Hello,
We upgraded a RHEL 7.9 system to RHEL 8.3 today. We now encounter the error
KDC has no support for encryption type
which prevents authentication. The server has been removed and rejoined
to the Active Directory with realm join -U user@DOMAIN. The object has
been created in the AD (2012R2 in case it would be relevant) with
SPNs:
host/HOSTNAME
host/fqdn
RestrictedKrbHost/HOSTNAME
RestrictedKrbHost/fqdn
sssd_domain.log contains
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100):
Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
GSSAPI client step 1
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
GSSAPI client step 1
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (KDC has no support for encryption type)
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080):
Extended failure message: [SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (KDC
has no support for encryption type)]
(2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000):
Waiting for child [2234].
(2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100):
child [2234] finished successfully.
(2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv] (0x0040):
Unable to establish connection [1432158227]: Authentication Failed
(2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status]
(0x8000): Setting status: PORT_NOT_WORKING. Called from:
src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv:
2095
We have tried numerous things with kinit, for example:
[root@hostname sssd]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
[root@hostname sssd]# kinit -V -k
Using new cache: persistent:0:krb_ccache_PECiZeh
Using principal: host/fqdn@DOMAIN
kinit: Client 'host/fqdn@domain' not found in Kerberos database while
getting initial credentials
[root@hostname sssd]# kinit -V -k HOSTNAME$
Using new cache: persistent:0:krb_ccache_cFLtQ1H
Using principal: HOSTNAME$@DOMAIN
kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while
getting initial credentials
We have added
krb5_validate = False
in sssd.conf and
[libdefaults]
allow_weak_crypto = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
in krb5.conf
and set msDS-SupportedEncTypes to 31 (which means "all" if I
understand correctly) on the AD object.
With no success.
I do not know what to do now :-)
Thanks for your help
Jeremy
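The post above compares a keytab that only holds AES keys with an AD computer object whose msDS-SupportedEncTypes was set to 31. The following script is an added example, not code from the poster or from SSSD/MIT Kerberos: it parses the text that `klist -ke` prints and decodes the msDS-SupportedEncTypes bitmask (bit values as documented in MS-KILE section 2.2.7), then reports whether the client's keys and the KDC's advertised enctypes overlap. An empty intersection is one way to end up with "KDC has no support for encryption type"; a non-empty one, as with the value 31 and the AES-only keytab in the post, means the cause must be looked for elsewhere. The sample listing is constructed to match the shape of the post's output; the principal and realm names are placeholders.

```python
"""Compare a Kerberos keytab's enctypes with an AD msDS-SupportedEncTypes value.

Added example (not the poster's code): parses `klist -ke` text and decodes the
msDS-SupportedEncTypes bitmask so the two enctype sets can be intersected.
"""
import re

# Bit values of msDS-SupportedEncTypes (MS-KILE section 2.2.7).
SUPPORTED_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",             # RC4-HMAC; MIT's klist prints it as arcfour-hmac
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Other spellings MIT Kerberos tools accept or print for the same enctypes.
ENCTYPE_ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}

# One keytab entry as `klist -ke` prints it: "<kvno> <principal> (<enctype>)".
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def decode_supported_enctypes(value):
    """Return (enctype names set in the bitmask, leftover bits not in the table)."""
    names = {name for bit, name in SUPPORTED_ENCTYPE_BITS.items() if value & bit}
    leftover = value & ~sum(SUPPORTED_ENCTYPE_BITS)
    return names, leftover


def parse_keytab_listing(text):
    """Map each principal in `klist -ke` output to the set of enctypes it has keys for."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue                  # header, ruler and blank lines
        _kvno, principal, enctype = m.groups()
        enctype = ENCTYPE_ALIASES.get(enctype, enctype)
        keys.setdefault(principal, set()).add(enctype)
    return keys


def diagnose(klist_text, supported_value, principal):
    """Intersect the keys held for `principal` with what the AD object advertises.

    An empty "common" set means client and KDC share no enctype, which is one
    way to get "KDC has no support for encryption type".
    """
    keytab = parse_keytab_listing(klist_text).get(principal, set())
    ad_types, leftover = decode_supported_enctypes(supported_value)
    return {
        "keytab": keytab,
        "ad": ad_types,
        "common": keytab & ad_types,
        "unknown_bits": leftover,
    }


# Constructed sample shaped like the listing in the post; names are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    # 31 is the value from the post (all five types); 4 is an RC4-only object.
    for value in (31, 4):
        r = diagnose(SAMPLE_KLIST, value, "HOSTNAME$@DOMAIN")
        verdict = "overlap OK" if r["common"] else "NO common enctype"
        print(f"msDS-SupportedEncTypes={value}: keytab={sorted(r['keytab'])} "
              f"ad={sorted(r['ad'])} -> {verdict}")
```

On a real host, feed it `klist -ke` output and the attribute value read from the computer object (for example with `ldapsearch` or `adcli`); with value 31 the AES-only keytab in the post overlaps on both AES types, so the bitmask alone does not explain the failure, whereas an object left at 4 (RC4 only) would.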