Linux CIFS AutoFS (automount) using Kerberos Authentication and kinit
Setup Linux CIFS AutoFS (automount) using kerberos authentication
Written using CentOS 6, Windows 2012 Active Directory
This guide was written assuming you already have Kerberos authentication working. In this post I will describe how to mount a Windows CIFS share from a Linux system using Kerberos authentication to a Windows Active Directory domain. In addition, the user's credentials will be stored securely in a keytab file.
Step 1. Verify you can get a Kerberos ticket
kinit testuser1@CORP.COMPANY.NET
Password for testuser1@CORP.COMPANY.NET:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@CORP.COMPANY.NET

Valid starting     Expires            Service principal
03/05/15 13:57:02  03/05/15 23:57:02  krbtgt/CORP.COMPANY.NET@CORP.COMPANY.NET
        renew until 03/12/15 14:57:02
Step 2. Run kdestroy to clear the Kerberos cache
kdestroy
Step 3. Create a keytab file, which will be used to store your credentials in an encrypted format. Later we will use the keytab file to get your Kerberos ticket.
-k specifies the keytype
-e specifies the encryption type
wkt writes the keytab file

[user1@vm01 ~]$ ktutil
ktutil: addent -password -p testuser1@CORP.COMPANY.NET -k 1 -e aes256-cts
Password for testuser1@CORP.COMPANY.NET: [enter your password]
ktutil: wkt testuser1.keytab
ktutil: quit
Step 4. Edit the auto.misc file, enter the share path
vim /etc/auto.misc
share01 -fstype=cifs,rw,noperm,sec=krb5 ://fileserver/share01
Step 5. Create a crontab entry for root to refresh the Kerberos ticket every 12 hours
crontab -e
CRON will run at 1AM and 1PM to refresh the Kerberos ticket
0 1,13 * * * /usr/bin/kinit testuser1@CORP.COMPANY.NET -k -t /root/testuser1.keytab
Step 6. Wait for the crontab to run and verify that a Kerberos ticket is received.
klist

SOURCE: https://runops.wordpress.com/2015/03/05/setup-linux-cifs-autofs-automount-using-kerberos-authentication/
----------------------
Creating a keytab file for the Kerberos service account (using the ktutil command on Linux)
This method of creating a keytab file on Linux uses the ktutil command.
Prerequisites
- Kerberos is installed on the Linux host where Spotfire Server is installed.
- The tools ktutil, klist, and kinit are available on the Linux host.
Procedure
- Start the ktutil tool by invoking it from the command line without any arguments. Execute the commands below, replacing <database account name> with the user login name of the Spotfire database account, written in lowercase letters:
  > ktutil
  ktutil: add_entry -password -p <database account name> -k 0 -e aes128-sha1
  Password for <database account name>:
  ktutil: write_kt spotfire-database.keytab
  ktutil: quit
Note: All values are case sensitive.
Note: It is not critical to use the name "spotfire-database.keytab" for the keytab file, but the following instructions assume that this name is used.
The tool prompts you for the password of the service account.
- Enter the password that you used when creating the Spotfire database account.
- Verify the created keytab by running the klist and kinit utilities:
  > klist -k spotfire-database.keytab
  > kinit -k -t spotfire-database.keytab <database account name>@<realm>
Note: If you change the password of the Kerberos service account, you must re-create the keytab file.
Creating and verifying a keytab file for the "serverdb_user" Spotfire database account in the research.example.com domain:
  > ktutil
  ktutil: add_entry -password -p serverdb_user -k 0 -e rc4-hmac-nt
  Password for serverdb_user:
  ktutil: write_kt spotfire-database.keytab
  ktutil: quit
  > klist -k spotfire-database.keytab
  > kinit -k -t spotfire-database.keytab serverdb_user@RESEARCH.EXAMPLE.COM
- Copy the spotfire-database.keytab file to the following Spotfire Server directory: <installation dir>/jdk/jre/lib/security.
Note: Because this file contains sensitive information, it must be handled with care. The file must not under any circumstances be readable by unauthorized users.
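The cron job from Step 5 above and the note about keeping the keytab unreadable by unauthorized users can be combined into one script: it refuses to use a keytab whose mode grants group/other access, then obtains the ticket with kinit and confirms with klist -s that a valid ticket is now cached. This is an added example, not code from either source; the keytab path and principal are the ones assumed by the guide above and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: refresh a Kerberos ticket from a keytab (what the cron entry does),
# but only after checking that the keytab is private to its owner.
# Assumed defaults (from the guide above): /root/testuser1.keytab, testuser1@CORP.COMPANY.NET
KEYTAB="${KEYTAB:-/root/testuser1.keytab}"
PRINCIPAL="${PRINCIPAL:-testuser1@CORP.COMPANY.NET}"

# keytab_is_private FILE
# Returns 0 only if FILE is a regular file owned by the calling user whose
# group and other permission bits are all clear (e.g. mode 0600 or 0400).
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# refresh_ticket
# Obtains a fresh TGT from the keytab and verifies that a valid ticket is cached.
# Exit status: 0 on success, 2 if the keytab is exposed, 1 if kinit/klist fail.
refresh_ticket() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: missing, not owned by you, or readable by group/other" >&2
        return 2
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    # klist -s is silent and exits non-zero if the cache holds no valid (unexpired) ticket.
    klist -s
}

# Run the refresh only when invoked as `refresh-ticket.sh refresh`
# (e.g. from the crontab entry), so that sourcing the file for testing does nothing.
case "${1:-}" in
    refresh) refresh_ticket ;;
esac
```

Replace the kinit command in the crontab line with a call to this script (`... refresh-ticket.sh refresh`) to get the permission check for free on every refresh.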
SOURCE: https://docs.tibco.com/pub/spotfire_server/7.7.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-27726F6E-569C-4704-8433-5CCC0232EC79.html