NFS Kerberos mount fails with access denied on a client in trusted domain
Applies to
- ONTAP 9
- NFS Kerberos
- Trusted domain
Issue
- NFS Kerberos mount fails:
[user1@rhel ~]$ sudo mount -t nfs -o vers=4,sec=krb5p,noexec nfsserver-3.nas.ss.com.in:/vol1/q10 /tmp/q10
mount.nfs: access denied by server while mounting nfsserver-3.nas.ss.com.in:/vol1/q10
- The NFS client is joined to realm BODX.SDS.CS.COM.IN (the trusted domain; realm list shows only this realm), while the NFS server's Kerberos realm is BOD.SS.COM.IN:
[user1@rhel ~]$ realm list
BODX.SDS.CS.COM.IN
type: kerberos
realm-name: BODX.SDS.CS.COM.IN
domain-name: BODX.SDS.CS.COM.IN
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy:
- The NFS Kerberos LIFs are enabled with an SPN in a different domain, "BOD.SS.COM.IN":
::*> nfs kerberos interface show -vserver nfsserver-3
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
clus-sv3       clus-sv3-if1  10.xx.yy.228    enabled  nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN
clus-sv3       clus-sv3-if2  10.xx.yy.229    enabled  nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN
- Name mapping (direction krb-unix) is configured for the trusted domain "BODX.SDS.CS.COM.IN", but only for machine-account and host/ principals; only BOD.SS.COM.IN has a rule for plain user principals:
::*> vserver name-mapping show -vserver nfsserver-3
Vserver:   nfsserver-3
Direction: krb-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                Pattern:     nfs/nfsserver-3.nas.ss.com.in@BOD.SS.COM.IN
                                           Replacement: pcuser
2        -                -                Pattern:     (.+)\$@BOD.SS.COM.IN
                                           Replacement: root
3        -                -                Pattern:     host/(.+)@BOD.SS.COM.IN
                                           Replacement: root
4        -                -                Pattern:     ([^/]+)@BOD.SS.COM.IN
                                           Replacement: \1
5        -                -                Pattern:     (.+)\$@BODX.SDS.CS.COM.IN
                                           Replacement: root
6        -                -                Pattern:     host/(.+)@BODX.SDS.CS.COM.IN
                                           Replacement: root
- A packet trace taken on the client shows:
- The client queries DNS (10.kk.mm.5) for the NFS server hostname (nfsserver-3.nas.ss.com.in) and receives both LIF addresses:
2081 2023-02-20 14:47:45.680 10.vv.dd.42 10.kk.mm.5 DNS Standard query 0x20b5 A nfsserver-3.nas.ss.com.in
2083 2023-02-20 14:47:45.680 10.kk.mm.5 10.vv.dd.42 DNS Standard query response 0x20b5 A nfsserver-3.nas.ss.com.in A 10.xx.yy.229 A 10.xx.yy.228
- The client obtains a TGT with its machine account (RHEL$) from the KDC of its own realm, BODX.SDS.CS.COM.IN (10.rr.pp.132):
2182 2023-02-20 14:47:45.692 10.vv.dd.42 10.rr.pp.132 KRB5 40060,88 RHEL$ krbtgt,BODX.SDS.CS.COM.IN AS-REQ
2185 2023-02-20 14:47:45.692 10.rr.pp.132 10.vv.dd.42 KRB5 88,40060 RHEL$ krbtgt,BODX.SDS.CS.COM.IN AS-REP
- The client then requests a service ticket for the ONTAP NFS SPN (nfs/nfsserver-3.nas.ss.com.in) from the same BODX.SDS.CS.COM.IN KDC, which answers with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. ONTAP registered that SPN in BOD.SS.COM.IN (see the nfs kerberos interface show output above), not in the realm that issued the TGT; without a service ticket the mount fails with access denied:
2212 2023-02-20 14:47:45.695 10.vv.dd.42 10.rr.pp.132 KRB5 40062,88 krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42 KRB5 88,40062 nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
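To pull this pattern out of a larger capture, the following Python example (added here; not part of the original article or of any NetApp tool) parses Wireshark-style summary lines such as the ones above, pairs each Kerberos request with its reply by client port, and flags a TGS-REQ that was answered with an error by the KDC of a realm other than the one the SPN is registered in. The sample lines are copied from the trace above (constructed input for the script); the column layout of the summary lines and the SPN realm taken from the interface output are assumptions.

```python
import re

# Summary lines copied from the client-side trace above (addresses anonymised
# as on the page). Layout assumed: frame date time src dst KRB5 sport,dport info
TRACE = """\
2182 2023-02-20 14:47:45.692 10.vv.dd.42 10.rr.pp.132 KRB5 40060,88 RHEL$ krbtgt,BODX.SDS.CS.COM.IN AS-REQ
2185 2023-02-20 14:47:45.692 10.rr.pp.132 10.vv.dd.42 KRB5 88,40060 RHEL$ krbtgt,BODX.SDS.CS.COM.IN AS-REP
2212 2023-02-20 14:47:45.695 10.vv.dd.42 10.rr.pp.132 KRB5 40062,88 krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42 KRB5 88,40062 nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
"""

# Realm in which ONTAP registered the NFS SPN ('nfs kerberos interface show' above).
SPN_REALM = "BOD.SS.COM.IN"

LINE_RE = re.compile(
    r"^(?P<frame>\d+) \S+ (?P<time>\S+) (?P<src>\S+) (?P<dst>\S+) KRB5 "
    r"(?P<sport>\d+),(?P<dport>\d+) (?P<info>.+)$")
REALM_RE = re.compile(r"krbtgt,([A-Z0-9.-]+)")
SERVICE_RE = re.compile(r"krbtgt,[A-Z0-9.-]+,(\S+) TGS-REQ$")
ERROR_RE = re.compile(r"KRB Error: (\S+)")


def parse(trace):
    """Parse KRB5 summary lines into dicts; lines that do not match are skipped."""
    msgs = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            msgs.append(d)
    return msgs


def pair(msgs):
    """Pair every request sent to port 88 with the reply on the same client port."""
    exchanges = []
    for req in (m for m in msgs if m["dport"] == 88):
        reply = next((r for r in msgs if r["sport"] == 88
                      and r["dport"] == req["sport"] and r["dst"] == req["src"]), None)
        realm = REALM_RE.search(req["info"])
        ex = {"kind": req["info"].rsplit(" ", 1)[1],   # AS-REQ or TGS-REQ
              "client": req["src"], "kdc": req["dst"],
              "kdc_realm": realm.group(1) if realm else None,
              "request": req["info"], "reply": None, "error": None}
        if reply is not None:
            ex["reply"] = reply["info"]
            err = ERROR_RE.search(reply["info"])
            ex["error"] = err.group(1) if err else None
        exchanges.append(ex)
    return exchanges


def failed_tgs(exchanges, spn_realm=SPN_REALM):
    """TGS-REQs answered with a KRB error, noting whether the KDC asked belongs
    to a realm other than the one the SPN is registered in (cross-realm case)."""
    out = []
    for ex in exchanges:
        if ex["kind"] != "TGS-REQ" or ex["error"] is None:
            continue
        svc = SERVICE_RE.search(ex["request"])
        out.append({"service": svc.group(1) if svc else None,
                    "kdc": ex["kdc"], "kdc_realm": ex["kdc_realm"],
                    "spn_realm": spn_realm, "error": ex["error"],
                    "cross_realm": ex["kdc_realm"] != spn_realm})
    return out


if __name__ == "__main__":
    for f in failed_tgs(pair(parse(TRACE))):
        print(f"{f['service']}: {f['error']} from KDC {f['kdc']} ({f['kdc_realm']}); "
              f"SPN realm {f['spn_realm']}; cross-realm={f['cross_realm']}")
```

On the trace above this reports the single failed TGS-REQ for nfs,nfsserver-3.nas.ss.com.in, answered by the BODX.SDS.CS.COM.IN KDC with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN while the SPN lives in BOD.SS.COM.IN. A healthy cross-realm exchange would instead show a TGS-REP carrying a krbtgt/BOD.SS.COM.IN@BODX.SDS.CS.COM.IN referral ticket followed by a TGS-REQ to a BOD.SS.COM.IN KDC, so a capture with only the error reply is the thing to look for.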