[Samba] samba 3 a 4 with kerberized nfs4

Wed Jan 25 10:50:06 MST 2012

Hi
openSUSE 12.1 server and client.
I can't get the s4 fileserver nor uid:gid mappings working with s4. I 
used nfs and idmapd instead. It's working, but I've a couple of qns.

1. Server fqdn hh3.hh3.site Samba 4, DNS and NFS4
I set up the nfs server with GSSAPI as in this screenshot:
http://2.bp.blogspot.com/-IspbLnfxizc/Txsp-Z1z1tI/AAAAAAAAADk/lsgel498elg/s1600/yastnfs1.png
The nfs server would not start until I had made a nfs principal and 
stuck it in the keytab. Then I could mount the share and users were 
mapped correctly, home directory permissions OK etc. (I'd previously 
adder Linux attributes to LDAP). Everything fine so far.
klist -k /etc/krb5.keytab
    1 nfs/hh3.hh3.site at HH3.SITE
    1 nfs/hh3.hh3.site at HH3.SITE
    1 nfs/hh3.hh3.site at HH3.SITE

2. Client. fqdn hh6.hh3.site, Samba 3.6 smb.conf:
workgroup = CACTUS
realm = HH3.SITE
security = ADS
kerberos method = system keytab

Join the domain:
net ads join -U Administrator
net ads keytab add nfs

klist -k /etc/krb5.keytab
    1 host/hh6.hh3.site at HH3.SITE
    1 host/hh6.hh3.site at HH3.SITE
    1 host/hh6.hh3.site at HH3.SITE
    1 host/hh6 at HH3.SITE
    1 host/hh6 at HH3.SITE
    1 host/hh6 at HH3.SITE
    1 HH6$@HH3.SITE
    1 HH6$@HH3.SITE
    1 HH6$@HH3.SITE
    1 nfs/hh6.hh3.site at HH3.SITE
    1 nfs/hh6.hh3.site at HH3.SITE
    1 nfs/hh6.hh3.site at HH3.SITE
    1 nfs/hh6 at HH3.SITE
    1 nfs/hh6 at HH3.SITE
    1 nfs/hh6 at HH3.SITE

mount -t nfs4 hh3:/ /home
Amazingly still OK. Samba 4 users can login, get correctly mapped files, 
edit etc.

I now mv the keytab and recreate it _without_ nfs. It still mounts!

Why does the server(s4) need the nfs principal but the client(s3) not?
How can I tell if Kerberos is working?

Cheers,
Steve