MauvaisJoueur

Asked: 2020-08-24 23:50:03 +0800 CST

How to run kinit as root before automounting mutiuser cifs mounts?

Goal

I'm setting up multi-user CIFS mounts in an Active Directory environment under CentOS 8.2. The storage server supports SMB3.1.1 protocol.

Prerequisites

I could easily integrate the system to the Active Directory and I've edited SSSD (/etc/sssd/sssd.conf) and realm configuration to match preferences and needs.

Results:

Active Directory users can login

I've also created a dedicated user that I'll name in this post "mountorino". mountorino has required share permissions (RO) and NTFS permissions (traverse root folder) to mount the CIFS shares. Identification information is stored in the /root/cifs.cred file.

Scenario A: NTLM

Mounting the CIFS shares with the multiuser and ntlmsspi options:

//<server>/<share> /mnt/<mount point> cifs auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=ntlmsspi,credentials=/root/cifs.cred 0 0

Results:

It works as long as, from the end-user context, I run the cifscreds add --username <user> <server> command
It doesn't work if I run cifscreds add --username <user> --domain <domain> command

Scenario B: Kerberos

Mounting the CIFS shares with the multiuser, krb5i, and cruid options:

//<server>/<share> /mnt/<mount point> cifs auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=krb5i,cruid=0,credentials=/root/cifs.cred 0 0

Results:

It works as long as, as root, I run the kinit mounterino@<DOMAIN> command

Questions:

With NTLM, why cifscreds add --username <user> --domain <domain> doesn't work? The user, the server and the client all are members of the same Windows domain!
More importantly, with Kerberos, how can I make root to get a Kerberos ticket before automounting fstab entries happens? I understand that by generating a keytab file, I won't have to type moutorino password when running kinit, which allows to automate kinit usage. But how do I make sure kinit is run before automounts are mounted? PAM? systemd unit?

Sources

Best regards, MauvaisJoueur

How to run kinit as root before automounting mutiuser cifs mounts?

Goal

Prerequisites

Scenario A: NTLM

Scenario B: Kerberos

Questions:

Sources

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

MauvaisJoueur's questions

Goal

Prerequisites

Scenario A: NTLM

Scenario B: Kerberos

Questions:

Sources