:Configure access control rules

If the workspace in which an Apsara File Storage NAS (NAS) file system is created is an Active Directory (AD) workspace and the NAS file system has the Server Message Block (SMB) access control list (ACL) feature enabled, you can attach the mount target of the NAS file system to the AD domain to authenticate user identities and perform file-level access control as an AD domain user. This topic describes how to configure access control rules and how to attach the mount target of a NAS file system that has the SMB ACL feature enabled to an AD domain.

1. Log on to the EDS console.
2. In the top navigation bar, select a region.
3. In the left-side navigation pane, choose Storage > Apsara File Storage NAS.
4. On the Shared Storage NAS page, find the NAS file system for which you want to configure access control policies and click Access control in the Actions column.
5. On the Access Control page, complete the configurations.
   1. Read the instructions, log on to the AD server, and then run a command in PowerShell to obtain the keytab file. Then, click Next: Upload Keytab File.
      You can click Download Command File, upload the command file to the AD server, and then copy and run the command. Sample commands:

      1. Create a service account for NAS in the AD domain.

         dsadd user CN=alinas,DC=edstest,DC=org -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHePaSsWoRd123 -pwdneverexpires yes

      2. Register the domain name of the mount target of the NAS file system.

         setspn -S cifs/0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com alinas

         In the preceding sample command, 0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com indicates the domain name of the mount target of the NAS file system, and alinas indicates the service account created in the previous step.

      3. Create a keytab file for the NAS file system.

         ktpass -princ cifs/0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com@edstest**.org -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123

         In the preceding sample command, 0bf744****-xob**.cn-hangzhou.nas.aliyuncs.com indicates the domain name of the mount target of the NAS file system, edstest**.org indicates the AD domain name, and -out c:\nas-mount-target.keytab indicates that the created keytab file is saved in drive C.

   2. Click Select File, upload the created keytab file, and then click Next: Configure Rules.
   3. Confirm the rules and click Close.
      You cannot modify the rules. Take note of the following parameters:

      • Authentication Method: The default value of this parameter is Kerberos.
      • Allow Anonymous Access: The default value of this parameter is Off. You cannot mount the NAS file system by using Everyone accounts based on NT LAN Manager (NTLM) authentication.
        Note For Linux cloud desktops, NAS file systems can only be anonymously mounted when the file systems are automatically mounted. To mount NAS file systems as a domain user, you must manually mount the file systems.
      • Enable Transmission Encryption: The default value of this parameter is Off. The SMB3 encryption feature is disabled.
      • Deny Unencrypted Clients: The default value of this parameter is Off.