Back to bug 2120572

Who When What Removed Added
Red Hat Bugzilla 2022-08-23 09:39:27 UTC Pool ID sst_idm_ipa_rhel_8
Varun Mylaraiah 2022-08-23 09:40:49 UTC Keywords Regression, TestBlocker
Red Hat One Jira (issues.redhat.com) 2022-08-23 09:46:32 UTC Link ID Red Hat Issue Tracker FREEIPA-8679
Red Hat One Jira (issues.redhat.com) 2022-08-23 09:46:37 UTC Link ID Red Hat Issue Tracker RHELPLAN-131950
Varun Mylaraiah 2022-08-23 09:55:05 UTC CC pbrezina
Component ipa sssd
Red Hat One Jira (issues.redhat.com) 2022-08-23 09:59:15 UTC Link ID Red Hat Issue Tracker FREEIPA-8679
Florence Blanc-Renaud 2022-08-24 07:17:22 UTC QA Contact ipa-qe sssd-qe
Assignee frenaud sssd-maint
Florence Blanc-Renaud 2022-08-24 07:17:58 UTC CC frenaud
Pool ID sst_idm_ipa_rhel_8 sst_idm_sssd_rhel_8
Alexey Tikhonov 2022-08-24 07:22:55 UTC CC atikhono
Flags needinfo?(mvarun)
Alexander Bokovoy 2022-08-24 07:26:11 UTC CC abokovoy
Alexey Tikhonov 2022-08-24 08:59:44 UTC Flags needinfo?(sbose)
CC sbose
Varun Mylaraiah 2022-08-25 12:10:25 UTC Flags needinfo?(mvarun) needinfo-
Sumit Bose 2022-08-26 17:50:44 UTC Flags needinfo?(sbose)
Alexey Tikhonov 2022-08-26 17:58:48 UTC Pool ID sst_idm_sssd_rhel_8 sst_idm_ipa_rhel_8
QA Contact sssd-qe ipa-qe
Assignee sssd-maint frenaud
Component sssd ipa
Red Hat One Jira (issues.redhat.com) 2022-08-26 18:00:54 UTC Link ID Red Hat Issue Tracker FREEIPA-8679
Trivino 2022-08-29 11:53:34 UTC Keywords Triaged
CC ftrivino
Trivino 2022-09-01 13:21:15 UTC Assignee frenaud ftrivino
Varun Mylaraiah 2022-09-05 11:33:46 UTC Blocks 2124243
Sudhir Menon 2022-09-06 07:56:15 UTC Blocks 2089955
Florence Blanc-Renaud 2022-09-16 06:45:37 UTC Flags needinfo?(ftrivino)
Trivino 2022-09-21 10:26:17 UTC Doc Text Cause:
RC4 (NTLM hash) is not allowed in FIPS mode.

Consequence:
two-way trust can't be established in FIPS mode.

Workaround (if any):

Result:
when establishing two-way trust, Win AD-DC attempts to auth to IPA DC by using NTLMSSP which is blocked by FIPS, communication falls down to "gse_krb5" which is not working and needs to be investigated as part of this BZ.
Doc Type If docs needed, set a value Known Issue
Trivino 2022-09-21 10:27:26 UTC Flags needinfo?(ftrivino)
Lucie Vařáková 2022-09-21 12:44:14 UTC Docs Contact lmcgarry
Filip Hanzelka 2022-09-22 12:42:52 UTC Doc Text Cause:
RC4 (NTLM hash) is not allowed in FIPS mode.

Consequence:
two-way trust can't be established in FIPS mode.

Workaround (if any):

Result:
when establishing two-way trust, Win AD-DC attempts to auth to IPA DC by using NTLMSSP which is blocked by FIPS, communication falls down to "gse_krb5" which is not working and needs to be investigated as part of this BZ.
.FIPS mode does not support using the NTLM hashing algorithm to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Identity Management (IdM) and Active Directory (AD) using the New Technology LAN Manager (NTLM) hashing algorithm fails in FIPS mode because NTLM Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. The communication between the IdM and AD servers falls down to the `gse_krb5` GENSEC submechanism, which is not working.
CC fhanzelk
Docs Contact lmcgarry fhanzelk
Filip Hanzelka 2022-09-22 12:52:01 UTC Flags needinfo?(ftrivino)
Trivino 2022-09-22 16:45:06 UTC Flags needinfo?(ftrivino)
Filip Hanzelka 2022-09-23 14:23:00 UTC Flags needinfo?(ftrivino)
Filip Hanzelka 2022-09-26 11:08:44 UTC Flags needinfo?(ftrivino)
Filip Hanzelka 2022-09-26 18:50:23 UTC Flags needinfo?(mmuehlfe)
Filip Hanzelka 2022-09-27 08:31:02 UTC Doc Text .FIPS mode does not support using the NTLM hashing algorithm to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Identity Management (IdM) and Active Directory (AD) using the New Technology LAN Manager (NTLM) hashing algorithm fails in FIPS mode because NTLM Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. The communication between the IdM and AD servers falls down to the `gse_krb5` GENSEC submechanism, which is not working.
.IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.
Trivino 2022-09-27 10:12:55 UTC Flags needinfo?(ftrivino) needinfo?(ftrivino)
Marc Muehlfeld 2022-09-30 06:10:17 UTC Flags needinfo?(mmuehlfe)
Pasi Karkkainen 2022-11-09 15:34:26 UTC CC pasik
Leos Pol 2023-02-13 08:55:12 UTC Blocks 2144443
CongLi 2023-08-11 07:51:51 UTC Blocks 2209172