Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2005277

Summary: Write a release note for "krb5 now only requests permitted encryption types"
Product: Red Hat Enterprise Linux 8
Reporter: Marc Muehlfeld <mmuehlfe>
Component: doc-Release_Notes-8-en-US
Assignee: Lucie Vařáková <lmanasko>
Status: CLOSED CURRENTRELEASE
QA Contact: RHEL DPM <rhel-docs>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium
Version: 8.5
CC: abokovoy, rhel-docs
Target Milestone: rc
Keywords: Documentation
Target Release: 8.5
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.Kerberos now only requests permitted encryption types

Previously, RHEL did not apply permitted encryption types specified in the `permitted_enctypes` parameter in the `/etc/krb5.conf` file if the `default_tgs_enctypes` or `default_tkt_enctypes` parameters were not set. Consequently, Kerberos clients were able to request deprecated cipher suites, such as RC4, which might cause other processes to fail. With this update, RHEL applies the encryption types set in `permitted_enctypes` to the default encryption types as well, and processes can only request permitted encryption types.

If you use Red Hat Identity Management (IdM) and want to set up a trust with Active Directory (AD), note that the RC4 cipher suite, which is deprecated in RHEL 8, is the default encryption type for users, services, and trusts between AD domains in an AD forest. You can use one of the following options:

* (Preferred): Enable strong AES encryption types in AD. For details, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* Use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command on RHEL hosts that should be members of an AD domain to enable the deprecated RC4 encryption type for backwards compatibility with AD.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-15 08:32:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marc Muehlfeld 2021-09-17 10:12:03 UTC
Draft from the SME (Andreas Schneider):

.`krb5` now only requests permitted encryption types

Previously, permitted encryption types specified in the `permitted_enctypes` variable in the `/etc/krb5.conf` file did not apply to the default encryption types if the `default_tgs_enctypes` or `default_tkt_enctypes` attributes were not set. Consequently, Kerberos clients were able to request deprecated cipher suites like RC4, which may cause other processes to fail. With this update, encryption types specified in the `permitted_enctypes` variable apply to the default encryption types as well, and only permitted encryption types are requested.

The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for users, services, and trusts between Active Directory (AD) domains in an AD forest.

* To ensure support for strong AES encryption types between AD domains in an AD forest, see the link:https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust[AD DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted domain] Microsoft article.
* To enable support for the deprecated RC4 encryption type on a Domain Member for backwards compatibility with AD, use the `update-crypto-policies --set DEFAULT:AD-SUPPORT` command.

This came up in the Samba rebase BZ (BZ#1944657#c3), but should be documented as a separate RN.
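The configuration behaviour described in the draft above, as an added model written for this page (it is neither krb5 code nor part of the bug): it reads the `[libdefaults]` section of a krb5.conf and reports whether an RC4 enctype would still be offered in TGS and AS requests before and after the fix. The built-in enctype list, the set of RC4 names, the sample krb5.conf and the rule that an explicitly set `default_*_enctypes` is taken verbatim are all assumptions made for the model.

```python
import re

# Assumption: stand-in for libkrb5's built-in enctype list used when nothing is
# configured; constructed for this model, check `man krb5.conf` for your version.
BUILTIN_DEFAULT = ("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
                   "aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 "
                   "des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac")
# Names under which the deprecated RC4 enctype appears in enctype lists.
RC4_NAMES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4"}

def parse_libdefaults(text):
    """{key: value} for the [libdefaults] section; flat 'key = value' lines only."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
    return out

def effective_enctypes(conf, fixed):
    """Enctype lists a client offers in TGS and AS (tkt) requests. fixed=False: old
    behaviour, permitted_enctypes ignored when defaults are unset; fixed=True: this
    release note's behaviour. Explicit default_*_enctypes taken verbatim (assumption)."""
    permitted = conf.get("permitted_enctypes", BUILTIN_DEFAULT).split()
    fallback = permitted if fixed else BUILTIN_DEFAULT.split()
    return {key: conf[key].split() if key in conf else fallback
            for key in ("default_tgs_enctypes", "default_tkt_enctypes")}

def rc4_requested(conf, fixed):
    """True if either default list would still offer an RC4 enctype."""
    return any(e.lower() in RC4_NAMES
               for lst in effective_enctypes(conf, fixed).values() for e in lst)

# Constructed sample: permitted_enctypes restricted to AES, both defaults unset.
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM   # constructed
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    conf = parse_libdefaults(SAMPLE_CONF)
    print("before fix, RC4 offered:", rc4_requested(conf, fixed=False))  # True
    print("after fix,  RC4 offered:", rc4_requested(conf, fixed=True))   # False
```

On a real host, `klist -e` shows the enctypes actually negotiated for the cached tickets, which is the check to run after changing `permitted_enctypes` or applying the `AD-SUPPORT` policy.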

Comment 2 Marc Muehlfeld 2021-09-28 11:11:18 UTC
Alexander, can you please review the release note (see Doc Text field)? Thanks.

Comment 3 Alexander Bokovoy 2021-10-04 07:31:28 UTC
Marc, the note looks fine, no changes required from my perspective.
Thanks!