NFS4/Kerberos Linux Server fails access for users with large Active Directory group membership

Issue

When using Linux as an NFS4 server secured with Kerberos, with Active Directory acting as the KDC, a user with large group membership may receive "Permission Denied" errors when trying to access a previously mounted export.

Could not chdir to home directory /home/domain/user: Permission denied
-sh: /home/domain/user/.profile: Permission denied


Packet traces show the KRB5KDC_ERR_RESPONSE_TOO_BIG Kerberos error.

Users with smaller group membership do not experience this issue.

Resolution

Set the NO_AUTH_DATA_REQUIRED flag (also known as NO_AUTH_REQUIRED) in the userAccountControl attribute of the computer account of the NFS4/Kerberos server.

Flag                   Hexadecimal value   Decimal value
--------------------------------------------------------
NO_AUTH_DATA_REQUIRED  0x2000000           33554432


In Active Directory Users and Computers | View | Advanced Features:

- Open the computer object
- Select the Attribute Editor tab
- Edit the userAccountControl attribute
- Add 33554432 (0x2000000) to the existing value
- Click OK
- Ensure the stored value shows NO_AUTH_DATA_REQUIRED

This can also be modified in ADSIEdit.
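The same change can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original article; it assumes the NFS server's computer account is named nfs01 (a placeholder) and that the account running it may edit that object.

```powershell
# Added example (not from the original article): set NO_AUTH_DATA_REQUIRED on
# the NFS4/Kerberos server's computer account, then verify the stored value.
# Assumption: the computer account is named 'nfs01' (placeholder, change it).
Import-Module ActiveDirectory

$ComputerName          = 'nfs01'
$NO_AUTH_DATA_REQUIRED = 0x2000000   # 33554432, the value from the table above

$acct = Get-ADComputer -Identity $ComputerName -Properties userAccountControl
$uac  = [int]$acct.userAccountControl

if ($uac -band $NO_AUTH_DATA_REQUIRED) {
    Write-Output ("NO_AUTH_DATA_REQUIRED already set (userAccountControl = 0x{0:X})" -f $uac)
} else {
    # Use a bitwise OR rather than arithmetic addition: adding 33554432 to a
    # value that already has the bit set would flip a different, unrelated bit.
    $newUac = $uac -bor $NO_AUTH_DATA_REQUIRED
    Set-ADComputer -Identity $ComputerName -Replace @{ userAccountControl = $newUac }
    Write-Output ("userAccountControl changed 0x{0:X} -> 0x{1:X}" -f $uac, $newUac)
}

# Re-read the object, as the last step of the procedure asks, and fail loudly
# if the flag did not stick (for example because the write was denied).
$check = [int](Get-ADComputer -Identity $ComputerName -Properties userAccountControl).userAccountControl
if (-not ($check -band $NO_AUTH_DATA_REQUIRED)) {
    throw "NO_AUTH_DATA_REQUIRED is not set on $ComputerName"
}
```

Clients that already hold a cached service ticket for the NFS server keep using it until it expires or the credential cache is cleared; the smaller PAC-less ticket only appears in tickets issued after the change.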

References

An update is available that introduces the NO_AUTH_REQUIRED flag to the UserAccountControl property
http://support.microsoft.com/kb/832572
"When you use Windows Server 2003 or Windows 2000 as a Kerberos Key Distribution Center (KDC) in a mixed environment, such as an environment that has Windows and Unix servers, the KDC adds Privilege Attribute Certificate (PAC) information to a service ticket.
...
You may want to prevent PAC information from being added to service tickets in situations where the increased size of the service ticket causes issues with programs that use either the User Datagram Protocol (UDP) or remote procedure call (RPC) functionality. A PAC is large, and can increase the size of a ticket more than 500 percent. Tickets that do not have a PAC are approximately 240 bytes. Tickets that have a simple PAC may be approximately 1,200 bytes. Additionally, some services do not understand PAC information. If a PAC is present, services that do not understand the PAC information ignore it."



Products

Red Hat Enterprise Linux 6.x
Microsoft Windows Server 2008 R2 SP1

Created: 11th September 2012
Updated: 11th September 2012

© 2005-2024 Jamie Morrison