saschafrey

OneFS 7.2.1.1: NFS + LDAP + Kerberos: mounting works, but cannot access files (permission denied)


Hi,

I'm trying to set up NFS with OpenLDAP (no AD) and MIT-Kerberos on OneFS 7.2.1.1.

LDAP and NFS (v4) work fine with sec=sys.

I added the kerberos configuration (including creating SPNs) and changed the export to sec=krb5.

Mounting the share with 'mount -t nfs -o sec=krb4,vers=4 nfs.isilon.fs.domain.tld:/ifs/export/test /mnt' does work (so I assume the SPNs are set up correctly), but accessing files and directories does not (permission denied).

The user has a valid ticket (klist shows entries for ktgt@REALM and nfs/nfs.isilon.fs.domain.tld@REALM).

'ls -l' does show correct user and group name for the directory. The directory is owned by my user, but I cannot access it. So I changed the mode to grant access to other (777) and created a file (touch foobar). It belongs to nobody.

The same client does work with a Linux file server using the same LDAP server and KDC.

I started rpc.gssd with the verbose option and compared the log output of both the Linux server (working) and the Isilon (not working):

These are the only differences (besides the different SPN names of both systems):

Linux server:

< prepare_krb5_rfc4121_buffer: protocol 0
< prepare_krb5_rfc4121_buffer: serializing key with enctype 23 and size 16
< doing downcall lifetime_rec 2419193

---

Isilon:

> prepare_krb5_rfc4121_buffer: protocol 1
> prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> doing downcall lifetime_rec 2419187

I'm not sure if this is a Kerberos or a user mapping issue.

Do I have to set up some user mapping between LDAP uid=juser and Kerberos principal juser@REALM?
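The rpc.gssd comparison above, done as a small parser rather than by eye. This is an added example, not code from the thread; the log lines are constructed from the values quoted in the post, and the enctype names come from the standard Kerberos enctype registry (18 = aes256-cts-hmac-sha1-96, 23 = arcfour-hmac), which the post itself does not spell out.

```python
import re

# Kerberos enctype numbers (RFC 3961 registry) for the values in the thread.
ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4, deprecated)",
}

# Patterns for the three rpc.gssd -v lines the post compares.
PATTERNS = {
    "protocol": re.compile(r"prepare_krb5_rfc4121_buffer: protocol (\d+)"),
    "enctype": re.compile(r"serializing key with enctype (\d+) and size (\d+)"),
    "lifetime": re.compile(r"doing downcall lifetime_rec (\d+)"),
}

def parse_gssd_log(text):
    """Extract protocol, enctype, key size and lifetime from verbose rpc.gssd output."""
    fields = {}
    for line in text.splitlines():
        line = line.lstrip("<> ").strip()   # drop diff(1) markers if present
        if m := PATTERNS["protocol"].search(line):
            fields["protocol"] = int(m.group(1))
        elif m := PATTERNS["enctype"].search(line):
            fields["enctype"] = int(m.group(1))
            fields["key_size"] = int(m.group(2))
        elif m := PATTERNS["lifetime"].search(line):
            fields["lifetime"] = int(m.group(1))
    return fields

def diff_gssd(working, broken):
    """Return {field: (working_value, broken_value)} for every field that differs."""
    a, b = parse_gssd_log(working), parse_gssd_log(broken)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def enctype_name(num):
    return ENCTYPES.get(num, f"enctype {num} (not in table)")

# Constructed samples carrying the values quoted in the post.
LINUX_LOG = """\
prepare_krb5_rfc4121_buffer: protocol 0
prepare_krb5_rfc4121_buffer: serializing key with enctype 23 and size 16
doing downcall lifetime_rec 2419193
"""
ISILON_LOG = """\
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall lifetime_rec 2419187
"""

if __name__ == "__main__":
    for field, (w, b) in diff_gssd(LINUX_LOG, ISILON_LOG).items():
        extra = f"  ({enctype_name(w)} -> {enctype_name(b)})" if field == "enctype" else ""
        print(f"{field}: {w} -> {b}{extra}")
```

The output shows the Isilon side negotiating AES-256 (stronger than the RC4 key on the Linux server) with the newer downcall protocol, so this difference does not explain the "nobody" owner; the accepted answer below traces that to the realm not being linked to the LDAP provider.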


Accepted Solution
saschafrey

Re: OneFS 7.2.1.1: NFS + LDAP + Kerberos: mounting works, but cannot access files (permission denied)


My problem is solved:

I forgot to link the LDAP provider to the Kerberos realm:

isi auth ldap modify "LDAP-Provider-Name" --provider-domain KRB-REALM.TLD

melzeiry

Re: OneFS 7.2.1.1: NFS + LDAP + Kerberos: mounting works, but cannot access files (permission denied)

I am not really sure if it is a mapping issue. It can be.
But worth checking as well is ls -led <filename>

ACLs will apply, so if it is access denied, make sure that the user trying to access has an allow ACL (or the group the user is a member of, or everyone).

Re: OneFS 7.2.1.1: NFS + LDAP + Kerberos: mounting works, but cannot access files (permission denied)


Hi all,

I don't know how to configure an NFS Kerberos share in the cluster and on the NFS client. Please guide me on how to do that, thanks!

Re: OneFS 7.2.1.1: NFS + LDAP + Kerberos: mounting works, but cannot access files (permission denied)


and an NFSv4 share in the cluster and on the NFS client as well.