[CentOS] [Samba] Samba4 and NFSv4

Tue Jun 11 17:38:38 UTC 2013
Steve Thompson <smt at vgersoft.com>

On Sat, 8 Jun 2013, Steve Thompson wrote:

> Running out of ideas!

Well, I managed to solve this one. It turned out to be nothing to do with 
Samba4, nor the version of nfs-utils (1.2.3-36) or the version of the 
kernel (2.6.32-358.6.2.el6) on the NFS server and client. It was in the 
/etc/exports file; I was exporting /mnt/exports (the NFSv4 root with 
fsid=0) with sec=sys:krb5 and /mnt/exports/data (a file system), also with 
sec=sys:krb5, but also /mnt/data (the real file system, which is 
bind-mounted on to /mnt/exports/data), this time without specifying sec=. 
The latter was as a service to clients using NFSv3. It transpired that by 
adding sec=sys:krb5 to the latter export, the NFSv4+krb5 mounts all 
started working. I could argue that this is a bug, but whatever, it is now 


* allow_weak_crypto=yes is REQUIRED in krb5.conf for this software version

* a separate user object is REQUIRED with the UPN nfs/fqdn. I add this
   using msktutil on the client when the client is joined to the domain.
   Using "net ads keytab add nfs" is NOT sufficient, since it adds an
   SPN and not a UPN.
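
A check for the export mismatch described in this message, as an added example that is not part of the original post: it groups /etc/exports entries by the real file system behind any bind mount and reports groups whose sec= settings differ. The client spec `*`, the extra export options, the fstab line and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample reproducing the layout described in the post; the client
# spec "*" and the rw/no_subtree_check options are assumptions.
EXPORTS = """\
/mnt/exports       *(rw,fsid=0,sec=sys:krb5,no_subtree_check)
/mnt/exports/data  *(rw,sec=sys:krb5,no_subtree_check)
/mnt/data          *(rw,no_subtree_check)
"""
# Constructed fstab bind-mount line: source, mount point, type, options.
FSTAB = "/mnt/data  /mnt/exports/data  none  bind  0 0\n"

def norm(path):
    return path.rstrip("/") or "/"

def bind_sources(fstab):
    """Map bind mount point -> real path for fstab entries with the bind option."""
    out = {}
    for line in fstab.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and "bind" in f[3].split(","):
            out[norm(f[1])] = norm(f[0])
    return out

def parse_exports(text):
    """Yield (path, client, sec flavors or None when sec= is absent)."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        for spec in f[1:]:
            m = re.fullmatch(r"([^()]*)\((.*)\)", spec)
            opts = m.group(2).split(",") if m else []
            sec = next((o[4:] for o in opts if o.startswith("sec=")), None)
            yield norm(f[0]), (m.group(1) if m else spec), sec

def sec_mismatches(exports, fstab):
    """Return {real path: {"export client": sec}} where sec= settings differ."""
    binds = bind_sources(fstab)
    seen = {}
    for path, client, sec in parse_exports(exports):
        seen.setdefault(binds.get(path, path), {})[f"{path} {client}"] = sec
    return {real: entries for real, entries in seen.items()
            if len(set(entries.values())) > 1}

if __name__ == "__main__":
    print(sec_mismatches(EXPORTS, FSTAB))
```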