Mounting Windows Shares with Kerberos Authentication on Debian GNU/Linux

In a Microsoft Windows environment, we can easily mount a network share from GNU/Linux using the mount command and the cifs utility. The advantage lies in its straightforward setup process. However, the downside is that it relies on the outdated and insecure NTLM (v1 and v2) protocol for user authentication, which poses security risks due to its age and lack of robustness.

Thankfully, there's an alternative method for mounting Windows shares from Linux that offers significantly better security: Kerberos. Unlike NTLM, Kerberos is a more recent and markedly more secure authentication protocol. Its implementation does require more configuration, but the security improvement outweighs the additional setup complexity.

This article is dedicated to guiding you through the step-by-step process of establishing and configuring Kerberos-based authentication, enabling you to securely mount Windows shares on your GNU/Linux systems.

Network Architecture

  • For this example, I will use the following architecture:
    • A Windows domain: std.local
    • Windows share: hosted on an Active Directory server, accessible via \\ad.std.local\SHARE\
    • Windows user with access rights to the share: j.valmer@std.local
    • GNU/Linux client: a standard Debian installation
    • The share will be mounted under the user john on the Debian system
Network diagram depicting a Linux station and a Windows server file share

Install and Configure

⚠️ Prerequisites: Make sure that the clock time of both the Windows and Debian servers is synchronized. ⚠️

  • Install prerequisites:
root@desktop:~# apt update && apt install cifs-utils krb5-user ntp
  • Edit /etc/resolv.conf and add your AD server as the primary DNS:
domain std.local
search std.local
nameserver 192.168.1.200
  • Edit /etc/krb5.conf:
[libdefaults]
    default_realm = STD.LOCAL
    ticket_lifetime = 1d
    renew_lifetime = 7d
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    STD.LOCAL = {
        kdc = ad.std.local
        admin_server = ad.std.local
    }

Mount

Prerequisites

  • Identify your user ID:
john@desktop:~$ id -u
1000
  • Identify your group ID:
john@desktop:~$ id -g
1000
  • Identify your username:
john@desktop:~$ echo $USER
john
  • Create the mount destination:
john@desktop:~$ sudo mkdir /mnt/win_share

Classical Mount with NTLM Authentication

  • Understand the following options:
    • domain=: sets the domain of the user
    • uid=: sets the uid that will own all files or directories on the mounted filesystem when the server does not provide ownership information.
    • gid=: sets the gid that will own all files or directories on the mounted filesystem when the server does not provide ownership information.
john@desktop:~$ sudo mount -t cifs -o username=j.valmer,domain=std.local,uid=1000,gid=1000 //192.168.1.200/SHARE /mnt/win_share

Mount with Kerberos Authentication

  • Obtain a ticket; be cautious as it's case sensitive:
john@desktop:~$ kinit j.valmer@STD.LOCAL
Password for j.valmer@STD.LOCAL:
  • Control that you have a ticket:
john@desktop:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: j.valmer@STD.LOCAL

Valid starting       Expires              Service principal
09/08/2023 18:19:54  10/08/2023 04:19:54  krbtgt/STD.LOCAL@STD.LOCAL
        renew until 10/08/2023 18:19:50
09/08/2023 18:19:59  10/08/2023 04:19:54  cifs/ad.std.local@
        renew until 10/08/2023 18:19:50
        Ticket server: cifs/ad.std.local@STD.LOCAL
  • Understand the following options:
    • Use the server's host name (the name in its SPN) in the share path, never its IP address: Kerberos needs it to request the cifs/ service ticket for that server.
    • cruid=arg: Sets the UID of the owner of the credentials cache. This is primarily useful with sec=krb5.
    • sec=krb5i: Uses Kerberos version 5 authentication and forcibly enables packet signing (sec=krb5 alone does not enable packet signing).
john@desktop:~$ sudo mount -t cifs -o cruid=john,user=john,sec=krb5i,uid=1000,gid=1000 //ad.std.local/SHARE /mnt/win_share
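The mount procedure above, gathered into a small helper as an added example (not part of the original article): it refuses a share path given as an IP address (Kerberos needs the host name for the SPN), obtains a ticket only when none is cached, and always mounts with sec=krb5i. The share, principal and local account are the ones assumed in this article.

```shell
#!/bin/sh
# Added helper, not from the article. Assumed setup: share //ad.std.local/SHARE,
# principal j.valmer@STD.LOCAL, local user john with uid/gid 1000.

# Kerberos requests a cifs/<host> service ticket, so the UNC path must carry the
# server's host name, never an IP address. Returns 0 for a usable path, 1 otherwise.
share_path_ok() {
    case "$1" in
        //*) ;;                  # must start with //
        *) return 1 ;;
    esac
    host=${1#//}
    host=${host%%/*}
    case "$host" in
        *[!0-9.]*) return 0 ;;   # contains something other than digits/dots: a name
        *) return 1 ;;           # digits and dots only: an IPv4 address, reject it
    esac
}

# Option string for mount -t cifs: krb5i = Kerberos authentication plus packet signing;
# cruid names the owner of the credential cache the upcall should read.
build_mount_opts() {
    printf 'sec=krb5i,cruid=%s,user=%s,uid=%s,gid=%s' "$1" "$1" "$2" "$3"
}

# klist -s prints nothing and exits non-zero when no valid ticket is cached.
have_ticket() {
    klist -s 2>/dev/null
}

# Mount only once the checks pass; run kinit first when no ticket is cached.
# Usage: kerberos_mount SHARE TARGET LOCAL_USER UID GID PRINCIPAL
kerberos_mount() {
    share=$1; target=$2; user=$3; uid=$4; gid=$5; principal=$6
    share_path_ok "$share" || { echo "use the host name, not an IP: $share" >&2; return 1; }
    have_ticket || kinit "$principal" || return 1
    sudo mount -t cifs -o "$(build_mount_opts "$user" "$uid" "$gid")" "$share" "$target"
}

# Example call for the article's setup (constructed values):
# kerberos_mount //ad.std.local/SHARE /mnt/win_share john 1000 1000 j.valmer@STD.LOCAL
```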
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.