https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/155686#M35102 <P>Yesterday we faced the same issue. Performing the PS command "Set-ADComputer NFS-KRB-NAME$ -KerberosEncryptionType AES256,AES128" on one DC for the server (SVM) and one test client solved it for us.</P> <P>&nbsp;</P> <P>After that we faced some other 7MTT migration issues, but in the end we managed to use Kerberos authentication from NFS clients.</P> Thu, 23 Apr 2020 06:26:42 GMT MARIOWEISE 2020-04-23T06:26:42Z https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/149829#M33332 <P>I'm working on configuring Kerberos for NFSv4 on ONTAP 9.3, following <A href="https://www.netapp.com/us/media/tr-4616.pdf" target="_blank">https://www.netapp.com/us/media/tr-4616.pdf</A>.&nbsp; I'm running into problems with Kerberos encryption types and am wondering if I've missed something.&nbsp;</P> <P>&nbsp;</P> <P>I've made sure to configure both the client object and the nfs server computer object to only use AES-128 or AES-256 via the following powershell command:&nbsp;&nbsp;</P> <P><FONT size="2"><SPAN style="font-family: inherit;">set-adcomputer &lt;server&gt; -Replace @{'msDS-SupportedEncryptionTypes'=24}</SPAN></FONT></P> <P>&nbsp;</P> <P><SPAN style="font-family: inherit;">Despite that, mount attempts continue to fail with the the following error, indicating that ArcFour is still being used:</SPAN></P> <DIV class="BubbleStyle_GroupFrame"> <DIV id="patrick.w.klein@emcins.com@3:48 PM" class="BubbleStyle_BubbleContainer"> <DIV class="flagIcon right"> <DIV class="BubbleStyle_GroupFrame"> <DIV id="patrick.w.klein@emcins.com@3:48 PM" class="BubbleStyle_BubbleContainer"> <DIV class="BubbleStyle_BubbleFrame"> <DIV class="BubbleStyle_MessageAndTimeContainer"> <DIV class="BubbleStyle_MessagesContainer"> <DIV id="msg_id_308" class="BubbleStyle_MessageContainer"><FONT size="2">7/24/2019 16:46:34 &lt;node-02&gt; ERROR secd.nfsAuth.problem: vserver (&lt;test-svm&gt;) General NFS authorization problem. Error: RPC accept GSS token procedure failed</FONT><BR /><FONT size="2">[ 12 ms] Acquired NFS service credential for logical interface 1035 (SPN='nfs/&lt;test-svm.realm.com@REALM.COM&gt;').</FONT><BR /><FONT size="2">**[ 18] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Encryption type ArcFour with HMAC/md5 not permitted).</FONT></DIV> </DIV> </DIV> </DIV> <DIV class="flagIcon right">&nbsp;</DIV> <DIV class="flagIcon right">Is there another location I need to be specifying which encryption type Kerberos should be using?&nbsp; &nbsp;</DIV> <DIV class="flagIcon right">&nbsp;</DIV> </DIV> </DIV> <DIV class="BubbleStyle_BubbleAvatar" title="Patrick Klein" data-jid="patrick.w.klein@emcins.com">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV class="BubbleStyle_BubbleAvatar" title="Patrick Klein" data-jid="patrick.w.klein@emcins.com">&nbsp;</DIV> Wed, 24 Jul 2019 22:14:12 GMT https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/149829#M33332 patrick-k 2019-07-24T22:14:12Z https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/149938#M33360 <P>Command used in powershell to set encryption type is correct.</P> <P>Please make sure you have set AES only in keytab as well. Refer below document:</P> <P><A href="https://www.netapp.com/us/media/tr-4073.pdf" target="_blank">https://www.netapp.com/us/media/tr-4073.pdf</A>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ----&gt;<STRONG> Page- 31 "Setting the Keytab to Use AES Only "</STRONG></P> <P>If you are still facing any issues in setup NFS Kerberos, our expert team can help.</P> <P>We have dedicated team for initial setup and configurations. I would suggest you to please contact sales team:</P> <P><A href="https://www.netapp.com/us/contact-us/support.aspx" target="_blank">https://www.netapp.com/us/contact-us/support.aspx</A></P> Wed, 31 Jul 2019 04:19:49 GMT https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/149938#M33360 ManpreetS 2019-07-31T04:19:49Z https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/154755#M34748 <P>Hey Patrick,</P> <P>What did you do to resolve this? &nbsp;I'm facing the same issue.</P> <P>--Brett</P> Wed, 04 Mar 2020 22:47:12 GMT https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/154755#M34748 Brett_Monroe 2020-03-04T22:47:12Z https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/155686#M35102 <P>Yesterday we faced the same issue. Performing the PS command "Set-ADComputer NFS-KRB-NAME$ -KerberosEncryptionType AES256,AES128" on one DC for the server (SVM) and one test client solved it for us.</P> <P>&nbsp;</P> <P>After that we faced some other 7MTT migration issues, but in the end we managed to use Kerberos authentication from NFS clients.</P> Thu, 23 Apr 2020 06:26:42 GMT https://community.netapp.com/t5/ONTAP-Discussions/NFSv4-and-Kerberos-encryption-types/m-p/155686#M35102 MARIOWEISE 2020-04-23T06:26:42Z