Red Hat Linux, CentOS, Oracle Linux, Scientific Linux, SUSE Linux, openSUSE
Service
Centrify Infrastructure Services
000018311
Question:
There is a need to mount a CIFS share. Due to security restrictions, leaving clear-text passwords on the servers is not permitted. How can a CIFS share be mounted using Kerberos?
Answer:
1. A time skew greater than five minutes between the Linux system and the Domain Controller, or improper DNS configuration, will cause this procedure to fail. Ensure that DNS and time on the server are configured accordingly. If there is no internal NTP source for the server, using the Domain Controller as the NTP server for the Linux system is recommended.
2. In the directory /etc/request-key.d, create the file cifs.spnego.conf if it does not already exist, then add the following line:
create cifs.spnego * * /usr/sbin/cifs.upcall %k
3. In the directory /etc/request-key.d, create the file dns_resolver.conf if it does not already exist, then add the following line:
create dns_resolver * * /usr/sbin/cifs.upcall %k
4. Confirm a Kerberos credential exists with the command /usr/share/centrifydc/kerberos/bin/klist. The output here shows a valid Kerberos credential (a krbtgt ticket):
Valid starting       Expires              Service principal
07/31/19 15:33:35    08/01/19 01:33:35    krbtgt/RESOURCE.CENTRIFY.LAB@RESOURCE.CENTRIFY.LAB
        renew until 08/01/19 15:33:36
5. Mount the share:
mount -t cifs -o sec=krb5 //<winserverFQDN>/<shareDrive> /<mountPoint>
Note:
1) It is important that the CIFS server's computer object in Active Directory has a 'cifs/<serverFQDN>' servicePrincipalName (SPN) in its attributes.
2) For setting up Kerberos SSO using a keytab file, please read knowledge base article KB-9939.
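The steps above, collected into a small POSIX shell script as an added example (this is not part of the Centrify article). It writes the two request-key rules idempotently, checks that the server name resolves, confirms a krbtgt ticket is present in the klist output before attempting the mount, and then issues the same mount command as step 5. Assumptions not taken from the article: the request-key directory and klist path are read from the variables REQUEST_KEY_DIR and KLIST so the functions can be exercised against a scratch directory, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Centrify KB article: steps 1-5 as functions.
# Assumptions (not from the article): REQUEST_KEY_DIR and KLIST may be
# overridden so the config functions can be tested on a scratch directory.
REQUEST_KEY_DIR="${REQUEST_KEY_DIR:-/etc/request-key.d}"
KLIST="${KLIST:-/usr/share/centrifydc/kerberos/bin/klist}"

# ensure_upcall_line FILE KEYTYPE
# Creates $REQUEST_KEY_DIR/FILE if missing and appends the "create" rule for
# KEYTYPE unless an identical line is already present (steps 2 and 3).
ensure_upcall_line() {
    file="$REQUEST_KEY_DIR/$1"
    line="create $2 * * /usr/sbin/cifs.upcall %k"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Both key types handed to cifs.upcall by the kernel request-key mechanism.
configure_request_key() {
    ensure_upcall_line cifs.spnego.conf cifs.spnego
    ensure_upcall_line dns_resolver.conf dns_resolver
}

# has_tgt KLIST_OUTPUT: succeeds when the output lists a krbtgt/ ticket,
# i.e. a TGT that cifs.upcall can use to obtain the cifs/ service ticket.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# preflight SERVER_FQDN: the DNS half of step 1. Clock skew cannot be
# measured offline here; verify it against the Domain Controller with NTP.
preflight() {
    getent hosts "$1" >/dev/null || { echo "cannot resolve $1 in DNS" >&2; return 1; }
}

# mount_share SERVER_FQDN SHARE MOUNTPOINT: steps 2-5 in order.
mount_share() {
    server="$1"; share="$2"; mnt="$3"
    [ "$(id -u)" -eq 0 ] || { echo "mount_share must run as root" >&2; return 1; }
    preflight "$server" || return 1
    configure_request_key
    # The upcall uses the credential cache of the user requesting the mount,
    # so the TGT must be visible to this session (step 4).
    out="$("$KLIST" 2>/dev/null)" || { echo "no Kerberos credential cache" >&2; return 1; }
    has_tgt "$out" || { echo "no krbtgt ticket in cache" >&2; return 1; }
    mount -t cifs -o sec=krb5 "//$server/$share" "$mnt"
}

# Usage (placeholders as in the article):
#   mount_share <winserverFQDN> <shareDrive> /<mountPoint>
```

The script never stores a password: the only secret involved is the Kerberos ticket already held by the session, which is why the krbtgt check runs before mount. If root is mounting on behalf of another user whose credential cache holds the ticket, mount.cifs accepts a cruid= option naming that user; that option is documented in the mount.cifs manual and is not part of the article's procedure.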