On 20 October 2015 at 12:33, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Hi all,
Just put together a few findings about kerberized NFS & AD. See here:
https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-a...
Thanks for this, I've had another attempt to get an AD-sssd Linux client (CentOS 6.7) to connect to our Isilon cluster kerberized, but am not having much luck. When I try the mount I get:
mount.nfs: access denied by server while mounting .....
Upping idmapd verbosity to 9, I get the following (here EXAMPLE.COM is our long domain name, where a user would be joebloggs@EXAMPLE.COM, and AD.INT is the short domain name):
https://gist.github.com/jberanek/3c8a1a10704b6200dc1d
The only thing that doesn't quite fit from your guidance is that the FQDN used to access the Isilon is actually a load-balanced A record, where every time you look up the name you get a different IP, with a different reverse lookup...
e.g.
nfs.siteb.isilon.example.com -> 10.20.30.34 -> pool-00-04.siteb.example.com
Any ideas?
Cheers,
John