Programs using Kerberos fail after update to krb5-1.20.1-150600.11.8.1
This document (000021823) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP6
SUSE Linux Enterprise Server for SAP 15 SP6
Situation
After updating packages krb5
, krb5-32bit, or krb5-client to version 1.20.1-150600.11.8.1 or higher, applications on the server experience issues with features that utilize Kerberos. These packages were of version 1.20.1-150600.11.3.1 or lower before they were upgraded.
Resolution
To resolve the issue, algorithms that are not supported by the currently crypto-policy should be removed from settings permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes in the file /etc/krb5.conf and other configuration files in /etc/krb5.conf.d/. Or, if crypto-policy support is not needed on Kerberos, this can be disabled by deleting the file /etc/krb5.conf.d/crypto-policies.
The crypto-policy that is currently set is defined in the file /etc/crypto-policies/config. The algorithms allowed by each crypto-policy are listed in the crypto-policies man page in the PROVIDED POLICIES section
man 7 crypto-policies
Cause
Starting in version 1.20.1-150600.11.8.1, Kerberos supports crypto-policy and blocks any algorithms that are not approved by the crypto-policy.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021823
- Creation Date: 05-May-2025
- Modified Date:22-May-2025
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com