These are my notes on things I shouldn't forget, but apparently have since the last time I used Kerberos.
You can use kinit user@DOMAIN to get a credential in another domain (Kerberos realm).
The NFSv4/Kerberos server code in kernels before 3.11 is broken.
Setting up exports:
/export *(ro,sync,insecure,sec=krb5p)
This means the entire internet can connect to your NFS server (*), from any TCP port, including unprivileged ports above 1024 (insecure), but only if the connection is authenticated and encrypted with Kerberos (sec=krb5p).
This will export a filesystem with a top level directory "/export" in it.
Add an SRV record to DNS: "_nfs4._tcp.DOMAIN. IN SRV 0 0 2049 nfsserver.DOMAIN." (the four values are priority, weight, the NFS port 2049, and the target host).
On the client, install autofs and create a file
/etc/auto.master.d/nfs4.autofs
with the contents:
/srv/nfs4 /etc/auto.nfs4
And create an executable script called /etc/auto.nfs4
with the contents:
#!/bin/sh
# autofs program map: autofs runs this with the map key (the domain) as $1
# and expects one line of "<mount options> <server>:<path>" on stdout.
DOMAIN=$1
dig +short "_nfs4._tcp.$DOMAIN" srv | awk '{ sub(/\.$/, "", $4); printf "-fstype=nfs4 %s:/\n", $4; exit }'
Make sure you have a keytab on your client. (I forget how to do this)
/srv/nfs4/DOMAIN/export/ should now contain your files (autofs mounts the share the first time you cd into it).
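A fuller version of the program map, added here as an example and not part of the original notes: it handles more than the one-line script above, namely several SRV records (lowest priority wins, higher weight first within a priority), the trailing dot dig prints on the target, malformed lines, and the empty case, where it prints nothing so autofs fails the mount instead of mounting something unexpected. It also pins sec=krb5p on the client, so the mount fails rather than silently negotiating a weaker flavour if the export list on the server is ever loosened. The domain and host names in the sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): build the single line an
# autofs program map must print from the SRV records of _nfs4._tcp.<domain>.
# All names and the sample records below are this example's own assumptions.

# srv_to_map: read "priority weight port target" lines on stdin and print
# "-fstype=nfs4,sec=krb5p target:/" for the best record, or nothing at all
# when there is no usable record.
srv_to_map() {
    # Keep only well-formed four-field records with a numeric port, order
    # them by ascending priority then descending weight, take the winner.
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { print $1, $2, $3, $4 }' |
    sort -k1,1n -k2,2nr |
    awk 'NR == 1 { sub(/\.$/, "", $4); printf "-fstype=nfs4,sec=krb5p %s:/\n", $4 }'
}

# lookup_domain: what a real program map does with the key autofs passes as $1.
lookup_domain() {
    dig +short "_nfs4._tcp.$1" srv | srv_to_map
}

# Constructed sample of what "dig +short _nfs4._tcp.<domain> srv" returns
# for a domain with a primary server and a lower-priority backup.
SAMPLE_SRV='10 0 2049 backup.example.test.
0 0 2049 nfsserver.example.test.'

# With a map key as $1 (how autofs invokes it), do the live lookup;
# with no argument, show the result on the constructed sample instead.
if [ -n "$1" ]; then
    lookup_domain "$1"
else
    printf '%s\n' "$SAMPLE_SRV" | srv_to_map
fi
```

Install it as /etc/auto.nfs4 in place of the short script; the only thing autofs sees is the one line on stdout, so keep any diagnostics on stderr.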