On Wed, May 5, 2021 at 3:27 PM Jeremy Monnet <jmon...@gmail.com> wrote:

> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting 
> initial credentials

You cannot kinit against host/fqdn unless sAMAccountName was set to
host/fqdn when the host was joined to AD.

> [root@hostname sssd]# kinit -V -k HOSTNAME$
> Using new cache: persistent:0:krb_ccache_cFLtQ1H
> Using principal: HOSTNAME$@DOMAIN
> kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while getting 
> initial credentials

This may mean that the KDC does not support the aes encryption types
(only rc4-hmac).  You can test this by logging in as a normal user
with a valid TGT and running:

$ kvno -e aes256-cts-hmac-sha1-96 'HOSTNAME$'
$ kinit
$ kvno -e aes128-cts-hmac-sha1-96 'HOSTNAME$'
$ kinit
$ kvno -e arcfour-hmac 'HOSTNAME$'

(The kinit commands are to flush any successfully-acquired service
ticket; if the preceding kvno command fails, you can skip them.)

> We have added
> krb5_validate = False
> in sssd.conf and
> [libdefaults]
> allow_weak_crypto = true
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
> des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
> des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> in krb5.conf

If you mean you literally edited /etc/krb5.conf, then this will not
work, because the "includedir" directive at the top of /etc/krb5.conf
will read the configuration files in the /etc/krb5.conf.d first, and
the crypto-policies file will set permitted_enctypes to whatever the
system-wide crypto policy is.  Because the first setting wins, by the
time your settings in /etc/krb5.conf are parsed, permitted_enctypes
has already been set and your attempt to override it will (silently!)
fail.

You should restore the package default /etc/krb5.conf file and perform
any overrides in a separate file in /etc/krb5.conf.d, selecting a
filename that will sort lexicographically before the other files;
e.g., create /etc/krb5.conf.d/50-override with:

    [libdefaults]
    permitted_enctypes = aes rc4

If the problem is that your AD only supports rc4, then performing
"kinit -V -k 'HOSTNAME$'" should then succeed.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
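The precedence rule the reply relies on (the `includedir` at the top of /etc/krb5.conf pulls in /etc/krb5.conf.d/* in alphabetical order at that point, and the first definition of a relation is the one the library returns) is easy to get wrong by hand, so here is an added example that models it. This is not code from the thread or from MIT krb5; it is a small emulation of the profile loader's behaviour. The file contents are constructed stand-ins (the real crypto-policies file is generated by update-crypto-policies and the real package krb5.conf has more settings), and the filename filter is my reading of the documented `includedir` rule (alphanumerics, `-` and `_`, plus `*.conf` on newer releases). Note that permitting rc4 re-enables a cipher the system policy deliberately disabled, so keep the override as narrow as the domain actually requires.

```python
"""Emulate MIT krb5 profile precedence for [libdefaults] relations.

Added example, not from the sssd-users thread or the krb5 project.  It shows
why a permitted_enctypes line added to /etc/krb5.conf below the includedir
loses to /etc/krb5.conf.d/crypto-policies, while a drop-in whose name sorts
before "crypto-policies" wins.  All file contents are constructed.
"""
import posixpath
import re

# Approximation of the documented includedir filter: names made only of
# alphanumerics, '-' and '_' are read, as are *.conf names not starting
# with '.'.  Anything else (e.g. "50-override.rpmnew") is silently skipped.
_INCLUDABLE = re.compile(r"^[A-Za-z0-9_-]+$|^[^.][^/]*\.conf$")


def expand(files, path):
    """Yield the lines of `path` with include/includedir expanded in place."""
    for line in files[path].splitlines():
        s = line.strip()
        if s.startswith("includedir "):
            d = posixpath.normpath(s.split(None, 1)[1])  # tolerate trailing '/'
            names = sorted(posixpath.basename(p) for p in files
                           if posixpath.dirname(p) == d
                           and _INCLUDABLE.match(posixpath.basename(p)))
            for name in names:  # alphabetical, at the point of the directive
                yield from expand(files, posixpath.join(d, name))
        elif s.startswith("include "):
            yield from expand(files, s.split(None, 1)[1])
        else:
            yield line


def all_values(files, path, section, key):
    """Every value of section/key in load order (top-level relations only)."""
    values, cur, depth = [], None, 0
    for line in expand(files, path):
        s = line.strip()
        if not s or s.startswith(("#", ";")):
            continue
        if depth == 0 and s.startswith("[") and s.endswith("]"):
            cur = s[1:-1]
            continue
        if s == "}":            # leave a nested block such as a realm entry
            depth -= 1
            continue
        if s.endswith("{"):     # enter a nested block
            depth += 1
            continue
        if depth == 0 and cur == section and "=" in s:
            k, v = (part.strip() for part in s.split("=", 1))
            if k.rstrip("*").rstrip() == key:  # 'key* =' is the "final" form
                values.append(v)
    return values


def effective(files, path, section, key):
    """What profile_get_string() hands the library: the first value seen."""
    vals = all_values(files, path, section, key)
    return vals[0] if vals else None


# Constructed stand-in for the policy back end that crypto-policies links to.
CRYPTO_POLICIES = """# generated by update-crypto-policies (constructed stand-in)
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

# Shape of the package default /etc/krb5.conf (abridged, constructed).
DEFAULT_KRB5_CONF = """# Package default (abridged stand-in)
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
 }
"""

USER_SETTING = "aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"

# The poster's approach: edit the main file underneath the includedir line.
EDITED_KRB5_CONF = DEFAULT_KRB5_CONF.replace(
    " dns_lookup_realm = false\n",
    " dns_lookup_realm = false\n allow_weak_crypto = true\n"
    " permitted_enctypes = " + USER_SETTING + "\n")


def scenario(krb5_conf, dropins=None):
    """Build a fake /etc and return permitted_enctypes values in load order."""
    files = {"/etc/krb5.conf": krb5_conf,
             "/etc/krb5.conf.d/crypto-policies": CRYPTO_POLICIES}
    files.update(dropins or {})
    return all_values(files, "/etc/krb5.conf", "libdefaults", "permitted_enctypes")


def edit_main_file():
    """Override placed in /etc/krb5.conf itself: parsed second, so it loses."""
    return scenario(EDITED_KRB5_CONF)


def dropin(name):
    """Override placed in /etc/krb5.conf.d/<name>; only wins if it sorts first."""
    body = "[libdefaults]\n permitted_enctypes = aes rc4\n"
    return scenario(DEFAULT_KRB5_CONF, {"/etc/krb5.conf.d/" + name: body})


if __name__ == "__main__":
    print("edited /etc/krb5.conf    ->", edit_main_file()[0])
    print("50-override drop-in      ->", dropin("50-override")[0])
    print("local-override drop-in   ->", dropin("local-override")[0])
    print("50-override.rpmnew       ->", dropin("50-override.rpmnew"))
```

Running it shows the three outcomes the reply describes: the value edited into /etc/krb5.conf is present but second in line, so the policy's AES-only list is what kinit sees; a drop-in named 50-override sorts before crypto-policies and takes effect; a drop-in named local-override sorts after it and loses just as silently, and a name the `includedir` filter rejects is never read at all.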
