Setup Linux CIFS AutoFS (automount) using kerberos authentication

Written using CentOS 6, Windows 2012 Active Directory
This guide was written assuming you already have Kerberos authentication working. In this post I will describe how to mount a Windows CIFS share from a Linux system using Kerberos authentication to a Windows Active Directory domain. In addition, the users credentials will be stored securely in a keytab file.

Step 1. verify you can get a Kerberos ticket

kinit testuser1@CORP.COMPANY.NET
Password for testuser1@CORP.COMPANY.NET:
klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@CORP.COMPANY.NET

Valid starting     Expires            Service principal
03/05/15 13:57:02  03/05/15 23:57:02  krbtgt/CORP.COMPANY.NET@CORP.COMPANY.NET
        renew until 03/12/15 14:57:02

Step 2. Run kdestory to clear the Kerberos cache

kdestory

Step 3. Create a keytab file which will be used to store your credentials in an encrypted format. Later we will use the keytab file to get your Kerberos ticket

-k specifies the keytype
-e specifies the encryption type
wkt writes the keytab file

[user1@vm01 ~]$ ktutil
    ktutil:  addent -password -p testuser1@CORP.COMPANY.NET -k 1 -e aes256-cts
    Password for testuser1@CORP.COMPANY.NET: [enter your password]
    ktutil:  wkt testuser1.keytab
    ktutil:  quit

Step 4. Edit the auto.misc file, enter the share path

vim /etc/auto.misc
share01             -fstype=cifs,rw,noperm,sec=krb5 ://fileserver/share01

Step 5. Create a crontab entry for root to refresh the Kerberos ticket every 12 hours

crontab -e

CRON will run at 1AM and 1PM to refresh the Kerberos ticket

0 1,13 * * *       /usr/bin/kinit testuser1@CORP.COMPANY.NET -k -t /root/testuser1.keytab

Step 6. Wait for the crontab to run and verify that a Kerberos ticket is received.

klist 
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s