This topic describes how to mount a Server Message Block (SMB) file system on a Linux client by using an Active Directory (AD) account. This topic also describes how to view and edit the access control lists (ACLs) of files and directories in the SMB file system by using an AD account.

Prerequisites

Background information

Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of an SMB file system to an AD domain, you can specify whether to still allow anonymous access to the SMB file system.
  • If you still allow anonymous access to the SMB file system, you can use an AD account to access the SMB file system based on Kerberos authentication. You can also use an Everyone account to access the SMB file system based on NT LAN Manager (NTLM) authentication.
  • If you no longer allow anonymous access to the SMB file system, you must use an AD account to mount the SMB file system on a Linux client that is authenticated by using Kerberos.
In this example, Ubuntu and CentOS are used.

Method 1: Join a Linux client to an AD domain and mount an SMB file system on the Linux client

  1. Log on to the Linux client.
  2. Join the Linux client to the AD domain.
    • Ubuntu
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo apt-get update
        sudo apt-get -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user
      2. Run the following command to specify a fully qualified domain name (FQDN) for the Linux client:
        sudo hostnamectl set-hostname myubuntu.example-company.com
        In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business requirements.
        After you complete the configuration, run the hostnamectl command to verify the FQDN that is specified for the Linux client.
      3. Configure DNS.
        Run the following commands to disable the automatic update feature of DNS:
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        Add the IP address of the AD server to the /etc/resolv.conf file. Run the ping command to ping the name of the AD server and test the network connectivity.
      4. Run the following command to search for a specified AD domain:
        realm discover <AD domain>
      5. Run the following commands to join the Linux client to the AD domain:
        sudo kinit Administrator@EXAMPLE-COMPANY.COM
        sudo realm join -U Administrator example-company.com
        Run the realm list command. If a result that is similar to the following information appears, the Linux client is joined to the AD domain.
      6. Run the following code to create a home directory for an AD user.
        sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
        Name: activate mkhomedir
        Default: yes
        Priority: 900
        Session-Type: Additional
        Session:
                required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
        EOF
        Run the following command to enable the preceding setting:
        pam-auth-update
        After the setting is enabled, press Up Arrow or Down Arrow to move the cursor, and then press the Spacebar key to add an asterisk (*). Make sure that the activate mkhomedir option is prefixed by an asterisk (*). Press the Tab key until Ok is selected. Then, press the Enter key to complete the setting.
      7. Configure the Linux sssd service.
        Add the krb5_ccname_template=FILE:%d/krb5cc_%U entry to the /etc/sssd/sssd.conf configuration file. This setting makes SSSD store each user's Kerberos credential cache in a file that is named after the user's uid, which is the cache that the CIFS upcall locates by cruid when the file system is mounted with sec=krb5.
        Run the following commands to restart the sssd service and check the service status:
        sudo systemctl restart sssd
        sudo systemctl status sssd
        If a result that is similar to the following information appears, the Linux sssd service is configured.
    • CentOS
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo yum update
        sudo yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python-utils -y
      2. Run the following command to specify an FQDN for the Linux client:
        sudo hostnamectl set-hostname mycentos.example-company.com
        In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business requirements.
        After you complete the configuration, run the hostnamectl command to verify the FQDN that is specified for the Linux client.
      3. Configure DNS.
        Add the IP address of the AD server to the /etc/resolv.conf configuration file and delete the settings of the default DNS server from the file. Run the ping command to ping the name of the AD server and test the network connectivity.
      4. Configure Kerberos.
        Add the following code to the /etc/krb5.conf configuration file.
            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      5. Run the following command to search for the example-company.com AD domain:
        realm discover example-company.com
      6. Run the following command to join the Linux client to the AD domain:
        sudo realm join -U Administrator example-company.com
        Run the realm list command. If a result that is similar to the following information appears, the Linux client is joined to the AD domain.
  3. Run the following id command to query the identity of the AD user:
    id testuser@example-company.com
    If a result that is similar to the following information appears, the AD user is identified.
  4. Grant logon permissions to AD users.
    • Run the following commands to grant specified AD users the permissions to log on to the Linux client:
      sudo realm permit usera1@example-company.com
      sudo realm permit userb1@example-company.com userb2@example-company.com 
    • Run the following commands to grant specified groups the permissions to log on to the Linux client:
      sudo realm permit -g 'Security Users'
      sudo realm permit -g 'Domain Users' 'Domain Admins'
    • Run the following command to grant all users the permissions to log on to the Linux client:
      sudo realm permit --all
    • Run the following command to revoke the permissions to log on to the Linux client from all users:
      sudo realm deny --all
  5. Grant the sudo permissions to an AD user.
    Run the following command to open the sudo configuration file. Then, grant the sudo permissions based on your business requirements.
    sudo vim /etc/sudoers.d/domain_admins
    • Grant the sudo permissions to specified users.
      usera1@example-company.com     ALL=(ALL)   ALL
      userb2@example-company.com     ALL=(ALL)   ALL
    • Grant the sudo permissions to a specified group.
      %admingroupc1@example-company.com     ALL=(ALL)   ALL
    • Grant the sudo permissions to a specified group whose name consists of multiple words.
      %domain\ admins@example-company.com       ALL=(ALL)       ALL
  6. Configure the Secure Shell (SSH) logon setting.
    Open the /etc/ssh/sshd_config SSH configuration file and replace the original SSH logon setting with the following setting:
    PasswordAuthentication yes
    Run the following system-specific command to restart the SSH service:
    • CentOS
      service sshd restart
    • Ubuntu
      service ssh restart
  7. Run the following command to log on to the Linux client as an AD user:
    ssh localhost -l usera1@example-company.com
    If a result that is similar to the following information appears, the logon to the Linux client is successful.
  8. Mount an SMB file system on the Linux client.
    1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
      • Ubuntu
        sudo apt-get install keyutils cifs-utils
      • CentOS
        sudo yum install keyutils cifs-utils
    2. Query the uid and gid of the AD user.
      Run the id command after logon to view the uid and gid. These values are used for the cruid, uid, and gid mount options in the next step.
    3. Run the following command to mount the file system.
      sudo mount -t cifs //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513  --verbose
  9. Enable the automatic mount feature.
    After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
    1. Add the following entry to the /etc/auto.master configuration file.
      /share    /etc/auto.cifs    --timeout=30 --ghost
    2. Modify the content of the /etc/auto.cifs configuration file based on the following example:
      * -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/&
    3. Run the following command to restart the autofs service:
      systemctl restart autofs.service
    4. Check whether the automatic mount feature is enabled as expected.
      For example, you have created the //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1 directory and then granted all users full access permissions on the usera1 directory.

      An AD user logs on to the Linux client and runs the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.

Method 2: Connect a Linux client to an AD server and mount an SMB file system on the Linux client

  1. Log on to the Linux client.
  2. Connect a Linux client to an AD server.
    • Ubuntu
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo apt-get -y install keyutils cifs-utils krb5-user
      2. Configure DNS.
        Run the following commands to disable the automatic update feature of DNS:
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        Add the IP address of the AD server to the /etc/resolv.conf file. Run the ping command to ping the name of the AD server and test the network connectivity.
    • CentOS
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo yum install keyutils cifs-utils krb5-workstation
      2. Configure DNS.
        Add the IP address of the AD server to the /etc/resolv.conf configuration file and delete the settings of the default DNS server from the file. Run the ping command to ping the name of the AD server and test the network connectivity.
      3. Configure Kerberos.
        Add the following code to the /etc/krb5.conf configuration file.
            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  3. Run the following command to obtain the ticket information about the mount target for the SMB file system:
    kinit administrator@EXAMPLE-COMPANY.COM
    klist
  4. Mount an SMB file system on the Linux client.
    1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
      • Ubuntu
        sudo apt-get install keyutils cifs-utils
      • CentOS
        sudo yum install keyutils cifs-utils
    2. Query the uid and gid of the AD user.
      Run the id command after logon to view the uid and gid. These values are used for the cruid, uid, and gid mount options in the next step.
    3. Run the following command to mount the file system.
      sudo mount -t cifs //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513  --verbose
  5. Enable the automatic mount feature.
    After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
    1. Add the following entry to the /etc/auto.master configuration file.
      /share    /etc/auto.cifs    --timeout=30 --ghost
    2. Modify the content of the /etc/auto.cifs configuration file based on the following example:
      * -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/&
    3. Run the following command to restart the autofs service:
      systemctl restart autofs.service
    4. Check whether the automatic mount feature is enabled as expected.
      For example, you have created the //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1 directory and then granted all users full access permissions on the usera1 directory.

      An AD user logs on to the Linux client and runs the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.
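The Kerberos step and the mount step above are identical in Method 1 and Method 2, so one added check covers both. This is example code written for this page, not the project's own tooling: it flags the DES and RC4 enctypes that the krb5.conf fragment enables, emits an AES-only version, and checks a cifs -o option string for the two things a Kerberos mount depends on (sec=krb5 and cruid matching uid). The inputs are copied from the page and are constructed test data.

```python
"""Audit the krb5.conf enctype fragment and the cifs mount options used
in Method 1 and Method 2. Added example, not the project's own code."""
import re

# DES enctypes are disabled in modern Active Directory and RC4 is
# deprecated; only the AES enctypes should be kept.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed from the three lines the procedure adds to /etc/krb5.conf.
KRB5_FRAGMENT = """
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

def parse_enctypes(text):
    """Return {setting: [enctype, ...]} for every *_enctypes line."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+_enctypes)\s*=\s*(.+?)\s*$", line)
        if m:
            result[m.group(1)] = m.group(2).split()
    return result

def weak_enctypes(text):
    """Map each setting to the weak enctypes it enables (empty if clean)."""
    return {k: [e for e in v if e in WEAK_ENCTYPES]
            for k, v in parse_enctypes(text).items()}

def harden(text):
    """Rewrite the fragment with only the non-weak enctypes."""
    return "\n".join(f"{k} = {' '.join(e for e in v if e not in WEAK_ENCTYPES)}"
                     for k, v in parse_enctypes(text).items())

def check_mount_opts(opts):
    """Findings for a cifs -o string: a Kerberos flavour of sec must be
    selected, and the ticket cache is located by cruid, so it must equal uid."""
    kv = dict(p.partition("=")[::2] for p in opts.split(","))
    findings = []
    if kv.get("sec") not in ("krb5", "krb5i", "krb5p"):
        findings.append("sec is not a Kerberos flavour")
    if kv.get("cruid") != kv.get("uid"):
        findings.append("cruid differs from uid")
    if kv.get("vers") == "1.0":
        findings.append("SMB1 (vers=1.0) is deprecated")
    return findings
```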

Use the cifsacl tool to manage the ACLs of an SMB file system

You can run the getcifsacl command to view and the setcifsacl command to modify the ACLs of an SMB file system. The following commands show an example:
getcifsacl /mnt/usera1/
setcifsacl -a "ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI/FULL" /mnt/usera1
In the setcifsacl command, the access control entry (ACE) has the format ACL:SID:type/flags/mask. The preceding example grants the principal that is identified by the SID full control (FULL), and the OI and CI flags make the entry inherit to files and subdirectories.
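The following parser is an added example, not part of the cifs-utils project or this page: it reads getcifsacl-style output in the ACL:SID:type/flags/mask format shown above, builds a validated ACE string for setcifsacl -a, and reports which well-known broad principals (Everyone, Authenticated Users, Users) hold full control, which is the condition the usera1 test directory above is deliberately put in. The sample ACL text is constructed and reuses the SID from the command above.

```python
"""Parse getcifsacl-style output and spot over-broad FULL grants.
Added example; SAMPLE_ACL is constructed test data."""
import re

# Well-known SIDs whose ALLOWED/FULL entries usually deserve review.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(r"^ACL:(?P<sid>S-[\d-]+):(?P<type>[A-Z_]+)/"
                    r"(?P<flags>[^/]*)/(?P<mask>\S+)$")

SAMPLE_ACL = """\
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-21-3076751034-3769290925-1520581464-500
GROUP:S-1-5-21-3076751034-3769290925-1520581464-513
ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI/FULL
ACL:S-1-1-0:ALLOWED/OI|CI/FULL
ACL:S-1-5-11:ALLOWED/0x0/READ
"""

def parse_ace(line):
    """Return a dict for one ACL: line, or raise ValueError if malformed."""
    m = ACE_RE.match(line.strip())
    if not m or not SID_RE.match(m.group("sid")):
        raise ValueError(f"malformed ACE: {line!r}")
    ace = m.groupdict()
    # getcifsacl prints 0x0 when no inheritance flags are set.
    ace["flags"] = [] if ace["flags"] in ("", "0x0") else ace["flags"].split("|")
    return ace

def parse_acl(text):
    """Split getcifsacl output into header fields and a list of ACEs."""
    header, aces = {}, []
    for line in text.splitlines():
        if line.startswith("ACL:"):
            aces.append(parse_ace(line))
        elif ":" in line:
            key, _, value = line.partition(":")
            header[key] = value
    return header, aces

def broad_full_control(text):
    """Names of well-known broad principals that hold ALLOWED/FULL."""
    return [BROAD_SIDS[a["sid"]] for a in parse_acl(text)[1]
            if a["sid"] in BROAD_SIDS and a["type"] == "ALLOWED" and a["mask"] == "FULL"]

def build_ace(sid, mask="FULL", flags=("OI", "CI"), ace_type="ALLOWED"):
    """Build the string that setcifsacl -a expects, validating the SID first."""
    if not SID_RE.match(sid):
        raise ValueError(f"invalid SID: {sid}")
    return f"ACL:{sid}:{ace_type}/{'|'.join(flags) or '0x0'}/{mask}"
```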