This topic describes how to use an Active Directory (AD) account to mount a Server Message Block (SMB) file system of Apsara File Storage NAS on a Windows client. This topic also describes how to use an AD account to view and edit the access control lists (ACLs) of files and directories in the SMB file system.

Prerequisites

The mount target of an SMB file system is joined to an AD domain. For more information, see Join the mount target of an SMB file system to an AD domain.

Background information

Before you join the mount target of an SMB file system to an AD domain, anonymous access is allowed. You must use an Everyone account to mount the SMB file system. After you join the mount target of the SMB file system to the AD domain, you can specify whether to allow anonymous access to the SMB file system.

  • If anonymous access is allowed, you can use an AD account to mount the SMB file system based on Kerberos authentication. You can also use an Everyone account to mount the SMB file system based on NT LAN Manager (NTLM) authentication.
  • If anonymous access is disallowed, you must use an AD account to mount the SMB file system based on Kerberos authentication.
Note The SMB ACL feature is available for SMB file systems only in the following regions: India (Mumbai), China (Hong Kong), China (Shanghai), UK (London), Germany (Frankfurt), China (Chengdu), Australia (Sydney), Indonesia (Jakarta), US (Silicon Valley), US (Virginia), China (Zhangjiakou-Beijing Winter Olympics), China (Hangzhou), China (Hohhot), and China (Beijing). If the SMB ACL feature is not supported in the region where your SMB file system resides, submit a ticket.

Run the commands that are described in this topic in a Windows command-line interface (CLI).

Run the net use command to mount the SMB file system

The following syntax of the net use command is used in Command Prompt:

net use <Target drive letter> <Domain name of the mount target>

The following examples show the net use command:

  • Run the following command to mount an SMB file system that is in the AD domain:

    net use z: \\nas-mount-target.nas.aliyuncs.com\myshare
  • Run the following command to mount an SMB file system that is not in the AD domain:

    net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:MYDOMAIN.com\USERNAME PASSWORD

After you run the net use command to mount the SMB file system, you can access the SMB file system and view the ACLs of files and directories in the SMB file system. However, you cannot edit the ACLs.

Run the mklink command to mount an SMB file system

You can run the mklink command to create a symbolic link on a local disk of a Windows client. The symbolic link points to the mount target of an SMB file system.

Note The mklink command is unavailable in PowerShell. You must run the command in Command Prompt.

The following syntax of the mklink command is used in Command Prompt:

mklink /D <Path of the symbolic link> <Domain name of the mount target>

The following example shows the mklink command:

mklink /D c:\myshare \\nas-mount-target.nas.aliyuncs.com\myshare

By default, only users in the Administrators group can create symbolic links. If you need to use a standard user to create symbolic links, the standard user must be granted the required permissions by an Administrator user.

  1. Use an Administrator account to log on to the Windows client, type secpol.msc in the Start menu, and then press Enter to open the Local Security Policy.
  2. Add the required user to the Create symbolic links permission group.
  3. Log on to the Windows client as the specified user. The permission takes effect after the user logs on, and the user can then create the symbolic link.

The symbolic link enables you to access the SMB file system in the same way that you access a subdirectory on a local disk of the Windows client. Through the symbolic link, you can access the SMB file system and both view and edit the ACLs of files and directories in the SMB file system.

Use the Windows File Explorer to view and edit ACLs

After you create a symbolic link for the mount target of an SMB file system, use the Windows File Explorer to view and edit the ACLs of files and directories.

The following figures show how to use the File Explorer to view and edit the ACLs of files and directories in an SMB file system. After you run the mklink command, a symbolic link myshare is created in the Computer > Local Disk path. Right-click a file in the symbolic link, and click Properties. In the Properties dialog box, click the Security tab to view the ACL of the file. You can click Edit to edit the access control entries (ACEs) in the ACL. You can also click Add to add a new ACE.

If you need to go back to the previous directory, click the Back icon (① in the figure) or the Up icon (② in the figure). However, do not click a section of the path in the path bar (③ in the figure). The following figure shows the positions of ①, ②, and ③.

When you use the File Explorer to access an SMB file system by using a network path such as \\nas-mount-point.nas.aliyuncs.com\myshare rather than a file path such as C:\myshare, an error may occur when you edit ACLs: the SMB file system appears not to be joined to an AD domain because the client cannot determine whether the mount target is joined to the AD domain. This issue occurs if the Remote Procedure Call (RPC) server is unavailable. The following figures show the error messages.


Run the Get-Acl and Set-Acl commands in PowerShell to view and edit ACLs

You can run the Get-Acl and Set-Acl commands in PowerShell to view and edit the ACLs of files and directories in an SMB file system.
  • The following example shows the Get-Acl command:
    # Read the ACL of the directory "dir" and list its access control entries
    $value = Get-Acl dir
    $value.Access
  • The following example shows the Set-Acl command:
    # Apply the ACL that was read from "dir" to ".\dirKid2"
    Set-Acl .\dirKid2 $value
    # Copy the ACL of ".\dirKid1" to ".\dirKid2" in one pipeline
    Get-Acl .\dirKid1 | Set-Acl .\dirKid2

Run the icacls command to view and edit ACLs

You can run the icacls command in Command Prompt to view and edit the ACLs of files and directories in an SMB file system. The following example shows the icacls command:

rem View the current ACL of .\dir0
icacls .\dir0
rem Grant Everyone (SID S-1-1-0) the delete (d) and write DAC (wdac) rights on .\dir0
icacls .\dir0 /grant *S-1-1-0:(d,wdac)
rem View the ACL again to confirm the new access control entry
icacls .\dir0
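The following PowerShell script is an added example that is not part of this topic or of Apsara File Storage NAS. It ties the Get-Acl/Set-Acl section and the icacls section together: it grants an AD group a right on a subdirectory under the symbolic link, lists the resulting ACEs, and then audits the whole share for ACEs that give Everyone (S-1-1-0) the delete or write DAC rights that the icacls example above hands out. The share path C:\myshare, the subdirectory dirKid2, and the group MYDOMAIN\NAS-Editors are assumed placeholders.

```powershell
# Added example, not from the original topic. Assumes the SMB file system is
# reachable through the symbolic link C:\myshare created with mklink and that
# MYDOMAIN\NAS-Editors is a placeholder AD group. Replace these with your values.
param(
    [string]$ShareRoot = 'C:\myshare',
    [string]$Subdir    = 'dirKid2',
    [string]$Identity  = 'MYDOMAIN\NAS-Editors'
)

$target = Join-Path $ShareRoot $Subdir

# 1. Grant the AD group Modify on the subdirectory, inherited by files and subfolders.
$acl  = Get-Acl -Path $target
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# 2. Show the resulting ACEs (the same data as $value.Access in the topic).
(Get-Acl -Path $target).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Audit the tree for Allow ACEs that let Everyone delete objects or change
#    permissions, i.e. the rights that "icacls /grant *S-1-1-0:(d,wdac)" grants.
$risky = [System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions'

Get-ChildItem -Path $ShareRoot -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
                (($_.FileSystemRights -band $risky) -ne 0)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
    } | Format-Table -AutoSize
```

Run the script from the symbolic link path (for example C:\myshare), not from the network path, so that the client can resolve AD identities as described in the File Explorer section.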