This topic describes how to join the mount target of a Server Message Block (SMB) file system of Apsara File Storage NAS to an Active Directory (AD) domain. After the mount target of an SMB file system is joined to an AD domain, you can control access to files and directories in the SMB file system based on the AD users.

Background information

Before you use an AD account to mount an SMB file system, you must perform the following steps: create a service account for NAS in the AD domain, register the domain name of the mount target as a service principal name (SPN) of that account, and then create a keytab file and upload it in the NAS console.
Note You can join the mount target of an SMB file system to an AD domain only if the SMB ACL feature is available for the file system. If the SMB ACL feature is not supported in the region where your SMB file system resides, submit a ticket. You can also submit a ticket if you have questions about how to upload keytab files, join a mount target to an AD domain, or enable the SMB ACL feature.

Prerequisites

Procedure

  1. Create a service account for NAS in the AD domain.
    Run the dsadd command on a domain controller, or on a host that has the AD DS tools installed, to create a service account for NAS in the AD domain. In this example, the name of the service account is alinas. The following syntax of the dsadd command is used in PowerShell:
    dsadd user CN=<Name of the service account>,DC=MYDOMAIN,DC=com
      -samid <Name of the service account>
      -display <Display name of the service account>
      -pwd <Password of the service account>
      -pwdneverexpires yes
    The following example shows the dsadd command:
    dsadd user CN=alinas,DC=MYDOMAIN,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHePaSsWoRd123 -pwdneverexpires yes
    Replace the placeholder password with a long, randomly generated one. The password is never used interactively: NAS authenticates with the keytab that is derived from it in Step 3, and that keytab stays valid only as long as the password is unchanged. If you change the password of the service account later, you must create a new keytab file and upload it again. Note that the password is passed on the command line and therefore appears in the PowerShell history and in process command-line logs.
  2. Register the domain name of the mount target for the SMB file system.
    Run the setspn command to register the CIFS service principal name (SPN) of the mount target under the service account. The -S option adds the SPN only after checking that no other account in the domain already has it, because duplicate SPNs cause Kerberos authentication to fail. The following syntax of the setspn command is used in PowerShell:
    setspn -S cifs/<Domain name of the mount target> <Name of the service account>
    The following example shows the setspn command:
    setspn -S cifs/nas-mount-target.nas.aliyuncs.com alinas
  3. Create a keytab file for the SMB file system.
    Run the ktpass command to create a keytab file for the SMB file system. The keytab contains the Kerberos keys of the service account, which NAS uses to decrypt the service tickets that clients present when they mount the file system, so the keytab is equivalent to the account password and must be protected accordingly. The principal consists of the SPN registered in Step 2 and the Kerberos realm of the AD domain, which is the DNS name of the domain, conventionally written in uppercase. The following syntax of the ktpass command is used in PowerShell:
    ktpass
      -princ cifs/<Domain name of the mount target>@<Kerberos realm of the AD domain>
      -ptype KRB5_NT_PRINCIPAL
      -crypto All
      -out <Path of the keytab file>
      -pass <Password of the service account>
    The following example shows the ktpass command:
    ktpass -princ cifs/nas-mount-target.nas.aliyuncs.com@MYDOMAIN.com -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123
  4. Download the keytab file for the SMB file system.
    Find the keytab file in the path that you specified in the ktpass command and download it. Transfer the file only over a protected channel, restrict read access to the file to the administrator who performs the upload, and delete all local copies after the file has been uploaded in Step 5.
  5. Upload the keytab file in the NAS console.
    Log on to the NAS console and choose File System > File System List. On the page that appears, find the target file system and click the file system ID or Management. On the Access Control tab, select On. In the dialog box that appears, upload the keytab file for the SMB file system.
    After you enable the SMB ACL feature, the following parameters are displayed on the Access Control tab. Click Modify configuration to modify the parameters.

    Authentication method
      Required: No
      Description: The value is Kerberos.

    Allow anonymous access
      Required: Yes
      Description: If anonymous access is allowed, the Everyone account can be used to mount the SMB file system based on NT LAN Manager (NTLM) authentication, that is, without domain credentials. ACLs that are configured for files and directories in the SMB file system still apply, but any client that can reach the mount target can then mount the file system. Leave this parameter Off unless you need anonymous mounts.
      Default value: Off

    Enable transport encryption
      Required: Yes
      Description: Specifies whether to enable the SMB3 encryption feature. On its own, this parameter does not stop clients that do not support encryption from connecting without encryption; to enforce encryption, also set Deny non-encrypted clients to On.
      Default value: Off

    Deny non-encrypted clients
      Required: Yes
      Description: Specifies whether to deny access from clients that do not support encryption.
      This parameter is available only when the Enable transport encryption parameter is set to On.
      Default value: Off

    Keytab file
      Required: Yes
      Description: The keytab file to upload. You can remove the uploaded keytab file and upload a new one, for example after you change the password of the service account.
      This parameter is displayed only in the Modify configuration dialog box.

    Note If the file system is already mounted on a client, the parameter settings that you modify in the Modify configuration dialog box take effect on that client only after the file system is mounted again.
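The following PowerShell script is an added example and is not part of the original page or of Alibaba Cloud's tooling. It runs Steps 1 to 3 of the procedure end to end with the same dsadd, setspn and ktpass commands, generates a random password instead of typing one, refuses to continue if the SPN is already registered elsewhere, verifies the registration, and restricts access to the keytab file before you download and upload it. The mount target domain name, the account name, the domain MYDOMAIN.com with Kerberos realm MYDOMAIN.COM, and the Users container as the parent of the account are placeholders taken from or assumed for the page's example; replace them with your own values.

```powershell
<#
  Added example (not the page's or Alibaba Cloud's own code).
  Runs Steps 1-3 on a domain controller or a host with the AD DS tools.
  Assumptions: placeholder mount target domain, account name, domain DN,
  realm and keytab path below; adapt them to your environment.
#>
param(
    [string]$ServiceAccount    = 'alinas',
    [string]$MountTargetDomain = 'nas-mount-target.nas.aliyuncs.com',
    [string]$ParentDN          = 'CN=Users,DC=MYDOMAIN,DC=com',   # assumed container
    [string]$Realm             = 'MYDOMAIN.COM',                  # Kerberos realm, uppercase
    [string]$KeytabPath        = 'C:\nas-mount-target.keytab'
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run an external tool and fail fast on a non-zero exit code.
    # The arguments are deliberately not echoed, because they include the password.
    param([string]$Exe, [string[]]$Arguments)
    $output = & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code ${LASTEXITCODE}:`n$($output -join "`n")"
    }
    return $output
}

# Generate a random 32-byte password. Nobody needs to know it: NAS authenticates
# with the keytab derived from it, not with the password itself.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 32
$rng.GetBytes($buf)
$Password = [Convert]::ToBase64String($buf)

# Kerberos requires a unique SPN; abort if another object already owns it.
$spn   = "cifs/$MountTargetDomain"
$query = & setspn -Q $spn
if ($query -match 'Existing SPN found') {
    throw "$spn is already registered on another account:`n$($query -join "`n")"
}

# Step 1: create the service account (same dsadd form as the procedure).
Invoke-Tool dsadd @('user', "CN=$ServiceAccount,$ParentDN",
    '-samid', $ServiceAccount,
    '-display', 'Alibaba Cloud NAS Service Account',
    '-pwd', $Password,
    '-pwdneverexpires', 'yes') | Out-Null

# Step 2: register the CIFS SPN of the mount target under the account.
Invoke-Tool setspn @('-S', $spn, $ServiceAccount) | Out-Null

# Step 3: derive the keytab from the password for the full principal name.
Invoke-Tool ktpass @('-princ', "$spn@$Realm",
    '-ptype', 'KRB5_NT_PRINCIPAL',
    '-crypto', 'All',
    '-out', $KeytabPath,
    '-pass', $Password) | Out-Null

# Verify that the SPN is actually attached to the account.
$registered = Invoke-Tool setspn @('-L', $ServiceAccount)
if (-not ($registered -match [regex]::Escape($spn))) {
    throw "SPN $spn was not found on $ServiceAccount"
}

# The keytab holds the account's long-term Kerberos keys: remove inherited
# ACEs and leave read access to the current administrator only.
Invoke-Tool icacls @($KeytabPath, '/inheritance:r',
    '/grant:r', "$env:USERDOMAIN\${env:USERNAME}:(R)") | Out-Null

# Drop the password from memory; it is no longer needed by anyone.
Remove-Variable Password, buf
Write-Host "Keytab written to $KeytabPath. Upload it in the NAS console (Step 5), then delete the local copy."
```

Run the script in an elevated PowerShell session with an account that may create users and write servicePrincipalName in the domain. Because the password is generated inside the script, it never appears in the interactive command history; it is still passed on the command lines of dsadd and ktpass, so it is visible to process auditing (for example Windows event 4688 with command-line logging enabled) while those processes run.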

Result

The mount target of the SMB file system is joined to the AD domain, and you can now use an AD account to mount the SMB file system.