On Sat, 8 Jun 2013, Steve Thompson wrote:
> Running out of ideas!
Well, I managed to solve this one. It turned out to be nothing to do with Samba4, nor the version of nfs-utils (1.2.3-36) or the version of the kernel (2.6.32-358.6.2.el6) on the NFS server and client. It was in the /etc/exports file; I was exporting /mnt/exports (the NFSv4 root with fsid=0) with sec=sys:krb5 and /mnt/exports/data (a file system), also with sec=sys:krb5, but also /mnt/data (the real file system, which is bind-mounted on to /mnt/exports/data), this time without specifying sec=. The latter was as a service to clients using NFSv3. It transpired that by adding sec=sys:krb5 to the latter export, the NFSv4+krb5 mounts all started working. I could argue that this is a bug, but whatever, it is now working.
Notes:
* allow_weak_crypto=yes is REQUIRED in krb5.conf for this software version combo.
* a separate user object is REQUIRED with the UPN nfs/fqdn. I add this using msktutil on the client when the client is joined to the domain. Using "net ads keytab add nfs" is NOT sufficient, since it adds an SPN and not a UPN.
Steve
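
The mismatch described in the message above, as an added example that is not part of the original post: a small shell check that lists export entries with no sec= option when other entries in the same file set one. The sample file is constructed to mirror the three exports the post names; the client pattern *.example.com and the rw option are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_exports_sec FILE
#   Prints "path client" for every export entry that has no sec= option
#   while at least one other entry in FILE does. Prints nothing otherwise.
#   Limitations: no backslash line continuations, no "-opts" default lines.
check_exports_sec() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {      # each field is client(opt,opt,...)
                n++
                client = $i
                sub(/\(.*/, "", client)      # keep only the client part
                entry[n] = path " " client
                if ($i ~ /[(,]sec=/) { has_sec[n] = 1; any_sec = 1 }
            }
        }
        END {
            if (!any_sec) exit               # file never uses sec=: nothing to compare
            for (i = 1; i <= n; i++)
                if (!has_sec[i]) print entry[i]
        }
    ' "$1"
}

# Constructed sample: NFSv4 root, the bind-mounted path under it, and the
# real file system exported for NFSv3 clients, as laid out in the post.
write_sample() {    # write_sample FILE [fixed]
    {
        echo '/mnt/exports       *.example.com(rw,fsid=0,sec=sys:krb5)'
        echo '/mnt/exports/data  *.example.com(rw,sec=sys:krb5)'
        if [ "$2" = fixed ]; then
            echo '/mnt/data          *.example.com(rw,sec=sys:krb5)'
        else
            echo '/mnt/data          *.example.com(rw)'
        fi
    } > "$1"
}

tmp=$(mktemp)
write_sample "$tmp";       check_exports_sec "$tmp"   # prints: /mnt/data *.example.com
write_sample "$tmp" fixed; check_exports_sec "$tmp"   # prints nothing
rm -f "$tmp"
```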