By joining the mount target of a Server Message Block (SMB) file system to an Active Directory (AD) domain, you can manage user authentication and file-level access control in the AD domain. To mount and use the SMB file system as an AD domain user, you must register a service principal for the file system in the AD domain, generate a keytab file, and upload it to the NAS console to enable the SMB ACL feature.
Prerequisites
You have created an SMB file system. For more information, see Create an SMB file system.
Step 1: Generate a keytab file
You can generate a keytab file by using one of the following methods:
Automatic generation
1. Log on to the ECS instance that will host the AD domain controller and DNS service.
2. In PowerShell or PowerShell ISE, run the following command to download the script.
   Invoke-WebRequest https://nas-client-tools.oss-cn-hangzhou.aliyuncs.com/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
3. Change the encryption method in the alinas_smb_windows_inspection.ps1 script to -crypto RC4-HMAC-NT (Windows Server 2025 only). This step is required only for Windows Server 2025. If you use an earlier version, skip to step 4.
   - Open the downloaded alinas_smb_windows_inspection.ps1 file in Notepad.
     notepad .\alinas_smb_windows_inspection.ps1
   - Find the line that contains -crypto (typically line 791).
   - Change the encryption method from -crypto All to -crypto RC4-HMAC-NT.
     Before:
     $command = "ktpass -princ cifs/$MountAddress@$domainFullUpper -ptype KRB5_NT_PRINCIPAL -mapuser $SetspnNas@$domainFull -crypto All -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123"
     After:
     $command = "ktpass -princ cifs/$MountAddress@$domainFullUpper -ptype KRB5_NT_PRINCIPAL -mapuser $SetspnNas@$domainFull -crypto RC4-HMAC-NT -out c:\nas-mount-target.keytab -pass tHePaSsWoRd123"
   - Press Ctrl+S to save the file, then close it.
4. Run the following command to automatically install the AD domain controller and DNS service, and generate the keytab file.
   .\alinas_smb_windows_inspection.ps1 -MountAddress file-system-id.region.nas.aliyuncs.com -ConfigAD $true -Userdomain "example.com" -Username "administrator" -Password "password"
   The following list describes the key parameters. Replace the example values with your actual information.
   - file-system-id.region-id.nas.aliyuncs.com: The mount target address of the SMB file system. On the File System List page, click Manage for the target file system, and then go to the Mount & Use page to get the mount target address.
   - example.com: The AD domain that you want to set up.
   - administrator: The name of the AD service account.
   - password: The logon password for the AD service account.
   When you run the script for the first time to install the AD domain service and start the AD domain, the Windows AD server restarts. After the restart, run the script again to complete the keytab generation.
Manual configuration
1. Install and enable the AD domain service and the DNS service.
2. Log on to the ECS instance that hosts the AD domain controller.
3. Open a Command Prompt window and run the following command to create a service account for the SMB file system.
   dsadd user CN=<AD_service_account_name>,DC=<AD_domain_name>,DC=com -samid <AD_service_account_name> -display <user_description> -pwd <user_password> -pwdneverexpires yes
   Example:
   dsadd user CN=alinas,DC=EXAMPLE,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHeRd123**** -pwdneverexpires yes
   If you are logged on as a standard user, an administrator must grant your account read and write permissions on the servicePrincipalName attribute before you can create the service account. To grant these permissions, run the following command:
   dsacls "CN=<AD_service_account_name>,DC=<AD_domain_name>,DC=com" /I:T /G "<AD_service_account_name>:RPWP;servicePrincipalName"
   Example:
   dsacls "CN=alinas,DC=cdbptest01,DC=com" /I:T /G "alinas:RPWP;servicePrincipalName"
   Here, RP is the read permission and WP is the write permission.
4. Run the following command to register a service principal for the mount target of the SMB file system.
   - Run the command:
     setspn -S cifs/<mount_target_address_of_SMB_file_system> <AD_service_account_name>
     Example:
     setspn -S cifs/****-****.cn-hangzhou.nas.aliyuncs.com alinas
     Note:
     - The mount target address is in the format file-system-id.region-id.nas.aliyuncs.com. Replace the placeholders with your actual values. In the Apsara File Storage NAS console, on the File System List page, click Manage for the target file system, and then go to the Mount & Use page to get the mount target address.
     - Do not include the mount directory in the mount target address, such as file-system-id.region.nas.aliyuncs.com/myshare.
   - Sample output
     Output similar to the following indicates that the service principal for the SMB file system mount target was successfully added.
     C:\Users\Administrator>setspn -S cifs/xxx.nas.aliyuncs.com alinas
     Checking domain DC=smb-hk,DC=com
     Registering ServicePrincipalNames for CN=alinas,DC=smb-hk,DC=com
             cifs/xxx.nas.aliyuncs.com
     Updated object

     C:\Users\Administrator>
   - Check the setspn configuration on the Windows AD server or a Windows client. Run the command:
     setspn alinas
     If the output includes the mount target of the file system, setspn is configured correctly on the Windows AD server or Windows client.
     C:\Users\Administrator\Desktop>setspn alinas
     Registered ServicePrincipalNames for CN=alinas,DC=smbmock60,DC=com:
             cifs/xxx.nas.aliyuncs.com
5. On the AD domain controller, open a Command Prompt window and run the following command to generate a keytab file for the mount target of the SMB file system.
   Important: The -princ parameter is case-sensitive, and the value of the <AD_domain> parameter must be in all uppercase.
   - For Windows Server 2022 and earlier
     ktpass -princ cifs/<SMB_file_system_mount_target_address>@<AD_domain> -ptype KRB5_NT_PRINCIPAL -mapuser <AD_service_account_name>@<AD_domain> -crypto All -out <path_of_the_generated_keytab_file> -pass <user_password>
     Example:
     ktpass -princ cifs/****-****.cn-hangzhou.nas.aliyuncs.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapuser alinas@example.com -crypto All -out c:\nas-mount-target.keytab -pass tHeP****d123
   - For Windows Server 2025
     Windows Server 2025 does not support the Data Encryption Standard (DES). Therefore, you must change the -crypto All parameter to -crypto RC4-HMAC-NT when you generate the keytab file.
     ktpass -princ cifs/<SMB_file_system_mount_target_address>@<AD_domain> -ptype KRB5_NT_PRINCIPAL -mapuser <AD_service_account_name>@<AD_domain> -crypto RC4-HMAC-NT -out <path_of_the_generated_keytab_file> -pass <user_password>
     Example:
     ktpass -princ cifs/****-****.cn-hangzhou.nas.aliyuncs.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapuser alinas@example.com -crypto RC4-HMAC-NT -out c:\nas-mount-target.keytab -pass tHeP****d123
   To verify the keytab file, see How do I verify a keytab file?
6. To download the keytab file to a local computer, see Use Workbench to upload, download, or manage files on an ECS instance.
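As an added example that is not part of this page or of the alinas_smb_windows_inspection.ps1 script, the following PowerShell wraps the manual setspn and ktpass steps above with the checks the text calls out: no share path in the mount target, uppercase realm in -princ, -crypto RC4-HMAC-NT on Windows Server 2025, the SPN registered only once, and a keytab file actually written. The parameter names, the default keytab path and the build-number test for Windows Server 2025 are assumptions.

```powershell
# Added example, not the page's own script. Run on the AD domain controller as a user
# allowed to register SPNs and reset the service account password. Names are assumptions.
param(
    [Parameter(Mandatory)][string]$MountTarget,     # file-system-id.region-id.nas.aliyuncs.com
    [Parameter(Mandatory)][string]$Domain,          # example.com
    [Parameter(Mandatory)][string]$ServiceAccount,  # alinas
    [string]$KeytabPath = 'C:\nas-mount-target.keytab'
)

# The SPN must carry the bare mount target: a share path such as /myshare is invalid.
if ($MountTarget -match '[/\\]') { throw "Mount target must not contain a share path: $MountTarget" }

# -princ is case-sensitive and the realm after '@' must be all uppercase.
$realm = $Domain.ToUpperInvariant()
$spn   = "cifs/$MountTarget"

# Windows Server 2025 dropped DES, so '-crypto All' fails there; assumes build 26100+ is Server 2025.
$build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$crypto = if ($build -ge 26100) { 'RC4-HMAC-NT' } else { 'All' }

# Register the SPN only if the account does not already list it; 'setspn -S' additionally
# refuses to add an SPN that another object already holds, since duplicate SPNs break Kerberos.
$registered = setspn $ServiceAccount 2>&1 | Out-String
if ($registered -notmatch [regex]::Escape($spn)) {
    $out = setspn -S $spn $ServiceAccount 2>&1 | Out-String
    if ($out -notmatch 'Updated object') { throw "setspn failed:`n$out" }
}

# ktpass resets the account password and writes the key to the keytab. '-pass *' prompts
# for the password instead of leaving it in shell history and process listings.
ktpass -princ "$spn@$realm" -ptype KRB5_NT_PRINCIPAL -mapuser "$ServiceAccount@$Domain" `
       -crypto $crypto -out $KeytabPath -pass *
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Sanity check before uploading: a keytab written by ktpass starts with the format header 0x05 0x02.
$bytes = [System.IO.File]::ReadAllBytes($KeytabPath)
if ($bytes.Length -lt 2 -or $bytes[0] -ne 5 -or $bytes[1] -ne 2) {
    throw "$KeytabPath does not look like a keytab file"
}
Write-Host "Keytab for $spn@$realm written to $KeytabPath (-crypto $crypto)"
```

The keytab contains the service account's long-term key, so restrict the file's ACL to the account that uploads it and delete the local copy after the upload in Step 2.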
Step 2: Upload the keytab file
In the NAS console, upload the keytab file for the Apsara File Storage NAS service account.
1. Log on to the NAS console.
2. In the left-side navigation pane, choose .
3. On the File System List page, click the ID of the target file system or click Manage in the Actions column.
4. On the Access Control tab, click Enable.
5. In the Enable SMB ACL dialog box, upload the keytab file for the Apsara File Storage NAS service account, and then click OK.
   Note: If a client has already mounted the file system, you must remount it for the changes to take effect.
6. On the Access Control tab, click Modify Configuration.
7. In the Modify Configuration dialog box, configure the parameters as described in the table below.
   Important: Transport encryption is supported only on operating systems that use SMB 3.0 or later. For more information about the supported operating systems, see Client operating systems that support SMB 3.0 and later protocol versions.
   Parameter: allow anonymous access
   Description: Specifies whether to allow anonymous access to the file system. Valid values:
   - Yes: Allows anyone to mount the file system by using NTLM. After mounting, the user identity is Everyone, but the configured ACLs still apply.
   - No (default): Prevents anonymous users from accessing the file system.

   Parameter: enable transport encryption
   Description: Specifies whether to enable transport encryption for the SMB file system. Valid values:
   - Yes: Enables transport encryption for the SMB file system.
   - No (default): Disables transport encryption for the SMB file system.
   For more information, see Transport encryption for SMB file systems.

   Parameter: deny non-encrypted clients
   Description: Specifies the type of client that can access the SMB file system. Valid values:
   - Yes: Only clients with the encryption in transit feature enabled can mount the SMB file system. This means that you can use an AD domain user to mount the SMB file system on a client whose operating system supports the encryption in transit feature. However, you cannot mount the SMB file system as an anonymous user or by using a client that does not support the encryption in transit feature.
   - No: All types of clients can mount the SMB file system. However, the encryption in transit feature can be enabled only if you use an AD domain user to mount the SMB file system on a client whose operating system supports the encryption in transit feature.

   Parameter: keytab file
   Description: Upload the keytab file.

   Parameter: super admin
   Description: A super admin can perform operations on any file in any folder without changing ACLs. You can configure a user or a group as a super admin. The value must be in Security Identifier (SID) format, such as S-1-5-32-544. Default value: empty.

   Parameter: user home directory
   Description: The primary path for each user's home directory. For example, if you set this to \home, the file system automatically creates a \home\A directory when user A logs on. If \home\A already exists, this action is skipped. Default value: empty.
   Important: User A must have permission to create directories in the \home directory. Otherwise, the \home\A directory cannot be created.

   Important: If a client has already mounted the SMB file system, you must remount it for the changes to the AD domain service account to take effect.
Next steps
After joining the SMB file system mount target to the AD domain, you can mount and use the SMB file system as an AD domain user. For more information, see Mount and use an SMB file system as an AD domain user on a Windows client and Mount and use an SMB file system as an AD domain user on a Linux client.