On Wed, May 05, 2021 at 07:34:18PM +0000, Patrick Riehecky wrote:
I believe DES is not even compiled into krb5-utils on 8.3
Pat
On Wed, 2021-05-05 at 21:27 +0200, Jeremy Monnet wrote:
> Hello,
>
> We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error
> KDC has no support for encryption type
Hi,
this is most probably about the rc4 encryption type which is still
heavily used in AD environments but already disabled by default in
RHEL-8.3. It can be re-enabled by calling
update-crypto-policies --set DEFAULT:AD-SUPPORT
see RHEL-8.3 Release Notes at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
for details.
After that you have to re-join or at least update your keytab because
...
>
> which prevents authentication. The server has been removed and rejoined
> to the Active Directory with realm join -U user@DOMAIN. The object
> has been created in the AD (2012R2 in case it would be relevant) with
> SPNs:
> host/HOSTNAME
> host/fqdn
> RestrictedKrbHost/HOSTNAME
> RestrictedKrbHost/fqdn
>
>
> sssd_domain.log contains
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100):
> Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
> GSSAPI client step 1
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
> GSSAPI client step 1
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (KDC has no support for encryption type)
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020):
> ldap_sasl_bind failed (-2)[Local error]
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080):
> Extended failure message: [SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (KDC
> has no support for encryption type)]
> (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000):
> Waiting for child [2234].
> (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100):
> child [2234] finished successfully.
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv]
> (0x0040):
> Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status]
> (0x8000): Setting status: PORT_NOT_WORKING. Called from:
> src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv:
> 2095
>
> We have tried numerous things with kinit for example :
> [root@hostname sssd]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
> 2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
> 2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
> 2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
> 2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
> 2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
... as you can see currently there are only AES keys in the keytab.
After a re-join or key update you should see rc4 keys as well.
HTH
bye,
Sumit
>
> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while
> getting initial credentials
>
> [root@hostname sssd]# kinit -V -k HOSTNAME$
> Using new cache: persistent:0:krb_ccache_cFLtQ1H
> Using principal: HOSTNAME$@DOMAIN
> kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while
> getting initial credentials
>
> We have added
> krb5_validate = False
> in sssd.conf and
> [libdefaults]
> allow_weak_crypto = true
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> in krb5.conf
>
> and set msDS-SupportedEncTypes to 31 (which means "all" if I
> understand correctly) on the AD object.
>
> With no success.
>
> I do not know what to do now :-)
>
> Thanks for your help
>
> Jeremy
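The diagnosis in this thread is a mismatch between the enctypes the AD object advertises (msDS-SupportedEncTypes, set to 31 above), the enctypes the host's crypto policy allows, and the keys actually present in /etc/krb5.keytab. The following script is an added example, not code from the thread or from SSSD: it parses `klist -ke` output (a constructed sample modelled on the listing above), decodes the msDS-SupportedEncTypes bitmask using the MS-KILE bit values, and reports, per principal, which allowed enctypes have no key in the keytab. The AD-SUPPORT enctype list passed in is an assumption about what that policy permits (AES plus rc4-hmac, no DES).

```python
import re
from collections import defaultdict

# msDS-SupportedEncTypes bit values (MS-KILE); 31 sets all five, as in the thread.
MSDS_ENCTYPE_BITS = {
    1: "des-cbc-crc",
    2: "des-cbc-md5",
    4: "rc4-hmac",
    8: "aes128-cts-hmac-sha1-96",
    16: "aes256-cts-hmac-sha1-96",
}

# Constructed sample of `klist -ke` output, modelled on the listing in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
"""

# Assumed enctypes permitted by the DEFAULT:AD-SUPPORT policy (AES plus rc4, no DES).
AD_SUPPORT_POLICY = ["aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96", "rc4-hmac"]

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each principal to the set of enctypes the keytab holds a key for."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and separator lines do not match the KVNO pattern
            keys[m.group(2)].add(m.group(3))
    return dict(keys)


def decode_msds_enctypes(value):
    """Decode the msDS-SupportedEncTypes bitmask into enctype names."""
    return {name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit}


def missing_enctypes(keytab, msds_value, policy_enctypes):
    """Per principal, enctypes allowed by both the AD object and the host policy
    but absent from the keytab; a non-empty result means re-join or update the keytab."""
    wanted = decode_msds_enctypes(msds_value) & set(policy_enctypes)
    return {p: sorted(wanted - have) for p, have in keytab.items() if wanted - have}


if __name__ == "__main__":
    print(missing_enctypes(parse_klist(SAMPLE_KLIST), 31, AD_SUPPORT_POLICY))
```

On a real host, replace SAMPLE_KLIST with the output of `klist -ke` and the bitmask with the value read from the computer object; an empty result for the AD-SUPPORT list means the keytab already has every key the KDC may pick.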
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure