* Excessive group membership causes permission denied
@ 2013-03-18 18:46 Norman Elton
0 siblings, 0 replies; only message in thread
From: Norman Elton @ 2013-03-18 18:46 UTC (permalink / raw)
To: linux-nfs
There is a fairly well documented bug that we've run against. When
using Active Directory as a KDC, users with a large number of group
memberships can overrun a UDP packet, causing Kerberos to fall back to
TCP. When a user logs into the system, they have a kerberos ticket,
but get a "permission denied" when accessing the NFS share. We've
reproduced this by taking a functioning user, adding tons of group
membership. The error message pops right up.
The traditional fix is to set NO_AUTH_DATA_REQUIRED on the NFS
server's machine account, as explained here:
http://theether.net/kb/100205.
While this seems to work, it's a bit of a dirty hack. Any thoughts on
a root-cause? We're happy to serve as a guinea pig if anyone can point
us in the right direction.
Thanks,
Norman
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-03-18 18:46 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-03-18 18:46 Excessive group membership causes permission denied Norman Elton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).