This topic describes how to authenticate users and control access to a Server Message Block (SMB) file system of Apsara File Storage NAS based on an Active Directory (AD) domain.

Background information

NAS allows you to authenticate users and control access to SMB file systems based on an AD domain. After the mount target of an SMB file system is joined to an AD domain, AD users can access the SMB file system, and you can control access to files and directories in the file system based on the AD domain. Without an AD domain, NAS does not support permission control of specific users on specific files or directories in SMB file systems: you can control access to SMB file systems only based on permission groups and Alibaba Cloud accounts, where each permission group represents an IP address whitelist.

Note You can join the mount target of an SMB file system to an AD domain. If the SMB ACL feature is not supported in the region where your SMB file system resides, submit a ticket. You can also submit a ticket to raise questions about how to upload keytab files, join a mount target to an AD domain, and enable the SMB ACL feature.

Prerequisites

Procedures

You can join SMB clients in a virtual private cloud (VPC) and SMB clients in a data center to the same AD domain. Then, AD users can be used to access the SMB file system from the SMB clients. You can use the AD domain controller to manage the AD users and control access to the SMB file system in a centralized manner. NAS allows you to authenticate AD users by using the Kerberos protocol. When an AD user attempts to access the file system from a Windows or Linux server that serves as the AD domain controller, the file system verifies the identity of the AD user. In this way, you can control access from a specific user to specific files and directories in the SMB file system. The following figure shows how user authentication and access control are implemented based on an AD domain.

Figure: Identity authentication and access control for SMB file systems in an AD domain
  1. Join the mount target of the SMB file system to the AD domain.
    1. Create a service account for NAS.
    2. Register the domain name of the mount target for the SMB file system.
    3. Create a keytab file for the mount target of the SMB file system.
    4. Download the keytab file, and upload the file in the NAS console.
  2. Log on to the NAS console to upload the keytab file for the SMB file system.
    Choose File System > File System List. On the page that appears, find the target SMB file system, and click the file system ID or Management. On the Access Control tab, click On (or Off). In the Enable SMB ACL dialog box, upload the keytab file.
    Then, the secret key that the keytab file contains is stored in the NAS console. After the mount target of the SMB file system is joined to the AD domain, you can mount and access the SMB file system as an AD user. For more information, see Use an AD account to mount an SMB file system.
  3. Authenticate an AD user who attempts to access the SMB file system.
    If an AD user from a virtual machine in the VPC or an application in the data center attempts to access the SMB file system, NAS checks whether the IP address of the AD user is allowed to access the file system based on the permission groups. Then, the AD user is authenticated based on the Kerberos protocol. The following procedure describes the process of Kerberos authentication:
    1. A client sends an SMB2 NEGOTIATE request to NAS.
    2. NAS checks whether Kerberos authentication is enabled for the SMB file system.

      For more information, see Introduction to the Kerberos protocol and the procedure of applying the protocol to SMB file systems.

    3. The client sends a request for accessing the SMB file system to the AD domain controller in the VPC or data center.
    4. The AD domain controller authenticates the client. Then, the AD domain controller encrypts the information of the AD user by using the secret key that is contained in the keytab file, and sends the encrypted user information to the client.
    5. The client sends an SMB2 SESSION_SETUP request to NAS. The request message includes the encrypted user information.
    6. NAS decrypts the encrypted user information by using the secret key that is contained in the keytab file.
      Note The authenticated AD user is then used for all subsequent access to the SMB file system in the session.
    7. If authentication succeeds, NAS returns a successful response to the SMB2 SESSION_SETUP request, which indicates that the client is allowed to access the SMB file system. Otherwise, the SMB2 SESSION_SETUP request is denied.
    8. The client sends read, write, and other requests to the SMB file system.
    9. NAS returns the result of the request to the client.

      NAS controls access to the SMB file system. Based on the user information in the session and the ACLs of files and directories in the SMB file system, NAS denies or allows the request.
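The procedure above hinges on the keytab file created in step 1 and uploaded in step 2: its secret key is what NAS uses in step 6 to decrypt the user information, so the file should be inspected before it is uploaded. The following added example (not NAS code) parses an MIT-format keytab and reports, without exposing key material, which principal, key version number and cipher each entry carries, flagging deprecated single-DES and RC4 keys. The realm, the `cifs/nas-mount-target.example.com` service principal and the key bytes are constructed placeholders.

```python
import struct
from collections import namedtuple
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}  # single-DES and RC4 are deprecated
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key_len")  # no key bytes kept

def _counted(buf, pos):  # keytab counted_octet_string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT keytab; a negative entry size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p); comps.append(comp.decode())
            # p + 8 skips name_type (uint32) and timestamp (uint32); then vno8, enctype, key length
            vno8, etype, klen = struct.unpack_from(">BHH", data, p + 8)
            p += 13 + klen                           # step over the key material unread
            # A 32-bit kvno follows the key when the entry has room left for it.
            kvno = struct.unpack_from(">I", data, p)[0] if p + 4 <= end else vno8
            entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno,
                                       ENCTYPES.get(etype, "etype-%d" % etype), klen))
        pos = end
    return entries

def weak_entries(entries):  # entries to remove from the keytab before uploading it
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]

def _entry(realm, comps, kvno, etype, key):
    """Encode one keytab entry (used only to construct the sample below)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 1700000000, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: an AES-256 key and an RC4 key for a placeholder mount-target SPN.
SPN = [b"cifs", b"nas-mount-target.example.com"]
SAMPLE_KEYTAB = (b"\x05\x02" + _entry(b"EXAMPLE.COM", SPN, 3, 18, b"\x11" * 32)
                 + _entry(b"EXAMPLE.COM", SPN, 3, 23, b"\x22" * 16))
```

Running `weak_entries(parse_keytab(SAMPLE_KEYTAB))` on the sample reports the RC4 entry, which should be dropped so that only AES keys are uploaded for the mount target.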