I've got a couple of NFSv4 shares (with Kerberos authentication). Most of the time they work quite well, but when there's an issue they can be a pain to fix.
I put this down to them being quite opaque as far as internal operations and error messages go - I can tell it isn't working but can't easily see the details of what's going on. I generally just resort to checking the bread-and-butter issues (clock sync, keytabs correctly installed, etc.) and muddling through.
So I thought I'd throw this question out there: When NFS/Kerberos authentication is failing, what is a good way to get more visibility on what's going on and understand the root cause of the problem?
EDIT
Probably the best way of framing this is:
- What functionality has to work correctly for Kerberized NFS to work.
- What tests can be used to validate that those functions are working fully.
e.g. (here's an incomplete list, please point out what I'm missing)
Environment Prerequisites
- NTP should be configured on server and client, and the date and time on both should be in sync.
- DNS lookups, and reverse lookups for both server and client hostnames must work.
Kerberos Operational
- It should be possible to get a ticket using kinit on both client and server.
NFS Permissions
- The client must match at least one host in /var/exports on the server.
- The client must have a host service principal in /etc/krb5.conf
- The client user must have acquired a user ticket.
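
The DNS, keytab and user-ticket items from the list above can be turned into a client-side preflight script. This is an added example, not part of the original question; it assumes MIT Kerberos `klist`, glibc `getent`, and a keytab at `/etc/krb5.keytab`, and the function names and the script name are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos client tools,
# glibc getent, and a keytab at /etc/krb5.keytab (read access needs root).
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
LOOKUP=${LOOKUP:-getent hosts}   # resolver command; swap in a stub to test offline

# fcrdns_ok HOST: forward-resolve HOST, reverse-resolve that address, and
# require the reverse name to equal HOST (compared case-insensitively).
fcrdns_ok() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    addr=$($LOOKUP "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    got=$($LOOKUP "$addr" | awk 'NR == 1 { print tolower($2) }')
    [ "$got" = "$want" ]
}

# keytab_has SERVICE HOST: read `klist -k` output on stdin and succeed if it
# lists a SERVICE/HOST@REALM principal.
keytab_has() {
    awk -v p="$1/$2@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Wrappers that run the real tools on this machine.
local_keytab_has() { klist -k "$KEYTAB" 2>/dev/null | keytab_has "$1" "$2"; }
user_has_ticket()  { klist -s; }   # exit status 0 only with a valid, unexpired cache

# report LABEL CMD...: run one check, print ok/FAIL, remember any failure.
report() {
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; rc=1; fi
}

main() {
    server=$1; me=$(hostname -f); rc=0
    report "forward/reverse DNS for $me"      fcrdns_ok "$me"
    report "forward/reverse DNS for $server"  fcrdns_ok "$server"
    report "host/$me in $KEYTAB"              local_keytab_has host "$me"
    report "user ticket in credential cache"  user_has_ticket
    return "$rc"
}

# Run the checks only when a server name is given: ./nfs-krb-preflight.sh SERVER
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it as root for the keytab check and as the affected user for the ticket check; a `FAIL` line names the prerequisite to investigate first.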