[CentOS] Windows 2003 AD, Winbind, Kerberos and NFSv4

Sat Jul 3 00:50:06 UTC 2010
John Jasen <jjasen at realityfailure.org>

Please forgive joining the broadcast already in progress, and for top
posting. However, I have found that removing all but the DES CBC keytab
entries on the client helps.

With Windows 2003, you may also have to set the default encryption type
for the kerberos account to DES, and use ADSIEDIT.msc to change the
UserPrincipalName to nfs/hostname.fqdn.

For what it's worth, "net", part of the Samba client package, populates
the keytabs accordingly.

For advanced debugging, the rpc.*gssd services can be configured to run
very verbosely, by adding multiple -v arguments on start.

Louis Lagendijk wrote:
> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
> 
>> To support NFSv4 with Kerberos security, we also need to generate service 
>> principal for NFS:
>>
>> [root@aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [root@aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>     3 host/aconite.my.ad.name@MY.AD.NAME
>>     3 host/aconite.my.ad.name@MY.AD.NAME
>>     3 host/aconite.my.ad.name@MY.AD.NAME
>>     3 host/aconite@MY.AD.NAME
>>     3 host/aconite@MY.AD.NAME
>>     3 host/aconite@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@MY.AD.NAME
>>     3 nfs/aconite@MY.AD.NAME
>>     3 nfs/aconite@MY.AD.NAME
>>     3 nfs/aconite@MY.AD.NAME
>>
> did you create the keytab on the CLIENT also?
> 
>> Test on the client
>>
>> [root@celastrina ~]# showmount -e aconite
>> Export list for aconite:
>> /exports *
>> [root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
>> [root@celastrina ~]# mount |grep -i nfs4
>> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
>> [root@celastrina ~]#
>>
>> So as you can see everything is now working *without* Kerberos.  However, 
>> if I change the /etc/exports file on aconite to
>>
>> [root@aconite ~]# cat /etc/exports
>> /exports        gss/krb5(rw,fsid=0)
>> [root@aconite ~]# exportfs
>> /exports        gss/krb5
>>
>>
>> and then try to mount with the -o sec=krb5 on the client
>>
> is rpc.gssd running on the client?
> rpc.svcgssd on the server?
> 
>> [root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
>> mount.nfs4: Permission denied
>>
>> and the entry in /var/log/messages on celastrina is
>>
>> Jul  2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file 
>> '/etc/krb5.keytab'
>> Jul  2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain 
>> machine credentials for connection to server aconite.my.ad.name
>>
>> nothing appears in the logs on aconite.
>>
> so you most likely do not have a keytab on the client.
> 
> Using kerberos is not simple....
> 
> Louis
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos


-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
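The keytab pruning John describes above (keep only the DES-CBC entries on the client), as an added example that is not part of the original thread and not Samba or CentOS tooling: a POSIX shell script that reads `klist -ke` output, works out which ktutil slots hold non-DES keys, and emits a ktutil command script that deletes them from the highest slot downward (ktutil renumbers the remaining entries after each `delent`, so deleting top-down keeps the pending slot numbers valid) and writes the result to a fresh file. The sample `klist -ke` output is constructed for the example, using the thread's client name celastrina and realm MY.AD.NAME with MIT klist's enctype display strings; the keytab paths are assumptions. One caveat the thread does not spell out: single DES is a 56-bit cipher deprecated for Kerberos by RFC 6649, and it was only required because the RPCSEC_GSS code in CentOS 5 era kernels negotiated nothing stronger, so treat this as a compatibility workaround, not a target configuration.

```shell
#!/bin/sh
# Added example, not from the thread: prune a client keytab down to its
# single-DES entries, the workaround John describes for Kerberized NFSv4
# against Windows 2003 AD. Caveat: single DES is 56-bit and deprecated
# (RFC 6649); it is only needed because the kernel GSS code of that era
# negotiated nothing stronger.

# Constructed sample of `klist -ke` output for the client keytab. Host and
# realm follow the thread; enctype strings are those MIT klist prints.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 host/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with RSA-MD5)
   3 host/celastrina.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)
   3 nfs/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 nfs/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with RSA-MD5)
   3 nfs/celastrina.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)'

# Print "<slot><TAB><enctype>" for every entry. ktutil's rkt loads entries
# in file order, so the Nth entry line of klist -ke is ktutil slot N.
keytab_slots() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ [^ ]+ \(/ {
            slot++
            enc = $0
            sub(/.*\(/, "", enc)
            sub(/\)[ \t]*$/, "", enc)
            print slot "\t" enc
        }'
}

# Slot numbers of every entry that is NOT single DES, highest first, so
# deleting them one at a time never shifts a slot still to be deleted
# (ktutil renumbers the remaining entries after each delent).
non_des_slots() {
    keytab_slots "$1" | awk -F '\t' '$2 !~ /^DES cbc mode/ { print $1 }' | sort -rn
}

# Emit a ktutil command script: load the keytab, delete the non-DES
# slots, write the pruned keytab to a separate file for inspection
# (wkt appends to an existing file, so never point it at the live keytab).
ktutil_script() {
    klist_out=$1; keytab=$2; pruned=$3
    printf 'rkt %s\n' "$keytab"
    non_des_slots "$klist_out" | while read -r s; do
        printf 'delent %s\n' "$s"
    done
    printf 'wkt %s\nquit\n' "$pruned"
}

# Stand-alone run: show what would be piped into ktutil for the sample.
# On a real client (assumed paths):
#   ktutil_script "$(klist -ke)" /etc/krb5.keytab /root/krb5.keytab.des | ktutil
ktutil_script "$SAMPLE_KLIST" /etc/krb5.keytab /root/krb5.keytab.des
```

Check the pruned file with `klist -ke /root/krb5.keytab.des` and `kinit -k -t /root/krb5.keytab.des nfs/$(hostname -f)` before moving it over /etc/krb5.keytab, and keep the original until an `-o sec=krb5` mount succeeds. For the verbose rpc.gssd run John mentions, CentOS 5 and 6 read the daemon arguments from `RPCGSSDARGS` (client) and `RPCSVCGSSDARGS` (server) in /etc/sysconfig/nfs, so `RPCGSSDARGS="-vvv"` followed by a restart of rpcgssd gives the per-enctype detail behind the "Failed to obtain machine credentials" message.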