On Tue, 20 Oct 2015, Ondrej Valousek wrote:
Hi all,
Just put together a few findings about kerberized NFS & AD. See here:
https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sss...
For people hosting NFS/krb5 on EL6, there certainly used to be problems if you
had PAC enabled on the server for users who were members of many groups.
The solution is to disable PAC for services on that host via
userAccountControl.
userAccountControl: 33624064
That then causes fun, as Samba on EL6 can't cope with PAC being disabled. Cue
fun with running two AD objects per server, and merging of keytabs such that
you can have PAC on Samba and not on NFS.
userAccountControl: 69632
jh
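
Added example, not part of the original message: a small Python decoder for the two userAccountControl values quoted above, showing that they differ only in the NO_AUTH_DATA_REQUIRED bit (0x2000000), the flag that tells the KDC to omit the PAC from service tickets. The flag table is a subset of the ADS_UF_* constants from Microsoft's userAccountControl documentation; the function names are made up for this example.

```python
# Added example; flag values are the ADS_UF_* constants from Microsoft's
# userAccountControl documentation (subset relevant to machine/service accounts).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}
NO_AUTH_DATA_REQUIRED = 0x02000000


def decode(value):
    """Return the flag names set in value, lowest bit first; unknown bits as hex."""
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, "UNKNOWN_0x%08X" % bit))
        bit <<= 1
    return names


def pac_disabled(value):
    """True when the KDC will issue tickets for this account without a PAC."""
    return bool(value & NO_AUTH_DATA_REQUIRED)


def changed_flags(before, after):
    """Return (added, removed) flag names going from before to after."""
    return decode(after & ~before), decode(before & ~after)


if __name__ == "__main__":
    # The two values from the message: NFS object (no PAC) and Samba object (PAC).
    for uac in (33624064, 69632):
        print(uac, hex(uac), decode(uac), "PAC disabled:", pac_disabled(uac))
    print("69632 -> 33624064:", changed_flags(69632, 33624064))
```

The same check can be run over an LDAP export of computer objects to find which service accounts have the PAC turned off.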