Mount a Samba share using Kerberos ticket

linux ubuntu mount samba kerberos
25,554

Solution 1

If you are signing in with a windows domain user a Kerberos ticket is already requested. You can test it by executing klist.

To reuse this ticket you have to add user and cruid option to your mount order. This way you do not have to enter any credentials again.

sudo mount -t cifs -o user=$USER,cruid=$USER,sec=krb5 //domain/path /home/path

To mount the share with your user as owner (and thus with write permission) add the gid and uid options.

sudo mount -t cifs -o user=$USER,cruid=$USER,sec=krb5,gid=$GID,uid=$UID //domain/path /home/path

You get your $GID by running id -g $USER and your $UID by id -u $USER.

It may be that you have to apt-get install keyutils to get this working.

Solution 2

First, try -o vers=1. The kernel's SMB2 client has only very recently gained Kerberos support – in Ubuntu 14.04, only the 4.4.x kernel will have it.

Second, check if the request-key and cifs.upcall binaries are installed and that the latter is mentioned in /etc/request-key.conf (or /etc/request-key.d/):

create cifs.spnego * * /usr/bin/cifs.upcall %k

Finally, check the system log (/var/log/debug or journalctl -b) for messages from cifs.upcall, and make sure it is looking for your tickets in the correct place. It doesn't actually know which process is accessing the share and what $KRB5CCNAME it has, so it needs to guess a few common places.

In fact, if you run mount via sudo, the mounting process (running as uid 0) won't have any tickets by default; a separate sudo kinit may be required.

Share:
25,554

Related videos on Youtube

mbalint987
Author by

mbalint987

Updated on September 18, 2022

Comments

  • mbalint987
    mbalint987 over 1 year

    I have a Samba server (which is the domain controller), and a Ubuntu 14.04 Client with a logged user who is authenticated by Kerberos (the client joined to domain with Likewise). The user want to access a network share with this command:

    mount.cifs //DOMAIN/PATH /HOME/USER/PATH -o sec=krb5

    But with (or without) 'sec' parameter, the mount command prompts for password. If I type my password, I can mount the share, but I want to mount without password.

    How can I do it with my valid Kerberous ticket?

  • mbalint987
    mbalint987 almost 8 years
    Now things are better, but it doesn't work yet. It prints: mount error(126): Requried key not found. But if I run klist, the command run successfully.
  • mbalint987
    mbalint987 almost 8 years
    "echo $KRB5CCNAME" command is prints nothing to console.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What's the difference between "file_mode,dir_mode" and "gid" when mounting a CIFS share?
Samba file sharing on Ubuntu doesn't mask or force permissions for new files
Ubuntu mount point does not exist
Samba: configuring a share with write permissions for everyone, mapped as a specific user
Permission on a symlinked directory in a Samba share
How to get Ubuntu 12.04 to recognize the UDF filesystem?
Automount CIFS shares: errors at the start of system
[mntent]: line 15 in /etc/fstab is bad
Mysterious 'Device or resource busy" message
What is the correct way to configure a Linux installation's partition system?