I'm testing out a hardened environment with our NetApp and part of that is going to be using the government DISA STIG guidelines for group policies. When I apply them, it breaks the ability of ONTAP to join the domain. The error it gives is:
**[ 87] FAILURE: Unable to SASL bind to LDAP server using GSSAPI:
** Local error
[ 87] Additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
Not a complete surprise as these group policies harden a bunch of defaults. The issue is that I would like to avoid having to go through them one at a time trying to figure out what is causing the problem. So I was wondering if anyone knew which group policies cause issues for ONTAP, particularly if you happen to know which out of the STIG list.
Thanks.
EDIT: Some of the problem seems to be related to encryption types. I removed the CIFS server and attempted to rejoin it and was told:
**[ 40] FAILURE: Could not authenticate as
** ': KDC has no support
** for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)
Error: command failed: Failed to create the Active Directory machine account "FURFARO01". Reason: Kerberos Error: KDC has no support for encryption type.
The Domain controllers are set to only use AES as per the group policy. Adding in RC4 as a permissible encryption made it able to join.
Is there a way to join to a domain set to only allow AES for Kerberos or is RC4 required?
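
Added example, not part of the original post: a simplified Python model of why an AES-only Kerberos policy produces `KRB5KDC_ERR_ETYPE_NOSUPP` for a client that offers no AES type. The bit values are those of the Windows `SupportedEncryptionTypes` / `msDS-SupportedEncryptionTypes` bitmask; the two client offer lists and the policy values are constructed assumptions, and a real KDC also considers which keys exist on the account.

```python
# Added illustration, not code from the original post or from NetApp.
# Bits of the Windows SupportedEncryptionTypes policy value /
# msDS-SupportedEncryptionTypes attribute -> (Kerberos etype number, name).
POLICY_BITS = {
    0x01: (1, "des-cbc-crc"),
    0x02: (3, "des-cbc-md5"),
    0x04: (23, "rc4-hmac"),
    0x08: (17, "aes128-cts-hmac-sha1-96"),
    0x10: (18, "aes256-cts-hmac-sha1-96"),
}
# Simplified KDC preference order, strongest first.
PREFERENCE = [18, 17, 23, 3, 1]
ETYPE_NAMES = {num: name for num, name in POLICY_BITS.values()}


def allowed_etypes(policy_value):
    """Decode the policy bitmask into the set of etype numbers the KDC accepts."""
    return {num for bit, (num, _) in POLICY_BITS.items() if policy_value & bit}


def negotiate(policy_value, client_etypes):
    """Return the chosen etype name, or the KDC error when nothing overlaps."""
    common = allowed_etypes(policy_value) & set(client_etypes)
    if not common:
        return "KRB5KDC_ERR_ETYPE_NOSUPP"
    return ETYPE_NAMES[min(common, key=PREFERENCE.index)]


# Constructed sample values (assumptions, not taken from the post).
AES_ONLY = 0x7FFFFFF8            # AES128 + AES256 + future types; RC4 and DES cleared
AES_PLUS_RC4 = AES_ONLY | 0x04   # same policy with RC4 re-enabled
LEGACY_CLIENT = [23, 3, 1]       # assumed client that offers only RC4 and DES
AES_CLIENT = [18, 17, 23]        # assumed client with AES enabled

if __name__ == "__main__":
    for label, policy in (("AES only", AES_ONLY), ("AES + RC4", AES_PLUS_RC4)):
        for cname, offer in (("legacy client", LEGACY_CLIENT),
                             ("AES client", AES_CLIENT)):
            print(f"{label:10} / {cname:13} -> {negotiate(policy, offer)}")
```
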