Hello,
first let me introduce our setup:
- FreeIPA 4.6.5 (I know it's a bit old already) masters on CentOS 7
- FreeIPA 4.6.6 client on CentOS 7
- Windows Server 2016 DCs
- Netapp Filer NFS server
There's a two-way trust between the AD and IPA domains which works nicely. User
accounts exist in the AD domain and can be used on IPA members as well. The Netapp has a
computer account in AD. IPA clients mount NFSv4 shares using krb5p encryption.
The problem:
After installing the latest Windows updates on the DCs (kb4586830) the Kerberos
authentication to the file server started failing. We were able to identify it as a
Kerberos problem by trying to mount without Kerberos, which worked but of course nothing
was accessible. After trying a bunch of different things and reading a lot of logs, we
finally uninstalled the update on the DCs and everything worked again. There's not a
whole lot of error messages to go on even though log/debug levels were set to the highest.
The mounting client will simply say "mount.nfs: access denied by server while
mounting". On the DC I was able to find a Failure Code 0x3C for the Kerberos ticket
request. 0x3C is a generic error, according to
https://docs.microsoft.com/en-us/windows/security/threat-protection/audit....
None of the possible causes listed by Microsoft apply to our situation.
Since uninstalling the update on the DCs made the problem go away, I guess it's safe
to assume that Microsoft changed something. The update notes don't really mention
anything useful, but after some googling I found
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17049 which seems
like something that could have caused this. Are there some settings in IPA that could
be changed to comply with the changes made by Microsoft?
Thanks!