NFS 4 Client

Please follow the steps below to configure your personal Linux system(s) for using NFS4 with Kerberos.

Packages

Fedora, CentOS and RHEL

# yum install -y nfs-utils nfs4-acl-tools

Ubuntu

$ sudo apt-get install -y nfs-common nfs4-acl-tools

System Keytab

The NFS4 client in Linux requires a ticket-granting ticket to mount NFS4 shares with Kerberos. To obtain this ticket, a Linux system typically has a keytab file /etc/krb5.keytab with an entry for a computer account. Managed Linux installations from isginf are set up like this.

For personal systems, the user keytab for the ETH user name can be used instead. Install the user-keytab command as described here, then run as root (or via sudo):

user-keytab --user {your ETH user name} --output /etc/krb5.keytab

rpc.gssd

When using a system keytab for an ETH user name, the rpc.gssd service needs to be configured to use a preexisting ticket. This ticket must also be obtained at system startup and renewed regularly.

Fedora, CentOS 7 and RHEL 7

Edit the file /etc/sysconfig/nfs as root and change the line for RPCGSSDARGS to:

RPCGSSDARGS="-n -d /run/gssd:/tmp:/run/user/%U"

Ubuntu

Edit the file /etc/default/nfs-common as root and add the following line at the end:

GSSDARGS="-n -d /run/gssd:/tmp:/run/user/%U"

Then also edit /usr/lib/systemd/scripts/nfs-utils_env.sh and add the following line alongside the other echo commands:

echo GSSDARGS=\"$GSSDARGS\"

systemd

Download the following four files and copy them to /etc/systemd/system as root: kinit-k.service, kinit-k-resume.service, kinit-k-update.service and kinit-k-update.timer.

Copy-paste the following commands into a root shell to download them all:

cd /etc/systemd/system/
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k.service -O kinit-k.service
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k-resume.service -O kinit-k-resume.service
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k-update.service -O kinit-k-update.service
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k-update.timer -O kinit-k-update.timer

All of the services need to know the principal to use in /etc/krb5.keytab. Create the file /etc/gss-principal as root with the following content:

GSSPRINCIPAL={your ETH user name}

Then run the following commands as root to enable and start the services that obtain and renew the ticket:

systemctl daemon-reload
systemctl enable kinit-k.service
systemctl enable kinit-k-resume.service
systemctl enable kinit-k-update.timer
systemctl start kinit-k.service
systemctl start kinit-k-update.timer

Fedora, CentOS 7 and RHEL 7

On the Red Hat distributions, SELinux must be configured to allow rpc.gssd to look in /var/run/gssd. Run the following commands as root to do so:

semanage fcontext -a -t user_tmp_t "/var/run/gssd(/.*)?"
restorecon -RF /run/gssd 

Start the NFS Client

Run the following commands as root to start all NFS client services:

systemctl enable nfs-client.target
systemctl start nfs-client.target

Troubleshooting

If mounting does not work, please check the following:

  • Does /etc/gss-principal exist and does it contain your ETH user name?
  • Does /run/gssd/krb5cc_0 exist? If not then make sure that the kinit-k.service service is enabled and started.
  • Does ps -elf | fgrep rpc.gssd show that rpc.gssd is running with the arguments above?
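
The checklist above as a shell script (an added example, not part of the original page or of isginf's tooling). The function names are made up for this example, and the keytab permission check is an extra not on the page's list: the keytab holds the account's long-term key, so group and other should have no access to it.

```shell
#!/bin/sh
# Added example: the troubleshooting checklist as a script (run as root).
# Each check takes its input as an argument so it can be tried on test files.

# /etc/gss-principal must hold GSSPRINCIPAL=<name>, not the unfilled placeholder.
check_principal() {
    [ -r "$1" ] && grep -Eq '^GSSPRINCIPAL=[^[:space:]{}]+$' "$1"
}

# The ticket cache written by kinit-k.service must exist and be non-empty.
check_ccache() {
    [ -s "$1" ]
}

# rpc.gssd must run with -n and with /run/gssd in its -d search path.
check_gssd_args() {
    case " $1 " in *" -n "*) ;; *) return 1 ;; esac
    case " $1 " in *" -d /run/gssd"*) return 0 ;; esac
    return 1
}

# Extra check (assumption of this example, not on the page's list):
# the keytab must carry no group/other permission bits.
check_keytab_mode() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

run_checks() {
    rc=0
    check_principal /etc/gss-principal || { echo "FAIL: /etc/gss-principal missing or GSSPRINCIPAL not set"; rc=1; }
    check_ccache /run/gssd/krb5cc_0 || { echo "FAIL: no ticket in /run/gssd/krb5cc_0; check kinit-k.service"; rc=1; }
    gssd=$(ps -e -o args | grep '[r]pc\.gssd' | head -n 1)
    check_gssd_args "$gssd" || { echo "FAIL: rpc.gssd not running with -n -d /run/gssd:..."; rc=1; }
    check_keytab_mode /etc/krb5.keytab || { echo "FAIL: /etc/krb5.keytab missing or accessible to group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all checks passed"
    return "$rc"
}

# Only touch the real system when asked to: sh script.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

If the keytab check fails on an existing file, chmod 600 /etc/krb5.keytab as root removes the group and other bits.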

Attachments:

  • kinit-k-resume.service (r1; 0.3 K; 2018-03-09 15:10; StefanWalter)
  • kinit-k-update.service (r1; 0.2 K; 2018-03-09 15:10; StefanWalter)
  • kinit-k-update.timer (r1; 0.1 K; 2018-03-09 15:10; StefanWalter)
  • kinit-k.service (r2, r1; 0.5 K; 2018-05-03 08:04; StefanWalter)

Page URL: https://www.isg.inf.ethz.ch/bin/view/Main/HelpDesktopsAndLaptopsLinuxNfs4Client
2019-07-19
© 2019 Eidgenössische Technische Hochschule Zürich