rss logo

Mounting Windows Shares with Kerberos Authentication on Debian GNU/Linux

Tux logo

In a Microsoft Windows environment, we can easily mount a network share from GNU/Linux using the mount command and the cifs utility. The advantage lies in its straightforward setup process. However, the downside is that it relies on the outdated and insecure NTLM (v1 and v2) protocol for user authentication, which poses security risks due to its age and lack of robustness.

Thankfully, there's an alternative method for mounting Windows shares from Linux that offers significantly enhanced security-through the use of Kerberos. Unlike NTLM, Kerberos is a more recent and markedly more secure authentication protocol. While its implementation does require more comprehensive configuration, the substantial security improvements it offers outweigh the additional setup complexity.

This article is dedicated to guiding you through the step-by-step process of establishing and configuring Kerberos-based authentication, enabling you to securely mount Windows shares on your GNU/Linux systems.

Network Architecture

  • For this example, I will use the following architecture:
    • A Windows domain: std.local
    • Windows share: hosted on an Active Directory server, accessible via \\ad.std.local\SHARE\
    • Windows user with access rights to the share: j.valmer@std.local
    • GNU/Linux client: a standard Debian installation
    • The share will be mounted under the user john on the Debian system
Network diagram depicting a Linux station and a Windows server file share

Install and Configure

⚠️ Prerequisites: Make sure that the clock time of both the Windows and Debian servers is synchronized. ⚠️

  • Install prerequisites:
root@desktop:~# apt update && apt install cifs krb5-user ntp
  • Edit /etc/resolv.conf and add your AD server as the primary DNS:
domain std.local search std.local nameserver
  • Edit /etc/krb5.conf:
[libdefaults] default_realm = STD.LOCAL ticket_lifetime = 1d renew_lifetime = 7d dns_lookup_realm = false dns_lookup_kdc = true [realms] STD.LOCAL = { kdc = ad.std.local admin_server = ad.std.local }



  • Identify your user ID:
john@desktop:~$ id -u 1000
  • Identify your group ID:
john@desktop:~$ id -g 1000
  • Identify your username:
john@desktop:~$ echo $USER john
  • Create the mount destination:
john@desktop:~$ sudo mkdir /mnt/win_share

Classical Mount with NTLM Authentication

  • Understand the following options:
    • domain=: sets the domain of the user
    • uid=: sets the uid that will own all files or directories on the mounted filesystem when the server does not provide ownership information.
    • gid=: sets the gid that will own all files or directories on the mounted filesystem when the server does not provide ownership information.
john@desktop:~$ sudo mount -t cifs username=j.valmer,domain=std.local,uid=1000,gid=1000 // /mnt/win_share

Mount with Kerberos Authentication

  • Obtain a ticket; be cautious as it's case sensitive:
john@desktop:~$ kinit j.valmer@STD.LOCAL Password for j.valmer@STD.LOCAL:
  • Control that you have a ticket:
john@desktop:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: j.valmer@STD.LOCAL Valid starting Expires Service principal 09/08/2023 18:19:54 10/08/2023 04:19:54 krbtgt/STD.LOCAL@STD.LOCAL renew until 10/08/2023 18:19:50 09/08/2023 18:19:59 10/08/2023 04:19:54 cifs/ad.std.local@ renew until 10/08/2023 18:19:50 Ticket server: cifs/ad.std.local@STD.LOCAL
  • Understand the following options:
    • Use the SPN of the server name to indicate the path of the share; don't use the IP address. This is used for authentication with Kerberos.
    • cruid=arg: Sets the UID of the owner of the credentials cache. This is primarily useful with sec=krb5.
    • sec=krb5i: Uses Kerberos version 5 authentication and forcibly enables packet signing. (krb5 only doesn't enable packet signing).
john@desktop:~$ sudo mount -t cifs cruid=john,user=john,sec=krb5i,uid=1000,gid=1000 //ad.std.local/SHARE /mnt/win_share
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address