
KB-2098: How to configure Windows 2008 R2 to support DES/nfsv4?

Knowledge Article Type: Problem / Resolution
Product: Authentication Service
Bug #25675
Solution ID: 2098
Applies to:
 
All versions of Centrify DirectControl.
 
Question:
 
Is it possible to get NFSv4 to work at the Windows 2003 domain functional level with a mix of Windows 2003 and Windows 2008 R2 domain controllers?
 
Answer:
 
With the domain functional level at Windows 2003 and a mix of Windows 2003 and Windows 2008 R2 DCs, DES can be made to work, and NFSv4 with Kerberos can therefore be supported. Bear in mind that the DES enctypes (56-bit keys) are cryptographically weak and are disabled by default on Windows 7 and Windows Server 2008 R2 for that reason; re-enable them only for as long as NFS clients that cannot use RC4 or AES remain in use.
 
Note: Newer nfs-utils (RHEL 6) can work with arcfour (RC4-HMAC), but at the time of writing Centrify had not verified other RHEL releases.
 
Steps needed on AD side: 
 
(1) Microsoft KB-978055


Install this hotfix on Windows 2008 R2 to fix a bug in the KDC. Note: the hotfix may not be needed if SP1 is installed. Please contact Microsoft for further assistance; the reference is provided as a courtesy only.
 
(2) Microsoft KB-977321


The KB explains how to enable DES encryption for Kerberos authentication in Windows 7 and Windows Server 2008 R2. You need to change Group Policy to allow the DES encryption types (the security option "Network security: Configure encryption types allowed for Kerberos"). When you set this policy, keep RC4 and AES selected as well, because once the policy is configured only the selected types are allowed. Please contact Microsoft for further assistance; the reference is provided as a courtesy only.
 
With the above two steps, Windows 2008 R2 will support DES.

Note: The registry change (KdcUseRequestedEtypesForTickets) from Microsoft KB-833708 (http://support.microsoft.com/kb/833708) is NOT needed.
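The Group Policy setting from KB-977321 is stored on the DC as the SupportedEncryptionTypes bit mask under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters. The shell functions below, added here as an example and not part of this KB or of the Microsoft articles, build that mask from enctype names and decode a value read back from a DC, so you can confirm that DES was added without dropping RC4 and AES. The function names are this example's own; the enctype spellings are the Centrify/MIT ones used in step 3.

```shell
#!/bin/sh
# Added example (not from the Centrify KB or Microsoft): build and decode the
# SupportedEncryptionTypes bit mask written by the Group Policy setting
# "Network security: Configure encryption types allowed for Kerberos" under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters.
# Bit values are the MS-KILE ones: DES_CBC_CRC=1, DES_CBC_MD5=2, RC4_HMAC_MD5=4,
# AES128_CTS_HMAC_SHA1_96=8, AES256_CTS_HMAC_SHA1_96=16.

ALL_ETYPES="des-cbc-crc des-cbc-md5 arcfour-hmac-md5 aes128-cts aes256-cts"

# etype_bit NAME -> the bit for one enctype (MIT/Centrify spelling)
etype_bit() {
    case "$1" in
        des-cbc-crc)               echo 1 ;;
        des-cbc-md5)               echo 2 ;;
        arcfour-hmac-md5|rc4-hmac) echo 4 ;;
        aes128-cts)                echo 8 ;;
        aes256-cts)                echo 16 ;;
        *) echo "etype_bit: unknown enctype '$1'" >&2; return 1 ;;
    esac
}

# etype_mask NAME... -> decimal SupportedEncryptionTypes value that allows
# exactly those enctypes (store it as a DWORD; 31 == 0x1F)
etype_mask() {
    mask=0
    for name in "$@"; do
        bit=$(etype_bit "$name") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# etype_decode VALUE -> the enctypes a stored value permits, space separated
etype_decode() {
    out=""
    for name in $ALL_ETYPES; do
        bit=$(etype_bit "$name")
        if [ $(($1 & bit)) -ne 0 ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# etype_allows_des VALUE -> success if either DES enctype is permitted
etype_allows_des() {
    [ $(($1 & 3)) -ne 0 ]
}

# The Windows 7 / 2008 R2 default is RC4 and AES only (28 == 0x1C), which is
# why DES tickets fail until the policy is changed; 31 keeps the stronger
# types and adds both DES types.
if [ "${1:-}" = "demo" ]; then
    echo "default (28): $(etype_decode 28)"
    echo "with DES:     $(etype_mask $ALL_ETYPES)"
fi
```

Run with the argument demo to see the two values; on a DC, decode the value you read from the registry with etype_decode and confirm that etype_allows_des succeeds on it before touching the Unix side.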
 
Steps on the Centrify Unix server side (you need to be root): 
 
(3) Instruct Centrify adclient to request DES tickets (if this is not already in place):
 
(a) In /etc/centrifydc/centrifydc.conf, move the DES encryption types to the front, as shown below.

adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
 
(b) In /etc/krb5.conf (or /etc/krb5/krb5.conf, depending on the OS), move the DES encryption types to the front of the [libdefaults] settings:

default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

Note: if adclient.krb5.autoedit is left at its default (true), adclient maintains krb5.conf itself when it restarts, so check after step (5) that the DES-first order is still present in the file.
 
(4) Remove /var/centrifydc/kset.preferred.enctype (unless it already names a DES type).
 
(5) Restart adclient (/etc/init.d/centrifydc restart). 
 
(6) You should then see:

- /var/centrifydc/kset.preferred.enctype now names one of the DES encryption types.

- adclient is running with a DES machine credential (TGT).

- When an AD user logs in, the user's Kerberos credentials (klist -e) also use DES encryption.
 
(7) Please see KB-1849 (KB-1849: How to configure NFSv4 with Kerberos)
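The Unix-side procedure in steps (3) to (6), as an added example that is not part of this KB: set_enctypes rewrites an enctype list in centrifydc.conf or krb5.conf so the DES types lead, reset_preferred_enctype performs step (4), and tgt_is_des checks klist -e output for the DES TGT expected in step (6). The file paths and the restart command are the ones this KB names; the function names, the assumption that kset.preferred.enctype stores the enctype name as text, and the sample klist output are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Centrify KB: helpers for steps 3 to 6 on the
# Unix side. set_enctypes rewrites an enctype list so the DES types lead,
# reset_preferred_enctype handles step 4, and tgt_is_des checks 'klist -e'
# output for step 6. File paths and the restart command are the ones the KB
# names; the function names, the assumed text content of
# kset.preferred.enctype and the sample klist output are this example's own.

DES_TYPES="des-cbc-md5 des-cbc-crc"

# set_enctypes FILE KEY SEP: rewrite the "KEY SEP values" line in FILE with the
# DES types first (both are added if missing) and the rest in original order.
# SEP is ':' for centrifydc.conf and '=' for krb5.conf. Fails if KEY is absent,
# so nothing is ever appended outside the right krb5.conf section.
set_enctypes() {
    file=$1; key=$2; sep=$3; tmp="$file.tmp.$$"
    awk -v k="$key" -v s="$sep" -v des="$DES_TYPES" '
        BEGIN { nd = split(des, D, " ") }
        {
            l = $0; sub(/^[ \t]+/, "", l)
            if (!done && index(l, k) == 1) {
                r = substr(l, length(k) + 1); sub(/^[ \t]+/, "", r)
                if (index(r, s) == 1) {
                    n = split(substr(r, 2), V, /[ \t]+/); front = ""; rest = ""
                    for (i = 1; i <= n; i++) {
                        if (V[i] == "") continue
                        if (index(" " des " ", " " V[i] " ")) { front = front " " V[i] }
                        else { rest = rest " " V[i] }
                    }
                    for (i = 1; i <= nd; i++) {
                        if (!index(" " front " ", " " D[i] " ")) front = front " " D[i]
                    }
                    out = front rest; sub(/^ +/, "", out)
                    match($0, /^[ \t]*/)
                    print substr($0, 1, RLENGTH) k (s == ":" ? ": " : " = ") out
                    done = 1; next
                }
            }
            print
        }
        END { if (!done) exit 1 }' "$file" > "$tmp" && mv "$tmp" "$file" ||
        { rm -f "$tmp"; echo "set_enctypes: $key not found in $file" >&2; return 1; }
}

# reset_preferred_enctype [FILE]: step 4. Remove the cached preferred enctype
# unless it already names a DES type (assumed to be stored as plain text).
reset_preferred_enctype() {
    f=${1:-/var/centrifydc/kset.preferred.enctype}
    [ -f "$f" ] || return 0
    case "$(cat "$f")" in
        *des-cbc-md5*|*des-cbc-crc*) return 0 ;;
        *) rm -f "$f" ;;
    esac
}

# tgt_enctype KLIST_OUTPUT -> the "skey, tkt" enctypes of the krbtgt entry;
# MIT 'klist -e' layout (Centrify's copy: /usr/share/centrifydc/kerberos/bin/klist)
tgt_enctype() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\):[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# tgt_is_des KLIST_OUTPUT -> success only if the ticket itself (second enctype)
# is single DES; Triple DES is deliberately rejected
tgt_is_des() {
    tkt=$(tgt_enctype "$1"); tkt=${tkt#*, }
    case "$tkt" in
        *Triple*) return 1 ;;
        *"DES cbc mode"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of 'klist -e' output for an AD user after step 6 worked.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
01/15/12 09:12:03  01/15/12 19:12:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
01/15/12 09:12:10  01/15/12 19:12:03  nfs/nfs01.example.com@EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5'

# Steps 3 to 5 on a real host (as root): sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    for k in adclient.krb5.tkt.encryption.types adclient.krb5.permitted.encryption.types; do
        set_enctypes /etc/centrifydc/centrifydc.conf "$k" :
    done
    for k in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        set_enctypes /etc/krb5.conf "$k" =
    done
    reset_preferred_enctype && /etc/init.d/centrifydc restart
fi
```

After the restart, run klist -e as a logged-in AD user and pass its output to tgt_is_des: a TGT whose second enctype is anything other than single DES means one of the two sides (AD policy or adclient enctype order) is still not offering DES.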
 
Note: If customers need DES for NFSv4, they need to fix the enctype on both the adclient side and the AD side.

Note: Upgrading the domain from Windows 2003 to Windows 2008 changes the KRBTGT password hash, which invalidates all TGTs issued before the upgrade. Restart each adclient afterwards with the centrifydc restart command so it obtains a fresh machine TGT.

 
 
Created By: Article Admin
Solution Creator: Raghu Srinivasan