
Kerberized NFS access from macOS Sierra to 8.2.4P6 7-Mode


We have a FAS 3220 filer, recently upgraded to 8.2.4P6 7-Mode. It is part of an Active Directory domain running at domain functional level Windows Server 2008 R2. We use the CIFS domain setup also for Kerberized NFS, but sadly this only gives us arcfour-hmac encryption.

 

We have so far been unable to NFS mount from macOS Sierra 10.12.5. The reason for this is a lack of compatible encryption types between the three systems involved:

 

macOS Sierra NFS RPCSEC_GSS now supports aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96, as does Active Directory domain functional level Windows Server 2008 R2.

 

However, the Active Directory server is still unwilling to issue AES tickets for this 8.2.4P6 7-Mode filer:

 

linux-client$ kvno -e aes128-cts-hmac-sha1-96 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
kvno: KDC has no support for encryption type while getting credentials for nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK

 

It only issues tickets using the old arcfour-hmac encryption type, which is outdated and not supported by macOS NFS RPCSEC_GSS:

 

linux-client$ klist -e

[...]

14/07/17 09:16:28 14/07/17 19:16:28 nfs/filer.dept.cam.ac.uk@DOMAIN.DEPT.CAM.AC.UK
Etype (skey, tkt): arcfour-hmac, arcfour-hmac

 

We have already tried on the filer

 

cifs terminate
[delete filer's Computers entry on Active Directory]
cifs setup
nfs setup

in order to make sure that the filer creates a fresh Kerberos key and related metadata on the Active Directory domain controller.

 

But this still did not result in the AD KDC issuing AES session keys to the filer, which would be required for macOS Sierra NFS RPCSEC_GSS compatibility.

 

We have noticed that when the filer creates a new server entry for itself on the domain controller during "cifs setup", it does *not* set the attribute

 

  msDS-SupportedEncryptionTypes

 

I believe it ought to set it to something like

 

  msDS-SupportedEncryptionTypes = 28 = 0x1C =  RC4-HMAC | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96

 

to tell the KDC what encryption types it supports.

 

Does 8.2.4P6 7-Mode support Kerberized NFS with AES encryption types?

 

Is 8.2.4P6 7-Mode Kerberized NFS compatible with macOS Sierra in a Windows Server 2008 R2 domain?
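
The encryption-type mismatch described in the post above, as an added example that is not part of the original post: it decodes an msDS-SupportedEncryptionTypes value such as 28 and intersects it with what each client accepts. The treatment of an unset attribute as RC4-only is an assumption chosen to match the arcfour-hmac tickets shown in the post, and the function names and the Linux client's etype set are constructed for illustration.

```python
# Bit flags of the msDS-SupportedEncryptionTypes attribute (low five bits).
ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
KNOWN_MASK = sum(ETYPE_BITS)  # 0x1F

# Assumption: with the attribute unset, the KDC issues only RC4 service
# tickets for the account, as observed in the klist output in the post.
ASSUMED_DEFAULT_WHEN_UNSET = 0x04

# Strongest first; used to order the usable etypes.
PREFERENCE = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
              "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]

def decode_etypes(mask):
    """Return (etype names, bits not decoded here) for an attribute value."""
    names = [name for bit, name in ETYPE_BITS.items() if mask & bit]
    return names, mask & ~KNOWN_MASK

def usable_etypes(client_etypes, service_attr):
    """Etypes advertised by both client and service account, strongest first.

    service_attr is the attribute value, or None when it is not set.
    """
    mask = ASSUMED_DEFAULT_WHEN_UNSET if service_attr is None else service_attr
    service, _ = decode_etypes(mask)
    return [e for e in PREFERENCE if e in client_etypes and e in service]

# Per the post: macOS Sierra NFS RPCSEC_GSS accepts only the two AES types.
MACOS_NFS = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# Constructed: a client that additionally still accepts RC4.
LINUX_CLIENT = MACOS_NFS | {"arcfour-hmac"}

if __name__ == "__main__":
    for label, attr in (("attribute not set", None), ("attribute = 28", 28)):
        print(label)
        for name, client in (("macOS Sierra NFS", MACOS_NFS),
                             ("Linux client", LINUX_CLIENT)):
            print(f"  {name}: {usable_etypes(client, attr) or 'no common etype'}")
```

This models only the intersection of advertised encryption types; whether 8.2.4P6 7-Mode can actually accept AES tickets is the question the post asks and is not settled by the attribute value alone.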

 

