Learn how to fix the “Access denied by server while mounting Kerberos NFS “ error. Our NFS Support team is here to help you with your questions and concerns.

Access denied by server while mounting Kerberos NFS | Resolved

If you have been coming across the following error message, you are in the right place.

access denied by server while mounting Kerberos NFS

According to our experts, this error occurs if there is a permission issue or a misconfiguration in the NFS server or client related to Kerberos authentication.

Here are some troubleshooting tips put together by our experts:

• In some cases, the NFS server may support NFSv3 connections only.

  However, the mount command relies on NFSv4, by default. This will lead to an error message. We can avoid this by specifying the NFSv3 while mounting the share as seen here:

  # mount -t nfs -o nfsvers=3 x.x.x.x:/share /mnt
• If the above tip did not help, check if the /etc/exports file refers to the correct NFS client information to provide access. In some cases, NFS servers require NFS client names to be resolvable to IP. Hence it has to be resolvable via DNS or specified in /etc/hosts of the NFS server.
• Sometimes the error may pop up due to an issue with the NFS server sharing the NFS share. Then, we can try mounting the share causing the error on another NFS client, to determine if the NFS server is behind the error.
• Next, check if the Kerberos options are set for secure Kerberos authentication.

  sec=krb5p, krb5i, or krb5

  These options ensure that the NFS client and server communicate securely using Kerberos.
• Now, it is time to verify that the Kerberos configuration is set up on both the NFS server and the client. Furthermore, our experts recommend making sure that the clocks on both the server and client are synchronized.
• Rarely, we may have to rely on tcpdump to capture tcpdump of the mount operation.

  This involves running the following command to capture the network packets. Parallelly. We have to start the NFS mount operation.

  # tcpdump -s0 -i [eth#] host [nfs_server_ip] -w /tmp/tcpdump.pcap
• Now, check if the NFS service principal name is correctly configured in the Kerberos database (/etc/krb5.keytab) and matches the one used in the NFS server configuration and client mount command. The service principal name has to be in this format

  nfs/hostname@REALM
• Finally, we have to verify that the client has a valid Kerberos ticket.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

To conclude, our Support Techs demonstrated how to troubleshoot the “ Access denied by server while mounting Kerberos” error.