How to configure Kerberos/NFSv4 on a shared IP address

Issue

Kerberos authentication for NFSv4 needs the service name that clients mount to resolve both forward and reverse in DNS, and /etc/krb5.keytab on the server to hold a key for the matching service principal. When the NFS service floats between cluster nodes on a shared IP address, the default principal that rpc.svcgssd looks for (nfs/<node hostname>@REALM) does not match the shared name, so every node needs a keytab entry and an rpc.svcgssd configuration for nfs/<shared name>@REALM instead.

Resolution

Ensure that each host has pam/nslcd/nsswitch configured for LDAP lookup (so the user and group names carried in the Kerberos principals map to the same UIDs and GIDs on every node), and that the host already serves NFSv4 with Kerberos correctly on its own IP address before the shared address is added.

From a Windows host:

Configure forward and reverse DNS lookup on the shared IP address e.g. shared-ip.domain.com

Create a computer account in Active Directory with the same name (shared-ip).

Register the SPN on the computer account (the SPN must exist on exactly one account; a duplicate registered elsewhere breaks authentication, so query it first with setspn -Q)
setspn -A nfs/shared-ip.domain.com shared-ip


Generate the keytab for the principal and map it to the computer account
ktpass /princ nfs/shared-ip.domain.com@DOMAIN.COM /out krb5.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser DOMAIN\shared-ip$ +setupn +rndPass +setpass +answer

Two caveats on this command. +rndPass resets the account password (and bumps the key version), so run ktpass once and distribute that single keytab to every node; running it per node invalidates the keytabs produced earlier. -desonly flags the account "Use Kerberos DES encryption types only"; DES is weak and is disabled by default in MIT krb5 1.8 and later (allow_weak_crypto = false), so omit it unless the NFS stack on both client and server is limited to DES. The keytab holds the account's long-term key: treat it like a private key, transfer it over scp, and keep it root-only.


Copy the same keytab, over a secure channel, to each of the Linux hosts

On the Linux hosts:

Set the following parameter in /etc/sysconfig/nfs so rpc.svcgssd accepts the shared principal instead of the node's own nfs/<hostname> principal (also make sure SECURE_NFS is set to yes in the same file; otherwise the RHEL 6 init script does not start rpc.svcgssd at all)
RPCSVCGSSDARGS="-p nfs/shared-ip.domain.com@DOMAIN.COM"


Move the existing keytab aside (the file keeps its 0600 mode, but /tmp is a shared directory, so prefer a root-only location for the copy; if the node's keytab already holds host/ or other entries that nslcd/sssd rely on, merge the new keys in with ktutil instead of replacing the file)
mv /etc/krb5.keytab /tmp


Copy the keytab generated above to /etc/krb5.keytab, owned by root with mode 0600, and confirm with klist -k that nfs/shared-ip.domain.com@DOMAIN.COM is listed (kinit -k with that principal proves the key matches the account before NFS is touched)

Restart NFS services
service nfs restart
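The Linux side of the procedure end to end, as an added example that is not from the original article: a POSIX shell script for one cluster node that merges the ktpass keytab into /etc/krb5.keytab, checks that the shared name resolves forward and reverse, verifies the principal and its encryption types in the keytab, proves the key against the KDC with kinit, rewrites /etc/sysconfig/nfs and only then restarts NFS. It uses the article's placeholder names; the path /root/shared-ip.keytab for the copied keytab and the .bak backup name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: install the ktpass keytab on one
# cluster node, then verify DNS, keytab contents and the KDC before restarting NFS.
# Names below are the article's placeholders; NEW_KEYTAB (where the copied ktpass
# output was dropped) is an assumption.
set -eu

FQDN="shared-ip.domain.com"
PRINC="nfs/$FQDN@DOMAIN.COM"
KEYTAB="/etc/krb5.keytab"
NEW_KEYTAB="/root/shared-ip.keytab"
SYSCONFIG="/etc/sysconfig/nfs"

# Text helpers (input on stdin, result as exit status or stdout) so they can be
# exercised offline against sample klist / sysconfig output.

# Does `klist -k -e` output on stdin list principal $1 at all?
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Does principal $1 have at least one non-DES key? An account made with ktpass
# -desonly ends up with only des-cbc-* keys, which krb5 refuses unless
# allow_weak_crypto = true. Handles both klist -e label styles:
# "(des-cbc-crc)" and "(DES cbc mode with CRC-32)".
keytab_has_strong_key() {
    awk -v p="$1" '
        $2 == p {
            et = tolower(substr($0, index($0, "(")))
            if (et !~ /^\((des-cbc-|des cbc mode)/) strong = 1
        }
        END { if (strong) exit 0; exit 1 }'
}

# Rewrite /etc/sysconfig/nfs text from stdin: force SECURE_NFS="yes" (the RHEL 6
# init script only starts rpc.svcgssd when it is set) and point rpc.svcgssd at $1.
# Commented-out defaults are replaced in place; keys that are absent are appended.
render_nfs_sysconfig() {
    awk -v princ="$1" '
        /^[# \t]*SECURE_NFS=/     { if (!s) print "SECURE_NFS=\"yes\""; s = 1; next }
        /^[# \t]*RPCSVCGSSDARGS=/ { if (!r) print "RPCSVCGSSDARGS=\"-p " princ "\""; r = 1; next }
        { print }
        END {
            if (!s) print "SECURE_NFS=\"yes\""
            if (!r) print "RPCSVCGSSDARGS=\"-p " princ "\""
        }'
}

# Forward and reverse DNS must agree for the shared name, or clients and KDC derive
# a different service principal than the one in the keytab.
check_dns() {
    ip=$(getent hosts "$FQDN" | awk '{ print $1; exit }')
    [ -n "$ip" ] || { echo "no address for $FQDN" >&2; return 1; }
    rev=$(getent hosts "$ip" | awk '{ print $2; exit }')
    [ "$rev" = "$FQDN" ] || { echo "reverse of $ip is '$rev', not $FQDN" >&2; return 1; }
}

install_shared_keytab() {
    check_dns
    # Merge rather than overwrite: the node's own host/ keys (used by LDAP/GSSAPI)
    # survive, and nothing is parked in world-readable /tmp.
    rm -f "$KEYTAB.new"
    if [ -f "$KEYTAB" ]; then
        cp -p "$KEYTAB" "$KEYTAB.bak"
        printf 'rkt %s\nrkt %s\nwkt %s\n' "$KEYTAB" "$NEW_KEYTAB" "$KEYTAB.new" | ktutil
    else
        cp "$NEW_KEYTAB" "$KEYTAB.new"
    fi
    chown root:root "$KEYTAB.new"
    chmod 0600 "$KEYTAB.new"
    mv "$KEYTAB.new" "$KEYTAB"
    klist -k -e "$KEYTAB" | keytab_has_principal "$PRINC" || { echo "$PRINC missing from $KEYTAB" >&2; exit 1; }
    klist -k -e "$KEYTAB" | keytab_has_strong_key "$PRINC" || echo "warning: only DES keys for $PRINC" >&2
    # Prove the key matches the account's current kvno/password before touching NFS.
    kinit -k -t "$KEYTAB" "$PRINC"
    kdestroy
    render_nfs_sysconfig "$PRINC" < "$SYSCONFIG" > "$SYSCONFIG.new"
    mv "$SYSCONFIG.new" "$SYSCONFIG"
    service nfs restart
}

# Only act when invoked with --apply; sourcing the file just defines the helpers.
if [ "${1:-}" = "--apply" ]; then
    install_shared_keytab
fi
```

Run it as root with --apply on each node after the keytab has been copied into place; a failed DNS check, a missing principal or a kinit failure stops the script before NFS is restarted, so a node never comes up with a broken Kerberos configuration.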


Products

Red Hat Enterprise Linux 6.3

Created: 24th July 2012
Updated: 24th July 2012

© 2005-2024 Jamie Morrison