January 10th, 2016 11:00
OneFS 7.2.1.1: NFS + LDAP + Kerberos: mounting works, but cannot access files (permission denied)
Hi,
I'm trying to set up NFS with OpenLDAP (no AD) and MIT Kerberos on OneFS 7.2.1.1.
LDAP and NFS(v4) work fine with sec=sys.
I added the kerberos configuration (including creating SPNs) and changed the export to sec=krb5.
Mounting the share with 'mount -t nfs -o sec=krb4,vers=4 nfs.isilon.fs.domain.tld:/ifs/export/test /mnt' does work (so I assume the SPNs are set up correctly), but accessing files and directories does not (permission denied).
The user has a valid ticket (klist shows entries for ktgt@REALM and nfs/nfs.isilon.fs.domain.tld@REALM).
'ls -l' does show the correct user and group names for the directory. The directory is owned by my user, but I cannot access it. So I changed the mode to grant access to others (777) and created a file (touch foobar). It belongs to nobody.
The same client does work with a Linux file server using the same LDAP server and KDC.
I started rpc.gssd with the verbose option and compared the log output of the Linux server (working) and the Isilon (not working):
These are the only differences (besides the different SPN names of both systems):
Linux server:
< prepare_krb5_rfc4121_buffer: protocol 0
< prepare_krb5_rfc4121_buffer: serializing key with enctype 23 and size 16
< doing downcall lifetime_rec 2419193
---
Isilon:
> prepare_krb5_rfc4121_buffer: protocol 1
> prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> doing downcall lifetime_rec 2419187
I'm not sure if this is a Kerberos or a user mapping issue.
Do I have to set up some user mapping between LDAP uid=juser and Kerberos principal juser@REALM?
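The two checks a practitioner would run on a case like the one above, as an added example that is not part of the original post: parse the rpc.gssd verbose output of both hosts and name the encryption types that differ, and check whether the client principal's primary component (the part before '@') matches an LDAP uid exactly. The log lines and the uid set in the block are constructed, modelled on the post; the enctype numbers are the IANA-assigned values from RFC 3961/3962/4757, and the "protocol" field is read as whatever rpc.gssd printed, without interpreting it.

```python
"""
Added example (not from the original post): compare two rpc.gssd verbose logs
and check a Kerberos principal against a set of LDAP uids.
The log text and the uid set below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (rc4-hmac)",
}

# Constructed gssd -vvv excerpts, modelled on the lines quoted in the post.
LINUX_LOG = """\
prepare_krb5_rfc4121_buffer: protocol 0
prepare_krb5_rfc4121_buffer: serializing key with enctype 23 and size 16
doing downcall lifetime_rec 2419193
"""
ISILON_LOG = """\
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall lifetime_rec 2419187
"""

_PROTOCOL = re.compile(r"prepare_krb5_rfc4121_buffer: protocol (\d+)")
_ENCTYPE = re.compile(r"serializing key with enctype (\d+) and size (\d+)")
_LIFETIME = re.compile(r"doing downcall lifetime_rec (\d+)")


def parse_gssd_log(text: str) -> Dict[str, int]:
    """Pull protocol, enctype, key size (bytes) and lifetime out of gssd output."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        if m := _PROTOCOL.search(line):
            found["protocol"] = int(m.group(1))
        if m := _ENCTYPE.search(line):
            found["enctype"] = int(m.group(1))
            found["key_bytes"] = int(m.group(2))
        if m := _LIFETIME.search(line):
            found["lifetime"] = int(m.group(1))
    return found


def diff_negotiations(working: Dict[str, int], failing: Dict[str, int]) -> List[str]:
    """List the fields that differ between two parsed logs, naming enctypes."""
    notes: List[str] = []
    for key in ("protocol", "enctype", "key_bytes"):
        a, b = working.get(key), failing.get(key)
        if a == b:
            continue
        if key == "enctype":
            a = f"{a} ({ENCTYPE_NAMES.get(a, 'unknown')})"
            b = f"{b} ({ENCTYPE_NAMES.get(b, 'unknown')})"
        notes.append(f"{key}: working={a} failing={b}")
    return notes


def principal_primary(principal: str) -> str:
    """'juser@REALM' -> 'juser'; 'nfs/host.example@REALM' -> 'nfs/host.example'."""
    return principal.rsplit("@", 1)[0]


def principal_maps_to_uid(principal: str, ldap_uids: Iterable[str]) -> Optional[str]:
    """Return None if the principal's primary is an LDAP uid, else a reason it is not."""
    uids = set(ldap_uids)
    primary = principal_primary(principal)
    if primary in uids:
        return None
    if "/" in primary:
        return f"'{primary}' is a service principal, not a user"
    by_lower = {u.lower(): u for u in uids}
    if primary.lower() in by_lower:
        return f"case mismatch: principal '{primary}' vs LDAP uid '{by_lower[primary.lower()]}'"
    return f"no LDAP uid matches principal '{primary}'"


if __name__ == "__main__":
    for note in diff_negotiations(parse_gssd_log(LINUX_LOG), parse_gssd_log(ISILON_LOG)):
        print(note)
    # Constructed uid set; in practice this comes from ldapsearch output.
    print(principal_maps_to_uid("juser@REALM", {"juser", "alice"}))
```

Run against real output, feed it the text of `rpc.gssd -vvv` from each host and the `uid` values returned by `ldapsearch` for the users in question; a non-None result from `principal_maps_to_uid` is the first thing to fix before looking at the server side, while an enctype difference points at the keytab and krb5.conf enctype settings on the two file servers.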