[Samba] Kerberized-nfs4 home-dir stopped working

[Kees van Vloten]

Hi Team,


I have been using Kerberized nfs4 between 2 domain-members successfully 
since August last year.

All machines are Debian 11. The NFS-server and the desktop run with 
stock Samba 4.13.

Two days ago while I was working on the desktop-machine nfs stopped 
communicating. After rebooting the desktop I can login with my domain 
credentials on the console (not graphical as it requires home-dir 
access) but the home-dir is not there.

- wbinfo reports active connection (on all 3 items).

- klist in my user on the desktop shows a valid ticket and if I login on 
the nfsserver I get a valid ticket there as well

- system time is in sync on both machines

- resolving of domain users,groups,hosts through getent works fine, i.e. 
winbind is working on both sides

- On the DCs (I run Louis' 4.15.7 here) I have auditing enabled but 
audit.log does not show any failures, while trying to access /home from 
the desktop

/home on the desktop gets mounted by autofs with the equivalent of:

mount -t nfs4 -o rw,soft,sync,nodev,exec,nosuid,noatime,fsc,sec=krb5p 
nfsserver.example.com:/home /home

Exports on the nfsserver:

# Root path
/srv/nfs 
192.168.1.0/24(rw,root_squash,no_subtree_check,fsid=0,crossmnt,sec=krb5p)
# Share paths
/srv/nfs/home 
192.168.1.0/24(rw,sync,root_squash,no_subtree_check,crossmnt,sec=krb5p)

Where /srv/nfs/home is a bind-mount to /home

Unfortunately I have not found a way to find some useful logging on 
either side.

In the end I replaced sec=krb5p on both sides (exports and autofs) with 
sec=sys and then there is immediately access. That tells me the problem 
must be related to Kerberos, which was my initial suspicion due to the 
way it stopped working 2 days ago (nothing changed in the configurations 
on either side).

What would be the next thing to investigate?

- Kees.