Join the mount target of an SMB file system to an AD domain

Prerequisites

• The Active Directory Domain Services and DNS Server roles are installed and configured. For more information, see Install and configure the Active Directory Services and DNS Server roles.
• An SMB file system is created. For more information, see Create a file system.

Procedure

1. Create a service account for NAS in the AD domain.
   Run the dsadd command to create a service account for NAS in the AD domain. In this example, the name of the service account is alinas. The following syntax of the dsadd command is used in PowerShell:

   dsadd user CN=<Name of the service account>,DC=MYDOMAIN,DC=com
     -samid <Name of the service account>
     -display <Description of the service account>
     -pwd <Password of the service account>
     -pwdneverexpires yes

   The following example shows the dsadd command:

   dsadd user CN=alinas,DC=MYDOMAIN,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHePaSsWoRd123 -pwdneverexpires yes

2. Register the domain name of the mount target for the SMB file system.
   Run the setspn command to register the domain name of the mount target under the service account. The following syntax of the dsadd command is used in PowerShell:

   setspn -S cifs/<Domain name of the mount target> <Name of the service account>

   The following example shows the setspn command:

   setspn -S cifs/nas-mount-target.nas.aliyuncs.com alinas

3. Create a keytab file for the SMB file system.
   Run the ktpass command to create a keytab file for the SMB file system. This file is used by NAS to authenticate users. The following syntax of the ktpass command is used in PowerShell:

   ktpass
     -princ cifs/<Domain name of the mount target>
     -ptype KRB5_NT_PRINCIPAL
     -crypto All
     -out <Path of the keytab file>
     -pass <Password of the service account>

   The following example shows the ktpass command:

   ktpass -princ cifs/nas-mount-target.nas.aliyuncs.com@MYDOMAIN.com -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123

4. Download the keytab file for the SMB file system.
   Find the keytab file in the path that you specified in the ktpass command, and download the file.
5. Upload the keytab file in the NAS console.
   Log on to the NAS console, and choose File System > File System List. On the page that appears, find the target file system, and click the file system ID or Management. On the Access Control tab, select On. In the dialog box that appears, upload the keytab file for the SMB file system.
   After you enable the SMB ACL feature, the following parameters are displayed on the Access Control tab. Click Modify configuration to modify the parameters.

   Parameter	Required	Description
   Authentication method	No	The value is Kerberos.
   Allow anonymous access	Yes	If anonymous access is allowed, an Everyone account can be used to mount the SMB file system based on NT LAN Manager (NTLM) authentication. ACLs that are configured for files and directories in the SMB file system still apply. Default value: Off
   Enable transport encryption	Yes	Specifies whether to enable the SMB3 encryption feature. Default value: Off
   Deny non-encrypted clients	Yes	Specifies whether to deny access from clients that do not support encryption. This parameter is available only when the Enable transport encryption parameter is set to On. Default value: Off
   Keytab file	Yes	The keytab file to upload. You can remove the uploaded keytab file and upload a new keytab file. This parameter is displayed only in the Modify configuration dialog box.

   Note If the file system is already mounted on a client, the modified parameter settings in the Modify configuration dialog box are applied to the client only after the file system is mounted again.