On Sat, 26 Feb 2022, Ville Teronen via FreeIPA-users wrote:
Ok, after trying the obvious myself I think I have figured out what was causing
the issue.

"dnf upgrade" upgraded openssl version from 3.0.1-1.el9 to 3.0.1-12.el9
and the problem started after that.

After I downgraded the openssl back to 3.0.1-1.el9 and restarted
Kerberos (systemctl restart krb5kdc.service) the problem went away.

So it would seem the openssl is the root cause. Should I create a bug
report or something like that? (not really familiar with the process
regarding this)

I assume you are using CentOS 9 Stream, right? RHEL 9 is going to
disable SHA-1 globally and openssl 3.0.1-12.el9 is one of the starting
points. More so in FIPS mode (I hope you have no need for that,
definitely not a good idea in CentOS 9 Stream right now). The output
below is what I have on Fedora 35, for reference.

Can you give me the output of

[root@dc ~]# update-crypto-policies --show
DEFAULT

[root@dc ~]# cat /etc/krb5.conf.d/crypto-policies
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 camellia128-cts-cmac

and

[root@dc ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 9.
Request ID '20220128174302':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=dc.ipa.test,O=IPA.TEST
        issued: 2022-01-28 17:43:02 UTC
        expires: 2024-01-29 17:43:02 UTC
        dns: dc.ipa.test
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

It should look like the above if you are using IPA CA. Specifically,
check that issuer, subject, principal name and EKUs are correct, but the
rest is important as well.

If you are not using IPA CA, then there might be other issues too, but I
need to see the output.

For SHA-1 issues, if I'm right, you may want to fix that with

# update-crypto-policies --set DEFAULT:SHA1

This would restore use of SHA-1 HMAC for Kerberos.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
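As an added illustration, not code from the thread or from FreeIPA, here is a small POSIX shell helper that applies the checklist above to a saved `getcert list` entry (issuer, principal name, PKINIT EKU, profile, tracking) and to the krb5 crypto-policies snippet (whether an HMAC-SHA1 AES enctype is still permitted). The sample inputs are constructed from the values shown in the thread, with the realm replaced by the placeholder EXAMPLE.TEST.

```shell
#!/bin/sh
# Added example, not from the thread: apply the checklist above to saved output.

# check_kdc_cert FILE -- FILE holds one `getcert list` entry for the KDC cert.
# Returns 0 when the entry looks like an IPA-CA-issued PKINIT KDC cert that is
# still tracked, 1 otherwise (each missing item is printed).
check_kdc_cert() {
    rc=0
    for want in "status: MONITORING" "CA: IPA" \
                "issuer: CN=Certificate Authority,O=" \
                "principal name: krbtgt/" "id-pkinit-KPKdc" \
                "profile: KDCs_PKINIT_Certs" "track: yes"; do
        grep -qF -- "$want" "$1" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# check_sha1_enctypes FILE -- FILE is /etc/krb5.conf.d/crypto-policies.
# Returns 0 if an HMAC-SHA1 AES enctype is still permitted, 1 if the policy
# dropped it (on RHEL/CentOS 9 the DEFAULT:SHA1 subpolicy restores it).
check_sha1_enctypes() {
    grep -E '^[[:space:]]*permitted_enctypes' "$1" |
        grep -q 'aes256-cts-hmac-sha1-96'
}

# Constructed samples (realm is a placeholder), written to temp files.
GOOD_CERT=$(mktemp); BAD_CERT=$(mktemp); SHA1_POLICY=$(mktemp); NOSHA1_POLICY=$(mktemp)
trap 'rm -f "$GOOD_CERT" "$BAD_CERT" "$SHA1_POLICY" "$NOSHA1_POLICY"' EXIT
cat >"$GOOD_CERT" <<'EOF'
Request ID '20220128174302':
        status: MONITORING
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=dc.example.test,O=EXAMPLE.TEST
        principal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        track: yes
EOF
# Same entry, but the PKINIT EKU is gone and tracking is off.
sed -e 's/,id-pkinit-KPKdc//' -e 's/track: yes/track: no/' "$GOOD_CERT" >"$BAD_CERT"
printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192\n' >"$SHA1_POLICY"
printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128\n' >"$NOSHA1_POLICY"

check_kdc_cert "$GOOD_CERT" && echo "KDC cert entry looks fine"
check_sha1_enctypes "$NOSHA1_POLICY" ||
    echo "no SHA-1 HMAC enctype permitted; see: update-crypto-policies --set DEFAULT:SHA1"
```

Run it against the real files by replacing the constructed temp files with `getcert list -f /var/kerberos/krb5kdc/kdc.crt` output saved to a file and the live /etc/krb5.conf.d/crypto-policies.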
_______________________________________________
FreeIPA-users mailing list -- [email protected]