ONTAP Discussions

Having trouble with ONTAP 9.9.1 and DISA DC group policies

Sycraft

I'm testing out a hardened environment with our NetApp and part of that is going to be using the government DISA STIG guidelines for group policies. When I apply them, it breaks the ability of ONTAP to join the domain. The error it gives is:

 

**[ 87] FAILURE: Unable to SASL bind to LDAP server using GSSAPI:
** Local error
[ 87] Additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more

 

Not a complete surprise, as these group policies harden a bunch of defaults. The issue is that I would like to avoid having to go through them one at a time trying to figure out what is causing the problem. So I was wondering if anyone knew which group policies cause issues for ONTAP, particularly if you happen to know which out of the STIG list.

 

Thanks.

 

EDIT: Some of the problem seems to be related to encryption types. I removed the CIFS server and attempted to rejoin it and was told:

 

**[ 40] FAILURE: Could not authenticate as
** ': KDC has no support
** for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)

Error: command failed: Failed to create the Active Directory machine account "FURFARO01". Reason: Kerberos Error: KDC has no support for encryption type.

 

The Domain controllers are set to only use AES as per the group policy. Adding in RC4 as a permissible encryption made it able to join.

 

Is there a way to join a domain set to only allow AES for Kerberos, or is RC4 required?

1 ACCEPTED SOLUTION

hmoubara

Hello,

Can you verify whether AES is enabled on the vserver:

cluster1::> vserver cifs security show -vserver <vserver-name> -fields is-aes-encryption-enabled

Thanks

5 REPLIES

Sycraft

I didn't realise you could change that prior to creating the CIFS server. I enabled it after I created it, and created it by stepping down the encryption requirement on the DC, but I thought you could only enable it after setting up the CIFS server.

 

So all good there. I still haven't yet figured out all of the group policies that are potential problems, but I have it narrowed down to a couple now.

 

Thanks for your help.

parisi

The issue you are likely going to hit is this:

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Microsoft_Security_Advisory%3A_ADV190023_impact_on_NetApp_appliance_ru...

 

ONTAP 9.10.1 adds support for that, so if you want to avoid that problem, upgrade.

Sycraft

I'll look at 9.10; I haven't updated yet as it is still RC and this system does both test and production (on different SVMs). I'm also working on getting LDAPS up, which, if I understand the docs correctly, mostly just needs the domain root certificate to be imported to the SVM.

 

Currently I've backed off the requirement for LDAP Server Signing and Digitally Sign Communication. That seems to have everything working. I'm going to look at getting the cert on the SVM, changing communication to LDAPS, and then turning those back on and seeing if it all continues to work.

Sycraft

Should anyone come across this later, I'll just add that the only policies from the DISA STIG that were a problem were the two requiring LDAP signing, and requiring AES encryption. Enabling AES encryption on the Vserver fixes AES out of the box. Signing was a problem; the solution was just to import the AD root cert and then to enable LDAPS mode. Then signing works fine. At that point you can have the complete STIG GPO applied and have interoperability with the Vserver.
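
The fix summarised in the last post, written out as ONTAP CLI commands. This is an added example, not something posted by anyone in the thread. `<vserver-name>` is the placeholder used earlier in the thread; the `-use-ldaps-for-ad-ldap` option and the `server-ca` certificate type come from the ONTAP 9 command reference rather than from the thread, so check them against your release.

```console
# 1. Enable AES for Kerberos on the SVM so it can authenticate against
#    domain controllers that no longer accept RC4.
cluster1::> vserver cifs security modify -vserver <vserver-name> -is-aes-encryption-enabled true

# 2. Install the AD root CA certificate on the SVM so it can validate the
#    domain controllers' LDAPS certificates (paste the PEM when prompted).
cluster1::> security certificate install -vserver <vserver-name> -type server-ca

# 3. Switch the SVM's Active Directory LDAP traffic to LDAPS.
cluster1::> vserver cifs security modify -vserver <vserver-name> -use-ldaps-for-ad-ldap true

# 4. Confirm both settings before re-applying the hardened GPOs.
cluster1::> vserver cifs security show -vserver <vserver-name> -fields is-aes-encryption-enabled,use-ldaps-for-ad-ldap
```

Once both fields report true, the AES-only Kerberos and LDAP signing policies can be turned back on at the domain controllers, which is the state the last post reports as working.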
