[an error occurred while processing this directive]

Configuring NFSv4.1 door with GSS-API support

Adding sec=krb5 into /etc/exports is not sufficient to get kerberos authentication to work.

All clients, pool nodes and node running NFSv4.1 door must have a valid kerberos configuration. Each clients, pool node and node running NFSv4.1 door must have a /etc/krb5.keytab with nfs service principal:

nfs/host.domain@<YOUR.REALM>

The /opt/d-cache/etc/dcache.conf on pool nodes and node running NFSv4.1 door must enable kerberos and RPCSEC_GSS:

nfs.rpcsec_gss=true
dcache.authn.kerberos.realm=<YOUR.REALM>
dcache.authn.jaas.config=/opt/d-cache/etc/gss.conf
dcache.authn.kerberos.key-distribution-center-list=your.kdc.server

The /opt/d-cache/etc/gss.conf on pool nodes and node running NFSv4.1 door must configure Java’s security module:

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useKeyTab=true
keyTab="${/}etc${/}krb5.keytab"
debug=false
storeKey=true
principal="nfs/host.domain@<YOUR.REALM>";
};

Now your NFS client can securely access dCache.