yast and fstab won't accept "sec=" option for nfs mount

I am trying to automatically mount an active directory share using fstab on boot and then use kerberos to authenticate users trying to access it. The goal is to have secure access to the active directory shares without having to enter a password because each user is authenticated using kerberos. I don’t want to actually log in using kerberos, I just want to use kerberos to be used to authenticate me for a few network shares.

I have my krb5.conf set up properly, and I have NFS_SECURITY_GSS=“yes” in my /etc/sysconfig/network/nfs file (I have also tried it with =“no”). I also have my UID and GID matched to the UID and GID active directory is expecting. I also think I have the right packages installed, for instance all the krb5-related packages, most of the nfs packages and most of the pam packages, as well all the packages yast demands for nfs client, samba, and kerberos client.

So what I did was set up my fstab like so (actual addresses and folders were changed for privacy):

server.blah.com:/vol/share	/ad/share	nfs	rw,tcp,nolock,sec=krb5 0 0

I have also tried adding fmask=777,dmask=777 but it didn’t like those.

So when I try to mount I get:

me@me:/ad> sudo mount share/     
pam_mount password:                     
mount.nfs: an incorrect mount option was specified

(since I installed pam I get it asking for my password instead of sudo for some reason, it doesn’t seem to change the end result)

When I set sec=none and sec=sys, it mounts but it won’t give me access (which is logical since I am not being authenticated). krb5i and krb5p give the same error, as does every other sec option besides none and sys.

I initially tried using the yast nfs client configuration, but when I give it the same options it says, “Unknown option: sec” This happens no matter what sec is equal to. There doesn’t appear to be a straightforward way to set up kerberized nfs shares using yast that I can find, and the nfs client configuration doesn’t work at all, so that is why I am resorting to editing config files in the first place.

So does anyone have any suggestions? Why isn’t the mount.nfs accepting my security options? Why isn’t yast nfs client not accepting security options at all? Am I even approaching this the right way? Is there a more effective or more efficient approach? I keep finding conflicting information on how to do this, even from our IT website, but this looks like the most effective to me.

I made some progress. I needed to enable the nfs daemon in the YaST system services configuration, as well as setting NFS_SECURITY_GSS=“yes” in /etc/sysconfig/nfs Doing both of these and rebooting got rid of that error message.

However, when I try to mount now the mount command hangs and I am getting the following error repeated until the mount command times out (from tail -f /var/log/messages/)

Jul 28 19:13:17 mycomputer rpc.gssd[7172]: ERROR: No credentials found for connection to server server.site.com
Jul 28 19:13:17 mycomputer rpc.gssd[7172]: ERROR: No such file or directory while beginning keytab scan for keytab ‘FILE:/etc/krb5.keytab’
Jul 28 19:13:17 mycomputer syslog-ng[1941]: last message repeated 5 times
Jul 28 19:13:17 mycomputer rpc.gssd[7172]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host server.site.com

I know this is because I don’t have a /etc/krb5.keytab file. The IT people at my department say that there isn’t one, and that for nfsv3 I shouldn’t need one. I need to find out how to get rid of this error so I can connect. My guess is either disable the requirement for a keytab or trick the computer into thinking there is a keytab. I don’t know how to do either of these.