
Goal

I'm setting up multi-user CIFS mounts in an Active Directory environment under CentOS 8.2. The storage server supports the SMB 3.1.1 protocol.

Prerequisites

I was able to integrate the system into Active Directory easily, and I've edited the SSSD (/etc/sssd/sssd.conf) and realm configuration to match my preferences and needs.

Results:

  • Active Directory users can log in

I've also created a dedicated user that I'll call "mountorino" in this post. mountorino has the required share permissions (RO) and NTFS permissions (traverse on the root folder) to mount the CIFS shares. Its identification information is stored in the /root/cifs.cred file.

Scenario A: NTLM

Mounting the CIFS shares with the multiuser and ntlmsspi options:

//<server>/<share> /mnt/<mount point> cifs auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=ntlmsspi,credentials=/root/cifs.cred 0 0

Results:

  • It works as long as, from the end-user context, I run the cifscreds add --username <user> <server> command
  • It doesn't work if I run the cifscreds add --username <user> --domain <domain> command

Scenario B: Kerberos

Mounting the CIFS shares with the multiuser, krb5i, and cruid options:

//<server>/<share> /mnt/<mount point> cifs auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=krb5i,cruid=0,credentials=/root/cifs.cred 0 0

Results:

  • It works as long as, as root, I run the kinit mountorino@<DOMAIN> command

Questions:

  • With NTLM, why doesn't cifscreds add --username <user> --domain <domain> work? The user, the server and the client are all members of the same Windows domain!
  • More importantly, with Kerberos, how can I make root get a Kerberos ticket before the fstab entries are automounted? I understand that by generating a keytab file, I won't have to type mountorino's password when running kinit, which allows kinit to be automated. But how do I make sure kinit is run before the automounts are mounted? PAM? A systemd unit?

Sources

Best regards, MauvaisJoueur

0 Answers
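The keytab-plus-systemd approach the question asks about, as an added example that is not part of the original post and not an answer posted there. It assumes a hypothetical keytab /etc/cifs-mount.keytab for mountorino, the hypothetical realm EXAMPLE.COM, root's default credential cache KEYRING:persistent:0 (the CentOS 8 default, which a sec=krb5i,cruid=0 mount's cifs.upcall reads), and an assumed install path /usr/local/sbin/cifs-krb5-ticket for the script; the unit name is likewise an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: get root a Kerberos TGT from a
# keytab before systemd mounts the _netdev CIFS entries, so that a
# sec=krb5i,multiuser,cruid=0 mount in fstab comes up without anyone typing
# a password. Principal, keytab path and ccache below are assumptions.
set -eu

: "${CIFS_PRINCIPAL:=mountorino@EXAMPLE.COM}"   # hypothetical realm
: "${CIFS_KEYTAB:=/etc/cifs-mount.keytab}"       # hypothetical keytab, root-owned, mode 0600
: "${CIFS_CCACHE:=KEYRING:persistent:0}"         # root's default ccache on CentOS 8

# True (exit 0) when the ccache already holds an unexpired TGT; klist -s is
# silent and reports only through its exit status.
have_ticket() {
    KRB5CCNAME="$CIFS_CCACHE" klist -s
}

# Acquire the TGT non-interactively from the keytab unless one is still valid.
# Refuses to call kinit when the keytab is missing, so a boot with a lost
# keytab fails loudly here instead of leaving an empty ccache and a stuck mount.
ensure_ticket() {
    if have_ticket; then
        return 0
    fi
    if [ ! -r "$CIFS_KEYTAB" ]; then
        echo "ensure_ticket: keytab $CIFS_KEYTAB is not readable" >&2
        return 1
    fi
    KRB5CCNAME="$CIFS_CCACHE" kinit -k -t "$CIFS_KEYTAB" "$CIFS_PRINCIPAL"
}

# Print a systemd unit that runs this script before remote-fs-pre.target.
# remote-fs-pre.target is ordered before every _netdev mount, but it is only
# pulled into the boot transaction when some unit Wants= it, hence both lines.
# Arg 1: absolute path of the installed script.
render_unit() {
    script="$1"
    cat <<EOF
[Unit]
Description=Kerberos ticket for multiuser CIFS mounts
Wants=network-online.target remote-fs-pre.target
After=network-online.target
Before=remote-fs-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$script ticket

[Install]
WantedBy=remote-fs.target
EOF
}

# Command-line entry points: "ticket" is what the unit runs, "unit" prints the unit.
case "${1:-}" in
    ticket) ensure_ticket ;;
    unit)   render_unit "$(readlink -f "$0")" ;;
esac
```

Install the script as /usr/local/sbin/cifs-krb5-ticket, write `cifs-krb5-ticket unit` to /etc/systemd/system/cifs-krb5-ticket.service and `systemctl enable` it; network-online.target only really waits for the network when NetworkManager-wait-online.service is enabled. The TGT has a finite lifetime (AD issues 10-hour tickets by default), and a multiuser mount that later reconnects needs a valid ticket for cruid, so re-run the `ticket` action from a systemd timer well inside that lifetime. Anyone who can read the keytab can act as mountorino, so keep it root-only and keep the account as restricted as the post already describes (RO share, traverse only). If krb5.conf sets a different default_ccache_name, change CIFS_CCACHE to match, since cifs.upcall looks in the cruid user's default cache.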