# Strange behavour with GSSAPI and Kerberized NFS



## freddano (Nov 1, 2018)

Hello,
I'm a new user of FreeBSD - I recently installed FreeBSD 11.2 p4, and I use it as a backup- and fileserver using Samba48 and bacula. I also play around with it. 

I've joined the machine to a Samba domain and log in with winbind with domain users works using GSSAPI. NFSv4 with kerberos also works, after I created spns and upns using msktutil on the DC (running debian on a Raspberry Pi3). I mount the ad-users homedirectories using nfsv4 and kerberos from an Ubuntu server, also connected to the domain.

However, logging from sshd with GSS and mounting of kerberized nfs (other than the users homedirs) works ONLY if I also has a have a kerberos ticket as Administrator issued to root at the FreeBSD server. I can actually mount the share, only I can't do anything with it. (Not even ls works - it behaves quite like the problem described in the handbook. But restarting mountd doesn't work). I can still login, however not using GSS, only with password. 

It is quite baffling - I've tried using heimdal kerberos, mit kerberos, locked my self out of the system by messing up /etc/pam.d/ etc. etc. Nothing other than "su - ; kinit Administrator@DOMAIN.AD" remedies the situation. 

Obviously, both kerberos and nfs works - as does winbind-integration. I
I wonder if anyone has encountered anything like this and can Point me in the right direction?

Best regards,
Fredrik


----------



## freddano (Dec 5, 2018)

Well, don't I feel like a moron now. The problem was resolved by installing k5start and using a keytab exported with samba-tool on the domain controller. 

I'm Writing this if someone in the future has the same problem and is about to give up. Don't! There is a solution!

/Fredrik


----------

