Now we need to create a "machine" credential for the Linux NFS client. Currently, Linux 2.6 requires a credential of form:

nfs/hostname@REALM-NAME

You must create a principal as type User. Do NOT create the principal as type Computer. Microsoft's Kerberos Interoperability document says:

Use the Active Directory Management tool to create a new user account for the UNIX host:
* Select the Users folder, right-click and select New, then choose user.
* Type the name of the UNIX host.

We are ultimately going to create a principal of form nfs/hostname@REALM. Above describes host/hostname@REALM.

我们将这个用户起名为 nfsH3CStor (此处用户名随意，我们使用 servicenameHostname 命名)。

The next step requires opening a Command Prompt window on the Windows 2000 server, and mapping nfsScully to its real machine principal,

nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG

The command to do is ktpass, and it is invoked as:

ktpass -princ nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG -mapuser TANGO\nfsH3CStor +rndPass -out h3cnfs.keytab

想办法把这个文件拷贝到 Linux 机器上， kinit 需要用这个文件。别忘了需要用管理员权限执行，否则报很奇怪的错误。如果想不出来办法，可以用 PuTTY PSCP 拷贝。

首先，导入这个 keytab 文件，可以直接拷这个 keytab 到 /etc/krb5.keytab (注意 permission)。

Verify:

<code shell>

[L:h3cstor] ~# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal —- ————————————————————————–

 1 Alex@TANGO.OSQDU.ORG
 1 Alex@TANGO.OSQDU.ORG
 3 nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG
 1 Alex@TANGO.OSQDU.ORG
 1 Alex@TANGO.OSQDU.ORG

</shell>