NFS client failing with permission denied error when mounting a vSAN File Service file share using Kerberos

Article ID: 326425

Updated On:

Products

VMware vSAN

Issue/Introduction

Symptoms:
Mounting a vSAN File Service share fails with the error "Permission denied" when krb5 authentication is used, as in the following example:

[root@h10-186-84-188 ~]# mount -t nfs4 -o sec=krb5,minorversion=1 h308-0-a-0-1d26.vsanfs-sh.prv:/vsanfs/Share-FM3K /mnt/exports/ -vvv
mount.nfs4: timeout set for Tue Feb  1 08:39:48 2022
mount.nfs4: trying text-based options 'sec=krb5,minorversion=1,addr=<NFS-Server-IP>,clientaddr=<Client-IP>'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting h308-0-a-0-1d26.vsanfs-sh.prv:/vsanfs/Share-FM3K
[root@h10-186-84-188 ~]# 


Environment

VMware vSAN 8.0.x
VMware vSAN 7.0.x
VMware vSAN 6.x

Cause

Mounting a file share fails when the mount is eventually referred to a different file share. This happens because the DNS server has no reverse lookup entry for the IP address of the referred file share, so the NFS client cannot obtain a Kerberos ticket to access that share. As a result, security falls back to weaker methods, which the server does not allow.

Resolution

Once an entry for the referred file share is added to the DNS server, the client uses the GSS credential to mount the referred share, the mount succeeds and the issue is resolved.

The Kerberos configuration on the client should have reverse name lookup enabled in addition to forward name lookup. The DNS server must also be configured so that a reverse lookup of any file server IP address succeeds.
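
The two conditions above can be checked before retrying the mount. The following is an added example, not part of the original article or VMware code: it assumes an MIT Kerberos client, where reverse name lookup is controlled by the `rdns` setting in the `[libdefaults]` section of krb5.conf, and all function names, IP addresses and host names in it are constructed for illustration.

```python
import socket

FALSE_VALUES = {"n", "no", "false", "nil", "0", "off"}  # krb5.conf spellings of "false"

def rdns_enabled(krb5_conf_text):
    """True unless [libdefaults] explicitly turns rdns off (MIT krb5 defaults to on)."""
    section, enabled = None, True
    for line in map(str.strip, krb5_conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key == "rdns":
                enabled = value not in FALSE_VALUES
    return enabled

def check_file_server_dns(ips, reverse, forward):
    """Classify each file server IP by its reverse and forward DNS state."""
    report = {}
    for ip in ips:
        name = reverse(ip)
        if name is None:
            report[ip] = "no-reverse-entry"   # the failure described in Cause
        elif ip in forward(name):
            report[ip] = "ok"
        else:
            report[ip] = "forward-mismatch"   # PTR name does not map back to the IP
    return report

def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror: no PTR record
        return None

def system_forward(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

SAMPLE_PTR = {"192.0.2.10": "fs-a.example.test"}  # constructed: referred share .11 has no PTR
SAMPLE_A = {"fs-a.example.test": ["192.0.2.10"]}  # constructed forward zone

def sample_report():
    return check_file_server_dns(["192.0.2.10", "192.0.2.11"], SAMPLE_PTR.get,
                                 lambda name: SAMPLE_A.get(name, []))

if __name__ == "__main__":
    print(sample_report())
```

Against a live environment, pass `system_reverse` and `system_forward` together with the IP addresses of every file server, including those a share can be referred to, and feed the client's krb5.conf contents to `rdns_enabled`.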