The Geek Diary

“Couldn’t authenticate with keytab while discovering which salt to use: hostname: KDC has no support for encryption type” – error while joining domain

by admin

The Problem

A CentOS/RHEL 6 client fails to be enrolled in an Active Directory domain: the adcli command intermittently fails with the following error written to the console:

Couldn't authenticate with keytab while discovering which salt to use: [SERVER$@DOMAIN_NAME]: KDC has no support for encryption type

The following errors are logged at the same time to /var/log/messages:

Feb 20 16:23:52 [hostname] [sssd[ldap_child[27134]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: KDC has no support for encryption type. Unable to create GSSAPI-encrypted LDAP connection.
Feb 20 16:23:52 [hostname] [sssd[ldap_child[27134]]]: KDC has no support for encryption type
Feb 20 16:23:53 [hostname] sssd[be[AD_DOMAIN_NAME]]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
Feb 20 16:23:53 [hostname] sssd[be[AD_DOMAIN_NAME]]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

However, subsequent attempts to enroll the server with the adcli command sometimes complete successfully, with no configuration changes having been made on the CentOS/RHEL client.

The Solution

The domain had several Windows Active Directory domain controllers for redundancy; however, some of them were configured to enforce a specific set of Kerberos encryption types, while others were not.

The client locates a KDC through the domain's DNS SRV records, so each attempt may be answered by a different domain controller. When a request reaches a domain controller that enforces specific encryption types, and the Linux client (sssd or adcli) offers encryption types other than the enforced ones, the KDC rejects the request with KDC_ERR_ETYPE_NOSUPP, which MIT Kerberos reports as "KDC has no support for encryption type". Requests that happen to reach a non-enforcing domain controller succeed, which explains the intermittent behaviour.

Configure both the Windows Active Directory domain controllers and the Linux clients to use matching encryption types. To configure the encryption types on the Linux client, as in the example below where the aes256-cts type (aes256-cts-hmac-sha1-96) is set, do the following:

1. Back up the /etc/krb5.conf configuration file before making any changes to it.

2. Set the encryption type values in the [libdefaults] section of /etc/krb5.conf to:

allow_weak_crypto = false
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts

3. Restart the sssd service:

On CentOS/RHEL 6, do:

# service sssd restart

On CentOS/RHEL 7, do:

# systemctl restart sssd.service

Note that the machine account key in /etc/krb5.keytab must exist for the chosen encryption type, otherwise sssd still cannot obtain a ticket. Check the key types present with "klist -kte /etc/krb5.keytab" and confirm that a keytab login works with "kinit -kt /etc/krb5.keytab 'HOSTNAME$'" (substituting the client's own machine principal). If the keytab holds no key of the required type, re-run the adcli join so that the machine account keys are regenerated.
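The following bash script is an added example and not code from the original article. It automates the diagnosis described above, trying a keytab-based kinit against each domain controller individually so that the one rejecting the client's encryption types can be identified, and then applies steps 1 and 2 of the fix by backing up /etc/krb5.conf and rewriting the four [libdefaults] keys idempotently. The realm EXAMPLE.COM, the machine principal HOSTNAME$ and the KDC host names are assumed placeholders; the script needs awk, dig (bind-utils) and kinit (krb5-workstation).

```bash
#!/bin/bash
# Added example (not from the original article). Assumptions: awk, dig from
# bind-utils, kinit from krb5-workstation; the realm EXAMPLE.COM, the machine
# principal HOSTNAME$ and the KDC names used in the comments are placeholders.
set -u

# Write a minimal krb5.conf that pins REALM to a single KDC and offers only
# the given enctypes, so one domain controller can be tested at a time.
make_kdc_conf() {   # $1=realm  $2=kdc host  $3=enctypes  $4=output file
    local realm=$1 kdc=$2 etypes=$3 out=$4
    cat >"$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    allow_weak_crypto = false
    default_tkt_enctypes = $etypes
    default_tgs_enctypes = $etypes
    permitted_enctypes = $etypes

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
}

# Run a keytab kinit against every KDC in the realm's _kerberos._tcp SRV
# records. A DC that enforces enctypes the keytab key does not match answers
# KDC_ERR_ETYPE_NOSUPP, which kinit prints as "KDC has no support for
# encryption type"; a DC that does not enforce them succeeds.
probe_kdcs() {      # $1=realm  $2=principal  $3=enctypes  [$4=keytab]
    local realm=$1 princ=$2 etypes=$3 keytab=${4:-/etc/krb5.keytab} conf kdc out dom
    dom=$(echo "$realm" | tr 'A-Z' 'a-z')
    conf=$(mktemp)
    for kdc in $(dig +short "_kerberos._tcp.$dom" SRV |
                 awk '{ sub(/\.$/, "", $4); print $4 }'); do
        make_kdc_conf "$realm" "$kdc" "$etypes" "$conf"
        if out=$(KRB5_CONFIG=$conf KRB5CCNAME=MEMORY:probe \
                 kinit -kt "$keytab" "$princ" 2>&1); then
            printf 'OK    %s\n' "$kdc"
        else
            printf 'FAIL  %s: %s\n' "$kdc" "$out"
        fi
    done
    rm -f "$conf"
}

# Steps 1 and 2 of the fix: back up krb5.conf, then set the four enctype
# keys inside [libdefaults], dropping any existing values so the edit can be
# re-run safely. A [libdefaults] section is appended if the file has none.
set_enctypes() {    # $1=krb5.conf path  $2=enctypes
    local conf=$1 etypes=$2
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    awk -v et="$etypes" '
        function emit() {
            print "    allow_weak_crypto = false"
            print "    default_tkt_enctypes = " et
            print "    default_tgs_enctypes = " et
            print "    permitted_enctypes = " et
        }
        /^\[/ {
            if (inlib && !done) { emit(); done = 1 }
            inlib = ($0 ~ /^\[libdefaults\][ \t]*$/); if (inlib) seen = 1
        }
        inlib && /^[ \t]*(allow_weak_crypto|default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*=/ { next }
        { print }
        END { if (!done) { if (!seen) print "[libdefaults]"; emit() } }
    ' "$conf" >"$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage (nothing happens when run without arguments):
#   ./krb5-enctypes.sh probe EXAMPLE.COM 'HOSTNAME$' aes256-cts
#   ./krb5-enctypes.sh set /etc/krb5.conf aes256-cts   # then restart sssd
case "${1:-}" in
    probe) probe_kdcs "$2" "$3" "$4" ;;
    set)   set_enctypes "$2" "$3" ;;
esac
```

Run the probe first with the enctypes the keytab actually contains (see klist -kte): every domain controller that prints FAIL with the "KDC has no support for encryption type" text is one of the enforcing controllers, and the enctype list passed to set must be one that all of them accept.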

On the Windows side, the encryption types a domain controller accepts are governed by the "Network security: Configure encryption types allowed for Kerberos" Group Policy setting, and the computer account's msDS-SupportedEncryptionTypes attribute must also cover the types the Linux client uses. To align these, contact the systems administrator responsible for the Windows domain controllers, and if necessary contact Microsoft for assistance as the relevant software vendor.

Filed Under: CentOS/RHEL, CentOS/RHEL 6, CentOS/RHEL 7

© 2023 · The Geek Diary
