Is it possible to mount a cifs share with kerberos using the machine account (with active directory)
awalker at ixsystems.com
Sat Jun 12 01:02:01 UTC 2021
On Fri, Jun 11, 2021 at 7:57 PM Steve French via samba-technical <
samba-technical at lists.samba.org> wrote:
> ---------- Forwarded message ---------
> From: Bruno Bigras <bigras.bruno at gmail.com>
> Date: Fri, Jun 11, 2021 at 6:51 PM
> Subject: Is it possible to mount a cifs share with kerberos using the
> machine account (with active directory)
> To: <linux-cifs at vger.kernel.org>
> When a Linux machine joins an Active Directory's domain, a computer
> account is created.
> A network share can be configured to give rights to the computer account.
> Can I use that account to mount the cifs share with the computer
> account (with the keytab file)?
> Almost every example on the internet is about using a user account or
> using multiuser (which also uses a user account).
IIRC there are some applications that will use the machine account to
perform operations over the network (like backup applications). Whether
this is successful against a Samba server depends on the configured idmap
backend on the Samba server. If idmap_rid or idmap_autorid are used, then
it _should_ be possible. If you're relying on rfc2307 attributes for
idmapping, then it's probably not possible since they can't be assigned to
computer accounts IIRC. This is hypothetical, and has caveats. I also
haven't tested with linux clients.
More information about the samba-technical