Part four: mount a file share from a domain-joined VM

Before you begin this article, make sure you have completed the previous article, configure directory and file level permissions over SMB.

The process described in this article verifies that your file share and access permissions are set up correctly and that you can access an Azure file share from a domain-joined VM. Note that a share-level Azure role assignment can take some time to take effect; if access fails immediately after assigning the role, wait and retry before troubleshooting anything else.

Sign in to the client with the AD DS credentials that you granted permissions to, as shown in the following image.

[Screenshot: the Azure AD sign-in screen showing the user authenticating]

Mounting prerequisites

Before you can mount the file share, make sure you have met the following prerequisites:

  • If you are mounting the file share from a client that has previously mounted it using the storage account key, make sure that you have disconnected the share, removed the persistent credentials for the storage account key, and are now authenticating with AD DS credentials. Otherwise Windows will silently reuse the stored key credential and the test will not prove that AD DS authentication works. For instructions on clearing a share mounted with the storage account key, see the FAQ page.
  • Your client must have line of sight to your AD DS. If your machine or VM is outside the network managed by your AD DS, you need to enable a VPN so that the client can reach a domain controller for authentication.

Replace the placeholder values with your own values, then use the following command to mount the Azure file share. You must always mount using the path shown below: mounting through a CNAME is not supported for identity-based authentication (AD DS or Azure AD DS), because the Kerberos service principal is registered for the storage account's own endpoint name.

# Always mount your share using <storage-account-name>.file.core.chinacloudapi.cn, even if you set up a private endpoint for your share.
# SMB needs TCP 445; if it is blocked, the only options are to tunnel the traffic (VPN, ExpressRoute) rather than to change the port.
$connectTestResult = Test-NetConnection -ComputerName <storage-account-name>.file.core.chinacloudapi.cn -Port 445
if ($connectTestResult.TcpTestSucceeded)
{
  # No /user: or password is supplied, so the logged-on AD DS identity is used to authenticate to the share.
  net use <desired-drive letter>: \\<storage-account-name>.file.core.chinacloudapi.cn\<fileshare-name>
}
else
{
  Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
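The following script is an added example, not part of the original article, that folds the two prerequisites and the mount into one pre-flight check and then verifies how the share was actually authenticated. It assumes the storage account, share and drive letter placeholders are filled in, that any earlier key-based mapping stored its credential under the endpoint FQDN (the usual case for `net use ... /user:`), and that the client is a Windows PowerShell session on the domain-joined VM with the SmbShare module available. The final step is the one worth keeping: a successful `net use` alone does not tell you which credential was used, whereas a Kerberos service ticket for `cifs/<endpoint>` in `klist` does.

```powershell
# Added example (not from the original article). Placeholders below are assumptions.
$StorageAccount = "<storage-account-name>"
$ShareName      = "<fileshare-name>"
$DriveLetter    = "Z"
# Identity-based auth requires the storage account's own endpoint name, never a CNAME.
$Endpoint       = "$StorageAccount.file.core.chinacloudapi.cn"
$UncPath        = "\\$Endpoint\$ShareName"

# 1. Heuristic check that we are logged on as a domain identity rather than a local account:
#    a domain logon sets USERDNSDOMAIN, and USERDOMAIN differs from the computer name.
if (-not $env:USERDNSDOMAIN -or $env:USERDOMAIN -eq $env:COMPUTERNAME) {
    throw "Not logged on with a domain account; sign in with the AD DS identity you granted permissions to."
}

# 2. Prerequisite 1: remove any mapping and stored credential left over from a
#    storage-account-key mount, otherwise Windows reuses the key silently.
$oldMapping = Get-SmbMapping -ErrorAction SilentlyContinue |
              Where-Object { $_.RemotePath -like "\\$Endpoint\*" }
if ($oldMapping) {
    Write-Warning "Removing existing mapping(s) to $Endpoint before testing AD DS authentication."
    $oldMapping | ForEach-Object { Remove-SmbMapping -RemotePath $_.RemotePath -Force }
}
# cmdkey /list prints one "Target:" line per stored credential; match on the endpoint name.
if (cmdkey /list | Select-String -SimpleMatch $Endpoint) {
    Write-Warning "Deleting stored Credential Manager entry for $Endpoint (assumed to be the storage account key)."
    cmdkey /delete:$Endpoint | Out-Null
}

# 3. Prerequisite 2: line of sight to AD DS. Locate a domain controller for this
#    computer's domain and confirm the Kerberos port (TCP 88) is reachable.
$dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
if (-not (Test-NetConnection -ComputerName $dc -Port 88 -InformationLevel Quiet)) {
    throw "Domain controller $dc is not reachable on TCP 88; enable VPN or fix routing before mounting."
}

# 4. SMB reachability to the storage endpoint, exactly as in the article.
if (-not (Test-NetConnection -ComputerName $Endpoint -Port 445 -InformationLevel Quiet)) {
    throw "Unable to reach $Endpoint on port 445. Check for ISP/org blocking, or tunnel SMB over VPN/ExpressRoute."
}

# 5. Mount without /user: or a password so the logged-on identity's Kerberos credentials are used.
net use "${DriveLetter}:" $UncPath /persistent:yes
if ($LASTEXITCODE -ne 0) {
    throw "net use failed (exit code $LASTEXITCODE); see 'Unable to mount Azure Files with AD credentials'."
}

# 6. Prove the authentication path. After a Kerberos-authenticated SMB session the client
#    cache holds a service ticket for cifs/<endpoint>; its absence means the session did not
#    use AD DS Kerberos (for example an NTLM fallback or a stored key credential).
$ticketLines = klist | Select-String -Pattern ("cifs/" + [regex]::Escape($Endpoint))
if ($ticketLines) {
    Write-Host "Mounted ${DriveLetter}: from $UncPath using an AD DS Kerberos ticket:"
    $ticketLines | ForEach-Object { Write-Host "  $($_.Line.Trim())" }
} else {
    Write-Warning "Share mounted, but no Kerberos ticket for cifs/$Endpoint was found in klist; verify the storage account identity in AD DS and its SPN."
}
```

Run it as the user whose share-level role assignment and NTFS permissions you configured in the previous articles. If step 6 warns, the mount succeeded for some other reason (most often a credential that step 2 did not catch because it was stored under a different target name), so check `cmdkey /list` again rather than treating the mount as a pass.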

If you run into issues mounting with AD DS credentials, see Unable to mount Azure Files with AD credentials for guidance.

If the file share mounts successfully with the AD DS identity, you have enabled and configured on-premises AD DS authentication for your Azure file shares.

Next steps

If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, continue to the next article for instructions on updating the password (the storage account's Kerberos key must be kept in sync with the AD DS object, or authentication will start failing after the rotation):

Update the password of your storage account identity in AD DS