NetApp Knowledge Base

NFS Kerberos Authentication Fails with Cross Domain Users


Applies to

  • NFS Kerberos (krb5) authentication
  • Multi-domain Active Directory environments

Issue

When mounting an NFSv4.1 volume with Kerberos authentication (sec=krb5) from a
client joined to a different domain within the same Active Directory forest, the
mount fails with:

mount.nfs4: access denied by server while mounting :/


ONTAP logs show:

secd.nfsAuth.problem: vserver() General NFS authorization problem. Error: RPC accept GSS token procedure failed
[2] Mapping Successful for SPN 'ELKSDXNFT15DTE8$@SDX.PAYROC.DEV' to UNIX user 'ELKSDXNFT15DTE8$'
[5] Entry for user-name: ELKSDXNFT15DTE8$ not found in the current source: FILES. Ignoring and trying next available source
[73] FAILURE: User 'ELKSDXNFT15DTE8$' not found in UNIX authorization source LDAP.
[73] Unable to map SPN 'ELKSDXNFT15DTE8$@SDX.PAYROC.DEV'
[73] Unable to map Kerberos NFS user 'ELKSDXNFT15DTE8$@SDX.PAYROC.DEV' to appropriate UNIX user
[75] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result=6916
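
A small triage helper for the trace above, added here as an example (it is not NetApp's code): it extracts the Kerberos principal, the UNIX name it was converted to, and the name-service sources that did not return that name. The function name `triage` and the result field names are assumptions; the sample input is the article's own log excerpt.

```python
import re

# Log excerpt copied from the article above (bracketed numbers are trace steps).
SAMPLE = """\
[2] Mapping Successful for SPN 'ELKSDXNFT15DTE8$@SDX.PAYROC.DEV' to UNIX user 'ELKSDXNFT15DTE8$'
[5] Entry for user-name: ELKSDXNFT15DTE8$ not found in the current source: FILES. Ignoring and trying next available source
[73] FAILURE: User 'ELKSDXNFT15DTE8$' not found in UNIX authorization source LDAP.
[73] Unable to map SPN 'ELKSDXNFT15DTE8$@SDX.PAYROC.DEV'
[75] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result=6916
"""

PATTERNS = {
    "mapped": re.compile(r"Mapping Successful for SPN '([^']+)' to UNIX user '([^']+)'"),
    "miss": re.compile(r"not found in (?:the current source: |UNIX authorization source )(\w+)"),
    "unmapped": re.compile(r"Unable to map SPN '([^']+)'"),
    "result": re.compile(r"Result=(\d+)"),
}

def triage(trace):
    """Summarise one secd trace: principal, converted name, sources that missed."""
    out = {"spn": None, "realm": None, "unix_user": None,
           "machine_account": False, "sources_missed": [],
           "mapping_failed": False, "result": None}
    for line in trace.splitlines():
        if m := PATTERNS["mapped"].search(line):
            out["spn"], out["unix_user"] = m.groups()
            # Realm is the part after '@'; None if the principal has no realm.
            out["realm"] = out["spn"].rpartition("@")[2] if "@" in out["spn"] else None
            # Active Directory computer account names end in '$'.
            out["machine_account"] = out["unix_user"].endswith("$")
        if m := PATTERNS["miss"].search(line):
            if m.group(1) not in out["sources_missed"]:
                out["sources_missed"].append(m.group(1))
        if PATTERNS["unmapped"].search(line):
            out["mapping_failed"] = True
        if m := PATTERNS["result"].search(line):
            out["result"] = m.group(1)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary shows that the principal-to-name conversion succeeded for a computer account in realm SDX.PAYROC.DEV and that the resulting name was then missing from both FILES and LDAP.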
