In most cases, you must mount an File Storage NAS (NAS) file system on a compute node that belongs to the same Alibaba Cloud account, the same region, and the same virtual private cloud (VPC). If you want to mount a NAS file system on a macOS client, you must connect the macOS client to the VPC where the NAS file system resides. This topic describes how to mount a Server Message Block (SMB) file system on a macOS client over a virtual private network (VPN) and how to access the SMB file system by using the Kerberos protocol.
Prerequisites
An SMB file system is created. For more information, see Create a file system.
A mount target is created in a VPC. For more information, see Create a mount target.
Mount the SMB file system on the macOS client
Connect the macOS client to the VPC by using a VPN gateway. For more information, see Connect a macOS client to a VPC.
In Step 2: Create an SSL server, Client Subnet and Local Network must be unique. The value of Local Network is the CIDR block of the VPC. You can log on to the VPC console and view the CIDR block of the VPC on the VPC details page.
Verify the connectivity between the macOS client and the mount target of the SMB file system.
Check the network connectivity
After the VPN gateway is connected, run the ping command to ping the mount target of the SMB file system in the VPC.
NoteIf the mount target cannot be pinged, you must ping the mount target on the Elastic Compute Service (ECS) instance in the same VPC as the SMB file system to obtain the IP address of the mount target, and then use the IP address to mount the file system on the macOS client.
Check the port connectivity
telnet [Mount target of the SMB file system] 445
Mount the SMB file system.
In the Finder bar of the macOS client desktop, choose .
In the Connect to Server dialog box, enter the domain name of the mount target and click Connect.
In the Connect As section, select Guest, and then click Connect.
In the Finder bar of the macOS client desktop, choose . Click the myshare tab to view the mounted SMB file system.
NoteAfter the file system is mounted, the macOS client reads all files that are stored in the file system. The myshare disk may be empty when the macOS client is reading the files. Wait until the read process is completed.
Run the mount_smbf command to mount the SMB file system. The following sample code provides an example:
mount_smbfs '//guest@nas-mount-point.nas.aliyuncs.com/myshare' /Volumes/myshare/nas-mount-point.nas.aliyuncs.comis the mount target of the SMB file system in the VPC. Replace the mount target with the actual value.If a command output that is similar to the following information appears, the file system is mounted.
Access the SMB file system on the macOS client by using the Kerberos protocol
After an SMB file system is mounted on a macOS client based on New Technology LAN Manager (NTLM), the macOS client has all permissions on the SMB file system by default. To grant different permissions to different users, NAS allows you to authenticate users and control access to the SMB file system based on an Active Directory (AD) domain. You can perform the following steps to control access to the SMB file system.
Build an AD domain.
Establish a connection between the mount target of the SMB file system and the AD domain. For more information, see Join the mount target of an SMB file system to an AD domain.
Add the CIDR block of the SSL VPN network to a security group of the ECS instance. For more information, see Add a security group rule.
Add rules for the following ports to a security group of the ECS instance. This ensures that the SMB file system can be mounted on the macOS client based on the AD domain.
Domain Name System (DNS) port: UDP 53
Kerberos port: TCP 88
LDAP port: TCP 389
LDAP Global Catalog port: TCP 3268
Set the DNS server of the macOS client to the internal IP address of the AD domain controller.
Run the ipconfig command on the ECS instance to query the internal IP address of the AD domain controller.
In the Finder bar of the macOS client desktop, choose .
In the Network dialog box, set the DNS server of the macOS client to the internal IP address of the AD domain controller.
Verify the connection between the macOS client and the AD domain.
On the macOS client, run the ping command to connect to the AD domain controller. The following figure shows a successful connection.
Use an AD domain identity to mount the SMB file system on the macOS client by using the Kerberos protocol.
Run the kinit command to verify the security of the AD domain identity. The following sample code provides an example:
kinit user@MYDOMAIN.COMRun the
klistcommand to view the AD domain identity. The following sample code provides an example:klistRun the
kinitcommand to use the AD domain identity to log on to the macOS client. The following sample code provides an example:kinitRun the following command to mount the SMB file system. The following sample code provides an example:
mount_smbfs //administrator@nas-mount-point.nas.aliyuncs.com/myshare /Volumes/myshareNoteIf the error message
mount_smbfs: server rejected the connection: Authentication errorappears, run the kinit command to verify the AD domain identity and mount the SMB file system again.The following figure shows a successful mount:
After the SMB file system is mounted, run the klist command. Two service principals are returned, as shown in the following figure.
NoteSMB access control lists (ACLs) are not displayed on the macOS client. However, when you perform an operation on the SMB file system, the SMB server verifies the ACLs and then allows or denies the operation. You can configure the ACLs of the SMB file system when you mount the SMB file system on the AD domain controller.