ONTAP Discussions

Highlighted

NFSv4 and Kerberos encryption types

I'm working on configuring Kerberos for NFSv4 on ONTAP 9.3, following https://www.netapp.com/us/media/tr-4616.pdf.  I'm running into problems with Kerberos encryption types and am wondering if I've missed something. 

 

I've made sure to configure both the client object and the nfs server computer object to only use AES-128 or AES-256 via the following powershell command:  

set-adcomputer <server> -Replace @{'msDS-SupportedEncryptionTypes'=24}

 

Despite that, mount attempts continue to fail with the the following error, indicating that ArcFour is still being used:

7/24/2019 16:46:34 <node-02> ERROR secd.nfsAuth.problem: vserver (<test-svm>) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 12 ms] Acquired NFS service credential for logical interface 1035 (SPN='nfs/<test-svm.realm.com@REALM.COM>').
**[ 18] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Encryption type ArcFour with HMAC/md5 not permitted).
 
Is there another location I need to be specifying which encryption type Kerberos should be using?   
 
 
 
3 REPLIES 3
Highlighted

Re: NFSv4 and Kerberos encryption types

Command used in powershell to set encryption type is correct.

Please make sure you have set AES only in keytab as well. Refer below document:

https://www.netapp.com/us/media/tr-4073.pdf                ----> Page- 31 "Setting the Keytab to Use AES Only "

If you are still facing any issues in setup NFS Kerberos, our expert team can help.

We have dedicated team for initial setup and configurations. I would suggest you to please contact sales team:

https://www.netapp.com/us/contact-us/support.aspx

View solution in original post

Highlighted

Re: NFSv4 and Kerberos encryption types

Hey Patrick,

What did you do to resolve this?  I'm facing the same issue.

--Brett

Highlighted

Re: NFSv4 and Kerberos encryption types

Yesterday we faced the same issue. Performing the PS command "Set-ADComputer NFS-KRB-NAME$ -KerberosEncryptionType AES256,AES128" on one DC for the server (SVM) and one test client solved it for us.

 

After that we faced some other 7MTT migration issues, but in the end we managed to use Kerberos authentication from NFS clients.

Check out the KB!
Knowledge Base
All Community Forums