There is a fairly well documented bug that we've run against. When
using Active Directory as a KDC, users with a large number of group
memberships can overrun a UDP packet, causing Kerberos to fall back to
TCP. When a user logs into the system, they have a kerberos ticket,
but get a "permission denied" when accessing the NFS share. We've
reproduced this by taking a functioning user, adding tons of group
membership. The error message pops right up.
The traditional fix is to set NO_AUTH_DATA_REQUIRED on the NFS
server's machine account, as explained here:
http://theether.net/kb/100205.
While this seems to work, it's a bit of a dirty hack. Any thoughts on
a root-cause? We're happy to serve as a guinea pig if anyone can point
us in the right direction.
Thanks,
Norman