After you add the mount target of a Server Message Block (SMB) file system to an AD domain, you can use AD to authenticate users and control their access to the SMB file system. Before an AD identity can be used to mount the SMB file system, you must register a service principal name (SPN) for the mount target in the AD domain, create a keytab file that contains the keys of that service principal, and upload the file in the NAS console. Then, you can enable the access control list (ACL) feature for the SMB file system.
Prerequisites
An SMB file system is created. For more information, see Create an SMB file system.
Step 1: Create a keytab file
- Automatically create a keytab file.
- Log on to the ECS instance on which you want to install Active Directory Domain Services (AD DS) and DNS.
- Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:
Invoke-WebRequest https://code.aliyun.com/nas_team/nas-client-tools/raw/master/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
- Run the following command to install AD DS and DNS and then create a keytab file:
.\alinas_smb_windows_inspection.ps1 -MountAddress abcde-123.region-id.nas.aliyuncs.com -ConfigAD $true -Userdomain "example.com" -Username "administrator" -Password "password" -Locale zh-CN
In the preceding command, example.com is the name of the AD domain that you want to build, and abcde-123.region-id.nas.aliyuncs.com is the mount target of the SMB file system. The command passes the administrator password in clear text, so it is recorded in the PowerShell command history; clear that history after the script has run.
Notice The first time you start the AD domain after AD DS is installed, the Windows AD server restarts automatically. After the Windows AD server restarts, the system runs the preceding script again to create the keytab file.
- Manually configure a keytab file.
- AD DS and DNS are installed and enabled.
- Log on to the ECS instance on which the AD domain controller resides.
- Open the Command Prompt and run a command that uses the following syntax to create a service account for the SMB file system. The keytab file is later derived from the password of this account, so choose a strong, unique password and keep it for the ktpass step.
dsadd user CN=<Name of the service account>,DC=<AD domain name>,DC=com -samid <Name of the service account> -display <Description of the service account> -pwd <Password of the service account> -pwdneverexpires yes
Example: dsadd user CN=alinas,DC=EXAMPLE,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHeRd123**** -pwdneverexpires yes
- Run a command that uses the following syntax to register a service principal name (SPN) for the mount target of the SMB file system and add it to the service account in AD:
setspn -S cifs/<Mount target of an SMB file system> <Name of a service account>
- Example:
setspn -S cifs/nas-mount-target.nas.aliyuncs.com alinas
- Sample response
setspn -S first checks the forest for an object that already holds the same SPN and refuses to add a duplicate, because Kerberos can map an SPN to only one account. If the command completes without reporting a duplicate and output similar to the following appears, the service principal of the SMB file system is added.
- Example:
- Check the setspn configuration on the Windows AD server or a Windows client.
- Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:
Invoke-WebRequest https://code.aliyun.com/nas_team/nas-client-tools/raw/master/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
- Run the following command to check the setspn configuration:
.\alinas_smb_windows_inspection.ps1 -MountAddress abcde-123.region-id.nas.aliyuncs.com -CheckAD $true -Userdomain "example.com" -Username "administrator" -Password "password" -Locale zh-CN
In the preceding command, example.com is the name of the AD domain that you built, and abcde-123.region-id.nas.aliyuncs.com is the mount target of the SMB file system.
- On the AD domain controller, open the Command Prompt. Then, run a command that uses the following syntax to create a keytab file for the mount target of the SMB file system. The principal name is the SPN followed by @ and the Kerberos realm, which is the AD domain name in uppercase (Kerberos realm names are case-sensitive), and -mapuser binds the principal to the service account that you created.
ktpass -princ cifs/<Mount target of the SMB file system>@<Kerberos realm> -ptype KRB5_NT_PRINCIPAL -mapuser <Name of the service account>@<AD domain name> -crypto All -out <Path of the keytab file> -pass <Password of the service account>
Example: ktpass -princ cifs/nas-mount-target.nas.aliyuncs.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapuser alinas@example.com -crypto All -out c:\nas-mount-target.keytab -pass tHeRd123****
Notice ktpass sets the password of the mapped account to the value of -pass and increments the key version number, so use the password of the service account here. -crypto All writes a key for every encryption type that the domain controller supports, including RC4 and, where enabled, DES; if all parties support AES, use -crypto AES256-SHA1 instead. The keytab file contains the long-term keys of the service account, and anyone who obtains it can impersonate the SMB service, so restrict access to the file on the domain controller.
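The following PowerShell script is added here as a worked example of the manual procedure above (service account, SPN registration, keytab creation) run end to end on the domain controller; it is not part of the Alibaba Cloud NAS documentation or of the alinas_smb_windows_inspection.ps1 script. It goes slightly beyond the steps above: it refuses to register an SPN that another object already holds, requests AES256 keys only instead of -crypto All, and locks down the keytab file. The mount target, domain name, account name and keytab path are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the NAS documentation or from alinas_smb_windows_inspection.ps1.
# Run in an elevated PowerShell session on the AD domain controller. All values are placeholders.
Import-Module ActiveDirectory

$MountTarget = 'abcde-123.region-id.nas.aliyuncs.com'   # assumed mount target of the SMB file system
$Domain      = 'example.com'                              # assumed AD DNS domain name
$Realm       = $Domain.ToUpperInvariant()                 # Kerberos realm is the upper-case domain name
$Account     = 'alinas'                                   # service account (sAMAccountName)
$Spn         = "cifs/$MountTarget"
$KeytabPath  = 'C:\nas-mount-target.keytab'

# Read the service account password interactively instead of placing it on the command line,
# where it would be recorded in the PowerShell command history.
$Secure = Read-Host -Prompt "Password for $Account" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password   # ktpass accepts only clear text

# Create the service account if it does not exist yet (equivalent of the dsadd command above).
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account `
        -DisplayName 'Alibaba Cloud NAS Service Account' `
        -AccountPassword $Secure -Enabled $true -PasswordNeverExpires $true
}
# Let the domain controller issue AES-encrypted service tickets for this account.
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'

# An SPN must map to exactly one account. A duplicate makes the KDC encrypt service tickets
# with the other object's key, and SMB authentication then fails, so stop if one exists.
$Owners  = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)
$Foreign = $Owners | Where-Object { $_.sAMAccountName -ne $Account }
if ($Foreign) {
    throw "SPN $Spn is already registered on $($Foreign.DistinguishedName -join ', '); remove it there first."
}
if ($Owners.Count -eq 0) {
    # Equivalent of setspn -S, which performs the same duplicate check before adding.
    Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn }
}

# Write the keytab. ktpass resets the mapped account's password to -pass and increments the key
# version number, so the keys in the file match the account. AES256-SHA1 is requested instead of
# 'All', which would also write an RC4 key (and DES keys where enabled) into the file.
ktpass -princ "$Spn@$Realm" -mapuser "$Account@$Domain" -ptype KRB5_NT_PRINCIPAL `
       -crypto AES256-SHA1 -out $KeytabPath -pass $Plain
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# The file holds the account's long-term key: drop inherited permissions and grant access to
# Administrators and SYSTEM only, then show what was registered and what the file's ACL is.
icacls $KeytabPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
setspn -L $Account      # expect cifs/<mount target> in the list
icacls $KeytabPath      # expect only Administrators and SYSTEM
```

The duplicate-SPN check is the part of this flow that most often goes wrong in practice: setspn -S performs it for you, but Set-ADUser -ServicePrincipalNames does not, so the script queries AD for the SPN itself before adding it. After the keytab has been uploaded in the NAS console, delete the local file.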
Step 2: Upload the keytab file
In the Apsara File Storage NAS console, upload the keytab file of the service account that you created for the SMB file system. After the upload succeeds, delete the local copy of the file, because it contains the long-term keys of the service account.