On Fri, 2 Jul 2010, Louis Lagendijk wrote:

> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
>
>> To support NFSv4 with Kerberos security, we also need to generate service
>> principal for NFS:
>>
>> [root at aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [root at aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    3 host/aconite.my.ad.name at MY.AD.NAME
>>    3 host/aconite.my.ad.name at MY.AD.NAME
>>    3 host/aconite.my.ad.name at MY.AD.NAME
>>    3 host/aconite at MY.AD.NAME
>>    3 host/aconite at MY.AD.NAME
>>    3 host/aconite at MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 nfs/aconite.my.ad.name at MY.AD.NAME
>>    3 nfs/aconite.my.ad.name at MY.AD.NAME
>>    3 nfs/aconite.my.ad.name at MY.AD.NAME
>>    3 nfs/aconite at MY.AD.NAME
>>    3 nfs/aconite at MY.AD.NAME
>>    3 nfs/aconite at MY.AD.NAME
>>
> did you create the keytab on the CLIENT also?

Do you mean did I run the net ads keytab add nfs on the client? If so the answer is yes. I've even tried mounting the NFS export directly from the NFS server.

> is rpc.gssd running on the client?
> rpc.svc.gssd on the server?

Yes and Yes.

> so you most likely do not have a keytab on the client.

I do but I'm not sure it is correct. If you are doing it can you please provide me some sample output to compare your server/client keytabs to mine?

> Using kerberos is not simple....

I'm getting that picture. :)

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : subatomic_spam at hotmail.com

TEAMWORK
There's power in numbers. Learn to work together.
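
The keytab comparison requested in this message can be scripted. The following is an added example, not part of the original thread: it reads `klist -k` output and checks for the `nfs/` service principal that the `net ads keytab add nfs` step is meant to create. The function names and the embedded listing are constructed for illustration, with host and realm names taken from the listing quoted above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify that a keytab listing
# contains the nfs/<fqdn>@<REALM> principal for a given host.

# Constructed sample in the layout `klist -k` prints, one line per
# stored key, so the same principal repeats once per encryption type.
sample_keytab() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
EOF
}

# Read `klist -k` output on stdin; print unique "KVNO principal" pairs,
# skipping the header and ruler lines.
list_principals() {
  awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $1, $2 }' | sort -u
}

# has_principal SERVICE FQDN REALM: succeed if SERVICE/FQDN@REALM is listed.
has_principal() {
  list_principals |
    awk -v want="$1/$2@$3" '$2 == want { found = 1 } END { exit !found }'
}

# check_keytab FQDN REALM: report the nfs/ principal; nonzero if absent.
check_keytab() {
  if has_principal nfs "$1" "$2"; then
    echo "ok      nfs/$1@$2"
  else
    echo "MISSING nfs/$1@$2"
    return 1
  fi
}

# Demo on the constructed listing. On a real host, run as root on both
# the server and the client and compare the results:
#   klist -k /etc/krb5.keytab | check_keytab "$(hostname -f)" MY.AD.NAME
sample_keytab | check_keytab aconite.my.ad.name MY.AD.NAME
```
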