With the release of Kerberos and the Lightweight Directory Access Protocol (LDAP) features for Oracle Cloud Infrastructure (OCI) File Storage, Windows users can now be authenticated and authorized using Active Directory. You can learn more about File Storage Kerberos and LDAP features in the first part of the blog series, Authentication and Authorization for OCI File Storage with Kerberos and LDAP.
This blog post focuses on providing more details about the File Storage service integration with Active Directory and its detailed configuration steps through the File Storage Service and Active Directory solution playbook in Architecture Center.
The Windows environment offers the following benefits:
- File Storage access from Windows, universal access across Linux and Windows, and permissions based on Unix, such as user ID and group ID
- User authentication with Active Directory
- Avoid reexporting File Storage through Samba on a Compute instance for Windows access
- Use Active Directory and LDAP for centralized user management
- Enable in-transit encryption with Kerberos
Background
Applications running on Windows servers often need to access shared storage concurrently to support high availability and distributed processing architectures. Windows users also need shared storage to collaborate with other users. In some cases, sharing data between Linux and Windows systems is also necessary.
Windows and Linux need to use the network file system (NFS) protocol because it’s the only file sharing protocol available in File Storage today. Customers have been using one of two workarounds to enable Active Directory authentication for Windows users with File Storage: reexport the File Storage file system using Samba on another Compute instance, or build a separate infrastructure for Windows file sharing.
Windows operating systems starting from Windows 7 and Windows Server 2008 have NFS support, with the NFS client enabled by default in later versions.
Modes of operation
You can configure Windows file sharing with File Storage in one of the following ways:
- Simple NFS access from Windows instances without authentication: Mount File Storage from Windows instances without any extra configuration on the mount target. Windows users and applications access File Storage with a preconfigured user ID and group ID stored in the Windows registry.
- Authenticate users without authorization: Configure Kerberos to authenticate users using Active Directory. All authenticated users are then mapped to a single user ID and group ID using user squashing on the File Storage export. This user ID and group ID authorize access to files and folders in File Storage. This mode of operation simplifies the configuration if only in-transit encryption is required.
- Authorize users without authentication: Integrate the Windows NFS client with Active Directory and use the uidNumber and gidNumber user attributes configured in Active Directory. LDAP configuration on the mount target isn’t mandatory for this mode of operation. However, if authorization must also consider the user’s additional group memberships, LDAP configuration on the mount target is required.
- Authenticate and authorize users with Active Directory: Configure both Kerberos and LDAP on the mount target to achieve both authentication and authorization. As with the other modes, permission checks and authorization are based on Unix permissions.
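The following PowerShell script is an added example showing the Windows-side configuration behind these modes; it is not code from the blog post or from the Architecture Center playbook. The mount target name, export path, drive letter, and domain name are placeholders (assumptions), and the Kerberos prerequisites on the OCI side (domain join, mount target Kerberos and LDAP settings, user squashing on the export) are assumed to be done as the playbook describes. It uses only the built-in Client for NFS registry values, the NFS PowerShell cmdlets, and the Windows mount command.

```powershell
# Added example, not part of the original post or the playbook.
# The four values below are assumptions; replace them for your environment.
$MountTarget = "mt.example.internal"   # hypothetical DNS name of the File Storage mount target
$ExportPath  = "/fs-export"            # hypothetical export path on that mount target
$Drive       = "Z:"
$AdDomain    = "corp.example.com"      # hypothetical Active Directory domain

# Install the NFS client on Windows Server. On desktop editions use:
#   Enable-WindowsOptionalFeature -Online -FeatureName ServicesForNFS-ClientOnly
Install-WindowsFeature -Name NFS-Client

# Mode 1 (simple access, no authentication): every request carries a fixed
# UID/GID read from the registry at client start-up.
function Set-NfsAnonymousIdentity {
    param([int]$Uid, [int]$Gid)
    $key = 'HKLM:\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default'
    New-ItemProperty -Path $key -Name AnonymousUid -PropertyType DWord -Value $Uid -Force | Out-Null
    New-ItemProperty -Path $key -Name AnonymousGid -PropertyType DWord -Value $Gid -Force | Out-Null
    # The client only reads these values when it starts, so restart it.
    nfsadmin client stop
    nfsadmin client start
}

# Modes 3 and 4 (authorization from Active Directory): have the client resolve
# uidNumber/gidNumber from the user's AD object instead of the fixed values.
function Enable-NfsAdIdentityMapping {
    param([string]$Domain)
    Set-NfsMappingStore -EnableADLookup $true -ADDomainName $Domain
}

# Check the mapping before relying on it: the UID/GID returned here is what
# the export's Unix permissions are evaluated against for that user.
function Test-NfsIdentityMapping {
    param([string]$SamAccountName)
    Get-NfsMappedIdentity -AccountName $SamAccountName -AccountType User
}

# Mount the export. sec=krb5p gives Kerberos authentication plus in-transit
# encryption (modes 2 and 4); sec=sys sends the UID/GID without authentication
# (modes 1 and 3). krb5 and krb5i authenticate without encrypting the payload.
function Mount-FssExport {
    param([ValidateSet('sys', 'krb5', 'krb5i', 'krb5p')][string]$Sec = 'krb5p')
    mount -o sec=$Sec,mtype=hard "${MountTarget}:${ExportPath}" $Drive
}

# Example sequence for mode 4 (authenticate and authorize with Active Directory):
Enable-NfsAdIdentityMapping -Domain $AdDomain
Test-NfsIdentityMapping -SamAccountName 'jdoe'   # hypothetical account name
Mount-FssExport -Sec 'krb5p'

# Example sequence for mode 1 would instead be:
#   Set-NfsAnonymousIdentity -Uid 1001 -Gid 1001   # constructed sample IDs
#   Mount-FssExport -Sec 'sys'
```

Run Test-NfsIdentityMapping before mounting in modes 3 and 4: if it returns no uidNumber for the account, the client falls back to the anonymous identity and permission checks on the export will not behave as intended.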
Configuring OCI File Storage for Windows Active Directory users
For detailed configuration steps, refer to the File Storage Service and Active Directory solution playbook in the Architecture Center. Accessing NFS from Windows has the following limitations:
- NFS isn’t the default or native file sharing protocol in Windows. Performance observed from individual instances might be slower compared to Server Message Block (SMB). Any difference stems from the NFS client and doesn’t reflect the performance offered by File Storage itself.
- Restricted to Unix permissions, with no access control list (ACL) support
- Limited international character support, with no Unicode. For the character sets that are supported, see the mount command.
Conclusion
Like Linux systems, Windows systems can access File Storage using NFS and have strong user authentication from Active Directory with Kerberos. File Storage can also integrate with Active Directory through LDAP to provide authorization based on Unix permissions. This integration enables file sharing across Linux and Windows platforms. Optionally, you can use in-transit encryption between Windows systems and File Storage service with Kerberos.
Try exploring File Storage and all the enterprise-grade capabilities that Oracle Cloud Infrastructure File Storage offers. Provide your feedback on how we can continue to improve. More feature updates are on the horizon for our cloud storage platform.
