Apsara File Storage NAS:Mount and use an SMB file system on a Linux client as an AD domain user

Last Updated:Jan 17, 2024

This topic describes how to mount a Server Message Block (SMB) file system on a Linux client by using an Active Directory (AD) domain account. This topic also describes how to view and configure the access control lists (ACLs) of files and directories in the SMB file system by using an AD domain account.

Prerequisites

Background information

Until the mount target of an SMB file system is joined to an AD domain, the file system can be mounted and used only as an anonymous user. After you join the mount target to an AD domain, you can choose whether the file system still allows anonymous access:

  • If anonymous access remains enabled, AD domain accounts authenticate to the file system with Kerberos, and an account in the Everyone group can still access the file system over New Technology LAN Manager (NTLM) authentication. Leaving anonymous access on therefore adds Kerberos as an option without enforcing it.

  • If anonymous access is disabled, the file system can be mounted only from a Linux client that authenticates with Kerberos as an AD domain account. Disabling anonymous access is what makes Kerberos mandatory.

In this example, Ubuntu and CentOS are used.

Method 1: Join a Linux client to an AD domain and then mount an SMB file system on the Linux client

  1. Log on to the Linux client.

  2. Join the Linux client to an AD domain.

    • Ubuntu

      1. Run the following commands to install the configuration packages that are required to connect to an AD server:

        sudo apt-get update
        sudo apt-get -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user
      2. Run the following command to give the Linux client a fully qualified name in the AD domain:

        sudo hostnamectl set-hostname myubuntu.example-company.com

        In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business scenario.

        After you complete the configuration, run the hostnamectl command to confirm that the Linux client reports the new name.

      3. Configure DNS.

        1. Run the following commands to stop systemd-resolved so that it no longer manages and overwrites /etc/resolv.conf:

          sudo systemctl disable systemd-resolved
          sudo systemctl stop systemd-resolved

        2. Add the IP address of the AD server as a nameserver in the /etc/resolv.conf file. On Ubuntu, /etc/resolv.conf is usually a symbolic link to a file generated by systemd-resolved; replace the link with a regular file before you edit it, otherwise the change is lost.

        3. Run the ping command against the name of the AD server to confirm that the name resolves through the AD DNS and that the server is reachable.

      4. Run the following command to discover the AD domain and list the packages that are required to join it:

        realm discover <AD domain>

      5. Join the Linux client to the AD domain.

        sudo kinit Administrator@EXAMPLE-COMPANY.COM
        sudo realm join -U Administrator example-company.com

        The realm after the @ sign is the AD domain name in uppercase, as Kerberos expects. Administrator is only an example: any domain account that is allowed to join computers to the domain works, and a dedicated join account with just that right is preferable to a Domain Admin. Run the realm list command afterward. If the domain appears in the output with configured: kerberos-member, the Linux client is joined to the AD domain.

      6. Configure PAM to create a home directory for each AD domain user at first logon.

        1. Run the following commands to configure a home directory:

          sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
          Name: activate mkhomedir
          Default: yes
          Priority: 900
          Session-Type: Additional
          Session:
                  required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
          EOF

        2. Run the following command to enable the preceding setting:

          pam-auth-update

        3. In the dialog box that opens, press the Up Arrow or Down Arrow key to move the cursor to the activate mkhomedir option and press the Spacebar key so that the option is prefixed by an asterisk (*). Press the Tab key until Ok is selected. Then, press the Enter key to complete the setting.

      7. Configure the Linux sssd service.

        1. Add krb5_ccname_template = FILE:%d/krb5cc_%U to the [domain/example-company.com] section of the /etc/sssd/sssd.conf configuration file. This makes sssd store each user's Kerberos ticket in a file cache at a predictable path (%d is the sssd cache directory, /tmp by default, and %U is the user's UID), which is where the cifs.upcall helper looks for the ticket of the user named by the cruid mount option.

        2. Run the following commands to restart the sssd service and check the service status:

          sudo systemctl restart sssd
          sudo systemctl status sssd

          If the status shows active (running), the Linux sssd service is configured.

    • CentOS

      1. Run the following commands to install the configuration packages that are required to connect to an AD server:

        sudo yum update
        sudo yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python-utils -y
      2. Run the following command to give the Linux client a fully qualified name in the AD domain:

        sudo hostnamectl set-hostname mycentos.example-company.com

        In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business scenario.

        After you complete the configuration, run the hostnamectl command to confirm that the Linux client reports the new name.

      3. Configure DNS.

        Add the IP address of the AD server as a nameserver in the /etc/resolv.conf configuration file, and delete the entries for the default DNS server from the file. Then run the ping command against the name of the AD server to confirm that the name resolves through the AD DNS and that the server is reachable.

      4. Configure Kerberos.

        Add the following lines to the [libdefaults] section of the /etc/krb5.conf configuration file:

            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

        These lines widen the set of encryption types the client accepts. rc4-hmac and the two des-cbc types are deprecated and weak: MIT Kerberos has disabled single-DES by default since version 1.8 (it needs allow_weak_crypto = true) and removed it in version 1.18, and RC4 tickets are keyed with the account's NT hash and are far cheaper to crack offline than AES tickets. Keep only the types that your domain controllers and the AD account of the mount target actually require, and prefer an AES-only list where the domain supports it.

      5. Run the following command to discover the AD domain and list the packages that are required to join it:

        realm discover example-company.com

      6. Join the Linux client to the AD domain.

        sudo realm join -U Administrator example-company.com

        Administrator is only an example; any domain account that is allowed to join computers to the domain works. Run the realm list command afterward. If the domain appears in the output with configured: kerberos-member, the Linux client is joined to the AD domain.

  3. Run the following id command to query the identity of the AD domain user:

    id testuser@example-company.com

    If the output shows a UID, a GID, and the user's domain groups, the client resolves AD users through sssd.

  4. Grant logon permissions to AD domain users.

    • Run the following commands to grant specified AD domain users the permissions to log on to the Linux client:

      sudo realm permit usera1@example-company.com
      sudo realm permit userb1@example-company.com userb2@example-company.com 
    • Run the following commands to grant specified groups the permissions to log on to the Linux client:

      sudo realm permit -g 'Security Users'
      sudo realm permit -g 'Domain Users' 'Domain Admins'
    • Run the following command to grant all users the permissions to log on to the Linux client. Every domain account can then log on, so use this only when that is intended:

      sudo realm permit --all
    • Run the following command to revoke the permissions to log on to the Linux client from all users:

      sudo realm deny --all
  5. Grant the sudo permissions to an AD domain user.

    Run the following command to create a drop-in sudoers file. visudo checks the syntax before it saves the file, which matters because a malformed sudoers file locks everyone out of sudo. Then, grant the sudo permissions based on your business requirements.

    sudo visudo -f /etc/sudoers.d/domain_admins
    • Grant the sudo permissions to specified users:

      usera1@example-company.com     ALL=(ALL)   ALL
      userb2@example-company.com     ALL=(ALL)   ALL
    • Grant the sudo permissions to a specified group:

      %admingroupc1@example-company.com     ALL=(ALL)   ALL
    • Grant the sudo permissions to a specified group whose name consists of multiple words:

      %domain\ admins@example-company.com       ALL=(ALL)       ALL
  6. Configure the Secure Shell (SSH) logon setting.

    1. Open the /etc/ssh/sshd_config SSH configuration file and set the following option, replacing any existing PasswordAuthentication line:

      PasswordAuthentication yes

      This lets domain users log on over SSH with their AD passwords, which also exposes those accounts to password guessing from anywhere the SSH port is reachable. Restrict who may log on with an AllowUsers or AllowGroups directive, keep the SSH port reachable only from trusted networks, or set GSSAPIAuthentication yes so that users authenticate with their Kerberos ticket instead of a password.
    2. Run the following system-specific command to restart the SSHD service:

      • CentOS

        sudo service sshd restart
      • Ubuntu

        sudo service ssh restart
  7. Run the following command to log on to the Linux client as an AD domain user:

    ssh localhost -l usera1@example-company.com

    If you receive a shell prompt after entering the user's AD password, the logon is successful and pam_mkhomedir has created the user's home directory.

  8. Mount an SMB file system on the Linux client.

    1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:

      • Ubuntu

        sudo apt-get install keyutils cifs-utils
      • CentOS

        sudo yum install keyutils cifs-utils
    2. Determine the UID and GID of the AD domain user.

      After you log on as the AD domain user, run the id command and note the UID and GID that sssd assigned to the user.

    3. Run the following command to mount the file system:

      sudo mount -t cifs //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513  --verbose

      In the preceding command, 205dee4****-uub48.us-west-1.nas.aliyuncs.com specifies the domain name of the mount target of the file system. Replace it based on your business requirements. sec=krb5 forces Kerberos authentication. cruid is the UID of the user whose Kerberos ticket cifs.upcall uses to authenticate the SMB session, and uid and gid are the local owner and group that files on the share are presented with. Set all three to the values you recorded with the id command; the numbers in the example are sssd-assigned IDs and differ in every environment.

      Note

      If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, change vers=2.1 in the preceding command to vers=3.0.

  9. Enable the automatic mount feature.

    After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.

    1. Add the following entry to the /etc/auto.master configuration file:

      /share    /etc/auto.cifs    --timeout=30 --ghost
    2. Modify the content of the /etc/auto.cifs configuration file based on the following example:

      * -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/&

      The following list describes the key parameters. Replace the parameter values based on your business requirements.

      • cruid and uid: the UID of the user. autofs expands ${UID} to the UID of the user whose access triggers the mount; if you replace the variable with a fixed value, use the UID of usera1.

      • gid: the group ID, expanded from ${GID} in the same way; a fixed value would be the primary GID of usera1.

      • file_mode and dir_mode: the permission bits that files and directories are shown with locally. 0700 keeps the mounted tree private to the owning user.

      • The trailing &: replaced by the name of the subdirectory that was accessed under /share, so /share/usera1 maps to myshare/usera1 on the file system.

      • 205dee4****-uub48.us-west-1.nas.aliyuncs.com: the domain name of the mount target of the file system.

        To obtain the domain name of the mount target of a file system, log on to the NAS console. On the File System List page, find the file system that you want to view, and in the Mount Target column move the pointer over the mount target to display its domain name.

    3. Run the following command to restart the autofs service:

      sudo systemctl restart autofs.service
    4. Check whether the automatic mount feature is enabled as expected.

      For example, create a directory named //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1, and grant all users full access permissions on the usera1 directory. Granting everyone full control is only for this check; tighten the ACL afterward.

      Log on to the Linux client as an AD domain user and run the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.

Method 2: Connect a Linux client to an AD server and then mount an SMB file system on the Linux client

  1. Log on to the Linux client.

  2. Connect a Linux client to an AD server.

    • Ubuntu

      1. Run the following command to install the packages that are required to connect to an AD server. The krb5-user package prompts for the default Kerberos realm during installation; enter the AD domain name in uppercase (for example, EXAMPLE-COMPANY.COM):

        sudo apt-get -y install keyutils cifs-utils krb5-user
      2. Configure DNS.

        1. Run the following commands to stop systemd-resolved so that it no longer manages and overwrites /etc/resolv.conf:

          sudo systemctl disable systemd-resolved
          sudo systemctl stop systemd-resolved

        2. Add the IP address of the AD server as a nameserver in the /etc/resolv.conf file. On Ubuntu, /etc/resolv.conf is usually a symbolic link to a file generated by systemd-resolved; replace the link with a regular file before you edit it, otherwise the change is lost.

        3. Run the ping command against the name of the AD server to confirm that the name resolves through the AD DNS and that the server is reachable.

    • CentOS

      1. Run the following commands to install the configuration packages that are required to connect to an AD server:

        sudo yum install keyutils cifs-utils krb5-workstation
      2. Configure DNS.

        Add the IP address of the AD server as a nameserver in the /etc/resolv.conf configuration file, and delete the entries for the default DNS server from the file. Then run the ping command against the name of the AD server to confirm that the name resolves through the AD DNS and that the server is reachable.

      3. Configure Kerberos.

        Add the following lines to the [libdefaults] section of the /etc/krb5.conf configuration file:

            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

        These lines widen the set of encryption types the client accepts. rc4-hmac and the two des-cbc types are deprecated and weak: MIT Kerberos has disabled single-DES by default since version 1.8 (it needs allow_weak_crypto = true) and removed it in version 1.18, and RC4 tickets are keyed with the account's NT hash and are far cheaper to crack offline than AES tickets. Keep only the types that your domain controllers and the AD account of the mount target actually require, and prefer an AES-only list where the domain supports it.

  3. Obtain a Kerberos ticket for the mount in a local user's credential cache.

    1. Run the following commands to create a local user named usera1 and show the UID and GID of the local user. Record both values; they become the cruid, uid, and gid mount options.

      sudo useradd usera1
      sudo su - usera1
      id

    2. As that local user, run the following commands to obtain a Kerberos ticket-granting ticket for the AD domain account and to verify it:

      kinit administrator@EXAMPLE-COMPANY.COM
      klist

      kinit writes the ticket to the default credential cache of usera1, which is what cifs.upcall reads when the mount specifies cruid with usera1's UID. administrator is only an example; use a domain account that has no more access than the share requires. The ticket expires after the lifetime shown by klist (typically a few hours); after that, new mounts fail and the client cannot re-authenticate after a reconnection, so re-run kinit, renew the ticket with kinit -R within its renewable lifetime, or obtain tickets from a keytab (kinit -k -t) on a schedule.

  4. Mount an SMB file system on the Linux client.

    1. If you did not install the tool kit in step 2, run the following system-specific command to install the packages that are required to mount the SMB file system:

      • Ubuntu

        sudo apt-get install keyutils cifs-utils
      • CentOS

        sudo yum install keyutils cifs-utils
    2. Run the following command to mount the file system:

      sudo mount -t cifs //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=1004,uid=1004,gid=1004  --verbose

      In the preceding command, 205dee4****-uub48.us-west-1.nas.aliyuncs.com specifies the domain name of the mount target of the file system. Replace it based on your business requirements. 1004 stands for the UID and GID of usera1 that you recorded in step 3: cruid tells cifs.upcall which user's credential cache holds the Kerberos ticket, and uid and gid set the local owner and group of the mounted files.

      Note

      If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, replace vers=2.1 in the preceding command with vers=3.0.

  5. Enable the automatic mount feature.

    After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.

    1. Add the following entry to the /etc/auto.master configuration file:

      /share    /etc/auto.cifs    --timeout=30 --ghost
    2. Modify the content of the /etc/auto.cifs configuration file based on the following example:

      * -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/&

      The following list describes the key parameters. Replace the parameter values based on your business requirements.

      • cruid and uid: the UID of the user. autofs expands ${UID} to the UID of the user whose access triggers the mount; because only the local user usera1 holds a Kerberos ticket in this method, either access the mount as usera1 or replace the variable with usera1's UID.

      • gid: the group ID, expanded from ${GID} in the same way; a fixed value would be the primary GID of usera1.

      • file_mode and dir_mode: the permission bits that files and directories are shown with locally. 0700 keeps the mounted tree private to the owning user.

      • The trailing &: replaced by the name of the subdirectory that was accessed under /share, so /share/usera1 maps to myshare/usera1 on the file system.

      • 205dee4****-uub48.us-west-1.nas.aliyuncs.com: the domain name of the mount target of the file system.

        To obtain the domain name of the mount target of a file system, log on to the NAS console. On the File System List page, find the file system that you want to view, and in the Mount Target column move the pointer over the mount target to display its domain name.

    3. Run the following command to restart the autofs service:

      sudo systemctl restart autofs.service
    4. Check whether the automatic mount feature is enabled as expected.

      For example, create a directory named //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1, and grant all users full access permissions on the usera1 directory. Granting everyone full control is only for this check; tighten the ACL afterward.

      Log on to the Linux client as usera1 and run the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.
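The enctype lines that both methods add to /etc/krb5.conf accept RC4 and single-DES alongside AES. The following fragment is an added example, not part of the original page: it shows the page's setting as written and, beside it, an AES-only version. The [libdefaults] section name is the standard MIT Kerberos location for these keys; whether your domain controllers and the AD account of the mount target have AES keys is an assumption you must confirm in your own domain.

```ini
# Added example: /etc/krb5.conf enctype settings, page version vs. hardened.
[libdefaults]
    # As given on the page. rc4-hmac and the des-cbc types are deprecated
    # (RFC 6649 for DES, RFC 8429 for RC4). MIT Kerberos refuses single-DES
    # unless allow_weak_crypto = true and dropped it entirely in 1.18; RC4
    # tickets are keyed with the account's NT hash and crack far faster
    # offline than AES tickets. Listed here commented out for comparison.
    ;default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;permitted_enctypes   = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    # Hardened: AES only. Assumes the domain controllers and the mount
    # target's AD account hold AES keys (Windows Server 2008 and later
    # domains issue them by default). If kinit or the mount then fails with
    # an "encryption type not supported" error, add rc4-hmac back as a
    # temporary measure, but never the DES types.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

After changing the file, run kinit and klist again: the Etype line that klist -e prints for the ticket shows which type was negotiated, and should read aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96.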
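Both Method 1 and Method 2 end with the same mount command, with cruid, uid, and gid copied by hand and vers switched manually when transport encryption is on. The script below is an added example, not tooling from the page or from Alibaba Cloud: it derives the three IDs from the account that holds the ticket, checks that a valid ticket exists before calling mount, and refuses any option set that is not sec=krb5 or that uses vers=2.1 while encryption is required. The function names are mine; the mount target host in the usage comment is the placeholder from the page, and usera1 and the assumption that the caller has sudo come from the procedure above.

```shell
#!/bin/sh
# Added example; not part of the Alibaba Cloud page or of cifs-utils.
# Mount an Apsara File Storage NAS SMB share with Kerberos, deriving
# cruid/uid/gid from the ticket-holding account instead of copying numbers,
# and refusing option sets that would fall back to NTLM or plaintext.
# Assumes cifs-utils and the Kerberos client tools are installed and the
# account already holds a ticket (sssd logon in Method 1, kinit in Method 2).
set -eu

# Build the option string for a Kerberos-authenticated CIFS mount.
# $1 = account whose credential cache cifs.upcall reads (becomes cruid) and
#      that owns the files locally (uid/gid); $2 = SMB dialect, 2.1 or 3.0
#      (default 3.0).
build_cifs_opts() {
    local user="$1" vers="${2:-3.0}" uid gid
    uid=$(id -u "$user")
    gid=$(id -g "$user")
    printf 'vers=%s,sec=krb5,cruid=%s,uid=%s,gid=%s' "$vers" "$uid" "$uid" "$gid"
}

# Reject option strings that weaken the session: a sec= value other than the
# Kerberos variants, or a dialect below 3.0 when the file system has Enable
# Transport Encryption turned on. $1 = option string, $2 = yes|no (default no).
# Returns 0 when the options are acceptable, 1 otherwise.
check_cifs_opts() {
    local opts=",$1," encrypt="${2:-no}"
    case "$opts" in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) ;;
        *) echo "refusing mount: sec= must be krb5 (NTLM or anonymous fallback)" >&2; return 1 ;;
    esac
    if [ "$encrypt" = yes ]; then
        case "$opts" in
            *,vers=3.0,*|*,vers=3.1.1,*) ;;
            *) echo "refusing mount: transport encryption needs vers=3.0 or later" >&2; return 1 ;;
        esac
    fi
}

# Confirm the cruid user holds an unexpired ticket before calling mount;
# otherwise cifs.upcall fails and mount reports only "Permission denied".
# klist -s is silent and exits 0 only when the default cache is valid.
have_ticket() {
    sudo -u "$1" klist -s
}

# Mount the share. $1 = mount target domain name, $2 = share, $3 = mount
# point, $4 = ticket-holding user (default: the invoking user), $5 = yes when
# Enable Transport Encryption is on for the file system (default no).
mount_smb_krb5() {
    local host="$1" share="$2" mnt="$3" user="${4:-${SUDO_USER:-$(id -un)}}" encrypt="${5:-no}" vers=2.1 opts
    [ "$encrypt" = yes ] && vers=3.0
    opts=$(build_cifs_opts "$user" "$vers")
    check_cifs_opts "$opts" "$encrypt"
    have_ticket "$user" || { echo "no valid Kerberos ticket for $user; run kinit first" >&2; return 1; }
    sudo mount -t cifs "//$host/$share" "$mnt" -o "$opts" --verbose
}

# Usage (the host is the placeholder from the page; replace it with your own
# mount target):
#   sh mount_smb_krb5.sh 205dee4****-uub48.us-west-1.nas.aliyuncs.com myshare /mnt usera1 yes
if [ "$#" -ge 3 ]; then
    mount_smb_krb5 "$@"
fi
```

The option check is deliberately strict: mount.cifs will happily negotiate sec=ntlmssp if asked, and on a file system that still allows anonymous access that succeeds silently as Everyone, which is exactly the downgrade the AD join is meant to prevent.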

Use the cifsacl tool to manage the ACLs of an SMB file system

You can run the getcifsacl and setcifsacl commands from cifs-utils to view and change the Windows ACLs of files and directories in the SMB file system. The commands act through the mounted session, so they run with the AD identity whose ticket authenticated the mount. Examples:

getcifsacl usera1/

The output lists the owner SID, the group SID, and one line per access control entry in the form ACL:<SID>:<type>/<flags>/<mask>.

sudo setcifsacl -a "ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI|I/FULL" usera1/

The -a option adds an entry. In the example, the SID ends in RID 513, which is the Domain Users group of that domain; ALLOWED grants rather than denies; OI|CI|I marks the entry as object-inherit and container-inherit, so new files and subdirectories inherit it, and as itself inherited; FULL grants full control. Full control includes changing the ACL and taking ownership, so granting it to Domain Users lets every domain account rewrite the directory's permissions. Prefer READ or CHANGE for broad groups and reserve FULL for the owner and administrators. Run getcifsacl again after the change to verify the result.
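The getcifsacl output described above is what you would audit before and after a setcifsacl change. The script below is an added example, not part of the page or of cifs-utils: it parses getcifsacl output and reports every entry that grants FULL or CHANGE to a broad principal (Everyone, Authenticated Users, BUILTIN\Users, or a domain's Domain Users group, RID 513). The sample output is constructed; its domain SID is the one from the page's setcifsacl example, while the owner RID 1103 and the Everyone and Authenticated Users entries are made up for the demonstration. Function names are mine.

```shell
#!/bin/sh
# Added example; not part of the Alibaba Cloud page or of cifs-utils.
# Audit getcifsacl output for access control entries that give broad
# principals FULL or CHANGE access. Against a live mount:
#   getcifsacl /share/usera1 | risky_aces -
set -eu

# Well-known SIDs that amount to "everybody":
#   S-1-1-0       Everyone
#   S-1-5-11      Authenticated Users
#   S-1-5-32-545  BUILTIN\Users
#   <domain>-513  Domain Users (RID 513 of any domain SID)
# Prints "<SID> <mask> <flags>" for each matching ACE. $1 = file, or - for stdin.
risky_aces() {
    awk -F: '
        $1 == "ACL" {
            sid = $2
            n = split($3, p, "/")      # TYPE/FLAGS/MASK, e.g. ALLOWED/OI|CI|I/FULL
            if (n != 3) next
            type = p[1]; flags = p[2]; mask = p[3]
            broad = (sid == "S-1-1-0" || sid == "S-1-5-11" || sid == "S-1-5-32-545" || sid ~ /-513$/)
            if (type == "ALLOWED" && broad && (mask == "FULL" || mask == "CHANGE"))
                print sid, mask, flags
        }' "$1"
}

# Number of risky entries; 0 means broad groups hold at most READ.
count_risky() {
    risky_aces "$1" | wc -l | tr -d ' '
}

# Constructed sample in getcifsacl's output format. The domain SID is the one
# from the page's setcifsacl example; the rest of the entries are invented.
SAMPLE_ACL=$(mktemp)
trap 'rm -f "$SAMPLE_ACL"' EXIT
cat > "$SAMPLE_ACL" <<'EOF'
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3076751034-3769290925-1520581464-1103
GROUP:S-1-5-21-3076751034-3769290925-1520581464-513
ACL:S-1-5-21-3076751034-3769290925-1520581464-1103:ALLOWED/0x0/FULL
ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI|I/FULL
ACL:S-1-1-0:ALLOWED/OI|CI/FULL
ACL:S-1-5-11:ALLOWED/OI|CI/READ
EOF

# Flags the Domain Users and Everyone FULL entries; the owner's FULL and the
# Authenticated Users READ entry are left alone. To narrow a flagged entry in
# place, modify it with setcifsacl -M, for example:
#   sudo setcifsacl -M "ACL:S-1-1-0:ALLOWED/OI|CI/READ" /share/usera1
risky_aces "$SAMPLE_ACL"
```

Run the audit once more after the setcifsacl change; an empty result means no broad principal can write to or re-permission the directory.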