Bug 1866695

.SSSD, adcli, and realmd now support the deprecated RC4 cipher suite with a new system-wide cryptographic subpolicy This update introduces the new `AD-SUPPORT` cryptographic subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite for the following utilities: * the System Security Services Daemon (SSSD) * `adcli` * `realmd` As an administrator, you can activate the new `AD-SUPPORT` subpolicy when Active Directory (AD) is not configured to use Advanced Encryption Standard (AES) in the following scenarios: * SSSD is used on a RHEL system connected directly to AD. * `adcli` is used to join an AD domain or to update host attributes, for example the host key. * `realmd` is used to join an AD domain. Red Hat recommends enabling the new subpolicy if one of the following conditions applies: * The user or service accounts in AD have RC4 encryption keys and lack AES encryption keys. * The trust links between individual Active Directory domains have RC4 encryption keys and lack AES encryption keys. To enable the `AD-SUPPORT` subpolicy in addition to the `DEFAULT` cryptographic policy, enter: [literal] ---- # update-crypto-policies --set DEFAULT:AD-SUPPORT ----