Mount a Samba share using Kerberos ticket
If you sign in with a Windows domain user, a Kerberos ticket has already been requested. You can verify this by running klist.
To reuse this ticket, add the user and cruid options to your mount command. This way you do not have to enter any credentials again.
sudo mount -t cifs -o user=$USER,cruid=$USER,sec=krb5 //domain/path /home/path
To mount the share with your user as owner (and thus with write permission), add the gid and uid options.
sudo mount -t cifs -o user=$USER,cruid=$USER,sec=krb5,gid=$GID,uid=$UID //domain/path /home/path
You get your $GID by running id -g $USER and your $UID by running id -u $USER.
You may have to apt-get install keyutils to get this working.
First, try -o vers=1. The kernel's SMB2 client has only very recently gained Kerberos support – in Ubuntu 14.04, only the 4.4.x kernel will have it.
Second, check that the request-key and cifs.upcall binaries are installed and that the latter is mentioned in /etc/request-key.conf (or /etc/request-key.d/):
create cifs.spnego * * /usr/bin/cifs.upcall %k
Finally, check the system log (/var/log/debug or journalctl -b) for messages from cifs.upcall, and make sure it is looking for your tickets in the correct place. It doesn't actually know which process is accessing the share and what $KRB5CCNAME it has, so it needs to guess a few common places.
In fact, if you run mount via sudo, the mounting process (running as uid 0) won't have any tickets by default; a separate sudo kinit may be required.
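The second check above can be scripted. The following is an added example, not part of the original page: it finds the first active cifs.spnego rule in the request-key configuration and confirms that the helper it names is executable. The function names, the *.conf naming inside the request-key.d directory and the sample files built in demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): locate the active cifs.spnego
# rule used by request-key and confirm the helper it names is executable.

# Print the program field of the first active rule in one file.
# Rule fields: OP TYPE DESCRIPTION CALLOUT-INFO PROGRAM [ARGS...]
scan_file() {
    [ -r "$1" ] || return 1
    awk '$1 == "create" && $2 == "cifs.spnego" { print $5; found = 1; exit }
         END { exit !found }' "$1"
}

# Accepts files and directories; directories are searched for *.conf files.
find_spnego_helper() {
    for target in "$@"; do
        if [ -d "$target" ]; then
            for f in "$target"/*.conf; do scan_file "$f" && return 0; done
        else
            scan_file "$target" && return 0
        fi
    done
    return 1
}

# Return 0 if a rule exists and its helper is executable,
# 1 if no rule was found, 2 if the helper cannot be executed.
check_cifs_upcall() {
    helper=$(find_spnego_helper "$@") || { echo "no cifs.spnego rule found"; return 1; }
    [ -x "$helper" ] || { echo "rule points at $helper, which is not executable"; return 2; }
    echo "ok: $helper"
}

# Demo on constructed sample files: the commented-out rule must be ignored.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/cifs.upcall"; chmod +x "$d/cifs.upcall"
    printf '#create cifs.spnego * * /old/helper %%k\n' > "$d/request-key.conf"
    mkdir "$d/request-key.d"
    printf 'create cifs.spnego * * %s %%k\n' "$d/cifs.upcall" \
        > "$d/request-key.d/cifs.spnego.conf"
    check_cifs_upcall "$d/request-key.conf" "$d/request-key.d" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

On a real system, call check_cifs_upcall /etc/request-key.conf /etc/request-key.d instead of demo.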