Applies to:
All versions of Centrify DirectControl.
Question:
Is it possible to get NFSv4 to work at the Windows 2003 domain functional level with mixed Windows 2003 and Windows 2008 R2 DCs?
Answer:
With the domain functional level at Windows 2003 and a mix of Windows 2003 and Windows 2008 R2 DCs, it is possible to make DES work and thus support NFSv4.
Note: Newer nfs-utils (RHEL6) can work with arcfour, but at the time of writing of this KB Centrify is not sure about other flavors of RHEL.
Steps needed on AD side:
(1) Microsoft KB-978055
You need this hotfix installed on Windows 2008 R2 to fix a bug in the KDC. Note: this hotfix may not be needed if SP1 is installed. Please contact Microsoft for further assistance, as this link is provided as a courtesy only.
(2) Microsoft KB-977321
This KB describes how to enable DES encryption for Kerberos authentication in Windows 7 and Windows Server 2008 R2. You need to change the Group Policy to allow the DES encryption types. Please contact Microsoft for further assistance, as this link is provided as a courtesy only.
With the above two steps, Windows 2008 R2 will now support DES.
Steps on the Centrify Unix server side (you need to be root):
(3) You need to instruct the Centrify adclient to ask for DES tickets (if this is not already in place):
(a) In /etc/centrifydc/centrifydc.conf, move the DES encryption types to the front, as shown below:
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
(b) In /etc/krb5.conf (or /etc/krb5/krb5.conf, depending on the OS), move the DES encryption types to the front:
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
(4) Remove /var/centrifydc/kset.preferred.enctype (if its content is not already a DES type).
(5) Restart adclient (/etc/init.d/centrifydc restart).
(6) You should see:
- /var/centrifydc/kset.preferred.enctype now shows one of the DES encryption types.
- adclient is running with a DES machine credential (TGT).
- when an AD user logs in, the Kerberos credential should also use DES encryption.
(7) Please see KB-1849 (KB-1849: How to configure NFSv4 with Kerberos).
Note: If customers need DES for NFSv4, they need to fix the enctype on both the adclient side and the AD side.
A Windows 2003 to Windows 2008 upgrade changes the KRBTGT password hash. This invalidates all TGTs that were issued prior to the upgrade.
adclients need to be restarted by issuing the centrifydc restart command.
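The following helper script is an added example for steps (3) through (6); it is not Centrify's own code or part of this KB. It reads an enctype list out of a centrifydc.conf-style ("key: value") or krb5.conf-style ("key = value") file, reports whether a DES type leads the list, prints the reordered line where it does not, and checks the kset.preferred.enctype file from step (6). The sample files it creates are constructed for the demonstration, and it assumes that kset.preferred.enctype holds the enctype name on its first line; the real file paths under /etc and /var/centrifydc are passed in by the caller.

```shell
#!/bin/sh
# Added example (not Centrify's code): checks for the enctype ordering that
# steps (3)-(6) ask for. The one-line format of kset.preferred.enctype and
# the sample file contents below are assumptions / constructed data.

# Print the value of KEY from FILE (first match only). Handles "key: value"
# (centrifydc.conf) and "key = value" (krb5.conf); the value must be on one line.
enctype_list() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

# Succeed only if the first enctype in the list is a DES type, i.e. the client
# will ask the KDC for DES first, which is what steps (3a) and (3b) require.
des_first() {
    set -- $1
    case "${1:-}" in
        des-cbc-md5|des-cbc-crc) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the list with the DES types moved to the front; every other type keeps
# its relative order, matching the lines shown in the KB.
des_to_front() {
    des=""; rest=""
    for e in $1; do
        case "$e" in
            des-cbc-md5|des-cbc-crc) des="$des $e" ;;
            *) rest="$rest $e" ;;
        esac
    done
    printf '%s\n' "$des$rest" | sed 's/^ //'
}

# Step (6) check: succeed if the kset file exists and names a DES type
# (assumption: the enctype name is on the first line of the file).
kset_is_des() {
    [ -r "$1" ] || return 1
    des_first "$(head -n 1 "$1")"
}

# Report each KEY in FILE; return 1 if any list does not lead with DES and
# print the corrected line for it.
check_file() {
    f=$1; shift; rc=0
    for k in "$@"; do
        v=$(enctype_list "$f" "$k")
        if des_first "$v"; then
            echo "ok:  $k = $v"
        else
            echo "FIX: $k = $(des_to_front "$v")"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed sample: one key already DES-first, one not.
demo_dir=$(mktemp -d)
cat > "$demo_dir/centrifydc.conf" <<'EOF'
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
EOF
check_file "$demo_dir/centrifydc.conf" \
    adclient.krb5.tkt.encryption.types adclient.krb5.permitted.encryption.types || true
rm -rf "$demo_dir"
```

On a real host, run check_file against /etc/centrifydc/centrifydc.conf with the two adclient.krb5 keys and against /etc/krb5.conf with default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes before restarting adclient in step (5), then kset_is_des /var/centrifydc/kset.preferred.enctype after the restart for the step (6) verification.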