Mounting DFS cifs share on Llinux (tested with Debian 9)


  • cifs-utils package (e.g. sudo apt-get install cifs-utils)
  • Kerberos client (e.g. sudo apt-get install krb5-user)

Obtain Kerberos ticket (or whatever it is called ...) from CERN:

  • run kinit
    kinit YourCernUsername@CERN.CH
    (note capital letters in the domain)
  • run tool for defining keytab
  • inside this tool execute sth like
    addent -password -p YourCernUsername@CERN.CH -k 1 -e rc4-hmac
  • and maybe also
    addent -password -p YourCernUsername@CERN.CH -k 1 -e aes256-cts
    (I am actually not sure, which encryption is necessary)
  • save the new keytab anywhere with
    wkt PathToKeytab
  • now move your new keytab under /etc/krb5.keytab (you could actually do that by running ktutil with sudo, but there are some issues regarding linux uid)
  • command below should now show you some entries
    klist -k
    for example:
        pptaszni@pcen36785:~$ klist -k
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Principal
        ---- -----------------------------------------------------------    ---------------
        1 pptaszni@CERN.CH
        1 pptaszni@CERN.CH
  • now try to do sth like
    kinit -k YourCernUsername@CERN.CH
    it will probably fail with some authentication fault

Edit /etc/krb5.conf:

  • add these parameters under [libdefaults] section (unless already present):
    • default_realm = CERN.CH
    • ticket_lifetime = 25h
    • renew_lifetime = 120h
    • forwardable = true
    • proxiable = true
    • default_tkt_enctypes = arcfour-hmac-md5 aes aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    • allow_weak_crypto = true
  • add this under [realms]:
       CERN.CH = {
           default_domain =
           kdc =
  • add this under [domain_realm]:
    • = CERN.CH

  • Try again
    kinit -k YourCernUsername@CERN.CH
    it might work this time (by "work" I mean "does not fail" of course)

Mount the DFS

  • Create a mountpoint
    mkdir /media/dfs
    (or anywhere else)

  • sudo mount.cifs // /media/dfs/ -o username=YourCernUsername nocase sec=krb5


If sth is not working, consult [1] [2] [3]

If it is still not working even after extensive research, just use Windows.

It seems that this "kinit -k" should be executed once every 24h or so (I don't know actually).

I tried to put the mount parameters in fstab but it doesnt work. Simple "mount" command doesn't work either.

AFAIK, it shouldn't be required to provide any password to mount this share, but aparently in my case I had to. Not sure why.





-- PawelWojciechPtasznik - 2017-09-14

Edit | Attach | Watch | Print version | History: r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r1 - 2017-09-14 - PawelPtasznik
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    Sandbox All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback