Mounting SMB shares via keytab/fips

Enabling Fips on CentOS can cause Samba mounts to fail with "cifs could not crypto alloc hmacmd5 mc".

You need to update to the latest Samba which supports fips mode. Also try to mount the share via Kerberos/keytab file instead of usernmae/password:


yum install krb5-workstation Use ktutil to create a kerberos keytab file
addent -password -p username@DOMAIN.COM -k 1 -e RC4-HMAC
ktutil: wkt username.keytabcall


ktutil rkt /etc/krb5.keytab


kinit username@DOMAIN.COM -k -t /home/username/username.keytab


Add entry to /etc/fstab


//cifs-server/Share$/share /mount-point cifs _netdev,username=username@DOMAIN.COM,sec=krb5,dir_mode=0755,file_mode=0755,uid=username,gid=username 0 0


# Put into your cron job

kinit -kt /home/username/username.keytab username@DOMAIN.COM


2. In the directory
/etc/request-key.d, create the file cifs.spnego.conf if it does not already exist. Then add the following line

create     cifs.spnego     * * /usr/sbin/cifs.upcall %k

3. In the directory /etc/request-key.d, create the file dns_resolver.conf if it does not already exist. Then add the following line 

create  dns_resolver   * * /usr/sbin/cifs.upcall %k

4. Confirm a kerberos credential exists with command klist.  The output here shows a valid Kerberos credential

csssup-suse12:/etc/request-key.d # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: csssup-suse12$@RESOURCE.CENTRIFY.LAB

Valid starting     Expires            Service principal
07/31/19 15:33:35  08/01/19 01:33:35  krbtgt/RESOURCE.CENTRIFY.LAB@RESOURCE.CENTRIFY.LAB
        renew until 08/01/19 15:33:36

5. Mount the directory

mount -t cifs -o sec=krb5 //<winserverFQDN>/<shareDrive>  /<mountPoint>