On Wed, 12 Feb 2014, Ondrej Valousek wrote:
> Well not exactly.
> rpc.gssd (i.e. NFS client side) does need a TGT. Kerberized NFS server (i.e.
> rpc.svcgssd) is just happy with the ServicePrincipal.

Sure, although if you just roll this out as standard policy for joining
machines to the domain, having the nfs/fqdn UPN setup all over the shop won't
break anything, and it's a rare requirement to need another UPN for a machine.
If you do, there are ways of having even more UPNs for a single host.

> To make the long story short, you have 3 options now:
> 1. Have the nfs-utils maintainers fix this bug for you :)
> 2. Use short hostname
> 3. Define UserServicePrincipal computer attribute in AD and add something
> like "nfs/fqdn". This will allow Gssd to obtain a TGT using that principal.

Personally, I think taking both option 1 *and* 3 is the best solution.
jh