Automount SMB Shares Using KRB5

In some cases, it may be necessary to automatically mount smb shares at host startup not using a file with login/password, but using krb5.

There is (precondition):

  • Domain joined VM on ubuntu 24 server LTS

  • The necessary libraries are installed from https://ubuntu.com/server/docs/how-to-set-up-sssd-with-ldap-and-kerberos

To set this up we will need:
1) Generate a keytab file

ktutil ktutil: addent -password -p username@DOMAIN.COM -k 1 -f Password for username@DOMAIN.COM: ktutil: wkt /path/to/username.keytab ktutil: quit
2) Set up appropriate file rights:
sudo chown username:username /path/to/username.keytabsudo chmod 600 /path/to/username.keytab
3) Get a Kerberos ticket and write it to a file:
kinit -kt /path/to/username.keytab username@DOMAIN.COM
4) Install kstart to automatically update tickets
sudo apt-get install kstart
5)Create systemd-service /etc/systemd/system/k5start-username.service :

[Unit] Description=Maintain Kerberos Ticket for username

[Service] 
Type=simple ExecStart=/usr/bin/kstart -U -t -K 60 -k /path/to/username.keytab -f /tmp/krb5cc_username 
User=username 
Restart=always

[Install] WantedBy=multi-user.target

6) enable systemd service:

sudo systemctl daemon-reload 
sudo systemctl enable kstart-username.service 
sudo systemctl start kstart-username.service

7) create a systemd service in /etc/systemd/system/mount-smb-username.service to mount the share:

[Unit] Description=Mount SMB Share for Username after k5start Requires=k5start-username.service After=k5start-username.service

[Service]
Type=oneshot ExecStart=/usr/bin/mount -t cifs //some/share/path /mnt/some_mnt_point -o sec=krb5,cruid=username

ExecStop=/usr/bin/umount /mnt/some_mnt_point RemainAfterExit=yes

[Install] WantedBy=multi-user.target

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *