How to fix the "KDC has no support for encryption type" error?

Linux Basics

1 Introduction

One problem, one article, one story.
I recently noticed that domain user logins to the production SFTP server were failing; checking the sssd service showed the following error message:

Jul 19 16:00:15 sftp01.cmdschool.org krb5_child[230864]: KDC has no support for encryption type

So I put together this write-up of the fix.

2 Best practice

2.1 Confirm the problem

2.1.1 Trace the Kerberos authentication process

KRB5_TRACE=/dev/stdout kinit will@cmdschool.org

The trace looks like this:

[231328] 1721376169.167530: Matching will@cmdschool.org in collection with result: -1765328243/Can't find client principal will@cmdschool.org in cache collection
[231328] 1721376169.167531: Getting initial credentials for will@cmdschool.org
[231328] 1721376169.167533: Sending unauthenticated request
[231328] 1721376169.167534: Sending request (184 bytes) to cmdschool.org
[231328] 1721376169.167535: Sending DNS URI query for _kerberos.cmdschool.org.
[231328] 1721376169.167536: No URI records found
[231328] 1721376169.167537: Sending DNS SRV query for _kerberos._udp.cmdschool.org.
[231328] 1721376169.167538: SRV answer: 0 100 88 "dgdc01.cmdschool.org."
[231328] 1721376169.167539: SRV answer: 0 100 88 "azdc01.cmdschool.org."
[231328] 1721376169.167540: SRV answer: 0 100 88 "cadc01.cmdschool.org."
[231328] 1721376169.167541: SRV answer: 0 100 88 "hkdc01.cmdschool.org."
[231328] 1721376169.167542: Sending DNS SRV query for _kerberos._tcp.cmdschool.org.
[231328] 1721376169.167543: SRV answer: 0 100 88 "dgdc01.cmdschool.org."
[231328] 1721376169.167544: SRV answer: 0 100 88 "cadc01.cmdschool.org."
[231328] 1721376169.167545: SRV answer: 0 100 88 "hkdc01.cmdschool.org."
[231328] 1721376169.167546: SRV answer: 0 100 88 "azdc01.cmdschool.org."
[231328] 1721376169.167547: Resolving hostname dgdc01.cmdschool.org.
[231328] 1721376169.167548: Resolving hostname azdc01.cmdschool.org.
[231328] 1721376169.167549: Resolving hostname cadc01.cmdschool.org.
[231328] 1721376169.167550: Resolving hostname hkdc01.cmdschool.org.
[231328] 1721376169.167551: Resolving hostname dgdc01.cmdschool.org.
[231328] 1721376169.167552: Initiating TCP connection to stream 10.168.0.46:88
[231328] 1721376169.167553: Sending TCP request to stream 10.168.0.46:88
[231328] 1721376169.167554: Received answer (125 bytes) from stream 10.168.0.46:88
[231328] 1721376169.167555: Terminating TCP connection to stream 10.168.0.46:88
[231328] 1721376169.167556: Sending DNS URI query for _kerberos.cmdschool.org.
[231328] 1721376169.167557: No URI records found
[231328] 1721376169.167558: Sending DNS SRV query for _kerberos-master._tcp.cmdschool.org.
[231328] 1721376169.167559: No SRV records found
[231328] 1721376169.167560: Response was not from primary KDC
[231328] 1721376169.167561: Received error from KDC: -1765328370/KDC has no support for encryption type
[231328] 1721376169.167562: Retrying AS request with primary KDC
[231328] 1721376169.167563: Getting initial credentials for will@cmdschool.org
[231328] 1721376169.167565: Sending unauthenticated request
[231328] 1721376169.167566: Sending request (184 bytes) to cmdschool.org (primary)
[231328] 1721376169.167567: Sending DNS URI query for _kerberos.cmdschool.org.
[231328] 1721376169.167568: No URI records found
[231328] 1721376169.167569: Sending DNS SRV query for _kerberos-master._udp.cmdschool.org.
[231328] 1721376169.167570: Sending DNS SRV query for _kerberos-master._tcp.cmdschool.org.
[231328] 1721376169.167571: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials

In addition, the following command, which lists the encryption types of all cached credentials, is sometimes useful for reference:

klist -A -e

2.1.2 Check the current crypto policy

update-crypto-policies --show

The output is:

DEFAULT

Alternatively, the following command may also show it:

cat /etc/crypto-policies/state/current

2.2 Solve the problem

2.2.1 Enable the additional encryption types

update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY

2.2.2 Reboot the server for the change to take effect

reboot
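The steps in 2.1 and 2.2 can be wrapped into a small triage helper that pulls the KDC error and the responding KDC out of a KRB5_TRACE log, shows the active crypto policy, and prints the matching update-crypto-policies command. The script below is an added example, not part of the original post: the trace excerpt it carries is constructed from the lines above, the function names are my own, and the state file path is the usual RHEL/Rocky location.

```shell
#!/bin/sh
# Added example (not from the original post): triage helper for the
# "KDC has no support for encryption type" error. It parses KRB5_TRACE
# output, reports which KDC answered, shows the active crypto policy and
# prints the fix command. Function names and sample data are constructed.

# Constructed KRB5_TRACE excerpt, in the shape kinit emits.
SAMPLE_TRACE='[231328] 1721376169.167552: Initiating TCP connection to stream 10.168.0.46:88
[231328] 1721376169.167554: Received answer (125 bytes) from stream 10.168.0.46:88
[231328] 1721376169.167561: Received error from KDC: -1765328370/KDC has no support for encryption type
[231328] 1721376169.167569: Sending DNS SRV query for _kerberos-master._udp.cmdschool.org.'

# Print "errcode message" for every "Received error from KDC" line on stdin.
kdc_errors() {
    sed -n 's/^.*Received error from KDC: \([-0-9]*\)\/\(.*\)$/\1 \2/p'
}

# Print the address of the last KDC that answered before the first error,
# so you know which domain controller to look at.
kdc_that_answered() {
    awk '/Received answer .* from stream/ { last = $NF }
         /Received error from KDC/ { print last; exit }'
}

# Return 0 when the trace text in $1 contains the enctype error.
has_enctype_error() {
    printf '%s\n' "$1" | kdc_errors | grep -q 'no support for encryption type'
}

# Show the active crypto policy; fall back to the state file (or "unknown")
# when update-crypto-policies is not installed, e.g. when run off-host.
current_policy() {
    statefile="${1:-/etc/crypto-policies/state/current}"
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    elif [ -r "$statefile" ]; then
        cat "$statefile"
    else
        echo "unknown"
    fi
}

# Print the remedy from section 2.2 unless an AD-SUPPORT subpolicy is
# already part of the active policy.
suggest() {
    policy="$1"
    case "$policy" in
        *AD-SUPPORT*) echo "policy already includes an AD-SUPPORT subpolicy: $policy" ;;
        *) echo "run: update-crypto-policies --set ${policy}:AD-SUPPORT-LEGACY && reboot" ;;
    esac
}

# Demo on the constructed trace. On a real host pipe the trace in instead:
#   KRB5_TRACE=/dev/stdout kinit will@cmdschool.org 2>&1 | kdc_errors
printf '%s\n' "$SAMPLE_TRACE" | kdc_errors
printf '%s\n' "$SAMPLE_TRACE" | kdc_that_answered
has_enctype_error "$SAMPLE_TRACE" && suggest "$(current_policy)"
```

The AD-SUPPORT-LEGACY subpolicy re-enables RC4-HMAC for Kerberos system-wide, so after the reboot it is worth running klist -e and confirming which encryption type the ticket session key actually ended up with.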
