Kerberization issue with unsupported encryption type on RED OS

When you install ADQM on a RED OS host and try to kerberize a cluster using Active Directory, kerberization may fail during the kinit command execution with the following error:

kinit: KDC has no support for encryption type while getting initial credentials

Cause

The issue occurs due to different sets of encryption types allowed in Active Directory and RED OS. In RED OS, this set is defined by a cryptographic policy.

By default, the RED OS cryptographic policy is set to DEFAULT:

update-crypto-policies --show
DEFAULT

This policy sets the following encryption types that the Kerberos protocol is allowed to use:

cat /usr/share/crypto-policies/DEFAULT/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac

The arcfour encryption type (also known as rc4) is not in the list, but it is required for requesting Kerberos tickets from an Active Directory server. This encryption type has been excluded from the DEFAULT policy as it is considered weak (see Ensuring support for common encryption types in AD and RHEL).

Solution — change cryptographic policy

To enable support for arcfour in RED OS and resolve the issue above, it is recommended to switch the default RED OS cryptographic policy to one of the following policies.

LEGACY

The LEGACY cryptographic policy is one of RED OS’s predefined cryptographic policies. It permits a slightly larger set of encryption types than DEFAULT and provides compatibility with older systems and software versions.

Encryption types for Kerberos that the LEGACY policy supports are:

cat /usr/share/crypto-policies/LEGACY/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac des3-cbc-sha1 arcfour-hmac-md5

To switch the cryptographic policy to LEGACY, run the following command as the root user:

update-crypto-policies --set LEGACY

The command reports that a system reboot is required for the new policy to take effect:

Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.

Note that switching to LEGACY also changes the set of permitted encryption types for other services, as the policy's back-end configuration files show:

ls /usr/share/crypto-policies/LEGACY/
bind.txt gnutls.txt java.txt krb5.txt libreswan.txt nss.txt opensshserver.txt openssh.txt opensslcnf.txt openssl.txt

CUSTOM

You can create a new cryptographic policy (for example, CUSTOM) based on the DEFAULT policy and customize the list of supported encryption types.

  1. Copy the DEFAULT policy directory to the CUSTOM directory:

    cp -r /usr/share/crypto-policies/DEFAULT/ /usr/share/crypto-policies/CUSTOM
  2. Add the arcfour-hmac-md5 type to the end of the permitted_enctypes list in the /usr/share/crypto-policies/CUSTOM/krb5.txt file.

  3. Set a new cryptographic policy:

    update-crypto-policies --set CUSTOM
  4. After switching the policy to CUSTOM, a system reboot is also required, as the command reports:

    Setting system policy to CUSTOM
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies to fully take place.
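The following shell script is an added example, not part of the original article or of RED OS's own tooling. It covers two points from this page: the check from the "Cause" section (does the krb5.txt of a policy actually permit a given enctype, which tells you before running kinit whether arcfour-hmac-md5 is in the list) and the CUSTOM procedure (copy DEFAULT, append the enctype to the permitted_enctypes line). The POLICY_ROOT variable, the function names and the refusal to overwrite an existing policy directory are the example's own assumptions; the real policy root is /usr/share/crypto-policies, and applying the result still requires update-crypto-policies --set CUSTOM and a reboot as root, which the script deliberately does not do.

```shell
#!/bin/sh
# Added example (not from the original article or from RED OS): build a CUSTOM
# crypto policy from DEFAULT with an extra Kerberos enctype appended.
# Assumption: POLICY_ROOT points at the crypto-policies tree; override it with a
# scratch directory to rehearse the change before touching the real system.
set -eu
POLICY_ROOT=${POLICY_ROOT:-/usr/share/crypto-policies}

# Return 0 if the given krb5.txt lists the enctype in permitted_enctypes, else 1.
# Mirrors the "Cause" check: this is what DEFAULT fails for arcfour-hmac-md5.
policy_permits_enctype() {
  krb5_file=$1
  enctype=$2
  sed -n 's/^permitted_enctypes[[:space:]]*=[[:space:]]*//p' "$krb5_file" \
    | tr ' ' '\n' | grep -qx "$enctype"
}

# Create $POLICY_ROOT/<new> as a copy of DEFAULT (all back-end files, so the
# other services keep the DEFAULT settings) and append <enctype> to the
# permitted_enctypes line of krb5.txt only.
make_custom_policy() {
  new=$1
  enctype=$2
  src="$POLICY_ROOT/DEFAULT"
  dst="$POLICY_ROOT/$new"
  if [ ! -d "$src" ]; then
    echo "missing $src" >&2
    return 1
  fi
  if [ -e "$dst" ]; then
    echo "$dst already exists, refusing to overwrite" >&2
    return 1
  fi
  cp -r "$src" "$dst"
  if policy_permits_enctype "$dst/krb5.txt" "$enctype"; then
    echo "$enctype is already permitted in $dst/krb5.txt"
    return 0
  fi
  # Append to the end of the permitted_enctypes line (not to the end of the file).
  sed "/^permitted_enctypes[[:space:]]*=/ s/\$/ $enctype/" "$dst/krb5.txt" \
    > "$dst/krb5.txt.tmp" && mv "$dst/krb5.txt.tmp" "$dst/krb5.txt"
  # Verify the edit actually took.
  policy_permits_enctype "$dst/krb5.txt" "$enctype"
}

# Usage: POLICY_ROOT=/tmp/scratch sh make_custom_policy.sh CUSTOM arcfour-hmac-md5
# Without arguments the script only defines the functions.
if [ $# -eq 2 ]; then
  make_custom_policy "$1" "$2"
  echo "Policy $1 prepared. As root, run: update-crypto-policies --set $1, then reboot."
fi
```

Rehearse against a scratch copy first (POLICY_ROOT=/tmp/scratch with a copied DEFAULT directory), then run it against the real tree as root; the script leaves the policy switch and reboot to you, and the same policy_permits_enctype check can be run against /usr/share/crypto-policies/LEGACY/krb5.txt to confirm what LEGACY would allow.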