From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Assarsson, Emil" <Emil.Assarsson@sonyericsson.com>
Cc: "'Richard Smits'" <R.Smits@tudelft.nl>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: krb5 mount with large group membership
Date: Thu, 14 Jul 2011 13:25:05 -0400 [thread overview]
Message-ID: <20110714172504.GA19003@fieldses.org> (raw)
In-Reply-To: <2BF070A7A2375D46BA1B6087F8D5DCB67E846BA792@seldmbx01.corpusers.net>
On Thu, Jul 14, 2011 at 01:14:07PM +0200, Assarsson, Emil wrote:
> Hi,
>
> Your ticket is probably oversized for the NFS server.
> Try set NO_AUTH_DATA_REQUIRED (google msn) on the object holding the servers SPN.
The server has trouble with init_sec_context tokens that are longer than
a few k--I'd have to check the exact limit. (I wonder how big this one
is?)
--b.
>
> --
> Emil Assarsson
>
> > -----Original Message-----
> > From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-owner@vger.kernel.org]
> > On Behalf Of Richard Smits
> > Sent: torsdag den 14 juli 2011 11:30
> > To: linux-nfs@vger.kernel.org
> > Subject: krb5 mount with large group membership
> >
> > Hello list,
> >
> > I am running into a problem. Perhaps someone understands what is
> > happening here. I will explain.
> >
> > I have a Redhat 5.4 client that is accessing a nfs export on a NFS
> > server. (Redhat 6.1)
> >
> > Our KDC is a Windows AD.
> >
> > The client is using samba-winbind. If a user is a member of 23 groups or
> > lower, I can access the export. If a user is a member of more groups,
> > the mount fails with a "Permission denied"
> >
> > mount /data
> > -bash-3.2$ cd /data
> > -bash: cd: /data: Permission denied
> >
> > Thew odd thing is if I try a mount to our Netapp filer with also a krb5
> > export, there is no problem.
> >
> > This has to do something with the ticket size in combination with
> > memberships to a large number of groups.
> >
> > So what must i do to get this Redhat server working with this setup ? It
> > seems that Netapp did something to get this working ?
> >
> > Does this sound familiar to anyone, or should i provide more information ?
> >
> > Versions server side :
> > nfs-utils-1.2.3-7
> > krb5-workstation-1.9-9
> >
> > Greetings ... Richard Smits
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2011-07-14 17:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-14 9:30 krb5 mount with large group membership Richard Smits
2011-07-14 11:14 ` Assarsson, Emil
2011-07-14 13:03 ` Richard Smits
2011-07-14 13:29 ` Assarsson, Emil
2011-07-14 17:25 ` J. Bruce Fields [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110714172504.GA19003@fieldses.org \
--to=bfields@fieldses.org \
--cc=Emil.Assarsson@sonyericsson.com \
--cc=R.Smits@tudelft.nl \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.