KDC has no support for encryption type in RHEL8 and above

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8.3 or later
    • kerberos
  • Red Hat Enterprise Linux 9

Issue

  • The following error messages are recorded in /var/log/messages when joining an SSSD client to an AD domain:
    • KDC has no support for encryption type
    • kinit: KDC has no support for encryption type while getting initial credentials
  • Unable to join the AD domain: KDC has no support for encryption type while getting initial credentials

Resolution

  • In RHEL8 and RHEL9, krb5 no longer supports RC4 under the default crypto policy. Where this old and insecure cipher is still required, the workaround is to load the 'AD-SUPPORT' subpolicy on top of the 'DEFAULT' policy on RHEL8, or the 'AD-SUPPORT-LEGACY' subpolicy on top of the 'DEFAULT' policy on RHEL9.

  • To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy on RHEL8:

     # update-crypto-policies --set DEFAULT:AD-SUPPORT
    
  • To enable the AD-SUPPORT-LEGACY subpolicy in addition to the DEFAULT cryptographic policy on RHEL9:

     # update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
    
  • The system must be rebooted for the change to take effect:

     # reboot
    
  • Refer to the product documentation, section "1.3. Ensuring support for common encryption types in AD and RHEL", for details.

Root Cause

  • RC4 is an insecure cipher.
  • The join will fail if the UF_USE_DES_KEY_ONLY flag is set on the account in AD. realmd or adcli proceed as follows:
    1] Attempt to authenticate as the machine account first, using the default RHEL set of encryption types, which excludes DES.
    2] The AD DC looks at the userAccountControl attribute, sees UF_USE_DES_KEY_ONLY, and excludes every encryption type except DES.
    3] The AD DC sees that the list of common encryption types is empty and rejects the request with 'KDC has no support for encryption type'.

Diagnostic Steps

  • Check the trace of kinit:

    # KRB5_TRACE=/dev/stdout kinit ad_user@REALM_NAME
    # klist -A -e
    
  • Validate current crypto-policy:

    # update-crypto-policies --show
    # cat /etc/crypto-policies/state/current
    
  • Comment out the following lines in the /etc/krb5.conf file, since they pin the enctypes to AES and override the crypto policy:

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
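  • The following script is an added example, not part of this solution or of update-crypto-policies. It combines the Resolution and Diagnostic Steps above: it reports which subpolicy (AD-SUPPORT on RHEL8, AD-SUPPORT-LEGACY on RHEL9) is missing from a given crypto-policy string, and lists the enctype lines in a krb5.conf that pin AES and would override the policy. The function names and the sample krb5.conf content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): pre-checks for the
# "KDC has no support for encryption type" workaround described above.

# needed_subpolicy MAJOR CURRENT_POLICY
# MAJOR is the RHEL major version (8 or 9); CURRENT_POLICY is the string
# from `update-crypto-policies --show`, e.g. DEFAULT or DEFAULT:AD-SUPPORT.
# Prints the subpolicy still missing, or "ok" if it is already loaded.
needed_subpolicy() {
    major=$1
    current=$2
    case "$major" in
        8) want=AD-SUPPORT ;;
        9) want=AD-SUPPORT-LEGACY ;;
        *) echo "unsupported RHEL major version: $major" >&2; return 2 ;;
    esac
    # Subpolicies are ':'-separated; wrap in ':' so AD-SUPPORT does not
    # match inside AD-SUPPORT-LEGACY.
    case ":$current:" in
        *":$want:"*) echo ok ;;
        *) echo "$want" ;;
    esac
}

# pinned_enctypes KRB5_CONF
# Prints active (uncommented) default_tgs_enctypes / default_tkt_enctypes /
# permitted_enctypes lines that do not list rc4. Such lines override the
# crypto policy and must be commented out for the workaround to take effect.
pinned_enctypes() {
    grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=' "$1" \
        | grep -v -i 'rc4' || true
}

# Constructed sample krb5.conf for an offline run (not a real host's file).
sample_krb5_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
#   default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
    echo "$f"
}

# Example: a RHEL9 host still on plain DEFAULT -> prints AD-SUPPORT-LEGACY,
# then the two pinned enctype lines from the sample file.
needed_subpolicy 9 DEFAULT
pinned_enctypes "$(sample_krb5_conf)"
```

    On a real host, pass the output of `update-crypto-policies --show` and the path /etc/krb5.conf instead of the constructed sample.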
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.