Error Message states "KDC has no support for encryption type".

Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q7x1IOc/edit?usp=sharing

Thanks,
Daniel Adeniji

=========================================================================================

Linux - Security - Active Directory

Purpose

Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain.

Specification

Linux Version

uname

    >uname -r
    4.18.0-147.5.1.el8_1.x86_64

lsb_release

    >sudo lsb_release -d
    Description: CentOS Linux release 8.1.1911 (Core)

Microsoft OS Version

MS Windows 2003

TroubleShooting

kinit

Syntax

    kinit -V {username}@{domain}

Sample

    KRB5_TRACE=/dev/stdout kinit -V [email protected]

Output

    >KRB5_TRACE=/dev/stdout kinit -V [email protected].
    Using default cache: 1000
    Using principal: [email protected].
    [2448] 1588503907.189313: Getting initial credentials for [email protected].
    [2448] 1588503907.189315: Sending unauthenticated request
    [2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com.
    [2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
    [2448] 1588503907.189318: No URI records found
    [2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com.
    [2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
    [2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com.
    [2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
    [2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
    [2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
    [2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
    [2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
    [2448] 1588503907.189327: No URI records found
    [2448] 1588503907.189328: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
    [2448] 1588503907.189329: No SRV records found
    [2448] 1588503907.189330: Response was not from master KDC
    [2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for encryption type
    [2448] 1588503907.189332: Retrying AS request with master KDC
    [2448] 1588503907.189333: Getting initial credentials for [email protected].
    [2448] 1588503907.189335: Sending unauthenticated request
    [2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com. (master)
    [2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
    [2448] 1588503907.189338: No URI records found
    [2448] 1588503907.189339: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
    [2448] 1588503907.189340: Sending DNS SRV query for _kerberos-master._tcp.EPHRAIMTECH.com.
    [2448] 1588503907.189341: No SRV records found
    kinit: KDC has no support for encryption type while getting initial credentials

Error

Error Message

    kinit: KDC has no support for encryption type while getting initial credentials

adcli

Syntax

    adcli join {domain-name} -U {username} -v

Sample

    adcli join ephraimtech.com -U dadeniji -v

Output

    >sudo adcli join ephraimtech.com -U dadeniji -v
     * Using domain name: ephraimtech.com
     * Calculated computer account name from fqdn: ADRIEL
     * Calculated domain realm from name: EPHRAIMTECH.COM
     * Discovering domain controllers: _ldap._tcp.ephraimtech.com
     * Sending netlogon pings to domain controller: cldap://10.0.4.6
     * Received NetLogon info from: harvest.ephraimtech.com
     * Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
    Password for [email protected]:
     ! Couldn't authenticate as: [email protected]: KDC has no support for encryption type
    adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as: [email protected]: KDC has no support for encryption type

Configuration

/etc/krb5.config

    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/

    # Temporarily enable logging
    debug_level=10

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_ccache_name = KEYRING:persistent:%{uid}
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        allow_weak_crypto = true
        dns_lookup_kdc = true

    [realms]
    # EXAMPLE.COM = {
    #     kdc = kerberos.example.com
    #     admin_server = kerberos.example.com
    # }

    [domain_realm]
    # .example.com = EXAMPLE.COM
    # example.com = EXAMPLE.COM
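
An offline check for the [libdefaults] enctype settings shown in the post, as an added example that is not part of the original message: it reports relation names that are near-misses of the three enctype relations libkrb5 reads, and enctypes deprecated by RFC 6649 and RFC 8429. The function names and the inline sample (the enctype lines as posted) are assumptions of this example.

```python
import difflib

# The three enctype relations libkrb5 reads from [libdefaults].
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Deprecated by RFC 6649 (DES, RC4-HMAC-EXP) and RFC 8429 (3DES, RC4-HMAC).
DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
              "rc4-hmac", "arcfour-hmac", "rc4-hmac-exp", "arcfour-hmac-exp"}

# Sample input: the enctype lines copied from the configuration in the post.
SAMPLE = """\
[libdefaults]
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 defaukt_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
[realms]
"""

def libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, relations = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # section header such as [realms]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            relations.setdefault(key, value)  # keep the first occurrence
    return relations

def lint(text):
    """Return (kind, key, detail) findings for the enctype relations."""
    findings = []
    for key, value in libdefaults(text).items():
        if key in ENCTYPE_KEYS:
            old = [e for e in value.replace(",", " ").split() if e.lower() in DEPRECATED]
            if old:
                findings.append(("deprecated-enctype", key, old))
        else:
            # A near-miss name is never looked up, so its value has no effect.
            near = difflib.get_close_matches(key, ENCTYPE_KEYS, n=1, cutoff=0.8)
            if near:
                findings.append(("unrecognised-key", key, near))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```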
