articles/storage/files/storage-files-identity-ad-ds-update-password.md
3 additions & 7 deletions
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Update password for an AD DS storage account identity
3
-
description: Learn how to update the password of the Active Directory Domain Services (AD DS) identity that represents your storage account. This prevents authentication failures and keeps the storage account from being deleted when the password expires.
3
+
description: Learn how to update the password of the Active Directory Domain Services (AD DS) identity that represents your storage account.
4
4
author: khdownie
5
5
ms.service: azure-file-storage
6
6
ms.topic: how-to
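Review bot: the shortened `description` at line 3 drops the only statement of why the rotation matters (authentication failures, and deletion of the account when the password expires). That rationale survives in the body's first paragraph, so trimming the metadata is acceptable, but consider keeping a short clause such as "...before it expires to avoid authentication failures" so the page summary still conveys the risk.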
@@ -10,13 +10,9 @@ recommendations: false
10
10
---
11
11
12
12
# Update the password of your storage account identity in AD DS
13
+
When you domain join your storage account in your Active Directory Domain Services (AD DS), you create an AD principal (computer or service account) with a password that must be periodically rotated based on the policy of the organizational unit (OU) into which it is deployed. The password of the AD principal is one of the Kerberos keys of the storage account. To avoid authentication issues, including deletion of the AD principal representing the storage account by automated cleanup scripts, you should periodically rotate the password/storage account Kerberos keys. Failing to change the password before it expires could result in losing Kerberos authentication to your Azure file shares.
13
14
14
-
If you registered the Active Directory Domain Services (AD DS) identity/account that represents your storage account in an organizational unit or domain that enforces password expiration time, you must change the password before the maximum password age. Your organization may run automated cleanup scripts that delete accounts once their password expires. Because of this, if you don't change your password before it expires, your account could be deleted, which will cause you to lose access to your Azure file shares.
15
-
16
-
To prevent unintended password rotation, during the onboarding of the Azure storage account in the domain, make sure to place the Azure storage account into a separate organizational unit in AD DS. Disable Group Policy inheritance on this organizational unit to prevent default domain policies or specific password policies from being applied.
17
-
18
-
> [!NOTE]
19
-
> A storage account identity in AD DS can be either a service account or a computer account. Service account passwords can expire in Active Directory (AD); however, because computer account password changes are driven by the client machine and not AD, they don't expire in AD.
15
+
To prevent unintended password rotation, during the onboarding of the Azure storage account in the domain, you can place the Azure storage account into a separate organizational unit in AD DS that has password rotation policies disabled using Group Policy.
20
16
21
17
There are two options for triggering password rotation. You can use the `AzFilesHybrid` module or Active Directory PowerShell. Use one method, not both.
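Review bot: deleting the `[!NOTE]` at old line 19 removes a substantive distinction that nothing in the new text preserves: service account passwords can expire in AD, while computer account password changes are driven by the client and don't expire in AD. That distinction tells a reader whether the expiry and cleanup-script risk described in the paragraph above applies to their storage account identity at all, so keep the note or fold its content into the merged paragraph. Separately, the new sentence at line 15 replaces the concrete instruction "Disable Group Policy inheritance on this organizational unit" with the vaguer "has password rotation policies disabled using Group Policy"; naming the mechanism (block inheritance on the OU so default domain policies or specific password policies aren't applied) is more actionable, and the shift from "make sure to place" to "you can place" turns a recommendation into an option without saying why.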
articles/storage/files/storage-files-identity-auth-linux-kerberos-enable.md
14 additions & 14 deletions
@@ -21,7 +21,7 @@ For more information on supported options and considerations, see [Overview of A
21
21
In order to use AD DS, you must sync your AD DS to Microsoft Entra ID using Microsoft Entra Connect.
22
22
23
23
> [!NOTE]
24
-
> This article uses Ubuntu for the example steps. Similar configurations will work for RHEL and SLES machines, allowing you to mount Azure file shares using Active Directory.
24
+
> This article uses Ubuntu for the example steps. Similar configurations work for RHEL and SLES clients, allowing you to mount Azure file shares using Active Directory.
25
25
26
26
## Applies to
27
27
| Management model | Billing model | Media tier | Redundancy | SMB | NFS |
@@ -39,15 +39,15 @@ In order to use AD DS, you must sync your AD DS to Microsoft Entra ID using Micr
39
39
40
40
## Linux SMB client limitations
41
41
42
-
You can't use identity-based authentication to mount Azure File shares on Linux clients at boot time using `fstab` entries because the client can't get the Kerberos ticket early enough to mount at boot time. However, you can use an `fstab` entry and specify the `noauto` option. This won't mount the share at boot time, but it will allow a user to conveniently mount the file share after they log in using a simple mount command without all the parameters. You can also use [`autofs`](storage-how-to-use-files-linux.md?tabs=smb311#dynamically-mount-with-autofs) to mount the share upon access.
42
+
You can't use identity-based authentication to mount Azure File shares on Linux clients at boot time using `fstab` entries because the client can't get the Kerberos ticket early enough to mount at boot time. You can use an `fstab` entry and specify the `noauto` option to enable a user to mount the file share after log in using a simple mount command without all the parameters. You can also use [`autofs`](storage-how-to-use-files-linux.md?tabs=smb311#dynamically-mount-with-autofs) to mount the share upon access.
43
43
44
44
## Prerequisites
45
45
46
-
Before you enable AD authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.
46
+
Before you enable AD authentication over SMB for Azure file shares, make sure you completed the following prerequisites.
47
47
48
48
- A Linux VM running Ubuntu 18.04+, or an equivalent RHEL or SLES VM. If running on Azure, the VM must have at least one network interface on the VNET containing Microsoft Entra Domain Services. If using an on-premises VM, your AD DS must be synced to Microsoft Entra ID.
49
49
- Root user or user credentials to a local user account that has full sudo rights (for this guide, localadmin).
50
-
- The Linux VM must not have joined any AD domain. If it's already a part of a domain, it must first leave that domain before it can join this domain.
50
+
- The Linux VM is not joined already joined to another AD domain. If it's already a part of a domain, it must first leave that domain before it can join this domain.
51
51
- A Microsoft Entra tenant [fully configured](../../active-directory-domain-services/tutorial-create-instance.md), with domain user already set up.
52
52
53
53
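Review bot: the new prerequisite at line 50 has a duplicated word, "The Linux VM is not joined already joined to another AD domain"; suggest "The Linux VM isn't already joined to another AD domain." The edit at line 46 also changes "make sure you've completed" to "make sure you completed", which reads as a tense regression rather than a simplification; "you've completed" (or "you complete") is the idiomatic form. The rewrite of the `noauto` sentence at line 42 is fine.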
Installing the samba package isn't strictly necessary, but it gives you some useful tools and brings in other packages automatically, such as `samba-common` and `smbclient`. Run the following commands to install it. If you're asked for any input values during installation, leave them blank.
The `wbinfo` tool is part of the samba suite. It can be useful for authentication and debugging purposes, such as checking if the domain controller is reachable, checking what domain a machine is joined to, and finding information about users.
60
+
The `wbinfo` tool is part of the samba suite and is useful for authentication and debugging purposes, such as checking if the domain controller is reachable, checking what domain a machine is joined to, and finding information about users.
61
61
62
62
Make sure that the Linux host keeps the time synchronized with the domain server. Refer to the documentation for your Linux distribution. For some distros, you can do this [using systemd-timesyncd](https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html). Edit `/etc/systemd/timesyncd.conf` with your favorite text editor to include the following:
### Set up hostname and fully qualified domain name (FQDN)
249
249
250
-
1. Using your text editor, update the `/etc/hosts` file with the final FQDN (after joining the domain) and the alias for the host. The IP address doesn't matter for now because this line will mainly be used to translate short hostname to FQDN. For more details, see [Setting up Samba as a Domain Member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member).
250
+
1. Using your text editor, update the `/etc/hosts` file with the final FQDN (after joining the domain) and the alias for the host. The IP address doesn't matter for now because this line is mainly used to translate short hostname to FQDN. For more information, see [Setting up Samba as a Domain Member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member).
If users will be actively logging into client machines or VMs and accessing the Azure file shares, you need to [set up nsswitch.conf](#set-up-nsswitchconf) and [configure PAM for winbind](#configure-pam-for-winbind). If access will be limited to applications represented by a user account or computer account that need Kerberos authentication to access the file share, then you can skip these steps.
386
+
If you plan for users to actively log into client machines and access the Azure file shares, you need to [set up nsswitch.conf](#set-up-nsswitchconf) and [configure PAM for winbind](#configure-pam-for-winbind). If planned access is limited to applications represented by a user account or computer account that need Kerberos authentication to access the file share, you can skip these steps.
387
387
388
388
### Set up nsswitch.conf
389
389
390
-
1. Now that the host is joined to the domain, you need to put winbind libraries in the places to look for when looking for users and groups. Do this by updating the passwd and group entries in `nsswitch.conf`. Use your text editor to edit `/etc/nsswitch.conf` and add the following entries:
390
+
1. Now that the host is joined to the domain, you need to put winbind libraries in the places to look for when looking for users and groups. Use your text editor to edit `/etc/nsswitch.conf` and add the following entries:
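Review bot: the removed sentence "Do this by updating the passwd and group entries in `nsswitch.conf`" was the only text in the step that named which entries (`passwd` and `group`) winbind must be added to; the remaining "add the following entries" relies entirely on the snippet that follows. Consider keeping the named entries, for example "Update the `passwd` and `group` entries in `/etc/nsswitch.conf` as follows:".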
After you've enabled AD (or Microsoft Entra ID) Kerberos authentication and domain-joined your Linux VM, you can mount the file share.
523
+
After you enabled AD (or Microsoft Entra ID) Kerberos authentication and domain-joined your Linux VM, you can mount the file share.
524
524
525
525
For detailed mounting instructions, see [Mount the Azure file share on-demand with mount](storage-how-to-use-files-linux.md?tabs=smb311#mount-the-azure-file-share-on-demand-with-mount).
526
526
527
-
Use the following additional mount option with all access control models to enable Kerberos security: `sec=krb5`. Username and password must be omitted when sec=krb5 is in use.
527
+
Use the following mount option with all access control models to enable Kerberos security: `sec=krb5`. Username and password must be omitted when sec=krb5 is in use.
528
528
529
529
> [!NOTE]
530
530
> This feature only supports a server-enforced access control model using NT ACLs with no mode bits. Linux tools that update NT ACLs are minimal, so update ACLs through Windows. Client-enforced access control (`modefromsid,idsfromsid`) and client-translated access control (`cifsacl`) models aren't currently supported.
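Review bot: "After you enabled AD (or Microsoft Entra ID) Kerberos authentication and domain-joined your Linux VM" at line 523 is another tense regression; "After you've enabled ... and domain-joined" (or "After you enable ... and domain-join") is correct. At line 527 the first `sec=krb5` is in code font and the second is not; format both the same, since the option is a literal mount parameter.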
@@ -533,17 +533,17 @@ Use the following additional mount option with all access control models to enab
533
533
534
534
#### Single-user versus multi-user mount
535
535
536
-
In a single-user mount use case, the mount point is accessed by a single user of the AD domain and isn't shared with other users of the domain. Each file access happens in the context of the user whose krb5 credentials were used to mount the file share. Any user on the local system who accesses the mount point will impersonate that user.
536
+
In a single-user mount use case, the mount point is accessed by a single user of the AD domain and isn't shared with other users of the domain. Each file access happens in the context of the user whose krb5 credentials were used to mount the file share. Any user on the local system who accesses the mount point impersonates that user.
537
537
538
-
In a multi-user mount use case, there's still a single mount point, but multiple AD users can access that same mount point. In scenarios where multiple users on the same client will access the same share, and the system is configured for Kerberos and mounted with `sec=krb5`, consider using the `multiuser` mount option.
538
+
In a multi-user mount use case, there's still a single mount point, but multiple AD users can access that same mount point. In scenarios where multiple users on the same client access the same share, and the system is configured for Kerberos and mounted with `sec=krb5`, consider using the `multiuser` mount option.
539
539
540
540
#### File permissions
541
541
542
-
File permissions matter, especially if both Linux and Windows clients will access the file share. To convert file permissions to DACLs on files, use a default mount option such as **file_mode=<>,dir_mode=<>**. File permissions specified as **file_mode** and **dir_mode** are only enforced within the client. The server enforces access control based on the file's or directory's security descriptor.
542
+
File permissions matter, especially if both Linux and Windows clients access the file share. To convert file permissions to DACLs on files, use a default mount option such as **file_mode=<>,dir_mode=<>**. File permissions specified as **file_mode** and **dir_mode** are only enforced within the client. The server enforces access control based on the file's or directory's security descriptor.
543
543
544
544
#### File ownership
545
545
546
-
File ownership matters, especially if both Linux and Windows clients will access the file share. Choose one of the following mount options to convert file ownership UID/GID to owner/group SID on file DACL:
546
+
File ownership matters, especially if both Linux and Windows clients access the file share. Choose one of the following mount options to convert file ownership UID/GID to owner/group SID on file DACL:
547
547
548
548
- Use a default such as **uid=<>,gid=<>**
549
549
- Configure UID/GID mapping via RFC2307 and Active Directory (**nss_winbind** or **nss_sssd**)