On Sun, May 03, 2020 at 11:28:58AM -0000, Daniel Adeniji wrote:
> Error Message states "KDC has no support for encryption type".
>
> Write Up Here
>
> https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q7x1IOc/edit?usp=sharing
Hi,
I guess the RHEL-8 crypto policy is overriding your settings in
/etc/krb5.conf.
Please try
update-crypto-policies --set LEGACY
and see man update-crypto-policies for details.
HTH
bye,
Sumit
>
> Thanks,
>
> Daniel Adeniji
> =========================================================================================
>
> Linux - Security - Active Directory
>
>
> Purpose
>
> Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory
> Domain.
>
>
>
>
> Specification
>
> Linux
>
> Version
>
> uname
> >uname -r
> 4.18.0-147.5.1.el8_1.x86_64
>
> lsb_release
>
> >sudo lsb_release -d
> Description: CentOS Linux release 8.1.1911 (Core)
>
>
>
> Microsoft
> OS Version
>
> MS Windows 2003
>
>
>
> TroubleShooting
> kinit
>
> Syntax
>
> kinit -V {username}@{domain}
>
> Sample
>
> KRB5_TRACE=/dev/stdout kinit -V [email protected]
>
> Output
>
>
> >KRB5_TRACE=/dev/stdout kinit -V [email protected].
> Using default cache: 1000
> Using principal: [email protected].
> [2448] 1588503907.189313: Getting initial credentials for
> [email protected].
> [2448] 1588503907.189315: Sending unauthenticated request
> [2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com.
> [2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
> [2448] 1588503907.189318: No URI records found
> [2448] 1588503907.189319: Sending DNS SRV query for
> _kerberos._udp.EPHRAIMTECH.com.
> [2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
> [2448] 1588503907.189321: Sending DNS SRV query for
> _kerberos._tcp.EPHRAIMTECH.com.
> [2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
> [2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
> [2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
> [2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
> [2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
> [2448] 1588503907.189327: No URI records found
> [2448] 1588503907.189328: Sending DNS SRV query for
> _kerberos-master._udp.EPHRAIMTECH.com.
> [2448] 1588503907.189329: No SRV records found
> [2448] 1588503907.189330: Response was not from master KDC
> [2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no
> support for encryption type
> [2448] 1588503907.189332: Retrying AS request with master KDC
> [2448] 1588503907.189333: Getting initial credentials for
> [email protected].
> [2448] 1588503907.189335: Sending unauthenticated request
> [2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com.
> (master)
> [2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
> [2448] 1588503907.189338: No URI records found
> [2448] 1588503907.189339: Sending DNS SRV query for
> _kerberos-master._udp.EPHRAIMTECH.com.
> [2448] 1588503907.189340: Sending DNS SRV query for
> _kerberos-master._tcp.EPHRAIMTECH.com.
> [2448] 1588503907.189341: No SRV records found
> kinit: KDC has no support for encryption type while getting initial
> credentials
>
> Error
>
> Error Message
>
>
> kinit: KDC has no support for encryption type while getting initial
> credentials
>
>
> adcli
>
> Syntax
>
> adcli join {domain-name} -U {username} -v
>
> Sample
>
> adcli join ephraimtech.com -U dadeniji -v
>
> Output
>
>
> >sudo adcli join ephraimtech.com -U dadeniji -v
> * Using domain name: ephraimtech.com
> * Calculated computer account name from fqdn: ADRIEL
> * Calculated domain realm from name: EPHRAIMTECH.COM
> * Discovering domain controllers: _ldap._tcp.ephraimtech.com
> * Sending netlogon pings to domain controller: cldap://10.0.4.6
> * Received NetLogon info from: harvest.ephraimtech.com
> * Wrote out krb5.conf snippet to
> /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
> Password for [email protected]:
> ! Couldn't authenticate as: [email protected]: KDC has no support for
> encryption type
> adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as:
> [email protected]: KDC has no support for encryption type
>
>
>
> Configuration
>
> /etc/krb5.conf
>
> # To opt out of the system crypto-policies configuration of krb5, remove the
> # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
> includedir /etc/krb5.conf.d/
>
> # Temporarily enable logging
> debug_level=10
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> spake_preauth_groups = edwards25519
> default_ccache_name = KEYRING:persistent:%{uid}
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> allow_weak_crypto = true
> dns_lookup_kdc = true
>
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
>
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
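Sumit's diagnosis rests on how libkrb5 merges /etc/krb5.conf with the snippets under /etc/krb5.conf.d/: the includedir line sits before the file's own [libdefaults], and the profile library keeps the first definition of a relation it meets, so the permitted_enctypes written by crypto-policies shadows the rc4/des list further down in krb5.conf. The following added example (not from the thread, nor from the sssd or krb5 projects) models that lookup over a constructed config tree; the AES-only snippet text, the temp-dir layout and the helper names are assumptions.

```python
import re
import tempfile
from pathlib import Path

SECTION_RE = re.compile(r"^\[(\w+)\]$")
RELATION_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
SNIPPET_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # libkrb5 skips other names (e.g. *.bak)

def iter_relations(path):
    """Yield (section, key, value, source) in file order, expanding includedir in place."""
    section = None  # every file starts outside any section (files are independent)
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir "):
            for f in sorted(Path(line.split(None, 1)[1]).iterdir()):
                if SNIPPET_NAME_RE.fullmatch(f.name):
                    yield from iter_relations(f)
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := RELATION_RE.match(line)) and section:
            yield section, m.group(1), m.group(2).strip(), str(path)

def effective(conf, section, key):
    """libkrb5 keeps the first definition it meets, so a relation in a snippet
    included before [libdefaults] in krb5.conf shadows the local one."""
    for sec, k, v, src in iter_relations(conf):
        if sec == section and k == key:
            return v, src
    return None, None

def rc4_permitted(conf):
    v, _ = effective(conf, "libdefaults", "permitted_enctypes")
    return v is not None and "rc4-hmac" in v.split()

# Constructed stand-in for an AES-only policy snippet (not copied from a real host).
AES_ONLY_SNIPPET = ("[libdefaults]\npermitted_enctypes = "
                    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n")

def build_tree(policy_snippet):
    """Constructed mirror of the poster's layout: includedir before [libdefaults]."""
    root = Path(tempfile.mkdtemp())
    (root / "krb5.conf.d").mkdir()
    if policy_snippet is not None:  # None mirrors "remove the symlink" from the comment
        (root / "krb5.conf.d" / "crypto-policies").write_text(policy_snippet)
    conf = root / "krb5.conf"
    conf.write_text(f"includedir {root / 'krb5.conf.d'}\n\n[libdefaults]\n"
                    "permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5\n")
    return conf
```

With the snippet present, `effective()` reports the AES-only list from the crypto-policies file and `rc4_permitted()` is False, which is the state that produces "KDC has no support for encryption type" against a realm that only offers rc4/des; with the snippet gone the rc4/des list in krb5.conf becomes effective. Switching to the LEGACY policy widens the permitted set for every consumer on the host, whereas removing the /etc/krb5.conf.d/crypto-policies symlink confines the change to Kerberos.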