ONTAP Discussions

Secure NFS help

bsnyder27

I'm working on getting an NFS mount to succeed using krb5p security using a RHEL 7 client. Kerberos is enabled on a data lif of the SVM. The linux client has kerberos set up correctly to at least ssh in and get a kerberos ticket generated. I just can't figure out the piece I'm missing to get NFS mount with krb5. A successful kinit with a domain user account uses encryption type aes256-cts-hmac-sha1-96.


Two errors I'll make note of.


First is in the event logs of the NetApp, a secd error. Not sure why it's trying ArcFour when SVM is set to only allow aes-128, aes-256. krb.conf on client only set for aes256-cts-hmac-sha1-96


Message Name: secd.nfsAuth.problem
**[ 11] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Encryption type ArcFour with HMAC/md5 not permitted).
Corrective Action: Examine the failure details to determine corrective action. Common failures include name mapping issues, or the inability to communicate with domain controllers, NIS servers, or LDAP servers due to connectivity or configuration problems.
Description: This message occurs when an NFS authorization attempt fails.


Second error is on the linux client yet there is a SPN in AD and in the keytab file of the host for nfs.


gssproxy[553]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Client 'nfs/rhel7test.realm.example.com@REALM.EXAMPLE.COM' not found in Kerberos database


Also possibly related: the 'klist -ke' command shows many encryption types for each principal name listed. Where are all of these populated from when I only desire AES?


bsnyder27

Two things that really boggle me with this issue...


  1. The secd error noting 'Encryption type ArcFour with HMAC/md5 not permitted'
    • I only have AES-256 encryption set in the krb5.conf file on the linux client. klist -e confirms this, so why is it attempting RC4?
  2. When joining the linux client to the AD domain, it adds all of the following encryption types. Any idea as to why? Where is it getting this list?
    • des-cbc-crc
    • des-cbc-md5
    • aes128-cts-hmac-sha1-96
    • aes256-cts-hmac-sha1-96
    • arcfour-hmac
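Both posts above turn on the same question: which encryption types actually sit in the client keytab, and whether the nfs/ service principal has a key the SVM will accept. The following is an added example (not code from the poster, NetApp or Red Hat) that parses `klist -ke` output and reports the entries that fall outside an AES-only policy, whether the service principal used for the mount is present with an allowed key, and whether any principal has keys with mixed KVNOs (a stale keytab after a key rotation also produces GSS failures). The sample keytab listing is constructed to match the enctype list in the reply; the hostname and realm are the example names used in the thread, and the allowed set mirrors the AES-128/AES-256 policy the poster says is configured on the SVM.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Encryption types the thread says the SVM permits (AES only). Assumption:
# this mirrors the SVM's Kerberos permitted-enctypes setting.
ALLOWED_ENCTYPES = frozenset({"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"})

# One keytab entry line of `klist -ke`: "<kvno> <principal> (<enctype>)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


def parse_klist_ke(text: str) -> list:
    """Parse the entry lines of `klist -ke` output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(entries, service_principal: str, allowed=ALLOWED_ENCTYPES) -> dict:
    """Report keys outside the allowed set and whether the service principal
    needed for the mount has at least one key the server will accept."""
    disallowed = sorted({e.enctype for e in entries if e.enctype not in allowed})
    service_keys = [e for e in entries if e.principal == service_principal]
    usable = sorted({e.enctype for e in service_keys if e.enctype in allowed})
    # All keys of one principal should share a KVNO; a mix means the keytab
    # was not fully refreshed after a key change.
    kvnos = defaultdict(set)
    for e in entries:
        kvnos[e.principal].add(e.kvno)
    stale = sorted(p for p, k in kvnos.items() if len(k) > 1)
    return {
        "disallowed_enctypes": disallowed,
        "service_present": bool(service_keys),
        "service_allowed_enctypes": usable,
        "principals_with_mixed_kvno": stale,
    }


# Constructed sample resembling the listing described in the thread.
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rhel7test.realm.example.com@REALM.EXAMPLE.COM (des-cbc-crc)
   3 host/rhel7test.realm.example.com@REALM.EXAMPLE.COM (des-cbc-md5)
   3 host/rhel7test.realm.example.com@REALM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/rhel7test.realm.example.com@REALM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/rhel7test.realm.example.com@REALM.EXAMPLE.COM (arcfour-hmac)
   3 nfs/rhel7test.realm.example.com@REALM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/rhel7test.realm.example.com@REALM.EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":
    spn = "nfs/rhel7test.realm.example.com@REALM.EXAMPLE.COM"
    report = audit_keytab(parse_klist_ke(SAMPLE), spn)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real client, feed the text of `klist -ke` (run as root, since the keytab is root-readable) into `parse_klist_ke` and pass the exact nfs/ principal the mount will use. A non-empty `disallowed_enctypes` list shows which keys a server restricted to AES can never use; an empty `service_allowed_enctypes` list means the mount cannot succeed under that policy regardless of what krb5.conf on the client permits, because the server side still has to find a matching key.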