The ipa-client-install command failed, exception: ScriptError: Kerberos authentication failed: kinit: KDC has no support for encryption type while getting initial credentials
Environment
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- IPA server
Issue
Installing an IPA client fails with the following entries in /var/log/ipaclient-install.log:
2025-05-22T20:32:08Z DEBUG The ipa-client-install command failed, exception: ScriptError: Kerberos authentication failed: kinit: KDC has no support for encryption type while getting initial credentials
2025-05-22T20:32:08Z ERROR Kerberos authentication failed: kinit: KDC has no support for encryption type while getting initial credentials
2025-05-22T20:32:08Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Resolution
On the client side, switch to the FIPS policy with the AD-SUPPORT subpolicy, which re-enables the AES HMAC-SHA1 Kerberos encryption types that the plain FIPS policy blocks:
# update-crypto-policies --set FIPS:AD-SUPPORT
The new policy applies to processes started after the change; reboot the client (or at least restart the services involved) before re-running ipa-client-install. Note that this re-admits SHA-1-based AES types on the client, so treat it as an interoperability measure, not a hardening step.
Reference: Interoperability of RHEL 7/8/9 IdM server and RHEL 7/8/9 IdM client
Root Cause
When the IPA server was initially set up on RHEL 8.6 or earlier, the IdM master key was created with the AES HMAC-SHA1 encryption type (aes256-cts-hmac-sha1-96). The RHEL 9 FIPS crypto policy blocks this encryption type, so a RHEL 9 client in FIPS mode and the KDC have no encryption type in common, kinit fails during enrollment, and the IdM client installation fails.
Diagnostic Steps
To check the encryption type of the IdM master key, run the following on the RHEL 8 IdM server:
# kadmin.local getprinc K/M | grep -E '^Key:'
Key: vno 1, aes256-cts-hmac-sha1-96
If the encryption type is aes256-cts-hmac-sha1-96, the installation of a RHEL 9 client in FIPS mode fails unless the client's crypto policy allows that type.
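The check above and the resolution it leads to can be scripted. The following is an added example, not part of the Red Hat solution: it parses the output of `kadmin.local getprinc K/M` (which must be captured on the IdM server), flags any AES HMAC-SHA1 key, and prints the client-side remedy. The getprinc output embedded here is constructed for illustration, and the realm EXAMPLE.TEST is an assumption.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): parse the output of
# `kadmin.local getprinc K/M` from the IdM server and decide whether a
# RHEL 9 client in FIPS mode needs the AD-SUPPORT subpolicy to enrol.
# The getprinc output below is constructed for illustration; the
# principal name and realm are assumptions.

SAMPLE_SHA1='Principal: K/M@EXAMPLE.TEST
Expiration date: [never]
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1'

SAMPLE_SHA2='Principal: K/M@EXAMPLE.TEST
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha384-192
MKey: vno 1'

# Print the encryption type of every "Key:" line read on stdin, one per
# line, dropping any ":salt" suffix that newer kadmin versions append.
km_enctypes() {
    sed -n 's/^Key: vno [0-9]*, \([^ ,:]*\).*/\1/p'
}

# Succeed (exit 0) if any enctype on stdin is an AES HMAC-SHA1 type.
# These are the types the RHEL 9 FIPS policy blocks unless the
# AD-SUPPORT subpolicy is enabled.
has_sha1_enctype() {
    km_enctypes | grep -q -- '-hmac-sha1-'
}

# Given getprinc output as $1, print the client-side remedy.
recommend_policy() {
    if printf '%s\n' "$1" | has_sha1_enctype; then
        echo 'update-crypto-policies --set FIPS:AD-SUPPORT'
    else
        echo 'no crypto-policy change needed'
    fi
}

# Stand-alone run on the constructed samples.
printf '%s\n' "$SAMPLE_SHA1" | km_enctypes
recommend_policy "$SAMPLE_SHA1"
recommend_policy "$SAMPLE_SHA2"
```

On a real deployment, capture the server output with `kadmin.local getprinc K/M` and feed it to `recommend_policy`; the functions only read text, so nothing here touches the KDC database. The match on `-hmac-sha1-` is deliberately narrow: it covers the aes128/aes256 HMAC-SHA1 types the article describes and leaves other enctypes (for example arcfour-hmac, which the AD-SUPPORT subpolicy in RHEL 9 does not re-enable) to be handled separately.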