Is it possible to mount a cifs share with kerberos using the machine account (with active directory)
L. van Belle
belle at samba.org
Mon Jun 14 08:05:44 UTC 2021
Yes, that has worked fine here for years, at least for me.
Make sure you have an A (AAAA) and PTR record in the DNS.
Make sure you use /etc/krb5.keytab (as in, I have not tested it on an AD-DC,
only members).
Add cifs/your.server.fqdn to the keytab file
You can use : net ads keytab add_update_ads cifs/$(hostname -f)
This adds the UPS/SPN to the keytab file and updates it in the AD.
(Don't forget to install: keyutils)
And as of this point you can pick almost any automounting setup.
Personally I use systemd and automounting; everything is set in systemd's
service files.
For example, what I use:
Filename : srv-samba-users.mount << this name must match the path to the
users folder.
[Unit]
Description=UsersHomes (/srv/samba/users)
Requires=systemd-networkd.service
After=network-online.target
Wants=network-online.target
[Mount]
What=//server.fqdn/share
Where=/srv/samba/users
# Options=  (no options; try without first, the defaults are often fine.)
# If that is not working, play with the one below.
#Options=vers=2.1,iocharset=utf8,rw,x-systemd.automount
Type=cifs
TimeoutSec=30
[Install]
WantedBy=multi-user.target
##
Refresh systemd: systemctl daemon-reload
Enable it : systemctl enable srv-samba-users.mount
Test it : systemctl start srv-samba-users.mount
Mount should be done.
Umount : systemctl stop srv-samba-users.mount
Add automounter.
# /etc/systemd/system/srv-samba-users.automount
[Unit]
Description=Automount Home-users
[Automount]
Where=/srv/samba/users
[Install]
WantedBy=multi-user.target
Refresh systemd: systemctl daemon-reload
systemctl enable srv-samba-users.automount
systemctl start srv-samba-users.automount
Reboot and test.
Greetz,
Louis
> -----Original message-----
> From: samba-technical
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of Steve
> French via samba-technical
> Sent: Saturday, 12 June 2021 1:57
> To: samba-technical
> Subject: Fwd: Is it possible to mount a cifs share with
> kerberos using the machine account (with active directory)
>
> ---------- Forwarded message ---------
> From: Bruno Bigras <bigras.bruno at gmail.com>
> Date: Fri, Jun 11, 2021 at 6:51 PM
> Subject: Is it possible to mount a cifs share with kerberos using the
> machine account (with active directory)
> To: <linux-cifs at vger.kernel.org>
>
>
> When a Linux machine joins an Active Directory's domain, a computer
> account is created.
>
> A network share can be configured to give rights to the
> computer account.
>
> Can I use that account to mount the cifs share with the computer
> account (with the keytab file)?
>
> Almost every example on the internet is about using a user account or
> using multiuser (which also uses a user account).
>
> Thanks,
>
> Bruno
>
>
> --
> Thanks,
>
> Steve
>
>
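Added example (not part of the original messages): an offline pre-flight check for two points in the reply above, that the keytab lists the cifs/ SPN and that each unit file name matches its Where= path. The function names, the host client1.example.com and the klist listing are constructed for illustration.

```shell
# Added example, not from the original message. Function names are hypothetical.
# unit_name PATH SUFFIX: the unit file name systemd expects for mount point PATH.
# systemd path escaping: "/" becomes "-", bytes outside [A-Za-z0-9:_.] become \xNN.
# Assumes an ASCII path without ".." components.
unit_name() (
    path=$(printf '%s' "$1" | tr -s '/')    # collapse repeated slashes
    path=${path#/}; path=${path%/}          # drop leading and trailing slash
    [ -n "$path" ] || { printf '%s.%s\n' - "$2"; exit 0; }   # "/" maps to "-"
    out='' first=1
    while [ -n "$path" ]; do
        rest=${path#?}; c=${path%"$rest"}; path=$rest   # take one character
        case $c in
            /) out="$out-" ;;
            [A-Za-z0-9:_]) out="$out$c" ;;
            .) if [ "$first" = 1 ]; then out="$out\\x2e"; else out="$out."; fi ;;
            *) out="$out$(printf '\\x%02x' "'$c")" ;;
        esac
        first=0
    done
    printf '%s.%s\n' "$out" "$2"
)

# check_unit FILE_NAME WHERE: succeed if FILE_NAME is the name systemd
# requires for a .mount/.automount unit whose Where= is WHERE.
check_unit() {
    [ "$1" = "$(unit_name "$2" "${1##*.}")" ]
}

# keytab_has_spn LISTING SPN: succeed if the `klist -k` LISTING contains SPN
# (the realm after "@" is ignored).
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ { p = $2; sub(/@.*/, "", p); if (p == want) found = 1 }
        END { exit !found }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` output on a domain member.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM
   2 cifs/client1.example.com@EXAMPLE.COM
   2 CLIENT1$@EXAMPLE.COM'

for f in srv-samba-users.mount srv-samba-users.automount home-users.automount; do
    if check_unit "$f" /srv/samba/users; then echo "ok:       $f"
    else echo "mismatch: $f (name does not match Where=/srv/samba/users)"; fi
done
keytab_has_spn "$SAMPLE_KLIST" cifs/client1.example.com && echo "ok:       cifs SPN in keytab"
```

On a live domain member, pass real data instead of the sample: `keytab_has_spn "$(klist -k /etc/krb5.keytab)" "cifs/$(hostname -f)"`.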