Kerberization issue with unsupported encryption type on RED OS
When you install ADQM on a RED OS host and try to kerberize a cluster using Active Directory, kerberization may fail during the kinit command execution with the following error:
kinit: KDC has no support for encryption type while getting initial credentials
Cause
The issue occurs due to different sets of encryption types allowed in Active Directory and RED OS. In RED OS, this set is defined by a cryptographic policy.
By default, the RED OS cryptographic policy is set to DEFAULT:
update-crypto-policies --show
DEFAULT
This policy sets the following encryption types that the Kerberos protocol is allowed to use:
cat /usr/share/crypto-policies/DEFAULT/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
The arcfour encryption type (also known as rc4) is not in the list, but it is required for requesting Kerberos tickets from an Active Directory server. This encryption type has been excluded from the DEFAULT policy as it is considered weak (see Ensuring support for common encryption types in AD and RHEL).
Solution — change cryptographic policy
To enable support for arcfour in RED OS and resolve the issue above, it is recommended to switch the default RED OS cryptographic policy to one of the following policies.
LEGACY
The LEGACY cryptographic policy is one of RED OS's predefined cryptographic policies. It supports a slightly larger list of encryption types than DEFAULT and provides compatibility with older versions and systems.
Encryption types for Kerberos that the LEGACY policy supports are:
cat /usr/share/crypto-policies/LEGACY/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac des3-cbc-sha1 arcfour-hmac-md5
To switch the cryptographic policy to LEGACY, run the following command as the root user:
update-crypto-policies --set LEGACY
After switching the cryptographic policy, a system reboot is required, as the command output states:
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
Consider also that switching the policy changes the set of permitted encryption types for other services as well, since the policy directory contains a configuration file for each of them:
ls /usr/share/crypto-policies/LEGACY/
bind.txt gnutls.txt java.txt krb5.txt libreswan.txt nss.txt opensshserver.txt openssh.txt opensslcnf.txt openssl.txt
CUSTOM
You can create a new cryptographic policy (for example, CUSTOM) based on the DEFAULT policy and customize the list of supported encryption types.
- Copy the DEFAULT policy directory to the CUSTOM directory:
  cp -r /usr/share/crypto-policies/DEFAULT/ /usr/share/crypto-policies/CUSTOM
- Append the arcfour-hmac-md5 type to the permitted_enctypes list at the end of the /usr/share/crypto-policies/CUSTOM/krb5.txt file.
- Set the new cryptographic policy:
  update-crypto-policies --set CUSTOM
- After switching the policy to CUSTOM, it is also required to restart the system, as the command output states:
  Setting system policy to CUSTOM
  Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
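The CUSTOM procedure above, as an added shell example that is not part of the ADQM documentation: it takes the policy tree path as a parameter so the steps can be rehearsed on a constructed copy before touching /usr/share/crypto-policies, appends arcfour-hmac-md5 only to the permitted_enctypes line of krb5.txt (the other service files are copied unchanged), and can be run twice without duplicating the entry. The sample DEFAULT tree it builds is constructed for the demonstration and contains only a minimal krb5.txt and an empty openssl.txt.

```shell
#!/bin/sh
# Added example, not from the ADQM docs. Rehearses the CUSTOM policy steps on a
# policy tree given as $1; on a real host that would be /usr/share/crypto-policies,
# followed by: update-crypto-policies --set CUSTOM (and a reboot).

# Print the enctypes on the permitted_enctypes line of a krb5.txt file.
policy_enctypes() {
    sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' "$1"
}

# Succeed (exit 0) only if the krb5.txt file $1 permits enctype $2.
policy_permits() {
    for enc in $(policy_enctypes "$1"); do
        [ "$enc" = "$2" ] && return 0
    done
    return 1
}

# Create $1/CUSTOM from $1/DEFAULT and append arcfour-hmac-md5 to the
# permitted_enctypes line of CUSTOM/krb5.txt. Safe to run twice: the copy is
# skipped when CUSTOM already exists and the enctype is not added a second time.
make_custom_policy() {
    [ -d "$1/CUSTOM" ] || cp -r "$1/DEFAULT" "$1/CUSTOM"
    f="$1/CUSTOM/krb5.txt"
    if ! policy_permits "$f" arcfour-hmac-md5; then
        tmp=$(mktemp)
        sed 's/^\([[:space:]]*permitted_enctypes[[:space:]]*=.*[^[:space:]]\)[[:space:]]*$/\1 arcfour-hmac-md5/' "$f" > "$tmp"
        cat "$tmp" > "$f"   # write in place to keep the file's owner and mode
        rm -f "$tmp"
    fi
}

# Constructed stand-in for /usr/share/crypto-policies: a DEFAULT policy whose
# krb5.txt lacks arcfour-hmac-md5, plus one other service file. Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/DEFAULT"
    printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n' \
        > "$d/DEFAULT/krb5.txt"
    : > "$d/DEFAULT/openssl.txt"   # another service's file, copied unchanged
    echo "$d"
}

# Dry run against the constructed tree.
tree=$(make_sample_tree)
make_custom_policy "$tree"
echo "CUSTOM permits: $(policy_enctypes "$tree/CUSTOM/krb5.txt")"
rm -rf "$tree"
```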