CIFS authentication with AD

Requirements

  • The following AD controller ports must be accessible from the share network:

    • 53 tcp+udp (DNS)
    • 88 tcp+udp (Kerberos)
    • 123 udp (NTP)
    • 389, 636 tcp+udp (LDAP)
    • 137, 138 udp (NetBIOS)
    • 139 tcp (NetBIOS)
    • 445 tcp+udp (SMB)
  • An NTP server enabled on the AD controller

  • An AD domain user account with the privilege to add computers to the domain

Create AD security service

First, a security service that defines the domain has to be created:

  1. Click on Shares (Project | Compute | Shares) in the left menu.
  2. Switch to the Security Services tab.
  3. Press the Create Security Service button in the right top corner.
  4. Fill in the following fields:
     • name,
     • IP address of the domain DNS server (usually an AD controller),
     • AD controller IP address or hostname,
     • DNS domain name (e.g. test.company.local),
     • user credentials of a domain user with the privilege to add computers to the domain,
     • type selector, which has to be set to “Active directory”.


Note

Only domains whose NetBIOS name (short, in uppercase) is the same as the first part of the DNS domain name are supported, e.g. test.company.local (DNS name) and TEST (NetBIOS name).
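A pre-flight check for the Requirements list and the note above, as an added example that is not part of the original documentation. The function names and the sample address and domain are assumptions made for illustration; only the TCP ports are probed, because the UDP-only entries cannot be confirmed with a plain connect.

```python
import socket

# TCP ports from the Requirements list above. The UDP-only entries
# (123 NTP, 137/138 NetBIOS) cannot be verified with a plain connect.
REQUIRED_TCP = {53: "DNS", 88: "Kerberos", 139: "NetBIOS",
                389: "LDAP", 445: "SMB", 636: "LDAP"}


def expected_netbios(dns_domain):
    """NetBIOS name the note requires: first DNS label, uppercased."""
    return dns_domain.strip().rstrip(".").split(".")[0].upper()


def netbios_matches(dns_domain, netbios_name):
    """True when the domain satisfies the naming constraint in the note."""
    return bool(netbios_name) and netbios_name == expected_netbios(dns_domain)


def unreachable_tcp(host, ports=REQUIRED_TCP, timeout=2.0):
    """Return the sorted list of ports on host that refuse or time out."""
    failed = []
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            failed.append(port)
    return failed


def preflight(controller, dns_domain, netbios_name):
    """Collect human-readable problems; an empty list means ready."""
    problems = []
    if not netbios_matches(dns_domain, netbios_name):
        problems.append("NetBIOS name %r != %r expected from %s" % (
            netbios_name, expected_netbios(dns_domain), dns_domain))
    for port in unreachable_tcp(controller):
        problems.append("tcp/%d (%s) unreachable on %s" % (
            port, REQUIRED_TCP[port], controller))
    return problems


if __name__ == "__main__":
    # Constructed sample values: documentation address, example domain.
    for line in preflight("192.0.2.10", "test.company.local", "TEST"):
        print(line)
```

Run it from a host on the share network, since that is the network the service instance will connect from.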

Assign Security service to the Share network

  1. Create a share network in the share network tab.
  2. In the share network list, click Edit share network next to the created share network.
  3. Switch to the Security services within share network tab in the dialog.
  4. Add the previously created security service to the Selected security services section.

Note

Although the UI allows you to assign multiple security services to one share network, such a combination is not supported and leads to an error state. The assignment also has to be done before any share is created on the share network.


Create test share

The connection between the service instance (Manila VM) and AD is established when the first share is created, so it is necessary to create one after the setup.

  1. Create a CIFS share attached to the share network with the previously created security service.
  2. If the connection fails, consult the logs for errors. Otherwise the setup has been successful and you can proceed to the next section.

Assign access rules for share

  1. In the Share overview list click on the Access Rules button next to the created share.
  2. Click on the Add rule button in top right corner.
  3. Fill in the dialog:
     • type = user,
     • access level (rw/ro),
     • usernames (or groups prefixed by @, e.g. @admins) separated by commas.


Last modified: Nov. 7, 2017