KDC has no support for encryption type

Hi, new user here, I have no experience with any Linux at all and am learning Fedora 32 as part of a networking and server course.

I have setup a VMWare virtual lab with a Windows domain controller acting as DNS/DHCP server and with routing to the outside network and internet with the standard contoso.com domain. I can currently connect to the internet through this domain controller but when I attempt to join the domain using realm join CONTOSO.COM with password I am faced with

[fparke@FedServ ~]$ realm join CONTOSO.COM
Password for Administrator:
See: journalctl REALMD_OPERATION=r3325.3180
realm: Couldn't join realm: Failed to join the domain

So I had a look at the journalctl line and it looks like a Kerberos problem (see below):

[fparke@FedServ ~]$ journalctl REALMD_OPERATION=r3325.3180
-- Logs begin at Fri 2021-06-04 10:14:42 AEST, end at Fri 2021-06-04 15:25:41 AEST. --
Jun 04 15:25:08 FedServ.contoso.com realmd[3183]: * Resolving: _ldap._tcp.contoso.com
Jun 04 15:25:08 FedServ.contoso.com realmd[3183]: * Performing LDAP DSE lookup on: 192.168.10.136
Jun 04 15:25:08 FedServ.contoso.com realmd[3183]: * Performing LDAP DSE lookup on: 192.168.1.2
Jun 04 15:25:08 FedServ.contoso.com realmd[3183]: * Successfully discovered: contoso.com
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * LANG=C /usr/sbin/adcli join --verbose --domain contoso.com --domain-realm CONTOSO.COM --domain-controller 192.168.10.136 --login-type user --login-user Administrator --stdin-password
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Using domain name: contoso.com
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Calculated computer account name from fqdn: FEDSERV
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Using domain realm: contoso.com
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Sending NetLogon ping to domain controller: 192.168.10.136
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Received NetLogon info from: ServerA-RWDC.contoso.com
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-hCJ88t/krb5.d/adcli-krb5-conf-t5gLZu
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: ! Couldn't authenticate as: Administrator@CONTOSO.COM: KDC has no support for encryption type
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: adcli: couldn't connect to contoso.com domain: Couldn't authenticate as: Administrator@CONTOSO.COM: KDC has no support for encryption type
Jun 04 15:25:15 FedServ.contoso.com realmd[3183]: ! Failed to join the domain
[fparke@FedServ ~]$

When I attempt to access krb5.conf at /etc/krb5.conf I get the below result:

[fparke@FedServ ~]$ /etc/krb5.conf
bash: /etc/krb5.conf: Permission denied

I should add that I have the exact same problems while logged in as the root user.

Any help would be greatly appreciated. I have found bits and pieces of information throughout the web but any help given would just talk in general terms about changing things in the krb5.conf but with no explanation as to how to do so or what actual commands to put into the terminal to go about fixing the problem. I would appreciate a more step by step approach for a solution to my problem … if that is possible.

I have installed vsftpd, postfix, dovecot and samba so far but this stumbling block has prevented me from experimenting further with the Fedora environment.

Thanks in advance to anyone who can help with my problem.


update: I was able to access krb5.conf with the command vi etc/krb5.conf but do not know where to go from here.

I have found a fix for this problem … at least one that works for me. I’ll try to write this for someone like me who has literally no clue.

Credit goes to Michls Tech Blog: “Linux: Kerberos authentication against Windows Active Directory”
Jan 23 2014 entry

For the Kerberos realm join problem with a Windows Active Directory where the KDC has no support for the encryption type: you need to be in root or superuser mode for elevated write privileges to the krb5.conf file. Below I will insert my screenshots of the original vs edited krb5.conf from my terminal.

  1. I have renamed my host as FedServAlt so instead of [root@localhost] it shows [root@FedServAlt]

  2. In the terminal at [root@localhost]# input “vi /etc/krb5.conf” … or in my case [root@FedServAlt]# vi /etc/krb5.conf - This will show the text of krb5.conf. Press i to be able to input – delete but not backspace works for me when removing text.

  3. You need to input three lines into the [libdefaults] part of the krb5.conf file from the point where you can see " default_realm = EXAMPLE.COM ".
    a) default_realm = SUBDOMAIN.DOMAIN.LOCAL, where SUBDOMAIN is your hostname in capitals (in my case it is FEDSERVALT, or [root@FedServAlt] when in the terminal as the root user) and DOMAIN is your domain name in capitals (in my case it is CONTOSO). So in total mine looks like FEDSERVALT.CONTOSO.COM
    b) default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    c) default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

edit: There is no need to change default_realm = EXAMPLE COM to whatever your realm is. Just leave it as default_realm = EXAMPLE COM (I left out the . between EXAMPLE and COM to deal with a fedoraproject link limit per post).

  4. After you have added these values, but with your own hostname and domain, press the esc button; this will exit you from the insert edit mode you were in.

  5. Then type " : " (ignore the "", I'm using them to show that you should type what is within them) (the " : " should appear at the bottom of the krb5.conf file) and " wq! " to save, so that it looks like " :wq! ", and press enter.

  6. If you have been in root/superuser as mentioned above, this should overwrite the krb5.conf file and take you back to where you originally input " vi /etc/krb5.conf ".

  7. Now I can realm join to my Windows domain controller … this fixed it for me at least.

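As an added check, not code from the thread or from Fedora, here is a small Python parser for the [libdefaults] enctype keys that step 3 above edits; it reports which of the listed enctypes are AES and which are the RC4/DES types the fix enables, so the file can be reviewed after editing. The sample config text and the AES-first variant are constructed for this example.

```python
"""Added example, not from the thread: parse [libdefaults] in an MIT krb5.conf
and classify the enctypes each *_enctypes key enables. Sample configs are
constructed to mirror the thread's edit; all names here are this example's own."""
import re

# Enctype families as MIT krb5 spells them; DES and RC4 are the legacy types
# the thread's fix lists, AES is what current Active Directory prefers.
FAMILIES = {"aes": re.compile(r"^aes"), "rc4": re.compile(r"^(arcfour|rc4)"),
            "des": re.compile(r"^des(-|$)")}  # single DES only, not des3
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def classify(enctype):
    """Map one enctype name to 'aes', 'rc4', 'des' or 'other'."""
    for family, pattern in FAMILIES.items():
        if pattern.match(enctype.lower()):
            return family
    return "other"

def libdefaults_enctypes(conf_text):
    """Return {key: {family: [enctypes]}} for the enctype keys in [libdefaults].
    Comment lines, includedir lines and other sections (e.g. [realms]) are skipped."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key in ENCTYPE_KEYS:
                buckets = {}
                for enc in value.replace(",", " ").split():
                    buckets.setdefault(classify(enc), []).append(enc)
                found[key] = buckets
    return found

def legacy_only(conf_text):
    """Enctype keys whose list carries no AES type at all, as in the thread's edit."""
    return [k for k, fam in libdefaults_enctypes(conf_text).items() if "aes" not in fam]

# Constructed sample: the [libdefaults] edit from step 3 of the thread.
THREAD_EDIT = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
"""
# Constructed variant: keep AES first and add RC4 only as a fallback.
AES_FIRST = THREAD_EDIT.replace(
    "arcfour-hmac-md5 des-cbc-crc des-cbc-md5",
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5")
```

MIT krb5 1.18 removed single-DES support, so on that release or later the two des-cbc-* entries contribute nothing and arcfour-hmac-md5 is the entry that changes behaviour.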
