This topic describes how to mount a Server Message Block (SMB) file system on a Linux client by using an Active Directory (AD) domain account. This topic also describes how to view and configure the access control lists (ACLs) of files and directories in the SMB file system by using an AD domain account.
Prerequisites
The mount target of an SMB file system is joined to an AD domain. For more information, see Add the mount target of an SMB file system to an AD domain.
A Linux distribution that is supported by the SMB file system is used. For more information, see Limits and Recommended kernel images.
Background information
Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of an SMB file system to an AD domain, you can specify whether to allow anonymous access to the SMB file system.
If the SMB file system still allows anonymous access, you can use an AD domain account to access the SMB file system based on Kerberos authentication. You can also use an account that belongs to the Everyone group to access the SMB file system based on New Technology LAN Manager (NTLM) authentication.
If the SMB file system no longer allows anonymous access, you must use an AD domain account to mount the SMB file system on a Linux client that is authenticated by using Kerberos.
In this example, Ubuntu and CentOS are used.
Method 1: Join a Linux client to an AD domain and then mount an SMB file system on the Linux client
Log on to the Linux client.
Join the Linux client to an AD domain.
Run the following id command to query the identity of the AD domain user:
id testuser@example-company.com
If the command prints the uid, gid, and group memberships of the user, the client resolves AD domain users through SSSD and you can continue. If it reports that no such user exists, the domain join or the SSSD configuration is incomplete.
Grant logon permissions to AD domain users.
Run the following commands to grant specified AD domain users the permissions to log on to the Linux client:
sudo realm permit usera1@example-company.com
sudo realm permit userb1@example-company.com userb2@example-company.com
Run the following commands to grant specified groups the permissions to log on to the Linux client:
sudo realm permit -g 'Security Users'
sudo realm permit -g 'Domain Users' 'Domain Admins'
Run the following command to grant all users the permissions to log on to the Linux client. This exposes the client to every account in the domain, so prefer the explicit user or group grants above outside of test environments:
sudo realm permit --all
Run the following command to revoke the permissions to log on to the Linux client from all users:
sudo realm deny --all
Grant the sudo permissions to an AD domain user.
Run the following command to open a drop-in configuration file for sudo. Then, grant the sudo permissions based on your business requirements. Editing the file with visudo -f instead of a plain editor makes sudo check the syntax before the file is saved, so a typo cannot lock you out of sudo.
sudo vim /etc/sudoers.d/domain_admins
Grant the sudo permissions to specified users:
usera1@example-company.com ALL=(ALL) ALL
userb2@example-company.com ALL=(ALL) ALL
Grant the sudo permissions to a specified group:
%admingroupc1@example-company.com ALL=(ALL) ALL
Grant the sudo permissions to a specified group whose name consists of multiple words:
%domain\ admins@example-company.com ALL=(ALL) ALL
Configure the Secure Shell (SSH) logon setting.
Open the /etc/ssh/sshd_config SSH configuration file and set the following option, replacing any existing PasswordAuthentication line:
PasswordAuthentication yes
Password authentication is required here because SSSD obtains and caches the user's Kerberos ticket-granting ticket only when it sees the password at logon. A public-key logon produces no ticket, and the sec=krb5 mount later in this procedure then fails until the user runs kinit. If your baseline disables SSH password authentication, re-enable it only for the AD users or groups that need it, for example in a Match block.
Run the following system-specific command to restart the SSHD service:
CentOS
service sshd restart
Ubuntu
service ssh restart
Run the following command to log on to the Linux client as an AD domain user:
ssh localhost -l usera1@example-company.com
If a shell prompt for usera1@example-company.com appears, the logon to the Linux client is successful.
Mount an SMB file system on the Linux client.
Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
Ubuntu
sudo apt-get install keyutils cifs-utils
CentOS
sudo yum install keyutils cifs-utils
Check the Kerberos credentials.
Run klist to confirm that a ticket-granting ticket is cached for the logged-on user; this is the ticket that the sec=krb5 mount uses. klist -k lists the keys in the host keytab that the domain join created. Then run the id command to view the UID and GID of the logged-on user. You need both values for the mount options.
Run the following command to mount the file system:
sudo mount -t cifs //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=371801107,uid=371801107,gid=371800513 --verbose
In the preceding command:
205dee4****-uub48.us-west-1.nas.aliyuncs.com specifies the domain name of the mount target of the file system. Replace it based on your business requirements.
sec=krb5 forces Kerberos authentication. cruid specifies the UID whose Kerberos credential cache is used to authenticate the SMB session, so it must be the UID of the logged-on AD user. uid and gid set the owner and group that the mounted files are presented with.
Note: If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, change vers=2.1 in the preceding command to vers=3.0.
Enable the automatic mount feature.
After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
Add the following entry to the /etc/auto.master configuration file:
/share /etc/auto.cifs --timeout=30 --ghost
Modify the content of the /etc/auto.cifs configuration file based on the following example:
* -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/&
The following list describes the key parameters. Replace the parameter values based on your business requirements.
cruid and uid: the ID of the local user named usera1. autofs replaces ${UID} and ${GID} with the IDs of the user whose access triggers the mount.
gid: the group ID of the local user named usera1.
205dee4****-uub48.us-west-1.nas.aliyuncs.com: the domain name of the mount target of the file system. To obtain the domain name of the mount target of a file system, log on to the NAS console. On the File System List page, find the file system that you want to view, click the icon, and move the pointer over the icon in the Mount Target column.
Run the following command to restart the autofs service:
systemctl restart autofs.service
Check whether the automatic mount feature is enabled as expected.
For example, create a directory named //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1 and, for this test only, grant all users full access permissions on the usera1 directory. Tighten the ACL again after the test; see the cifsacl section at the end of this topic.
Log on to the Linux client as an AD domain user and run the following command:
ls /share/usera1
If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.
Method 2: Connect a Linux client to an AD server and then mount an SMB file system on the Linux client
Log on to the Linux client.
Connect a Linux client to an AD server.
Store the ticket information about the mount target of the SMB file system.
Run the following commands to create a local user named usera1, switch to that user, and show the UID and GID of the local user. Record the UID and GID.
useradd usera1
su - usera1
id
Run the following commands as the local user to obtain a Kerberos ticket for an AD domain account and confirm that it is cached. The ticket is stored in the credential cache of usera1, which is why cruid in the mount command below must be the UID of usera1:
kinit administrator@EXAMPLE-COMPANY.COM
klist
Every access through the mount is then performed as the AD account that owns the ticket, not as the local user. The example uses administrator; use the least-privileged domain account that needs access to the share instead. The ticket has a limited lifetime, so renew it with kinit before it expires or new SMB sessions fail.
Mount an SMB file system on the Linux client.
Run the following system-specific command to install the tool kit that is required to mount the SMB file system:
Ubuntu
sudo apt-get install keyutils cifs-utils
CentOS
sudo yum install keyutils cifs-utils
Run the following command to mount the file system:
sudo mount -t cifs //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt -o vers=2.1,sec=krb5,cruid=1004,uid=1004,gid=1004 --verbose
In the preceding command:
205dee4****-uub48.us-west-1.nas.aliyuncs.com specifies the domain name of the mount target of the file system. Replace it based on your business requirements.
sec=krb5 forces Kerberos authentication. cruid specifies the UID whose Kerberos credential cache is used to authenticate the SMB session, so it must be the UID of the local user that ran kinit. uid and gid set the owner and group that the mounted files are presented with.
Note: If you turn on Enable Transport Encryption when you configure an ACL for an SMB file system in the NAS console, replace vers=2.1 in the preceding command with vers=3.0.
Enable the automatic mount feature.
After you mount the file system, enable the automatic mount feature. After you restart the Linux client, the file system is automatically mounted.
Add the following entry to the /etc/auto.master configuration file:
/share /etc/auto.cifs --timeout=30 --ghost
Modify the content of the /etc/auto.cifs configuration file based on the following example:
* -fstype=cifs,vers=2.1,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 ://205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/&
The following list describes the key parameters. Replace the parameter values based on your business requirements.
cruid and uid: the ID of the local user named usera1. autofs replaces ${UID} and ${GID} with the IDs of the user whose access triggers the mount.
gid: the group ID of the local user named usera1.
205dee4****-uub48.us-west-1.nas.aliyuncs.com: the domain name of the mount target of the file system. To obtain the domain name of the mount target of a file system, log on to the NAS console. On the File System List page, find the file system that you want to view, click the icon, and move the pointer over the icon in the Mount Target column.
Run the following command to restart the autofs service:
systemctl restart autofs.service
Check whether the automatic mount feature is enabled as expected.
For example, create a directory named //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare/usera1 and, for this test only, grant all users full access permissions on the usera1 directory. Tighten the ACL again after the test; see the cifsacl section at the end of this topic.
Log on to the Linux client as the local user that holds the ticket and run the following command:
ls /share/usera1
If the content of the usera1 directory in the SMB file system is displayed, the automatic mount feature is enabled.
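The mount commands in Method 1 and Method 2 differ only in the IDs, and both depend on the same two conditions: a valid ticket in the credential cache of the UID named by cruid, and cruid being the same UID as uid. The following shell script is an added example, not code from the original topic or from the NAS service. It wraps the manual mount and the autofs map entry in those checks. It assumes cifs-utils and the Kerberos client tools are installed, that the caller already holds a ticket (SSSD password logon in Method 1, kinit in Method 2), and that the share and mount point are the page's placeholders, to be replaced with your own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page. Wraps the manual mount
# from Method 1 and Method 2, and the /etc/auto.cifs map line, in checks a
# practitioner wants before running them. Assumptions: cifs-utils and the
# Kerberos client tools are installed; the caller has a ticket in their
# credential cache; the share and mount point are placeholders.

# Build the mount option string. cruid and uid must be the same UID: cruid
# tells cifs.upcall whose credential cache holds the Kerberos ticket, and
# uid is the owner the files are presented as. encrypt=yes selects SMB 3.0,
# which the page requires when transport encryption is enabled on the share.
build_mount_opts() {
  local uid="$1" gid="$2" encrypt="${3:-no}"
  local vers="2.1"
  if [ "$encrypt" = "yes" ]; then vers="3.0"; fi
  printf 'vers=%s,sec=krb5,cruid=%s,uid=%s,gid=%s' "$vers" "$uid" "$uid" "$gid"
}

# Validate an option string: returns 0 only if sec=krb5 is set and cruid
# equals uid. Any other sec= value (ntlmssp, none) would fall back to
# non-Kerberos authentication, which is exactly what this topic avoids.
check_mount_opts() {
  local opts="$1" cruid uid sec
  cruid=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^cruid=//p')
  uid=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^uid=//p')
  sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
  [ -n "$cruid" ] && [ "$cruid" = "$uid" ] && [ "$sec" = "krb5" ]
}

# Build the /etc/auto.cifs map line. autofs substitutes ${UID} and ${GID}
# with the IDs of the user whose access triggers the mount, and the 0700
# modes keep other local users out of that user's mount.
build_autofs_entry() {
  local share="$1" encrypt="${2:-no}"
  local vers="2.1"
  if [ "$encrypt" = "yes" ]; then vers="3.0"; fi
  printf '* -fstype=cifs,vers=%s,sec=krb5,cruid=${UID},uid=${UID},gid=${GID},file_mode=0700,dir_mode=0700 :%s/&\n' "$vers" "$share"
}

# Mount the share as the calling user, refusing to proceed without a valid
# cached ticket (klist -s exits non-zero when the cache is empty or expired).
mount_share() {
  local share="$1" mountpoint="$2" encrypt="${3:-no}" opts
  if ! klist -s; then
    echo "no valid Kerberos ticket for $(id -un); log in as the domain user or run kinit first" >&2
    return 1
  fi
  opts=$(build_mount_opts "$(id -u)" "$(id -g)" "$encrypt")
  check_mount_opts "$opts" || { echo "refusing to mount with options: $opts" >&2; return 1; }
  sudo mount -t cifs "$share" "$mountpoint" -o "$opts" --verbose
}

# Usage (host is the placeholder from the page; encryption on):
# mount_share //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare /mnt yes
# build_autofs_entry //205dee4****-uub48.us-west-1.nas.aliyuncs.com/myshare yes >> /etc/auto.cifs
```

Run mount_share as the user who holds the ticket, not as root: sudo only elevates the mount call itself, while id -u and the credential cache lookup still refer to the calling user, which is what the page's cruid values express.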
Use the cifsacl tool to manage the ACLs of an SMB file system
You can run the getcifsacl and setcifsacl commands from cifs-utils on the Linux client to view and modify the ACLs of files and directories in an SMB file system. Examples:
getcifsacl usera1/
sudo setcifsacl -a "ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI|I/FULL" usera1/
getcifsacl prints the owner SID, the group SID, and one access control entry (ACE) per line in the form ACL:SID:TYPE/FLAGS/MASK. In the setcifsacl example, the SID ends in RID 513, which is the Domain Users group of that domain; ALLOWED is the ACE type; OI, CI, and I stand for object inherit, container inherit, and inherited; FULL grants full control. setcifsacl -a adds an ACE, -D deletes one, -M modifies one, and -S replaces the entire ACL, so compare the output of getcifsacl before and after each change.
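The automatic-mount test earlier in this topic grants all users full access on the test directory, and that ACE is easy to forget. The following shell script is an added example, not code from the original topic or from cifs-utils. It audits the text that getcifsacl prints for ACEs that hand full control to Everyone (S-1-1-0) or Authenticated Users (S-1-5-11) and prints the setcifsacl command that removes each one. It assumes the line format described above (REVISION, CONTROL, OWNER, GROUP, then one ACL:SID:TYPE/FLAGS/MASK line per ACE); the sample ACL in the script is constructed, reusing the domain SID from the setcifsacl example on this page.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page. Audits getcifsacl output
# for ACEs that give full control to Everyone or Authenticated Users and
# prints the setcifsacl command that removes each one. Assumptions: the
# getcifsacl line format ACL:SID:TYPE/FLAGS/MASK; the sample ACL below is
# constructed for the example.

# Print every ACE line whose SID is one of the broad well-known SIDs and
# whose type is ALLOWED with a FULL mask. Other masks (READ, CHANGE, hex
# values) and DENIED entries are left alone.
find_broad_full_control() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "ACL" && ($2 == "S-1-1-0" || $2 == "S-1-5-11") {
      n = split($3, parts, "/")
      if (n == 3 && parts[1] == "ALLOWED" && parts[3] == "FULL") print $0
    }'
}

# Build the setcifsacl command that deletes one ACE. The ACE string has to
# match the existing entry exactly, so the line getcifsacl printed is fed
# back unchanged instead of being retyped.
revoke_command() {
  printf 'sudo setcifsacl -D "%s" "%s"\n' "$1" "$2"
}

# Audit a path on a mounted share: list the offending ACEs and the commands
# that would remove them. Nothing is changed; review and run them yourself.
audit_path() {
  local path="$1" acl
  acl=$(getcifsacl "$path") || return 1
  find_broad_full_control "$acl" | while IFS= read -r ace; do
    echo "over-permissive: $ace"
    revoke_command "$ace" "$path"
  done
}

# Constructed sample of getcifsacl output: Domain Users (RID 513) with an
# inherited full-control ACE, an explicit Everyone full-control ACE left
# over from testing, and a harmless read-only ACE for Authenticated Users.
SAMPLE_ACL='REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3076751034-3769290925-1520581464-500
GROUP:S-1-5-21-3076751034-3769290925-1520581464-513
ACL:S-1-5-21-3076751034-3769290925-1520581464-513:ALLOWED/OI|CI|I/FULL
ACL:S-1-1-0:ALLOWED/OI|CI/FULL
ACL:S-1-5-11:ALLOWED/0x0/READ'

# Usage against a live mount: audit_path /mnt/usera1
# Offline, against the constructed sample:
find_broad_full_control "$SAMPLE_ACL" | while IFS= read -r ace; do
  revoke_command "$ace" /mnt/usera1
done
```

Run audit_path as a user whose ticket has read access to the directory's security descriptor; the printed setcifsacl -D commands need an account with WRITE_DAC on the share, which is usually the directory owner or a domain administrator, and each deletion is applied immediately.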