This topic describes how to use Active Directory (AD) to authenticate users and control access to Apsara File Storage NAS Server Message Block (SMB) file systems.
SMB file systems allow you to authenticate users and control access at the file system level based on AD. You can use an AD user to log on to a client that hosts an SMB file system and control access to files and directories in the SMB file system. Otherwise, SMB file systems do not support file- and directory-level access control for multiple users on a client. You can authenticate clients based on Alibaba Cloud accounts and permission groups and control access to SMB file systems. Each permission group is treated as a whitelist: you specify one or more IP addresses in a permission group, and access to the SMB file system is allowed only from these IP addresses.
If the region where your file system resides does not support the SMB ACL feature, submit a ticket. You can also submit questions about how to upload keytab files, create SMB file systems, enable AD-based authentication and access control, or enable access control lists (ACLs) in the ticket.
- AD and DNS services are installed and started. For more information, see Install and start AD and DNS.
- Kerberos authentication is enabled for SMB file systems. For more information, see Introduction to Kerberos authentication and procedure of applying the authentication to SMB file systems.
- An SMB file system is created. For more information, see Create a file system.
Authenticate users and control access
- Connect an SMB client to AD.
For more information, see Connect an SMB client to an Active Directory domain.
- Create a service account for NAS.
- Add the mount target of the SMB file system as a principal to the service account.
- Create a keytab file for the principal.
- Download the keytab file of the NAS service account.
- Log on to the NAS console to manage NAS file systems.
Find the target file system and click the file system ID or Manage. On the File System Details page, click the Access Control tab and select On (or Off). Specify an authentication method and access control-related parameters for the file system and upload the keytab file to NAS. After you upload the keytab file, the information that the keytab file contains is stored in NAS. After you connect the mount target of the SMB file system to AD, you can use an AD user to mount the SMB file system. For more information, see Use an Active Directory user to mount an SMB file system on Windows and manage the ACLs of the SMB file system.
- Authenticate users and control access from clients.
If virtual machines in the VPC or applications in the IDC attempt to access the SMB file system, the domain controller authenticates each client and controls access from these clients based on the predefined permission group. The procedure is as follows:
- An SMB client attempts to access an SMB file system.
- NAS checks whether Kerberos authentication is enabled on the SMB file system.
For more information, see Introduction to Kerberos authentication and how to apply the authentication to SMB file systems.
- The SMB client sends a request to a domain controller for access to the SMB file system. The domain controller resides in a VPC or a local IDC.
- The domain controller authenticates the SMB client and sends the encrypted user information to the SMB client.
- The SMB client adds the encrypted user information to an SMB SESSION_SETUP request and sends the request to NAS.
- NAS uses the keytab file to decrypt the encrypted user information.
Note: All subsequent messages in the session are used for communication between the SMB client and NAS.
- After the authentication is completed, NAS allows access to the SMB file system from the SMB client. If the authentication fails, NAS denies the SESSION_SETUP request.
- The SMB client can access the SMB file system.
- NAS sends results to the SMB client.
NAS controls access to the SMB file system. Based on the user information in a session, NAS denies or allows access to files or directories that are stored in an SMB file system.
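The following PowerShell session is an added example, not part of the original page or of the NAS product, showing one way to carry out steps 2 to 4 of the procedure above (create the NAS service account, register the SMB mount target as its principal, and create the keytab file) with the standard AD tools, plus the checks worth running before uploading the keytab. The domain example.com, the account name nas-svc, the mount target name and the keytab path are placeholders.

```powershell
# Added example (not from the original page): service account, SPN and keytab for NAS.
# Run on a domain-joined Windows host with the ActiveDirectory module, setspn and ktpass.
# Placeholders: domain example.com / realm EXAMPLE.COM, account nas-svc, mount target name.
Import-Module ActiveDirectory

$Domain      = 'example.com'                    # assumed AD domain
$Realm       = $Domain.ToUpper()                # Kerberos realm derived from the domain
$SvcAccount  = 'nas-svc'                        # assumed service account name
$MountTarget = '<mount-target>.example.com'     # placeholder: DNS name of the NAS mount target
$Spn         = "cifs/$MountTarget"              # SMB service principal name for the mount target
$KeytabPath  = 'C:\nas-keytab\nas.keytab'       # placeholder: where the keytab is written

# Step 2: create the service account for NAS. Limiting it to AES keeps RC4/DES keys
# out of the keytab that is later uploaded to NAS.
$Password = Read-Host -AsSecureString 'Service account password'
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$Domain" -AccountPassword $Password `
    -Enabled $true -PasswordNeverExpires $true -KerberosEncryptionType AES256

# Step 3: add the mount target as a principal of the service account.
# -S refuses to register the SPN if another account already holds it (a duplicate
# SPN makes the domain controller issue tickets for the wrong account).
setspn -S $Spn "$Domain\$SvcAccount"

# Step 4: create the keytab for that principal. ktpass prompts for the account
# password (/pass *); it must match the password set in step 2.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabPath) | Out-Null
ktpass /princ "$Spn@$Realm" /mapuser "$Domain\$SvcAccount" /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $KeytabPath

# Checks before uploading the keytab in the NAS console:
setspn -L $SvcAccount                                              # SPN is registered once
Get-ADUser $SvcAccount -Properties KerberosEncryptionType |
    Select-Object SamAccountName, KerberosEncryptionType            # account is AES-only
Get-Acl $KeytabPath | Format-List Owner, AccessToString             # only admins can read the key
```

The keytab holds the long-term key that NAS uses in step 6 of the flow above to decrypt the user information in SESSION_SETUP, so treat the file like a password: restrict its ACL, delete local copies after uploading, and regenerate it (with a new kvno) whenever the service account password changes.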