Token-auth-based network file access

We have some NAS devices currently exposed to employees via CIFS (active directory backend for user perms/groups). We are developing a Slurm cluster for processing access-restricted data. Up until now, processing was either done on local machines (with user/pass auth’d mount.cifs volumes) or data that didn’t need controls, so we didn’t have the issue of shuttling data to N worker nodes.

I am trying to architect a workflow using Vault for secrets management, since this would plug nicely into our existing auth infrastructure, enable more automated jobs / CI workflows and better secret rotation/revocation, as well as provide some niceties like logging/audits. However, the step I am struggling with is how to do programmatic/token-based CIFS access. By token I mean any sort of key/cert/cookie/ticket which is obtained after some authentication and is used to access resources (terminology seems to differ by domain).

I can run kinit and receive a Kerberos ticket, so I know that there is a way to get tokens, but I’ve been unable to use that token in the mount process (the documentation here is sparse and the errors from mount are completely uninformative). I’m pretty sure mount.cifs caches a token after the basic login, so I’m pretty sure under the hood it’s using a token.

Workers are all POSIX, but some are Ubuntu 18 and some are CentOS.
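The piece the post is missing is that mount.cifs does not take the Kerberos ticket itself; with `sec=krb5` the kernel asks the `cifs.upcall` helper (from cifs-utils, via request-key) to read the credential cache of the uid named by `cruid`. The script below, an added example and not code from the poster, shows the mount options a Slurm job step would use after `kinit` (or a keytab-based `kinit -kt`) has populated that cache, the one-line request-key configuration the upcall needs, and a ticket check that catches the usual cause of an uninformative mount error. The share name, mountpoint and uids are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Mounts a CIFS share with an
# existing Kerberos ticket instead of a password. Assumed (not from the post):
# share //nas.example.corp/restricted, mountpoint /mnt/restricted, and a
# credential cache already created by kinit for the calling user.

# Build the mount.cifs option string for Kerberos authentication.
#   sec=krb5   - authenticate with the SPNEGO/Kerberos ticket, no password
#   cruid=UID  - uid whose credential cache cifs.upcall reads at session setup
#   multiuser  - each user touching the mount is authenticated with their own
#                ticket, so one node-wide mount does not hand every job the
#                mounting user's access
#   uid/gid    - ownership shown when the server returns no POSIX ids
cifs_krb5_opts() {
    uid="$1"; gid="$2"
    printf 'sec=krb5,cruid=%s,multiuser,uid=%s,gid=%s' "$uid" "$uid" "$gid"
}

# The kernel obtains the ticket through request-key; this line must exist in
# /etc/request-key.d/cifs.spnego.conf (packages cifs-utils and keyutils).
request_key_conf() {
    printf 'create cifs.spnego * * /usr/sbin/cifs.upcall %%k\n'
}

# klist -s exits non-zero when the cache is missing or the ticket has expired,
# which mount only reports as a generic permission or I/O error.
have_ticket() {
    klist -s 2>/dev/null
}

# Mount helper for a job script: refuse early without a valid ticket, then
# mount with the options above. Run as: mount_restricted //nas.example.corp/restricted /mnt/restricted
mount_restricted() {
    share="$1"; mountpoint="$2"
    have_ticket || { echo "no valid Kerberos ticket (run kinit or kinit -kt)" >&2; return 1; }
    sudo mount -t cifs "$share" "$mountpoint" \
        -o "$(cifs_krb5_opts "$(id -u)" "$(id -g)")"
}
```

With `multiuser`, the ticket of whichever uid accesses the share is used, so revoking or expiring one user's Kerberos credentials takes effect on the mount without remounting; the `cruid` cache is only needed for the initial mount session. Ticket lifetime must cover the job's runtime, so long jobs need a keytab or a renewable ticket rather than an interactive `kinit`.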