Can't Join Active Directory with Realm - No Support for Encryption Type

Hi All,

I am hoping someone can offer some help with this. I’ve done a fair bit of “research” but found no definitive answer.

I am almost sure the setup is correct, and having done my background research it seems as if Rocky is not able to determine the cipher type being used by Kerberos on a very vanilla AD Domain.
Certainly no problems with other distros.

Hey there!

I suspect your AD DC is still using very old ciphers / a SHA1 certificate, so you might have to lower your system-wide crypto policy (LEGACY:AD-SUPPORT):

Tbh I definitely also have seen this being unnecessary in our (work) environment, so the other solution might be to improve your crypto standards of your AD environment (WS 2016 DCs here with lots of security tweaks and SHA256 certs)

Yes indeed, the checks show AES256, RC4 and AES128,
or the value "28" in `msDS-SupportedEncryptionTypes`.

Which should surely work with either Legacy or Standard?

Yeah okay the ciphers are definitely new enough, what about SHA1?
Tbh the easiest might be to switch a test system to the other crypto policy and see if it works.

If this also does not help, might be time to enable the debug log and see what it says :thinking:

OK - it's working.

krb5.conf set to

```ini
allow_weak_crypto = false
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
```

Seems like I am declaring it to allow ALL but weak here … I am guessing it was trying rc4

Which isn't great - the domain is earmarked for a major upgrade in 3 months anyway so …

Okay great that you got it working! Guess after the domain upgrade you won’t need this anymore :slight_smile:

Microsoft removed RC4 from Kerberos encryption types due to a sudden security issue specific to Kerberos:

KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support

So you can remove RC4 from your list of etypes. And you should definitely remove all DES types. Nothing has used DES for a long time now.

You could add AES128-CTS-HMAC-SHA1-96 as that is still quite valid. But it's somewhat pointless if you know AES256 works.
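The two checks that come up in this thread, reading the `msDS-SupportedEncryptionTypes` bitmask (the "28" mentioned earlier) and spotting RC4/DES in the krb5.conf enctype lines, can be scripted. The following is an added example written for this thread, not code from any poster or from Rocky Linux. It assumes the standard bit values from Microsoft's MS-KILE documentation (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10); the krb5.conf sample is the one posted above, embedded inline so the script runs offline.

```python
import re

# Bit flags of the msDS-SupportedEncryptionTypes attribute (MS-KILE 2.2.7).
# Any bit outside this table is reported as UNKNOWN rather than guessed.
MSDS_ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
KNOWN_MASK = sum(MSDS_ETYPE_BITS)

# Enctype names as they appear in krb5.conf that a defender should drop.
KRB5_WEAK = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp",
}
KRB5_PREFERRED = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
_LINE_RE = re.compile(r"^\s*(%s)\s*=\s*(.+?)\s*$" % "|".join(ENCTYPE_KEYS))


def decode_msds_enctypes(value: int) -> list:
    """Return the enctype names encoded in an msDS-SupportedEncryptionTypes value."""
    names = [name for bit, name in sorted(MSDS_ETYPE_BITS.items()) if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def audit_krb5_enctypes(conf_text: str) -> dict:
    """Map each enctype setting found in krb5.conf text to the weak types it lists."""
    findings = {}
    for line in conf_text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            findings[key] = [e for e in value.split() if e.lower() in KRB5_WEAK]
    return findings


def harden_krb5_enctypes(conf_text: str) -> str:
    """Rewrite the enctype lines so they carry only AES types, in preference order."""
    out = []
    for line in conf_text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            keep = [e for e in m.group(2).split() if e.lower() not in KRB5_WEAK]
            for pref in KRB5_PREFERRED:          # make sure both AES types are present
                if pref not in keep:
                    keep.append(pref)
            out.append("%s = %s" % (m.group(1), " ".join(keep)))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample: the krb5.conf fragment posted in the thread.
SAMPLE_KRB5 = """\
allow_weak_crypto = false
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    print("msDS-SupportedEncryptionTypes=28 ->", decode_msds_enctypes(28))
    for key, weak in audit_krb5_enctypes(SAMPLE_KRB5).items():
        print("%s lists weak enctypes: %s" % (key, weak))
    print(harden_krb5_enctypes(SAMPLE_KRB5))
```

Run it against your own `/etc/krb5.conf` by passing the file contents to `audit_krb5_enctypes`; a value of 28 decodes to RC4 plus both AES types, and the hardened output is what the last reply recommends: AES256 and AES128 only.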