{"id":2146,"date":"2014-08-20T23:59:50","date_gmt":"2014-08-20T21:59:50","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=2146"},"modified":"2022-01-20T21:21:14","modified_gmt":"2022-01-20T20:21:14","slug":"linux-mount-a-windows-share-with-kerberos-authentication","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/linux-mount-a-windows-share-with-kerberos-authentication\/","title":{"rendered":"Linux: Mount a Windows share with kerberos authentication"},"content":{"rendered":"<p>Hi,<\/p>\n<p>in some secure environments only Kerberos authentication is allowed to connect to a Windows file share.<\/p>\n<p>This example demonstrates the procedure for mounting a share on a Debian 7 (Wheezy) Linux. Other distributions should provide a similar way.<\/p>\n<p>First of all, install the necessary packages.<\/p>\n<p><code>michael@debdev:~# apt-get install krb5-user krb5-config cifs-utils keyutils<\/code><\/p>\n<p>After installing the packages the Kerberos configuration wizard starts.<br \/>\nEnter your domain in uppercase letters.<\/p>\n<pre><code>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 Configuring Kerberos Authentication \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502 When users attempt to use Kerberos and specify a\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502 principal or user name without specifying what\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502 administrative Kerberos realm that principal belongs to,\u00a0 \u2502\r\n\u2502 the system appends the default realm.\u00a0 The default realm\u00a0 \u2502\r\n\u2502 may also be used as the realm of a Kerberos service\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502 running on the local machine.\u00a0 Often, the 
default realm\u00a0\u00a0 \u2502\r\n\u2502 is the uppercase version of the local DNS domain.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502 Default Kerberos version 5 realm:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502 SUBDOMAIN.DOMAIN.LOCAL___________________________________ \u2502\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &lt;Ok&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
\u2502\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n<\/code><\/pre>\n<p>Servers should be found via DNS, so press No.<\/p>\n<pre><code>\r\n \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524 Configuring Kerberos Authentication \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n \u2502                                                           \u2502\r\n \u2502 Typically, clients find Kerberos servers for their        \u2502\r\n \u2502 default realm in the domain-name system. Servers for      \u2502\r\n \u2502 your realm were found in DNS. For most configurations it  \u2502\r\n \u2502 is best to use DNS to find these servers so that if the   \u2502\r\n \u2502 set of servers for your realm changes, you need not       \u2502\r\n \u2502 reconfigure each machine in the realm. However, in        \u2502\r\n \u2502 special situations, you can locally configure the set of  \u2502\r\n \u2502 servers for your Kerberos realm.                          \u2502\r\n \u2502                                                           \u2502\r\n \u2502 Add locations of default Kerberos servers to              \u2502\r\n \u2502 \/etc\/krb5.conf?                                           
\u2502\r\n \u2502                                                           \u2502\r\n \u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: #c0c0c0;\">&lt;Yes&gt;<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"color: #000000;\">&lt;No&gt;<\/span>                 \u2502\r\n \u2502                                                           \u2502\r\n \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n<\/code><\/pre>\n<p>Note: You can restart the wizard with dpkg-reconfigure:<\/p>\n<p><code>michael@debdev:~# dpkg-reconfigure krb5-config<\/code><\/p>\n<p>Get a Kerberos ticket from the server. The user name must have the form user@DOMAIN, and the domain must always be written in UPPERCASE letters! Otherwise you get a &#8220;<strong>KDC reply did not match expectations while getting initial credentials<\/strong>&#8221; error.<\/p>\n<p><code><strong>michael@debdev:~# kinit yourUserName@SUBDOMAIN.DOMAIN.LOCAL<\/strong><br \/>\nPassword for yourUserName@SUBDOMAIN.DOMAIN.LOCAL<br \/>\n<\/code><br \/>\nNow you should have obtained a Kerberos ticket from the server. 
Check it:<\/p>\n<pre><code><strong>michael@debdev:~# klist<\/strong>\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: yourUserName@SUBDOMAIN.DOMAIN.LOCAL\r\nValid starting       Expires              Service principal\r\n20.08.2014 23:51:51  21.08.2014 09:52:01  krbtgt\/SUBDOMAIN.DOMAIN.LOCAL@SUBDOMAIN.DOMAIN.LOCAL\r\nrenew until 21.08.2014 23:51:51<\/code><\/pre>\n<p>With this ticket, given that you have permission on the share, you can mount it:<br \/>\n<code>michael@debdev:~# mount -t cifs -o sec=krb5i \/\/fileserver.subdomain.domain.local\/share \/mnt<\/code><\/p>\n<p>That's it \ud83d\ude42<\/p>\n<p>Some further examples<br \/>\nGet a CIFS service ticket for a host:<br \/>\n<code>kvno cifs\/fileserver.subdomain.domain.local@SUBDOMAIN.DOMAIN.LOCAL<\/code><\/p>\n<p>In case of the error &#8220;mount error(112): Host is down&#8221;, try forcing SMB 2.0:<br \/>\n<code>michael@debdev:~# mount -t cifs -o sec=krb5i,vers=2.0 \/\/fileserver.subdomain.domain.local\/share \/mnt<\/code><\/p>\n<p>Note: SMB 3.1 with encryption enabled is supported only by kernels >= 4.11. Check whether encryption is enabled on Windows:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n[D:\\]reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters \/v EncryptData\r\n\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\r\n    EncryptData    REG_DWORD    0x1\r\n<\/pre>\n<p>Michael<\/p>\n<p>Appendix: Samba CIFS Kernel <a href=\"https:\/\/wiki.samba.org\/index.php\/LinuxCIFSKernel\" rel=\"noopener\" target=\"_blank\">log<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, in some secure environments only Kerberos authentication is allowed to connect to a Windows file share. 
This example demonstrates the procedure for mounting a share on a Debian 7 (Wheezy) Linux. Other distributions should provide a similar way. First of all, install the necessary packages. michael@debdev:~# apt-get install krb5-user krb5-config cifs-utils keyutils &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/linux-mount-a-windows-share-with-kerberos-authentication\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Linux: Mount a Windows share with kerberos authentication<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[297,415,224,169,514,20],"class_list":["post-2146","post","type-post","status-publish","format-standard","hentry","category-linux","tag-cifs","tag-kerberos","tag-linux-2","tag-mount","tag-share","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=2146"}],"version-history":[{"count":13,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2146\/revisions"}],"predecessor-version":[{"id":2149,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2146\/revisions\/2149"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=2146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=2146
"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=2146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}