I have two linux machines. One is a machine behind a typical dynamic IP cable modem + OpenWRT router. The machine behind the NAT regularly updates a forward DNS record via an API call with my provider (ie. there is a dynamic DNS set up to identify this machine). The router forwards port 2049 and 22 to this machine just fine. When a machine on the public internet tries to ssh to this machine using Kerberos authentication, it works thanks to the option
ignore_acceptor_hostname = true
in krb5.conf on both server and client (without this I get "Ticket isn't for us" errors due to reverse dns mismatches).
However, when a machine on the public internet tries to nfs4 mount this machine with security krb5p, it doesn't work and gives
mount.nfs4: access denied by server while mounting my-dynamic-dns.name.here:/home
running rpc.gssd -v -v -v -f on the client machine shows that it is looking up my dynamic dns name, and then reverse looking up that ip address and then trying to get a kerberos principal. Error message looks something like:
WARNING: Failed to create krb5 context for user with uid 0 for server RNS-Record.from.my.isp.goes.here
On the modern internet, where IP addresses are "owned" by providers and everyone is using a VPS etc, there is absolutely NO reason to think that RDNS records mean anything at all.
What I want is for rpc.gssd and other associated nfs4 machinery to NOT try to rnds the IP address, and instead just use the name I provided in the mount command.
Things that WON'T work include modifying /etc/hosts because the ip address is dynamic.
Any suggestions as to how I can configure my public machines to connect to this machine behind a dynamic IP / NAT via NFS4 with kerberos security?
note that in /etc/krb5.conf I do have the line
rdns=false
which prevents kerberos from doing RDNS, but doesn't seem to stop NFS4 from doing the same.