Written using CentOS 6, Windows 2012 Active Directory
This guide was written assuming you already have Kerberos authentication working. In this post I will describe how to mount a Windows CIFS share from a Linux system using Kerberos authentication against a Windows Active Directory domain. In addition, the user's credentials will be stored securely in a keytab file.
Step 1. Verify you can get a Kerberos ticket

kinit testuser1@CORP.COMPANY.NET
Password for testuser1@CORP.COMPANY.NET:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@CORP.COMPANY.NET

Valid starting     Expires            Service principal
03/05/15 13:57:02  03/05/15 23:57:02  krbtgt/CORP.COMPANY.NET@CORP.COMPANY.NET
        renew until 03/12/15 14:57:02
Step 2. Run kdestroy to clear the Kerberos cache

kdestroy
Step 3. Create a keytab file, which will be used to store your credentials in an encrypted format. Later we will use the keytab file to get your Kerberos ticket.
-k specifies the keytype
-e specifies the encryption type
wkt writes the keytab file
[user1@vm01 ~]$ ktutil
ktutil: addent -password -p testuser1@CORP.COMPANY.NET -k 1 -e aes256-cts
Password for testuser1@CORP.COMPANY.NET: [enter your password]
ktutil: wkt testuser1.keytab
ktutil: quit
Step 4. Edit the auto.misc file and enter the share path
vim /etc/auto.misc
share01 -fstype=cifs,rw,noperm,sec=krb5 ://fileserver/share01
Step 5. Create a crontab entry for root to refresh the Kerberos ticket every 12 hours
crontab -e
CRON will run at 1AM and 1PM to refresh the Kerberos ticket
0 1,13 * * * /usr/bin/kinit testuser1@CORP.COMPANY.NET -k -t /root/testuser1.keytab
Step 6. Wait for the crontab to run and verify that a Kerberos ticket is received.
klist
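The cron entry in Step 5 runs kinit blindly. As an added example (not part of the original post), the script below wraps that refresh: it refuses to use a keytab whose mode or owner is wrong, renews the ticket from the keytab, and confirms the cache holds a valid ticket with klist -s. The principal and keytab path are the ones assumed in this guide; override them with the PRINCIPAL and KEYTAB environment variables.

```shell
#!/bin/sh
# Refresh a Kerberos TGT from a keytab and verify the result.
# Assumed defaults mirror the guide; adjust for your own principal and path.
PRINCIPAL="${PRINCIPAL:-testuser1@CORP.COMPANY.NET}"
KEYTAB="${KEYTAB:-/root/testuser1.keytab}"

# The keytab holds the account's long-term key, so it must be readable only
# by the owner (mode 0600 or 0400) and owned by the user running the refresh
# (root, when invoked from root's crontab). Returns 0 if acceptable, 1 if not.
check_keytab_perms() {
    keytab="$1"
    [ -f "$keytab" ] || return 1
    mode=$(stat -c '%a' "$keytab" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$keytab" 2>/dev/null) || return 1
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# klist -s exits 0 only when the cache has a valid, unexpired ticket.
ticket_valid() {
    klist -s 2>/dev/null
}

# Obtain a fresh ticket non-interactively (-k -t) and confirm it is usable.
renew_ticket() {
    if ! check_keytab_perms "$KEYTAB"; then
        echo "refusing to use $KEYTAB: bad owner or mode (want 0600, owned by $(id -un))" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    ticket_valid
}

# Run the refresh only when invoked as: sh refresh-ticket.sh refresh
if [ "${1:-}" = "refresh" ]; then
    renew_ticket
fi
```

Point the crontab line from Step 5 at this script with the refresh argument so a bad keytab or a failed kinit produces an error in the cron mail instead of a silently stale cache.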