{"id":504,"date":"2017-04-19T21:23:34","date_gmt":"2017-04-19T14:23:34","guid":{"rendered":"http:\/\/www.rickyadams.com\/wp\/?p=504"},"modified":"2017-04-19T21:24:13","modified_gmt":"2017-04-19T14:24:13","slug":"how-to-setup-cifs-mounts-in-autofs-using-kerberos-authentication-on-redhat-linux","status":"publish","type":"post","link":"https:\/\/www.rickyadams.com\/wp\/how-to-setup-cifs-mounts-in-autofs-using-kerberos-authentication-on-redhat-linux\/","title":{"rendered":"How to set up cifs mounts in autofs using Kerberos authentication on RedHat Linux"},"content":{"rendered":"<h2><strong>How to set up cifs mounts in autofs using Kerberos authentication<\/strong><\/h2>\n<div id=\"page-wrap\" class=\"page-wrap\">\n<div class=\"top-page-wrap\">\n<div id=\"cp-content\" class=\"main-content\">\n<article id=\"main-content\" class=\"kcs_solution cirrus-content\">\n<div class=\"band band-first\">\n<div class=\"container\">\n<div class=\"row\">\n<div class=\"col-sm-11 solution-content content-wrapper\">\n<header class=\"header\">\n<div class=\"header-meta\">\n<p><span class=\"status verified\" title=\"\" data-original-title=\"\" data-toggle=\"popover\" data-placement=\"bottom\" data-content=\"This solution has been verified to work by Red Hat Customers and Support Engineers for the specified product version(s).\" data-trigger=\"hover\"> Solution Verified <\/span> &#8211; Updated <time class=\"moment_date\" title=\"March 6 2017 at 2:24 AM\" datetime=\"2017-03-06T02:24:12-07:00\">March 6 2017 at 2:24 AM<\/time> &#8211;<\/p>\n<\/div>\n<\/header>\n<section class=\"field_kcs_environment_txt\">\n<h2>Environment<\/h2>\n<ul>\n<li>Red Hat Enterprise Linux 6<\/li>\n<\/ul>\n<h3>Please Note:<\/h3>\n<ul>\n<li>Kerberos support for CIFS mounts is considered <strong>Tech Preview<\/strong> in Red Hat Enterprise Linux 5. See <a href=\"https:\/\/access.redhat.com\/knowledge\/docs\/en-US\/Red_Hat_Enterprise_Linux\/5\/html-single\/5.8_Technical_Notes\/index.html#technology_previews\">5.8 Technical Notes<\/a> for more information.<\/li>\n<\/ul>\n<\/section>\n<section class=\"field_kcs_issue_txt\">\n<h2>Issue<\/h2>\n<ul>\n<li>How to set up <code>cifs<\/code> mounts in <code>autofs<\/code> using <code>kerberos<\/code> authentication?<\/li>\n<li>Configuration for authentication to <code>cifs<\/code> shares with a <code>kerberos<\/code> ticket.<\/li>\n<\/ul>\n<\/section>\n<section class=\"field_kcs_resolution_txt\">\n<h2>Resolution<\/h2>\n<h3>Using sssd<\/h3>\n<p>The System Security Services Daemon (SSSD) is the preferred method of automounting CIFS shares. This is covered in the documentation at:<\/p>\n<p>https:\/\/access.redhat.com\/documentation\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Deployment_Guide\/sssd-ldap-autofs.html<\/p>\n<h3>Using winbindd<\/h3>\n<ul>\n<li>The system's <code>NSS<\/code> and <code>PAM<\/code> stack will need to be configured to track uid\/gid info and also to obtain a Kerberos ticket on login. 
