Mount a Samba share using Kerberos ticket

Solution 1:

If you are signing in with a Windows domain user, a Kerberos ticket is already requested. You can test it by executing klist.

To reuse this ticket you have to add the user and cruid options to your mount command. This way you do not have to enter any credentials again.

sudo mount -t cifs -o user=$USER,cruid=$USER,sec=krb5 //domain/path /home/path

To mount the share with your user as owner (and thus with write permission) add the gid and uid options.

sudo mount -t cifs -o user=$USER,cruid=$USER,sec=krb5,gid=$GID,uid=$UID //domain/path /home/path

You get your $GID by running id -g $USER and your $UID by id -u $USER.

It may be that you have to apt-get install keyutils to get this working.

Solution 2:

First, try -o vers=1. The kernel's SMB2 client has only very recently gained Kerberos support – in Ubuntu 14.04, only the 4.4.x kernel will have it.

Second, check if the request-key and cifs.upcall binaries are installed and that the latter is mentioned in /etc/request-key.conf (or /etc/request-key.d/):

create cifs.spnego * * /usr/bin/cifs.upcall %k

Finally, check the system log (/var/log/debug or journalctl -b) for messages from cifs.upcall, and make sure it is looking for your tickets in the correct place. It doesn't actually know which process is accessing the share and what $KRB5CCNAME it has, so it needs to guess a few common places.

In fact, if you run mount via sudo, the mounting process (running as uid 0) won't have any tickets by default; a separate sudo kinit may be required.
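
The checks from Solution 2, as an added example that is not part of either answer: it looks for an active cifs.spnego rule in the two locations named above and tests whether the calling uid holds tickets. The function names are hypothetical, `klist -s` is assumed to be available (MIT krb5 supports it), and the demo uses a constructed config in which /bin/sh stands in for cifs.upcall.

```shell
#!/bin/sh
# Added example, not from the original answers. Function names are hypothetical.

# find_spnego_helper CONF_FILE CONF_DIR
# Prints the program named by the first active "create cifs.spnego" rule.
# Returns 0: rule found and program executable; 1: no rule; 2: not executable.
find_spnego_helper() {
    helper=""
    for f in "$1" "$2"/*.conf; do
        [ -r "$f" ] || continue
        # Rule fields: op type description callout-info program [args...]
        # A commented-out rule never matches: its first field is not "create".
        helper=$(awk '$1 == "create" && $2 == "cifs.spnego" { print $5; exit }' "$f")
        if [ -n "$helper" ]; then break; fi
    done
    [ -n "$helper" ] || return 1
    printf '%s\n' "$helper"
    [ -x "$helper" ] || return 2
}

# Run as the identity that will call mount: under sudo that is uid 0.
# Assumes a klist that supports -s (silent, exit status only), as MIT krb5 does.
has_ticket() { klist -s 2>/dev/null; }

# preflight CONF_FILE CONF_DIR -> returns the number of problems found (0 = ready)
preflight() {
    st=0; problems=0
    helper_path=$(find_spnego_helper "$1" "$2") || st=$?
    case $st in
        0) echo "ok: upcall program $helper_path" ;;
        1) echo "missing: no 'create cifs.spnego' rule"; problems=$((problems + 1)) ;;
        2) echo "broken: $helper_path is not executable"; problems=$((problems + 1)) ;;
    esac
    if has_ticket; then
        echo "ok: uid $(id -u) has a valid ticket cache"
    else
        echo "missing: no valid tickets for uid $(id -u)"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample config; /bin/sh stands in for /usr/bin/cifs.upcall.
demo_constructed() {
    d=$(mktemp -d) && mkdir "$d/request-key.d"
    printf '%s\n' '#create cifs.spnego * * /nonexistent %k' \
        'create cifs.spnego * * /bin/sh %k' > "$d/request-key.d/cifs.spnego.conf"
    rc=0; find_spnego_helper "$d/request-key.conf" "$d/request-key.d" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo_constructed   # real use: preflight /etc/request-key.conf /etc/request-key.d
```

Running preflight once as yourself and once through sudo shows the difference the last paragraph describes: the rule check gives the same result, while the ticket check depends on which uid runs it.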