Configure Authentication and Authorization for Active Directory Users

Set up Oracle Cloud Infrastructure Identity and Access Management, configure Active Directory (AD) authentication and authorization, configure the NFS export, and set up Unix permissions.

Set Up Oracle Cloud Infrastructure Identity and Access Management Policies

Create a dynamic group in Oracle Cloud Infrastructure (OCI) Identity and Access Management and add policies to allow the mount targets to have access to the LDAP and Kerberos secrets. This is required for both Kerberos and LDAP configurations.

  1. Log onto OCI.
  2. Open the navigation menu and click Identity & Security.
  3. Click Dynamic Groups.
  4. Click Create dynamic group, then enter the Name and Description.
    The name must be unique across all groups in your tenancy (dynamic groups and user groups). You can't change the name later. Avoid entering confidential information.
    This example uses the group ad-kerberos-mt-group for all mount targets in the ad-kerberos compartment.
  5. Enter the Matching Rules to define the members of the group.
    For example,
    ALL { resource.type='mounttarget', resource.compartment.id = '<mount_target_compartment_ocid>' }
  6. Click Create.
  7. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  8. Click Create Policy.
  9. Enter a name, description, and the compartment for the new policy.
    The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
  10. Use the Policy Builder to create a policy to allow mount target access to secrets in the compartment.
    This example uses the group ad-kerberos-mt-group for all mount targets in the ad-kerberos compartment.
    allow dynamic-group ad-kerberos-mt-group to read secret-family in compartment ad-kerberos
  11. Click Create.

Configure Active Directory Authentication with Kerberos

After you configure Oracle Cloud Infrastructure Identity and Access Management, you'll configure Active Directory. Configuring Kerberos involves two steps: Join the mount target to Microsoft's Active Directory and then update the mount target settings with the Kerberos configuration.

Join the Mount Target to the Active Directory

Complete this task when authentication is required for Active Directory users. This is a manual process performed outside of Oracle Cloud Infrastructure File Storage service. Joining the mount target to Microsoft's Active Directory involves adding a computer account to Active Directory, setting up the correct cipher, extracting the keytab, and adding the mount target to the DNS.

  1. Create a computer account for the mount target (MT) in the Active Directory.
    You can create the account from the command-line, or use the Active Directory Users and Computers snap-in to create a new computer account.
    Command-Line
    C:\Users\administrator>djoin /provision /domain fss-ad.com /machine fss-mt-ad-1 /savefile offlinedomainjoin.txt
    Provisioning the computer...
    Successfully provisioned [fss-mt-ad-1] in the domain [fss-ad.com].
    …
    The operation completed successfully.
    Active Directory Users and Computers
    1. Go to the Active Directory Users and Computers directory, expand fss-ad.com, then select Computers.
    2. Click New, then click Computer.
    3. Add fss-mt-ad-1.

      Once this is done, FSS-MT-AD-1 appears under the Computers tree in the Active Directory Users and Computers snap-in.

  2. Create a keytab using ktpass.exe.

    Note:

    You must open the command prompt as an Administrator to run ktpass.exe; otherwise, it fails. The ktpass crypto value AES256-SHA1 corresponds to the Kerberos encryption type aes256-cts-hmac-sha1-96.
    C:\>ktpass -princ nfs/fss-mt-ad-1.fss-ad.com@FSS-AD.COM -mapuser FSS-AD\fss-mt-ad-1 -crypto AES256-SHA1 +rndpass -ptype KRB5_NT_SRV_HST  -out fss-mt-ad-1.keytab
    Targeting domain controller: ad-server.fss-ad.com
    Successfully mapped nfs/fss-mt-ad-1.fss-ad.com to FSS-MT-AD-1$.
    WARNING: Account FSS-MT-AD-1$ is not a user account (uacflags=0x1001).
    WARNING: Resetting FSS-MT-AD-1$'s password may cause authentication problems if FSS-MT-AD-1$ is being used as a server.
    
    Reset AD-FSS-MT-2$'s password [y/n]?  y
    Password successfully set!
    Key created.
    Output keytab to fss-mt-ad-1.keytab:
    Keytab version: 0x502
    keysize 88 nfs/fss-mt-ad-1.fss-ad.com@FSS-AD.COM ptype 3 (KRB5_NT_SRV_HST) vno 2 etype 0x12 (AES256-SHA1) keylength 32
    
  3. Convert the keytab to base64. The base64 text is what you store as the keytab secret when you configure Kerberos on the mount target.
    C:\>certutil.exe -encode fss-mt-ad-1.keytab keytab.txt
    Input Length = 94
    Output Length = 188
    CertUtil: -encode command completed successfully.
    
    C:\>notepad keytab.txt
    1. Open the keytab.txt file in Notepad.
    2. Remove the BEGIN CERTIFICATE and END CERTIFICATE lines.
    3. Join the remaining base64 text into one continuous line with no spaces or line breaks.
      You'll need this base64 text later when you configure the keytab secret for the mount target.
  4. Modify the mount target (MT) account attributes in Active Directory to require stronger ciphers. Locate the MT account and set the msDS-SupportedEncryptionTypes attribute value to 24 for aes256-cts-hmac-sha1-96.
    By default, Active Directory issues tickets with the RC4 cipher. If the msDS-SupportedEncryptionTypes attribute doesn't exist, create it and set the value.
  5. Open the DNS Manager and expand the DNS Server tree.
  6. Under Forward Lookup Zones, add a host record for the mount target: enter the IP address, select Create associated pointer (PTR) record, then click Add Host.
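As an added example (this is not Oracle's code and is not part of the original page), the following Python script checks the keytab produced by ktpass before it goes into the vault. It parses the version 0x0502 keytab format, confirms that the entry is for the expected nfs/ principal with an aes256-cts-hmac-sha1-96 (etype 0x12) key and carries no RC4 key, decodes an msDS-SupportedEncryptionTypes value so you can see which ciphers 24 permits, and produces the single-line base64 that the secret needs (the same result as certutil -encode once the BEGIN/END lines are removed and the lines joined). The keytab bytes returned by build_sample_keytab are constructed to match the ktpass output above (one entry, ptype 3, vno 2, etype 0x12, 32-byte key, entry size 88, file size 94); the key material is a placeholder.

```python
import base64
import struct
import sys

# Kerberos encryption type numbers (RFC 3962 for AES, RFC 4757 for RC4).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Bit flags of the AD msDS-SupportedEncryptionTypes attribute (MS-KILE).
MSDS_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "rc4-hmac",
             0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}


def _counted(buf, off):
    """Read a uint16 length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n


def parse_keytab(data):
    """Parse a version 0x0502 (MIT/ktpass) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab header %r (expected 0x0502)" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # entry length; negative = deleted slot
        off += 4
        if size <= 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        if off + 4 <= end:                               # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "vno": vno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
                        "keylength": len(key), "entry_size": size})
        off = end
    return entries


def check_keytab(data, principal, required_etype=18):
    """Return a list of problems (empty when the keytab is what the mount target needs)."""
    problems = []
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        problems.append("no entry for %s" % principal)
    elif not any(e["etype"] == required_etype for e in mine):
        problems.append("no %s key for %s" % (ETYPE_NAMES[required_etype], principal))
    for e in entries:
        if e["etype"] == 23:
            problems.append("%s carries an rc4-hmac key; regenerate with AES only" % e["principal"])
    return problems


def keytab_to_secret(data):
    """Single-line base64, the form the keytab vault secret expects."""
    return base64.b64encode(data).decode("ascii")


def certutil_to_single_line(text):
    """Strip the BEGIN/END lines from certutil -encode output and join the body into one line."""
    return "".join(ln.strip() for ln in text.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))


def msds_supported_enctypes(value):
    """Decode an msDS-SupportedEncryptionTypes value into the cipher names it permits."""
    return {name for bit, name in MSDS_BITS.items() if value & bit}


def build_sample_keytab(key=b"\x11" * 32, principal="nfs/fss-mt-ad-1.fss-ad.com@FSS-AD.COM",
                        name_type=3, vno=2, etype=18):
    """Constructed keytab mirroring the ktpass output above; the key is a placeholder."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, 0, vno)       # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", etype, len(key)) + key    # keyblock: etype, key length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    # Usage: python keytab_check.py fss-mt-ad-1.keytab nfs/fss-mt-ad-1.fss-ad.com@FSS-AD.COM
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_keytab()
    who = sys.argv[2] if len(sys.argv) > 2 else "nfs/fss-mt-ad-1.fss-ad.com@FSS-AD.COM"
    for entry in parse_keytab(raw):
        print(entry)
    print("problems:", check_keytab(raw, who) or "none")
    print("secret contents:", keytab_to_secret(raw))
```

Run it against the real fss-mt-ad-1.keytab to confirm the entry size (88) and the 94-byte file size agree with the ktpass and certutil output before pasting the secret contents into the vault; a second entry with etype 23 means RC4 was still enabled for the account when the keytab was generated.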

Configure the Mount Target for Kerberos

Create a secret for the keytab. The secret content is the base64 encoded keytab that you copied when you joined the mount target with the Active Directory.

The following are the basic steps needed to configure the mount target for Kerberos:

  • Join the mount target to Active Directory (previous step).
  • Configure the keytab vault secret.
  • Configure Kerberos on the mount target.

  1. Go to the Oracle Cloud Infrastructure (OCI) Console and open the navigation menu.
  2. Click Identity & Security, then click Vault.
  3. Under List scope, select the compartment in which you want to create a secret.
    This example uses the compartment ad-kerberos.
  4. Under Resources, click Secrets and then click Create Secret.
  5. Enter the following information in the Create Secret panel:
    Avoid entering any confidential information.
    1. Name: Enter a name to identify the secret. For example, fss-mt-ad-1-keytab-secret.
    2. Description: Enter a brief description of the secret to help identify it. For example, Keytab for fss-mt-ad-1.
    3. Encryption Key: Select the master encryption key that you want to use to encrypt the secret contents while they're imported to the vault. For example, mount-target-secrets.
      The key must belong to the same vault. The key must also be a symmetric key. You cannot encrypt vault secrets with asymmetric keys.
    4. Secret Type Template: Base64.
    5. Secret Contents: Enter the contents of the secret.
      This is the base64 encoded keytab that you saved earlier when you converted the keytab to base64 as part of joining the mount target to the Active Directory.
  6. Click Create Secret.
  7. Go to the NFS tab for the mount target.
    1. Click Storage in the navigation menu.
    2. Under File Storage, click Mount Targets.
    3. In the List scope section, under Compartment, select a compartment.
      For example, ad-kerberos.
    4. Find the mount target, then click the NFS tab.
  8. Click Manage next to Kerberos in the NFS tab.
  9. Select the keytab secret and version, then click Validate keytab, view the results and save. Select Enable Kerberos.
    In this example, the Keytab Secret in ad-kerberos compartment is fss-mt-ad-1-keytab-secret and the Current keytab Secret version is 1.

Mount NFS Export Using Kerberos

Kerberos NFS supports the following three security mechanisms.

  • krb5: Kerberos for authentication only.
  • krb5i: Authenticated, and uses cryptographic hashes on each transaction to ensure integrity. Traffic can still be intercepted and examined, but it cannot be modified.
  • krb5p: Authenticated, and encrypts all traffic between the client and server. The traffic can be neither inspected nor modified.

For example, to mount the export on a Windows client with the krb5 flavor:
C:\Users\fss-user-1>mount -o sec=krb5 fss-mt-ad-1.fss-ad.com:/krb-fs-1 T:
T: is now successfully connected to fss-mt-ad-1.fss-ad.com:/krb-fs-1

The command completed successfully.
If a security flavor (sys, krb5, krb5i, or krb5p) is not provided during mount, Windows chooses the strongest security flavor enabled on the export. Use the mount command to verify which flavor Windows selected when the drive was mounted.
C:\Users\fss-user-1>mount

Local    Remote                                 Properties
-------------------------------------------------------------------------------
T:       \\fss-mt-ad-1.fss-ad.com\krb-fs-1      UID=0, GID=0
                                                rsize=1048576, wsize=1048576
                                                mount=soft, timeout=0.8
                                                retry=1, locking=yes
                                                fileaccess=755, lang=ANSI
                                                casesensitive=no
                                                sec=krb5


C:\Users\fss-user-1>whoami
fss-ad\fss-user-1
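As an added example (not Oracle's code and not part of the original page), the following Python script parses the output of the Windows mount command shown above and reports any drive whose negotiated sec flavor is weaker than the one you require, so the check that the expected flavor was selected can be scripted rather than read by eye. SAMPLE_MOUNT_OUTPUT is the session output above; the weakest-to-strongest ranking of the flavors follows the list of security mechanisms on this page.

```python
import re

# Output of the Windows mount command, copied from the session above.
SAMPLE_MOUNT_OUTPUT = r"""
Local    Remote                                 Properties
-------------------------------------------------------------------------------
T:       \\fss-mt-ad-1.fss-ad.com\krb-fs-1      UID=0, GID=0
                                                rsize=1048576, wsize=1048576
                                                mount=soft, timeout=0.8
                                                retry=1, locking=yes
                                                fileaccess=755, lang=ANSI
                                                casesensitive=no
                                                sec=krb5
"""

# Strength order of the NFS security flavors, weakest first.
FLAVOR_RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

# A row that starts a new mount: drive letter, UNC remote path, first properties.
_ROW = re.compile(r"^(?P<local>[A-Za-z]:)\s+(?P<remote>\S+)\s+(?P<props>.*)$")


def parse_mount_output(text):
    """Return {drive: {"remote": ..., "props": {key: value}}} from mount output."""
    mounts, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Local") or line.startswith("---"):
            continue                                    # header, separator, blank
        m = _ROW.match(line)
        if m:
            current = {"remote": m.group("remote"), "props": {}}
            mounts[m.group("local")] = current
            props = m.group("props")
        elif current is not None:
            props = line.strip()                        # continuation line of properties
        else:
            continue
        for item in props.split(","):
            key, _, val = item.strip().partition("=")
            if key:
                current["props"][key] = val
    return mounts


def drives_below_flavor(mounts, required):
    """List drives whose negotiated sec flavor is weaker than `required` (or missing)."""
    need = FLAVOR_RANK[required]
    weak = []
    for drive, info in sorted(mounts.items()):
        have = FLAVOR_RANK.get(info["props"].get("sec"), -1)
        if have < need:
            weak.append(drive)
    return weak


if __name__ == "__main__":
    # On a Windows client, feed it live output: mount | python check_flavor.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MOUNT_OUTPUT
    mounts = parse_mount_output(text)
    for drive, info in mounts.items():
        print(drive, info["remote"], "sec=%s" % info["props"].get("sec", "?"))
    print("below krb5i:", drives_below_flavor(mounts, "krb5i") or "none")
```

For the session above, the T: drive negotiated krb5, so it passes a krb5 requirement but is listed when krb5i or krb5p is required; that is the case to look for when an export was meant to enforce integrity or privacy and the client mounted without an explicit sec option.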

You can now access the drive from Windows Explorer. Note that drive mappings are per user: every user accessing the OCI File Storage share must map the share to a drive letter.

Configure Active Directory Authorization for LDAP

Complete this task when LDAP authorization is required for Active Directory users. Gather the information needed from the Active Directory, set the RFC2307 attributes for all users and groups accessing File Storage, and then configure LDAP on the mount target.

The following are the basic steps needed to configure Active Directory Authorization for LDAP:

  • Obtain LDAP configuration details from Active Directory.
  • Configure LDAP bind user secret.
  • Create outbound connector.
  • Configure LDAP on mount target.

Note:

The mount target cannot use a self-signed LDAP certificate.

  1. Use DNS to find the systems hosting LDAP, and save the result for a later step.
    In this example, the domain is fss-ad.com.
    C:\Users\administrator>nslookup -type=srv _ldap._tcp.fss-ad.com
    Server:  localhost
    Address:  ::1
    _ldap._tcp.fss-ad.com   SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = ad-server.fss-ad.com
        ad-server.fss-ad.com    internet address = 10.9.1.194
  2. In Active Directory, locate the distinguishedName (DN) attribute search base for users and groups.
    1. Go to the Active Directory Users and Computers directory, expand fss-ad.com.
    2. Click Users.
  3. Get the LDAP bind user DN.

    Note:

    This user can be a least-privileged user with directory search permission. The password for this user is also required later, to configure the outbound connector.
    1. Select the ldap-user.
    2. Click the Attribute Editor tab.
    3. Select the distinguishedName attribute.
    4. Copy the value and save it for a later step.
  4. Verify the RFC2307 attributes for all users and groups accessing OCI File Storage.
    See "Configure RFC2307 Attributes in Active Directory" for instructions and the RFC2307 attribute table.
  5. Create a secret for the LDAP bind user discovered in step 3 above.
    The secret holds the password for the LDAP user to bind. The format must be plain text.
  6. Configure an Outbound Connector. Outbound Connectors are listed on the File Storage page under Additional Resources. Create the outbound connector in the same availability domain (AD) as the mount target.
    1. Enter the DNS name of the LDAP server.
      For example, ad-server.fss-ad.com.
    2. Enter the LDAPS port of the LDAP service.
      For example, 636.
    3. Enter the bind distinguished name.
      This is the LDAP user that logs in to the LDAP server. For example, CN=ldap-user,CN=Users,DC=fss-ad,DC=com.
    4. Select the vault in the compartment where your Secrets are stored.
      For example, krb-vault in the ad-kerberos compartment.
    5. Select the Secret in the compartment.
      For example, fss-mt-ad-1-ldap-password in the ad-kerberos compartment.
    6. Select the Secret version.
      For example, 1.
    7. Click Create.
  7. Configure LDAP for the mount target.
    You'll use the Outbound Connector from the previous step.
    1. Click Storage in the navigation menu. Under File Storage, click Mount Targets.
    2. Select a compartment.
      For example, ad-kerberos.
    3. Find the mount target, click the NFS tab, then click Manage LDAP.
    4. Enter the search base in the Search base for users and Search base for groups fields.

      Note:

      The search bases for users and groups are the DNs of the Active Directory containers that hold the users and groups.

      For example, Search base for users: CN=Users,DC=fss-ad,DC=com and Search base for groups: CN=Users,DC=fss-ad,DC=com.
    5. Enter the cache intervals and then select the outbound connector created in the Outbound Connector 1 field.
      In this example, the Cache refresh interval, Cache lifetime, and Negative cache lifetime are each 300 seconds. The LDAP account in the Outbound Connector 1 is fss-ad-ob-1.
    6. Save settings.

Configure NFS Export

Configure the export settings according to the authorization requirements.

  • When LDAP authorization is not required and all authenticated users should map to a single uid/gid, use the NFS Export options (which control how clients can access your file system) to squash all users:
    1. Anonymous access: Select Not allowed
    2. Squash: Select Yes
    3. Squash UID: Enter 99
    4. Squash GID: Enter 99
    With these settings, every authenticated user is given user ID 99 and group ID 99. No LDAP lookup is performed.
  • When users are to be authorized using LDAP, use the NFS Export options to map Kerberos principals to Unix users:
    1. Anonymous access: Select Allowed
    2. Squash: Select None
    3. Squash UID: Enter 199
    4. Squash GID: Enter 199
    With these settings, every Kerberos user is mapped to the Unix user ID, group ID, and group membership found in LDAP. If the user is not present in LDAP, anonymous mapping is used and the user is mapped to user ID 199 and group ID 199. If anonymous access is disabled and the Kerberos user does not exist in LDAP, the user receives an access denied error when accessing the share.

Unix Permission in Windows

Oracle Cloud Infrastructure File Storage is accessed using the NFSv3 protocol. Authorization is performed using Unix permissions.

You can use the ldp.exe tool to query a user's or group's RFC2307 attributes and see the uid, gid, and group memberships. Unix permissions are checked against the uid, gid, and group memberships stored in LDAP. For example, to find the uid and gid of fss-user-1:
Tool: ldp.exe
Search Base: CN=Users,DC=fss-ad,DC=com
Filter: (&(objectClass=posixAccount)(uid=fss-user-1))
Attributes: uidNumber;gidNumber

Use Windows Explorer to see which owner and group owns the file or folder, and what permissions are set on the file or folder. You can access NFS attributes (Unix attributes) from the properties of files or folders.

Although the primary group of the fss-user-1 user is 500, OCI File Storage considers all the groups the user is a member of when checking permissions. Use the following query to find the group membership of the fss-user-1 user.
Tool: ldp.exe
Search Base: CN=Users,DC=fss-ad,DC=com
Filter: (&(objectClass=posixGroup)(memberUid=fss-user-1))
Attributes: gidNumber

Create Initial Folder Permissions

When implementing, consider folder permissions.

The OCI File Storage root directory is owned by uid 0 with 755 permissions (rwx for the owner root, r-x for the group, and r-x for others). Root access is required to create additional folders for users or to change permissions. It is an administrator task to create the folders and set up the initial permissions that meet the requirements.

You can use one of the following methods to get admin access to the file system:

  • All users are regular users unless they are mapped to uidNumber 0 and root is not squashed. Map an admin user to uidNumber 0 in the user's LDAP attributes.
  • Export the file system with SYS authentication to a secure Linux workstation. Use the root user to create and manage permissions.
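The following Python model, added here as an example and not part of Oracle's product code, ties together the two export option sets from Configure NFS Export, the two ldp.exe queries under Unix Permission in Windows, and the uid 0 administrator case above. A constructed in-memory directory stands in for Active Directory (fss-user-1 with primary gid 500 plus a constructed supplementary group 600, and a constructed fss-admin account mapped to uidNumber 0); map_principal applies the export's squash and anonymous-access settings in the way the page describes, and unix_allows performs the owner/group/other mode-bit check. The option values are the ones on the page, with "Squash: Yes" represented as squash-all; the "root" squash value is the standard NFS root-squash behaviour and is included only to illustrate the last bullet.

```python
# Constructed RFC2307 entries: the records the two ldp.exe queries above would return.
DIRECTORY = [
    {"objectClass": "posixAccount", "uid": "fss-user-1", "uidNumber": 1001, "gidNumber": 500},
    {"objectClass": "posixAccount", "uid": "fss-admin", "uidNumber": 0, "gidNumber": 0},
    {"objectClass": "posixGroup", "cn": "fss-users", "gidNumber": 500, "memberUid": ["fss-user-1"]},
    {"objectClass": "posixGroup", "cn": "finance", "gidNumber": 600, "memberUid": ["fss-user-1"]},
]

# The two option sets from Configure NFS Export ("Squash: Yes" there is squash-all).
SQUASH_ALL_EXPORT = {"anonymous_access": False, "squash": "all", "squash_uid": 99, "squash_gid": 99}
LDAP_MAPPED_EXPORT = {"anonymous_access": True, "squash": "none", "squash_uid": 199, "squash_gid": 199}


def ldap_lookup(principal):
    """(uid, gid, all gids) for the user part of a Kerberos principal, or None if absent.
    Equivalent to the filters (&(objectClass=posixAccount)(uid=...)) and
    (&(objectClass=posixGroup)(memberUid=...)) shown above."""
    name = principal.split("@", 1)[0]
    acct = next((e for e in DIRECTORY
                 if e["objectClass"] == "posixAccount" and e["uid"] == name), None)
    if acct is None:
        return None
    gids = {acct["gidNumber"]}                      # primary group from gidNumber
    gids.update(e["gidNumber"] for e in DIRECTORY   # plus every posixGroup listing the user
                if e["objectClass"] == "posixGroup" and name in e["memberUid"])
    return acct["uidNumber"], acct["gidNumber"], gids


def map_principal(principal, export):
    """Apply the export options to an authenticated principal; returns (uid, gid, gids)."""
    anon = (export["squash_uid"], export["squash_gid"], {export["squash_gid"]})
    if export["squash"] == "all":
        return anon                                 # no LDAP lookup at all
    ident = ldap_lookup(principal)
    if ident is None:
        if not export["anonymous_access"]:
            raise PermissionError("%s is not in LDAP and anonymous access is not allowed" % principal)
        return anon                                 # anonymous mapping for unknown users
    uid, gid, gids = ident
    if export["squash"] == "root" and uid == 0:
        return anon                                 # root squashed to the anonymous identity
    return uid, gid, gids


def unix_allows(uid, gids, owner, group, mode, want):
    """Owner/group/other mode-bit check; want is a string such as 'rw' or 'rx'."""
    if uid == 0:
        return True                                 # uid 0 is the admin case from the last section
    shift = 6 if uid == owner else 3 if group in gids else 0
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & needed) == needed


def can_access(principal, export, owner, group, mode, want):
    """Decision for one principal on one path; raises PermissionError when mapping is refused."""
    uid, _gid, gids = map_principal(principal, export)
    return unix_allows(uid, gids, owner, group, mode, want)


if __name__ == "__main__":
    user = "fss-user-1@FSS-AD.COM"
    print("squash-all identity:", map_principal(user, SQUASH_ALL_EXPORT))
    print("LDAP-mapped identity:", map_principal(user, LDAP_MAPPED_EXPORT))
    print("write to root dir (0:0 755):", can_access(user, LDAP_MAPPED_EXPORT, 0, 0, 0o755, "w"))
    print("write to 0:600 770 folder:", can_access(user, LDAP_MAPPED_EXPORT, 0, 600, 0o770, "w"))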