In this example configuration, the winbind daemon is used with the idmap_ad backend.<\/li>\n<li>NSS is configured with winbind in <strong>\/etc\/nsswitch.conf<\/strong>.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>passwd:     files winbind\r\nshadow:     files winbind\r\ngroup:      files winbind\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>PAM is configured for winbind in <strong>\/etc\/pam.d\/password-auth<\/strong> and <strong>\/etc\/pam.d\/system-auth<\/strong>.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>auth        required      pam_env.so\r\nauth        sufficient    pam_unix.so nullok try_first_pass\r\nauth        requisite     pam_succeed_if.so uid &gt;= 500 quiet\r\nauth        sufficient    pam_winbind.so use_first_pass\r\nauth        required      pam_deny.so\r\n\r\naccount     required      pam_unix.so broken_shadow\r\naccount     sufficient    pam_localuser.so\r\naccount     sufficient    pam_succeed_if.so uid &lt; 500 quiet\r\naccount     [default=bad success=ok user_unknown=ignore] pam_winbind.so\r\naccount     required      pam_permit.so\r\n\r\npassword    requisite     pam_cracklib.so try_first_pass retry=3 type=\r\npassword    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\r\npassword    sufficient    pam_winbind.so use_authtok\r\npassword    required      pam_deny.so\r\n\r\nsession     optional      pam_keyinit.so revoke\r\nsession     required      pam_limits.so\r\nsession     optional      pam_oddjob_mkhomedir.so\r\nsession     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\r\nsession     required      pam_unix.so\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>In this example the Windows server tracks NSS info using Identity 
Management for UNIX and the rfc2307 attributes are set for users and groups in AD. The idmap_ad backend is used to resolve this information from AD; it is configured in <strong>\/etc\/samba\/smb.conf<\/strong>.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>   workgroup = 2K8R2DOMAIN\r\n   password server = win2k8sp1-64.2k8r2domain.gss\r\n   realm = 2K8R2DOMAIN.GSS\r\n   security = ads\r\n   idmap config 2K8R2DOMAIN:backend = ad\r\n   idmap config 2K8R2DOMAIN:range = 1000-60000\r\n   idmap config 2K8R2DOMAIN:schema_mode = rfc2307\r\n   winbind nss info = rfc2307\r\n   idmap uid = 60001-100000\r\n   idmap gid = 60001-100000\r\n   winbind use default domain = true\r\n   winbind separator = +\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>Alternatively, the NSS info can be resolved with the idmap_rid backend. This does not require any modification to AD and is configured in <strong>\/etc\/samba\/smb.conf<\/strong> as follows.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>   workgroup = 2K8R2DOMAIN\r\n   password server = win2k8sp1-64.2k8r2domain.gss\r\n   realm = 2K8R2DOMAIN.GSS\r\n   security = ads\r\n   idmap config 2K8R2DOMAIN:backend = rid\r\n   idmap config 2K8R2DOMAIN:range = 1000-60000\r\n   idmap uid = 60001-100000\r\n   idmap gid = 60001-100000\r\n   winbind use default domain = true\r\n   winbind separator = +\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>pam_winbind is configured to get Kerberos tickets on login in <strong>\/etc\/security\/pam_winbind.conf<\/strong>.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>[global]\r\nkrb5_auth = yes\r\nkrb5_ccache_type = 
FILE\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>The <strong>keyutils<\/strong> package is installed and the cifs.upcall lines (the last two below) are added to the request-key configuration in <strong>\/etc\/request-key.conf<\/strong>.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>#OP TYPE    DESCRIPTION CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...\r\n#====== ======= =============== =============== ===============================\r\ncreate  user    debug:*     negate      \/bin\/keyctl negate %k 30 %S\r\ncreate  user    debug:loop:*    *       |\/bin\/cat\r\ncreate  user    debug:*     *       \/usr\/share\/keyutils\/request-key-debug.sh %k %d %c %S\r\nnegate  *   *       *       \/bin\/keyctl negate %k 30 %S\r\ncreate cifs.spnego * * \/usr\/sbin\/cifs.upcall %k\r\ncreate dns_resolver * * \/usr\/sbin\/cifs.upcall %k\r\n<\/code><\/pre>\n<\/div>\n<p><strong>Note:<\/strong> Recent versions of the <code>cifs-utils<\/code> package ship individual request-key configuration files in <code>\/etc\/request-key.d\/<\/code> instead:<\/p>\n<div class=\"code-raw\">\n<pre><code> # rpm -ql cifs-utils-6.2-9.el7.x86_64|grep request\r\n\/etc\/request-key.d\/cifs.idmap.conf\r\n\/etc\/request-key.d\/cifs.spnego.conf\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>Autofs is configured for home dirs and also to mount a static share, in <strong>\/etc\/auto.master<\/strong>.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>\/adhome \/etc\/auto.home\r\n\/cifs \/etc\/auto.cifs\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>This share is the c:\\users area on the Windows server and it is configured in <strong>\/etc\/auto.home<\/strong>.<\/li>\n<\/ul>\n<div 
