Hello, first let me introduce our setup:
- FreeIPA 4.6.5 (I know it's a bit old already) masters CentOS 7
- FreeIPA 4.6.6 client CentOS 7
- Windows Server 2016 DCs
- Netapp Filer NFS server

There's a two-way trust between the AD and IPA domains which works nicely. User accounts exist in the AD domain and can be used on IPA members as well. The Netapp has a computer account in AD. IPA clients mount NFSv4 shares using krb5p encryption.

The problem: After installing the latest Windows updates on the DCs (kb4586830) the Kerberos authentication to the file server started failing. We were able to identify it as a Kerberos problem by trying to mount without Kerberos, which worked but of course nothing was accessible. After trying a bunch of different things and reading a lot of logs, we finally uninstalled the update on the DCs and everything worked again.

There aren't a whole lot of error messages to go on even though log/debug levels were set to the highest. The mounting client will simply say "mount.nfs: access denied by server while mounting". On the DC I was able to find a Failure Code 0x3C for the Kerberos ticket request. 0x3C is a generic error, according to https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769. None of the possible causes listed by Microsoft apply to our situation.

Since uninstalling the update on the DCs made the problem go away, I guess it's safe to assume that Microsoft changed something. The update notes don't really mention anything useful, but after some googling I found https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17049 which seems like something that could have caused this.

Are there some settings in the IPA that could be changed to comply with the changes made by Microsoft?

Thanks!
