Goal

I'm setting up multi-user CIFS mounts in an Active Directory environment under CentOS 8.2. The storage server supports SMB3.1.1 protocol.

Prerequisites

I could easily integrate the system into Active Directory, and I've edited the SSSD (/etc/sssd/sssd.conf) and realm configuration to match my preferences and needs.

Results:

  • Active Directory users can login

I've also created a dedicated user that I'll call "mountorino" in this post. mountorino has the required share permissions (RO) and NTFS permissions (traverse the root folder) to mount the CIFS shares. Its credentials are stored in the /root/cifs.cred file.

Scenario A: NTLM

Mounting the CIFS shares with the multiuser and ntlmsspi options:

//<server>/<share> /mnt/<mount point> cifs auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=ntlmsspi,credentials=/root/cifs.cred 0 0

Results:

  • It works as long as, from the end-user context, I run the cifscreds add --username <user> <server> command
  • It doesn't work if I run the cifscreds add --username <user> --domain <domain> <server> command

Scenario B: Kerberos

Mounting the CIFS shares with the multiuser, krb5i, and cruid options:

//<server>/<share> /mnt/<mount point> cifs auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=krb5i,cruid=0,credentials=/root/cifs.cred 0 0

Results:

  • It works as long as, as root, I run the kinit mountorino@<DOMAIN> command

Questions:

  • With NTLM, why doesn't cifscreds add --username <user> --domain <domain> work? The user, the server and the client are all members of the same Windows domain!
  • More importantly, with Kerberos, how can I make root get a Kerberos ticket before the fstab entries are automounted? I understand that by generating a keytab file I won't have to type mountorino's password when running kinit, which allows me to automate kinit. But how do I make sure kinit is run before the automounts are mounted? PAM? A systemd unit?

Sources

Best regards, MauvaisJoueur

  • Why wouldn't you run a cronjob for ticket creation? You could run it periodically or at system startup with the "@reboot" keyword. Also, check out this: https://unix.stackexchange.com/questions/12021/automatic-kerberos-ticket-initialization-on-login – Lorem ipsum Aug 24 '20 at 09:03
  • Because I need this to happen in a very specific time frame: between the network coming up and systemd mounting the fstab entries. I've checked the link and I understand that it concerns Kerberos ticket creation for the user who logs in, which is not my case, where no user logs in. – MauvaisJoueur Aug 24 '20 at 11:26
  • Ended up switching back to `ntlmsspi` and `cifscreds`. – MauvaisJoueur Oct 25 '21 at 22:04
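The ordering problem raised in the second question (getting root a ticket from a keytab after the network is up but before systemd mounts the _netdev entries) is usually solved with a oneshot systemd unit ordered Before=remote-fs-pre.target, plus x-systemd.requires= on the fstab line so the mount unit pulls the kinit unit in and waits for it. The script below is an added example written for this page, not code from the original post or from any project. The unit name cifs-kinit.service, the keytab path /etc/cifs-mount.keytab, the principal mountorino@EXAMPLE.COM and the server/share names are assumptions chosen for the example; the mount options are the ones from Scenario B.

```shell
#!/bin/bash
# Added example (not from the original post): obtain root's Kerberos TGT from
# a keytab before systemd mounts the fstab CIFS entries.
# Assumed names: cifs-kinit.service, /etc/cifs-mount.keytab, mountorino@EXAMPLE.COM.
set -eu

KINIT_UNIT=cifs-kinit.service
KEYTAB=/etc/cifs-mount.keytab
PRINCIPAL='mountorino@EXAMPLE.COM'
# Scenario B options from the post, plus x-systemd.requires= on the kinit unit
# so the mount unit gets Requires=/After= on it and never races the ticket.
MOUNT_OPTS="auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=krb5i,cruid=0,credentials=/root/cifs.cred,x-systemd.requires=${KINIT_UNIT}"

# Render the oneshot unit. remote-fs-pre.target is ordered by systemd before
# every network mount, but it is only part of the boot transaction if some
# unit Wants= it, hence both Wants= and Before= here.
render_kinit_unit() {
    cat <<EOF
[Unit]
Description=Obtain root Kerberos ticket for multiuser CIFS mounts
Wants=network-online.target remote-fs-pre.target
After=network-online.target
Before=remote-fs-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/kinit -k -t ${KEYTAB} ${PRINCIPAL}

[Install]
WantedBy=multi-user.target
EOF
}

# Render one fstab line: render_fstab_entry <server> <share> <mountpoint>
render_fstab_entry() {
    printf '//%s/%s %s cifs %s 0 0\n' "$1" "$2" "$3" "$MOUNT_OPTS"
}

# Check the ticket root would use: kinit from the keytab, then klist -s, which
# exits 0 only if the default ccache holds a valid, unexpired TGT.
# Returns 1 if the keytab is unreadable, 2 if kinit or klist fail.
check_root_ticket() {
    keytab=${1:-$KEYTAB}
    [ -r "$keytab" ] || return 1
    kinit -k -t "$keytab" "$PRINCIPAL" || return 2
    klist -s || return 2
}

# Write the unit, reload systemd and enable it (run as root on the client).
install_units() {
    render_kinit_unit > "/etc/systemd/system/${KINIT_UNIT}"
    chmod 0600 "$KEYTAB"          # the keytab is a credential: root only
    systemctl daemon-reload
    systemctl enable "$KINIT_UNIT"
}

case "${1:-}" in
    install) install_units ;;
    check)   check_root_ticket && echo "root has a valid TGT" ;;
    render)  render_kinit_unit; render_fstab_entry fileserver.example.com data /mnt/data ;;
esac
```

Two caveats a practitioner will hit. First, a TGT expires (10 hours by default), and the kernel's cifs.upcall needs a valid ticket again whenever the master session is re-established, for example after a network blip; re-run kinit -k from a systemd timer well inside the ticket lifetime, since kinit from a keytab is idempotent. Second, the unit and the upcall must agree on the credential cache: with cruid=0 the upcall reads root's default cache, which on CentOS 8 is KEYRING:persistent:0, and a oneshot running as root with no KRB5CCNAME override lands its ticket there; setting KRB5CCNAME to a private file in the unit would hide the ticket from the upcall. On the NTLM question, the kernel's multiuser code looks up a per-server key (cifs:a:<ip>) first and only falls back to the domain key that cifscreds --domain creates (cifs:d:<domain>) when the master session has a domain name set, i.e. when the mount was given domain= (in the options or the credentials file) and that string matches the one passed to cifscreds exactly.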