Mount and use an SMB file system on a Windows client as an AD domain user - Apsara File Storage NAS

This topic describes how to use an Active Directory (AD) account to mount a Server Message Block (SMB) file system on a Windows client. This topic also describes how to use an AD account to view and edit the access control lists (ACLs) of files and directories in the SMB file system.

Prerequisites

The mount target of the SMB file system is joined to an AD domain. For more information, see Add the mount target of an SMB file system to an AD domain.

Background information

Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of the SMB file to the AD domain, you can specify whether to allow anonymous access to the file system.

If anonymous access is still allowed, you can use an AD account to access the SMB file system based on Kerberos authentication. You can also use an Everyone account to access the SMB file system based on NT LAN Manager (NTLM) authentication.
If anonymous access is no longer allowed, you must use an AD account to mount the SMB file system based on Kerberos authentication.

Method 1: Join a Windows client to an AD domain and mount an SMB file system on the Windows client

The following steps describe how to join a Windows client to an AD domain and mount an SMB file system on the Windows client. In this example, Windows Server 2012 is used.

Configure the IP address of the DNS server for the Windows client.
1. Log on to the Windows client.
2. In the lower-left corner of your desktop, click Start.
3. In the Start menu, click Control Panel.
4. In the Control Panel window, choose Network and Internet > Network and Sharing Center.
5. In the View your active networks section of the Network and Sharing Center dialog box, click Ethernet.
6. In the Ethernet Status dialog box, click Properties.
7. In the This connection uses the following items section of the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
8. On the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following DNS server addresses and set the DNS server address to the IP address of the AD domain server.
9. Use Command Prompt to ping the IP address to verify the connectivity between the Windows client and the AD domain.
Join a Windows client to an AD domain.
1. In the Control Panel window, choose System and Security > System.
2. In the Computer name, domain, and workgroup settings section of the System dialog box, click Change settings.
3. On the Computer Name tab of the System Properties dialog box, click Change.
4. In the Member of section of the Computer Name/Domain Changes dialog box, enter the AD domain. Click OK to compete the settings as prompted.
5. Restart the Windows client. After you restart the Windows client, the modified settings take effect.
Mount the SMB file system on the Windows client.
Use an AD account to log on to the Windows client. Run the following command in Command Prompt to mount the SMB file system on the Windows client:
```
net use z: \\nas-mount-target.nas.aliyuncs.com\myshare
```

Method 2: Connect a Windows client to an AD server and mount an SMB file system on the Windows client

The following steps describe how to configure a DNS server for a Windows client, connect the client to an AD server, and mount an SMB file system on the client. In this example, Windows Server 2012 is used.

Configure the IP address of the DNS server for the Windows client.
1. Log on to the Windows client.
2. In the lower-left corner of your desktop, click Start.
3. In the Start menu, click Control Panel.
4. In the Control Panel window, choose Network and Internet > Network and Sharing Center.
5. In the View your active networks section of the Network and Sharing Center dialog box, click Ethernet.
6. In the Ethernet Status dialog box, click Properties.
7. In the This connection uses the following items section of the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
8. On the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following DNS server addresses and set the DNS server address to the IP address of the AD domain server.
9. Use Command Prompt to ping the IP address to verify the connectivity between the Windows client and the AD domain.
Mount the SMB file system on the Windows client.
Use Command Prompt to run the following command on the Windows client to mount the SMB file system as a user of the AD domain.
```
net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:EXAMPLE.com\USERNAME PASSWORD
```
EXAMPLE.com is the name of the AD domain that you have configured.

Manage the ACL of the SMB file system

After you enable the ACL feature and mount the SMB file system as a user of the AD domain, you can view and edit the ACLs of files and directories by using the following methods:

Run the mklink command to mount an SMB file system.
You can run the mklink command to create a symbolic link on a local disk of a Windows client. You can also view and edit the ACLs of files and directories.
1. Use Command Prompt to create mappings for the file system.
```
mklink /D c:\myshare \\nas-mount-target.nas.aliyuncs.com\myshare
```
  In the preceding command, \myshare is the file system path to which the symbolic link points and nas-mount-target.nas.aliyuncs.com\myshare is the mount target of the SMB file system.
2. Grant common users the permission to use symbolic links.
  If you use the Administrator account, skip this step.
  1. Search for and run secpol.msc as a system administrator.
  2. In the Local Security Policy window, choose Local Policies > User Rights Assignment. Add the specified user to the Create Symbolic Links permission group as prompted.
  3. Log on to the Windows client again as a common user.
3. Access the SMB file system and view the ACLs of files and directories.
  After a symbolic link is created, you can access the SMB file system the same way you access a subdirectory of a local disk in Windows. You can also view and edit the ACLs of files and directories.
Use the Windows File Explorer to view and edit the ACLs of files and directories
After you create a symbolic link for the mount target of the SMB file system on a local disk of the Windows client, you can view and edit the ACLs of files and directories by using the Windows File Explorer.
1. Right-click the file or directory, and then click Properties.
2. In the Properties dialog box, click the Security tab, and then click Edit.
3. In the Create symbolic links Permissions dialog box, click Add User or Group and enter the information as prompted.
If you need to go back to the previous directory, click the Back icon (1 in the figure) or the Up icon (2 in the figure). Do not click a section of a path in the path bar (3 in the figure).
When you use the File Explorer to access the SMB file system, the SMB file system is not joined to the AD domain. If you use a network path, for example, \\nas-mount-point.nas.aliyuncs.com\myshare instead of the C:\myshare path to access the SMB file system, an error occurs. When you configure an ACL, the client cannot determine whether the mount target is joined to the AD domain. This error occurs because the Remote Procedure Call (RPC) server is unavailable.
Important If you use the Windows File Explorer to modify the permission on c:\myshare, the new permissions are not applied to the root directories of the file system. To modify the permissions on a root directory, you must run the Set-Acl cmdlet or icacls command in PowerShell.
PowerShell commands
You can run the Get-Acl and Set-Acl cmdlet in PowerShell to view and edit the ACLs of files and directories in the SMB file system.
- Get-Acl
```
$value = Get-Acl -Path "Z:"# Set properties
$value.Access
```
```
# Set properties
$identity = "Administrator"
$fileSystemRights = "FullControl"
$type = "Allow"
# Create new rule
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
# Apply new rule
$value.SetAccessRule($fileSystemAccessRule)
$value.Access
```
- Set-Acl
  To run the Set-Acl command to modify the permissions, you can change the mount path without using the mylink c:\myshare shortcut. You can also modify the permissions of the root directory.
```
Set-Acl $value -Path "Z:"
```
  Important We recommend that you configure the permissions to modify root directories immediately after the file system is created. Otherwise, you must modify subdirectories and subfiles when you run the command. This is because the permissions are inherited from the root directory to the subdirectories.

icacls command

You can run the icacls command in Command Prompt to manage ACLs. You can run the icacls command to view and edit the ACLs of files and directories.

Example:

icacls z:
#Grant full control permissions to a user.
icacls z: /grant <username>:(F)
#Grant full control permissions to the administrator.
icacls z: /grant administrator:(F)
icacls z:
#Revoke all permissions from a user.
icacls z: /remove <username>
#Revoke all permissions from all users.
icacls z: /remove <username>
icacls z: