On pe, 08 kesä 2018, Zane Zak via FreeIPA-users wrote:

I know that this is not the ideal list for NFS questions, but I'm not sure of a better one.

I'm exploring NFSv4 with kerberos security, all tied into FreeIPA.

My question is whether or not the NFSv4 clients need nfs service principals. Obviously the NFSv4 server needs both, but the client side is where I'm confused.

Some documentations say the client needs both a host and nfs service principal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...

Other documentations say the client needs just a host principal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...

Any clarification would be appreciated.

You don't need more than host/... principal on the client side.

You can check rpc.gssd manual page. It says:

------------------------------------------------------------------------ rpc.gssd searches in the following order for a principal to use. The first matching credential is used. For the search, <hostname> and <REALM> are replaced with the local sys‐ tem's hostname and Kerberos realm.

<HOSTNAME>$@<REALM> root/<hostname>@<REALM> nfs/<hostname>@<REALM> host/<hostname>@<REALM> root/<anyname>@<REALM> nfs/<anyname>@<REALM> host/<anyname>@<REALM>

The <anyname> entries match on the service name and realm, but ignore the hostname. These can be used if a principal matching the local host's name is not found.

Note that the first principal in the search order is a user principal that enables Kerberized NFS when the local system is joined to an Active Directory domain using Samba. A password for this principal must be provided in the local system's keytab. --------------------------------------------------------------------------------

The documentation links you point are for two different versions of RHEL. RHEL7 documentation basically corresponds to rpc.gssd man page. The older documentation wasn't updated.