Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Issue with mount and kerberos authentication.


Hi all, I tried sysadmin with this same question but had no luck, so maybe somebody here can help.

I'm a software engineer and not a sysadmin, but for my current project I need to enable mounting with Kerberos authentication.

My setup is made out of 3 systems.

  1. Windows server 2012 r2 (Active directory/KDC)
  2. Redhat linux 7.2 (Nfs server optimusprime)
  3. Centos 7.2 (Nfs client centos72)

I've installed Samba and Kerberos on both Linux machines and configured them.

I've then added both machines to the Windows server's Active Directory, and then created a keytab file on each machine.

Next I added the nfs/ principal to the Linux machines' keytabs.

Finally I kinit into the AD with the following command on both the server and the client. Below is my client:

    [root@centos72 /]# kinit -k -t /etc/krb5.keytab -S nfs/centos72.car.local@CAR.LOCAL CENTOS72$
    [root@centos72 /]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: CENTOS72$@CAR.LOCAL

    Valid starting       Expires              Service principal
    02/19/2016 10:26:42  02/19/2016 20:26:42  nfs/centos72.car.local@CAR.LOCAL
        renew until 02/26/2016 10:26:42

Then I start my nfs-ganesha server on the server side. If I mount with sec=sys everything works fine, but if I mount with sec=krb5 I get the following:

    [root@centos72 /]# mount -t nfs4 -o sec=krb5 optimusprime:/ /mnt -vvvv
    mount.nfs4: timeout set for Fri Feb 19 12:56:04 2016
    mount.nfs4: trying text-based options 'sec=krb5i,addr=optimusprime,clientaddr=centos72'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting optimusprime:/

And in /var/log/messages:

    Feb 19 11:42:47 centos72 rpc.gssd[694]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
    Feb 19 11:42:47 centos72 rpc.gssd[694]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
    Feb 19 11:42:47 centos72 rpc.gssd[694]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
    Feb 19 11:42:47 centos72 rpc.gssd[694]: process_krb5_upcall: service is '*'
    Feb 19 11:42:47 centos72 rpc.gssd[694]: krb5_use_machine_creds: uid 0 tgtname (null)
    Feb 19 11:42:47 centos72 rpc.gssd[694]: Full hostname for 'optimusprime.hermes.si' is 'optimusprime.hermes.si'
    Feb 19 11:42:47 centos72 rpc.gssd[694]: Full hostname for 'centos72.car.local' is 'centos72.car.local'
    Feb 19 11:42:47 centos72 rpc.gssd[694]: Success getting keytab entry for 'CENTOS72$@CAR.LOCAL'
    Feb 19 11:42:47 centos72 rpc.gssd[694]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_CAR.LOCAL' are good until 1455910074
    Feb 19 11:42:47 centos72 rpc.gssd[694]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_CAR.LOCAL' are good until 1455910074
    Feb 19 11:42:47 centos72 rpc.gssd[694]: using FILE:/tmp/krb5ccmachine_CAR.LOCAL as credentials cache for machine creds
    Feb 19 11:42:47 centos72 rpc.gssd[694]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_CAR.LOCAL
    Feb 19 11:42:47 centos72 rpc.gssd[694]: creating tcp client for server optimusprime.hermes.si
    Feb 19 11:42:47 centos72 rpc.gssd[694]: DEBUG: port already set to 2049
    Feb 19 11:42:47 centos72 rpc.gssd[694]: creating context with server nfs@optimusprime.hermes.si
    Feb 19 11:42:47 centos72 gssproxy: gssproxy[681]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
    Feb 19 11:42:47 centos72 rpc.gssd[694]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@optimusprime.hermes.si
    Feb 19 11:42:47 centos72 rpc.gssd[694]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_CAR.LOCAL for server optimusprime.hermes.si
    Feb 19 11:42:47 centos72 rpc.gssd[694]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server optimusprime.hermes.si

And I am stuck at this point. I have no idea what the issue might be. I can see both computers in the Active Directory and I can see that both computers have the NFS principal. Both machines have keytabs that I created with "net ads keytab create" and those keytabs are filled with the correct principals, so I have no idea what is blocking the connection.

I would appreciate any help you can give.

submitted by /u/Adilicious
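As an added example (it is not part of the post above and not code from nfs-utils, gssproxy or Samba), the Python script below parses the rpc.gssd lines quoted in the post together with a constructed `klist -k` listing for the client keytab, and reports the facts a practitioner verifies first when a sec=krb5 mount is refused: the GSS error text, whether the principal rpc.gssd reported taking from the keytab is actually present in it, and which realm the client library would look the server's nfs/ principal up in. Without a matching [domain_realm] entry in /etc/krb5.conf or a referral from the KDC, MIT Kerberos treats the upper-cased DNS domain of the service host as its realm; the `domain_realm` dictionary argument models that section. The keytab listing and the `domain_realm` values are constructed sample data, not taken from the poster's systems.

```python
import re

# Lines from the post's /var/log/messages excerpt, abridged to the ones the checks use.
GSSD_LOG = """\
Feb 19 11:42:47 centos72 rpc.gssd[694]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Feb 19 11:42:47 centos72 rpc.gssd[694]: Full hostname for 'optimusprime.hermes.si' is 'optimusprime.hermes.si'
Feb 19 11:42:47 centos72 rpc.gssd[694]: Full hostname for 'centos72.car.local' is 'centos72.car.local'
Feb 19 11:42:47 centos72 rpc.gssd[694]: Success getting keytab entry for 'CENTOS72$@CAR.LOCAL'
Feb 19 11:42:47 centos72 rpc.gssd[694]: using FILE:/tmp/krb5ccmachine_CAR.LOCAL as credentials cache for machine creds
Feb 19 11:42:47 centos72 rpc.gssd[694]: creating context with server nfs@optimusprime.hermes.si
Feb 19 11:42:47 centos72 gssproxy: gssproxy[681]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Feb 19 11:42:47 centos72 rpc.gssd[694]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@optimusprime.hermes.si
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output on the client (not from the post).
CLIENT_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CENTOS72$@CAR.LOCAL
   2 host/centos72.car.local@CAR.LOCAL
   2 nfs/centos72.car.local@CAR.LOCAL
"""


def parse_keytab(text):
    """Return the principals listed by `klist -k`, skipping the header lines."""
    principals = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.append(m.group(1))
    return principals


def parse_gssd(text):
    """Pull the machine principal, the target server and any GSS error out of rpc.gssd output."""
    info = {"machine_principal": None, "server_host": None, "failure": None}
    for line in text.splitlines():
        m = re.search(r"Success getting keytab entry for '([^']+)'", line)
        if m:
            info["machine_principal"] = m.group(1)
        m = re.search(r"creating context with server nfs@(\S+)", line)
        if m:
            info["server_host"] = m.group(1)
        m = re.search(r"Unspecified GSS failure\.\s*(.*)$", line)
        if m:
            info["failure"] = m.group(1).strip()
    return info


def expected_realm_for_host(host, domain_realm):
    """Realm libkrb5 picks for a service host: the longest matching [domain_realm] entry
    (entries starting with '.' match a whole domain, others match one host), otherwise
    the host's DNS domain in upper case (the default when no mapping or referral applies)."""
    host = host.lower().rstrip(".")
    best = None
    for pattern, realm in domain_realm.items():
        p = pattern.lower()
        hit = host.endswith(p) if p.startswith(".") else host == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, realm)
    if best:
        return best[1]
    return host.split(".", 1)[1].upper() if "." in host else ""


def check(gssd, keytab_principals, domain_realm):
    """Return (code, message) findings; an empty list means nothing looked inconsistent."""
    findings = []
    if gssd["failure"]:
        findings.append(("GSS_FAILURE", gssd["failure"]))
    mp = gssd["machine_principal"]
    if mp and mp not in keytab_principals:
        findings.append(("KEYTAB_MISSING", f"{mp} is not in the client keytab"))
    if mp and gssd["server_host"]:
        client_realm = mp.rsplit("@", 1)[1]
        server_realm = expected_realm_for_host(gssd["server_host"], domain_realm)
        if server_realm != client_realm:
            findings.append(("REALM_MISMATCH",
                             f"nfs/{gssd['server_host']} would be requested in realm {server_realm}, "
                             f"but the client's credentials are in {client_realm}"))
    return findings


if __name__ == "__main__":
    gssd = parse_gssd(GSSD_LOG)
    keytab = parse_keytab(CLIENT_KEYTAB)
    # Constructed example of a [domain_realm] section mapping the server's domain to the AD realm.
    mapping = {".hermes.si": "CAR.LOCAL"}
    for label, dr in (("no [domain_realm] mapping", {}), ("with .hermes.si mapped", mapping)):
        print(f"== {label} ==")
        for code, msg in check(gssd, keytab, dr):
            print(f"{code}: {msg}")
```

Run it against real systems by replacing the two embedded strings with the output of `grep rpc.gssd /var/log/messages` and `klist -k /etc/krb5.keytab`, and the `mapping` dictionary with what /etc/krb5.conf actually contains; a REALM_MISMATCH finding tells you which realm the library will ask for the server's ticket in, which is what to compare against the realm the nfs/ principal was registered in.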
