Monday, September 15, 2014

Business Problems: Leveraging UNIX-enabled AD Groups and Kerberos to Control Unix/Linux/Mac Access to a Windows Share


In the previous post we discussed how to leverage the Kerberized environment provided by Centrify's UNIX/Linux client and the computer's AD account to access a read-only Windows (CIFS) share. By leveraging Kerberos, the mount command (or filesystems table) does not have to use a cleartext password.

Windows (CIFS) shares are all over the Enterprise (for files and printers) and most likely a read-only share is not a very practical example, however, a departmental share that is used by a workgroup to share files is much more common.  This time, we will implement an example.

The Marketing Share

In our mock example we have a share in APP1 set for the Marketing department.  Both Elaine and J.Peterman are members of this department, however they consistently access these shares from OS X, Unix and Windows machines.  Today a Marketing Share Access AD group is used to control access by way of memberships.


  • Marketing users should have the ability to exchange files (read/write)
  • The current heterogeneous environment consists of Windows, Mac OS X and UNIX/Linux stations
  • Users should be able to access the information from any type of platform
  • Controlling access to the Windows share should not deviate from the current process.
  • Users should alingn with the security policy and don't use cleartext passwords when mounting CIFS shares.


  • This would not be an issue in a homogeneous environment
  • Identity is key, UNIX identities should be uniform across platforms (for users and groups)
  • Users should not have access to the root account to use the mount command

The Proposed Solution:

  • Centrify the non-Windows platforms  (Mac OS X, Unix/Linux) - this provides the AD Integration, Kerberos environment and Privilege Elevation
  • Leverage a common UID/GID scheme by leveraging Zones and the Autozone
  • UNIX-enable the Matkeing Share Access AD group.
  • On UNIX Platforms, allow the Marketing users to use the mount command with privileges

Video Labs

Lab Part I - Initial Setup (13.30 min): 
Lab Part II - Verification (11 min): 

Elaine's mount command (CentOS 6.5):
dzdo mount -t cifs // /mnt/share -o sec=krb5,user=elaine.benes,uid=1149240407,gid=99998,group=marketing-share-access,umask=0002,file_mode=0775,dir_mode=0755 --verbose
Share Permissions:
(this can be improved since the rest of the world would get read access given that ACL)
Marketing Share - Permissions.jpg
NTFS Permissions:
Marketing NTFS - Permissions.jpg
Role created for Marketing Users
Marketing - mount command.jpg

We can improve on this by using Automount to access the user's Windows home.

No comments:

Post a Comment