
Commit 805025e

YunZhou-MSYun Zhou
andauthored
Yunzho/sam2 (#98)
* Support SamAccountName and AccountType * Integrate Az.Storage 4.3.0 Co-authored-by: Yun Zhou <yunzho@microsoft.com>
1 parent 4fbd7a9 commit 805025e


1 file changed

+58
-35
lines changed


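--- a/AzFilesHybrid/AzFilesHybrid.psm1
+++ b/AzFilesHybrid/AzFilesHybrid.psm1
@@ -883,13 +883,13 @@ function Request-AzPowerShellModule {
 
 $storageModule = Get-Module -Name Az.Storage -ListAvailable | `
 Where-Object {
-$_.Version -ge [Version]::new(2,0,0)
+$_.Version -ge [Version]::new(4,3,0)
 }
 
 # Do should process if modules must be installed
 if ($null -eq $azModule -or $null -eq $storageModule) {
 $caption = "Install Azure PowerShell modules"
-$verboseConfirmMessage = "This module requires Azure PowerShell (`"Az`" module) 2.8.0+ and Az.Storage 2.0.0+. This can be installed now if you are running as an administrator."
+$verboseConfirmMessage = "This module requires Azure PowerShell (`"Az`" module) 2.8.0+ and Az.Storage 4.3.0+. This can be installed now if you are running as an administrator."
 
 if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
 if (!(Get-IsElevatedSession)) {
@@ -926,7 +926,7 @@ function Request-AzPowerShellModule {
 -Repository PSGallery `
 -AllowClobber `
 -Force `
--MinimumVersion "2.0.0" `
+-MinimumVersion "4.3.0" `
 -SkipPublisherCheck `
 -ErrorAction Stop
 }
@@ -941,7 +941,7 @@ function Request-AzPowerShellModule {
 
 $storageModule = ,(Get-Module -Name Az.Storage -ListAvailable | `
 Where-Object {
-$_.Version -ge [Version]::new(2,0,0)
+$_.Version -ge [Version]::new(4,3,0)
 } | `
 Sort-Object -Property Version -Descending)
 
@@ -2379,7 +2379,10 @@ function New-ADAccountForStorageAccount {
 [string]$ObjectType = "ComputerAccount",
 
 [Parameter(Mandatory=$false, Position=6)]
-[switch]$OverwriteExistingADObject
+[switch]$OverwriteExistingADObject,
+
+[Parameter(Mandatory=$false, Position=7)]
+[string]$SamAccountName
 )
 
 Assert-IsWindows
@@ -2513,6 +2516,12 @@ function New-ADAccountForStorageAccount {
 Write-Verbose -Message "Overwriting an existing AD $ObjectType object $ADObjectName with a Service Principal Name of $spnValue in domain $Domain."
 }
 
+if ([System.String]::IsNullOrEmpty($SamAccountName)) {
+$SamAccountName = $ADObjectName
+}
+
+Write-Verbose -Message "AD object name is $ADObjectName, SamAccountName is $SamAccountName."
+
 # Create the identity in Active Directory.
 try
 {
@@ -2528,7 +2537,7 @@ function New-ADAccountForStorageAccount {
 Set-ADUser -Instance $userSpnMatch -ErrorAction Stop
 } else {
 New-ADUser `
--SamAccountName $ADObjectName `
+-SamAccountName $SamAccountName `
 -Path $path `
 -Name $ADObjectName `
 -AccountPassword $fileServiceAccountPwdSecureString `
@@ -2555,7 +2564,7 @@ function New-ADAccountForStorageAccount {
 Set-ADComputer -Instance $computerSpnMatch -ErrorAction Stop
 } else {
 New-ADComputer `
--SAMAccountName $ADObjectName `
+-SAMAccountName $SamAccountName `
 -Path $path `
 -Name $ADObjectName `
 -AccountPassword $fileServiceAccountPwdSecureString `
@@ -3736,7 +3745,9 @@ function Set-StorageAccountDomainProperties {
 ForestName=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.ForestName) `
 DomainGuid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainGuid) `
 DomainSid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainSid) `
-AzureStorageSid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.AzureStorageSid)" `
+AzureStorageSid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.AzureStorageSid) `
+SamAccountName=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.SamAccountName) `
+AccountType=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.AccountType)" `
 -ErrorAction Stop
 }
 
@@ -3758,24 +3769,43 @@ function Set-StorageAccountDomainProperties {
 -Domain $Domain `
 -ErrorAction Stop
 $azureStorageSid = $azureStorageIdentity.SID.Value
-
+$samAccountName = $azureStorageIdentity.SamAccountName.TrimEnd("$")
 $domainGuid = $domainInformation.ObjectGUID.ToString()
 $domainName = $domainInformation.DnsRoot
 $domainSid = $domainInformation.DomainSID.Value
 $forestName = $domainInformation.Forest
 $netBiosDomainName = $domainInformation.DnsRoot
+$accountType = ""
+
+switch ($azureStorageIdentity.ObjectClass) {
+"computer" {
+$accountType = "Computer"
+}
+"user" {
+$accountType = "User"
+}
+Default {
+Write-Error `
+-Message ("AD object $ADObjectName is of unsupported object class " + $azureStorageIdentity.ObjectClass + ".") `
+-ErrorAction Stop
+}
+}
 
 Write-Verbose "Setting AD properties on $StorageAccountName in $ResourceGroupName : `
 EnableActiveDirectoryDomainServicesForFile=$true, ActiveDirectoryDomainName=$domainName, `
 ActiveDirectoryNetBiosDomainName=$netBiosDomainName, ActiveDirectoryForestName=$($domainInformation.Forest) `
 ActiveDirectoryDomainGuid=$domainGuid, ActiveDirectoryDomainSid=$domainSid, `
-ActiveDirectoryAzureStorageSid=$azureStorageSid"
+ActiveDirectoryAzureStorageSid=$azureStorageSid, `
+ActiveDirectorySamAccountName=$samAccountName, `
+ActiveDirectoryAccountType=$accountType"
 
 Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName `
 -EnableActiveDirectoryDomainServicesForFile $true -ActiveDirectoryDomainName $domainName `
 -ActiveDirectoryNetBiosDomainName $netBiosDomainName -ActiveDirectoryForestName $forestName `
 -ActiveDirectoryDomainGuid $domainGuid -ActiveDirectoryDomainSid $domainSid `
--ActiveDirectoryAzureStorageSid $azureStorageSid
+-ActiveDirectoryAzureStorageSid $azureStorageSid `
+-ActiveDirectorySamAccountName $samAccountName `
+-ActiveDirectoryAccountType $accountType
 }
 
 Write-Verbose "Set-StorageAccountDomainProperties: Complete"
@@ -3881,7 +3911,7 @@ function Test-AzStorageAccountADObjectPasswordIsKerbKey {
 $domainDns = $activeDirectoryProperties.DomainName
 $domain = Get-ADDomain -Server $domainDns
 
-$userName = $domain.NetBIOSName + "\" + $adObj.Name
+$userName = $domain.NetBIOSName + "\" + $adObj.SamAccountName
 
 $oneKeyMatches = $false
 $keyMatches = [KerbKeyMatch[]]@()
@@ -4263,14 +4293,16 @@ function Update-AzStorageAccountAuthForAES256 {
 -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop
 $domain = $activeDirectoryProperties.DomainName
 
-if (($adObject.ObjectClass -ine "computer") -or ($adObject.SamAccountName.TrimEnd("$") -ine $StorageAccountName)) {
+if ($adObject.ObjectClass -ine "computer") {
 $message = "Removing object '$($adObject.DistinguishedName)' of type '$adObject.ObjectClass' from domain '$domain'." `
 + " AES256 is only supported for computer objects."
 Write-Verbose -Message $message
 
 Remove-ADObject -Identity $adObject.DistinguishedName -Server $domain -Confirm:$false -ErrorAction Stop
 
 $organizationalUnitDistinguishedName = $adObject.DistinguishedName.Substring($adObject.DistinguishedName.IndexOf(',') + 1)
+$adObjectName = $adObject.Name
+$samAccountName = $adObject.SamAccountName.TrimEnd("$")
 
 $message = "Join storage account '$StorageAccountName' to domain '$domain'" `
 + " as a computer object under '$organizationalUnitDistinguishedName'"
@@ -4279,7 +4311,8 @@ function Update-AzStorageAccountAuthForAES256 {
 Join-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName `
 -Domain $domain -DomainAccountType "ComputerAccount" `
 -OrganizationalUnitDistinguishedName $organizationalUnitDistinguishedName `
--ADObjectNameOverride $StorageAccountName -ErrorAction Stop
+-ADObjectNameOverride $adObjectName -SamAccountName $samAccountName `
+-ErrorAction Stop
 
 $adObject = Get-AzStorageAccountADObject -ResourceGroupName $ResourceGroupName `
 -StorageAccountName $StorageAccountName -ErrorAction Stop
@@ -4375,7 +4408,10 @@ function Join-AzStorageAccount {
 [switch]$OverwriteExistingADObject,
 
 [Parameter(Mandatory=$false, Position=7)]
-[System.Collections.Generic.HashSet[string]]$EncryptionType = @("RC4","AES256")
+[System.Collections.Generic.HashSet[string]]$EncryptionType = @("RC4","AES256"),
+
+[Parameter(Mandatory=$false, Position=8)]
+[string]$SamAccountName
 )
 
 begin {
@@ -4406,30 +4442,16 @@ function Join-AzStorageAccount {
 $ResourceGroupName = $StorageAccount.ResourceGroupName
 }
 
-if ($EncryptionType -contains "AES256") {
-if ($PSBoundParameters.ContainsKey("ADObjectNameOverride") -and ($ADObjectNameOverride -ine $StorageAccountName)) {
-$message = "Parameter -ADObjectNameOverride '$ADObjectNameOverride' is different from storage account" `
-+ " name '$StorageAccountName'. It cannot be used as the SamAccountName to create an Active Directory object" `
-+ " for the storage account. Azure Files will be supporting AES256 encryption for Kerberos tickets," `
-+ " which requires that the SamAccountName match the storage account name."
-Write-Error -Message $message -ErrorAction Stop
-}
-if ($StorageAccountName.Length -gt 15) {
-$message = "Parameter -StorageAccountName '$StorageAccountName' has more than 15 characters," `
-+ " which is not supported to be used as the SamAccountName to create an Active Directory object" `
-+ " for the storage account. Azure Files will be supporting AES256 encryption for Kerberos tickets," `
-+ " which requires that the SamAccountName match the storage account name. Please consider using" `
-+ " a storage account with a shorter name."
-Write-Error -Message $message -ErrorAction Stop
-}
+if (!$PSBoundParameters.ContainsKey("ADObjectNameOverride")) {
+$ADObjectNameOverride = $StorageAccountName
 }
 
-if (!$PSBoundParameters.ContainsKey("ADObjectNameOverride")) {
+if (!$PSBoundParameters.ContainsKey("SamAccountName")) {
 if ($StorageAccountName.Length -gt 15) {
 $randomSuffix = Get-RandomString -StringLength 5 -AlphanumericOnly
-$ADObjectNameOverride = $StorageAccountName.Substring(0, 10) + $randomSuffix
+$SamAccountName = $StorageAccountName.Substring(0, 10) + $randomSuffix
 } else {
-$ADObjectNameOverride = $StorageAccountName
+$SamAccountName = $StorageAccountName
 }
 }
 
@@ -4455,7 +4477,8 @@ function Join-AzStorageAccount {
 "ADObjectName" = $ADObjectNameOverride;
 "StorageAccountName" = $StorageAccountName;
 "ResourceGroupName" = $ResourceGroupName;
-"ObjectType" = $DomainAccountType
+"ObjectType" = $DomainAccountType;
+"SamAccountName" = $SamAccountName
 }
 
 if ($PSBoundParameters.ContainsKey("Domain")) {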
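Review bot: In the Join-AzStorageAccount hunk (@@ -4406,30 +4442,16 @@) the removed block rejected a SamAccountName longer than 15 characters, but the new code only bounds the auto-generated value inside the `!$PSBoundParameters.ContainsKey("SamAccountName")` branch, so a caller-supplied `-SamAccountName` of any length now reaches `New-ADComputer -SAMAccountName $SamAccountName` in New-ADAccountForStorageAccount unchecked. I would keep the explicit case covered, e.g. `if ($SamAccountName.Length -gt 15) { Write-Error -Message "Parameter -SamAccountName '$SamAccountName' has more than 15 characters, which is not supported as the SamAccountName of the storage account's AD object." -ErrorAction Stop }` placed after the defaulting block. The AES256 requirement that the SamAccountName match the storage account name is also dropped without explanation; presumably the Az.Storage 4.3.0 `-ActiveDirectorySamAccountName` parameter makes it unnecessary, and a one-line comment stating that would save the next reader from re-adding the check. In the Set-StorageAccountDomainProperties hunk (@@ -3758,24 +3769,43 @@) the Default branch's error message interpolates `$ADObjectName`, which is not assigned anywhere in the visible hunk — confirm it is a parameter of that function, otherwise the message prints an empty name. Both functions start and end outside their hunks.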
