On Tue, 11 Jun 2013, Steve Thompson wrote:
- allow_weak_crypto=yes is REQUIRED in krb5.conf for this software version combo.
- a separate user object is REQUIRED with the UPN nfs/fqdn. I add this using msktutil on the client when the client is joined to the domain. Using "net ads keytab add nfs" is NOT sufficient, since it adds an SPN and not a UPN.
Aw crap, I hate it when I do that. It turns out that allow_weak_crypto=yes is NOT required at all, provided that the nfs/fqdn UPN that is created supports the necessary enctypes. I originally had --enctypes=0x3 when I created the UPN with msktutil; by recreating the UPN without using --enctypes at all, allow_weak_crypto=yes is no longer needed on either client or server, and NFSv4 mounts work just fine with everything essentially stock. It is still true that a UPN must be created, and "net ads keytab add" is not sufficient. This is with a Samba4 domain, btw.
I still have an issue with user access to the NFSv4 mount, and a workaround for it, but that's for another time.
Steve
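
An added example, not part of the original message: it decodes the --enctypes bitmask (the msDS-SupportedEncryptionTypes bit layout) to show that 0x3 selects only single-DES, which MIT krb5 disables unless allow_weak_crypto is set, and it scans `klist -ke` output for principals that hold only such keys. The function names, the sample keytab listing and the example.com principals are constructed, and the parser assumes klist prints short enctype names.

```python
import re

# msDS-SupportedEncryptionTypes bits, the value passed to msktutil --enctypes
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Single-DES enctypes: unavailable in MIT krb5 unless allow_weak_crypto is set
WEAK = {"des-cbc-crc", "des-cbc-md5"}

def decode_enctypes(mask):
    """Return the enctype names enabled by a bitmask, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]

def needs_allow_weak_crypto(mask):
    """True when every enctype the mask allows is single-DES."""
    names = decode_enctypes(mask)
    return bool(names) and all(n in WEAK for n in names)

# One key line of `klist -ke`: "<kvno> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def weak_only_principals(klist_output):
    """Return principals whose keytab entries are all single-DES."""
    keys = {}
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return sorted(p for p, enctypes in keys.items() if enctypes <= WEAK)

# Constructed sample output, not taken from a real host
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 nfs/client.example.com@EXAMPLE.COM (des-cbc-md5)
   3 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
   3 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    print("0x3 ->", decode_enctypes(0x3), "weak only:", needs_allow_weak_crypto(0x3))
    print("DES-only principals:", weak_only_principals(SAMPLE))
```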