The Problem
A CentOS/RHEL 6 client fails to enrol in an Active Directory domain: the adcli command fails intermittently with the following error written to the console:
Couldn't authenticate with keytab while discovering which salt to use: [SERVER$@DOMAIN_NAME]: KDC has no support for encryption type
The following errors are logged at the same time to /var/log/messages:
Feb 20 16:23:52 [hostname] [sssd[ldap_child[27134]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: KDC has no support for encryption type. Unable to create GSSAPI-encrypted LDAP connection.
Feb 20 16:23:52 [hostname] [sssd[ldap_child[27134]]]: KDC has no support for encryption type
Feb 20 16:23:53 [hostname] sssd[be[AD_DOMAIN_NAME]]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Feb 20 16:23:53 [hostname] sssd[be[AD_DOMAIN_NAME]]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
However, subsequent attempts to enrol the server with the adcli command sometimes completed successfully, even though no configuration changes had been made on the CentOS/RHEL client.
The Solution
The Windows Active Directory domain controllers were configured as a cluster for redundancy on the domain. However, some of the domain controllers were configured to enforce specific encryption algorithms, while others were not.
This means that whenever the CentOS/RHEL client happened to contact a domain controller that was enforcing specific encryption algorithms, sssd on the Linux client failed if it was configured to use an encryption algorithm different from the ones that domain controller enforced. The intermittent failure matches which domain controller the client reached on a given attempt.
Configure both the Windows Active Directory domain controllers and the Linux clients to use matching encryption algorithms. To configure the encryption algorithms on the Linux client, as in the example below where the aes256-cts algorithm is set, do the following:
1. Back up the /etc/krb5.conf configuration file before making any changes to it.
2. Change the encryption values in /etc/krb5.conf to:
allow_weak_crypto = false
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
3. Restart the sssd service:
On CentOS/RHEL 6, do:
# service sssd restart
On CentOS/RHEL 7, do:
# systemctl restart sssd.service
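Before restarting sssd it is worth confirming that the enctypes you set in /etc/krb5.conf actually overlap with the keys present in the host keytab and with what the domain controller enforces, since a mismatch in any of the three reproduces the "KDC has no support for encryption type" error. The following is an added example, not part of the original article: it parses the [libdefaults] enctype settings, the output of klist -ke, and a list of enctypes the domain controller is known to accept, and reports any setting with no usable common enctype. The sample krb5.conf, the klist output for host/server.example.com and the DC enctype lists are constructed for illustration.

```python
import re

# Constructed sample: the [libdefaults] settings the article recommends.
KRB5_CONF = """[libdefaults]
 allow_weak_crypto = false
 default_tkt_enctypes = aes256-cts
 default_tgs_enctypes = aes256-cts
 permitted_enctypes = aes256-cts
"""

# Constructed excerpt of `klist -ke /etc/krb5.keytab` on a hypothetical host.
KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/server.example.com@EXAMPLE.COM (arcfour-hmac)
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# krb5.conf short names -> the long names klist prints.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
           "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

def canonical(name):
    return ALIASES.get(name, name)

def parse_krb5_enctypes(text):
    """Return {key: set(enctypes)} for the enctype keys found in [libdefaults]."""
    result, in_libdefaults = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):            # section header
            in_libdefaults = line == "[libdefaults]"
        elif in_libdefaults and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in ENCTYPE_KEYS:
                result[key.strip()] = {canonical(v) for v in value.split()}
    return result

def parse_keytab_enctypes(text):
    """Return the set of enctypes listed in `klist -ke` output."""
    return {canonical(m.group(1)) for m in re.finditer(r"\(([\w-]+)\)\s*$", text, re.M)}

def diagnose(conf, keytab_out, dc_enctypes):
    """List the enctype settings with no type that both the keytab and the DC support."""
    keytab, dc = parse_keytab_enctypes(keytab_out), {canonical(e) for e in dc_enctypes}
    return [f"{key}: none of {sorted(want)} usable (keytab {sorted(keytab)}, DC {sorted(dc)})"
            for key, want in parse_krb5_enctypes(conf).items() if not (want & keytab & dc)]
```

Run diagnose() once per domain controller with the enctypes that controller enforces; an empty list for every controller means the client configuration is consistent with the whole cluster, which is what removes the intermittent failure.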
To configure the encryption algorithms on the Windows domain controllers, contact the systems administrator responsible for the Windows domain controllers, and if necessary contact Microsoft, as the relevant software vendor, for assistance.