Is it possible that Samba4 includes a large PAC on the kerberos credential and you're going over the limit in kernel? Against AD you have to disable this PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work correctly. You /sometimes/ find that testing with a user who is a member of as close to no groups as possible works in this case, but users in many groups fail. I'm not convinced your comment about having to run svcgssd on clients is enforced due to CentOS in it scripts, but it shouldn't cause any bother as you say. I can't check right now. Jh Steve Thompson <smt at vgersoft.com> wrote: On Thu, 20 Jun 2013, steve wrote: Thanks for your reply! I am really pulling my hair out over this one, and I don't have that much left :( > What do you have in /etc/idmapd.conf The content of this file is correct as far as I understand it, as it works with NFSv3 and NFSv4 with sec=sys: [General] Verbosity = 0 Domain = icse.cornell.edu Local-Realms = TITAN.TEST.CORNELL.EDU [Mapping] Nobody-User = nobody Nobody-Group = nobody [Translation] Method = nsswitch (and I have nsswitch.conf correctly configured). Note: in my case, the value of Domain in idmapd.conf is NOT the same as the DNS domain name. But as I understand it, as long as it is the same on all servers and clients, this should not matter, as it is just a label. I tried setting it to the DNS domain name, but it didn't make any difference. And changing it on just the server and not the clients leaves all ownerships as being nobody:nobody instead of the proper ownerships, which is (a) expected, and (b) leads me to believe that rpc.idmapd is working as it should. Starting rpc.idmapd with -vvv dumps the mappings to /var/log/messages, and they are correct. In any case, clients don't all have the same DNS domain name. > What does ps aux | grep rpc give? rpc 1616 0.0 0.0 18972 992 ? Ss Jun18 0:00 rpcbind rpcuser 1649 0.0 0.0 25420 1380 ? Ss Jun18 0:00 rpc.statd root 1678 0.0 0.0 0 0 ? S Jun18 0:00 [rpciod/0] root 1679 0.0 0.0 0 0 ? S Jun18 0:01 [rpciod/1] root 5789 0.0 0.0 50112 2072 ? Ss 12:06 0:00 rpc.svcgssd -vvv root 5795 0.0 0.0 107304 276 ? Ss 12:06 0:00 rpc.rquotad root 5799 0.0 0.0 22832 2560 ? Ss 12:06 0:00 rpc.mountd --no-nfs-version 2 root 5850 0.0 0.0 36900 1048 ? Ss 12:06 0:00 rpc.idmapd -vvv root 8807 0.0 0.0 37340 2556 ? Ss 16:37 0:00 rpc.gssd -vvv All the expected daemons are present, including rpc.gssd and rpc.svcgssd. I have rpc.svcgssd running on the clients too, although it should not be necessary there (but the CentOS init scripts don't give the option to not start it). > Can the user browse using nfs3? > mount -t nfs3 -o sec=krb5 <server_fqdn>:/data /mnt No; exactly the same result as NFSv4. But yes with sec=sys. > Have a look at the gotchas. There's loadsa wrong info abut kerberos and > nfs4: http://linux-nfs.org/wiki/index.php/Nfsv4_configuration That's one of the many articles that I've read (several times). I don't see anything wrong in what I have done (btw, I don't agree that the fsid=0 export should be mode 1777, and I don't agree that your first exports example is the proper way to do it. But in any event I have tried those too, to no effect). Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos