This topic describes how to authenticate users and control access to a Server Message
Block (SMB) file system of Apsara File Storage NAS based on an Active Directory (AD)
domain.
Background information
NAS allows you to authenticate users and control access to SMB file systems based
on an AD domain. After the mount target of an SMB file system is joined to an AD domain,
AD users can access the SMB file system, and you can control access to files and
directories in the SMB file system based on the AD domain. Without AD-based authentication,
NAS does not support permission control of specific users on specific files or directories
in SMB file systems: access to SMB file systems can then be controlled only based on
permission groups and Alibaba Cloud accounts. Each permission group represents a whitelist
of client IP addresses.
Procedures
You can join SMB clients in a virtual private cloud (VPC) and SMB clients in a data
center to the same AD domain. Then, AD users can access the SMB file system from those
SMB clients. You can use the AD domain controller to manage the AD users
and control access to the SMB file system in a centralized manner. NAS authenticates
AD users by using the Kerberos protocol. When an AD user attempts
to access the file system from a Windows or Linux server that serves as the AD domain
controller, the file system verifies the identity of the AD user. In this way, you
can control access from a specific user to specific files and directories in the SMB
file system. The following figure shows how user authentication and access control
are implemented based on an AD domain.

- Join the mount target of the SMB file system to the AD domain.
- Create a service account for NAS.
- Register the domain name of the mount target for the SMB file system.
- Create a keytab file for the mount target of the SMB file system.
- Download the keytab file, and upload the file in the NAS console.
- Log on to the NAS console to upload the keytab file for the SMB file system.
  Choose . On the page that appears, find the target SMB file system, and click the file system
  ID or Management. On the Access Control tab, click On (or Off). In the Enable SMB ACL dialog box, upload the keytab file.
  Then, the secret key that the keytab file contains is stored in the NAS console. After
  the mount target of the SMB file system is joined to the AD domain, you can mount
  and access the SMB file system as an AD user. For more information, see
  Use an AD account to mount an SMB file system.
- Authenticate an AD user who attempts to access the SMB file system.
If an AD user from a virtual machine in the VPC or an application in the data center
attempts to access the SMB file system, NAS checks whether the IP address of the AD
user is allowed to access the file system based on the permission groups. Then, the
AD user is authenticated based on the Kerberos protocol. The following procedure describes
the process of Kerberos authentication:
- A client sends an SMB2 NEGOTIATE request to NAS.
- NAS checks whether Kerberos authentication is enabled for the SMB file system.
For more information, see Introduction to the Kerberos protocol and the procedure of applying the protocol to SMB file systems.
- The client sends a request for accessing the SMB file system to the AD domain controller
in the VPC or data center.
- The AD domain controller authenticates the client. Then, the AD domain controller
encrypts the information of the AD user by using the secret key that is contained
in the keytab file, and sends the encrypted user information to the client.
- The client sends an SMB2 SESSION_SETUP request to NAS. The request message includes
the encrypted user information.
- NAS decrypts the encrypted user information by using the secret key that is contained
in the keytab file.
Note: The authenticated AD user is then used for all subsequent access to the SMB file system
in the session.
- If authentication succeeds, NAS sends a success response to the SMB2 SESSION_SETUP
request, which indicates that NAS allows access from the client to the SMB file system.
Otherwise, the SMB2 SESSION_SETUP request is denied.
- The client sends read, write, and other requests to the SMB file system.
- NAS returns the result of the request to the client.
NAS controls access to the SMB file system. Based on the user information in the session
and the ACLs of files and directories in the SMB file system, NAS denies or allows
the request.
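The following added example (not NAS code, and not a real Kerberos implementation) models the decision sequence described above for the SMB2 SESSION_SETUP and subsequent read requests: permission-group IP check, then verification and decryption of the user information with the service key from the keytab, then the per-file ACL check. The keytab, SPN, permission group, ACL and user names are constructed placeholders, and the ticket uses a toy encrypt-then-MAC construction in place of a Kerberos encryption type.

```python
import hashlib, hmac, ipaddress, json, os

# Constructed values for this example. A real keytab holds AES keys for the
# mount target's SPN, and real tickets use Kerberos encryption types.
KEYTAB = {"cifs/nas-mount.example.com@EXAMPLE.COM": bytes(range(32))}
PERMISSION_GROUP = ["10.0.0.0/24"]                  # NAS permission group (IP whitelist)
ACL = {"/share/finance.xlsx": {"alice@EXAMPLE.COM"},  # path -> AD users allowed to read
       "/share/readme.txt": {"alice@EXAMPLE.COM", "bob@EXAMPLE.COM"}}

def _keystream(key, nonce, n):
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def kdc_issue_ticket(user, spn, now):
    """AD domain controller step: seal the user info under the service key that
    the keytab holds, so only the holder of that key (NAS) can open it."""
    key = KEYTAB[spn]
    plain = json.dumps({"user": user, "spn": spn, "exp": now + 600}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def nas_session_setup(client_ip, ticket, now):
    """NAS side of SMB2 SESSION_SETUP: permission group first, then the ticket.
    Returns the authenticated AD user bound to the session, or None if denied."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in PERMISSION_GROUP):
        return None                             # client IP not whitelisted
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    for spn, key in KEYTAB.items():             # try each key the keytab holds
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            info = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
            if info["spn"] == spn and info["exp"] > now:
                return info["user"]             # session is now bound to this AD user
    return None                                 # wrong key, tampered, or expired

def nas_read(session_user, path):
    """Per-request check: the session's AD user against the file's ACL."""
    return session_user is not None and session_user in ACL.get(path, set())
```

A tampered or expired ticket fails before any ACL is consulted, and a request from an address outside the permission group never reaches the Kerberos step at all.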