Mount and use an SMB file system on a Linux client as an AD domain user - File Storage NAS

This topic describes how to mount a Server Message Block (SMB) file system on a Linux client by using an Active Directory (AD) domain account. This topic also describes how to view and configure the access control lists (ACLs) of files and directories in the SMB file system by using an AD domain account.

Prerequisites

The mount target of an SMB file system is joined to an AD domain. For more information, see Add the mount target of an SMB file system to an AD domain.
A Linux distribution that is supported by the SMB file system is used. For more information, see Limits and Recommended kernel images.

Background information

Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of an SMB file system to an AD domain, you can specify whether to allow anonymous access to the SMB file system.

If the SMB file system still allows anonymous access, you can use an AD domain account to access the SMB file system based on Kerberos authentication. You can also use an account that belongs to the Everyone group to access the SMB file system based on New Technology LAN Manager (NTLM) authentication.
If the SMB file system no longer allows anonymous access, you must use an AD domain account to mount the SMB file system on a Linux client that is authenticated by using Kerberos.

In this example, Ubuntu and CentOS are used.

Method 1: Join a Linux client to an AD domain and then mount an SMB file system on the Linux client

Log on to the Linux client.
Join the Linux client to an AD domain.
- Ubuntu
  1. Run the following commands to install the configuration packages that are required to connect to an AD server:
    sudo apt-get update
    sudo apt-get -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user
  2. Run the following command to name the Linux client in the AD domain:
    sudo hostnamectl set-hostname myubuntu.example-company.com
    In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business scenario.
    After you complete the configuration, run the hostnamectl command to check the specified name of the Linux client.
  3. Configure DNS.
    Run the following commands to disable the automatic update feature of DNS:
    sudo systemctl disable systemd-resolved sudo systemctl stop systemd-resolved
    Add the IP address of the AD server to the /etc/resolv.conf file.
    Run the ping command. Ping the name of the AD server to check the network connectivity.
  4. Run the following command to search for a specified AD domain:
    realm discover <AD domain>
  5. Join the Linux client to the AD domain.
    sudo kinit Administrator@EXAMPLE-COMPANY.COM sudo realm join -U Administrator example-company.com
    Run the realm list command. If an output that is similar to the following example appears, the Linux client is joined to the AD domain.
  6. Create a home directory for an AD domain user.
    Run the following commands to configure a home directory:
    sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF Name: activate mkhomedir Default: yes Priority: 900 Session-Type: Additional Session: required pam_mkhomedir.so umask=0022 skel=/etc/skel EOF
    Run the following command to enable the preceding setting:
    pam-auth-update
    After the setting is enabled, press the Up Arrow or Down Arrow key to move the cursor, and then press the Spacebar key to add an asterisk (*). Make sure that the activate mkhomedir option is prefixed by an asterisk (*). Press the Tab key until Ok is selected. Then, press the Enter key to complete the setting.
  7. Configure the Linux sssd service.
    Add krb5_ccname_template=FILE:%d/krb5cc_%U to the /etc/sssd/sssd.conf configuration file.
    Run the following commands to restart the sssd service and check the service status:
    sudo systemctl restart sssd sudo systemctl status sssd
    If an output that is similar to the following example appears, the Linux sssd service is configured.
- CentOS
  1. Run the following commands to install the configuration packages that are required to connect to an AD server:
    sudo yum update sudo yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python-utils -y
  2. Run the following command to name the Linux client in the AD domain:
    sudo hostnamectl set-hostname mycentos.example-company.com
    In the preceding command, example-company.com is the name of the AD domain. Replace the name based on your business scenario.
    After you complete the configuration, run the hostnamectl command to check the specified name of the Linux client.
  3. Configure DNS.
    Add the IP address of the AD server to the /etc/resolv.conf configuration file, and then delete the settings of the default DNS server from the file. Run the ping command. Ping the name of the AD server to check the network connectivity.
  4. Configure Kerberos.
    Add the following code to the /etc/krb5.conf configuration file:
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  5. Run the following command to search for a specified AD domain:
    realm discover example-company.com
  6. Join the Linux client to the AD domain.
    sudo realm join -U Administrator example-company.com
    Run the realm list command. If an output that is similar to the following example appears, the Linux client is joined to the AD domain.
Run the following id command to query the identity of the AD domain user:
```
id testuser@example-company.com
```
If an output that is similar to the following example appears, the AD domain user is identified.
Grant logon permissions to AD domain users.
- Run the following commands to grant specified AD domain users the permissions to log on to the Linux client:
```
sudo realm permit usera1@example-company.com
sudo realm permit userb1@example-company.com userb2@example-company.com 
```
- Run the following commands to grant specified groups the permissions to log on to the Linux client:
```
sudo realm permit -g 'Security Users'
sudo realm permit -g 'Domain Users' 'Domain Admins'
```
- Run the following command to grant all users the permissions to log on to the Linux client:
```
sudo realm permit --all
```
- Run the following command to revoke the permissions to log on to the Linux client from all users:
```
sudo realm deny --all
```
Grant the sudo permissions to an AD domain user.
Run the following command to open the configuration file for sudo. Then, grant the sudo permissions based on your business requirements.
```
sudo vim /etc/sudoers.d/domain_admins
```
- Grant the sudo permissions to specified users:
```
usera1@example-company.com     ALL=(ALL)   ALL
userb2@example-company.com     ALL=(ALL)   ALL
```
- Grant the sudo permissions to a specified group:
```
%admingroupc1@example-company.com     ALL=(ALL)   ALL
```
- Grant the sudo permissions to a specified group whose name consists of multiple words:
```
%domain\ admins@example-company.com       ALL=(ALL)       ALL
```
Configure the Secure Shell (SSH) logon setting.
1. Open the /etc/ssh/sshd_config SSH configuration file and replace the original SSH logon setting with the following setting:
```
PasswordAuthentication yes
```
2. Run the following system-specific command to restart the SSHD service:
  - CentOS
```
service sshd restart
```
  - Ubuntu
```
service ssh restart
```
Run the following command to log on to the Linux client as an AD domain user:
```
ssh localhost -l usera1@example-company.com
```
If an output that is similar to the following example appears, the logon to the Linux client is successful.
Mount an SMB file system on the Linux client.
1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
  - Ubuntu
```
sudo apt-get install keyutils cifs-utils
```
  - CentOS
```
sudo yum install keyutils cifs-utils
```
2. Query the information about the keytab file.
  Run the id command to view the UID and GID after logon.
3. Run the following command to mount the file system:
```
sudo mount -t cifs //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513  --verbose
```
  In the preceding command, 205dee4****-uub48.us-west-1.nas.aliyuncs.com specifies the domain name of the mount target of the file system. Replace it based on your business requirements.
  Note
  If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, change vers=2.1 in the preceding command to vers=3.0.
Enable the automatic mount feature.
After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
1. Add the following entry to the /etc/auto.master configuration file:
```
/share    /etc/auto.cifs    --timeout=30 --ghost
```
2. Modify the content of the /etc/auto.cifs configuration file based on the following example:
```
* -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/&
```
  The following list describes the key parameters. Replace the parameter values based on your business requirements.
  - cruid and uid: the ID of the local user named usera1.
  - gid: the group ID of the local user named usera1.
  - 205dee4****-uub48.us-west-1.nas.aliyuncs.com: the domain name of the mount target of the file system.
    To obtain the domain name of the mount target of a file system, perform the following steps: Log on to the NAS console. On the File System List page, find the file system that you want to view, and click the icon. Move the pointer over the icon in the Mount Target column.
3. Run the following command to restart the autofs service:
```
systemctl restart autofs.service
```
4. Check whether the automatic mount feature is enabled as expected.
  For example, you create a directory named //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1, and then grant all users full access permissions on the usera1 directory.
  Log on to the Linux client as an AD domain user and run the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.

