There are many reasons this could be failing. First verify that rpc.gssd is running on the client and rpc.svcgssd is running on the server. Running these daemons with option "-vvv" will produce extra debugging output which may give more information about the problem.

What to look at next depends on the messages that you see...

• Verify that your hostnames are correct. The hostname command should return a fully-qualified hostname that has a correct DNS reverse-mapping (either through DNS or the /etc/hosts file).
• Verify there is a keytab entry for nfs/<hostname>@REALM in your keytab file (/etc/krb5.keytab).
• Verify your Kerberos configuration file has the proper mapping from the DNS hostname to the correct realm. The [domain_realm] stanza of the /etc/krb5.conf needs to have a mapping from the DNS domain to the correct REALM. For example, if your nfs server's hostname is 'foo.abc.org' and your Kerberos realm name is 'ALPHABET.ORG', then you need an entry like the following in /etc/krb5.conf on the nfs client machine:

  [domain_realm]
    .abc.org = ALPHABET.ORG
  

Both mount points are treated the same. The security of the one mounted first will be used. So mounting with AUTH_SYS and then AUTH_GSS will result in both using AUTH_SYS. Mounting with AUTH_GSS and then AUTH_SYS will result in both using AUTH_GSS.

This message can be safely ignored. It has been removed in newer versions of the gssapi mechanism glue code.

This message means that the rpcsec_gss code is not included in the kernel. Either the option wasn't selected or it was compiled as a module and the module hasn't been inserted into the kernel.

ALL accesses as root on a Linux client (uid=0) currently use the machine credentials, not any credentials obtained via kinit. We plan to change this behavior when moving to use the new key ring kernel support to store credentials and contexts.

The kernel code caches the gssapi context that was negotiated using the Kerberos credentials. Destroying the credentials does not destroy the context in the kernel. We plan to change this behavior when moving to use the new key ring kernel support to store credentials and contexts.

We're working on it! The plan is to have it working ASAP.

Check to see that you have the nfs service listed in your /etc/services file.

nfs             2049/tcp        nfsd            # Network File System
nfs             2049/udp        nfsd            # Network File System

The first thing to do is look at Mike Eisler's blog entry about this.

If your /etc/krb5.conf has "enctype" lines such at the following, they should be removed!. See this Microsoft Support entry for one reason why. In general, these lines should never be used unless there is a specific reason to use them.

        default_tkt_enctypes = des-cbc-md5; or des-cbc-crc
        default_tgs_enctypes = des-cbc-md5; or des-cbc-crc

The SPKM-3 support is still not complete. There is experimental kernel code, but more work is needed for the user-level library.

LIPKEY depends on SPKM-3. When the SPKM-3 support is complete, (see above) it should not be much more effort to add LIPKEY support.

You can choose between the default nsswitch method, or use our experimental method described here.

The following script (run as root) will list the mappings from the server's cache.

#!/bin/sh
echo "Name-id cached entries:"
cachedir=/proc/net/rpc/nfs4.idtoname
cat ${cachedir}/content

The following script (run as root) will list and then flush the mappings from the server's cache. (There is currently no way to flush the client's mappings.)

#!/bin/sh
cachedir=/proc/net/rpc/nfs4.idtoname
echo "Flushing server name-id cache"
echo "Before:"
cat ${cachedir}/content
echo `date +'%s'` >${cachedir}/flush
echo "After:"
cat ${cachedir}/content