NFSv4 and Active Directory: authenticated users fail accessing a share
This document (7018620) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Situation
If using NFSv4 and Kerberos authentication in an ADS environment, it may be that, though a NFS share is mounted correctly with one of the options krb5,krb5i or krb5p, a user with
a valid Kerberos ticket may not be able to access the mount and gets permission denied.
a valid Kerberos ticket may not be able to access the mount and gets permission denied.
Resolution
Currently the only way to solve the issue is to disable PAC on the NFS server objects in Active Directory.
This can be done on the AD server via accessing the Attribute Editor of the NFS server object, changing the "userAccountControl" attribute to "0x2000000"
( NO_AUTH_REQUIRED )
Further information on this can be found at:
https://support.microsoft.com/de-de/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-properties
This can be done on the AD server via accessing the Attribute Editor of the NFS server object, changing the "userAccountControl" attribute to "0x2000000"
( NO_AUTH_REQUIRED )
Further information on this can be found at:
https://support.microsoft.com/de-de/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-properties
Cause
Microsoft servers are using an optional field from RFC4120 called "AuthorizationData". With Microsoft servers this field contains several types of data, including group memberships.
If an affected user has, for instance, a large number of group memberships, this field will grow, growing the whole ticket far beyond the size a Kerberos implementation, sticking strictly to RFC4120,
can handle.
In the Microsoft namespace this feature is called "PAC", meaning "Privilege Attribute Certificate".
Detailed information on this is available at "https://msdn.microsoft.com/en-us/library/cc237917.aspx"
If an affected user has, for instance, a large number of group memberships, this field will grow, growing the whole ticket far beyond the size a Kerberos implementation, sticking strictly to RFC4120,
can handle.
In the Microsoft namespace this feature is called "PAC", meaning "Privilege Attribute Certificate".
Detailed information on this is available at "https://msdn.microsoft.com/en-us/library/cc237917.aspx"
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7018620
- Creation Date: 15-Feb-2017
- Modified Date:28-Sep-2022
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
