I have a simple MS ADDS multi-domain forest setup with a parent domain and one sub-domain. I joined a RHEL 8 server successfully to the sub-domain by using this official documentation. All OSs have been set up by using as many defaults as possible. I can successfully SSH into the RHEL server by using an AD account of the sub-domain. But when I try to use an account of the parent domain, the login fails. As soon as I submit the username of the parent domain, `journalctl` reports the following error:

```
sssd_be[...]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
```
I checked the DCs of each domain and can confirm that all DCs support the same three default encryption types (which are stored in the `msDS-SupportedEncryptionTypes` attribute of each DC computer account):
- RC4_HMAC_MD5
- AES128_CTS_HMAC_SHA1_96
- AES256_CTS_HMAC_SHA1_96
I also confirmed that RHEL 8 offers suitable encryption types (`/etc/crypto-policies/back-ends/krb5.config`):

```
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
```
So, there should be two matches: `aes128-cts-hmac-sha1-96` and `aes256-cts-hmac-sha1-96`. As I already stated, it is working fine for the sub-domain. So, why is there no suitable encryption type for the parent domain?