Plan Your Configuration

Determine how you want to configure Windows file sharing.

  1. Simple NFS access from Windows instances without authentication.
  2. Authenticate users without authorization.
  3. Authorize users without authentication.
  4. Authenticate and authorize users with Active Directory.

Required Infrastructure Components

Proper DNS and LDAP configuration is critical for the environment to function properly. Review the following prerequisites and infrastructure requirements for more information on how to configure the environment correctly.

  • Customer-managed DNS infrastructure. The mount target must be able to reach the DNS server on UDP and TCP port 53.
  • Customer-managed Active Directory infrastructure to support Kerberos authentication and LDAP authorization. The domain controllers hosting the LDAP service must have LDAPS enabled on port 636 with properly signed certificates; mount targets do not accept self-signed certificates.
  • A login account to the LDAP server (LDAP service hosted on Active Directory domain controller) that an OCI File Storage mount target can use to look up RFC2307-compliant user and group information.

Configure the Windows NFS Client with Active Directory

Enable Active Directory user integration on every workstation that uses an Oracle Cloud Infrastructure File Storage NFS share. This configuration step is only required when using mode 3 (authorize users without authentication).

Once Active Directory Lookup is enabled, the Windows NFS client uses the uidNumber and gidNumber attributes from Active Directory as the uid and gid of each user accessing OCI File Storage. The NFS client falls back to the AnonymousUid and AnonymousGid values from the Windows registry only when uidNumber and gidNumber are not present for the user.

  1. Enable Active Directory user integration from a PowerShell prompt on the NFS client.
    PS C:\Users\administrator> Set-NfsMappingStore -EnableADLookup $true
    PS C:\Users\administrator>
  2. Repeat Step 1 on each workstation that uses OCI File Storage NFS share.
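The following PowerShell script is an added example and is not part of the Oracle documentation. It applies step 1 to a constructed list of workstations over WinRM and reads the mapping store back on each host, so that a workstation left with AD lookup disabled (where every user would reach the share as AnonymousUid/AnonymousGid) is reported rather than silently missed. The host names are constructed; the property names `ADLookupEnabled` and `ADDomain` on the object returned by `Get-NfsMappingStore` are assumptions, which you can confirm with `Get-NfsMappingStore | Format-List *`.

```powershell
# Added example (not from the Oracle documentation): enable AD lookup on a list of
# workstations and verify the setting on each one.
# Assumes WinRM is reachable on every host and the caller is a local administrator there.
$Workstations = @("fss-client-1", "fss-client-2")   # constructed host names

$Report = Invoke-Command -ComputerName $Workstations -ScriptBlock {
    # Same command the documentation runs interactively on each client.
    Set-NfsMappingStore -EnableADLookup $true

    # Read the store back instead of trusting the Set call.
    # Property names below are assumed; check them with Get-NfsMappingStore | Format-List *
    $Store = Get-NfsMappingStore
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ADLookupEnabled = $Store.ADLookupEnabled
        ADDomain        = $Store.ADDomain
    }
}

$Report | Format-Table Computer, ADLookupEnabled, ADDomain -AutoSize

# Any host where the lookup is still off will map users to the anonymous identity.
$Report | Where-Object { -not $_.ADLookupEnabled } | ForEach-Object {
    Write-Warning "AD lookup is still disabled on $($_.Computer); users there map to AnonymousUid/AnonymousGid"
}
```

Run it from a management workstation with the NFS client tools installed; the warning list is what you would feed into a ticket or a configuration-drift check.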

Configure RFC2307 Attributes in Active Directory

The following RFC2307 attributes are required to integrate Oracle Cloud Infrastructure File Storage with Active Directory (AD), but they are not populated by default. You must populate these attributes when configuring for mode 3 (authorize users without authentication) and mode 4 (Authenticate and authorize users with Active Directory).

Object Type   Attribute     Value                                            Comment
-----------   ---------     -----                                            -------
User          objectClass   posixAccount                                     Add posixAccount as an additional object class
User          uidNumber     Unique numeric user id                           Unix user id representing the user
User          gidNumber     Numeric group id                                 Primary numeric group id for the user
User          uid           Name of the user                                 Although it is called uid, it is not the Unix id of the user. Unique username/sAMAccountName
Group         objectClass   posixGroup                                       Add posixGroup as an additional object class
Group         gidNumber     Unique numeric group id                          Unix group id representing the group
Group         memberUid     uid of each user who is a member of the group    Add each user name (uid) as a member of the group. See the uid attribute above

You can use Active Directory Users and Computers snap-in or the ADSIEdit tool to edit user attributes. This example uses the Active Directory Users and Computers snap-in.

  1. Open the Active Directory Users and Computers snap-in.
  2. Expand fs-ad.com, then select Users.
  3. Click View in the top navigation, then click Advanced Features.
  4. Select the user.
    In this example, the user is fss-user-1.
  5. Modify the attributes, as needed.
  6. Verify the attributes from PowerShell.
    PS C:\Users\administrator> $Filter = "(&(objectClass=posixAccount)(uid=fss-user-1))"
    >> $RootOU = "CN=Users,DC=fss-ad,DC=com"
    >> $Searcher = New-Object DirectoryServices.DirectorySearcher
    >> $Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
    >> $Searcher.Filter = $Filter
    >> $Searcher.SearchScope = "Subtree"
    >> $Results = $Searcher.FindAll()
    >> $R = foreach  ($line in $Results) {
    >>  $line_entry =  $line.GetDirectoryEntry()
    >>  $line_entry | Select-Object -Property uid, objectClass, uidNumber, gidNumber
    >> }
    >> $R
    
    uid          objectClass                                          uidNumber gidNumber
    ---          -----------                                          --------- ---------
    {fss-user-1} {top, posixAccount, person, organizationalPerson...} {901}     {500}
    
    
    PS C:\Users\administrator> $Filter = "(&(objectClass=posixGroup)(gidNumber=8001))"
    >> $RootOU = "CN=Users,DC=fss-ad,DC=com"
    >>
    >> $Searcher = New-Object DirectoryServices.DirectorySearcher
    >> $Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
    >> $Searcher.Filter = $Filter
    >> $Searcher.SearchScope = "Subtree"
    >> $Results = $Searcher.FindAll()
    >> $R = foreach  ($line in $Results) {
    >>  $line_entry =  $line.GetDirectoryEntry()
    >>  $line_entry | Select-Object -Property gidNumber, objectClass, memberUid
    >> }
    >> $R
    
    gidNumber objectClass              memberUid
    --------- -----------              ---------
    {fss-rw-group-1} {8001}    {top, posixGroup, group} {fss-user-2, fss-user-1}
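The two searches above check one user and one group at a time. The following PowerShell script is an added example, not part of the Oracle documentation, that audits the whole container with the same DirectorySearcher approach: it reports users missing uidNumber or gidNumber (who would fall back to the anonymous identity), duplicate uidNumber or gidNumber values (two accounts with one uidNumber are the same identity to NFS, so each can read the other's files), uid values that differ from sAMAccountName, primary gidNumbers that match no posixGroup, and memberUid entries that match no user. The domain `fss-ad.com` and the `CN=Users` container are taken from the page; the `Search-Directory` and `Get-Attr` helpers and the finding messages are constructed for this example.

```powershell
# Added example (not from the Oracle documentation): audit the RFC2307 attributes that the
# mount target consumes, before users mount the share.
# Assumption taken from the page: domain fss-ad.com, accounts and groups under CN=Users.
$RootOU = "CN=Users,DC=fss-ad,DC=com"

# Constructed helper: run one LDAP search and return the SearchResult collection.
function Search-Directory {
    param([string]$Filter, [string[]]$Properties)
    $Searcher = New-Object DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$RootOU")
    $Searcher.Filter      = $Filter
    $Searcher.SearchScope = "Subtree"
    $Searcher.PageSize    = 500   # page the results; otherwise the server caps a search at 1000 entries
    foreach ($p in $Properties) { [void]$Searcher.PropertiesToLoad.Add($p) }
    return $Searcher.FindAll()
}

# Constructed helper: SearchResult.Properties uses lower-case keys; return $null when unset.
function Get-Attr {
    param($Result, [string]$Name)
    $values = $Result.Properties[$Name.ToLower()]
    if ($values -and $values.Count -gt 0) { return $values[0] }
    return $null
}

$Users  = Search-Directory "(objectClass=posixAccount)" @("uid", "uidNumber", "gidNumber", "sAMAccountName")
$Groups = Search-Directory "(objectClass=posixGroup)"   @("cn", "gidNumber", "memberUid")

$Findings  = New-Object System.Collections.Generic.List[string]
$SeenUid   = @{}   # uidNumber -> first account seen with it
$KnownUids = @{}   # uid -> $true, used to validate memberUid
$GroupGids = @{}   # gidNumber -> group cn

foreach ($g in $Groups) {
    $cn  = Get-Attr $g "cn"
    $gid = Get-Attr $g "gidNumber"
    if ($null -eq $gid) { $Findings.Add("group $cn has no gidNumber"); continue }
    if ($GroupGids.ContainsKey($gid)) { $Findings.Add("gidNumber $gid is shared by $($GroupGids[$gid]) and $cn") }
    else { $GroupGids[$gid] = $cn }
}

foreach ($u in $Users) {
    $uid = Get-Attr $u "uid"
    $sam = Get-Attr $u "sAMAccountName"
    $uidNumber = Get-Attr $u "uidNumber"
    $gidNumber = Get-Attr $u "gidNumber"

    if ($null -eq $uid) { $Findings.Add("$sam has no uid, so it cannot be listed in any memberUid") }
    else {
        $KnownUids[$uid] = $true
        # The page defines uid as the unique username/sAMAccountName.
        if ($uid -ne $sam) { $Findings.Add("$sam has uid '$uid', which differs from its sAMAccountName") }
    }

    # Without uidNumber/gidNumber the client falls back to AnonymousUid/AnonymousGid, so the
    # user reaches the share as the anonymous identity instead of as themselves.
    if ($null -eq $uidNumber -or $null -eq $gidNumber) { $Findings.Add("$sam is missing uidNumber or gidNumber"); continue }

    # Two accounts with one uidNumber are indistinguishable to NFS.
    if ($SeenUid.ContainsKey($uidNumber)) { $Findings.Add("uidNumber $uidNumber is shared by $($SeenUid[$uidNumber]) and $sam") }
    else { $SeenUid[$uidNumber] = $sam }

    if (-not $GroupGids.ContainsKey($gidNumber)) { $Findings.Add("$sam has primary gidNumber $gidNumber, which matches no posixGroup") }
}

foreach ($g in $Groups) {
    $cn = Get-Attr $g "cn"
    foreach ($m in $g.Properties["memberuid"]) {
        if (-not $KnownUids.ContainsKey($m)) { $Findings.Add("group $cn lists memberUid '$m', which matches no posixAccount uid") }
    }
}

if ($Findings.Count -eq 0) { "RFC2307 attributes under $RootOU are consistent" }
else { $Findings | ForEach-Object { "FINDING: $_" } }
```

Run it as an account that can read the container; no write access is needed. Re-run it after every change to user or group attributes, since a uidNumber collision introduced later is not something the NFS client or the mount target will report on its own.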