Bug 1768015 - Enable AES SHA 256 and 384 Kerberos enctypes
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL: https://pagure.io/freeipa/issue/8110
Blocks: 1760850
Reported: 2019-11-01 20:59 UTC by Robbie Harwood
Modified: 2020-04-28 15:44 UTC

Fixed In Version: ipa-4.8.2-1.module+el8.2.0+4697+7171660c
Last Closed: 2020-04-28 15:44:10 UTC
Type: Bug
Links: Red Hat Product Errata RHEA-2020:1640 (last updated 2020-04-28 15:44:31 UTC)

Description Robbie Harwood 2019-11-01 20:59:30 UTC
(This is a clone of https://pagure.io/freeipa/issue/8110 )

Please enable the aes-sha2 enctypes in RHEL-8.

Comment 2 Rob Crittenden 2019-11-04 14:49:09 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/09d5b938c128d8bb01ae40b5d736a266c6075b39

Comment 3 Rob Crittenden 2019-11-05 14:46:45 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/e5c9c751e625078fbfb6c15db7085c03762c1c70

Comment 5 Christian Heimes 2019-11-20 10:38:42 UTC
Fixed in IPA 4.8.2

Comment 8 Rob Crittenden 2020-02-05 14:00:23 UTC
There are two scenarios to validate:

1. A newly installed master should include krbSupportedEncSaltTypes: aes128-sha2:normal, aes128-sha2:special, aes256-sha2:normal and aes256-sha2:special 

2. An older master should not include these and after updating, should.

To get the current settings, use something like:

kinit admin
ldapsearch -Y GSSAPI -s base -b cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test krbSupportedEncSaltTypes

Comment 10 Mohammad Rizwan 2020-02-11 12:29:34 UTC
[..]
[ipatests.pytest_ipa.integration.host.Host.master.ParamikoTransport] RUN ['ldapsearch', '-x', '-ZZ', '-h', 'master.testrelm.test', '-p', '389', '-D', 'cn=Directory Manager', '-w', 'Secret123', '-s', 'base', '-b', 'cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test', '-o', 'ldif-wrap=no', '-LLL', 'krbSupportedEncSaltTypes']
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] RUN ['ldapsearch', '-x', '-ZZ', '-h', 'master.testrelm.test', '-p', '389', '-D', 'cn=Directory Manager', '-w', 'Secret123', '-s', 'base', '-b', 'cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test', '-o', 'ldif-wrap=no', '-LLL', 'krbSupportedEncSaltTypes']
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] dn: cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-cts:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-cts:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-cts:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-cts:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-sha2:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes128-sha2:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-sha2:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: aes256-sha2:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia128-cts-cmac:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] krbSupportedEncSaltTypes: camellia256-cts-cmac:special
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd26] Exit code: 0
PASSED [100%]
[ipatests.pytest_ipa.integration.host.Host.master.ParamikoTransport] RUN ['kinit', 'admin']

Automation passed. Hence based on the result, marking the bug as verified.
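
Added example, not part of the bug report or of FreeIPA's test suite: a Python check for the two scenarios listed in Comment 8, reading ldapsearch output in the form shown in Comment 10. The function names and the sample LDIF are constructed for illustration, and the input is assumed to be unwrapped (-o ldif-wrap=no).

```python
import base64
import re

# The four values Comment 8 expects on a new or updated master.
REQUIRED = frozenset(f"aes{bits}-sha2:{salt}"
                     for bits in (128, 256) for salt in ("normal", "special"))
ATTR = "krbsupportedencsalttypes"
# Optional "[logger.name] " prefix, as on the ipatests lines in Comment 10.
LOG_PREFIX = re.compile(r"^\[[^\]]*\]\s?")


def enc_salt_types(text):
    """Collect krbSupportedEncSaltTypes values from unwrapped LDIF text
    (ldapsearch -o ldif-wrap=no), with or without a logger prefix."""
    values = set()
    for line in text.splitlines():
        name, sep, rest = LOG_PREFIX.sub("", line).partition(":")
        if not sep or name.strip().lower() != ATTR:
            continue
        if rest.startswith(":"):  # "attr:: <base64>" LDIF form
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
        values.add(rest.strip().lower())  # case-normalised for comparison
    return values


def check_master(text, updated=True):
    """Return (ok, offending). An updated or new master must list every
    REQUIRED value; a not-yet-updated master must list none of them."""
    found = enc_salt_types(text)
    offending = REQUIRED - found if updated else REQUIRED & found
    return not offending, sorted(offending)


# Constructed sample inputs (not captured from a real server).
OLD_MASTER = """dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
"""
PARTIAL_UPDATE = OLD_MASTER + """\
[host.cmd1] krbSupportedEncSaltTypes: aes128-sha2:normal
[host.cmd1] krbSupportedEncSaltTypes: aes128-sha2:special
krbSupportedEncSaltTypes:: YWVzMjU2LXNoYTI6bm9ybWFs
"""

if __name__ == "__main__":
    for label, text, updated in (("old", OLD_MASTER, False),
                                 ("partial update", PARTIAL_UPDATE, True)):
        print(label, check_master(text, updated))
```

Reporting the offending values, rather than only pass or fail, shows which enctype an incomplete update left out.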

Comment 12 errata-xmlrpc 2020-04-28 15:44:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640
