Instantly share code, notes, and snippets.

AllanGH/mount-windows-share-on-unix-with-kerberos.md

Created March 27, 2025 11:00

Show Gist options

Download ZIP

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/AllanGH/1f1da4c8f7971077872882f7e7b2fb33.js"></script>
Save AllanGH/1f1da4c8f7971077872882f7e7b2fb33 to your computer and use it in GitHub Desktop.

Code Revisions 1

Learn more about clone URLs

Clone this repository at <script src="https://gist.github.com/AllanGH/1f1da4c8f7971077872882f7e7b2fb33.js"></script>

Save AllanGH/1f1da4c8f7971077872882f7e7b2fb33 to your computer and use it in GitHub Desktop.

Download ZIP

How to mount a Windows share with Kerberos on Linux

Raw

mount-windows-share-on-unix-with-kerberos.md

How to mount a Windows share with Kerberos authentication on Linux

This approach relies on the Unix server being joined to the Active Directory domain. The share is mounted using Kerberos authentication, which is more secure than using a username and password.

Share the Windows folder

On the Windows machine, right-click on the folder you want to share and select "Properties".
Go to the "Sharing" tab and click on "Advanced Sharing".
Check the box that says "Share this folder".
Click on "Permissions" and add the server where you want to mount the share.
The Object Types should include "Computers", and then search for the server name. Set the permissions as needed.
Click "OK" to close the permissions window, and then click "OK" again.
Go to the "Security" tab and add the server name with the necessary permissions as well.

Mount the share on the Unix server

Create a directory where you want to mount the share:
```
sudo mkdir /mnt/windows_share
```
Set the permissions on the directory:
```
sudo chmod 777 /mnt/windows_share
```
To renew and/or acquire a Kerberos ticket, create the following script
```
 sudo nano /usr/local/sbin/kerb-refresh.sh
```
Add the following content:
```
#!/bin/bash

kinit -R 2>/dev/null

if [ $? -ne 0 ]; then
  hostname=$(hostname | tr '[:lower:]' '[:upper:]')
  kinit -k -t /etc/krb5.keytab "${hostname}\$@DOMAIN"
fi
```
make the script executable:
```
 chmod +x /usr/local/sbin/kerb-refresh.sh
```
The script will first try to renew the Kerberos ticket. If that fails, it will acquire a new ticket using the keytab file located at /etc/krb5.keytab. The hostname is converted to uppercase to match the expected format in Active Directory.
Verify that the script works:
```
/usr/local/sbin/kerb-refresh.sh
klist
```
which should show the Kerberos ticket. If not, check the keytab file and ensure that the server is joined to the Active Directory domain. The server might be registered with multiple SPNs.

Add a systemd service to execute the script

sudo nano /etc/systemd/system/kerb-refresh.service

Add the following content:

[Unit]
Description=Obtain Kerberos ticket for machine account
 
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/kerb-refresh.sh

Set up systemd timer to run the script at boot and every 2 hours

sudo nano /etc/systemd/system/kerb-refresh.timer

Add the following content:

[Unit]
Description=Obtain (and refresh) Kerberos ticket for machine account at boot and bi-hourly
After=network-online.target
Wants=network-online.target

[Timer]
# Run once, immediately after boot:
OnBootSec=0
# Then run again every 2 hours:
OnUnitActiveSec=2h

Unit=kerb-refresh.service
 
[Install]
WantedBy=multi-user.target

Refresh systemctl and enable the timer:

  sudo systemctl daemon-reload
  sudo systemctl enable kerb-refresh.timer
  sudo systemctl start kerb-refresh.timer

Verify that the timer is running:
```
 sudo systemctl list-timers
```

Add the share to the fstab file:

sudo nano /etc/fstab

Add the following line:

//WindowsServer/share /mnt/windows_share cifs sec=krb5,rw,file_mode=0777,dir_mode=0777 0 0

Mount the share:

 sudo mount -a