On Wed, 12 Feb 2014, Longina Przybyszewska wrote:
> Am I missing something here:
> If there is a key for the principal 'host/client.domain.org@DOMAIN.ORG' in the local
> /etc/krb5.keytab,
> why are there no credentials in the Kerberos database?
ServicePrincipal vs UserPrincipal. In AD, you can add as many service
principals as you like (net ads keytab add blah), but these are only useful
for services, as they can't get a Ticket Granting Ticket. NFS is unusual in
needing a tgt. So you have ones like host/fqdn which can be used by ssh. You
get one user principal for free with AD, which is 'shorthostname$'. That can
generate a TGT (i.e. you can use kinit with it). You're allowed one other,
which you can generate with samba via 'net ads join
createupn=something/fqdn'. This can be useful for services that need it,
that don't know to use the other one. So you can use that with nfs to make it
all happy that way, by making the nfs/fqdn principal able to request a tgt.
> Is this because, for the NFS4 service, the machine asks for credentials
> for the machine principal, the one ending with “$”, and rpc.gssd
> asks about CLIENT.DOMAIN.ORG$@DOMAIN.ORG instead of CLIENT$@DOMAIN.ORG,
> and that question depends on what ‘hostname’ returns?
hostname should always return the full hostname, and hostname -s should return
the short host name. I'd really not change that to fix this problem.
jh
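The distinction jh draws above (service principals in the keytab cannot obtain a TGT; only the machine account 'SHORTNAME$' and any UPN registered with 'net ads join createupn=' can) can be checked against a keytab listing. The following is an added example, not code from the thread or from Samba: it parses the MIT 'klist -k' output format over a constructed sample and reports which entries can kinit, given the list of UPNs the admin knows were registered (the keytab alone cannot tell a UPN from a plain service principal).

```python
import re
from dataclasses import dataclass

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT format); not from the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.domain.org@DOMAIN.ORG
   3 host/CLIENT@DOMAIN.ORG
   3 nfs/client.domain.org@DOMAIN.ORG
   3 CLIENT$@DOMAIN.ORG
"""


@dataclass
class Entry:
    kvno: int
    principal: str
    can_get_tgt: bool  # True only for user principals: machine account or registered UPN


def parse_klist(text):
    """Yield (kvno, principal) from `klist -k` output, skipping header lines."""
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            yield int(m.group(1)), m.group(2)


def classify(text, upns=()):
    """Service principals (name/instance) only authenticate services. The machine
    account (SHORTNAME$) and any UPN explicitly created in AD (e.g. via
    `net ads join createupn=nfs/fqdn`) are user principals and can request a TGT."""
    upn_set = {u.lower() for u in upns}  # UPNs are supplied by the admin (assumption)
    entries = []
    for kvno, princ in parse_klist(text):
        name = princ.split("@", 1)[0]
        is_user = name.endswith("$") or princ.lower() in upn_set
        entries.append(Entry(kvno, princ, is_user))
    return entries


def tgt_capable(text, upns=()):
    """Principals in the keytab that `kinit -k` could use."""
    return sorted(e.principal for e in classify(text, upns) if e.can_get_tgt)


def nfs_ready(text, fqdn, realm, upns=()):
    """Return (nfs key present, nfs key can request a TGT) for nfs/<fqdn>@<realm>."""
    princ = f"nfs/{fqdn}@{realm}"
    entries = {e.principal: e for e in classify(text, upns)}
    return princ in entries, bool(princ in entries and entries[princ].can_get_tgt)
```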