After you add the mount target of a Server Message Block (SMB) file system to an AD domain, you can use AD to authenticate and control user access to the SMB file system. Before you can use an AD identity to mount an SMB file system, you must register a service principal for the SMB file system in the AD domain, create a keytab file, and then upload the file to the NAS console. Then, you can enable the access control list (ACL) feature for the SMB file system.

Prerequisites

An SMB file system is created. For more information, see Create an SMB file system.

Step 1: Create a keytab file

To create a keytab file, use one of the following methods:

Automatically create a keytab file

  1. Log on to the ECS instance on which you want to install Active Directory Domain Services (AD DS) and DNS.
  2. Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:
    Invoke-WebRequest https://nas-client-tools.oss-cn-hangzhou.aliyuncs.com/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
  3. Run the following command to automatically install AD DS, install DNS, and then create a keytab file:
    .\alinas_smb_windows_inspection.ps1 -MountAddress abcde-file-system-id.region.nas.aliyuncs.com -ConfigAD $true -Userdomain "example.com" -Username "administrator" -Password "password" -Locale zh-CN
    The following list describes the required fields. Replace the values of these fields with the actual values.
    • abcde-file-system-id.region.nas.aliyuncs.com: the mount target of the SMB file system.
    • example.com: the name of the AD domain that you want to build.
    • administrator: the name of the AD service account.
    • password: the password of the AD service account.
    Important The first time you start the AD domain after AD DS is installed, the Windows AD server automatically restarts. After the Windows AD server restarts, the system runs the preceding script again to create a keytab file.

Manually configure a keytab file

  1. Install and enable AD DS and DNS.
  2. Log on to the ECS instance on which the AD domain controller resides.
  3. Open the Command Prompt and run the following command to create an AD service account for the SMB file system:
    dsadd user CN=<Name of the AD service account>,DC=<AD domain name>,DC=com
      -samid <Name of the AD service account>
      -display <Display name of the AD service account>
      -pwd <Password of the AD service account>
      -pwdneverexpires yes
    Example:
    dsadd user CN=alinas,DC=EXAMPLE,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHeRd123**** -pwdneverexpires yes
  4. Run the following command to register a service principal for the mount target of the SMB file system and add the service principal to AD:
    • Command syntax
      setspn -S cifs/<Mount target of the SMB file system> <Name of the AD service account>

      Example:

      setspn -S cifs/29fe7f4****-****.cn-wulanchabu.nas.aliyuncs.com alinas
    • Sample command output:
      If output similar to the following appears, the service principal of the SMB file system has been added. (The original page shows a screenshot of the setspn output here.)
  5. Check the setspn configuration on the Windows AD server or a Windows client.
    1. Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:
      Invoke-WebRequest https://nas-client-tools.oss-cn-hangzhou.aliyuncs.com/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
    2. Check the setspn configuration.
      .\alinas_smb_windows_inspection.ps1 -MountAddress abcde-file-system-id.region.nas.aliyuncs.com -CheckAD $true -Userdomain "example.com" -Username "administrator" -Password "password" -Locale zh-CN
      The following list describes the required fields. Replace the values of these fields with the actual values.
      • abcde-file-system-id.region.nas.aliyuncs.com: the mount target of the SMB file system.
      • example.com: the name of the AD domain that you want to build.
      • administrator: the name of the AD service account.
      • password: the password of the AD service account.
  6. On the AD domain controller, open the Command Prompt. Then, run the following command to create a keytab file for the mount target of the SMB file system:
    ktpass
      -princ cifs/<Mount target of the SMB file system>@<AD domain name>
      -ptype KRB5_NT_PRINCIPAL
      -crypto All
      -out <Path of the keytab file>
      -mapuser <Name of the AD service account>@<AD domain name>
      -pass <Password of the AD service account>
    Example:
    ktpass -princ cifs/file-system-id.region.nas.aliyuncs.com@EXAMPLE.com -ptype KRB5_NT_PRINCIPAL -mapuser alinas@example.com -crypto All -out c:\nas-mount-target.keytab -pass tHeP****d123
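    Before you upload the file that ktpass writes, it is worth inspecting it: the keytab should contain exactly the cifs/<mount target>@<realm> principal named in the -princ option, every entry should carry the same key version number (KVNO), and because "-crypto All" can write RC4 and DES keys alongside AES, you should know which encryption types you are about to upload. The following script is an added example, not Alibaba Cloud code or part of the alinas tooling. It assumes the MIT keytab file format (version 0x0502) that ktpass produces; the mount target, realm, key bytes and the sample keytab itself are constructed for the example, and a real file such as c:\nas-mount-target.keytab can be checked by passing its path as the first argument.

```python
"""Inspect a keytab before uploading it to the NAS console.

Added example, not Alibaba Cloud code. Assumes the MIT keytab file format
(version 0x0502) that ktpass writes. The sample keytab, mount target, realm
and key bytes below are constructed so the script runs offline.
"""
import struct
import sys
import time

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4: flag them if "-crypto All" emitted them
KRB5_NT_PRINCIPAL = 1        # the name type that "-ptype KRB5_NT_PRINCIPAL" sets

# Constructed placeholders matching the page's ktpass example.
MOUNT_TARGET = "file-system-id.region.nas.aliyuncs.com"
REALM = "EXAMPLE.COM"


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples into keytab bytes.

    Used here only to construct sample input; on the AD server ktpass does this.
    """
    out = bytearray(b"\x05\x02")                      # file format version 0x0502
    for realm, components, kvno, enctype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)   # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per entry: principal, name_type, kvno, enctype, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; 0 means "use vno8"
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key)})
    return entries


def check_keytab(data: bytes, mount_target: str, realm: str):
    """Check that the keytab holds only cifs/<mount target>@<realm> and report weak keys."""
    expected = "cifs/%s@%s" % (mount_target, realm)
    entries = parse_keytab(data)
    findings = []
    matching = [e for e in entries if e["principal"].lower() == expected.lower()]
    if not matching:
        findings.append("missing principal %s" % expected)
    if len({e["kvno"] for e in matching}) > 1:
        findings.append("entries for %s carry different kvno values" % expected)
    for e in entries:
        if e["principal"].lower() != expected.lower():
            findings.append("unexpected principal %s" % e["principal"])
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append("%s has name type %d, expected KRB5_NT_PRINCIPAL"
                            % (e["principal"], e["name_type"]))
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s"
                            % (ENCTYPE_NAMES[e["enctype"]], e["principal"]))
    return {"entries": entries, "findings": findings}


# Constructed sample: what "-crypto All" can leave in the file (dummy key bytes).
SPN = ["cifs", MOUNT_TARGET]
SAMPLE_KEYTAB = build_keytab([
    (REALM, SPN, 3, 18, bytes(range(32))),   # aes256-cts-hmac-sha1-96
    (REALM, SPN, 3, 17, bytes(range(16))),   # aes128-cts-hmac-sha1-96
    (REALM, SPN, 3, 23, bytes(range(16))),   # rc4-hmac, flagged as weak
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    report = check_keytab(blob, MOUNT_TARGET, REALM)
    for e in report["entries"]:
        print("%s kvno=%d %s" % (e["principal"], e["kvno"],
                                 ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    for f in report["findings"]:
        print("WARNING:", f)
```

    Run without arguments it reports the three constructed entries and warns about the rc4-hmac key; run as python check_keytab.py c:\nas-mount-target.keytab (with MOUNT_TARGET and REALM set to your values) it checks the file ktpass wrote. A stray principal or a mixed KVNO in the keytab means the file was generated against the wrong account or an outdated password and will not let the file system validate tickets for the mount target.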

Step 2: Upload the keytab file

In the Apsara File Storage NAS console, upload the keytab file of the AD service account that you created for the SMB file system.

  1. Log on to the NAS console.
  2. In the left-side navigation pane, choose File System > File System List.
  3. On the File System List page, click the ID of the file system that you want to manage or click Manage in the Actions column.
  4. On the Access Control tab, click On.
  5. In the Enable SMB ACL dialog box, upload the keytab file of the AD service account that you created for the SMB file system and click OK.
    Figure: Enable the ACL feature for the SMB file system
  6. On the Access Control tab, click Modify Configuration.
  7. In the Modify Configuration dialog box, configure the parameters. The following list describes the parameters.
    Figure: Modify the ACL feature for the SMB file system
    Important The encryption in transit feature can be enabled only for operating systems that support SMB 3.0 or later. For more information about the operating systems that support SMB 3.0 or later, see In-transit encryption of SMB file systems.
    Allow Anonymous Access
      Specifies whether to allow anonymous access to the file system. Valid values:
      • On: An account that belongs to the Everyone group can be used to mount the SMB file system based on NT LAN Manager (NTLM). ACLs that are configured for files and directories in the SMB file system remain valid.
      • Off (default value): Anonymous users are not allowed to access the file system.
    Enable Encryption in Transit
      Specifies whether to enable the encryption in transit feature for the SMB file system. Valid values:
      • On: enables the encryption in transit feature for the SMB file system.
      • Off (default value): disables the encryption in transit feature for the SMB file system.
      For more information, see In-transit encryption of SMB file systems.
    Deny Access from Non-encrypted Clients
      Specifies whether to deny access to the SMB file system from clients that do not support encryption. Valid values:
      • Yes: You can mount the SMB file system only from a compute node for which in-transit encryption is enabled. This means that you can use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption. You cannot mount the SMB file system as an anonymous user or from a compute node that does not support in-transit encryption.
      • No: You can mount the SMB file system from all types of compute nodes. However, the in-transit encryption feature can be enabled only if you use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption.
    Keytab File
      The keytab file that you want to upload.
    Super Admin
      A super admin can manage all files in a directory without the need to modify the existing ACLs. You can grant the super admin permissions to a user or a group by specifying the security identifier (SID) of the user or group, for example, S-1-5-32-544. This parameter is empty by default.
    User Home Directory
      The home directory of each user. For example, if you create a user named A, the file system automatically creates a directory named \home\A when User A logs on to the file system. If the \home\A directory already exists, the file system skips this step. This parameter is empty by default.
      Important User A must have the permissions to create folders in the \home directory. Otherwise, the system cannot create the \home\A directory when User A logs on to the system.
    Important If the SMB file system is mounted on a client, you must remount the SMB file system after you modify one or more of the preceding parameters. This way, the parameters can take effect for the service account in the AD domain.

What to do next

After you add the mount target of the SMB file system to the AD domain, you can use an AD identity to mount and use the SMB file system. For more information, see Mount and use an SMB file system on a Windows client as an AD domain user and Mount and use an SMB file system on a Linux client as an AD domain user.