Just noticed another problem with the new way to handle key tabs...

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 NOBUR01$@AD.LIU.SE
   1 RestrictedKrbHost/nobur01.it.liu.se@AD.LIU.SE
   1 RestrictedKrbHost/NOBUR01@AD.LIU.SE
   1 HOST/NOBUR01@AD.LIU.SE
   1 nfs/nobur01.ad.liu.se@AD.LIU.SE
   1 nfs/NOBUR01@AD.LIU.SE
   1 host/nobur01.it.liu.se@AD.LIU.SE

Notice how it uses .ad.liu.se for DNS principal instead of .it.liu.se for the nfs principal... This breaks the NFS server.

(This is with my patch for host/ principals, otherwise that one would have been with an uppercase HOST/)

smb.conf:
  sync machine password to keytab = /etc/krb5.keytab:account_name:spn_prefixes=nfs:sync_spns:sync_kvno:sync_etypes:machine_password

# uname -a
FreeBSD nobur01 15.0-RELEASE-p2 FreeBSD 15.0-RELEASE-p2 GENERIC amd64

# egrep nobur01 /etc/hosts
130.236.8.52 nobur01.it.liu.se nobur01
2001:6b0:17:2400::8:52 nobur01.it.liu.se nobur01
172.28.128.11 nobur01.console.it.liu.se

# host 130.236.8.52
52.8.236.130.in-addr.arpa domain name pointer nobur01.it.liu.se.

# host nobur01.ad.liu.se
Host nobur01.ad.liu.se not found: 3(NXDOMAIN)

# host nobur01.it.liu.se
nobur01.it.liu.se has address 130.236.8.52
nobur01.it.liu.se has IPv6 address 2001:6b0:17:2400::8:52

The AD realm/domain is AD.LIU.SE though...
Found a workaround:

net ads setspn nfs/nobur01.it.liu.se
net ads keytab create

But I still see that incorrect nfs/nobur01.ad.liu.se entry.
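
A check for the mismatch reported above, as an added example that is not part of the original report or of Samba: it reads `klist -k` output and prints every service principal whose dotted host part differs from the machine's DNS name, returning non-zero if any is found. The function names `check_keytab_spns` and `sample_klist` are hypothetical; the sample listing is the one from the post.

```shell
#!/bin/sh
# Added example (not from the report): flag keytab SPNs whose DNS host part
# does not match the expected FQDN.
# Real use: klist -k | check_keytab_spns "$(hostname -f)"

check_keytab_spns() {
    expected_fqdn=$1
    awk -v fqdn="$expected_fqdn" '
        BEGIN { fqdn = tolower(fqdn); bad = 0 }
        # Entry lines start with a numeric KVNO; header lines do not.
        $1 ~ /^[0-9]+$/ {
            # Scan fields so extra columns (klist -t / -e) do not confuse us.
            for (i = 2; i <= NF; i++) {
                if ($i !~ "^[^/@]+/[^/@]+@") continue   # want service/host@REALM
                spn = $i
                sub(/@.*/, "", spn)                       # drop the realm
                host = tolower(substr(spn, index(spn, "/") + 1))
                # Dot-free hosts are short-name SPNs; only dotted names are
                # compared against the DNS name.
                if (index(host, ".") > 0 && host != fqdn) {
                    print $i
                    bad = 1
                }
            }
        }
        END { exit bad }
    '
}

# Keytab listing copied from the report, used as offline sample input.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 NOBUR01$@AD.LIU.SE
   1 RestrictedKrbHost/nobur01.it.liu.se@AD.LIU.SE
   1 RestrictedKrbHost/NOBUR01@AD.LIU.SE
   1 HOST/NOBUR01@AD.LIU.SE
   1 nfs/nobur01.ad.liu.se@AD.LIU.SE
   1 nfs/NOBUR01@AD.LIU.SE
   1 host/nobur01.it.liu.se@AD.LIU.SE
EOF
}

sample_klist | check_keytab_spns nobur01.it.liu.se \
    || echo "keytab contains SPNs that do not match the DNS name" >&2
```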