
Part three: configure directory and file level permissions over SMB

Before you begin this article, make sure you have completed the previous article, Assign share-level permissions to an identity, so that your share-level permissions are in place.

After you assign share-level permissions with Azure RBAC, you must configure proper Windows ACLs at the root, directory, or file level to take advantage of granular access control. Think of the Azure RBAC share-level permissions as the high-level gatekeeper that determines whether a user can access the share at all, while the Windows ACLs operate at a more granular level to determine what operations the user can perform on a given directory or file. Both share-level and file/directory-level permissions are enforced when a user attempts to access a file or directory, so if the two differ, only the more restrictive one applies. For example, if a user has read/write access at the file level but only read at the share level, they can only read that file. The same is true in reverse: a user with read/write access at the share level but only read at the file level can still only read the file.

Azure RBAC permissions

The following table lists the Azure RBAC permissions related to this configuration and the access that results when they are combined with a given NTFS permission:

| Built-in role                                     | NTFS permission                              | Resulting access                    |
|---------------------------------------------------|----------------------------------------------|-------------------------------------|
| Storage File Data SMB Share Reader                | Full control, Modify, Read, Write, Execute   | Read & execute                      |
| Storage File Data SMB Share Reader                | Read                                         | Read                                |
| Storage File Data SMB Share Contributor           | Full control                                 | Modify, Read, Write, Execute        |
| Storage File Data SMB Share Contributor           | Modify                                       | Modify                              |
| Storage File Data SMB Share Contributor           | Read & execute                               | Read & execute                      |
| Storage File Data SMB Share Contributor           | Read                                         | Read                                |
| Storage File Data SMB Share Contributor           | Write                                        | Write                               |
| Storage File Data SMB Share Elevated Contributor  | Full control                                 | Modify, Read, Write, Edit, Execute  |
| Storage File Data SMB Share Elevated Contributor  | Modify                                       | Modify                              |
| Storage File Data SMB Share Elevated Contributor  | Read & execute                               | Read & execute                      |
| Storage File Data SMB Share Elevated Contributor  | Read                                         | Read                                |
| Storage File Data SMB Share Elevated Contributor  | Write                                        | Write                               |

Supported permissions

Azure Files supports the full set of basic and advanced Windows ACLs. You can view and configure Windows ACLs on directories and files in an Azure file share by mounting the share and then using Windows File Explorer, running the Windows icacls command, or running the Set-ACL PowerShell cmdlet.

To configure ACLs with superuser permissions, you must mount the share by using your storage account key from your domain-joined VM. Follow the instructions in the next section to mount an Azure file share from the command prompt and to configure Windows ACLs.

The following permissions are included on the root directory of a file share (in the notation that icacls prints):

  • BUILTIN\Administrators:(OI)(CI)(F)
  • BUILTIN\Users:(RX)
  • BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
  • NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
  • NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  • NT AUTHORITY\SYSTEM:(F)
  • CREATOR OWNER:(OI)(CI)(IO)(F)
| Users                            | Definition |
|----------------------------------|------------|
| BUILTIN\Administrators           | All users who are domain administrators of the on-premises AD DS environment. |
| BUILTIN\Users                    | Built-in security group in AD. It includes NT AUTHORITY\Authenticated Users by default. On a traditional file server you can configure the membership definition per server. Azure Files has no hosting server, so BUILTIN\Users includes the same set of users as NT AUTHORITY\Authenticated Users. |
| NT AUTHORITY\SYSTEM              | The service account of the file server's operating system. Such a service account does not apply in the Azure Files context. It is included in the root directory to be consistent with the Windows file server experience in hybrid scenarios. |
| NT AUTHORITY\Authenticated Users | All users in AD that can obtain a valid Kerberos token. |
| CREATOR OWNER                    | Each object, whether directory or file, has an owner. If ACLs are assigned to "CREATOR OWNER" on that object, the user who owns the object has the permissions to it that the ACL defines. |
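The following is an added example, not Microsoft's code: it parses ACEs written in the icacls notation used for the root-directory listing above, and combines the NTFS right with the share-level role ceiling from the Azure RBAC table so that the more restrictive side wins, as the text describes. The sample ACE strings are the root entries from this page; the operation names ("read", "execute", "write", "delete", "edit") are this example's own shorthand for the table's columns, where "edit" stands for the table's Edit column, i.e. changing permissions.

```python
"""Parse icacls-style ACEs and compute effective access as the intersection
of the share-level RBAC ceiling and the NTFS grant (most restrictive wins)."""
import re

# Inheritance and propagation flags that icacls prints in parentheses.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Operations each icacls right grants: simple rights (F, M, RX, R, W) plus the
# generic rights (GA, GR, GW, GE) that appear in the root listing above.
# "edit" is this example's shorthand for the table's Edit (change permissions).
RIGHT_OPS = {
    "F": {"read", "execute", "write", "delete", "edit"},
    "GA": {"read", "execute", "write", "delete", "edit"},
    "M": {"read", "execute", "write", "delete"},
    "RX": {"read", "execute"},
    "R": {"read"}, "GR": {"read"},
    "W": {"write"}, "GW": {"write"},
    "GE": {"execute"},
}

# Ceiling imposed by the share-level Azure RBAC role (from the table above).
ROLE_CEILING = {
    "Storage File Data SMB Share Reader": {"read", "execute"},
    "Storage File Data SMB Share Contributor": {"read", "execute", "write", "delete"},
    "Storage File Data SMB Share Elevated Contributor":
        {"read", "execute", "write", "delete", "edit"},
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<groups>(?:\([^()]*\))+)$")

def parse_ace(text):
    """Return (principal, inheritance_flags, rights) for one icacls ACE line."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an icacls ACE: {text!r}")
    flags, rights = [], []
    for group in re.findall(r"\(([^()]*)\)", m.group("groups")):
        for token in group.split(","):
            (flags if token in INHERIT_FLAGS else rights).append(token)
    return m.group("principal"), flags, rights

def ntfs_ops(rights):
    """Union of the operations granted by the rights of one ACE."""
    unknown = [r for r in rights if r not in RIGHT_OPS]
    if unknown:  # fail closed rather than silently ignore a right we cannot map
        raise ValueError(f"unmapped icacls right(s): {unknown}")
    return set().union(*(RIGHT_OPS[r] for r in rights))

def effective_ops(role, ace_text):
    """Operations the user actually gets: share-level ceiling AND NTFS grant."""
    _, _, rights = parse_ace(ace_text)
    return ROLE_CEILING[role] & ntfs_ops(rights)
```

Running effective_ops over each root entry with the role a user holds shows why, for example, a Share Reader never gets write access from the Authenticated Users (M) entry, matching the first row of the table.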

Mount a file share from the command prompt

Use the Windows net use command to mount the Azure file share. Remember to replace the placeholder values in the following example with your own values. For more information about mounting file shares, see Use an Azure file share with Windows.

# Check that TCP port 445 (SMB) is reachable before attempting the mount.
$connectTestResult = Test-NetConnection -ComputerName <storage-account-name>.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded)
{
  # Mount with the storage account key so that ACLs can be set with superuser permissions.
  net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
}
else
{
  Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

If you experience issues connecting to Azure Files, refer to the troubleshooting tool we published for Azure Files mounting errors on Windows. We also provide guidance for working around scenarios in which port 445 is blocked.

Configure Windows ACLs

Once your file share has been mounted with the storage account key, you must configure the Windows ACLs (also known as NTFS permissions). You can configure the Windows ACLs using either Windows File Explorer or icacls.

If you have directories or files on on-premises file servers with Windows DACLs configured against AD DS identities, you can copy them to Azure Files while preserving the ACLs with traditional file copy tools such as Robocopy or Azure AzCopy v10.4+. If your directories and files are tiered to Azure Files through Azure File Sync, your ACLs are carried over and persisted in their native format.

Configure Windows ACLs with icacls

Use the following Windows command to grant full permissions to all directories and files under the file share, including the root directory. Remember to replace the placeholder values in the example with your own values.

icacls <mounted-drive-letter>: /grant <user-email>:(f)

For more information on how to use icacls to set Windows ACLs and on the different types of supported permissions, see the command-line reference for icacls.

Configure Windows ACLs with Windows File Explorer

Use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory. If Windows File Explorer cannot load the AD domain information correctly, this is most likely caused by the trust configuration in your on-premises AD environment: the client machine was not able to reach the AD domain controller registered for Azure Files authentication. In that case, use icacls to configure the Windows ACLs instead.

  1. Open Windows File Explorer, right-click the file or directory, and select Properties.
  2. Select the Security tab.
  3. Select Edit... to change permissions.
  4. You can change the permissions of existing users, or select Add... to grant permissions to new users.
  5. In the prompt window for adding new users, enter the target username you want to grant permissions to in the "Enter the object names to select" box, and select Check Names to resolve the full UPN of the target user.
  6. Select OK.
  7. In the Security tab, select all permissions you want to grant to the new user.
  8. Select Apply.

Next steps

Now that the feature is enabled and configured, continue to the next article, where you mount your Azure file share from a domain-joined VM.

Part four: mount a file share from a domain-joined VM