{"id":502,"date":"2017-04-19T01:40:43","date_gmt":"2017-04-18T18:40:43","guid":{"rendered":"http:\/\/www.rickyadams.com\/wp\/?p=502"},"modified":"2017-07-14T23:39:53","modified_gmt":"2017-07-14T16:39:53","slug":"linux-cifs-autofs-automount-using-kerberos-authentication-and-kinit","status":"publish","type":"post","link":"https:\/\/www.rickyadams.com\/wp\/linux-cifs-autofs-automount-using-kerberos-authentication-and-kinit\/","title":{"rendered":"Linux CIFS AutoFS (automount) using Kerberos Authentication and kinit"},"content":{"rendered":"<header class=\"entry-header\">\n<h1 class=\"entry-title\">Setup Linux CIFS AutoFS (automount) using Kerberos\u00a0authentication<\/h1>\n<div class=\"entry-meta\"><span class=\"posted-on\"><a href=\"https:\/\/runops.wordpress.com\/2015\/03\/05\/setup-linux-cifs-autofs-automount-using-kerberos-authentication\/\" rel=\"bookmark\"><time class=\"entry-date published\" datetime=\"2015-03-05T20:18:51+00:00\">March 5, 2015<\/time><\/a><\/span><span class=\"byline\"><span class=\"sep\"> ~ <\/span><span class=\"author vcard\"><a class=\"url fn n\" href=\"https:\/\/runops.wordpress.com\/author\/tatroc2015\/\">tatroc2015<\/a><\/span><\/span><\/div>\n<\/header>\n<div class=\"entry-content\">\n<p>Written using CentOS 6, Windows 2012 Active Directory<br \/>\nThis guide was written assuming you already have Kerberos authentication working. In this post I will describe how to mount a Windows CIFS share from a Linux system using Kerberos authentication to a Windows Active Directory domain. In addition, the user's credentials will be stored securely in a keytab file.<\/p>\n<p>Step 1. 
Verify you can get a Kerberos ticket<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">kinit testuser1@CORP.COMPANY.NET\r\nPassword for testuser1@CORP.COMPANY.NET:\r\n<\/pre>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">klist\r\n\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: testuser1@CORP.COMPANY.NET\r\n\r\nValid starting     Expires            Service principal\r\n03\/05\/15 13:57:02  03\/05\/15 23:57:02  krbtgt\/CORP.COMPANY.NET@CORP.COMPANY.NET\r\n        renew until 03\/12\/15 14:57:02\r\n<\/pre>\n<p>Step 2. Run kdestroy to clear the Kerberos ticket cache<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">kdestroy\r\n<\/pre>\n<p>Step 3. Create a keytab file, which will be used to store your credentials in an encrypted format. Later we will use the keytab file to get your Kerberos ticket.<\/p>\n<p>-k specifies the keytype<br \/>\n-e specifies the encryption type<br \/>\nwkt writes the keytab file<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">[user1@vm01 ~]$ ktutil\r\n    ktutil:  addent -password -p testuser1@CORP.COMPANY.NET -k 1 -e aes256-cts\r\n    Password for testuser1@CORP.COMPANY.NET: [enter your password]\r\n    ktutil:  wkt testuser1.keytab\r\n    ktutil:  quit\r\n<\/pre>\n<p>Step 4. Edit the auto.misc file and enter the share path<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">vim \/etc\/auto.misc\r\n<\/pre>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">share01             -fstype=cifs,rw,noperm,sec=krb5 :\/\/fileserver\/share01\r\n<\/pre>\n<p>Step 5. 
