Hello,

We upgraded a RHEL 7.9 host to RHEL 8.3 today. We now encounter the error "KDC has no support for encryption type", which prevents authentication.

The server has been removed from and rejoined to the Active Directory with realm join -U user@DOMAIN. The object has been created in the AD (2012R2, in case it would be relevant) with SPNs:

  host/HOSTNAME
  host/fqdn
  RestrictedKrbHost/HOSTNAME
  RestrictedKrbHost/fqdn

sssd_domain.log contains:

  (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
  (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
  (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
  (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
  (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
  (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)]
  (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000): Waiting for child [2234].
  (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100): child [2234] finished successfully.
  (2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
  (2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
  Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2095

We have tried numerous things with kinit, for example:

  [root@hostname sssd]# klist -ke
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
     2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
     2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
     2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
     2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
     2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
     2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
     2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
     2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
     2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)

  [root@hostname sssd]# kinit -V -k
  Using new cache: persistent:0:krb_ccache_PECiZeh
  Using principal: host/fqdn@DOMAIN
  kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting initial credentials

  [root@hostname sssd]# kinit -V -k HOSTNAME$
  Using new cache: persistent:0:krb_ccache_cFLtQ1H
  Using principal: HOSTNAME$@DOMAIN
  kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while getting initial credentials

We have added krb5_validate = False in sssd.conf, and the following in krb5.conf:

  [libdefaults]
  allow_weak_crypto = true
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

We also set msDS-SupportedEncTypes to 31 (which means "all", if I understand correctly) on the AD object. With no success.
I do not know what to do now :-)

Thanks for your help,
Jeremy

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
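As an added example (not part of Jeremy's post or of SSSD itself): a small Python check that decodes the msDS-SupportedEncTypes bitmask and compares it with the enctypes a `klist -ke` listing actually holds, so a mismatch between what AD advertises for the account and what the keytab contains can be spotted before blaming the KDC. The bit values are the documented ones from MS-KILE; the klist listing is a constructed sample modelled on the post, and the function names are my own.

```python
import re

# msDS-SupportedEncTypes bit values (MS-KILE), keyed to the enctype names MIT klist prints.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",             # written "rc4-hmac" in krb5.conf
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
ALIASES = {"rc4-hmac": "arcfour-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# Constructed `klist -ke` sample modelled on the post (AES keys only, KVNO 2).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
   2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
"""

def decode_supported_enctypes(value):
    """Enctype names whose bit is set in an msDS-SupportedEncTypes value (31 = all five)."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}

def keytab_enctypes(klist_output, principal=None):
    """Enctypes present in a `klist -ke` listing, optionally restricted to one principal."""
    found = set()
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\((\S+)\)\s*$", klist_output, re.M):
        if principal is None or m.group(1) == principal:
            found.add(ALIASES.get(m.group(2), m.group(2)))
    return found

def check(value, klist_output, principal=None):
    """Cross-check what AD advertises for the account against what the keytab holds."""
    supported = decode_supported_enctypes(value)
    in_keytab = keytab_enctypes(klist_output, principal)
    return {
        "supported": supported,
        "in_keytab": in_keytab,
        # Keys the KDC will not issue tickets for: a classic source of
        # "KDC has no support for encryption type".
        "keytab_not_advertised": in_keytab - supported,
        # Enctypes AD allows but for which this host has no key at all.
        "advertised_without_key": supported - in_keytab,
        # Setting 31 re-enables DES and RC4; 24 (0x18) keeps AES only.
        "weak_enabled": supported & WEAK,
    }
```

For the post's situation (value 31, AES-only keytab) the check reports no unadvertised keytab enctypes, which points away from the AD attribute as the cause, while flagging that 31 turns the weak DES and RC4 types back on.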