Accessible AD controller ports from share network:
53 tcp + udp (DNS)
88 tcp+udp (Kerberos)
123 udp (NTP)
389,636 tcp+udp (LDAP)
138,137 udp (NetBIOS)
139 tcp (NetBIOS)
445 tcp+udp (SMB)
NTP server enabled on AD controller
AD domain user account with add computer to the domain privilege
Create AD security service
At first security service defining the domain has to be created:
Click on Shares (Project | Compute | Shares) in the left menu.
Switch to the Security Services tab.
Press the Create Security Service button in the right top corner.
Fill in following field:
IP address of domain DNS server (usually a AD controller),
AD controller IP address or hostname,
DNS domain name (e. g. test.company.local)
user credentials of domain user with add computer to the domain privilege
type selector has to be set to “Active directory”.
Only domains with same NetBIOS name (short, in uppercase) and first part of DNS domain name are supported - e.g. test.company.local (DNS name) and TEST (NetBIOS name).
Assign Security service to the Share network
Create a share network in share network tab.
In the share network list click Edit share network next to the created share network.
Switch to Security services within share network tab in the dialog.
Add the previously created security service to the Selected security services section.
Despite the fact that UI allows you to assign multiple security services to one share network, such combination is not supported and leads to error state. The assignment also has to be done before creating any share on the share network.
Create test share
The connection between service instance (Manila VM) and AD is established upon creating a first share so it is necessary to create one after setup.
Create a CIFS share attached to the share network with previously created security service.
If the connection fails consult the logs for errors. Otherwise the setup has been successful and proceed to next section.
Assign access rules for share
In the Share overview list click on the Access Rules button next to the created share.
Click on the Add rule button in top right corner.
Fill in the dialog:
type = user,
access level (rw/ro)
usernames (or groups prefixed by @ - e.g. @admins) separated by commas.