Considerations for Security

Consider security when using NFS exports, Unix permissions, and folder permissions from Microsoft Windows.

Considerations for Export

Consider the following security best practices for NFS Export settings:

  • Do not enable SYS authentication together with Kerberos authentication on the same export. Otherwise, users can mount the export without the Kerberos option and bypass Active Directory authentication. If SYS authentication is needed, create another export on the file system and allow only secure CIDR blocks or IP addresses to use SYS authentication.
  • Consider enabling root squash so that no client can get root access to the file system. If root access is required, create another export on the file system and allow only secure CIDR blocks or IP addresses for root access.
  • When anonymous access is enabled, all users that don’t exist in LDAP, or that lack RFC2307 attributes, get the anonymous uid and gid set in the export options. Disable anonymous access if this is not the desired behavior.
  • Squashing all users to a single uid and gid lets all Active Directory authenticated users access the file system with the same level of permissions. Use this option with caution.
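The following audit script is an added example, not part of the original documentation or of any product's API. It checks a set of export options against the four practices above. The field names (`source`, `allowed_auth`, `squash`, `anonymous_access`), the finding codes, and the rule that a source wider than /24 (IPv4) or /64 (IPv6) is not a "secure CIDR" are all assumptions made for illustration.

```python
import ipaddress

KERBEROS = {"KRB5", "KRB5I", "KRB5P"}

def is_broad(source, v4_prefix=24, v6_prefix=64):
    # Assumption: anything wider than /24 (IPv4) or /64 (IPv6) is not a "secure CIDR".
    net = ipaddress.ip_network(source, strict=False)
    return net.prefixlen < (v4_prefix if net.version == 4 else v6_prefix)

def audit_option(opt):
    """Return finding codes for one export option (hypothetical schema)."""
    # Assumption: an option that lists no auth types falls back to SYS.
    auth = {a.upper() for a in opt.get("allowed_auth", ["SYS"])}
    squash = opt.get("squash", "NONE").upper()
    broad = is_broad(opt["source"])
    findings = []
    if "SYS" in auth and auth & KERBEROS:
        findings.append("SYS_WITH_KERBEROS")   # clients can mount without the Kerberos option
    elif "SYS" in auth and broad:
        findings.append("SYS_BROAD_SOURCE")    # SYS-only export open to a wide range
    if squash == "NONE" and broad:
        findings.append("ROOT_BROAD_SOURCE")   # unsquashed root from a wide range
    if opt.get("anonymous_access", False):
        findings.append("ANONYMOUS_ACCESS")    # unmapped users get the anonymous uid/gid
    if squash == "ALL":
        findings.append("ALL_SQUASH")          # every user shares one uid/gid
    return findings

def audit_exports(exports):
    """Map (export path, source) to findings, omitting clean options."""
    report = {}
    for path, options in exports.items():
        for opt in options:
            findings = audit_option(opt)
            if findings:
                report[(path, opt["source"])] = findings
    return report

# Constructed sample configuration, for illustration only.
SAMPLE_EXPORTS = {
    "/fs1": [{"source": "0.0.0.0/0", "allowed_auth": ["SYS", "KRB5"], "squash": "NONE", "anonymous_access": True}],
    "/fs1-krb": [{"source": "10.0.0.0/16", "allowed_auth": ["KRB5P"], "squash": "ROOT", "anonymous_access": False}],
    "/fs1-admin": [{"source": "10.0.5.10/32", "allowed_auth": ["SYS"], "squash": "NONE", "anonymous_access": False}],
    "/fs1-shared": [{"source": "10.0.0.0/16", "allowed_auth": ["KRB5"], "squash": "ALL", "anonymous_access": False}],
}

if __name__ == "__main__":
    for key, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(key, findings)
```

The `/fs1-admin` entry shows the pattern the list recommends: a separate export that permits SYS authentication and root access only from a single trusted address, so it produces no findings.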