
When a Linux machine joins a domain, a computer account is created in Active Directory.

Can this account be used to mount a network share with cifs and Kerberos?

  • First, you'll need to set up Kerberos SSO using a keytab file. Once that's in place, follow the scenario here which matches your use case: centrify.force.com/support/Article/….
    – T-Heron
    Commented Jun 7, 2021 at 1:03
  • @T-Heron Are you sure it can work with a machine account only? When I run klist I see my user's ticket, not the machine's.
    – bbigras
    Commented Jun 9, 2021 at 19:03
  • klist -li 0x3e7 ---> will give you a list of the system account’s tickets
    – T-Heron
    Commented Jun 9, 2021 at 23:39
  • @T-Heron I only see my user in the list (in the Principal name column).
    – bbigras
    Commented Jun 11, 2021 at 14:10
  • That's because klist -li does a completely different thing in Windows; using klist -li 0x3e7 on Linux is outright meaningless.
    Commented Jun 18, 2021 at 20:00

1 Answer

Make sure root (uid 0) has a Kerberos ticket cache for the machine account – the tickets can be acquired using the system keytab, e.g. with kinit -k. However, to automatically maintain and renew them, you might need to run kstart as a system daemon. (It is not enough to just call kinit on startup, as valid tickets will be necessary whenever the connection is lost and re-established, e.g. if the SMB server gets rebooted.)

[Service]
# k5start puts itself in the background (-b), so systemd must treat it as forking
Type=forking
# -f keytab, -U take the principal from the keytab, -k cache file, -o cache owner,
# -b background, -K check and renew every 60 minutes, -v verbose, -L log to syslog
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -U -k /tmp/krb5cc_0 -o root -b -K 60 -v -L

Oh, and make sure that the system actually has a Kerberos keytab for its machine account. (Use klist -k to check the keytab's contents.) SSSD/adcli joins will always have one at /etc/krb5.keytab, but joining using Samba might not generate one by default.

Once root has a ticket cache, you should be able to just mount SMB with -o sec=krb5,multiuser, and as root is performing the mount, its tickets will be used. This should work from /etc/fstab all the same, as long as you ensure that the 'kstart' service does its job earlier than the SMB mounts are attempted, e.g. by using the fstab option x-systemd.requires=kstart.service.

  • Note that individual users still need to provide valid Kerberos tickets to access the share. If you want users/scripts to run without providing tickets themselves, delegation and impersonation are required. Commented Nov 16, 2023 at 6:42
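A small preflight script for the setup described in this answer, added here as an example (it is not from the answer or its author): it checks that the keytab lists a machine principal, that root's ticket cache holds a TGT, and that the fstab line uses sec=krb5 and is ordered after kstart.service. The hostnames, the realm EXAMPLE.TEST and the sample tool outputs are constructed; the cache path /tmp/krb5cc_0 follows the answer.

```shell
#!/bin/sh
# Preflight checks for the k5start + cifs setup from the answer above.
# Added example, not from the original post; hostnames, realm and paths in
# the samples are made up. Checks take command output as text so they can
# run offline on the samples below or live via preflight_live (as root).

# 1. klist -k output lists a machine principal (host/<fqdn>@REALM or NAME$@REALM).
keytab_has_machine_principal() {
    printf '%s\n' "$1" |
        grep -Eq '^ *[0-9]+ +(host/[^@ ]+|[^/@ ]+\$)@[A-Z0-9.-]+ *$'
}

# 2. Root's cache (klist output) holds a TGT, krbtgt/REALM@REALM; the cifs
#    module needs it to obtain a cifs/<server> service ticket on (re)connect.
cache_has_tgt() {
    printf '%s\n' "$1" | grep -Eq ' krbtgt/[A-Z0-9.-]+@[A-Z0-9.-]+ *$'
}

# 3. The fstab line is cifs, uses sec=krb5 and is ordered after kstart.service.
fstab_line_ok() {
    set -- $1                          # split the line into fstab fields
    [ "${3:-}" = cifs ] || return 1
    opts=",${4:-},"
    case $opts in *,sec=krb5,*) ;; *) return 1 ;; esac
    case $opts in *,x-systemd.requires=kstart.service,*) ;; *) return 1 ;; esac
}

# Live variant using the real tools (MIT Kerberos); only runs when called.
preflight_live() {
    keytab_has_machine_principal "$(klist -k /etc/krb5.keytab 2>/dev/null)" &&
    cache_has_tgt "$(klist -c /tmp/krb5cc_0 2>/dev/null)" &&
    fstab_line_ok "$(grep -E '^[^#].* cifs ' /etc/fstab | head -n 1)"
}

# Constructed sample inputs in the format the tools print.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------
   3 host/fileclient.example.test@EXAMPLE.TEST
   3 FILECLIENT$@EXAMPLE.TEST'
SAMPLE_CACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/fileclient.example.test@EXAMPLE.TEST

Valid starting       Expires              Service principal
06/18/2021 20:00:00  06/19/2021 06:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'
SAMPLE_FSTAB='//fileserver.example.test/data /mnt/data cifs sec=krb5,multiuser,x-systemd.requires=kstart.service 0 0'
keytab_has_machine_principal "$SAMPLE_KEYTAB" && echo "keytab: ok" || echo "keytab: no machine principal"
cache_has_tgt "$SAMPLE_CACHE" && echo "cache: ok" || echo "cache: no TGT for root"
fstab_line_ok "$SAMPLE_FSTAB" && echo "fstab: ok" || echo "fstab: fix sec=/ordering"
```

Run it as root with `preflight_live` to check a real host; a failing keytab check usually means the Samba join did not write /etc/krb5.keytab, as the answer warns.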
