How to configure Kerberos/NFSv4 on a shared IP address


Kerberos requires working forward and reverse DNS lookup for the name being authenticated, and /etc/krb5.keytab on the NFS server must contain the service principal (nfs/<fqdn>@REALM) that clients will authenticate against.


Ensure that each host already has PAM/nslcd/nsswitch configured for LDAP lookup, and that it can already serve NFSv4 with Kerberos on its own (non-shared) IP address. The steps below only add the shared-IP identity on top of a working setup.

From a Windows host:

Configure forward (A) and reverse (PTR) DNS records for the shared IP address, e.g.

Create a computer account in Active Directory with the same name as the shared-IP hostname (shared-ip).

Set the SPN on the computer account:
setspn -A nfs/

Export the keytab (this maps the nfs/ SPN to the computer account, sets a random password on it and writes the keys for all supported encryption types):
ktpass /princ nfs/ /out krb5.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser DOMAIN\shared-ip$ +setupn +rndPass +setpass +answer

Copy the same keytab file to each of the Linux hosts. Run ktpass only once: every run with +rndPass/+setpass resets the account password and increments the key version number (kvno) in AD, so any keytab exported earlier stops working.

On the Linux hosts:

Set the following parameter in /etc/sysconfig/nfs so that the kernel NFS server starts its GSS daemon:

Move the existing keytab out of the way (the file keeps its root-only permissions when moved):
mv /etc/krb5.keytab /tmp

Copy the keytab generated above to /etc/krb5.keytab, owned by root with mode 0600. If the host's previous keytab held other principals that are still needed (for example a host/ principal used by sshd), merge the new nfs/ entries into it with ktutil instead of replacing the file.

Restart the NFS services so that the server picks up the new keytab:
service nfs restart
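The following pre-flight script is an added example and is not part of the original article. It checks, on a Linux host, that the installed keytab really carries the nfs/ principal for the shared-IP name, reports the kvno stored in it (to compare with the computer account's msDS-KeyVersionNumber if authentication fails after a ktpass re-run), and that forward and reverse DNS for the shared IP agree. The hostname shared-ip.example.com, the address 192.0.2.10 and the realm EXAMPLE.COM are hypothetical, and the embedded klist listing is constructed so the parsing functions can be exercised without a keytab or a resolver.

```bash
#!/bin/sh
# Added example, not from the original article. Hypothetical values below.
SHARED_FQDN="shared-ip.example.com"
SHARED_IP="192.0.2.10"
REALM="EXAMPLE.COM"
KEYTAB="/etc/krb5.keytab"

# Constructed sample of "klist -k /etc/krb5.keytab" output. ktpass with
# /crypto All writes one entry per encryption type, all with the same
# principal and KVNO, which is why the principal repeats.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/shared-ip.example.com@EXAMPLE.COM
   3 nfs/shared-ip.example.com@EXAMPLE.COM
   3 nfs/shared-ip.example.com@EXAMPLE.COM
   3 nfs/shared-ip.example.com@EXAMPLE.COM
   3 nfs/shared-ip.example.com@EXAMPLE.COM'

# expected_principal FQDN REALM: the name the NFS server looks up in the keytab
expected_principal() {
    printf 'nfs/%s@%s\n' "$1" "$2"
}

# keytab_principals LISTING: unique principals in a "klist -k" listing
# (entry lines start with a numeric KVNO; header lines do not)
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {print $2}' | sort -u
}

# keytab_has_principal LISTING PRINCIPAL: exit 0 if PRINCIPAL is present
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# keytab_kvno LISTING PRINCIPAL: highest KVNO stored for PRINCIPAL (0 if none).
# Each ktpass run with +rndPass/+setpass bumps the account's key version in
# AD, so a keytab exported before the last run will show an older kvno here.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p && $1+0 > max {max = $1+0} END {print max+0}'
}

# dns_roundtrip FQDN IP: forward lookup must return IP and the reverse lookup
# of IP must return FQDN. Needs a resolver, so it is not run offline.
dns_roundtrip() {
    fwd=$(getent ahostsv4 "$1" | awk '{print $1; exit}')
    rev=$(getent hosts "$2" | awk '{print $2; exit}')
    [ "$fwd" = "$2" ] && [ "$rev" = "$1" ]
}

# check_host: run the live checks against the real keytab and DNS
check_host() {
    princ=$(expected_principal "$SHARED_FQDN" "$REALM")
    listing=$(klist -k "$KEYTAB") || return 1
    if ! keytab_has_principal "$listing" "$princ"; then
        echo "missing $princ in $KEYTAB" >&2
        return 1
    fi
    echo "found $princ (kvno $(keytab_kvno "$listing" "$princ"))"
    if ! dns_roundtrip "$SHARED_FQDN" "$SHARED_IP"; then
        echo "forward/reverse DNS for $SHARED_FQDN / $SHARED_IP disagree" >&2
        return 1
    fi
}

# Live checks only when asked for; the functions above can be exercised
# against SAMPLE_KLIST without a keytab, KDC or resolver.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh check-nfs-keytab.sh --live` on each Linux host after installing the keytab and before restarting NFS; a missing principal or a kvno that does not match the computer account is the usual reason an otherwise correct setup fails with a GSS error.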


Red Hat Enterprise Linux 6.3

Created: 24th July 2012
Updated: 24th July 2012

