Use a Kerberos ticket to mount CIFS shares on a Linux server. You do not need to know the password for the account, nor have the password stored in a file.
Create the keytab file for the account my-account. This step must be completed by a Domain Admin on a domain controller:
C:\>ktpass -princ my-account -mapuser my-account -pass password -crypto ALL -out "C:\my-account.keytab" -pType KRB5_NT_PRINCIPAL
Copy the keytab file to the Linux server as /etc/my-account.keytab.
Determine the UID of my-account:
[root@server1 etc]# id my-account
uid=16861554(my-account) gid=16861554(my-account) groups=16861554(my-account)
Add this line to /etc/fstab, replacing uid and gid with the values for my-account:
//server3/share/myshare /opt/myshare cifs sec=krb5,uid=16861554,gid=16861554 0 0
Create the file /kerberos_renewal.sh (the crontab entries below call it as /my-account/kerberos_renewal.sh), paste the script below into it and modify where necessary.
#!/bin/bash
# Load the account's environment (KRB5 settings, PATH) before calling kinit.
. ~/.bash_profile
# Obtain a fresh TGT from the keytab; no password is needed or stored.
/usr/bin/kinit -k -t /etc/my-account.keytab my-account
[[ $? -ne 0 ]] && {
    # Alert on failure: without a valid TGT the krb5 CIFS mount will stop working.
    echo "Kerberos TGT renewal JOB failed on $(hostname)" | mailx -s "Kerberos TGT renewal JOB failed on $(hostname)" email1@myemail.com
    exit 1
}
echo "Last startup run - $(date)" >> /my-account/cronjob.log
exit 0
Create the file /cronjob.txt and paste the entries below into it.
# Kerberos TGT renewal
@reboot /my-account/kerberos_renewal.sh
0 */8 * * * /my-account/kerberos_renewal.sh
Apply the correct ownership to the files:
chown my-account cronjob.txt kerberos_renewal.sh
Schedule the cron job:
crontab /cronjob.txt
Reboot the server.
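The renewal script above only checks the exit status of kinit. The following added example (not part of the original post) wraps the same keytab-based renewal with the checks a practitioner would want: the keytab must be owned by the account and unreadable by anyone else (a readable keytab is as good as the account's password), the TGT is verified with klist after kinit, and the CIFS mount point is confirmed present before the run is logged. Paths, principal and mount point are assumptions taken from the post; the sample mounts table is constructed for the self-check.

```shell
#!/bin/bash
# Assumed values (from the post); override via environment if they differ.
KEYTAB=${KEYTAB:-/etc/my-account.keytab}
PRINCIPAL=${PRINCIPAL:-my-account}
MOUNTPOINT=${MOUNTPOINT:-/opt/myshare}
LOGFILE=${LOGFILE:-/my-account/cronjob.log}

# keytab_ok FILE OWNER: the keytab must exist, belong to OWNER and have
# mode 0600 or 0400. Anyone who can read it can obtain tickets as OWNER.
keytab_ok() {
    local f=$1 owner=$2 mode fowner
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    fowner=$(stat -c '%U' "$f") || return 1
    [ "$fowner" = "$owner" ] || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# cifs_mounted MOUNTPOINT [MOUNTS_FILE]: true if MOUNTPOINT is mounted as cifs
# according to the mounts table (defaults to /proc/mounts).
cifs_mounted() {
    local mp=$1 table=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp && $3 == "cifs" { found = 1 } END { exit !found }' "$table"
}

# ticket_valid: klist -s exits 0 only if the cache holds an unexpired TGT.
ticket_valid() { klist -s 2>/dev/null; }

# renew: run the checks, refresh the TGT and confirm the share is mounted.
renew() {
    keytab_ok "$KEYTAB" "$PRINCIPAL" || { echo "keytab check failed: $KEYTAB" >&2; return 2; }
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || { echo "kinit failed" >&2; return 1; }
    ticket_valid || { echo "no valid TGT after kinit" >&2; return 1; }
    cifs_mounted "$MOUNTPOINT" || mount "$MOUNTPOINT" || { echo "mount failed" >&2; return 1; }
    echo "TGT renewed - $(date)" >> "$LOGFILE"
}

# selfcheck: exercises cifs_mounted against a constructed mounts table.
selfcheck() {
    local t; t=$(mktemp) || return 1
    printf '//server3/share/myshare /opt/myshare cifs rw,sec=krb5 0 0\n/dev/sda1 / ext4 rw 0 0\n' > "$t"
    cifs_mounted /opt/myshare "$t" && ! cifs_mounted /opt/other "$t"
    local rc=$?; rm -f "$t"; return $rc
}

# Only perform the renewal when invoked as: kerberos_renewal.sh run
case "${1:-}" in run) renew; exit $? ;; esac
```

Point the crontab entries at this script with the run argument; the keytab check makes a world-readable /etc/my-account.keytab a hard failure rather than a silent exposure.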