NFSv4 and Active Directory: authenticated users fail accessing a share

This document (7018620) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)

Situation

If using NFSv4 and Kerberos authentication in an ADS environment, it may be that, though a NFS share is mounted correctly with one of the options krb5,krb5i or krb5p, a user with
a valid Kerberos ticket may not be able to access the mount and gets permission denied.

Resolution

Currently the only way to solve the issue is to disable PAC on the NFS server objects in Active Directory.
This can be done on the AD server via accessing the Attribute Editor of the NFS server object, changing the "userAccountControl" attribute to "0x2000000"
( NO_AUTH_REQUIRED )
Further information on this can be found at:
https://support.microsoft.com/de-de/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-properties

Cause

Microsoft servers are using an optional field from RFC4120 called "AuthorizationData". With Microsoft servers this field contains several types of data, including group memberships.
If an affected user has, for instance, a large number of group memberships, this field will grow, growing the whole ticket far beyond the size a Kerberos implementation, sticking strictly to RFC4120,
can handle.
In the Microsoft namespace this feature is called "PAC", meaning "Privilege Attribute Certificate".
Detailed information on this is available at "https://msdn.microsoft.com/en-us/library/cc237917.aspx"

Additional Information


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018620
  • Creation Date: 15-Feb-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center