We appear to have the Isilon talking to Red Hat's IPA / IdM using Kerberos, as nfs4 and
krb5 work, so I assume this will work with FreeIPA.
Do the LDAP part as described elsewhere.
If you have access to RH support kbase, based on RHEL6 notes for non-IPA joined NFS
servers (See Debian10 NFS server example),
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/...
On an IPA master, obtain a Kerberos ticket as an IPA admin.
kinit admin
Add the Isilon host,
ipa host-add tststocoisnfs01.odstest.xxxxxx.ac.nz
And add nfs service,
ipa service-add-host nfs/tststocoisnfs01.odstest.xxxxxx.ac.nz --hosts=tststocoisnfs01.odstest.xxxxxx.ac.nz
Check,
ipa service-show nfs/tststocoisnfs01.odstest.xxxxxx.ac.nz
You should see "false" for the keytab initially.
Delegate DNS. Allow the Isilon to manage its round-robin DNS as it has 6 IPs,
ipa host-add-managedby tststocoisnfs01.odstest.xxxxxx.ac.nz --hosts=tststocoisnfs01.odstest.xxxxxx.ac.nz
Create the other keytabs the Isilon wants (there will be 4, host, HTTP, nfs and hdfs)
ipa service-add hdfs/tststocoisnfs01.odstest.xxxxxx.ac.nz
ipa service-add HTTP/tststocoisnfs01.odstest.xxxxxx.ac.nz
Generate the 4 keytabs,
ipa-getkeytab -p nfs/tststocoisnfs01.odstest.xxxxxx.ac.nz@ODSTEST.xxxxxx.AC.NZ -k ~/tststocoisnfs01-nfs.keytab
ipa-getkeytab -p HTTP/tststocoisnfs01.odstest.xxxxxx.ac.nz@ODSTEST.xxxxxx.AC.NZ -k ~/tststocoisnfs01-HTTP.keytab
ipa-getkeytab -p host/tststocoisnfs01.odstest.xxxxxx.ac.nz@ODSTEST.xxxxxx.AC.NZ -k ~/tststocoisnfs01-host.keytab
ipa-getkeytab -p hdfs/tststocoisnfs01.odstest.xxxxxx.ac.nz@ODSTEST.xxxxxx.AC.NZ -k ~/tststocoisnfs01-hdfs.keytab
(seems to complain if all 4 are not done)
keytab should now be true
scp the 4 keytabs to the Isilon.
Run the Isilon CLI to import these 4. (I will add more as I have the commands)
So far RHEL8, RHEL7, CentOS 7 and Debian10 NFS clients mount nfs4 using Kerberos fine.
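
An added check, not part of the original post: a small Python parser for the MIT keytab file format (version 0x0502) that confirms the generated keytabs carry the expected host, HTTP, nfs and hdfs principals before they are copied to the Isilon. The hostname nas01.example.test, the realm EXAMPLE.TEST and all function names are assumptions made for this example, and the sample keytabs are constructed.

```python
import struct

SERVICES = ("host", "HTTP", "nfs", "hdfs")  # the four the post says the Isilon wants

def _counted(buf, off):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                        # negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(rec, off)
            parts.append(part)
        off += 8                             # skip name type and timestamp
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen                    # skip the key material itself
        if len(rec) - off >= 4:              # trailing 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(parts) + "@" + realm, kvno, enctype))
    return entries

def missing_principals(keytabs, fqdn, realm):
    """Expected service principals that appear in none of the keytab byte strings."""
    found = {p for kt in keytabs for p, _, _ in parse_keytab(kt)}
    return [p for p in (f"{s}/{fqdn}@{realm}" for s in SERVICES) if p not in found]

def build_entry(principal, kvno, enctype=18, key=b"\0" * 32):  # builds sample data only
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm) + b"".join(map(cs, name.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: four keytabs, the hdfs one issued for a mistyped hostname.
SAMPLE = [b"\x05\x02" + build_entry(f"{s}/{h}@EXAMPLE.TEST", 1)
          for s, h in zip(SERVICES, ["nas01.example.test"] * 3 + ["nas01.example"])]
print(missing_principals(SAMPLE, "nas01.example.test", "EXAMPLE.TEST"))
```

Read each generated file with `open(path, "rb").read()` and pass the byte strings in. ipa-getkeytab generates new keys on every run unless `-r` is given, so rerunning it for a principal invalidates any keytab retrieved earlier for that principal.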