Kerberos authentication for NFS fails when the client uses a client UPN rather than a user UPN
Applies to
- Kerberized NFS
- ONTAP 9
Issue
- When mounting a volume with sec=krb5, the mount fails with an Access denied error:
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.x.x.x,clientaddr=10.x.x.x'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 10.x.x.x:/test_kerberos
- The client system sends a client UPN (host/<client FQDN>@<KERBEROS REALM>) rather than a user UPN; ONTAP reports the error below:
node1 ERROR secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 4 ms] Acquired NFS service credential for logical interface 1061 (SPN='nfs/LIF.domain.com@domain.com').
[ 6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
[ 6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
[ 6] Unix User Name found in Name Service Negative Cache
[ 8] Unable to map SPN 'host/client1.domain@domain'
[ 8] FAILURE: Unable to map Kerberos NFS user 'host/client1.domain@domain' to appropriate UNIX user
[ 12] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916
node1 ERROR secd.kerberos.lookupFailed: Unable to map Kerberos user (host/client1.domain@domain) to appropriate UNIX user on Vserver (vs1).
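To recognise this failure pattern in a secd trace, the following is an added example (not code from the NetApp article or from ONTAP) that parses the trace lines above, extracts the principal the client presented, and flags a host/ principal whose implicitly mapped UNIX user the SVM cannot resolve; the `unix_users` set is an assumed input representing the UNIX users the SVM knows.

```python
import re

# Constructed sample: the secd trace lines quoted in the article above.
SAMPLE_TRACE = """\
[ 4 ms] Acquired NFS service credential for logical interface 1061 (SPN='nfs/LIF.domain.com@domain.com').
[ 6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
[ 6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
[ 6] Unix User Name found in Name Service Negative Cache
[ 8] Unable to map SPN 'host/client1.domain@domain'
[ 8] FAILURE: Unable to map Kerberos NFS user 'host/client1.domain@domain' to appropriate UNIX user
"""

CLIENT_RE = re.compile(r"client = '([^']+)'")
MAP_RE = re.compile(r"Trying to map SPN '([^']+)' to UNIX user '([^']+)'")
FAIL_RE = re.compile(r"FAILURE: Unable to map Kerberos NFS user '([^']+)'")

def split_principal(principal):
    """Split 'primary[/instance][@REALM]' into (primary, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm component present
        name, realm = realm, None
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm

def is_host_principal(principal):
    """True for a machine principal of the form host/<fqdn>@<REALM>."""
    primary, instance, _ = split_principal(principal)
    return primary == "host" and instance is not None

def diagnose(trace, unix_users):
    """Explain a rejected GSS context from a secd trace; unix_users is the
    set of UNIX user names the SVM can resolve (assumed input)."""
    principal = mapped_user = None
    failed = False
    for line in trace.splitlines():
        if m := CLIENT_RE.search(line):
            principal = m.group(1)
        if m := MAP_RE.search(line):
            mapped_user = m.group(2)
        if FAIL_RE.search(line):
            failed = True
    host = principal is not None and is_host_principal(principal)
    if failed and host and mapped_user not in unix_users:
        cause = "host principal presented; no UNIX user %r for implicit mapping" % mapped_user
    else:
        cause = "mapping failed for a user principal" if failed else "no mapping failure"
    return {"principal": principal, "host_principal": host, "unix_user": mapped_user,
            "mapping_failed": failed, "cause": cause}
```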