Mount Windows CIFS share on Linux server using kerberos keytab

Use a Kerberos ticket obtained from a keytab to mount CIFS shares on a Linux server. You do not need to know the password for the account, nor have the password stored in a file.

Create the keytab file for the account my-account. This step must be completed by a Domain Admin on a domain controller:

C:\>ktpass -princ my-account -mapuser my-account -pass password -crypto ALL -out "C:\my-account.keytab" -pType KRB5_NT_PRINCIPAL

Copy the keytab file to the Linux server as /etc/my-account.keytab.

Determine the UID and GID of my-account:

[root@server1 etc]# id my-account
uid=16861554(my-account) gid=16861554(my-account) groups=16861554(my-account)

Add this line to /etc/fstab, replacing the uid and gid values with the ones for my-account:

//server3/share/myshare /opt/myshare cifs sec=krb5,uid=16861554,gid=16861554 0 0

Create the file /my-account/kerberos_renewal.sh, paste the script below into it and modify where necessary.

#!/bin/bash
# Load the account's environment (PATH, Kerberos settings) since cron provides almost none
. ~/.bash_profile
# Obtain a fresh TGT from the keytab; no password is typed or stored
/usr/bin/kinit -k -t /etc/my-account.keytab my-account
[[ $? -ne 0 ]] && {
    echo "Kerberos TGT renewal JOB failed on $(hostname)" | mailx -s "Kerberos TGT renewal JOB failed on $(hostname)" email1@myemail.com
    exit 1
}
echo "Last startup run - $(date)" >> /my-account/cronjob.log
exit 0

Create the file /cronjob.txt and paste the following into it.

# Kerberos TGT renewal: at boot and then every 8 hours
@reboot /my-account/kerberos_renewal.sh
0 */8 * * * /my-account/kerberos_renewal.sh

Apply the correct ownership to the files:

chown my-account cronjob.txt kerberos_renewal.sh

Schedule the cron job:

crontab /cronjob.txt

Reboot the server.
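A set of pre-flight checks for the setup above, added here as an example and not part of the original post: it verifies that the keytab is not readable by group or other (a keytab grants the same access as the password it replaces), that each active cifs line in /etc/fstab uses sec=krb5 with numeric uid/gid and no stored credentials, and that a valid ticket is present in the credential cache. Paths and the account name follow the post; the function names are hypothetical.

```shell
#!/bin/bash
# Pre-flight checks for the keytab-based CIFS mount set up above.
# Constructed example (not from the original post); paths follow the post.
KEYTAB=/etc/my-account.keytab
FSTAB=/etc/fstab

# The keytab is as sensitive as the account's password: it must not be
# readable by group or other. Returns 0 only when those permission bits are clear.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate one fstab line for a Kerberos CIFS mount: type cifs, sec=krb5,
# numeric uid= and gid=, and no stored credentials among the options.
validate_fstab_entry() {
    set -- $1
    [ $# -ge 4 ] || return 1
    [ "$3" = cifs ] || return 1
    opts=$4
    case ",$opts," in
        *,sec=krb5,*) ;;
        *) return 1 ;;
    esac
    echo "$opts" | grep -Eq '(^|,)uid=[0-9]+(,|$)' || return 1
    echo "$opts" | grep -Eq '(^|,)gid=[0-9]+(,|$)' || return 1
    # password=/credentials= would reintroduce a secret stored on disk.
    case ",$opts," in
        *,password=*|*,pass=*|*,credentials=*|*,cred=*) return 1 ;;
    esac
    return 0
}

main() {
    rc=0
    check_keytab_perms "$KEYTAB" || { echo "keytab missing or too permissive: $KEYTAB"; rc=1; }
    # Check every uncommented cifs entry in fstab.
    while read -r line; do
        [ -n "$line" ] || continue
        validate_fstab_entry "$line" || { echo "bad cifs entry: $line"; rc=1; }
    done <<EOF
$(grep -E '^[^#].*[[:space:]]cifs[[:space:]]' "$FSTAB" 2>/dev/null)
EOF
    # klist -s exits non-zero when there is no valid ticket in the cache.
    if command -v klist >/dev/null 2>&1; then
        klist -s || { echo "no valid Kerberos ticket in the credential cache"; rc=1; }
    fi
    return $rc
}
main "$@"
```

Run it as the same user whose credential cache the mount relies on; a non-zero exit status means at least one check failed.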

About Andrew Lin

Hi, I have always wanted to create a blog site but never had the time. I have been working in Information Technology for over 15 years. I specialize mainly in networks and server technologies and dabble a little with the programming aspects.
