Hi,

Pre-authentication errors:
Try to limit the /etc/krb5.conf to use the 3 closest KDCs only. I'm using winbind and link /etc/krb5.conf to /var/run/samba/smb_krb5/krb5.conf.* (there should be a "locate" module for mit-krb5 but lucid doesn't provide it).

It can be solved with do not require but I think it's better to solve the real problem.

--
Emil Assarsson

> -----Original Message-----
> From: Richard Smits [mailto:R.Smits@xxxxxxxxxx]
> Sent: Thursday 14 July 2011 15:03
> To: linux-nfs@xxxxxxxxxxxxxxx
> Cc: Assarsson, Emil
> Subject: Re: krb5 mount with large group membership
>
> Hi,
>
> Good tip. Thank you.
>
> note : If I check the "Do not require Kerberos preauthentication" in the
> AD on my testaccount, it works...
>
> So now I have to look what else this breaks.
>
> Greetings .. Richard
>
> On 07/14/2011 01:14 PM, Assarsson, Emil wrote:
> > Hi,
> >
> > Your ticket is probably oversized for the NFS server.
> > Try set NO_AUTH_DATA_REQUIRED (google msn) on the object holding the server's SPN.
> >
> > --
> > Emil Assarsson
> >
> >> -----Original Message-----
> >> From: linux-nfs-owner@xxxxxxxxxxxxxxx [mailto:linux-nfs-owner@xxxxxxxxxxxxxxx]
> >> On Behalf Of Richard Smits
> >> Sent: Thursday 14 July 2011 11:30
> >> To: linux-nfs@xxxxxxxxxxxxxxx
> >> Subject: krb5 mount with large group membership
> >>
> >> Hello list,
> >>
> >> I am running into a problem. Perhaps someone understands what is
> >> happening here. I will explain.
> >>
> >> I have a Redhat 5.4 client that is accessing a nfs export on a NFS
> >> server. (Redhat 6.1)
> >>
> >> Our KDC is a Windows AD.
> >>
> >> The client is using samba-winbind. If a user is a member of 23 groups or
> >> lower, I can access the export. If a user is a member of more groups,
> >> the mount fails with a "Permission denied"
> >>
> >> mount /data
> >> -bash-3.2$ cd /data
> >> -bash: cd: /data: Permission denied
> >>
> >> The odd thing is if I try a mount to our Netapp filer with also a krb5
> >> export, there is no problem.
> >>
> >> This has something to do with the ticket size in combination with
> >> memberships to a large number of groups.
> >>
> >> So what must I do to get this Redhat server working with this setup ? It
> >> seems that Netapp did something to get this working ?
> >>
> >> Does this sound familiar to anyone, or should I provide more information ?
> >>
> >> Versions server side :
> >> nfs-utils-1.2.3-7
> >> krb5-workstation-1.9-9
> >>
> >> Greetings ... Richard Smits
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> >> the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
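
The two Active Directory account flags mentioned in this thread, as an added example that is not part of the original messages: a short Python audit that reads `userAccountControl` and `servicePrincipalName` from LDIF-style text and lists accounts with "Do not require Kerberos preauthentication" set, plus `nfs/` SPN holders that do not have NO_AUTH_DATA_REQUIRED. The sample entries, account names and the `example.com` domain are constructed; the bit values are the documented UF_DONT_REQUIRE_PREAUTH and UF_NO_AUTH_DATA_REQUIRED constants.

```python
UF_DONT_REQUIRE_PREAUTH = 0x00400000   # "Do not require Kerberos preauthentication"
UF_NO_AUTH_DATA_REQUIRED = 0x02000000  # no PAC (group data) in tickets for this service

# Constructed LDIF-style sample (hypothetical names), shaped like ldapsearch output.
SAMPLE_LDIF = """\
dn: CN=testaccount,OU=Users,DC=example,DC=com
sAMAccountName: testaccount
userAccountControl: 4194816

dn: CN=nfsserver,OU=Servers,DC=example,DC=com
sAMAccountName: nfsserver$
userAccountControl: 4096
servicePrincipalName: nfs/nfsserver.example.com

dn: CN=filer,OU=Servers,DC=example,DC=com
sAMAccountName: filer$
userAccountControl: 33558528
servicePrincipalName: nfs/filer.example.com
"""

def parse_ldif(text):
    """Split LDIF text into entries: dict of lower-cased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (accounts without pre-auth, nfs/ SPN holders that still get a PAC)."""
    no_preauth, pac_on_nfs = [], []
    for e in entries:
        name = e.get("samaccountname", ["?"])[0]
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & UF_DONT_REQUIRE_PREAUTH:
            no_preauth.append(name)
        spns = e.get("serviceprincipalname", [])
        has_nfs = any(s.lower().startswith("nfs/") for s in spns)
        if has_nfs and not uac & UF_NO_AUTH_DATA_REQUIRED:
            pac_on_nfs.append(name)
    return no_preauth, pac_on_nfs

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

The first list is the set of accounts where the pre-authentication workaround is still in place; the second is the set of NFS service objects whose tickets still carry the full group data.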