class=\"code-raw\">\n<pre><code>* -fstype=cifs,sec=krb5i,user=&amp;,uid=$UID,gid=$GID,cruid=$UID,file_mode=0600,dir_mode=0700,nounix,noserverino :\/\/win2k8sp1-64.2k8r2domain.gss\/Users\/&amp;\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>This share is the c:\\share area on the Windows server and is configured in <strong>\/etc\/auto.cifs<\/strong>. In both maps <code>sec=krb5i<\/code> requests Kerberos authentication with packet signing, and <code>cruid=$UID<\/code> points cifs.upcall at the credential cache of the user triggering the mount, so each user authenticates to the share with their own ticket.<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<pre><code>share -fstype=cifs,sec=krb5i,user=&amp;,uid=$UID,gid=$GID,cruid=$UID,file_mode=0600,dir_mode=0700,nounix,noserverino :\/\/win2k8sp1-64.2k8r2domain.gss\/share\r\n<\/code><\/pre>\n<\/div>\n<\/section>\n<section class=\"field_kcs_diagnostic_txt\">\n<h2>Diagnostic Steps<\/h2>\n<p>After the ssh login the user holds a TGT from pam_winbind; after the first access to an automounted share, <code>klist<\/code> additionally shows a <code>cifs\/<\/code> service ticket, which confirms the mount was authenticated with the user's own credentials.<\/p>\n<div class=\"code-raw\">\n<pre><code>[jagee@enigma ~]$ ssh jagee@rhel6-2k8-ad.2k8r2domain.gss\r\n\r\n[jagee@rhel6-2k8-ad ~]$ klist \r\nTicket cache: FILE:\/tmp\/krb5cc_10000\r\nDefault principal: jagee@2K8R2DOMAIN.GSS\r\n\r\nValid starting     Expires            Service principal\r\n12\/07\/12 15:35:30  12\/08\/12 01:35:30  krbtgt\/2K8R2DOMAIN.GSS@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n12\/07\/12 15:35:30  12\/08\/12 01:35:30  RHEL6-2K8-AD$@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n12\/07\/12 15:35:30  12\/08\/12 01:35:30  RHEL6-2K8-AD$@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n\r\n[jagee@rhel6-2k8-ad share]$ id\r\nuid=10000(jagee) gid=10000(domain users) groups=10000(domain users),10001(domain admins),10002(redhat),60001(BUILTIN+administrators),60002(BUILTIN+users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\n[jagee@rhel6-2k8-ad ~]$ cd 
\/cifs\/share\r\n[jagee@rhel6-2k8-ad share]$ cp dns.txt dns2.txt\r\n[jagee@rhel6-2k8-ad share]$ ls -la\r\ntotal 7796\r\ndrwx------. 1 jagee domain users    4096 Dec  7 14:48 .\r\ndrwxr-xr-x. 3 root  root               0 Dec  7 15:35 ..\r\n-rw-------. 1 jagee domain users    2685 Mar  6  2012 2k8r2domain-WIN2K8SP1-64-CA.p12\r\n-rw-------. 1 jagee domain users    1310 Mar  6  2012 AD-CA.cer\r\n-rw-------. 1 jagee domain users    1695 Jun 20 23:16 bulkgroupadd.ps1\r\n-rw-------. 1 jagee domain users    2319 Jun 20 22:31 bulkuseradd.ps1\r\n-rw-------. 1 jagee domain users 3980202 Dec  7 14:48 dns2.txt\r\n-rw-------. 1 jagee domain users 3980202 Nov 20 17:49 dns.txt\r\n\r\n[jagee@rhel6-2k8-ad share]$ cd \/adhome\/jagee\r\n[jagee@rhel6-2k8-ad jagee]$ echo test &gt; cifstest\r\n[jagee@rhel6-2k8-ad jagee]$ ls -la\r\ntotal 1849\r\ndrwx------. 1 jagee domain users   8192 Dec  7 15:52 .\r\ndrwxr-xr-x. 4 root  root              0 Dec  7 15:44 ..\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 AppData\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 Application Data\r\n-rw-------. 1 jagee domain users      5 Dec  7 15:53 cifstest\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Contacts\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 Cookies\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Desktop\r\ndrwx------. 1 jagee domain users   4096 Oct  3 10:41 Documents\r\ndrwx------. 1 jagee domain users   4096 Jul 23 17:38 Downloads\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Favorites\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Links\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 Local Settings\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Music\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 My Documents\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 NetHood\r\n-rw-------. 1 jagee domain users 524288 Dec  7 15:48 NTUSER.DAT\r\n-rw-------. 
