
Apsara File Storage NAS: Join the mount target of an SMB file system to an AD domain

Last Updated: Jan 09, 2024

After you join the mount target of a Server Message Block (SMB) file system to an Active Directory (AD) domain, you can use AD to authenticate and control user access to the SMB file system. Before you can use an AD identity to mount an SMB file system, you must register a service principal for the SMB file system in the AD domain, create a keytab file, and then upload the file to the NAS console. Then, you can enable the access control list (ACL) feature for the SMB file system.

Prerequisites

An SMB file system is created. For more information, see Mount a file system on a Windows ECS instance.

Step 1: Create a keytab file

To create a keytab file, use one of the following methods:

Automatically create a keytab file

  1. Log on to the Elastic Compute Service (ECS) instance on which you want to install Active Directory Domain Services (AD DS) and DNS.

  2. Run the following command in PowerShell or PowerShell ISE to download the alinas_smb_windows_inspection.ps1 script:

    Invoke-WebRequest https://nas-client-tools.oss-cn-hangzhou.aliyuncs.com/windows_client/alinas_smb_windows_inspection.ps1 -OutFile alinas_smb_windows_inspection.ps1
  3. Run the following command to automatically install AD DS, install DNS, and then create a keytab file:

    .\alinas_smb_windows_inspection.ps1 -MountAddress file-system-id.region.nas.aliyuncs.com -ConfigAD $true -Userdomain "example.com" -Username "administrator" -Password "password"

    The following list describes the required fields. Replace the values of these fields with the actual values.

    • file-system-id.region.nas.aliyuncs.com: the mount target of the SMB file system. On the File System List page, you can click the icon before the file system to obtain the mount target in the Mount Target column.

    • example.com: the name of the AD domain that you want to build.

    • administrator: the name of the AD service account.

    • password: the password of the AD service account.

    Important

    The first time you start the AD domain after AD DS is installed, the Windows AD server automatically restarts. After the Windows AD server restarts, the system runs the preceding script again to create a keytab file.

Manually configure a keytab file

  1. Install and enable AD DS and DNS.

  2. Log on to the ECS instance on which the AD domain controller resides.

  3. Open the Command Prompt and run the following command to create an AD service account for the SMB file system:

    dsadd user CN=<Name of the AD service account>,DC=<AD domain name>,DC=com ^
      -samid <Name of the AD service account> ^
      -display <Description of the AD service account> ^
      -pwd <Password of the AD service account> ^
      -pwdneverexpires yes

    Example

    dsadd user CN=alinas,DC=EXAMPLE,DC=com -samid alinas -display "Alibaba Cloud NAS Service Account" -pwd tHeRd123**** -pwdneverexpires yes

    If the logon account is a standard account, an administrator must first grant the AD service account read and write permissions on its servicePrincipalName attribute before you continue. Command syntax:

    dsacls "CN=<Name of the AD service account>,DC=<AD domain name>,DC=com" /I:T /G "<Name of the AD service account>:RPWP;servicePrincipalName"

    Example

    dsacls "CN=alinas,DC=cdbptest01,DC=com" /I:T /G "alinas:RPWP;servicePrincipalName"

    In the dsacls command, RP grants the Read Property permission and WP grants the Write Property permission on the servicePrincipalName attribute.

  4. Run the following command to register a service principal for the mount target of the SMB file system and add the service principal to AD:

    • Command syntax

      setspn -S cifs/<Mount target of the SMB file system> <Name of the AD service account>

      Example

      setspn -S cifs/****-****.cn-hangzhou.nas.aliyuncs.com alinas
      Note
      • The format of the mount target is file-system-id.region.nas.aliyuncs.com. Replace it with the actual value. You can perform the following operations to obtain the mount target: Log on to the NAS console. On the File System List page, find the file system and click Manage in the Actions column. Obtain the mount target on the Mount Usage tab.

      • Do not attach the mount directory to the mount target, for example, file-system-id.region.nas.aliyuncs.com/myshare.

    • Sample command output

      If the command output ends with Updated object, the service principal of the SMB file system is added.

  5. Check the setspn configuration on the Windows AD server or a Windows client.

    Command syntax

    setspn -L <Name of the AD service account>

    Example

    setspn -L alinas

    If the command output lists the mount target of the SMB file system, the setspn configuration is correct on the Windows AD server or the Windows client.

  6. On the AD domain controller, open the Command Prompt. Then, run the following command to create a keytab file for the mount target of the SMB file system:

    ktpass ^
      -princ cifs/<Mount target of the SMB file system>@<AD domain> ^
      -ptype KRB5_NT_PRINCIPAL ^
      -crypto All ^
      -out <Path of the keytab file> ^
      -pass <Password of the AD service account>

    Example

    ktpass -princ cifs/****-****.cn-hangzhou.nas.aliyuncs.com@EXAMPLE.com -ptype KRB5_NT_PRINCIPAL -crypto All -out c:\nas-mount-target.keytab -pass tHeP****d123

    For information about how to verify the correctness of the keytab file, see How do I verify the correctness of a keytab file?
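The manual procedure in steps 3 through 6 as one PowerShell script, added here as an example; it is not Alibaba Cloud's own script and it uses the ActiveDirectory module cmdlets in place of dsadd and setspn. It assumes an elevated session on the AD domain controller with the ActiveDirectory module installed, and the mount target, domain and keytab path are placeholders to replace with your own values.

```powershell
# Added example (not Alibaba Cloud's own script): steps 3-6 of the manual
# keytab procedure, run on the AD domain controller. Assumptions: elevated
# session, ActiveDirectory module available, placeholder values replaced.
#Requires -Modules ActiveDirectory
param(
    [string]$MountTarget = 'file-system-id.region.nas.aliyuncs.com',  # placeholder
    [string]$Domain      = 'EXAMPLE.com',                               # placeholder
    [string]$AccountName = 'alinas',
    [string]$KeytabPath  = 'C:\nas-mount-target.keytab'
)

Import-Module ActiveDirectory

# The Note under step 4: the mount target must not carry a share path.
if ($MountTarget -match '/') {
    throw "Mount target must be a host name only, without a share path: $MountTarget"
}

# Read the password interactively so it is not stored in the script or shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# Step 3: create the AD service account (equivalent of the dsadd command).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -DisplayName 'Alibaba Cloud NAS Service Account' `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
}

# Step 4: register cifs/<mount target> on the account (equivalent of setspn -S).
$Spn = "cifs/$MountTarget"
$existing = (Get-ADUser -Identity $AccountName -Properties servicePrincipalName).servicePrincipalName
if ($existing -notcontains $Spn) {
    Set-ADUser -Identity $AccountName -ServicePrincipalNames @{ Add = $Spn }
}

# Step 5: verify the registration (equivalent of setspn -L).
$registered = (Get-ADUser -Identity $AccountName -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $Spn) {
    throw "SPN $Spn was not registered on $AccountName"
}

# Step 6: write the keytab with ktpass, using the same parameters as the page's
# command. ktpass needs the plain-text password, so convert it only for this call.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
& ktpass -princ "$Spn@$Domain" -ptype KRB5_NT_PRINCIPAL -crypto All -out $KeytabPath -pass $plain
$plain = $null

# Show the resulting file; upload it in the NAS console in step 2.
Get-Item $KeytabPath | Select-Object FullName, Length, LastWriteTime
```

The keytab contains key material derived from the service account password, so keep the file readable only by the administrator who uploads it and delete the local copy after the upload.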

Step 2: Upload the keytab file

In the NAS console, upload the keytab file of the AD service account that you created for the SMB file system.

  1. Log on to the NAS console.

  2. In the left-side navigation pane, choose File System > File System List.

  3. On the File System List page, click the ID of the file system that you want to manage or click Manage in the Actions column.

  4. On the Access Control tab, click On.

  5. In the Enable SMB ACL dialog box, upload the keytab file of the AD service account that you created for the SMB file system and click OK.


  6. On the Access Control tab, click Modify Configuration.

  7. In the Modify Configuration dialog box, configure the parameters. The following table describes the parameters.


    Important

    The encryption in transit feature can be enabled only for operating systems that support SMB 3.0 or later. For more information about the operating systems that support SMB 3.0 or later, see In-transit encryption of SMB file systems.

    Parameter

    Description

    Allow Anonymous Access

    Specifies whether to allow anonymous access to the file system. Valid values:

    • On: An account that belongs to the Everyone group can be used to mount the SMB file system based on New Technology LAN Manager (NTLM). ACLs that are configured for files and directories in the SMB file system remain valid.

    • Off (default): Anonymous users are not allowed to access the file system.

    Enable Encryption in Transit

    Specifies whether to enable the encryption in transit feature for the SMB file system. Valid values:

    • On: enables the encryption in transit feature for the SMB file system.

    • Off (default): disables the encryption in transit feature for the SMB file system.

    For more information, see In-transit encryption of SMB file systems.

    Deny Access from Non-encrypted Clients

    Specifies whether to deny access from clients that do not support encryption to the SMB file system. Valid values:

    • Yes: You can mount the SMB file system by using a compute node for which in-transit encryption is enabled. This means that you can use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption.

      However, you cannot mount the SMB file system as an anonymous user or by using a compute node that does not support in-transit encryption.

    • No: You can mount the SMB file system from all types of compute nodes. However, the in-transit encryption feature can be enabled only if you use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption.

    Keytab File

    The keytab file that you want to upload.

    Super Admin

    A super admin can manage all files in a directory without the need to modify the existing ACLs. You can grant the super admin permissions to a user or a group. If you want to grant the permissions to a user or a group, you must specify the security identifier (SID) of the user or the group, for example, S-1-5-32-544. This parameter is empty by default.

    User Home Directory

    The home directory of each user. For example, if you create a user named A, the file system automatically creates a directory named \home\A when User A logs on to the file system. If the \home\A directory already exists, the file system skips this step. This parameter is empty by default.

    Important

    User A must have the permissions to create folders in the \home directory. Otherwise, the system cannot create the \home\A directory when User A logs on to the system.

    Important

    If the SMB file system is mounted on a client, you must remount the SMB file system after you modify one or more of the preceding parameters. This way, the parameters can take effect for the service account in the AD domain.
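Two helpers for the parameters in the table above, added here as an example that is not part of the Alibaba Cloud page: Resolve-SuperAdminSid returns the SID to enter in the Super Admin field for an AD user or group, and Test-NasSmbEncryption, run on a Windows client that has already mounted the file system, reports whether each SMB connection to the mount target is actually encrypted and signed, which is how to confirm that Enable Encryption in Transit took effect after the remount. The function names and the mount target value are assumptions.

```powershell
# Added example (not part of the Alibaba Cloud page). Function names and the
# mount target are placeholders.

function Resolve-SuperAdminSid {
    # Translate 'DOMAIN\name' or 'BUILTIN\group' into its SID string.
    param([Parameter(Mandatory)][string]$Account)
    $nt = [System.Security.Principal.NTAccount]::new($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-NasSmbEncryption {
    # Inspect the live SMB connections to the mount target on this client.
    param([string]$MountTarget = 'file-system-id.region.nas.aliyuncs.com')  # placeholder
    $conns = Get-SmbConnection | Where-Object { $_.ServerName -ieq $MountTarget }
    if (-not $conns) {
        throw "No SMB connection to $MountTarget; mount the file system first."
    }
    foreach ($c in $conns) {
        [pscustomobject]@{
            Share     = $c.ShareName
            User      = $c.UserName
            Dialect   = $c.Dialect      # 3.0 or later is required for encryption in transit
            Encrypted = $c.Encrypted    # $true once Enable Encryption in Transit is on and remounted
            Signed    = $c.Signed
        }
    }
}

# Usage:
# Resolve-SuperAdminSid 'BUILTIN\Administrators'   # returns S-1-5-32-544, the page's example value
# Resolve-SuperAdminSid 'EXAMPLE\nas-admins'       # placeholder group name
# Test-NasSmbEncryption -MountTarget 'file-system-id.region.nas.aliyuncs.com'
```

If Test-NasSmbEncryption shows Encrypted as $false after you enabled the feature, the client still holds the pre-change session; disconnect and remount as the Important note above describes, and check that the client's SMB dialect is 3.0 or later.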

What to do next

After you join the mount target of the SMB file system to the AD domain, you can use an AD identity to mount and use the SMB file system. For more information, see Mount and use an SMB file system on a Windows client as an AD domain user and Mount and use an SMB file system on a Linux client as an AD domain user.