On Wed, May 5, 2021 at 3:27 PM Jeremy Monnet <jmon...@gmail.com> wrote:
> [root@hostname sssd]# kinit -V -k
> Using new cache: persistent:0:krb_ccache_PECiZeh
> Using principal: host/fqdn@DOMAIN
> kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting
> initial credentials

You cannot kinit against host/fqdn unless sAMAccountName was set to host/fqdn when the host was joined to AD.

> [root@hostname sssd]# kinit -V -k HOSTNAME$
> Using new cache: persistent:0:krb_ccache_cFLtQ1H
> Using principal: HOSTNAME$@DOMAIN
> kinit: Keytab contains no suitable keys for HOSTNAME$@DOMAIN while getting
> initial credentials

This may mean that the KDC does not support the aes encryption types (only rc4-hmac). You can test this by logging in as a normal user with a valid TGT and running:

$ kvno -e aes256-cts-hmac-sha1-96 'HOSTNAME$'
$ kinit
$ kvno -e aes128-cts-hmac-sha1-96 'HOSTNAME$'
$ kinit
$ kvno -e arcfour-hmac 'HOSTNAME$'

(The kinit commands are to flush any successfully-acquired service ticket; if the preceding kvno command fails, you can skip them.)

> We have added
> krb5_validate = False
> in sssd.conf and
> [libdefaults]
> allow_weak_crypto = true
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> in krb5.conf

If you mean you literally edited /etc/krb5.conf, then this will not work, because the "includedir" directive at the top of /etc/krb5.conf will read the configuration files in /etc/krb5.conf.d first, and the crypto-policies file will set permitted_enctypes to whatever the system-wide crypto policy is. Because the first setting wins, by the time your settings in /etc/krb5.conf are parsed, permitted_enctypes has already been set and your attempt to override it will (silently!) fail.
You should restore the package default /etc/krb5.conf file and perform any overrides in a separate file in /etc/krb5.conf.d, selecting a filename that will sort lexicographically before the other files; e.g., create /etc/krb5.conf.d/50-override with:

[libdefaults]
    permitted_enctypes = aes rc4

If the problem is that your AD only supports rc4, then performing "kinit -V -k 'HOSTNAME$'" should then succeed.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
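The following shell script is an added illustration of the "first setting wins" pitfall described in the reply above; it is not from this thread, from SSSD, or from MIT krb5. It builds a constructed /etc/krb5.conf tree in a temp directory (an includedir, a stand-in for the crypto-policies drop-in with an AES-only permitted_enctypes, and the failed edit to the main file), then resolves permitted_enctypes the way the krb5 profile library does: files under includedir are read at the point of the directive, in byte-order filename sort, and the first value found for a relation is the one used. The AES-only policy value and the filename filter (names of alphanumerics, dashes and underscores, or ending in .conf) are assumptions modelled on the MIT krb5 documentation; nested includedir inside a drop-in is not handled.

```shell
#!/bin/sh
# Constructed example (not from the sssd-users thread or MIT krb5):
# emulate MIT krb5 profile lookup order for a [libdefaults] relation so the
# effect of /etc/krb5.conf.d drop-ins on permitted_enctypes is visible.
set -eu

# expand_conf MAINCONF
# Print the profile in the order krb5 reads it, with a "FILE <path>" marker
# before each file's lines. includedir contents are spliced in at the point
# of the directive, sorted in byte order (LC_ALL=C), keeping only names made
# of [A-Za-z0-9_-] or ending in ".conf" (assumption modelled on krb5 docs).
expand_conf() {
    conf=$1
    printf 'FILE %s\n' "$conf"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            includedir\ *)
                dir=${line#includedir }
                for f in $(LC_ALL=C ls "$dir"); do
                    case $f in *[!A-Za-z0-9_.-]*) continue ;; esac
                    case $f in *.conf) ;; *.*) continue ;; esac
                    [ -f "$dir/$f" ] || continue
                    printf 'FILE %s\n' "$dir/$f"
                    cat "$dir/$f"
                done
                # back to the main file for its remaining lines
                printf 'FILE %s\n' "$conf" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$conf"
}

# first_setting SECTION RELATION MAINCONF
# Print "<basename of winning file>: <value>" for the first occurrence of
# RELATION in SECTION, since the first value in profile order is used.
first_setting() {
    expand_conf "$3" | awk -v sec="$1" -v rel="$2" '
        /^FILE / { file = $2; cursec = ""; next }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { cursec = $0; gsub(/[^A-Za-z0-9_]/, "", cursec); next }
        cursec == sec {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", key)
            if (key != rel) next
            val = substr(line, n + 1); sub(/^[[:space:]]+/, "", val)
            m = split(file, parts, "/")
            print parts[m] ": " val
            exit
        }'
}

# setup_tree: constructed tree mirroring the thread's layout; prints its path.
setup_tree() {
    tmp=$(mktemp -d)
    mkdir "$tmp/krb5.conf.d"
    # the edit from the thread, placed directly in the main file
    cat > "$tmp/krb5.conf" <<EOF
includedir $tmp/krb5.conf.d

[libdefaults]
    permitted_enctypes = aes rc4
EOF
    # stand-in for the crypto-policies drop-in (constructed AES-only value)
    cat > "$tmp/krb5.conf.d/crypto-policies" <<'EOF'
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
    printf '%s\n' "$tmp"
}

# Editing the main file loses: the drop-in is read first.
winner_without_override() {
    tmp=$(setup_tree)
    first_setting libdefaults permitted_enctypes "$tmp/krb5.conf"
    rm -rf "$tmp"
}

# "50-override" sorts before "crypto-policies" in byte order ('5' < 'c'),
# so its value is the first one seen and therefore the effective one.
winner_with_override() {
    tmp=$(setup_tree)
    cat > "$tmp/krb5.conf.d/50-override" <<'EOF'
[libdefaults]
    permitted_enctypes = aes rc4
EOF
    first_setting libdefaults permitted_enctypes "$tmp/krb5.conf"
    rm -rf "$tmp"
}

echo "edit in /etc/krb5.conf only : $(winner_without_override)"
echo "with krb5.conf.d/50-override: $(winner_with_override)"
```

Run it with sh or bash; the first line shows the drop-in named crypto-policies winning even though the main file also sets the relation, and the second shows the 50-override file taking precedence simply because its name sorts earlier. The same sort rule means a drop-in named, say, zz-override would lose to crypto-policies just as the main-file edit does.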