Bug 2005277 - Write a release note for "krb5 now only requests permitted encryption types"
Summary: Write a release note for "krb5 now only requests permitted encryption types"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: doc-Release_Notes-8-en-US
Version: 8.5
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Target Release: 8.5
Assignee: Lucie Vařáková
QA Contact: RHEL DPM
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-17 10:12 UTC by Marc Muehlfeld
Modified: 2021-11-15 08:32 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.Kerberos now only requests permitted encryption types

Previously, RHEL did not apply permitted encryption types specified in the `permitted_enctypes` parameter in the `/etc/krb5.conf` file if the `default_tgs_enctypes` or `default_tkt_enctypes` parameters were not set. Consequently, Kerberos clients were able to request deprecated cipher suites, such as RC4, which might cause other processes to fail. With this update, RHEL applies the encryption types set in `permitted_enctypes` to the default encryption types as well, and processes can only request permitted encryption types.

If you use Red Hat Identity Management (IdM) and want to set up a trust with Active Directory (AD), note that the RC4 cipher suite, which is deprecated in RHEL 8, is the default encryption type for users, services, and trusts between AD domains in an AD forest. You can use one of the following options:

* (Preferred): Enable strong AES encryption types in AD. For details, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* Use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command on RHEL hosts that should be members of an AD domain to enable the deprecated RC4 encryption type for backwards compatibility with AD.
Clone Of:
Environment:
Last Closed: 2021-11-15 08:32:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-97440 | 0 | None | None | None | 2021-09-17 10:13:27 UTC

Description Marc Muehlfeld 2021-09-17 10:12:03 UTC
Draft from the SME (Andreas Schneider):

.`krb5` now only requests permitted encryption types

Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested.

The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.

* To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* To enable support for the deprecated RC4 encryption type on a Domain Member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command.


This came up in the Samba rebase BZ (BZ#1944657#c3), but should be documented as a separate RN.
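The following is an added example, not part of the bug report and not krb5's own code: a small Python model of the `/etc/krb5.conf` behaviour the note describes, usable as an audit check. It parses the `[libdefaults]` section, derives the encryption types a client would request for `default_tgs_enctypes` and `default_tkt_enctypes` under the pre-fix model (where `permitted_enctypes` is ignored when the `default_*` parameters are unset) and under the updated model (where `permitted_enctypes` also governs the defaults), and flags any deprecated types such as RC4. The built-in default list, the deprecated-name set, and both sample configuration files are constructed for this example; the real built-in defaults depend on the krb5 build and the system crypto policy.

```python
import re

# Constructed, simplified stand-in for krb5's built-in default enctype list
# (the real list depends on the krb5 version and the system crypto policy).
BUILTIN_DEFAULT_ENCTYPES = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
    "arcfour-hmac",  # RC4: deprecated in RHEL 8
]

# Names this check treats as deprecated (RC4 and single-DES aliases); this set
# is an assumption of the example, not a list taken from the release note.
DEPRECATED_ENCTYPES = {
    "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5",
}

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_ASSIGN = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf.

    Minimal parser: '[section]' headers, 'key = value' lines and '#'/';'
    comments are handled; brace-delimited blocks (realm definitions etc.)
    are skipped, as are enctype family keywords (they are not expanded).
    """
    section, depth, values = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        header = _SECTION.match(line)
        if header:
            section, depth = header.group(1), 0
            continue
        depth += line.count("{") - line.count("}")
        if section != "libdefaults" or depth > 0 or "{" in line or "}" in line:
            continue
        assign = _ASSIGN.match(line)
        if assign:
            values[assign.group(1)] = assign.group(2)
    return values


def requested_enctypes(libdefaults, key, fixed=True):
    """Enctypes a client requests for `key` (default_tgs_enctypes or default_tkt_enctypes).

    fixed=False models the pre-fix behaviour the bug describes: with the
    default_* parameter unset, permitted_enctypes is ignored and the built-in
    default list is used. fixed=True models the updated behaviour, where
    permitted_enctypes also determines the defaults.
    """
    explicit = libdefaults.get(key)
    if explicit:
        return explicit.split()
    permitted = libdefaults.get("permitted_enctypes")
    if fixed and permitted:
        return permitted.split()
    return list(BUILTIN_DEFAULT_ENCTYPES)


def audit(text, fixed=True):
    """Map each default_* parameter to the deprecated enctypes it would still request."""
    lib = parse_libdefaults(text)
    return {
        key: sorted(set(requested_enctypes(lib, key, fixed)) & DEPRECATED_ENCTYPES)
        for key in ("default_tgs_enctypes", "default_tkt_enctypes")
    }


# Constructed sample: only permitted_enctypes is set, the situation the bug describes.
PERMITTED_ONLY = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: the explicit workaround that behaves the same before and after the fix.
EXPLICIT_DEFAULTS = """\
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, conf in (("permitted_enctypes only", PERMITTED_ONLY),
                       ("explicit defaults", EXPLICIT_DEFAULTS)):
        print(f"{name}: pre-fix {audit(conf, fixed=False)} / fixed {audit(conf, fixed=True)}")
```

With only `permitted_enctypes` set, the pre-fix model still reports `arcfour-hmac` for both parameters, while the updated model reports none; setting all three parameters explicitly gives a clean result under either model, which is why that was the workaround on systems without the fix.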

Comment 2 Marc Muehlfeld 2021-09-28 11:11:18 UTC
Alexander, can you please review the release note (see Doc Text field)? Thanks.

Comment 3 Alexander Bokovoy 2021-10-04 07:31:28 UTC
Marc, the note looks fine, no changes required from my perspective.
Thanks!

