Register a Linux NFS client with Active Directory

To use Active Directory (AD) as the KDC for your NFS Kerberos configuration, you must create accounts for the client and server in AD and map each account to a principal. For the NFS server, the principal represents the NFS service account; for the NFS client, the principal represents the client host machine.


You must have administrator credentials for the AD domain controller.


  1. Log in to AD.
  2. In Server Manager, go to Tools > Active Directory Users and Computers.
  3. Create a computer account for the client machine (for example, "nfsclient"). Set the password to never expire.
  4. Create an account for a user (optional; this is done only once).
  5. Run the following command to create a keytab file for the NFS service account:
    ktpass -princ host/<fqdn>@REALM.LOCAL +rndPass -mapUser <host>@REALM.LOCAL -mapOp set -crypto All -ptype KRB5_NT_PRINCIPAL -out filename.keytab

    For example, to associate the nfs-ecsnode1 account with the principal host/, you can generate a keytab using:

    ktpass -princ host/ +rndPass -mapUser nfsclient$@NFS-REALM.LOCAL -mapOp set -crypto All -ptype KRB5_NT_PRINCIPAL -out nfsclient.keytab
  6. Import the keytab on the client node:
    ktutil> rkt <keytab to import>
    ktutil> wkt /etc/krb5.keytab
  7. Test registration by running:
    kinit -k host/<fqdn>@NFS-REALM.LOCAL
  8. See the cached credentials by running the klist command.
  9. Delete the cached credentials by running the kdestroy command.
  10. View the entries in the keytab file by running the klist command:
     klist -kte /etc/krb5.keytab
  11. Follow steps 2, 4, and 5 from Configure ECS NFS with Kerberos security to place the Kerberos configuration files (krb5.conf, krb5.keytab and jce/unlimited) on the ECS node.
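The following is an added example, not part of the original procedure or of ECS: a small POSIX shell check for step 10 that parses the text output of klist -kte, confirms the expected host principal is present with an AES key, and lists the RC4 and DES entries that the -crypto All option in step 5 can also write into the keytab. The principal name, the timestamps and the klist output below are constructed sample data.

```shell
#!/bin/sh
# Added example: audit the enctypes in an imported keytab using the
# output of "klist -kte" (format as printed by MIT Kerberos).

# Constructed sample of "klist -kte /etc/krb5.keytab" output. On a real
# client pipe the live command instead:
#   klist -kte /etc/krb5.keytab | check_keytab 'host/<fqdn>@NFS-REALM.LOCAL'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:15:00 host/nfsclient.nfs-realm.local@NFS-REALM.LOCAL (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:15:00 host/nfsclient.nfs-realm.local@NFS-REALM.LOCAL (aes128-cts-hmac-sha1-96)
   3 01/02/2024 10:15:00 host/nfsclient.nfs-realm.local@NFS-REALM.LOCAL (arcfour-hmac)
   3 01/02/2024 10:15:00 host/nfsclient.nfs-realm.local@NFS-REALM.LOCAL (DEPRECATED:des-cbc-md5)'

# keytab_enctypes PRINCIPAL  (reads klist -kte output on stdin)
# Prints one encryption type per line for entries whose principal matches
# PRINCIPAL exactly. Fields: KVNO, date, time, principal, (enctype).
keytab_enctypes() {
    awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# check_keytab PRINCIPAL  (reads klist -kte output on stdin)
# Returns 0 when PRINCIPAL has at least one AES key, 1 when it is missing or
# has only weak keys. DES, RC4/arcfour and DEPRECATED entries are reported
# as WEAK so they can be removed with "ktutil delent" before writing the
# keytab back.
check_keytab() {
    types=$(keytab_enctypes "$1")
    if [ -z "$types" ]; then
        echo "MISSING: $1 not in keytab"
        return 1
    fi
    has_aes=0
    for t in $types; do
        case "$t" in
            aes*) has_aes=1 ;;
            *des*|*arcfour*|*rc4*|DEPRECATED:*) echo "WEAK: $1 ($t)" ;;
        esac
    done
    [ "$has_aes" -eq 1 ] || { echo "NO-AES: $1 has only weak key types"; return 1; }
    echo "OK: $1 has AES keys"
    return 0
}

# Demo on the constructed sample; the script's exit status is the result.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab 'host/nfsclient.nfs-realm.local@NFS-REALM.LOCAL'
```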