KB-6280: AD Users unable to mount kerberos-enabled NFSv4 shares on RHEL

Centrify DirectControl

12 April 2016 at 11:01 AM

Applies to:

All versions of Centrify DirectControl on Red Hat Enterprise Linux
 

Problem:

When an AD user attempts to mount a Kerberos-enabled NFSv4 share, the mount fails. The server has the DirectControl agent installed and the OS is Red Hat. Some of the errors that may be observed:

  • cannot access /mynfsshare: Permission denied
  • Jul 10 13:35:01 myserver rpc.gssd[2790]: WARNING: Failed to create krb5 context for user with uid 12345 for server myserver.mydomain.com
  • WARNING: Failed to create krb5 context for user

The NFSv4 configuration has been verified, and the shares may still be mountable by some users, including root.
 

Cause:

This is a known issue in NFSv4 on Red Hat: it is unable to handle large Kerberos tickets. Large Kerberos tickets are common in enterprise environments where AD users have many group memberships. To support AD users with many group memberships, the user's Kerberos ticket must carry a Privilege Attribute Certificate (PAC), an extension of the basic Kerberos ticket whose size grows with the number of groups.

As per Red Hat solution #969123 (see link below), the root cause of the issue is the communication mechanism between the kernel NFS server and the rpc.svcgssd daemon:

https://access.redhat.com/solutions/969123
(Red Hat login required to view full article)


Workaround:

Red Hat advises one of the options below:

Option 1: Reduce the number of groups of which the user is a member. This can be done by consolidating groups, for example.

Option 2: Configure the Active Directory KDC to omit the PAC data when generating a service ticket for the NFS server.

Option 1, where feasible in production, should resolve the problem.

For option 2, please note that this involves setting the NO_AUTH_DATA_REQUIRED property in the UserAccountControl field of the machine account for the NFS server. This effectively turns off PAC and S4U logon for that account, which has major implications.
Kerberos tickets for the NFS server will be issued without a PAC, which degrades NFS performance: adclient must then perform the group expansion, password-expiration calculation, etc. itself for each NFS authentication attempt, and scaled over a multitude of transactions this reduces the observed throughput of the NFS server. While this may resolve the issue in a small-scale test, it will not scale effectively in production, since any environment with enough group memberships to warrant a large PAC is likely placing a similarly high load on NFS as well.

For more information on option 2 please refer to the following link:
https://blogs.technet.microsoft.com/askpfeplat/2014/01/15/understanding-the-useraccountcontrol-attribute-in-active-directory/
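As an added illustration (not part of the original article), a small Python triage helper: it pulls the affected uids out of rpc.gssd log lines in the format quoted in the Problem section, and checks whether NO_AUTH_DATA_REQUIRED (0x2000000) is set on a userAccountControl value so the option 2 change can be verified before and after. The sample log lines are constructed and the function names are my own.

```python
import re

# userAccountControl bits relevant to this article (values as documented by
# Microsoft). NO_AUTH_DATA_REQUIRED is the bit that makes the KDC omit the
# PAC from service tickets issued for the account that carries it.
WORKSTATION_TRUST_ACCOUNT = 0x1000
NO_AUTH_DATA_REQUIRED = 0x2000000

# Shape of the rpc.gssd warning quoted in the Problem section.
GSSD_WARNING = re.compile(
    r"rpc\.gssd\[(?P<pid>\d+)\]: WARNING: Failed to create krb5 context "
    r"for user with uid (?P<uid>\d+) for server (?P<server>\S+)"
)


def affected_uids(log_lines):
    """Return {uid: set(servers)} for every rpc.gssd 'Failed to create krb5
    context' warning in the given syslog lines; other lines are ignored."""
    hits = {}
    for line in log_lines:
        m = GSSD_WARNING.search(line)
        if m:
            hits.setdefault(int(m.group("uid")), set()).add(m.group("server"))
    return hits


def pac_omitted(user_account_control):
    """True when NO_AUTH_DATA_REQUIRED is set, i.e. the option 2 workaround
    is in effect for the NFS server's machine account."""
    return bool(int(user_account_control) & NO_AUTH_DATA_REQUIRED)


def apply_option2(user_account_control):
    """Return the userAccountControl value with NO_AUTH_DATA_REQUIRED added.
    Pure computation: writing it back to AD is left to your AD tooling."""
    return int(user_account_control) | NO_AUTH_DATA_REQUIRED


# Constructed sample syslog excerpt modelled on the article's error line.
SAMPLE_LOG = [
    "Jul 10 13:35:01 myserver rpc.gssd[2790]: WARNING: Failed to create krb5 "
    "context for user with uid 12345 for server myserver.mydomain.com",
    "Jul 10 13:35:02 myserver rpc.gssd[2790]: WARNING: Failed to create krb5 "
    "context for user with uid 12346 for server myserver.mydomain.com",
    "Jul 10 13:35:05 myserver sshd[3001]: Accepted publickey for root",
]

if __name__ == "__main__":
    for uid, servers in sorted(affected_uids(SAMPLE_LOG).items()):
        print(f"uid {uid} failed against {', '.join(sorted(servers))}")
    uac = WORKSTATION_TRUST_ACCOUNT  # a plain computer account
    print(f"PAC omitted before: {pac_omitted(uac)}")
    print(f"PAC omitted after:  {pac_omitted(apply_option2(uac))}")
```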


Resolution:


As Centrify is involved only at the Kerberos layer, not at NFS or RPCSEC, it is up to the vendor to resolve this issue. This information is provided as a courtesy to Centrify customers who deploy NFSv4 with Kerberos enabled.

Red Hat lists this solution as "In Progress", meaning that it will be resolved in an upcoming release of the OS. Please refer to the Red Hat solution or contact the vendor for more information:

https://access.redhat.com/solutions/969123
(Red Hat login required to view full article)

(All external links are provided as a courtesy)
