1) I use a Windows server with AD configured. A Samba server with Kerberos configured can be used too.

2) Set up /etc/krb5.conf. My test machines use the following.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ENG1.GSSLAB.FAB.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = 1
[realms]
ENG1.GSSLAB.FAB.REDHAT.COM = {
kdc = vm140-52.eng1.gsslab.fab.redhat.com:88
}
[domain_realm]
.eng1.gsslab.fab.redhat.com = ENG1.GSSLAB.FAB.REDHAT.COM
eng1.gsslab.fab.redhat.com = ENG1.GSSLAB.FAB.REDHAT.COM

3) Edit /etc/request-key.conf and add the following 2 lines (read man cifs.upcall).

create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k

4) As the root user, init with an AD user's credentials.

# kinit wintest2
Password for wintest2@ENG1.GSSLAB.FAB.REDHAT.COM:

5) Now mount using the multiuser option to allow multiple users who have authenticated with their own credentials to log in.

# mount -t cifs -o sec=krb5,sign,multiuser vm140-52.eng1.gsslab.fab.redhat.com:/exports /mnt

The multiuser mount option allows a single cifs mount to be used by multiple users, each with their own credentials. An example is a cifs mount which contains the users' home directories. Instead of individually mounting each user's home directory as they log in, the root user on the client machine can mount the exported homes share under /home. As users log in, they access their cifs-mounted home directory using their own credentials. A new session is set up the first time a new user accesses the share, and that session is then used for all of that user's subsequent access to the share.
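
A pre-flight check for steps 2 and 3, added here as an example and not part of the original post: it confirms that krb5.conf sets default_realm and that request-key.conf routes both key types to cifs.upcall, and it warns when allow_weak_crypto is on, since that setting permits weak encryption types such as single DES. The function names and output strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the krb5 multiuser cifs setup above.
# usage: sh check.sh /etc/krb5.conf /etc/request-key.conf

# Print the first value of "key = value" from krb5.conf ($1 = file, $2 = key).
krb5_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed if request-key.conf ($1) hands key type $2 to cifs.upcall.
has_upcall() {
    grep -Eq "^create[[:space:]]+$2[[:space:]].*cifs\.upcall" "$1"
}

# Print one finding per line; return 0 only if nothing required is missing.
check_cifs_krb5() {
    krb5=$1; rk=$2; rc=0
    realm=$(krb5_setting "$krb5" default_realm)
    if [ -n "$realm" ]; then
        echo "OK default_realm=$realm"
    else
        echo "MISSING default_realm"; rc=1
    fi
    for type in cifs.spnego dns_resolver; do
        if has_upcall "$rk" "$type"; then
            echo "OK upcall $type"
        else
            echo "MISSING upcall $type"; rc=1
        fi
    done
    # allow_weak_crypto lets libkrb5 use weak enctypes such as single DES;
    # it is reported as a warning, not a failure.
    case "$(krb5_setting "$krb5" allow_weak_crypto)" in
        1|true|yes|on) echo "WARN allow_weak_crypto enabled" ;;
    esac
    return "$rc"
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_cifs_krb5 "$1" "$2"
fi
```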