Merge pull request #217281 from b-ahibbard/anf-nfs4.1

ACLs for NFSv4.1

Author: v-stsavell

articles/azure-netapp-files/TOC.yml

@@ -181,8 +181,10 @@
       href: create-active-directory-connections.md
     - name: Modify Active Directory connections
       href: modify-active-directory-connections.md
-    - name: Enable AD DS LDAP authentication for NFS volumes
+    - name: Configure AD DS LDAP authentication for NFS volumes
       href: configure-ldap-over-tls.md
+    - name: Join a Linux VM to an Active Directory Domain
+      href: join-active-directory-domain.md
   - name: Manage capacity pools
     items:
     - name: Set up a capacity pool
@@ -225,6 +227,8 @@
         href: azure-netapp-files-configure-export-policy.md
       - name: Configure Unix permissions and change ownership mode
         href: configure-unix-permissions-change-ownership-mode.md
+      - name: Configure access control lists for NFSv4.1
+        href: configure-access-control-lists.md
       - name: Configure network features for a volume
         href: configure-network-features.md
       - name: Configure Virtual WAN

articles/azure-netapp-files/azure-netapp-files-create-volumes.md

@@ -143,4 +143,5 @@ This article shows you how to create an NFS volume. For SMB volumes, see [Create
 * [Configure Unix permissions and change ownership mode](configure-unix-permissions-change-ownership-mode.md). 
 * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
 * [Learn about virtual network integration for Azure services](../virtual-network/virtual-network-for-azure-services.md)
-* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)
+* [Configure access control lists on NFSv4.1 with Azure NetApp Files](configure-access-control-lists.md)
+* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

articles/azure-netapp-files/configure-access-control-lists.md

@@ -0,0 +1,61 @@
+---
+title: Configure access control lists with Azure NetApp Files | Microsoft Docs
+description: This article shows you how to configure access control lists (ACLs) on NFSv4.1 with Azure NetApp Files.
+author: b-ahibbard
+ms.service: azure-netapp-files
+ms.workload: storage
+ms.topic: how-to
+ms.date: 12/20/2022
+ms.author: anfdocs
+---
+# Configure access control lists on NFSv4.1 volumes for Azure NetApp Files
+
+Azure NetApp Files supports access control lists (ACLs) on NFSv4.1 volumes. ACLs provide granular file security via NFSv4.1.
+
+ACLs contain access control entities (ACEs), which specify the permissions (read, write, etc.) of individual users or groups. When assigning user roles, provide the user email address if you're using a Linux VM joined to an Active Directory Domain. Otherwise, provide user IDs to set permissions. 
+
+## Requirements
+
+- ACLs can only be configured on NFS4.1 volumes. You can [convert a volume from NFSv3 to NFSv4.1](convert-nfsv3-nfsv41.md).
+
+- You must have two packages installed:
+    1.  `nfs-utils` to mount NFS volumes 
+    1. `nfs-acl-tools` to view and modify NFSv4 ACLs. 
+    If you do not have either, install them:
+        - On a Red Hat Enterprise Linux or SuSE Linux instance:
+        ```bash
+        sudo yum install -y nfs-utils
+        sudo yum install -y nfs4-acl-tools
+        ```
+        - On Ubuntu or Debian instance:
+        ```bash
+        sudo apt-get install nfs-common
+        sudo apt-get install nfs4-acl-tools
+        ```
+
+## Configure ACLs
+
+1. If you want to configure ACLs for a Linux VM joined to Active Directory, complete the steps in [Join a Linux VM to an Azure Active Directory Domain](join-active-directory-domain.md).
+
+1. [Mount the volume](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md).
+
+1. Use the command `nfs4_getfacl <path>` to view the existing ACL on a directory or file.
+    
+    The default NFSv4.1 ACL is a close representation of the POSIX permissions of 770.
+    - `A::OWNER@:rwaDxtTnNcCy` - owner has full (RWX) access
+    - `A:g:GROUP@:rwaDxtTnNcy` - group has full (RWX) access
+    - `A::EVERYONE@:tcy` - everyone else has no access
+
+1. To modify an ACE for a user, use the `nfs4_setfacl` command: `nfs4_setfacl -a|x A|D::<user|group>:<permissions_alias> <file>`
+    - Use `-a` to add permission. Use `-x` to remove permission.
+    - `A` creates access; `D` denies access.
+    - In an Active Directory-joined set up, enter an email address for the user. Otherwise, enter the numerical user ID.
+    - Permission aliases include read, write, append, execute, etc.
+    In the following Active Directory-joined example, user [email protected] is given read, write, and execute access to `/nfsldap/engineering`:
+    ```bash
+    nfs4_setfacl -a A::[email protected]:RWX /nfsldap/engineering
+    ```
+
+## Next steps
+
+* [Configure NFS clients](configure-nfs-clients.md)

articles/azure-netapp-files/configure-nfs-clients.md

@@ -116,7 +116,7 @@ The examples in this section use the following domain name and IP address:
 
