Hi,
I'm trying to mount an NFS4 export from my FS8600 NAS with Kerberos security.
Environment:
nas-1: FS8600 NAS
Directory Service: Windows AD
LC: Linux Client
On my LC I can successfully run
LC:# mount -t nfs4 nas-1:/export/test /mnt/test
If I try
LC:# mount -t nfs4 -o sec=krb5 nas-1:/export/test /mnt/test
I get
mount.nfs: access denied by server while mounting nas-1:/export/test
Note: /export/test has krb5, krb5i, krb5p enabled on the export.
According to rpc.gssd -vvv on LC:
Apr 25 11:37:17 LC rpc.gssd[20933]: WARNING: Failed to create krb5 context for user with uid 0 for server nas-1.domain.com
Apr 25 11:37:17 LC rpc.gssd[20933]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_AD.REALM for server nas-1.domain.com
Apr 25 11:37:17 LC rpc.gssd[20933]: WARNING: Failed to create machine krb5 context with any credentials cache for server nas-1.domain.com
I have verified that I have a valid Kerberos ticket on LC. I can execute kinit -k nfs/LC.domain.com successfully without requiring a password.
According to the Kerberos docs I have read, you make sure that the SPNs are created on the KDC for nas-1 and LC, export the keytabs and add them to their respective hosts, i.e. add the client keytab to LC and the NFS server (i.e. the NAS) keytab to nas-1. The only part I don't know how to do is to add the keytab to the NAS (if this is even necessary?).
I hope someone can point me in the right direction.
Cheers,
Mike
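
Added example, not part of the original post: a small Python triage helper that reads rpc.gssd warnings like the ones quoted above and reports, per NFS server, which uid and machine credential cache failed and which NFS service principal the client needs a ticket for. It relies on two nfs-utils conventions: rpc.gssd names its machine cache krb5ccmachine_<REALM>, and it requests nfs/<server>@<REALM> for a sec=krb5 mount. The function names are made up for this example, and the sample log is constructed from the three lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the three rpc.gssd warnings quoted in the post.
SAMPLE_LOG = """\
Apr 25 11:37:17 LC rpc.gssd[20933]: WARNING: Failed to create krb5 context for user with uid 0 for server nas-1.domain.com
Apr 25 11:37:17 LC rpc.gssd[20933]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_AD.REALM for server nas-1.domain.com
Apr 25 11:37:17 LC rpc.gssd[20933]: WARNING: Failed to create machine krb5 context with any credentials cache for server nas-1.domain.com
"""

GSSD = re.compile(r"rpc\.gssd\[\d+\]: WARNING: Failed to create (?P<what>.+?) for server (?P<server>\S+)\s*$")
UID = re.compile(r"user with uid (\d+)")
# rpc.gssd names the machine cache krb5ccmachine_<REALM>; capture both parts.
CCACHE = re.compile(r"credentials cache (FILE:\S*krb5ccmachine_(\S+))")

def summarize(log_text):
    """Group rpc.gssd context-creation failures by NFS server name."""
    out = defaultdict(lambda: {"uids": set(), "ccaches": set(),
                               "realms": set(), "all_caches_failed": False})
    for line in log_text.splitlines():
        m = GSSD.search(line)
        if not m:
            continue  # not an rpc.gssd context failure
        entry, what = out[m.group("server")], m.group("what")
        u, c = UID.search(what), CCACHE.search(what)
        if u:
            entry["uids"].add(int(u.group(1)))
        if c:
            entry["ccaches"].add(c.group(1))
            entry["realms"].add(c.group(2))
        if "any credentials cache" in what:
            entry["all_caches_failed"] = True
    return dict(out)

def service_principals(summary):
    """NFS service principals the client must be able to get tickets for."""
    return sorted(f"nfs/{server}@{realm}"
                  for server, e in summary.items() for realm in e["realms"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for server, e in s.items():
        print(server, "uids:", sorted(e["uids"]), "caches:", sorted(e["ccaches"]),
              "no usable machine cache:", e["all_caches_failed"])
    for spn in service_principals(s):
        # kvno (MIT Kerberos) requests a service ticket for the given principal.
        print("check on the client with: kvno", spn)
```

If the reported service principal cannot be obtained from the KDC, the failure is on the server's SPN registration rather than in the client keytab.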