Closed
Description
After updating from 2512.5.0 to 2605.5.0, adcli is unable to authenticate with Kerberos: /etc/krb5.keytab: Bad encryption type, and sssd fails with Failed to init credentials: Preauthentication failed
Impact
Users are unable to authenticate using Active Directory credentials, and machines cannot be joined to AD:
# adcli join -D DOMAIN -U administrator@DOMAIN -K /etc/krb5.keytab -O OU=Servers,DC=DOMAIN -v
* Using domain name: DOMAIN
* Calculated computer account name from fqdn: FQDN
* Calculated domain realm from name: DOMAIN
* Discovering domain controllers: _ldap._tcp.DOMAIN
* Sending netlogon pings to domain controller: cldap://10.10.10.20
* Sending netlogon pings to domain controller: cldap://10.10.10.10
* Received NetLogon info from: DC02.DOMAIN
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-g1vkaY/krb5.d/adcli-krb5-conf-MYmSzi
Password for administrator@DOMAIN:
* Authenticated as user: administrator@DOMAIN
* Looked up short domain name: SDN
* Using fully qualified name: fqdn.domain
* Using domain name: DOMAIN
* Using computer account name: FQDN
* Using domain realm: DOMAIN
* Calculated computer account name from fqdn: FQDN
* Generated 120 character computer password
* Using keytab: /etc/krb5.keytab
* Found computer account for FQDN$ at: CN=FQDN,OU=Servers,DC=DOMAIN
* Set computer password
* Retrieved kvno '3' for computer account in directory: CN=FQDN,OU=Servers,DC=DOMAIN
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystemVersion, operatingSystemServicePack
* Modifying computer account: userPrincipalName
adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
! Couldn't authenticate with keytab while discovering which salt to use: FQDN$@DOMAIN: Bad encryption type
! Couldn't add keytab entries: /etc/krb5.keytab: Bad encryption type
adcli: joining domain DOMAIN failed: Couldn't add keytab entries: /etc/krb5.keytab: Bad encryption type
Expected behavior
After rollback of the same machine to 2512.5.0:
# adcli join -D DOMAIN -U administrator@DOMAIN -K /etc/krb5.keytab -O OU=Servers,DC=DOMAIN -v
* Using domain name: DOMAIN
* Calculated computer account name from fqdn: FQDN
* Calculated domain realm from name: DOMAIN
* Discovering domain controllers: _ldap._tcp.DOMAIN
* Sending netlogon pings to domain controller: cldap://10.10.10.20
* Sending netlogon pings to domain controller: cldap://10.10.10.10
* Received NetLogon info from: DC02.domain
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-mhcRLc/krb5.d/adcli-krb5-conf-efE34V
Password for administrator@DOMAIN:
* Authenticated as user: administrator@DOMAIN
* Looked up short domain name: SDN
* Using fully qualified name: fqdn.domain
* Using domain name: DOMAIN
* Using computer account name: FQDN
* Using domain realm: DOMAIN
* Calculated computer account name from fqdn: FQDN
* Generated 120 character computer password
* Using keytab: /etc/krb5.keytab
* Found computer account for FQDN$ at: CN=FQDN,OU=Servers,DC=DOMAIN
* Set computer password
* Retrieved kvno '4' for computer account in directory: CN=FQDN,OU=Servers,DC=DOMAIN
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystemVersion, operatingSystemServicePack
* Modifying computer account: userPrincipalName
* Cleared old entries from keytab: /etc/krb5.keytab
* Discovered which keytab salt to use
* Added the entries to the keytab: FQDN$@DOMAIN: /etc/krb5.keytab
* Added the entries to the keytab: host/FQDN@DOMAIN: /etc/krb5.keytab
* Added the entries to the keytab: host/fqdn.domain@DOMAIN: /etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/FQDN@DOMAIN: /etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/fqdn.domain@DOMAIN: /etc/krb5.keytab
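A small triage helper for the "Bad encryption type" failure seen above. It is an added example, not code from the issue or from adcli: it reads `klist -kte` output, lists the distinct enctypes found in the keytab, and reports those outside a permitted set so a mismatch between the keytab and the client's allowed enctypes can be spotted before re-joining. The `klist` sample and the `PERMITTED` list are constructed assumptions for offline use.

```shell
#!/bin/sh
# Triage helper (added example, not from the issue or the adcli project).
# "Bad encryption type" on a keytab commonly means the keytab entries use an
# enctype the local Kerberos library is not permitted to use. This script
# lists the enctypes present in a keytab listing and flags the unpermitted ones.

# Extract the distinct enctypes from `klist -kte` output read on stdin.
# Sample line: "   4 01/15/2026 10:00:00 host/FQDN@DOMAIN (aes256-cts-hmac-sha1-96)"
keytab_enctypes() {
    sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u
}

# Print each enctype from stdin that is not in the space-separated permitted
# list passed as $1 (for example the permitted_enctypes value from krb5.conf).
unpermitted_enctypes() {
    permitted=" $1 "
    while read -r etype; do
        case "$permitted" in
            *" $etype "*) ;;
            *) printf '%s\n' "$etype" ;;
        esac
    done
}

# Constructed sample of `klist -kte` output so the example runs offline.
# On a real host replace it with the output of: klist -kte /etc/krb5.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/15/2026 10:00:00 FQDN$@DOMAIN (aes256-cts-hmac-sha1-96)
   4 01/15/2026 10:00:00 FQDN$@DOMAIN (aes128-cts-hmac-sha1-96)
   4 01/15/2026 10:00:00 host/FQDN@DOMAIN (arcfour-hmac)'

# Enctypes the client is assumed to allow (assumption for this example).
PERMITTED="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# Report keytab enctypes that the client would refuse; empty output means
# the keytab and the permitted set agree.
check_keytab() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_enctypes | unpermitted_enctypes "$PERMITTED"
}

check_keytab
```

On a host that shows the failure, compare this report with the enctypes the domain controller offers for the computer account; an entry listed here is one the client cannot use.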