Linux can mount all or part of DartFS via the SMB protocol. This requires SMB version 2 or higher, and so is only available on Red Hat Enterprise Linux 7 and later, or Ubuntu 16 and later. (Other Linux variants are left as an exercise.) You will need an account which has permission to read (at minimum) the location in DartFS that you wish to mount, and for which a keytab file can be created. In general, this will be a service account with limited access. Request a service account if you do not already have one.
You will also join the system to the Dartmouth domain, which permits the keytab file to be validated. This does not grant other access to domain administrators.
Requirements
Kerberos client tools; Active Directory client tools; kstart. Listed below are packages which may need to be added to a system.
- RHEL
  - krb5-workstation
  - krb5-libs
  - adcli
  - kstart
- Ubuntu
  - libsasl2-modules-gssapi-mit
  - krb5-config
  - krb5-user
  - adcli
  - kstart
Configure and Test
Edit /etc/krb5.conf and set the default authentication realm and other parameters as follows:
[libdefaults]
default_realm = KIEWIT.DARTMOUTH.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 30d
renew_lifetime = 30d
forwardable = true
rdns = false
Next, we need to create a computer record for the system in Active Directory (AD), if it hasn't already been done. This creates a file /etc/krb5.keytab containing a key that can be used to validate operations with our AD. You need the adcli tool, from the adcli RPM.
Make sure that hostname returns a fully qualified domain name (XXX.dartmouth.edu), or the adcli join won't get the correct host principals that are needed later.
Get a Kerberos ticket as a regular NetID, storing the credential cache in a temporary place (krb5cc_0_join) that we can give to adcli:
kinit -c /tmp/krb5cc_0_join NetID@KIEWIT.DARTMOUTH.EDU
(enter password for <NetID>)
Now run adcli using this credential. You need to explicitly give it one of the AD domain controllers, in this case kiewit-dc01:
adcli join kiewit.dartmouth.edu -S kiewit-dc01.kiewit.dartmouth.edu --login-ccache=/tmp/krb5cc_0_join --verbose
You should now have a small file /etc/krb5.keytab. Discard that temporary credential:
kdestroy -c /tmp/krb5cc_0_join
If you have not already done so, create a keytab file for your service account (service-NetID; see the related article) and store it in a local filesystem, readable only by root, e.g. /usr/local/private/mykeytab. Make sure service-NetID has been put in the appropriate group or otherwise granted access to the part of DartFS that you will be mounting.
Test ticket generation with:
# kinit -k -t /usr/local/private/mykeytab service-NetID@KIEWIT.DARTMOUTH.EDU
# klist
If klist shows that you have a credential for service-NetID@KIEWIT.DARTMOUTH.EDU, now test the SMB mount using this credential. Substitute your values for service-NetID, and also local-UID (the user who will apparently own the files on this system) and local-GID (the group for the files as seen by this system), and path/to/DartFS/share, the full path to the location in DartFS that you wish to use. The last argument is the local mount point, which should be an existing empty directory. The local UID and GID numbers must exist. If your share is on DartFS tier-4, substitute dartfs for dartfs-hpc in the server name. Do not append the domain .dartmouth.edu to the server name.
# mount -t cifs --verbose -o username=service-NetID,domain=KIEWIT.DARTMOUTH.EDU -o vers=3.0,file_mode=0664,dir_mode=0774,uid=local-UID,gid=local-GID,sec=krb5 //dartfs-hpc/path/to/DartFS/share /mnt/dartfs
Run at boot time
Directory /mnt/dartfs and everything below it will appear to be owned by local-UID:local-GID. On other clients, the files will be owned by service-NetID. If /mnt/dartfs now goes to the desired location in DartFS and you have the expected access, you need to arrange for the k5start and mount commands to be run at boot time. There are various options for this, but one place is in the file /etc/rc.local, run at the end of the boot sequence. You need to use k5start from the kstart package, which obtains a credential from the keytab file like kinit but then keeps renewing it. Without k5start, the credential expires after 10 hours, and the mount will be dropped.
# This is run at the end of the boot sequence, when all system services should be started
# Authenticate to DartFS with a service account keytab (-b: background, -K 60: renew check every 60 minutes, -L: log to syslog)
k5start -b -K 60 -L -f /usr/local/private/mykeytab service-NetID@KIEWIT.DARTMOUTH.EDU
# Now mount SMB using these credentials (server name without .dartmouth.edu, as above).
mount -t cifs --verbose -o username=service-NetID,domain=KIEWIT.DARTMOUTH.EDU -o vers=3.0,file_mode=0664,dir_mode=0774,uid=local-UID,gid=local-GID,sec=krb5 //dartfs-hpc/path/to/DartFS/share /mnt/dartfs
These commands can also be run at the start of a cron script. To unmount DartFS, use
umount /mnt/dartfs
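The boot-time sequence above, as an added example script that is not part of the original article: it refuses to hand the keytab to k5start unless the file is root-only, checks the server-name caveat and the local UID/GID before mounting, and is safe to re-run. The share path, UID and GID are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example, not from the original article: a boot-time wrapper around the
# k5start + mount.cifs sequence with the checks a practitioner wants before a
# daemon is handed a keytab. Share path, UID and GID below are placeholders.
KEYTAB=/usr/local/private/mykeytab
PRINCIPAL=service-NetID@KIEWIT.DARTMOUTH.EDU
SHARE=//dartfs-hpc/path/to/DartFS/share   # placeholder: your DartFS location
MOUNTPOINT=/mnt/dartfs
LOCAL_UID=1001                            # placeholder: local owner of the files
LOCAL_GID=1001                            # placeholder: local group of the files

# A keytab is equivalent to the service account's password: accept it only
# with no group/other permission bits. Returns 0 if acceptable, 1 otherwise.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    case "$(stat -c %a "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The article's caveat: the server is dartfs (tier-4) or dartfs-hpc, with no
# .dartmouth.edu appended. Returns 0 if the share path follows that form.
validate_share() {
    case "$1" in
        //dartfs/*|//dartfs-hpc/*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# The mount options from the article, parameterised by user name, UID and GID.
mount_opts() {
    printf 'username=%s,domain=KIEWIT.DARTMOUTH.EDU,vers=3.0,file_mode=0664,dir_mode=0774,uid=%s,gid=%s,sec=krb5' \
        "$1" "$2" "$3"
}

mount_dartfs() {
    check_keytab_perms "$KEYTAB" || { echo "refusing: $KEYTAB is not mode 0600/0400" >&2; return 1; }
    [ "$(stat -c %u "$KEYTAB")" = 0 ] || { echo "refusing: $KEYTAB is not owned by root" >&2; return 1; }
    validate_share "$SHARE" || { echo "refusing: bad server name in $SHARE" >&2; return 1; }
    getent passwd "$LOCAL_UID" >/dev/null && getent group "$LOCAL_GID" >/dev/null \
        || { echo "refusing: uid $LOCAL_UID / gid $LOCAL_GID do not exist locally" >&2; return 1; }
    mountpoint -q "$MOUNTPOINT" && return 0   # already mounted: nothing to do
    # Obtain the ticket from the keytab and keep renewing it (-K 60: every 60 minutes).
    k5start -b -K 60 -L -f "$KEYTAB" "$PRINCIPAL" || return 1
    mount -t cifs -o "$(mount_opts "${PRINCIPAL%@*}" "$LOCAL_UID" "$LOCAL_GID")" "$SHARE" "$MOUNTPOINT"
}

# Only mount when invoked with --run (e.g. from /etc/rc.local or a cron script);
# otherwise the file just defines the functions above.
if [ "${1:-}" = "--run" ]; then mount_dartfs; fi
```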