This topic describes how to mount a Server Message Block (SMB) file system on a Linux client by using an Active Directory (AD) account. This topic also describes how to view and configure the access control lists (ACLs) of files and directories in the SMB file system by using an AD account.

Prerequisites

Background information

Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of an SMB file system to an AD domain, you can specify whether to allow anonymous access to the SMB file system.
  • If the SMB file system still allows anonymous access, you can use an AD account to access the SMB file system based on Kerberos authentication. You can also use an account that belongs to the Everyone group to access the SMB file system based on NT LAN Manager (NTLM) authentication.
  • If the SMB file system no longer allows anonymous access, you must use an AD account to mount the SMB file system on a Linux client that is authenticated by using Kerberos.
In this example, Ubuntu and CentOS are used.

Method 1: Join a Linux client to an AD domain, and then mount an SMB file system on the Linux client

  1. Log on to the Linux client.
  2. Join the Linux client to the AD domain.
    • Ubuntu
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo apt-get update
        sudo apt-get -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user
      2. Run the following command to name the Linux client in the AD domain:
        sudo hostnamectl set-hostname myubuntu.example-company.com
        In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business scenario.
        After you complete the configuration, run the hostnamectl command to check the specified name of the Linux client.
      3. Configure DNS.
        Run the following commands to disable the automatic update feature of DNS:
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        Add the IP address of the AD server to the /etc/resolv.conf file. Then, run the ping command against the name of the AD server to check the network connectivity.
      4. Run the following command to search for a specified AD domain:
        realm discover <AD domain>
      5. Join the Linux client to the AD domain.
        sudo kinit Administrator@EXAMPLE-COMPANY.COM
        sudo realm join -U Administrator example-company.com
        Run the realm list command. If the output lists the AD domain, the Linux client is joined to the AD domain.
      6. Run the following code to create a home directory for an AD user:
        sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
        Name: activate mkhomedir
        Default: yes
        Priority: 900
        Session-Type: Additional
        Session:
                required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
        EOF
        Run the following command to enable the preceding setting:
        sudo pam-auth-update
        After the setting is enabled, press the Up Arrow or Down Arrow key to move the cursor, and then press the Spacebar key to add an asterisk (*). Make sure that the activate mkhomedir option is prefixed by an asterisk (*). Press the Tab key until Ok is selected. Then, press the Enter key to complete the setting.
      7. Configure the Linux sssd service.
        Add the krb5_ccname_template=FILE:%d/krb5cc_%U entry to the domain section of the /etc/sssd/sssd.conf configuration file. Then, run the following commands to restart the sssd service and check the service status:
        sudo systemctl restart sssd
        sudo systemctl status sssd
        If the output shows the service as active (running), the Linux sssd service is configured.
    • CentOS
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo yum update
        sudo yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python-utils -y
      2. Run the following command to name the Linux client in the AD domain:
        sudo hostnamectl set-hostname mycentos.example-company.com
        In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business scenario.
        After you complete the configuration, run the hostnamectl command to check the specified name of the Linux client.
      3. Configure DNS.
        Add the IP address of the AD server to the /etc/resolv.conf configuration file, and then delete the settings of the default DNS server from the file. Then, run the ping command against the name of the AD server to check the network connectivity.
      4. Configure Kerberos.
        Add the following settings to the [libdefaults] section of the /etc/krb5.conf configuration file:
            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      5. Run the following command to search for a specified AD domain:
        realm discover example-company.com
      6. Join the Linux client to the AD domain.
        sudo realm join -U Administrator example-company.com
        Run the realm list command. If the output lists the AD domain, the Linux client is joined to the AD domain.
  3. Run the following id command to query the identity of the AD user:
    id testuser@example-company.com
    If the output shows the UID, GID, and group memberships of the user, the AD user is identified.
  4. Grant logon permissions to AD users.
    • Run the following commands to grant specified AD users the permissions to log on to the Linux client:
      sudo realm permit usera1@example-company.com
      sudo realm permit userb1@example-company.com userb2@example-company.com 
    • Run the following commands to grant specified groups the permissions to log on to the Linux client:
      sudo realm permit -g 'Security Users'
      sudo realm permit -g 'Domain Users' 'Domain Admins'
    • Run the following command to grant all users the permissions to log on to the Linux client:
      sudo realm permit --all
    • Run the following command to revoke the permissions to log on to the Linux client from all users:
      sudo realm deny --all
  5. Grant the sudo permissions to an AD user.
    Run the following command to open the configuration file for sudo. Then, grant the sudo permissions based on your business requirements.
    sudo vim /etc/sudoers.d/domain_admins
    • Grant the sudo permissions to specified users.
      usera1@example-company.com     ALL=(ALL)   ALL
      userb2@example-company.com     ALL=(ALL)   ALL
    • Grant the sudo permissions to a specified group:
      %admingroupc1@example-company.com     ALL=(ALL)   ALL
    • Grant the sudo permissions to a specified group whose name consists of multiple words.
      %domain\ admins@example-company.com       ALL=(ALL)       ALL
  6. Configure the Secure Shell (SSH) logon setting.
    Open the /etc/ssh/sshd_config SSH configuration file and replace the original SSH logon setting with the following setting:
    PasswordAuthentication yes
    Run the following system-specific command to restart the SSHD service:
    • CentOS
      service sshd restart
    • Ubuntu
      service ssh restart
  7. Run the following command to log on to the Linux client as an AD user:
    ssh localhost -l usera1@example-company.com
    If a shell prompt for the AD user appears, the logon to the Linux client is successful.
  8. Mount an SMB file system on the Linux client.
    1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
      • Ubuntu
        sudo apt-get install keyutils cifs-utils
      • CentOS
        sudo yum install keyutils cifs-utils
    2. Query the UID and GID of the AD user.
      After you log on as the AD user, run the id command to view the UID and GID. These values are used in the mount command.
    3. Run the following command to mount the file system:
      sudo mount -t cifs //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513  --verbose
      Note If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the Apsara File Storage NAS console, change vers=2.1 in the preceding command to vers=3.0.
  9. Enable the automatic mount feature.
    After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
    1. Add the following entry to the /etc/auto.master configuration file:
      /share    /etc/auto.cifs    --timeout=30 --ghost
    2. Modify the content of the /etc/auto.cifs configuration file based on the following example:
      * -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/&
    3. Run the following command to restart the autofs service:
      systemctl restart autofs.service
    4. Check whether the automatic mount feature is enabled as expected.
      For example, you create a directory named //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1, and then grant all users full access permissions on the usera1 directory.

      An AD user logs on to the Linux client and runs the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.

Method 2: Connect a Linux client to an AD server, and then mount an SMB file system on the Linux client

  1. Log on to the Linux client.
  2. Connect a Linux client to an AD server.
    • Ubuntu
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo apt-get -y install keyutils cifs-utils krb5-user
      2. Configure DNS.
        Run the following commands to disable the automatic update feature of DNS:
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        Add the IP address of the AD server to the /etc/resolv.conf file. Then, run the ping command against the name of the AD server to check the network connectivity.
    • CentOS
      1. Run the following commands to install the configuration packages that are required to connect to an AD server:
        sudo yum install keyutils cifs-utils krb5-workstation
      2. Configure DNS.
        Add the IP address of the AD server to the /etc/resolv.conf configuration file, and then delete the settings of the default DNS server from the file. Then, run the ping command against the name of the AD server to check the network connectivity.
      3. Configure Kerberos.
        Add the following settings to the [libdefaults] section of the /etc/krb5.conf configuration file:
            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  3. Store the ticket information about the mount target of the SMB file system.
    1. Run the following commands to create a local user named usera1 and show the UID and GID of the local user. Then, record the UID and GID of the local user.
      useradd usera1
      su - usera1
      id usera1
    2. Run the following command to use the local user to store the ticket information about the mount target of the SMB file system:
      kinit administrator@EXAMPLE-COMPANY.COM
      klist
  4. Mount an SMB file system on the Linux client.
    1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
      • Ubuntu
        sudo apt-get install keyutils cifs-utils
      • CentOS
        sudo yum install keyutils cifs-utils
    2. Run the following command to mount the file system:
      sudo mount -t cifs //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=1004,uid=1004,gid=1004  --verbose

      In the preceding command, the values of the cruid and uid parameters indicate the UID of usera1, and the value of the gid parameter indicates the GID of usera1.

      Note If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, change vers=2.1 in the preceding command to vers=3.0.
  5. Enable the automatic mount feature.
    After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
    1. Add the following entry to the /etc/auto.master configuration file:
      /share    /etc/auto.cifs    --timeout=30 --ghost
    2. Modify the content of the /etc/auto.cifs configuration file based on the following example:
      * -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/&
    3. Run the following command to restart the autofs service:
      systemctl restart autofs.service
    4. Check whether the automatic mount feature is enabled as expected.
      For example, you create a directory named //205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1, and then grant all users full access permissions on the usera1 directory.

      An AD user logs on to the Linux client and runs the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.
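A check for the mount options that the mount and autofs steps of both methods rely on, as an added example that is not part of the original page: it parses /proc/mounts-style lines (the sample below is constructed; only the share name is the page's) and flags cifs mounts that did not end up with sec=krb5, that omit cruid, or that use an SMB dialect below 3.0 and so cannot use transport encryption. It assumes Python 3 is available on the client.

```python
# Constructed /proc/mounts sample (not real output); share name copied from the page.
SAMPLE_PROC_MOUNTS = """\
//205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt cifs rw,relatime,vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513 0 0
//205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /share/usera1 cifs rw,relatime,vers=3.0,sec=krb5,cruid=1004,uid=1004,gid=1004 0 0
//205dee494a3-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt/guest cifs rw,relatime,vers=2.1,sec=ntlmssp,guest 0 0
"""

# sec= values that mean Kerberos was negotiated (krb5i adds packet signing).
KERBEROS_SEC = {"krb5", "krb5i"}

def parse_cifs_mounts(text):
    """Yield (source, mountpoint, options dict) for each cifs entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _sep, value = opt.partition("=")
            opts[key] = value
        yield fields[0], fields[1], opts

def dialect(opts):
    """SMB dialect as a tuple, e.g. (2, 1) or (3, 1, 1); None if unset or unparsable."""
    vers = opts.get("vers")
    if not vers:
        return None
    try:
        return tuple(int(part) for part in vers.split("."))
    except ValueError:
        return None

def audit_mount(mountpoint, opts):
    """Findings for one mount; an empty list means it matches the page's setup."""
    findings = []
    sec = opts.get("sec", "default")
    if sec not in KERBEROS_SEC:
        findings.append(f"{mountpoint}: sec={sec}, not Kerberos")
    if "cruid" not in opts:
        findings.append(f"{mountpoint}: cruid missing, ticket cache owner is ambiguous")
    ver = dialect(opts)
    if ver is None or ver < (3, 0):
        findings.append(f"{mountpoint}: vers={opts.get('vers', 'unset')}, "
                        "dialect below 3.0 cannot use SMB transport encryption")
    return findings

def audit_proc_mounts(text=SAMPLE_PROC_MOUNTS):
    """Map each cifs mountpoint to its list of findings."""
    return {mp: audit_mount(mp, opts) for _src, mp, opts in parse_cifs_mounts(text)}

if __name__ == "__main__":
    for mp, findings in audit_proc_mounts().items():
        print(mp, findings or "ok")
```

On a client, pass open("/proc/mounts").read() to audit_proc_mounts instead of the embedded sample.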

Use the cifsacl tool to manage the ACLs of an SMB file system

You can run the getcifsacl and setcifsacl commands to manage the ACLs of an SMB file system. Example:
getcifsacl /mnt/usera1/
setcifsacl -a "ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI/FULL" /mnt/usera1
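The ACE format that getcifsacl prints and setcifsacl accepts, as an added example that is not part of the original page or of cifs-utils: it parses a constructed getcifsacl-style listing, rebuilds the page's setcifsacl argument from its parts, and reports ACEs that give Everyone or Authenticated Users more than read access. The flag and permission spellings (OI|CI, FULL, READ) are the ones the page uses; the listing and its hex flag values are constructed sample data.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Flag bits that cifs-utils uses for OI, CI, NP, IO and inherited ACEs.
FLAG_BITS = {"OI": 0x1, "CI": 0x2, "NP": 0x4, "IO": 0x8, "I": 0x10}
# Well-known SIDs whose grants reach every user of the share.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

# Constructed sample of a getcifsacl listing for /mnt/usera1 (not real output).
SAMPLE_ACL = """\
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3076751034-3769290925-1520581464-500
GROUP:S-1-5-21-3076751034-3769290925-1520581464-513
ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/0x3/FULL
ACL:S-1-1-0:ALLOWED/0x3/FULL
ACL:S-1-5-11:ALLOWED/0x0/READ
"""

def parse_flags(text):
    """Accept 'OI|CI' style names or a hex value; return the flag bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(FLAG_BITS[name] for name in text.split("|") if name)

def parse_aces(acl_text):
    """Return [(sid, type, flags, perm)] for every ACL: line in the listing."""
    aces = []
    for line in acl_text.splitlines():
        if not line.startswith("ACL:"):
            continue
        sid, rest = line[4:].split(":", 1)
        ace_type, flags, perm = rest.split("/")
        aces.append((sid, ace_type, parse_flags(flags), perm))
    return aces

def build_ace(sid, ace_type="ALLOWED", flags=("OI", "CI"), perm="FULL"):
    """Build the ACE argument for setcifsacl -a/-D/-M after validating the SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    if ace_type not in ("ALLOWED", "DENIED"):
        raise ValueError(f"unknown ACE type: {ace_type}")
    return f"ACL:{sid}:{ace_type}/{'|'.join(flags)}/{perm}"

def broad_grants(acl_text):
    """List ALLOWED ACEs that give a broad well-known SID more than READ."""
    return [f"{BROAD_SIDS[sid]} ({sid}) has {perm}"
            for sid, ace_type, _flags, perm in parse_aces(acl_text)
            if sid in BROAD_SIDS and ace_type == "ALLOWED" and perm != "READ"]
```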