
Mounting Windows Shares with Kerberos Authentication on Debian GNU/Linux


In a Microsoft Windows environment, we can easily mount a network share from GNU/Linux using the mount command and the cifs-utils package. The advantage is that it is easy to set up. The disadvantage is that it relies on the obsolete and insecure NTLM (v1 and v2) protocol for user authentication, which poses security risks due to its age and lack of robustness.

Fortunately, there is an alternative method for mounting Windows shares from Linux that offers significantly improved security: Kerberos authentication. Unlike NTLM, Kerberos is a newer and much more secure authentication protocol. Although it requires more extensive configuration to implement, the substantial security improvements it offers outweigh the additional complexity of setting it up.

This article will guide you step-by-step through setting up and configuring Kerberos-based authentication, enabling you to securely mount Windows shares on your GNU/Linux systems.

Network Architecture

  • For this example, I will use the following architecture:
    • A Windows domain: std.local
    • Windows share: hosted on an Active Directory server, accessible via \\ad.std.local\SHARE\
    • A Windows user with access rights to the share: j.valmer@std.local
    • GNU/Linux client: a standard Debian installation
    • The share will be mounted by the user john on the Debian system

Figure: network diagram depicting a Linux station and a Windows server file share.

Install and Configure

⚠️ Prerequisites: Make sure that the clocks of the Windows server and the Debian machine are synchronized; Kerberos rejects tickets when the clock skew between client and KDC is too large. ⚠️

  • Install the prerequisites:
root@desktop:~# apt update && apt install cifs-utils krb5-user ntp
  • Edit the /etc/resolv.conf file and add your AD server as the primary DNS server:
domain std.local
search std.local
nameserver 192.168.1.200
  • Edit /etc/krb5.conf:
[libdefaults]
    default_realm = STD.LOCAL
    ticket_lifetime = 1d
    renew_lifetime = 7d
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    STD.LOCAL = {
        kdc = ad.std.local
        admin_server = ad.std.local
    }

Mount

Prerequisites

  • Identify your user ID:
john@desktop:~$ id -u
1000
  • Identify your group ID:
john@desktop:~$ id -g
1000
  • Identify your username:
john@desktop:~$ echo $USER
john
  • Create the mount destination:
john@desktop:~$ sudo mkdir /mnt/win_share

Classical Mount with NTLM Authentication

  • Understand the following options:
    • domain=: sets the user's domain
    • uid=: sets the uid that will own all files or directories on the mounted file system when the server does not provide ownership information.
    • gid=: sets the gid that will own all files or directories on the mounted file system when the server does not provide ownership information.
john@desktop:~$ sudo mount -t cifs -o username=j.valmer,domain=std.local,uid=1000,gid=1000 //192.168.1.200/SHARE /mnt/win_share

Mount with Kerberos Authentication

  • Get a ticket; be careful, the realm name is case-sensitive:
john@desktop:~$ kinit j.valmer@STD.LOCAL
Password for j.valmer@STD.LOCAL:
  • Check that you have a ticket:
john@desktop:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: j.valmer@STD.LOCAL

Valid starting       Expires              Service principal
09/08/2023 18:19:54  10/08/2023 04:19:54  krbtgt/STD.LOCAL@STD.LOCAL
        renew until 10/08/2023 18:19:50
09/08/2023 18:19:59  10/08/2023 04:19:54  cifs/ad.std.local@
        renew until 10/08/2023 18:19:50
        Ticket server: cifs/ad.std.local@STD.LOCAL
  • Understand the following options:
    • Use the server's host name in the share path, not its IP address: the client requests a service ticket for the SPN cifs/ad.std.local, so Kerberos authentication cannot work against an IP.
    • cruid=arg: sets the UID of the owner of the credentials cache. This is mainly useful with sec=krb5.
    • sec=krb5i: uses Kerberos version 5 authentication and forces packet signing (sec=krb5 alone does not enable packet signing).
john@desktop:~$ sudo mount -t cifs -o cruid=john,user=john,sec=krb5i,uid=1000,gid=1000 //ad.std.local/SHARE /mnt/win_share
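The following script is an added example and not code from the article. It wraps the Kerberos mount steps above into a few shell functions: it checks a klist listing for a TGT in the expected realm, refuses a share path given by IP address (the cifs/<host> service ticket needs the server's name), refuses sec=krb5 alone because it leaves the SMB traffic unsigned, and prints the resulting mount command. The klist text, the local user john and the uid/gid 1000 are constructed sample input taken from the article's scenario; accepting sec=krb5p (signing plus encryption of the SMB traffic) goes beyond what the article shows and is an assumption about the mount.cifs option set.

```shell
#!/bin/bash
# Added example, not part of the original article. Helper functions around the
# Kerberos-authenticated CIFS mount. Sample values (john, 1000, the klist text)
# are constructed from the article's scenario.

# Succeed when the UNC path //host/share names the server by host name.
# Kerberos needs the name to request the cifs/<host> service ticket, so a
# dotted-quad IPv4 address is rejected.
unc_uses_hostname() {
    local host=${1#//}
    host=${host%%/*}
    case "$host" in
        '')         return 1 ;;   # nothing before the share name
        *[!0-9.]*)  return 0 ;;   # contains letters: a host name
        *)          return 1 ;;   # digits and dots only: an IP address
    esac
}

# Succeed when the given klist output contains a TGT for the given realm
# (a line with krbtgt/REALM@REALM), i.e. kinit has been run for that realm.
has_tgt_for_realm() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Print the mount command for a Kerberos-authenticated CIFS mount.
# Arguments: local user, uid, gid, sec mode, //host/share, mount point.
# Only krb5i (signing) or krb5p (signing plus encryption, assumed option) are
# accepted; plain krb5 is refused because it leaves the SMB traffic unsigned.
build_krb5_mount_cmd() {
    local user=$1 uid=$2 gid=$3 sec=$4 unc=$5 mountpoint=$6
    if ! unc_uses_hostname "$unc"; then
        echo "refusing $unc: give the server's host name, not its IP address" >&2
        return 1
    fi
    case "$sec" in
        krb5i|krb5p) ;;
        *)  echo "refusing sec=$sec: use krb5i or krb5p so packets are signed" >&2
            return 1 ;;
    esac
    printf 'mount -t cifs -o cruid=%s,user=%s,sec=%s,uid=%s,gid=%s %s %s\n' \
        "$user" "$user" "$sec" "$uid" "$gid" "$unc" "$mountpoint"
}

# Constructed klist output modelled on the article's listing.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: j.valmer@STD.LOCAL

Valid starting       Expires              Service principal
09/08/2023 18:19:54  10/08/2023 04:19:54  krbtgt/STD.LOCAL@STD.LOCAL
        renew until 10/08/2023 18:19:50'

# Demonstration: only emit the mount command when a TGT is present.
# On a real client replace SAMPLE_KLIST with "$(klist 2>/dev/null)" and run
# the printed command with sudo.
if has_tgt_for_realm "$SAMPLE_KLIST" STD.LOCAL; then
    build_krb5_mount_cmd john 1000 1000 krb5i //ad.std.local/SHARE /mnt/win_share
else
    echo "no TGT for STD.LOCAL, run: kinit j.valmer@STD.LOCAL" >&2
fi
```

The script only prints the mount command line; running it still requires root, exactly as in the article. Keeping the host-name and sec-mode checks in a helper means a copy-and-paste slip back to the IP address or to plain sec=krb5 fails loudly instead of silently producing an unsigned or failed mount.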
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
