Hi.

I have a Samba/AD domain consisting of a bunch of Linux servers and Linux workstations, all presently running latest Samba 4.15. My question comes in two parts:

Part 1:

I have a Linux NFS server (nfs1) sharing various volumes to many Linux workstations via Kerberized NFS4, and it's all working great. When I originally set up nfs1, I added a service principal for nfs before mounting would work:

On nfs1:

    net ads keytab add_update_ads nfs/nfs1.FQDN@REALM

This added the nfs service principal to both the local keytab (/etc/krb5.keytab) and on the DC server (samba-tool computer show nfs1 would show the nfs principal).

Now, I'm adding a new nfs server called nfs2. If I do the same thing that I did in the past:

On nfs2:

    net ads keytab add_update_ads nfs/nfs2.FQDN@REALM

... then the service principal gets added to the local /etc/krb5.keytab on nfs2, but if I do:

    samba-tool computer show nfs2

the nfs service principal was NOT automatically added there like before! Since the DC record for nfs2 doesn't have the nfs service principal, a client workstation cannot mount from nfs2.

If instead I do on nfs2:

    net ads setspn add nfs/nfs2.FQDN

then the service principal gets added in the DC server database (samba-tool computer show nfs2 displays it), but is not written to /etc/krb5.keytab. Yet, NFS mounting now works.

I just want to understand:

1. Why does net ads keytab add_update_ads not work like it did before, updating both the /etc/krb5.keytab on the NFS server and the DC database with the nfs2 service principal?

2. Why can a client mount from nfs2 when only the DC has the nfs service principal, and not /etc/krb5.keytab on nfs2? I'm assuming that's because /etc/krb5.keytab has the host/nfs2... entry, and this is a fallback?

Part 2:

nfs2 needs to be able to handle requests for nfs1 for a little bit. If I take nfs1 offline, and add the IP of nfs1 to nfs2, now I can ping either nfs2 or nfs1. Of course clients can't mount from nfs1 name yet because nfs2 needs nfs1 principal.

I tried exporting from the DC host/nfs1.FQDN@REALM and adding it to /etc/krb5.keytab on nfs2, and the mount would not work:

    mount.nfs: Operation not permitted

I then tried exporting from the DC nfs/nfs1.FQDN@REALM and adding it to /etc/krb5.keytab on nfs2, and that didn't work either.

I know that I've done this before, and it worked. Any thoughts as to what I'm missing?

(The machine uses gssproxy, and it seems there is a bug because when enabling debugging on gssproxy, it core dumps, and hence I can't find the details...)

Thanks for any assistance,

Jason.
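An added example, not part of the original post: a shell check that compares the service principals in a saved `klist -k` listing with the servicePrincipalName values in saved `samba-tool computer show` output, the two places the post finds out of sync. The sample outputs, host names and realm are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output on nfs2.
sample_keytab() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfs2.example.com@EXAMPLE.COM
   2 host/NFS2@EXAMPLE.COM
   2 nfs/nfs2.example.com@EXAMPLE.COM
   2 NFS2$@EXAMPLE.COM
EOF
}

# Constructed sample of `samba-tool computer show nfs2` output (LDIF style).
sample_computer() {
cat <<'EOF'
dn: CN=NFS2,CN=Computers,DC=example,DC=com
sAMAccountName: NFS2$
servicePrincipalName: HOST/NFS2
servicePrincipalName: HOST/nfs2.example.com
EOF
}

# Service principals (service/host) from a keytab listing on stdin.
# The @REALM suffix is dropped and names are lowercased, because AD
# compares SPNs case-insensitively. The machine account (NFS2$) is skipped.
keytab_spns() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /\// { sub(/@.*/, "", $2); print tolower($2) }' |
        LC_ALL=C sort -u
}

# servicePrincipalName values from the computer object on stdin, lowercased.
directory_spns() {
    awk -F': ' '$1 == "servicePrincipalName" { print tolower($2) }' |
        LC_ALL=C sort -u
}

# compare_spns KEYTAB_LISTING COMPUTER_SHOW_OUTPUT
# Prints principals that exist on one side only.
compare_spns() {
    cmp_kt=$(mktemp); cmp_ad=$(mktemp)
    keytab_spns < "$1" > "$cmp_kt"
    directory_spns < "$2" > "$cmp_ad"
    LC_ALL=C comm -23 "$cmp_kt" "$cmp_ad" | sed 's/^/keytab-only: /'
    LC_ALL=C comm -13 "$cmp_kt" "$cmp_ad" | sed 's/^/directory-only: /'
    rm -f "$cmp_kt" "$cmp_ad"
}
```

On a real host the two inputs would be the saved output of `klist -k /etc/krb5.keytab` (run as root) and `samba-tool computer show nfs2`.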