ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

NFSv4 and Kerberos encryption types

patrick-k
‎2019-07-24 03:14 PM
6,365 Views

I'm working on configuring Kerberos for NFSv4 on ONTAP 9.3, following https://www.netapp.com/us/media/tr-4616.pdf.  I'm running into problems with Kerberos encryption types and am wondering if I've missed something. 

 

I've made sure to configure both the client object and the nfs server computer object to only use AES-128 or AES-256 via the following powershell command:  

set-adcomputer <server> -Replace @{'msDS-SupportedEncryptionTypes'=24}

 

Despite that, mount attempts continue to fail with the the following error, indicating that ArcFour is still being used:

7/24/2019 16:46:34 <node-02> ERROR secd.nfsAuth.problem: vserver (<test-svm>) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 12 ms] Acquired NFS service credential for logical interface 1035 (SPN='nfs/<test-svm.realm.com@REALM.COM>').
**[ 18] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Encryption type ArcFour with HMAC/md5 not permitted).
 
Is there another location I need to be specifying which encryption type Kerberos should be using?   
 
 
 
0 Kudos
1 ACCEPTED SOLUTION

ManpreetS
NetApp
‎2019-07-30 09:19 PM
6,066 Views

Command used in powershell to set encryption type is correct.

Please make sure you have set AES only in keytab as well. Refer below document:

https://www.netapp.com/us/media/tr-4073.pdf                ----> Page- 31 "Setting the Keytab to Use AES Only "

If you are still facing any issues in setup NFS Kerberos, our expert team can help.

We have dedicated team for initial setup and configurations. I would suggest you to please contact sales team:

https://www.netapp.com/us/contact-us/support.aspx

View solution in original post

0 Kudos
3 REPLIES 3

ManpreetS
NetApp
‎2019-07-30 09:19 PM
6,067 Views

Command used in powershell to set encryption type is correct.

Please make sure you have set AES only in keytab as well. Refer below document:

https://www.netapp.com/us/media/tr-4073.pdf                ----> Page- 31 "Setting the Keytab to Use AES Only "

If you are still facing any issues in setup NFS Kerberos, our expert team can help.

We have dedicated team for initial setup and configurations. I would suggest you to please contact sales team:

https://www.netapp.com/us/contact-us/support.aspx

0 Kudos

Brett_Monroe
‎2020-03-04 02:47 PM
5,735 Views

Hey Patrick,

What did you do to resolve this?  I'm facing the same issue.

--Brett

0 Kudos

MARIOWEISE
‎2020-04-22 11:26 PM
In response to Brett_Monroe
5,507 Views

Yesterday we faced the same issue. Performing the PS command "Set-ADComputer NFS-KRB-NAME$ -KerberosEncryptionType AES256,AES128" on one DC for the server (SVM) and one test client solved it for us.

 

After that we faced some other 7MTT migration issues, but in the end we managed to use Kerberos authentication from NFS clients.

Announcements
All Community Forums
Public