On Thu, 6 Jun 2013, Ritter, Marcel wrote:
> Newer versions of nfs-utils (>= 1.2.4) support the HOSTNAME$ format (treated like a UPN) used by Samba/Windows, which makes things easier (and could/should work out of the box with a keytab created by samba itself).
I have tried creating a Samba4 user object with a suitable UPN using msktutil on the DC (this is successfully entered into the database):
    # OU=Computers
    # HOST=<short hostname>
    # msktutil -c -b CN=$OU \
        -k nfs-$HOST.keytab \
        --computer-name nfs-$HOST \
        --upn nfs/$HOST.test.cornell.edu \
        --service nfs/$HOST.test.cornell.edu \
        --server `hostname` \
        --dont-expire-password \
        --hostname $HOST.test.cornell.edu \
        --enctypes 0x3
and then importing this keytab into the host's keytab with ktutil (so, not using "net ads keytab add"). Verified the keytab with klist. Get permission denied when trying to mount with sec=krb5. Various different enctypes all get the same result.
I tried also building nfs-utils 1.2.8 from source and installing that on the NFSv4 server (using the NFSv4 server as a client for this test). All I get then, no matter what I put in the keytab, is:
rpc.gssd[1679]: ERROR: GSS-API: error in gss_set_allowable_enctypes(): GSS_S_BAD_MECH (An unsupported mechanism was requested) - Unknown error
The build of nfs-utils (via rpmbuild) appeared clean but I suspect that there may be something wrong with it. Still using the 2.6.32-358.6.2.el6 kernel.
I tried the workaround suggested in:
https://bugzilla.redhat.com/show_bug.cgi?id=720479
just in case, but it made no difference.
Running out of ideas!
-Steve