On Mon, Aug 11, 2014 at 01:23:38PM -0500, Ben H wrote:
> First off, apologies if this is not the correct list.
> I saw questions like this on the old nfsv4@xxxxxxxxxxxxx list, and
> believe that this replaces that.
> Please direct me to a more appropriate resource if available.
> If I'm in the right place, I'm looking for some schooling...
>
> I have been working with NFSv4 sec=krb5 and early on ran into the PAC
> issue described nebulously throughout various resources on the web.
>
> When working with AD users who are in multiple groups (in my
> experiments, seems to be approximately 20) I have to set
> NO_AUTH_DATA_REQUIRED on the userAccountControl of my NFS server
> principal so that the PAC is not sent and the TGS-REQ can occur over
> UDP.
>
> What I cannot find an answer for is why/where exactly is this
> limitation introduced?
> Kerberos can deal with the larger packets via TCP, and some Kerberos
> implementations may enforce TCP even on smaller packets.

The main problem is the kernel<->rpc.svcgssd interface. The problem
should be fixed on newer distros that use gss-proxy.

--b.