I'm working on configuring Kerberos for NFSv4 on ONTAP 9.3, following https://www.netapp.com/us/media/tr-4616.pdf. I'm running into problems with Kerberos encryption types and am wondering if I've missed something.
I've made sure to configure both the client object and the NFS server computer object to only use AES-128 or AES-256 via the following PowerShell command:
set-adcomputer <server> -Replace @{'msDS-SupportedEncryptionTypes'=24}
Despite that, mount attempts continue to fail with the following error, indicating that ArcFour is still being used:
7/24/2019 16:46:34 <node-02> ERROR secd.nfsAuth.problem: vserver (<test-svm>) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 12 ms] Acquired NFS service credential for logical interface 1035 (SPN='nfs/<test-svm.realm.com@REALM.COM>').
**[ 18] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Encryption type ArcFour with HMAC/md5 not permitted).
[ 12 ms] Acquired NFS service credential for logical interface 1035 (SPN='nfs/<test-svm.realm.com@REALM.COM>').
**[ 18] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Encryption type ArcFour with HMAC/md5 not permitted).
Is there another location I need to be specifying which encryption type Kerberos should be using?
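One way to confirm what the attribute set above actually contains on both computer objects, as an added example that is not part of the original post. The function name is hypothetical, `<client>` and `<server>` are placeholders, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example: read msDS-SupportedEncryptionTypes from each computer object
# and decode the bitmask, flagging any object that is not AES-only.
# Assumes the ActiveDirectory module (RSAT); computer names are placeholders.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function Get-KerberosEncTypeReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        $obj = Get-ADComputer -Identity $name -Properties 'msDS-SupportedEncryptionTypes'
        $raw = $obj.'msDS-SupportedEncryptionTypes'

        # An object that never had the attribute written returns $null here
        if ($null -eq $raw) {
            [pscustomobject]@{ Computer = $name; Value = $null
                               Enabled = '(attribute not set)'; AesOnly = $false }
            continue
        }

        # Collect the name of every encryption type whose bit is set
        $enabled = foreach ($e in $EncTypeBits.GetEnumerator()) {
            if ($raw -band $e.Value) { $e.Key }
        }

        # AES-only: at least one AES bit set and no DES or RC4 bit set
        $aesOnly = (($raw -band 0x18) -ne 0) -and (($raw -band 0x07) -eq 0)

        [pscustomobject]@{ Computer = $name; Value = $raw
                           Enabled = ($enabled -join ', '); AesOnly = $aesOnly }
    }
}

Get-KerberosEncTypeReport -ComputerName '<client>', '<server>' |
    Format-Table -AutoSize
```

A value of 24 (0x18) decodes to the two AES types with `AesOnly` true; any other result on either object means the change shown above is not what the directory currently holds.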