I am trying to automatically mount an Active Directory share using fstab on boot and then use Kerberos to authenticate users trying to access it. The goal is to have secure access to the Active Directory shares without having to enter a password, because each user is authenticated using Kerberos. I don’t want to actually log in using Kerberos; I just want Kerberos to be used to authenticate me for a few network shares.
I have my krb5.conf set up properly, and I have NFS_SECURITY_GSS="yes" in my /etc/sysconfig/network/nfs file (I have also tried it with ="no"). I also have my UID and GID matched to the UID and GID Active Directory is expecting. I also think I have the right packages installed, for instance all the krb5-related packages, most of the NFS packages and most of the PAM packages, as well as all the packages YaST demands for NFS client, Samba, and Kerberos client.
So what I did was set up my fstab like so (actual addresses and folders were changed for privacy):
server.blah.com:/vol/share /ad/share nfs rw,tcp,nolock,sec=krb5 0 0
I have also tried adding fmask=777,dmask=777 but it didn’t like those.
So when I try to mount I get:
me@me:/ad> sudo mount share/
pam_mount password:
mount.nfs: an incorrect mount option was specified
(Since I installed PAM, it asks for my password instead of sudo for some reason; it doesn’t seem to change the end result.)
When I set sec=none and sec=sys, it mounts but it won’t give me access (which is logical since I am not being authenticated). krb5i and krb5p give the same error, as does every other sec option besides none and sys.
I initially tried using the YaST NFS client configuration, but when I give it the same options it says, “Unknown option: sec”. This happens no matter what sec is equal to. There doesn’t appear to be a straightforward way to set up Kerberized NFS shares using YaST that I can find, and the NFS client configuration doesn’t work at all, so that is why I am resorting to editing config files in the first place.
So does anyone have any suggestions? Why isn’t mount.nfs accepting my security options? Why isn’t the YaST NFS client accepting security options at all? Am I even approaching this the right way? Is there a more effective or more efficient approach? I keep finding conflicting information on how to do this, even from our IT website, but this looks like the most effective to me.
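
An added example, not part of the original post: a small shell pre-flight check for an fstab entry like the one above. It flags fmask/dmask (which are not NFS mount options) and, for the krb5 flavors, checks two general client-side prerequisites (the rpcsec_gss_krb5 kernel module and the rpc.gssd daemon). The function names, finding strings and the GSSD_CHECK override are assumptions of this example, and the checks are general prerequisites rather than a confirmed cause of the error shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): static checks on one NFS fstab line.
# Finding strings and the GSSD_CHECK override are this example's own inventions.

# Print the sec= flavor from a comma-separated option string, or "unset".
nfs_sec_flavor() {
    flavor=unset
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in sec=*) flavor=${opt#sec=} ;; esac
    done
    IFS=$old_ifs
    printf '%s\n' "$flavor"
}

# $1 = fstab line, $2 = module list to read (default /proc/modules).
# Prints one finding per line; prints nothing when no check fires.
check_nfs_fstab_line() {
    modules=${2:-/proc/modules}
    set -f; set -- $1; set +f          # split into fstab fields without globbing
    fstype=$3; opts=$4
    case $fstype in nfs|nfs4) ;; *) echo "not-nfs:$fstype"; return 0 ;; esac

    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        # fmask/dmask belong to FAT/NTFS-style filesystems, not to nfs(5).
        case $opt in fmask=*|dmask=*) echo "not-an-nfs-option:${opt%%=*}" ;; esac
    done
    IFS=$old_ifs

    case $(nfs_sec_flavor "$opts") in
        krb5|krb5i|krb5p)
            # RPCSEC_GSS needs kernel support; a built-in (non-module) build
            # will not appear in the module list, hence "not-listed".
            grep -q '^rpcsec_gss_krb5 ' "$modules" 2>/dev/null ||
                echo "module-not-listed:rpcsec_gss_krb5"
            # The client also needs the rpc.gssd daemon to obtain GSS contexts.
            ${GSSD_CHECK:-pgrep -x rpc.gssd} >/dev/null 2>&1 ||
                echo "daemon-not-running:rpc.gssd"
            ;;
    esac
    return 0
}

# The fstab entry from the post, checked against the live system.
check_nfs_fstab_line 'server.blah.com:/vol/share /ad/share nfs rw,tcp,nolock,sec=krb5 0 0'
```

Setting GSSD_CHECK to another command (for example `systemctl is-active --quiet rpc-gssd`, where that unit name applies) replaces the default pgrep test.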