This topic describes how to use Active Directory (AD) to authenticate users and control access to Apsara File Storage NAS Server Message Block (SMB) file systems.

Background information

SMB file systems can authenticate users and control access at the file and directory level based on AD. An AD user logs on to a client that mounts the SMB file system, and NAS then allows or denies that user's access to individual files and directories. Without AD, SMB file systems authenticate clients rather than users: access is controlled by Alibaba Cloud accounts and permission groups, and multiple users on the same client cannot be distinguished at the file or directory level. Each permission group is a whitelist: you specify one or more IP addresses in the permission group, and only clients at these addresses are allowed to access the SMB file system.

Note The SMB ACL feature is available only for SMB file systems in the following regions: China (Zhangjiakou-Beijing Winter Olympics), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Chengdu), China (Hong Kong), Australia (Sydney), Indonesia (Jakarta), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and India (Mumbai).

If the region where your file system resides does not support the SMB ACL feature, submit a ticket. In the ticket you can also ask how to upload keytab files, create SMB file systems, enable AD-based authentication and access control, or enable access control lists (ACLs).

Prerequisites

Authenticate users and control access

You can use Active Directory Domain Services (AD DS) to manage users in a virtual private cloud (VPC) or in an on-premises Internet data center (IDC), and NAS can control access to file systems by these users. This provides authentication between on-premises users and cloud services, and access control over file systems, in a hybrid cloud. SMB file systems authenticate AD users with the Kerberos protocol against a domain controller that you deploy either on-premises or in Alibaba Cloud. You log on as an AD user to a Windows or Linux server that has joined the AD domain and access the SMB file system from that server. After the user identity is verified, NAS controls access to the file system at the file and directory level. The following figure shows how an SMB client is authenticated based on AD.
[Figure: NAS AD-based authentication and access control]
  1. Connect the mount target of the SMB file system to AD.
    1. Create a service account for NAS in the AD domain.
    2. Register the mount target of the SMB file system as a service principal name (SPN) on the service account.
    3. Create a keytab file for that principal.
    4. Download the keytab file of the NAS service account.
  2. Log on to the NAS console to manage NAS file systems.
    Choose NAS File System > File System > File System List. Find the target file system and click the file system ID or Manage. On the File System Details page, click the Access Control tab and select On (or Off to disable the feature). Specify the authentication method and the access control parameters for the file system, and upload the keytab file to NAS.
    After you upload the keytab file, NAS stores the keys that it contains. Once the mount target of the SMB file system is connected to AD, an AD user can mount the SMB file system. For more information, see Use an Active Directory user to mount an SMB file system on Windows and manage the ACLs of the SMB file system.
  3. Authenticate users and control access from clients.
    When virtual machines in the VPC or applications in the IDC access the SMB file system, the domain controller authenticates the user on each client, and NAS controls access based on the predefined permission group and the authenticated user identity. The procedure is as follows:
    1. An SMB client attempts to access an SMB file system.
    2. NAS checks whether Kerberos authentication is enabled on the SMB file system.

      For more information, see Introduction to Kerberos authentication and how to apply the authentication to SMB file systems.

    3. The SMB client requests a Kerberos service ticket for the SMB file system from a domain controller. The domain controller resides in the VPC or in the on-premises IDC.
    4. The domain controller authenticates the SMB client and returns a service ticket that carries the user information, encrypted with the key of the NAS service account.
    5. The SMB client places the service ticket in an SMB SESSION_SETUP request and sends the request to NAS.
    6. NAS decrypts the service ticket with the key stored in the uploaded keytab file.
      Note The domain controller is not involved in the SMB session after this point: all subsequent messages in the session flow between the SMB client and NAS.
    7. If authentication succeeds, NAS accepts the SESSION_SETUP request and grants the SMB client access to the SMB file system. If authentication fails, NAS rejects the SESSION_SETUP request.
    8. The SMB client accesses files and directories in the SMB file system.
    9. NAS returns the results to the SMB client.

      NAS then enforces access control: based on the user identity established in the session, it allows or denies access to each file or directory that is stored in the SMB file system.
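The procedure in steps 1 to 3 above, as an added PowerShell example that is not part of the NAS documentation. Part 1 runs on a domain controller (or a host with the RSAT ActiveDirectory module) and performs the service account, SPN and keytab steps; Part 2 runs on a domain-joined Windows client and exercises the Kerberos flow (ticket request, SESSION_SETUP, per-directory ACL). The domain corp.example.com, the account name nas-smb-svc, the mount target host name, the share name myshare, the keytab path and the AES256 encryption type are all assumed values; the keytab upload of step 2 has no command-line equivalent here and is done in the NAS console as described above.

```powershell
# Added example, not from the NAS documentation. All names below are assumptions.

#region --- Part 1: on a domain controller, as a Domain Admin ---
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'                                   # assumed AD DNS domain
$Realm       = $Domain.ToUpper()                                    # Kerberos realm = upper-case domain
$SvcAccount  = 'nas-smb-svc'                                        # assumed NAS service account
$MountTarget = 'file-system-id-xxxx.cn-hangzhou.nas.aliyuncs.com'   # assumed mount target host name
$Spn         = "cifs/$MountTarget"                                  # SMB clients ask for cifs/<host>
$KeytabPath  = 'C:\keytabs\nas-smb-svc.keytab'                      # assumed output path

# Step 1: create the service account. The keytab will hold this account's long-term
# key, so the password must not rotate behind NAS's back; restrict the account to AES.
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$Domain" `
    -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES128, AES256

# Step 2: register the mount target as an SPN on the service account.
# setspn -S refuses to add an SPN that is already registered on another account,
# which catches the duplicate-SPN mistake that would otherwise break ticket issuance.
setspn -S $Spn $SvcAccount
setspn -L $SvcAccount            # list the account's SPNs to verify the mapping

# Step 3: create the keytab for the principal. ktpass resets the account password to
# the value typed at the prompt, so the keytab and the account stay in sync.
# The encryption type must be one the file system supports (AES256 assumed here).
ktpass /out $KeytabPath /princ "$Spn@$Realm" /mapuser "$SvcAccount@$Domain" `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass *

# Step 4: the keytab is a credential equivalent to the account password. Check who can
# read it, download it over a protected channel, upload it in the NAS console, then
# delete the local copy.
Get-Acl $KeytabPath | Format-List Owner, AccessToString
#endregion

#region --- Part 2: on a domain-joined Windows client, logged on as an AD user ---
$MountTarget = 'file-system-id-xxxx.cn-hangzhou.nas.aliyuncs.com'   # same assumed host name
$Share       = 'myshare'                                            # assumed SMB share name

klist purge                                     # drop cached tickets so the flow starts fresh
klist get "cifs/$MountTarget"                   # flow steps 3-4: the DC issues a service ticket
net use Z: "\\$MountTarget\$Share" /persistent:no   # flow step 5: SESSION_SETUP carries the ticket
klist | Select-String "cifs/$MountTarget"       # cached service ticket: Kerberos was used, not NTLM

# Flow step 9 and the final note: the ACL on a directory is evaluated against the AD
# identity that opened the session. Keep only the current user on a new directory;
# other AD users then receive ACCESS_DENIED on it.
$Me = "$env:USERDOMAIN\$env:USERNAME"
New-Item -ItemType Directory -Path 'Z:\finance' -ErrorAction SilentlyContinue | Out-Null
icacls 'Z:\finance' /inheritance:r /grant:r "${Me}:(OI)(CI)F"
Get-Acl 'Z:\finance' | Format-List Owner, AccessToString
#endregion
```

Any later password reset on the service account increments its key version number and silently invalidates the uploaded keytab; regenerate the keytab with ktpass and upload it again whenever the password changes. If `klist` shows no `cifs/` ticket after the mount, the session fell back to another mechanism or was rejected, and the domain controller's Kerberos log is the first place to look.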