NFS Services Administrator's Guide (762805-001, March 2014)
“Permission Denied” message
This message can be displayed for one of the following reasons:
• The Ticket Granting Ticket (TGT) has expired
To renew the ticket, enter the following command:
kinit username
• Fully qualified hostname resolution problem
To verify the hostname resolution, check the following files:
◦ /etc/nsswitch.conf
◦ /etc/hosts
To provide a fully qualified host name, do the following:
◦ Add dns to the hosts entry in /etc/nsswitch.conf
◦ Re-configure NIS and /etc/hosts
• Time mismatch of 5 minutes between Kerberos server and Kerberos client
HP recommends that you run a time server to synchronize the time between the client and the server.
• Improper krb5.conf
This could be because the realm-to-domain matching is not set in either the server's or the
client's configuration file (krb5.conf).
To fix the krb5.conf file for proper domain name to realm matching, modify the file based
on the following sample:
#
# Kerberos configuration
# This krb5.conf file is intended as an example only.
# see krb5.conf(4) for more details
# hostname is the fully qualified hostname (FQDN) of the host on which kdc is running
# domain_name is the fully qualified name of your domain
[libdefaults]
default_realm = krbhost.anyrealm.com
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
krbhost.anyrealm.com = {
kdc = krbhost.anyrealm.com:88
admin_server = krbhost.anyrealm.com
}
[domain_realm]
.anyrealm.com = krbhost.anyrealm.com
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
• The user who is trying to access the mounted filesystem has not obtained a TGT using their
login.
For example, if you are a guest user and are attempting to access the NFS mounted filesystem
with the Kerberos security option, you need to have a TGT.
To identify the default principal name, enter the following command:
klist
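The realm-to-domain matching problem described above can be checked offline. The following is an added example, not code from the guide or from HP: it parses a krb5.conf, resolves a host name through [domain_realm] using a simplified model of the lookup (exact host entry first, then the longest ".domain" suffix), and reports a missing mapping or a mapped realm with no [realms] block. It also reports single-DES enctypes such as the sample's DES-CBC-CRC, which RFC 6649 deprecates. The host name nfsclient.anyrealm.com and the function names are assumptions made for the illustration.

```python
# Constructed sample modelled on the guide's krb5.conf (not a real deployment).
GOOD = """[libdefaults]
default_realm = krbhost.anyrealm.com
default_tkt_enctypes = DES-CBC-CRC
[realms]
krbhost.anyrealm.com = {
kdc = krbhost.anyrealm.com:88
}
[domain_realm]
.anyrealm.com = krbhost.anyrealm.com
"""
BROKEN = GOOD.split("[domain_realm]")[0]  # same file with the mapping missing

def parse(text):
    """Return {section: {key: value}}; a 'name = {' block becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            block = None
        elif line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def realm_for_host(conf, fqdn):
    """Simplified lookup: exact host entry, then the longest '.domain' suffix."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = fqdn.lower().split(".")
    candidates = [fqdn.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def findings(text, fqdn):
    conf, out = parse(text), []
    realm = realm_for_host(conf, fqdn)
    if realm is None:
        out.append(f"no [domain_realm] entry covers {fqdn}")
    elif realm not in conf.get("realms", {}):
        out.append(f"{fqdn} maps to {realm}, which has no [realms] block")
    for key, value in conf.get("libdefaults", {}).items():
        if key.endswith("_enctypes") and "des-cbc" in value.lower():
            out.append(f"{key} allows single DES ({value}), deprecated by RFC 6649")
    return out
```

Run findings() against the krb5.conf of both the NFS server and the client, passing the fully qualified name of the other host each time, since the guide notes the mapping can be missing on either side.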
Common problems while using secure NFS with Kerberos