After you add the mount target of a Server Message Block (SMB) file system to an AD domain, you can use AD to authenticate and control user access to the SMB file system. Before you can use an AD identity to mount an SMB file system, you must register a service principal for the SMB file system in the AD domain, create a keytab file, and then upload the file to the NAS console. Then, you can enable the access control list (ACL) feature for the SMB file system.

Prerequisites

An SMB file system is created. For more information, see Create an SMB file system.

Step 1: Create a keytab file

To create a keytab file, use one of the following methods:
  • Automatically create a keytab file.
    1. Log on to the ECS instance on which you want to install Active Directory Domain Services (AD DS) and DNS.
    2. Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:
      Invoke-WebRequest https://code.aliyun.com/nas_team/nas-client-tools/raw/master/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
    3. Run the following command to automatically install AD DS, install DNS, and then create a keytab file:
      .\alinas_smb_windows_inspection.ps1 -MountAddress abcde-123.region-id.nas.aliyuncs.com -ConfigAD $true -Userdomain "example.com" -Username "administrator" -Password "password" -Locale zh-CN
      Notice The first time you start the AD domain after AD DS is installed, the Windows AD server automatically restarts. After the Windows AD server restarts, the system runs the preceding script again to create a keytab file.

      In the preceding command, example.com is the name of the AD domain that you want to build.

  • Manually configure a keytab file.
    1. Make sure that AD DS and DNS are installed and enabled on the domain controller.
    2. Log on to the ECS instance on which the AD domain controller resides.
    3. Open the Command Prompt and run a command that uses the following syntax to create a service account for the SMB file system.
      dsadd user CN=<Name of the service account>,DC=<AD domain name>,DC=com
        -samid <Name of the service account>
        -display <Description of the service account>
        -pwd <Password of the service account>
        -pwdneverexpires yes
      Example:
      dsadd user CN=alinas,DC=EXAMPLE,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHeRd123**** -pwdneverexpires yes
    4. Run a command that uses the setspn -S cifs/<Mount target of an SMB file system> <Name of a service account> syntax to register a service principal for the mount target of the SMB file system, and then add the service principal to AD.
      • Example:
        setspn -S cifs/nas-mount-target.nas.aliyuncs.com alinas
      • Sample responses
        If output similar to the following information appears, the service principal of the SMB file system is added.
    5. Check the setspn configuration on the Windows AD server or a Windows client.
      1. Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:
        Invoke-WebRequest https://code.aliyun.com/nas_team/nas-client-tools/raw/master/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
      2. Check the setspn configuration.
        .\alinas_smb_windows_inspection.ps1 -MountAddress abcde-123.region-id.nas.aliyuncs.com -CheckAD $true -Userdomain "example.com" -Username "administrator" -Password "password" -Locale zh-CN

        In the preceding command, example.com is the name of the AD domain that you want to build.

    6. On the AD domain controller, open the Command Prompt. Then, run a command that uses the following syntax to create a keytab file for the mount target of the SMB file system.
      ktpass
        -princ cifs/<Mount target of the SMB file system>@<AD domain name>
        -ptype KRB5_NT_PRINCIPAL
        -mapuser <Name of the service account>@<AD domain name>
        -crypto All
        -out <Path of the keytab file>
        -pass <Password of the service account>
      Example:
      ktpass -princ cifs/nas-mount-target.nas.aliyuncs.com@EXAMPLE.com -ptype KRB5_NT_PRINCIPAL -mapuser alinas@example.com -crypto All -out c:\nas-mount-target.keytab -pass tHeP****d123
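The manual steps above (create the service account, register the SPN, generate the keytab) as one PowerShell script, added here as an example; it is not part of the NAS documentation or of the alinas inspection tooling. It uses the ActiveDirectory module together with the same setspn and ktpass commands, and adds a duplicate-SPN check before registration, because a duplicate SPN silently breaks Kerberos authentication to the mount target. The account name, domain, mount target and keytab path are constructed placeholders.

```powershell
# Added example: manual keytab procedure with a duplicate-SPN check.
# Run on the AD domain controller as a domain administrator. All values below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'alinas'                              # sAMAccountName of the service account
$DomainDns      = 'example.com'                         # DNS name of the AD domain
$Realm          = $DomainDns.ToUpper()                  # Kerberos realm = upper-case domain name
$MountTarget    = 'nas-mount-target.nas.aliyuncs.com'   # mount target of the SMB file system
$Spn            = "cifs/$MountTarget"
$KeytabPath     = 'C:\nas-mount-target.keytab'
$Password       = Read-Host -Prompt 'Service account password' -AsSecureString

# 1. Stop if the SPN already exists on any account. Kerberos cannot issue a ticket for an SPN
#    that maps to two accounts, which shows up later as a failed mount rather than an error here.
$query = (& setspn -Q $Spn 2>&1 | Out-String)
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn is already registered. Remove the stale registration (setspn -D) first."
}

# 2. Create the service account (equivalent of the dsadd command in the steps above).
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'")) {
    New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
        -UserPrincipalName "$ServiceAccount@$DomainDns" `
        -DisplayName 'Alibaba Cloud NAS Service Account' `
        -AccountPassword $Password -PasswordNeverExpires $true -Enabled $true
}

# 3. Register the SPN (equivalent of setspn -S, which also refuses duplicates).
& setspn -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }

# 4. Generate the keytab. ktpass -mapuser rewrites the account's userPrincipalName to the
#    principal and sets the account password to the value given with -pass, so the same
#    password as in step 2 is passed. -crypto All matches the page; it includes RC4 as well as AES.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& ktpass -princ "$Spn@$Realm" -ptype KRB5_NT_PRINCIPAL -mapuser "$ServiceAccount@$DomainDns" `
    -crypto All -out $KeytabPath -pass $plain
Remove-Variable plain
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 5. Verify: the SPN is on the account and the keytab file was written.
$acct = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames
if ($acct.ServicePrincipalNames -notcontains $Spn) {
    throw "SPN $Spn is not registered on $ServiceAccount"
}
Get-Item $KeytabPath | Select-Object FullName, Length, LastWriteTime
```

The keytab contains the service account's long-term keys, so treat the file like a password: restrict NTFS permissions on it, delete the local copy after uploading it in Step 2, and regenerate the keytab (and re-upload it) whenever the service account's password changes.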

Step 2: Upload the keytab file

In the Apsara File Storage NAS console, upload the keytab file of the service account that you created for the SMB file system.

  1. Log on to the NAS console.
  2. In the left-side navigation pane, choose File System > File System List.
  3. On the File System List page, click the ID of the file system that you want to manage or click Manage.
  4. On the Access Control tab, click On.
  5. In the Enable SMB ACL dialog box, upload the keytab file of the service account that you created for the SMB file system and click OK.
  6. On the Access Control tab, click Modify Configuration.
  7. In the Modify configuration dialog box, configure the parameters. The following table describes the parameters.
    Parameter: Allow Anonymous Access
    Description: Specifies whether to allow anonymous access to the file system. Valid values:
      • On: An account that belongs to the Everyone group can be used to mount the SMB file system based on NT LAN Manager (NTLM). ACLs that are configured for files and directories in the SMB file system remain valid.
      • Off: Anonymous users are not allowed to access the file system. Default value: Off.

    Parameter: Enable Transport Encryption
    Description: Specifies whether to enable the encryption in transit feature for the SMB file system. Valid values:
      • On: Enable the encryption in transit feature for the SMB file system.
      • Off: Disable the encryption in transit feature for the SMB file system. Default value: Off.
      For more information, see In-transit encryption of SMB file systems.

    Parameter: Deny Access from Non-encrypted Clients
    Description: Specifies whether to deny access to the SMB file system from clients that do not support encryption. Valid values:
      • Yes: You can mount the SMB file system only from a compute node for which in-transit encryption is enabled. This means that you can use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption. However, you cannot mount the SMB file system as an anonymous user or from a compute node that does not support in-transit encryption.
      • No: You can mount the SMB file system from all types of compute nodes. However, the in-transit encryption feature can be enabled only if you use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption.

    Parameter: Keytab File
    Description: The keytab file that you want to upload.

    Parameter: Super Admin
    Description: A super admin can manage all files in a directory without the need to modify the existing ACLs. You can grant the super admin permissions to a user or a group. To do so, you must specify the security identifier (SID) of the user or the group, for example, S-1-5-32-544. By default, the parameter is empty.

    Parameter: User Home Directory
    Description: The home directory of each user. For example, if you create a user named A, the file system automatically creates a directory named \home\A when User A logs on to the file system. If the \home\A directory already exists, the file system skips this step. By default, the parameter is empty.
      Notice User A must have the permissions to create folders in the \home directory. Otherwise, the system cannot create the \home\A directory when User A logs on to the system.

    Notice If the SMB file system is mounted on a client, you must remount the SMB file system after you modify one or more of the preceding parameters. This way, the parameters take effect for the service account in the AD domain.
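The Super Admin parameter takes a SID, not an account name. The following function is an added example (not from the NAS documentation) that resolves the user or group names you intend to grant the permissions to into SID strings using the .NET NTAccount translation, and reports whether each SID is a well-known BUILTIN SID such as S-1-5-32-544 or a domain SID. EXAMPLE\nas-admins is a constructed placeholder group name.

```powershell
# Added example: resolve account names to the SID strings expected by the Super Admin parameter.
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string[]]$AccountName)
    foreach ($name in $AccountName) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Cannot resolve '$name': $($_.Exception.Message)"
            continue
        }
        # S-1-5-32-544 (BUILTIN\Administrators) is the page's example; domain users and groups
        # resolve to S-1-5-21-<domain>-<RID> SIDs, which identify a single domain principal.
        [pscustomobject]@{
            Account   = $name
            SID       = $sid
            WellKnown = ($sid -like 'S-1-5-32-*')
        }
    }
}

# Usage: BUILTIN\Administrators resolves on any Windows host; the domain group needs a
# domain-joined host. Copy the SID column into the Super Admin field.
Resolve-AccountSid -AccountName 'BUILTIN\Administrators', 'EXAMPLE\nas-admins'
```

Granting the super admin role to a dedicated domain group rather than a well-known SID keeps the set of accounts that bypass existing ACLs explicit and auditable in AD.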

What to do next

After you add the mount target of the SMB file system to the AD domain, you can use an AD identity to mount and use the SMB file system. For more information, see Mount and use an SMB file system on a Windows client as an AD domain user and Mount and use an SMB file system on a Linux client as an AD domain user.