Linux: Mount a Windows share with kerberos authentication

Hi,

in some secure environments only kerberos authentication is allowed to connect to a Windows file share.

This example demonstrate the procedure on how to mount a share on a Debian 7 (Wheezy)  Linux. Other distributions should provide a simliar way.

First of all install the necessary pakets.

michael@debdev:~# apt-get install krb5-user krb5-config cifs-utils keyutils

After installing the packages the Kerberos configuration wizard starts.

Enter your domain in upcase letters.

┌──────────┤ Configuring Kerberos Authentication ├──────────┐
│ When users attempt to use Kerberos and specify a          │
│ principal or user name without specifying what            │
│ administrative Kerberos realm that principal belongs to,  │
│ the system appends the default realm.  The default realm  │
│ may also be used as the realm of a Kerberos service       │
│ running on the local machine.  Often, the default realm   │
│ is the uppercase version of the local DNS domain.         │
│                                                           │
│ Default Kerberos version 5 realm:                         │
│                                                           │
│ SUBDOMAIN.DOMAIN.LOCAL___________________________________ │
│                                                           │
│                          <Ok>                             │
│                                                           │
└───────────────────────────────────────────────────────────┘

Servers should be find by DNS requests, press NO.


 ┌──────────┤ Configuring Kerberos Authentication ├──────────┐
 │                                                           │
 │ Typically, clients find Kerberos servers for their        │
 │ default realm in the domain-name system. Servers for      │
 │ your realm were found in DNS. For most configurations it  │
 │ is best to use DNS to find these servers so that if the   │
 │ set of servers for your realm changes, you need not       │
 │ reconfigure each machine in the realm. However, in        │
 │ special situations, you can locally configure the set of  │
 │ servers for your Kerberos realm.                          │
 │                                                           │
 │ Add locations of default Kerberos servers to              │
 │ /etc/krb5.conf?                                           │
 │                                                           │
 │               <Yes>                  <No>                 │
 │                                                           │
 └───────────────────────────────────────────────────────────┘

Note: You can restart the wizard by starting dpkg-reconfigure:

michael@debdev:~# dpkg-reconfigure krb5-config

Get a kerberos ticket from server. Username must have the form user@DOMAIN. Write the domain always in UPPERCASE Letters! Otherwise you got an “KDC reply did not match expectations while getting initial credentials” error!

michael@debdev:~# kinit yourUserName@SUBDOMAIN.DOMAIN.LOCAL
Password for yourUserName@SUBDOMAIN.DOMAIN.LOCAL

Now you should have obtained a kerberos ticket from server. Check it

michael@debdev:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yourUserName@SUBDOMAIN.DOMAIN.LOCAL
Valid starting       Expires              Service principal
20.08.2014 23:51:51  21.08.2014 09:52:01  krbtgt/SUBDOMAIN.DOMAIN.LOCAL@SUBDOMAIN.DOMAIN.LOCAL
renew until 21.08.2014 23:51:51

 

With these ticket, given that you have permission on the share, you can mount the share
michael@debdev:~# mount -t cifs -o sec=krb5i //fileserver.subdomain.doamin.local/share /mnt

Thats it 🙂

Some further examples
Get a cifs Ticket for a host

kvno cifs/fileserver.subdomain.doamin.local@SUBDOMAIN.DOMAIN.LOCAL

In case of an error “mount error(112): Host is down” try to force the usage of smb 2.0
michael@debdev:~# mount -t cifs -o sec=krb5i,vers=2.0 //fileserver.subdomain.doamin.local/share /mnt

Note: SMB 3.1 with enabled encryption is supported only from kernels >= 4.11. Check if encryption is enabled on Windows:

[D:\]reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v EncryptData

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    EncryptData    REG_DWORD    0x1

Michael

Appendix: Samba CIFS Kernel log

Leave a Reply