Preamble: I'm pretty new to sssd, realmd, AD, and so on.

While in F30 "sudo realm join TEST.LAN" works, in Rawhide I get:

    $ sudo realm join TEST.LAN
    Password for Administrator:
    See: journalctl REALMD_OPERATION=r92.1155
    realm: Couldn't join realm: Failed to join the domain

In journalctl the error seems to be:

    Jul 04 12:45:18 fetora realmd[1151]: adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
    Jul 04 12:45:18 fetora realmd[1151]: ! Couldn't authenticate with keytab while discovering which salt to use: FEDORA$@TEST.LAN: Bad encryption type
    Jul 04 12:45:18 fetora realmd[1151]: ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type
    Jul 04 12:45:18 fetora realmd[1151]: adcli: joining domain fgm.lan failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type
    Jul 04 12:45:18 fetora realmd[1151]: ! Failed to join the domain

The content of file /etc/krb5.conf.d/crypto-policies is the same between F30 and Rawhide.
This seems to be a violation of Basic criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain." - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication
Sumit, who maintains realmd, is on an extended vacation, so I'll try to keep this moving forward at least today, then I'm off for pretty much two weeks.

    $ rpm -q adcli realmd krb5-libs
    adcli-0.8.2-3.fc30.x86_64
    realmd-0.16.3-19.fc30.x86_64
    krb5-libs-1.17-14.fc30.x86_64

Everything works:

    $ sudo realm leave win.trust.test
    $ sudo realm join win.trust.test
    Password for Administrator:
    $ id administrator.test
    uid=1974600500(administrator.test) gid=1974600513(domain users.test) groups=1974600513(domain users.test),1974600572(denied rodc password replication group.test),1974600518(schema admins.test),1974600519(enterprise admins.test),1974600520(group policy creator owners.test),1974600512(domain admins.test)

And then upgrading only krb5-libs breaks things:

    $ dnf --nogpgcheck --releasever=rawhide upgrade krb5-libs
    $ sudo realm join win.trust.test
    Password for Administrator:
    See: journalctl REALMD_OPERATION=r289.3373
    realm: Couldn't join realm: Failed to join the domain

In the journald snippet I see:

    Jul 05 10:22:20 adclient.win.trust.test realmd[3330]: adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
    Jul 05 10:22:20 adclient.win.trust.test realmd[3330]: ! Couldn't authenticate with keytab while discovering which salt to use: ADCLIENT$@WIN.TRUST.TEST: Bad encryption type
    Jul 05 10:22:20 adclient.win.trust.test realmd[3330]: ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type

So I'm going to assume that this has to do with the 3DES removal that I see in the changelog of the recent krb5-libs versions. I'm really not familiar with adcli code, but there is an array of permitted enctypes that also lists several DES variants, so I'm just going to try a Hail Mary patch and remove the DES pieces. I'm not sure if I can do more considering my vacation starts in 6.5 hours.
Ah, it tur
(Sorry, I started a comment earlier, then reassigned the bug to adcli which submitted the WIP comment..) Ah, it turns out that Sumit was, as usual, ahead of everyone else :-) and the needed fixes were already upstream, so all it took was to backport them to the fedora packages. Here is a PR: https://src.fedoraproject.org/rpms/adcli/pull-request/1 Here is a test build: https://copr.fedorainfracloud.org/coprs/jhrozek/adcli-krb5-enctypes/ If that works, I hope some provenpackager can build the package.
> Here is a test build:
> https://copr.fedorainfracloud.org/coprs/jhrozek/adcli-krb5-enctypes/

Installing this package, it works.

    $ sudo realm join TEST.LAN
    Password for Administrator:
    $ sudo realm list
    test.lan
      type: kerberos
      realm-name: TEST.LAN
      domain-name: test.lan
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools
      login-formats: %U
      login-policy: allow-realm-logins

Thanks!
Did someone light the provenpackager lantern?! https://koji.fedoraproject.org/koji/taskinfo?taskID=36061859
Why am I now seeing this problem on EL8?

    # rpm -q adcli realmd krb5-libs
    adcli-0.8.2-7.el8.x86_64
    realmd-0.16.3-19.el8.x86_64
    krb5-libs-1.18.2-5.el8.x86_64

I got this when joining the realm:

    ! Couldn't authenticate with keytab while discovering which salt to use:

but then messages about adding keys to the keytab, so I was hoping the new keys would resolve that issue. And the join to the domain seemed to work. But after joining the domain, sssd is not working:

    2021-04-08 15:53:00): [be[blah.com]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Pre-authentication failed: Key table entry not found], expired on [0]
    Apr 08 16:02:11 blah.com ldap_child[23330][23330]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Pre-authentication failed: Key table entry not found. Unable to create GSSAPI-encrypted LDAP connection.

Sick of this.
And I'm seeing this on recently patched EL8.3, after having run:

    update-crypto-policies --set LEGACY
Hmm, my krb5.conf had this, as it was required in the past:

    default_tgs_enctypes=arcfour-hmac
    default_tkt_enctypes=arcfour-hmac

But over the last 3 years, various old domain controllers have been removed, and it looks like this is no longer needed. Removing those lines, and sssd is happy again now.
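The two failure modes in this thread are both enctype mismatches between the keytab and what libkrb5 will use: keys in DES/3DES enctypes that newer krb5 rejects ("Bad encryption type"), and a krb5.conf that pins enctypes for which the keytab holds no key ("Pre-authentication failed: Key table entry not found"). The following diagnostic is an added example, not code from the thread or from adcli/sssd; it assumes the `klist -ket` row layout shown in the comment, and the klist output and krb5.conf snippet are constructed samples.

```python
import re
# DES/3DES enctypes the thread reports newer krb5 rejecting at keytab-write time.
REMOVED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1"}
PINNING_OPTIONS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}
# One 'klist -ket' row (assumed layout): "   2 04/08/2021 15:50:01 HOST$@REALM (enctype)"
KLIST_ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def normalize(enctype):
    # Newer klist prints e.g. "DEPRECATED:des-cbc-crc"; also fold the RC4 aliases.
    enctype = re.sub(r"^deprecated:", "", enctype.lower())
    return ALIASES.get(enctype, enctype)

def parse_klist(text):
    """{principal: set(enctypes)} from 'klist -ket' output; header lines are skipped."""
    keys = {}
    for m in filter(None, map(KLIST_ROW.match, text.splitlines())):
        keys.setdefault(m.group(1), set()).add(normalize(m.group(2)))
    return keys

def parse_pinned(krb5_conf):
    """{option: set(enctypes)} for the enctype-pinning options found in krb5.conf."""
    pinned = {}
    for m in re.finditer(r"^\s*(\w+)\s*=\s*(.+?)\s*$", krb5_conf, re.M):
        if m.group(1) in PINNING_OPTIONS:
            pinned[m.group(1)] = {normalize(e) for e in re.split(r"[\s,]+", m.group(2))}
    return pinned

def check_keytab(klist_text, krb5_conf):
    """Findings as strings: keys in removed enctypes, and pins with no matching key."""
    findings, pinned = [], parse_pinned(krb5_conf)
    for princ, have in parse_klist(klist_text).items():
        for et in sorted(have & REMOVED_ENCTYPES):
            findings.append(f"{princ}: keytab key uses removed enctype {et}")
        for opt, want in pinned.items():
            if not (want & have):  # the "Key table entry not found" situation
                findings.append(f"{princ}: {opt} pins {' '.join(sorted(want))} but keytab has no such key")
    return findings

# Constructed samples, not output captured from the systems in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
   2 04/08/2021 15:50:01 ADCLIENT$@WIN.TRUST.TEST (aes256-cts-hmac-sha1-96)
   2 04/08/2021 15:50:01 ADCLIENT$@WIN.TRUST.TEST (DEPRECATED:des-cbc-crc)
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_tgs_enctypes = arcfour-hmac
 default_tkt_enctypes = arcfour-hmac
"""
```

On a real host, feed it `klist -ket /etc/krb5.keytab` output and the contents of /etc/krb5.conf (plus any /etc/krb5.conf.d/ drop-ins that set these options).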