup <MOUNT_TARGET_HOSTNAME>
   

   Ensure the domain controller and Windows VM can resolve the mount target hostname using DNS.

Task 5: Configure Active Directory Users with UID/GID Attributes

1. Open Active Directory Users and Computers (ADUC).

2. In Domain Controller, open ADUC (dsa.msc), click View and enable Advanced Features.

   

3. Create Users with RFC2307 attributes.

   1. Navigate to Users under your domain. For example, fs-ad.com.

   2. Create the following users and set RFC2307 attributes.

      User	UID Number	GID Number	Description
      fssadmin	0	0	FSS Administrator
      applicationuser1	101	501	App User 1
      applicationuser2	102	502	App User 2

      

      

4. Modify user attributes.

   1. Right-click each user and click Properties.

   2. Navigate to Attribute Editor and update the following RFC2307 attributes.

      • objectClass: Add posixAccount.
      • uidNumber: Assign values from the table in Task 5.3.
      • gidNumber: Assign values from the table in Task 5.3.
      • uid: Set as sAMAccountName.

   3. Click Apply and OK.

Task 6: Configure OCI File Storage Permissions

1. Set OCI File Storage main folder with 0 UID/GID (root access for fssadmin).

   1. Go to the OCI Console, navigate to File Storage and click File Systems.

   2. Click your OCI File Storage instance and select the main folder.

   3. Click Advanced Permissions and enter the following information.

      • UID: Enter 0.
      • GID: Enter 0.

2. Create and restrict application-specific folders.

   1. Inside the OCI File Storage main folder, create two folders with the following information.

      • Folder1: For applicationuser1 with uid=101.
      • Folder2: For applicationuser2 with uid=102.

   2. Click Advanced Options and set folder permissions.

      • Folder1:

        • UID: Enter 101.
        • GID: Enter 501.

      • Folder2:

        • UID: Enter 102.
        • GID: Enter 502.

Task 7: Mount OCI File Storage on Domain-Joined Windows VMs

1. Log in to the domain-joined Windows VM as applicationuser1 or applicationuser2.

2. Open Command Prompt as Administrator.

3. Mount OCI File Storage using the mount target IP.

   mount -o sec=sys Mount_Target_IP:/<EXPORT_PATH> S:
   

   Note:

   • Replace <MOUNT_TARGET_IP> with the mount target’s IP.

   • Replace <EXPORT_PATH> with OCI File Storage export path.

4. Verify the mount using the following command.

   net use
   

   Ensure S: is successfully mounted.

   

Task 8: Validate Folder Access Restrictions

• User Access Verification

  • applicationuser1:

    • Access: Can read and write inside Folder1 (UID: 101).
    • Restriction: Cannot create files inside Folder2 (UID: 102).

  • applicationuser2:

    • Access: Can read and write inside Folder2 (UID: 102).
    • Restriction: Cannot create files inside Folder1 (UID: 101).

  Additionally, users cannot create new folders in the OCI File Storage main folder, ensuring strict access control enforcement.

• Configuring Group-Based Access Control for OCI File Storage (FSS)

  To grant a group of users access to a specific folder in OCI File Storage (FSS), assign the same GID to all users in the group while keeping their UIDs unique. When creating the folder in OCI FSS, set only the GID in the Advanced Options to match the assigned group GID(Example: GID 501). This ensures that all users within the group can mount the FSS and access the designated folder while maintaining individual user identities.

• Enforce Access Control with Active Directory

  When users log in to a domain-joined VM, they can mount the drive and access only the OCI File System folders they are authorized for. Any attempt to access or modify unauthorized folders will be restricted based on defined permissions.

  Access control is centrally managed through Active Directory, allowing only domain administrators and file system administrators (GID/UID: 0) to have full control over the OCI File Storage folders. This ensures a structured and secure permission model.

• Strengthen Security with Export Options

  To further enhance security, OCI export options should be configured to allow access only from specific, verified IP addresses. By restricting the mount target access to known and authorized IPs, unauthorized systems are denied access by default, making this approach one of the most secure ways to control OCI File Storage access.

  

Manage File Attributes in OCI File Storage to Prevent :Zone.Identifier Attachment on Windows

Issue: :Zone.Identifier attachment to OCI File Storage files on Windows.

When copying files to OCI File Storage mounted on Windows, an alternate data stream (:Zone.Identifier) may be appended to files. This happens because Windows uses zone identifier metadata to track the security zone of downloaded files, primarily to prevent execution of potentially unsafe content.

Since OCI File Storage uses the NFS protocol, which supports extended attributes but does not natively handle Windows-specific NTFS alternate data streams (ADS), these :Zone.Identifier streams may be unintentionally retained when files are copied. This can cause unexpected security warnings or issues when executing files.

To prevent this, follow these steps on every client VM’s accessing this OCI File Storage mount target drive.

1. Click Internet (inetcpl.cpl) on the domain client machine.

2. Go to the Security tab, select Local intranet and click Sites.

3. Click Advanced and add your OCI File Storage mount target hostname (the mss mount point \fss-mount-target or \IP-Address-FSS).

   

Related Links

• Configure File Storage for Microsoft Windows Active Directory Users

• Mounting File System from Windows Server Command Prompt

Acknowledgments

• Authors - Akarsha I K (Cloud Architect), Mayank Kakani (Cloud Architect)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Configure Oracle Cloud Infrastructure File Storage Service with Active Directory User Access Control

G27525-01

February 2025

Copyright ©2025, Oracle and/or its affiliates.