NFS4/Kerberos Linux Server fails access for users with large Active Directory group membership
Issue
When using Linux as an NFS4 server secured with Kerberos, with Active Directory acting as the KDC, a user who is a member of a large number of groups may receive "Permission denied" errors when trying to access a previously mounted export:
Could not chdir to home directory /home/domain/user: Permission denied
-sh: /home/domain/user/.profile: Permission denied
Packet traces show the KRB5KDC_ERR_RESPONSE_TOO_BIG Kerberos error.
Users with smaller group membership do not experience this issue.
Resolution
Set the NO_AUTH_DATA_REQUIRED flag (also known as NO_AUTH_REQUIRED) in the userAccountControl attribute of the computer account of the NFS4/Kerberos server.
Flag                    Hexadecimal value   Decimal value
--------------------------------------------------------
NO_AUTH_DATA_REQUIRED   0x2000000           33554432
In Active Directory Users and Computers, with View | Advanced Features enabled:
- Open the computer object
- Select the Attribute Editor tab
- Edit the userAccountControl attribute
- Add 33554432 (0x2000000) to the existing value
- Click OK
- Ensure the stored value shows NO_AUTH_DATA_REQUIRED
This can also be modified in ADSIEdit.
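The same change, scripted with the ActiveDirectory PowerShell module (RSAT) rather than the GUI, as an added example that is not part of the original article. It assumes a computer account named NFS01 (a placeholder for the NFS4/Kerberos server's account) and a session with rights to modify userAccountControl. It uses a bitwise OR rather than arithmetic addition so that running it a second time is harmless, and re-reads the attribute afterwards to confirm the bit is present.

```powershell
# Added example: set NO_AUTH_DATA_REQUIRED on the NFS server's computer account.
# Assumptions: computer account 'NFS01' (placeholder), ActiveDirectory module available,
# and the caller may modify userAccountControl.
Import-Module ActiveDirectory

$ComputerName          = 'NFS01'      # placeholder: the NFS4/Kerberos server's computer account
$NO_AUTH_DATA_REQUIRED = 0x2000000    # 33554432 decimal, the value from the article

$acct    = Get-ADComputer -Identity $ComputerName -Properties userAccountControl
$current = [int]$acct.userAccountControl

if ($current -band $NO_AUTH_DATA_REQUIRED) {
    Write-Host ("{0}: NO_AUTH_DATA_REQUIRED already set (userAccountControl=0x{1:X})" -f $ComputerName, $current)
} else {
    # Bitwise OR, not '+': adding 33554432 to a value that already has the bit set
    # would carry into an unrelated flag, whereas OR is idempotent.
    $new = $current -bor $NO_AUTH_DATA_REQUIRED
    Set-ADComputer -Identity $ComputerName -Replace @{ userAccountControl = $new }
    Write-Host ("{0}: userAccountControl 0x{1:X} -> 0x{2:X}" -f $ComputerName, $current, $new)
}

# Verification: re-read the attribute and fail loudly if the bit is still absent.
$check = [int](Get-ADComputer -Identity $ComputerName -Properties userAccountControl).userAccountControl
if (-not ($check -band $NO_AUTH_DATA_REQUIRED)) {
    throw "NO_AUTH_DATA_REQUIRED is not set on $ComputerName"
}
```

The flag only affects service tickets issued after the change; a Linux client that still holds a cached ticket for the nfs/ service principal keeps the old PAC-carrying ticket until it is discarded (kdestroy) and a fresh one is obtained.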
References
An update is available that introduces the NO_AUTH_REQUIRED flag to the UserAccountControl property
http://support.microsoft.com/kb/832572
"When you use Windows Server 2003 or Windows 2000 as a Kerberos Key Distribution Center (KDC) in a mixed environment, such as an environment that has Windows and Unix servers, the KDC adds Privilege Attribute Certificate (PAC) information to a service ticket.
...
You may want to prevent PAC information from being added to service tickets in situations where the increased size of the service ticket causes issues with programs that use either the User Datagram Protocol (UDP) or remote procedure call (RPC) functionality. A PAC is large, and can increase the size of a ticket more than 500 percent. Tickets that do not have a PAC are approximately 240 bytes. Tickets that have a simple PAC may be approximately 1,200 bytes. Additionally, some services do not understand PAC information. If a PAC is present, services that do not understand the PAC information ignore it."
Products
Red Hat Enterprise Linux 6.x
Microsoft Windows Server 2008 R2 SP1
Created: 11th September 2012
Updated: 11th September 2012
© 2005-2024 Jamie Morrison