This topic describes how to mount a Server Message Block (SMB) file system on a macOS client and access the SMB file system by using the Kerberos protocol.

Prerequisites

Mount the SMB file system on a macOS client

  1. Connect the macOS client to the VPC by using a virtual private network (VPN) gateway. For more information, see Remote access from a Mac client.
    When you create a Secure Sockets Layer (SSL) server, the Classless Inter-Domain Routing (CIDR) blocks of Local Network and Client Subnet cannot overlap with each other. Local Network specifies the CIDR block of the VPC. For more information, see Remote access from a Mac client. You can view the CIDR block on the VPC details page in the VPC console.
  2. Check whether the macOS client can access the mount target of the SMB file system.
    After the VPN gateway is set up between the VPC and the macOS client, run the ping command on the macOS client to ping the domain name of the mount target.
    Note If you cannot ping the domain name of the mount target, run the ping command on an Elastic Compute Service (ECS) instance that resides in the same VPC as the SMB file system. You can then obtain the IP address of the mount target and use the IP address to mount the SMB file system.
  3. Mount the SMB file system on the macOS client.
    • Mount the SMB file system on the macOS client by using graphical user interface (GUI)
      1. In the menu bar of the macOS client desktop, choose Go > Connect to Server.
      2. In the Connect to Server dialog box, enter the domain name of the mount target and click Connect.
      3. In the Connect As section, select Guest, and then click Connect.
      4. In the menu bar of the macOS client desktop, choose Go > Computer. Click the myshare disk to view the SMB file system that is mounted on the macOS client.
        Note After a file system is mounted, the macOS client reads all files that are stored in the file system. The myshare disk may be empty when the macOS client is reading the files. Wait until the read process is complete.
    • Mount the SMB file system on the macOS client by using command line interface (CLI)
      Run the mount_smbfs command to mount the SMB file system. The following code provides an example of the mount_smbfs command:
      mount_smbfs '//guest@nas-mount-point.nas.aliyuncs.com/myshare' /Volumes/myshare/
      nas-mount-point.nas.aliyuncs.com is the domain name of the mount target in the VPC.
      The following figure shows a successful mount.

Access the SMB file system by using the Kerberos protocol

After an SMB file system is mounted on a macOS client based on NT LAN Manager (NTLM), the macOS client has all permissions on the SMB file system by default. To grant different permissions to different users, NAS allows you to authenticate users and control access to SMB file systems based on an Active Directory (AD) domain. You can perform the following steps to control access to the SMB file system based on an AD domain:

  1. Configure an ECS instance as an AD domain controller and set up an AD domain. For more information, see Build an AD domain on a Windows ECS instance.
  2. Join the mount target of the SMB file system to the AD domain. For more information, see Join the mount target of an SMB file system to an AD domain.
  3. Add the CIDR block of the SSL VPN network to a security group of the ECS instance. For more information, see Add security group rules.
    Add rules for the following ports to a security group of the ECS instance. This ensures that the SMB file system can be mounted on the macOS client based on the AD domain.
    • Domain Name System (DNS) port: UDP 53
    • Kerberos port: TCP 88
    • LDAP port: TCP 389
    • LDAP Global Catalog port: TCP 3268
  4. Change the DNS server that the macOS client uses to the AD domain controller.
    1. Run the ipconfig command on the ECS instance to query the internal IP address of the AD domain controller.
    2. In the menu bar of the macOS client desktop, choose Go > Network.
    3. In the Network dialog box, set the DNS server of the macOS client to the internal IP address of the AD domain controller.
  5. Verify the connection between the macOS client and the AD domain.
    On the macOS client, ping the AD domain controller. The following figure shows a successful ping.
  6. Use an AD domain identity to mount the SMB file system on the macOS client by using the Kerberos protocol.
    1. Run the kinit command to verify the security of the AD domain identity. The following code provides an example of the kinit command:
      kinit user@MYDOMAIN.COM
    2. Run the klist command to view the AD domain identity. The following code provides an example of the klist command:
      klist
    3. Run the kinit command to use the AD domain identity to log on to the macOS client. The following code provides an example of the kinit command:
      kinit
    4. Run the mount_smbfs command to mount the SMB file system. The following code provides an example of the mount_smbfs command:
      mount_smbfs //administrator@nas-mount-point.nas.aliyuncs.com/myshare /Volumes/myshare
      Note If the error message "mount_smbfs: server rejected the connection: Authentication error" is returned, run the kinit command to verify the AD domain identity again and then remount the file system.
      The following figure shows a successful mount. After the mount succeeds, run the klist command. Two service principals are returned. The following figure shows an example of the klist output.
      Note SMB access control lists (ACLs) are not displayed on the macOS client. However, when you perform an operation on the SMB file system, the SMB server verifies the ACLs and then allows or denies the operation. You can configure the ACLs of the SMB file system when you mount the SMB file system on the AD domain controller.
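The procedure in step 6 is easy to get wrong by hand: a stale or missing ticket produces the "Authentication error" described above, and a successful mount is only confirmed when klist shows a cifs/ service ticket for the mount target. The following shell script is an added example, not code from the page or from NAS, that automates the sequence with a check at each step. It assumes the principal, mount target, share name and mount point are passed as arguments (the share name myshare and the mount target nas-mount-point.nas.aliyuncs.com are the page's examples), that the macOS nc and klist (Heimdal) tools are in use, and optionally takes the AD domain controller address to pre-check the Kerberos and LDAP ports listed in step 3.

```shell
#!/bin/sh
# Added example: mount an SMB share on macOS with an AD (Kerberos) identity,
# verifying each step instead of assuming it succeeded.
# Usage: ./smb_kerberos_mount.sh user@MYDOMAIN.COM nas-mount-point.nas.aliyuncs.com myshare /Volumes/myshare [dc-address]
# Assumptions: Heimdal klist output format (macOS), nc(1) available, share and
# mount target names are placeholders taken from the page's own examples.
set -eu

# Build the URL that mount_smbfs expects: //user@host/share
smb_url() {
    printf '//%s@%s/%s' "$1" "$2" "$3"
}

# Split principal "user@REALM" into its two parts
principal_user()  { printf '%s' "${1%@*}"; }
principal_realm() { printf '%s' "${1#*@}"; }

# Read klist output on stdin; succeed if a ticket for service $1 in realm $2
# is present (e.g. "krbtgt" for the TGT, "cifs" for the SMB service ticket).
klist_has_service() {
    grep -q "[[:space:]]$1/[^[:space:]]*@$2\$"
}

# Check the TCP ports from step 3 (Kerberos 88, LDAP 389, Global Catalog 3268)
# against the domain controller before attempting the mount.
preflight() {
    dc=$1
    for port in 88 389 3268; do
        if ! nc -z -w 3 "$dc" "$port" >/dev/null 2>&1; then
            echo "TCP port $port on $dc is not reachable; check the security group rules" >&2
            return 1
        fi
    done
}

main() {
    principal=$1; target=$2; share=$3; mountpoint=$4; dc=${5:-}
    user=$(principal_user "$principal")
    realm=$(principal_realm "$principal")

    if [ -n "$dc" ]; then
        preflight "$dc"
    fi

    # Obtain a TGT only if the cache does not already hold one for this realm
    if ! klist 2>/dev/null | klist_has_service krbtgt "$realm"; then
        kinit "$principal"
    fi

    mkdir -p "$mountpoint"
    url=$(smb_url "$user" "$target" "$share")
    errfile=$(mktemp)
    trap 'rm -f "$errfile"' EXIT

    if ! mount_smbfs "$url" "$mountpoint" 2>"$errfile"; then
        if grep -q "Authentication error" "$errfile"; then
            # The page's remedy: re-run kinit and remount
            echo "Authentication error; renewing the Kerberos ticket and retrying" >&2
            kinit "$principal"
            mount_smbfs "$url" "$mountpoint"
        else
            cat "$errfile" >&2
            return 1
        fi
    fi

    # A successful Kerberos mount leaves a cifs/ service ticket in the cache
    if klist 2>/dev/null | klist_has_service cifs "$realm"; then
        echo "mounted $url on $mountpoint with a Kerberos service ticket"
    else
        echo "warning: mounted, but no cifs/ service ticket found; the session may not be Kerberos-authenticated" >&2
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script treats a missing cifs/ service ticket after the mount as a warning rather than silently accepting the share, because that is the condition under which the client may have fallen back to a non-Kerberos session.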