Ubuntu – Error: KDC has no support for encryption type

authenticationkerberossambasssdUbuntu

I have intermittent authentication issues on my ubuntu 15.04 servers. Periodically, authentication will just stop working. Eventually it will start working again on its own. Or, if I restart both smbd and sssd it will start working again right away.

Around the same times as the auth problems, I see this error in /var/log/syslog:

[sssd[ldap_child[4199]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: KDC has no support for encryption type. Unable to create GSSAPI-encrypted LDAP connection.

My googling has pointed me towards adding "allow_weak_crypto = true" to the libdefaults section of /etc/krb5.conf. I've tried that but to no avail.

I have a bunch of CentOS 6 servers configured for AD authentication the same way (same smb and sssd config, etc.) and they all work fine without any issues.

Anyone have any other ideas?

Best Answer

The Server already told you the answer.

So you will need to identity 2 things:

1) Why encryption types does the client support?

1) Why encryption types does the KDC support?

Post your the clients krb5.conf and the server kdc.conf and tell use what OS the clients are.

FWIW have a glance here: https://help.ubuntu.com/community/Kerberos

Related Solutions

Kerberos KDC has no support for encryption type while getting credentials

The encryption types supported by an Active Directory domain controller are listed in the msDS-SupportedEncryptionTypes attribute of the domain controller's computer object. In a default installation, they are typically something like:

RC4_HMAC_MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96

This is a bitmask which works out to decimal 28, so it'd be something like 00011100.

So when you ask why the domain controller "always wants only ARC4-HMAC," it is because your client doesn't have any of the other two encryption types in common with the domain controller, so they are eliminated during the negotiation process.

(Note: RC4_HMAC_MD5 is really the worst and weakest of all the possible encryption types here, but it is also sometimes necessary to support legacy scenarios and interoperability with non-Microsoft products.)

I looked up some documentation and found an example of someone else's configuration file and thought this might be useful:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

; for Windows 2008 with AES
   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Notice that, in addition to supporting better encryption types, they are also specifying rc4-hmac in their configuration, which is different from what you have, arcfour-hmac-md5. (Also don't forget the permitted_enctypes line, which I did not see in your post.)

I'm not 100% sure that will solve your issue, as I'm not in a position to test it right now, but hopefully it'll help.

Samba – Unable to Join Domain Using Samba Tool Net or Realm/SSSD

Why are you using net? You should join the domain with samba-tool

samba-tool domain join domain.example.org DC -Uadministrator --realm=domain.example.org

net isn't really used in samba 4 anymore except for shares and some other stuff.
Don't mess with kerberos cryptographic settings.

Best Answer

Related Solutions

Kerberos KDC has no support for encryption type while getting credentials

Samba – Unable to Join Domain Using Samba Tool Net or Realm/SSSD

Related Topic