
List:       sssd-users
Subject:    [SSSD-users] RHEL 8.3 KDC has no support for encryption type
From:       Jeremy Monnet <jmonnet () gmail ! com>
Date:       2021-05-05 19:27:24
Message-ID: CAEQt6Z+5b3Ri6Ka+Yu9wFd4MofqX51nXL9ADwnOzH=QsN9-tgg () mail ! gmail ! com

Hello,

We upgraded a RHEL 7.9 server to RHEL 8.3 today. We now encounter this error:
KDC has no support for encryption type

which prevents authentication. The server has been removed from and rejoined
to the Active Directory with realm join -U user@DOMAIN. The object has
been created in the AD (2012R2, in case it is relevant) with the
SPNs:
host/HOSTNAME
host/fqdn
RestrictedKrbHost/HOSTNAME
RestrictedKrbHost/fqdn


sssd_domain.log contains
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100):
Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
GSSAPI client step 1
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
GSSAPI client step 1
(2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (KDC has no support for encryption type)
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080):
Extended failure message: [SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
has no support for encryption type)]
(2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000):
Waiting for child [2234].
(2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100):
child [2234] finished successfully.
(2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv] (0x0040):
Unable to establish connection [1432158227]: Authentication Failed
(2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status]
(0x8000): Setting status: PORT_NOT_WORKING. Called from:
src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv:
2095

We have tried numerous things with kinit, for example:
[root@hostname sssd]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)

[root@hostname sssd]# kinit -V -k
Using new cache: persistent:0:krb_ccache_PECiZeh
Using principal: host/fqdn@DOMAIN
kinit: Client 'host/fqdn@domain' not found in Kerberos database while
getting initial credentials

[root@hostname sssd]# kinit -V -k HOSTNAME$
Using new cache: persistent:0:krb_ccache_cFLtQ1H
Using principal: HOSTNAME$@DOMAIN
kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while
getting initial credentials

We have added
krb5_validate = False
to sssd.conf and
[libdefaults]
 allow_weak_crypto = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
to krb5.conf,

and set msDS-SupportedEncTypes to 31 (which means "all" if I
understand correctly) on the AD object.

with no success.

I do not know what to do now :-)

Thanks for your help

Jeremy
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
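When chasing a "KDC has no support for encryption type" failure, the first thing worth checking is whether the three enctype lists involved actually overlap: what the AD computer object advertises in msDS-SupportedEncTypes, what keys the host keytab holds, and what the client's krb5.conf permits. The script below is an added example, not part of the thread and not SSSD or Red Hat code; it decodes the msDS-SupportedEncTypes bitmask (bit values 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256, as documented by Microsoft in MS-KILE), parses `klist -ke` output and the `[libdefaults]` enctype options, and reports the usable intersection plus any weak enctypes the client has been configured to accept. The sample keytab listing and krb5.conf fragment are constructed from the values quoted in the message above, with the HOSTNAME/DOMAIN placeholders kept as the poster wrote them.

```python
"""Cross-check Kerberos enctypes from AD, the host keytab and krb5.conf."""
import re

# Bits of the AD msDS-SupportedEncTypes attribute that name an encryption
# type (MS-KILE). Other bits (FAST, claims, ...) are reported as leftovers.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Enctypes that current system crypto policies (e.g. RHEL 8 DEFAULT) refuse.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

# Constructed sample input, copied from the listing in the message above.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
 allow_weak_crypto = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""


def decode_supported_enctypes(value):
    """Return (set of enctype names, leftover non-enctype bits) for a bitmask."""
    names = {name for bit, name in ENCTYPE_BITS.items() if value & bit}
    leftover = value & ~sum(ENCTYPE_BITS)
    return names, leftover


def parse_klist_ke(text):
    """Map principal -> set of enctypes from `klist -ke` output."""
    entries = {}
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\((\S+)\)\s*$", text, re.M):
        entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def parse_krb5_enctypes(text, option):
    """Read a space-separated enctype list (e.g. permitted_enctypes) from krb5.conf."""
    m = re.search(rf"^\s*{option}\s*=\s*(.+?)\s*$", text, re.M)
    return m.group(1).split() if m else []


def assess(ad_value, klist_text, krb5_text):
    """Compare the three enctype sources and flag gaps and weak settings."""
    keytab = parse_klist_ke(klist_text)
    keytab_enctypes = set().union(*keytab.values()) if keytab else set()
    permitted = set(parse_krb5_enctypes(krb5_text, "permitted_enctypes"))
    ad_enctypes, leftover = decode_supported_enctypes(ad_value)
    return {
        "ad_enctypes": ad_enctypes,
        "ad_leftover_bits": leftover,
        "keytab_enctypes": keytab_enctypes,
        "permitted": permitted,
        # Only enctypes present in all three places can complete an exchange.
        "usable": keytab_enctypes & permitted & ad_enctypes,
        # Weak types the client has been told to accept (a hardening finding).
        "weak_permitted": permitted & WEAK_ENCTYPES,
        # Keys the host owns but its own config forbids using.
        "keytab_not_permitted": keytab_enctypes - permitted,
    }


if __name__ == "__main__":
    report = assess(31, SAMPLE_KLIST, SAMPLE_KRB5_CONF)
    for key, value in report.items():
        print(f"{key:22s}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the poster's values (msDS-SupportedEncTypes = 31), the only enctype common to all three lists is aes256-cts-hmac-sha1-96; the aes128 keys in the keytab are excluded by the hand-written permitted_enctypes line, and three weak enctypes are enabled on the client. The script does not diagnose the KDC-side failure, but it makes the configuration state explicit before anyone starts widening enctype lists further.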