Create a crontab entry for root to refresh the Kerberos ticket every 12 hours<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">crontab -e\r\n<\/pre>\n<p>CRON will run at 1AM and 1PM to refresh the Kerberos ticket<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">0 1,13 * * *       \/usr\/bin\/kinit testuser1@CORP.COMPANY.NET -k -t \/root\/testuser1.keytab\r\n<\/pre>\n<p>Step 6. Wait for the crontab to run and verify that a Kerberos ticket is received.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">klist\r\n<\/pre>\n<p>SOURCE: https:\/\/runops.wordpress.com\/2015\/03\/05\/setup-linux-cifs-autofs-automount-using-kerberos-authentication\/<\/p>\n<\/div>\n<p><strong>Creating a keytab file for the Kerberos service account (using the ktutil command on Linux)<\/strong><\/p>\n<p>This method of creating a keytab file on Linux uses the ktutil command.<\/p>\n<p><strong>Prerequisites<\/strong><\/p>\n<ul>\n<li>Kerberos is installed on the Linux host where Spotfire Server is installed.<\/li>\n<li>The tools ktutil, klist, and kinit are available on the Linux host.<\/li>\n<\/ul>\n<p><strong>Procedure<\/strong><\/p>\n<ol>\n<li>Start the ktutil tool by invoking it from the command line without any arguments. Execute the commands below, replacing &lt;database account name&gt; with the user login name of the Spotfire database account, written in lowercase letters:<\/li>\n<\/ol>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">&gt; ktutil\r\nktutil:  add_entry -password -p &lt;database account name&gt; -k 0 -e aes128-sha1\r\nPassword for &lt;database account name&gt;:\r\nktutil:  write_kt spotfire-database.keytab\r\nktutil:  quit\r\n<\/pre>\n<p>Note: All values are case sensitive.<\/p>\n<p>Note: It is not critical to use the name &#8220;spotfire-database.keytab&#8221; for the keytab file, but the following instructions assume that this name is used.<\/p>\n<p>The tool prompts you for the password of the service account.<\/p>\n<ol start=\"2\">\n<li>Enter the password that you used when creating the Spotfire database account.<\/li>\n<li>Verify the created keytab by running the klist and kinit utilities:<\/li>\n<\/ol>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">&gt; klist -k spotfire-database.keytab\r\n&gt; kinit -k -t spotfire-database.keytab &lt;database account name&gt;@&lt;realm&gt;\r\n<\/pre>\n<p>Note: If you change the password of the Kerberos service account, you must re-create the keytab file.<\/p>\n<p>Creating and verifying a keytab file for the &#8220;serverdb_user&#8221; Spotfire database account in the research.example.com domain:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">&gt; ktutil\r\nktutil:  add_entry -password -p serverdb_user -k 0 -e rc4-hmac-nt\r\nPassword for serverdb_user:\r\nktutil:  write_kt spotfire-database.keytab\r\nktutil:  quit\r\n\r\n&gt; klist -k spotfire-database.keytab\r\n\r\n&gt; kinit -k -t spotfire-database.keytab serverdb_user@RESEARCH.EXAMPLE.COM\r\n<\/pre>\n<ol start=\"4\">\n<li>Copy the spotfire-database.keytab file to the following Spotfire Server directory: &lt;installation dir&gt;\/jdk\/jre\/lib\/security.<\/li>\n<\/ol>\n<p>Note: Because this file contains sensitive information, it must be handled with care. The file must not under any circumstances be readable by unauthorized users.<\/p>\n<p>SOURCE: https:\/\/docs.tibco.com\/pub\/spotfire_server\/7.7.0\/doc\/html\/TIB_sfire_server_tsas_admin_help\/GUID-27726F6E-569C-4704-8433-5CCC0232EC79.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Setup Linux CIFS AutoFS (automount) using Kerberos\u00a0authentication March 5, 2015 ~ tatroc2015 Written using CentOS 6, Windows 2012 Active Directory This guide was written assuming you already have Kerberos authentication working. In this post I will describe how to mount a Windows CIFS share from a Linux system using Kerberos authentication to a Windows Active Directory domain. In addition, the user's credentials will be stored securely in a keytab file. Step 1. 
verify you can get a Kerberos ticket kinit&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/www.rickyadams.com\/wp\/linux-cifs-autofs-automount-using-kerberos-authentication-and-kinit\/\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-502","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/comments?post=502"}],"version-history":[{"count":2,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts\/502\/revisions"}],"predecessor-version":[{"id":648,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts\/502\/revisions\/648"}],"wp:attachment":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/media?parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/categories?post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/tags?post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}