On Wed, May 5, 2021 at 3:27 PM Jeremy Monnet <jmonnet(a)gmail.com> wrote:
> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting
You cannot kinit against host/fqdn unless sAMAccountName was set to
host/fqdn when the host was joined to AD.
> [root@hostname sssd]# kinit -V -k HOSTNAME$
> Using new cache: persistent:0:krb_ccache_cFLtQ1H
> Using principal: HOSTNAME$@DOMAIN
> kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while getting initial
This may mean that the KDC does not support the aes encryption types
(only rc4-hmac). You can test this by logging in as a normal user
with a valid TGT and running:
$ kvno -e aes256-cts-hmac-sha1-96 'HOSTNAME$'
$ kvno -e aes128-cts-hmac-sha1-96 'HOSTNAME$'
$ kvno -e arcfour-hmac 'HOSTNAME$'
(The kinit commands are to flush any successfully-acquired service
ticket; if the preceding kvno command fails, you can skip them.)
> We have added
> krb5_validate = False
> in sssd.conf and
> allow_weak_crypto = true
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
If you mean you literally edited /etc/krb5.conf, then this will not
work, because the "includedir" directive at the top of /etc/krb5.conf
will read the configuration files in the /etc/krb5.conf.d first, and
the crypto-policies file will set permitted_enctypes to whatever the
system-wide crypto policy is. Because the first setting wins, by the
time your settings in /etc/krb5.conf are parsed, permitted_enctypes
has already been set and your attempt to override it will (silently!)
You should restore the package default /etc/krb5.conf file and perform
any overrides in a separate file in /etc/krb5.conf.d, selecting a
filename that will sort lexicographically before the other files;
e.g., create /etc/krb5.conf.d/50-override with:
permitted_enctypes = aes rc4
If the problem is that your AD only supports rc4, then performing
"kinit -V -k 'HOSTNAME$'" should then succeed.
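An added illustration of the precedence rule discussed above (this is not code from the thread or from MIT krb5): it builds a constructed krb5.conf tree in a temporary directory and resolves permitted_enctypes the way libkrb5 does, reading each includedir's files in sorted name order at the point of the directive and letting the first occurrence of a single-valued relation win. The file names and enctype lists are constructed for the demo.

```python
import os
import re
import tempfile

def _relations(path, section):
    """Yield (key, value, file) for relations in `section`, in the order libkrb5
    sees them: an includedir's files (sorted by name) are read where the
    directive appears, before the rest of the including file."""
    current = None
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("includedir "):
                d = line.split(None, 1)[1]
                for name in sorted(os.listdir(d)):
                    if re.fullmatch(r"[\w-]+", name):  # only [A-Za-z0-9_-] names are included
                        yield from _relations(os.path.join(d, name), section)
                continue
            m = re.fullmatch(r"\[(\w+)\]", line)
            if m:
                current = m.group(1)
                continue
            if current == section and "=" in line:
                k, v = (s.strip() for s in line.split("=", 1))
                yield k, v, path

def effective(path, key, section="libdefaults"):
    """First occurrence wins for a single-valued relation: return (value, file)."""
    for k, v, src in _relations(path, section):
        if k == key:
            return v, os.path.basename(src)
    return None, None

def demo(with_override):
    """Constructed tree: krb5.conf with includedir, a crypto-policies drop-in,
    and optionally a 50-override drop-in that sorts before it."""
    with tempfile.TemporaryDirectory() as root:
        confd = os.path.join(root, "krb5.conf.d")
        os.mkdir(confd)
        files = {"crypto-policies": "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n"}
        if with_override:
            files["50-override"] = "[libdefaults]\npermitted_enctypes = aes rc4\n"
        for name, body in files.items():
            with open(os.path.join(confd, name), "w") as fh:
                fh.write(body)
        main = os.path.join(root, "krb5.conf")
        with open(main, "w") as fh:
            fh.write(f"includedir {confd}\n[libdefaults]\n"
                     "permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac\n")
        return effective(main, "permitted_enctypes")
```

Without the override, the value edited into the main krb5.conf never takes effect because the crypto-policies drop-in is read first; with 50-override present, its setting wins because "50-" sorts before "crypto-policies".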