On Tue, 11 Jun 2013, Steve Thompson wrote:

> * allow_weak_crypto=yes is REQUIRED in krb5.conf for this software version
>   combo.
> * a separate user object is REQUIRED with the UPN nfs/fqdn. I add this
>   using msktutil on the client when the client is joined to the domain.
>   Using "net ads keytab add nfs" is NOT sufficient, since it adds an
>   SPN and not a UPN.

Aw crap, I hate it when I do that. It turns out that allow_weak_crypto=yes
is NOT required at all, provided that the nfs/fqdn UPN that is created
supports the necessary enctypes. I originally had --enctypes=0x3 when I
created the UPN with msktutil; by recreating the UPN without using
--enctypes at all, allow_weak_crypto=yes is no longer needed on either
client or server, and NFSv4 mounts work just fine with everything
essentially stock.

It is still true that a UPN must be created, and "net ads keytab add" is
not sufficient. This is with a Samba4 domain, btw.

I still have an issue with user access to the NFSv4 mount, and a workaround
for it, but that's for another time.

Steve
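
The --enctypes value is a bitmask, and 0x3 selects only the two single-DES enctypes. The check below is an added example, not part of the original message or of msktutil. It decodes such a mask and reports whether the principal is usable only with allow_weak_crypto. The function names and the masks other than 0x3 are assumptions made for illustration, and "weak" is taken to mean single DES.

```python
# Added example: decode the enctype bitmask passed to msktutil --enctypes
# (stored in msDS-SupportedEncryptionTypes) and check it against a
# client's allow_weak_crypto setting.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Assumption: "weak" means single DES, which is what allow_weak_crypto
# gated in MIT krb5 releases current in 2013.
WEAK = {"des-cbc-crc", "des-cbc-md5"}
KNOWN_MASK = 0x1F


def decode(mask):
    """Return the enctype names set in mask, lowest bit first."""
    extra = mask & ~KNOWN_MASK
    if extra:
        raise ValueError(f"bits this example does not decode: {extra:#x}")
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def usable(mask, allow_weak_crypto=False):
    """Enctypes a client may use for this principal under its policy."""
    return [e for e in decode(mask) if allow_weak_crypto or e not in WEAK]


def needs_weak_crypto(mask):
    """True when the principal only works with allow_weak_crypto enabled."""
    # A mask of 0 (nothing set explicitly) is left to the KDC's defaults,
    # so it is not reported as needing weak crypto.
    return bool(decode(mask)) and not usable(mask)


if __name__ == "__main__":
    # 0x3 is the value from the message; 0x1c and 0x7 are constructed
    # sample masks, not taken from the thread.
    for mask in (0x3, 0x1C, 0x7):
        print(f"{mask:#04x}: {decode(mask)} "
              f"needs allow_weak_crypto={needs_weak_crypto(mask)}")
```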