Active Directory (AD) server authentication
This functionality is available in User Management > Share users/groups > Authorization protocols.
To configure a connection to the existing Active Directory server:
- Navigate to the User Management section in the left menu.
- Go to the Share users/groups tab.
- Find the Active Directory (AD) server authentication block.
- Enable the Enable protocol option.
AD server authentication status
- Connection - shows whether you are connected to an AD server or not.
- Users/groups list - shows when the lists of users and groups were last synchronized or if the synchronization is taking place at the moment.
Users and groups are synchronized with an Active Directory server every 2 hours. Synchronization can also be started manually by using the Synchronize button.
AD server authentication settings
To connect to the existing AD server, fill in the following fields with credentials provided by the AD server administrator and click the Apply button.
- Realm
- Administrator name
- Password
NOTE: The password cannot contain:
- special characters such as ' " ` ^ & $ # ~ [ ] \ / | * : ? < >
- spaces
- fewer than 12 or more than 16 characters
- Organizational Unit (OU) - a direct path to the container where the Computer Organizational Unit is placed. The path must be entered starting from the primary container name within the domain structure. The container name set by default is Computers. If another container name is used instead, then Computers must be changed to the appropriate name. If the path to the container is nested, use a slash as the connector. In the screenshot below, the OU is in the Computers container that is nested in AllComputers > Marketing. In this example, the path to the OU is: AllComputers/Marketing/Computers

NOTE: The container name cannot contain:
- special characters such as , + " \ < > ; = / #
- spaces
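A small pre-flight check for the two notes above, written as an added example (it is not part of this documentation or of the product). It encodes only the rules stated on this page: the listed forbidden characters (the page says "such as", so the sets are taken from the page and may not be exhaustive), no spaces, the 12 to 16 character password length, and slash-separated OU paths such as AllComputers/Marketing/Computers.

```python
# Added example: validate AD credentials and an OU path against the rules
# stated in the notes above, before pasting them into the settings form.

# Forbidden character sets copied from the page (assumption: the page's list
# is the complete set; the page words it as "such as").
PASSWORD_FORBIDDEN = set("'\"`^&$#~[]\\/|*:?<>")
CONTAINER_FORBIDDEN = set(',+"\\<>;=/#')
PASSWORD_MIN, PASSWORD_MAX = 12, 16   # length limits stated on the page


def password_problems(password: str) -> list:
    """Return a list of rule violations for the AD administrator password.

    An empty list means the password satisfies every rule on the page.
    """
    problems = []
    bad = sorted(ch for ch in set(password) if ch in PASSWORD_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if any(ch.isspace() for ch in password):
        problems.append("contains whitespace")
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append(
            f"length {len(password)} not in {PASSWORD_MIN}..{PASSWORD_MAX}"
        )
    return problems


def ou_path_problems(path: str) -> list:
    """Check every container name in a slash-separated OU path.

    The slash is the connector between nested containers, so it is split
    out first; each remaining segment is checked against the container rules.
    """
    if not path:
        return ["empty path"]
    problems = []
    for idx, name in enumerate(path.split("/")):
        if not name:
            problems.append(f"segment {idx} is empty (double or trailing slash)")
            continue
        bad = sorted(ch for ch in set(name) if ch in CONTAINER_FORBIDDEN)
        if bad:
            problems.append(f"segment {name!r}: forbidden characters " + " ".join(bad))
        if any(ch.isspace() for ch in name):
            problems.append(f"segment {name!r}: contains whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Abcdef123456", "short", "Abc$def 1234567"):
        print(repr(pw), password_problems(pw) or "OK")
    for ou in ("AllComputers/Marketing/Computers", "Sales,EU/Computers", "Sales//Computers"):
        print(repr(ou), ou_path_problems(ou) or "OK")
```

Run it before clicking Apply; a non-empty list names the rule that the form would otherwise reject.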
The following reasons might prevent you from connecting to Active Directory:
- Time difference between this server and the Active Directory server - if the clocks differ by more than 5 minutes, the connection is not possible.
- The method of authenticating trusted domains - the authentication has to be set to two-way trust. Otherwise, it is not possible to read users and groups from trusted domains.
- DNS configuration - for an Active Directory domain, a round-robin mechanism in DNS cannot be used. This is because only one IP address is authorized; as soon as DNS returns a different IP address, the connection is not possible.
- The server name is the same as the name of an existing Computer Organizational Unit (OU) object in the Active Directory (AD) server. If an object with the same name exists and the user that you use to log in to the AD server does not have permission to access this object, the connection will fail. The solution is to delete the existing computer object from the AD server. The following steps explain how to delete it:
- Log on to the Domain Controller with the domain administrator account. Press Windows Logo + R, enter "dsa.msc" and press Enter.
- In the "Active Directory Users and Computers" window, select the domain container in which the OU you are looking for is located.
- Select the computer object and delete it.
- Note: By default, any created Organizational Unit is protected from accidental deletion. To delete the OU, you need to clear the "Protect object from accidental deletion" checkbox, which you can find in the object properties on the "Object" tab. By deleting the OU, you also delete all nested objects that it contains.
Users and user groups management
Management mode:
- Scan single domain (default) - Using this function allows the user to obtain users and groups from the main domain only.
- Scan all trusted domains - Using this function allows the user to obtain users and groups from the main and trusted domains.
ID mapping backend:
- rid + tdb (default) - This option uses the rid backend for ID mapping of AD users. The UID/GID range has to be entered manually. The tdb backend is used when no other configuration is set. Recommended for large databases. Samba Wiki link for the rid backend: https://wiki.samba.org/index.php/Idmap_config_rid
- ad (with RFC2307 schema) + tdb - Allows reading ID mappings from an AD server, provided that the uidNumber attributes for users and gidNumber attributes for groups were added in advance in the AD. This backend requires additional configuration of uidNumber and gidNumber on the AD server side. The tdb backend is used when no other configuration is set. Samba Wiki link for the ad backend: https://wiki.samba.org/index.php/Idmap_config_ad
- autorid - Automatically configures the range to be used for each domain. The only configuration needed is the range of UID/GIDs used for user/group mappings and the number of IDs per domain. Samba Wiki link for autorid backend: https://wiki.samba.org/index.php/Idmap_config_autorid
Autorid is not recommended in cluster environments.
Troubleshooting
The TDB UID/GIDs mapping does not work properly.
Single-Domain Environments
It is recommended to use the "autorid" option in the "ID mapping backend" settings. Alternatively, you can use the "rid+tdb" option. If you choose "rid+tdb," set the UID/GIDs mapping to "rid" and define the Min ID and Max ID range (e.g., 2,000,000 to 2,999,999). The range 1,000,000 to 1,999,999 is reserved.
Multi-Domain Environments
The "autorid" option cannot be used. Instead, use "rid+tdb" or "ad (with RFC2307 schema) + tdb." Ensure the UID/GIDs mapping is set to "rid" and define the Min ID and Max ID range for each domain (e.g., 2,000,000 to 2,999,999 for the first domain, 3,000,000 to 3,999,999 for the second domain, etc.).
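An added example that checks a UID/GID range plan against the rules in the backend list and the two troubleshooting paragraphs above, and renders the equivalent Samba winbind `idmap config` lines. It is not the product's own code: the assumption is that the appliance drives Samba winbind with the backends the page links to, so the rendered lines use Samba's real parameter names (`backend`, `range`, `rangesize`, `schema_mode`, `unix_nss_info`). The reserved range 1,000,000 to 1,999,999, the per-domain ranges, the multi-domain restriction on autorid and the cluster caveat all come from the page; the default tdb range 3000-7999 for the `*` domain is an assumed value.

```python
# Added example: validate per-domain UID/GID ranges and render Samba idmap
# configuration for the three backends described on this page.
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Reserved on the appliance according to the page.
RESERVED: Range = (1_000_000, 1_999_999)


def overlaps(a: Range, b: Range) -> bool:
    """True when the two inclusive ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def plan_problems(backend: str, ranges: Dict[str, Range], clustered: bool = False) -> List[str]:
    """Return rule violations for a range plan (empty list = OK).

    backend: "rid", "ad" or "autorid" (the page's three choices, tdb implied).
    ranges:  domain name -> (min_id, max_id); for autorid a single entry
             holds the overall range from which per-domain slices are cut.
    """
    problems = []
    if backend == "autorid":
        if len(ranges) > 1:
            problems.append("autorid cannot be used in multi-domain environments")
        if clustered:
            problems.append("autorid is not recommended in cluster environments")
    elif backend not in ("rid", "ad"):
        problems.append(f"unknown backend {backend!r}")
    names = list(ranges)
    for name in names:
        lo, hi = ranges[name]
        if lo > hi:
            problems.append(f"{name}: min ID {lo} is greater than max ID {hi}")
        if overlaps((lo, hi), RESERVED):
            problems.append(f"{name}: overlaps reserved range {RESERVED[0]}-{RESERVED[1]}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                problems.append(f"{a} and {b}: ranges overlap")
    return problems


def smb_idmap_lines(backend: str, ranges: Dict[str, Range],
                    default_range: Range = (3000, 7999),
                    autorid_rangesize: int = 1_000_000) -> List[str]:
    """Render smb.conf 'idmap config' lines for a plan that passes plan_problems."""
    problems = plan_problems(backend, ranges)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    if backend == "autorid":
        lo, hi = next(iter(ranges.values()))
        lines.append("idmap config * : backend = autorid")
        lines.append(f"idmap config * : range = {lo}-{hi}")
        lines.append(f"idmap config * : rangesize = {autorid_rangesize}")
        return lines
    # tdb handles the default '*' domain when no other configuration is set.
    lines.append("idmap config * : backend = tdb")
    lines.append(f"idmap config * : range = {default_range[0]}-{default_range[1]}")
    for name, (lo, hi) in ranges.items():
        lines.append(f"idmap config {name} : backend = {backend}")
        lines.append(f"idmap config {name} : range = {lo}-{hi}")
        if backend == "ad":
            # RFC2307 attributes (uidNumber/gidNumber) must already exist in AD.
            lines.append(f"idmap config {name} : schema_mode = rfc2307")
            lines.append(f"idmap config {name} : unix_nss_info = yes")
    return lines


if __name__ == "__main__":
    # Constructed two-domain plan following the page's example ranges.
    plan = {"CORP": (2_000_000, 2_999_999), "EU": (3_000_000, 3_999_999)}
    print("\n".join(smb_idmap_lines("rid", plan)))
    bad = {"CORP": (1_500_000, 2_499_999), "EU": (2_000_000, 2_999_999)}
    print(plan_problems("rid", bad))
```

The overlap checks are the part worth keeping: a range that strays into the reserved block or into another domain's block is exactly the "TDB UID/GID mapping does not work properly" symptom, and it is much cheaper to catch on paper than in a mis-owned share.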