Error Message states "KDC has no support for encryption type".
Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q...
Thanks,
Daniel Adeniji
=========================================================================================
Linux - Security - Active Directory
Purpose
Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain.
Specification
Linux
Version
uname
uname -r
4.18.0-147.5.1.el8_1.x86_64
lsb_release
sudo lsb_release -d
Description: CentOS Linux release 8.1.1911 (Core)
Microsoft
OS Version
MS Windows 2003
TroubleShooting
kinit
Syntax
kinit -V {username}@{domain}
Sample
KRB5_TRACE=/dev/stdout kinit -V dadeniji@EPHRAIMTECH.com
Output
KRB5_TRACE=/dev/stdout kinit -V dadeniji@EPHRAIMTECH.com.
Using default cache: 1000
Using principal: dadeniji@EPHRAIMTECH.com.
[2448] 1588503907.189313: Getting initial credentials for dadeniji@EPHRAIMTECH.com.
[2448] 1588503907.189315: Sending unauthenticated request
[2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com.
[2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189318: No URI records found
[2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com.
[2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
[2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
[2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
[2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189327: No URI records found
[2448] 1588503907.189328: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189329: No SRV records found
[2448] 1588503907.189330: Response was not from master KDC
[2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for encryption type
[2448] 1588503907.189332: Retrying AS request with master KDC
[2448] 1588503907.189333: Getting initial credentials for dadeniji@EPHRAIMTECH.com.
[2448] 1588503907.189335: Sending unauthenticated request
[2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com. (master)
[2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189338: No URI records found
[2448] 1588503907.189339: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189340: Sending DNS SRV query for _kerberos-master._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189341: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials
Error
Error Message
kinit: KDC has no support for encryption type while getting initial credentials
adcli
Syntax
adcli join {domain-name} -U {username} -v
Sample
adcli join ephraimtech.com -U dadeniji -v
Output
sudo adcli join ephraimtech.com -U dadeniji -v
* Using domain name: ephraimtech.com
* Calculated computer account name from fqdn: ADRIEL
* Calculated domain realm from name: EPHRAIMTECH.COM
* Discovering domain controllers: _ldap._tcp.ephraimtech.com
* Sending netlogon pings to domain controller: cldap://10.0.4.6
* Received NetLogon info from: harvest.ephraimtech.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
Password for dadeniji@EPHRAIMTECH.COM:
! Couldn't authenticate as: dadeniji@EPHRAIMTECH.COM: KDC has no support for encryption type
adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as: dadeniji@EPHRAIMTECH.COM: KDC has no support for encryption type
Configuration
/etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
# Temporarily enable logging
debug_level=10
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
allow_weak_crypto = true
dns_lookup_kdc = true
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
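As an added example (editor's code, not part of the original post or of MIT krb5/adcli), the Python script below does the two checks a practitioner would run against the material above before blaming the Windows 2003 KDC: it decodes the numeric code in the KRB5_TRACE line "Received error from KDC: -1765328370/..." into its RFC 4120 KRB-ERROR value, and it lints the [libdefaults] enctype relations of a krb5.conf fragment for misspelled relation names, weak or deprecated enctypes, and an includedir that precedes [libdefaults]. The table base -1765328384 (KRB5KDC_ERR_NONE) and the error-code names are MIT krb5 and RFC 4120 facts; the trace lines and configuration text embedded in the script are constructed from this post, and all function names are this example's own.

```python
"""Decode a KRB5_TRACE KDC error and lint [libdefaults] enctype settings.

Added example; not part of the original post. The sample trace and config
text below are constructed from the post (mail line-wrapping removed).
"""
import re

# MIT krb5 reports com_err codes: this table base plus the KRB-ERROR
# error-code sent by the KDC (RFC 4120 section 7.5.9).
KRB5_ERROR_TABLE_BASE = -1765328384          # KRB5KDC_ERR_NONE
KRB_ERROR_NAMES = {                          # subset of RFC 4120 error-codes
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}
TRACE_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")

# Relations libkrb5 actually consults for enctype selection, and the enctypes
# that are weak (single DES, refused unless allow_weak_crypto = true) or
# deprecated (3DES, RC4) in current MIT krb5.
ENCTYPE_RELATIONS = {"default_tgs_enctypes", "default_tkt_enctypes",
                     "permitted_enctypes"}
WEAK_OR_DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                      "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac",
                      "arcfour-hmac-md5"}


def decode_kdc_errors(trace_text):
    """Return (com_err_code, krb_error_code, name, message) per KDC error line."""
    results = []
    for line in trace_text.splitlines():
        m = TRACE_ERR_RE.search(line)
        if m:
            code = int(m.group(1))
            proto = code - KRB5_ERROR_TABLE_BASE
            results.append((code, proto, KRB_ERROR_NAMES.get(proto, "UNKNOWN"),
                            m.group(2).strip()))
    return results


def parse_libdefaults(conf_text):
    """Minimal krb5.conf reader returning ([libdefaults] relations, include lines).

    A repeated relation keeps its FIRST value, which is what libkrb5's
    profile_get_string() returns. Include directives are recorded with the
    section they appear in (None = before any section) but are not followed.
    """
    section, rels, includes = None, {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.startswith("include"):            # include / includedir
            includes.append((line, section))
            continue
        if line.startswith("["):
            section = line.strip("[] ")
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            rels.setdefault(key.strip(), val.strip())
    return rels, includes


def lint_enctypes(rels, includes):
    """Findings worth checking on the client before suspecting the KDC."""
    findings = []
    for key in rels:                              # typo'd relation names are silently ignored
        if key.endswith("_enctypes") and key not in ENCTYPE_RELATIONS:
            findings.append(f"'{key}' is not a krb5 relation and is silently ignored (typo?)")
    for key in sorted(ENCTYPE_RELATIONS & rels.keys()):
        bad = [e for e in rels[key].split() if e in WEAK_OR_DEPRECATED]
        if bad:
            findings.append(f"{key} relies on weak/deprecated enctypes: {' '.join(bad)}")
    if rels.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables single-DES (AD-side support still required)")
    if any(sec is None for _, sec in includes):   # first value wins, so an early include overrides
        findings.append("includedir precedes [libdefaults]: an included snippet setting the same relation wins")
    return findings


# Constructed from the post: the relevant trace lines and a trimmed krb5.conf.
SAMPLE_TRACE = """\
[2448] 1588503907.189330: Response was not from master KDC
[2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for encryption type
[2448] 1588503907.189332: Retrying AS request with master KDC
"""
SAMPLE_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_realm = false
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
 dns_lookup_kdc = true
[realms]
"""

if __name__ == "__main__":
    for code, proto, name, msg in decode_kdc_errors(SAMPLE_TRACE):
        print(f"{code} -> KRB-ERROR {proto} {name}: {msg}")
    rels, includes = parse_libdefaults(SAMPLE_CONF)
    for finding in lint_enctypes(rels, includes):
        print("-", finding)
```

The includedir finding is the reason the comment at the top of the posted krb5.conf says to remove the /etc/krb5.conf.d/crypto-policies symlink: because the first value of a relation wins and the include sits above [libdefaults], a permitted_enctypes set by that snippet takes effect before the one written further down in the file. Run the script against the real trace (KRB5_TRACE output saved to a file) and the real /etc/krb5.conf by substituting the sample strings.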