Error Message states "KDC has no support for encryption type".
Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q7x1...
Thanks,
Daniel Adeniji

=========================================================================================
Linux - Security - Active Directory
Purpose
Trying to connect a CentOS Linux box to a Microsoft Windows Active Directory Domain.
Specification
Linux
Version
uname
uname -r
4.18.0-147.5.1.el8_1.x86_64
lsb_release
sudo lsb_release -d
Description: CentOS Linux release 8.1.1911 (Core)
Microsoft OS Version
MS Windows 2003
Troubleshooting kinit
Syntax
kinit -V {username}@{domain}
Sample
KRB5_TRACE=/dev/stdout kinit -V dadeniji@EPHRAIMTECH.com
Output
KRB5_TRACE=/dev/stdout kinit -V dadeniji@EPHRAIMTECH.com
Using default cache: 1000
Using principal: dadeniji@EPHRAIMTECH.com
[2448] 1588503907.189313: Getting initial credentials for dadeniji@EPHRAIMTECH.com
[2448] 1588503907.189315: Sending unauthenticated request
[2448] 1588503907.189316: Sending request (224 bytes) to EPHRAIMTECH.com
[2448] 1588503907.189317: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189318: No URI records found
[2448] 1588503907.189319: Sending DNS SRV query for _kerberos._udp.EPHRAIMTECH.com.
[2448] 1588503907.189320: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189321: Sending DNS SRV query for _kerberos._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189322: SRV answer: 0 100 88 "harvest.ephraimtech.com."
[2448] 1588503907.189323: Resolving hostname harvest.ephraimtech.com.
[2448] 1588503907.189324: Sending initial UDP request to dgram 10.0.4.6:88
[2448] 1588503907.189325: Received answer (104 bytes) from dgram 10.0.4.6:88
[2448] 1588503907.189326: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189327: No URI records found
[2448] 1588503907.189328: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189329: No SRV records found
[2448] 1588503907.189330: Response was not from master KDC
[2448] 1588503907.189331: Received error from KDC: -1765328370/KDC has no support for encryption type
[2448] 1588503907.189332: Retrying AS request with master KDC
[2448] 1588503907.189333: Getting initial credentials for dadeniji@EPHRAIMTECH.com
[2448] 1588503907.189335: Sending unauthenticated request
[2448] 1588503907.189336: Sending request (224 bytes) to EPHRAIMTECH.com (master)
[2448] 1588503907.189337: Sending DNS URI query for _kerberos.EPHRAIMTECH.com.
[2448] 1588503907.189338: No URI records found
[2448] 1588503907.189339: Sending DNS SRV query for _kerberos-master._udp.EPHRAIMTECH.com.
[2448] 1588503907.189340: Sending DNS SRV query for _kerberos-master._tcp.EPHRAIMTECH.com.
[2448] 1588503907.189341: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials
Error
Error Message
kinit: KDC has no support for encryption type while getting initial credentials
adcli
Syntax
adcli join {domain-name} -U {username} -v
Sample
adcli join ephraimtech.com -U dadeniji -v
Output
sudo adcli join ephraimtech.com -U dadeniji -v
 * Using domain name: ephraimtech.com
 * Calculated computer account name from fqdn: ADRIEL
 * Calculated domain realm from name: EPHRAIMTECH.COM
 * Discovering domain controllers: _ldap._tcp.ephraimtech.com
 * Sending netlogon pings to domain controller: cldap://10.0.4.6
 * Received NetLogon info from: harvest.ephraimtech.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-vHcn5L/krb5.d/adcli-krb5-conf-G0KCpp
Password for dadeniji@EPHRAIMTECH.COM:
 ! Couldn't authenticate as: dadeniji@EPHRAIMTECH.COM: KDC has no support for encryption type
adcli: couldn't connect to ephraimtech.com domain: Couldn't authenticate as: dadeniji@EPHRAIMTECH.COM: KDC has no support for encryption type
Configuration
/etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

# Temporarily enable logging debug_level=10

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 # the original post spelled this relation "defaukt_tkt_enctypes"; a misspelled relation is silently ignored
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
 dns_lookup_kdc = true

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
On Sun, May 03, 2020 at 11:28:58AM -0000, Daniel Adeniji wrote:
Error Message states "KDC has no support for encryption type".
Write Up Here
https://docs.google.com/document/d/102UCuMB5IkiPb15468EcWN8-h-t6PfRe1rq6Q7x1...
Hi,
I guess the RHEL-8 crypto policy is overriding your settings in /etc/krb5.conf.
Please try
update-crypto-policies --set LEGACY
and see man update-crypto-policies for details.
HTH
bye, Sumit
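To see why the poster's [libdefaults] values had no effect, here is an added Python model (not code from this thread, from krb5 or from crypto-policies) of how the MIT profile library resolves a relation: an includedir directive splices the included files in at its own position and the first value found wins, so a crypto-policies snippet included at the top of /etc/krb5.conf shadows a permitted_enctypes set further down in the same file. All function names are hypothetical, and the two policy snippets are constructed stand-ins, not the contents of the real DEFAULT or LEGACY back-end files.

```python
import re

# Constructed stand-ins for the file that /etc/krb5.conf.d/crypto-policies
# points at. Illustrative only; read the real one on your host.
POLICY_DEFAULT = "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n"
POLICY_LEGACY = "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac\n"

# The poster's /etc/krb5.conf, trimmed to the relations that matter here.
KRB5_CONF = """includedir /etc/krb5.conf.d/
[libdefaults]
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
"""


def parse(text, includes):
    """Flatten a profile into (section, key, value) tuples in the order the MIT
    profile library sees them: includedir splices the included files in at that
    point, so their relations precede everything written below the directive."""
    relations, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("includedir "):
            for name in sorted(includes):  # files are read in sorted name order
                relations.extend(parse(includes[name], {}))
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" in line and section:
            key, value = (part.strip() for part in line.split("=", 1))
            relations.append((section, key, value))
    return relations


def effective(section, key, text, includes):
    """profile_get_string semantics: the first matching relation wins."""
    for sec, k, value in parse(text, includes):
        if sec == section and k == key:
            return value
    return None


def permitted_enctypes(policy_snippet):
    """Enctypes the client will actually offer. None models the opt-out the
    krb5.conf comment describes: removing the crypto-policies symlink."""
    includes = {"crypto-policies": policy_snippet} if policy_snippet else {}
    return effective("libdefaults", "permitted_enctypes", KRB5_CONF, includes).split()
```

With the DEFAULT stand-in included, the poster's rc4-hmac/DES line is never consulted; with the symlink removed it is. Whether rc4-hmac appears at a given policy level is something to read from /etc/crypto-policies/back-ends/krb5.config on the host, not from these stand-ins.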
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...