If the workspace in which an Apsara File Storage NAS (NAS) file system is created is an Active Directory (AD) workspace and the NAS file system has the Server Message Block (SMB) access control list (ACL) feature enabled, you can attach the mount target of the NAS file system to the AD domain to authenticate user identities and perform file-level access control as an AD domain user. This topic describes how to configure access control rules and how to attach the mount target of a NAS file system that has the SMB ACL feature enabled to an AD domain.

Prerequisites

A NAS file system has been created in an Active Directory (AD) workspace. For more information about how to create a NAS file system, see Create a NAS file system.

Background information

Before you mount and use a NAS SMB file system as a user of a specific AD domain, you must attach the mount target of the NAS file system that has the SMB ACL feature enabled to the AD domain. To attach the mount target to an AD domain, perform the following operations:
  1. Register the domain name of the mount target of the NAS file system within the AD domain.
  2. Create and upload a keytab file.

Procedure

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, choose Resources > Apsara File Storage NAS.
  4. On the Shared Storage NAS page, find the NAS file system for which you want to configure access control policies and click Access control in the Actions column.
  5. On the Access Control page, complete the configurations.
    1. Read the instructions, log on to the AD server, and then run the commands in PowerShell to generate the keytab file. Then, click Next: Upload Keytab File.
      You can click Download Command File, upload the command file to the AD server, and then copy and run the commands. Sample commands:
      1. Create a service account for NAS in the AD domain.
        dsadd user CN=alinas,DC=edstest,DC=org -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHePaSsWoRd123 -pwdneverexpires yes
      2. Register the domain name of the mount target of the NAS file system.
        setspn -S cifs/0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com alinas

        In the preceding sample command, 0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com indicates the domain name of the mount target of the NAS file system, and alinas indicates the service account created in the previous step.

      3. Create a keytab file for the NAS file system.
        ktpass -princ cifs/0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com@edstest**.org -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123

        In the preceding sample command, 0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com indicates the domain name of the mount target of the NAS file system, edstest**.org indicates the AD domain name, and -out c:\nas-mount-target.keytab specifies that the created keytab file is written to c:\nas-mount-target.keytab on drive C.

    2. Click Select File, upload the created keytab file, and then click Next: Configure Rules.
    3. Confirm the rules and click Close.
      You cannot modify the rules. Take note of the following parameters:
      • Authentication Method: The default value of this parameter is Kerberos.
      • Allow Anonymous Access: The default value of this parameter is Off. With this setting, you cannot mount the NAS file system as the Everyone account by using NT LAN Manager (NTLM) authentication.
        Note: For Linux cloud desktops, NAS file systems can only be anonymously mounted when the file systems are automatically mounted. To mount NAS file systems as a domain user, you must manually mount the file systems.
      • Enable Transmission Encryption: The default value of this parameter is Off, which means that SMB3 encryption is disabled.
      • Deny Unencrypted Clients: The default value of this parameter is Off.
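The three PowerShell commands in step 5 (create the service account, register the SPN, create the keytab), wrapped in one script with error checks and a verification step. This is an added example, not part of the original topic or an Alibaba Cloud tool; it assumes an elevated PowerShell session on the AD server as a domain administrator, and every value passed in is a placeholder you replace with your own.

```powershell
param(
    # Domain name of the NAS mount target, e.g. 0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com (placeholder)
    [Parameter(Mandatory)][string]$MountTarget,
    # Distinguished name of the AD domain, e.g. DC=edstest,DC=org (placeholder)
    [Parameter(Mandatory)][string]$DomainDn,
    # AD domain name used as the realm part of the principal, e.g. edstest**.org (placeholder)
    [Parameter(Mandatory)][string]$Realm,
    [string]$Account    = 'alinas',
    [string]$KeytabPath = 'C:\nas-mount-target.keytab'
)
$ErrorActionPreference = 'Stop'

# Runs a native command and stops the script on a non-zero exit code.
function Invoke-Step([string]$Description, [scriptblock]$Command) {
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed with exit code $LASTEXITCODE" }
}

# Random service-account password instead of the fixed sample value. The same value must be
# given to dsadd and ktpass: ktpass derives the keytab key from it, and that key must match
# the account's real password. The 'Aa1' suffix guarantees AD's complexity categories.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$password  = ([Convert]::ToBase64String($bytes) -replace '[+/=]', '') + 'Aa1'
$spn       = "cifs/$MountTarget"
$principal = "$spn@$Realm"

# Step 1: service account; the password never expires so the keytab does not silently break.
Invoke-Step 'Create service account' {
    dsadd user "CN=$Account,$DomainDn" -samid $Account -display 'Alibaba Cloud NAS Service Account' -pwd $password -pwdneverexpires yes
}
# Step 2: register the mount-target SPN. setspn -S checks the forest for a duplicate SPN first.
Invoke-Step 'Register SPN' { setspn -S $spn $Account }
# Step 3: keytab for the principal, with the same options as the sample command
# (-crypto All; AES256-SHA1 is the narrower value if all clients support it).
Invoke-Step 'Create keytab' {
    ktpass -princ $principal -ptype KRB5_NT_PRINCIPAL -crypto All -out $KeytabPath -pass $password
}

# Verify the SPN is on the account and that the keytab exists, then limit the file, which
# holds the service key, to read-only access for the current user until it is uploaded.
Invoke-Step 'List SPNs on the account' { setspn -L $Account }
if (-not (Test-Path $KeytabPath)) { throw "keytab was not written to $KeytabPath" }
icacls $KeytabPath /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
Write-Host "Keytab ready at $KeytabPath; upload it on the Access Control page, then delete the local copy."
```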

What to do next

Perform the following operations based on the operating system of your cloud desktop:
  • For Windows cloud desktops, NAS file systems can be automatically mounted by domain users. After you configure access control rules, no further actions are required.
  • For Linux cloud desktops, NAS file systems can only be anonymously mounted when the file systems are automatically mounted. After you configure access control rules, you must manually mount NAS file systems to the cloud desktop as a domain user. For more information, see Manually mount a NAS file system to a Linux cloud desktop.