[CentOS] [Samba] Samba4 and NFSv4

Fri Jun 14 20:05:04 UTC 2013
Steve Thompson <smt at vgersoft.com>

On Tue, 11 Jun 2013, Steve Thompson wrote:

> * allow_weak_crypto=yes is REQUIRED in krb5.conf for this software version
>   combo.
> * a separate user object is REQUIRED with the UPN nfs/fqdn. I add this
>   using msktutil on the client when the client is joined to the domain.
>   Using "net ads keytab add nfs" is NOT sufficient, since it adds an
>   SPN and not a UPN.

Aw crap, I hate it when I do that. It turns out that allow_weak_crypto=yes 
is NOT required at all, provided that the nfs/fqdn UPN that is created 
supports the necessary enctypes. I originally had --enctypes=0x3 when I 
created the UPN with msktutil; by recreating the UPN without using 
--enctypes at all, allow_weak_crypto=yes is no longer needed on either 
client or server, and NFSv4 mounts work just fine with everything 
essentially stock. It is still true that a UPN must be created, and "net 
ads keytab add" is not sufficient. This is with a Samba4 domain, btw.

I still have an issue with user access to the NFSv4 mount, and a 
workaround for it, but that's for another time.
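
An added example, not part of the original message: a small Python check that decodes the `--enctypes` bitmask on a msktutil command line and shows why `0x3` selects only single-DES keys, which MIT Kerberos accepts only with `allow_weak_crypto`. The bit values are the msDS-SupportedEncryptionTypes flags; the sample command lines and host name are constructed, and the function names are hypothetical.

```python
import shlex

# msDS-SupportedEncryptionTypes bits, as passed to msktutil --enctypes.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK_BITS = 0x01 | 0x02          # single-DES: gated by allow_weak_crypto in MIT krb5
KNOWN_BITS = sum(ENCTYPE_BITS)   # 0x1f


def decode_enctypes(mask):
    """Return the enctype names enabled in a --enctypes bitmask."""
    if mask & ~KNOWN_BITS:
        raise ValueError(f"unknown enctype bits in {mask:#x}")
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]


def enctypes_from_command(command):
    """Extract the --enctypes value from a command line, or None if absent."""
    args = shlex.split(command)
    for i, arg in enumerate(args):
        if arg.startswith("--enctypes="):
            return int(arg.split("=", 1)[1], 0)
        if arg == "--enctypes" and i + 1 < len(args):
            return int(args[i + 1], 0)
    return None


def audit(command):
    """Classify a command as 'default', 'weak-only', 'includes-weak' or 'ok'."""
    mask = enctypes_from_command(command)
    if not mask:
        return "default"         # flag absent or 0: no explicit enctype list
    decode_enctypes(mask)        # validates the mask
    if mask & ~WEAK_BITS == 0:
        return "weak-only"       # only DES keys: needs allow_weak_crypto
    return "includes-weak" if mask & WEAK_BITS else "ok"


if __name__ == "__main__":
    # Constructed sample command lines.
    for cmd in ("msktutil --upn nfs/client.example.com --enctypes=0x3",
                "msktutil --upn nfs/client.example.com"):
        mask = enctypes_from_command(cmd)
        print(audit(cmd), decode_enctypes(mask) if mask else [], cmd)
```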