Accepted Solution

Enable kerberos on LIF

Hello,


Our customer wants to use Kerberos and NFS4.1 ACL on their Infinite Volume… I could not find any documentation about FreeIPA or Red Hat IdM. I simulated their infrastructure in our demo environment and got stuck on enabling Kerberos on the LIF. I'm using the following steps for configuration.


  1. Create host on freeipa
  2. Create NFS service on freeipa
  3. Get keytab for nfs service on freeipa
  4. Create the Kerberos realm on ONTAP
  5. Get the following error when trying to enable Kerberos on the LIF on ONTAP

Failed to enable NFS Kerberos on LIF "nfs_node1_P1". Keytab import failed due to missing keys. Keys for encryption types "des-cbc-crc,des3-cbc-sha1,aes128-cts-hmac-sha1-96,aes256-cts-hmac-sha1-96" are required for Vserver "nfs_test" but found no matching keys for service principal name "nfs/ntap.demo.demo@demo.demo". Generate the keytab file with all required keys and try again. (Error: 13001)


demo::> nfs show -vserver nfs_test -fields permitted-enc-types
vserver permitted-enc-types
-------- ------------------------
nfs_test des,des3,aes-128,aes-256


[root@ipa-1 ~]# klist -kte /root/HOST_NFS_CERT.keytab
Keytab name: FILE:/root/HOST_NFS_CERT.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 01/17/2018 09:10:45 host/ntap.demo.demo@demo.DEMO (aes256-cts-hmac-sha1-96)
4 01/17/2018 09:10:46 host/ntap.demo.demo@demo.DEMO (aes128-cts-hmac-sha1-96)
4 01/17/2018 09:10:46 host/ntap.demo.demo@demo.DEMO (des3-cbc-sha1)
4 01/17/2018 09:10:46 host/ntap.demo.demo@demo.DEMO (des-cbc-crc)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (aes256-cts-hmac-sha1-96)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (aes128-cts-hmac-sha1-96)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (des3-cbc-sha1)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (des-cbc-crc)
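A pre-check worth running before attempting the LIF enable, added here as an example and not code from the post or from NetApp/FreeIPA: it parses klist -kte output, maps ONTAP's permitted-enc-types names to the Kerberos enctype names klist prints, and reports which keys the Vserver requires but the keytab lacks for the SPN. Kerberos compares principal and realm names case-sensitively, so the check does too and flags the near-miss visible above (the error names nfs/ntap.demo.demo@demo.demo while the keytab holds nfs/ntap.demo.demo@demo.DEMO). The enctype mapping and the sample listing are assumptions taken from the outputs in the post.

```python
import re
from collections import defaultdict

# ONTAP's permitted-enc-types names (nfs show -fields permitted-enc-types) mapped
# to the Kerberos enctype names that klist -kte prints; assumed from the post.
ONTAP_TO_KRB_ENCTYPE = {
    "des": "des-cbc-crc",
    "des3": "des3-cbc-sha1",
    "aes-128": "aes128-cts-hmac-sha1-96",
    "aes-256": "aes256-cts-hmac-sha1-96",
}

# One klist -kte entry: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample: the nfs/ entries of the keytab listing shown in the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/root/HOST_NFS_CERT.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (aes256-cts-hmac-sha1-96)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (aes128-cts-hmac-sha1-96)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (des3-cbc-sha1)
7 01/17/2018 09:11:06 nfs/ntap.demo.demo@demo.DEMO (des-cbc-crc)
"""

def parse_klist(text):
    """Return {principal: {enctype: kvno}}; header and separator lines are skipped."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            keys[principal][enctype] = int(kvno)
    return dict(keys)

def check_keytab(klist_text, spn, permitted_enc_types):
    """Report the enctypes the Vserver requires that the keytab lacks for spn.

    Principals are compared exactly, as Kerberos does (realm names are
    case-sensitive); entries differing from spn only in case go in 'case_mismatch'
    so the near-miss is visible instead of passing silently.
    """
    keys = parse_klist(klist_text)
    required = {ONTAP_TO_KRB_ENCTYPE[e.strip()] for e in permitted_enc_types.split(",")}
    present = set(keys.get(spn, {}))
    missing = sorted(required - present)
    near_miss = sorted(p for p in keys if p != spn and p.lower() == spn.lower())
    return {"ok": not missing, "missing": missing, "case_mismatch": near_miss}
```

Calling check_keytab(SAMPLE_KLIST, "nfs/ntap.demo.demo@demo.demo", "des,des3,aes-128,aes-256") with the SPN exactly as the error printed it reports all four keys missing and the upper-case realm entry as a case mismatch. Running it with "aes-128,aes-256" as the permitted list shows the alternative to loading weak enctypes into IPA: narrowing the Vserver's permitted-enc-types to AES lets an AES-only keytab pass without DES keys.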

Re: Enable kerberos on LIF

Hi,


It could be due to bug: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=880293


Re: Enable kerberos on LIF

I updated the LDAP with weak enctypes on the IPA server. Now I can enable the Kerberos LIF. Thank you.


# ipa-ldap-updater ./20-weak-enctypes.update