Enduser doc kerberos

From Linux NFS

Latest revision as of 09:42, 7 June 2010

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

To use Kerberos with NFS you need to set up both the server and the client in your realm.

We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. The Kerberos Infrastructure HOWTO (http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html) is a good reference for configuring and starting the Kerberos KDC.


Server Setup

The server needs to be identified to the KDC with a principal of

nfs/<fqdn>@REALM

On the NFS server you can run kadmin, authenticate as kadmin/admin, and create the principal together with its keytab entry:

# kadmin
kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd nfs/myclient.mydomain

On Debian you should enable the NFS server GSSAPI daemon in /etc/default/nfs-kernel-server:

NEED_SVCGSSD=yes

Check /etc/idmapd.conf
In the [General] section the Domain value should be the real name of your domain. The value "localdomain" is not a keyword meaning "your local domain"; it is a misguided attempt at documentation!

 Domain = your-domain.com

If your REALM is not the same as your lowercased DNS domain you can add:

 Local-Realm = <REALM>

(This is not documented)

As of May 2010, according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568771, you should edit /etc/krb5.conf and put the following in the [libdefaults] section:

 allow_weak_crypto=true

This is a work in progress and may be resolved around Linux 2.6.35 or later.

Restart nfs-kernel-server and nfs-common.

Client Setup

The client must present some kind of principal at mount time. This can be a user or an entry in the keytab: either a host/<fqdn>@REALM principal or an nfs/<fqdn>@REALM principal.

Both the ID-mapper daemon and the GSSAPI daemon should be running. The init scripts may start them after parsing /etc/fstab, or you can force them on in /etc/default/nfs-common:

 NEED_IDMAPD=yes
 NEED_GSSD=yes

Under Debian you may find that adding debug options in /etc/default/nfs-common helps:

 RPCGSSDOPTS="-vvv -rrr"

(May 2010): The client also needs allow_weak_crypto in the [libdefaults] section of /etc/krb5.conf:

 allow_weak_crypto=true

Check /etc/idmapd.conf
Same as on the server: if you get user-ID mapping issues, check that this is correct.

Restart nfs-common.

Mounting

NFSv4 can use Kerberos security to provide:

  • authentication
  • integrity
  • privacy

These are specified on the client side using:

  • sec=krb5
  • sec=krb5i
  • sec=krb5p

respectively, e.g.:

mount -t nfs4 -o sec=krb5p nfs-server.domain.com:/ /nfs4/

See the Exporting Directories section of Nfsv4_configuration (Nfsv4_configuration#Exporting_directories) for more details on the exports file syntax.

External Links

The constraint of using -e des-cbc-crc:normal for keytab entries of nfs/<fqdn> principals is not needed (see the thread below):

 http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html

Explanation of enctypes:

 http://blogs.sun.com/wfiveash/resource/krb_enctypes_so8.pdf

From the Debian NEWS.Debian.gz entry referred to above:

 (1.8+dfsg~alpha1-1

 This version of MIT Kerberos disables DES and 56-bit RC4 by default.
 These encryption types are generally regarded as weak; defeating them
 is well within the expected resources of some attackers.  However,
 some applications, such as OpenAFS or Kerberized NFS, still rely on
 DES.  To re-enable DES support add allow_weak_crypto=true to the
 libdefaults section of /etc/krb5.conf

 Sam Hartman <hartmans@debian.org>  Fri, 08 Jan 2010

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
  3. Do not use uppercase characters for machine names, in Kerberos and/or in the host naming solution (DNS). This is not a good idea, and not only for NFS with Kerberos.
  4. At present, NFS using Kerberos authentication does not work with multiple network interfaces on the same machine.
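The checks this page asks for by hand (the idmapd Domain in the Server and Client Setup sections, allow_weak_crypto in [libdefaults], and warnings 2 and 3 above) can be scripted. The following is an added example and is not part of the Linux NFS wiki page or of the nfs-utils project; the sample files it writes under $SAMPLE_DIR are constructed for the demonstration, and the domain, realm and IP values in them are made up. To lint a real host, call the functions with /etc/idmapd.conf, /etc/krb5.conf and /etc/hosts instead.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: lint a host's NFS/Kerberos
# configuration against the points the page makes. Sample files are
# constructed below so the script runs offline.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == sec  { in_sec = 1; next }      # entered the wanted section
        line ~ /^\[/ { in_sec = 0; next }      # any other section header
        in_sec && line ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "", line); print line; exit
        }' "$1"
}

# idmapd_domain_ok FILE: 0 if [General] Domain is set and is not the
# "localdomain" placeholder the page warns about.
idmapd_domain_ok() {
    d=$(ini_get "$1" General Domain)
    [ -n "$d" ] && [ "$d" != "localdomain" ]
}

# weak_crypto_enabled FILE: 0 if allow_weak_crypto = true in [libdefaults]
# (what the Debian NEWS entry quoted on the page requires for DES-only NFS keys).
weak_crypto_enabled() {
    [ "$(ini_get "$1" libdefaults allow_weak_crypto)" = "true" ]
}

# name_is_lowercase NAME: 0 if NAME contains no uppercase characters (warning 3).
name_is_lowercase() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# hosts_ok FILE IP SHORTNAME: 0 if the line for IP names an FQDN first and
# SHORTNAME does not appear on the 127.0.0.1 line (warning 2).
hosts_ok() {
    awk -v ip="$2" -v short="$3" '
        /^[ \t]*#/ { next }
        $1 == ip { seen = 1; if ($2 !~ /\./) bad = 1 }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == short) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }' "$1"
}

# --- constructed sample files (made-up domain, realm and addresses) -----------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/idmapd.bad.conf" <<'EOF'
[General]
Domain = localdomain
EOF
cat > "$SAMPLE_DIR/idmapd.good.conf" <<'EOF'
[General]
Verbosity = 0
Domain = example.com
Local-Realm = EXAMPLE.COM

[Mapping]
Nobody-User = nobody
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
cat > "$SAMPLE_DIR/hosts.good" <<'EOF'
127.0.0.1   localhost
192.0.2.10  nfsclient.example.com nfsclient
EOF
cat > "$SAMPLE_DIR/hosts.bad" <<'EOF'
# short name on the localhost line and listed before the FQDN: both wrong
127.0.0.1   localhost nfsclient
192.0.2.10  nfsclient nfsclient.example.com
EOF

# check LABEL CMD ARGS...: run one check and report its result.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fi
}

check "idmapd Domain (good sample)"     idmapd_domain_ok "$SAMPLE_DIR/idmapd.good.conf"
check "idmapd Domain (bad sample)"      idmapd_domain_ok "$SAMPLE_DIR/idmapd.bad.conf"
check "allow_weak_crypto in krb5.conf"  weak_crypto_enabled "$SAMPLE_DIR/krb5.conf"
check "machine name is lowercase"       name_is_lowercase "nfsclient.example.com"
check "/etc/hosts layout (good sample)" hosts_ok "$SAMPLE_DIR/hosts.good" 192.0.2.10 nfsclient
check "/etc/hosts layout (bad sample)"  hosts_ok "$SAMPLE_DIR/hosts.bad"  192.0.2.10 nfsclient
```

The hosts check only looks at the 127.0.0.1 line, as the warning above describes; extend it to ::1 if your hosts file maps the short name there too.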

FAQ

  • Issue: Mounting an NFS volume gives an error message and the syslog or dmesg shows
    "RPC: Couldn't create auth handle (flavor 390003)"
  • Solution: Try 'modprobe rpcsec_gss_krb5' on the client.
  • Issue: Enabling users other than root (e.g. bob) to access the nfs4 mount. The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
  • Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then, on the client, run kinit as user bob.
  • Issue: Mounting gives "permission denied". Starting rpc.gssd with verbose output (-vv) shows failed credentials for the short hostname of the server (not the FQDN). nslookup returns the FQDN for the reverse lookup, but dig -x <IP> returns only the hostname (probably a BIND9 configuration problem).
  • Solution: Add entries with the FQDN to /etc/hosts (or fix the BIND9 configuration problem. How?).
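The first two FAQ entries give exact syslog strings, so their triage can be automated. The following is an added example and is not part of the Linux NFS wiki page or of nfs-utils; it matches the messages quoted above and prints the remedy the FAQ gives for each. The lines in SAMPLE_LOG are constructed for the demonstration (timestamps, host name and pid are made up); on a real client, pipe the log in instead, e.g. grep -h -e 'RPC:' -e 'rpc.gssd' /var/log/messages | triage_gss_log.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: map the client-side syslog
# symptoms quoted in the FAQ to the remedy the FAQ gives.

# classify_gss_line LINE: print a remedy code for a symptom the FAQ lists,
# or "ignore" for any other line.
classify_gss_line() {
    case $1 in
        *"Couldn't create auth handle (flavor 390003)"*)
            echo modprobe_rpcsec_gss_krb5 ;;
        *"No credentials cache found"*|*"Failed while limiting krb5 encryption types"*)
            echo kinit_as_user ;;
        *)  echo ignore ;;
    esac
}

# uid_from_line LINE: print the uid from an rpc.gssd "... for user with uid N ..."
# warning, or nothing if the line carries none.
uid_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*with uid \([0-9][0-9]*\).*/\1/p'
}

# triage_gss_log: read log lines on stdin, print one remedy per relevant line.
triage_gss_log() {
    while IFS= read -r line; do
        case $(classify_gss_line "$line") in
            modprobe_rpcsec_gss_krb5)
                echo "kernel cannot build a krb5 auth handle: run 'modprobe rpcsec_gss_krb5' on the client" ;;
            kinit_as_user)
                echo "uid $(uid_from_line "$line") has no Kerberos ticket: create the principal on the KDC, then run kinit as that user" ;;
        esac
    done
}

# count_remedies: number of remedy lines produced for SAMPLE_LOG.
count_remedies() {
    printf '%s\n' "$SAMPLE_LOG" | triage_gss_log | grep -c .
}

# Constructed sample log: the message texts are the ones quoted in the FAQ,
# everything else (time, host, pid, the final unrelated line) is made up.
SAMPLE_LOG=$(cat <<'EOF'
Jun  7 09:40:01 nfsclient kernel: RPC: Couldn't create auth handle (flavor 390003)
Jun  7 09:41:12 nfsclient rpc.gssd[1234]: WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)
Jun  7 09:41:12 nfsclient rpc.gssd[1234]: WARNING: Failed while limiting krb5 encryption types for user with uid 3333
Jun  7 09:42:00 nfsclient kernel: nfs: server nfs-server.domain.com OK
EOF
)

printf '%s\n' "$SAMPLE_LOG" | triage_gss_log
```

The third FAQ entry (failed credentials for the short hostname) is not matched because the page does not quote the exact rpc.gssd text for it; add a pattern once you have seen it in your own -vv output.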