Kerberos' purpose is authentication. More verbosely, using kerberos as the primary authentication method should ensure that the presented credentials do in fact belong to the user presenting them (whether that is a real user or a service is irrelevant).
To force the impersonation of credentials to perform a mount of a Windows share within the user's home directory is a subversion of the kerberos mechanism, and potentially allows a breach to propagate.
The concerns raised by this behaviour may raise fewer alarm bells for those more accustomed to a *nix environment. When the environment is Windows/Active Directory based, the aforementioned concerns become much more disconcerting. The potential damage caused by the impersonation of a user by root could be catastrophic is the right user were impersonated, which is why several of my systems are configured to send an alert when a chown of any ticket is attempted.
To make matters more interesting (at least for me), the cruid option still fails for me when attempting a mount using kerberos credentials.
Kerberos' purpose is authentication. More verbosely, using kerberos as the primary authentication method should ensure that the presented credentials do in fact belong to the user presenting them (whether that is a real user or a service is irrelevant).
To force the impersonation of credentials to perform a mount of a Windows share within the user's home directory is a subversion of the kerberos mechanism, and potentially allows a breach to propagate.
The concerns raised by this behaviour may raise fewer alarm bells for those more accustomed to a *nix environment. When the environment is Windows/Active Directory based, the aforementioned concerns become much more disconcerting. The potential damage caused by the impersonation of a user by root could be catastrophic is the right user were impersonated, which is why several of my systems are configured to send an alert when a chown of any ticket is attempted.
To make matters more interesting (at least for me), the cruid option still fails for me when attempting a mount using kerberos credentials.