I don't understand why that full list of permitted_enctypes is a problem,
while your abbreviated list is not.

I do know that Windows AD controllers seem to favor aes256-cts-hmac-sha1-96
and aes128-cts-hmac-sha1-96.  For most AD domains, DES was deprecated long
ago and as of last year, I think most customers are trying to deprecate RC4
as well.

Our AD DCs are W2016, 2020 and (formerly) W2012.  I have no experience with
RedHat IDM and no experience with Win10 servers (I thought Win 10 were all
desktops and integrated natively with AD).

But I do know that the krb5-libs will attempt to negotiate the encryption
types in the order they are listed in your permitted_enctypes line.  So
change your line to do aes256-cts-hmac-sha1-96 first.  Something like:

permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac
camellia128-cts-cmac

This will at least give you another data point.  To my mind, it should
proceed like this:

Attempt aes256-cts-hmac-sha384-192, fail.
Attempt aes128-cts-hmac-sha256-128, fail.
Attempt aes256-cts-hmac-sha1-96, succeed.


Spike

On Thu, Nov 30, 2023 at 11:23 PM Deepak Ramanath <deepak.nara...@gmail.com>
wrote:

> I have a Windows 10 server joined to a RedHat IDM (RHEL 8.9) realm using
> Kerberos. When a user tries to authenticate on a Windows 10 server, the
> following error is shown
>
> "We cannot sign you in with this credential because your domain isn't
> available"
>
> On the IDM, looking at the `/var/log/krb5kdc.log`, I see the following...
>
> Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55:
> NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local,
> Additional pre-authentication required
> Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE:
> authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)},
> win.user@server.local for krbtgt/server.local@server.local
> Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes
> {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
> ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for
> host/win-server.server.local@server.local
>
> In the `/etc/crypto-policies/back-ends/krb5.config`, `libdefaults` has
> been set to
>
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
> camellia128-cts-cmac
>
> Interestingly, if all encryption types are removed except
> aes256-cts-hmac-sha1-96 from the permitted_enctypes, the authentication on
> Windows 10 is successful.
>
> Any idea why only setting to aes256-cts-hmac-sha1-96 works while a list of
> supported methods including aes256-cts-hmac-sha1-96 does not?
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
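An added example, written for this page and not code from either poster or from the krb5/SSSD projects: a small Python script that parses the krb5kdc.log lines quoted above and, for a given permitted_enctypes list, reports which enctypes the Windows client and the KDC both support, in the KDC's listed order, plus which offered enctypes the KDC tagged DEPRECATED or UNSUPPORTED and which enctypes were actually used for the reply, ticket and session key. The enctype numbers are the RFC 3961 / RFC 6803 / RFC 8009 assignments; the sample log lines are the ones from the original post, re-joined onto single lines where the mail client had wrapped them.

```python
"""Parse krb5kdc.log AS_REQ/TGS_REQ lines and compare the enctypes a client
offers with a KDC permitted_enctypes list, in the KDC's listed order."""
import re
from dataclasses import dataclass, field

# Enctype numbers as assigned in RFC 3961, RFC 6803 and RFC 8009.
ENCTYPE_IDS = {
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23,
    "arcfour-hmac-exp": 24,
    "camellia128-cts-cmac": 25,
    "camellia256-cts-cmac": 26,
}

# The two permitted_enctypes settings from the post: the full crypto-policy
# list that failed, and the single-enctype list that let Windows 10 log in.
FULL_PERMITTED = ("aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 "
                  "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
                  "camellia256-cts-cmac camellia128-cts-cmac").split()
AES256_ONLY = ["aes256-cts-hmac-sha1-96"]

# krb5kdc.log excerpt from the post, each record re-joined onto one line.
SAMPLE_LOG = """\
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local, Additional pre-authentication required
Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for krbtgt/server.local@server.local
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for host/win-server.server.local@server.local
"""


@dataclass
class Offered:
    name: str   # empty for enctypes the KDC could not even name
    num: int
    tag: str    # "", "DEPRECATED" or "UNSUPPORTED", as krb5kdc prints it


@dataclass
class KdcRecord:
    kind: str            # "AS_REQ" or "TGS_REQ"
    client: str = ""
    server: str = ""
    offered: list = field(default_factory=list)
    issued: dict = field(default_factory=dict)  # rep/tkt/ses -> enctype number


REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \(\d+ etypes \{([^}]*)\}\) \S+: (.*)$")
OFFER_RE = re.compile(r"^(?:(DEPRECATED|UNSUPPORTED):)?([^(]*)\((-?\d+)\)$")
ISSUE_RE = re.compile(r"etypes \{(rep=[^}]*)\}, (\S+) for (\S+)")
SLOT_RE = re.compile(r"(rep|tkt|ses)=[^(]*\((\d+)\)")
PREAUTH_RE = re.compile(r"NEEDED_PREAUTH: (\S+) for (\S+),")


def parse_kdc_log(text):
    """Return one KdcRecord per AS_REQ/TGS_REQ line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        kind, offer_str, rest = m.groups()
        rec = KdcRecord(kind)
        for piece in offer_str.split(", "):
            om = OFFER_RE.match(piece.strip())
            if om:
                tag, name, num = om.groups()
                rec.offered.append(Offered(name, int(num), tag or ""))
        if (im := ISSUE_RE.search(rest)):
            rec.issued = {slot: int(n) for slot, n in SLOT_RE.findall(im.group(1))}
            rec.client, rec.server = im.group(2), im.group(3)
        elif (pm := PREAUTH_RE.search(rest)):
            rec.client, rec.server = pm.groups()
        records.append(rec)
    return records


def common_enctypes(record, permitted):
    """Enctypes in `permitted` (KDC order) that the client also offered."""
    offered_ids = {o.num for o in record.offered}
    return [name for name in permitted if ENCTYPE_IDS.get(name) in offered_ids]


def weak_offers(record):
    """Offered enctypes the KDC flagged as DEPRECATED or UNSUPPORTED."""
    return [o for o in record.offered if o.tag]


if __name__ == "__main__":
    for rec in parse_kdc_log(SAMPLE_LOG):
        print(f"{rec.kind} {rec.client} -> {rec.server}")
        print("  flagged by KDC :", [(o.tag, o.name or '?', o.num) for o in weak_offers(rec)])
        print("  full list      :", common_enctypes(rec, FULL_PERMITTED))
        print("  aes256 only    :", common_enctypes(rec, AES256_ONLY))
        if rec.issued:
            print("  issued         :", rec.issued)
```

Run against the quoted log, the script shows that the Windows client never offers the SHA-2 AES or Camellia enctypes at all (it offers 18, 17, RC4, DES and an unnamed -135), so the only candidates common to both sides are 18 and 17 with either permitted_enctypes setting; it also surfaces that, with the full list in place, the AS reply's ticket (tkt) was encrypted with enctype 20 while rep and ses were enctype 18, which is the data point to compare against a run with the reordered or shortened list.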