Network and Storage Protocols

Kerberized NFS access from macOS Sierra to 8.2.4P6 7-Mode

markus_kuhn
5,308 Views

We have a FAS 3220 filer, recently upgraded to 8.2.4P6 7-Mode. It is part of an Active Directory domain running at domain functional level Windows Server 2008 R2. We use the CIFS domain setup also for Kerberized NFS, but sadly this only gives us arcfour-hmac encryption.

 

We have so far been unable to NFS mount from macOS Sierra 10.12.5. The reason for this is a lack of compatible encryption types between the three systems involved:

 

macOS Sierra NFS RPCSEC_GSS now supports aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96, as does Active Directory domain functional level Windows Server 2008 R2.

 

However, the Active Directory server is still unwilling to issue AES tickets for this 8.2.4P6 7-Mode filer:

 

linux-client$ kvno -e aes128-cts-hmac-sha1-96 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
kvno: KDC has no support for encryption type while getting credentials for nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK

 

It only issues tickets using the old arcfour-hmac encryption type, which is outdated and not supported by macOS NFS RPCSEC_GSS:

 

linux-client$ klist -e

[...]

14/07/17 09:16:28 14/07/17 19:16:28 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
Etype (skey, tkt): arcfour-hmac, arcfour-hmac

 

We have already tried on the filer

 

cifs terminate
[delete filer's Computers entry on Active Directory]
cifs setup
nfs setup

in order to make sure that the filer creates a fresh Kerberos key and related metadata on the Active Directory domain controller.

 

But this still did not result in the AD KDC issuing AES session keys to the filer, which would be required for macOS Sierra NFS RPCSEC_GSS compatibility.

 

We have noticed that when the filer creates during "cifs setup" a new server entry for itself on the domain controller, it does *not* set the attribute

 

  msDS-SupportedEncryptionTypes

 

I believe it ought to set it to something like

 

  msDS-SupportedEncryptionTypes = 28 = 0x1C =  RC4-HMAC | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96

 

to tell the KDC what encryption types it supports.

 

Does 8.2.4P6 7-Mode support Kerberized NFS with AES encryption types?

 

Is 8.2.4P6 7-Mode Kerberized NFS compatible with macOS Sierra in a Windows Server 2008 R2 domain?

 

5 REPLIES 5

markus_kuhn
5,227 Views

That KB does not help: it merely demonstrates how to set up Kerberized NFS with

the old "ArcFour with HMAC/md5" encryption type. We have used this for many years from Linux.

 

However, "ArcFour with HMAC/md5" was never supported by Apple.

 

Since Apple disabled Single-DES in OS X Yosemite, the only Kerberos encryption types

compatible with both Active Directory and macOS Sierra have been 128-bit AES and 256-bit AES.

 

AES is what we have not managed to get to work under 7-mode.

 

parisi
5,209 Views

There will be no AES support for 7-Mode. For AES, use ONTAP 8.3 or later.

markus_kuhn
5,169 Views

Thanks for the clarification. 😞 In that case, you should probably review/revise

all mention of AES in the 7-mode documentation, for example in

 

  Data ONTAP® 8.2
  File Access and Protocols Management Guide
  For 7-Mode

  https://library.netapp.com/ecm/ecm_download_file/ECMP1401220

 

in the /etc/krb5.conf example file on page 30 the lines

 

  default_tgs_enctypes = aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes128-cts-hmac-sha1-96

 

and in the command-line examples on page 31 the use of the option

 

  -e "aes128-cts-hmac-sha1-96:normal" 

 

These examples (and feedback from a support contractor) had given

us hope that AES would be supported in 8.2 7-mode.

 

None of the above options make sense if the server does not actually

support any AES encryption types. (In that case, their presence may

actually prevent NFS (RPCSEC_GSS) authentication from succeeding,

by restricting the enctype to one that the server doesn't implement.)

 

parisi
5,120 Views

Thanks.

 

I don't write the product docs but will pass this feedback on.

Public