Active Directory & Kerberos

Integrate MayaNAS with directory services for centralized authentication. Required for Kerberos-secured NFS exports and domain-joined SMB sharing.

Access

Navigate to Configure Server > Directory Services in the Web UI sidebar.

Supported Directory Services

Service	Use Case
Azure Active Directory	Azure-hosted AD for cloud deployments
FreeIPA	Open-source identity management (Linux-native)
LDAP	Lightweight Directory Access Protocol
NIS	Network Information Service (legacy Unix)
Kerberos (Standalone)	Kerberos KDC without full AD integration

Active Directory

Prerequisites

• AD domain controller reachable from MayaNAS
• DNS configured to resolve the AD domain
• An AD account with domain join privileges

Join a Domain

1. Navigate to Configure Server > Directory Services > Active Directory
2. Click Join
3. Fill in:

Field	Description
Domain	AD domain name (e.g., corp.example.com)
Username	Admin username with join privileges
Password	Admin password
Enable Winbind	Enable Winbind service for name resolution

4. Optionally expand Additional Options:

Field	Description
Computer OU	Organizational Unit for the computer account
User Principal	User principal name
Automatic ID Mapping	Map Windows SIDs to Unix UIDs/GIDs automatically

5. Click Join

Discover a Domain

Before joining, you can click Discover to verify DNS resolution and locate domain controllers:

1. Enter the domain name
2. Click Discover
3. Review the discovered domain controllers and services

Leave a Domain

1. Click Leave
2. Confirm the action

After Joining

Once joined, the configuration panel shows:

• Domain Name
• Directory Type
• Client Software
• Login Formats
• Login Policy
• NFS SPN (Service Principal Name for Kerberos NFS)

FreeIPA

Join a FreeIPA Domain

1. Navigate to Configure Server > Directory Services > FreeIPA
2. Click Join
3. Fill in:

Field	Description
Domain	FreeIPA domain
Username	Admin username
Password	Admin password

4. Optionally configure Computer OU, User Principal, and Automatic ID Mapping
5. Click Join

Leave FreeIPA

Click Leave to disjoin from the FreeIPA domain.

NIS

Enable NIS

1. Navigate to Configure Server > Directory Services > NIS
2. Click Enable
3. The panel shows the NIS Domain and NIS Server (from ypwhich)

Disable NIS

Click Disable to stop NIS name resolution.

Standalone Kerberos

For environments with a Kerberos KDC but no full AD or FreeIPA deployment.

Configure Kerberos

1. Navigate to Configure Server > Directory Services > Kerberos
2. Fill in:

Field	Description	Default
Realm	Kerberos realm (e.g., CORP.EXAMPLE.COM)	—
KDC Server	Hostname or IP of the KDC	—
KDC Port	KDC port	88

3. Click Save

Test Connectivity

Click Test to verify connectivity to the KDC.

Upload Keytab

A keytab file is required for NFS Kerberos. The keytab must contain an nfs/<hostname>@REALM principal.

1. Generate the keytab on the KDC:

   kadmin -q "ktadd -k nfs.keytab nfs/mayanas.corp.com@CORP.EXAMPLE.COM"

2. Click Upload Keytab
3. Select the .keytab file
4. The panel shows the imported principals

Impact on NFS and SMB

NFS with Kerberos

After configuring directory services, NFS shares can use Kerberos security:

• sec=krb5 — Authentication only
• sec=krb5i — Authentication + integrity
• sec=krb5p — Authentication + integrity + encryption

The NFS Shares panel shows a lock icon on Kerberos-secured exports. See NFS Shares for export configuration.

SMB with Active Directory

After AD join, SMB shares authenticate domain users automatically:

• Domain users can access shares with their AD credentials
• Windows ACLs can be applied via the Security panel
• Domain-joined clients get transparent Kerberos SSO

See SMB Shares for share configuration.