This topic describes how to add an SMB file system mount target to an AD domain. After the mount target joins the domain, user identity authentication against the AD domain and file-level access control are supported.

Background information

Before you mount a NAS file system that uses the SMB protocol, you must register a service for the NAS file system in the AD domain, then generate and upload the Keytab file.
Note SMB ACL-based access control is available only for file systems that reside in the following regions: Asia Pacific SOU 1 (Mumbai), China (Hong Kong), China East 2 (Shanghai), UK (London), EU Central 1 (Frankfurt), China (Chengdu), Asia Pacific SE 2 (Sydney), Asia Pacific SE 5 (Jakarta), US West 1 (Silicon Valley), US East 1 (Virginia), China North 3 (Zhangjiakou), China East 1 (Hangzhou), China North 5 (Hohhot), China North 2 (Beijing).

If your region does not support SMB ACL, submit a Work Order to ask how to upload the Keytab file and enable the AD/ACL feature of the SMB file system.

Prerequisites

Procedure

  1. Create a service account for the Alibaba Cloud NAS file system.
    Use the dsadd command to add a service account for NAS in the AD domain. The PowerShell command template for the dsadd tool is as follows.
    dsadd user CN=[username ID],DC=MYDOMAIN,DC=com
      -samid [username ID]
      -display [user description]
      -pwd [user password]
      -pwdneverexpires yes
    An example command is as follows.
    dsadd user CN=alinas,DC=MYDOMAIN,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHePaSsWoRd123 -pwdneverexpires yes
  2. Register the domain name of the NAS file system mount target.
    Use the setspn command-line tool to register the NAS file system mount target as a service principal under the NAS service account. The PowerShell command template for the setspn tool is as follows.
    setspn -S cifs/[SMB protocol NAS file system mount target domain name] [NAS service account username ID]
    An example command is as follows.
    setspn -S cifs/nas-mount-target.nas.aliyuncs.com alinas
  3. Generate the Keytab file for the NAS file system mount target service.
    Use the ktpass command-line tool to generate a Keytab file for the NAS mount target service principal; this file is used for NAS user identity authentication. The PowerShell command template for the ktpass tool is as follows.
    ktpass
      -princ cifs/[the mount target for an SMB-based NAS file system]@MYDOMAIN.com
      -ptype KRB5_NT_PRINCIPAL
      -crypto All
      -out [file path of the generated key table file]
      -pass [user password]
    An example command is as follows.
    ktpass -princ cifs/nas-mount-target.nas.aliyuncs.com@MYDOMAIN.com -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123
  4. Download the Keytab file.
    Download the Keytab file from the path specified in the -out parameter of the ktpass command.
  5. Upload the Keytab file for the Alibaba Cloud file system.
    Log on to the Alibaba Cloud NAS console, choose NAS File System > File System > File System ID/Name, and on the Access Control page click On. Then upload the Keytab file generated for the Alibaba Cloud file system service account.
    After SMB ACL is enabled, the following parameters are displayed. Click Modify Configuration to change the modifiable parameters.

    Parameter: Authentication Method
    Modifiable: No
    Description: Default value: Kerberos.

    Parameter: Allow anonymous access
    Modifiable: Yes
    Description: If anonymous access is allowed, anyone can mount the volume over NTLM. After logon, the user has the identity Everyone, and the ACL still applies. Default value: Off.

    Parameter: Enable transport encryption
    Modifiable: Yes
    Description: Specifies whether to enable SMB3 transport encryption. Default value: Off.

    Parameter: Deny non-encrypted clients
    Modifiable: Yes
    Description: Specifies whether to reject clients that do not support transport encryption. Modifiable only when Enable transport encryption is enabled. Default value: Off.

    Parameter: Keytab file
    Modifiable: Yes
    Description: Upload the Keytab file. Click Modify Configuration to modify this parameter.

    Note If the volume is already mounted on a client when you click Modify Configuration, you must re-mount the volume for the new configuration to take effect.
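The following PowerShell script is added here as an example; it is not part of the Alibaba Cloud documentation. It runs steps 1 to 3 in one place with the page's values (MYDOMAIN.com, alinas, nas-mount-target.nas.aliyuncs.com) as defaults, prompts for the password instead of placing it on the command line, and checks the SPN and the keytab file before the upload in step 5. The parameter names and the checks are assumptions of this example; dsadd, setspn and ktpass are the tools the steps above use.

```powershell
# Added example, not Alibaba Cloud's own script. Assumes a domain controller or a
# host with the RSAT tools (dsadd, setspn, ktpass) and an account that may create
# users and set SPNs. Default values are the ones used on the page.
param(
    [string]$DomainDn    = "DC=MYDOMAIN,DC=com",                # dsadd DN suffix
    [string]$Realm       = "MYDOMAIN.com",                      # realm in ktpass -princ
    [string]$AccountName = "alinas",                            # NAS service account (step 1)
    [string]$MountTarget = "nas-mount-target.nas.aliyuncs.com", # SMB mount target (step 2)
    [string]$KeytabPath  = "C:\nas-mount-target.keytab"         # ktpass -out path (step 3)
)

$ErrorActionPreference = "Stop"
$spn = "cifs/$MountTarget"

# Step 1: create the service account. "-pwd *" makes dsadd prompt for the password
# so it does not end up in the command line or the PowerShell history.
dsadd user "CN=$AccountName,$DomainDn" -samid $AccountName `
    -display "Alibaba Cloud NAS Service Account" -pwd * -pwdneverexpires yes
if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $AccountName" }

# Step 2: register the SPN. "-S" refuses to add the SPN if another account already
# holds it; a duplicate SPN would make Kerberos authentication to the share fail.
setspn -S $spn $AccountName
if ($LASTEXITCODE -ne 0) { throw "setspn failed; list holders with: setspn -Q $spn" }

# Step 3: generate the keytab. "-pass *" prompts again; enter the same password as
# in step 1, because the keys written to the keytab are derived from it.
ktpass -princ "$spn@$Realm" -ptype KRB5_NT_PRINCIPAL -crypto All `
    -out $KeytabPath -pass *
if ($LASTEXITCODE -ne 0) { throw "ktpass failed" }

# Checks before uploading in step 5: the SPN is on the account and the keytab
# file exists and is not empty.
$registered = (setspn -L $AccountName) -match [regex]::Escape($spn)
if (-not $registered) { throw "SPN $spn not found on $AccountName" }
$keytab = Get-Item $KeytabPath
if ($keytab.Length -eq 0) { throw "keytab at $KeytabPath is empty" }

# The keytab holds the service key; restrict access to it until it is uploaded.
Write-Host "Service account, SPN and keytab ready. Upload $KeytabPath in the NAS console (step 5)."
```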

Result

The mount target of the Alibaba Cloud SMB file system is joined to the AD domain. After that, you can mount the SMB file system on an ECS instance that has joined the AD domain.