On Sun, May 9, 2021 at 9:23 PM Spike White wrote:
> My understanding is that even AD 2016 will support arcfour-hmac
> (even though it's deprecated and not recommended).
Correct; we are using it with Windows Server 2016.
> Local company AD teams will make the decision to stop supporting
>
On Sun, May 9, 2021 at 6:09 PM Jeremy Monnet wrote:
> > It's not advisable to leave crypto-policies at LEGACY -- that
> > accepts some truly weak ciphers.
>
> You are right, only I do not decide the AD version used... 2012R2 is
> still supported by Microsoft, so people are not eager to migrate to
Jeremy,
My understanding is that even AD 2016 will support arcfour-hmac (even
though it's deprecated and not recommended). Local company AD teams will
make the decision to stop supporting arcfour-hmac or not. (for instance,
our company's team tried -- and it broke something to do with
Hi,
> To allow all the old (weak) RHEL7 crypto ciphers (like 3des-cbc and
> arcfour-hmac).
>
> It's not advisable to leave crypto-policies at LEGACY -- that accepts some
> truly weak ciphers.
>
>
You are right, only I do not decide the AD version used... 2012R2 is
still supported by Microsoft,
Jeremy,
First off, this is not a sssd problem. You've proven that by your kinit -k
attempts failing. This is an underlying problem between your kerberos
client, your AD DC and your /etc/krb5.keytab file. Once you fix this
underlying issue, I expect sssd will work.
Your AD domain may be
On 5/6/21 9:44 AM, Jeremy Monnet wrote:
> I have now (DEPRECATED:arcfour-hmac) in the keytab, and
> authentication works after rejoining the AD !
RC4 is deprecated for very good reasons.
You should rather try to set attribute msDs-supportedEncryptionTypes in
the service / host entry to enable
Hello,
On Thu, May 6, 2021 at 7:40 AM Sumit Bose wrote:
>
> > > We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error
> > > KDC has no support for encryption type
>
> Hi,
>
> this is most probably about the rc4 encryption type which is still
> heavily used in AD environments but
On Wed, May 5, 2021 at 3:27 PM Jeremy Monnet wrote:
> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting
> initial credentials
You cannot kinit
On Wed, May 05, 2021 at 07:34:18PM +, Patrick Riehecky wrote:
> I believe DES is not even compiled into krb5-utils on 8.3
>
> Pat
>
> On Wed, 2021-05-05 at 21:27 +0200, Jeremy Monnet wrote:
> > Hello,
> >
> > We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error
> > KDC has
I believe DES is not even compiled into krb5-utils on 8.3
Pat
On Wed, 2021-05-05 at 21:27 +0200, Jeremy Monnet wrote:
> Hello,
>
> We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error
> KDC has no support for encryption type
>
> which prevents authentication. The server has
10 matches