2017-07-14 01:52 AM - edited 2017-07-14 02:14 AM
We have a FAS 3220 filer, recently upgraded to 8.2.4P6 7-Mode. It is part of an Active Directory domain running at domain functional level Windows Server 2008 R2. We use the CIFS domain setup also for Kerberized NFS, but sadly this only gives us arcfour-hmac encryption.
We have so far been unable to NFS mount from macOS Sierra 10.12.5. The reason for this is a lack of compatible encryption types between the three systems involved:
macOS Sierra NFS RPCSEC_GSS now supports aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96, as does Active Directory domain functional level Windows Server 2008 R2.
However, the Active Directory server is still unwilling to issue AES tickets for this 8.2.4P6 7-Mode filer:
linux-client$ kvno -e aes128-cts-hmac-sha1-96 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
kvno: KDC has no support for encryption type while getting credentials for nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
It only issues tickets using the old arcfour-hmac encryption type, which is outdated and not supported by macOS NFS RPCSEC_GSS:
linux-client$ klist -e
14/07/17 09:16:28 14/07/17 19:16:28 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
Etype (skey, tkt): arcfour-hmac, arcfour-hmac
We have already tried on the filer
[delete filer's Computers entry on Active Directory]
in order to make sure that the filer creates a fresh Kerberos key and related metadata on the Active Directory domain controller.
But this still did not result in the AD KDC issuing AES session keys to the filer, which would be required for macOS Sierra NFS RPCSEC_GSS compatibility.
We have noticed that when the filer creates during "cifs setup" a new server entry for itself on the domain controller, it does *not* set the attribute
I believe it ought to set it to something like
msDS-SupportedEncryptionTypes = 28 = 0x1C = RC4-HMAC | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96
to tell the KDC what encryption types it supports.
Does 8.2.4P6 7-Mode support Kerberized NFS with AES encryption types?
Is 8.2.4P6 7-Mode Kerberized NFS compatible with macOS Sierra in a Windows Server 2008 R2 domain?
2017-07-18 12:07 AM
try this kb?
2017-07-18 07:20 AM
That KB does not help: it merely demonstrates how to set up Kerberized NFS with
the old "ArcFour with HMAC/md5" encryption type. We have used this for many years from Linux.
However, "ArcFour with HMAC/md5" was never supported by Apple.
Since Apple disabled Single-DES in OS X Yosemite, the only Kerberos encryption types
compatible with both Active Directory and macOS Sierra have been 128-bit AES and 256-bit AES.
AES is what we have not managed to get to work under 7-mode.
2017-07-19 04:30 AM
Thanks for the clarification. :-( In that case, you should probably review/revise
all mention of AES in the 7-mode documentation, for example in
Data ONTAP® 8.2
File Access and Protocols Management Guide
in the /etc/krb5.conf example file on page 30 the lines
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha1-96
and in the command-line examples on page 31 the use of the option
These examples (and feedback from a support contractor) had given
us hope that AES would be supported in 8.2 7-mode.
None of the above options make sense if the server does not actually
support any AES encryption types. (In that case, their presence may
actually prevent NFS (RPCSEC_GSS) authentication from succeeding,
by restricting the enctype to one that the server doesn't implement.)