I need an IPA (CentOS 8) and AD (Windows Server 2003 forest and domain functional level) trust. It works on CentOS 7.
I install CentOS 8 (8.1 or 8.2).
I install the IPA server with --setup-adtrust --enable-compat.
I set up the IPA and Windows Server 2008 R2 (Windows Server 2003 forest and domain functional level) trust:
I add the trust on Windows with the New Trust Wizard, using a trust secret.
I run ipa add-trust with --trust-secret.
I add to /etc/krb5.conf:
allow_weak_crypto = true
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 rc4-hmac
I add to /etc/krb5.conf.d/crypto-policies:
des-cbc-md5 rc4-hmac
I set the crypto policy to LEGACY (update-crypto-policies --set LEGACY) and reboot.
After that:
I can kinit winadmin@ad2003.ad.
I can getent winadmin@ad2003.ad.
I cannot authenticate on the client or the server: Access denied.
/var/log/krb5kdc.log:
TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des-cbc-md5(3), DEPRECATED:arcfour-hmac(23)}) 10.125.3.11: PROCESS_TGS: authtime 0, etypes {rep=(0)} <unknown client> for host/dc1-main.compat.ad@COMPAT.AD, No matching key in entry
klist -e
Etype (skey, tkt): DEPRECATED:des-cbc-md5, DEPRECATED:arcfour-hmac
On CentOS 7, klist -e:
Etype (skey, tkt): arcfour-hmac, arcfour-hmac
If I remove des-cbc-md5 from /etc/krb5.conf:
klist -e
Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
but I can't authenticate, with this error in /var/log/krb5kdc.log:
TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des-cbc-md5(3), DEPRECATED:arcfour-hmac(23)}) 10.125.3.11: PROCESS_TGS: authtime 0, etypes {rep=(0)} <unknown client> for host/dc1-main.compat.ad@COMPAT.AD, No matching key in entry
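As an added example (not from the post or the FreeIPA project), a small Python parser for krb5kdc.log TGS_REQ lines like the one quoted above: for each request it reports which deprecated enctypes the client offered and whether the KDC answered "No matching key in entry", i.e. the service principal has no key for any enctype the KDC can use. The sample log is constructed: the first line copies the post's line, the second is an invented successful issue for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: line 1 is the failing request from the post, line 2 is an
# invented successful TGS issue (AES only, no error) for contrast.
SAMPLE_LOG = """\
TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des-cbc-md5(3), DEPRECATED:arcfour-hmac(23)}) 10.125.3.11: PROCESS_TGS: authtime 0, etypes {rep=(0)} <unknown client> for host/dc1-main.compat.ad@COMPAT.AD, No matching key in entry
TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.125.3.12: ISSUE: authtime 1600000000, etypes {rep=18 tkt=18 ses=18}, admin@COMPAT.AD for host/ipa1.compat.ad@COMPAT.AD
"""

# Shape of a TGS_REQ line: request enctype list, client address, stage
# (PROCESS_TGS / ISSUE), free text, "for <server principal>", optional error.
TGS_RE = re.compile(
    r"^TGS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<stage>\w+): .*? for (?P<server>[^\s,]+)(?:, (?P<error>.*))?$"
)
# One enctype entry, e.g. "DEPRECATED:arcfour-hmac(23)" or "aes256-cts-hmac-sha1-96(18)".
ETYPE_RE = re.compile(r"(?P<dep>DEPRECATED:)?(?P<name>[\w-]+)\((?P<num>\d+)\)")

@dataclass
class TgsRequest:
    client: str
    stage: str
    server: str
    etypes: List[Tuple[str, int, bool]]  # (name, number, deprecated) in request order
    error: Optional[str]

def parse_tgs_line(line: str) -> Optional[TgsRequest]:
    """Parse one TGS_REQ log line; return None for any other line."""
    m = TGS_RE.match(line.strip())
    if not m:
        return None
    etypes = [(e["name"], int(e["num"]), e["dep"] is not None)
              for e in ETYPE_RE.finditer(m["etypes"])]
    return TgsRequest(m["client"], m["stage"], m["server"], etypes, m["error"])

def report(log_text: str) -> list:
    """Per TGS request: client, server principal, deprecated enctypes offered,
    and whether it failed because the server entry has no usable key."""
    findings = []
    for line in log_text.splitlines():
        req = parse_tgs_line(line)
        if req is None:
            continue
        findings.append({
            "client": req.client,
            "server": req.server,
            "deprecated_offered": [name for name, _, dep in req.etypes if dep],
            "no_matching_key": req.error == "No matching key in entry",
        })
    return findings
```

Running `report()` over a real krb5kdc.log shows which service principals (here host/dc1-main.compat.ad@COMPAT.AD) still need an RC4 key for the trust to work, and which clients are still offering DES or RC4 at all.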
IPA - AD 2003 Trust, Authentication Error