NFSv4 and Active Directory: authenticated users fail accessing a share
This document (7018620) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
a valid Kerberos ticket may not be able to access the mount and gets permission denied.
This can be done on the AD server via accessing the Attribute Editor of the NFS server object, changing the "userAccountControl" attribute to "0x2000000"
( NO_AUTH_REQUIRED )
Further information on this can be found at:
If an affected user has, for instance, a large number of group memberships, this field will grow, growing the whole ticket far beyond the size a Kerberos implementation, sticking strictly to RFC4120,
In the Microsoft namespace this feature is called "PAC", meaning "Privilege Attribute Certificate".
Detailed information on this is available at "https://msdn.microsoft.com/en-us/library/cc237917.aspx"
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7018620
- Creation Date: 15-Feb-2017
- Modified Date:28-Sep-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com