Method 2: Connect a Linux client to an AD server and then mount an SMB file system on the Linux client

Log on to the Linux client.
Connect a Linux client to an AD server.
- Ubuntu
  1. Run the following commands to install the configuration packages that are required to connect to an AD server:
    sudo apt-get -y install keyutils cifs-utils krb5-user
  2. Configure DNS.
    Run the following commands to disable the automatic update feature of DNS:
    sudo systemctl disable systemd-resolved sudo systemctl stop systemd-resolved
    Add the IP address of the AD server to the /etc/resolv.conf file.
    Run the ping command. Ping the name of the AD server to check the network connectivity.
- CentOS
  1. Run the following commands to install the configuration packages that are required to connect to an AD server:
    sudo yum install keyutils cifs-utils krb5-workstation
  2. Configure DNS.
    Add the IP address of the AD server to the /etc/resolv.conf configuration file, and then delete the settings of the default DNS server from the file. Run the ping command. Ping the name of the AD server to check the network connectivity.
  3. Configure Kerberos.
    Add the following code to the /etc/krb5.conf configuration file:
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Store the ticket information about the mount target of the SMB file system.
1. Run the following commands to create a local user named usera1 and show the UID and GID of the local user. Then, record the UID and GID of the local user.
```
useradd usera1
su - usera1
id
```
2. Run the following command to use the local user to store the ticket information about the mount target of the SMB file system:
```
kinit administrator@EXAMPLE-COMPANY.COM
klist
```
Mount an SMB file system on the Linux client.
1. Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
  - Ubuntu
```
sudo apt-get install keyutils cifs-utils
```
  - CentOS
```
sudo yum install keyutils cifs-utils
```
2. Run the following command to mount the file system:
```
sudo mount -t cifs //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=1004,uid=1004,gid=1004  --verbose
```
  In the preceding command, 205dee4****-uub48.us-west-1.nas.aliyuncs.com specifies the domain name of the mount target of the file system. Replace it based on your business requirements.
  Note
  If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, replace vers=2.1 in the preceding command with vers=3.0.
Enable the automatic mount feature.
After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
1. Add the following entry to the /etc/auto.master configuration file:
```
/share    /etc/auto.cifs    --timeout=30 --ghost
```
2. Modify the content of the /etc/auto.cifs configuration file based on the following example:
```
* -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/&
```
  The following list describes the key parameters. Replace the parameter values based on your business requirements.
  - cruid and uid: the ID of the local user named usera1.
  - gid: the group ID of the local user named usera1.
  - 205dee4****-uub48.us-west-1.nas.aliyuncs.com: the domain name of the mount target of the file system.
    To obtain the domain name of the mount target of a file system, perform the following steps: Log on to the NAS console. On the File System List page, find the file system that you want to view, and click the icon. Move the pointer over the icon in the Mount Target column.
3. Run the following command to restart the autofs service:
```
systemctl restart autofs.service
```
4. Check whether the automatic mount feature is enabled as expected.
  For example, you create a directory named //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1, and then grant all users full access permissions on the usera1 directory.
  Log on to the Linux client as an AD domain user and run the ls /share/usera1 command. If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.

Use the cifsacl tool to manage the ACLs of an SMB file system

You can run the getcifsacl and setcifsacl commands to manage the ACLs of an SMB file system. Examples:

getcifsacl usera1/

sudo setcifsacl -a "ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI|I/FULL" usera1/