NetApp Knowledge Base

NFS Kerberos mount fails with access denied on a client in trusted domain

Category: ontap-9
Specialty: nas
Applies to

  • ONTAP 9
  • NFS Kerberos
  • Trusted domain

Issue

  • NFS Kerberos mount fails:
[user1@rhel ~]$ sudo mount -t nfs -o vers=4,sec=krb5p,noexec nfsserver-3.nas.ss.com.in:/vol1/q10 /tmp/q10
mount.nfs: access denied by server while mounting nfsserver-3.nas.ss.com.in:/vol1/q10
 
  • The NFS client is joined to the realm BODX.SDS.CS.COM.IN and BOD.SS.COM.IN:
[user1@rhel ~]$ realm list
BODX.SDS.CS.COM.IN
  type: kerberos
  realm-name: BODX.SDS.CS.COM.IN
  domain-name: BODX.SDS.CS.COM.IN
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy:
 
  • The NFS Kerberos LIF is created in a different domain, "BOD.SS.COM.IN":

::*> nfs kerberos interface show -vserver nfsserver-3
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
clus-sv3    clus-sv3-if1 
                             10.xx.yy.228    enabled  nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN
clus-sv3    clus-sv3-if2 
                             10.xx.yy.229    enabled  nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN 

  • krb-unix name mapping is configured for the trusted domain "BODX.SDS.CS.COM.IN":

::*> vserver name-mapping show -vserver nfsserver-3
Vserver:   nfsserver-3
Direction: krb-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: nfs/nfsserver-3.nas.ss.com.in@BOD.SS.COM.IN
                                          Replacement: pcuser
2       -                 -                   Pattern: (.+)\$@BOD.SS.COM.IN
                                          Replacement: root
3       -                 -                   Pattern: host/(.+)@BOD.SS.COM.IN
                                          Replacement: root
4       -                 -                   Pattern: ([^/]+)@BOD.SS.COM.IN
                                          Replacement: \1
5       -                 -                   Pattern: (.+)\$@BODX.SDS.CS.COM.IN
                                          Replacement: root
6       -                 -                   Pattern: host/(.+)@BODX.SDS.CS.COM.IN
                                          Replacement: root
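As an added check that is not part of this KB article, the following Python evaluates the six krb-unix rules listed above against constructed sample principals from both realms, so you can see which kinds of principal each rule catches and which get no explicit rule. It assumes ONTAP semantics of trying rules in position order, matching the pattern against the whole principal, and applying the first match; the principals themselves are made up for illustration.

```python
import re

# The krb-unix rules from the page: (position, pattern, replacement).
# Assumed semantics: evaluated in position order, full-principal match,
# first match wins.
KRB_UNIX_RULES = [
    (1, r"nfs/nfsserver-3.nas.ss.com.in@BOD.SS.COM.IN", r"pcuser"),
    (2, r"(.+)\$@BOD.SS.COM.IN", r"root"),
    (3, r"host/(.+)@BOD.SS.COM.IN", r"root"),
    (4, r"([^/]+)@BOD.SS.COM.IN", r"\1"),
    (5, r"(.+)\$@BODX.SDS.CS.COM.IN", r"root"),
    (6, r"host/(.+)@BODX.SDS.CS.COM.IN", r"root"),
]


def map_principal(principal, rules=KRB_UNIX_RULES):
    """Return (position, unix_user) for the first rule that matches, else None."""
    for position, pattern, replacement in rules:
        m = re.fullmatch(pattern, principal)
        if m:
            # expand() resolves back-references such as \1 in the replacement
            return position, m.expand(replacement)
    return None


def unmapped_principals(principals, rules=KRB_UNIX_RULES):
    """Principals that no explicit krb-unix rule matches."""
    return [p for p in principals if map_principal(p, rules) is None]


if __name__ == "__main__":
    # Constructed sample principals covering both realms on the page.
    sample = [
        "nfs/nfsserver-3.nas.ss.com.in@BOD.SS.COM.IN",  # the NFS server SPN
        "RHEL$@BOD.SS.COM.IN",                          # machine account, LIF realm
        "host/rhel@BOD.SS.COM.IN",                      # host principal, LIF realm
        "user1@BOD.SS.COM.IN",                          # user, LIF realm
        "RHEL$@BODX.SDS.CS.COM.IN",                     # machine account, client realm
        "host/rhel@BODX.SDS.CS.COM.IN",                 # host principal, client realm
        "user1@BODX.SDS.CS.COM.IN",                     # user, client realm
    ]
    for p in sample:
        print(f"{p:48} -> {map_principal(p)}")
    print("no explicit rule:", unmapped_principals(sample))
```

Running it shows that user principals from the trusted realm BODX.SDS.CS.COM.IN are the only sample that no rule matches, which is worth comparing against the realm the client actually authenticates in (see the realm list above).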

  • Packet traces from the client show:
  • The client queries DNS (10.kk.mm.5) for the NFS server hostname (nfsserver-3.nas.ss.com.in):

2081 2023-02-20 14:47:45.680 10.vv.dd.42 10.kk.mm.5        DNS     Standard query 0x20b5 A nfsserver-3.nas.ms.com.cn
2083 2023-02-20 14:47:45.680 10.kk.mm.5  10.vv.dd.42       DNS     Standard query response 0x20b5 A nfsserver-3.nas.ss.com.in A 10.xx.yy.229 A 10.xx.yy.228

  • The client obtains a TGT for its machine account (RHEL$) from the KDC (10.rr.pp.132) of the domain BODX.SDS.CS.COM.IN:

2182 2023-02-20 14:47:45.692 10.vv.dd.42  10.rr.pp.132 KRB5  40060,88 RHEL$ krbtgt,BODX.SDS.CS.COM.IN   AS-REQ
2185 2023-02-20 14:47:45.692 10.rr.pp.132 10.vv.dd.42  KRB5  88,40060 RHEL$ krbtgt,BODX.SDS.CS.COM.IN   AS-REP
 

  • The client then requests a service ticket (TGS-REQ) from the same KDC for the ONTAP NFS server SPN (nfs/nfsserver-3.nas.ss.com.in), and the request fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:

2212 2023-02-20 14:47:45.695 10.vv.dd.42  10.rr.pp.132 KRB5 40062,88  krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in     TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42  KRB5 88,40062  nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
