VAST Cluster enables you to use Active Directory as an authentication provider and as an LDAP-based authorization provider.
To use Active Directory as an authentication provider, create an Active Directory configuration and then join the cluster to the configured Active Directory domain. Joining Active Directory is required for clients to access the cluster's storage using the SMB protocol and can be used to enable access to the cluster's storage using the NFSv4 protocol with Kerberos authentication and/or ID mapping.
To use Active Directory as an authorization provider, such as for NFSv3 access or for NFSv4 access without Kerberos authentication and without ID mapping, you can create an Active Directory configuration and you do not need to join the cluster to the Active Directory domain.
Note
You can create multiple Active Directory configurations. Note that VAST Cluster does not allow adding two different Active Directory configuration records that have:
The same domain name but different settings for multi-forest authentication.
The same domain name and the same machine account name.
Note
Views exposed as SMB shares work only if the cluster is joined to Active Directory. This includes both SMB-only and multiprotocol views.
Note
The same Active Directory configuration procedure is used when you intend to use Active Directory only as an LDAP server (an authorization provider); in that case you do not need to join the Active Directory domain.
Prerequisites for Joining Active Directory
Active Directory running on Windows Server 2008 R2 or newer.
A domain name served by Active Directory, and a DNS setup to resolve the domain name.
User credentials for an admin user with permission to create and modify machine accounts within the Organizational Unit (OU) in the Active Directory domain to which you want to add the new machine object for the cluster.
Active Directory Domain Auto-Discovery
VAST Cluster supports client user access from multiple automatically discovered Active Directory domains, with automatic discovery of domain controllers (DCs).
VAST Cluster automatically discovers all domains and domain controllers that reside in the Active Directory forest of the cluster's joined domain and are trusted by the joined domain. If multi-forest authentication is enabled, it also discovers domains in other forests that have a two-way transitive trust relationship with the cluster's forest. When the cluster queries Active Directory for users and groups, all discovered domains are queried. After initial discovery is complete, you can view discovered Active Directory objects, including Active Directory global catalog servers. The information is updated periodically, with indication of the time to the next refresh of the global catalog that is currently used by the cluster.
You can choose whether to use LDAPS for Active Directory domain auto-discovery. If set to use LDAPS, VAST Cluster connects to port 636 on the domain controller or port 3269 on the global catalog and initiates a TLS handshake immediately after the TCP connection is established (implicit TLS on the dedicated LDAPS ports, not StartTLS on the plaintext ports 389 and 3268).
Active Directory Multi-Forest Authentication
VAST Cluster can authorize client access by querying users and groups from one or more trusted domains across multiple forests, in addition to the forest of the cluster's joined domain. When multi-forest authentication is enabled, VAST Cluster automatically discovers all domains in the forest of the cluster's joined domain, and also all domains in forests that have a two-way transitive trust relationship with the cluster's forest.
Note
Domains that are reachable only through a one-way trust are not discovered. If your environment includes one-way trust domains, consider using SMB native authentication for SMB users from those domains.
When multi-forest authentication is enabled, VAST Cluster uses a user account in the cluster's joined domain to establish an LDAP bind as follows:
For the LDAP bind to domain controllers in the forest of the cluster's joined domain, the authentication method (Simple or SASL) is determined by the Authentication method option in VAST Cluster LDAP settings.
For the LDAP bind to domain controllers in other trusted forests, SASL authentication is used, regardless of the Authentication method option in VAST Cluster LDAP settings.
SASL authentication requires that the bind DN is specified in username@domain or DOMAIN\username format.
The requirements for multi-forest authentication are as follows:
Active Directory and DNS configuration:
Each domain name is unique across all forests where VAST Cluster runs the discovery.
There are no duplicate UIDs or GIDs defined on the provider that is selected as the POSIX attribute source for the VAST cluster.
A user account is configured in the joined domain that will be used to establish LDAP binds across the forests, with the bind DN specified in username@domain or DOMAIN\username format.
There is a single DNS setup that can be used to reach all domains in all trusted forests.
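The uniqueness rules for configuration records (same domain name with different multi-forest settings, or same domain name and machine account name) and the multi-forest requirements above (SASL-compatible bind identity, no duplicate UIDs or GIDs in the POSIX attribute source) can be checked before a configuration is submitted. The following Python is an added example written for this page; it is not VAST code and does not call any VAST API. The AdConfig record shape, the entry dictionaries and the sample data are assumptions made for the example.

```python
"""Pre-flight checks for a VAST Cluster Active Directory configuration.

Added example, not VAST code. It encodes three rules stated on this page:
  * two configuration records may not share a domain name with different
    multi-forest settings, nor share both domain name and machine account name;
  * the bind identity used for multi-forest (SASL) binds must be written as
    username@domain or DOMAIN\\username, not as a distinguished name;
  * the POSIX attribute source must not contain duplicate uidNumber or
    gidNumber values across the discovered domains.
The record and entry shapes used here are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class AdConfig:
    domain: str            # e.g. "corp.example.com" (assumed field name)
    machine_account: str   # cluster machine account name in AD (assumed)
    multi_forest: bool     # "Enable trusted domains on other forests"


def config_conflict(existing, new):
    """Return why `new` would be rejected next to `existing` records, or None."""
    for rec in existing:
        if rec.domain.lower() != new.domain.lower():
            continue
        if rec.multi_forest != new.multi_forest:
            return (f"domain {new.domain!r} is already configured with a "
                    f"different multi-forest setting")
        if rec.machine_account.lower() == new.machine_account.lower():
            return (f"domain {new.domain!r} already has machine account "
                    f"{new.machine_account!r}")
    return None


# username@domain: no whitespace, '@' or '\' inside either part.
UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")
# DOMAIN\username: NetBIOS domain names are at most 15 characters.
NETBIOS_RE = re.compile(r"^[^@\\\s]{1,15}\\[^@\\\s]+$")


def bind_identity_form(bind_dn):
    """Classify a bind identity as 'upn', 'netbios' or None.

    Only 'upn' and 'netbios' are usable for SASL binds. A distinguished name
    such as CN=svc,OU=Service,DC=corp,DC=example,DC=com may work for a Simple
    bind to the joined forest, but binds to other forests always use SASL.
    """
    if UPN_RE.match(bind_dn):
        return "upn"
    if NETBIOS_RE.match(bind_dn):
        return "netbios"
    return None


def duplicate_posix_ids(entries, attr):
    """Map each uidNumber/gidNumber value that occurs more than once to the
    accounts (DOMAIN\\sAMAccountName) that share it. Entries without the
    attribute (for example, accounts with no POSIX attributes) are skipped."""
    seen = defaultdict(list)
    for e in entries:
        if e.get(attr) is not None:
            seen[int(e[attr])].append(f"{e['domain']}\\{e['sAMAccountName']}")
    return {num: accts for num, accts in seen.items() if len(accts) > 1}


# Constructed sample directory entries for the example; not real data.
SAMPLE_ENTRIES = [
    {"domain": "CORP", "sAMAccountName": "alice", "uidNumber": 10001, "gidNumber": 5000},
    {"domain": "EU", "sAMAccountName": "bob", "uidNumber": 10001, "gidNumber": 5001},
    {"domain": "EU", "sAMAccountName": "carol", "uidNumber": 10002, "gidNumber": 5000},
    {"domain": "CORP", "sAMAccountName": "svc-vast", "uidNumber": None},
]


if __name__ == "__main__":
    existing = [AdConfig("corp.example.com", "VASTCL01", multi_forest=True)]
    print(config_conflict(existing, AdConfig("corp.example.com", "VASTCL02", multi_forest=False)))
    print(config_conflict(existing, AdConfig("CORP.EXAMPLE.COM", "vastcl01", multi_forest=True)))
    for ident in ("svc-vast@corp.example.com", "CORP\\svc-vast",
                  "CN=svc-vast,OU=Service Accounts,DC=corp,DC=example,DC=com"):
        print(ident, "->", bind_identity_form(ident))
    print("duplicate uidNumber:", duplicate_posix_ids(SAMPLE_ENTRIES, "uidNumber"))
    print("duplicate gidNumber:", duplicate_posix_ids(SAMPLE_ENTRIES, "gidNumber"))
```

Domain and machine account comparisons are case-insensitive because Active Directory names are; the duplicate-ID check is meant to run over the user and group entries exported from whichever provider is selected as the POSIX attribute source, so that a collision between forests is caught before clients see merged identities.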
To enable or disable multi-forest authentication for a new Active Directory configuration:
In VAST Web UI, when you create a new Active Directory configuration record (User Management -> Active Directory -> click + Create Active Directory), in the Advanced tab, toggle Enable trusted domains on other forests on or off.
In VAST CLI, use the activedirectory create command with the --enable-multi-forest or --disable-multi-forest option specified.
To enable or disable multi-forest authentication for an existing Active Directory configuration:
In VAST Web UI, go to User Management -> Active Directory, right-click the Active Directory configuration record, select Edit and in the Advanced tab, toggle Enable trusted domains on other forests on or off.
In VAST CLI, run the activedirectory modify command with the --enable-multi-forest or --disable-multi-forest option specified.