Hi,
in some secure environments only Kerberos authentication is allowed for connecting to a Windows file share.
This example demonstrates the procedure for mounting such a share on Debian 7 (Wheezy) Linux. Other distributions should provide a similar way.
First of all, install the necessary packages.
michael@debdev:~# apt-get install krb5-user krb5-config cifs-utils keyutils
After installing the packages the Kerberos configuration wizard starts.
Enter your domain in uppercase letters.
┌──────────┤ Configuring Kerberos Authentication ├──────────┐
│ When users attempt to use Kerberos and specify a          │
│ principal or user name without specifying what            │
│ administrative Kerberos realm that principal belongs to,  │
│ the system appends the default realm. The default realm   │
│ may also be used as the realm of a Kerberos service       │
│ running on the local machine. Often, the default realm    │
│ is the uppercase version of the local DNS domain.         │
│                                                           │
│ Default Kerberos version 5 realm:                         │
│                                                           │
│ SUBDOMAIN.DOMAIN.LOCAL___________________________________ │
│                                                           │
│                           <Ok>                            │
│                                                           │
└───────────────────────────────────────────────────────────┘
Servers should be found via DNS requests, so press No.
┌──────────┤ Configuring Kerberos Authentication ├──────────┐
│                                                           │
│ Typically, clients find Kerberos servers for their        │
│ default realm in the domain-name system. Servers for      │
│ your realm were found in DNS. For most configurations it  │
│ is best to use DNS to find these servers so that if the   │
│ set of servers for your realm changes, you need not       │
│ reconfigure each machine in the realm. However, in        │
│ special situations, you can locally configure the set of  │
│ servers for your Kerberos realm.                          │
│                                                           │
│ Add locations of default Kerberos servers to              │
│ /etc/krb5.conf?                                           │
│                                                           │
│                       <Yes>   <No>                        │
│                                                           │
└───────────────────────────────────────────────────────────┘
Note: You can restart the wizard with dpkg-reconfigure:
michael@debdev:~# dpkg-reconfigure krb5-config
Get a Kerberos ticket from the KDC. The username must have the form user@REALM, and the realm must always be written in UPPERCASE letters! Otherwise you get a “KDC reply did not match expectations while getting initial credentials” error.
michael@debdev:~# kinit yourUserName@SUBDOMAIN.DOMAIN.LOCAL
Password for yourUserName@SUBDOMAIN.DOMAIN.LOCAL:
Now you should have obtained a Kerberos ticket-granting ticket. Check it:
michael@debdev:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yourUserName@SUBDOMAIN.DOMAIN.LOCAL

Valid starting       Expires              Service principal
20.08.2014 23:51:51  21.08.2014 09:52:01  krbtgt/SUBDOMAIN.DOMAIN.LOCAL@SUBDOMAIN.DOMAIN.LOCAL
	renew until 21.08.2014 23:51:51
With this ticket, provided you have permission on the share, you can mount the share (sec=krb5i means Kerberos authentication with packet signing):
michael@debdev:~# mount -t cifs -o sec=krb5i //fileserver.subdomain.domain.local/share /mnt
That's it 🙂
Some further examples
Get a CIFS service ticket for a host (kvno requests the ticket and prints its key version number):
michael@debdev:~# kvno cifs/fileserver.subdomain.domain.local@SUBDOMAIN.DOMAIN.LOCAL
In case of the error “mount error(112): Host is down”, try forcing SMB 2.0:
michael@debdev:~# mount -t cifs -o sec=krb5i,vers=2.0 //fileserver.subdomain.domain.local/share /mnt
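The kinit, klist, kvno and mount steps above, wrapped into one POSIX shell helper as an added example (not part of the original post). Host, share and user names are placeholders; the realm is assumed to be the host's DNS domain in uppercase, as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the kinit/klist/kvno/mount
# steps in a small helper. Host, share and user names are placeholders.

# Return the principal with its realm forced to uppercase. kinit against an
# Active Directory KDC fails with "KDC reply did not match expectations" when
# the realm is given in lowercase, so normalise it before calling kinit.
normalize_principal() {
    user=${1%%@*}
    realm=${1#*@}
    if [ "$user" = "$1" ] || [ -z "$user" ] || [ -z "$realm" ]; then
        echo "principal must have the form user@REALM: $1" >&2
        return 1
    fi
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Service principal name the mount will request (what kvno fetches). Assumption:
# the realm is the host's DNS domain in uppercase.
cifs_service_principal() {
    host=$1
    printf 'cifs/%s@%s\n' "$host" "$(printf '%s' "${host#*.}" | tr '[:lower:]' '[:upper:]')"
}

# mount.cifs option string: Kerberos with packet signing (sec=krb5i); an explicit
# dialect (e.g. 2.0) is appended only when given, for the "error(112)" workaround.
cifs_mount_opts() {
    opts="sec=krb5i"
    if [ -n "$1" ]; then
        opts="$opts,vers=$1"
    fi
    printf '%s\n' "$opts"
}

# Obtain a TGT only if the cache has no valid one (klist -s is silent and sets
# the exit status), fetch the cifs service ticket, then mount; retry once with
# SMB 2.0 if the first attempt fails.
mount_krb5_share() {   # usage: mount_krb5_share user@REALM host share mountpoint
    principal=$(normalize_principal "$1") || return 1
    host=$2; share=$3; mnt=$4
    klist -s || kinit "$principal" || return 1
    kvno "$(cifs_service_principal "$host")" >/dev/null || return 1
    mount -t cifs -o "$(cifs_mount_opts)" "//$host/$share" "$mnt" \
      || mount -t cifs -o "$(cifs_mount_opts 2.0)" "//$host/$share" "$mnt"
}

# Only run when invoked with all four arguments, so the file can also be sourced.
if [ $# -eq 4 ]; then
    mount_krb5_share "$@"
fi
```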
Note: SMB 3.1 with encryption enabled is supported only by kernels >= 4.11. Check whether encryption is enabled on the Windows server:
[D:\]reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v EncryptData

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    EncryptData    REG_DWORD    0x1
Michael
Appendix: Samba CIFS Kernel log