On Sun, May 9, 2021 at 6:09 PM Jeremy Monnet <jmon...@gmail.com> wrote:
> > It's not advisable to leave crypto-policies at LEGACY -- that
> > accepts some truly weak ciphers.
>
> You are right, only I do not decide the AD version used... 2012R2 is
> still supported by Microsoft, so people are not eager to migrate to
> 2016 or 2019.

Microsoft has supported the AES Kerberos encryption types since Windows
Server 2008:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852180(v=ws.11)

> That brings me to another question :
> - Is there a reference to supported ciphers, eg will rhel without
> enabling weak ciphers work out of the box with an AD 2016 (that could
> be another argument to upgrade) ?

You need to join the computer to AD such that the encryption types used in
the keytab file agree with the encryption types added to AD and the value
of the msDs-supportedEncryptionTypes attribute.

From the keytab you posted, the join operation thought it had successfully
created the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 encryption
types in AD, because it added those encryption types to the keytab file.
Either it failed to do that, or else it failed to set the
msDs-supportedEncryptionTypes attribute correctly.

Honestly, the best tool we have found to join computers to AD is msktutil:

https://github.com/msktutil/msktutil/

E.g.:

$ msktutil create \
    --base OU=Linux,OU=Servers \
    --computer-name "$(echo "${HOSTNAME}" | sed -e 's/\..*$//g' | tr '[:lower:]' '[:upper:]')" \
    --hostname "${HOSTNAME}" \
    --upn "host/${HOSTNAME}" \
    --enctypes 0x18 \
    --verbose

Adjust the argument for --base to reflect the OU where you wish to place
the host machine account.
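The check the reply describes (keytab enctypes must agree with the enctypes AD advertises for the machine account) can be automated. The script below is an added example, not code from the thread or from msktutil: it parses `klist -kte` output, decodes the msDS-SupportedEncryptionTypes bitmask using the documented bit values (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256, which is why `--enctypes 0x18` means "AES only"), and reports the mismatch cases that break authentication. The keytab listing and the attribute value are constructed sample data; the principal, realm and host names are assumptions.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
# msktutil --enctypes takes the same mask: 0x18 == AES128 | AES256.
AD_ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# Alternative spellings seen in klist output (assumption: MIT-style names).
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}

# Constructed sample of `klist -kte /etc/krb5.keytab`; the host and realm are
# made up.  Newer MIT klist prefixes RC4 with "DEPRECATED:", so the parser
# must tolerate that.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/09/2021 18:00:00 host/linuxbox.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 05/09/2021 18:00:00 host/linuxbox.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 05/09/2021 18:00:00 host/linuxbox.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

# Constructed sample value of the AD attribute, e.g. as returned by
#   ldapsearch -LLL -Y GSSAPI -b "$BASE" '(sAMAccountName=LINUXBOX$)' \
#       msDS-SupportedEncryptionTypes
# A value of 4 means the account advertises RC4-HMAC only.
SAMPLE_AD_MASK = 0x4

_KT_LINE = re.compile(r"(\S+@\S+)\s+\(([^)]+)\)\s*$")


def parse_keytab_enctypes(klist_output: str) -> dict:
    """Return {principal: {normalised enctype name, ...}} from klist -kte text."""
    found = {}
    for line in klist_output.splitlines():
        m = _KT_LINE.search(line)
        if not m:
            continue  # header / separator lines carry no principal
        principal, enctype = m.group(1), m.group(2).lower()
        if enctype.startswith("deprecated:"):
            enctype = enctype[len("deprecated:"):]
        enctype = ALIASES.get(enctype, enctype)
        found.setdefault(principal, set()).add(enctype)
    return found


def to_mask(enctypes) -> int:
    """Encode a set of enctype names as an msDS-SupportedEncryptionTypes mask."""
    mask = 0
    for name in enctypes:
        if name not in AD_ENCTYPE_BITS:
            raise ValueError(f"no AD bit known for enctype {name!r}")
        mask |= AD_ENCTYPE_BITS[name]
    return mask


def from_mask(mask: int) -> set:
    """Decode a mask into enctype names; bits without a known name are ignored."""
    return {name for name, bit in AD_ENCTYPE_BITS.items() if mask & bit}


def check_agreement(keytab_enctypes: set, ad_mask: int) -> dict:
    """Compare one principal's keytab keys with what AD advertises for it."""
    advertised = from_mask(ad_mask)
    return {
        # Keys the KDC will never select: AD does not advertise them.
        "keytab_only": sorted(keytab_enctypes - advertised),
        # Enctypes the KDC may issue tickets in, which the host cannot decrypt.
        "ad_only": sorted(advertised - keytab_enctypes),
        # Weak enctypes (the ones a LEGACY crypto-policy would re-enable).
        "weak_advertised": sorted(advertised & WEAK),
        # What actually works with weak ciphers disabled on the host.
        "strong_common": sorted((advertised & keytab_enctypes) - WEAK),
    }


def audit_keytab(klist_output: str, ad_mask: int) -> dict:
    """Run check_agreement for every principal found in the keytab listing."""
    return {p: check_agreement(e, ad_mask)
            for p, e in parse_keytab_enctypes(klist_output).items()}


if __name__ == "__main__":
    for principal, report in audit_keytab(SAMPLE_KLIST, SAMPLE_AD_MASK).items():
        print(principal)
        for key, value in report.items():
            print(f"  {key:16} {', '.join(value) or '-'}")
        if not report["strong_common"]:
            print("  => no AES enctype in common; re-join (e.g. msktutil "
                  "--enctypes 0x18) so AD advertises the AES keys in the keytab")
```

On the sample data the report shows AES keys present in the keytab but absent from the attribute, with RC4 the only enctype AD will use; that is exactly the state in which the host works under LEGACY and fails once RC4 is disabled. Re-running the audit with the attribute set to 0x18 gives two strong enctypes in common and flags the RC4 key as unused.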
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure