All versions of Centrify DirectControl.
Is it possible to get NFSv4 to work at the Windows 2003 domain functional level with a mix of Windows 2003 and Windows 2008 R2 DCs?
Yes. With the domain functional level at Windows 2003 and a mix of Windows 2003 and Windows 2008 R2 DCs, DES Kerberos tickets can be made to work, which is what the NFSv4 Kerberos stack on older Linux releases requires.
Note: Newer nfs-utils (RHEL 6) can work with arcfour (RC4-HMAC), so DES is not needed there; at the time of writing of this KB, Centrify has not confirmed which other releases and distributions also support arcfour. Where the NFS client supports a stronger enctype, prefer it over DES.
Steps needed on AD side:
(1) Microsoft KB-978055
This hotfix must be installed on the Windows 2008 R2 DCs to fix a bug in the KDC. It may not be needed if SP1 is installed. Please contact Microsoft for further assistance; the link is provided as a courtesy only.
(2) Microsoft KB-977321
This KB describes how to enable DES encryption for Kerberos authentication in Windows 7 and Windows Server 2008 R2, where DES is disabled by default. The Group Policy setting "Network security: Configure encryption types allowed for Kerberos" has to be changed to allow the DES encryption types (DES_CBC_CRC and DES_CBC_MD5). Please contact Microsoft for further assistance; the link is provided as a courtesy only.
With the above two steps, the Windows 2008 R2 DCs will support DES.
Steps on the Centrify Unix server side (you need to be root):
(3) You need to instruct Centrify adclient to ask for DES tickets (if this is not already in place):
(a) In /etc/centrifydc/centrifydc.conf, move des encryption to the front as shown below.
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5
adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
(b) In /etc/krb5.conf (or /etc/krb5/krb5.conf, depending on the OS), move the DES types to the front of these [libdefaults] settings:
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts
permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts
(4) Remove /var/centrifydc/kset.preferred.enctype unless it already names a DES enctype (adclient regenerates it on restart).
(5) Restart adclient (/etc/init.d/centrifydc restart).
(6) You should then see:
- /var/centrifydc/kset.preferred.enctype now names one of the DES enctypes (des-cbc-md5 or des-cbc-crc).
- adclient is running with a DES machine credential (TGT).
- when an AD user logs in, the user's Kerberos credential also uses DES encryption (klist -e prints the enctype of each ticket, so it shows whether the TGT is really DES).
(7) Please see KB-1849 (KB-1849: How to configure NFSv4 with Kerberos)
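The config edits in steps (3)(a) and (3)(b) and the ticket check in step (6), as an added shell example. This is not Centrify's own tooling: it assumes the enctype lines have the shape shown above (key, then ":" in centrifydc.conf or "=" in krb5.conf, then a space-separated list), and the sample config files and the klist -e output used by the demo are constructed for illustration, not captured from a real system. Run the functions as root against the real /etc/centrifydc/centrifydc.conf and /etc/krb5.conf to apply the change; the demo only works on copies in a temporary directory.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling. Puts the DES enctypes at the front
# of the enctype settings in centrifydc.conf / krb5.conf style files and checks
# "klist -e" output for a DES TGT. Sample files below are constructed.

DES_TYPES="des-cbc-md5 des-cbc-crc"

# des_first FILE KEY SEP
#   Rewrite "KEY SEP v1 v2 ..." in FILE so the DES types lead and the remaining
#   non-DES types keep their existing order. SEP is ":" (centrifydc.conf) or
#   "=" (krb5.conf). Every other line is copied through unchanged.
#   (KEY is used as a regex, so the dots in adclient.* keys match any char;
#   harmless here because no other key differs only by a dot.)
des_first() {
    _file=$1; _key=$2; _sep=$3
    _tmp="${_file}.tmp.$$"
    awk -v key="$_key" -v sep="$_sep" -v des="$DES_TYPES" '
        BEGIN { n = split(des, d, " "); for (i = 1; i <= n; i++) isdes[d[i]] = 1 }
        {
            re = "^[[:space:]]*" key "[[:space:]]*" sep
            if (match($0, re)) {
                prefix = substr($0, RSTART, RLENGTH)
                n = split(substr($0, RLENGTH + 1), tok, " ")
                out = prefix " " des
                for (i = 1; i <= n; i++) if (!(tok[i] in isdes)) out = out " " tok[i]
                print out
            } else {
                print
            }
        }' "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# enctype_value FILE KEY SEP: print the current value of KEY (for checking).
enctype_value() {
    awk -v key="$2" -v sep="$3" '
        { re = "^[[:space:]]*" key "[[:space:]]*" sep
          if (match($0, re)) { v = substr($0, RLENGTH + 1); sub(/^[[:space:]]+/, "", v); print v } }' "$1"
}

# tgt_is_des FILE: FILE holds "klist -e" output. Succeeds (exit 0) only if the
# ticket enctype of the krbtgt/ entry is a DES type. The ticket enctype is the
# second item on the "Etype (skey, tkt): <session>, <ticket>" line.
tgt_is_des() {
    awk '
        BEGIN { rc = 1 }
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Etype \(skey, tkt\):/ {
            sub(/.*tkt\):[[:space:]]*/, "")
            split($0, e, ",")
            gsub(/[[:space:]]/, "", e[2])
            if (e[2] ~ /^des-/) rc = 0
            in_tgt = 0
            next
        }
        { in_tgt = 0 }
        END { exit rc }' "$1"
}

# make_samples DIR: constructed AES-first config files and two klist -e outputs.
make_samples() {
    cat > "$1/centrifydc.conf" <<'EOF'
# constructed sample: shipped order, AES first
adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5
    permitted_enctypes = aes256-cts arcfour-hmac-md5
EOF
    cat > "$1/klist_des.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/unixbox.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/12 10:00:00  01/01/12 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): des-cbc-crc, des-cbc-md5
EOF
    cat > "$1/klist_aes.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/unixbox.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/12 10:00:00  01/01/12 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

# demo: apply the edits to copies in a temp dir and check the sample tickets.
demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    des_first "$dir/centrifydc.conf" adclient.krb5.tkt.encryption.types ":"
    des_first "$dir/centrifydc.conf" adclient.krb5.permitted.encryption.types ":"
    for k in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        des_first "$dir/krb5.conf" "$k" "="
    done
    cat "$dir/centrifydc.conf" "$dir/krb5.conf"
    if tgt_is_des "$dir/klist_des.txt"; then echo "sample TGT: DES"; else echo "sample TGT: not DES"; fi
    if tgt_is_des "$dir/klist_aes.txt"; then echo "sample TGT: DES"; else echo "sample TGT: not DES"; fi
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh des_first.sh demo" to see the rewritten samples; on a real host, after the edits, restart adclient and feed "klist -e" output to tgt_is_des to confirm the TGT enctype instead of reading kset.preferred.enctype alone.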
Note: If customers need DES for NFSv4, the enctype must be fixed on both the adclient side and the AD side; changing only one of them leaves the KDC and the client unable to agree on DES. Keep in mind that DES is a 56-bit cipher that Windows 7 and Windows Server 2008 R2 disable by default for a reason: enabling it weakens Kerberos for every principal that falls back to it. Enable it only where the NFS stack actually requires it, apply the Group Policy change to the minimum set of systems, and move to arcfour or AES once nfs-utils on the client supports it.
Note: Upgrading the domain from Windows 2003 to Windows 2008 changes the KRBTGT password hash, which invalidates every TGT issued before the upgrade.
After such an upgrade, restart adclient on each host with /etc/init.d/centrifydc restart so it obtains a fresh TGT.