如果客户端使用客户端 UPN 而不是用户 UPN ，则 NFS 的 Kerberos 身份验证将失败

适用场景

• 采用 Kerberos 的 NFS
• ONTAP 9

问题描述

• 使用挂载卷时 sec=krb5，挂载将失败，并显示“Access Denied (拒绝访问)”错误。

mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.x.x.x,clientaddr=10.x.x.x'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 10.x.x.x:/test_kerberos

• 客户端系统发送客户端UPN (host/<client FQDN>@<KERBEROS REALM>) 而不是用户UPN)。
• ONTAP 报告以下错误

node1     ERROR      secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
  [  4 ms] Acquired NFS service credential for logical interface 1061 (SPN='nfs/LIF.domain.com@domain.com').
  [    6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
  [    6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
  [    6] Unix User Name found in Name Service Negative Cache
  [    8] Unable to map SPN 'host/client1.domain@domain'
**[    8] FAILURE: Unable to map Kerberos NFS user 'host/client1.domain@domain' to appropriate UNIX user
  [   12] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916
node1      ERROR      secd.kerberos.lookupFailed: Unable to map Kerberos user (host/client1.domain@domain) to appropriate UNIX user on Vserver (vs1).