How to setup cifs mounts in autofs using kerberos authentication on RedHat Linux
Environment
- Red Hat Enterprise Linux 6
Please Note:
- Kerberos support for CIFS mounts is considered Tech Preview in Red Hat Enterprise Linux 5. See 5.8 Technical Notes for more information.
Issue
- How to set up cifs mounts in autofs using kerberos authentication?
- Configuration for authentication to cifs shares with a kerberos ticket.
Resolution
Using sssd
The System Security Services Daemon is the preferred method of automounting CIFS shares. This is covered in the documentation at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-autofs.html
Using winbindd
- The system's NSS and PAM stack will need to be configured to track uid/gid info and also to obtain a kerberos ticket on login. In this example configuration the winbind daemon is used with the idmap_ad backend.
- NSS is configured with winbind in /etc/nsswitch.conf.
passwd: files winbind
shadow: files winbind
group: files winbind
- PAM is configured for winbind in /etc/pam.d/password-auth and /etc/pam.d/system-auth.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
- In this example the Windows server tracks NSS info using Identity Management for UNIX and the rfc2307 attributes are set for users and groups in AD. The idmap_ad backend is used to resolve that information from AD and is configured in /etc/samba/smb.conf.
workgroup = 2K8R2DOMAIN
password server = win2k8sp1-64.2k8r2domain.gss
realm = 2K8R2DOMAIN.GSS
security = ads
idmap config 2K8R2DOMAIN:backend = ad
idmap config 2K8R2DOMAIN:range = 1000-60000
idmap config 2K8R2DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
idmap uid = 60001-100000
idmap gid = 60001-100000
winbind use default domain = true
winbind separator = +
- In this alternative example the NSS info is resolved with the idmap_rid backend. This does not require any modification to AD and is configured in /etc/samba/smb.conf as follows.
workgroup = 2K8R2DOMAIN
password server = win2k8sp1-64.2k8r2domain.gss
realm = 2K8R2DOMAIN.GSS
security = ads
idmap config 2K8R2DOMAIN:backend = rid
idmap config 2K8R2DOMAIN:range = 1000-60000
idmap uid = 60001-100000
idmap gid = 60001-100000
winbind use default domain = true
winbind separator = +
- pam_winbind is configured to get kerberos tickets on login in /etc/security/pam_winbind.conf.
[global]
krb5_auth = yes
krb5_ccache_type = FILE
- The keyutils package is installed and the cifs.upcall lines are added to the request-key configuration in /etc/request-key.conf.
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate * * * /bin/keyctl negate %k 30 %S
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
Note: recent versions of the cifs-utils package ship individual request-key configuration files instead:
# rpm -ql cifs-utils-6.2-9.el7.x86_64|grep request
/etc/request-key.d/cifs.idmap.conf
/etc/request-key.d/cifs.spnego.conf
- Autofs is configured for home dirs and also to mount a static share in /etc/auto.master.
/adhome /etc/auto.home
/cifs /etc/auto.cifs
- This share is the c:\users area on the Windows server and it is configured in /etc/auto.home.
* -fstype=cifs,sec=krb5i,user=&,uid=$UID,gid=$GID,cruid=$UID,file_mode=0600,dir_mode=0700,nounix,noserverino ://win2k8sp1-64.2k8r2domain.gss/Users/&
- This share is the c:\share area on the Windows server and is configured in /etc/auto.cifs.
share -fstype=cifs,sec=krb5i,user=&,uid=$UID,gid=$GID,cruid=$UID,file_mode=0600,dir_mode=0700,nounix,noserverino ://win2k8sp1-64.2k8r2domain.gss/share
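The POSIX shell checker below is an added example and not part of the Red Hat article: it verifies that the pieces configured above line up (winbind in nsswitch.conf, krb5_auth in pam_winbind.conf, a cifs.spnego request-key entry pointing at cifs.upcall, and sec=krb5/cruid= on the autofs map line). It runs against a root directory, so it can be pointed at "/" on a host or, as in the demo, at a constructed sample tree; the function names and sample file contents are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks for the winbind + autofs + Kerberos CIFS setup.
# Paths are taken relative to a root directory so the checks can run on a
# constructed copy of the tree (built below) as well as on a live host ("/").

# An autofs cifs map line must request Kerberos (sec=krb5 or krb5i) and name
# the credential-cache owner (cruid=); otherwise the mount falls back to
# password auth or looks for the ticket in the wrong user's cache.
check_map_line() {
    case "$1" in *-fstype=cifs*) ;; *) echo "not a cifs map line";    return 1 ;; esac
    case "$1" in *sec=krb5*)     ;; *) echo "missing sec=krb5/krb5i"; return 1 ;; esac
    case "$1" in *cruid=*)       ;; *) echo "missing cruid=";         return 1 ;; esac
    return 0
}

# Check the host-side pieces the article lists, under root dir $1.
check_host_config() {
    root=$1; rc=0
    grep -Eq '^passwd:.*winbind' "$root/etc/nsswitch.conf" 2>/dev/null \
        || { echo "nsswitch.conf: passwd does not use winbind"; rc=1; }
    grep -Eiq '^[[:space:]]*krb5_auth[[:space:]]*=[[:space:]]*yes' \
        "$root/etc/security/pam_winbind.conf" 2>/dev/null \
        || { echo "pam_winbind.conf: krb5_auth is not yes"; rc=1; }
    # cifs.spnego may live in request-key.conf or in a request-key.d drop-in
    cat "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf 2>/dev/null \
        | grep -Eq '^create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' \
        || { echo "no cifs.spnego -> cifs.upcall request-key entry"; rc=1; }
    return $rc
}

# Build a constructed config tree (sample contents, not copied from any host).
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/security" "$d/etc/request-key.d"
    printf 'passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n' \
        > "$d/etc/nsswitch.conf"
    printf '[global]\nkrb5_auth = yes\nkrb5_ccache_type = FILE\n' \
        > "$d/etc/security/pam_winbind.conf"
    printf 'create cifs.spnego * * /usr/sbin/cifs.upcall %%k\n' \
        > "$d/etc/request-key.d/cifs.spnego.conf"
    echo "$d"
}

# Demo against the constructed tree: prints "host config OK" and "map line OK".
demo=$(build_sample_tree)
check_host_config "$demo" && echo "host config OK"
check_map_line '* -fstype=cifs,sec=krb5i,user=&,uid=$UID,gid=$GID,cruid=$UID ://server/Users/&' \
    && echo "map line OK"
rm -rf "$demo"
```

To audit a real host, call check_host_config / and feed it the map lines from /etc/auto.home and /etc/auto.cifs.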
Diagnostic Steps
[jagee@enigma ~]$ ssh jagee@rhel6-2k8-ad.2k8r2domain.gss
[jagee@rhel6-2k8-ad ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: jagee@2K8R2DOMAIN.GSS
Valid starting Expires Service principal
12/07/12 15:35:30 12/08/12 01:35:30 krbtgt/2K8R2DOMAIN.GSS@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
12/07/12 15:35:30 12/08/12 01:35:30 RHEL6-2K8-AD$@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
12/07/12 15:35:30 12/08/12 01:35:30 RHEL6-2K8-AD$@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
[jagee@rhel6-2k8-ad share]$ id
uid=10000(jagee) gid=10000(domain users) groups=10000(domain users),10001(domain admins),10002(redhat),60001(BUILTIN+administrators),60002(BUILTIN+users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[jagee@rhel6-2k8-ad ~]$ cd /cifs/share
[jagee@rhel6-2k8-ad share]$ cp dns.txt dns2.txt
[jagee@rhel6-2k8-ad share]$ ls -la
total 7796
drwx------. 1 jagee domain users 4096 Dec 7 14:48 .
drwxr-xr-x. 3 root root 0 Dec 7 15:35 ..
-rw-------. 1 jagee domain users 2685 Mar 6 2012 2k8r2domain-WIN2K8SP1-64-CA.p12
-rw-------. 1 jagee domain users 1310 Mar 6 2012 AD-CA.cer
-rw-------. 1 jagee domain users 1695 Jun 20 23:16 bulkgroupadd.ps1
-rw-------. 1 jagee domain users 2319 Jun 20 22:31 bulkuseradd.ps1
-rw-------. 1 jagee domain users 3980202 Dec 7 14:48 dns2.txt
-rw-------. 1 jagee domain users 3980202 Nov 20 17:49 dns.txt
[jagee@rhel6-2k8-ad share]$ cd /adhome/jagee
[jagee@rhel6-2k8-ad jagee]$ echo test > cifstest
[jagee@rhel6-2k8-ad jagee]$ ls -la
total 1849
drwx------. 1 jagee domain users 8192 Dec 7 15:52 .
drwxr-xr-x. 4 root root 0 Dec 7 15:44 ..
drwx------. 1 jagee domain users 0 Jan 31 2012 AppData
drwx------. 1 jagee domain users 0 Jan 31 2012 Application Data
-rw-------. 1 jagee domain users 5 Dec 7 15:53 cifstest
drwx------. 1 jagee domain users 0 Jul 23 17:38 Contacts
drwx------. 1 jagee domain users 0 Jan 31 2012 Cookies
drwx------. 1 jagee domain users 0 Jul 23 17:38 Desktop
drwx------. 1 jagee domain users 4096 Oct 3 10:41 Documents
drwx------. 1 jagee domain users 4096 Jul 23 17:38 Downloads
drwx------. 1 jagee domain users 0 Jul 23 17:38 Favorites
drwx------. 1 jagee domain users 0 Jul 23 17:38 Links
drwx------. 1 jagee domain users 0 Jan 31 2012 Local Settings
drwx------. 1 jagee domain users 0 Jul 23 17:38 Music
drwx------. 1 jagee domain users 0 Jan 31 2012 My Documents
drwx------. 1 jagee domain users 0 Jan 31 2012 NetHood
-rw-------. 1 jagee domain users 524288 Dec 7 15:48 NTUSER.DAT
-rw-------. 1 jagee domain users 234496 Dec 7 15:48 ntuser.dat.LOG1
-rw-------. 1 jagee domain users 0 Jan 31 2012 ntuser.dat.LOG2
-rw-------. 1 jagee domain users 20 Jan 31 2012 ntuser.ini
drwx------. 1 jagee domain users 0 Jul 23 17:38 Pictures
drwx------. 1 jagee domain users 0 Jan 31 2012 PrintHood
drwx------. 1 jagee domain users 0 Jan 31 2012 Recent
drwx------. 1 jagee domain users 0 Jul 23 17:38 Saved Games
drwx------. 1 jagee domain users 0 Jul 23 17:38 Searches
drwx------. 1 jagee domain users 0 Jan 31 2012 SendTo
drwx------. 1 jagee domain users 0 Jan 31 2012 Start Menu
drwx------. 1 jagee domain users 0 Jan 31 2012 Templates
drwx------. 1 jagee domain users 0 Jul 23 17:38 Videos
[jagee@rhel6-2k8-ad jagee]$ mount|grep cifs
//win2k8sp1-64.2k8r2domain.gss/share on /cifs/share type cifs (rw)
//win2k8sp1-64.2k8r2domain.gss/Users/jagee on /adhome/jagee type cifs (rw)
[jagee@rhel6-2k8-ad share]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: jagee@2K8R2DOMAIN.GSS
Valid starting Expires Service principal
12/07/12 15:35:30 12/08/12 01:35:30 krbtgt/2K8R2DOMAIN.GSS@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
12/07/12 15:35:30 12/08/12 01:35:30 RHEL6-2K8-AD$@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
12/07/12 15:35:30 12/08/12 01:35:30 RHEL6-2K8-AD$@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
12/07/12 15:35:52 12/08/12 01:35:30 cifs/win2k8sp1-64.2k8r2domain.gss@2K8R2DOMAIN.GSS
renew until 12/14/12 15:35:30
SOURCE: https://access.redhat.com/solutions/276503