I don't understand why that full list of permitted_enctypes is a problem, while your abbreviated list is not.
I do know that Windows AD controllers seem to favor aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96. For most AD domains, DES was deprecated long ago and, as of last year, I think most customers are trying to deprecate RC4 as well. Our AD DCs are W2016, 2020 and (formerly) W2012. I have no experience with RedHat IDM and no experience with Win10 servers (I thought Win 10 were all desktops and integrated natively with AD). But I do know that the krb5-libs will attempt to negotiate the encryption types in the order they are listed in your permitted_enctypes line. So change your line to do aes256-cts-hmac-sha1-96 first, something like:

    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac

This will at least give you another data point. To my mind, it should proceed like this: attempt aes256-cts-hmac-sha384-192, fail; attempt aes128-cts-hmac-sha256-128, fail; attempt aes256-cts-hmac-sha1-96, succeed.

Spike

On Thu, Nov 30, 2023 at 11:23 PM Deepak Ramanath <deepak.nara...@gmail.com> wrote:
> I have a Windows 10 server joined to a RedHat IDM (RHEL 8.9) realm using
> Kerberos. When a user tries to authenticate on a Windows 10 server, the
> following error is shown:
>
> "We cannot sign you in with this credential because your domain isn't
> available"
>
> On the IDM, looking at the `/var/log/krb5kdc.log`, I see the following...
>
> Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local, Additional pre-authentication required
> Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for krbtgt/server.local@server.local
> Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for host/win-server.server.local@server.local
>
> In the `/etc/crypto-policies/back-ends/krb5.config`, `libdefaults` has
> been set to
>
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
>
> Interestingly, if all encryption types are removed except
> aes256-cts-hmac-sha1-96 from the permitted_enctypes, the authentication on
> Windows 10 is successful.
>
> Any idea why only setting to aes256-cts-hmac-sha1-96 works while a list of
> supported methods including aes256-cts-hmac-sha1-96 does not?
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
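An added example, not code from the thread, from MIT krb5 or from IdM/SSSD: a small parser for the krb5kdc.log lines quoted above that compares what the Windows client offered in each AS_REQ/TGS_REQ against a permitted_enctypes value, and reports which enctypes ended up on the reply, ticket and session key. The sample log is the three lines from the post, one per line; the etype numbers are the standard IANA/RFC assignments that the KDC prints in parentheses; the function names are my own.

```python
"""Parse MIT krb5kdc.log AS_REQ/TGS_REQ lines and compare the enctypes a client
offered with a permitted_enctypes setting.  Added example for this thread, not
code from the original post or from MIT krb5/IdM/SSSD."""
import re

# Enctype numbers as the KDC prints them in parentheses (RFC 3961, RFC 8009, IANA).
ETYPE_NUMBERS = {
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23,
    "arcfour-hmac-exp": 24,
    "camellia128-cts-cmac": 25,
    "camellia256-cts-cmac": 26,
}

# One entry of the KDC's "{...}" list: "arcfour-hmac(23)", "DEPRECATED:arcfour-hmac(23)",
# or "UNSUPPORTED:(-135)" (etypes the KDC does not know are printed with an empty name).
ENTRY_RE = re.compile(r"(?:(DEPRECATED|UNSUPPORTED):)?([A-Za-z0-9-]*)\((-?\d+)\)")
REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([^}]*)\}\) (\S+): (\S+)")
ISSUE_RE = re.compile(r"(rep|tkt|ses)=([A-Za-z0-9-]+)\((\d+)\)")
PRINC_RE = re.compile(r"(\S+@\S+) for (\S+?)(?:,|\s|$)")

# Constructed sample: the three krb5kdc.log lines quoted in the post, one per line.
SAMPLE_LOG = "\n".join([
    "Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), "
    "DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) "
    "192.168.124.55: NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local, "
    "Additional pre-authentication required",
    "Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), "
    "DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) "
    "192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, "
    "win.user@server.local for krbtgt/server.local@server.local",
    "Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), "
    "DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: "
    "authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "win.user@server.local for host/win-server.server.local@server.local",
])


def parse_kdc_line(line):
    """Return a dict describing one AS_REQ/TGS_REQ line, or None for any other line."""
    m = REQ_RE.search(line)
    if m is None:
        return None
    offered = [(name, int(num), tag) for tag, name, num in ENTRY_RE.findall(m.group(3))]
    rec = {
        "kind": m.group(1),
        "client_ip": m.group(4),
        "status": m.group(5).rstrip(":"),          # NEEDED_PREAUTH, ISSUE, ...
        "offered": [num for _, num, _ in offered],  # client's list, in its own order
        "deprecated": [num for _, num, tag in offered if tag == "DEPRECATED"],
        "unsupported": [num for _, num, tag in offered if tag == "UNSUPPORTED"],
        "issued": {role: int(num) for role, _, num in ISSUE_RE.findall(line)},
    }
    p = PRINC_RE.search(line)
    if p:
        rec["client"], rec["server"] = p.group(1), p.group(2)
    return rec


def parse_permitted(value):
    """Turn a permitted_enctypes value into etype numbers, keeping the configured order."""
    return [ETYPE_NUMBERS[name] for name in value.split()]


def analyze(log_text, permitted_enctypes):
    """For each request: what the client offered, the overlap with the server-side
    permitted list (in both orders), and for ISSUE lines the key types actually used."""
    permitted = parse_permitted(permitted_enctypes)
    reports = []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        rec["common_client_order"] = [e for e in rec["offered"] if e in permitted]
        rec["common_server_order"] = [e for e in permitted if e in rec["offered"]]
        if "tkt" in rec["issued"]:
            # The ticket is sealed with the service's long-term key (krbtgt for an AS_REQ),
            # so its enctype need not be one the client offered; record when it is not.
            rec["tkt_etype_offered_by_client"] = rec["issued"]["tkt"] in rec["offered"]
        reports.append(rec)
    return reports


if __name__ == "__main__":
    full = ("aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 "
            "aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac")
    for rec in analyze(SAMPLE_LOG, full):
        print(rec["kind"], rec.get("client"), "->", rec.get("server"),
              "common:", rec["common_client_order"], "issued:", rec["issued"])
        if rec.get("tkt_etype_offered_by_client") is False:
            print("  note: ticket etype", rec["issued"]["tkt"], "was not in the client's list")
```

Run against the posted lines, this shows the client offering only etypes 18 and 17 that the full permitted list also contains (the RC4 and DES entries are flagged DEPRECATED/UNSUPPORTED by the KDC and -135 is unknown to it), and that the TGT in the second line is sealed with etype 20 (aes256-cts-hmac-sha384-192), which the client never offered, while the service ticket in the third line uses 18 throughout. Point it at a real /var/log/krb5kdc.log and a candidate permitted_enctypes value before and after changing the crypto policy to see exactly what each variation changes.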