File Storage NAS: Mount and use an SMB file system on a Windows client as an AD domain user

Last Updated: May 25, 2023

This topic describes how to mount a Server Message Block (SMB) file system on a Windows client by using an Active Directory (AD) domain account. This topic also describes how to view and configure the access control lists (ACLs) of files and directories in the SMB file system by using an AD domain account.

Prerequisites

The mount target of an SMB file system is joined to an AD domain. For more information, see Add the mount target of an SMB file system to an AD domain.

Background information

Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of an SMB file system to an AD domain, you can specify whether to allow anonymous access to the SMB file system.

  • If the SMB file system still allows anonymous access, you can use an AD domain account to access the SMB file system based on Kerberos authentication. You can also use an account that belongs to the Everyone group to access the SMB file system based on New Technology LAN Manager (NTLM) authentication.

  • If the SMB file system no longer allows anonymous access, you must use an AD domain account to mount the SMB file system on a Windows client that is authenticated by using Kerberos.

Method 1: Join a Windows client to an AD domain and then mount an SMB file system on the Windows client

The following steps describe how to join a Windows client to an AD domain and mount an SMB file system on the Windows client. In this example, Windows Server 2012 is used.

  1. Configure the IP address of the DNS server for the Windows client.

    1. Log on to the Windows client.

    2. In the lower-left corner of the desktop, click Start.

    3. In the Start menu, click Control Panel.

    4. In the Control Panel window, choose Network and Internet > Network and Sharing Center.

    5. In the View your active networks section of the Network and Sharing Center dialog box, click Ethernet.

    6. In the Ethernet Status dialog box, click Properties.

    7. In the This connection uses the following items section of the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.

    8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following DNS server addresses and set the DNS server address to the IP address of the AD domain server.

    9. Run the ping command in Command Prompt. Ping the IP address of the AD domain server to verify the connectivity between the Windows client and the AD domain.

  2. Join the Windows client to the AD domain.

    1. In the Control Panel window, choose System and Security > System.

    2. In the Computer name, domain, and workgroup settings section of the System dialog box, click Change settings.

    3. On the Computer Name tab of the System Properties dialog box, click Change.

    4. In the Member of section of the Computer Name/Domain Changes dialog box, enter the AD domain name. Click OK to complete the configurations.

    5. Restart the Windows client for the modified settings to take effect.

  3. Mount an SMB file system on the Windows client.

    Log on to the Windows client as an AD domain user. Run the following command in Command Prompt to mount the SMB file system on the Windows client:

    net use z: \\nas-mount-target.nas.aliyuncs.com\myshare

Method 2: Connect a Windows client to an AD server and mount an SMB file system on the Windows client

The following steps describe how to configure a DNS server for a Windows client, connect the client to an AD server, and mount an SMB file system on the client. In this example, Windows Server 2012 is used.

  1. Configure the IP address of the DNS server for the Windows client.

    1. Log on to the Windows client.

    2. In the lower-left corner of the desktop, click Start.

    3. In the Start menu, click Control Panel.

    4. In the Control Panel window, choose Network and Internet > Network and Sharing Center.

    5. In the View your active networks section of the Network and Sharing Center dialog box, click Ethernet.

    6. In the Ethernet Status dialog box, click Properties.

    7. In the This connection uses the following items section of the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.

    8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following DNS server addresses and set the DNS server address to the IP address of the AD domain server.

    9. Run the ping command in Command Prompt. Ping the IP address of the AD domain server to verify the connectivity between the Windows client and the AD domain.

  2. Mount an SMB file system on the Windows client.

    Run the following command in Command Prompt on the Windows client to mount the SMB file system as an AD domain user:

    net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:EXAMPLE.com\USERNAME PASSWORD

    In the preceding command, EXAMPLE.com is the name of the AD domain that you have built.
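The following PowerShell function is an added example, not part of the NAS documentation, that performs the mount step of Method 1 (client joined to the domain, no credential passed) and Method 2 (credential passed) and then checks that the session was authenticated with Kerberos rather than NTLM. It uses the documentation's sample mount target, share name and domain; the function name, the drive letter and the use of New-PSDrive in place of net use are our own choices.

```powershell
# Added example, not from the NAS documentation. Assumes the DNS and domain
# configuration from the preceding steps is in place.
function Mount-NasShare {
    param(
        [string]$MountTarget = "nas-mount-target.nas.aliyuncs.com",
        [string]$Share       = "myshare",
        [string]$Drive       = "Z",
        # Method 1 (client joined to the domain, logged on as a domain user): omit.
        # Method 2 (client not joined): pass a credential for EXAMPLE.com\USERNAME.
        [pscredential]$Credential
    )
    $unc = "\\$MountTarget\$Share"
    $params = @{ Name = $Drive; PSProvider = "FileSystem"; Root = $unc;
                 Persist = $true; Scope = "Global" }
    if ($Credential) { $params.Credential = $Credential }
    New-PSDrive @params | Out-Null

    # A cifs/<mount target> service ticket is issued only when the session was
    # authenticated with Kerberos; if it is absent, the client may have fallen
    # back to NTLM, which is only possible while anonymous access is still allowed.
    $ticket = klist | Select-String -SimpleMatch "cifs/$MountTarget"
    [pscustomobject]@{
        Path     = $unc
        Kerberos = [bool]$ticket
        Session  = Get-SmbConnection -ServerName $MountTarget |
                   Select-Object -First 1 UserName, Dialect
    }
}

# Method 2 style: prompt for the password instead of typing it on the command
# line, where it would remain in the console history.
$cred = Get-Credential -UserName "EXAMPLE.com\USERNAME" -Message "AD domain account"
Mount-NasShare -Credential $cred
```

Run `Mount-NasShare` without `-Credential` on a domain-joined client that is logged on as a domain user (Method 1); a result with `Kerberos = False` is the signal to check the DNS setting and the domain membership of the mount target.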

Manage the ACLs of the SMB file system

After you enable the ACL feature and mount the SMB file system as an AD domain user, you can view and edit the ACLs of files and directories by using the following methods:

Run the mklink command to mount the SMB file system

You can run the mklink command to create a symbolic link for the mount target of the SMB file system on a local disk of the Windows client. You can also view and edit the ACLs of files and directories.

  1. Use Command Prompt to create mappings for the file system.

    mklink /D c:\myshare \\nas-mount-target.nas.aliyuncs.com\myshare

    In the preceding command, c:\myshare is the local path of the symbolic link, and \\nas-mount-target.nas.aliyuncs.com\myshare is the mount target of the SMB file system to which the link points.

  2. Grant common users the permissions to use symbolic links.

    If you use the Administrator account, skip this step.

    1. Search for and run secpol.msc as a system administrator.

    2. In the Local Security Policy window, choose Local Policies > User Rights Assignment. Add the specified user to the Create symbolic links user right as prompted.

    3. Log on to the Windows client again as a common user.

  3. Access the SMB file system and view the ACLs of files and directories.

    After a symbolic link is created, you can access the SMB file system the same way you access a subdirectory of a local disk in Windows. You can also view and edit the ACLs of files and directories.

Use the Windows File Explorer to view and edit the ACLs of files and directories

After you create a symbolic link for the mount target of the SMB file system on a local disk of the Windows client, you can view and edit the ACLs of files and directories by using the Windows File Explorer.

  1. Right-click the file or directory, and then select Properties.

  2. In the Properties dialog box, click the Security tab, and then click Edit.

  3. In the Permissions dialog box, click Add User or Group and specify the information as prompted.

If you need to go back to the directory of your local disk, click the Back icon (1 in the figure) or the Up icon (2 in the figure). Do not click a section of a path in the path bar (3 in the figure).

Figure: Use the File Explorer to access the SMB file system

When you use the File Explorer to access the SMB file system by using a network path (for example, \\nas-mount-point.nas.aliyuncs.com\myshare) instead of a path on your local disk (for example, C:\myshare), an error occurs when you configure an ACL. The File Explorer cannot determine whether the mount target is joined to the AD domain, and reports that the Remote Procedure Call (RPC) server is unavailable.

Important

If you use the Windows File Explorer to modify the permissions on C:\myshare, the new permissions are not applied to the root directory of the file system. To modify the permissions on the root directory, you must run the Set-Acl command in PowerShell or the icacls command.

PowerShell commands

You can run the Get-Acl and Set-Acl commands in PowerShell to view and edit the ACLs of files and directories in the SMB file system.

  • Get-Acl

    # View the current ACL of the mounted file system.
    $value = Get-Acl -Path "Z:"
    $value.Access
    # Set properties
    $identity = "Administrator"
    $fileSystemRights = "FullControl"
    $type = "Allow"
    # Create new rule
    $fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
    $fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
    # Apply new rule to the ACL object in memory. The change is written to the
    # file system only when you run Set-Acl.
    $value.SetAccessRule($fileSystemAccessRule)
    $value.Access
  • Set-Acl

    When you run the Set-Acl command to modify permissions, you can specify the mount path (for example, Z:) directly instead of the mklink c:\myshare symbolic link. This way, you can also modify the permissions on the root directory.

    Set-Acl -Path "Z:" -AclObject $value
    Important

    We recommend that you configure the permissions on the root directory immediately after the file system is created. Otherwise, you must also modify the permissions on the existing subdirectories and files when you run the command, because subdirectories inherit their permissions from the root directory.

icacls command

You can run the icacls command in Command Prompt to view and edit the ACLs of files and directories.

Example:

icacls z:
REM Grant full control permissions to a user. Replace <username> with the account name, for example EXAMPLE.com\USERNAME.
icacls z: /grant <username>:(F)
REM Grant full control permissions to the administrator.
icacls z: /grant administrator:(F)
icacls z:
REM Revoke all permissions from a user. Repeat the command for each user to revoke all permissions from all users.
icacls z: /remove <username>
icacls z:
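The following PowerShell script is an added example, not part of the NAS documentation. It carries the Set-Acl section and its recommendation above through to a full case: it grants a domain group access on the root directory of the mounted file system with inheritance flags, so that subdirectories and files pick the entry up without per-item edits, removes the Everyone entry that anonymous access relies on, writes the ACL with Set-Acl, and cross-checks the result with icacls as in the section above. The drive letter Z: follows the documentation; the group name EXAMPLE\nas-editors is a placeholder of ours.

```powershell
# Added example, not from the NAS documentation. Assumes the file system is
# mounted on Z: by a domain account that is allowed to change its ACL.
$Root     = "Z:\"
$Identity = "EXAMPLE\nas-editors"   # placeholder domain group (not from the documentation)

$acl = Get-Acl -Path $Root

# Build a rule that applies to the root and is inherited by every subdirectory
# (ContainerInherit) and file (ObjectInherit) created under it later.
$Rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$Inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Type        = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $Type
$acl.SetAccessRule($rule)

# Remove the explicit Everyone entry, if present, so that only domain identities
# keep access once anonymous access to the file system has been disabled.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq "Everyone" -and -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Write the ACL to the root directory (File Explorer cannot do this, see above).
Set-Acl -Path $Root -AclObject $acl

# Verify: list the root ACEs, then confirm that an existing subdirectory now
# carries the new entry as an inherited ACE.
Get-Acl -Path $Root | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
Get-ChildItem -Path $Root -Directory | Select-Object -First 1 | ForEach-Object {
    (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.IsInherited }
}

# Cross-check with icacls; "(OI)(CI)" on the new entry shows the inheritance flags took effect.
icacls $Root
```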
