I have a simple MS ADDS multi-domain forest setup with a parent domain and one sub-domain. I joined a RHEL 8 server successfully to the sub-domain by using this official documentation. All OSs have been setup by using as much defaults as possible. I can successfully SSH into the RHEL server by using an AD account of the sub-domain. But when I try to use an account of the parent domain, the login fails. As soon as I submit the username of the parent domain, journalctl
reports the following error:
sssd_be[...]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
I checked the DCs of each domain and can confirm that all DCs support the same three default encryption types (which are stored in the msDS-SupportedEncryptionTypes
attribute of each DC computer account):
- RC4_HMAC_MD5
- AES128_CTS_HMAC_SHA1_96
- AES256_CTS_HMAC_SHA1_96
I also confirmed that RHEL 8 offers suitable encryption types (/etc/crypto-policies/back-ends/krb5.config
):
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
So, there should be two matches: aes128-cts-hmac-sha1-96
and aes256-cts-hmac-sha1-96
. As I already stated, it is working fine for the sub-domain. So, why is there no suitable encryption type for the parent domain?
The properties of an AD trust include a property called "The other domain supports Kerberos AES Encryption". By default, this option is not checked. In this scenario, this leads to the fact, that the parent domain is not able to offer AES encryption types for Kerberos. Therefore, the only option is
RC4_HMAC_MD5
. On RHEL 8, RC4 encryption has been deprecated and disabled by default. Therefore, there is indeed no encryption type available to agree on between RHEL and the parent domain.After checking the option "The other domain supports Kerberos AES Encryption", the authentication also worked for the parent domain.
If you want to set this setting programmatically, here you go.