To provide more than 16 groups, NFSv3 uses Active Directory as an LDAP server for the extended groups feature. Kerberized NFSv4.1 uses Active Directory as an LDAP and Kerberos server.
Make sure that you've configured the Active Directory connection settings. A machine account is created in the organizational unit that is specified in the Active Directory connection settings. The settings are used by the LDAP client to authenticate with your Active Directory.
LDAP support is available for the CVS-Performance service type.
You can enable the LDAP with extended groups feature only during volume creation. You can't enable or disable this feature after you have created a volume.
LDAP with extended groups is supported only with Active Directory. OpenLDAP and other third-party LDAP directory services aren't supported.
LDAP signing is supported and enabled if requested by your Active Directory domain controller.
The following table describes the time to live (TTL) settings for the LDAP cache. You must wait until the cache is refreshed before trying to access a file or directory through the client. Otherwise, an access denied or permission denied message appears on the client. After the TTL timeout period, entries age out so that stale entries don't linger. To help avoid performance issues because of LDAP queries for objects that might not exist, the negative TTL value is where a failed lookup resides.
| Cache | Default timeout |
|---|---|
| Group membership list | 24-hour TTL |
| Unix groups | 24-hour TTL, 1-minute negative TTL |
| Unix users | 24-hour TTL, 1-minute negative TTL |
In the Google Cloud console, go to Cloud Volumes.
Select Active Directory connections, and then click Create.
In the Create Active Directory Connection dialog, enter the information indicated in the following table.
Required fields are marked with an asterisk (*). This table only shows fields relevant to Network File System (NFS).
Field Description CVS CVS-Performance Username*
Password*Credentials for the Active Directory account with permissions to create the computer account within the specified organizational unit. For details, see permissions needed to create Active Directory machine accounts. Connection type* Specifies whether an Active Directory connection can be used for volumes of the CVS service type or volumes of the CVS-Performance service type.
You can mark existing Active Directory connections with the Active Directory connection type to avoid problems when creating new volumes or editing parameters of that Active Directory connection. Specifying the wrong connection type for an existing Active Directory connection can cause problems with creating new volumes or editing parameters of that Active Directory connection.
Domain* Fully qualified domain name for the Active Directory domain. Site Name of an Active Directory site. Limits discovery of Active Directory domain controllers. Use when multiple Active Directory connections in different regions are configured. DNS Servers* IP addresses for DNS servers (3 maximum) that are used for DNS-based domain controller discovery. The CVS-Performance service type checks all IP addresses listed. The CVS service type uses the first IP address listed.
NetBIOS* Name of the created Active Directory machine account. A 5-character random ID is generated automatically–for example, -6f9a).Organizational Unit LDAP path for the organizational unit where the computer account is created. Enable AES Encryption for Active Directory authentication Enables AES-128 and AES-256 encryption for Kerberos-based communication with Active Directory. Always enabled Kerberos Realm (Only required if using Kerberos.) Used with NFSv4.1 Kerberos volumes to create the service principal name machine account. Active Directory Server Name and Key Distribution Center IP can be the same server. Region* Associates the Active Directory connection that you're creating with a single region. Allow local NFS users with LDAP Provides occasional and temporary access to local users. When this option is enabled, user authentication and lookup from the LDAP server stop working. This option also limits the number of group memberships that CVS supports to 16.
Keep this option disabled on Active Directory connections, except for the occasion when a local user needs to access LDAP-enabled volumes. In that case, you should disable this option as soon as local user access is no longer required for the volume.
Click Save.