6:28 a.m.
Error Message states "KDC has no support for encryption type".
Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q...
Thanks,
Daniel Adeniji
=========================================================================================
Linux - Security - Active Directory
Purpose
Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain.
Specification
Linux
Version
uname
uname -r
4.18.0-147.5.1.el8_1.x86_64
lsb_release
sudo lsb_release -d
Description: CentOS Linux release
8.1.1911 (Core)
Microsoft
OS Version
MS Windows 2003
TroubleShooting
kinit
Syntax
Kinit -V {username}@{domain}
Sample
KRB5_TRACE=/dev/stdout kinit -V dadeniji(a)EPHRAIMTECH.com
Output
KRB5_TRACE=/dev/stdout kinit -V dadeniji(a)EPHRAIMTECH.com.
Using
default cache: 1000
Using principal: dadeniji(a)EPHRAIMTECH.com.
[2448] 1588503907.189313: Getting initial credentials for dadeniji(a)EPHRAIMTECH.com.
[2448] 1588503907.189315: Sending unauthenticated request
[2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com.
[2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189318: No URI records found
[2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com.
[2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
[2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
[2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
[2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189327: No URI records found
[2448] 1588503907.189328: Sending DNS SRV query for
_kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189329: No SRV records found
[2448] 1588503907.189330: Response was not from master KDC
[2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for
encryption type
[2448] 1588503907.189332: Retrying AS request with master KDC
[2448] 1588503907.189333: Getting initial credentials for dadeniji(a)EPHRAIMTECH.com.
[2448] 1588503907.189335: Sending unauthenticated request
[2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com. (master)
[2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189338: No URI records found
[2448] 1588503907.189339: Sending DNS SRV query for
_kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189340: Sending DNS SRV query for
_kerberos-master._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189341: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials
Error
Error Message
kinit: KDC has no support for encryption type while getting initial credentials
adcli
Syntax
Adcli join {domain-name} -U {username} -v
Sample
Adcli join ephraimtech.com -U dadeniji -v
Output
sudo adcli join ephraimtech.com -U dadeniji -v
* Using domain
name: ephraimtech.com
* Calculated computer account name from fqdn: ADRIEL
* Calculated domain realm from name: EPHRAIMTECH.COM
* Discovering domain controllers: _ldap._tcp.ephraimtech.com
* Sending netlogon pings to domain controller: cldap://10.0.4.6
* Received NetLogon info from: harvest.ephraimtech.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
Password for dadeniji(a)EPHRAIMTECH.COM:
! Couldn't authenticate as: dadeniji(a)EPHRAIMTECH.COM: KDC has no support for
encryption type
adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as:
dadeniji(a)EPHRAIMTECH.COM: KDC has no support for encryption type
Configuration
/etc/krb5.config
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
# Temporarily enable logging
debug_level=10
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
allow_weak_crypto = true
dns_lookup_kdc = true
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
~
8:45 a.m.
New subject: On CentOS v 8.1, Unable to join MS Windows Active Directory Domain running MS Windows 2003
On Sun, May 03, 2020 at 11:28:58AM -0000, Daniel Adeniji wrote:
Error Message states "KDC has no support for encryption
type".
Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q...
Hi,
I guess the RHEL-8 crypto policy is overriding your settings in
/etc/krb5.conf.
Please try
update-crypto-policies --set LEGACY
and see man update-crypto-policies for details.
HTH
bye,
Sumit
Thanks,
Daniel Adeniji
=========================================================================================
Linux - Security - Active Directory
Purpose
Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain.
Specification
Linux
Version
uname
>uname -r
4.18.0-147.5.1.el8_1.x86_64
lsb_release
>sudo lsb_release -d
Description: CentOS Linux release 8.1.1911 (Core)
Microsoft
OS Version
MS Windows 2003
TroubleShooting
kinit
Syntax
Kinit -V {username}@{domain}
Sample
KRB5_TRACE=/dev/stdout kinit -V dadeniji(a)EPHRAIMTECH.com
Output
>KRB5_TRACE=/dev/stdout kinit -V dadeniji(a)EPHRAIMTECH.com.
Using default cache: 1000
Using principal: dadeniji(a)EPHRAIMTECH.com.
[2448] 1588503907.189313: Getting initial credentials for dadeniji(a)EPHRAIMTECH.com.
[2448] 1588503907.189315: Sending unauthenticated request
[2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com.
[2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189318: No URI records found
[2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com.
[2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
[2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
[2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
[2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189327: No URI records found
[2448] 1588503907.189328: Sending DNS SRV query for
_kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189329: No SRV records found
[2448] 1588503907.189330: Response was not from master KDC
[2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for
encryption type
[2448] 1588503907.189332: Retrying AS request with master KDC
[2448] 1588503907.189333: Getting initial credentials for dadeniji(a)EPHRAIMTECH.com.
[2448] 1588503907.189335: Sending unauthenticated request
[2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com. (master)
[2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189338: No URI records found
[2448] 1588503907.189339: Sending DNS SRV query for
_kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189340: Sending DNS SRV query for
_kerberos-master._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189341: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials
Error
Error Message
kinit: KDC has no support for encryption type while getting initial credentials
adcli
Syntax
Adcli join {domain-name} -U {username} -v
Sample
Adcli join ephraimtech.com -U dadeniji -v
Output
>sudo adcli join ephraimtech.com -U dadeniji -v
* Using domain name: ephraimtech.com
* Calculated computer account name from fqdn: ADRIEL
* Calculated domain realm from name: EPHRAIMTECH.COM
* Discovering domain controllers: _ldap._tcp.ephraimtech.com
* Sending netlogon pings to domain controller: cldap://10.0.4.6
* Received NetLogon info from: harvest.ephraimtech.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
Password for dadeniji(a)EPHRAIMTECH.COM:
! Couldn't authenticate as: dadeniji(a)EPHRAIMTECH.COM: KDC has no support for
encryption type
adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as:
dadeniji(a)EPHRAIMTECH.COM: KDC has no support for encryption type
Configuration
/etc/krb5.config
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
# Temporarily enable logging
debug_level=10
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
allow_weak_crypto = true
dns_lookup_kdc = true
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
~
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1452
days inactive
1453
days old
sssd-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Daniel Adeniji -
Sumit Bose