Help Kerberizing NFS with Active Directory

Having exactly the same problem here with a 10.7.5 client. Changing /etc/krb5.conf hasn't helped and I haven't yet found a way to really influence the client to get it to stop using des3-cbc-sha1. I may have to see how hard it is to change the domain to make it work with the Mac.

Then, I'll see if 10.8 does the same thing.

Silly me, can't change what Windows supports. You can add DES support, but not Triple DES support.

One thing I've found so far is that the lines in /etc/krb5.conf are to be separated by spaces, not by commas. That's from testing with 10.8. 10.8 does seem to use the file correctly. I have to still go back and re-test with 10.7.

But, NFS behaves the same on 10.8 - it wants to send des3-cbc-sha1.

I just found out today that Windows Server 2008 R2 no longer supports DES encryption by default. You have to enable it. Look here. http://technet.microsoft.com/en-ca/library/dd560670(v=ws.10).aspx

Once I did that, I was able to do NFS mounts using Kerberos.

The Mac client does an ipv6 DNS check so you need make sure that succeeds. Wireshark is your friend here.

ehbuller, what did you end up using in your config to get the Kerberos mount working, out of curiosity...

Working from memory here.

*Mac OS X 10.8 joined to freshly built Windows server 2008 R2 AD domain at 2008 R2 functional level.

*NFS server is a NetApp filer running OnTap 7.3.4. It is joined to the AD domain.

*Mac and filer have AD domain controllers for DNS.

*Reverse lookup zones exist on DNS servers. Needed for linux kerberos clients. Not sure about Mac. Kerberos uses DNS to verify server name, IP match.

*Mac also has a /etc/krb.conf file which does not exist by default. The important line in here is allow_weak_crypto = 1 or something like that under [libdefaults]. Otherwise, define the realms and default realms as documented on many web sites.

*I had to create a GPO for the domain controllers to allow DES encryption.

*I log on to Mac as an AD user (username@domainname) and mount the filer export to a folder under my profile:

mount_nfs -o sec=krb5,rw filer:/export/path somefolder

HTH

Is anyone still watching this thread?

I have an update and a few glitches to work out.

We used automount to mount the home folderat login. That ensures the folder is mounted before any files are touched. My original LaunchAgent ran too late and files werre created on the local disk instead of the remote file system. Ugly! Auotmount is working great.

Now the glitches.

1. We have times when a user logs on and their home folder is mounted but they get Permission denoied when accesing the folder. We have to leave them logged in for 5 minutes, log off, and log back in. then the tickets are created and they have access to the home folder. I haven't been able to pinpoint the cause for the 5 minutes delay. Anyone else see this? Any ideas?

2. The login daemon does not request renewable tickets. We have users who run programs for extended periods (days, weeks). We need to make sure they get renewable tickets so any data does not get lost once the original tgt expires (10 hours and not configurable). See the comments at the end of this article: http://jpolok.home.cern.ch/jpolok/kerberos-macosx.html