Set up Active Directory for NFS

Last reviewed 2022-01-24 UTC

To provide more than 16 groups, NFSv3 uses Active Directory (AD) as an LDAP server for the extended groups feature. Kerberized NFSv4.1 uses AD as an LDAP and Kerberos server.

Make sure that you've configured the AD connection settings. A machine account is created in the organizational unit (OU) that is specified in the AD connection settings. The settings are used by the LDAP client to authenticate with your AD.

  • LDAP support is available for the CVS-Performance service type.
  • You can enable the LDAP with extended groups feature only during volume creation. You can't enable or disable this feature after you have created a volume.
  • LDAP with extended groups is supported only with Active Directory. OpenLDAP and other third-party LDAP directory services aren't supported.
  • LDAP signing is supported and enabled if requested by your AD domain controller.

The following table describes the time to live (TTL) settings for the LDAP cache. You must wait until the cache is refreshed before trying to access a file or directory through the client. Otherwise, an access denied or permission denied message appears on the client. After the TTL timeout period, entries age out so that stale entries don't linger. To help avoid performance issues because of LDAP queries for objects that might not exist, the negative TTL value is where a failed lookup resides.

Cache Default timeout
Group membership list 24-hour TTL
Unix groups 24-hour TTL, 1-minute negative TTL
Unix users 24-hour TTL, 1-minute negative TTL
  1. In the Google Cloud console, go to Cloud Volumes.

    Go to the Cloud Volumes page

  2. Select Active Directory connections, and then click Create.

  3. In the Create Active Directory Connection dialog, enter the information indicated in the following table.

    Required fields are marked with an asterisk (*). This table only shows fields relevant to NFS.

    Field Description CVS CVS-Performance
    Credentials for the AD account with permissions to create the computer account within the specified organizational unit. For details, see permissions needed to create Active Directory machine accounts.
    Connection type*

    Specifies whether an AD connection can be used for volumes of the CVS service type or volumes of the CVS-Performance service type.

    You can mark existing AD connections with the AD connection type to avoid problems when creating new volumes or editing parameters of that AD connection. Specifying the wrong connection type for an existing AD connection can cause problems with creating new volumes or editing parameters of that AD connection.

    Domain* Fully qualified domain name for the AD domain.
    Site Name of an AD site. Limits discovery of AD domain controllers. Use when multiple AD connections in different regions are configured.
    DNS Servers*

    IP addresses for DNS servers (3 maximum) that are used for DNS-based domain controller discovery. The CVS-Performance service type checks all IP addresses listed. The CVS service type uses the first IP address listed.

    NetBIOS* Name of the created AD machine account. A 5-character random ID is generated automatically–for example, -6f9a).
    Organizational Unit LDAP path for the organizational unit where the computer account is created.
    Enable AES Encryption for AD authentication Enables AES-128 and AES-256 encryption for Kerberos-based communication with Active Directory. Always enabled
    Kerberos Realm (Only required if using Kerberos.) Used with NFSv4.1 Kerberos volumes to create the service principal name machine account. AD Server Name and Key Distribution Center IP can be the same server.
    Region* Associates the AD connection that you're creating with a single region.
    Allow local NFS users with LDAP

    Provides occasional and temporary access to local users. When this option is enabled, user authentication and lookup from the LDAP server stop working. This option also limits the number of group memberships that CVS supports to 16.

    Keep this option disabled on AD connections, except for the occasion when a local user needs to access LDAP-enabled volumes. In that case, you should disable this option as soon as local user access is no longer required for the volume.

  4. Click Save.