Univention Bugzilla – Bug 38336
Failed to init credentials: KDC has no support for encryption type
Last modified: 2019-04-01 21:27:10 CEST
If creating a new host via web-gui, with kerberos support, the new host is created and kerberos keys are generated. Exporting the keytab using

    samba-tool domain exportkeytab nc405.xy.pz.keytab \
        --principal 'host/nc405.xy.pz@XY.PZ'
    samba-tool domain exportkeytab nc405.xy.pz.keytab \
        --principal 'host/nc405.xy.pz@XY.PZ'
    samba-tool domain exportkeytab nc405.xy.pz.keytab \
        --principal 'NC405$@XY.PZ'

These all fail. Instead I've had to use:

    kadmin -l ext --keytab=nc405xy.pk.keytab host/nc405.xy.pk@XY.PZ
    kadmin -l ext --keytab=nc405xy.pk.keytab nc405.xy.pk@XY.PZ
    kadmin -l ext --keytab=nc405xy.pk.keytab NC405\$@XY.PZ

This led to a keytab holding:

    # ktutil -k nc405.yx.pz.keytab list
    nc405.yx.pz.keytab:

    Vno  Type                     Principal               Aliases
      2  aes256-cts-hmac-sha1-96  host/nc405.yx.pz@XY.PZ
      2  des3-cbc-sha1            host/nc405.yx.pz@XY.PZ
      2  arcfour-hmac-md5         host/nc405.yx.pz@XY.PZ
      2  aes256-cts-hmac-sha1-96  host/nc405.yx.pz@XY.PZ
      2  des3-cbc-sha1            host/nc405.yx.pz@XY.PZ
      2  arcfour-hmac-md5         host/nc405.yx.pz@XY.PZ

This keytab was transferred to the system nc405.
/etc/krb5.conf was set up:

    # cat /etc/krb5.conf
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = XY.PZ
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md4 des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
        krb4_get_tickets = no
        allow_weak_crypto = true
        dns_lookup_kdc = false
        dns_lookup_realm = false
        ticket_lifetime = 26h
        renew_lifetime = 16d
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        debug = false

    [realms]
        XY.PZ = {
            kdc = dc.xy.pk
            admin_server = dc.xy.pk
            kpasswd_server = dc.xy.pk
        }

    [domain_realm]
        .xy.pz = XY.PZ
        xy.pz = XY.PZ

Now trying to acquire the system's ticket fails:

    (Thu Apr 23 16:20:30 2015) [[sssd[ldap_child[10694]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/nc405.xy.pz@XY.PZ]
    (Thu Apr 23 16:20:30 2015) [[sssd[ldap_child[10694]]]] [ldap_child_get_tgt_sync] (0x0200): Loaded 6 enctypes from keytab for host/nc405.xy.pz@XY.PZ
    (Thu Apr 23 16:20:30 2015) [[sssd[ldap_child[10694]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: KDC has no support for encryption type
    (Thu Apr 23 16:20:30 2015) [[sssd[ldap_child[10694]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.

Seems as if creating hosts via web-gui does not create all needed key variants required to connect to UCS to authenticate if selecting "Linux" as host type.
Creating a "Windows" host type leads to a different keyset:

    # ktutil -k nc403.xy.pz.keytab list
    nc403.xy.pz.keytab:

    Vno  Type              Principal               Aliases
     15  des-cbc-crc       host/nc403.xy.pz@XY.PZ
     15  des-cbc-md5       host/nc403.xy.pz@XY.PZ
     15  arcfour-hmac-md5  host/nc403.xy.pz@XY.PZ
     15  des-cbc-crc       NC403$@XY.PZ
     15  des-cbc-md5       NC403$@XY.PZ
     15  arcfour-hmac-md5  NC403$@XY.PZ

Using the supplied script /usr/share/univention-samba4/scripts/create_spn_account.sh *does* create some additional keys:

    # ktutil -k nc158.xy.pz.keytab list
    nc158.xy.pz.keytab:

    Vno  Type                     Principal               Aliases
      2  aes256-cts-hmac-sha1-96  host/nc158.xy.pz@XY.PZ
      2  aes128-cts-hmac-sha1-96  host/nc158.xy.pz@XY.PZ
      2  des3-cbc-sha1            host/nc158.xy.pz@XY.PZ
      2  arcfour-hmac-md5         host/nc158.xy.pz@XY.PZ
      2  des-cbc-md5              host/nc158.xy.pz@XY.PZ
      2  des-cbc-md4              host/nc158.xy.pz@XY.PZ
      2  des-cbc-crc              host/nc158.xy.pz@XY.PZ
      2  aes256-cts-hmac-sha1-96  host/nc158.xy.pz@XY.PZ
      2  aes128-cts-hmac-sha1-96  host/nc158.xy.pz@XY.PZ
      2  des3-cbc-sha1            host/nc158.xy.pz@XY.PZ
      2  arcfour-hmac-md5         host/nc158.xy.pz@XY.PZ
      2  des-cbc-md5              host/nc158.xy.pz@XY.PZ
      2  des-cbc-md4              host/nc158.xy.pz@XY.PZ
      2  des-cbc-crc              host/nc158.xy.pz@XY.PZ

Since the web-gui leads to non-functional kerberos keytabs I'd assume this is broken and would like to have a workaround for creating SPN accounts for various systems to be part of the AD domain samba spans.

BTW: the provided script fails to create additional keys if the host is already created. It would be nice if it would create missing keys instead of failing without doing anything!
Same for Univention Corporate Server 4.1: if I create a host using the web gui this host will not be functional. Creating it with the script will create a working keytab if exported.

Problem: later changes require deleting the host, then recreating it -> THIS CHANGES ALL KEYS associated with this host. This is not desirable in all cases.

Created some machine accounts and exported krb5.keytabs:

-- snip
#!/bin/bash
cd /root/sct-muc-keyexport
for i in nxmaster nxnode01 nxnode02; do
    h=${i}-muc.domain.XX
    /usr/share/univention-samba4/scripts/create_spn_account.sh \
        --samaccountname "$h" \
        --serviceprincipalname "host/$h" \
        --privatekeytab "${h}.keytab"
    mv /var/lib/samba/private/${h}.keytab /root/exportedkeys/
done
-- snap

Went OK. Copied keytabs to the systems in question, checked if the keytab is usable:

-- snip
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/nxnode01-muc.domain.xx@DOMAIN.XX (DES cbc mode with CRC-32)
   2    1 nxnode01-muc.domain.xx@DOMAIN.XX (DES cbc mode with CRC-32)
   3    1 host/nxnode01-muc.domain.xx@DOMAIN.XX (DES cbc mode with RSA-MD5)
   4    1 nxnode01-muc.domain.xx@DOMAIN.XX (DES cbc mode with RSA-MD5)
   5    1 host/nxnode01-muc.domain.xx@DOMAIN.XX (ArcFour with HMAC/md5)
   6    1 nxnode01-muc.domain.xx@DOMAIN.XX (ArcFour with HMAC/md5)
   7    1 host/nxnode01-muc.domain.xx@DOMAIN.XX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   8    1 nxnode01-muc.domain.xx@DOMAIN.XX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   9    1 host/nxnode01-muc.domain.xx@DOMAIN.XX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  10    1 nxnode01-muc.domain.xx@DOMAIN.XX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
-- snap

Seems they are.
But:

-- snip
cat ldap_child.log
(Mon Nov 23 15:03:40 2015) [[sssd[ldap_child[26669]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: KDC has no support for encryption type
-- snap

In /etc/krb5.conf:

-- snip
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = DOMAIN.XX
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md4 des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true
    kdc_timesync = 1
    rdns = false
    krb4_get_tickets = no
    allow_weak_crypto = true

[realms]
    DOMAIN.XX = {
        kdc = 10.161.18.48
        admin_server = mail-muc.domain.xx
        kpasswd_server = mail-muc.domain.xx
    }

[domain_realm]
    .domain.xx = DOMAIN.XX
    domain.xx = DOMAIN.XX
-- snap

And /etc/sssd/sssd.conf holds:

-- snip
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = DOMAIN.XX
#debug_level = 0x0270

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
#debug_level = 0x0270

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 5
offline_failed_login_delay = 5
#debug_level = 0x0270

[autofs]

[ssh]

[domain/DOMAIN.XX]
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_realm = DOMAIN.XX
krb5_server = mail-muc.domain.xx
krb5_kpasswd = mail-muc.domain.xx
krb5_canonicalize = false
ldap_uri = ldaps://mail-muc.domain.xx:7636
ldap_search_base = dc=bfs,dc=de
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/authconfig_downloaded.pem
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = NC402-MUC$@DOMAIN.XX
#ldap_default_bind_dn = cn=nc402-muc,cn=clients,cn=computers,ou=muc,dc=bfs,dc=de
#ldap_default_authtok_type = password
#ldap_default_authtok = ieDi4Mee7eifeeg3eeru
#ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
#ldap_user_search_base = dc=bfs,dc=de
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_user_gid_number = bfsrbacImisGidNumber
#ldap_group_search_base = cn=IMIS,cn=groups,dc=domain,dc=xx
ldap_user_search_base = dc=domain,dc=xx
#debug_level = 0x0270
-- snap

Something like "getent passwd" or "getent group" fails. Only local accounts are given. The 2000 accounts (300 groups) out of UCS-AD are not handed back.
On a working system I have in /etc/krb5.keytab:

-- snip
# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/nc402-muc.domain.xx@DOMAIN.XX (des-cbc-crc)
   2    2 host/nc402-muc.domain.xx@DOMAIN.XX (des-cbc-md5)
   3    2 host/nc402-muc.domain.xx@DOMAIN.XX (aes128-cts-hmac-sha1-96)
   4    2 host/nc402-muc.domain.xx@DOMAIN.XX (aes256-cts-hmac-sha1-96)
   5    2 host/nc402-muc.domain.xx@DOMAIN.XX (arcfour-hmac)
   6    2 host/nc402-muc@DOMAIN.XX (des-cbc-crc)
   7    2 host/nc402-muc@DOMAIN.XX (des-cbc-md5)
   8    2 host/nc402-muc@DOMAIN.XX (aes128-cts-hmac-sha1-96)
   9    2 host/nc402-muc@DOMAIN.XX (aes256-cts-hmac-sha1-96)
  10    2 host/nc402-muc@DOMAIN.XX (arcfour-hmac)
  11    2 NC402-MUC$@DOMAIN.XX (des-cbc-crc)
  12    2 NC402-MUC$@DOMAIN.XX (des-cbc-md5)
  13    2 NC402-MUC$@DOMAIN.XX (aes128-cts-hmac-sha1-96)
  14    2 NC402-MUC$@DOMAIN.XX (aes256-cts-hmac-sha1-96)
  15    2 NC402-MUC$@DOMAIN.XX (arcfour-hmac)
-- snap

Compared to the above /etc/krb5.keytab there are additional entries:
- entries for the SMB machine name: NC402-MUC$
- entries for the host name alone
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
> These fail all.

In which way?

Please note that kadmin fetches keys from OpenLDAP, rather than from Samba/AD. Using samba-tool is currently preferred. This works for me (UCS 4.2):

==========================================================================
root@master10:~# udm computers/linux create --set name=linux04 \
    --set password=univention
Object created: cn=linux04,dc=ar41i1,dc=qa
root@master10:~# samba-tool domain exportkeytab linux04.ar41i1.qa.keytab \
    --principal=host/linux04.ar41i1.qa
Export one principal to linux04.ar41i1.qa.keytab
root@master10:~# samba-tool domain exportkeytab linux04.ar41i1.qa.keytab \
    --principal='LINUX04$'
Export one principal to linux04.ar41i1.qa.keytab
root@master10:~# ktutil -k linux04.ar41i1.qa.keytab list
linux04.ar41i1.qa.keytab:

Vno  Type                     Principal                         Aliases
  2  aes256-cts-hmac-sha1-96  host/linux04.ar41i1.qa@AR41I1.QA
  2  aes128-cts-hmac-sha1-96  host/linux04.ar41i1.qa@AR41I1.QA
  2  arcfour-hmac-md5         host/linux04.ar41i1.qa@AR41I1.QA
  2  des-cbc-md5              host/linux04.ar41i1.qa@AR41I1.QA
  2  des-cbc-crc              host/linux04.ar41i1.qa@AR41I1.QA
  2  aes256-cts-hmac-sha1-96  LINUX04$@AR41I1.QA
  2  aes128-cts-hmac-sha1-96  LINUX04$@AR41I1.QA
  2  arcfour-hmac-md5         LINUX04$@AR41I1.QA
  2  des-cbc-md5              LINUX04$@AR41I1.QA
  2  des-cbc-crc              LINUX04$@AR41I1.QA
root@master10:~# kinit -t linux04.ar41i1.qa.keytab LINUX04$
root@master10:~# smbclient -k //$(hostname -f)/sysvol -c ls
  .                                   D        0  Mon Nov 23 18:08:36 2015
  ..                                  D        0  Tue Nov 24 04:11:34 2015
  ar41i1.qa                           D        0  Mon Nov 23 18:08:38 2015

                48135984 blocks of size 1024. 42541688 blocks available
==========================================================================

> BTW: the provided [create_spn_account.sh] script fails to create additional keys if the host is already created. It would be nice if it would create missing keys instead of failing without doing anything!

I agree.
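As an added example (not code from this bug report or from Univention), here is a small Python reader for the keytab format behind the `ktutil` listings in this thread, together with a check of which enctypes a client's `permitted_enctypes`, the keys in the keytab and the KDC have in common. The sample keytab is constructed inside the block with zero-filled dummy keys and is modelled on the "Linux" host listing in the first comment; the KDC enctype set is an assumption read off the working samba-tool exports quoted above, not Samba's documented policy.

```python
"""Reader for the 0x0502 keytab format that `ktutil list` prints above, plus a check of
which key enctypes the client, the keytab and the KDC all have in common."""
import struct
from dataclasses import dataclass
# RFC 3961/3962/4757 enctype numbers for the types that appear in this thread.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
KEY_LENGTHS = {1: 8, 2: 8, 3: 8, 16: 24, 17: 16, 18: 32, 23: 16}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated
# Assumption: the enctypes seen in the working samba-tool exports quoted in this thread
# stand in for what the KDC can issue. Read off the listings, not from Samba docs.
SAMBA_EXPORT_ENCTYPES = {1, 3, 17, 18, 23}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int


def _counted(buf: bytes, pos: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse every live entry of a version 0x0502 keytab (MIT and Heimdal both write it)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that many bytes
            pos -= size
            continue
        end = pos + size
        (n_comp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(n_comp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, key_len = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + key_len  # skip the key bytes; they are not needed for this report
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno; when non-zero it overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def build_keytab(spec: list) -> bytes:
    """Write a keytab from (principal, kvno, enctype) tuples with zero-filled dummy keys.
    Only used to construct sample input here; it never carries real key material."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype in spec:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in (realm, *comps):
            body += struct.pack(">H", len(s.encode())) + s.encode()
        key = bytes(KEY_LENGTHS.get(enctype, 16))
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def enctype_report(entries, client_permitted: set, kdc_supported: set) -> dict:
    """Per principal: enctypes in the keytab, those all three sides share, and weak ones.
    An empty 'usable' set is one way to get KDC_ERR_ETYPE_NOSUPP, which the Kerberos
    library reports as 'KDC has no support for encryption type'."""
    report = {}
    for e in entries:
        r = report.setdefault(e.principal, {"keytab": set(), "usable": set(), "weak": set()})
        r["keytab"].add(e.enctype)
        if e.enctype in client_permitted and e.enctype in kdc_supported:
            r["usable"].add(e.enctype)
        if e.enctype in WEAK_ENCTYPES:
            r["weak"].add(e.enctype)
    return report


# Constructed sample modelled on the 'Linux' host keytab listed in the first comment.
LINUX_HOST_KEYTAB = build_keytab([("host/nc405.xy.pz@XY.PZ", 2, 18),
                                  ("host/nc405.xy.pz@XY.PZ", 2, 16),
                                  ("host/nc405.xy.pz@XY.PZ", 2, 23)])
if __name__ == "__main__":
    found = parse_keytab(LINUX_HOST_KEYTAB)
    for princ, r in enctype_report(found, set(ENCTYPE_NAMES), SAMBA_EXPORT_ENCTYPES).items():
        print(princ, {k: sorted(ENCTYPE_NAMES[t] for t in v) for k, v in r.items()})
```

To run it against a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab` and the enctypes from your own krb5.conf `permitted_enctypes` as `client_permitted`. A principal whose `usable` set is empty cannot get a ticket with that keytab no matter how the client is configured; a non-empty `weak` set means the machine account still carries DES or RC4 keys, which a client that lists them first in `default_tkt_enctypes`, as both krb5.conf files above do, may end up using.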
This issue has been filed against UCS 3.2. UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.