Is it possible to mount a cifs share with kerberos using the machine account (with active directory)

L. van Belle belle at samba.org
Mon Jun 14 08:05:44 UTC 2021


Yes, that has worked fine here for years, at least for me.

Make sure you have an A (AAAA) and PTR record in the DNS.
Make sure you use /etc/krb5.keytab (as in, I have not tested it on an AD-DC,
only members).

Add cifs/your.server.fqdn to the keytab file.
You can use: net ads keytab add_update_ads cifs/$(hostname -f)
This adds the UPN/SPN to the keytab file and updates it in the AD.


(Don't forget to install: keyutils)
And as of this point you can pick almost any automounting setup.

Personally I use systemd and automounting; everything is set in systemd's
service files.
For example, what I use:

Filename : srv-samba-users.mount << this name must match the path to the
users folder. 

[Unit]
Description=UsersHomes (/srv/samba/users) 
Requires=systemd-networkd.service
After=network-online.target
Wants=network-online.target

[Mount]
What=//server.fqdn/share
Where=/srv/samba/users
# No Options= line: try without options first, the defaults are often fine.
# If that is not working, play with the one below.
#Options=vers=2.1,iocharset=utf8,rw,x-systemd.automount
Type=cifs
TimeoutSec=30

[Install]
WantedBy=multi-user.target

##
Refresh systemd:  systemctl daemon-reload

Enable it : systemctl enable srv-samba-users.mount
Test it : systemctl start srv-samba-users.mount
Mount should be done. 
Umount. : systemctl stop srv-samba-users.mount

Add automounter.
# /etc/systemd/system/srv-samba-users.automount
[Unit]
Description=Automount Home-users

[Automount]
Where=/srv/samba/users

[Install]
WantedBy=multi-user.target

Refresh systemd:  systemctl daemon-reload

systemctl enable srv-samba-users.automount
systemctl start srv-samba-users.automount



Reboot and test. 

Greetz, 

Louis


> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of Steve 
> French via samba-technical
> Sent: Saturday 12 June 2021 1:57
> To: samba-technical
> Subject: Fwd: Is it possible to mount a cifs share with 
> kerberos using the machine account (with active directory)
> 
> ---------- Forwarded message ---------
> From: Bruno Bigras <bigras.bruno at gmail.com>
> Date: Fri, Jun 11, 2021 at 6:51 PM
> Subject: Is it possible to mount a cifs share with kerberos using the
> machine account (with active directory)
> To: <linux-cifs at vger.kernel.org>
> 
> 
> When a Linux machine joins an Active Directory's domain, a computer
> account is created.
> 
> A network share can be configured to give rights to the 
> computer account.
> 
> Can I use that account to mount the cifs share with the computer
> account (with the keytab file)?
> 
> Almost every example on the internet is about using a user account or
> using multiuser (which also uses a user account).
> 
> Thanks,
> 
> Bruno
> 
> 
> -- 
> Thanks,
> 
> Steve
> 
> 
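
The two things the reply above depends on (a cifs/<fqdn> entry in the keytab, and unit file names that match the mount path) can be checked offline; this is an added shell example, not part of the original message. The host member1.example.com, realm EXAMPLE.COM, the sample klist output and the function names are constructed for illustration, and the name escaping is a simplified stand-in for `systemd-escape -p --suffix=mount PATH`.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for the keytab + systemd mount setup.

# Unit name systemd expects for a mount point. Simplified: handles "/" and "-"
# only; use `systemd-escape -p --suffix=mount PATH` for arbitrary paths.
unit_name_for_path() {   # $1 = mount point, $2 = mount | automount
    p=$(printf '%s' "$1" | sed -e 's#//*#/#g' -e 's#^/##' -e 's#/$##')
    [ -n "$p" ] || { printf '%s.%s\n' '-' "$2"; return; }   # "/" maps to "-"
    # A literal "-" in the path becomes \x2d, then each "/" becomes "-".
    printf '%s.%s\n' "$(printf '%s' "$p" | sed -e 's/-/\\x2d/g' -e 's#/#-#g')" "$2"
}

# Does a unit file's name match its Where= line?  $1 = path to the unit file.
# Returns 0 on match, 1 on mismatch, 2 if the file has no Where= line.
unit_file_matches_where() {
    where=$(sed -n 's/^Where=//p' "$1" | head -n 1)
    [ -n "$where" ] || return 2
    [ "$(basename "$1")" = "$(unit_name_for_path "$where" "${1##*.}")" ]
}

# Is cifs/<fqdn> listed in `klist -k` output read from stdin?  $1 = fqdn.
# The realm is ignored and the comparison is case-insensitive.
keytab_has_cifs_spn() {
    want=$(printf 'cifs/%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        $1 ~ /^[0-9]+$/ { split(tolower($2), a, "@"); if (a[1] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/member1.example.com@EXAMPLE.COM
   2 MEMBER1$@EXAMPLE.COM
   2 cifs/member1.example.com@EXAMPLE.COM'

unit_name_for_path /srv/samba/users mount
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_cifs_spn member1.example.com \
    && echo "cifs SPN present in keytab"
```

On a real member server, feed `klist -k /etc/krb5.keytab` into `keytab_has_cifs_spn "$(hostname -f)"` and run `unit_file_matches_where` on each unit file before enabling it.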