On Sun, May 9, 2021 at 6:09 PM Jeremy Monnet <jmonnet(a)gmail.com> wrote:
> > It's not advisable to leave crypto-policies at LEGACY -- that
> > accepts some truly weak ciphers.
> You are right, only I do not decide the AD version used... 2012R2 is
> still supported by Microsoft, so people are not eager to migrate to
> 2016 or 2019.
Microsoft has supported the AES Kerberos encryption types since
Windows Server 2008:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows...
> That brings me to another question: is there a reference to
> supported ciphers, e.g. will RHEL, without enabling weak ciphers,
> work out of the box with an AD 2016 (that could be another argument
> to upgrade)?
You need to join the computer to AD such that the encryption types
used in the keytab file agree with the encryption types added to AD
and the value of the msDS-SupportedEncryptionTypes attribute.
From the keytab you posted, the join operation thought it had
successfully created the aes128-cts-hmac-sha1-96 and
aes256-cts-hmac-sha1-96 encryption types in AD, because it added those
encryption types to the keytab file. Either it failed to do that, or
else it failed to set the msDS-SupportedEncryptionTypes attribute
correctly.
Honestly, the best tool we have found to join computers to AD is
msktutil:
https://github.com/msktutil/msktutil/
E.g.:
$ msktutil create \
    --base OU=Linux,OU=Servers \
    --computer-name $(echo "${HOSTNAME}" | sed -e 's/\..*$//g' | tr '[:lower:]' '[:upper:]') \
    --hostname "${HOSTNAME}" \
    --upn "host/${HOSTNAME}" \
    --enctypes 0x18 \
    --verbose
Adjust the argument for --base to reflect the OU where you wish to
place the host machine account.
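As an added check (example code written for this thread, not from msktutil or from either poster), the script below decodes an msDS-SupportedEncryptionTypes value and compares it with the enctypes a keytab actually holds, as listed by `klist -ke`, so a mismatch like the one described above is visible before the first ticket request fails. The klist output and the attribute values used are constructed samples, and the bit layout is Microsoft's documented one (0x18 from the msktutil command is AES128 0x08 plus AES256 0x10).

```python
#!/usr/bin/env python3
"""Cross-check keytab enctypes against msDS-SupportedEncryptionTypes.
Added example for the msktutil thread; sample data below is constructed."""
from __future__ import annotations
import re

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# Constructed 'klist -ke' output for a host that was joined with AES keys
# but whose join also left an RC4 key behind.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/h.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/h.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/h.example.com@EXAMPLE.COM (arcfour-hmac)
"""

def decode_supported_enctypes(value: int) -> set[str]:
    """Expand the AD bitmask into enctype names; unknown bits are ignored."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}

def keytab_enctypes(klist_output: str) -> set[str]:
    """Collect the parenthesised enctype at the end of each klist -ke line."""
    return set(re.findall(r"\(([a-z0-9-]+)\)\s*$", klist_output, re.MULTILINE))

def check_join(klist_output: str, ad_value: int) -> dict[str, set[str]]:
    """Report keys AD will never negotiate (keytab_only), types AD advertises
    without a matching key (ad_only), and weak types still enabled in AD."""
    kt = keytab_enctypes(klist_output)
    ad = decode_supported_enctypes(ad_value)
    return {"keytab_only": kt - ad, "ad_only": ad - kt, "weak_in_ad": ad & WEAK}

if __name__ == "__main__":
    # 0x04 models the failure in the thread: AES keys in the keytab, but the
    # account attribute was never updated past RC4.
    for label, value in (("attribute left at 0x04", 0x04), ("set to 0x18", 0x18)):
        print(label, check_join(SAMPLE_KLIST, value))
```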