Back to bug 1851442

Who When What Removed Added
Red Hat Bugzilla 2020-06-26 14:10:29 UTC Pool ID sst_identity_management_rhel_8
Andreas Schneider 2020-06-26 14:11:15 UTC CC asn
Andreas Schneider 2020-06-26 14:12:03 UTC Priority unspecified high
Status NEW ASSIGNED
Severity unspecified high
Alexander Bokovoy 2020-06-26 15:02:20 UTC Depends On 1851458
Denis Karpelevich 2020-06-30 19:10:44 UTC CC dkarpele
Robbie Harwood 2020-07-01 21:26:13 UTC CC rharwood
Filip Hanzelka 2020-07-11 12:53:39 UTC CC fhanzelk
Filip Hanzelka 2020-07-16 08:07:07 UTC Flags needinfo?(asn)
Andreas Schneider 2020-07-27 09:19:27 UTC Flags needinfo?(asn)
Filip Hanzelka 2020-07-27 10:30:46 UTC Doc Text .`krb5` now only requests permitted encryption types

Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested.

The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.

* To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* To enable support for the deprecated RC4 encryption type on a domain member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command.
Doc Type If docs needed, set a value Bug Fix
Andreas Schneider 2020-07-27 11:26:02 UTC Doc Text .`krb5` now only requests permitted encryption types

Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested.

The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.

* To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* To enable support for the deprecated RC4 encryption type on a domain member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command.
.`krb5` now only requests permitted encryption types

Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested.

The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.

* To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* To enable support for the deprecated RC4 encryption type on a Domain Member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command.
Lucie Vařáková 2020-07-27 13:47:14 UTC CC lmanasko
Docs Contact fhanzelk
Namita Soman 2020-07-28 13:50:00 UTC CC nsoman
Red Hat One Jira (issues.redhat.com) 2020-11-04 19:45:23 UTC Link ID Red Hat Issue Tracker - Private RHELPLAN-47648
RHEL Program Management 2020-11-13 16:21:37 UTC Keywords Triaged
PnT Account Manager 2021-01-04 07:33:36 UTC CC iboukris
Tomas Halman 2021-02-09 08:24:37 UTC Link ID Red Hat Issue Tracker - Private SSSD-3188
Filip Dvorak 2021-03-16 15:20:13 UTC QA Contact idmafs-qe sssd-qe
Kaushik Banerjee 2021-04-13 10:48:27 UTC Pool ID sst_identity_management_rhel_8 sst_idm_sssd_rhel_8
Denis Karpelevich 2021-06-09 12:08:00 UTC QA Contact sssd-qe dkarpele
Andreas Schneider 2021-06-17 13:42:11 UTC Sub Component default
Pool ID sst_idm_sssd_rhel_8 sst_ccs_rhel_8
CC mmuehlfe, rhel-docs
Component samba Documentation
Docs Contact fhanzelk
Assignee asn rhel-docs
QA Contact dkarpele
Tomas Capek 2021-06-23 10:14:47 UTC Keywords Documentation
CC tcapek
Assignee rhel-docs sdubewar
Tomas Capek 2021-06-24 08:31:11 UTC Target Release 8.0 8.5
Marc Muehlfeld 2021-06-28 08:39:18 UTC Assignee sdubewar mmuehlfe
Flags needinfo?(asn)
Andreas Schneider 2021-07-14 08:44:37 UTC Status ASSIGNED CLOSED
Resolution --- CURRENTRELEASE
Flags needinfo?(asn)
Last Closed 2021-07-14 08:44:37 UTC
