Thank you for the insightful responses, Russ, Nico and Steve.

On 2012-08-27, at 10:11 AM, Nico Williams wrote:
> I'm going to assume that you meant "GSS context", not "Kerberos context".

I'm going to assume you're correct since I'm quite, quite lost. :-)

>> 2) Why would rpc.gssd on the client be unsuccessful in creating a
>> Kerberos context?
>
> Depends on which kind of context you really meant. Assuming you meant
> "GSS security context"... it could be lots of things.

Assuming I have no clue what I'm doing (cough) what are some basic things I could poke at to begin troubleshooting? I'm not even sure where to start. The NFS client? The KDC?

Which of those two contexts do you suppose the authors of nfs-utils meant when writing error messages like this:

> rpc.gssd: WARNING: Failed to create krb5 context for user with uid 0 for
> server nfsserver.example.com
> rpc.gssd: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_AD.EXAMPLE.COM for server nfsserver.example.com

On 2012-08-27, at 10:59 AM, [email protected] wrote:
> For us, nfs4 with a Samba4 AD, gssd fails when it can't find e.g. a
> machine key in (by default) /etc/krb5.keytab

Thank you, Steve. My previous diatribe shows that _all_ of those principals are present in /etc/krb5.keytab on the NFS server and client. Interesting that the only obvious differences here are that your setup works and doesn't contain any Microsoft products... Are you using Samba4 to do AD<->UID/GID mapping as well?

On 2012-08-27, at 11:11 AM, Douglas E. Engert wrote:
> http://joshuawise.com/kerberos-nfs
> has some debugging, and talks about idmapd issues

Thank you, but we're erroring out despite having all of the pieces that he has documented already in place.

--Derek

--
Derek Warren, IT Services, Research Computing Group, Simon Fraser University
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
