Bug 1851442
| Summary: | Update crypto policy to allow AD-SUPPORT when installing Samba | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Andreas Schneider <asn> |
| Component: | Documentation | Assignee: | Marc Muehlfeld <mmuehlfe> |
| Documentation sub component: | default | QA Contact: | |
| Status: | CLOSED CURRENTRELEASE | Docs Contact: | |
| Severity: | high | ||
| Priority: | high | CC: | asn, dkarpele, fhanzelk, gdeschner, jarrpa, lmanasko, mmuehlfe, nsoman, rharwood, rhel-docs, tcapek |
| Version: | 8.3 | Keywords: | Documentation, Triaged |
| Target Milestone: | rc | Flags: | pm-rhel:
mirror+
|
| Target Release: | 8.5 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
.`krb5` now only requests permitted encryption types
Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested.
The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.
* To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* To enable support for the deprecated RC4 encryption type on a Domain Member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-14 08:44:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1851458 | ||
| Bug Blocks: | |||
|
Description
Andreas Schneider
2020-06-26 14:10:29 UTC
`krb5` now only requests permitted encryption types Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested. The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest. * To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article. * To enable support for the deprecated RC4 encryption type in an IdM server for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command. Update: `krb5` now only requests permitted encryption types Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested. The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest. * To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article. * To enable support for the deprecated RC4 encryption type on a domain member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command. Marc, this information needs to be added to the RHEL 8 documentation and should also be mentioned in the release notes! Andreas, I think this is already covered: Step 1 of "Joining a RHEL system to an AD domain" mentions what do do if AD requires RC4: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/deploying_different_types_of_servers/index#proc_joining-samba-to-a-domain_assembly_setting-up-samba-as-an-ad-domain-member-server If RC4 is not required, then users will skip this step. Additionally, for those who currently need RC4, we link an "Additional resources" of the above section how to enable AES in AD using a GPO (it's also part of our docs). Do we need anything else? Looks fine, thanks! |