1 jagee domain users 234496 Dec  7 15:48 ntuser.dat.LOG1\r\n-rw-------. 1 jagee domain users      0 Jan 31  2012 ntuser.dat.LOG2\r\n-rw-------. 1 jagee domain users     20 Jan 31  2012 ntuser.ini\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Pictures\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 PrintHood\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 Recent\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Saved Games\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Searches\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 SendTo\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 Start Menu\r\ndrwx------. 1 jagee domain users      0 Jan 31  2012 Templates\r\ndrwx------. 1 jagee domain users      0 Jul 23 17:38 Videos\r\n\r\n\r\n[jagee@rhel6-2k8-ad jagee]$ mount|grep cifs\r\n\/\/win2k8sp1-64.2k8r2domain.gss\/share on \/cifs\/share type cifs (rw)\r\n\/\/win2k8sp1-64.2k8r2domain.gss\/Users\/jagee on \/adhome\/jagee type cifs (rw)\r\n\r\n[jagee@rhel6-2k8-ad share]$ klist \r\nTicket cache: FILE:\/tmp\/krb5cc_10000\r\nDefault principal: jagee@2K8R2DOMAIN.GSS\r\n\r\nValid starting     Expires            Service principal\r\n12\/07\/12 15:35:30  12\/08\/12 01:35:30  krbtgt\/2K8R2DOMAIN.GSS@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n12\/07\/12 15:35:30  12\/08\/12 01:35:30  RHEL6-2K8-AD$@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n12\/07\/12 15:35:30  12\/08\/12 01:35:30  RHEL6-2K8-AD$@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n12\/07\/12 15:35:52  12\/08\/12 01:35:30  cifs\/win2k8sp1-64.2k8r2domain.gss@2K8R2DOMAIN.GSS\r\n    renew until 12\/14\/12 15:35:30\r\n\r\nSOURCE: https:\/\/access.redhat.com\/solutions\/276503\r\n<\/code><\/pre>\n<\/div>\n<\/section>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/article>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How to setup cifs mounts in autofs using kerberos authentication Solution Verified &#8211; Updated 
March 6 2017 at 2:24 AM &#8211; English No translations currently exist. Environment Red Hat Enterprise Linux 6 Please Note: Kerberos support for CIFS mounts is considered Tech Preview in Red Hat Enterprise Linux 5. See 5.8 Technical Notes for more information. Issue How to setup cifs mounts in autofs using kerberos authentication? Configuration for authentication to cifs shares with a kerberos ticket. Resolution using sssd&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/www.rickyadams.com\/wp\/how-to-setup-cifs-mounts-in-autofs-using-kerberos-authentication-on-redhat-linux\/\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-504","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts\/504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":3,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"predecessor-version":[{"id":534,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/posts\/504\/revisions\/534"}],"wp:attachment":[{"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddab
le":true,"href":"https:\/\/www.rickyadams.com\/wp\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}