Access Denied When Mounting a File System with Kerberos Authentication
When mounting a file system that uses Kerberos authentication, access is denied.
The mount target's Kerberos Errors chart can include the following error types:
- Kerberos no keytab
- Kerberos no key
- Kerberos key version number mismatch
- Kerberos clock skew
  Oracle Cloud Infrastructure File Storage allows up to 300 seconds of clock skew when using Kerberos. To prevent intruders from resetting system clocks and using expired tickets, ticket requests from any host whose clock isn't within 300 seconds are rejected.
The mount target's LDAP Connection Errors chart and LDAP Request Errors chart can include the following error types:
- LDAP Connection Timeout
- LDAP Connection Refused/Reset
- LDAP Name Resolution Failure
- LDAP Bind Login Failed
- LDAP Certificate Validation Failure
- Lookup Username by UID
- Lookup UID by Username
- Lookup User Groups
Perform the following tasks to help troubleshoot this issue:
- Ensure that Kerberos is enabled on the mount target.
- Configure AUTH_SYS authentication on the export and try mounting the file system using -o sec=sys in the mount command. This test can help you determine whether the issue is specific to Kerberos authentication.
- Check the validity of the Kerberos ticket on the client using the klist -A command.
- Review the NFS client's rpc-gssd daemon logs for Kerberos-related issues. Increase the log verbosity of the rpc-gssd daemon as needed.
- Verify that the mount command uses the fully qualified domain name and includes the correct export options. For more information, see Mounting Kerberos-enabled File Systems.
- Check the mount target's charts and logs, if logging is enabled, for errors or Kerberos Keytab Load Success messages in the Kerberos Errors chart.
- If anonymous access is disabled, verify that a user entry is present under Search Base for Users with the uid, uidNumber and gidNumber attributes in the LDAP server. Verify that the group for the user exists in the Search Base for Groups with the gidNumber and memberUid attributes.
- Check the mount target's charts and logs, if logging is enabled, for errors in the LDAP Connection Errors chart or LDAP Request Errors chart.
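The following bash helper is an added example, not part of the Oracle documentation. It carries out two of the client-side checks listed above on constructed data: whether klist -A shows an unexpired nfs/ service ticket, and whether the client clock is within the 300-second skew limit the mount target enforces. It assumes GNU date and the MIT klist "MM/DD/YYYY HH:MM:SS" date format; the sample cache output, principals and timestamps are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the OCI docs): client-side checks for a Kerberos NFS mount.
# Assumes GNU date (-d) and MIT klist's "MM/DD/YYYY HH:MM:SS" Expires column.

MAX_SKEW=300   # seconds; the clock skew the mount target tolerates (from the doc)

# skew_ok CLIENT_EPOCH REFERENCE_EPOCH -> 0 if |client - reference| <= MAX_SKEW
skew_ok() {
  local diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -diff ))
  [ "$diff" -le "$MAX_SKEW" ]
}

# ticket_valid KLIST_OUTPUT NOW -> 0 if an nfs/ service ticket expires after NOW.
# NOW uses the same date format as klist. Returns 1 when no nfs/ ticket exists,
# which is what klist -A most often reveals on a client whose mount is denied.
ticket_valid() {
  local out="$1" now="$2" expires exp_epoch now_epoch
  expires=$(printf '%s\n' "$out" | awk '/ nfs\// { print $3 " " $4; exit }')
  [ -n "$expires" ] || return 1
  exp_epoch=$(date -d "$expires" +%s) || return 1
  now_epoch=$(date -d "$now" +%s) || return 1
  [ "$now_epoch" -lt "$exp_epoch" ]
}

# Constructed klist -A output for a client holding an nfs/ service ticket.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/2024 10:00:00  05/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/08/2024 10:00:00
05/01/2024 10:00:05  05/01/2024 20:00:00  nfs/fs.example.com@EXAMPLE.COM'

# Stand-alone run against the constructed data. On a real client, call:
#   ticket_valid "$(klist -A 2>/dev/null)" "$(date '+%m/%d/%Y %H:%M:%S')"
if ticket_valid "$SAMPLE_KLIST" "05/01/2024 19:00:00"; then
  echo "nfs/ ticket still valid"
else
  echo "nfs/ ticket missing or expired: obtain a fresh ticket and retry the mount"
fi
if skew_ok 1700000000 1700000400; then echo "clock skew within limit"
else echo "clock skew exceeds ${MAX_SKEW}s: correct the client clock before retrying"; fi
```

The reference epoch passed to skew_ok would normally come from the client's time source (for example, the offset reported by its NTP daemon), since the mount target's clock is not directly readable.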