Bug 1768015

Summary: Enable AES SHA 256 and 384 Kerberos enctypes
Product: Red Hat Enterprise Linux 8
Reporter: Robbie Harwood <rharwood>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.2
CC: cheimes, ksiddiqu, myusuf, pasik, pcech, rcritten, tscherf
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
URL: https://pagure.io/freeipa/issue/8110
Whiteboard:
Fixed In Version: ipa-4.8.2-1.module+el8.2.0+4697+7171660c
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 15:44:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1760850

Description Robbie Harwood 2019-11-01 20:59:30 UTC
(This is a clone of https://pagure.io/freeipa/issue/8110 )

Please enable the aes-sha2 enctypes in RHEL-8.

Comment 2 Rob Crittenden 2019-11-04 14:49:09 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/09d5b938c128d8bb01ae40b5d736a266c6075b39

Comment 3 Rob Crittenden 2019-11-05 14:46:45 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/e5c9c751e625078fbfb6c15db7085c03762c1c70

Comment 5 Christian Heimes 2019-11-20 10:38:42 UTC
Fixed in IPA 4.8.2

Comment 8 Rob Crittenden 2020-02-05 14:00:23 UTC
There are two scenarios to validate:

1. A newly installed master should include krbSupportedEncSaltTypes: aes128-sha2:normal, aes128-sha2:special, aes256-sha2:normal and aes256-sha2:special

2. An older master should not include these and after updating, should.

To get the current settings something like:

kinit admin
ldapsearch -Y GSSAPI -s base -b cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test krbSupportedEncSaltTypes
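The two scenarios above amount to one check: read the realm entry's krbSupportedEncSaltTypes values and confirm the four aes-sha2 enc/salt types are present (they should be on a new or upgraded master, and absent on an un-upgraded one). The following script is an added example, not FreeIPA or ipatests code: it parses the LDIF that the ldapsearch in the comment prints, reports which expected values are missing, and can optionally run that ldapsearch itself. The realm and base DN are placeholders, and the two LDIF samples are constructed from the values quoted in this bug.

```python
"""Verify that a FreeIPA realm container advertises the aes-sha2 enctypes.

Added example, not project code. Parses the LDIF output of
`ldapsearch ... -LLL krbSupportedEncSaltTypes` on the realm entry and
reports which of the expected AES-SHA2 enc/salt types are missing.
"""
import base64
import subprocess

# The four values Comment 8 expects on a newly installed or upgraded master.
EXPECTED_SHA2 = frozenset({
    "aes128-sha2:normal",
    "aes128-sha2:special",
    "aes256-sha2:normal",
    "aes256-sha2:special",
})

# Constructed sample: a master that carries the new enctypes (matches the
# values shown in Comment 10, with the realm name replaced by a placeholder).
NEW_MASTER_LDIF = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: aes128-sha2:normal
krbSupportedEncSaltTypes: aes128-sha2:special
krbSupportedEncSaltTypes: aes256-sha2:normal
krbSupportedEncSaltTypes: aes256-sha2:special
krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
krbSupportedEncSaltTypes: camellia128-cts-cmac:special
krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
krbSupportedEncSaltTypes: camellia256-cts-cmac:special
"""

# Constructed sample: an older master before the update (scenario 2).
OLD_MASTER_LDIF = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
"""


def parse_enc_salt_types(ldif: str) -> set:
    """Return the set of krbSupportedEncSaltTypes values found in an LDIF blob.

    Unfolds continuation lines (LDIF wraps long lines with a leading space),
    matches the attribute name case-insensitively, and decodes the
    `attr:: <base64>` form in case a value was emitted that way.
    """
    unfolded = ldif.replace("\n ", "")
    values = set()
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "krbsupportedencsalttypes":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        values.add(value.strip())
    return values


def missing_sha2_types(ldif: str) -> set:
    """Expected aes-sha2 values that the entry does not advertise."""
    return set(EXPECTED_SHA2 - parse_enc_salt_types(ldif))


def realm_dn(realm: str, base_dn: str) -> str:
    """Build the realm container DN used in the ldapsearch from Comment 8."""
    return f"cn={realm},cn=kerberos,{base_dn}"


def fetch_realm_ldif(realm: str, base_dn: str) -> str:
    """Run the Comment 8 ldapsearch (GSSAPI bind; needs a valid ticket)."""
    cmd = ["ldapsearch", "-Y", "GSSAPI", "-s", "base",
           "-b", realm_dn(realm, base_dn),
           "-o", "ldif-wrap=no", "-LLL", "krbSupportedEncSaltTypes"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, sample in (("new master", NEW_MASTER_LDIF),
                          ("old master", OLD_MASTER_LDIF)):
        missing = missing_sha2_types(sample)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```

To run the live check, `kinit admin` first and call `missing_sha2_types(fetch_realm_ldif("EXAMPLE.TEST", "dc=example,dc=test"))` with the real realm and suffix; an empty set means the entry advertises all four aes-sha2 enc/salt types.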

Comment 10 Mohammad Rizwan 2020-02-11 12:29:34 UTC
[..]
[ipatests.pytest_ipa.integration.host.Host.master.ParamikoTransport] RUN ['ldapsearch', '-x', '-ZZ', '-h', 'master.testrelm.test', '-p', '389', '-D', 'cn=Directory Manager', '-w', 'Secret123', '-s', 'base', '-b', 'cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test', '-o', 'ldif-wrap=no', '-LLL', 'krbSupportedEncSaltTypes']
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] RUN ['ldapsearch', '-x', '-ZZ', '-h', 'master.testrelm.test', '-p', '389', '-D', 'cn=Directory Manager', '-w', 'Secret123', '-s', 'base', '-b', 'cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test', '-o', 'ldif-wrap=no', '-LLL', 'krbSupportedEncSaltTypes']
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] dn: cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-cts:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-cts:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-cts:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-cts:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-sha2:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-sha2:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-sha2:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-sha2:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia128-cts-cmac:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia256-cts-cmac:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] Exit code: 0
PASSED [100%][ipatests.pytest_ipa.integration.host.Host.master.ParamikoTransport] RUN ['kinit', 'admin']

Automation passed. Hence based on the result, marking the bug as verified.

Comment 12 errata-xmlrpc 2020-04-28 15:44:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640