I believe DES is not even compiled into krb5-utils on 8.3

Pat

On Wed, 2021-05-05 at 21:27 +0200, Jeremy Monnet wrote:
> Hello,
> 
> We upgraded a RHEL 7.9 system to RHEL 8.3 today. We now encounter the error
> KDC has no support for encryption type
> 
> which prevents authentication. The server has been removed and rejoined
> to the Active Directory with realm join -U user@DOMAIN. The object has
> been created in the AD (2012 R2, in case that is relevant) with SPNs:
> host/HOSTNAME
> host/fqdn
> RestrictedKrbHost/HOSTNAME
> RestrictedKrbHost/fqdn
> 
> 
> sssd_domain.log contains
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100):
> Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
> GSSAPI client step 1
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL:
> GSSAPI client step 1
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL:
> GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> information (KDC has no support for encryption type)
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020):
> ldap_sasl_bind failed (-2)[Local error]
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080):
> Extended failure message: [SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information
> (KDC
> has no support for encryption type)]
> (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000):
> Waiting for child [2234].
> (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100):
> child [2234] finished successfully.
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv]
> (0x0040):
> Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status]
> (0x8000): Setting status: PORT_NOT_WORKING. Called from:
> src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv:
> 2095
> 
> We have tried numerous things with kinit, for example:
> [root@hostname sssd]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
> 
> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while
> getting initial credentials
> 
> [root@hostname sssd]# kinit -V -k HOSTNAME$
> Using new cache: persistent:0:krb_ccache_cFLtQ1H
> Using principal: HOSTNAME$@DOMAIN
> kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while
> getting initial credentials
> 
> We have added
> krb5_validate = False
> in sssd.conf and
> [libdefaults]
>  allow_weak_crypto = true
>  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> in krb5.conf
> 
> and set msDS-SupportedEncTypes to 31 (which means "all" if I
> understand correctly) on the AD object.
> 
> With no success.
> 
> I do not know what to do now :-)
> 
> Thanks for your help
> 
> Jeremy
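An added diagnostic example, not code from either poster: it decodes the msDS-SupportedEncTypes bitmask Jeremy set to 31, reads the enctypes present in the keytab from `klist -ke` output, and reports whether any enctype is common to the AD object, the keytab and the local client build (Pat's point that DES is absent from the RHEL 8.3 krb5 build). The `klist` sample and the `CLIENT_PERMITTED` set are constructed assumptions, and the function names are my own.

```python
# Added example (not from the thread). An empty three-way overlap between the
# enctypes AD advertises for the account, the keys in /etc/krb5.keytab and the
# enctypes the local krb5 build permits is one cause of the KDC error
# "KDC has no support for encryption type" (KRB5KDC_ERR_ETYPE_NOSUPP).
import re

# Bit values of the msDS-SupportedEncTypes attribute; 31 (0x1F) sets all five.
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# krb5.conf spells RC4 as "rc4-hmac"; klist prints it as "arcfour-hmac".
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

# Assumption: enctypes usable by the client build (DES not compiled in).
CLIENT_PERMITTED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"}

# Constructed sample of `klist -ke` output, trimmed to the machine account.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
"""


def decode_supported_enctypes(value):
    """Expand an msDS-SupportedEncTypes bitmask into a set of enctype names."""
    return {name for bit, name in AD_ENCTYPE_BITS.items() if value & bit}


def keytab_enctypes(klist_output, principal):
    """Collect the enctypes listed for one principal in `klist -ke` output."""
    pat = re.compile(r"^\s*\d+\s+" + re.escape(principal) + r"\s+\((\S+)\)\s*$", re.M)
    return {ALIASES.get(e, e) for e in pat.findall(klist_output)}


def diagnose(klist_output, principal, ad_bitmask, client_permitted):
    """Return (usable enctypes, verdict) for the AD/keytab/client overlap."""
    normalized_client = {ALIASES.get(e, e) for e in client_permitted}
    usable = (keytab_enctypes(klist_output, principal)
              & decode_supported_enctypes(ad_bitmask)
              & normalized_client)
    verdict = "ok" if usable else "no common enctype: expect KDC_ERR_ETYPE_NOSUPP"
    return usable, verdict
```

With the bitmask at 31 and AES keys in the keytab the overlap is non-empty, so the check points away from the enctype list itself and toward the AD object's actual attribute value or the keytab/KVNO mismatch that `kinit -k` reported.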

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure