On 01/04/2011 04:32 PM, Jason Gunthorpe wrote:
> On Thu, Dec 23, 2010 at 12:55:16PM +0200, Timo Aaltonen wrote:
>> On Wed, 22 Dec 2010, Jason Gunthorpe wrote:
>>
>>> An Active Directory KDC will only grant a TGT for UPNs, getting
>>> a TGT for SPNs is not possible:
>>>
>>>  $ kinit -k host/ib5@xxxxxxxxxxxxx
>>>  kinit: Client not found in Kerberos database while getting initial credentials
>>>
>>> The correct thing to do for machine credentials is to get a TGT
>>> for the computer UPN <HOSTNAME>$@REALM:
>>>  $ kinit -k IB5\$
>>>  $ klist
>>>  12/22/10 11:43:47  12/22/10 21:43:47  krbtgt/ADS.ORCORP.CA@xxxxxxxxxxxxx
>>>
>>> Samba automatically creates /etc/krb5.keytab entry for the computer UPN,
>>> this patch makes gssd_refresh_krb5_machine_credential prefer it above
>>> the SPNs if it is present.
>>>
>>> The net result is that nfs client works automatically out of the box
>>> if samba has been used to setup kerberos via 'net ads join' 'net ads
>>> keytab create'
>>>
>>> Tested using Windows Server 2003 R2 as the AD server.
>>
>> This is basically what I did earlier, see:
>>
>> http://marc.info/?l=linux-nfs&m=128108638228797&w=2
>>
>> though I still haven't cleaned it up as promised..
>
> Right, mine is a bit more complete (man page updated, etc) but it does
> the same thing.
>
> Maybe we can get a nfs-utils maintainer to comment this time?

Sorry for the delay.... I'll try to get to this asap...

steved.
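The selection rule described in the quoted patch description, sketched as an added shell example (not part of the thread and not the nfs-utils patch itself): given a `klist -k` listing, prefer the computer UPN `<HOSTNAME>$@REALM` and only fall back to a `host/` SPN when it is absent. The helper name `pick_machine_principal`, the `EXAMPLE.TEST` realm, the sample listing and the fallback choice are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/ib5.example.test@EXAMPLE.TEST
   2 host/ib5@EXAMPLE.TEST
   2 IB5$@EXAMPLE.TEST'

# pick_machine_principal HOSTNAME REALM   (hypothetical helper)
# Reads a `klist -k` listing on stdin and prints the principal to request
# the machine TGT for: the computer UPN <HOSTNAME>$@REALM when the keytab
# holds it, otherwise the first host/ SPN for this host (the fallback is an
# assumption of this example). Returns 1 if neither is present.
pick_machine_principal() {
    short=${1%%.*}                                    # strip the DNS domain
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$short" | tr '[:upper:]' '[:lower:]')
    # Principals are column 2 of the lines whose column 1 is a numeric KVNO.
    principals=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    upn="${upper}\$@$2"
    # Fixed-string, whole-line match so "$" and "." are not treated as regex.
    if printf '%s\n' "$principals" | grep -Fxq -- "$upn"; then
        printf '%s\n' "$upn"
        return 0
    fi
    spn=$(printf '%s\n' "$principals" | awk -v h="$lower" -v r="$2" '
        BEGIN { bare = "host/" h "@" r; fqdn = "host/" h "." }
        $0 == bare { print; exit }
        index($0, fqdn) == 1 &&
            substr($0, length($0) - length(r)) == "@" r { print; exit }')
    [ -n "$spn" ] || return 1
    printf '%s\n' "$spn"
}

# Usage: klist -k /etc/krb5.keytab | pick_machine_principal "$(hostname)" REALM
```
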