Jeremy,

First off, this is not an sssd problem. You've proven that by your kinit -k attempts failing. This is an underlying problem between your Kerberos client, your AD DC and your /etc/krb5.keytab file. Once you fix this underlying issue, I expect sssd will work.
Your AD domain may be accepting only weak crypto ciphers. By default, RHEL8 sets crypto-policies to DEFAULT. You can do this:

    update-crypto-policies --show

to see the current crypto policy. As a simple test, you can do this:

    update-crypto-policies --set LEGACY

to allow all the old (weak) RHEL7 crypto ciphers (like 3des-cbc and arcfour-hmac). It's not advisable to leave crypto-policies at LEGACY -- that accepts some truly weak ciphers.

Spike

On Wed, May 5, 2021 at 2:27 PM Jeremy Monnet <jmon...@gmail.com> wrote:
> Hello,
>
> We upgraded today a RHEL 7.9 to RHEL8.3. We now encounter the error
>
>     KDC has no support for encryption type
>
> which prevents authentication. The server has been removed and rejoined
> to the Active Directory with realm join -U user@DOMAIN. The object has
> been created in the AD (2012R2 in case it would be relevant) with
> SPNs:
>     host/HOSTNAME
>     host/fqdn
>     RestrictedKrbHost/HOSTNAME
>     RestrictedKrbHost/fqdn
>
> sssd_domain.log contains
>
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: HOSTNAME$
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
> (2021-05-05 21:06:55): [be[bcrs.fr]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)]
> (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x1000): Waiting for child [2234].
> (2021-05-05 21:06:55): [be[bcrs.fr]] [child_sig_handler] (0x0100): child [2234] finished successfully.
> (2021-05-05 21:06:55): [be[bcrs.fr]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-05 21:06:55): [be[bcrs.fr]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2095
>
> We have tried numerous things with kinit, for example:
>
> [root@hostname sssd]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOSTNAME$@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 host/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 host/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 host/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 host/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/HOSTNAME@DOMAIN (aes256-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/fqdn@DOMAIN (aes128-cts-hmac-sha1-96)
>    2 RestrictedKrbHost/fqdn@DOMAIN (aes256-cts-hmac-sha1-96)
>
> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting initial credentials
>
> [root@hostname sssd]# kinit -V -k HOSTNAME$
> Using new cache: persistent:0:krb_ccache_cFLtQ1H
> Using principal: HOSTNAME$@DOMAIN
> kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while getting initial credentials
>
> We have added
>
>     krb5_validate = False
>
> in sssd.conf and
>
>     [libdefaults]
>     allow_weak_crypto = true
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> in krb5.conf
>
> and set msDS-SupportedEncTypes to 31 (which means "all" if I understand correctly) on the AD object.
>
> With no success.
>
> I do not know what to do now :-)
>
> Thanks for your help
>
> Jeremy
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
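The thread turns on two enctype sets that must overlap: what the keytab holds (klist -ke) and what the AD computer object advertises in msDS-SupportedEncTypes, before the client-side crypto policy is even consulted. The script below is an added example, not code from the thread, sssd or Red Hat; it decodes the attribute's bitmask (0x01 des-cbc-crc, 0x02 des-cbc-md5, 0x04 rc4-hmac, 0x08 aes128-cts-hmac-sha1-96, 0x10 aes256-cts-hmac-sha1-96, so 31 = all five, as Jeremy assumed) using MIT's names (rc4-hmac is listed as arcfour-hmac by klist), extracts the enctypes from a klist -ke listing, and reports the intersection. The keytab listing embedded in it is constructed for a hypothetical host.example.com and deliberately AES-only like the one in the thread; on a real box feed it `klist -ke` output and the attribute value read from the AD object.

```shell
#!/bin/sh
# Added example (not from the thread): check that a keytab and an AD computer
# object's msDS-SupportedEncTypes share at least one enctype.
# Bit values are the documented msDS-SupportedEncTypes flags; names are MIT's.
set -u
export LC_ALL=C

# Decode an msDS-SupportedEncTypes integer into enctype names, one per line.
decode_supported_enctypes() {
  mask=$1
  [ $((mask & 1)) -ne 0 ]  && echo des-cbc-crc
  [ $((mask & 2)) -ne 0 ]  && echo des-cbc-md5
  [ $((mask & 4)) -ne 0 ]  && echo arcfour-hmac
  [ $((mask & 8)) -ne 0 ]  && echo aes128-cts-hmac-sha1-96
  [ $((mask & 16)) -ne 0 ] && echo aes256-cts-hmac-sha1-96
  return 0
}

# Pull the distinct enctype names (the parenthesised text) out of klist -ke output.
keytab_enctypes() {   # $1: klist -ke output as one string
  printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u
}

# Print the enctypes both sides support. Exit status 1 when there are none,
# which is the condition the KDC reports as "no support for encryption type".
common_enctypes() {   # $1: msDS-SupportedEncTypes value, $2: klist -ke output
  ad=$(decode_supported_enctypes "$1" | sort)
  kt=$(keytab_enctypes "$2")
  common=$(printf '%s\n%s\n' "$ad" "$kt" | sort | uniq -d)
  [ -n "$common" ] || return 1
  printf '%s\n' "$common"
}

# Constructed sample: a hypothetical host with AES-only keys, as in the thread.
# Replace with the real listing:  SAMPLE_KLIST=$(klist -ke)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 HOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/host.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Stand-alone run: mask 31 shares both AES types with the keytab, while an
# RC4-only object (mask 4) shares nothing and would produce the thread's error.
echo "AD object (31) allows:";  decode_supported_enctypes 31
echo "keytab holds:";           keytab_enctypes "$SAMPLE_KLIST"
echo "shared with mask 31:";    common_enctypes 31 "$SAMPLE_KLIST"
echo "shared with mask 4:";     common_enctypes 4 "$SAMPLE_KLIST" \
  || echo "(none: KDC would answer 'no support for encryption type')"
```

A non-empty intersection means the keytab and the attribute are not the pair at fault and the restriction is coming from elsewhere (the client's permitted enctypes under the active crypto policy, or the KDC's own policy); an empty one pins the mismatch on the object and the keytab. If the missing type turns out to be RC4, RHEL 8.3 and later ship an AD-SUPPORT subpolicy (update-crypto-policies --set DEFAULT:AD-SUPPORT) that re-enables it for Kerberos without switching everything to LEGACY as Spike's quick test does.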