Configure Authentication and Authorization for Active Directory Users
Set up Oracle Cloud Infrastructure Identity and Access Management, configure Active Directory (AD) authentication and authorization, configure the NFS export, and set up Unix permissions.
Set Up Oracle Cloud Infrastructure Identity and Access Management Policies
Create a dynamic group in Oracle Cloud Infrastructure (OCI) Identity and Access Management and add policies to allow the mount targets to have access to the LDAP and Kerberos secrets. This is required for both Kerberos and LDAP configurations.
Configure Active Directory Authentication with Kerberos
After you configure Oracle Cloud Infrastructure Identity and Access Management, you'll configure Active Directory. Configuring Kerberos involves two steps: Join the mount target to Microsoft's Active Directory and then update the mount target settings with the Kerberos configuration.
Join the Mount Target to the Active Directory
Complete this task when authentication is required for Active Directory users. This is a manual process performed outside of Oracle Cloud Infrastructure File Storage service. Joining the mount target to Microsoft's Active Directory involves adding a computer account to Active Directory, setting up the correct cipher, extracting the keytab, and adding the mount target to the DNS.
Configure the Mount Target for Kerberos
Create a secret for the keytab. The secret content is the base64 encoded keytab that you copied when you joined the mount target with the Active Directory.
The following are the basic steps needed to configure the mount target for Kerberos:
- Join the mount target to Active Directory (previous step).
- Configure keytab vault secrets.
- Configure Kerberos on mount target.
Mount NFS Export Using Kerberos
Kerberos NFS supports the following three security mechanisms.
- krb5: Kerberos for authentication only.
- krb5i: Authenticated, and uses cryptographic hashes with each transaction to ensure integrity. Traffic can still be intercepted and examined, but modification of the traffic is not possible.
- krb5p: Authenticated, and encrypts all traffic between the client and server. The traffic cannot be inspected and cannot be modified.
C:\Users\fss-user-1>mount -o sec=krb5 fss-mt-ad-1.fss-ad.com:/krb-fs-1 T:
T: is now successfully connected to fss-mt-ad-1.fss-ad.com:/krb-fs-1
The command completed successfully.
If a security flavor (sys, krb5, krb5i, or krb5p) is not provided during mount, Windows will choose the strongest security flavor set on the export. Use the mount command to verify which flavor Windows selected when the drive was mounted.
C:\Users\fss-user-1>mount
Local Remote Properties
-------------------------------------------------------------------------------
T: \\fss-mt-ad-1.fss-ad.com\krb-fs-1 UID=0, GID=0
rsize=1048576, wsize=1048576
mount=soft, timeout=0.8
retry=1, locking=yes
fileaccess=755, lang=ANSI
casesensitive=no
sec=krb5
C:\Users\fss-user-1>whoami
fss-ad\fss-user-1
You can now access the drive from Windows Explorer. Note that drive mappings are per user: every user accessing the OCI File Storage share must map the share to the respective drive letter.
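To make the verification above scriptable, here is an added example in Python (not from the Oracle page) that parses the Windows mount listing and reports every drive whose negotiated sec= flavor is weaker than the one you require. The sample output is the page's own listing for T: plus a constructed second drive (S:, share sys-fs-1) mounted with sec=sys; the S: drive, its share name and the FLAVOR_RANK ordering are assumptions made for the example.

```python
# Added example, not from the Oracle page: parse the Windows `mount` listing
# and report drives whose negotiated sec= flavor is weaker than required.
import re

# Weakest to strongest; the ordering follows the page's description of the flavors.
FLAVOR_RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

# The page's own listing for T:, plus a constructed S: drive mounted with sec=sys.
SAMPLE_OUTPUT = r"""
Local Remote Properties
-------------------------------------------------------------------------------
T: \\fss-mt-ad-1.fss-ad.com\krb-fs-1 UID=0, GID=0
rsize=1048576, wsize=1048576
mount=soft, timeout=0.8
retry=1, locking=yes
fileaccess=755, lang=ANSI
casesensitive=no
sec=krb5
S: \\fss-mt-ad-1.fss-ad.com\sys-fs-1 UID=0, GID=0
rsize=1048576, wsize=1048576
sec=sys
"""

# A new entry starts with a drive letter, a colon and a UNC path.
ENTRY_RE = re.compile(r"^([A-Za-z]):\s+(\\\\\S+)\s*(.*)$")


def parse_mount_output(text):
    """Return {drive: {"remote": UNC path, "props": {key: value}}}; property
    lines after the first belong to the most recent drive."""
    mounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Local "):
            continue
        m = ENTRY_RE.match(line)
        if m:
            drive, remote, line = m.groups()
            current = {"remote": remote, "props": {}}
            mounts[drive.upper()] = current
        if current is None:
            continue
        for item in line.split(","):
            key, sep, value = item.partition("=")
            if sep:
                current["props"][key.strip()] = value.strip()
    return mounts


def drives_below(mounts, required):
    """Drive letters whose sec= flavor is weaker than `required`; a drive with
    no sec= property is reported too, since its flavor cannot be confirmed."""
    need = FLAVOR_RANK[required]
    return sorted(drive for drive, info in mounts.items()
                  if FLAVOR_RANK.get(info["props"].get("sec"), -1) < need)


if __name__ == "__main__":
    mounts = parse_mount_output(SAMPLE_OUTPUT)
    for drive, info in sorted(mounts.items()):
        print(drive, info["remote"], "sec=" + info["props"].get("sec", "<missing>"))
    print("below krb5p:", drives_below(mounts, "krb5p"))
```

On a real client, feed the output of `mount` (for example captured from a scheduled task) into parse_mount_output and alert on a non-empty result from drives_below for the flavor your export policy mandates; a drive that shows no sec= property is reported as well, because its flavor cannot be confirmed from the listing.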
Configure Active Directory Authorization for LDAP
Complete this task when LDAP authorization is required for Active Directory users. Gather the information needed from the Active Directory, set the RFC2307 attributes for all users and groups accessing File Storage, and then configure LDAP on the mount target.
The following are the basic steps needed to configure Active Directory Authorization for LDAP:
- Obtain LDAP configuration details from Active Directory.
- Configure LDAP bind user secret.
- Create outbound connector.
- Configure LDAP on mount target.
Note:
The mount target cannot use a self-signed LDAP certificate.
Unix Permissions in Windows
Oracle Cloud Infrastructure File Storage is accessed using NFSv3 protocol. The authorization is performed using Unix permissions.
Use the ldp.exe tool to query the user's and group's RFC2307 attributes to see the uid, gid, and group memberships. The Unix permissions are checked based on the uid, gid, and group memberships stored in LDAP.
Tool: ldp.exe
Search Base: CN=Users,DC=fss-ad,DC=com
Filter: (&(objectClass=posixAccount)(uid=fss-user-1))
Attributes: uidNumber;gidNumber
Use Windows Explorer to see which owner and group owns the file or folder, and what permissions are set on the file or folder. You can access NFS attributes (Unix attributes) from the properties of files or folders.
In this example the uidNumber of the fss-user-1 user is 500. OCI File Storage will consider all the groups the user is a member of for permission checking. Use the following query to find the group membership of the fss-user-1 user.
Tool: ldp.exe
Search Base: CN=Users,DC=fss-ad,DC=com
Filter: (&(objectClass=posixGroup)(memberUid=fss-user-1))
Attributes: gidNumber
Create Initial Folder Permissions
When implementing, consider folder permissions.
The OCI File Storage root directory is owned by uid 0 with 755 permissions (rwx for root as the owner, r-x for the group, and r-x for others). Root access is required to create additional folders for users or to change permissions. It is an administrator task to create and set up the initial permissions that meet the requirements.
You can use one of the following methods to get admin access to file system:
- All users are regular users unless they are mapped to uidNumber 0 and root is not squashed. Map an admin user to uidNumber 0 in the user's LDAP attributes.
- Export the file system with SYS authentication to a secure Linux workstation. Use the root user to create and manage permissions.
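The following added example (Python, not Oracle's code) models both the authorization check described under Unix permissions in Windows and the root-owned 755 root directory described under initial folder permissions. It resolves a user's uidNumber, gidNumber and memberUid groups from constructed posixAccount/posixGroup entries that stand in for the page's two ldp.exe queries, then applies the owner/group/other mode bits, with search checks on ancestor directories and root squashing. Only fss-user-1 with uidNumber 500, the search base CN=Users,DC=fss-ad,DC=com and the 755 uid-0 root directory come from the page; the other users, the groups, the paths, the ANON_UID value and the fss-admin account mapped to uidNumber 0 are assumptions.

```python
# Added example, not from the Oracle page: a model of how the mount target
# authorizes NFSv3 access by combining RFC2307 identity from Active Directory
# with Unix mode bits. Only fss-user-1 / uidNumber 500 and the 755 root
# directory mirror the page; every other entry, path and number is constructed.
import posixpath
from dataclasses import dataclass

R, W, X = 4, 2, 1
ANON_UID = ANON_GID = 65534  # assumption: a squashed root becomes "nobody"

# Constructed stand-in for the results of the page's two ldp.exe queries
# against CN=Users,DC=fss-ad,DC=com.
DIRECTORY = [
    {"objectClass": "posixAccount", "uid": "fss-user-1", "uidNumber": 500, "gidNumber": 500},
    {"objectClass": "posixAccount", "uid": "fss-user-2", "uidNumber": 501, "gidNumber": 501},
    {"objectClass": "posixAccount", "uid": "fss-admin", "uidNumber": 0, "gidNumber": 0},
    {"objectClass": "posixGroup", "cn": "finance", "gidNumber": 1001, "memberUid": ["fss-user-1"]},
    {"objectClass": "posixGroup", "cn": "hr", "gidNumber": 1002, "memberUid": ["fss-user-2"]},
]

# Constructed file-system state: path -> (owner uidNumber, owner gidNumber, mode).
FS = {
    "/": (0, 0, 0o755),            # as on the page: root directory is uid 0, mode 755
    "/finance": (0, 1001, 0o770),  # created by the admin for the finance group
}


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int
    groups: frozenset  # primary gid plus every posixGroup listing the user in memberUid


def resolve_identity(directory, username):
    """The page's lookups: (&(objectClass=posixAccount)(uid=U)) for uidNumber and
    gidNumber, then (&(objectClass=posixGroup)(memberUid=U)) for group membership.
    A user without RFC2307 attributes cannot be authorized at all (None)."""
    accounts = [e for e in directory
                if e["objectClass"] == "posixAccount" and e["uid"] == username]
    if not accounts:
        return None
    acct = accounts[0]
    extra = {e["gidNumber"] for e in directory
             if e["objectClass"] == "posixGroup" and username in e["memberUid"]}
    return Identity(acct["uidNumber"], acct["gidNumber"],
                    frozenset(extra | {acct["gidNumber"]}))


def mode_allows(identity, owner_uid, owner_gid, mode, want, root_squash=True):
    """Select the owner, group or other class of the mode bits and require every
    bit in `want`. uid 0 bypasses the check only when root is not squashed."""
    if identity.uid == 0:
        if not root_squash:
            return True
        identity = Identity(ANON_UID, ANON_GID, frozenset({ANON_GID}))
    if identity.uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in identity.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def can_access(fs, identity, path, want, root_squash=True):
    """Like an NFS lookup: search (X) on every ancestor, then `want` on the leaf."""
    path = posixpath.normpath(path)
    if path not in fs:
        return False
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for anc in ancestors:
        if anc != path and (anc not in fs or
                            not mode_allows(identity, *fs[anc], X, root_squash)):
            return False
    return mode_allows(identity, *fs[path], want, root_squash)


def create_folder(fs, identity, path, owner_uid, owner_gid, mode, root_squash=True):
    """Creating an entry needs write + search on the parent. Under the 755,
    uid-0-owned root directory that limits top-level layout to an identity that
    resolves to uid 0 on an export which does not squash root."""
    path = posixpath.normpath(path)
    parent = posixpath.dirname(path) or "/"
    if path in fs or not can_access(fs, identity, parent, W | X, root_squash):
        return False
    fs[path] = (owner_uid, owner_gid, mode)
    return True


if __name__ == "__main__":
    user1 = resolve_identity(DIRECTORY, "fss-user-1")
    admin = resolve_identity(DIRECTORY, "fss-admin")
    print("fss-user-1 ->", user1)
    print("user1 rwx on /finance :", can_access(FS, user1, "/finance", R | W | X))
    print("user1 mkdir /users    :", create_folder(FS, user1, "/users", 500, 500, 0o700))
    print("squashed admin mkdir  :", create_folder(FS, admin, "/users", 500, 500, 0o700))
    print("unsquashed admin mkdir:", create_folder(FS, admin, "/users", 500, 500, 0o700,
                                                   root_squash=False))
    print("user1 mkdir own folder:", create_folder(FS, user1, "/users/fss-user-1",
                                                   500, 500, 0o700))
```

Running the block shows the two points of the sections above: fss-user-1 reaches /finance only through the finance group's memberUid entry, and nobody can add a top-level folder under the 755 root directory until an identity resolving to uid 0 on an export that does not squash root has created /users owned by uid 500, after which the user can lay out their own subfolders.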