Kerberos#Domain_creation Where does logging.* = CONSOLE end up? As far as I can see, this completely breaks logging.
Kerberos#Create_client_principals "Finally, copy /etc/krb5.keytab from the server to the client: # scp kbserver.example.com:/etc/krb5.keytab /etc/krb5.keytab" DO NOT DO THIS. YOUR CLIENTS SHOULD NOT HAVE THE SERVER KEYS. Same thing in the NFS section.
In my opinion, configuring your firewall and DNS are not advanced topics, but very common ones used in most secure server configurations. If you feel strongly, feel free to explain your reasoning.
Is using `-o sec=krb5` or similar in the mount command ever required? I use `mount -t nfs4 -o vers=4.2 host:/path /path` for sec=krb5p exports.
Finally, I kind of want to remove those "certdepot" references, since they advise copying the server's entire keytab to all clients...
Maybe it's just me, but following these instructions resulted in a setup that couldn't mount NFSv4. After a couple of days' worth of fiddling, it works if the client machines have their own host/<client> principals and *that* is added to the machine's keytab, while nfs/<host> principals belong only on the NFS server. I feel like the instructions tell you to set things up otherwise, which ended up causing rpc.gssd to complain about invalid tickets constantly. This could maybe be a bit more clear, unless I'm just stupid. --Skrylar (talk) 12:07, 5 November 2018 (UTC)
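The keytab layout discussed above can be checked mechanically. The following is an added example, not part of any comment here or of the wiki article: it parses the MIT keytab file format (version 0x0502) and reports every entry on a client that is not that client's own host/<client> principal. The function names, the host client.example.com, the realm EXAMPLE.COM and the sample keytabs are constructed for illustration.

```python
import struct

def _counted(data, pos):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def list_principals(data):
    """Principal names stored in a version 0x0502 keytab (bytes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, names = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # deleted entry: skip the hole
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        names.append("/".join(comps) + "@" + realm)
        pos += size                       # name type, kvno and key are not needed
    return names

def unexpected_entries(data, client_fqdn):
    """Entries other than host/<client_fqdn>: keys this client should not hold."""
    want = "host/" + client_fqdn.lower() + "@"
    return [n for n in list_principals(data) if not n.lower().startswith(want)]

def build_entry(principal, realm):
    """Constructed sample data only: one entry with a dummy all-zero key."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, 1)                # name type, timestamp, kvno
    body += struct.pack(">H", 18) + counted(bytes(32))  # enctype 18 (AES256), key
    return struct.pack(">i", len(body)) + body

# Constructed samples: a keytab copied from the server vs. the client's own.
COPIED = (b"\x05\x02" + build_entry("host/kbserver.example.com", "EXAMPLE.COM")
          + build_entry("nfs/kbserver.example.com", "EXAMPLE.COM"))
OWN = b"\x05\x02" + build_entry("host/client.example.com", "EXAMPLE.COM")
```

On a real client, pass the bytes of /etc/krb5.keytab to `unexpected_entries` together with the machine's FQDN; a non-empty result means the keytab holds keys for another host or service.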
Keytabs for passwordless kinit
I don't claim to understand too much of this kadmin stuff, but would it be appropriate to move the following section to this article, with some minor edits? Active_Directory_integration#Generating_user_Keytabs_which_are_accepted_by_AD
I found it useful even without joining an AD domain.