NFSv4 (with Kerberos) on SCALE doesn't handle large Kerberos tickets
Description
Problem/Justification
None
Impact
None
Activity
Automation for Jira July 19, 2023 at 1:50 PM
This issue has now been closed. Comments made after this point may not be viewed by the TrueNAS Teams. Please open a new issue if you have found a problem or need to re-engage with the TrueNAS Engineering Teams.
Bug Clerk July 15, 2023 at 12:57 AM
Mark Grimes June 21, 2023 at 11:04 PM
Andrew Walker May 13, 2023 at 1:02 PM
You should be able to reproduce without FreeIPA (using AD)
Mark Grimes May 12, 2023 at 5:04 PM
Complete
Details
Assignee
Mark Grimes
Reporter
John Yocum
Created March 16, 2023 at 5:15 PM
Updated July 19, 2023 at 1:50 PM
Resolved July 19, 2023 at 1:50 PM
In very large Active Directory environments a user may be part of 100s of groups. For example, I’m a member of 383 groups (we’re a university). Due to the large number of groups, and other data that AD stuffs into the Kerberos PAC field, the Kerberos ticket can be several KB in size. In my case, it’s about 5KB. Unfortunately, the Linux kernel’s NFS / rpc.svcgssd interface can only handle up to 2KB in size. Tickets larger than that simply fail, resulting in permission denied errors. There is a solution, gssproxy, which has support within the kernel. It can handle much larger Kerberos tickets.
gssproxy/NFS.md at main · gssapi/gssproxy · GitHub
rpcsec_gss support for kernel RPC servers — The Linux Kernel documentation
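
A diagnostic for the limit described in the report above, added here as an example and not taken from the ticket or from TrueNAS: it reads `/proc/net/rpc/use-gss-proxy`, the flag the kernel's rpcsec_gss documentation says gssproxy sets to `1`, and marks a ticket as at risk when it exceeds the reported 2KB limit and gssproxy is not the active upcall path. The function names and the `ROOT` prefix argument are hypothetical, and the reading of flag values other than `1` and `0` is an assumption.

```shell
#!/bin/sh
# Added example: report which GSS upcall path the kernel NFS server is using
# and whether a ticket of a given size fits it. Run as root on a live host;
# an unreadable flag file is reported as "unavailable".

LEGACY_LIMIT=2048   # the 2KB rpc.svcgssd limit stated in the report

# Prints: gssproxy | legacy | undecided | unavailable
# $1 = optional ROOT prefix (hypothetical, lets the check read a copy of /proc)
gss_upcall_mode() {
    flag="${1:-}/proc/net/rpc/use-gss-proxy"
    [ -r "$flag" ] || { echo unavailable; return 0; }
    case "$(tr -d '[:space:]' < "$flag")" in
        1) echo gssproxy ;;
        0) echo legacy ;;
        *) echo undecided ;;   # assumption: no mechanism has been chosen yet
    esac
}

# Prints: ok | at-risk
# $1 = ticket size in bytes, $2 = optional ROOT prefix
ticket_verdict() {
    size="$1"
    mode="$(gss_upcall_mode "${2:-}")"
    # Anything other than gssproxy is treated as bound by the legacy limit.
    if [ "$mode" = gssproxy ] || [ "$size" -le "$LEGACY_LIMIT" ]; then
        echo ok
    else
        echo at-risk
    fi
}

# Constructed sample: the roughly 5KB ticket mentioned in the report.
if [ "${1:-}" = "--demo" ]; then
    echo "mode=$(gss_upcall_mode) verdict=$(ticket_verdict 5120)"
fi
```
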