Bug 57847 - Kerberos Keycloak login does not work due to deprecated encryption types
Summary: Kerberos Keycloak login does not work due to deprecated encryption types
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: Univention Domain Join (Ubuntu)
Version: UCS 5.2
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-09 14:41 CET by Marius Meschter
Modified: 2025-02-05 14:29 CET (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marius Meschter univentionstaff 2025-01-09 14:41:38 CET 
After joining an Ubuntu system into a UCS domain using "Univention Domain Join" and configuring Firefox for Kerberos authentication, the Kerberos authentication does not work and the standard Keycloak login form is shown.

The default "Univention Domain Join" program writes the krb5 config which contains old encryption types for Kerberos tickets ( https://github.com/univention/univention-domain-join/blob/5ca95dc87f9576d5adf40b15addeabb51e2240cf/univention_domain_join/join_steps/kerberos_configurator.py#L44 ).

After adjusting the krb5.conf like this

default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

and removing the line 

allow_weak_crypto=true

the Kerberos login with Firefox and Keycloak worked.