In a Microsoft Windows environment, a network share can be mounted from GNU/Linux with the mount command and the cifs-utils package. The advantage is a straightforward setup. The downside is that, by default, mount.cifs authenticates the user with NTLM (NTLMv2, or NTLMv1 on older configurations), a legacy password-based challenge-response protocol whose exchanges can be relayed to other services or captured and cracked offline.
Thankfully, there is an alternative for mounting Windows shares from Linux that is significantly more secure: Kerberos. Instead of proving knowledge of the password hash to every server it talks to, the client obtains a time-limited ticket-granting ticket from the domain controller (the KDC) and then a service ticket bound to the specific file server; the user's password hash never travels to the share. Kerberos does require more configuration, but the security improvement outweighs the additional setup complexity.
This article walks through, step by step, how to set up and configure Kerberos authentication so that Windows shares can be mounted securely on a GNU/Linux system.
⚠️ Prerequisites: make sure the clocks of the Windows domain controller and the Debian client are synchronized. Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted skew (five minutes by default), and the mount then fails with a clock-skew error. ⚠️
Install the CIFS client tools, the MIT Kerberos client utilities and an NTP client:
root@desktop:~# apt update && apt install cifs-utils krb5-user ntp
Point the resolver at the domain controller in /etc/resolv.conf, so that ad.std.local and the realm's DNS SRV records resolve:
domain std.local
search std.local
nameserver 192.168.1.200
Then configure the MIT Kerberos client in /etc/krb5.conf (krb5-user asks for the default realm during installation; the file can be edited afterwards). The realm name is case-sensitive and must be written in upper case exactly as Active Directory reports it; with dns_lookup_kdc = true the kdc and admin_server entries are optional, since the KDC is found through the _kerberos._tcp SRV records, but listing them makes the setup independent of those records:
[libdefaults]
    default_realm = STD.LOCAL
    ticket_lifetime = 1d
    renew_lifetime = 7d
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    STD.LOCAL = {
        kdc = ad.std.local
        admin_server = ad.std.local
    }
The mount options uid= and gid= decide which local user owns the mounted files, so first check the ids of the local user who will use the share:
john@desktop:~$ id -u
1000
john@desktop:~$ id -g
1000
john@desktop:~$ echo $USER
john
Create the mount point. For comparison, this is the classic NTLM mount the article is replacing (mount.cifs prompts for j.valmer's domain password; note the mandatory -o before the option list):
john@desktop:~$ sudo mkdir /mnt/win_share
john@desktop:~$ sudo mount -t cifs -o username=j.valmer,domain=std.local,uid=1000,gid=1000 //192.168.1.200/SHARE /mnt/win_share
Now the Kerberos way. First obtain a ticket-granting ticket for the domain account (again, the realm in upper case):
john@desktop:~$ kinit j.valmer@STD.LOCAL
Password for j.valmer@STD.LOCAL:
john@desktop:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: j.valmer@STD.LOCAL

Valid starting       Expires              Service principal
09/08/2023 18:19:54  10/08/2023 04:19:54  krbtgt/STD.LOCAL@STD.LOCAL
	renew until 10/08/2023 18:19:50
09/08/2023 18:19:59  10/08/2023 04:19:54  cifs/ad.std.local@
	renew until 10/08/2023 18:19:50
	Ticket server: cifs/ad.std.local@STD.LOCAL
Two things are worth noticing in this output. The cifs/ad.std.local service ticket on the last lines is not requested by kinit: cifs.upcall fetches it automatically when the share is mounted, so it only appears once the mount below has succeeded. And although krb5.conf asked for a ticket lifetime of 1d, the ticket expires after ten hours, which is the Active Directory default maximum ticket lifetime: the KDC's policy always caps what the client requests.
The mount itself uses the server's hostname rather than its IP address, so that cifs.upcall can request a ticket for the right service principal, cifs/ad.std.local:
john@desktop:~$ sudo mount -t cifs -o cruid=john,user=john,sec=krb5i,uid=1000,gid=1000 //ad.std.local/SHARE /mnt/win_share
sec=krb5i requests Kerberos authentication plus packet signing (sec=krb5 authenticates only; add the seal option to also encrypt the SMB3 session). cruid= names the local user whose Kerberos credential cache cifs.upcall reads (here /tmp/krb5cc_1000, holding j.valmer@STD.LOCAL), so the share is accessed as j.valmer even though user= says john; uid= and gid= only control local file ownership. No password is ever typed into mount.cifs, and if the ticket is missing or expired the mount fails instead of falling back to NTLM.
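The whole procedure above, wrapped as a small POSIX shell script with the checks a practitioner wants around it: it refuses to mount unless the credential cache holds a TGT for the expected realm, only accepts Kerberos sec= modes so a typo cannot downgrade the mount to NTLM, and verifies from /proc/mounts afterwards that the kernel really negotiated Kerberos. This is an added example and not code from the original article; the realm, server, share and mount point are the article's values and the function names and the sample-driven helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): Kerberos-only CIFS mount wrapper.
# Realm, server, share and mount point are taken from the article and are
# assumptions for any other environment.

REALM="STD.LOCAL"
SERVER="ad.std.local"      # hostname, not IP: the service ticket is for cifs/ad.std.local
SHARE="SHARE"
MOUNTPOINT="/mnt/win_share"

# Build the -o option string. Only Kerberos security modes are accepted, so a
# typo or a copied NTLM option cannot silently downgrade the mount.
#   $1 local user whose credential cache holds the ticket (cruid)
#   $2 uid and $3 gid that will own the files locally
#   $4 sec mode: krb5 (authentication only) or krb5i (plus packet signing); default krb5i
cifs_opts() {
    cruid=$1; uid=$2; gid=$3; sec=${4:-krb5i}
    case $sec in
        krb5|krb5i) ;;
        *) echo "cifs_opts: refusing non-Kerberos security mode '$sec'" >&2; return 1 ;;
    esac
    printf 'sec=%s,cruid=%s,uid=%s,gid=%s' "$sec" "$cruid" "$uid" "$gid"
}

# Read klist output on stdin and succeed only if it lists a TGT for realm $1.
# 'klist -s' alone says whether some unexpired ticket exists, not for which realm.
has_tgt_for_realm() {
    grep -q -F "krbtgt/$1@$1"
}

# Read /proc/mounts-format lines on stdin and succeed only if mount point $1 is
# a cifs mount with sec=krb5 or sec=krb5i. Fields: source mountpoint fstype options dump pass.
mount_is_kerberos() {
    awk -v mp="$1" '
        $2 == mp && $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] ~ /^sec=krb5i?$/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# The full procedure. Run as the user who ran kinit; sudo is used for mount(8) only,
# so klist still looks at that user's cache and not root's.
mount_kerberos_share() {
    user=$1; uid=$2; gid=$3; sec=${4:-krb5i}
    opts=$(cifs_opts "$user" "$uid" "$gid" "$sec") || return 1
    # klist -s is silent and exits non-zero when the default cache has no valid ticket
    klist -s || { echo "no valid ticket; run: kinit <user>@$REALM" >&2; return 1; }
    klist | has_tgt_for_realm "$REALM" || { echo "cache holds no TGT for $REALM" >&2; return 1; }
    # cifs.upcall reads $user's cache and fetches cifs/$SERVER during this mount
    sudo mount -t cifs -o "$opts" "//$SERVER/$SHARE" "$MOUNTPOINT" || return 1
    mount_is_kerberos "$MOUNTPOINT" < /proc/mounts \
        || { echo "mounted, but not with Kerberos; inspect /proc/mounts" >&2; return 1; }
}

# Usage: sh krb5-mount.sh john 1000 1000 [krb5|krb5i]
if [ "$#" -ge 3 ]; then
    mount_kerberos_share "$@"
fi
```

For a persistent mount the same option string goes into /etc/fstab with `_netdev` added; adding the `multiuser` option as well makes the kernel open a separate SMB session with each accessing user's own ticket (via cifs.upcall) instead of using only the `cruid` user's, which is the right shape for a shared workstation.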