Network and Storage Protocols

Kerberized NFS access from macOS Sierra to 8.2.4P6 7-Mode

markus_kuhn

We have a FAS 3220 filer, recently upgraded to 8.2.4P6 7-Mode. It is part of an Active Directory domain running at domain functional level Windows Server 2008 R2. We use the CIFS domain setup also for Kerberized NFS, but sadly this only gives us arcfour-hmac encryption.

We have so far been unable to NFS mount from macOS Sierra 10.12.5. The reason for this is a lack of compatible encryption types between the three systems involved:

macOS Sierra NFS RPCSEC_GSS now supports aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96, as does Active Directory domain functional level Windows Server 2008 R2.

However, the Active Directory server is still unwilling to issue AES tickets for this 8.2.4P6 7-Mode filer:

linux-client$ kvno -e aes128-cts-hmac-sha1-96 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
kvno: KDC has no support for encryption type while getting credentials for nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK

It only issues tickets using the old arcfour-hmac encryption type, which is outdated and not supported by macOS NFS RPCSEC_GSS:

linux-client$ klist -e
[...]
14/07/17 09:16:28  14/07/17 19:16:28  nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
	Etype (skey, tkt): arcfour-hmac, arcfour-hmac

We have already tried on the filer

cifs terminate
[delete filer's Computers entry on Active Directory]
cifs setup
nfs setup

in order to make sure that the filer creates a fresh Kerberos key and related metadata on the Active Directory domain controller.

But this still did not result in the AD KDC issuing AES session keys to the filer, which would be required for macOS Sierra NFS RPCSEC_GSS compatibility.

We have noticed that when the filer creates a new server entry for itself on the domain controller during "cifs setup", it does *not* set the attribute

  msDS-SupportedEncryptionTypes

I believe it ought to set it to something like

  msDS-SupportedEncryptionTypes = 28 = 0x1C = RC4-HMAC | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96

to tell the KDC what encryption types it supports.

Does 8.2.4P6 7-Mode support Kerberized NFS with AES encryption types?

Is 8.2.4P6 7-Mode Kerberized NFS compatible with macOS Sierra in a Windows Server 2008 R2 domain?

 


markus_kuhn

That KB does not help: it merely demonstrates how to set up Kerberized NFS with the old "ArcFour with HMAC/md5" encryption type. We have used this for many years from Linux.

However, "ArcFour with HMAC/md5" was never supported by Apple.

Since Apple disabled Single-DES in OS X Yosemite, the only Kerberos encryption types compatible with both Active Directory and macOS Sierra have been 128-bit AES and 256-bit AES.

AES is what we have not managed to get to work under 7-mode.

 

parisi

There will be no AES support for 7-Mode. For AES, use ONTAP 8.3 or later.

markus_kuhn

Thanks for the clarification. 😞 In that case, you should probably review/revise all mention of AES in the 7-mode documentation, for example in

  Data ONTAP® 8.2
  File Access and Protocols Management Guide
  For 7-Mode

  https://library.netapp.com/ecm/ecm_download_file/ECMP1401220

in the /etc/krb5.conf example file on page 30 the lines

  default_tgs_enctypes = aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes128-cts-hmac-sha1-96

and in the command-line examples on page 31 the use of the option

  -e "aes128-cts-hmac-sha1-96:normal"

These examples (and feedback from a support contractor) had given us hope that AES would be supported in 8.2 7-mode.

None of the above options make sense if the server does not actually support any AES encryption types. (In that case, their presence may actually prevent NFS (RPCSEC_GSS) authentication from succeeding, by restricting the enctype to one that the server doesn't implement.)
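The enctype negotiation this thread keeps running into, as an added worked example that is neither the poster's nor NetApp's code: it decodes the msDS-SupportedEncryptionTypes bitmask from the original post (bit values taken from MS-KILE section 2.2.7), pulls the Etype lines out of `klist -e` output, reads the default_tgs_enctypes restriction from a krb5.conf shaped like the one quoted from the 7-Mode guide above, and reports whether client, KDC and filer share any enctype at all. The klist output and krb5.conf fragment are constructed; the endpoint capabilities (macOS Sierra AES only, 7-Mode RC4 only) are what the thread states; the assumption that a service account with no msDS-SupportedEncryptionTypes attribute gets only RC4 tickets is labelled in the code.

```python
"""Kerberos enctype triage for NFS RPCSEC_GSS: client vs KDC vs filer.

Added example, not code from the thread or from NetApp. Bit values of
msDS-SupportedEncryptionTypes follow MS-KILE section 2.2.7; the klist
output and krb5.conf fragment below are constructed for the demo.
"""
import re

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7), in the MIT
# Kerberos spelling that `klist -e` and krb5.conf use.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
ALL_ENCTYPES = set(ENCTYPE_BITS.values())

# Other spellings of the same enctypes seen in krb5.conf and tool output.
ALIASES = {
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96",
}

# Endpoint capabilities as stated in the thread.
MACOS_SIERRA_NFS = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
ONTAP_7MODE_NFS = {"arcfour-hmac"}          # no AES in 7-Mode (parisi's reply)


def normalise(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)


def decode_supported_enctypes(value):
    """Expand the msDS-SupportedEncryptionTypes integer into enctype names.

    Assumption (matching what the post observed): with the attribute unset
    (None) the KDC only issues RC4-HMAC tickets for that account.
    """
    if value is None:
        return {"arcfour-hmac"}
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}


def encode_supported_enctypes(names):
    """Inverse: enctype names -> bitmask to write into the AD object."""
    wanted = {normalise(n) for n in names}
    return sum(bit for bit, name in ENCTYPE_BITS.items() if name in wanted)


ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def parse_klist(text):
    """Map service principals in `klist -e` output to (skey, tkt) enctypes."""
    result, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and "@" in parts[4]:      # start, expiry, principal
            current = parts[4]
            continue
        m = ETYPE_RE.search(line)
        if m and current:
            result[current] = (normalise(m.group(1)), normalise(m.group(2)))
    return result


def parse_krb5_enctypes(conf, key="default_tgs_enctypes"):
    """Enctype restriction `key` imposes in krb5.conf, or None when absent."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), conf, re.M)
    return {normalise(n) for n in m.group(1).split()} if m else None


def triage(client, kdc_attr_value, server):
    """Return (usable enctypes, verdict) for one client/KDC/server triple.

    client: enctypes the client accepts (None = no krb5.conf restriction)
    kdc_attr_value: the service account's msDS-SupportedEncryptionTypes
    server: enctypes the service's own GSS implementation handles
    """
    client_set = ALL_ENCTYPES if client is None else set(client)
    common = client_set & decode_supported_enctypes(kdc_attr_value) & set(server)
    if common:
        return common, "ok"
    if not client_set & set(server):
        return common, "client and server share no enctype"
    return common, "KDC will not issue a ticket in an enctype client and server share"


# Constructed `klist -e` output in the shape quoted in the original post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.DEPT.CAM.AC.UK

Valid starting       Expires              Service principal
14/07/17 09:16:28  14/07/17 19:16:28  krbtgt/DOMAIN.DEPT.CAM.AC.UK@DOMAIN.DEPT.CAM.AC.UK
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
14/07/17 09:16:28  14/07/17 19:16:28  nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# Constructed krb5.conf fragment carrying the restriction the 7-Mode guide shows.
DOC_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.DEPT.CAM.AC.UK
    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    nfs = "nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK"
    print("ticket enctypes:", parse_klist(SAMPLE_KLIST)[nfs])
    print("macOS -> 7-Mode:", triage(MACOS_SIERRA_NFS, None, ONTAP_7MODE_NFS))
    print("macOS -> 7-Mode, attr=0x1C:", triage(MACOS_SIERRA_NFS, 0x1C, ONTAP_7MODE_NFS))
    print("guide's krb5.conf -> 7-Mode:",
          triage(parse_krb5_enctypes(DOC_KRB5_CONF), None, ONTAP_7MODE_NFS))
    print("unrestricted Linux -> 7-Mode:", triage(None, None, ONTAP_7MODE_NFS))
```

Run it with python3 to see the four scenarios. The verdicts make the thread's two points concrete: writing 0x1C into the filer's msDS-SupportedEncryptionTypes would not by itself have rescued the macOS mount, because the 7-Mode end has no AES implementation to meet the KDC halfway, and the guide's default_tgs_enctypes restriction removes even the RC4 path that an unrestricted Linux client can still use.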

 

parisi

Thanks.

I don't write the product docs but will pass this feedback on.
