Active Directory

Active Directory Authentication

By joining the VPSA to the Active Directory (AD), users can log in to the SMB shares with the same credentials that are stored in the AD.

Note

Microsoft Active Directory requires the following ports to be open for user and computer authentication:

  • Kerberos - 88(UDP/TCP)

  • Microsoft-DS - 445(UDP/TCP)

  • LDAP - 389(UDP/TCP)

  • RPC Endpoint mapper - 135(UDP/TCP)

  • RPC - Dynamically-assigned unless restricted, 49152-65535(TCP)

  • DNS - 53(UDP)
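The port list above is the usual cause of a failed join: a firewall between the VPSA front end and the domain controller blocks one of them. The following pre-join check is an added example, not Zadara VPSA code; it probes the TCP ports from the list on one domain controller and reports which are blocked. The probe is injectable so the reporting logic can be exercised without a live DC, and the hostname in the usage line is a placeholder. UDP services cannot be confirmed with a plain connect, so they are only listed for separate verification.

```python
"""Pre-join reachability check for the AD ports listed above.

Added example, not Zadara VPSA code. Run it from a host on the same network
as the VPSA front end to confirm a firewall is not blocking the domain
controller before attempting the join.
"""
import socket
from typing import Callable, Dict, List

# TCP ports from the documentation. The dynamic RPC range (49152-65535/tcp) is
# allocated on demand, so only the endpoint mapper (135) can be probed up front.
REQUIRED_TCP_PORTS: Dict[str, int] = {
    "Kerberos": 88,
    "Microsoft-DS": 445,
    "LDAP": 389,
    "RPC endpoint mapper": 135,
}

# UDP has no handshake, so a plain connect() cannot confirm these; they are
# listed so the report reminds the operator to verify them separately.
REQUIRED_UDP_PORTS: Dict[str, int] = {
    "Kerberos": 88,
    "Microsoft-DS": 445,
    "LDAP": 389,
    "RPC endpoint mapper": 135,
    "DNS": 53,
}

Probe = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, probe: Probe = tcp_connect) -> Dict[str, bool]:
    """Probe every required TCP port on the domain controller.

    `probe` is injectable so the logic can be exercised without a live DC.
    Returns {"<service> <port>/tcp": reachable}.
    """
    return {f"{name} {port}/tcp": probe(host, port)
            for name, port in REQUIRED_TCP_PORTS.items()}


def missing_ports(results: Dict[str, bool]) -> List[str]:
    """Labels of the TCP ports that did not answer; empty means ready to join."""
    return [label for label, reachable in results.items() if not reachable]


def report(host: str, probe: Probe = tcp_connect) -> str:
    """Human-readable summary for one domain controller."""
    results = check_dc_ports(host, probe)
    lines = [f"Domain controller {host}:"]
    for label, reachable in results.items():
        lines.append(f"  {label:28} {'open' if reachable else 'BLOCKED'}")
    blocked = missing_ports(results)
    lines.append("  ready to join" if not blocked
                 else f"  fix firewall for: {', '.join(blocked)}")
    lines.append("  UDP ports to verify separately: " +
                 ", ".join(f"{p}/udp" for p in sorted(set(REQUIRED_UDP_PORTS.values()))))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python check_dc_ports.py dc1.corp.example.com  (placeholder hostname)
    print(report(sys.argv[1] if len(sys.argv) > 1 else "dc1.corp.example.com"))
```

Run it once per domain controller listed under DNS IP; a BLOCKED line on 88 or 389 means Kerberos or LDAP traffic is filtered and the join will fail before credentials are even checked.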

Warning

Active Directory cannot be used while the VPSA is configured to use the LDAP service. The transition from LDAP to Active Directory based authentication should be handled carefully, as existing NAS permissions may be affected.

Joining the VPSA to Active Directory

To join the VPSA to a Microsoft Active Directory, go to VPSA GUI > NAS Access Control > Active Directory and click the Join button.

Enter the following information:

  1. Active Directory Server Name

  2. Domain Name

  3. Domain NetBIOS Name

  4. Administrator Name (of the AD Domain)

  5. Administrator Password (of the AD Domain)

  6. DNS IP - Up to three DNS server IPs, used for domain name resolution.

Advanced options:

  1. Active Directory UID Mapping - Use RFC2307 attributes: the UID/GID will be taken from the Active Directory attributes (uidNumber, gidNumber). If UID mapping is required, a valid ID range must be specified. If trusted domains are enabled, an ID range must be specified for each trusted domain after joining the Active Directory and completing trusted domain discovery.

  2. Allow trusted domains - allow users from a trusted domain to access SMB Volumes.

  3. DNS Lookup realms - Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host.

  4. DNS Lookup KDC - Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm. When disabled, the KDC server IP must be provided manually.

  • Click the Submit button, then press OK to confirm the warning message, which requests that you ensure proper permissions on files and folders created on the VPSA shares prior to joining the AD domain.
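The UID mapping option above carries two requirements that are easy to get wrong: each domain (the joined one and every trusted one) needs its own ID range, and a user's uidNumber/gidNumber must fall inside the range of the domain it belongs to. The following checker is an added example, not Zadara VPSA code. How the VPSA stores ranges internally is not documented on this page, so the range table, the domain names and the directory entries are all constructed for the example.

```python
"""RFC2307 UID/GID mapping checks for the Active Directory UID Mapping option.

Added example, not Zadara VPSA code. Validates a per-domain ID range table and
maps a directory entry's uidNumber/gidNumber, rejecting IDs outside the range
of the user's domain. Range format and sample entries are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IdRange:
    low: int
    high: int

    def contains(self, value: int) -> bool:
        return self.low <= value <= self.high

    def overlaps(self, other: "IdRange") -> bool:
        return self.low <= other.high and other.low <= self.high


def validate_ranges(ranges: Dict[str, IdRange]) -> List[str]:
    """Return problems with a per-domain range table; an empty list means it is consistent.

    Overlapping ranges are the classic mistake: two domains would then hand out
    the same numeric UID to different users, and file ownership on the shares
    becomes ambiguous.
    """
    problems: List[str] = []
    domains = list(ranges.items())
    for name, rng in domains:
        if rng.low < 1 or rng.high < rng.low:
            problems.append(f"{name}: invalid range {rng.low}-{rng.high}")
    for i, (a_name, a) in enumerate(domains):
        for b_name, b in domains[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} and {b_name}: ranges overlap")
    return problems


def map_user(entry: Dict[str, str], domain: str,
             ranges: Dict[str, IdRange]) -> Tuple[int, int]:
    """Take uidNumber/gidNumber from RFC2307 attributes and enforce the domain's range.

    Raises KeyError when the domain has no range or the entry lacks the
    attributes (such a user cannot be mapped), and ValueError when the IDs sit
    outside the configured range.
    """
    rng = ranges[domain]
    uid = int(entry["uidNumber"])
    gid = int(entry["gidNumber"])
    for label, value in (("uidNumber", uid), ("gidNumber", gid)):
        if not rng.contains(value):
            raise ValueError(
                f"{entry.get('sAMAccountName', '?')}@{domain}: {label}={value} "
                f"outside range {rng.low}-{rng.high}")
    return uid, gid


# Constructed configuration: the joined domain plus one trusted domain.
RANGES: Dict[str, IdRange] = {
    "CORP": IdRange(10000, 19999),
    "PARTNER": IdRange(20000, 29999),
}

# Constructed directory entries (not real accounts).
ALICE = {"sAMAccountName": "alice", "uidNumber": "10001", "gidNumber": "10001"}
BOB = {"sAMAccountName": "bob", "uidNumber": "30500", "gidNumber": "30500"}
CAROL = {"sAMAccountName": "carol"}  # no RFC2307 attributes populated

if __name__ == "__main__":
    print("range problems:", validate_ranges(RANGES) or "none")
    print("alice ->", map_user(ALICE, "CORP", RANGES))
    for entry in (BOB, CAROL):
        try:
            print(entry["sAMAccountName"], "->", map_user(entry, "CORP", RANGES))
        except (KeyError, ValueError) as exc:
            print(entry["sAMAccountName"], "-> not mapped:", exc)
```

Users like bob (ID outside the range) and carol (attributes never populated) are the ones that show up as permission failures on the shares after a join, so checking the directory data against the planned ranges before enabling the option saves a round of troubleshooting.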

Note

Joining the VPSA to the Active Directory may fail if the clocks of the VPSA and the Active Directory Domain Controller differ by more than a few minutes. Sync the time and try again. Different time zones are not an issue.

Note

As of version 22.06-SP1, to avoid access issues, the existing scheduled connectivity check (once every 10 minutes) is supplemented as follows: when a DC connectivity issue is detected, the system retries to establish connectivity at 1 minute intervals. After 10 attempts the VPSA AD service is automatically restarted, and if connectivity is still not restored, the VPSA administrator is notified.

Modifying an existing Active Directory connection

On an existing Active Directory connection, the following parameters can be modified:

  • DNS IP - Up to three DNS server IPs, used for domain name resolution.

Advanced options:

  • DNS Lookup realms - Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host.

  • DNS Lookup KDC - Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm. When disabled, the KDC server IP must be provided manually.

    Warning

    While a VPSA maintains an SMB connection, changing this setting might impact new authentication requests.

    If you are considering this type of transition, contact the Zadara support team for additional information.
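The two DNS lookup options (here and in the join dialog) decide whether the VPSA learns the Kerberos realm and the KDC list from DNS or from manual configuration. The following example is added here and is not Zadara VPSA code. It follows the MIT Kerberos conventions, which Samba also uses: realm lookup reads the TXT record `_kerberos.<hostname>` (walking up parent domains) and KDC lookup reads the SRV records `_kerberos._tcp.<realm>` / `_kerberos._udp.<realm>`, ordered by priority and weight as RFC 2782 prescribes. Whether the VPSA issues exactly these queries is an assumption; the zone data is constructed, and a real client would query DNS instead of a dictionary.

```python
"""What the DNS Lookup realms / DNS Lookup KDC options resolve.

Added example, not Zadara VPSA code. Models the MIT Kerberos DNS conventions:
dns_lookup_realm reads TXT `_kerberos.<hostname>` (then parent domains) and
dns_lookup_kdc reads SRV `_kerberos._tcp.<realm>`, ordered per RFC 2782.
Zone contents below are constructed; lookups are dictionary reads.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone for realm CORP.EXAMPLE.COM: two primary KDCs and one backup.
ZONE_TXT: Dict[str, List[str]] = {
    "_kerberos.corp.example.com": ["CORP.EXAMPLE.COM"],
}
ZONE_SRV: Dict[str, List[SrvRecord]] = {
    "_kerberos._tcp.corp.example.com": [
        SrvRecord(0, 100, 88, "dc1.corp.example.com"),
        SrvRecord(0, 50, 88, "dc2.corp.example.com"),
        SrvRecord(10, 0, 88, "dc-backup.corp.example.com"),
    ],
}

TxtLookup = Callable[[str], List[str]]
SrvLookup = Callable[[str], List[SrvRecord]]


def realm_txt_names(hostname: str) -> List[str]:
    """TXT names tried for a host, most specific first."""
    labels = hostname.rstrip(".").lower().split(".")
    return [f"_kerberos.{'.'.join(labels[i:])}" for i in range(len(labels))]


def kdc_srv_name(realm: str, proto: str = "tcp") -> str:
    """SRV name advertising the KDCs of a realm (DNS names are case-insensitive)."""
    return f"_kerberos._{proto}.{realm.lower()}"


def resolve_realm(hostname: str, txt_lookup: TxtLookup) -> Optional[str]:
    """dns_lookup_realm: first TXT answer wins, walking from host to parent domains."""
    for name in realm_txt_names(hostname):
        answers = txt_lookup(name)
        if answers:
            return answers[0]
    return None


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 client ordering: ascending priority, weighted random within a priority."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                threshold = rng.randint(0, total - 1)
                running = 0
                for candidate in pool:
                    running += candidate.weight
                    if threshold < running:
                        pick = candidate
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_kdcs(realm: str, srv_lookup: SrvLookup, proto: str = "tcp",
                rng: Optional[random.Random] = None) -> List[str]:
    """dns_lookup_kdc: the host:port list a client would try, in order."""
    records = srv_lookup(kdc_srv_name(realm, proto))
    return [f"{r.target}:{r.port}" for r in order_srv(records, rng or random.Random())]


if __name__ == "__main__":
    txt = lambda name: ZONE_TXT.get(name, [])
    srv = lambda name: ZONE_SRV.get(name, [])
    realm = resolve_realm("nas01.corp.example.com", txt)
    print("realm:", realm)
    print("KDCs :", locate_kdcs(realm, srv, rng=random.Random(1)))
```

The practical consequence for the warning above: with the lookups enabled, the KDC set follows whatever the DNS servers under DNS IP publish, so a DNS change can silently redirect new authentication requests; with them disabled, the manually entered KDC IP is the only one ever tried.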

Changing Active Directory DNS

You can update the DNS servers associated with your Active Directory without leaving the domain. To update the DNS servers, go to VPSA GUI > NAS Access Control > Active Directory, select the domain you want to change and click the Configure button. Edit the DNS server IP address(es).

Leaving an Active Directory

To leave the Active Directory, go to VPSA GUI > NAS Access Control > Active Directory, select the domain you want to leave and click the Leave button (the Join and Leave buttons toggle depending on the current status).

Enter the Domain Administrator’s Name and Password and press Submit.

Press OK to confirm the warning message, which requests that you ensure proper permissions on files and folders created using AD before leaving it.

Sometimes there is a need to temporarily leave the Active Directory and re-join the domain at a later time. In this case, check the Keep Configuration option. The domain's details will be kept for future use.