"KDC has no support for encryption type" when setting up cross-realm trust between MIT Kerberos and Active Directory
I have solved the problem. I'm posting a reply here in case someone else faces the same issue.
The solution was very simple. I needed to make sure that the cross-realm authentication principals were created with a single encoding type, of type rc4-hmac:
addprinc -e rc4-hmac krbtgt/[email protected]
addprinc -e rc4-hmac krbtgt/[email protected]
As far as I can tell, what happens is that the MIT KDC uses the most secure encoding type when sending the ticket to the AD server. The AD server is unable to handle that encoding and thus replied with the error that the encryption type is not supported. By only having a single encoding type for the principals, the MIT server will use that type when talking to the AD server.
Related videos on Youtube
03 : 40
03 : 29
![[Solved] CredSSP Encryption Oracle Remediation](https://i.ytimg.com/vi/aDsxH9zyQsM/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLClW-grb652wB7rlot7Slu3Km95Pw)
03 : 19
01 : 12 : 44
04 : 20
Elias Mårtenson
Updated on September 18, 2022Comments
-
Elias Mårtenson almost 2 years
I am currently setting up an environment where I have a set of Solaris and Linux machines, using a dedicated Krberos 5 realm (MIT, on Solaris 11,
krb5-config --versionreturns:Solaris Kerberos (based on MIT Kerberos 5 release 1.6.3)). We also have an Active Directory (Windows 2003) server for a separate realm.My goal is to have all users in the AD server, and the host/nnn, nfs/nnn and cifs/nnn principals in the MIT-based realm. I'm trying to set up cross-domain trust between these two realms.
Assume the following:
- Unix realm: EXAMPLE.COM
- AD realm: AD.EXAMPLE.COM
I've set up the AD cross-realm trust according to the Microsoft documentation, with two-way trust.
What happens is that cross-realm authentication only works in one direction. From AD to Unix works:
# kinit [email protected] Password for [email protected]: root@clienttest2:~# kvno [email protected] [email protected]: kvno = 1But, the opposite does not, and gives me an error message: KDC has no support for encryption type while getting credentials for [email protected]
# kinit [email protected] Password for [email protected]: root@clienttest2:~# kvno [email protected] kvno: KDC has no support for encryption type while getting credentials for [email protected]Note that I have tried all sorts of different things. Some of those being:
- Configured the cross-realm keys on the Unix side to use
rc4-hmaconly, with the effect that the call tokvnowon't even be able to find the KDC on the Microsoft side. - Added
default_tkt_enctypesanddefault_tgs_enctypesentries to force the use ofrc4-hmac. This was necessary to just get login authentication against AD to work.
What could be the cause of this, and how can I figure out what is actually going on? In particular, it would be very helpful to know exactly what encryption type it's trying to use which the KDC has no support for. It would also be useful to know which KDC that sent the error.
For completeness, here is the content of the
krb5.conffile:[libdefaults] default_realm = EXAMPLE.COM allow_weak_crypto = true verify_ap_req_nofail = false default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac [realms] EXAMPLE.COM = { kdc = unix-server.example.com admin_server = unix-server.example.com } AD.EXAMPLE.COM = { kdc = ad-server.ad.example.com admin_server = ad-server.ad.example.com } [domain_realm] .example.com = EXAMPLE.COM .ad.example.com = AD.EXAMPLE.COM [capaths] EXAMPLE.COM = { AD.EXAMPLE.COM = . } AD.EXAMPLE.COM = { EXAMPLE.COM = . } [logging] default = FILE:/var/krb5/kdc.log kdc = FILE:/var/krb5/kdc.log kdc_rotate = { period = 1d versions = 10 } [appdefaults] kinit = { renewable = true forwardable = true }