Jeremy,

First off, this is not a sssd problem.  You've proven that by your kinit -k attempts failing.  This is an underlying problem between your kerberos client, your AD DC and your /etc/krb5.keytab file.  Once you fix this underlying issue, I expect sssd will work.
  
Your AD domain may be accepting only weak crypto ciphers.  By default, RHEL8 sets crypto-policies to DEFAULT.

You can do this:

update-crypto-policies --show

to see the current crypto policy.  As a simple test, you can do this:

update-crypto-policies --set LEGACY

To allow all the old (weak) RHEL7 crypto ciphers (like 3des-cbc and arcfour-hmac).

It's not advisable to leave crypto-policies at LEGACY -- that accepts some truly weak ciphers.


Spike

On Wed, May 5, 2021 at 2:27 PM Jeremy Monnet <jmonnet@gmail.com> wrote:
Hello,

We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error
KDC has no support for encryption type

which prevents authentication. The server has been removed and rejoined
to the Active Directory with realm join -U user@DOMAIN. The object has
been created in the AD (2012R2 in case it would be relevant) with
SPNs:
host/HOSTNAME
host/fqdn
RestrictedKrbHost/HOSTNAME
RestrictedKrbHost/fqdn


sssd_domain.log contains
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100):
Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
GSSAPI client step 1
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
GSSAPI client step 1
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (KDC has no support for encryption type)
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080):
Extended failure message: [SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
has no support for encryption type)]
(2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000):
Waiting for child [2234].
(2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100):
child [2234] finished successfully.
(2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv] (0x0040):
Unable to establish connection [1432158227]: Authentication Failed
(2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status]
(0x8000): Setting status: PORT_NOT_WORKING. Called from:
src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv:
2095

We have tried numerous things with kinit for example :
[root@hostname sssd]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)

[root@hostname sssd]# kinit -V -k
Using new cache: persistent:0:krb_ccache_PECiZeh
Using principal: host/fqdn@DOMAIN
kinit: Client 'host/fqdn@domain' not found in Kerberos database while
getting initial credentials

[root@hostname sssd]# kinit -V -k HOSTNAME$
Using new cache: persistent:0:krb_ccache_cFLtQ1H
Using principal: HOSTNAME$@DOMAIN
kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while
getting initial credentials

We have added
krb5_validate = False
in sssd.conf and
[libdefaults]
 allow_weak_crypto = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
in krb5.conf

and set msDS-SupportedEncTypes to 31 (which means "all" if I
understand correctly) on the AD object.

With no success.

I do not know what to do now :-)

Thanks for your help

Jeremy
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
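The two messages above turn on the same question: is there any encryption type that is at once present in /etc/krb5.keytab, enabled on the computer object's msDS-SupportedEncTypes, and still permitted by the client's crypto policy? The script below is an added example for this thread, not code from either poster or from sssd. It decodes the msDS-SupportedEncTypes bitmask (bit values as documented by Microsoft: 1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256, so 31 is all five as Jeremy assumed), parses `klist -ke` output, and flags as weak the families Spike says only LEGACY re-enables (DES, 3DES, RC4). The keytab listing is constructed from Jeremy's output so the script runs offline; on a real host replace it with the live `klist -ke` output and read the mask from the AD object.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): cross-check keytab enctypes against
# the AD account's msDS-SupportedEncTypes mask and flag weak types.

# Constructed sample, copied from the klist -ke listing in the thread.
# On a real host use: SAMPLE_KLIST=$(klist -ke)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)'

# Print one krb5 enctype name per set bit of an msDS-SupportedEncTypes mask.
# Bit values per Microsoft's attribute documentation; 31 enables all five.
decode_enctypes_mask() {
    mask=$1
    [ $((mask & 1)) -ne 0 ] && echo des-cbc-crc
    [ $((mask & 2)) -ne 0 ] && echo des-cbc-md5
    [ $((mask & 4)) -ne 0 ] && echo arcfour-hmac
    [ $((mask & 8)) -ne 0 ] && echo aes128-cts-hmac-sha1-96
    [ $((mask & 16)) -ne 0 ] && echo aes256-cts-hmac-sha1-96
    return 0
}

# Extract the distinct enctypes (the text in parentheses) from klist -ke output.
keytab_enctypes() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u
}

# Weak families: the ones the thread says DEFAULT rejects and LEGACY re-enables.
# This is a classification assumed for the example, not the policy file itself.
is_weak_enctype() {
    case $1 in
        des-*|des3-*|arcfour-*|rc4-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Enctypes that are both in the keytab ($1 = klist output) and enabled by the
# mask ($2). Printed in mask order; an empty result means the KDC and the
# keytab cannot agree on any key, which is the failure mode in the thread.
usable_enctypes() {
    kt=$(keytab_enctypes "$1")
    for e in $(decode_enctypes_mask "$2"); do
        for k in $kt; do
            [ "$e" = "$k" ] && echo "$e"
        done
    done
    return 0
}

# Human-readable report; non-zero exit when nothing usable remains.
report() {
    n=0
    for e in $(usable_enctypes "$1" "$2"); do
        n=$((n + 1))
        if is_weak_enctype "$e"; then
            echo "usable but weak (needs LEGACY or AD-SUPPORT): $e"
        else
            echo "usable: $e"
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "no enctype is both in the keytab and enabled on the AD object"
        return 1
    fi
    return 0
}

report "$SAMPLE_KLIST" 31
```

With Jeremy's keytab (AES keys only) and a mask of 31 the report shows two usable, strong enctypes, which is why the AES side is not the problem to chase; run it with the mask actually set on the object (for example 4, RC4 only) and the intersection is empty, reproducing "Keytab contains no suitable keys" without touching the KDC.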