This topic describes how to add the mount target of a Server Message Block (SMB) file system to an Active Directory (AD) domain. After you add the mount target of an SMB file system to an AD domain, you can manage user authentication and control access to the files of the file system in the AD domain. Before you use an AD account to mount an SMB file system, you must register a service principal for the SMB file system in the AD domain, create a keytab file, and then upload the file to the NAS console. Then, you can enable the access control list (ACL) feature for the SMB file system.

Prerequisites

  1. Log on to the AD domain server.
  2. On the AD domain server, create a service account for the SMB file system.
    Use the following CMD command template:
    dsadd user CN=<Name of the service account>,DC=<AD domain name>,DC=com
      -samid <Name of the service account>
      -display <Description of the service account>
      -pwd <Password of the service account>
      -pwdneverexpires yes
    Example:
    dsadd user CN=alinas,DC=MYDOMAIN,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHe****Rd123 -pwdneverexpires yes
  3. On the AD domain server, register the mount target for the SMB file system and add a service principal.
    Use the following CMD command template:
    setspn -S cifs/<Domain name of the mount target> <Name of the service account>
    Example:
    setspn -S cifs/nas-mount-target.nas.aliyuncs.com alinas
    If the following output is returned, the service principal is added to the SMB file system.
  4. Check the setspn configuration on the Windows AD server or Windows client.
    Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script.
    Invoke-WebRequest https://code.aliyun.com/nas_team/nas-client-tools/raw/master/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
    Check the setspn configuration.
    .\alinas_smb_windows_inspection.ps1 -MountAddress abcde-123.region-id.nas.aliyuncs.com -CheckAD $true -Userdomain "domain.com" -Username "username" -Password "password" -Locale zh-CN
  5. On the AD domain server, create a keytab file for the mount target of the SMB file system.
    Use the following CMD command template:
    ktpass
      -princ cifs/<Domain name of the mount target>@<AD domain name>
      -ptype KRB5_NT_PRINCIPAL
      -crypto All
      -out <Path of the keytab file>
      -pass <Password of the service account>
    Example:
    ktpass -princ cifs/nas-mount-target.nas.aliyuncs.com@MYDOMAIN.com -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHeP****d123
  6. Upload the keytab file of the service account that you created for the SMB file system to the NAS console.
    1. Log on to the Apsara File Storage NAS console.
    2. In the left-side navigation pane, choose File System > File System List.
    3. On the File System List page, click the ID of the file system or Manage.
    4. On the Access Control tab, click On.
    5. In the Enable SMB ACL dialog box, upload the keytab file of the service account that you created for the SMB file system and click OK.
    6. On the Access Control tab, click Modify Configuration.
    7. In the Modify configuration dialog box, modify the parameters. The following table describes the parameters.
      Allow Anonymous Access
        Specifies whether to allow anonymous access to the file system. Valid values:
        • On: An Everyone account can be used to mount the SMB file system based on NT LAN Manager (NTLM). ACLs that are configured for files and directories in the SMB file system are still in effect.
        • Off: Anonymous users are not allowed to access the file system. This is the default value.
      Enable Transport Encryption
        Specifies whether to enable transport encryption for the SMB file system. Valid values:
        • On: enables transport encryption for the SMB file system.
        • Off: disables transport encryption for the SMB file system. This is the default value.
        For more information, see Transport encryption of SMB file system.
      Deny Access from Non-encrypted Clients
        Specifies whether to deny access to the SMB file system from clients that do not support encryption. Valid values:
        • Yes: You can mount the SMB file system only from a compute node for which transport encryption is enabled. This means that you can use an AD account to mount the SMB file system on a compute node whose operating system supports transport encryption. However, you cannot mount the SMB file system as an anonymous user or from a compute node that does not support transport encryption.
        • No: You can mount the SMB file system from all types of compute nodes. However, transport encryption can be enabled only when you use an AD account to mount the SMB file system on a compute node whose operating system supports transport encryption.
      Keytab File
        The keytab file that you want to upload.
      Note: After you modify the configurations, we recommend that you remount the SMB file system for the configurations of the service account to take effect.
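As an added example (not the page's own script and not Alibaba Cloud's alinas_smb_windows_inspection.ps1), the following PowerShell script runs the checks a domain administrator would want before step 5: that the cifs SPN is held by exactly one account, that the service account's password cannot expire, and only then generates the keytab with ktpass. The account, mount target and realm are the page's example values; the keytab path and the icacls restriction are assumptions.

```powershell
# Added example, not Alibaba Cloud's inspection script: check the AD state the
# keytab depends on, then run ktpass. Account, target and realm names are the
# page's examples; the keytab path is a hypothetical placeholder.
param(
    [string]$MountTarget    = 'nas-mount-target.nas.aliyuncs.com',
    [string]$ServiceAccount = 'alinas',
    [string]$Realm          = 'MYDOMAIN.com',
    [string]$KeytabPath     = 'C:\nas-mount-target.keytab'
)
$spn = "cifs/$MountTarget"

# 1. Exactly one account may hold the SPN. With a duplicate SPN the KDC cannot
#    tell which account's key to issue the service ticket with, so Kerberos
#    mounts fail or silently fall back to NTLM.
$holders = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
if ($holders.Count -eq 0) {
    throw "No account holds $spn. Run: setspn -S $spn $ServiceAccount"
}
if ($holders.Count -gt 1) {
    $names = ($holders | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ', '
    throw "Duplicate SPN $spn on: $names. Keep it only on $ServiceAccount (setspn -D removes it)."
}
$holder = $holders[0].Properties['samaccountname'][0]
if ($holder -ne $ServiceAccount) { throw "$spn is registered on '$holder', not '$ServiceAccount'." }

# 2. The keytab keys are derived from the account password. If the password can
#    expire, the uploaded keytab stops working at the next rotation because the
#    key version number (kvno) in AD moves on while the keytab keeps the old key.
$DONT_EXPIRE_PASSWORD = 0x10000
$uac = [int]$holders[0].Properties['useraccountcontrol'][0]
if (-not ($uac -band $DONT_EXPIRE_PASSWORD)) {
    throw "Password of '$ServiceAccount' can expire; set -pwdneverexpires yes (or Set-ADUser -PasswordNeverExpires `$true)."
}

# 3. Generate the keytab. The principal carries the realm, as in the page's own
#    example; '-pass *' makes ktpass prompt for the password so it does not
#    land in the command line or the shell history.
ktpass -princ "$spn@$Realm" -ptype KRB5_NT_PRINCIPAL -crypto All -out $KeytabPath -pass *
if (-not (Test-Path $KeytabPath)) { throw "ktpass did not write $KeytabPath" }

# 4. The keytab is as sensitive as the account password: restrict it to
#    Administrators until it is uploaded in the NAS console, then delete it.
icacls $KeytabPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
Write-Output "Keytab for $spn@$Realm written to $KeytabPath. Upload it on the Access Control tab."
```

Run the script on the AD domain server as a domain administrator; each failed check stops before ktpass so no keytab is produced for a misconfigured account.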

What to do next

After you add the mount target of the SMB file system to the AD domain, you can use an AD account to mount and use the SMB file system. For more information, see Mount and use an SMB file system on a Windows client as an AD domain user.