 The following steps are optional. You need to perform the steps only if you use user mapping at the NFS client: 
 
-1. Complete all steps described in the [RHEL 8 configuration if you are using NFSv4.1 Kerberos encryption](#rhel8_nfsv41_kerberos) section.   
+1. Complete all steps described in the [RHEL 8 configuration if you are using NFSv4.1 Kerberos encryption](#rhel8_nfsv41_kerberos) section.  
 
 2. Add a static DNS record in your /etc/hosts file to use fully qualified domain name (FQDN) for your AD, instead of using the IP address in SSSD configuration file:  
 

articles/azure-netapp-files/convert-nfsv3-nfsv41.md

@@ -143,3 +143,4 @@ This section shows you how to convert the NFSv4.1 volume to NFSv3.
 
 * [Create an NFS volume for Azure NetApp Files](azure-netapp-files-create-volumes.md)
 * [Mount or unmount a volume](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md)
+* [Configure access control lists on NFSv4.1 with Azure NetApp Files](configure-access-control-lists.md)

articles/azure-netapp-files/join-active-directory-domain.md

@@ -0,0 +1,63 @@
+---
+title: Join a Linux VM to an Azure Active Directory Domain | Microsoft Docs
+description: Describes how to join a Linux VM to an Azure Active Directory Domain
+services: azure-netapp-files
+documentationcenter: ''
+author: b-ahibbard
+manager: ''
+editor: ''
+
+ms.assetid:
+ms.service: azure-netapp-files
+ms.workload: storage
+ms.tgt_pltfrm: na
+ms.topic: how-to
+ms.date: 12/20/2022
+ms.author: anfdocs
+---
+
+# Join a Linux VM to an Azure Active Directory Domain
+
+Joining a Linux virtual machine (VM) to an [Azure Active Directory Domain Services (Azure AD DS)](../active-directory-domain-services/overview.md) managed domain enables users to sign into to VMs with one set of credentials. Once joined, the user accounts and credentials can be used to sign in, access, and manage servers. 
+
+Refer to [Understand guidelines for Active Directory Domain Services site design and planning](understand-guidelines-active-directory-domain-service-site.md) to learn more about using Active Directory in Azure NetApp Files. 
+
+## Steps
+
+1. Configure `/etc/resolv.conf` with the proper DNS server.  
+
+    For example:  
+
+    `[root@reddoc cbs]# cat /etc/resolv.conf`   
+    `search contoso.com`   
+    `nameserver 10.6.1.4(private IP)`   
+
+2. Add the NFS client record in the DNS server for the DNS forward and reverse lookup zone.
+
+3. To verify DNS, use the following commands from the NFS client:   
+
+    `# nslookup [hostname/FQDN of NFS client(s)]`   
+    `# nslookup [IP address of NFS client(s)]`
+
+4. Install packages:   
+
+    `yum update`   
+    `sudo yum -y install realmd sssd adcli samba-common krb5-workstation chrony nfs-utils`
+
+5.	Configure the NTP client.  
+
+    RHEL 8 uses chrony by default. Following the configuration guidelines in [Using the `Chrony` suite to configure NTP](https://access.redhat.com/documentation/en-us/red-hat-enterprise-linux/8/guide/6c230de2-39f1-455a-902d-737eea31ad34).
+
+6.	Join the Active Directory domain:  
+
+    `sudo realm join $DOMAIN.NAME -U $SERVICEACCOUNT --computer-ou="OU=$YOUROU"`
+
+    For example: 
+
+    `sudo realm join CONTOSO.COM -U ad_admin --computer-ou="CN=Computers"`
+
+## Next steps
+
+* [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](understand-guidelines-active-directory-domain-service-site.md)
+* [Modify an Active Directory Connection](modify-active-directory-connections.md)
+* [Configure access control lists for NFSv4.1 volumes](configure-access-control-lists.md)