KB-2098: How to configure Windows 2008 R2 to support DES/nfsv4?

Authentication Service

12 April,16 at 11:12 AM

Applies to:
 
All versions of Centrify DirectControl.
 
Question:
 
Is it possible to get NFSv4 to work at the W2k03 domain functional level with mixed Windows 2003 and Windows 2008 R2 DCs?
 
Answer:
 
With the domain functional level at W2003 and a mix of W2003 and W2008 R2 DCs, it is possible to make DES work and thus support NFSv4.
 
Note: Newer nfs-utils (RHEL6) can work with arcfour, but at the time of writing this KB Centrify is not sure about other flavors of RHEL.
 
Steps needed on AD side: 
 
(1) Microsoft KB-978055

You need this hotfix installed on W2008 R2 to fix a bug in the KDC. Note: This hotfix may not be needed if SP1 is installed. Please contact Microsoft for further assistance, as this link was provided as a courtesy only.
 
(2) Microsoft KB-977321

This KB describes how to enable DES encryption for Kerberos authentication in Windows 7 and Windows Server 2008 R2. You need to change the Group Policy to allow the DES encryption types. Please contact Microsoft for further assistance, as this link was provided as a courtesy only.
 
With the above 2 steps, Windows 2008 R2 will now support DES.
 
Note: The registry hack (KdcUseRequestedEtypesForTickets) in Microsoft KB-833708 (http://support.microsoft.com/kb/833708) is NOT needed. 
 
Steps on the Centrify Unix server side (you need to be root): 
 
(3) You need to instruct Centrify adclient to ask for DES tickets (if this is not already in place): 
 
(a) In /etc/centrifydc/centrifydc.conf, move the DES encryption types to the front as shown below.
 
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
 
(b) In /etc/krb5.conf (or /etc/krb5/krb5.conf, depending on the OS), move the DES encryption types to the front:
 
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts

permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
 
(4) Remove /var/centrifydc/kset.preferred.enctype (unless its content is already a DES type).
 
(5) Restart adclient (/etc/init.d/centrifydc restart). 
 
(6) You should see:

- /var/centrifydc/kset.preferred.enctype now contains one of the DES encryption types.

- adclient is running with a DES machine credential (TGT).

- when an AD user logs in, the Kerberos credential should also use DES encryption.
 
(7) Please see KB-1849: How to configure NFSv4 with Kerberos.
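As an added check, not part of the original KB, the following Python script parses the enctype lists from centrifydc.conf ("key: values") and krb5.conf ("key = values") fragments and reports whether each list leads with a DES type as step (3) requires. The config excerpts embedded below are constructed samples, and the same parser can later confirm that DES has been removed again once NFSv4 no longer needs it.

```python
import re

# Constructed sample excerpts (not copied from a real host).
CENTRIFYDC_CONF = """\
# /etc/centrifydc/centrifydc.conf (constructed excerpt)
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 aes256-cts aes128-cts
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des-cbc-md5
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
"""

DES_TYPES = {"des-cbc-md5", "des-cbc-crc"}

# The keys step (3) of the KB tells you to reorder, in either file.
ENCTYPE_KEYS = (
    "adclient.krb5.tkt.encryption.types",
    "adclient.krb5.permitted.encryption.types",
    "default_tgs_enctypes",
    "default_tkt_enctypes",
    "permitted_enctypes",
)

# Accepts both the "key: value" and the "key = value" syntax.
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*[:=]\s*(.*?)\s*$")


def parse_enctypes(text):
    """Return {key: [enctype, ...]} for every enctype key in the fragment."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m and m.group(1) in ENCTYPE_KEYS:
            found[m.group(1)] = m.group(2).split()
    return found


def check_des_first(text):
    """Map each enctype key found to True if a DES type is listed first."""
    return {k: bool(v) and v[0] in DES_TYPES
            for k, v in parse_enctypes(text).items()}


def des_enabled_anywhere(text):
    """True if any list still offers a DES type (audit for later DES removal)."""
    return any(DES_TYPES & set(v) for v in parse_enctypes(text).values())
```

In the KRB5_CONF sample, default_tgs_enctypes lists DES last, so the check flags it as not yet matching the KB while the other two keys pass.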
 

Note: If customers need DES for NFSv4, they need to fix the enctype on both the adclient side and the AD side.

A W2003 -> W2008 upgrade changes the KRBTGT password hash. This invalidates all TGTs that were issued prior to the upgrade.

adclients need to be restarted by issuing the centrifydc restart command.