LinuxQuestions.org
Forum: Linux - Networking
03-05-2015, 04:26 PM   #1
afasoas
LQ Newbie
Registered: Oct 2012
Location: UK
Distribution: Ubuntu, Lubuntu
Posts: 16
NFS, Kerberos and VPN


Hi,

I hope posting this topic on this board is acceptable. I can see there are possibly two others in which it is also a logical fit.

In short, I have kerberised NFS shares which work fine on my local network. But over VPN it is a different matter.

The shares are hosted on Ubuntu Server 14.04.1 using NFS4. The Ubuntu Server is also the KRB5 KDC.

The clients have the following Kerberos Principals:
host/host.domain@KRB.REALM
etc.

When I'm connected directly to the network, hosts get their domain name via DHCP. Away from home and connected via VPN they don't, and consequently kinit fails with:

"kinit: Cannot determine realm for host (principal host/hostname@)".

I'm figuring I either need to tweak the kerberos configuration or change the way hosts get their FQDNs?

Any pointers would be appreciated.
Thanks
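
The failure mode in the post, modelled as an added example (this is not code from the thread or from MIT krb5 itself): a simplified version of the host-to-realm mapping that krb5.conf documents for its [domain_realm] section, with DNS-based lookup (dns_lookup_realm / _kerberos TXT records) and libkrb5's exact internal fallback order deliberately left out so it runs offline. The krb5.conf texts are constructed; KRB.REALM and host.domain are the placeholders used above. It shows that a hostname which has lost its DNS domain matches no [domain_realm] entry, so the realm comes out empty and the principal ends in "@", and that either a default_realm in [libdefaults] or a hostname that carries the domain again resolves it.

```python
"""Model how krb5 turns host/<hostname> into a principal with a realm.

Added illustration only; not code from the thread or from MIT krb5.
The krb5.conf texts below are constructed for this example.
"""


def parse_krb5_conf(text):
    """Minimal parser for flat "[section]" / "key = value" lines.

    Brace-nested blocks (the per-realm stanzas under [realms]) are
    skipped: the lookup below only needs [libdefaults] and [domain_realm].
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if depth > 0 or "{" in line or "}" in line:
            depth += line.count("{") - line.count("}")
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def realm_for_host(conf, hostname):
    """Return the realm attached to host/<hostname>, or "" if none applies.

    Order modelled here (simplified, DNS lookups omitted):
      1. exact hostname entry in [domain_realm]
      2. each parent domain, with or without its leading dot
      3. default_realm from [libdefaults]
    An empty result is the failing case seen in the thread: host/hostname@
    """
    host = hostname.rstrip(".").lower()
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm", "")


def host_principal(conf, hostname):
    """Principal name as kinit would print it, realm possibly empty."""
    host = hostname.rstrip(".").lower()
    return f"host/{host}@{realm_for_host(conf, hostname)}"


# Constructed client krb5.conf: the realm is only derivable from a
# hostname that still carries the LAN's DNS domain.
CONF_LAN_ONLY = """
[libdefaults]
    dns_lookup_realm = false
[domain_realm]
    .domain = KRB.REALM
    domain  = KRB.REALM
[realms]
    KRB.REALM = {
        kdc = host.domain
        admin_server = host.domain
    }
"""

# Same file with a default_realm, so a bare hostname still gets a realm.
CONF_WITH_DEFAULT = CONF_LAN_ONLY.replace(
    "[libdefaults]", "[libdefaults]\n    default_realm = KRB.REALM")


if __name__ == "__main__":
    lan = parse_krb5_conf(CONF_LAN_ONLY)
    fixed = parse_krb5_conf(CONF_WITH_DEFAULT)
    for name in ("laptop.domain", "laptop"):
        print("on LAN config:  ", host_principal(lan, name))
        print("with default:   ", host_principal(fixed, name))
```

Run it and the bare hostname under the LAN-only config prints `host/laptop@`, the shape of the error in the post; the same hostname with a default_realm, or the hostname with its domain restored, prints `host/laptop@KRB.REALM`. The two fixes the post is weighing correspond to the two inputs: either give the client its FQDN again over the VPN (DHCP option or a static entry), or make the mapping independent of DNS by setting default_realm and a [domain_realm] entry.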

03-06-2015, 05:32 PM   #2
dijetlo
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2
As long as internal DNS is advertising your KDCs (normally domain controllers), it shouldn't be a problem; they should pick up the DNS pointer at the gateway on their first service query.
You have to make sure they sync to the local NTP at the gateway, or the KDC is not going to grant them TGTs (it won't even answer the request for a TGT and you get a similar error), because their timestamp and the KDC's timestamp are separated by a value greater than the KDC's drift parameter. Or you could reset the KDC's drift parameter to some ginormous number and hope for the best, but that kind of defeats the purpose of using Kerberos in the first place.
Check the local time on one of the failing supplicants against the KDC's local time.

You can try locking them all into the same ntp.pool, but that only works if the client remains in contact for its intermittent syncs with the pool; as soon as it doesn't (somebody turns off their computer, for example) you'll have a repeat of the same issue until they do.


03-09-2015, 08:25 AM   #3
afasoas
LQ Newbie
Registered: Oct 2012
Location: UK
Distribution: Ubuntu, Lubuntu
Posts: 16
Original Poster
Thank you for that dijetlo. That gives me a few pointers as to what/where the problem might be.
A