Mount Windows DFS in Linux with Kerberos

1. Use case:
Sometimes you need to transfer large data files (e.g. VMware image files) between a Windows system and a Linux system. What I did before was to use the WinSCP client to copy the data from Windows to Linux, or to fetch the data from Linux to Windows. Since the file is large (2 GB), this takes about 30-60 minutes depending on your LAN speed.
The new solution is to use a Windows DFS shared drive in the Windows environment and mount the Windows DFS share with Kerberos on the Linux systems. Then you can write and read the file from all of your systems, and the file transfer is very fast (10 MB/s).

2. Packages needed:
smbclient, pam_krb5 and krb5-client are needed to mount DFS with Kerberos.
In SLES11 just select the Kerberos client and smbclient in YaST2; the packages will be installed automatically.

3. Configure Kerberos in Linux:
/etc/krb5.conf:

[libdefaults]
default_realm = <your domain name in upper case>
udp_preference_limit = 0
[realms]
<your domain name in upper case> = {
kdc = <your Active Directory server name>.<your domain name>
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

4. Obtain a TGT in the shell:
$root> kinit <Username>
The username must match the case of the account as stored in Active Directory; mostly the first letter of your Active Directory username is in uppercase.
klist checks whether you have a TGT (ticket granting ticket); as a result you should get the following in the shell:
klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: <your username>@<your domain name>
Valid starting           Expires                        Service principal
08/30/10 12:21:22  08/30/10 22:21:25  krbtgt/<your domain name>@<your domain name>
renew until 08/31/10 12:21:22

Be careful when using the TGT for authentication: the client must use the same NTP time server as the TGT server (the KDC), otherwise the ticket is rejected because of clock skew.

5.a Mount the Windows DFS shared drive as "root" with mount.cifs:
Mount command:

/sbin/mount.cifs <share path> <mount path> -o user=<Username>,dom=<domain name in Uppercase>,{sec=krb5|password=xxxxxx}

e.g. /sbin/mount.cifs //dfs/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5
In this case the Windows share is reachable under "//dfs/Home/Dummy", the mount path on your Linux system is /windowsShare, which must be created with "mkdir" before you mount the DFS share, and the user name is "Dummy". There must be NO files in the /windowsShare directory, otherwise the share will NOT be mounted.

5.b Access the Windows DFS shared drive as a non-root user:
If you don't want to use root, you have to run "chmod u+s /sbin/mount.cifs" so that a normal user can call mount.cifs with the setuid bit set (there should be no security issues with using this setuid bit). Then you can mount the Windows DFS shared drive as a non-root user following the steps described above.
If it is still not working on your Linux system, mount the DFS shared drive as "root" with the following command:

/sbin/mount.cifs <share path> <mount path> -o user=<Username>,dom=<domain name in Uppercase>,{sec=krb5|password=xxxxxx},uid=<read/write userid>
e.g.: /sbin/mount.cifs //dfs/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5,uid=Dummy
In this example the option "uid=Dummy" allows the user Dummy to access the DFS shared drive after the root user has mounted it.

6. Make aliases for the mount commands
in the .alias file in Dummy's home directory:
$Dummy> vi .alias
Insert the following lines into the .alias file:
alias mws="/sbin/mount.cifs //dfs1/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5"
alias ad="kinit Dummy"
With these aliases you only need the following two commands to mount a Windows DFS share:
$ Dummy> ad
$ Dummy> mws
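The procedure of sections 4 to 6 (obtain a TGT, check the mount point, mount with sec=krb5) as one shell script. This is an added example, not part of the original post; the share, mount path, user and domain are the placeholder values used above, and it is run as root, so no setuid bit on mount.cifs is needed.

```shell
#!/bin/sh
# Added example: kinit + mount.cifs with the checks the post asks for.
# Placeholder values: //dfs/Home/Dummy, /windowsShare, Dummy, DOMAIN1.

# mount.cifs needs an existing, empty directory as mount point.
check_mountpoint() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -z "$(ls -A "$dir")" ]
}

# Build the -o option string. sec=krb5 means no password is passed on
# the command line (where ps could show it); the TGT is used instead.
# The third argument (uid) is optional and maps share access to that user.
build_opts() {
    user=$1; dom=$2; uid=$3
    opts="user=$user,dom=$dom,sec=krb5"
    [ -n "$uid" ] && opts="$opts,uid=$uid"
    printf '%s' "$opts"
}

# klist -s is silent and returns 0 only if a valid (non-expired) TGT exists.
have_tgt() {
    klist -s 2>/dev/null
}

# Full sequence: mount point check, TGT check (kinit if missing), mount.
mount_dfs() {
    share=$1; mnt=$2; user=$3; dom=$4; uid=$5
    check_mountpoint "$mnt" || {
        echo "mount point $mnt missing or not empty" >&2; return 1; }
    have_tgt || kinit "$user" || return 1
    /sbin/mount.cifs "$share" "$mnt" -o "$(build_opts "$user" "$dom" "$uid")"
}

# Example call (run as root, placeholder values):
# mount_dfs //dfs/Home/Dummy /windowsShare Dummy DOMAIN1 Dummy
```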

About yingding wang
I am looking forward to innovation in IT and Robotics
