Use Kerberos authentication for Linux clients with Azure Files

Here’s a concise summary of the article.

What this covers

  • How to enable identity-based SMB (Kerberos) authentication for Linux clients (Ubuntu example; RHEL/SLES similar) to access Azure Files.

  • Supported identity sources: on-premises AD DS (synced to Microsoft Entra ID via Entra Connect) and Microsoft Entra Domain Services.

  • Reference: Overview of Azure Files identity-based authentication options for SMB access (link preserved).

Key limitations

  • Linux clients cannot mount Azure file shares at boot using fstab with AD/Kerberos because Kerberos tickets are not available early in boot. Use fstab with noauto or autofs to mount after login or on access.

Prerequisites (summary)

  • Linux VM (Ubuntu 18.04+ or equivalent RHEL/SLES). If on Azure, VM needs a NIC on the VNet containing Microsoft Entra Domain Services. On-premises AD DS must be synced to Microsoft Entra ID if used.

  • Root or sudo-capable local admin account.

  • VM must not already be joined to another AD domain.

  • Microsoft Entra tenant and domain user(s) configured.

Preparation and packages

  • Recommended packages: samba, winbind, libpam-winbind, libnss-winbind, krb5-config, krb5-user, keyutils, cifs-utils (install via apt as shown in the article).

  • Ensure time sync between host and domain server (example using systemd-timesyncd).

High-level configuration steps

  1. Ensure domain server reachability and DNS discovery

    • Verify DNS servers (systemd-resolve --status), ping domain IPs, and update netplan if DNS servers aren’t discovered.

    • Optional: add DHCP exit hook to perform DDNS updates on Azure DHCP.

  2. Verify Microsoft Entra Domain Services discoverability

    • Ping the domain by name and query its SRV records with nslookup to confirm that the LDAP/AD services are discoverable.

  3. Set hostname/FQDN

    • Add an FQDN entry in /etc/hosts and verify with getent hosts, dnsdomainname, hostname -f (hostnamectl may be required).

  4. Configure Kerberos (/etc/krb5.conf)

    • Configure default realm and KDC discovery (example snippet provided in article).

  5. Configure Samba (smb.conf)

    • Set security=ADS, realm, workgroup, winbind options, idmap config (example smb.conf provided).

    • Reload Samba config (sudo smbcontrol all reload-config).

  6. Join the domain

    • Use net ads join -U and verify the DNS record for the new host.

  7. Configure NSS and winbind

    • Update /etc/nsswitch.conf to include winbind for passwd/group.

    • Enable and start winbind; verify domain users/groups with getent and wbinfo.

  8. Configure PAM for winbind

    • Run pam-auth-update and enable the winbind and mkhomedir profiles so domain users can authenticate and get home directories created. Verify that pam_winbind entries are present.

Verification

  • Verify client DNS entry on domain controller (nslookup).

  • Check Kerberos tickets with klist; if PAM was not configured, get tickets with wbinfo -K or scripted wbinfo -K 'user%password'.

Mounting Azure file shares (Kerberos)

  • Use sec=krb5 with cifs mount; omit username/password. Example: sudo mount -t cifs $SMB_PATH $MNT_PATH -o sec=krb5,cruid=$UID,serverino,nosharesock,actimeo=30,mfsymlinks

  • Note: only server-enforced NT ACL model is supported (no mode bits). Client-enforced and client-translated access control modes are not supported.

Other mount considerations

  • Single-user vs multi-user mounts: use the multiuser option when multiple domain users on the same client need distinct Kerberos contexts.

  • File permissions: file_mode/dir_mode only set the mode bits shown on the client; the server still enforces the share's DACLs.

  • File ownership: use uid/gid defaults or RFC2307 mapping (nss_winbind or nss_sssd) to map UID/GID to SIDs.

  • Attribute caching: actimeo default is 1s; recommended actimeo=30 (or use acdirmax/acregmax on newer kernels).
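The boot-time limitation, the Kerberos mount command and the multiuser option above, combined into one login-time mount helper. This is an added example, not a script from the article; the storage account, share name and mount path are placeholders, and it assumes the client has already been domain-joined with winbind and cifs-utils as described in the steps.

```shell
# Mount an Azure file share over SMB with Kerberos after login (example code,
# not from the article). Tickets do not exist at boot, so the fstab entry is
# marked noauto and the mount is triggered by the user once a TGT exists.
set -eu

STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mystorageacct}"   # placeholder
SHARE="${SHARE:-myshare}"                             # placeholder
MNT_PATH="${MNT_PATH:-/mnt/${SHARE}}"                 # placeholder

# Mount options from the article's recommended set. multiuser=1 adds the
# multiuser option so each domain user's own ticket is used for their session.
build_mount_opts() {
  uid="$1"; multiuser="${2:-0}"
  opts="sec=krb5,cruid=${uid},serverino,nosharesock,actimeo=30,mfsymlinks"
  if [ "$multiuser" = "1" ]; then
    opts="${opts},multiuser"
  fi
  printf '%s' "$opts"
}

# fstab line that is skipped at boot (noauto) but lets a logged-in user run
# "mount /mnt/<share>" once their credential cache holds a ticket.
build_fstab_line() {
  uid="$1"
  printf '//%s.file.core.windows.net/%s %s cifs %s,noauto 0 0\n' \
    "$STORAGE_ACCOUNT" "$SHARE" "$MNT_PATH" "$(build_mount_opts "$uid" 1)"
}

# klist -s exits 0 only if the default cache holds a non-expired TGT.
have_ticket() {
  klist -s 2>/dev/null
}

# Refuse to mount without a ticket; otherwise mount with no username/password.
mount_share() {
  if ! have_ticket; then
    echo "no Kerberos ticket in cache; obtain one with 'wbinfo -K' first" >&2
    return 1
  fi
  sudo mkdir -p "$MNT_PATH"
  sudo mount -t cifs "//${STORAGE_ACCOUNT}.file.core.windows.net/${SHARE}" \
    "$MNT_PATH" -o "$(build_mount_opts "$(id -u)" 1)"
}
```

Call `mount_share` from the user's login shell (or a profile script) rather than at boot; `build_fstab_line "$(id -u)"` prints the matching noauto entry for /etc/fstab.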

References / Next step

  • For mounting details: Mount SMB Azure file share on Linux (link preserved).

  • See article’s additional links and the Microsoft docs referenced throughout for full commands, example configs, and troubleshooting.

Last updated: 07/31/2025

If you’d like, I can produce a condensed stepper with the exact commands and file snippets from the article for a quick runbook. Which would you prefer?
