AlmaLinux Failed to Join Windows Active Directory Domain
The Problem
Joining an AlmaLinux machine to a Windows Active Directory (AD) domain has been simplified in the web console. However, when I tried it, I ran into this error.
Failed to join the domain
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
* Joining using a truncated netbios name: WEBDEV-ALMALINU
* LANG=C /usr/sbin/adcli join --verbose --domain mydomain.local --domain-realm DHERST.LOCAL --domain-controller 192.168.100.254 --computer-name WEBDEV-ALMALINU --login-type user --login-user Administrator --stdin-password
* Using domain name: mydomain.local
* Using computer account name: WEBDEV-ALMALINU
* Using domain realm: mydomain.local
* Sending NetLogon ping to domain controller: 192.168.100.254
* Received NetLogon info from: dc1.mydomain.local
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-toSdUT/krb5.d/adcli-krb5-conf-tslTgM
! Couldn't authenticate as: Administrator@MYDOMAIN.LOCAL: KDC has no support for encryption type
adcli: couldn't connect to mydomain.local domain: Couldn't authenticate as: Administrator@MYDOMAIN.LOCAL: KDC has no support for encryption type
Please check
https://red.ht/support_rhel_ad
to get help for common issues.
! Failed to join the domain
The Cause
After doing some research, I found out that the issue is caused by the use of the RC4 encryption algorithm in Windows environments. However, in the Red Hat Enterprise Linux (RHEL) environment and its variants, this encryption is disabled.
The RC4 Encryption Algorithm
In a nutshell, Rivest Cipher 4 (RC4) was created in 1987 and is the most commonly used stream cipher, as it is used in Secure Sockets Layer (SSL)/Transport Layer Security (TLS), protocols widely used in Windows environments.
You can find more details about RC4 here (https://www.encryptionconsulting.com/education-center/what-is-rc4/) or through a quick search on Google.
The Solution
The solution to this problem is to enable support for RC4. This is done by running the following command.
sudo update-crypto-policies --set default:ad-support
The following results should be returned.
[admin@webdev-almalinux ~]$ sudo update-crypto-policies --set default:ad-support
[sudo] password for sysadmin:
Setting system policy to DEFAULT:AD-SUPPORT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[admin@webdev-almalinux ~]$
As recommended by the results, reboot the system.
sudo reboot
Now you can try reconnecting to the domain again.
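Before retrying, it helps to confirm that the failure really was the encryption-type error and that the policy change took effect. The shell functions below are an added example, not part of the original post. The krb5 back-end path and the arcfour-hmac/rc4-hmac enctype names are assumptions about a RHEL-family system, and the fallback values are constructed so the script also runs on a machine without crypto-policies.

```shell
#!/bin/sh
# Added example, not from the original post: triage a failed AD join.

# 0 if the captured adcli/realmd output shows the Kerberos enctype error.
is_enctype_failure() {
    printf '%s\n' "$1" | grep -q 'KDC has no support for encryption type'
}

# 0 if policy string $1 (e.g. "DEFAULT:AD-SUPPORT") carries subpolicy $2.
# The first field is the base policy; only later fields are subpolicies.
policy_has_module() {
    mods=$(printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | cut -s -d: -f2-)
    want=$(printf '%s\n' "$2" | tr '[:lower:]' '[:upper:]')
    case ":$mods:" in *":$want:"*) return 0 ;; *) return 1 ;; esac
}

# 0 if krb5 config text $1 lists an RC4 enctype in permitted_enctypes.
# Enctype names matched here are an assumption, not taken from the post.
krb5_permits_rc4() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*permitted_enctypes[[:space:]]*=' |
        grep -Eq '(^|[[:space:],=])(arcfour-hmac(-md5)?|rc4-hmac)([[:space:],]|$)'
}

# Print the next step for join output $1, policy $2, krb5 config text $3.
diagnose_join() {
    if ! is_enctype_failure "$1"; then
        echo "not-enctype: look elsewhere in the adcli output"
    elif ! policy_has_module "$2" AD-SUPPORT; then
        echo "set-policy: update-crypto-policies --set default:ad-support"
    elif ! krb5_permits_rc4 "$3"; then
        echo "no-rc4: AD-SUPPORT is set but krb5 permitted_enctypes has no RC4"
    else
        echo "retry: policy active; reboot if not done, then rejoin"
    fi
}

# Error line copied from the join output shown on this page.
SAMPLE_LOG="! Couldn't authenticate as: Administrator@MYDOMAIN.LOCAL: KDC has no support for encryption type"
# Live state when run on the host; constructed fallbacks elsewhere.
POLICY=$(update-crypto-policies --show 2>/dev/null) || POLICY='DEFAULT'
KRB5=$(cat /etc/crypto-policies/back-ends/krb5.config 2>/dev/null) || KRB5=''
diagnose_join "$SAMPLE_LOG" "$POLICY" "$KRB5"
```

To check a real failure, pass the saved join output as the first argument to diagnose_join in place of SAMPLE_LOG.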